old htb folders
2023-08-29 21:53:22 +02:00
parent 62ab804867
commit 82b0759f1e
21891 changed files with 6277643 additions and 0 deletions

@@ -0,0 +1,33 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/htb/admirer/results/scans/_quick_tcp_nmap.txt" -oX "/home/simon/htb/admirer/results/scans/xml/_quick_tcp_nmap.xml" admirer.htb
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/htb/admirer/results/scans/_full_tcp_nmap.txt" -oX "/home/simon/htb/admirer/results/scans/xml/_full_tcp_nmap.xml" admirer.htb
nmap -vv --reason -Pn -T4 -sV -p 21 --script="banner,(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/htb/admirer/results/scans/tcp21/tcp_21_ftp_nmap.txt" -oX "/home/simon/htb/admirer/results/scans/tcp21/xml/tcp_21_ftp_nmap.xml" admirer.htb
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/simon/htb/admirer/results/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/simon/htb/admirer/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml" admirer.htb
gobuster dir -u http://admirer.htb:80/ -t 200 -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -x "php,html,txt" -z -o "/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_gobuster_common.txt"
curl -sSikf http://admirer.htb:80/.well-known/security.txt
curl -sSikf http://admirer.htb:80/robots.txt
curl -sSik http://admirer.htb:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/htb/admirer/results/scans/tcp80/xml/tcp_80_http_nmap.xml" admirer.htb
curl -sk -o /dev/null -H "Host: xnciztvwFSMdYfigwUAw.admirer.htb" http://admirer.htb:80/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://admirer.htb:80 2>&1
wkhtmltoimage --format png http://admirer.htb:80/ /home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_screenshot.png
ffuf -u http://admirer.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.admirer.htb" -fs 6051 -noninteractive -s | tee "/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_admirer.htb_vhosts_subdomains-top1million-110000.txt"
gobuster dir -u http://admirer.htb:80/ -t 200 -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -x "php,html,txt" -z -o "/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_gobuster_big.txt"
gobuster dir -u http://admirer.htb:80/ -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -x "php,html,txt" -z -o "/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_gobuster_directory-list-2.3-medium.txt"
```

@@ -0,0 +1,43 @@
```bash
[*] ftp on tcp/21
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 21 -o "/home/simon/htb/admirer/results/scans/tcp21/tcp_21_ftp_hydra.txt" ftp://admirer.htb
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 21 -O "/home/simon/htb/admirer/results/scans/tcp21/tcp_21_ftp_medusa.txt" -M ftp -h admirer.htb
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/simon/htb/admirer/results/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://admirer.htb
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/simon/htb/admirer/results/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h admirer.htb
[*] http on tcp/80
[-] (gobuster v3) Multi-threaded directory/file enumeration for web servers using various wordlists:
gobuster dir -u http://admirer.htb:80/ -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -x "php,html,txt" -o "/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_gobuster_dirbuster.txt"
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://admirer.htb/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h admirer.htb -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://admirer.htb/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h admirer.htb -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://admirer.htb:80 2>&1 | tee "/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://admirer.htb:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_wpscan.txt"
```
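Review bot: the `[*] ftp on tcp/21` and `[-] Bruteforce logins:` annotation lines sit inside a ```bash fence but are not shell, so the block cannot be pasted or sourced as a script; either fence this file as plain text or turn those lines into `#` comments. The hydra and medusa HTTP lines at the end still carry the `/path/to/auth/area` and `/path/to/login.php` placeholders that the file's own warning says must be replaced, so they are unfilled templates and should not be read as commands that were run against the host.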

@@ -0,0 +1,2 @@
Identified HTTP Server: Apache/2.4.25 (Debian)

@@ -0,0 +1,36 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/htb/admirer/results/scans/_full_tcp_nmap.txt" -oX "/home/simon/htb/admirer/results/scans/xml/_full_tcp_nmap.xml" admirer.htb
```
[/home/simon/htb/admirer/results/scans/_full_tcp_nmap.txt](file:///home/simon/htb/admirer/results/scans/_full_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Fri Jan 20 19:49:56 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/simon/htb/admirer/results/scans/_full_tcp_nmap.txt -oX /home/simon/htb/admirer/results/scans/xml/_full_tcp_nmap.xml admirer.htb
Nmap scan report for admirer.htb (10.129.228.103)
Host is up, received user-set (0.055s latency).
Scanned at 2023-01-20 19:50:01 UTC for 13s
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
22/tcp open ssh syn-ack OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
| 2048 4a71e92163699dcbdd84021a2397e1b9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDaQHjxkc8zeXPgI5C7066uFJaB6EjvTGDEwbfl0cwM95npP9G8icv1F/YQgKxqqcGzl+pVaAybRnQxiZkrZHbnJlMzUzNTxxI5cy+7W0dRZN4VH4YjkXFrZRw6dx/5L1wP4qLtdQ0tLHmgzwJZO+111mrAGXMt0G+SCnQ30U7vp95EtIC0gbiGDx0dDVgMeg43+LkzWG+Nj+mQ5KCQBjDLFaZXwCp5Pqfrpf3AmERjoFHIE8Df4QO3lKT9Ov1HWcnfFuqSH/pl5+m83ecQGS1uxAaokNfn9Nkg12dZP1JSk+Tt28VrpOZDKhVvAQhXWONMTyuRJmVg/hnrSfxTwbM9
| 256 c595b6214d46a425557a873e19a8e702 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNHgxoAB6NHTQnBo+/MqdfMsEet9jVzP94okTOAWWMpWkWkT+X4EEWRzlxZKwb/dnt99LS8WNZkR0P9HQxMcIII=
| 256 d02dddd05c42f87b315abe57c4a9a756 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqp21lADoWZ+184z0m9zCpORbmmngq+h498H9JVf7kP
80/tcp open http syn-ack Apache httpd 2.4.25 ((Debian))
|_http-title: Admirer
| http-robots.txt: 1 disallowed entry
|_/admin-dir
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.25 (Debian)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 20 19:50:14 2023 -- 1 IP address (1 host up) scanned in 18.98 seconds
```
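Review bot: the `conn-refused` reason on the 65532 closed ports shows this ran as an unprivileged TCP connect scan, so the `-A` / `--osscan-guess` OS fingerprinting never executed; the output carries only the `Service Info: OSs: Unix, Linux` guess derived from version banners and no `OS details` line. Either run it with root privileges when OS detection is wanted or drop `-A --osscan-guess` from the command so the log does not claim a check that did not happen. Beyond the version strings, the one lead in this file is the `/admin-dir` entry that `http-robots.txt` reports.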

@@ -0,0 +1,36 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/htb/admirer/results/scans/_quick_tcp_nmap.txt" -oX "/home/simon/htb/admirer/results/scans/xml/_quick_tcp_nmap.xml" admirer.htb
```
[/home/simon/htb/admirer/results/scans/_quick_tcp_nmap.txt](file:///home/simon/htb/admirer/results/scans/_quick_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Fri Jan 20 19:49:56 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/simon/htb/admirer/results/scans/_quick_tcp_nmap.txt -oX /home/simon/htb/admirer/results/scans/xml/_quick_tcp_nmap.xml admirer.htb
Nmap scan report for admirer.htb (10.129.228.103)
Host is up, received user-set (0.021s latency).
Scanned at 2023-01-20 19:50:01 UTC for 9s
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
22/tcp open ssh syn-ack OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
| 2048 4a71e92163699dcbdd84021a2397e1b9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDaQHjxkc8zeXPgI5C7066uFJaB6EjvTGDEwbfl0cwM95npP9G8icv1F/YQgKxqqcGzl+pVaAybRnQxiZkrZHbnJlMzUzNTxxI5cy+7W0dRZN4VH4YjkXFrZRw6dx/5L1wP4qLtdQ0tLHmgzwJZO+111mrAGXMt0G+SCnQ30U7vp95EtIC0gbiGDx0dDVgMeg43+LkzWG+Nj+mQ5KCQBjDLFaZXwCp5Pqfrpf3AmERjoFHIE8Df4QO3lKT9Ov1HWcnfFuqSH/pl5+m83ecQGS1uxAaokNfn9Nkg12dZP1JSk+Tt28VrpOZDKhVvAQhXWONMTyuRJmVg/hnrSfxTwbM9
| 256 c595b6214d46a425557a873e19a8e702 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNHgxoAB6NHTQnBo+/MqdfMsEet9jVzP94okTOAWWMpWkWkT+X4EEWRzlxZKwb/dnt99LS8WNZkR0P9HQxMcIII=
| 256 d02dddd05c42f87b315abe57c4a9a756 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqp21lADoWZ+184z0m9zCpORbmmngq+h498H9JVf7kP
80/tcp open http syn-ack Apache httpd 2.4.25 ((Debian))
|_http-title: Admirer
| http-robots.txt: 1 disallowed entry
|_/admin-dir
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.25 (Debian)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 20 19:50:10 2023 -- 1 IP address (1 host up) scanned in 14.74 seconds
```

@@ -0,0 +1,22 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 21 --script="banner,(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/htb/admirer/results/scans/tcp21/tcp_21_ftp_nmap.txt" -oX "/home/simon/htb/admirer/results/scans/tcp21/xml/tcp_21_ftp_nmap.xml" admirer.htb
```
[/home/simon/htb/admirer/results/scans/tcp21/tcp_21_ftp_nmap.txt](file:///home/simon/htb/admirer/results/scans/tcp21/tcp_21_ftp_nmap.txt):
```
# Nmap 7.93 scan initiated Fri Jan 20 19:50:13 2023 as: nmap -vv --reason -Pn -T4 -sV -p 21 "--script=banner,(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/htb/admirer/results/scans/tcp21/tcp_21_ftp_nmap.txt -oX /home/simon/htb/admirer/results/scans/tcp21/xml/tcp_21_ftp_nmap.xml admirer.htb
Nmap scan report for admirer.htb (10.129.228.103)
Host is up, received user-set (0.038s latency).
Scanned at 2023-01-20 19:50:15 UTC for 2s
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
|_banner: 220 (vsFTPd 3.0.3)
Service Info: OS: Unix
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 20 19:50:17 2023 -- 1 IP address (1 host up) scanned in 4.65 seconds
```
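Review bot: the `ftp*` script selection includes `ftp-anon`, which only prints when anonymous login succeeds, so its absence here means anonymous FTP was refused; that result is worth recording explicitly rather than leaving it to be inferred from a missing line. The only information this scan adds over the full port scan is the `220 (vsFTPd 3.0.3)` banner.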

@@ -0,0 +1,72 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/simon/htb/admirer/results/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/simon/htb/admirer/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml" admirer.htb
```
[/home/simon/htb/admirer/results/scans/tcp22/tcp_22_ssh_nmap.txt](file:///home/simon/htb/admirer/results/scans/tcp22/tcp_22_ssh_nmap.txt):
```
# Nmap 7.93 scan initiated Fri Jan 20 19:50:13 2023 as: nmap -vv --reason -Pn -T4 -sV -p 22 --script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/simon/htb/admirer/results/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/simon/htb/admirer/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml admirer.htb
Nmap scan report for admirer.htb (10.129.228.103)
Host is up, received user-set (0.018s latency).
Scanned at 2023-01-20 19:50:15 UTC for 2s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
|_banner: SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7
| ssh2-enum-algos:
| kex_algorithms: (10)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| diffie-hellman-group14-sha256
| diffie-hellman-group14-sha1
| server_host_key_algorithms: (5)
| ssh-rsa
| rsa-sha2-512
| rsa-sha2-256
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (6)
| chacha20-poly1305@openssh.com
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| mac_algorithms: (10)
| umac-64-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-64@openssh.com
| umac-128@openssh.com
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
| ssh-hostkey:
| 2048 4a71e92163699dcbdd84021a2397e1b9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDaQHjxkc8zeXPgI5C7066uFJaB6EjvTGDEwbfl0cwM95npP9G8icv1F/YQgKxqqcGzl+pVaAybRnQxiZkrZHbnJlMzUzNTxxI5cy+7W0dRZN4VH4YjkXFrZRw6dx/5L1wP4qLtdQ0tLHmgzwJZO+111mrAGXMt0G+SCnQ30U7vp95EtIC0gbiGDx0dDVgMeg43+LkzWG+Nj+mQ5KCQBjDLFaZXwCp5Pqfrpf3AmERjoFHIE8Df4QO3lKT9Ov1HWcnfFuqSH/pl5+m83ecQGS1uxAaokNfn9Nkg12dZP1JSk+Tt28VrpOZDKhVvAQhXWONMTyuRJmVg/hnrSfxTwbM9
| 256 c595b6214d46a425557a873e19a8e702 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNHgxoAB6NHTQnBo+/MqdfMsEet9jVzP94okTOAWWMpWkWkT+X4EEWRzlxZKwb/dnt99LS8WNZkR0P9HQxMcIII=
| 256 d02dddd05c42f87b315abe57c4a9a756 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqp21lADoWZ+184z0m9zCpORbmmngq+h498H9JVf7kP
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 20 19:50:17 2023 -- 1 IP address (1 host up) scanned in 4.47 seconds
```
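Review bot: `ssh-auth-methods` lists `password` alongside `publickey`, and the algorithm lists still offer `ssh-rsa` (SHA-1 signatures), `diffie-hellman-group14-sha1` and the two `hmac-sha1` MACs; from a hardening standpoint the host should set `PasswordAuthentication no` and prune the SHA-1 KEX and MAC entries in sshd_config, since every other offered algorithm is a modern one. The `ssh-hostkey` block repeats what the quick and full scans already recorded, so the new content of this file is the auth-method and algorithm enumeration.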

@@ -0,0 +1,23 @@
```bash
curl -sSikf http://admirer.htb:80/robots.txt
```
[/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_curl-robots.txt](file:///home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_curl-robots.txt):
```
HTTP/1.1 200 OK
Date: Fri, 20 Jan 2023 19:50:25 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 29 Apr 2020 09:22:10 GMT
ETag: "8a-5a46a7b96e300"
Accept-Ranges: bytes
Content-Length: 138
Vary: Accept-Encoding
Content-Type: text/plain
User-agent: *
# This folder contains personal contacts and creds, so no one -not even robots- should see it - waldo
Disallow: /admin-dir
```
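Review bot: the robots.txt comment discloses both a hidden path (`/admin-dir`) and a username (`waldo`); `Disallow` is advice to well-behaved crawlers, not access control, so anything under that path is reachable by anyone who reads this public file, and the note should say so. Sensitive paths belong behind authentication, not in robots.txt. The captured output also runs the headers straight into the body (`Content-Type: text/plain` is followed directly by `User-agent: *`) because the blank separator line was lost when the response was saved.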

@@ -0,0 +1,170 @@
```bash
curl -sSik http://admirer.htb:80/
```
[/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_curl.html](file:///home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_curl.html):
```
HTTP/1.1 200 OK
Date: Fri, 20 Jan 2023 19:50:25 GMT
Server: Apache/2.4.25 (Debian)
Vary: Accept-Encoding
Content-Length: 6051
Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML>
<!--
Multiverse by HTML5 UP
html5up.net | @ajlkn
Free for personal and commercial use under the CCA 3.0 license (html5up.net/license)
-->
<html>
<head>
<title>Admirer</title>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no" />
<link rel="stylesheet" href="assets/css/main.css" />
<noscript><link rel="stylesheet" href="assets/css/noscript.css" /></noscript>
</head>
<body class="is-preload">
<!-- Wrapper -->
<div id="wrapper">
<!-- Header -->
<header id="header">
<h1><a href="index.html"><strong>Admirer</strong> of skills and visuals</a></h1>
<nav>
<ul>
<li><a href="#footer" class="icon solid fa-info-circle">About</a></li>
</ul>
</nav>
</header>
<!-- Main -->
<div id="main">
<article class='thumb'>
<a href='images/fulls/art01.jpg' class='image'><img src='images/thumbs/thmb_art01.jpg' alt='' /></a>
<h2>Visual Art</h2>
<p>A pure showcase of skill and emotion.</p>
</article>
<article class='thumb'>
<a href='images/fulls/eng02.jpg' class='image'><img src='images/thumbs/thmb_eng02.jpg' alt='' /></a>
<h2>The Beauty and the Beast</h2>
<p>Besides the technology, there is also the eye candy...</p>
</article>
<article class='thumb'>
<a href='images/fulls/nat01.jpg' class='image'><img src='images/thumbs/thmb_nat01.jpg' alt='' /></a>
<h2>The uncontrollable lightshow</h2>
<p>When the sun decides to play at night.</p>
</article>
<article class='thumb'>
<a href='images/fulls/arch02.jpg' class='image'><img src='images/thumbs/thmb_arch02.jpg' alt='' /></a>
<h2>Nearly Monochromatic</h2>
<p>One could simply spend hours looking at this indoor square.</p>
</article>
<article class='thumb'>
<a href='images/fulls/mind01.jpg' class='image'><img src='images/thumbs/thmb_mind01.jpg' alt='' /></a>
<h2>Way ahead of his time</h2>
<p>You probably still use some of his inventions... 500yrs later.</p>
</article>
<article class='thumb'>
<a href='images/fulls/mus02.jpg' class='image'><img src='images/thumbs/thmb_mus02.jpg' alt='' /></a>
<h2>The outcomes of complexity</h2>
<p>Seriously, listen to Dust in Interstellar's OST. Thank me later.</p>
</article>
<article class='thumb'>
<a href='images/fulls/arch01.jpg' class='image'><img src='images/thumbs/thmb_arch01.jpg' alt='' /></a>
<h2>Back to basics</h2>
<p>And centuries later, we want to go back and live in nature... Sort of.</p>
</article>
<article class='thumb'>
<a href='images/fulls/mind02.jpg' class='image'><img src='images/thumbs/thmb_mind02.jpg' alt='' /></a>
<h2>We need him back</h2>
<p>He might have been a loner who allegedly slept with a pigeon, but that brain...</p>
</article>
<article class='thumb'>
<a href='images/fulls/eng01.jpg' class='image'><img src='images/thumbs/thmb_eng01.jpg' alt='' /></a>
<h2>In the name of Science</h2>
<p>Some theories need to be proven.</p>
</article>
<article class='thumb'>
<a href='images/fulls/mus01.jpg' class='image'><img src='images/thumbs/thmb_mus01.jpg' alt='' /></a>
<h2>Equal Temperament</h2>
<p>Because without him, music would not exist (as we know it today).</p>
</article>
<article class='thumb'>
<a href='images/fulls/nat02.jpg' class='image'><img src='images/thumbs/thmb_nat02.jpg' alt='' /></a>
<h2>Playful wind and water</h2>
<p>A colourful wave in the middle of the desert... Isn't Nature amazing?</p>
</article>
<article class='thumb'>
<a href='images/fulls/art02.jpg' class='image'><img src='images/thumbs/thmb_art02.jpg' alt='' /></a>
<h2>Attitude</h2>
<p>Art can provoke feelings... or convey powerful messages</p>
</article>
</div>
<!-- Footer -->
<footer id="footer" class="panel">
<div class="inner split">
<div>
<section>
<h2>Allow yourself to be amazed</h2>
<p>Skills are not to be envied, but to feel inspired by.<br>
Visual arts and music are there to take care of your soul.<br><br>
Let your senses soak up these wonders...<br><br><br><br>
</p>
</section>
<section>
<h2>Follow me on ...</h2>
<ul class="icons">
<li><a href="#" class="icon brands fa-twitter"><span class="label">Twitter</span></a></li>
<li><a href="#" class="icon brands fa-facebook-f"><span class="label">Facebook</span></a></li>
<li><a href="#" class="icon brands fa-instagram"><span class="label">Instagram</span></a></li>
<li><a href="#" class="icon brands fa-github"><span class="label">GitHub</span></a></li>
<li><a href="#" class="icon brands fa-dribbble"><span class="label">Dribbble</span></a></li>
<li><a href="#" class="icon brands fa-linkedin-in"><span class="label">LinkedIn</span></a></li>
</ul>
</section>
</div>
<div>
<section>
<h2>Get in touch</h2>
<form method="post" action="#"><!-- Still under development... This does not send anything yet, but it looks nice! -->
<div class="fields">
<div class="field half">
<input type="text" name="name" id="name" placeholder="Name" />
</div>
<div class="field half">
<input type="text" name="email" id="email" placeholder="Email" />
</div>
<div class="field">
<textarea name="message" id="message" rows="4" placeholder="Message"></textarea>
</div>
</div>
<ul class="actions">
<li><input type="submit" value="Send" class="primary" /></li>
<li><input type="reset" value="Reset" /></li>
</ul>
</form>
</section>
</div>
</div>
</footer>
</div>
<!-- Scripts -->
<script src="assets/js/jquery.min.js"></script>
<script src="assets/js/jquery.poptrox.min.js"></script>
<script src="assets/js/browser.min.js"></script>
<script src="assets/js/breakpoints.min.js"></script>
<script src="assets/js/util.js"></script>
<script src="assets/js/main.js"></script>
</body>
</html>
```

@@ -0,0 +1,70 @@
```bash
gobuster dir -u http://admirer.htb:80/ -t 200 -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -x "php,html,txt" -z -o "/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_gobuster_common.txt"
```
[/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_gobuster_common.txt](file:///home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_gobuster_common.txt):
```
http://admirer.htb:80/assets (Status: 301) [Size: 311] [--> http://admirer.htb/assets/]
http://admirer.htb:80/.htpasswd.txt (Status: 403) [Size: 276]
http://admirer.htb:80/.htaccess.txt (Status: 403) [Size: 276]
http://admirer.htb:80/.htaccess.html (Status: 403) [Size: 276]
http://admirer.htb:80/.hta (Status: 403) [Size: 276]
http://admirer.htb:80/images (Status: 301) [Size: 311] [--> http://admirer.htb/images/]
http://admirer.htb:80/index.php (Status: 200) [Size: 6051]
http://admirer.htb:80/index.php (Status: 200) [Size: 6051]
http://admirer.htb:80/.hta.txt (Status: 403) [Size: 276]
http://admirer.htb:80/.htpasswd.php (Status: 403) [Size: 276]
http://admirer.htb:80/.htaccess.php (Status: 403) [Size: 276]
http://admirer.htb:80/.hta.php (Status: 403) [Size: 276]
http://admirer.htb:80/robots.txt (Status: 200) [Size: 138]
http://admirer.htb:80/robots.txt (Status: 200) [Size: 138]
http://admirer.htb:80/server-status (Status: 403) [Size: 276]
http://admirer.htb:80/.htpasswd.html (Status: 403) [Size: 276]
http://admirer.htb:80/.hta.html (Status: 403) [Size: 276]
http://admirer.htb:80/.htaccess (Status: 403) [Size: 276]
http://admirer.htb:80/.htpasswd (Status: 403) [Size: 276]
```
```bash
gobuster dir -u http://admirer.htb:80/ -t 200 -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -x "php,html,txt" -z -o "/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_gobuster_big.txt"
```
[/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_gobuster_big.txt](file:///home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_gobuster_big.txt):
```
http://admirer.htb:80/.htaccess (Status: 403) [Size: 276]
http://admirer.htb:80/.htaccess.html (Status: 403) [Size: 276]
http://admirer.htb:80/.htaccess.php (Status: 403) [Size: 276]
http://admirer.htb:80/.htaccess.txt (Status: 403) [Size: 276]
http://admirer.htb:80/.htpasswd (Status: 403) [Size: 276]
http://admirer.htb:80/.htpasswd.php (Status: 403) [Size: 276]
http://admirer.htb:80/.htpasswd.html (Status: 403) [Size: 276]
http://admirer.htb:80/.htpasswd.txt (Status: 403) [Size: 276]
http://admirer.htb:80/assets (Status: 301) [Size: 311] [--> http://admirer.htb/assets/]
http://admirer.htb:80/images (Status: 301) [Size: 311] [--> http://admirer.htb/images/]
http://admirer.htb:80/index.php (Status: 200) [Size: 6051]
http://admirer.htb:80/robots.txt (Status: 200) [Size: 138]
http://admirer.htb:80/robots.txt (Status: 200) [Size: 138]
http://admirer.htb:80/server-status (Status: 403) [Size: 276]
```
```bash
gobuster dir -u http://admirer.htb:80/ -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -x "php,html,txt" -z -o "/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_gobuster_directory-list-2.3-medium.txt"
```
[/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_gobuster_directory-list-2.3-medium.txt](file:///home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_gobuster_directory-list-2.3-medium.txt):
```
http://admirer.htb:80/.html (Status: 403) [Size: 276]
http://admirer.htb:80/.php (Status: 403) [Size: 276]
http://admirer.htb:80/images (Status: 301) [Size: 311] [--> http://admirer.htb/images/]
http://admirer.htb:80/index.php (Status: 200) [Size: 6051]
http://admirer.htb:80/assets (Status: 301) [Size: 311] [--> http://admirer.htb/assets/]
http://admirer.htb:80/robots.txt (Status: 200) [Size: 138]
http://admirer.htb:80/.php (Status: 403) [Size: 276]
http://admirer.htb:80/.html (Status: 403) [Size: 276]
http://admirer.htb:80/server-status (Status: 403) [Size: 276]
http://admirer.htb:80/admin-dir (Status: 301) [Size: 314] [--> http://admirer.htb/admin-dir/]
```
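Review bot: the `.htaccess` / `.htpasswd` / `.hta` 403s are Apache's default deny rule for `.ht*` files, and the bare `/.php` and `/.html` 403s are dotfile requests the server refuses, so none of them is a finding; blacklisting 403 with gobuster's `-b` option would keep these lists readable. The duplicate `index.php` and `robots.txt` hits come from `-x php,html,txt` appending extensions to words the wordlist already contains in full. The only new item across the three runs is `/admin-dir` (301) from the directory-list-2.3-medium run, which matches the robots.txt Disallow entry. `-k` is a TLS option and does nothing on a plain-http target.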

@@ -0,0 +1,3 @@
```bash
curl -sSikf http://admirer.htb:80/.well-known/security.txt
```

@@ -0,0 +1,189 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/htb/admirer/results/scans/tcp80/xml/tcp_80_http_nmap.xml" admirer.htb
```
[/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_nmap.txt](file:///home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_nmap.txt):
```
# Nmap 7.93 scan initiated Fri Jan 20 19:50:13 2023 as: nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_nmap.txt -oX /home/simon/htb/admirer/results/scans/tcp80/xml/tcp_80_http_nmap.xml admirer.htb
Nmap scan report for admirer.htb (10.129.228.103)
Host is up, received user-set (0.056s latency).
Scanned at 2023-01-20 19:50:17 UTC for 50s
Bug in http-security-headers: no string output.
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Apache httpd 2.4.25 ((Debian))
|_http-referer-checker: Couldn't find any cross-domain scripts.
| http-enum:
|_ /robots.txt: Robots file
| http-php-version: Logo query returned unknown hash 123371a226c5565255e93ac3b0dc0f5a
|_Credits query returned unknown hash 123371a226c5565255e93ac3b0dc0f5a
|_http-feed: Couldn't find any feeds.
| http-useragent-tester:
| Status for browser useragent: 200
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-chrono: Request times for /; avg: 1187.20ms; min: 279.25ms; max: 1851.02ms
|_http-malware-host: Host appears to be clean
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=admirer.htb
|
| Path: http://admirer.htb:80/
| Line number: 20
| Comment:
| <!-- Header -->
|
| Path: http://admirer.htb:80/
| Line number: 120
| Comment:
| <!-- Still under development... This does not send anything yet, but it looks nice! -->
|
| Path: http://admirer.htb:80/assets/js/util.js
| Line number: 521
| Comment:
|
|
|
|
| */
|
| Path: http://admirer.htb:80/
| Line number: 94
| Comment:
| <!-- Footer -->
|
| Path: http://admirer.htb:80/
| Line number: 30
| Comment:
| <!-- Main -->
|
| Path: http://admirer.htb:80/
| Line number: 144
| Comment:
| <!-- Scripts -->
|
| Path: http://admirer.htb:80/assets/js/util.js
| Line number: 299
| Comment:
|
|
|
| */
|
| Path: http://admirer.htb:80/assets/js/util.js
| Line number: 37
| Comment:
|
|
|
|
| */
|
| Path: http://admirer.htb:80/
| Line number: 2
| Comment:
| <!--
| Multiverse by HTML5 UP
| html5up.net | @ajlkn
| Free for personal and commercial use under the CCA 3.0 license (html5up.net/license)
| -->
|
| Path: http://admirer.htb:80/
| Line number: 17
| Comment:
| <!-- Wrapper -->
|
| Path: http://admirer.htb:80/assets/js/util.js
| Line number: 3
| Comment:
|
|
|
| */
|
| Path: http://admirer.htb:80/assets/js/browser.min.js
| Line number: 1
| Comment:
|_ /* browser.js v1.0 | @ajlkn | MIT licensed */
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-title: Admirer
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-vhosts:
| forum.htb
|_127 names had status 200
|_http-exif-spider: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=admirer.htb
| Found the following possible CSRF vulnerabilities:
|
| Path: http://admirer.htb:80/
| Form id: name
|_ Form action: #
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
|_http-server-header: Apache/2.4.25 (Debian)
|_http-mobileversion-checker: No mobile version detected.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
| http-errors:
| Spidering limited to: maxpagecount=40; withinhost=admirer.htb
| Found the following error pages:
|
| Error Code: 404
|_ http://admirer.htb:80/index.html
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
| http-sitemap-generator:
| Directory structure:
| /
| Other: 1
| /assets/css/
| css: 1
| /assets/js/
| js: 2
| /images/fulls/
| jpg: 8
| /images/thumbs/
| jpg: 8
| Longest directory structure:
| Depth: 2
| Dir: /images/fulls/
| Total files found (by extension):
|_ Other: 1; css: 1; jpg: 16; js: 2
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
| http-robots.txt: 1 disallowed entry
|_/admin-dir
|_http-date: Fri, 20 Jan 2023 19:50:27 GMT; +1s from local time.
| http-headers:
| Date: Fri, 20 Jan 2023 19:50:27 GMT
| Server: Apache/2.4.25 (Debian)
| Connection: close
| Content-Type: text/html; charset=UTF-8
|
|_ (Request type: HEAD)
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 20 19:51:07 2023 -- 1 IP address (1 host up) scanned in 54.64 seconds
```
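Review bot: the `http-vhosts` result (`forum.htb`, `127 names had status 200`) is a false positive: the server returns 200 with the same page for any Host header, which is why 127 guessed names all "matched", and `http-csrf` flags the contact form whose own HTML comment says it does not send anything (`Form action: #`). Neither should be carried into the findings. The `Bug in http-security-headers: no string output.` line and the three `Script execution failed` errors mean those checks produced nothing, so security headers need to be checked separately; the `http-headers` block for the HEAD request shows only `Date`, `Server`, `Connection` and `Content-Type`, with no X-Frame-Options or Content-Security-Policy. `http-php-version` returning an unknown hash only means the easter-egg query did not match a known PHP build; it says nothing either way about the PHP version.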

@@ -0,0 +1,11 @@
```bash
curl -sk -o /dev/null -H "Host: xnciztvwFSMdYfigwUAw.admirer.htb" http://admirer.htb:80/ -w "%{size_download}"
``````bash
ffuf -u http://admirer.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.admirer.htb" -fs 6051 -noninteractive -s | tee "/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_admirer.htb_vhosts_subdomains-top1million-110000.txt"
```
[/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_admirer.htb_vhosts_subdomains-top1million-110000.txt](file:///home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_admirer.htb_vhosts_subdomains-top1million-110000.txt):
```
```
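Review bot: the third line of this file concatenates the closing fence of the curl block and the opening fence of the ffuf block into a single line (six backticks followed by bash), which breaks markdown rendering of everything after it; the two fences need to be on separate lines. On substance, the curl probe with the random `xnciztvwFSMdYfigwUAw.admirer.htb` Host header establishes the baseline response size that the ffuf `-fs 6051` filter then hides, and the empty result file means no candidate subdomain produced a differently sized page, so no virtual host was found this way. That conclusion should be stated in the notes instead of being left as an empty code block.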

@@ -0,0 +1,64 @@
```bash
whatweb --color=never --no-errors -a 3 -v http://admirer.htb:80 2>&1
```
[/home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_whatweb.txt](file:///home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_whatweb.txt):
```
WhatWeb report for http://admirer.htb:80
Status : 200 OK
Title : Admirer
IP : 10.129.228.103
Country : RESERVED, ZZ
Summary : Apache[2.4.25], HTML5, HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], JQuery, Script
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.25 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Debian Linux
String : Apache/2.4.25 (Debian) (from server string)
[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.
Website : http://jquery.com/
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
HTTP Headers:
HTTP/1.1 200 OK
Date: Fri, 20 Jan 2023 19:50:32 GMT
Server: Apache/2.4.25 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1914
Connection: close
Content-Type: text/html; charset=UTF-8
```

@@ -0,0 +1,3 @@
```bash
wkhtmltoimage --format png http://admirer.htb:80/ /home/simon/htb/admirer/results/scans/tcp80/tcp_80_http_screenshot.png
```