Hades

Entry Point

10.13.38.16

initial nmap scan

sudo nmap -p- --min-rate 1500 -T4 10.13.38.16 | cut -d'/' -f1 | tr '\n' ','

we can see that the following port is open on the target machine

443

Let's see if we can enumerate further information

sudo nmap -sCV -p443 -A -oA TCP_10.13.38.16 10.13.38.16

results

Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-21 20:31 EST
Nmap scan report for 10.13.38.16
Host is up (0.29s latency).

PORT    STATE SERVICE   VERSION
443/tcp open  ssl/https Apache/2.4.29 (Ubuntu)
|_http-title: 400 Bad Request
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=10.13.38.16/organizationName=Gigantic Hosting Limited/stateOrProvinceName=New York/countryName=US
| Not valid before: 2019-09-04T21:52:00
|_Not valid after:  2039-08-30T21:52:00
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 2012|8|Phone|7 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows Embedded Standard 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   286.09 ms 10.10.14.1
2   286.68 ms 10.13.38.16

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.34 seconds

What we can see

  • We have HTTPS-enabled Apache 2.4.29 (Ubuntu)

  • Server itself may be Windows Server 2012 (nmap's OS guess, which it flags as unreliable because only one open port was found)
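The ssl-cert block in the scan above is worth a second look before moving on: the commonName is the bare IP and the validity window runs for twenty years, both signs of a self-signed or private-CA certificate rather than a publicly trusted one. The following is an added example (not part of these notes) that parses nmap's ssl-cert lines and flags those two properties; the input is the ssl-cert block copied from the output above, and the 398-day threshold is the public-CA leaf-certificate limit in force since September 2020.

```python
import ipaddress
import re
from datetime import datetime

# Constructed input: the ssl-cert lines copied from the nmap output above.
NMAP_SSL_CERT_LINES = """\
| ssl-cert: Subject: commonName=10.13.38.16/organizationName=Gigantic Hosting Limited/stateOrProvinceName=New York/countryName=US
| Not valid before: 2019-09-04T21:52:00
|_Not valid after:  2039-08-30T21:52:00
"""

# Publicly trusted CAs stopped issuing leaf certificates valid for more than
# 398 days in September 2020; anything longer is self-signed or from a
# private CA and will not validate in a browser.
MAX_LEAF_VALIDITY_DAYS = 398

_SUBJECT_RE = re.compile(r"ssl-cert: Subject: (.+)$")
_DATE_RE = re.compile(r"Not valid (before|after):\s+(\S+)")


def parse_ssl_cert(text):
    """Turn nmap's ssl-cert lines into subject fields and validity datetimes."""
    cert = {"subject": {}, "not_before": None, "not_after": None}
    for raw in text.splitlines():
        line = raw.lstrip("|_ ")          # strip nmap's script-output gutter
        m = _SUBJECT_RE.search(line)
        if m:
            for field in m.group(1).split("/"):
                key, _, value = field.partition("=")
                cert["subject"][key] = value
            continue
        m = _DATE_RE.search(line)
        if m:
            when = datetime.fromisoformat(m.group(2))
            cert["not_before" if m.group(1) == "before" else "not_after"] = when
    return cert


def validity_days(cert):
    """Length of the validity window in whole days (None if a date is missing)."""
    if cert["not_before"] and cert["not_after"]:
        return (cert["not_after"] - cert["not_before"]).days
    return None


def assess_cert(cert):
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    cn = cert["subject"].get("commonName", "")
    try:
        ipaddress.ip_address(cn)
        findings.append("commonName is an IP literal rather than a DNS name")
    except ValueError:
        pass                              # a hostname, which is the normal case
    days = validity_days(cert)
    if days is not None:
        if days > MAX_LEAF_VALIDITY_DAYS:
            findings.append(f"validity period is {days} days, above the "
                            f"{MAX_LEAF_VALIDITY_DAYS}-day public-CA limit")
        if days <= 0:
            findings.append("notAfter is not later than notBefore")
    return findings


if __name__ == "__main__":
    parsed = parse_ssl_cert(NMAP_SSL_CERT_LINES)
    print(parsed["subject"], "valid for", validity_days(parsed), "days")
    for finding in assess_cert(parsed):
        print("-", finding)
```

Run against the block above it reports both findings; either one on its own is a hint that the host is not serving a certificate meant for public clients, which lines up with the 400 Bad Request default page nmap saw.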

HTTPS

we can see

  • Web server is running Ubuntu (server or container?)

  • we have an email address

    • sales@gigantichosting.com

    • we can add the domain name (gigantichosting.com) to our hosts file

  • we find /ssltools/certificate.php, which looks like a tool that retrieves the SSL certificate from a domain name or IP address the user specifies
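A tool that opens a TLS connection to whatever host the user names is a server-side request forgery risk unless it validates the destination. The following is an added example, not the code behind /ssltools/certificate.php (which we have not seen): it shows the checks such a tool needs so that a user-supplied host cannot make it contact loopback, private or link-local addresses. The function names, the FAKE_DNS table used to exercise the checks offline, and the choice to allow only port 443 are this example's own assumptions.

```python
import ipaddress
import socket
import ssl


class UnsafeTarget(ValueError):
    """Raised when the requested host must not be contacted."""


def system_resolve(host):
    """Every address the system resolver returns for host (assumes DNS is reachable)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


# Constructed lookup table standing in for DNS so the checks can be exercised
# offline; the names and addresses are example values, not real hosts.
FAKE_DNS = {
    "public.example": ["93.184.216.34"],
    "loopback.example": ["127.0.0.1"],
    "intranet.example": ["10.0.0.5"],
    "split.example": ["93.184.216.34", "192.168.1.1"],
    "metadata.example": ["169.254.169.254"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def validate_target(host, port, resolve=system_resolve):
    """Return the addresses it is safe to connect to, or raise UnsafeTarget.

    Every resolved address is checked, not only the first, so a name that
    mixes a public answer with a private one is refused as a whole.
    """
    if port != 443:
        raise UnsafeTarget("only port 443 is allowed")
    if not host or len(host) > 253 or any(c.isspace() for c in host):
        raise UnsafeTarget("malformed host")
    addrs = resolve(host)
    if not addrs:
        raise UnsafeTarget("name does not resolve")
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
            raise UnsafeTarget(f"{addr} is not a public address")
    return addrs


def target_allowed(host, port=443, resolve=fake_resolve):
    """True if validate_target accepts the host, False if it rejects it."""
    try:
        validate_target(host, port, resolve)
        return True
    except UnsafeTarget:
        return False


def fetch_certificate_pem(host, port=443, resolve=system_resolve, timeout=5.0):
    """Fetch the server's leaf certificate (PEM) after the target passes validation."""
    addrs = validate_target(host, port, resolve)
    # Connect to the address that was validated, not to the name, so a DNS
    # answer that changes between validation and connection cannot redirect us.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # we want to read the cert, not trust it
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((addrs[0], port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    for name in FAKE_DNS:
        print(f"{name:18} allowed={target_allowed(name)}")
```

The connection is made to the validated address rather than to the name, and the validation is applied to every DNS answer, because checking the name once and then letting the TLS library resolve it again is exactly the gap that DNS rebinding exploits.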

Let's play around with this

  1. We want to make it request our own IP address and see whether we can sniff out any data. Since the client (certificate.php) is using SSL, we can't simply view the HTTP data directly; we need a tool called mitmproxy

  • we can download the following tools from

  • -p: specifies our local port '443'

  • --mode reverse:https://10.13.18.16: this puts mitmproxy in reverse proxy mode, forwarding traffic back to our target

  • --ssl-insecure: disables TLS certificate validation on the upstream connection

  • --set flow_detail=3: sets the verbosity of flow details to level 3

  2. Now we can point the PHP function to our local machine

  • after trying to send a request back to our local machine we weren't getting anything

Looking at the SSL certificate for the website we can find another email address

  • it@gigantichosting.com

feroxbuster

I want to see if we can find any hidden web pages

results
