IP Address

❯ fping -aqg 10.0.0.0/24
10.0.0.1
10.0.0.2
10.0.0.4
10.0.0.164

Nmap Scan

Doing my regular scan didn’t give me any ports.

So I only scanned for open ports first (no timing template and no service checks), with --min-rate set to 1000.

❯ nmap -v --min-rate=1000 -p- -oN nmap.log -Pn 10.0.0.164
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93 ( <https://nmap.org> ) at 2023-01-07 09:19 +0545
Initiating Parallel DNS resolution of 1 host. at 09:19
Completed Parallel DNS resolution of 1 host. at 09:19, 0.00s elapsed
Initiating Connect Scan at 09:19
Scanning 10.0.0.164 [65535 ports]
Connect Scan Timing: About 23.25% done; ETC: 09:22 (0:01:42 remaining)
Discovered open port 5003/tcp on 10.0.0.164
Connect Scan Timing: About 46.17% done; ETC: 09:22 (0:01:11 remaining)
Connect Scan Timing: About 73.46% done; ETC: 09:22 (0:00:33 remaining)
Completed Connect Scan at 09:21, 114.92s elapsed (65535 total ports)
Nmap scan report for 10.0.0.164
Host is up (0.00064s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT     STATE SERVICE
5003/tcp open  filemaker

Port 5003 is open. Let’s do the full scan on this port.

❯ nmap -p 5003 -A -oN 5003.log -Pn 10.0.0.164
Starting Nmap 7.93 ( <https://nmap.org> ) at 2023-01-07 09:26 +0545
Nmap scan report for 10.0.0.164
Host is up (0.00063s latency).

PORT     STATE SERVICE    VERSION
5003/tcp open  filemaker?
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Date: Fri, 06 Jan 2023 17:50:54 GMT
|     Server: WSGIServer/0.2 CPython/3.8.6
|     Content-Type: text/html; charset=utf-8
|     X-Frame-Options: DENY
|     Vary: Cookie
|     Content-Length: 7453
|     X-Content-Type-Options: nosniff
|     Referrer-Policy: same-origin
|     Set-Cookie: csrftoken=obgHa0HHJkyNjvxBYjcTTEVXuToGDaYSMlcFhzXxNY3UbCH9mCTnrFMRnaCBzIIP; expires=Fri, 05 Jan 2024 17:50:54 GMT; Max-Age=31449600; Path=/; SameSite=Lax
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
|     <meta name="description" content="">
|     <meta name="author" content="">
|     <title>[Un]baked | /</title>
|     <!-- Bootstrap core CSS -->
|     <link href="/static/vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">
|     <!-- Custom fonts for this template -->
|     <link href="/static/vendor/fontawesome-free/css/all.min.cs
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Fri, 06 Jan 2023 17:50:54 GMT
|     Server: WSGIServer/0.2 CPython/3.8.6
|     Content-Type: text/html; charset=utf-8
|     X-Frame-Options: DENY
|     Vary: Cookie
|     Content-Length: 7453
|     X-Content-Type-Options: nosniff
|     Referrer-Policy: same-origin
|     Set-Cookie: csrftoken=zMMSMqWmdsZyfiSatCvTn2y3QILZn2VE5xhRCPOlAI6Kn6ERPIJJYLrIEjG8pgyZ; expires=Fri, 05 Jan 2024 17:50:54 GMT; Max-Age=31449600; Path=/; SameSite=Lax
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
|     <meta name="description" content="">
|     <meta name="author" content="">
|     <title>[Un]baked | /</title>
|     <!-- Bootstrap core CSS -->
|     <link href="/static/vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">
|     <!-- Custom fonts for this template -->
|_    <link href="/static/vendor/fontawesome-free/css/all.min.cs
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at <https://nmap.org/cgi-bin/submit.cgi?new-service> :
SF-Port5003-TCP:V=7.93%I=7%D=1/7%Time=63B8E9E5%P=x86_64-pc-linux-gnu%r(Get
SF:Request,1EC5,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Fri,\x2006\x20Jan\x202
SF:023\x2017:50:54\x20GMT\r\nServer:\x20WSGIServer/0\.2\x20CPython/3\.8\.6
SF:\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nX-Frame-Options:\x2
SF:0DENY\r\nVary:\x20Cookie\r\nContent-Length:\x207453\r\nX-Content-Type-O
SF:ptions:\x20nosniff\r\nReferrer-Policy:\x20same-origin\r\nSet-Cookie:\x2
SF:0\x20csrftoken=obgHa0HHJkyNjvxBYjcTTEVXuToGDaYSMlcFhzXxNY3UbCH9mCTnrFMR
SF:naCBzIIP;\x20expires=Fri,\x2005\x20Jan\x202024\x2017:50:54\x20GMT;\x20M
SF:ax-Age=31449600;\x20Path=/;\x20SameSite=Lax\r\n\r\n\n<!DOCTYPE\x20html>
SF:\n<html\x20lang=\"en\">\n\n<head>\n\n\x20\x20<meta\x20charset=\"utf-8\"
SF:>\n\x20\x20<meta\x20name=\"viewport\"\x20content=\"width=device-width,\
SF:x20initial-scale=1,\x20shrink-to-fit=no\">\n\x20\x20<meta\x20name=\"des
SF:cription\"\x20content=\"\">\n\x20\x20<meta\x20name=\"author\"\x20conten
SF:t=\"\">\n\n\x20\x20<title>\[Un\]baked\x20\|\x20/</title>\n\n\x20\x20<!-
SF:-\x20Bootstrap\x20core\x20CSS\x20-->\n\x20\x20<link\x20href=\"/static/v
SF:endor/bootstrap/css/bootstrap\.min\.css\"\x20rel=\"stylesheet\">\n\n\x2
SF:0\x20<!--\x20Custom\x20fonts\x20for\x20this\x20template\x20-->\n\x20\x2
SF:0<link\x20href=\"/static/vendor/fontawesome-free/css/all\.min\.cs")%r(H
SF:TTPOptions,1EC5,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Fri,\x2006\x20Jan\x
SF:202023\x2017:50:54\x20GMT\r\nServer:\x20WSGIServer/0\.2\x20CPython/3\.8
SF:\.6\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nX-Frame-Options:
SF:\x20DENY\r\nVary:\x20Cookie\r\nContent-Length:\x207453\r\nX-Content-Typ
SF:e-Options:\x20nosniff\r\nReferrer-Policy:\x20same-origin\r\nSet-Cookie:
SF:\x20\x20csrftoken=zMMSMqWmdsZyfiSatCvTn2y3QILZn2VE5xhRCPOlAI6Kn6ERPIJJY
SF:LrIEjG8pgyZ;\x20expires=Fri,\x2005\x20Jan\x202024\x2017:50:54\x20GMT;\x
SF:20Max-Age=31449600;\x20Path=/;\x20SameSite=Lax\r\n\r\n\n<!DOCTYPE\x20ht
SF:ml>\n<html\x20lang=\"en\">\n\n<head>\n\n\x20\x20<meta\x20charset=\"utf-
SF:8\">\n\x20\x20<meta\x20name=\"viewport\"\x20content=\"width=device-widt
SF:h,\x20initial-scale=1,\x20shrink-to-fit=no\">\n\x20\x20<meta\x20name=\"
SF:description\"\x20content=\"\">\n\x20\x20<meta\x20name=\"author\"\x20con
SF:tent=\"\">\n\n\x20\x20<title>\[Un\]baked\x20\|\x20/</title>\n\n\x20\x20
SF:<!--\x20Bootstrap\x20core\x20CSS\x20-->\n\x20\x20<link\x20href=\"/stati
SF:c/vendor/bootstrap/css/bootstrap\.min\.css\"\x20rel=\"stylesheet\">\n\n
SF:\x20\x20<!--\x20Custom\x20fonts\x20for\x20this\x20template\x20-->\n\x20
SF:\x20<link\x20href=\"/static/vendor/fontawesome-free/css/all\.min\.cs");

From the scan, we can tell it is a Python web server (WSGIServer/0.2 on CPython 3.8.6); the csrftoken cookie and the default security headers suggest a Django application.


The site reveals three usernames: ramsey, wan, and oliver.

There is a search feature.

When we search for hello, we can see a cookie being set.

search_cookie="gASVCQAAAAAAAACMBWhlbGxvlC4=";

Base64-decoding the cookie in CyberChef and converting the result to hex gives the following.

\x80\x04\x95\x09\x00\x00\x00\x00\x00\x00\x00\x8c\x05\x68\x65\x6c\x6c\x6f\x94\x2e

We can do the same in Python.

>>> from base64 import b64decode
>>> hello = b64decode('gASVCQAAAAAAAACMBWhlbGxvlC4=')
>>> print(hello)
b'\x80\x04\x95\t\x00\x00\x00\x00\x00\x00\x00\x8c\x05hello\x94.'
>>>
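The decoded bytes start with \x80\x04, which is the PROTO opcode of a Python pickle (protocol 4), so the server is storing the search term as a pickle in a client-controlled cookie. The script below is an added example, not part of the original writeup: it base64-decodes the cookie value from the page, walks the pickle opcodes with the standard-library pickletools module without executing the stream, flags any opcode that can import or instantiate objects, and loads the value only through an Unpickler whose find_class refuses every global. The encode_search function is an assumption about how the server builds the cookie (pickle.dumps with protocol 4, then base64), checked by reproducing the observed value.

```python
import base64
import datetime
import io
import pickle
import pickletools

# Cookie value taken from the writeup (search term "hello").
SEARCH_COOKIE = "gASVCQAAAAAAAACMBWhlbGxvlC4="

# Opcodes that can import a global, call a callable or run __setstate__;
# a pickle that carries none of these cannot execute attacker-chosen code.
RISKY_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
    "NEWOBJ", "NEWOBJ_EX", "BUILD",
}


def decode_cookie(value):
    """Base64-decode the cookie into the raw pickle bytes."""
    return base64.b64decode(value)


def pickle_opcodes(data):
    """Opcode names in the stream; genops parses without executing anything."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)]


def pickle_protocol(data):
    """Protocol number from the PROTO opcode, or None if the stream lacks one."""
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "PROTO":
            return arg
    return None


def has_risky_opcodes(data):
    """True if the stream contains any opcode able to import or call objects."""
    return any(name in RISKY_OPCODES for name in pickle_opcodes(data))


class SafeUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any module.name reference."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def safe_loads(data):
    """Load a pickle that may only contain plain data (str, int, list, dict...)."""
    return SafeUnpickler(io.BytesIO(data)).load()


def encode_search(term):
    """Assumed server-side construction: pickle protocol 4, then base64."""
    return base64.b64encode(pickle.dumps(term, protocol=4)).decode("ascii")


def demo_refusal():
    """Show the safe loader rejecting a pickle that references a class.

    datetime.date is a harmless constructed sample; its pickle uses
    STACK_GLOBAL + REDUCE, the same opcodes an attacker-built payload needs.
    """
    data = pickle.dumps(datetime.date(2023, 1, 7), protocol=4)
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    raw = decode_cookie(SEARCH_COOKIE)
    print(raw)
    print("protocol:", pickle_protocol(raw))
    print("opcodes:", pickle_opcodes(raw))
    print("risky:", has_risky_opcodes(raw))
    print("value:", safe_loads(raw))
    print("reproduced cookie:", encode_search("hello") == SEARCH_COOKIE)
    print("class reference refused:", demo_refusal())
```

On the observed cookie the opcode walk yields PROTO, FRAME, SHORT_BINUNICODE, MEMOIZE, STOP, so it is a plain string and the restricted loader returns 'hello'. The defensive point is that pickletools.genops and a find_class override are the only safe ways to look at a cookie like this; calling pickle.loads on it directly would execute whatever a client put there. Signing the cookie (or not pickling client data at all) is the fix on the server side.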