Nmap scan report for 192.168.121.99
Nmap shows that ports 8089 and 33333 serve HTTP pages.
Looking through the 8089 page, it seems to send requests to the 33333 page.
If we visit the 33333 page directly, it's
If we try to query the resource that we found in 8089,
then we get
<p>Cannot "GET" /list-current-deployments</P>
Hmm... Cannot "GET".
Therefore we send the request to Burp Suite and try to POST it:
POST /list-current-deployments HTTP/1.1
We get a "not implemented" response.
I tried to wfuzz it and see if I could replace the data field of the POST to get more information.
wfuzz -z file,/usr/share/seclists/Discovery/Web-Content/api/objects.txt -d "FUZZ" --filter "chars!=22" http://192.168.121.99:33333/list-current-deployments
It didn't work.
But if we request another resource,
/list-running-procs, it works.
We can see here that a password is passed through the command line.
It seems to be base64 encoded. Decoding it, we get:
We can log in through SSH using the credentials we found:
Finally, we find local.txt on ariah's Desktop.
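A credential on a process command line is visible to anyone who can list processes, and base64 only hides it from a casual glance. The following added example (not from the original writeup) shows the defensive check: scan a process listing for secret-carrying arguments, test whether the value is merely base64, and produce a redacted command line that is safe to log. The flag names, the process lines and the credentials are constructed for the example.

```python
import base64
import binascii
import re

# Flags and key=value names that commonly carry secrets on a command line.
# Assumption: this list is illustrative; extend it for your environment.
ARG_PATTERN = re.compile(
    r"(?i)(?<![\w-])(?P<flag>(?:--?)?(?:password|passwd|pwd|pass|secret|token))"
    r"(?P<sep>=|\s+)"
    r"(?P<value>\"[^\"]*\"|'[^']*'|[^\s\"';-][^\s\"';]*)"
)

# Constructed process listing (as from `ps` / `wmic process get commandline`).
SAMPLE_PROCS = [
    # a service launched with a base64-wrapped credential on its command line
    "C:\\svc\\deploy-agent.exe --user ariah --password "
    + base64.b64encode(b"Example-Pw-1").decode(),
    # a plain-text password inside a quoted connection string
    "C:\\app\\worker.exe /conn \"Server=db01;User Id=app;Password=Sup3r!;\"",
    # a benign process that must not be flagged
    "C:\\Windows\\System32\\svchost.exe -k netsvcs -p",
]


def try_base64(value):
    """Return the decoded text if value is base64 of printable UTF-8, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    return text if text and text.isprintable() else None


def find_cli_secrets(proc_lines):
    """Flag command lines that pass a credential as an argument."""
    findings = []
    for line in proc_lines:
        for m in ARG_PATTERN.finditer(line):
            value = m.group("value").strip("\"'")
            findings.append({
                "cmdline": line,
                "flag": m.group("flag"),
                "value": value,
                "decoded": try_base64(value),  # not None => base64 was only obfuscation
            })
    return findings


def redact_cmdline(line):
    """Mask secret values so the command line can be logged or reported safely."""
    return ARG_PATTERN.sub(lambda m: m.group("flag") + m.group("sep") + "***", line)


if __name__ == "__main__":
    for f in find_cli_secrets(SAMPLE_PROCS):
        print(f"{f['flag']}: {redact_cmdline(f['cmdline'])} (base64={f['decoded'] is not None})")
```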
Upload winPEAS using:
We find a PDF file in the
C:/ftp folder, but it needs a password.
We crack it with John: first use
pdf2john to generate the hash, then use
rockyou to crack it.
The password is
Temporary Command endpoint exists on the server.
We also find that port 80 is actually open. I suspect it's only accessible from the internal network. That's why we didn't see it in the nmap scan.
Tunnel through using SSH:
ssh -N -L 0.0.0.0:80:192.168.121.99:80 email@example.com
We can then easily grab the proof.txt file.
Time cost: 2 hours 30 minutes