We begin by examining the three identified servers and conducting enumeration on the web server.
By using a browser plugin like Wappalyzer, we can analyze the technologies used by the server, including any available version information.
This information can be valuable for identifying exploits or known vulnerabilities associated with the technologies and their specific versions, potentially aiding in compromising the server.
Although similar details can be manually extracted from HTTP headers, source code inspection, or URL paths, the plugin provides a much faster way to gather this information, which is crucial during an engagement.
While exploring the website, we also discovered info.php at http://web.thereserve.loc/info.php, which may reveal further details about the technologies in use, internal directories, and configurations.
We notice a navigation menu at the top with the tabs “Overview”, “Meet the Team” and “ContactUs”.
Since we are gathering information, the “Meet the Team” page might give us some useful information regarding the employees of the organization, the team’s structure, roles, and email addresses.
By inspecting the page source for the team photos, we find the path the images are served from, and each file name reveals the person's name.
Browsing to the identified path (/october/themes/demo/assets/images/) shows that directory listing is enabled, an information-disclosure misconfiguration that lets us read every image name, and therefore every employee name, in one request.
The real risk of this naming convention is that the names very likely follow the same format as the corporate e-mail addresses. The "Contact Us" page confirms the domain: CVs and other documents are to be sent to applications@corp.thereserve.loc.
This gives us the domain structure used for corporate e-mail, so we can compile a list of candidate usernames.
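As an added example (not code from the original writeup), the following Python turns a directory listing of team photos into a candidate user list. The HTML listing and the file names in it are constructed for illustration; the assumption is that images are named first.last.ext, as the page describes, and that corporate addresses live under corp.thereserve.loc, as seen on the Contact Us page.

```python
import re
from html.parser import HTMLParser

# Constructed sample of an Apache directory listing, modelled on the kind of
# page exposed at /october/themes/demo/assets/images/. The person names are
# invented; the real listing is not reproduced here.
SAMPLE_LISTING = """
<html><body><h1>Index of /october/themes/demo/assets/images/</h1>
<a href="?C=M;O=A">Last modified</a>
<a href="../">Parent Directory</a>
<a href="logo.png">logo.png</a>
<a href="laura.smith.jpg">laura.smith.jpg</a>
<a href="mark.flint.jpg">mark.flint.jpg</a>
<a href="mohammad.ahmed.jpg">mohammad.ahmed.jpg</a>
<a href="banner.jpg">banner.jpg</a>
</body></html>
"""

# Assumptions: photos are named "first.last.<ext>" and the mail domain is the
# one seen on the Contact Us page.
DOMAIN = "corp.thereserve.loc"
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")
NAME_RE = re.compile(r"^([a-z]+)\.([a-z]+)$")


class LinkCollector(HTMLParser):
    """Collects the href target of every <a> tag in the listing."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.hrefs.append(value)


def extract_names(listing_html):
    """Return (first, last) pairs for image files named first.last.ext."""
    parser = LinkCollector()
    parser.feed(listing_html)
    names = []
    for href in parser.hrefs:
        if href.startswith("?") or href.startswith("../"):
            continue  # column-sort links and the parent directory
        base, dot, ext = href.rpartition(".")
        if not dot or ("." + ext.lower()) not in IMAGE_EXTS:
            continue
        match = NAME_RE.match(base.lower())
        if match:
            names.append((match.group(1), match.group(2)))
    return names


def username_candidates(first, last):
    """Common corporate username formats for one person, deduplicated, in order."""
    forms = [
        f"{first}.{last}",
        f"{first}{last}",
        f"{first[0]}{last}",
        f"{first}{last[0]}",
        f"{first}_{last}",
        f"{last}.{first}",
    ]
    seen, out = set(), []
    for form in forms:
        if form not in seen:
            seen.add(form)
            out.append(form)
    return out


def build_user_list(listing_html, domain=DOMAIN):
    """All candidate e-mail addresses derived from a directory listing."""
    users = []
    for first, last in extract_names(listing_html):
        users.extend(f"{u}@{domain}" for u in username_candidates(first, last))
    return users


if __name__ == "__main__":
    for user in build_user_list(SAMPLE_LISTING):
        print(user)
```

The first.last form is the one the site itself uses, so it goes first in each group; the other forms are cheap extra guesses for a login that only tells you "invalid credentials" and not which half was wrong.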
With the password policy and a base word list available, we can start building a list of candidate passwords to use against authentication forms or services later on.
The project brief provides the required password policy, including the restricted set of special characters that may be used.
To generate a password list from the information gathered, a rule is needed to mangle the base words. For this, john.conf was extended with a custom rule section:
[List.Rules:RTC]
Az"[0-9]" $[!@#$%^]
Then generate passwords.txt:
john --wordlist=password_base_list.txt --rules=RTC --stdout > passwords.txt
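As an added example (not part of the original writeup), the following Python reproduces what the RTC rule expands to, so the candidate list can be sanity-checked against the policy before it is thrown at a login form. The base words and the policy parameters (minimum length, allowed special characters) are assumptions; the actual policy from the project brief is not reproduced on this page.

```python
import itertools

# The rule the page adds to john.conf:
#   [List.Rules:RTC]
#   Az"[0-9]" $[!@#$%^]
# John's rule preprocessor expands each [...] class into one rule per
# character, so this one line becomes 10 * 6 = 60 rules: append one digit,
# then append one of the six special characters.
DIGITS = "0123456789"
SPECIALS = "!@#$%^"


def expand_rtc(word):
    """Apply the RTC rule to one base word and return all 60 candidates.

    Only the set of candidates is guaranteed to match john --rules=RTC --stdout;
    the order in which john emits them is not relied upon here.
    """
    return [word + d + s for d, s in itertools.product(DIGITS, SPECIALS)]


def meets_policy(candidate, min_len=8, allowed_specials=SPECIALS):
    """Assumed policy: minimum length, at least one digit, at least one special
    character, and no special characters outside the allowed set."""
    if len(candidate) < min_len:
        return False
    has_digit = any(c.isdigit() for c in candidate)
    specials = [c for c in candidate if not c.isalnum()]
    if not has_digit or not specials:
        return False
    return all(c in allowed_specials for c in specials)


def generate_passwords(base_words, policy=meets_policy):
    """Mangle every base word with the RTC rule, keep those passing policy,
    and drop duplicates while preserving order (john --stdout does not dedupe)."""
    seen, out = set(), []
    for word in base_words:
        for cand in expand_rtc(word):
            if cand not in seen and policy(cand):
                seen.add(cand)
                out.append(cand)
    return out


# Constructed base words standing in for password_base_list.txt
BASE_WORDS = ["Reserve", "TheReserve", "Bank", "Welcome2024"]

if __name__ == "__main__":
    for password in generate_passwords(BASE_WORDS):
        print(password)
```

Filtering on the policy before spraying matters: a lockout policy counts every failed attempt, so candidates that cannot possibly be valid (too short, disallowed symbol) are wasted attempts against a limited budget.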
vpn.thereserve.loc (10.200.XXX.12)
Upon accessing the VPN server, we encounter a login page that requires an internal (corporate) account, which could be a good target for brute-force attempts.
Through testing various endpoints, we discover /vpn and /vpns; the first endpoint provides a .ovpn template file.
mail.thereserve.loc (10.200.XXX.11)
When accessing the hostname given for the mail server, we receive an HTTP 403 Forbidden response.
When accessing the IP address directly, however, we see the default IIS page, which suggests that a specific path is required to reach the webmail application.
By examining the technologies fingerprinted on the page, we determine that the webmail application is Roundcube, an open-source webmail client.
Wappalyzer identifies several other technologies in use on the server as well, including PHP.
Roundcube's GitHub repository shows that its entry point is index.php; requesting it redirects us to the application's default login page. This login form is another potential target for a brute-force attack.
We can also log in using the credentials given to us earlier by e-citizen to view any e-mails addressed to us.
Flags are delivered via e-mail and can also be accessed through the e-citizen platform.
So far, we have collected a wealth of useful information through OSINT, using passive methods or simply browsing the sites. Along with the identified technologies and their versions, we have compiled a list of candidate usernames and passwords.
The next step is to identify a point of failure and breach the perimeter.
To do this, we begin by performing active enumeration of the three servers with Nmap.
Nmap for web.thereserve.loc
┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone]
└─$ nmap -sC -sV -Pn web.thereserve.loc -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 12:47 IST
Nmap scan report for web.thereserve.loc (10.200.118.13)
Host is up (0.22s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 09:7a:f3:cc:5a:52:4e:d4:b3:48:e3:5c:1c:8f:f7:74 (RSA)
|   256 96:79:26:12:ce:de:e3:09:79:db:f4:3b:f9:23:08:78 (ECDSA)
|_  256 c4:82:50:4d:d2:27:f1:20:46:28:ba:f5:dc:d8:0e:f1 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.06 seconds
Nmap for vpn.thereserve.loc
┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone]
└─$ nmap -sC -sV -Pn vpn.thereserve.loc -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 12:47 IST
Nmap scan report for vpn.thereserve.loc (10.200.118.12)
Host is up (0.21s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f2:b9:e0:c8:de:65:0b:a1:74:3c:54:75:a6:fd:e5:63 (RSA)
|   256 ae:16:ea:32:9f:70:24:cd:d2:76:15:0e:f1:69:7b:7a (ECDSA)
|_  256 8d:a0:14:d9:33:bf:a7:27:9e:1f:3a:6e:9f:8a:96:57 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: VPN Request Portal
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.51 seconds
From the scans of web.thereserve.loc and vpn.thereserve.loc we see that only SSH (22/tcp) and HTTP (80/tcp) are exposed. For the time being, we will not attempt a brute-force attack on SSH.
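As an added example (not part of the original writeup), here is a small parser for Nmap's normal output that turns the scan reports above into a per-host list of open services, so that version strings can be pulled out for vulnerability research and login-bearing services can be short-listed for credential attacks. The embedded scan text is a constructed excerpt carrying the same ports and versions the two scans reported; the list of "wanted" services is an assumption.

```python
import re

# Constructed excerpt in Nmap normal-output format, with the ports and
# versions reported by the two scans on this page.
SCAN_OUTPUT = """\
Nmap scan report for web.thereserve.loc (10.200.118.13)
Host is up (0.22s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for vpn.thereserve.loc (10.200.118.12)
Host is up (0.21s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
"""

REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?")
# port/proto, state, service, then everything else is the version banner
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Map each scanned host to its IP and a list of open ports."""
    hosts, current = {}, None
    for line in text.splitlines():
        match = REPORT_RE.match(line)
        if match:
            current = match.group(1)
            hosts[current] = {"ip": match.group(2), "ports": []}
            continue
        match = PORT_RE.match(line)
        if match and current:
            port, proto, state, service, version = match.groups()
            if state.startswith("open"):  # also catches open|filtered
                hosts[current]["ports"].append({
                    "port": int(port),
                    "proto": proto,
                    "service": service,
                    "version": version.strip(),
                })
    return hosts


def candidate_services(hosts, wanted=("ssh", "http", "smtp", "pop3", "imap")):
    """Return (host, port, service, version) for services that carry a login
    or a version banner worth researching. The wanted set is an assumption."""
    out = []
    for host, info in hosts.items():
        for p in info["ports"]:
            if p["service"] in wanted:
                out.append((host, p["port"], p["service"], p["version"]))
    return out


if __name__ == "__main__":
    for entry in candidate_services(parse_nmap(SCAN_OUTPUT)):
        print(entry)
```

For a larger scope, run Nmap with -oN and feed the file to parse_nmap; the same regexes work on the multi-host output because each "Nmap scan report for" line resets the current host.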
On the mail server, we discover numerous open ports and services.
While several of these services are interesting, we decide to focus on setting up a brute-force attempt against the SMTP service using Hydra.