IP Address

❯ fping -aqg 10.0.0.0/24
10.0.0.1
10.0.0.2
10.0.0.4
10.0.0.164

Nmap Scan

Doing my regular scan didn’t give me any ports.

So I only scanned for open ports (without any timing flags or service checks), with min-rate set to 10000.

❯ nmap -v --min-rate=1000 -p- -oN nmap.log -Pn 10.0.0.164
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-07 09:19 +0545
Initiating Parallel DNS resolution of 1 host. at 09:19
Completed Parallel DNS resolution of 1 host. at 09:19, 0.00s elapsed
Initiating Connect Scan at 09:19
Scanning 10.0.0.164 [65535 ports]
Connect Scan Timing: About 23.25% done; ETC: 09:22 (0:01:42 remaining)
Discovered open port 5003/tcp on 10.0.0.164
Connect Scan Timing: About 46.17% done; ETC: 09:22 (0:01:11 remaining)
Connect Scan Timing: About 73.46% done; ETC: 09:22 (0:00:33 remaining)
Completed Connect Scan at 09:21, 114.92s elapsed (65535 total ports)
Nmap scan report for 10.0.0.164
Host is up (0.00064s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT     STATE SERVICE
5003/tcp open  filemaker

Port 5003 is open. Let's run the full scan (-A) on this port.

❯ nmap -p 5003 -A -oN 5003.log -Pn 10.0.0.164
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-07 09:26 +0545
Nmap scan report for 10.0.0.164
Host is up (0.00063s latency).

PORT     STATE SERVICE    VERSION
5003/tcp open  filemaker?
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Date: Fri, 06 Jan 2023 17:50:54 GMT
|     Server: WSGIServer/0.2 CPython/3.8.6
|     Content-Type: text/html; charset=utf-8
|     X-Frame-Options: DENY
|     Vary: Cookie
|     Content-Length: 7453
|     X-Content-Type-Options: nosniff
|     Referrer-Policy: same-origin
|     Set-Cookie: csrftoken=obgHa0HHJkyNjvxBYjcTTEVXuToGDaYSMlcFhzXxNY3UbCH9mCTnrFMRnaCBzIIP; expires=Fri, 05 Jan 2024 17:50:54 GMT; Max-Age=31449600; Path=/; SameSite=Lax
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
|     <meta name="description" content="">
|     <meta name="author" content="">
|     <title>[Un]baked | /</title>
|     <!-- Bootstrap core CSS -->
|     <link href="/static/vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">
|     <!-- Custom fonts for this template -->
|     <link href="/static/vendor/fontawesome-free/css/all.min.cs
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Fri, 06 Jan 2023 17:50:54 GMT
|     Server: WSGIServer/0.2 CPython/3.8.6
|     Content-Type: text/html; charset=utf-8
|     X-Frame-Options: DENY
|     Vary: Cookie
|     Content-Length: 7453
|     X-Content-Type-Options: nosniff
|     Referrer-Policy: same-origin
|     Set-Cookie: csrftoken=zMMSMqWmdsZyfiSatCvTn2y3QILZn2VE5xhRCPOlAI6Kn6ERPIJJYLrIEjG8pgyZ; expires=Fri, 05 Jan 2024 17:50:54 GMT; Max-Age=31449600; Path=/; SameSite=Lax
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
|     <meta name="description" content="">
|     <meta name="author" content="">
|     <title>[Un]baked | /</title>
|     <!-- Bootstrap core CSS -->
|     <link href="/static/vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">
|     <!-- Custom fonts for this template -->
|_    <link href="/static/vendor/fontawesome-free/css/all.min.cs
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5003-TCP:V=7.93%I=7%D=1/7%Time=63B8E9E5%P=x86_64-pc-linux-gnu%r(Get
SF:Request,1EC5,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Fri,\x2006\x20Jan\x202
SF:023\x2017:50:54\x20GMT\r\nServer:\x20WSGIServer/0\.2\x20CPython/3\.8\.6
SF:\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nX-Frame-Options:\x2
SF:0DENY\r\nVary:\x20Cookie\r\nContent-Length:\x207453\r\nX-Content-Type-O
SF:ptions:\x20nosniff\r\nReferrer-Policy:\x20same-origin\r\nSet-Cookie:\x2
SF:0\x20csrftoken=obgHa0HHJkyNjvxBYjcTTEVXuToGDaYSMlcFhzXxNY3UbCH9mCTnrFMR
SF:naCBzIIP;\x20expires=Fri,\x2005\x20Jan\x202024\x2017:50:54\x20GMT;\x20M
SF:ax-Age=31449600;\x20Path=/;\x20SameSite=Lax\r\n\r\n\n<!DOCTYPE\x20html>
SF:\n<html\x20lang=\"en\">\n\n<head>\n\n\x20\x20<meta\x20charset=\"utf-8\"
SF:>\n\x20\x20<meta\x20name=\"viewport\"\x20content=\"width=device-width,\
SF:x20initial-scale=1,\x20shrink-to-fit=no\">\n\x20\x20<meta\x20name=\"des
SF:cription\"\x20content=\"\">\n\x20\x20<meta\x20name=\"author\"\x20conten
SF:t=\"\">\n\n\x20\x20<title>\[Un\]baked\x20\|\x20/</title>\n\n\x20\x20<!-
SF:-\x20Bootstrap\x20core\x20CSS\x20-->\n\x20\x20<link\x20href=\"/static/v
SF:endor/bootstrap/css/bootstrap\.min\.css\"\x20rel=\"stylesheet\">\n\n\x2
SF:0\x20<!--\x20Custom\x20fonts\x20for\x20this\x20template\x20-->\n\x20\x2
SF:0<link\x20href=\"/static/vendor/fontawesome-free/css/all\.min\.cs")%r(H
SF:TTPOptions,1EC5,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Fri,\x2006\x20Jan\x
SF:202023\x2017:50:54\x20GMT\r\nServer:\x20WSGIServer/0\.2\x20CPython/3\.8
SF:\.6\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nX-Frame-Options:
SF:\x20DENY\r\nVary:\x20Cookie\r\nContent-Length:\x207453\r\nX-Content-Typ
SF:e-Options:\x20nosniff\r\nReferrer-Policy:\x20same-origin\r\nSet-Cookie:
SF:\x20\x20csrftoken=zMMSMqWmdsZyfiSatCvTn2y3QILZn2VE5xhRCPOlAI6Kn6ERPIJJY
SF:LrIEjG8pgyZ;\x20expires=Fri,\x2005\x20Jan\x202024\x2017:50:54\x20GMT;\x
SF:20Max-Age=31449600;\x20Path=/;\x20SameSite=Lax\r\n\r\n\n<!DOCTYPE\x20ht
SF:ml>\n<html\x20lang=\"en\">\n\n<head>\n\n\x20\x20<meta\x20charset=\"utf-
SF:8\">\n\x20\x20<meta\x20name=\"viewport\"\x20content=\"width=device-widt
SF:h,\x20initial-scale=1,\x20shrink-to-fit=no\">\n\x20\x20<meta\x20name=\"
SF:description\"\x20content=\"\">\n\x20\x20<meta\x20name=\"author\"\x20con
SF:tent=\"\">\n\n\x20\x20<title>\[Un\]baked\x20\|\x20/</title>\n\n\x20\x20
SF:<!--\x20Bootstrap\x20core\x20CSS\x20-->\n\x20\x20<link\x20href=\"/stati
SF:c/vendor/bootstrap/css/bootstrap\.min\.css\"\x20rel=\"stylesheet\">\n\n
SF:\x20\x20<!--\x20Custom\x20fonts\x20for\x20this\x20template\x20-->\n\x20
SF:\x20<link\x20href=\"/static/vendor/fontawesome-free/css/all\.min\.cs");

From the scan, we can tell the service on port 5003 is a Python web server (Server: WSGIServer/0.2 CPython/3.8.6) serving a site titled "[Un]baked".


Browsing the site, we get a few usernames: ramsey, wan, and oliver.

There is a search feature.

When we search for hello, we can see that a cookie is set in the response.

search_cookie="gASVCQAAAAAAAACMBWhlbGxvlC4=";

Base64-decoding the value gives binary data. Converting it to hex in CyberChef, it looks as follows.

\x80\x04\x95\x09\x00\x00\x00\x00\x00\x00\x00\x8c\x05\x68\x65\x6c\x6c\x6f\x94\x2e

We can do the same thing in Python.

>>> from base64 import b64decode
>>> hello = b64decode('gASVCQAAAAAAAACMBWhlbGxvlC4=')
>>> print(hello)
b'\x80\x04\x95\t\x00\x00\x00\x00\x00\x00\x00\x8c\x05hello\x94.'
>>>
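The decoded bytes start with 0x80 0x04, which is the PROTO opcode of a Python pickle (protocol 4); what follows is FRAME, SHORT_BINUNICODE "hello", MEMOIZE and STOP. In other words, the server serialises the search term with pickle and hands it back in a cookie, so a client-controlled value is later fed to a deserialiser. The script below is an added example, not code from the original writeup or from the target application: it decodes the cookie, disassembles the stream with pickletools.genops (which parses opcodes without executing them), flags opcodes that can import or call code, and only then loads the stream through an Unpickler whose find_class refuses every global. The DANGEROUS_OPCODES set, the inspect_cookie function and the OrderedDict sample pickle are constructions of mine for illustration; only the search_cookie value comes from the page.

```python
"""Identify and inspect a base64-encoded pickle cookie without executing it.

Added example.  SEARCH_COOKIE is the value captured from the search feature;
every other name, the opcode list and the sample stream are constructed here.
"""
import base64
import collections
import io
import pickle
import pickletools

# search_cookie value captured from the target (taken from the page).
SEARCH_COOKIE = "gASVCQAAAAAAAACMBWhlbGxvlC4="

# Opcodes that make the unpickler import modules, call callables or set
# attributes while loading.  A stream with none of these can only build
# plain data (str, bytes, numbers, tuples, lists, dicts).  Constructed list.
DANGEROUS_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
    "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4",
}


def decode_cookie(value: str) -> bytes:
    """Base64-decode the cookie value into the raw serialised bytes."""
    return base64.b64decode(value)


def looks_like_pickle(data: bytes) -> bool:
    """Protocol 2+ pickles begin with PROTO (0x80) and the protocol number."""
    return (len(data) >= 2 and data[0] == 0x80
            and 2 <= data[1] <= pickle.HIGHEST_PROTOCOL)


def pickle_opcodes(data: bytes) -> list:
    """Disassemble the stream with pickletools.genops, which parses opcodes
    but never runs them, and return the opcode names in stream order."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)]


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup, so the stream can only
    produce built-in data types, never a class, function or module."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(data: bytes):
    """Load a pickle through the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def inspect_cookie(value: str) -> dict:
    """Decode, identify, disassemble and (only if clean) load a cookie."""
    data = decode_cookie(value)
    report = {"is_pickle": looks_like_pickle(data), "opcodes": [],
              "dangerous": set(), "value": None}
    if not report["is_pickle"]:
        return report
    report["opcodes"] = pickle_opcodes(data)
    report["dangerous"] = DANGEROUS_OPCODES.intersection(report["opcodes"])
    if not report["dangerous"]:
        report["value"] = safe_load(data)
    return report


def sample_global_pickle() -> str:
    """A harmless pickle that still carries STACK_GLOBAL and REDUCE (an empty
    collections.OrderedDict), base64-encoded like the cookie.  Constructed
    here only to show what a flagged stream looks like."""
    raw = pickle.dumps(collections.OrderedDict(), protocol=4)
    return base64.b64encode(raw).decode()


if __name__ == "__main__":
    for label, cookie in (("search_cookie", SEARCH_COOKIE),
                          ("OrderedDict sample", sample_global_pickle())):
        report = inspect_cookie(cookie)
        print(f"{label}: pickle={report['is_pickle']} opcodes={report['opcodes']}")
        print(f"  dangerous={sorted(report['dangerous'])} value={report['value']!r}")
        if report["dangerous"]:
            try:
                safe_load(decode_cookie(cookie))
            except pickle.UnpicklingError as exc:
                print(f"  restricted load refused: {exc}")
```

Running it shows the search cookie disassembling to PROTO, FRAME, SHORT_BINUNICODE, MEMOIZE, STOP and loading as "hello", while the OrderedDict sample is flagged on STACK_GLOBAL and REDUCE and the restricted unpickler refuses it. On the defending side, the restricted unpickler is only defence in depth: it stops code from being imported or called, but not resource exhaustion from a crafted stream. The proper fix is not to unpickle client-controlled data at all (store the search term as JSON, and sign the cookie with an HMAC if its integrity matters).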