# Exploring the caverns

### Enumerating Web Servers

A port scan alone is not enough: it is important to enumerate what is actually running on each web server to understand which services are on the network and which of them could be used as an attack vector.

#### Enumerating THROWBACK-PROD's Production Server

Upon initial access to the production server, we can see that it hosts a company website advertising the company as a private penetration testing and analysis firm.

![Landing page of Throwback Hacks](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FufoxyyACllkqWxuHP8Sm%2Fwebpage01.png?alt=media\&token=2de21641-fb62-46d3-b9ac-ef3229004c77)

Further inspection of the website reveals a list of employees, the location of the company, and an email address. These details are worth noting for later attacks and enumeration.

#### Exploring Throwback Hacks Website

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FQiONYpXQz1Dv5MAUP6E5%2Fteam.png?alt=media\&token=b1ed2ab5-3176-4697-8255-bc569964de45)

Company Members:

* Summers Winters (CEO & Founder)
* Jeff Davies (CFO)
* Hugh Gongo (CTO)
* Rikka Foxx (Lead Developer)

#### Enumerating THROWBACK-MAIL's Mail Server

When enumerating the THROWBACK-MAIL web server, we find from the page source that it is running SquirrelMail as the company's mail service.

![Page source code reveals that SquirrelMail is running as the mail service](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FvQeeSQIy3VUuwCFYSay9%2Fwebpage02.png?alt=media\&token=4bb65e40-a339-4bd7-bdfa-9639b81a7bcd)

![Throwback Hacks mail server login](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FfgMVfEI76hAzgHLNd5Rf%2Fwebpage03.png?alt=media\&token=bb62f539-7f73-4625-adee-1bacae42e311)

When viewing the banner on the login page, we find that there is a guest login account that anyone can use. We will need these credentials for later attacks.
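Both findings above (the product name in the page source and a guest login in the banner) are information disclosure that a site owner can check for before publishing a login page. The following is an added example, not part of the original walkthrough: a small audit over a constructed HTML sample. The sample markup, the product list and the regular expressions are assumptions for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a webmail login page (not the lab's real HTML;
# the password is a placeholder).
SAMPLE_LOGIN_HTML = """<html><head><title>Throwback Hacks - Login</title>
<script src="/src/js/squirrelmail_login.js"></script></head>
<body>
<!-- webmail v1.4.22 deployed by IT -->
<p class="banner">Guest access: username guest / password EXAMPLE-PLACEHOLDER</p>
<form action="redirect.php" method="post"></form>
</body></html>"""

PRODUCTS = ("squirrelmail", "pfsense")  # product names to flag (assumed list)
VERSION_RE = re.compile(r"\bv?\d+\.\d+(?:\.\d+)+\b")  # three-part versions
# "password" followed by a value; a bare "Password:" form label does not match
CRED_RE = re.compile(r"\b(?:password|passwd|pwd)\b(?:\s*[:=/]\s*|\s+)\S+", re.I)

class LoginPageAudit(HTMLParser):
    """Collects disclosure findings from attributes, comments and visible text."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def _scan(self, where, text):
        low = text.lower()
        for name in PRODUCTS:
            if name in low:
                self.findings.append(("product", where, name))
        for m in VERSION_RE.finditer(text):
            self.findings.append(("version", where, m.group()))
        # Attribute values such as type="password" are not credentials
        if where != "attribute" and CRED_RE.search(text):
            self.findings.append(("credential", where, text.strip()))

    def handle_starttag(self, tag, attrs):
        for _, value in attrs:
            self._scan("attribute", value or "")
    def handle_comment(self, data):
        self._scan("comment", data)
    def handle_data(self, data):
        self._scan("text", data)

def audit(html):
    """Return a list of (kind, location, evidence) tuples for one page."""
    parser = LoginPageAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Each finding names what leaked and where it sits in the page, so the fix is either to strip the identifier from the template or to remove the shared account from the banner.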

#### Login with Guest Account

![Address book](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FIAAi6QkNN1xZrvsbD0qI%2Fusers01.png?alt=media\&token=2ee8b86f-2b75-41ec-968f-c7c98f9570e7)

#### Possible Usernames

* HumphreyW
* SummersW
* FoxxR
* DaibaN
* PeanutbutterM
* PetersJ
* DaviesJ
* BlaireJ
* GongoH
* MurphyF
* JeffersD
* HoresemanB

#### Enumerating THROWBACK-FW01's Service

Immediately upon visiting THROWBACK-FW01, we can tell that it is running a new version of pfSense. As this firewall is accessible to the public, we can assume that it is an outside firewall designed to keep attackers out.

![pfSense login page](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FwxjuuiOS9eRr10JSOsqu%2Fwebpage04.png?alt=media\&token=13fea27a-197c-46a1-b2fb-1d41cd63454f)

Your team informs you that it is your decision which target to attack first; all of them can be good attack paths. They suggest attacking THROWBACK-FW01 first, but the decision is yours.

### Questions

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FDbEtUgRUN8r6YvlaftZg%2Fquestions_task08.png?alt=media\&token=6dcedccd-a458-4aa2-b1a6-4e8dce355301)

