Playing around with pentestit.ru testlab v.10 – Part 1

Let's play around with the pentestit.ru testlab v.10. Target IP: 192.168.101.9. Nmap:
$ nmap 192.168.101.9 -A

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-09 22:27 EDT
Nmap scan report for gds.lab (192.168.101.9)
Host is up (0.56s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.0p1 Debian 4+deb7u6 (protocol 2.0)
| ssh-hostkey:
|   1024 bd:04:9b:d8:8d:0e:5b:e3:11:a7:57:18:c0:ce:9f:83 (DSA)
|   2048 98:e6:d0:35:6d:11:c4:d1:fb:7c:0f:87:c6:b6:8e:da (RSA)
|_  256 2c:58:fd:06:ea:46:8e:f7:b5:28:58:58:06:fa:dc:38 (ECDSA)
25/tcp   open  smtp    CommuniGate Pro mail server 6.0.9
|_smtp-commands: SMTP EHLO gds.lab: failed to receive data: connection timeout
80/tcp   open  http    nginx 1.10.1
|_http-server-header: nginx/1.10.1
| http-title: 400 Bad Request
|_Requested resource was http://store.gds.lab
443/tcp  open  http    nginx 1.2.1
|_http-server-header: nginx/1.2.1
|_http-title: Security Blog by GlobalDataSecurity
8100/tcp open  http    CommuniGate Pro httpd 6.0.9
| http-methods:
|_  Potentially risky methods: PUT DELETE LOCK UNLOCK MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH ACL MKCALENDAR
|_http-server-header: CommuniGatePro/6.0.9
|_http-svn-info: ERROR: Script execution failed (use -d to debug)
|_http-title: CommuniGate Pro gds.lab Entrance
| http-webdav-scan:
|   Server Type: CommuniGatePro/6.0.9
|   Public Options: OPTIONS, GET, HEAD, POST, PUT, DELETE, LOCK, UNLOCK, MKCOL, PROPFIND, PROPPATCH, MOVE, COPY, REPORT, SEARCH, ACL, MKCALENDAR
|   Allowed Methods: OPTIONS, GET, HEAD, POST, PUT, DELETE, LOCK, UNLOCK, MKCOL, PROPFIND, PROPPATCH, MOVE, COPY, REPORT, SEARCH, ACL, MKCALENDAR
|   WebDAV type: Unkown
|   Server Date: Mon, 10 Apr 2017 02:28:28 GMT
|   Directory Listing:
|     /
|     /CalDAV/
|     /CalDAV/INBOX/
|     /CalDAV/Outbox/
|     /WebDAV/private/caldav/
|_    /CalDAV/Notify/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 164.07 seconds
Let's check the HTTP headers on port 80:
$ curl -I http://192.168.101.9
HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Mon, 10 Apr 2017 00:34:08 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/5.4.45-0+deb7u5
Set-Cookie: PHPSESSID=fcll0vv9bgfv5t8qf2nklig4p3; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: default=963592ccd56622f61d552345b8; path=/; httponly
Set-Cookie: language=en-gb; expires=Wed, 10-May-2017 00:34:08 GMT; path=/; domain=192.168.101.9
Set-Cookie: currency=USD; expires=Wed, 10-May-2017 00:34:08 GMT; path=/; domain=192.168.101.9
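Those headers already say a lot before any page is rendered: X-Powered-By discloses PHP 5.4.45 on Debian 7 (5.4 has been end-of-life since 2015), PHPSESSID and default are HttpOnly but language and currency are not, and no cookie carries Secure or SameSite (the site is plain HTTP, so Secure would not help yet, but it matters if 443 serves the same application). As an added check that is not part of the original write-up, the following Python script parses the header block above (embedded as a constructed sample copied from the curl output) and reports the missing cookie attributes and the version-leaking headers, so the same audit can be rerun on any other response headers collected during the lab.

```python
"""Audit Set-Cookie attributes and version-disclosing headers in a raw HTTP
response. Added example, not code from the original write-up."""
import re

# Constructed sample: the `curl -I http://192.168.101.9` response shown above.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Mon, 10 Apr 2017 00:34:08 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/5.4.45-0+deb7u5
Set-Cookie: PHPSESSID=fcll0vv9bgfv5t8qf2nklig4p3; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: default=963592ccd56622f61d552345b8; path=/; httponly
Set-Cookie: language=en-gb; expires=Wed, 10-May-2017 00:34:08 GMT; path=/; domain=192.168.101.9
Set-Cookie: currency=USD; expires=Wed, 10-May-2017 00:34:08 GMT; path=/; domain=192.168.101.9
"""

# Headers that commonly advertise a product version.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# Attributes every cookie should carry; missing ones are reported.
WANTED_ATTRS = ("httponly", "secure", "samesite")


def parse_headers(raw):
    """Return (name, value) pairs with lower-cased names.

    A list, not a dict, because Set-Cookie legitimately repeats."""
    pairs = []
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line or blank/garbage line
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_cookies(pairs):
    """Map each cookie name to the list of WANTED_ATTRS it does not set.

    Attribute names are case-insensitive per RFC 6265, so 'httponly' and
    'HttpOnly' are treated the same."""
    findings = {}
    for name, value in pairs:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        findings[cookie_name] = [a for a in WANTED_ATTRS if a not in attrs]
    return findings


def version_leaks(pairs):
    """Fingerprint headers whose value contains a dotted version number."""
    return {n: v for n, v in pairs
            if n in FINGERPRINT_HEADERS and re.search(r"\d+\.\d+", v)}


if __name__ == "__main__":
    parsed = parse_headers(SAMPLE_HEADERS)
    for cookie, missing in audit_cookies(parsed).items():
        print(f"cookie {cookie}: missing {', '.join(missing) or 'nothing'}")
    for header, value in version_leaks(parsed).items():
        print(f"version leak in {header}: {value}")
```

Feed it `curl -si` output instead of `curl -I` when the application behaves differently for HEAD, which PHP applications sometimes do.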
I tried to open the IP address through a web browser, but it takes forever to load the page. 🙁 OK, let's examine the source of the page:
<html dir="ltr" lang="en">
<!--<![endif]-->
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>GDS WARE</title>
<base href="http://store.gds.lab/" />
<meta name="description" content="GDS WARE" />
<meta name="keywords" content= "GDS WARE" />
I found the store.gds.lab domain inside.
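The `<base href="http://store.gds.lab/">` is most likely also why the browser stalls: every relative link, stylesheet and script URL on the page is resolved against store.gds.lab, a name the attacking machine cannot resolve. The nmap output leaked the same hostname (the redirect "Requested resource was http://store.gds.lab" on port 80) plus the apex gds.lab (reverse DNS and the CommuniGate title), and the different titles on 80 and 443 show nginx is serving several virtual hosts off one IP. As an added example that is not part of the original write-up, the following Python script collects such hostnames from scan output and HTML, prints the /etc/hosts line that makes the browser usable, and probes each name against the IP with an explicit Host header, which is enough to select an nginx server block without any DNS entry. The sample inputs are constructed from the nmap and HTML fragments above; the network probe is an assumption about the lab being reachable and only runs from the `__main__` block.

```python
"""Harvest leaked virtual-host names and probe them via the Host header.
Added example, not code from the original write-up."""
import http.client
import re

TARGET_IP = "192.168.101.9"

# Constructed sample: lines taken from the nmap -A output above.
NMAP_SAMPLE = """\
Nmap scan report for gds.lab (192.168.101.9)
|_Requested resource was http://store.gds.lab
|_http-title: CommuniGate Pro gds.lab Entrance
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
"""

# Constructed sample: the <head> of the page on port 80.
HTML_SAMPLE = """\
<title>GDS WARE</title>
<base href="http://store.gds.lab/" />
<meta name="description" content="GDS WARE" />
"""

# Dotted name ending in an alphabetic label; IPs and version strings do not match.
HOSTNAME_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def extract_hostnames(texts, suffix=".lab"):
    """Return sorted unique hostnames ending in `suffix` found in the texts.

    Worth feeding: nmap output (reverse DNS, redirect targets, titles), raw
    headers (Location, Set-Cookie domain=) and HTML (<base href>, absolute
    links). The suffix filter drops third-party names such as nmap.org; set it
    to the lab's domain (here .lab, an assumption taken from the scan output)."""
    found = set()
    for text in texts:
        for name in HOSTNAME_RE.findall(text):
            name = name.lower()
            if name.endswith(suffix):
                found.add(name)
    return sorted(found)


def hosts_entry(ip, names):
    """One /etc/hosts line mapping every discovered name to the target IP."""
    return f"{ip} {' '.join(names)}"


def probe_vhost(ip, host, port=80, timeout=5):
    """GET / on the IP with an explicit Host header; return (status, title).

    Plain HTTP only: on 443 nginx picks the server block by SNI, so an HTTPS
    probe must also pass server_hostname when wrapping the socket."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read(65536).decode("utf-8", "replace")
    finally:
        conn.close()
    match = re.search(r"<title>(.*?)</title>", body, re.IGNORECASE | re.DOTALL)
    return resp.status, (match.group(1).strip() if match else None)


if __name__ == "__main__":
    names = extract_hostnames([NMAP_SAMPLE, HTML_SAMPLE])
    print("add to /etc/hosts:", hosts_entry(TARGET_IP, names))
    for host in names:
        try:
            print(host, probe_vhost(TARGET_IP, host))
        except OSError as exc:  # lab VPN down, host filtered, etc.
            print(host, "unreachable:", exc)
```

Comparing the status and title returned for each Host value against the bare-IP request (which gave 200 with the GDS WARE store) tells you which names nginx actually distinguishes; a name that returns the default server block is not a separate vhost and can be dropped from the hosts line.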