Challenge - Sometimes, the only info we have on a target is an IP address. Can we complete the challenge and conduct an in-depth probe on the target?
LET'S GO!
Q1: What is the version of the Apache server?
As is typically the case, we start with a basic nmap scan (note that -sS needs raw-socket privileges, so run it with sudo, and -A already implies -sC and -sV):
nmap -sS -sC -A -v [target_ip]
And we can answer Q1.
Q2: What is the port number of the FTP service?
I ran a second scan, using:
nmap -sS -sC -A -v -p 1000-9999 [target_ip]
Now we have a bit more info (nmap's default scan only covers its 1,000 most common ports, so anything listening on an unusual port needs an explicit -p range), and can answer Q2.
Q3: What is the FQDN for the website hosted using a self-signed certificate and contains critical server information as the homepage?
We can refer to the second nmap scan to find this: the ssl-cert script output lists the certificate's subject, and its commonName is the FQDN.
Q4: What is the email address associated with the SSL certificate used to sign the website mentioned in Q3?
I navigate to the standard HTTP port 80 and get a 403 Forbidden error, likewise with port 443. Next I try 1443, and finally get to the target using:
https://[machine_ip]:1443
Here we get a warning about an invalid security certificate:
Clicking on "Learn more...", we get the following:
And finally, choose "View Certificate" and in the next tab we see the Issuer and can answer Q4.
Q5: What is the value of the PHP Extension Build on the server?
Going back to the target website on port 1443 (the certificate warning page), click "Accept the Risk and Continue", and it brings us to the public phpinfo page created for the server.
But, according to a tutorial I found on DigitalOcean, this page should be removed. This might come in handy? We'll see!
Nevertheless, we can answer Q5.
Q6: What is the banner for the FTP service?
Referring back to the nmap scan, we see the FTP service running on port 1338.
I had to look up how to get nmap to show the FTP banner.
The command is:
nmap -sV --script=banner -p 1338 [target_ip]
Interesting! And we have the answer to Q6.
Q7: What software is used for managing the database on the server?
I did a web search for this..."software used to manage wordpress server" and found the answer right away.
Q8: What is the Content Management System hosted on the server? Q9: What is the version number of the CMS hosted on the server?
For Q8 and Q9, refer back to the nmap results: the http-generator script, run by -sC, reports the site's meta generator tag, which for WordPress includes the version.
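Q1 through Q6 and Q8/Q9 all come straight out of nmap output, and clicking through browser dialogs to read a certificate does not scale. Below is an added example (my own code, not part of the room or the original write-up) that pulls those answers out of an nmap XML report written with -oX. The XML embedded in it is a constructed sample shaped like nmap's output, with placeholder versions, hostnames, addresses and banner text; nothing in it is data from the target.

```python
"""Pull the scanning answers out of an nmap XML report (nmap ... -oX scan.xml).

Added example for this walkthrough, not the room's material. SAMPLE_XML is a
CONSTRUCTED report with placeholder values; point parse_report() at a real
file's contents to use it for real.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sC -sV -p 1000-9999 10.0.0.1">
<host><address addr="10.0.0.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="open"/>
  <service name="http" product="Apache httpd" version="2.4.0-sample"/>
  <script id="http-title" output="403 Forbidden"/>
</port>
<port protocol="tcp" portid="1338"><state state="open"/>
  <service name="ftp" product="vsftpd" version="0.0.0-sample"/>
  <script id="banner" output="220 constructed sample FTP banner"/>
</port>
<port protocol="tcp" portid="1443"><state state="open"/>
  <service name="ssl/http" product="Apache httpd" version="2.4.0-sample"/>
  <script id="ssl-cert" output="Subject: commonName=sample.example.test">
    <table key="subject">
      <elem key="commonName">sample.example.test</elem>
      <elem key="emailAddress">owner@example.test</elem>
    </table>
    <table key="issuer">
      <elem key="commonName">sample.example.test</elem>
      <elem key="emailAddress">owner@example.test</elem>
    </table>
  </script>
</port>
<port protocol="tcp" portid="9007"><state state="open"/>
  <service name="http" product="Apache httpd" version="2.4.0-sample"/>
  <script id="http-generator" output="WordPress 0.0.0-sample"/>
</port>
<port protocol="tcp" portid="9999"><state state="closed"/>
  <service name="abyss"/>
</port>
</ports></host></nmaprun>
"""


def parse_report(xml_text):
    """Return one dict per OPEN port: service, product, version, script output, cert."""
    findings = []
    for port in ET.fromstring(xml_text).iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue  # closed/filtered ports carry no service detail worth keeping
        svc = port.find("service")
        entry = {
            "port": int(port.get("portid")),
            "proto": port.get("protocol"),
            "service": svc.get("name", "") if svc is not None else "",
            "product": svc.get("product", "") if svc is not None else "",
            "version": svc.get("version", "") if svc is not None else "",
            "scripts": {},
        }
        for script in port.findall("script"):
            entry["scripts"][script.get("id")] = script.get("output", "").strip()
            if script.get("id") == "ssl-cert":
                # ssl-cert emits <table key="subject"> / <table key="issuer"> with <elem key=...>
                entry["cert"] = {
                    table.get("key"): {e.get("key"): e.text for e in table.findall("elem")}
                    for table in script.findall("table")
                }
        findings.append(entry)
    return findings


def apache_version(findings):
    for f in findings:
        if f["product"].startswith("Apache httpd") and f["version"]:
            return f["version"]
    return None


def ftp_ports(findings):
    return [f["port"] for f in findings if f["service"] == "ftp"]


def ftp_banner(findings):
    for f in findings:
        if f["service"] == "ftp" and "banner" in f["scripts"]:
            return f["scripts"]["banner"]
    return None


def self_signed_sites(findings):
    """(port, commonName, emailAddress) for every cert whose subject equals its issuer."""
    out = []
    for f in findings:
        cert = f.get("cert") or {}
        subject, issuer = cert.get("subject", {}), cert.get("issuer", {})
        if subject and subject == issuer:
            out.append((f["port"], subject.get("commonName"), subject.get("emailAddress")))
    return out


def cms(findings):
    """(port, generator name, version) from the first http-generator hit, if any."""
    for f in findings:
        generator = f["scripts"].get("http-generator")
        if generator:
            name, _, version = generator.partition(" ")
            return f["port"], name, version
    return None


if __name__ == "__main__":
    report = parse_report(SAMPLE_XML)
    print("Apache version :", apache_version(report))
    print("FTP port(s)    :", ftp_ports(report))
    print("FTP banner     :", ftp_banner(report))
    print("self-signed    :", self_signed_sites(report))
    print("CMS            :", cms(report))
```

The self-signed check compares the whole subject table against the issuer table, which is exactly what makes a certificate self-signed; on a real report it also surfaces the emailAddress field without going near a browser. Remember that the banner script is not in nmap's default set, so the FTP banner only shows up if you ran --script=banner as in Q6.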
Q10: What is the username for the admin panel of the CMS?
So, earlier in the task I navigated to the website at port 9007.
Not much here. After some digging, I let it go and came back to it after finishing the rest.
This one I had to research. I knew it involved changing a parameter in the URL, but I was on the wrong track using page numbers and trying to access directories of the other services.
Ultimately, I searched "username for wp admin panel" and one result stood out right away. Needless to say, I found the answer using this method.
Q11: Again, I just did a web search for "OSVDB-3092 wordpress" and found the answer.
Q12: Refer back to the initial nmap scan and it's pretty obvious.
Q13: What is the flag value associated with the web page hosted on port 8000?
For this I used gobuster to find any hidden directories:
`gobuster dir -u http://[machine_ip]:8000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt`
I tried the first one and got the flag!
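To make clear what gobuster is actually doing in that last step, here is an added example (my own code, not gobuster's and not part of the room): a minimal directory brute-forcer that requests each wordlist entry, keeps anything that is not a 404, and first probes a random path so a catch-all server that answers 200 to everything does not bury you in false positives. demo() spins up a local HTTP server with a constructed set of paths, so it runs entirely offline; the paths, the flag string and the tiny wordlist are all made up for the demo.

```python
"""Minimal gobuster-style directory brute force with a wildcard (catch-all) check.

Added example for this walkthrough, not gobuster's code and not the room's
material. FAKE_SITE and the demo wordlist are CONSTRUCTED for an offline run.
"""
import http.client
import threading
import uuid
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Status codes worth reporting; anything else is treated as "not there".
# gobuster's own defaults are similar (check --help for your version).
INTERESTING = {200, 204, 301, 302, 307, 401, 403, 405}


def probe(host, port, path, timeout=5):
    """Return the HTTP status for one path, without following redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "dirbrute-example"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status
    finally:
        conn.close()


def wildcard_detected(host, port):
    """A catch-all server answers a random, surely-absent path with something other than 404."""
    return probe(host, port, "/" + uuid.uuid4().hex) != 404


def brute(host, port, words):
    """Return {path: status} for every wordlist entry the server admits exists."""
    if wildcard_detected(host, port):
        raise RuntimeError("server answers every path; filter on size or content before brute-forcing")
    hits = {}
    for word in words:
        word = word.strip()
        if not word or word.startswith("#"):  # wordlists carry blanks and comments
            continue
        path = "/" + word
        status = probe(host, port, path)
        if status in INTERESTING:
            hits[path] = status
    return hits


# ---- constructed target for the offline demo ----
FAKE_SITE = {
    "/robots.txt": (200, b"User-agent: *\nDisallow: /hidden/\n"),
    "/hidden": (301, b""),
    "/hidden/": (200, b"flag{constructed-sample-flag}\n"),
    "/admin": (403, b"Forbidden\n"),
}


class FakeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = FAKE_SITE.get(self.path, (404, b"Not Found\n"))
        self.send_response(status)
        if status == 301:
            self.send_header("Location", self.path + "/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo(words=("robots.txt", "hidden", "admin", "images", "uploads", "# comment", "")):
    """Serve FAKE_SITE on a free local port, brute-force it, shut the server down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return brute("127.0.0.1", server.server_address[1], words)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{path:<20} (Status: {status})")
```

The 301 on /hidden is the same signal gobuster shows for a directory without a trailing slash; following it (or re-running with the slash) is where the page content lives, which is why the wordlist hit is only the starting point. The wildcard check is the part people skip and then regret: against a server with a catch-all route every entry "exists".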
That's all! Nice room that was really about scanning, digging, and, as a last resort, just looking up a term or thought. That's how we learn and reinforce things we may have already learned.
Thanks for reading!