❯ fping -aqg 10.0.0.0/24
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.233
❯ nmap -sC -sV -p- -oN nmap.log 10.0.0.233
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-02 17:51 +0545
Nmap scan report for 10.0.0.233
Host is up (0.00098s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 70d4efc9276f8d957aa5511951fe14dc (RSA)
| 256 3f8d243fd25ecae6c9af372347bf1d28 (ECDSA)
|_ 256 0c337e4e953db02d6a5eca39910d1308 (ED25519)
80/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.54 (Debian)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kerne
No access via FTP, which leaves two possible paths.
The Apache default page contains an unusual sentence.
So the next step is a gobuster scan.
❯ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.0.0.233 -x php,txt,html -o medium.log
/.php (Status: 403) [Size: 275]
/index.html (Status: 200) [Size: 10674]
/.html (Status: 403) [Size: 275]
/manual (Status: 301) [Size: 309] [--> http://10.0.0.233/manual/]
/.html (Status: 403) [Size: 275]
/.php (Status: 403) [Size: 275]
/server-status (Status: 403) [Size: 275]
/hades (Status: 301) [Size: 308] [--> http://10.0.0.233/hades/]
Perform gobuster scan on /hades
❯ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.0.0.233/hades -x php,txt,html -o medium-hades.log
❯ cat medium-hades.log
/.php (Status: 403) [Size: 275]
/.html (Status: 403) [Size: 275]
/index.php (Status: 200) [Size: 0]
/door.php (Status: 200) [Size: 555]
/.html (Status: 403) [Size: 275]
/.php (Status: 403) [Size: 275]
/door.php
This matches the hint (open the door). The page has an input that accepts a magic word; “Kraken” works here, and brute-forcing it also works.
After entering Kraken, we see a domain name, “medusa.hmv”, which we have to add to /etc/hosts.
medusa.hmv serves the same page, so the next step is subdomain enumeration.
❯ ffuf -r -c -ic -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "HOST: FUZZ.medusa.hmv" -u 'http://10.0.0.233' -fs 10674
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://10.0.0.233
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.medusa.hmv
:: Follow redirects : true
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response size: 10674
________________________________________________
dev [Status: 200, Size: 1973, Words: 374, Lines: 26, Duration: 1423ms]
:: Progress: [114437/114437] :: Job [1/1] :: 667 req/sec :: Duration: [0:03:05] :: Errors: 0 ::
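Both enumeration steps above (gobuster walking a path wordlist, ffuf cycling Host headers at hundreds of requests per second) leave an obvious footprint in the web server's access log. As an added example that is not part of this writeup, the following Python flags clients showing either pattern; it assumes a custom Apache LogFormat that records the raw Host header (the format name hostlog, the log lines and the client IPs are all constructed for the example).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed custom Apache LogFormat (not from the writeup); %v would log the matched
# vhost's ServerName, so the raw Host header is logged explicitly instead:
#   LogFormat "%h %t \"%r\" %>s \"%{Host}i\"" hostlog
LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                     r'(?P<status>\d{3}) "(?P<host>[^"]*)"$')

def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def flag_clients(lines, window=timedelta(seconds=60), host_threshold=5, miss_threshold=5):
    """Return {ip: set(reasons)} for clients whose requests inside any time window look
    like Host-header fuzzing (many distinct Host values) or path brute-forcing (many
    403/404 responses). Thresholds are demo values; tune them to real traffic."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons, start = set(), 0
        for end in range(len(recs)):  # sliding window over this client's requests
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            if len({r["host"] for r in win}) >= host_threshold:
                reasons.add("host-header-fuzzing")
            if sum(r["status"] in (403, 404) for r in win) >= miss_threshold:
                reasons.add("path-bruteforce")
        if reasons:
            findings[ip] = reasons
    return findings

# Constructed sample log: one client cycling Host values, one walking a wordlist, one benign.
SAMPLE = [f'10.0.0.5 [02/Feb/2023:17:55:{i:02d} +0545] "GET / HTTP/1.1" 200 "{w}.medusa.hmv"'
          for i, w in enumerate(["www", "mail", "ftp", "dev", "admin", "test"])]
SAMPLE += [f'10.0.0.6 [02/Feb/2023:17:56:{i:02d} +0545] "GET /{w}.php HTTP/1.1" 404 "10.0.0.233"'
           for i, w in enumerate("abcdef")]
SAMPLE += ['10.0.0.7 [02/Feb/2023:17:57:00 +0545] "GET /index.html HTTP/1.1" 200 "medusa.hmv"']
```

Running `flag_clients(SAMPLE)` reports 10.0.0.5 for Host-header fuzzing and 10.0.0.6 for path brute-forcing, while the single benign request from 10.0.0.7 is not flagged.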