Bounty - Hackthebox.eu

Enumeration

As always, let's start with a full nmap scan:

 

Nmap scan report for 10.10.10.93
Host is up (0.021s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
3389/tcp open ms-wbt-server?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Nmap shows an HTTP service on port 80 and some weird Microsoft service on 3389. Let's browse to the site to see what we can find.

 

PICTURE MERLIN

 

A wizard… That’s weird. Maybe a Merlin exploit? Anyway, inspecting the page source didn’t show anything. Let's fire up gobuster to get some info on the site.

gobuster -u 10.10.10.93 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -t 50

=====================================================
Gobuster v2.0.0 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.93/
[+] Threads : 50
[+] Wordlist : /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2018/11/16 20:29:20 Starting gobuster
=====================================================
/aspnet_client (Status: 301)
/uploadedfiles (Status: 301)
=====================================================
2018/11/16 20:29:22 Finished
=====================================================
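From the defender's side, a scan like the gobuster run above shows up in the IIS logs as one client collecting many 404s within a couple of seconds. The following Python sketch is an added example, not part of the original write-up: the log lines are constructed, and the window and threshold values are assumptions to tune for a real site.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt (not taken from the target host): one client
# probing nonexistent paths in a two-second burst, plus an ordinary visitor.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2018-11-16 20:29:20 GET /.git 198.51.100.7 404
2018-11-16 20:29:20 GET /admin 198.51.100.7 404
2018-11-16 20:29:20 GET /aspnet_client 198.51.100.7 301
2018-11-16 20:29:21 GET /backup 198.51.100.7 404
2018-11-16 20:29:21 GET /cgi-bin 198.51.100.7 404
2018-11-16 20:29:21 GET /login 198.51.100.7 404
2018-11-16 20:29:22 GET /uploadedfiles 198.51.100.7 301
2018-11-16 20:29:22 GET /webadmin 198.51.100.7 404
2018-11-16 20:31:05 GET / 192.0.2.10 200
2018-11-16 20:31:05 GET /favicon.ico 192.0.2.10 404
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            stamp = row["date"] + " " + row["time"]
            row["ts"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            yield row

def find_dir_bruteforce(text, window=timedelta(seconds=10), min_404=5):
    """Map each scanning client to the paths that did NOT 404 for it.
    A client is flagged once it requests at least min_404 distinct missing
    paths inside `window`; the non-404 paths are what its scan discovered."""
    by_ip = defaultdict(list)
    for row in parse_w3c(text):
        by_ip[row["c-ip"]].append(row)
    findings = {}
    for ip, rows in by_ip.items():
        misses = sorted((r["ts"], r["cs-uri-stem"]) for r in rows if r["sc-status"] == "404")
        for i, (start, _) in enumerate(misses):
            burst = {path for ts, path in misses[i:] if ts - start <= window}
            if len(burst) >= min_404:
                findings[ip] = sorted({r["cs-uri-stem"] for r in rows if r["sc-status"] != "404"})
                break
    return findings

if __name__ == "__main__":
    print(find_dir_bruteforce(SAMPLE_LOG))
```

The paths returned for a flagged client are the ones worth reviewing first, since they are exactly what the scanner learned exists.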

 
