Web


Nmap discovered a web server on the target port 31331. The running service is Apache httpd 2.4.29.

Webroot

The "Who are we?" section contains 3 potential users:

  • r00t
  • P4c0
  • Sq4l

Fuzzing


┌──(kali㉿kali)-[~/archive/thm/ultratech]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -t 200 -u http://$IP:31331/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.123.20:31331/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htaccess               [Status: 403, Size: 299, Words: 22, Lines: 12, Duration: 3502ms]
.htpasswd               [Status: 403, Size: 299, Words: 22, Lines: 12, Duration: 160ms]
css                     [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 3595ms]
favicon.ico             [Status: 200, Size: 15086, Words: 11, Lines: 7, Duration: 1632ms]
javascript              [Status: 301, Size: 326, Words: 20, Lines: 10, Duration: 321ms]
images                  [Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 4888ms]
js                      [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 160ms]
robots.txt              [Status: 200, Size: 53, Words: 4, Lines: 6, Duration: 1440ms]
server-status           [Status: 403, Size: 303, Words: 22, Lines: 12, Duration: 245ms]
:: Progress: [20476/20476] :: Job [1/1] :: 100 req/sec :: Duration: [0:02:12] :: Errors: 324 ::

robots.txt


utech_sitemap.txt


/what.html


Nothing notable

/partners.html


The /partners.html endpoint is a login page for private partners.

Authentication is made through the API endpoint at /auth on the target port 8081.

Interestingly, it makes another request to the ping API endpoint with the ip parameter set to the IP address of the target host.

It would appear that the ping command is used directly, based on the output of the response.

I have already confirmed that the ping is functioning.

Checking the source code reveals a JS script: api.js

api.js


There is a file named api.js that is part of the login page above. It would appear that the ping API endpoint exists to check the status of the API endpoint.
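For the defensive side of the ping endpoint observation above, this added example (not code from the target or from this writeup) shows how a status endpoint can take the ip parameter without handing it to a shell. It assumes a Node.js backend and Linux iputils ping flags; buildPingArgs, pingHost and classify are hypothetical names.

```javascript
"use strict";
// Added example: hardened handling of the `ip` parameter for a ping-style
// status endpoint. All function names are hypothetical; Node.js and the
// iputils ping flags (-c, -W) are assumptions.
const net = require("net");
const { execFile } = require("child_process");

// Return the argv for ping, or throw if `ip` is not a literal IPv4 address.
function buildPingArgs(ip) {
  // Query parameters can arrive as arrays or objects (e.g. ?ip=a&ip=b).
  if (typeof ip !== "string") {
    throw new TypeError("ip must be a single string value");
  }
  // net.isIP returns 4 only for a dotted-quad literal: no whitespace,
  // no shell metacharacters, no hostnames, no leading "-" option.
  if (net.isIP(ip) !== 4) {
    throw new RangeError("ip must be an IPv4 literal");
  }
  // "--" ends option parsing, so the address can never be read as a flag.
  return ["-c", "1", "-W", "2", "--", ip];
}

// Run ping without a shell: execFile passes argv straight to the binary,
// so characters such as ; | & $ have no special meaning.
function pingHost(ip, callback) {
  const args = buildPingArgs(ip);
  execFile("ping", args, { timeout: 5000 }, (err, stdout) => {
    // Return a boolean status rather than echoing raw command output.
    callback(null, { ip, reachable: !err && /bytes from/.test(stdout) });
  });
}

// Classify constructed sample inputs as accepted or rejected by the validator.
function classify(samples) {
  return samples.map((value) => {
    try {
      buildPingArgs(value);
      return "accept";
    } catch (e) {
      return "reject";
    }
  });
}
```

Returning only a reachable flag also avoids exposing raw command output, which is what revealed the underlying ping call in the response here.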

EXTREMELY UNSTABLE MACHINE. RESETTING IP ADDRESS SWITCHED TO 10.10.57.71