
Writeup by: GoProSlowYo

Website: InfosecStreams

Information Gathering

nmap Scan

# Nmap 7.80 scan initiated Wed Nov 17 13:48:30 2021 as: nmap -vvv -p 22,80,443 -sS -sV -sC -oN 10.10.11.122.nunchucks.nmap.txt 10.10.11.122
Nmap scan report for 10.10.11.122
Host is up, received echo-reply ttl 63 (0.078s latency).
Scanned at 2021-11-17 13:48:31 PST for 16s

PORT    STATE SERVICE  REASON         VERSION
22/tcp  open  ssh      syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to https://nunchucks.htb/
443/tcp open  ssl/http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 4BD6ED13BE03ECBBD7F9FA7BAA036F95
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Nunchucks - Landing Page
| ssl-cert: Subject: commonName=nunchucks.htb/organizationName=Nunchucks-Certificates/stateOrProvinceName=Dorset/countryName=UK/localityName=Bournemouth
| Subject Alternative Name: DNS:localhost, DNS:nunchucks.htb
| Issuer: commonName=Nunchucks-CA/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-08-30T15:42:24
| Not valid after:  2031-08-28T15:42:24
| MD5:   57fc 410d e809 1ce6 82f9 7bee 4f39 6fe4
| SHA-1: 518c 0fd1 6903 75c0 f26b a6cb e37d 53b8 a3ff 858b
| tls-alpn: 
|_  http/1.1
| tls-nextprotoneg: 
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Nov 17 13:48:47 2021 -- 1 IP address (1 host up) scanned in 17.19 seconds

Ports 80, 443, and 22 are open.

Web Enumeration

Visiting the web server listening on port 80, we're automatically redirected to the HTTPS site on 443 and to the hostname nunchucks.htb. Let's add that host to our /etc/hosts file so the name resolves locally before the system goes out to a DNS resolver to query it recursively.

Browsing around the web page, we don't find too much to work with. We find an email address, [email protected], and login and sign-up forms. On those pages we also find some custom JavaScript being loaded in to make XHR POST requests to an API on the web server.

// Signup Code
// Both forms POST a JSON body to the API and write the returned `response` field into the page.
document.getElementById('form').addEventListener('submit', e => {
  e.preventDefault();
  fetch('/api/signup', {
    method: 'POST',
    body: JSON.stringify({
      'email': document.querySelector('input[type=email]').value,
      'name': document.querySelector('input[type=text]').value,
      'password': document.querySelector('input[type=password]').value
    }),
    headers: {'Content-Type': 'application/json'}
  }).then(resp => {
    return resp.json();
  }).then(data => {
    document.getElementById('output').innerHTML = data.response;
  });
});

// Login Code
document.getElementById('login-form').addEventListener('submit', e => {
  e.preventDefault();
  fetch('/api/login', {
    method: 'POST',
    body: JSON.stringify({
      'email': document.querySelector('input[type=email]').value,
      'password': document.querySelector('input[type=password]').value
    }),
    headers: {'Content-Type': 'application/json'}
  }).then(resp => {
    return resp.json();
  }).then(data => {
    document.getElementById('output').innerHTML = data.response;
  });
});

Unfortunately, looking around the main web page didn't give us much more information to go on. The website hints that it might be hosting other web pages, based on the following sentence:

Nunchucks is a SaaS application that enables its users to create web stores with ease using our latest fully flexible designer software which has been designed for simplicity, after all, simplicity is what makes work interaction smoother right?

To explore further, I decided subdomain or vhost enumeration would make sense as the next step. Since we're not really dealing with any DNS server here (the hostname only resolves through our /etc/hosts entry), subdomain enumeration makes less sense, so let's bust out gobuster and try some vhost enumeration.

$ gobuster vhost -ku https://nunchucks.htb/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          https://nunchucks.htb/
[+] Method:       GET
[+] Threads:      10
[+] Wordlist:     /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
===============================================================
2021/11/17 14:44:03 Starting gobuster in VHOST enumeration mode
===============================================================
Found: store.nunchucks.htb (Status: 200) [Size: 4029]

===============================================================
2021/11/17 14:44:46 Finished
===============================================================
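To make the vhost-versus-subdomain distinction concrete, here is an added example (my own code, not from the writeup or from gobuster) that stands up a tiny local server with name-based virtual hosts and probes it by Host header alone, using the same response-size heuristic gobuster's vhost mode relies on; the hostnames, page bodies and the "definitely-not-a-vhost" baseline name are constructed for the demo.

```python
"""Added example (not from the writeup): a local stand-in for nginx's name-based
server blocks, plus a probe that finds vhosts by Host header alone, no DNS needed."""
import http.server
import socketserver
import threading
import urllib.request

# Constructed vhost table: hostname -> body. Unknown names fall through to the
# landing page, just as nginx's default server block answers unmatched Hosts.
VHOSTS = {
    "nunchucks.htb": b"<h1>Nunchucks - Landing Page</h1>",
    "store.nunchucks.htb": b"<h1>Nunchucks Store</h1><p>Build your shop.</p>",
}

class VhostHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]  # drop any :port suffix
        body = VHOSTS.get(host, VHOSTS["nunchucks.htb"])
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def start_server():
    """Bind to an ephemeral localhost port and serve in a background thread."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), VhostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def fetch_size(port, host):
    """GET the IP directly; only the Host header carries the candidate name."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/", headers={"Host": host})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return len(resp.read())

def probe_vhosts(port, base_domain, wordlist):
    """Return candidates whose response size differs from a name that cannot
    exist; this size-difference heuristic is what gobuster's vhost mode uses."""
    baseline = fetch_size(port, f"definitely-not-a-vhost.{base_domain}")
    return [f"{w}.{base_domain}" for w in wordlist
            if fetch_size(port, f"{w}.{base_domain}") != baseline]
```

Run `probe_vhosts(start_server().server_address[1], "nunchucks.htb", ["www", "store", "api"])` and only store.nunchucks.htb comes back, because every other name is answered by the default landing page and matches the baseline size.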