Enumeration

We begin with the usual port scan, which reveals two open ports:

/tmp/tmp.nYvdc4oywB ❯ hping3 -S --scan 1-65535 10.10.10.60 | grep -v "Not" | tee general/hping3/syn_scan                                        root@kali
Scanning 10.10.10.60 (10.10.10.60), port 1-65535
65535 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
All replies received. Done.
   80 http       : .S..A...  63  6343 65228    44
  443 https      : .S..A...  63 38316 65228    44

Other than the fact that the server is running lighttpd 1.4.35, a more detailed scan reveals nothing of consequence:

/tmp/tmp.nYvdc4oywB ❯ nmap -A -p80,443 -oA general/nmap/safe_scan 10.10.10.60                                                                   root@kali
Starting Nmap 7.92 ( https://nmap.org ) at 2024-06-21 03:59 NZST
Nmap scan report for 10.10.10.60
Host is up (0.048s latency).

PORT    STATE SERVICE  VERSION
80/tcp  open  http     lighttpd 1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
|_http-server-header: lighttpd/1.4.35
443/tcp open  ssl/http lighttpd 1.4.35
|_http-title: Login
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after:  2023-04-06T19:21:35
|_ssl-date: TLS randomness does not represent time
|_http-server-header: lighttpd/1.4.35
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose
Running (JUST GUESSING): Comau embedded (92%), FreeBSD 8.X (85%), OpenBSD 4.X (85%)
OS CPE: cpe:/o:freebsd:freebsd:8.1 cpe:/o:openbsd:openbsd:4.3
Aggressive OS guesses: Comau C4G robot control unit (92%), FreeBSD 8.1 (85%), OpenBSD 4.3 (85%), OpenBSD 4.0 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   53.83 ms 10.10.16.1
2   53.77 ms 10.10.10.60

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.40 seconds

Port 80

Visiting the page hosted on port 80 results in a redirect to port 443, so we move on to enumerating port 443.

[screenshot: port 80 redirecting to port 443]

Port 443

Visiting the page reveals that it is a pfSense router's login page:

[screenshot: pfSense login page]

Running nmap’s http-enum script on the page reveals a few interesting resources that we make note of.

# Nmap 7.92 scan initiated Fri Jun 21 04:12:05 2024 as: nmap --script=http-enum -p443 -oA 443/http-enum 10.10.10.60
Nmap scan report for 10.10.10.60
Host is up (0.029s latency).

PORT    STATE SERVICE
443/tcp open  https
| http-enum:
|   /javascript/sorttable.js: Secunia NSI
|   /changelog.txt: Interesting, a changelog.
|_  /tree/: Potentially interesting folder

# Nmap done at Fri Jun 21 04:13:09 2024 -- 1 IP address (1 host up) scanned in 64.71 seconds

Running gobuster reveals a few more interesting resources:

/tmp/tmp.jRIxtZZGBw/443 ❯ gobuster dir -k -r -u https://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt -t 100 | tee 443/gobuster_dir_scan
tee: 443/gobuster_dir_scan: No such file or directory
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.10.10.60
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,txt
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
2024/06/21 19:16:00 Starting gobuster in directory enumeration mode
===============================================================
/help.php             (Status: 200) [Size: 6689]
/index.php            (Status: 200) [Size: 6690]
/stats.php            (Status: 200) [Size: 6690]
/edit.php             (Status: 200) [Size: 6689]
/license.php          (Status: 200) [Size: 6692]
/status.php           (Status: 200) [Size: 6691]
/system.php           (Status: 200) [Size: 6691]
/changelog.txt        (Status: 200) [Size: 271]
/exec.php             (Status: 200) [Size: 6689]
/graph.php            (Status: 200) [Size: 6690]
/tree                 (Status: 200) [Size: 7492]
/wizard.php           (Status: 200) [Size: 6691]
/pkg.php              (Status: 200) [Size: 6688]
/installer            (Status: 200) [Size: 6113]
/xmlrpc.php           (Status: 200) [Size: 384]
/reboot.php           (Status: 200) [Size: 6691]
/interfaces.php       (Status: 200) [Size: 6695]
/system-users.txt     (Status: 200) [Size: 106]
/%7Echeckout%7E       (Status: 403) [Size: 345]
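Added example, not part of the original writeup: a small Python triage script for the gobuster output above. Because the scan ran with `-r` (follow redirects), every page that bounces to the pfSense login page reports nearly the same size (around 6690 bytes), so the resources worth a closer look are the size outliers and the non-200 entries; the script parses the lines and reports exactly those. The sample lines are a constructed subset of the output above.

```python
import re
from collections import Counter

# Constructed subset of the gobuster output shown above.
GOBUSTER_OUTPUT = """\
/help.php             (Status: 200) [Size: 6689]
/index.php            (Status: 200) [Size: 6690]
/stats.php            (Status: 200) [Size: 6690]
/changelog.txt        (Status: 200) [Size: 271]
/tree                 (Status: 200) [Size: 7492]
/installer            (Status: 200) [Size: 6113]
/xmlrpc.php           (Status: 200) [Size: 384]
/reboot.php           (Status: 200) [Size: 6691]
/interfaces.php       (Status: 200) [Size: 6695]
/system-users.txt     (Status: 200) [Size: 106]
/%7Echeckout%7E       (Status: 403) [Size: 345]
"""

# One gobuster "dir" result line: path, HTTP status, response size in bytes.
LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+\(Status:\s*(?P<status>\d+)\)\s+\[Size:\s*(?P<size>\d+)\]"
)


def parse_gobuster(text):
    """Return (path, status, size) tuples; banner and blank lines are skipped."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results.append((m["path"], int(m["status"]), int(m["size"])))
    return results


def find_outliers(results, tolerance=16):
    """Return entries that do not look like the redirected login page.

    With follow-redirect on, the gated pages all land on the same login page,
    so their sizes cluster within a few bytes of each other. Sizes are bucketed
    into `tolerance`-byte bins; the most common bin is the login-page baseline,
    and anything outside it (or any non-200 status) is reported.
    """
    sizes = [size for _, status, size in results if status == 200]
    if not sizes:
        return list(results)
    buckets = Counter(size // tolerance for size in sizes)
    dominant_bucket = buckets.most_common(1)[0][0]
    baseline = dominant_bucket * tolerance
    return [(p, st, sz) for p, st, sz in results
            if st != 200 or abs(sz - baseline) > tolerance]
```

On the sample above this reports /changelog.txt, /tree, /installer, /xmlrpc.php, /system-users.txt and the 403 on /%7Echeckout%7E, and drops the pages that are just the login page again.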

Visiting each of the pages reveals a file with some interesting notes: