👽 Exfiltrated

nmap -sV -sC -Pn -p- 192.168.102.163 --open

nmap -Pn -p- 192.168.102.163 -T4 --reason

nmap -sU --top-ports 16 192.168.102.163 --reason

nmap -sU -p 69 192.168.102.163 --reason

nmap -Pn -p 22,80 -A 192.168.102.163 -T4

Let's try in Burp Suite

locate seclists | grep -i ssh

Above are two wordlists for SSH.

Let's explore what data is in the SecLists wordlists.

gedit /usr/share/seclists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt

Open Burp suite Community Edition

Let's send a curl request

curl -I http://192.168.102.163/

HTTP/1.1 302 Found - permanent redirection

Set-Cookie: INTELLI_06c8042c3d=k403d5hnkotin0n3ubv2aii1bk; - using the cookie we can identify the system

Location: http://exfiltrated.offsec/ - Redirection location

Using virtual hosting, we can host multiple hosts on a single server. Virtual hosting, also known as virtual server hosting or web hosting, is a technology that allows multiple websites to run on a single physical server.

curl -X GET http://192.168.102.163/ -H "Host: exfiltrated.offsec"

curl -I http://192.168.102.163/ -L

curl -I http://192.168.102.163/ -H "HOTS: exfiltrated.offsec" - Modified Header

How can we check whether virtual hosting is enabled?

Use gobuster to identify virtual hosts.
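The curl requests above show the idea: the same IP answers differently depending on the Host header. The script below is an added example (not from the original notes) that makes that check repeatable. It starts a throw-away local HTTP server that imitates name-based virtual hosting (a stand-in for the target, assumed behaviour: the default vhost redirects to http://exfiltrated.offsec/ and the named vhost serves content) and then probes it twice, once with Host: <ip> and once with Host: exfiltrated.offsec, comparing status, body length and Location. The hostname is the one from the page's Location header; the server, its responses and the probe helpers are all assumptions for the demo.

```python
import http.server
import socketserver
import threading
import urllib.error
import urllib.request

# Hostname from the page's Location header. The server below is a local
# stand-in that imitates name-based virtual hosting; it is not the target box.
VHOST_NAME = "exfiltrated.offsec"


class VHostHandler(http.server.BaseHTTPRequestHandler):
    """Name-based vhost: the Host header, not the IP, decides the response."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        if host == VHOST_NAME:
            body = b"<html>Welcome to Subrion</html>"
            self.send_response(200)
        else:
            # Default vhost: bounce the client to the canonical name, as the
            # notes saw when requesting the bare IP.
            body = b""
            self.send_response(302)
            self.send_header("Location", f"http://{VHOST_NAME}/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence request logging
        pass


def start_server():
    """Bind a throw-away server on 127.0.0.1 and serve it in the background."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: the redirect itself is the evidence we want."""

    def redirect_request(self, *args, **kwargs):
        return None


def probe(ip, port, host_header):
    """GET / from ip:port with an explicit Host header.

    Returns (status, body_length, location) so two probes can be compared.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(f"http://{ip}:{port}/", headers={"Host": host_header})
    try:
        resp = opener.open(req, timeout=5)
        return resp.status, len(resp.read()), resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # Unfollowed 3xx (and 4xx/5xx) arrive here; still a valid observation.
        return err.code, len(err.read()), err.headers.get("Location")


def vhost_enabled(ip, port, hostname):
    """True when Host: <ip> and Host: <hostname> yield different responses."""
    base = probe(ip, port, ip)
    named = probe(ip, port, hostname)
    return base != named, base, named


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    enabled, base, named = vhost_enabled("127.0.0.1", port, VHOST_NAME)
    print("virtual hosting detected:", enabled)
    print("Host: 127.0.0.1 ->", base)
    print(f"Host: {VHOST_NAME} ->", named)
    srv.shutdown()
```

Against a real host you would point probe() at the IP and port 80 and try each candidate name; a differing (status, length, Location) triple is the same signal gobuster's vhost mode keys on. Not following redirects matters: with -L the two probes would both end up at the named site and look identical.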

Will try hydra

hydra -C /usr/share/seclists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt ssh://192.168.102.163

-v - verbose

-f - exit after the first found login/password pair (per host if -M)

hydra -C /usr/share/seclists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt ssh://192.168.102.163 -t 4 -v -f
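What the hydra run above looks like from the other side: every attempt lands in the target's sshd log as a "Failed password" line, so a burst of failures from one source is the detection signal. The script below is an added example (not from the original notes) that parses constructed auth.log lines in OpenSSH's format and flags sources with at least `threshold` failures inside `window_seconds`, also reporting whether a login was accepted from that source after the burst. The log lines, IPs and usernames are made up for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in OpenSSH auth.log format; hosts, users and IPs are
# illustrative and not taken from any real capture.
SAMPLE_LOG = """\
Jan 10 12:00:01 web sshd[2101]: Failed password for root from 10.0.0.5 port 50122 ssh2
Jan 10 12:00:02 web sshd[2103]: Failed password for invalid user admin from 10.0.0.5 port 50124 ssh2
Jan 10 12:00:02 web sshd[2105]: Failed password for invalid user test from 10.0.0.5 port 50126 ssh2
Jan 10 12:00:03 web sshd[2107]: Failed password for invalid user oracle from 10.0.0.5 port 50128 ssh2
Jan 10 12:00:04 web sshd[2109]: Accepted password for ubuntu from 10.0.0.5 port 50130 ssh2
Jan 10 12:30:00 web sshd[2300]: Failed password for alice from 10.0.0.9 port 41000 ssh2
Jan 10 12:35:00 web sshd[2302]: Accepted publickey for alice from 10.0.0.9 port 41002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd(log):
    """Yield (timestamp, result, user, ip) for each auth line we recognise."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Syslog timestamps carry no year; fine for in-window comparisons.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(log, threshold=3, window_seconds=60):
    """Return {ip: summary} for sources with a failure burst.

    A burst is `threshold` failed logins whose first and last timestamps lie
    within `window_seconds`. Distinct usernames hint at a list-based attack;
    an accepted login after the burst is the case to escalate first.
    """
    by_ip = defaultdict(lambda: {"fails": [], "users": set(), "accepted": []})
    for ts, result, user, ip in parse_sshd(log):
        rec = by_ip[ip]
        if result == "Failed":
            rec["fails"].append(ts)
            rec["users"].add(user)
        else:
            rec["accepted"].append(ts)

    alerts = {}
    for ip, rec in by_ip.items():
        fails = sorted(rec["fails"])
        burst_end = None
        for i in range(len(fails) - threshold + 1):
            span = (fails[i + threshold - 1] - fails[i]).total_seconds()
            if span <= window_seconds:
                burst_end = fails[i + threshold - 1]
                break
        if burst_end is None:
            continue
        alerts[ip] = {
            "failures": len(fails),
            "distinct_users": len(rec["users"]),
            "success_after_burst": any(t >= burst_end for t in rec["accepted"]),
        }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, summary)
```

On the sample, 10.0.0.5 is flagged (four failures across four usernames in three seconds, then an accepted password login), while 10.0.0.9's single typo followed by a key-based login is left alone. Hydra's -t 4 keeps the attempt rate low, so tune the window to the rate you actually expect rather than to the default.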

Will check the other ports - port 80 is open, the OS is Ubuntu and the web server is Apache httpd 2.4.41.

This is a kind of misconfiguration: the banner reveals the version, and once an attacker knows the version it is easier to identify matching exploits.

This should be mitigated by preventing fingerprinting. - https://docs.veracode.com/r/fingerprinting

Port 80 / CMS: Subrion 4.2

TTL is 64 - Linux

TTL is 128 - Windows

TTL is 255 - Cisco devices

Let's fingerprint the web server

whatweb http://exfiltrated.offsec/ -v
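The fingerprinting points above (version in the Server banner, an application-specific cookie name, the Location host, and the TTL-to-OS rule of thumb) can be checked mechanically. The script below is an added example, not from the original notes or from whatweb: it parses a response header block in the shape of the earlier `curl -I` output and reports each disclosure, and applies the page's TTL table to guess the OS and hop distance. The header block is constructed for the demo (the Server value is built from the Apache 2.4.41 / Ubuntu finding, the cookie and Location from the page; Date and Content-Type are filler), and the "generic cookie names" set is an assumption.

```python
import re

# Constructed header block in the shape of the page's `curl -I` output.
# Server is reconstructed from the Apache 2.4.41 / Ubuntu finding; Date and
# Content-Type are filler values, not captured from the real host.
SAMPLE_RESPONSE = """\
HTTP/1.1 302 Found
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: INTELLI_06c8042c3d=k403d5hnkotin0n3ubv2aii1bk; path=/
Location: http://exfiltrated.offsec/
Content-Type: text/html; charset=UTF-8
"""

# Cookie names that say nothing about the application (assumed list).
GENERIC_COOKIES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid"}

# The page's TTL rule of thumb: default initial TTL per platform.
DEFAULT_TTLS = ((64, "Linux/Unix"), (128, "Windows"), (255, "Cisco/network device"))


def parse_headers(raw):
    """Split a raw header block into (status_line, {name.lower(): [values]})."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def find_disclosures(headers):
    """List (header, value) pairs that leak software version or app identity."""
    findings = []
    for name in ("server", "x-powered-by"):
        for value in headers.get(name, []):
            if re.search(r"\d+\.\d+", value):  # a version number is present
                findings.append((name, value))
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        if cookie_name.lower() not in GENERIC_COOKIES:
            findings.append(("set-cookie", cookie_name))
    return findings


def redirect_host(headers):
    """Hostname named in a Location header: a virtual-host candidate."""
    for loc in headers.get("location", []):
        m = re.match(r"https?://([^/:]+)", loc)
        if m:
            return m.group(1)
    return None


def ttl_guess(observed):
    """Map an observed TTL to (platform guess, estimated hops) via DEFAULT_TTLS."""
    if not 1 <= observed <= 255:
        raise ValueError("TTL must be between 1 and 255")
    for initial, label in DEFAULT_TTLS:
        if observed <= initial:
            return label, initial - observed
    raise AssertionError("unreachable: 255 covers every valid TTL")


if __name__ == "__main__":
    status, hdrs = parse_headers(SAMPLE_RESPONSE)
    print(status)
    for finding in find_disclosures(hdrs):
        print("disclosure:", finding)
    print("redirect host:", redirect_host(hdrs))
    for ttl in (63, 128, 252):
        print(f"ttl {ttl}:", ttl_guess(ttl))
```

A TTL of 63 therefore reads as "Linux, one hop away", which is how the nmap/ping observation on this box is interpreted. On the mitigation side, the same checks run against your own servers will tell you whether the banner and cookie changes you made actually removed the disclosures.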

Search for exploits for CMS: Subrion 4.2

Found something - https://www.exploit-db.com/exploits/49876

Will try the below links on timing-based username enumeration

https://passkwall.medium.com/timing-based-username-enumeration-whats-a-fix-versus-mitigation-8a0f8c7191f2

https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-response-timing

https://www.pentestpartners.com/security-blog/time-based-username-enumeration

Will try dirb

dirb http://exfiltrated.offsec/panel/ /usr/share/wordlists/dirb/big.txt -f
