TryHackMe Challenge Room:
Probe
Use your baseline scanning skills to enumerate a secure network.
- by 1337rce
I started off with a full port scan using Nmap, with -sS for a SYN scan (which requires root privileges) and -p- to scan all 65535 TCP ports rather than Nmap's default top 1000. This revealed 8 open ports:
22, 80, 443, 1338, 1443, 1883, 8000, 9007.
It's not initially clear which services are running on some of these ports, so I proceeded to do a more in-depth scan.
Again using Nmap, I scanned the 8 open ports (listed after -p) using the -sV option for service version detection and the -sC option to use the Nmap default scripts.
This scan outputs some useful information about our target, including the answers to a few of the challenge questions.
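The two-stage scan described above, written out as a small script. This is an added example, not code from the original writeup: besides the two nmap commands it includes a helper that parses Nmap's grepable (-oG) output so the open ports found by the first scan are fed to the second without retyping them. The sample -oG line is constructed from the eight ports found in this room (it is not real scanner output), and TARGET is an assumed environment variable holding the machine IP.

```shell
#!/bin/sh
# Added example (not from the writeup): full SYN scan, then a targeted
# -sV -sC scan of exactly the ports that came back open.
# -sS needs root; without it nmap refuses to run the scan.

# Read nmap -oG output on stdin and print the open TCP ports as a
# comma-separated, numerically sorted list suitable for nmap -p.
open_ports_from_grepable() {
    sed -n 's/^Host: .*Ports: //p' \
        | tr ',' '\n' \
        | sed -n 's#^ *\([0-9]*\)/open/tcp.*#\1#p' \
        | sort -n \
        | paste -sd, -
}

# Constructed sample of what "nmap -sS -p- -oG -" prints for a host with the
# eight open ports from this room (service names are nmap-services guesses,
# which is all -oG has before -sV runs).
SAMPLE_GNMAP='# Nmap 7.94 scan initiated
Host: 10.10.10.10 ()    Status: Up
Host: 10.10.10.10 ()    Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 1338/open/tcp//wmsserver///, 1443/open/tcp//ies-lm///, 1883/open/tcp//mqtt///, 8000/open/tcp//http-alt///, 9007/open/tcp//ogs-client///    Ignored State: closed (65527)
# Nmap done'

# Run the parser over the constructed sample.
sample_ports() {
    printf '%s\n' "$SAMPLE_GNMAP" | open_ports_from_grepable
}

# Live workflow against a real target (assumed variable TARGET = machine IP).
scan_target() {
    target="$1"
    # Stage 1: all TCP ports, grepable output kept on disk.
    nmap -sS -p- -T4 --min-rate 1000 -oG full.gnmap "$target" >/dev/null
    ports=$(open_ports_from_grepable < full.gnmap)
    echo "open ports: $ports"
    # Stage 2: version detection and default scripts on just those ports.
    nmap -sV -sC -p "$ports" -oN detail.nmap "$target"
}

if [ -n "${TARGET:-}" ]; then
    scan_target "$TARGET"
fi
```

Usage: `TARGET=10.10.x.x sudo -E sh scan.sh`. Piping the parsed port list into the second scan keeps the slow -sV/-sC pass restricted to the ports that are actually open, which matters on a full -p- sweep of a slow VPN link.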
Note: Mosquitto is running on port 1883, but is irrelevant to this challenge.
Although we previously knew that HTTP and HTTPS servers were running on ports 80 and 443 respectively (as is the standard), we now know that an HTTPS server is running on port 1443, and that HTTP servers are running on ports 8000 and 9007. The version listed for 4 of these servers is Apache httpd 2.4.41, which provides the answer to Question 1 of the challenge:
What is the version of the Apache server?
However, the HTTP server on port 80 is using lighttpd 1.4.55, which provides the answer to Question 12 of the challenge:
What is the name of the software being used on the standard HTTP port?
As indicated by the Nmap scan, the websites on ports 80 and 443 return a 403 Forbidden response when attempting to access them. However, the website on port 1443 is accessible, so I opened it in Firefox with https://MACHINE-IP:1443/ (accepting the certificate warning), which reveals it to be a phpinfo() page.
The SSL certificate information on this page lists the website's common name as dev.probe.thm and associated email address as probe@probe.thm. The common name had also been listed in the certificate information that was retrieved by the Nmap scan. This provides the answers to questions 3 and 4 of the challenge:
What is the FQDN for the website hosted using a self-signed certificate and contains critical server information as the homepage?
What is the email address associated with the SSL certificate used to sign the website mentioned in Q3?
Note that the common name (CN) field of a server certificate conventionally holds the server's fully qualified domain name (FQDN), i.e. the hostname together with its domain name and top-level domain. We can also tell that this certificate is self-signed because its subject and issuer fields are identical, meaning it was signed with its own key rather than issued by a CA. This can be seen more clearly by clicking the padlock icon in the Firefox address bar and viewing the certificate:
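The same check from the command line, as an added example that is not part of the original writeup: pull the leaf certificate off the port, read the subject fields the questions ask for (CN and emailAddress), and decide whether it is self-signed by comparing subject and issuer and then verifying the certificate against itself. It requires openssl. `make_test_cert` builds a throwaway certificate with the constructed values dev.probe.thm and probe@probe.thm so the functions can be tried offline; `fetch_cert` is the live variant for https://MACHINE-IP:1443/.

```shell
#!/bin/sh
# Added example (not from the writeup): subject/issuer inspection of a TLS
# certificate with openssl. Requires the openssl CLI.

# Fetch the leaf certificate served on HOST:PORT as PEM.
# Usage: fetch_cert HOST PORT > cert.pem
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Print one subject field (CN, emailAddress, O, ...) of a PEM certificate.
# RFC2253 formatting keeps the output shape stable across OpenSSL versions:
# "field=value,field=value" with no spaces around "=".
# Usage: cert_field CERT.pem FIELD
cert_field() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//' \
        | tr ',' '\n' \
        | sed -n "s/^$2=//p"
}

# "self-signed" when subject and issuer are identical AND the certificate
# verifies with its own key (matching names alone are only a hint: a rogue
# cert could copy them); otherwise "not-self-signed".
# Usage: classify_cert CERT.pem
classify_cert() {
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    if [ "$subject" = "$issuer" ] \
        && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
        echo self-signed
    else
        echo not-self-signed
    fi
}

# Generate a self-signed test certificate with constructed subject values
# and print its path, so the functions above can be exercised offline.
make_test_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=dev.probe.thm/emailAddress=probe@probe.thm" >/dev/null 2>&1
    echo "$dir/cert.pem"
}
```

Against the live box: `fetch_cert MACHINE-IP 1443 > cert.pem; cert_field cert.pem CN; cert_field cert.pem emailAddress; classify_cert cert.pem`. The `openssl verify` step is the part Firefox's subject/issuer comparison does not show you: it confirms the signature actually checks out under the certificate's own public key.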
Also listed on the website is the PHP Extension Build, which provides the answer to Question 5 of the challenge:
What is the value of the PHP Extension Build on the server?
Looking back at the Nmap scan, we found out that an FTP server is running on port 1338. This provides the answer to Question 2 of the challenge:
What is the port number of the FTP service?
Connecting to the FTP server (for example with nc MACHINE-IP 1338 or ftp MACHINE-IP 1338) shows a banner that contains a flag, providing the answer to Question 6 of the challenge:
What is the banner for the FTP service?
We are left with the HTTP servers on ports 8000 and 9007. Going to http://MACHINE-IP:8000/ in Firefox reveals a blank page. I decided to use ffuf to fuzz for hidden content on this website using the common.txt wordlist for web content discovery from SecLists.
One of the pages discovered is a contactus page. Going to http://MACHINE-IP:8000/contactus/ reveals a flag, providing the answer to Question 13 of the challenge:
What is the flag value associated with the web page hosted on port 8000?
Another page discovered is a phpmyadmin page. By searching on Google, I found out that phpMyAdmin is a web administration tool for MySQL and MariaDB. Going to http://MACHINE-IP:8000/phpmyadmin/ reveals the phpMyAdmin login page for this server. This would be a potential entry point if we were to move past the enumeration stage.
This provides the answer for Question 7 of the challenge:
What software is used for managing the database on the server?
When attempting to access http://MACHINE-IP:9007/ we get a 400 Bad Request response with a message stating that this is an SSL-enabled server port and to use the HTTPS scheme instead. Changing the URL to https://MACHINE-IP:9007/ successfully loads the page, revealing a blogging site:
I decided to fuzz this website for hidden content as well, again using ffuf and the common.txt wordlist for web content discovery. Note that this website also has a phpmyadmin page.
More importantly for this challenge, we discover the wp-includes, wp-admin, wp-content, and xmlrpc.php pages. A quick Google search about what these actually are reveals that they are part of a WordPress installation, indicating that this blogging site uses WordPress. This provides the answer to Question 8 of the challenge:
What is the Content Management System (CMS) hosted on the server?
Looking to see if I could find anything else of interest, I fuzzed the website again, this time using the wordpress.fuzz.txt wordlist from SecLists. This reveals an overwhelming amount of content, so it's more useful to filter the output using grep (ffuf's own -mr/-fr regex options would do the same filtering without the extra pipe). For example, I filtered it to show content containing the word "login":
One of the pages discovered is wp-login.php. Going to https://MACHINE-IP:9007/wp-login.php reveals a WordPress login page. This would be another potential entry point if we were to move past the enumeration stage.
Still not knowing what version of WordPress is being used, I decided to look into OSVDB-3092, mentioned in Question 11 of the challenge:
During vulnerability scanning, OSVDB-3092 detects a file that may be used to identify the blogging site software. What is the name of the file?
Two of the files that I discovered while searching this vulnerability on Google are readme.html and license.txt. The blogging site contains both of these files and they both reveal it to be using WordPress. However, only one of them is the answer to Question 11.
Still looking for which version of WordPress is being used, I checked the page source of the blogging site's homepage. Here I found the meta generator tag indicating WordPress 6.2.2. I had not come across it before: the meta generator tag in a page's HTML names the software (and often the version) that generated the page, which is exactly why it is a standard fingerprinting target.
This provides the answer to Question 9 of the challenge:
What is the version number of the CMS hosted on the server?
Finally, I found out from searching on Google that every user on a WordPress site has an author archive page listing their published posts, reachable at http://site.com/?author=ID, where ID is the user's numeric ID. WordPress redirects that URL to /author/USERNAME/, so the username is leaked in the redirect even when the archive itself is empty, and iterating over IDs enumerates the site's usernames. If it is the admin username we are looking for, then the user ID is likely 1, since the first account created during installation gets ID 1.
Going to https://MACHINE-IP:9007/?author=1 reveals the admin username.
This provides the answer to Question 10 of the challenge:
What is the username for the admin panel of the CMS?
I confirmed the existence of the user by attempting to log in with their username at the wp-login.php page discovered earlier. Notice the difference in responses to the login attempts when the username does exist versus when it doesn't exist.
Note: I attempted these logins through modified POST requests using the developer tools in Firefox. Attempting to log in directly from the webpage sends the requests to myblog.thm, which doesn't resolve and should be changed to the MACHINE-IP. Alternatively, mapping myblog.thm to the machine IP in /etc/hosts lets the form work as-is.
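The three WordPress checks done by hand above (the meta generator version, the ?author=ID redirect, and the differing wp-login.php error messages) as shell functions. This is an added example, not code from the original writeup. The HTML, redirect headers and login error bodies below are constructed to look like WordPress 6.x output; the exact error wording ("is not registered on this site" versus "The password you entered for the username ... is incorrect") is an assumption about current WordPress strings, not something taken from this target. The live helpers use curl's --resolve to pin myblog.thm to the machine IP, which avoids the hostname problem noted above.

```shell
#!/bin/sh
# Added example (not from the writeup): WordPress fingerprinting and
# username enumeration helpers. Samples are constructed; live helpers need curl.

# Version from the meta generator tag. Reads homepage HTML on stdin.
wp_version() {
    sed -n 's/.*<meta name="generator" content="WordPress \([0-9.]*\)".*/\1/p' | head -n 1
}

# Username leaked by the ?author=N redirect: WordPress answers with a 301 to
# /author/<user_nicename>/. Reads raw response headers on stdin.
wp_author_user() {
    tr -d '\r' | sed -n 's#^[Ll]ocation: .*/author/\([^/]*\)/.*#\1#p' | head -n 1
}

# Classify a wp-login.php response body (stdin): "unknown" when WordPress
# says the username is not registered, "exists" when it complains about the
# password (so the username was accepted), "undetermined" otherwise.
# The two phrases are an assumption about WordPress 6.x error text.
wp_user_state() {
    body=$(cat)
    case "$body" in
        *"is not registered on this site"*) echo unknown ;;
        *"The password you entered for the username"*) echo exists ;;
        *) echo undetermined ;;
    esac
}

# Constructed samples of the three responses.
SAMPLE_HTML='<html><head><meta name="generator" content="WordPress 6.2.2" /></head><body></body></html>'
SAMPLE_HEADERS='HTTP/1.1 301 Moved Permanently
Location: https://myblog.thm/author/admin/
Content-Type: text/html; charset=UTF-8'
SAMPLE_LOGIN_UNKNOWN='<div id="login_error"><strong>Error:</strong> The username <strong>bob</strong> is not registered on this site.</div>'
SAMPLE_LOGIN_EXISTS='<div id="login_error"><strong>Error:</strong> The password you entered for the username <strong>admin</strong> is incorrect.</div>'

# Live: walk author IDs 1..N on HOST (assumed reachable on https port 9007)
# and print "ID username" for every ID that redirects.
enum_authors() {
    host="$1"; n="${2:-10}"; i=1
    while [ "$i" -le "$n" ]; do
        u=$(curl -sk -D - -o /dev/null "https://$host:9007/?author=$i" | wp_author_user)
        if [ -n "$u" ]; then echo "$i $u"; fi
        i=$((i + 1))
    done
}

# Live: does USER exist according to wp-login.php on HOST? Uses --resolve so
# the request carries the myblog.thm hostname without touching /etc/hosts.
probe_login() {
    curl -sk --resolve "myblog.thm:9007:$1" "https://myblog.thm:9007/wp-login.php" \
        --data-urlencode "log=$2" --data-urlencode "pwd=not-the-password" | wp_user_state
}
```

Against the live box: `curl -sk https://MACHINE-IP:9007/ | wp_version`, `enum_authors MACHINE-IP 10`, `probe_login MACHINE-IP admin`. The user-state check is the same oracle the writeup observed in the browser: WordPress's login error tells you whether the username was accepted before it tells you anything about the password.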
A potential next step from here would be to try to gain access to the admin account using brute-force or dictionary password attacks against wp-login.php (or the xmlrpc.php endpoint discovered earlier, which also accepts credentials).
Writeup by nandres