Web


Nmap discovered a web server on target port 18000; the running service was not identified.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hetemit]
└─$ curl -I http://192.168.218.117:18000/
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: text/html; charset=utf-8
ETag: W/"cf60271f088073778d9523431427cbd3"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _register_hetemit_session=vr8l%2B2oIovQg0Bn5FGKepMo9Vn%2FzxlTNRTf9FzeDodUSIvDABKlqH2eUIdnIZaVYHE0caDbiCcV4PjyNp15m03JxMwjZP24WDgOtH%2FOfYwoD53R6SX5Cpeze9N%2F%2BB%2FBsW0yWk%2FN3FgiRjpMewqToxAuSDYLeNFc1B2QVWrPDBrJLh3oe0cPb8S5tA%2F%2FoVThNr1Ru69t%2BLubWDBS1fYgIIgMz2G4tvLHGHi%2BgKrLIyFu3FF7NO2fJ0L3D82gmVxIBHFgUoMagzpM26Ng4sW4b%2FAGNVMxuhG0nizEVjh2UmzsA--iU0HOnAx573NvnF9--OBrt09z48lom%2FbQHQSDHzA%3D%3D; path=/; HttpOnly
X-Request-Id: 8188913c-11c8-4dc5-ae98-d2712c6f632d
X-Runtime: 0.005957

Webroot

Wappalyzer identified the technologies involved: it’s built on Ruby on Rails.

Both registration and logging in appear available

Registration


Registration requires an “invite code”

Logging in


Authentication endpoint

API


Burp Suite mapped an interesting endpoint: /rails/info/routes?path=

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hetemit]
└─$ curl -s http://$IP:18000/rails/info/routes?path= | jq
{
  "exact": [
    "/",
    "/"
  ],
  "fuzzy": [
    "/rails/info/properties(.:format)",
    "/rails/info/routes(.:format)",
    "/rails/info(.:format)",
    "/rails/mailers(.:format)",
    "/rails/mailers/*path(.:format)",
    "/assets",
    "/cable",
    "/login(.:format)",
    "/login(.:format)",
    "/logout(.:format)",
    "/users(.:format)",
    "/users(.:format)",
    "/users/new(.:format)",
    "/users/:id/edit(.:format)",
    "/users/:id(.:format)",
    "/users/:id(.:format)",
    "/users/:id(.:format)",
    "/users/:id(.:format)",
    "/",
    "/rails/action_mailbox/postmark/inbound_emails(.:format)",
    "/rails/action_mailbox/relay/inbound_emails(.:format)",
    "/rails/action_mailbox/sendgrid/inbound_emails(.:format)",
    "/rails/action_mailbox/mandrill/inbound_emails(.:format)",
    "/rails/action_mailbox/mandrill/inbound_emails(.:format)",
    "/rails/action_mailbox/mailgun/inbound_emails/mime(.:format)",
    "/rails/conductor/action_mailbox/inbound_emails(.:format)",
    "/rails/conductor/action_mailbox/inbound_emails(.:format)",
    "/rails/conductor/action_mailbox/inbound_emails/new(.:format)",
    "/rails/conductor/action_mailbox/inbound_emails/:id/edit(.:format)",
    "/rails/conductor/action_mailbox/inbound_emails/:id(.:format)",
    "/rails/conductor/action_mailbox/inbound_emails/:id(.:format)",
    "/rails/conductor/action_mailbox/inbound_emails/:id(.:format)",
    "/rails/conductor/action_mailbox/inbound_emails/:id(.:format)",
    "/rails/conductor/action_mailbox/:inbound_email_id/reroute(.:format)",
    "/rails/active_storage/blobs/:signed_id/*filename(.:format)",
    "/rails/active_storage/representations/:signed_blob_id/:variation_key/*filename(.:format)",
    "/rails/active_storage/disk/:encoded_key/*filename(.:format)",
    "/rails/active_storage/disk/:encoded_token(.:format)",
    "/rails/active_storage/direct_uploads(.:format)",
    "/"
  ]
}

The /rails/info/routes?path= endpoint exposes all the routes available in the application.

One of the endpoints, /rails/info/properties, reveals the inner workings of the application:

  • Rails version 6.0.3.4
  • Ruby version ruby 2.6.3p62 (2019-04-16 revision 67580) [x86_64-linux]
  • RubyGems version 3.0.8
  • Rack version 2.2.3
  • Application root /home/cmeeks/register_hetemit
  • Environment development
  • Database adapter postgresql
  • Database schema version 20201112191834
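As an added example (not part of the original writeup), a small triage script for the route dump above: it collapses the duplicate `(.:format)` entries, separates application routes from framework ones, and flags prefixes that belong to Rails' development-only tooling (route/property inspector, mailer previews, Action Mailbox conductor), which is consistent with the `Environment development` value reported by /rails/info/properties. The embedded JSON is a constructed subset of the target's output.

```python
import json
import re

# Constructed sample: a subset of the JSON returned by /rails/info/routes?path=
SAMPLE_ROUTES_JSON = """{
  "exact": ["/", "/"],
  "fuzzy": [
    "/rails/info/properties(.:format)",
    "/rails/info/routes(.:format)",
    "/rails/mailers/*path(.:format)",
    "/login(.:format)",
    "/login(.:format)",
    "/users/:id(.:format)",
    "/users/:id(.:format)",
    "/rails/conductor/action_mailbox/inbound_emails/:id(.:format)",
    "/rails/active_storage/blobs/:signed_id/*filename(.:format)"
  ]
}"""

# Prefixes of Rails' development-time diagnostics. Reaching them on a deployed
# host is a strong indicator the app is not running with RAILS_ENV=production.
DEV_ONLY_PREFIXES = ("/rails/info", "/rails/mailers", "/rails/conductor")


def normalize(route: str) -> str:
    """Drop the optional format suffix so the repeated entries collapse."""
    return re.sub(r"\(\.:format\)$", "", route)


def triage_routes(raw_json: str) -> dict:
    """Classify a /rails/info/routes dump for an exposure review."""
    data = json.loads(raw_json)
    routes = sorted({normalize(r) for r in data.get("exact", []) + data.get("fuzzy", [])})
    dev_only = [r for r in routes if r.startswith(DEV_ONLY_PREFIXES)]
    # Routes with a caller-controlled segment (:id, *path) are where
    # authentication and authorization checks need reviewing first.
    parameterized = [r for r in routes if ":" in r or "*" in r]
    application = [r for r in routes if not r.startswith("/rails/")]
    return {
        "unique_count": len(routes),
        "dev_only": dev_only,
        "parameterized": parameterized,
        "application": application,
        "development_mode_exposed": bool(dev_only),
    }


if __name__ == "__main__":
    print(json.dumps(triage_routes(SAMPLE_ROUTES_JSON), indent=2))
```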