Web
Nmap discovered a web server on the target's port 80.
The running service is a Golang net/http server.
┌──(kali㉿kali)-[~/archive/thm/wonderland]
└─$ curl -i http://$IP
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 402
Content-Type: text/html; charset=utf-8
Last-Modified: Mon, 01 Jun 2020 22:45:08 GMT
Date: Wed, 28 Aug 2024 13:08:04 GMT
<!DOCTYPE html>
<head>
<title>Follow the white rabbit.</title>
<link rel="stylesheet" type="text/css" href="/main.css">
</head>
<body>
<h1>Follow the White Rabbit.</h1>
<p>"Curiouser and curiouser!" cried Alice (she was so much surprised, that for the moment she quite forgot how to speak good English)</p>
<img src="/img/white_rabbit_1.jpg" style="height: 50rem;">
</body>
200
Webroot
Fuzzing
┌──(kali㉿kali)-[~/archive/thm/wonderland]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -t 200 -u http://$IP/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://10.10.35.235/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
img [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 321ms]
poem [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 317ms]
r [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 856ms]
:: Progress: [20476/20476] :: Job [1/1] :: 600 req/sec :: Duration: [0:00:34] :: Errors: 0 ::
ffuf found poem and r
r
Fuzzing r
┌──(kali㉿kali)-[~/archive/thm/wonderland]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -t 200 -u http://$IP/r/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://10.10.35.235/r/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
a [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 325ms]
:: Progress: [20476/20476] :: Job [1/1] :: 603 req/sec :: Duration: [0:00:34] :: Errors: 0 ::
a
/r/a
Fuzzing /r/a
┌──(kali㉿kali)-[~/archive/thm/wonderland]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -t 200 -u http://$IP/r/a/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://10.10.35.235/r/a/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
b [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 330ms]
:: Progress: [20476/20476] :: Job [1/1] :: 546 req/sec :: Duration: [0:00:36] :: Errors: 0 ::
b
rabbit?
/r/a/b
/r/a/b/b
/r/a/b/b/i
/r/a/b/b/i/t
CLEARTEXT Credential
Checking the source code reveals what appears to be a CLEARTEXT credential of the alice user; HowDothTheLittleCrocodileImproveHisShiningTail
It will be tested against the target SSH server.
poem
Fuzzing /poem
┌──(kali㉿kali)-[~/archive/thm/wonderland]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -t 200 -u http://$IP/poem/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://10.10.35.235/poem/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
:: Progress: [20476/20476] :: Job [1/1] :: 591 req/sec :: Duration: [0:00:35] :: Errors: 0 ::
Nothing found
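Seen from the defender's side, the ffuf runs above (roughly 600 requests per second, nearly all of them misses) leave a distinctive trace in access logs. The following is an added example, not part of the original write-up, that flags that pattern; the Common Log Format input, the constructed sample lines, the 404 status for misses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: access logs are in Common Log Format, e.g. written by logging
# middleware or a reverse proxy in front of the Go net/http server.
CLF = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def parse(line):
    """Return (ip, timestamp, path, status), or None for unparseable lines."""
    m = CLF.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def detect_content_discovery(lines, window_s=10, min_requests=100, min_404_ratio=0.9):
    """Flag clients whose requests inside a sliding window are numerous and
    overwhelmingly 404, the footprint of wordlist-driven path guessing.
    Thresholds are illustrative assumptions; tune them per site."""
    windows = defaultdict(deque)      # ip -> deque of (ts, path, status)
    flagged = {}
    for rec in filter(None, map(parse, lines)):
        ip, ts, path, status = rec
        win = windows[ip]
        win.append((ts, path, status))
        while ts - win[0][0] > timedelta(seconds=window_s):
            win.popleft()             # drop entries older than the window
        if len(win) < min_requests or ip in flagged:
            continue
        misses = sum(1 for _, _, s in win if s == 404)
        if misses / len(win) >= min_404_ratio:
            flagged[ip] = {"requests": len(win), "not_found": misses,
                           "distinct_paths": len({p for _, p, _ in win})}
    return flagged

def sample_log():
    """Constructed sample input: a fuzzing-like client and a normal browser."""
    fmt = '{ip} - - [28/Aug/2024:13:08:{s:02d} +0000] "GET {p} HTTP/1.1" {c} 0'
    lines = [fmt.format(ip="203.0.113.7", s=4 + i // 100, p=f"/word{i}",
                        c=301 if i in (10, 20, 30) else 404) for i in range(300)]
    lines += [fmt.format(ip="198.51.100.2", s=4 + i, p=p, c=200)
              for i, p in enumerate(["/", "/main.css", "/img/white_rabbit_1.jpg"])]
    return lines

if __name__ == "__main__":
    print(detect_content_discovery(sample_log()))
```

Rate limiting or blocking on this signal slows directory enumeration, but it does not replace removing credentials from served content.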