OSINT

web.thereserve.loc (10.200.XXX.13)

We begin by examining the three identified servers and conducting enumeration on the web server.

By using a browser plugin like Wappalyzer, we can analyze the technologies used by the server, including any available version information.

This information can be valuable for identifying exploits or known vulnerabilities associated with the technologies and their specific versions, potentially aiding in compromising the server.

Although similar details can be manually extracted from HTTP headers, source code inspection, or URL paths, the plugin provides a much faster way to gather this information, which is crucial during an engagement.

While exploring the website, we also discovered info.php at http://web.thereserve.loc/info.php, which may reveal further details about the technologies in use, internal directories, and configurations.

We notice that there is a navigation menu at the top with the tabs “Overview”, “Meet the Team” and “Contact Us”.

Since we are gathering information, the “Meet the Team” page might give us some useful information regarding the employees of the organization, the team’s structure, roles, and email addresses.

Through client-side source code inspection on the images, we discover a path to the team images, with each image revealing the user's name.

Accessing the identified path (/october/themes/demo/assets/images/) reveals a directory listing vulnerability, allowing us to view all names associated with the images.

A significant risk with this image naming convention is the high likelihood that these names follow the same format as corporate email addresses. By reviewing the "Contact Us" page, we see that CVs and other documents can be sent to applications@corp.thereserve.loc.

This reveals the domain structure used in corporate emails, enabling us to compile a potential list of usernames:

antony.ross@corp.thereserve.loc
ashley.chan@corp.thereserve.loc
brenda.henderson@corp.thereserve.loc
charlene.thomas@corp.thereserve.loc
christopher.smith@corp.thereserve.loc
emily.harvey@corp.thereserve.loc
keith.allen@corp.thereserve.loc
laura.wood@corp.thereserve.loc
leslie.morley@corp.thereserve.loc
lynda.gordon@corp.thereserve.loc
martin.savage@corp.thereserve.loc
mohammad.ahmed@corp.thereserve.loc
paula.bailey@corp.thereserve.loc
rhys.parsons@corp.thereserve.loc
roy.sims@corp.thereserve.loc

With the password policy and base list available, we can start building a list of potential passwords to use against authentication forms or services later on.

The project brief lists the restricted set of special characters permitted under the required password policy.

To generate a password list from the information gathered, a rule that mangles the password base words is required. For this, john.conf was extended with a custom rule:

[List.Rules:RTC]
Az"[0-9]" $[!@#$%^]

Generate passwords.txt:

john --wordlist=password_base_list.txt --rules=RTC --stdout > passwords.txt

vpn.thereserve.loc (10.200.XXX.12)

Upon accessing the VPN server, we encounter a login page that requires an internal (corporate) account, which could be a good target for brute-force attempts.

Through testing various endpoints, we discover /vpn and /vpns; the first endpoint provides a .ovpn template file.

mail.thereserve.loc (10.200.XXX.11)

When accessing the hostname specified for the mail page, we receive an HTTP 403 – Forbidden response.

However, when accessing the IP address directly, we see a default IIS page, indicating that the correct path may be required to access the email application.

By examining the technologies related to the webpage, we determine that the web server is running RoundCube, an open-source webmail software.

A quick search for the application leads us to the GitHub repository at https://github.com/roundcube/roundcubemail.

Additionally, Wappalyzer identifies several other technologies in use on the server.

Upon inspection, we discover that the server is not only running RoundCube, but also utilizes PHP.

By examining the GitHub repository, we identify a main index.php page, which redirects us to the default login application page. This login page could potentially be another target for a brute-force attack.

We can also log in using the credentials given to us earlier by e-citizen to view any emails addressed to us.

Flags are provided via E-mail. They can also be accessed via the e-citizen platform.

So far, we have collected a wealth of useful information through our OSINT research, utilizing passive methods or simply browsing. Along with the identified technologies and their versions, we've compiled a list of potential usernames and passwords.

The next step is to identify a point of failure and breach the perimeter.

To do this, we begin by performing active enumeration of the three servers using the Nmap scanner.

Nmap for web.thereserve.loc

┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone]
└─$ nmap -sC -sV -Pn web.thereserve.loc -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 12:47 IST
Nmap scan report for web.thereserve.loc (10.200.118.13)
Host is up (0.22s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 09:7a:f3:cc:5a:52:4e:d4:b3:48:e3:5c:1c:8f:f7:74 (RSA)
|   256 96:79:26:12:ce:de:e3:09:79:db:f4:3b:f9:23:08:78 (ECDSA)
|_  256 c4:82:50:4d:d2:27:f1:20:46:28:ba:f5:dc:d8:0e:f1 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.06 seconds

Nmap for vpn.thereserve.loc

┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone]
└─$ nmap -sC -sV -Pn vpn.thereserve.loc -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 12:47 IST
Nmap scan report for vpn.thereserve.loc (10.200.118.12)
Host is up (0.21s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f2:b9:e0:c8:de:65:0b:a1:74:3c:54:75:a6:fd:e5:63 (RSA)
|   256 ae:16:ea:32:9f:70:24:cd:d2:76:15:0e:f1:69:7b:7a (ECDSA)
|_  256 8d:a0:14:d9:33:bf:a7:27:9e:1f:3a:6e:9f:8a:96:57 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: VPN Request Portal
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.51 seconds

Nmap for mail.thereserve.loc

┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone]
└─$ nmap -sC -sV -Pn mail.thereserve.loc -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 12:47 IST
Warning: 10.200.118.11 giving up on port because retransmission cap hit (6).
Nmap scan report for mail.thereserve.loc (10.200.118.11)
Host is up (0.27s latency).
Not shown: 981 closed tcp ports (conn-refused)
PORT      STATE    SERVICE       VERSION
22/tcp    open     ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 f3:6c:52:d2:7f:e9:0e:1c:c1:c7:ac:96:2c:d1:ec:2d (RSA)
|   256 c2:56:3c:ed:c4:b0:69:a8:e7:ad:3c:31:05:05:e9:85 (ECDSA)
|_  256 d3:e5:f0:73:75:d5:20:d9:c0:bb:41:99:e7:af:a0:00 (ED25519)
25/tcp    open     smtp          hMailServer smtpd
| smtp-commands: MAIL, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp    open     http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: 403 - Forbidden: Access is denied.
| http-methods: 
|_  Potentially risky methods: TRACE
110/tcp   open     pop3          hMailServer pop3d
|_pop3-capabilities: UIDL TOP USER
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
143/tcp   open     imap          hMailServer imapd
|_imap-capabilities: NAMESPACE SORT CHILDREN QUOTA ACL completed CAPABILITY IDLE OK RIGHTS=texkA0001 IMAP4rev1 IMAP4
445/tcp   open     microsoft-ds?
587/tcp   open     smtp          hMailServer smtpd
| smtp-commands: MAIL, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
1052/tcp  filtered ddt
2002/tcp  filtered globe
2103/tcp  filtered zephyr-clt
2608/tcp  filtered wag-service
3306/tcp  open     mysql         MySQL 8.0.31
| ssl-cert: Subject: commonName=MySQL_Server_8.0.31_Auto_Generated_Server_Certificate
| Not valid before: 2023-01-10T07:46:11
|_Not valid after:  2033-01-07T07:46:11
| mysql-info: 
|   Protocol: 10
|   Version: 8.0.31
|   Thread ID: 13
|   Capabilities flags: 65535
|   Some Capabilities: Support41Auth, SupportsLoadDataLocal, IgnoreSigpipes, DontAllowDatabaseTableColumn, ConnectWithDatabase, SupportsTransactions, FoundRows, Speaks41ProtocolNew, LongPassword, InteractiveClient, SwitchToSSLAfterHandshake, IgnoreSpaceBeforeParenthesis, ODBCClient, SupportsCompression, LongColumnFlag, Speaks41ProtocolOld, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
|   Status: Autocommit
|   Salt: h     /J\x1B73N
| ;3\x1901py`p~\x1D
|_  Auth Plugin Name: caching_sha2_password
3389/tcp  open     ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: THERESERVE
|   NetBIOS_Domain_Name: THERESERVE
|   NetBIOS_Computer_Name: MAIL
|   DNS_Domain_Name: thereserve.loc
|   DNS_Computer_Name: MAIL.thereserve.loc
|   Product_Version: 10.0.17763
|_  System_Time: 2024-11-12T07:18:44+00:00
| ssl-cert: Subject: commonName=MAIL.thereserve.loc
| Not valid before: 2024-11-06T10:50:16
|_Not valid after:  2025-05-08T10:50:16
|_ssl-date: 2024-11-12T07:18:57+00:00; 0s from scanner time.
6004/tcp  filtered X11:4
7402/tcp  filtered rtps-dd-mt
8300/tcp  filtered tmi
16080/tcp filtered osxwebadmin
Service Info: Host: MAIL; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-11-12T07:18:45
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.15 seconds

From the results of scanning web.thereserve.loc and vpn.thereserve.loc, we observe that only the HTTP and SSH ports are available. For the time being, we will not attempt a brute-force attack on SSH.

On the mail server, we discover numerous open ports and services.

While several of these services are interesting, we decide to focus on setting up a brute-force attempt on the SMTP service using Hydra.
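As an added example (not part of this write-up), the following Python script parses a normal-format Nmap report like the three above and turns it into a defender-side exposure summary: which ports are open, and which script results point to a control that is missing (SMB signing not enforced, HTTP TRACE enabled, SMTP AUTH LOGIN without STARTTLS, database and RDP listeners reachable from the scanning network). The sample report embedded in it is constructed and trimmed from the kind of output shown here; its hostname and IP are placeholders, and the finding rules and recommended controls are the example's own, not Nmap's.

```python
"""Turn an Nmap -sC -sV text report into a defender-facing exposure summary.

Added example, not code from the original write-up. It reads the normal
(human-readable) Nmap output format used in this post and flags the
signals a blue team would triage first. SAMPLE_REPORT is a constructed,
trimmed report; its hostname and IP are placeholders.
"""
import re
from dataclasses import dataclass, field

# Port-table rows look like: "445/tcp   open     microsoft-ds?"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str
    scripts: list = field(default_factory=list)  # NSE lines attached to this port


def parse_nmap(report):
    """Return (services, host_scripts) parsed from a normal-format Nmap report."""
    services, host_scripts = [], []
    current, in_host_block = None, False
    for raw in report.splitlines():
        line = raw.rstrip()
        if line.startswith("Host script results:"):
            in_host_block, current = True, None
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            current = Service(int(port), proto, state, name, version.strip())
            services.append(current)
        elif line.startswith("|"):
            text = line.lstrip("|_ ").strip()   # drop the NSE tree prefix
            if in_host_block:
                host_scripts.append(text)
            elif current is not None:
                current.scripts.append(text)
        elif not line:
            current = None                       # a blank line ends the port table
    return services, host_scripts


def assess(services, host_scripts):
    """Map scan facts to (port, finding, recommended control), ordered by port."""
    findings = []
    signing_optional = any("signing enabled but not required" in h.lower()
                           for h in host_scripts)
    for s in sorted(services, key=lambda x: x.port):
        if s.state != "open":
            continue
        nse = " ".join(s.scripts)
        # smtp-commands lists the EHLO response; STARTTLS would appear there if offered
        if s.name == "smtp" and "AUTH LOGIN" in nse and "STARTTLS" not in nse:
            findings.append((s.port, "SMTP offers AUTH LOGIN without advertising STARTTLS",
                             "require TLS before AUTH, or move clients to a TLS-only submission port"))
        if s.name == "http" and "TRACE" in nse:
            findings.append((s.port, "HTTP TRACE method enabled",
                             "disable TRACE (Apache: TraceEnable off; IIS: deny the verb in Request Filtering)"))
        if s.port == 445 and signing_optional:
            findings.append((s.port, "SMB signing enabled but not required",
                             "enforce 'Digitally sign communications (always)' on the server"))
        if s.name == "mysql":
            findings.append((s.port, "database listener reachable from the scanning network",
                             "bind MySQL to loopback or firewall it to the application hosts"))
        if s.port == 3389:
            findings.append((s.port, "RDP reachable from the scanning network",
                             "restrict RDP to a management network or VPN and require NLA"))
    return findings


# Constructed sample (placeholder hostname/IP), trimmed to the lines that matter.
SAMPLE_REPORT = """\
Nmap scan report for mail.example.test (10.0.0.11)
Host is up (0.27s latency).
Not shown: 981 closed tcp ports (conn-refused)
PORT      STATE    SERVICE       VERSION
22/tcp    open     ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
25/tcp    open     smtp          hMailServer smtpd
| smtp-commands: MAIL, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp    open     http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
445/tcp   open     microsoft-ds?
1052/tcp  filtered ddt
3306/tcp  open     mysql         MySQL 8.0.31
3389/tcp  open     ms-wbt-server Microsoft Terminal Services
Service Info: Host: MAIL; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
"""

if __name__ == "__main__":
    svcs, host = parse_nmap(SAMPLE_REPORT)
    print("open:", [f"{s.port}/{s.proto} {s.name}" for s in svcs if s.state == "open"])
    for port, finding, control in assess(svcs, host):
        print(f"{port:>5}  {finding}\n       -> {control}")
```

Running it against a saved `nmap -sC -sV` report (`parse_nmap(open("scan.txt").read())`) gives the same triage list for a real host; the rules are deliberately keyed on the script names Nmap emits (`smtp-commands`, `http-methods`, `smb2-security-mode`) so that the output of the scans in this post can be fed in unchanged.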
