Web
Nmap discovered a web server on target port 8081. The X-Powered-By header in the response identifies it as a Node.js application built on the Express framework.
┌──(kali㉿kali)-[~/archive/thm/ultratech]
└─$ curl -i http://$IP:8081
HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Content-Length: 20
ETag: W/"14-tVlBr0s73mf41Pi7C/1PMqiyXRc"
Date: Mon, 22 Jul 2024 13:28:52 GMT
Connection: keep-alive
UltraTech API v0.1.3
The body identifies it as an API server (UltraTech API v0.1.3), so the next step is to enumerate its endpoints.
Fuzzing
┌──(kali㉿kali)-[~/archive/thm/ultratech]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/api/api-endpoints-res.txt -t 200 -u http://$IP:8081/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://10.10.123.20:8081/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/api/api-endpoints-res.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
auth [Status: 200, Size: 39, Words: 8, Lines: 1, Duration: 470ms]
ping [Status: 500, Size: 1094, Words: 52, Lines: 11, Duration: 629ms]
?: [Status: 200, Size: 20, Words: 3, Lines: 1, Duration: 556ms]
:: Progress: [12334/12334] :: Job [1/1] :: 351 req/sec :: Duration: [0:00:51] :: Errors: 0 ::
/auth
┌──(kali㉿kali)-[~/archive/thm/ultratech]
└─$ curl -i http://$IP:8081/auth
HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Content-Length: 39
ETag: W/"27-eyFFXmdQ/Imsneqz2tUSLEVh8vY"
Date: Mon, 22 Jul 2024 13:55:53 GMT
Connection: keep-alive
You must specify a login and a password
It seems that the auth endpoint takes login and password parameters.
/ping
┌──(kali㉿kali)-[~/archive/thm/ultratech]
└─$ curl -i http://$IP:8081/ping
HTTP/1.1 500 Internal Server Error
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
Content-Length: 1094
Date: Mon, 22 Jul 2024 14:00:20 GMT
Connection: keep-alive
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>TypeError: Cannot read property 'replace' of undefined<br> at app.get (/home/www/api/index.js:45:29)<br> at Layer.handle [as handle_request] (/home/www/api/node_modules/express/lib/router/layer.js:95:5)<br> at next (/home/www/api/node_modules/express/lib/router/route.js:137:13)<br> at Route.dispatch (/home/www/api/node_modules/express/lib/router/route.js:112:3)<br> at Layer.handle [as handle_request] (/home/www/api/node_modules/express/lib/router/layer.js:95:5)<br> at /home/www/api/node_modules/express/lib/router/index.js:281:22<br> at Function.process_params (/home/www/api/node_modules/express/lib/router/index.js:335:12)<br> at next (/home/www/api/node_modules/express/lib/router/index.js:275:10)<br> at cors (/home/www/api/node_modules/cors/lib/index.js:188:7)<br> at /home/www/api/node_modules/cors/lib/index.js:224:17</pre>
</body>
</html>
A GET request to the ping endpoint returns a 500. The stack trace is informative: the handler at /home/www/api/index.js:45 calls .replace on an undefined value, which means it reads a request parameter that was not supplied and runs it through a string replacement (typically a character filter) before using it. As the name suggests, it probably expects an IP address; I confirmed that the parameter is named ip.
┌──(kali㉿kali)-[~/archive/thm/ultratech]
└─$ curl -i http://$IP:8081/ping?ip=10.9.1.180
HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Content-Length: 257
ETag: W/"101-1SljdCCXkYgmxBpaC6iBku5AvlI"
Date: Mon, 22 Jul 2024 16:12:54 GMT
Connection: keep-alive
PING 10.9.1.180 (10.9.1.180) 56(84) bytes of data.
64 bytes from 10.9.1.180: icmp_seq=1 ttl=63 time=76.6 ms
--- 10.9.1.180 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 76.674/76.674/76.674/0.000 ms
The response body is the raw output of the ping command, so the ip parameter is being passed straight into a shell command rather than, say, a socket call. That makes the endpoint a strong candidate for OS command injection. One caveat from the earlier stack trace: the .replace call on the parameter suggests some characters are filtered before the command runs, so a single separator such as ; may be stripped and it is worth trying the other ways a shell accepts a second command (newline, $(...), backticks, |).
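The pattern behind this behaviour, as an added example that is not the UltraTech challenge's own code: the real handler in /home/www/api/index.js is not visible, so the vulnerable handler below is an assumption that matches what the page shows (an ip query parameter, ping output echoed back, a TypeError from .replace when the parameter is missing). The denylist filter, the exact command string and the hardened variant are all illustrative; the hardened variant validates the input against a strict IPv4 allowlist and builds an argv array for execFile so no shell is ever involved.

```javascript
// Added example, not code from the challenge. Models a Node/Express /ping
// handler of the kind suggested by the page, beside a hardened version.

// --- 1. What the stack trace tells us ------------------------------------
// "Cannot read property 'replace' of undefined" at index.js:45 means the
// handler does something like `req.query.ip.replace(...)` with no check
// that the parameter exists. A hypothetical denylist filter (assumption:
// the real filter is unknown) that strips a few shell metacharacters:
function denylistFilter(ip) {
  return ip.replace(/[;&|]/g, '');
}

// Vulnerable handler logic: filtered input is concatenated into a shell
// command string. Throws TypeError when `ip` is missing, exactly like the
// 500 seen on GET /ping without parameters.
function buildVulnerableCommand(query) {
  const cleaned = denylistFilter(query.ip);
  return `ping -c 1 ${cleaned}`;
}

// --- 2. Why a denylist is not enough -------------------------------------
// Characters a POSIX shell treats specially. `$(...)`, backticks, newlines
// and redirections survive a filter that only removes ; & |.
const SHELL_META = /[;&|`$(){}<>\n\r\\'"*?~ \t]/;

function reachesShellUnfiltered(payload) {
  return SHELL_META.test(denylistFilter(payload));
}

// --- 3. Hardened version -------------------------------------------------
// Allowlist: one dotted-quad IPv4 literal, octets 0-255, no leading zeros,
// and nothing else. Rejecting non-strings also covers ?ip=a&ip=b, which
// Express's query parser turns into an array.
function isIPv4Literal(s) {
  if (typeof s !== 'string') return false;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return false;
  return m.slice(1).every(o => Number(o) <= 255 && !(o.length > 1 && o[0] === '0'));
}

// Returns an argv array for child_process.execFile (no shell), or null when
// the input is rejected. A validated literal can never start with '-', so it
// cannot be mistaken for a ping option either.
function buildSafePingArgv(query) {
  const ip = query.ip;
  if (!isIPv4Literal(ip)) return null;
  return ['ping', '-c', '1', ip];
}

// How the hardened version would be wired into Express (shown as a comment
// so this file runs without the express package installed):
//
//   const { execFile } = require('node:child_process');
//   app.get('/ping', (req, res) => {
//     const argv = buildSafePingArgv(req.query);
//     if (!argv) return res.status(400).send('ip must be an IPv4 address');
//     execFile(argv[0], argv.slice(1), { timeout: 5000 }, (err, stdout) =>
//       err ? res.status(502).send('ping failed')
//           : res.type('text/plain').send(stdout));
//   });

// Demo over constructed inputs: node ping_handler.js
if (typeof require !== 'undefined' && require.main === module) {
  const samples = [{}, { ip: '10.9.1.180' }, { ip: '10.9.1.180;id' }, { ip: '10.9.1.180$(id)' }];
  for (const q of samples) {
    let vuln;
    try { vuln = buildVulnerableCommand(q); } catch (e) { vuln = `${e.name}: ${e.message}`; }
    console.log(JSON.stringify(q), '=>', vuln, '| safe argv:', JSON.stringify(buildSafePingArgv(q)));
  }
}
```

The point of the comparison is that filtering characters out of a string that still reaches a shell only changes which payload works; passing the validated value as a separate argv element to execFile removes the shell from the path entirely, and the allowlist check also fixes the unhandled-missing-parameter crash that produced the 500.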
Note: the machine was extremely unstable and had to be reset; its IP address changed to 10.10.57.71 from here on.