Enumeration

We begin with the usual port scan, which reveals three open ports, i.e. 22, 80 and 443.

/tmp/tmp.W0d5S9Lwfc ❯ hping3 -S --scan 1-65535 10.10.11.143 | grep -v "Not" 
Scanning 10.10.11.143 (10.10.11.143), port 1-65535
65535 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
All replies received. Done.
   22 ssh        : .S..A...  63     0 29200    44
   80 http       : .S..A...  63     0 29200    44
  443 https      : .S..A...  63     0 29200    44

A targeted nmap safe scan reveals nothing of consequence.

/tmp/tmp.W0d5S9Lwfc ❯ nmap -A -p22,80,443 -oA general/nmap/safe_scan 10.10.11.143                                         root@kali
Starting Nmap 7.92 ( https://nmap.org ) at 2024-06-15 15:22 NZST
Nmap scan report for target (10.10.11.143)
Host is up (0.047s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-title: HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: HTTP Server Test Page powered by CentOS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after:  2022-07-08T10:32:34
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| tls-alpn:
|_  http/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.18 (94%), Linux 3.16 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 5.1 (93%), Oracle VM Server 3.4.2 (Linux 4.1) (93%), Android 4.1.1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   54.91 ms 10.10.16.1
2   28.09 ms target (10.10.11.143)

Port 80

10.10.11.143

Visiting the page hosted at the target IP reveals the CentOS Apache httpd test page.


Running whatweb exposes the hostname office.paper (via the X-Backend-Server header), in addition to other server technology information such as the kernel version of the server (5.7.28), which was released circa 2020.

/tmp/tmp.W0d5S9Lwfc ❯ whatweb -v 10.10.11.143 | tee 80/whatweb                                                        24s root@kali
curl -s http://10.10.11.143/robots.txt | tee 80/robots.txt
WhatWeb report for http://10.10.11.143
Status    : 403 Forbidden
Title     : HTTP Server Test Page powered by CentOS
IP        : 10.10.11.143
Country   : RESERVED, ZZ

Summary   : Apache[2.4.37][mod_fcgid/2.3.9], Email[[email protected]], HTML5, HTTPServer[CentOS][Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9], MetaGenerator[HTML Tidy for HTML5 for Linux version 5.7.28], OpenSSL[1.1.1k], PoweredBy[CentOS], UncommonHeaders[x-backend-server], X-Backend[office.paper]
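The interesting find here is that the server volunteers its internal hostname in a non-standard response header, alongside version banners for Apache, OpenSSL, mod_fcgid and the HTML generator. The following script is an added example (not part of the original writeup and not from whatweb) that shows how a defender can audit a raw HTTP response for exactly this kind of disclosure: it parses the status line, headers and body, flags headers known to leak implementation details, flags any uncommon `X-` header, and pulls hostname-looking values out of the findings. The sample response is constructed to mirror what the scan above showed; it is not captured traffic.

```python
"""Audit an HTTP response for headers and markup that disclose backend details.

Added example, not code from the original writeup. The sample response below
is constructed to resemble the scan output (Apache banner, X-Backend-Server,
HTML Tidy meta generator); it is not captured traffic.
"""
import re

# Headers whose values routinely leak software versions or internal naming.
DISCLOSING_HEADERS = {
    "server": "software and version banner",
    "x-powered-by": "application framework banner",
    "x-backend-server": "internal backend hostname",
    "x-aspnet-version": "framework version",
    "via": "proxy chain disclosure",
}

# Non-standard headers that are expected security/diagnostic headers, not leaks.
KNOWN_X_HEADERS = {
    "x-content-type-options",
    "x-frame-options",
    "x-xss-protection",
    "x-request-id",
}

# Matches values that look like a DNS name (at least one dot, label characters only).
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_line, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


def audit_response(raw: str) -> list:
    """Return a list of findings, each a dict with header, value and reason."""
    _, headers, body = parse_response(raw)
    findings = []
    for name, value in headers.items():
        if name in DISCLOSING_HEADERS:
            findings.append({"header": name, "value": value,
                             "reason": DISCLOSING_HEADERS[name]})
        elif name.startswith("x-") and name not in KNOWN_X_HEADERS:
            findings.append({"header": name, "value": value,
                             "reason": "uncommon header"})
    # The HTML generator meta tag is a banner too (whatweb reports it as MetaGenerator).
    m = re.search(r'<meta\s+name="generator"\s+content="([^"]+)"', body, re.IGNORECASE)
    if m:
        findings.append({"header": "meta generator", "value": m.group(1),
                         "reason": "page generator banner"})
    return findings


def leaked_hostnames(findings: list) -> set:
    """Collect finding values that look like DNS names (candidate vhosts)."""
    return {f["value"] for f in findings if HOSTNAME_RE.match(f["value"])}


# Constructed sample response modelled on the scan output above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Date: Sat, 15 Jun 2024 03:22:00 GMT\r\n"
    "Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9\r\n"
    "X-Backend-Server: office.paper\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><head>"
    '<meta name="generator" content="HTML Tidy for HTML5 for Linux version 5.7.28">'
    "<title>HTTP Server Test Page powered by CentOS</title>"
    "</head><body></body></html>"
)


if __name__ == "__main__":
    for f in audit_response(SAMPLE_RESPONSE):
        print(f"{f['header']:18} {f['reason']:30} {f['value']}")
    print("hostnames:", leaked_hostnames(audit_response(SAMPLE_RESPONSE)))
```

On the sample this reports the Server banner, the X-Backend-Server header and the meta generator, and extracts office.paper as a candidate virtual host, while the X-Content-Type-Options header is left alone because it is an expected security header. On the Apache side the corresponding hardening is `ServerTokens Prod` and `ServerSignature Off` for the banner, `Header unset X-Backend-Server` (mod_headers) for the leaked hostname, and `TraceEnable Off` for the TRACE method nmap flagged earlier.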

Adding the hostname to the hosts file:

/tmp/tmp.W0d5S9Lwfc ❯ echo "10.10.11.143 office.paper" >> /etc/hosts    
/tmp/tmp.W0d5S9Lwfc ❯ cat /etc/hosts                                                                                  17s root@kali
127.0.0.1       localhost
127.0.1.1       kali.lan        kali

#The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.11.143 office.paper

office.paper