Pwned Date - 5th June 2022

Enumeration (FAILED)

┌──(kali㉿VirtualBox)-[~]
└─$ rustscan -a 192.168.56.83

PORT     STATE SERVICE    REASON
21/tcp   open  ftp        syn-ack
22/tcp   open  ssh        syn-ack
7080/tcp open  empowerid  syn-ack
8088/tcp open  radan-http syn-ack
8715/tcp open  unknown    syn-ack

┌──(kali㉿VirtualBox)-[~]
└─$ nmap -sC -sV  192.168.56.83 -p 21,22,7080,8088,8715

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           vsftpd 3.0.3
22/tcp   open  ssh           OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 89:4f:3a:54:01:f8:dc:b6:6e:e0:78:fc:60:a6:de:35 (RSA)
|   256 dd:ac:cc:4e:43:81:6b:e3:2d:f3:12:a1:3e:4b:a3:22 (ECDSA)
|_  256 cc:e6:25:c0:c6:11:9f:88:f6:c4:26:1e:de:fa:e9:8b (ED25519)
7080/tcp open  ssl/empowerid LiteSpeed
|_http-server-header: LiteSpeed
|_http-title: Did not follow redirect to https://192.168.56.83:7080/
| tls-alpn: 
|   h2
|   spdy/3
|   spdy/2
|_  http/1.1
| ssl-cert: Subject: commonName=katana/organizationName=webadmin/countryName=US
| Not valid before: 2020-05-11T13:57:36
|_Not valid after:  2022-05-11T13:57:36
|_ssl-date: TLS randomness does not represent time
8088/tcp open  http          LiteSpeed httpd
|_http-title: Katana X
|_http-server-header: LiteSpeed
8715/tcp open  http          nginx 1.14.2
|_http-title: 401 Authorization Required
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Restricted Content
|_http-server-header: nginx/1.14.2
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Going to the IP alone

Going to port 7080 will show us a warning

Going to port 8088 will show us the default webpage

Going to port 8715 will show us this sign in prompt

Time to GoBuster

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 192.168.56.83 -w /usr/share/wordlists/dirb/common.txt -q -t 100
/ebook                (Status: 301) [Size: 314] [--> http://192.168.56.83/ebook/]
/index.html           (Status: 200) [Size: 655]
/server-status        (Status: 403) [Size: 278]

Browsing around, I found this admin login tab

Since this is so, why not fuzz again under the /ebook path?

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 192.168.56.83/ebook/ -w /usr/share/wordlists/dirb/common.txt -q -t 100
/.htpasswd            (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.hta                 (Status: 403) [Size: 278]
/admin.php            (Status: 200) [Size: 3153]
/controllers          (Status: 301) [Size: 326] [--> http://192.168.56.83/ebook/controllers/]
/database             (Status: 301) [Size: 323] [--> http://192.168.56.83/ebook/database/]
/functions            (Status: 301) [Size: 324] [--> http://192.168.56.83/ebook/functions/]
/index.php            (Status: 200) [Size: 3998]
/info.php             (Status: 200) [Size: 94935]
/models               (Status: 301) [Size: 321] [--> http://192.168.56.83/ebook/models/]
/template             (Status: 301) [Size: 323] [--> http://192.168.56.83/ebook/template/]

There is something interesting in /ebook/database