1. Enumeration:
- Nmap: to scan for open ports and services
$ nmap -sC -sV 10.10.10.217
So three ports are open: 22 (ssh), 80 (http) and 443 (https).
There are two domain names in the nmap result (DNS:cereal.htb and DNS:source.cereal.htb, printed by the ssl-cert script from the HTTPS certificate's Subject Alternative Names); let's add them to our /etc/hosts file:
2. Web Enumeration:
- cereal.htb: there is a simple login page:
- source.cereal.htb: gives us an error page that contains the path of a file (C:\inetpub\source\default.aspx):
- Gobuster or dirsearch:
$ gobuster dir -u http://source.cereal.htb/ -w /usr/share/ raft-small-words.txt -t 50
or with dirsearch and the common.txt wordlist:
$ python3 /home/sehs/dirsearch/dirsearch.py -u http://source.cereal.htb -w /usr/share/dirb/wordlists/raft-small-words.txt -e txt,html,php,log,zip,bac,bak,tar
Let's check out the exposed .git directory with GitTools:
git clone https://github.com/internetwache/GitTools
cd GitTools/Dumper/
ls
cat README.md
bash gitdumper.sh http://source.cereal.htb/.git/ dist-dir
$ bash gitdumper.sh http://source.cereal.htb/.git/ /home/sehs/Downloads/cereal/dump/
- Extractor script: extracts commits and their content from a broken repository.
cd ../Extractor/
ls
cat README.md
bash extractor.sh ../../dump/ dist-dir/all_dump/
$ bash extractor.sh /home/sehs/Downloads/cereal/dump/ /home/sehs/Downloads/cereal/all_dump/
So now we have the .git files dumped into dump/
and extracted into all_dump/.
It seems we have the source code of the running application; let's look for the authentication mechanism or anything else interesting.
- After roaming around the source a bit, found a hard-coded secret:
var key = Encoding.ASCII.GetBytes("secretlhfIH&FY*#oysuflkhskjfhefesf");
Secret: secretlhfIH&FY*#oysuflkhskjfhefesf
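What the "roaming around" step amounts to, as an added example that is not part of the original write-up: a small Python secret scanner of the kind a defender runs in CI over their own repository before a key like the one above ever reaches a web root, or an auditor runs over a tree recovered the way all_dump/ was. The patterns, the file-extension list, the scan_text/scan_tree/redact names and the sample C# are all my own assumptions; the key and database password in the sample are made-up values, not the real ones.

```python
"""Hunt for hard-coded secrets in a source tree (e.g. one extracted from a leaked .git).

Added example for this write-up, not part of GitTools or the target application.
"""
import re
from pathlib import Path

# Heuristic patterns for secrets in .NET/C# sources and config files.
# Each pattern's last capture group is the secret value itself.
PATTERNS = {
    # e.g. Encoding.ASCII.GetBytes("...long literal...") used as a symmetric key
    "hardcoded-key-bytes": re.compile(
        r'Encoding\.(?:ASCII|UTF8)\.GetBytes\(\s*"([^"]{16,})"\s*\)'),
    # e.g. string secret = "...", Password = "..."
    "secret-assignment": re.compile(
        r'(?i)\b(?:secret|key|password|passwd|token)\w*\s*=\s*"([^"]{8,})"'),
    # e.g. "Server=db;User Id=sa;Password=...;" inside a connection string
    "connection-string": re.compile(
        r'(?i)\b(?:password|pwd)\s*=\s*([^;"\s]{6,})'),
}

# File types worth scanning in an ASP.NET project dump (assumed list).
SOURCE_EXTENSIONS = {".cs", ".aspx", ".config", ".json", ".js", ".xml", ".txt"}


def redact(value, keep=4):
    """Keep only a short prefix so the report does not itself leak the secret."""
    return value[:keep] + "*" * (len(value) - keep)


def scan_text(text, source="<string>"):
    """Return a list of findings (rule, file, line, redacted value, length) for one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(match.lastindex)
                findings.append({
                    "rule": name,
                    "file": source,
                    "line": lineno,
                    "secret": redact(value),
                    "length": len(value),
                })
    return findings


def scan_tree(root):
    """Walk a directory such as all_dump/ and scan every source-like file in it."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SOURCE_EXTENSIONS:
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            findings.extend(scan_text(text, str(path)))
    return findings


# Constructed sample mirroring the shape of the leaked C# line above.
# Both secret values are invented for this example.
SAMPLE_CS = '''
public class JwtHelper {
    // Symmetric key embedded in source: anyone holding the repo can mint tokens.
    var key = Encoding.ASCII.GetBytes("EXAMPLEkeyValueNotReal0123456789");
    string connStr = "Server=db;Database=app;User Id=sa;Password=S3cretDbPw!;";
    int retries = 3;
}
'''

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CS, "JwtHelper.cs"):
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['secret']} ({f['length']} chars)")
    # Against a real dump: python3 secret_scan.py, then scan_tree("all_dump/")
```

Run as-is it reports the two planted values from the sample, redacted; point scan_tree at the extracted dump to cover the whole tree. The regexes are deliberately loose (long quoted literals next to key-like names), so expect a few false positives and review them by hand; the win is that a committed key is flagged at review time instead of being discovered in a dumped .git.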