Excellent. ’Tis a dead end. Except for maybe that line at the bottom. We’ve got ourselves a web server name and version. This is a good time to practice your Googling skills (or Binging, I don’t judge). Search for the OpenResty site, look at the GitHub page for it, skim through the documentation, and search for any public exploits for that exact version. It’s an incredibly valuable skill to learn. I’ll save you an hour or two here by saying it’s a dead end. But keep practicing.

Back to enumeration.

Let’s crank out Gobuster and bust some dirs.

root@kali:~# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.69 -x php,html -t 100 -s 200,204,301,302,307,403

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.69/
[+] Threads      : 100
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : .php,.html
=====================================================
/index.html (Status: 200)
/sync (Status: 200)
/sync.php (Status: 200)
/sync.html (Status: 200)
/synctoy (Status: 200)
/synctoy.php (Status: 200)
/synctoy.html (Status: 200)
/synching (Status: 200)
/synching.php (Status: 200)
/synching.html (Status: 200)
/sync_scan (Status: 200)
/sync_scan.php (Status: 200)
/sync_scan.html (Status: 200)
/syncbackse (Status: 200)
/syncbackse.php (Status: 200)
/syncbackse.html (Status: 200)
/synch (Status: 200)
/synch.php (Status: 200)
/synch.html (Status: 200)

Just a hunch, but I think the server doesn’t want us to know what file extension /sync is. Look at that list again: every single hit starts with sync. /sync, /sync.php, /synctoy, /syncbackse, all 200, and none of the thousands of other words in the list. The server isn’t matching a file at all; it matches any path that begins with /sync and ignores whatever comes after it (OpenResty is built on nginx, and this is exactly how an nginx-style prefix location behaves), so Gobuster’s extension guessing tells us nothing about what /sync really is.

We can confirm this by appending a bunch of random characters after /sync (something like /syncAAAA). We still get a 403. But if we remove the ‘sync’ part, or put characters in front of it (/xsync), we get a 404 Not Found. Great.

Also wat. When we went to /sync in our browser, we got a 403 forbidden status code. Gobuster, though, seems to be on good terms with the server. It got a 200 OK code.

Stifle your jealousy for now and figure out why the server doesn’t like us.

Let’s open up Wireshark and compare the HTTP requests from both sources and see where we went wrong. Run Gobuster again and run Wireshark on tun0, the interface for the HtB VPN.

Now right click on any of the TCP packets going to 10.10.10.69 and click on Follow->TCP Stream. That’ll give you a nicely formatted HTTP request, so you don’t have to learn to read hex encoding. Ew.

GET /43 HTTP/1.1
Host: 10.10.10.69
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

HTTP/1.1 404 Not Found
Date: Sun, 13 May 2018 18:36:33 GMT
Content-Type: text/html
Content-Length: 175
Connection: keep-alive

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>openresty/1.13.6.1</center>
</body>
</html>

Do the same with the browser. Run Wireshark again (capture on ‘any’ this time, so you catch the request whichever interface it leaves on), go to /sync in Firefox and let’s see what packets we get.

Follow the TCP/HTTP Stream.

GET /sync HTTP/1.1
Host: 10.10.10.69
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 403 Forbidden
Date: Sun, 13 May 2018 18:45:39 GMT
Content-Type: text/html
Content-Length: 175
Connection: keep-alive

<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>openresty/1.13.6.1</center>
</body>
</html>

The HTML body itself doesn’t matter; it’s the server’s stock error page and only the status code changes. The path doesn’t matter much either: the Gobuster request we happened to grab was for /43 (hence the 404), but every request Gobuster sends carries the same headers, and those headers got a 200 from /sync where Firefox got a 403. Look closely at the HTTP headers in both requests and compare them.

Gobuster:

GET /43 HTTP/1.1
Host: 10.10.10.69
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Browser (Firefox):

GET /sync HTTP/1.1
Host: 10.10.10.69
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

It’s the User-Agent. Always knew there was something up with him. Our browser’s been blacklisted for whatever reason. You can play around a bit here: it seems to just look for the word ‘Mozilla’ in the User-Agent and forbid all traffic carrying it. Since practically every modern browser (Chrome, Edge and Safari included) starts its User-Agent with Mozilla/5.0 for compatibility, that one word would shut out other browsers too. wget and curl send their own User-Agent, and if you try either of them to fetch the page, it lets you in.
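To make that header comparison repeatable, here is an added example (my code, not the write-up author’s, and not the target’s actual configuration): a small local stand-in server that implements only the behaviour observed above (any path starting with /sync is handled by one rule and answered 403 when the User-Agent contains ‘Mozilla’, 200 otherwise; other unknown paths get 404), plus a probe that requests the same set of paths with several User-Agent strings and reports the status code for each. The stand-in’s rules are inferred from the responses shown in this post; the real server is OpenResty and its config is unknown, so treat the mock as a model, not a fact. Point probe() at http://10.10.10.69 instead of the mock’s URL to run the same check against the box.

```python
"""Reproduce the /sync behaviour seen on the target and probe it with
several User-Agent strings.

Added example, not code from the original write-up. The rules in
MockHandler (prefix match on /sync, 403 for any User-Agent containing
"Mozilla") are inferred from the responses shown in the post; the real
server is OpenResty and its configuration is not known. The mock server
exists only so the probe can run offline.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SERVER_BANNER = "openresty/1.13.6.1"  # banner seen in the target's error pages


class MockHandler(BaseHTTPRequestHandler):
    """Stand-in for the target: models only the behaviour observed."""

    def log_message(self, *args):  # keep the console quiet
        pass

    def _send(self, code, reason):
        # Same shape as the stock nginx/OpenResty error page in the post.
        body = (f"<html><head><title>{code} {reason}</title></head>"
                f"<body bgcolor=\"white\"><center><h1>{code} {reason}</h1></center>"
                f"<hr><center>{SERVER_BANNER}</center></body></html>")
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body.encode())

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if self.path in ("/", "/index.html"):
            self._send(200, "OK")
        elif self.path.startswith("/sync"):
            # Prefix match: /sync, /sync.php, /synctoy ... all land here.
            # Inferred rule: anything that looks like a browser is refused.
            if "mozilla" in ua.lower():
                self._send(403, "Forbidden")
            else:
                self._send(200, "OK")
        else:
            self._send(404, "Not Found")


def start_mock_server():
    """Start the stand-in on a free localhost port; return (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), MockHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def fetch_status(base_url, path, user_agent):
    """GET base_url+path with the given User-Agent; return the HTTP status code."""
    req = urllib.request.Request(base_url + path, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code  # 403/404 are answers, not errors, for our purposes


# Constructed set of User-Agents: the two seen in the post plus two more
# that also start with "Mozilla/5.0", as nearly every browser does.
USER_AGENTS = {
    "gobuster": "Go-http-client/1.1",
    "curl": "curl/7.58.0",
    "firefox": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
    "chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36",
}


def probe(base_url, paths=("/sync", "/sync.php", "/syncAAAA", "/xsync", "/43")):
    """Request each path with each User-Agent; return {path: {ua_name: status}}."""
    return {p: {name: fetch_status(base_url, p, ua) for name, ua in USER_AGENTS.items()}
            for p in paths}


if __name__ == "__main__":
    server, url = start_mock_server()
    try:
        for path, results in probe(url).items():
            print(f"{path:12s} " + "  ".join(f"{k}={v}" for k, v in results.items()))
    finally:
        server.shutdown()
```

The paths chosen cover the three cases from the enumeration: the prefix itself and a bogus extension (both handled by the /sync rule), a path with junk before sync (404), and a plain miss (404). If the results against the real box differ from the mock, the mock is wrong and the box is right; that is the whole point of keeping the model small.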

But that’s not pretty, so we’re going to intercept our browser request with a Burp Suite proxy, modify the User-Agent, and send it on its way.

Open up Burp Suite. The free edition has everything we need. Go to the Proxy -> Intercept tab at the top and make sure that Intercept is on.