┌──(kali㉿VirtualBox)-[~]
└─$ nmap -sC -sV 192.168.201.111 -p 22,80,33060
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b2:d8:51:6e:c5:84:05:19:08:eb:c8:58:27:13:13:2f (RSA)
| 256 b0:de:97:03:a7:2f:f4:e2:ab:4a:9c:d9:43:9b:8a:48 (ECDSA)
|_ 256 9d:0f:9a:26:38:4f:01:80:a7:a6:80:9d:d1:d4:cf:ec (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_gym
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
33060/tcp open mysqlx?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at <https://nmap.org/cgi-bin/submit.cgi?new-service> :
SF-Port33060-TCP:V=7.92%I=7%D=6/27%Time=62B95AD7%P=x86_64-pc-linux-gnu%r(G
SF:enericLines,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
There seems to be nothing on port 33060, so we will fuzz port 80.
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 192.168.201.111 -w /usr/share/wordlists/dirb/common.txt -q -t 100
/admin (Status: 301) [Size: 318] [--> <http://192.168.201.111/admin/>]
/index.html (Status: 200) [Size: 10918]
/index.php (Status: 200) [Size: 3468]
/robots.txt (Status: 200) [Size: 14]
/secret (Status: 301) [Size: 319] [--> <http://192.168.201.111/secret/>]
/server-status (Status: 403) [Size: 280]
/store (Status: 301) [Size: 318] [--> <http://192.168.201.111/store/>]
We have this /admin portal.
Meanwhile, /secret seems to have nothing in it.
Lastly, /store looks like a promising place to look around, as it's a web app.
/robots.txt disallows gym.
So we go to /gym, and this is what we get.
There is a lot going on on this web server, so I will test things one by one.
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 192.168.201.111 -w /usr/share/wordlists/dirb/common.txt -q -t 100 -x .php
/.htpasswd (Status: 403) [Size: 280]
/.htpasswd.php (Status: 403) [Size: 280]
/.htaccess (Status: 403) [Size: 280]
/.hta (Status: 403) [Size: 280]
/.htaccess.php (Status: 403) [Size: 280]
/.hta.php (Status: 403) [Size: 280]
/admin (Status: 301) [Size: 318] [--> <http://192.168.201.111/admin/>]
/dashboard.php (Status: 302) [Size: 10272] [--> <http://192.168.201.111/index.php>]
/forgot-password.php (Status: 200) [Size: 2763]
/header.php (Status: 200) [Size: 1666]
/index.html (Status: 200) [Size: 10918]
/index.php (Status: 200) [Size: 3468]
/index.php (Status: 200) [Size: 3468]
/logout.php (Status: 200) [Size: 75]
/profile.php (Status: 302) [Size: 7247] [--> <http://192.168.201.111/index.php>]
/registration.php (Status: 200) [Size: 9409]
/robots.txt (Status: 200) [Size: 14]
/secret (Status: 301) [Size: 319] [--> <http://192.168.201.111/secret/>]
/server-status (Status: 403) [Size: 280]
/store (Status: 301) [Size: 318] [--> <http://192.168.201.111/store/>]
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 192.168.201.111/store -w /usr/share/wordlists/dirb/common.txt -q -t 100
/admin.php (Status: 200) [Size: 3153]
/.htaccess (Status: 403) [Size: 280]
/.htpasswd (Status: 403) [Size: 280]
/.hta (Status: 403) [Size: 280]
/controllers (Status: 301) [Size: 330] [--> <http://192.168.201.111/store/controllers/>]
/database (Status: 301) [Size: 327] [--> <http://192.168.201.111/store/database/>]
/functions (Status: 301) [Size: 328] [--> <http://192.168.201.111/store/functions/>]
/index.php (Status: 200) [Size: 3998]
/models (Status: 301) [Size: 325] [--> <http://192.168.201.111/store/models/>]
/template (Status: 301) [Size: 327] [--> <http://192.168.201.111/store/template/>]
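Seen from the defender's side, the gobuster runs above leave a recognizable trace in Apache's access log: one client asking for many distinct paths within seconds, nearly all answered with 404 or 403, including the /.ht* probes. The Python below is an added example, not part of the original writeup; it assumes the Apache combined log format, and the thresholds, client addresses and /guessN paths are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
MISS = {"403", "404"}            # where most wordlist guesses end up
WINDOW = timedelta(seconds=10)   # assumed thresholds; tune per site
MIN_PATHS, MIN_MISS_RATIO = 20, 0.8

def parse(line):
    m = LOG_RE.match(line)
    if m is None:
        return None              # skip lines that are not combined-format
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], m["status"]

def find_scanners(lines):
    """Map client IP -> evidence for the first WINDOW that looks like a wordlist scan."""
    by_ip = defaultdict(list)
    for ip, ts, path, status in filter(None, map(parse, lines)):
        by_ip[ip].append((ts, path, status))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1       # slide the window's left edge forward
            win = events[start:end + 1]
            paths = {p for _, p, _ in win}
            ratio = sum(s in MISS for _, _, s in win) / len(win)
            if len(paths) >= MIN_PATHS and ratio >= MIN_MISS_RATIO:
                flagged[ip] = {"paths_in_window": len(paths), "miss_ratio": round(ratio, 2),
                               "htfile_probes": sorted(p for p in paths if p.startswith("/.ht"))}
                break
    return flagged

def constructed_log():
    """Constructed sample: one scanning client and one ordinary visitor."""
    fmt = '{} - - [01/Jan/2024:07:20:{:02d} +0000] "GET {} HTTP/1.1" {} 280 "-" "-"'
    hits = {"/admin": 301, "/store": 301, "/index.php": 200, "/.htaccess": 403, "/.htpasswd": 403}
    guesses = list(hits) + ["/guess%d" % i for i in range(25)]   # placeholders for wordlist misses
    scan = [fmt.format("192.0.2.10", i // 10, p, hits.get(p, 404)) for i, p in enumerate(guesses)]
    user = [fmt.format("192.0.2.20", 10 * i, "/store/index.php", 200) for i in range(5)]
    return scan + user

if __name__ == "__main__":
    print(find_scanners(constructed_log()))
```

Requiring both a distinct-path count and a miss ratio keeps an ordinary visitor, or a crawler that mostly receives 200s, below the threshold.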