We covered scanning hosts for services, open ports, running software and hidden directories using scanning tools such as Nmap and Nikto. We gathered details such as the ports the web server is running on, the version of the web server, domain and email information, hidden directories, the PHP version and the content management system running on the machine. We also discovered an SSH server and an FTP server along with other services running on non-standard ports. This was part of the TryHackMe Probe room.
Initial Scanning & Web Enumeration
I started with a comprehensive Nmap scan to find all open ports on the target machine. I used `sudo nmap -p- <IP_ADDRESS>` to scan all ports, and then added `-T4` (`sudo nmap -p- -T4 <IP_ADDRESS>`) to speed things up, even though it made the scan noisier.
Next, I tried accessing the target IP in a web browser on both HTTP (port 80) and HTTPS (port 443). Both initially gave me a “403 Forbidden” error. From the HTTPS error page, I could identify the Apache version as 2.4.41. I also inspected the SSL certificate to find the fully qualified domain name (FQDN) and an associated email address, using Firefox to view the detailed certificate information.
Then, I used GoBuster to brute-force hidden directories on the web server. I ran `gobuster dir -u <URL> -w <WORDLIST_PATH>`, initially against the default web server, and then specifically targeted port 8000 using `gobuster dir -u http://<IP_ADDRESS>:8000 -w <WORDLIST_PATH>`. I used `common.txt` and later `medium.txt` as wordlists. This led me to a “contact-us” directory on port 8000, which contained one of the flags!
Detailed Service Enumeration
After my initial Nmap scan, I had a list of open ports: 22, 80, 443, 1338, 1443, 8000, and 907. I then performed more detailed Nmap scans on specific ports to get service versions. For example, I used `sudo nmap -p 1338 -sV <IP_ADDRESS>` and `sudo nmap -p 1443 -sV <IP_ADDRESS>`.
Port 1338 turned out to be an FTP server. I connected to it using `ftp <IP_ADDRESS> 1338`, and right in the FTP banner, I found another flag! An attempt to log in anonymously failed, but I already had what I needed.
I also ran a more aggressive Nmap scan on all identified web server ports (`sudo nmap -p 80,443,1443,8000 -A <IP_ADDRESS>`). This scan revealed that:
- Port 80 was running lighttpd.
- Port 443 was running Apache httpd 2.4.41.
- Port 1443 was also Apache httpd (same version) but with PHP version 7.4.3 enabled. I accessed the PHP info page on port 1443 to find the “PHP Extension Build.” I also noticed that phpMyAdmin was running on the server with PHP.
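The findings above (services on non-standard ports, servers announcing their product and version, a cleartext FTP service) are exactly what a defender would want to turn into a hardening checklist. The following is an added example, not part of the room or the walkthrough: a small parser for Nmap's grepable (`-oG`) output plus a review pass, run over a constructed sample that mirrors the room's ports; the `10.10.10.10` address and the empty version fields are assumptions of the sample, not room data.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in Nmap -oG format, mirroring the room's ports. Tabs
# separate fields; each entry is port/state/proto/owner/service/rpcinfo/version/.
SAMPLE_OG = (
    "Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http//lighttpd/, "
    "443/open/tcp//ssl|http//Apache httpd 2.4.41/, "
    "907/open/tcp//ssl|http//Apache httpd/, "
    "1338/open/tcp//ftp///, "
    "1443/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/, "
    "8000/open/tcp//http///\tIgnored State: closed (65528)\n"
)

# Where a service is conventionally expected; anything else is flagged.
EXPECTED_PORT = {"ssh": 22, "http": 80, "https": 443, "ftp": 21}


@dataclass
class Service:
    port: int
    name: str      # normalised: Nmap's "ssl|http" becomes "https"
    version: str   # empty when Nmap could not fingerprint the product


def parse_grepable(text: str) -> List[Service]:
    """Return every open TCP service listed in an Nmap -oG report."""
    services = []
    for line in text.splitlines():
        for field in line.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                port, state, proto, _owner, name, _rpc, version = entry.split("/")[:7]
                if state != "open" or proto != "tcp":
                    continue
                services.append(Service(int(port), "https" if name == "ssl|http" else name, version))
    return services


def review(services: List[Service]) -> List[Tuple[int, str]]:
    """Map each exposure the walkthrough relied on to a hardening item."""
    findings = []
    for s in services:
        if EXPECTED_PORT.get(s.name) not in (None, s.port):
            findings.append((s.port, "NONSTANDARD_PORT"))   # -p- finds it regardless
        if s.version:
            findings.append((s.port, "BANNER_DISCLOSED"))   # product/version in Server header
        if s.name == "ftp":
            findings.append((s.port, "CLEARTEXT_FTP"))      # banner and credentials unencrypted
    return findings
```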
Content Management System (CMS) Enumeration
Next, I investigated port 907. Accessing it in a browser showed a blog page. By viewing the page source and searching for “wp-”, I quickly identified it as a WordPress installation. Trying to access `wp-admin` redirected me to `myblog.thm`, which confirmed WordPress and meant I needed to add this domain to my `/etc/hosts` file.
I then used WPScan to enumerate the WordPress installation. I ran `sudo wpscan --url https://myblog.thm:907 --enumerate ap,at,cb --disable-tls-checks` to enumerate all plugins, themes, and config backups. This identified the WordPress version as 6.2.2. I also ran `sudo wpscan --url https://myblog.thm:907 --enumerate u --disable-tls-checks` to enumerate users, which revealed a username “joomla.”
Vulnerability Scanning with Nikto
Finally, I used Nikto to scan the WordPress site for vulnerabilities. I ran `nikto -h https://myblog.thm:907 --ssl`. I expected this scan to find a `license.txt` file, which is a common way to identify blogging software, and I could also verify this by directly accessing the file in a browser.
Technical Commands Extracted
Here are the technical commands I used in the video:
```bash
sudo nmap -p- <IP_ADDRESS>
sudo nmap -p- -T4 <IP_ADDRESS>
gobuster dir -u <URL> -w <WORDLIST_PATH>
gobuster dir -u http://<IP_ADDRESS>:8000 -w <WORDLIST_PATH>
sudo nmap -p 1338 -sV <IP_ADDRESS>
sudo nmap -p 1443 -sV <IP_ADDRESS>
ftp <IP_ADDRESS> 1338
sudo nmap -p 80,443,1443,8000 -A <IP_ADDRESS>
sudo wpscan --url https://myblog.thm:907 --enumerate ap,at,cb --disable-tls-checks
sudo wpscan --url https://myblog.thm:907 --enumerate u --disable-tls-checks
nikto -h https://myblog.thm:907 --ssl
```
Room Answers
What is the port number of the FTP service?
What is the FQDN for the website hosted using a self-signed certificate and contains critical server information as the homepage?
What is the email address associated with the SSL certificate used to sign the website mentioned in Q3?
What is the value of the PHP Extension Build on the server?
What is the banner for the FTP service?
What software is used for managing the database on the server?
What is the Content Management System (CMS) hosted on the server?
What is the version number of the CMS hosted on the server?
What is the username for the admin panel of the CMS?
During vulnerability scanning, OSVDB-3092 detects a file that may be used to identify the blogging site software. What is the name of the file?
What is the name of the software being used on the standard HTTP port?
What is the flag value associated with the web page hosted on port 8000?