Custom Application


Nmap discovered an unknown service on the target port 9009. This service was hinted at in the post on the other web server.

┌──(kali㉿kali)-[~/archive/thm/b3dr0ck]
└─$ nc $IP 9009
 
 
 __          __  _                            _                   ____   _____ 
 \ \        / / | |                          | |            /\   |  _ \ / ____|
  \ \  /\  / /__| | ___ ___  _ __ ___   ___  | |_ ___      /  \  | |_) | |     
   \ \/  \/ / _ \ |/ __/ _ \| '_ ` _ \ / _ \ | __/ _ \    / /\ \ |  _ <| |     
    \  /\  /  __/ | (_| (_) | | | | | |  __/ | || (_) |  / ____ \| |_) | |____ 
     \/  \/ \___|_|\___\___/|_| |_| |_|\___|  \__\___/  /_/    \_\____/ \_____|
                                                                               
                                                                               
 
 
What are you looking for? 

Connecting to the service via Netcat presents a prompt.

What are you looking for? test
Sorry, unrecognized request: 'test'
 
You use this service to recover your client certificate and private key

It would appear that there is a list of “requests”. The response claims that this service can be used to recover a client certificate and private key.

What are you looking for? cert
Sounds like you forgot your certificate. Let's find it for you...
 
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

Inputting cert shows what appears to be a client certificate. I will save this to a file: cert.pub

What are you looking for? key
Sounds like you forgot your private key. Let's find it for you...
 
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

Inputting key shows what appears to be a private key. Saved to a file: key.pri
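The two save steps above (cert.pub and key.pri), as an added example that is not part of the original write-up: it pulls the PEM blocks out of a saved Netcat transcript, skips truncated or corrupted pastes, and writes the private key with 0600 permissions. The function names and the sample transcript (with dummy bodies) are constructed for illustration.

```python
import base64
import os
import re
import tempfile

# One PEM block: captures the label and the base64 body (hypothetical helper).
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(\S.*?)\s*-----END \1-----", re.S)

# Constructed transcript: same shape as the port 9009 replies, dummy bodies.
SAMPLE = """What are you looking for? cert
Sounds like you forgot your certificate. Let's find it for you...
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgY2VydCBib2R5
-----END CERTIFICATE-----
What are you looking for? key
Sounds like you forgot your private key. Let's find it for you...
-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQga2V5IGJvZHk=
-----END RSA PRIVATE KEY-----
What are you looking for? """

def extract_pem(transcript):
    """Return [(label, pem_text)] for each well-formed PEM block."""
    blocks = []
    for m in PEM_RE.finditer(transcript):
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            base64.b64decode(body, validate=True)
        except ValueError:
            continue  # truncated or corrupted paste: do not save it
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        head, tail = f"-----BEGIN {label}-----", f"-----END {label}-----"
        blocks.append((label, "\n".join([head, *lines, tail, ""])))
    return blocks

def save_blocks(blocks, outdir):
    """Write cert.pub (0644) and key.pri (0600); return {name: path}."""
    written = {}
    for label, pem in blocks:
        is_key = label.endswith("PRIVATE KEY")
        path = os.path.join(outdir, "key.pri" if is_key else "cert.pub")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        os.fchmod(fd, 0o600 if is_key else 0o644)  # set mode before writing
        with os.fdopen(fd, "w") as fh:
            fh.write(pem)
        written[os.path.basename(path)] = path
    return written

if __name__ == "__main__":
    print(save_blocks(extract_pem(SAMPLE), tempfile.mkdtemp()))
```
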

What are you looking for? secure
Looks like the secure login service is running on port: 54321
 
Try connecting using:
socat stdio ssl:MACHINE_IP:54321,cert=<CERT_FILE>,key=<KEY_FILE>,verify=0
 
What are you looking for? login
Looks like the secure login service is running on port: 54321
 
Try connecting using:
socat stdio ssl:MACHINE_IP:54321,cert=<CERT_FILE>,key=<KEY_FILE>,verify=0

It would also appear that the unknown service on the target port 54321 is an authentication endpoint, as indicated by the suggested command: socat stdio ssl:MACHINE_IP:54321,cert=<CERT_FILE>,key=<KEY_FILE>,verify=0