The team wastes no time and jumps right into the enumeration phase. You correlate IP addresses and DNS records, filter out the ones that do not seem to lead anywhere, and sort by interesting subdomains. Then, you feed the list into Aquatone and examine the results.
One target catches your eye: dmz.risottocorp.lan. You call the team’s attention to this endpoint because the Aquatone results indicate that it is running a stock WordPress site. Interestingly, it’s using HTTP clear text, not HTTPS.
After more enumeration, your team identifies a few more sites that all live at this DNS record:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 0a:14:86:fb:5e:4e:18:bb:19:6b:5b:c7:eb:5d:cb:6b (RSA)
| 256 2e:95:e2:03:a2:f7:da:7a:54:2e:d5:bd:99:92:e1:50 (ECDSA)
|_ 256 47:2c:90:55:98:0d:a4:c7:a8:07:53:49:12:a3:83:5d (ED25519)
8000/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-server-header: Apache/2.4.54 (Debian)
|_http-generator: WordPress 6.0.3
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: RisottoCorp – Just another WordPress site
8081/tcp open blackice-icecap?
| fingerprint-strings:
| FourOhFourRequest, GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: no-cache, no-store, must-revalidate
| Content-Type: text/html; charset=utf-8
| X-Xss-Protection: 1; mode=block
| Date: Sun, 23 Oct 2022 15:06:09 GMT
|_ <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width,initial-scale=1,user-scalable=no"><title>File Browser</title><link rel="icon" type="image/png" sizes="32x32" href="/filebrowser/static/img/icons/favicon-32x32.png"><link rel="icon" type="image/png" sizes="16x16" href="/filebrowser/static/img/icons/favicon-16x16.png"><link rel="manifest" id="manifestPlaceholder" crossorigin="use-credentials"><meta name="theme-color" content="#2979ff"><meta name="apple-mobile-web-app-capable" content="yes"><meta name="apple-mobile-web-app-status-bar-style" content="black"><meta name="apple-mobile-web-app-title" content=
8082/tcp open http Jetty 9.4.36.v20210114
|_http-title: Spark Master at spark://0749ee93b67c:7077
|_http-server-header: Jetty(9.4.36.v20210114)
...
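As an added example that is not part of the original scenario, the short Python script below parses nmap normal output like the listing above into a structured service list and applies the triage rules the narrative uses: which services speak HTTP without TLS, which web applications disclose a product and version, and which management UIs (the File Browser page, the Spark master UI) are reachable and need an authentication check. The sample input is a constructed, trimmed copy of the listing; the regexes and rule set are this example's own, not a tool from the page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the nmap lines shown above, trimmed to what the parser needs.
# This is embedded test data, not the output of a live scan.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_ 256 47:2c:90:55:98:0d:a4:c7:a8:07:53:49:12:a3:83:5d (ED25519)
8000/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-server-header: Apache/2.4.54 (Debian)
|_http-generator: WordPress 6.0.3
|_http-title: RisottoCorp - Just another WordPress site
8081/tcp open blackice-icecap?
| fingerprint-strings:
|   FourOhFourRequest, GetRequest:
|     HTTP/1.0 200 OK
|_    <!DOCTYPE html><html lang="en"><head><title>File Browser</title>
8082/tcp open http Jetty 9.4.36.v20210114
|_http-title: Spark Master at spark://0749ee93b67c:7077
|_http-server-header: Jetty(9.4.36.v20210114)
"""

# "8000/tcp open http Apache httpd 2.4.54 ((Debian))" -> port, proto, state, name, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "|_http-title: Spark Master ..." -> NSE script name and its one-line value
SCRIPT_RE = re.compile(r"^\|_?\s*([A-Za-z0-9-]+):\s*(.*)$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str
    scripts: dict = field(default_factory=dict)   # NSE script name -> value
    banner: list = field(default_factory=list)    # raw fingerprint/indented lines


def parse_nmap(text):
    """Turn nmap normal output into a list of Service records."""
    services, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = Service(int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), m.group(5).strip())
            services.append(current)
            continue
        if current is None or not line.startswith("|"):
            continue  # header line or text outside a port block
        m = SCRIPT_RE.match(line)
        if m:
            current.scripts[m.group(1)] = m.group(2)
        else:
            current.banner.append(line.lstrip("|_ ").strip())
    return services


def looks_like_http(svc):
    # nmap may not name the service (port 8081 above) but the raw fingerprint still shows HTTP.
    return svc.name in ("http", "http-proxy") or any(b.startswith("HTTP/") for b in svc.banner)


def is_tls(svc):
    return svc.name in ("https", "ssl/http") or svc.name.startswith("ssl/") or "ssl-cert" in svc.scripts


def triage(services):
    """Apply the exposure rules from the scenario; returns (port, finding) pairs."""
    findings = []
    for svc in services:
        if svc.state != "open":
            continue
        if looks_like_http(svc) and not is_tls(svc):
            findings.append((svc.port, "cleartext HTTP (no TLS): credentials and sessions transit unencrypted"))
        if "WordPress" in svc.scripts.get("http-generator", ""):
            findings.append((svc.port, f"version disclosed via generator tag: {svc.scripts['http-generator']}"))
        if any("File Browser" in b for b in svc.banner):
            findings.append((svc.port, "File Browser web UI reachable: verify authentication and login rate limiting"))
        if "Spark Master" in svc.scripts.get("http-title", ""):
            findings.append((svc.port, "Apache Spark master web UI reachable: verify authentication is enforced"))
    return findings


if __name__ == "__main__":
    for port, finding in triage(parse_nmap(NMAP_OUTPUT)):
        print(f"{port:>5}/tcp  {finding}")
```

Running it against the constructed listing reports nothing for SSH and six findings across ports 8000, 8081 and 8082: three cleartext-HTTP notes, the WordPress 6.0.3 disclosure, and the two exposed management UIs, which is the same shortlist the narrative arrives at by hand.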
This looks like an excellent target of opportunity! Your team lead, however, is skeptical.
“If this isn’t a honeypot, I’ll be shocked”, she says.
One of your teammates also adds: “Usually, it’s not advisable to go after unencrypted sites unless we have no other better options. We can exploit them, but it will be a bit more tricky in terms of data safety and responsibility. I’ll continue to do recon against the remaining endpoints and see if we can find something else, but in the meantime, go ahead and continue to enumerate that DMZ server.”
You continue to perform light reconnaissance against this server and identify the following:
A default WordPress site at port 8000:
Some kind of file share site at port 8081:
And an instance of Apache Spark at port 8082, with no authentication required:
Each of these presents an excellent target of opportunity.
What do you do?
Choices
Examine the WordPress site and enumerate for vulnerable plugins and weak passwords.
Enumerate the File Browser site and attempt a careful admin password brute force.