Vessel - HTB [Discussion]
Discussion about the new hard machine!

PORT  STATE SERVICE VERSION
22/tcp open  ssh    OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|  3072 38:c2:97:32:7b:9e:c5:65:b4:4b:4e:a3:30:a5:9a:a5 (RSA)
|  256 33:b3:55:f4:a1:7f:f8:4e:48:da:c5:29:63:13:83:3d (ECDSA)
|_  256 a1:f1:88:1c:3a:39:72:74:e6:30:1f:28:b6:80:25:4e (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Vessel
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
Reply
"git" :)
Reply
Please can anyone confirm that we cannot create a user? Thanks
Reply
(August 27, 2022, 09:26 PM)tom Wrote: Please can anyone confirm that we cannot create a user? Thanks


I sure as hell haven't had any luck. As in, no sign of register or reset endpoints working in any other capacity but a simple redirect.
Reply
Those endpoints are not active at all. You will see when you download the source (my first tip: "git")
Try to fuzz directories (recursive).
Reply
The subdomain is more important
Reply
Thanks man, I will do this. I even did this with feroxbuster with -e, but nothing interesting!
Reply
You can read the git index file with GIN

https://github.com/sbp/gin

and to find .git, just FUZZ the dev web folder
Reply
(August 27, 2022, 06:11 PM)fironeDerbert Wrote: Discussion about the new hard machine!


Nice
Reply
(August 28, 2022, 02:23 AM)yemacaw863 Wrote: so far.. found:
- DB connection string
- File path: /web/vessel/public/js/
Currently, bruteforcing login for user 'ethan'

Anyone managed to login yet?


If you have the source files from the .git folder, focus on the SQL query in the index.js file. No brute force needed.

Once you bypass authentication, you'll find a new subdomain... then from there you need to predict the name of a cache file.. that's where I'm stuck. No idea what the cache file is named
Reply