We begin by examining the three identified servers and conducting enumeration on the web server.
By using a browser plugin like Wappalyzer, we can analyze the technologies used by the server, including any available version information.
This information can be valuable for identifying exploits or known vulnerabilities associated with the technologies and their specific versions, potentially aiding in compromising the server.
Although similar details can be manually extracted from HTTP headers, source code inspection, or URL paths, the plugin provides a much faster way to gather this information, which is crucial during an engagement.
We notice that there is a navigation menu at the top with the tabs “Overview”, “Meet the Team” and “Contact Us”.
Since we are gathering information, the “Meet the Team” page might give us some useful information regarding the employees of the organization, the team’s structure, roles, and email addresses.
By inspecting the client-side source of the team images, we discover the path to the image directory, and each image filename reveals the user's name.
Accessing the identified path (/october/themes/demo/assets/images/) reveals a directory listing vulnerability, allowing us to view all names associated with the images.
A significant risk with this image naming convention is the high likelihood that these names follow the same format as corporate email addresses. By reviewing the "Contact Us" page, we see that CVs and other documents can be sent to applications@corp.thereserve.loc.
This reveals the domain structure used in corporate emails, enabling us to compile a potential list of usernames:
With the password policy and base list available, we can start building a list of potential passwords to use against authentication forms or services later on.
The project brief lists the restricted set of special characters required by the password policy.
To generate a password list from the information gathered, a rule that mangles the password base list is needed. To do so, john.conf was extended with a custom rule:
[List.Rules:RTC]
Az"[0-9]" $[!@#$%^]
Generate passwords.txt:
john --wordlist=password_base_list.txt --rules=RTC --stdout > passwords.txt
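To see exactly what the RTC rule expands to (and how small the candidate space per base word is: ten digits times six specials, 60 candidates), here is an added Python re-implementation of the two rule commands used above; it is not part of the original write-up or of John the Ripper, and the base words in it are constructed because the real password_base_list.txt is not shown.

```python
import re
from itertools import product
# Constructed base words; the page's actual password_base_list.txt is not shown.
BASE_WORDS = ["Reserve", "Welcome"]
RTC_RULE = 'Az"[0-9]" $[!@#$%^]'  # the custom rule added to john.conf above
_CLASS = re.compile(r"\[([^\]]+)\]")

def expand_class(body):
    """Expand a John character class body such as 0-9 or !@#$%^ into its members."""
    chars, i = [], 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":
            chars.extend(chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1))
            i += 3
        else:
            chars.append(body[i])
            i += 1
    return chars

def preprocess(rule):
    """Expand every [...] in a rule into concrete rules, as John's preprocessor does
    (same set of rules; John's emission order may differ)."""
    parts = _CLASS.split(rule)  # literal, class, literal, class, ..., literal
    literals, classes = parts[0::2], [expand_class(c) for c in parts[1::2]]
    rules = []
    for combo in product(*classes):
        s = literals[0]
        for ch, lit in zip(combo, literals[1:]):
            s += ch + lit
        rules.append(s)
    return rules

def apply_rule(rule, word):
    """Apply the two commands the RTC rule uses: Az"STR" appends STR, $X appends X."""
    i = 0
    while i < len(rule):
        if rule[i] == " ":
            i += 1
        elif rule.startswith('Az"', i):
            end = rule.index('"', i + 3)
            word, i = word + rule[i + 3:end], end + 1
        elif rule[i] == "$":
            word, i = word + rule[i + 1], i + 2
        else:
            raise ValueError("unsupported rule command at offset %d: %r" % (i, rule[i]))
    return word

def mangle(rule, bases):
    """Every candidate John would write to passwords.txt for these base words."""
    return [apply_rule(r, b) for b in bases for r in preprocess(rule)]
```

Because the rule only appends one digit and one special character, a policy that merely mandates "a digit and a special character" adds just 60 variants per base word, which is why such lists stay small enough to be useful to an attacker and why defenders should prefer length and breach-list checks over composition rules.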
vpn.thereserve.loc (10.200.XXX.12)
Upon accessing the VPN server, we encounter a login page that requires an internal (corporate) account, which could be a good target for brute-force attempts.
Through testing various endpoints, we discover /vpn and /vpns; the first endpoint provides a .ovpn template file.
mail.thereserve.loc (10.200.XXX.11)
When accessing the hostname specified for the mail page, we receive an HTTP 403 Forbidden response.
However, when accessing the IP address directly, we see a default IIS page, indicating that the correct path may be required to access the email application.
By examining the technologies related to the webpage, we determine that the web server is running Roundcube, an open-source webmail application.
Additionally, Wappalyzer identifies several other technologies in use on the server.
Upon inspection, we discover that the server is running not only Roundcube but also PHP.
By examining the GitHub repository, we identify the main index.php page, which redirects us to the application's default login page. This login page could potentially be another target for a brute-force attack.
We can also log in using the credentials given to us earlier by e-citizen to view any emails addressed to us.
Flags are provided via email. They can also be accessed via the e-citizen platform.
So far, we have collected a wealth of useful information through our OSINT research, utilizing passive methods or simply browsing. Along with the identified technologies and their versions, we've compiled a list of potential usernames and passwords.
The next step is to identify a point of failure and breach the perimeter.
To do this, we begin by performing active enumeration of the three servers using the Nmap scanner.
Nmap for web.thereserve.loc
┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone]
└─$ nmap -sC -sV -Pn web.thereserve.loc -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 12:47 IST
Nmap scan report for web.thereserve.loc (10.200.118.13)
Host is up (0.22s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 09:7a:f3:cc:5a:52:4e:d4:b3:48:e3:5c:1c:8f:f7:74 (RSA)
| 256 96:79:26:12:ce:de:e3:09:79:db:f4:3b:f9:23:08:78 (ECDSA)
|_ 256 c4:82:50:4d:d2:27:f1:20:46:28:ba:f5:dc:d8:0e:f1 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.06 seconds
Nmap for vpn.thereserve.loc
┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone]
└─$ nmap -sC -sV -Pn vpn.thereserve.loc -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 12:47 IST
Nmap scan report for vpn.thereserve.loc (10.200.118.12)
Host is up (0.21s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f2:b9:e0:c8:de:65:0b:a1:74:3c:54:75:a6:fd:e5:63 (RSA)
| 256 ae:16:ea:32:9f:70:24:cd:d2:76:15:0e:f1:69:7b:7a (ECDSA)
|_ 256 8d:a0:14:d9:33:bf:a7:27:9e:1f:3a:6e:9f:8a:96:57 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: VPN Request Portal
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.51 seconds
Nmap for mail.thereserve.loc
┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone]
└─$ nmap -sC -sV -Pn mail.thereserve.loc -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 12:47 IST
Warning: 10.200.118.11 giving up on port because retransmission cap hit (6).
Nmap scan report for mail.thereserve.loc (10.200.118.11)
Host is up (0.27s latency).
Not shown: 981 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 f3:6c:52:d2:7f:e9:0e:1c:c1:c7:ac:96:2c:d1:ec:2d (RSA)
| 256 c2:56:3c:ed:c4:b0:69:a8:e7:ad:3c:31:05:05:e9:85 (ECDSA)
|_ 256 d3:e5:f0:73:75:d5:20:d9:c0:bb:41:99:e7:af:a0:00 (ED25519)
25/tcp open smtp hMailServer smtpd
| smtp-commands: MAIL, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: 403 - Forbidden: Access is denied.
| http-methods:
|_ Potentially risky methods: TRACE
110/tcp open pop3 hMailServer pop3d
|_pop3-capabilities: UIDL TOP USER
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
|_imap-capabilities: NAMESPACE SORT CHILDREN QUOTA ACL completed CAPABILITY IDLE OK RIGHTS=texkA0001 IMAP4rev1 IMAP4
445/tcp open microsoft-ds?
587/tcp open smtp hMailServer smtpd
| smtp-commands: MAIL, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
1052/tcp filtered ddt
2002/tcp filtered globe
2103/tcp filtered zephyr-clt
2608/tcp filtered wag-service
3306/tcp open mysql MySQL 8.0.31
| ssl-cert: Subject: commonName=MySQL_Server_8.0.31_Auto_Generated_Server_Certificate
| Not valid before: 2023-01-10T07:46:11
|_Not valid after: 2033-01-07T07:46:11
| mysql-info:
| Protocol: 10
| Version: 8.0.31
| Thread ID: 13
| Capabilities flags: 65535
| Some Capabilities: Support41Auth, SupportsLoadDataLocal, IgnoreSigpipes, DontAllowDatabaseTableColumn, ConnectWithDatabase, SupportsTransactions, FoundRows, Speaks41ProtocolNew, LongPassword, InteractiveClient, SwitchToSSLAfterHandshake, IgnoreSpaceBeforeParenthesis, ODBCClient, SupportsCompression, LongColumnFlag, Speaks41ProtocolOld, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: h /J\x1B73N
| ;3\x1901py`p~\x1D
|_ Auth Plugin Name: caching_sha2_password
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: THERESERVE
| NetBIOS_Domain_Name: THERESERVE
| NetBIOS_Computer_Name: MAIL
| DNS_Domain_Name: thereserve.loc
| DNS_Computer_Name: MAIL.thereserve.loc
| Product_Version: 10.0.17763
|_ System_Time: 2024-11-12T07:18:44+00:00
| ssl-cert: Subject: commonName=MAIL.thereserve.loc
| Not valid before: 2024-11-06T10:50:16
|_Not valid after: 2025-05-08T10:50:16
|_ssl-date: 2024-11-12T07:18:57+00:00; 0s from scanner time.
6004/tcp filtered X11:4
7402/tcp filtered rtps-dd-mt
8300/tcp filtered tmi
16080/tcp filtered osxwebadmin
Service Info: Host: MAIL; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-11-12T07:18:45
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.15 seconds
From the results of scanning web.thereserve.loc and vpn.thereserve.loc, we observe that only the HTTP and SSH ports are available. For the time being, we will not attempt a brute-force attack on SSH.
On the mail server, we discover numerous open ports and services.
While several of these services are interesting, we decide to focus on setting up a brute-force attempt on the SMTP service using Hydra.
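The mail scan above is long enough that triaging it by eye is error-prone. The following added Python example (not part of the original write-up, and not an Nmap tool) parses the plain-text -sV output and flags the findings a defender would act on first; the embedded input is an excerpt of the mail.thereserve.loc scan shown above.

```python
import re
# Excerpt of the mail.thereserve.loc scan output shown above, embedded as sample input.
SCAN = """\
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
25/tcp open smtp hMailServer smtpd
| smtp-commands: MAIL, SIZE 20480000, AUTH LOGIN, HELP
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds?
1052/tcp filtered ddt
3306/tcp open mysql MySQL 8.0.31
3389/tcp open ms-wbt-server Microsoft Terminal Services
Host script results:
| smb2-security-mode:
|_ Message signing enabled but not required
"""
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

def parse_ports(text):
    """Return one dict per port line, with the NSE script lines below it attached."""
    ports, cur = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            cur = {"port": int(m[1]), "state": m[3], "service": m[4],
                   "version": m[5].strip(), "scripts": []}
            ports.append(cur)
        elif line.startswith("|") and cur is not None:
            cur["scripts"].append(line.lstrip("|_ ").strip())
        else:
            cur = None  # "Host script results:" and similar lines end the per-port block
    return ports

def triage(text):
    """Flag what a defender should fix, using only facts present in the scan text."""
    findings = []
    for p in parse_ports(text):
        if p["state"] != "open":
            continue
        scripts = " ".join(p["scripts"])
        if p["port"] in (25, 110, 143, 587) and "AUTH LOGIN" in scripts:
            findings.append((p["port"], "AUTH LOGIN offered on a cleartext port; require TLS"))
        if "TRACE" in scripts:
            findings.append((p["port"], "HTTP TRACE method enabled; disable it"))
        if p["service"] in ("mysql", "ms-wbt-server", "microsoft-ds?"):
            findings.append((p["port"], p["service"] + " exposed at the perimeter; restrict access"))
    if "signing enabled but not required" in text:
        findings.append((445, "SMB signing enabled but not required; enforce signing"))
    return findings
```

Run against the full scan, the same checks also catch the AUTH LOGIN advertisement on 587/tcp and the filtered ports are ignored as non-findings.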
While exploring the website, we also discovered info.php at , which may reveal further details about the technologies in use, internal directories, and configurations.
A quick search for the application leads us to the GitHub repository at .