INFORMATION DISCLOSURE THROUGH AN ORGANIZATION’S NETWORK

HackHive
3 min readJul 2, 2024

--

ABSTRACT:
During network security assessment using Nmap, we inadvertently conducted a port scan on a local computer connected to our LAN. The scan revealed several open ports, which, upon further investigation, were found to expose sensitive information. This information disclosure included critical details that could be exploited to gain unauthorized access to server-side systems. The vulnerability posed a significant risk, potentially leading to a server-side takeover.

PROOF OF CONCEPT:

In the initial phase of our assessment, we conducted a comprehensive port scan within the local IP range of xxx.xxx.xxx.1 to xxx.xxx.xxx.254 using Nmap. This scan aimed to identify active IP addresses and detect open ports across the network. The results revealed multiple IP addresses with open ports, indicating active devices within the specified range. This discovery provided a foundation for further investigation into potential vulnerabilities and security weaknesses present in the network.

Nmap scan for IP range from x.x.x.1–254

The port scan identified the IP address xxx.xxx.xxx.156 having several open ports, indicating active services on the host. Attached evidence from the Nmap scan provides detailed information on the specific open ports and associated services. This finding highlights a potential security concern, as open ports can be entry points for unauthorized access or exploitation. The presence of these open ports necessitates a thorough examination of the services running on xxx.xxx.xxx.156 to assess their security posture and mitigate any identified vulnerabilities.

Scanning only the target IP

Upon further examination of the open ports on IP address xxx.xxx.xxx.156, we identified port 8080, commonly used for web servers, as active. Accessing this port revealed the presence of an Nginx server user interface. The exposure of the Nginx server interface through this port represents a significant security vulnerability, as it could be exploited by unauthorized users to gain control over the web server. This discovery underscores the necessity for immediate security measures to restrict access to the Nginx server and ensure that only authorized personnel can interact with this interface.

Subdomains

Exploiting this access, we were able to achieve complete server takeover, which included the ability to add or remove subdomains. This critical security lapse indicates that unauthorized users could manipulate server settings, potentially leading to severe consequences such as data breaches, service disruptions, and unauthorized access to sensitive information.

Further investigation on IP address xxx.xxx.xxx.156 on port 3000 revealed access to Node.js Express framework page. This page contained detailed source code documentation, including original source code snippets embedded with several admin passwords. The exposure of this sensitive information represents a significant security threat, as the disclosed admin passwords could be leveraged to gain elevated privileges and unauthorized control over various network resources.

CONCLUSION:

The network security assessment revealed critical vulnerabilities within our infrastructure, beginning with the identification of open ports on IP address xxx.xxx.xxx.156. Accessing port 8080 exposed an Nginx server interface, which was subsequently exploited for full server takeover, including the ability to manage subdomains. Further inspection uncovered a Node.js Express framework page containing source code documentation with embedded admin passwords. These findings highlight significant security gaps that necessitate immediate remediation.

--

--