PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.22 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/textpattern/textpattern
|_http-title: driftingblues
|_http-server-header: Apache/2.2.22 (Debian)
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.195.219/ -w /usr/share/wordlists/dirb/common.txt -q -t 200
/.htaccess (Status: 403) [Size: 292]
/.hta (Status: 403) [Size: 287]
/cgi-bin/ (Status: 403) [Size: 291]
/db (Status: 200) [Size: 53656]
/index (Status: 200) [Size: 750]
/index.html (Status: 200) [Size: 750]
/robots (Status: 200) [Size: 110]
/robots.txt (Status: 200) [Size: 110]
/server-status (Status: 403) [Size: 296]
/textpattern (Status: 301) [Size: 324] [--> http://192.168.195.219/textpattern/]
/.htpasswd (Status: 403) [Size: 292]
Seems like a lame website
More directory fuzzing. 1: /textpattern
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.195.219/textpattern -w /usr/share/wordlists/dirb/common.txt -q -t 100 -x zip
/.htpasswd (Status: 403) [Size: 304]
/.htpasswd.zip (Status: 403) [Size: 308]
/.htaccess (Status: 403) [Size: 304]
/.hta (Status: 403) [Size: 299]
/.htaccess.zip (Status: 403) [Size: 308]
/.hta.zip (Status: 403) [Size: 303]
/files (Status: 301) [Size: 330] [--> http://192.168.195.219/textpattern/files/]
/images (Status: 301) [Size: 331] [--> http://192.168.195.219/textpattern/images/]
/index.php (Status: 200) [Size: 12413]
/LICENSE (Status: 200) [Size: 15170]
/rpc (Status: 301) [Size: 328] [--> http://192.168.195.219/textpattern/rpc/]
/README (Status: 200) [Size: 6311]
/textpattern (Status: 301) [Size: 336] [--> http://192.168.195.219/textpattern/textpattern/]
/themes (Status: 301) [Size: 331] [--> http://192.168.195.219/textpattern/themes/]
And here comes 2: /textpattern/textpattern
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.195.219/textpattern/textpattern -w /usr/share/wordlists/dirb/common.txt -q -t 100 -x zip
/.htaccess.zip (Status: 403) [Size: 320]
/.htpasswd (Status: 403) [Size: 316]
/.htaccess (Status: 403) [Size: 316]
/.htpasswd.zip (Status: 403) [Size: 320]
/include (Status: 301) [Size: 344] [--> http://192.168.195.219/textpattern/textpattern/include/]
/index.php (Status: 200) [Size: 4553]
/lang (Status: 301) [Size: 341] [--> http://192.168.195.219/textpattern/textpattern/lang/]
/lib (Status: 301) [Size: 340] [--> http://192.168.195.219/textpattern/textpattern/lib/]
/plugins (Status: 301) [Size: 344] [--> http://192.168.195.219/textpattern/textpattern/plugins/]
/publish (Status: 301) [Size: 344] [--> http://192.168.195.219/textpattern/textpattern/publish/]
/setup (Status: 301) [Size: 342] [--> http://192.168.195.219/textpattern/textpattern/setup/]
/tmp (Status: 301) [Size: 340] [--> http://192.168.195.219/textpattern/textpattern/tmp/]
/textpattern (Status: 200) [Size: 82294]
/update (Status: 301) [Size: 343] [--> http://192.168.195.219/textpattern/textpattern/update/]
/vendors (Status: 301) [Size: 344] [--> http://192.168.195.219/textpattern/textpattern/vendors/]
Tried the default credentials managing-editor732, but they do not work. /robots says there is a .zip file, but we can't find it with common.txt, so we will try another wordlist here.
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.195.219/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -q -t 200 -x zip
/index (Status: 200) [Size: 750]
/db (Status: 200) [Size: 53656]
/robots (Status: 200) [Size: 110]
/spammer.zip (Status: 200) [Size: 179]
/spammer (Status: 200) [Size: 179]
^C
[!] Keyboard interrupt detected, terminating.
Maybe we found what we want?
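From the defender's side, the -x zip scans above leave a recognizable trace in the Apache access log: every word is requested both bare and with .zip appended, and most requests are answered 403 or 404. The following is an added example, not part of the original write-up, that flags such clients and lists the archives that answered 200; the log lines, client IPs, function names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip - - [time] "METHOD path PROTO" status size "ref" "ua"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3}) ')

def find_enumerators(lines, ext=".zip", min_pairs=3, min_miss_ratio=0.5):
    """Return {ip: report} for clients whose requests look like extension-paired fuzzing."""
    seen = defaultdict(dict)  # ip -> {path: last status seen}
    for line in lines:
        m = LINE.match(line)
        if m:
            ip, path, status = m.group(1), m.group(2).split("?")[0], int(m.group(3))
            seen[ip][path] = status
    reports = {}
    for ip, paths in seen.items():
        # A word tried both bare and with the extension is the signature of "-x zip".
        pairs = sum(1 for p in paths if not p.endswith(ext) and p + ext in paths)
        misses = sum(1 for s in paths.values() if s in (403, 404))
        if pairs >= min_pairs and misses / len(paths) >= min_miss_ratio:
            # Archives that answered 200 are what the scan actually exposed.
            exposed = sorted(p for p, s in paths.items() if p.endswith(ext) and s == 200)
            reports[ip] = {"pairs": pairs, "paths": len(paths), "exposed": exposed}
    return reports

def _log(ip, path, status):
    # Constructed sample line (documentation IP ranges), not taken from the target above.
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 292 "-" "-"'

SAMPLE = (
    [_log("203.0.113.7", f"/{w}{e}", 404)
     for w in ("admin", "backup", "old", "test") for e in ("", ".zip")]
    + [_log("203.0.113.7", "/spammer", 200), _log("203.0.113.7", "/spammer.zip", 200)]
    + [_log("198.51.100.4", p, 200) for p in ("/", "/index.html", "/robots.txt")]
)

if __name__ == "__main__":
    for ip, report in find_enumerators(SAMPLE).items():
        print(ip, report)
```

Any path in the exposed list is a file the scanner has confirmed exists, so it should be removed from the web root or placed behind access control.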
Tried to unzip spammer.zip, but we need credentials
┌──(kali㉿kali)-[~]
└─$ unzip spammer.zip
Archive: spammer.zip
[spammer.zip] creds.txt password:
skipping: creds.txt incorrect password
zip2john spammer.zip > hash