First, we notice that there is more than one page we can access. Looking more closely, we see that the site can be reached in two ways: over HTTPS and over HTTP. One solution would be to allow only HTTPS connections, for better safety.
Then we pinged the website with the command:
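As an added example (not part of the original report), this is one way to implement the HTTPS-only recommendation above on an Apache 2 server: the port 80 virtual host answers only with a permanent redirect, and the HTTPS host sends an HSTS header. The hostname, certificate paths and output file are placeholders, not values from the report.

```shell
#!/bin/sh
# Added example: an Apache vhost pair that serves nothing over plain HTTP
# except a permanent redirect to HTTPS, plus an HSTS header on the HTTPS side.
# Hostname, certificate paths and the output path are placeholders.

HOST="${HOST:-lab.example.test}"          # placeholder: use the real vhost name
CERT="${CERT:-/etc/ssl/certs/site.pem}"   # placeholder certificate path
KEY="${KEY:-/etc/ssl/private/site.key}"   # placeholder key path

# Emit the hardened configuration to stdout.
https_only_vhost() {
  host="$1"; cert="$2"; key="$3"
  cat <<EOF
# Port 80: answer only with a redirect; no DocumentRoot, no application content.
<VirtualHost *:80>
    ServerName ${host}
    Redirect permanent / https://${host}/
</VirtualHost>

<VirtualHost *:443>
    ServerName ${host}
    SSLEngine on
    SSLCertificateFile ${cert}
    SSLCertificateKeyFile ${key}
    # Requires mod_headers. Browsers will use HTTPS for a year, subdomains included.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    DocumentRoot /var/www/html
</VirtualHost>
EOF
}

# Check a vhost file: the *:80 block must contain a redirect and must not
# serve content itself (no DocumentRoot / ProxyPass). Returns 0 when safe.
http_block_is_redirect_only() {
  file="$1"
  block=$(awk '/<VirtualHost \*:80>/{f=1} f{print} /<\/VirtualHost>/{if(f){exit}}' "$file")
  printf '%s\n' "$block" | grep -q '^ *Redirect permanent / https://' || return 1
  printf '%s\n' "$block" | grep -Eq '^ *(DocumentRoot|ProxyPass)' && return 1
  return 0
}

# Usage: generate the file, verify it, then run `apachectl configtest` and reload.
https_only_vhost "$HOST" "$CERT" "$KEY" > /tmp/site.conf
http_block_is_redirect_only /tmp/site.conf && echo "port 80 is redirect-only"
```

The check function is there so the same script can be run against an existing configuration: a port 80 block that still carries a DocumentRoot or ProxyPass is the weak setting the report describes, where the application is reachable without TLS.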
ping lab.epidoc.eu
We obtained the IP address of the website (217.182.188.20). With this IP, we can now do more on the website:
- First, trace it to learn more about its location.
- See open ports
- See other domains linked to this IP
You'll find the picture by looking at "IP1.png"
Then, after seeing that port 22 was open, and also a domain name and hostname (and more: geolocation, name, etc.), we looked at the domain name to see whether there was anything more interesting:
You'll find results as "DomainName.jpg".
We notice that there is more than one domain under the name baptisteheraud.com, each with different open ports. We tried to see whether some of these ports were also open on the website. We tried port 8080 first, by typing lab.epidoc.eu:8080/
and the server returned an admin page with some information on it, such as user names and some nologin entries.
You'll find these results as Port8080.jpg
The point is that, beyond being able to access several of the owner's domains, we can also see a lot of information about him, such as his name, geolocation, etc. This could be a security problem regarding the user's privacy. Furthermore, if we dig a little deeper with some tools available on GitHub (such as Maigret or Holehe), we can easily obtain some "confidential" data such as his email, phone number, address, etc.
Because of the server crash, the IP changed to: 217.182.188.20. First, we checked with nmap to see which ports were open.
This time there were more open ports, so we went back to [Shodan.io] to try to get more information.
On this attempt, Shodan returned a number of vulnerabilities, especially some linked to Apache2 and the HTTP protocol. Some interested us, such as CVE-2019-0217 and CVE-2021-3449. These issues could be resolved by upgrading Apache to a more recent version, and those vulnerabilities should be fixed.
Then we asked ourselves whether it was possible to log in via FTP. We typed the command ftp 217.182.188.20
and we logged in as the anonymous user with the password "root", and we accessed different files. The solution here could be to disable authentication as the anonymous user.
Furthermore, on the admin page, without logging in, by examining the page we can find a salted password that is not hashed yet; it should be possible to decode it and use it with full efficiency: x6LvvMPG7DD4pqNX3bscd3w866mAP442
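As an added example (not part of the original report), here is how the fix proposed above could be applied on a server running vsftpd. vsftpd itself and the config path are assumptions: the report does not say which FTP daemon is in use.

```shell
#!/bin/sh
# Added example: disable anonymous FTP logins in vsftpd by rewriting the
# relevant keys of its configuration file. vsftpd and /etc/vsftpd.conf are
# assumptions; adapt the key names if another FTP daemon is in use.

# Set or replace a key=value line in a vsftpd-style config file (in place).
# A commented-out "#key=value" line is replaced too, so the active value is
# unambiguous and appears only once.
set_conf_key() {
  file="$1"; key="$2"; value="$3"
  if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}=" "$file"; then
    sed -i.bak -E "s|^[[:space:]]*#?[[:space:]]*${key}=.*|${key}=${value}|" "$file"
    rm -f "$file.bak"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# Apply the hardening: no anonymous login, no anonymous uploads or mkdir
# either, and chroot local users so a valid login cannot browse the whole
# filesystem.
harden_vsftpd() {
  file="$1"
  set_conf_key "$file" anonymous_enable NO
  set_conf_key "$file" anon_upload_enable NO
  set_conf_key "$file" anon_mkdir_write_enable NO
  set_conf_key "$file" chroot_local_user YES
}

# Return 0 when the file no longer permits anonymous logins.
anonymous_disabled() {
  ! grep -Eq '^[[:space:]]*anonymous_enable=YES' "$1" &&
  grep -Eq '^[[:space:]]*anonymous_enable=NO' "$1"
}

# Usage (on the server, as root): back up, edit, verify, then restart the
# service, e.g. `systemctl restart vsftpd`.
# cp /etc/vsftpd.conf /etc/vsftpd.conf.orig
# harden_vsftpd /etc/vsftpd.conf && anonymous_disabled /etc/vsftpd.conf && echo hardened
```

After the restart, an anonymous login attempt against the server should be refused; if the files served over FTP are meant to be public, serving them read-only over HTTPS is the safer alternative to re-enabling anonymous access.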
DISCLAIMER: Our purpose was not to impair the website or to take it down. We only looked for some vulnerabilities in order to reinforce its safety, after the company asked for it.
See pentest.odt for more information.