simon/CTF
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

init htb

Browse Source 
old htb folders
This commit is contained in:
Simon
2023-08-29 21:53:22 +02:00
parent 62ab804867
commit 82b0759f1e
21891 changed files with 6277643 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
HTB/bagel/results/bagel.htb/report/local.txt Normal file
View File

12
HTB/bagel/results/bagel.htb/report/notes.txt Normal file
View File

@@ -0,0 +1,12 @@
[*] ssh found on tcp/22.
[*] upnp found on tcp/5000.
[*] http-alt found on tcp/8000.

0
HTB/bagel/results/bagel.htb/report/proof.txt Normal file
View File

37
HTB/bagel/results/bagel.htb/report/report.md/bagel.htb/Commands.md Normal file
View File

@@ -0,0 +1,37 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/htb/bagel/results/bagel.htb/scans/_quick_tcp_nmap.txt" -oX "/home/simon/htb/bagel/results/bagel.htb/scans/xml/_quick_tcp_nmap.xml" bagel.htb
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/htb/bagel/results/bagel.htb/scans/_full_tcp_nmap.txt" -oX "/home/simon/htb/bagel/results/bagel.htb/scans/xml/_full_tcp_nmap.xml" bagel.htb
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/htb/bagel/results/bagel.htb/scans/_quick_tcp_nmap.txt" -oX "/home/simon/htb/bagel/results/bagel.htb/scans/xml/_quick_tcp_nmap.xml" bagel.htb
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/htb/bagel/results/bagel.htb/scans/_full_tcp_nmap.txt" -oX "/home/simon/htb/bagel/results/bagel.htb/scans/xml/_full_tcp_nmap.xml" bagel.htb
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/htb/bagel/results/bagel.htb/scans/_quick_tcp_nmap.txt" -oX "/home/simon/htb/bagel/results/bagel.htb/scans/xml/_quick_tcp_nmap.xml" bagel.htb
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/htb/bagel/results/bagel.htb/scans/_full_tcp_nmap.txt" -oX "/home/simon/htb/bagel/results/bagel.htb/scans/xml/_full_tcp_nmap.xml" bagel.htb
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/htb/bagel/results/bagel.htb/scans/_top_100_udp_nmap.txt" -oX "/home/simon/htb/bagel/results/bagel.htb/scans/xml/_top_100_udp_nmap.xml" bagel.htb
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/simon/htb/bagel/results/bagel.htb/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/simon/htb/bagel/results/bagel.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml" bagel.htb
feroxbuster -u http://bagel.htb:8000/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_feroxbuster_dirbuster.txt"
curl -sSikf http://bagel.htb:8000/.well-known/security.txt
curl -sSikf http://bagel.htb:8000/robots.txt
curl -sSik http://bagel.htb:8000/
nmap -vv --reason -Pn -T4 -sV -p 8000 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_nmap.txt" -oX "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/xml/tcp_8000_http_nmap.xml" bagel.htb
curl -sk -o /dev/null -H "Host: uwiZBgyJsYtrBuccAqTH.bagel.htb" http://bagel.htb:8000/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://bagel.htb:8000 2>&1
wkhtmltoimage --format png http://bagel.htb:8000/ /home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_screenshot.png
ffuf -u http://bagel.htb:8000/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.bagel.htb" -fs 263 -noninteractive -s | tee "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_bagel.htb_vhosts_subdomains-top1million-110000.txt"
```

41
HTB/bagel/results/bagel.htb/report/report.md/bagel.htb/Errors.md Normal file
View File

@@ -0,0 +1,41 @@
```
[*] Service scan wkhtmltoimage (tcp/8000/http-alt/wkhtmltoimage) ran a command which returned a non-zero exit code (1).
[-] Command: wkhtmltoimage --format png http://bagel.htb:8000/ /home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_screenshot.png
[-] Error Output:
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
Loading page (1/2)
[> ] 0%
[============================> ] 47%
[============================> ] 47%
[============================> ] 48%
[============================> ] 48%
libva info: VA-API version 1.17.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_17
libva error: /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so init failed
libva info: va_openDriver() returns 1
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/i965_drv_video.so
libva info: Found init function __vaDriverInit_1_8
libva info: va_openDriver() returns 0
[==============================> ] 50%
Warning: Failed to load http://bagel.htb:8000/static/images/broken_noise.png (ignore)
[============================================> ] 74%
Warning: Failed to load http://bagel.htb:8000/static/images/loader.gif (ignore)
[================================================> ] 80%
[==================================================> ] 84%
[====================================================> ] 88%
Error: Failed to load http://bagel.htb:8000/static/css/fonts/icomoon.ttf?1oniuf, with network status code 203 and http status code 404 - Error transferring http://bagel.htb:8000/static/css/fonts/icomoon.ttf?1oniuf - server replied: NOT FOUND
Error: Failed to load http://bagel.htb:8000/static/css/fonts/icomoon.woff?1oniuf, with network status code 203 and http status code 404 - Error transferring http://bagel.htb:8000/static/css/fonts/icomoon.woff?1oniuf - server replied: NOT FOUND
[======================================================> ] 90%
Error: Failed to load http://bagel.htb:8000/static/css/fonts/icomoon.svg?1oniuf#icomoon, with network status code 203 and http status code 404 - Error transferring http://bagel.htb:8000/static/css/fonts/icomoon.svg?1oniuf#icomoon - server replied: NOT FOUND
[============================================================] 100%
Rendering (2/2)
[> ] 0%
[===============> ] 25%
[============================================================] 100%
Done
Exit with code 1 due to network error: ContentNotFoundError
```

35
HTB/bagel/results/bagel.htb/report/report.md/bagel.htb/Manual Commands.md Normal file
View File

@@ -0,0 +1,35 @@
```bash
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/simon/htb/bagel/results/bagel.htb/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://bagel.htb
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/simon/htb/bagel/results/bagel.htb/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h bagel.htb
[*] http-alt on tcp/8000
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://bagel.htb:8000 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 8000 -o "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_auth_hydra.txt" http-get://bagel.htb/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 8000 -O "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_auth_medusa.txt" -M http -h bagel.htb -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 8000 -o "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_form_hydra.txt" http-post-form://bagel.htb/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 8000 -O "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_form_medusa.txt" -M web-form -h bagel.htb -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://bagel.htb:8000 2>&1 | tee "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://bagel.htb:8000/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_wpscan.txt"
```

6
HTB/bagel/results/bagel.htb/report/report.md/bagel.htb/Patterns.md Normal file
View File

@@ -0,0 +1,6 @@
Identified HTTP Server: Werkzeug/2.2.2 Python/3.10.9
Identified HTTP Server: Werkzeug/2.2.2 Python/3.10.9
Identified HTTP Server: Werkzeug/2.2.2 Python/3.10.9

229
HTB/bagel/results/bagel.htb/report/report.md/bagel.htb/Port Scans/PortScan - All TCP Ports.md Normal file
View File

@@ -0,0 +1,229 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/htb/bagel/results/bagel.htb/scans/_full_tcp_nmap.txt" -oX "/home/simon/htb/bagel/results/bagel.htb/scans/xml/_full_tcp_nmap.xml" bagel.htb
```
[/home/simon/htb/bagel/results/bagel.htb/scans/_full_tcp_nmap.txt](file:///home/simon/htb/bagel/results/bagel.htb/scans/_full_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Sun Feb 19 22:35:24 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/simon/htb/bagel/results/bagel.htb/scans/_full_tcp_nmap.txt -oX /home/simon/htb/bagel/results/bagel.htb/scans/xml/_full_tcp_nmap.xml bagel.htb
Increasing send delay for 10.129.132.58 from 0 to 5 due to 584 out of 1459 dropped probes since last increase.
Increasing send delay for 10.129.132.58 from 5 to 10 due to 11 out of 21 dropped probes since last increase.
adjust_timeouts2: packet supposedly had rtt of -138516 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -138516 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -107250 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -107250 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -132207 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -132207 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -130059 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -130059 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -138986 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -138986 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -138941 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -138941 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -154613 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -154613 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -206524 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -206524 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -467997 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -467997 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -482893 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -482893 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -426312 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -426312 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -451382 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -451382 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -121961 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -121961 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -1082462 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -1082462 microseconds. Ignoring time.
Nmap scan report for bagel.htb (10.129.132.58)
Host is up, received user-set (0.12s latency).
Scanned at 2023-02-19 22:35:25 CET for 1000s
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.8 (protocol 2.0)
| ssh-hostkey:
| 256 6e4e1341f2fed9e0f7275bededcc68c2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEwHzrBpcTXWKbxBWhc6yfWMiWfWjPmUJv2QqB/c2tJDuGt/97OvgzC+Zs31X/IW2WM6P0rtrKemiz3C5mUE67k=
| 256 80a7cd10e72fdb958b869b1b20652a98 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINnQ9frzL5hKjBf6oUklfUhQCMFuM0EtdYJOIxUiDuFl
5000/tcp open upnp? syn-ack ttl 63
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 400 Bad Request
| Server: Microsoft-NetCore/2.0
| Date: Sun, 19 Feb 2023 21:47:15 GMT
| Connection: close
| HTTPOptions:
| HTTP/1.1 400 Bad Request
| Server: Microsoft-NetCore/2.0
| Date: Sun, 19 Feb 2023 21:47:31 GMT
| Connection: close
| Hello:
| HTTP/1.1 400 Bad Request
| Content-Type: text/html
| Server: Microsoft-NetCore/2.0
| Date: Sun, 19 Feb 2023 21:47:41 GMT
| Content-Length: 52
| Connection: close
| Keep-Alive: true
| <h1>Bad Request (Invalid request line (parts).)</h1>
| Help, SSLSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/html
| Server: Microsoft-NetCore/2.0
| Date: Sun, 19 Feb 2023 21:47:42 GMT
| Content-Length: 52
| Connection: close
| Keep-Alive: true
| <h1>Bad Request (Invalid request line (parts).)</h1>
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/html
| Server: Microsoft-NetCore/2.0
| Date: Sun, 19 Feb 2023 21:47:15 GMT
| Content-Length: 54
| Connection: close
| Keep-Alive: true
|_ <h1>Bad Request (Invalid request line (version).)</h1>
8000/tcp open http-alt syn-ack ttl 63 Werkzeug/2.2.2 Python/3.10.9
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 NOT FOUND
| Server: Werkzeug/2.2.2 Python/3.10.9
| Date: Sun, 19 Feb 2023 21:47:16 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 207
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.1 302 FOUND
| Server: Werkzeug/2.2.2 Python/3.10.9
| Date: Sun, 19 Feb 2023 21:47:10 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 263
| Location: http://bagel.htb:8000/?page=index.html
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>Redirecting...</title>
| <h1>Redirecting...</h1>
| <p>You should be redirected automatically to the target URL: <a href="http://bagel.htb:8000/?page=index.html">http://bagel.htb:8000/?page=index.html</a>. If not, click the link.
| Socks5:
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request syntax ('
| ').</p>
| <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET
| http-title: Bagel &mdash; Free Website Template, Free HTML5 Template by fr...
|_Requested resource was http://bagel.htb:8000/?page=index.html
|_http-server-header: Werkzeug/2.2.2 Python/3.10.9
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5000-TCP:V=7.93%I=9%D=2/19%Time=63F298E6%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,73,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nServer:\x20Microsoft
SF:-NetCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:47:15\x20GMT\
SF:r\nConnection:\x20close\r\n\r\n")%r(RTSPRequest,E8,"HTTP/1\.1\x20400\x2
SF:0Bad\x20Request\r\nContent-Type:\x20text/html\r\nServer:\x20Microsoft-N
SF:etCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:47:15\x20GMT\r\
SF:nContent-Length:\x2054\r\nConnection:\x20close\r\nKeep-Alive:\x20true\r
SF:\n\r\n<h1>Bad\x20Request\x20\(Invalid\x20request\x20line\x20\(version\)
SF:\.\)</h1>")%r(HTTPOptions,73,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nSer
SF:ver:\x20Microsoft-NetCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2
SF:021:47:31\x20GMT\r\nConnection:\x20close\r\n\r\n")%r(Hello,E6,"HTTP/1\.
SF:1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/html\r\nServer:\x20
SF:Microsoft-NetCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:47:4
SF:1\x20GMT\r\nContent-Length:\x2052\r\nConnection:\x20close\r\nKeep-Alive
SF::\x20true\r\n\r\n<h1>Bad\x20Request\x20\(Invalid\x20request\x20line\x20
SF:\(parts\)\.\)</h1>")%r(Help,E6,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nC
SF:ontent-Type:\x20text/html\r\nServer:\x20Microsoft-NetCore/2\.0\r\nDate:
SF:\x20Sun,\x2019\x20Feb\x202023\x2021:47:42\x20GMT\r\nContent-Length:\x20
SF:52\r\nConnection:\x20close\r\nKeep-Alive:\x20true\r\n\r\n<h1>Bad\x20Req
SF:uest\x20\(Invalid\x20request\x20line\x20\(parts\)\.\)</h1>")%r(SSLSessi
SF:onReq,E6,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/h
SF:tml\r\nServer:\x20Microsoft-NetCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\
SF:x202023\x2021:47:42\x20GMT\r\nContent-Length:\x2052\r\nConnection:\x20c
SF:lose\r\nKeep-Alive:\x20true\r\n\r\n<h1>Bad\x20Request\x20\(Invalid\x20r
SF:equest\x20line\x20\(parts\)\.\)</h1>")%r(TerminalServerCookie,E6,"HTTP/
SF:1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/html\r\nServer:\
SF:x20Microsoft-NetCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:4
SF:7:42\x20GMT\r\nContent-Length:\x2052\r\nConnection:\x20close\r\nKeep-Al
SF:ive:\x20true\r\n\r\n<h1>Bad\x20Request\x20\(Invalid\x20request\x20line\
SF:x20\(parts\)\.\)</h1>");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8000-TCP:V=7.93%I=9%D=2/19%Time=63F298E1%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,1EA,"HTTP/1\.1\x20302\x20FOUND\r\nServer:\x20Werkzeug/2\.2\.2\
SF:x20Python/3\.10\.9\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:47:10\x2
SF:0GMT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:
SF:\x20263\r\nLocation:\x20http://bagel\.htb:8000/\?page=index\.html\r\nCo
SF:nnection:\x20close\r\n\r\n<!doctype\x20html>\n<html\x20lang=en>\n<title
SF:>Redirecting\.\.\.</title>\n<h1>Redirecting\.\.\.</h1>\n<p>You\x20shoul
SF:d\x20be\x20redirected\x20automatically\x20to\x20the\x20target\x20URL:\x
SF:20<a\x20href=\"http://bagel\.htb:8000/\?page=index\.html\">http://bagel
SF:\.htb:8000/\?page=index\.html</a>\.\x20If\x20not,\x20click\x20the\x20li
SF:nk\.\n")%r(FourOhFourRequest,184,"HTTP/1\.1\x20404\x20NOT\x20FOUND\r\nS
SF:erver:\x20Werkzeug/2\.2\.2\x20Python/3\.10\.9\r\nDate:\x20Sun,\x2019\x2
SF:0Feb\x202023\x2021:47:16\x20GMT\r\nContent-Type:\x20text/html;\x20chars
SF:et=utf-8\r\nContent-Length:\x20207\r\nConnection:\x20close\r\n\r\n<!doc
SF:type\x20html>\n<html\x20lang=en>\n<title>404\x20Not\x20Found</title>\n<
SF:h1>Not\x20Found</h1>\n<p>The\x20requested\x20URL\x20was\x20not\x20found
SF:\x20on\x20the\x20server\.\x20If\x20you\x20entered\x20the\x20URL\x20manu
SF:ally\x20please\x20check\x20your\x20spelling\x20and\x20try\x20again\.</p
SF:>\n")%r(Socks5,213,"<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTM
SF:L\x204\.01//EN\"\n\x20\x20\x20\x20\x20\x20\x20\x20\"http://www\.w3\.org
SF:/TR/html4/strict\.dtd\">\n<html>\n\x20\x20\x20\x20<head>\n\x20\x20\x20\
SF:x20\x20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20content=\"te
SF:xt/html;charset=utf-8\">\n\x20\x20\x20\x20\x20\x20\x20\x20<title>Error\
SF:x20response</title>\n\x20\x20\x20\x20</head>\n\x20\x20\x20\x20<body>\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20<h1>Error\x20response</h1>\n\x20\x20\x20
SF:\x20\x20\x20\x20\x20<p>Error\x20code:\x20400</p>\n\x20\x20\x20\x20\x20\
SF:x20\x20\x20<p>Message:\x20Bad\x20request\x20syntax\x20\('\\x05\\x04\\x0
SF:0\\x01\\x02\\x80\\x05\\x01\\x00\\x03'\)\.</p>\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20<p>Error\x20code\x20explanation:\x20HTTPStatus\.BAD_REQUEST\x20
SF:-\x20Bad\x20request\x20syntax\x20or\x20unsupported\x20method\.</p>\n\x2
SF:0\x20\x20\x20</body>\n</html>\n");
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=2/19%OT=22%CT=1%CU=41239%PV=Y%DS=2%DC=T%G=Y%TM=63F29A0
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)SEQ
OS:(SP=105%GCD=1%ISR=10C%TI=Z%CI=Z%TS=A)OPS(O1=M54EST11NW7%O2=M54EST11NW7%O
OS:3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%O6=M54EST11)WIN(W1=FE88%W2=
OS:FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54ENNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 23.826 days (since Fri Jan 27 03:01:58 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE (using port 587/tcp)
HOP RTT ADDRESS
1 115.15 ms 10.10.16.1
2 115.37 ms bagel.htb (10.129.132.58)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 19 22:52:05 2023 -- 1 IP address (1 host up) scanned in 1001.59 seconds
```

51
HTB/bagel/results/bagel.htb/report/report.md/bagel.htb/Port Scans/PortScan - Top 100 UDP Ports.md Normal file
View File

@@ -0,0 +1,51 @@
```bash
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/htb/bagel/results/bagel.htb/scans/_top_100_udp_nmap.txt" -oX "/home/simon/htb/bagel/results/bagel.htb/scans/xml/_top_100_udp_nmap.xml" bagel.htb
```
[/home/simon/htb/bagel/results/bagel.htb/scans/_top_100_udp_nmap.txt](file:///home/simon/htb/bagel/results/bagel.htb/scans/_top_100_udp_nmap.txt):
```
# Nmap 7.93 scan initiated Sun Feb 19 22:35:24 2023 as: nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN /home/simon/htb/bagel/results/bagel.htb/scans/_top_100_udp_nmap.txt -oX /home/simon/htb/bagel/results/bagel.htb/scans/xml/_top_100_udp_nmap.xml bagel.htb
Warning: 10.129.132.58 giving up on port because retransmission cap hit (6).
Increasing send delay for 10.129.132.58 from 100 to 200 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.129.132.58 from 200 to 400 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.129.132.58 from 400 to 800 due to 11 out of 11 dropped probes since last increase.
Nmap scan report for bagel.htb (10.129.132.58)
Host is up, received user-set (0.20s latency).
Scanned at 2023-02-19 22:35:25 CET for 195s
Not shown: 88 closed udp ports (port-unreach)
PORT STATE SERVICE REASON VERSION
53/udp open|filtered domain no-response
111/udp open|filtered rpcbind no-response
137/udp open|filtered netbios-ns no-response
1027/udp open|filtered unknown no-response
1433/udp open|filtered ms-sql-s no-response
1645/udp open|filtered radius no-response
1900/udp open|filtered upnp no-response
4500/udp open|filtered nat-t-ike no-response
32815/udp open|filtered unknown no-response
33281/udp open|filtered unknown no-response
49152/udp open|filtered unknown no-response
49185/udp open|filtered unknown no-response
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=2/19%OT=%CT=%CU=7%PV=Y%DS=2%DC=T%G=N%TM=63F296E0%P=x86_64-pc-linux-gnu)
SEQ(CI=Z%II=I)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
TRACEROUTE (using port 32769/udp)
HOP RTT ADDRESS
1 130.31 ms 10.10.16.1
2 130.44 ms bagel.htb (10.129.132.58)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 19 22:38:40 2023 -- 1 IP address (1 host up) scanned in 196.66 seconds
```

199
HTB/bagel/results/bagel.htb/report/report.md/bagel.htb/Port Scans/PortScan - Top TCP Ports.md Normal file
View File

@@ -0,0 +1,199 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/htb/bagel/results/bagel.htb/scans/_quick_tcp_nmap.txt" -oX "/home/simon/htb/bagel/results/bagel.htb/scans/xml/_quick_tcp_nmap.xml" bagel.htb
```
[/home/simon/htb/bagel/results/bagel.htb/scans/_quick_tcp_nmap.txt](file:///home/simon/htb/bagel/results/bagel.htb/scans/_quick_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Sun Feb 19 22:35:24 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/simon/htb/bagel/results/bagel.htb/scans/_quick_tcp_nmap.txt -oX /home/simon/htb/bagel/results/bagel.htb/scans/xml/_quick_tcp_nmap.xml bagel.htb
Nmap scan report for bagel.htb (10.129.132.58)
Host is up, received user-set (0.19s latency).
Scanned at 2023-02-19 22:35:24 CET for 323s
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.8 (protocol 2.0)
| ssh-hostkey:
| 256 6e4e1341f2fed9e0f7275bededcc68c2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEwHzrBpcTXWKbxBWhc6yfWMiWfWjPmUJv2QqB/c2tJDuGt/97OvgzC+Zs31X/IW2WM6P0rtrKemiz3C5mUE67k=
| 256 80a7cd10e72fdb958b869b1b20652a98 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINnQ9frzL5hKjBf6oUklfUhQCMFuM0EtdYJOIxUiDuFl
5000/tcp open upnp? syn-ack ttl 63
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 400 Bad Request
| Server: Microsoft-NetCore/2.0
| Date: Sun, 19 Feb 2023 21:35:36 GMT
| Connection: close
| HTTPOptions:
| HTTP/1.1 400 Bad Request
| Server: Microsoft-NetCore/2.0
| Date: Sun, 19 Feb 2023 21:35:53 GMT
| Connection: close
| Hello, Help:
| HTTP/1.1 400 Bad Request
| Content-Type: text/html
| Server: Microsoft-NetCore/2.0
| Date: Sun, 19 Feb 2023 21:36:04 GMT
| Content-Length: 52
| Connection: close
| Keep-Alive: true
| <h1>Bad Request (Invalid request line (parts).)</h1>
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/html
| Server: Microsoft-NetCore/2.0
| Date: Sun, 19 Feb 2023 21:35:37 GMT
| Content-Length: 54
| Connection: close
| Keep-Alive: true
| <h1>Bad Request (Invalid request line (version).)</h1>
| SSLSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/html
| Server: Microsoft-NetCore/2.0
| Date: Sun, 19 Feb 2023 21:36:05 GMT
| Content-Length: 52
| Connection: close
| Keep-Alive: true
|_ <h1>Bad Request (Invalid request line (parts).)</h1>
8000/tcp open http-alt syn-ack ttl 63 Werkzeug/2.2.2 Python/3.10.9
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 NOT FOUND
| Server: Werkzeug/2.2.2 Python/3.10.9
| Date: Sun, 19 Feb 2023 21:35:37 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 207
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.1 302 FOUND
| Server: Werkzeug/2.2.2 Python/3.10.9
| Date: Sun, 19 Feb 2023 21:35:31 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 263
| Location: http://bagel.htb:8000/?page=index.html
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>Redirecting...</title>
| <h1>Redirecting...</h1>
| <p>You should be redirected automatically to the target URL: <a href="http://bagel.htb:8000/?page=index.html">http://bagel.htb:8000/?page=index.html</a>. If not, click the link.
| Socks5:
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request syntax ('
| ').</p>
| <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET
|_http-server-header: Werkzeug/2.2.2 Python/3.10.9
| http-title: Bagel &mdash; Free Website Template, Free HTML5 Template by fr...
|_Requested resource was http://bagel.htb:8000/?page=index.html
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5000-TCP:V=7.93%I=9%D=2/19%Time=63F2962B%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,73,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nServer:\x20Microsoft
SF:-NetCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:35:36\x20GMT\
SF:r\nConnection:\x20close\r\n\r\n")%r(RTSPRequest,E8,"HTTP/1\.1\x20400\x2
SF:0Bad\x20Request\r\nContent-Type:\x20text/html\r\nServer:\x20Microsoft-N
SF:etCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:35:37\x20GMT\r\
SF:nContent-Length:\x2054\r\nConnection:\x20close\r\nKeep-Alive:\x20true\r
SF:\n\r\n<h1>Bad\x20Request\x20\(Invalid\x20request\x20line\x20\(version\)
SF:\.\)</h1>")%r(HTTPOptions,73,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nSer
SF:ver:\x20Microsoft-NetCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2
SF:021:35:53\x20GMT\r\nConnection:\x20close\r\n\r\n")%r(Hello,E6,"HTTP/1\.
SF:1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/html\r\nServer:\x20
SF:Microsoft-NetCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:36:0
SF:4\x20GMT\r\nContent-Length:\x2052\r\nConnection:\x20close\r\nKeep-Alive
SF::\x20true\r\n\r\n<h1>Bad\x20Request\x20\(Invalid\x20request\x20line\x20
SF:\(parts\)\.\)</h1>")%r(Help,E6,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nC
SF:ontent-Type:\x20text/html\r\nServer:\x20Microsoft-NetCore/2\.0\r\nDate:
SF:\x20Sun,\x2019\x20Feb\x202023\x2021:36:04\x20GMT\r\nContent-Length:\x20
SF:52\r\nConnection:\x20close\r\nKeep-Alive:\x20true\r\n\r\n<h1>Bad\x20Req
SF:uest\x20\(Invalid\x20request\x20line\x20\(parts\)\.\)</h1>")%r(SSLSessi
SF:onReq,E6,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/h
SF:tml\r\nServer:\x20Microsoft-NetCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\
SF:x202023\x2021:36:05\x20GMT\r\nContent-Length:\x2052\r\nConnection:\x20c
SF:lose\r\nKeep-Alive:\x20true\r\n\r\n<h1>Bad\x20Request\x20\(Invalid\x20r
SF:equest\x20line\x20\(parts\)\.\)</h1>")%r(TerminalServerCookie,E6,"HTTP/
SF:1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/html\r\nServer:\
SF:x20Microsoft-NetCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:3
SF:6:05\x20GMT\r\nContent-Length:\x2052\r\nConnection:\x20close\r\nKeep-Al
SF:ive:\x20true\r\n\r\n<h1>Bad\x20Request\x20\(Invalid\x20request\x20line\
SF:x20\(parts\)\.\)</h1>");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8000-TCP:V=7.93%I=9%D=2/19%Time=63F29626%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,1EA,"HTTP/1\.1\x20302\x20FOUND\r\nServer:\x20Werkzeug/2\.2\.2\
SF:x20Python/3\.10\.9\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:35:31\x2
SF:0GMT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:
SF:\x20263\r\nLocation:\x20http://bagel\.htb:8000/\?page=index\.html\r\nCo
SF:nnection:\x20close\r\n\r\n<!doctype\x20html>\n<html\x20lang=en>\n<title
SF:>Redirecting\.\.\.</title>\n<h1>Redirecting\.\.\.</h1>\n<p>You\x20shoul
SF:d\x20be\x20redirected\x20automatically\x20to\x20the\x20target\x20URL:\x
SF:20<a\x20href=\"http://bagel\.htb:8000/\?page=index\.html\">http://bagel
SF:\.htb:8000/\?page=index\.html</a>\.\x20If\x20not,\x20click\x20the\x20li
SF:nk\.\n")%r(FourOhFourRequest,184,"HTTP/1\.1\x20404\x20NOT\x20FOUND\r\nS
SF:erver:\x20Werkzeug/2\.2\.2\x20Python/3\.10\.9\r\nDate:\x20Sun,\x2019\x2
SF:0Feb\x202023\x2021:35:37\x20GMT\r\nContent-Type:\x20text/html;\x20chars
SF:et=utf-8\r\nContent-Length:\x20207\r\nConnection:\x20close\r\n\r\n<!doc
SF:type\x20html>\n<html\x20lang=en>\n<title>404\x20Not\x20Found</title>\n<
SF:h1>Not\x20Found</h1>\n<p>The\x20requested\x20URL\x20was\x20not\x20found
SF:\x20on\x20the\x20server\.\x20If\x20you\x20entered\x20the\x20URL\x20manu
SF:ally\x20please\x20check\x20your\x20spelling\x20and\x20try\x20again\.</p
SF:>\n")%r(Socks5,213,"<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTM
SF:L\x204\.01//EN\"\n\x20\x20\x20\x20\x20\x20\x20\x20\"http://www\.w3\.org
SF:/TR/html4/strict\.dtd\">\n<html>\n\x20\x20\x20\x20<head>\n\x20\x20\x20\
SF:x20\x20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20content=\"te
SF:xt/html;charset=utf-8\">\n\x20\x20\x20\x20\x20\x20\x20\x20<title>Error\
SF:x20response</title>\n\x20\x20\x20\x20</head>\n\x20\x20\x20\x20<body>\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20<h1>Error\x20response</h1>\n\x20\x20\x20
SF:\x20\x20\x20\x20\x20<p>Error\x20code:\x20400</p>\n\x20\x20\x20\x20\x20\
SF:x20\x20\x20<p>Message:\x20Bad\x20request\x20syntax\x20\('\\x05\\x04\\x0
SF:0\\x01\\x02\\x80\\x05\\x01\\x00\\x03'\)\.</p>\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20<p>Error\x20code\x20explanation:\x20HTTPStatus\.BAD_REQUEST\x20
SF:-\x20Bad\x20request\x20syntax\x20or\x20unsupported\x20method\.</p>\n\x2
SF:0\x20\x20\x20</body>\n</html>\n");
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 2.6.32 (94%), Linux 5.0 - 5.3 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (92%)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=2/19%OT=22%CT=1%CU=44394%PV=Y%DS=2%DC=T%G=Y%TM=63F2975
OS:F%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=105%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST1
OS:1NW7%O6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)
Uptime guess: 23.819 days (since Fri Jan 27 03:01:59 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE (using port 8080/tcp)
HOP RTT ADDRESS
1 214.27 ms 10.10.16.1
2 215.23 ms bagel.htb (10.129.132.58)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 19 22:40:47 2023 -- 1 IP address (1 host up) scanned in 323.76 seconds
```

65
HTB/bagel/results/bagel.htb/report/report.md/bagel.htb/Services/Service - tcp-22-ssh/Nmap SSH.md Normal file
View File

@@ -0,0 +1,65 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/simon/htb/bagel/results/bagel.htb/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/simon/htb/bagel/results/bagel.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml" bagel.htb
```
[/home/simon/htb/bagel/results/bagel.htb/scans/tcp22/tcp_22_ssh_nmap.txt](file:///home/simon/htb/bagel/results/bagel.htb/scans/tcp22/tcp_22_ssh_nmap.txt):
```
# Nmap 7.93 scan initiated Sun Feb 19 22:40:48 2023 as: nmap -vv --reason -Pn -T4 -sV -p 22 --script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/simon/htb/bagel/results/bagel.htb/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/simon/htb/bagel/results/bagel.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml bagel.htb
Nmap scan report for bagel.htb (10.129.132.58)
Host is up, received user-set (0.22s latency).
Scanned at 2023-02-19 22:40:48 CET for 5s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.8 (protocol 2.0)
| ssh2-enum-algos:
| kex_algorithms: (9)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group14-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| server_host_key_algorithms: (4)
| rsa-sha2-512
| rsa-sha2-256
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (5)
| aes256-gcm@openssh.com
| chacha20-poly1305@openssh.com
| aes256-ctr
| aes128-gcm@openssh.com
| aes128-ctr
| mac_algorithms: (8)
| hmac-sha2-256-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha2-256
| hmac-sha1
| umac-128@openssh.com
| hmac-sha2-512
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
| ssh-auth-methods:
| Supported authentication methods:
| publickey
| gssapi-keyex
|_ gssapi-with-mic
|_banner: SSH-2.0-OpenSSH_8.8
| ssh-hostkey:
| 256 6e4e1341f2fed9e0f7275bededcc68c2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEwHzrBpcTXWKbxBWhc6yfWMiWfWjPmUJv2QqB/c2tJDuGt/97OvgzC+Zs31X/IW2WM6P0rtrKemiz3C5mUE67k=
| 256 80a7cd10e72fdb958b869b1b20652a98 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINnQ9frzL5hKjBf6oUklfUhQCMFuM0EtdYJOIxUiDuFl
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 19 22:40:53 2023 -- 1 IP address (1 host up) scanned in 5.68 seconds
```

3
HTB/bagel/results/bagel.htb/report/report.md/bagel.htb/Services/Service - tcp-8000-http-alt/Curl Robots.md Normal file
View File

@@ -0,0 +1,3 @@
```bash
curl -sSikf http://bagel.htb:8000/robots.txt
```

23
HTB/bagel/results/bagel.htb/report/report.md/bagel.htb/Services/Service - tcp-8000-http-alt/Curl.md Normal file
View File

@@ -0,0 +1,23 @@
```bash
curl -sSik http://bagel.htb:8000/
```
[/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_curl.html](file:///home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_curl.html):
```
HTTP/1.1 302 FOUND
Server: Werkzeug/2.2.2 Python/3.10.9
Date: Sun, 19 Feb 2023 21:40:46 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 263
Location: http://bagel.htb:8000/?page=index.html
Connection: close
<!doctype html>
<html lang=en>
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to the target URL: <a href="http://bagel.htb:8000/?page=index.html">http://bagel.htb:8000/?page=index.html</a>. If not, click the link.
```

11
HTB/bagel/results/bagel.htb/report/report.md/bagel.htb/Services/Service - tcp-8000-http-alt/Directory Buster.md Normal file
View File

@@ -0,0 +1,11 @@
```bash
feroxbuster -u http://bagel.htb:8000/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_feroxbuster_dirbuster.txt"
```
[/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_feroxbuster_dirbuster.txt](file:///home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_feroxbuster_dirbuster.txt):
```
302 GET 5l 22w 263c http://bagel.htb:8000/ => http://bagel.htb:8000/?page=index.html
200 GET 3l 37w 267c http://bagel.htb:8000/orders
```

3
HTB/bagel/results/bagel.htb/report/report.md/bagel.htb/Services/Service - tcp-8000-http-alt/Known Security.md Normal file
View File

@@ -0,0 +1,3 @@
```bash
curl -sSikf http://bagel.htb:8000/.well-known/security.txt
```

137
HTB/bagel/results/bagel.htb/report/report.md/bagel.htb/Services/Service - tcp-8000-http-alt/Nmap HTTP.md Normal file
View File

@@ -0,0 +1,137 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 8000 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_nmap.txt" -oX "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/xml/tcp_8000_http_nmap.xml" bagel.htb
```
[/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_nmap.txt](file:///home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_nmap.txt):
```
# Nmap 7.93 scan initiated Sun Feb 19 22:40:48 2023 as: nmap -vv --reason -Pn -T4 -sV -p 8000 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_nmap.txt -oX /home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/xml/tcp_8000_http_nmap.xml bagel.htb
Nmap scan report for bagel.htb (10.129.132.58)
Host is up, received user-set (0.22s latency).
Scanned at 2023-02-19 22:40:50 CET for 639s
PORT STATE SERVICE REASON VERSION
8000/tcp open http-alt syn-ack ttl 63 Werkzeug/2.2.2 Python/3.10.9
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 NOT FOUND
| Server: Werkzeug/2.2.2 Python/3.10.9
| Date: Sun, 19 Feb 2023 21:41:00 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 207
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.1 302 FOUND
| Server: Werkzeug/2.2.2 Python/3.10.9
| Date: Sun, 19 Feb 2023 21:40:54 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 263
| Location: http://bagel.htb:8000/?page=index.html
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>Redirecting...</title>
| <h1>Redirecting...</h1>
| <p>You should be redirected automatically to the target URL: <a href="http://bagel.htb:8000/?page=index.html">http://bagel.htb:8000/?page=index.html</a>. If not, click the link.
| Socks5:
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request syntax ('
| ').</p>
| <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
| http-vhosts:
|_128 names had status 302
| http-passwd: Directory traversal found.
| Payload: "%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd"
| Printing first 250 bytes:
| root:x:0:0:root:/root:/bin/bash
| bin:x:1:1:bin:/bin:/sbin/nologin
| daemon:x:2:2:daemon:/sbin:/sbin/nologin
| adm:x:3:4:adm:/var/adm:/sbin/nologin
| lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
| sync:x:5:0:sync:/sbin:/bin/sync
|_shutdown:x:6:0:shutdown:/sbin:/sbin
|_http-server-header: Werkzeug/2.2.2 Python/3.10.9
|_http-chrono: Request times for /; avg: 325.48ms; min: 304.48ms; max: 370.37ms
|_http-malware-host: Host appears to be clean
| http-headers:
| Server: Werkzeug/2.2.2 Python/3.10.9
| Date: Sun, 19 Feb 2023 21:42:26 GMT
| Content-Disposition: inline; filename=index.html
| Content-Type: text/html; charset=utf-8
| Content-Length: 8698
| Last-Modified: Thu, 26 Jan 2023 17:40:39 GMT
| Cache-Control: no-cache
| ETag: "1674754839.6421967-8698-149884447"
| Date: Sun, 19 Feb 2023 21:42:26 GMT
| Connection: close
|
|_ (Request type: HEAD)
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
| http-title: Bagel &mdash; Free Website Template, Free HTML5 Template by fr...
|_Requested resource was http://bagel.htb:8000/?page=index.html
|_http-litespeed-sourcecode-download: Page: /index.php was not found. Try with an existing file.
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET
| http-waf-detect: IDS/IPS/WAF detected:
|_bagel.htb:8000/?p4yl04d3=<script>alert(document.cookie)</script>
| http-php-version: Logo query returned unknown hash 91a775c1133a6a0e6a2427a19819309f
|_Credits query returned unknown hash 91a775c1133a6a0e6a2427a19819309f
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8000-TCP:V=7.93%I=7%D=2/19%Time=63F29769%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,1EA,"HTTP/1\.1\x20302\x20FOUND\r\nServer:\x20Werkzeug/2\.2\.2\
SF:x20Python/3\.10\.9\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:40:54\x2
SF:0GMT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:
SF:\x20263\r\nLocation:\x20http://bagel\.htb:8000/\?page=index\.html\r\nCo
SF:nnection:\x20close\r\n\r\n<!doctype\x20html>\n<html\x20lang=en>\n<title
SF:>Redirecting\.\.\.</title>\n<h1>Redirecting\.\.\.</h1>\n<p>You\x20shoul
SF:d\x20be\x20redirected\x20automatically\x20to\x20the\x20target\x20URL:\x
SF:20<a\x20href=\"http://bagel\.htb:8000/\?page=index\.html\">http://bagel
SF:\.htb:8000/\?page=index\.html</a>\.\x20If\x20not,\x20click\x20the\x20li
SF:nk\.\n")%r(FourOhFourRequest,184,"HTTP/1\.1\x20404\x20NOT\x20FOUND\r\nS
SF:erver:\x20Werkzeug/2\.2\.2\x20Python/3\.10\.9\r\nDate:\x20Sun,\x2019\x2
SF:0Feb\x202023\x2021:41:00\x20GMT\r\nContent-Type:\x20text/html;\x20chars
SF:et=utf-8\r\nContent-Length:\x20207\r\nConnection:\x20close\r\n\r\n<!doc
SF:type\x20html>\n<html\x20lang=en>\n<title>404\x20Not\x20Found</title>\n<
SF:h1>Not\x20Found</h1>\n<p>The\x20requested\x20URL\x20was\x20not\x20found
SF:\x20on\x20the\x20server\.\x20If\x20you\x20entered\x20the\x20URL\x20manu
SF:ally\x20please\x20check\x20your\x20spelling\x20and\x20try\x20again\.</p
SF:>\n")%r(Socks5,213,"<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTM
SF:L\x204\.01//EN\"\n\x20\x20\x20\x20\x20\x20\x20\x20\"http://www\.w3\.org
SF:/TR/html4/strict\.dtd\">\n<html>\n\x20\x20\x20\x20<head>\n\x20\x20\x20\
SF:x20\x20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20content=\"te
SF:xt/html;charset=utf-8\">\n\x20\x20\x20\x20\x20\x20\x20\x20<title>Error\
SF:x20response</title>\n\x20\x20\x20\x20</head>\n\x20\x20\x20\x20<body>\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20<h1>Error\x20response</h1>\n\x20\x20\x20
SF:\x20\x20\x20\x20\x20<p>Error\x20code:\x20400</p>\n\x20\x20\x20\x20\x20\
SF:x20\x20\x20<p>Message:\x20Bad\x20request\x20syntax\x20\('\\x05\\x04\\x0
SF:0\\x01\\x02\\x80\\x05\\x01\\x00\\x03'\)\.</p>\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20<p>Error\x20code\x20explanation:\x20HTTPStatus\.BAD_REQUEST\x20
SF:-\x20Bad\x20request\x20syntax\x20or\x20unsupported\x20method\.</p>\n\x2
SF:0\x20\x20\x20</body>\n</html>\n");
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 19 22:51:29 2023 -- 1 IP address (1 host up) scanned in 641.14 seconds
```

11
HTB/bagel/results/bagel.htb/report/report.md/bagel.htb/Services/Service - tcp-8000-http-alt/Virtual Host Enumeration.md Normal file
View File

@@ -0,0 +1,11 @@
```bash
curl -sk -o /dev/null -H "Host: uwiZBgyJsYtrBuccAqTH.bagel.htb" http://bagel.htb:8000/ -w "%{size_download}"
``````bash
ffuf -u http://bagel.htb:8000/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.bagel.htb" -fs 263 -noninteractive -s | tee "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_bagel.htb_vhosts_subdomains-top1million-110000.txt"
```
[/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_bagel.htb_vhosts_subdomains-top1million-110000.txt](file:///home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_bagel.htb_vhosts_subdomains-top1million-110000.txt):
```
```

157
HTB/bagel/results/bagel.htb/report/report.md/bagel.htb/Services/Service - tcp-8000-http-alt/whatweb.md Normal file
View File

@@ -0,0 +1,157 @@
```bash
whatweb --color=never --no-errors -a 3 -v http://bagel.htb:8000 2>&1
```
[/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_whatweb.txt](file:///home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_whatweb.txt):
```
WhatWeb report for http://bagel.htb:8000
Status : 302 Found
Title : Redirecting...
IP : 10.129.132.58
Country : RESERVED, ZZ
Summary : HTML5, HTTPServer[Werkzeug/2.2.2 Python/3.10.9], Python[3.10.9], RedirectLocation[http://bagel.htb:8000/?page=index.html], Werkzeug[2.2.2]
Detected Plugins:
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : Werkzeug/2.2.2 Python/3.10.9 (from server string)
[ Python ]
Python is a programming language that lets you work more
quickly and integrate your systems more effectively. You
can learn to use Python and see almost immediate gains in
productivity and lower maintenance costs.
Version : 3.10.9
Website : http://www.python.org/
[ RedirectLocation ]
HTTP Server string location. used with http-status 301 and
302
String : http://bagel.htb:8000/?page=index.html (from location)
[ Werkzeug ]
Werkzeug is a WSGI utility library for Python.
Version : 2.2.2
Website : http://werkzeug.pocoo.org/
HTTP Headers:
HTTP/1.1 302 FOUND
Server: Werkzeug/2.2.2 Python/3.10.9
Date: Sun, 19 Feb 2023 21:41:02 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 263
Location: http://bagel.htb:8000/?page=index.html
Connection: close
WhatWeb report for http://bagel.htb:8000/?page=index.html
Status : 200 OK
Title : Bagel &mdash; Free Website Template, Free HTML5 Template by freehtml5.co
IP : 10.129.132.58
Country : RESERVED, ZZ
Summary : Bootstrap, HTML5, HTTPServer[Werkzeug/2.2.2 Python/3.10.9], JQuery, Meta-Author[freehtml5.co], Modernizr[2.6.2.min], Open-Graph-Protocol, Python[3.10.9], Script, Werkzeug[2.2.2], X-UA-Compatible[IE=edge]
Detected Plugins:
[ Bootstrap ]
Bootstrap is an open source toolkit for developing with
HTML, CSS, and JS.
Website : https://getbootstrap.com/
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : Werkzeug/2.2.2 Python/3.10.9 (from server string)
[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.
Website : http://jquery.com/
[ Meta-Author ]
This plugin retrieves the author name from the meta name
tag - info:
http://www.webmarketingnow.com/tips/meta-tags-uncovered.html
#author
String : freehtml5.co
[ Modernizr ]
Modernizr adds classes to the <html> element which allow
you to target specific browser functionality in your
stylesheet. You don't actually need to write any Javascript
to use it. [JavaScript]
Version : 2.6.2.min
Website : http://www.modernizr.com/
[ Open-Graph-Protocol ]
The Open Graph protocol enables you to integrate your Web
pages into the social graph. It is currently designed for
Web pages representing profiles of real-world things .
things like movies, sports teams, celebrities, and
restaurants. Including Open Graph tags on your Web page,
makes your page equivalent to a Facebook Page.
[ Python ]
Python is a programming language that lets you work more
quickly and integrate your systems more effectively. You
can learn to use Python and see almost immediate gains in
productivity and lower maintenance costs.
Version : 3.10.9
Website : http://www.python.org/
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
[ Werkzeug ]
Werkzeug is a WSGI utility library for Python.
Version : 2.2.2
Website : http://werkzeug.pocoo.org/
[ X-UA-Compatible ]
This plugin retrieves the X-UA-Compatible value from the
HTTP header and meta http-equiv tag. - More Info:
http://msdn.microsoft.com/en-us/library/cc817574.aspx
String : IE=edge
HTTP Headers:
HTTP/1.1 200 OK
Server: Werkzeug/2.2.2 Python/3.10.9
Date: Sun, 19 Feb 2023 21:41:04 GMT
Content-Disposition: inline; filename=index.html
Content-Type: text/html; charset=utf-8
Content-Length: 8698
Last-Modified: Thu, 26 Jan 2023 17:40:39 GMT
Cache-Control: no-cache
ETag: "1674754839.6421967-8698-149884447"
Date: Sun, 19 Feb 2023 21:41:04 GMT
Connection: close
```

3
HTB/bagel/results/bagel.htb/report/report.md/bagel.htb/Services/Service - tcp-8000-http-alt/wkhtmltoimage.md Normal file
View File

@@ -0,0 +1,3 @@
```bash
wkhtmltoimage --format png http://bagel.htb:8000/ /home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_screenshot.png
```

34
HTB/bagel/results/bagel.htb/scans/_commands.log Normal file
View File

@@ -0,0 +1,34 @@
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/htb/bagel/results/bagel.htb/scans/_quick_tcp_nmap.txt" -oX "/home/simon/htb/bagel/results/bagel.htb/scans/xml/_quick_tcp_nmap.xml" bagel.htb
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/htb/bagel/results/bagel.htb/scans/_full_tcp_nmap.txt" -oX "/home/simon/htb/bagel/results/bagel.htb/scans/xml/_full_tcp_nmap.xml" bagel.htb
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/htb/bagel/results/bagel.htb/scans/_quick_tcp_nmap.txt" -oX "/home/simon/htb/bagel/results/bagel.htb/scans/xml/_quick_tcp_nmap.xml" bagel.htb
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/htb/bagel/results/bagel.htb/scans/_full_tcp_nmap.txt" -oX "/home/simon/htb/bagel/results/bagel.htb/scans/xml/_full_tcp_nmap.xml" bagel.htb
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/htb/bagel/results/bagel.htb/scans/_quick_tcp_nmap.txt" -oX "/home/simon/htb/bagel/results/bagel.htb/scans/xml/_quick_tcp_nmap.xml" bagel.htb
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/htb/bagel/results/bagel.htb/scans/_full_tcp_nmap.txt" -oX "/home/simon/htb/bagel/results/bagel.htb/scans/xml/_full_tcp_nmap.xml" bagel.htb
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/htb/bagel/results/bagel.htb/scans/_top_100_udp_nmap.txt" -oX "/home/simon/htb/bagel/results/bagel.htb/scans/xml/_top_100_udp_nmap.xml" bagel.htb
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/simon/htb/bagel/results/bagel.htb/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/simon/htb/bagel/results/bagel.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml" bagel.htb
feroxbuster -u http://bagel.htb:8000/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_feroxbuster_dirbuster.txt"
curl -sSikf http://bagel.htb:8000/.well-known/security.txt
curl -sSikf http://bagel.htb:8000/robots.txt
curl -sSik http://bagel.htb:8000/
nmap -vv --reason -Pn -T4 -sV -p 8000 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_nmap.txt" -oX "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/xml/tcp_8000_http_nmap.xml" bagel.htb
curl -sk -o /dev/null -H "Host: uwiZBgyJsYtrBuccAqTH.bagel.htb" http://bagel.htb:8000/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://bagel.htb:8000 2>&1
wkhtmltoimage --format png http://bagel.htb:8000/ /home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_screenshot.png
ffuf -u http://bagel.htb:8000/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.bagel.htb" -fs 263 -noninteractive -s | tee "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_bagel.htb_vhosts_subdomains-top1million-110000.txt"

23
HTB/bagel/results/bagel.htb/scans/_errors.log Normal file
View File

@@ -0,0 +1,23 @@
[*] Service scan wkhtmltoimage (tcp/8000/http-alt/wkhtmltoimage) ran a command which returned a non-zero exit code (1).
[-] Command: wkhtmltoimage --format png http://bagel.htb:8000/ /home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_screenshot.png
[-] Error Output:
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
Loading page (1/2)
[> ] 0%
[============================> ] 47%
[============================> ] 47%
[============================> ] 48%
[============================> ] 48%
libva info: VA-API version 1.17.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_17
libva error: /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so init failed
libva info: va_openDriver() returns 1
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/i965_drv_video.so
libva info: Found init function __vaDriverInit_1_8
libva info: va_openDriver() returns 0
[==============================> ] 50%
Warning: Failed to load http://bagel.htb:8000/static/images/broken_noise.png (ignore)
[============================================> ] 74%
Warning: Failed to load http://bagel.htb:8000/static/images/loader.gif (ignore)
[================================================> ] 80%

220
HTB/bagel/results/bagel.htb/scans/_full_tcp_nmap.txt Normal file
View File

@@ -0,0 +1,220 @@
# Nmap 7.93 scan initiated Sun Feb 19 22:35:24 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/simon/htb/bagel/results/bagel.htb/scans/_full_tcp_nmap.txt -oX /home/simon/htb/bagel/results/bagel.htb/scans/xml/_full_tcp_nmap.xml bagel.htb
Increasing send delay for 10.129.132.58 from 0 to 5 due to 584 out of 1459 dropped probes since last increase.
Increasing send delay for 10.129.132.58 from 5 to 10 due to 11 out of 21 dropped probes since last increase.
adjust_timeouts2: packet supposedly had rtt of -138516 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -138516 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -107250 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -107250 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -132207 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -132207 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -130059 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -130059 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -138986 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -138986 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -138941 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -138941 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -154613 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -154613 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -206524 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -206524 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -467997 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -467997 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -482893 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -482893 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -426312 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -426312 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -451382 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -451382 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -121961 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -121961 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -1082462 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -1082462 microseconds. Ignoring time.
Nmap scan report for bagel.htb (10.129.132.58)
Host is up, received user-set (0.12s latency).
Scanned at 2023-02-19 22:35:25 CET for 1000s
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.8 (protocol 2.0)
| ssh-hostkey:
| 256 6e4e1341f2fed9e0f7275bededcc68c2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEwHzrBpcTXWKbxBWhc6yfWMiWfWjPmUJv2QqB/c2tJDuGt/97OvgzC+Zs31X/IW2WM6P0rtrKemiz3C5mUE67k=
| 256 80a7cd10e72fdb958b869b1b20652a98 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINnQ9frzL5hKjBf6oUklfUhQCMFuM0EtdYJOIxUiDuFl
5000/tcp open upnp? syn-ack ttl 63
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 400 Bad Request
| Server: Microsoft-NetCore/2.0
| Date: Sun, 19 Feb 2023 21:47:15 GMT
| Connection: close
| HTTPOptions:
| HTTP/1.1 400 Bad Request
| Server: Microsoft-NetCore/2.0
| Date: Sun, 19 Feb 2023 21:47:31 GMT
| Connection: close
| Hello:
| HTTP/1.1 400 Bad Request
| Content-Type: text/html
| Server: Microsoft-NetCore/2.0
| Date: Sun, 19 Feb 2023 21:47:41 GMT
| Content-Length: 52
| Connection: close
| Keep-Alive: true
| <h1>Bad Request (Invalid request line (parts).)</h1>
| Help, SSLSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/html
| Server: Microsoft-NetCore/2.0
| Date: Sun, 19 Feb 2023 21:47:42 GMT
| Content-Length: 52
| Connection: close
| Keep-Alive: true
| <h1>Bad Request (Invalid request line (parts).)</h1>
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/html
| Server: Microsoft-NetCore/2.0
| Date: Sun, 19 Feb 2023 21:47:15 GMT
| Content-Length: 54
| Connection: close
| Keep-Alive: true
|_ <h1>Bad Request (Invalid request line (version).)</h1>
8000/tcp open http-alt syn-ack ttl 63 Werkzeug/2.2.2 Python/3.10.9
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 NOT FOUND
| Server: Werkzeug/2.2.2 Python/3.10.9
| Date: Sun, 19 Feb 2023 21:47:16 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 207
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.1 302 FOUND
| Server: Werkzeug/2.2.2 Python/3.10.9
| Date: Sun, 19 Feb 2023 21:47:10 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 263
| Location: http://bagel.htb:8000/?page=index.html
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>Redirecting...</title>
| <h1>Redirecting...</h1>
| <p>You should be redirected automatically to the target URL: <a href="http://bagel.htb:8000/?page=index.html">http://bagel.htb:8000/?page=index.html</a>. If not, click the link.
| Socks5:
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request syntax ('
| ').</p>
| <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET
| http-title: Bagel &mdash; Free Website Template, Free HTML5 Template by fr...
|_Requested resource was http://bagel.htb:8000/?page=index.html
|_http-server-header: Werkzeug/2.2.2 Python/3.10.9
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5000-TCP:V=7.93%I=9%D=2/19%Time=63F298E6%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,73,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nServer:\x20Microsoft
SF:-NetCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:47:15\x20GMT\
SF:r\nConnection:\x20close\r\n\r\n")%r(RTSPRequest,E8,"HTTP/1\.1\x20400\x2
SF:0Bad\x20Request\r\nContent-Type:\x20text/html\r\nServer:\x20Microsoft-N
SF:etCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:47:15\x20GMT\r\
SF:nContent-Length:\x2054\r\nConnection:\x20close\r\nKeep-Alive:\x20true\r
SF:\n\r\n<h1>Bad\x20Request\x20\(Invalid\x20request\x20line\x20\(version\)
SF:\.\)</h1>")%r(HTTPOptions,73,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nSer
SF:ver:\x20Microsoft-NetCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2
SF:021:47:31\x20GMT\r\nConnection:\x20close\r\n\r\n")%r(Hello,E6,"HTTP/1\.
SF:1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/html\r\nServer:\x20
SF:Microsoft-NetCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:47:4
SF:1\x20GMT\r\nContent-Length:\x2052\r\nConnection:\x20close\r\nKeep-Alive
SF::\x20true\r\n\r\n<h1>Bad\x20Request\x20\(Invalid\x20request\x20line\x20
SF:\(parts\)\.\)</h1>")%r(Help,E6,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nC
SF:ontent-Type:\x20text/html\r\nServer:\x20Microsoft-NetCore/2\.0\r\nDate:
SF:\x20Sun,\x2019\x20Feb\x202023\x2021:47:42\x20GMT\r\nContent-Length:\x20
SF:52\r\nConnection:\x20close\r\nKeep-Alive:\x20true\r\n\r\n<h1>Bad\x20Req
SF:uest\x20\(Invalid\x20request\x20line\x20\(parts\)\.\)</h1>")%r(SSLSessi
SF:onReq,E6,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/h
SF:tml\r\nServer:\x20Microsoft-NetCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\
SF:x202023\x2021:47:42\x20GMT\r\nContent-Length:\x2052\r\nConnection:\x20c
SF:lose\r\nKeep-Alive:\x20true\r\n\r\n<h1>Bad\x20Request\x20\(Invalid\x20r
SF:equest\x20line\x20\(parts\)\.\)</h1>")%r(TerminalServerCookie,E6,"HTTP/
SF:1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/html\r\nServer:\
SF:x20Microsoft-NetCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:4
SF:7:42\x20GMT\r\nContent-Length:\x2052\r\nConnection:\x20close\r\nKeep-Al
SF:ive:\x20true\r\n\r\n<h1>Bad\x20Request\x20\(Invalid\x20request\x20line\
SF:x20\(parts\)\.\)</h1>");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8000-TCP:V=7.93%I=9%D=2/19%Time=63F298E1%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,1EA,"HTTP/1\.1\x20302\x20FOUND\r\nServer:\x20Werkzeug/2\.2\.2\
SF:x20Python/3\.10\.9\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:47:10\x2
SF:0GMT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:
SF:\x20263\r\nLocation:\x20http://bagel\.htb:8000/\?page=index\.html\r\nCo
SF:nnection:\x20close\r\n\r\n<!doctype\x20html>\n<html\x20lang=en>\n<title
SF:>Redirecting\.\.\.</title>\n<h1>Redirecting\.\.\.</h1>\n<p>You\x20shoul
SF:d\x20be\x20redirected\x20automatically\x20to\x20the\x20target\x20URL:\x
SF:20<a\x20href=\"http://bagel\.htb:8000/\?page=index\.html\">http://bagel
SF:\.htb:8000/\?page=index\.html</a>\.\x20If\x20not,\x20click\x20the\x20li
SF:nk\.\n")%r(FourOhFourRequest,184,"HTTP/1\.1\x20404\x20NOT\x20FOUND\r\nS
SF:erver:\x20Werkzeug/2\.2\.2\x20Python/3\.10\.9\r\nDate:\x20Sun,\x2019\x2
SF:0Feb\x202023\x2021:47:16\x20GMT\r\nContent-Type:\x20text/html;\x20chars
SF:et=utf-8\r\nContent-Length:\x20207\r\nConnection:\x20close\r\n\r\n<!doc
SF:type\x20html>\n<html\x20lang=en>\n<title>404\x20Not\x20Found</title>\n<
SF:h1>Not\x20Found</h1>\n<p>The\x20requested\x20URL\x20was\x20not\x20found
SF:\x20on\x20the\x20server\.\x20If\x20you\x20entered\x20the\x20URL\x20manu
SF:ally\x20please\x20check\x20your\x20spelling\x20and\x20try\x20again\.</p
SF:>\n")%r(Socks5,213,"<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTM
SF:L\x204\.01//EN\"\n\x20\x20\x20\x20\x20\x20\x20\x20\"http://www\.w3\.org
SF:/TR/html4/strict\.dtd\">\n<html>\n\x20\x20\x20\x20<head>\n\x20\x20\x20\
SF:x20\x20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20content=\"te
SF:xt/html;charset=utf-8\">\n\x20\x20\x20\x20\x20\x20\x20\x20<title>Error\
SF:x20response</title>\n\x20\x20\x20\x20</head>\n\x20\x20\x20\x20<body>\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20<h1>Error\x20response</h1>\n\x20\x20\x20
SF:\x20\x20\x20\x20\x20<p>Error\x20code:\x20400</p>\n\x20\x20\x20\x20\x20\
SF:x20\x20\x20<p>Message:\x20Bad\x20request\x20syntax\x20\('\\x05\\x04\\x0
SF:0\\x01\\x02\\x80\\x05\\x01\\x00\\x03'\)\.</p>\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20<p>Error\x20code\x20explanation:\x20HTTPStatus\.BAD_REQUEST\x20
SF:-\x20Bad\x20request\x20syntax\x20or\x20unsupported\x20method\.</p>\n\x2
SF:0\x20\x20\x20</body>\n</html>\n");
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=2/19%OT=22%CT=1%CU=41239%PV=Y%DS=2%DC=T%G=Y%TM=63F29A0
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)SEQ
OS:(SP=105%GCD=1%ISR=10C%TI=Z%CI=Z%TS=A)OPS(O1=M54EST11NW7%O2=M54EST11NW7%O
OS:3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%O6=M54EST11)WIN(W1=FE88%W2=
OS:FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54ENNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 23.826 days (since Fri Jan 27 03:01:58 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE (using port 587/tcp)
HOP RTT ADDRESS
1 115.15 ms 10.10.16.1
2 115.37 ms bagel.htb (10.129.132.58)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 19 22:52:05 2023 -- 1 IP address (1 host up) scanned in 1001.59 seconds

32
HTB/bagel/results/bagel.htb/scans/_manual_commands.txt Normal file
View File

@@ -0,0 +1,32 @@
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/simon/htb/bagel/results/bagel.htb/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://bagel.htb
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/simon/htb/bagel/results/bagel.htb/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h bagel.htb
[*] http-alt on tcp/8000
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://bagel.htb:8000 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 8000 -o "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_auth_hydra.txt" http-get://bagel.htb/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 8000 -O "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_auth_medusa.txt" -M http -h bagel.htb -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 8000 -o "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_form_hydra.txt" http-post-form://bagel.htb/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 8000 -O "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_form_medusa.txt" -M web-form -h bagel.htb -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://bagel.htb:8000 2>&1 | tee "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://bagel.htb:8000/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_wpscan.txt"

6
HTB/bagel/results/bagel.htb/scans/_patterns.log Normal file
View File

@@ -0,0 +1,6 @@
Identified HTTP Server: Werkzeug/2.2.2 Python/3.10.9
Identified HTTP Server: Werkzeug/2.2.2 Python/3.10.9
Identified HTTP Server: Werkzeug/2.2.2 Python/3.10.9

190
HTB/bagel/results/bagel.htb/scans/_quick_tcp_nmap.txt Normal file
View File

@@ -0,0 +1,190 @@
# Nmap 7.93 scan initiated Sun Feb 19 22:35:24 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/simon/htb/bagel/results/bagel.htb/scans/_quick_tcp_nmap.txt -oX /home/simon/htb/bagel/results/bagel.htb/scans/xml/_quick_tcp_nmap.xml bagel.htb
Nmap scan report for bagel.htb (10.129.132.58)
Host is up, received user-set (0.19s latency).
Scanned at 2023-02-19 22:35:24 CET for 323s
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.8 (protocol 2.0)
| ssh-hostkey:
| 256 6e4e1341f2fed9e0f7275bededcc68c2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEwHzrBpcTXWKbxBWhc6yfWMiWfWjPmUJv2QqB/c2tJDuGt/97OvgzC+Zs31X/IW2WM6P0rtrKemiz3C5mUE67k=
| 256 80a7cd10e72fdb958b869b1b20652a98 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINnQ9frzL5hKjBf6oUklfUhQCMFuM0EtdYJOIxUiDuFl
5000/tcp open upnp? syn-ack ttl 63
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 400 Bad Request
| Server: Microsoft-NetCore/2.0
| Date: Sun, 19 Feb 2023 21:35:36 GMT
| Connection: close
| HTTPOptions:
| HTTP/1.1 400 Bad Request
| Server: Microsoft-NetCore/2.0
| Date: Sun, 19 Feb 2023 21:35:53 GMT
| Connection: close
| Hello, Help:
| HTTP/1.1 400 Bad Request
| Content-Type: text/html
| Server: Microsoft-NetCore/2.0
| Date: Sun, 19 Feb 2023 21:36:04 GMT
| Content-Length: 52
| Connection: close
| Keep-Alive: true
| <h1>Bad Request (Invalid request line (parts).)</h1>
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/html
| Server: Microsoft-NetCore/2.0
| Date: Sun, 19 Feb 2023 21:35:37 GMT
| Content-Length: 54
| Connection: close
| Keep-Alive: true
| <h1>Bad Request (Invalid request line (version).)</h1>
| SSLSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/html
| Server: Microsoft-NetCore/2.0
| Date: Sun, 19 Feb 2023 21:36:05 GMT
| Content-Length: 52
| Connection: close
| Keep-Alive: true
|_ <h1>Bad Request (Invalid request line (parts).)</h1>
8000/tcp open http-alt syn-ack ttl 63 Werkzeug/2.2.2 Python/3.10.9
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 NOT FOUND
| Server: Werkzeug/2.2.2 Python/3.10.9
| Date: Sun, 19 Feb 2023 21:35:37 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 207
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.1 302 FOUND
| Server: Werkzeug/2.2.2 Python/3.10.9
| Date: Sun, 19 Feb 2023 21:35:31 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 263
| Location: http://bagel.htb:8000/?page=index.html
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>Redirecting...</title>
| <h1>Redirecting...</h1>
| <p>You should be redirected automatically to the target URL: <a href="http://bagel.htb:8000/?page=index.html">http://bagel.htb:8000/?page=index.html</a>. If not, click the link.
| Socks5:
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request syntax ('
| ').</p>
| <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET
|_http-server-header: Werkzeug/2.2.2 Python/3.10.9
| http-title: Bagel &mdash; Free Website Template, Free HTML5 Template by fr...
|_Requested resource was http://bagel.htb:8000/?page=index.html
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5000-TCP:V=7.93%I=9%D=2/19%Time=63F2962B%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,73,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nServer:\x20Microsoft
SF:-NetCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:35:36\x20GMT\
SF:r\nConnection:\x20close\r\n\r\n")%r(RTSPRequest,E8,"HTTP/1\.1\x20400\x2
SF:0Bad\x20Request\r\nContent-Type:\x20text/html\r\nServer:\x20Microsoft-N
SF:etCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:35:37\x20GMT\r\
SF:nContent-Length:\x2054\r\nConnection:\x20close\r\nKeep-Alive:\x20true\r
SF:\n\r\n<h1>Bad\x20Request\x20\(Invalid\x20request\x20line\x20\(version\)
SF:\.\)</h1>")%r(HTTPOptions,73,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nSer
SF:ver:\x20Microsoft-NetCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2
SF:021:35:53\x20GMT\r\nConnection:\x20close\r\n\r\n")%r(Hello,E6,"HTTP/1\.
SF:1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/html\r\nServer:\x20
SF:Microsoft-NetCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:36:0
SF:4\x20GMT\r\nContent-Length:\x2052\r\nConnection:\x20close\r\nKeep-Alive
SF::\x20true\r\n\r\n<h1>Bad\x20Request\x20\(Invalid\x20request\x20line\x20
SF:\(parts\)\.\)</h1>")%r(Help,E6,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nC
SF:ontent-Type:\x20text/html\r\nServer:\x20Microsoft-NetCore/2\.0\r\nDate:
SF:\x20Sun,\x2019\x20Feb\x202023\x2021:36:04\x20GMT\r\nContent-Length:\x20
SF:52\r\nConnection:\x20close\r\nKeep-Alive:\x20true\r\n\r\n<h1>Bad\x20Req
SF:uest\x20\(Invalid\x20request\x20line\x20\(parts\)\.\)</h1>")%r(SSLSessi
SF:onReq,E6,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/h
SF:tml\r\nServer:\x20Microsoft-NetCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\
SF:x202023\x2021:36:05\x20GMT\r\nContent-Length:\x2052\r\nConnection:\x20c
SF:lose\r\nKeep-Alive:\x20true\r\n\r\n<h1>Bad\x20Request\x20\(Invalid\x20r
SF:equest\x20line\x20\(parts\)\.\)</h1>")%r(TerminalServerCookie,E6,"HTTP/
SF:1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/html\r\nServer:\
SF:x20Microsoft-NetCore/2\.0\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:3
SF:6:05\x20GMT\r\nContent-Length:\x2052\r\nConnection:\x20close\r\nKeep-Al
SF:ive:\x20true\r\n\r\n<h1>Bad\x20Request\x20\(Invalid\x20request\x20line\
SF:x20\(parts\)\.\)</h1>");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8000-TCP:V=7.93%I=9%D=2/19%Time=63F29626%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,1EA,"HTTP/1\.1\x20302\x20FOUND\r\nServer:\x20Werkzeug/2\.2\.2\
SF:x20Python/3\.10\.9\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:35:31\x2
SF:0GMT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:
SF:\x20263\r\nLocation:\x20http://bagel\.htb:8000/\?page=index\.html\r\nCo
SF:nnection:\x20close\r\n\r\n<!doctype\x20html>\n<html\x20lang=en>\n<title
SF:>Redirecting\.\.\.</title>\n<h1>Redirecting\.\.\.</h1>\n<p>You\x20shoul
SF:d\x20be\x20redirected\x20automatically\x20to\x20the\x20target\x20URL:\x
SF:20<a\x20href=\"http://bagel\.htb:8000/\?page=index\.html\">http://bagel
SF:\.htb:8000/\?page=index\.html</a>\.\x20If\x20not,\x20click\x20the\x20li
SF:nk\.\n")%r(FourOhFourRequest,184,"HTTP/1\.1\x20404\x20NOT\x20FOUND\r\nS
SF:erver:\x20Werkzeug/2\.2\.2\x20Python/3\.10\.9\r\nDate:\x20Sun,\x2019\x2
SF:0Feb\x202023\x2021:35:37\x20GMT\r\nContent-Type:\x20text/html;\x20chars
SF:et=utf-8\r\nContent-Length:\x20207\r\nConnection:\x20close\r\n\r\n<!doc
SF:type\x20html>\n<html\x20lang=en>\n<title>404\x20Not\x20Found</title>\n<
SF:h1>Not\x20Found</h1>\n<p>The\x20requested\x20URL\x20was\x20not\x20found
SF:\x20on\x20the\x20server\.\x20If\x20you\x20entered\x20the\x20URL\x20manu
SF:ally\x20please\x20check\x20your\x20spelling\x20and\x20try\x20again\.</p
SF:>\n")%r(Socks5,213,"<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTM
SF:L\x204\.01//EN\"\n\x20\x20\x20\x20\x20\x20\x20\x20\"http://www\.w3\.org
SF:/TR/html4/strict\.dtd\">\n<html>\n\x20\x20\x20\x20<head>\n\x20\x20\x20\
SF:x20\x20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20content=\"te
SF:xt/html;charset=utf-8\">\n\x20\x20\x20\x20\x20\x20\x20\x20<title>Error\
SF:x20response</title>\n\x20\x20\x20\x20</head>\n\x20\x20\x20\x20<body>\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20<h1>Error\x20response</h1>\n\x20\x20\x20
SF:\x20\x20\x20\x20\x20<p>Error\x20code:\x20400</p>\n\x20\x20\x20\x20\x20\
SF:x20\x20\x20<p>Message:\x20Bad\x20request\x20syntax\x20\('\\x05\\x04\\x0
SF:0\\x01\\x02\\x80\\x05\\x01\\x00\\x03'\)\.</p>\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20<p>Error\x20code\x20explanation:\x20HTTPStatus\.BAD_REQUEST\x20
SF:-\x20Bad\x20request\x20syntax\x20or\x20unsupported\x20method\.</p>\n\x2
SF:0\x20\x20\x20</body>\n</html>\n");
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 2.6.32 (94%), Linux 5.0 - 5.3 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (92%)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=2/19%OT=22%CT=1%CU=44394%PV=Y%DS=2%DC=T%G=Y%TM=63F2975
OS:F%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=105%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST1
OS:1NW7%O6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)
Uptime guess: 23.819 days (since Fri Jan 27 03:01:59 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE (using port 8080/tcp)
HOP RTT ADDRESS
1 214.27 ms 10.10.16.1
2 215.23 ms bagel.htb (10.129.132.58)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 19 22:40:47 2023 -- 1 IP address (1 host up) scanned in 323.76 seconds

42
HTB/bagel/results/bagel.htb/scans/_top_100_udp_nmap.txt Normal file
View File

@@ -0,0 +1,42 @@
# Nmap 7.93 scan initiated Sun Feb 19 22:35:24 2023 as: nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN /home/simon/htb/bagel/results/bagel.htb/scans/_top_100_udp_nmap.txt -oX /home/simon/htb/bagel/results/bagel.htb/scans/xml/_top_100_udp_nmap.xml bagel.htb
Warning: 10.129.132.58 giving up on port because retransmission cap hit (6).
Increasing send delay for 10.129.132.58 from 100 to 200 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.129.132.58 from 200 to 400 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.129.132.58 from 400 to 800 due to 11 out of 11 dropped probes since last increase.
Nmap scan report for bagel.htb (10.129.132.58)
Host is up, received user-set (0.20s latency).
Scanned at 2023-02-19 22:35:25 CET for 195s
Not shown: 88 closed udp ports (port-unreach)
PORT STATE SERVICE REASON VERSION
53/udp open|filtered domain no-response
111/udp open|filtered rpcbind no-response
137/udp open|filtered netbios-ns no-response
1027/udp open|filtered unknown no-response
1433/udp open|filtered ms-sql-s no-response
1645/udp open|filtered radius no-response
1900/udp open|filtered upnp no-response
4500/udp open|filtered nat-t-ike no-response
32815/udp open|filtered unknown no-response
33281/udp open|filtered unknown no-response
49152/udp open|filtered unknown no-response
49185/udp open|filtered unknown no-response
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=2/19%OT=%CT=%CU=7%PV=Y%DS=2%DC=T%G=N%TM=63F296E0%P=x86_64-pc-linux-gnu)
SEQ(CI=Z%II=I)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
TRACEROUTE (using port 32769/udp)
HOP RTT ADDRESS
1 130.31 ms 10.10.16.1
2 130.44 ms bagel.htb (10.129.132.58)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 19 22:38:40 2023 -- 1 IP address (1 host up) scanned in 196.66 seconds

56
HTB/bagel/results/bagel.htb/scans/tcp22/tcp_22_ssh_nmap.txt Normal file
View File

@@ -0,0 +1,56 @@
# Nmap 7.93 scan initiated Sun Feb 19 22:40:48 2023 as: nmap -vv --reason -Pn -T4 -sV -p 22 --script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/simon/htb/bagel/results/bagel.htb/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/simon/htb/bagel/results/bagel.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml bagel.htb
Nmap scan report for bagel.htb (10.129.132.58)
Host is up, received user-set (0.22s latency).
Scanned at 2023-02-19 22:40:48 CET for 5s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.8 (protocol 2.0)
| ssh2-enum-algos:
| kex_algorithms: (9)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group14-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| server_host_key_algorithms: (4)
| rsa-sha2-512
| rsa-sha2-256
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (5)
| aes256-gcm@openssh.com
| chacha20-poly1305@openssh.com
| aes256-ctr
| aes128-gcm@openssh.com
| aes128-ctr
| mac_algorithms: (8)
| hmac-sha2-256-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha2-256
| hmac-sha1
| umac-128@openssh.com
| hmac-sha2-512
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
| ssh-auth-methods:
| Supported authentication methods:
| publickey
| gssapi-keyex
|_ gssapi-with-mic
|_banner: SSH-2.0-OpenSSH_8.8
| ssh-hostkey:
| 256 6e4e1341f2fed9e0f7275bededcc68c2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEwHzrBpcTXWKbxBWhc6yfWMiWfWjPmUJv2QqB/c2tJDuGt/97OvgzC+Zs31X/IW2WM6P0rtrKemiz3C5mUE67k=
| 256 80a7cd10e72fdb958b869b1b20652a98 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINnQ9frzL5hKjBf6oUklfUhQCMFuM0EtdYJOIxUiDuFl
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 19 22:40:53 2023 -- 1 IP address (1 host up) scanned in 5.68 seconds

92
HTB/bagel/results/bagel.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml Normal file
View File

@@ -0,0 +1,92 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Sun Feb 19 22:40:48 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 22 -&#45;script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/simon/htb/bagel/results/bagel.htb/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/simon/htb/bagel/results/bagel.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml bagel.htb -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 22 -&#45;script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/simon/htb/bagel/results/bagel.htb/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/simon/htb/bagel/results/bagel.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml bagel.htb" start="1676842848" startstr="Sun Feb 19 22:40:48 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="syn" protocol="tcp" numservices="1" services="22"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1676842848"/>
<taskend task="NSE" time="1676842848"/>
<taskbegin task="NSE" time="1676842848"/>
<taskend task="NSE" time="1676842848"/>
<taskbegin task="SYN Stealth Scan" time="1676842848"/>
<taskend task="SYN Stealth Scan" time="1676842848" extrainfo="1 total ports"/>
<taskbegin task="Service scan" time="1676842849"/>
<taskend task="Service scan" time="1676842849" extrainfo="1 service on 1 host"/>
<taskbegin task="NSE" time="1676842849"/>
<taskend task="NSE" time="1676842853"/>
<taskbegin task="NSE" time="1676842853"/>
<taskend task="NSE" time="1676842853"/>
<host starttime="1676842848" endtime="1676842853"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.129.132.58" addrtype="ipv4"/>
<hostnames>
<hostname name="bagel.htb" type="user"/>
<hostname name="bagel.htb" type="PTR"/>
</hostnames>
<ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="ssh" product="OpenSSH" version="8.8" extrainfo="protocol 2.0" method="probed" conf="10"><cpe>cpe:/a:openbsd:openssh:8.8</cpe></service><script id="ssh2-enum-algos" output="&#xa; kex_algorithms: (9)&#xa; curve25519-sha256&#xa; curve25519-sha256@libssh.org&#xa; ecdh-sha2-nistp256&#xa; ecdh-sha2-nistp384&#xa; ecdh-sha2-nistp521&#xa; diffie-hellman-group-exchange-sha256&#xa; diffie-hellman-group14-sha256&#xa; diffie-hellman-group16-sha512&#xa; diffie-hellman-group18-sha512&#xa; server_host_key_algorithms: (4)&#xa; rsa-sha2-512&#xa; rsa-sha2-256&#xa; ecdsa-sha2-nistp256&#xa; ssh-ed25519&#xa; encryption_algorithms: (5)&#xa; aes256-gcm@openssh.com&#xa; chacha20-poly1305@openssh.com&#xa; aes256-ctr&#xa; aes128-gcm@openssh.com&#xa; aes128-ctr&#xa; mac_algorithms: (8)&#xa; hmac-sha2-256-etm@openssh.com&#xa; hmac-sha1-etm@openssh.com&#xa; umac-128-etm@openssh.com&#xa; hmac-sha2-512-etm@openssh.com&#xa; hmac-sha2-256&#xa; hmac-sha1&#xa; umac-128@openssh.com&#xa; hmac-sha2-512&#xa; compression_algorithms: (2)&#xa; none&#xa; zlib@openssh.com"><table key="kex_algorithms">
<elem>curve25519-sha256</elem>
<elem>curve25519-sha256@libssh.org</elem>
<elem>ecdh-sha2-nistp256</elem>
<elem>ecdh-sha2-nistp384</elem>
<elem>ecdh-sha2-nistp521</elem>
<elem>diffie-hellman-group-exchange-sha256</elem>
<elem>diffie-hellman-group14-sha256</elem>
<elem>diffie-hellman-group16-sha512</elem>
<elem>diffie-hellman-group18-sha512</elem>
</table>
<table key="server_host_key_algorithms">
<elem>rsa-sha2-512</elem>
<elem>rsa-sha2-256</elem>
<elem>ecdsa-sha2-nistp256</elem>
<elem>ssh-ed25519</elem>
</table>
<table key="encryption_algorithms">
<elem>aes256-gcm@openssh.com</elem>
<elem>chacha20-poly1305@openssh.com</elem>
<elem>aes256-ctr</elem>
<elem>aes128-gcm@openssh.com</elem>
<elem>aes128-ctr</elem>
</table>
<table key="mac_algorithms">
<elem>hmac-sha2-256-etm@openssh.com</elem>
<elem>hmac-sha1-etm@openssh.com</elem>
<elem>umac-128-etm@openssh.com</elem>
<elem>hmac-sha2-512-etm@openssh.com</elem>
<elem>hmac-sha2-256</elem>
<elem>hmac-sha1</elem>
<elem>umac-128@openssh.com</elem>
<elem>hmac-sha2-512</elem>
</table>
<table key="compression_algorithms">
<elem>none</elem>
<elem>zlib@openssh.com</elem>
</table>
</script><script id="ssh-auth-methods" output="&#xa; Supported authentication methods: &#xa; publickey&#xa; gssapi-keyex&#xa; gssapi-with-mic"><table key="Supported authentication methods">
<elem>publickey</elem>
<elem>gssapi-keyex</elem>
<elem>gssapi-with-mic</elem>
</table>
</script><script id="banner" output="SSH-2.0-OpenSSH_8.8"/><script id="ssh-hostkey" output="&#xa; 256 6e4e1341f2fed9e0f7275bededcc68c2 (ECDSA)&#xa;ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEwHzrBpcTXWKbxBWhc6yfWMiWfWjPmUJv2QqB/c2tJDuGt/97OvgzC+Zs31X/IW2WM6P0rtrKemiz3C5mUE67k=&#xa; 256 80a7cd10e72fdb958b869b1b20652a98 (ED25519)&#xa;ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINnQ9frzL5hKjBf6oUklfUhQCMFuM0EtdYJOIxUiDuFl"><table>
<elem key="type">ecdsa-sha2-nistp256</elem>
<elem key="fingerprint">6e4e1341f2fed9e0f7275bededcc68c2</elem>
<elem key="bits">256</elem>
<elem key="key">AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEwHzrBpcTXWKbxBWhc6yfWMiWfWjPmUJv2QqB/c2tJDuGt/97OvgzC+Zs31X/IW2WM6P0rtrKemiz3C5mUE67k=</elem>
</table>
<table>
<elem key="type">ssh-ed25519</elem>
<elem key="fingerprint">80a7cd10e72fdb958b869b1b20652a98</elem>
<elem key="bits">256</elem>
<elem key="key">AAAAC3NzaC1lZDI1NTE5AAAAINnQ9frzL5hKjBf6oUklfUhQCMFuM0EtdYJOIxUiDuFl</elem>
</table>
</script></port>
</ports>
<times srtt="219535" rttvar="219535" to="1097675"/>
</host>
<taskbegin task="NSE" time="1676842853"/>
<taskend task="NSE" time="1676842853"/>
<taskbegin task="NSE" time="1676842853"/>
<taskend task="NSE" time="1676842853"/>
<runstats><finished time="1676842853" timestr="Sun Feb 19 22:40:53 2023" summary="Nmap done at Sun Feb 19 22:40:53 2023; 1 IP address (1 host up) scanned in 5.68 seconds" elapsed="5.68" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>

0
HTB/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_bagel.htb_vhosts_subdomains-top1million-110000.txt Normal file
View File

14
HTB/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_curl.html Normal file
View File

@@ -0,0 +1,14 @@
HTTP/1.1 302 FOUND
Server: Werkzeug/2.2.2 Python/3.10.9
Date: Sun, 19 Feb 2023 21:40:46 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 263
Location: http://bagel.htb:8000/?page=index.html
Connection: close
<!doctype html>
<html lang=en>
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to the target URL: <a href="http://bagel.htb:8000/?page=index.html">http://bagel.htb:8000/?page=index.html</a>. If not, click the link.

2
HTB/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_feroxbuster_dirbuster.txt Normal file
View File

@@ -0,0 +1,2 @@
302 GET 5l 22w 263c http://bagel.htb:8000/ => http://bagel.htb:8000/?page=index.html
200 GET 3l 37w 267c http://bagel.htb:8000/orders

128
HTB/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_nmap.txt Normal file
View File

@@ -0,0 +1,128 @@
# Nmap 7.93 scan initiated Sun Feb 19 22:40:48 2023 as: nmap -vv --reason -Pn -T4 -sV -p 8000 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_nmap.txt -oX /home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/xml/tcp_8000_http_nmap.xml bagel.htb
Nmap scan report for bagel.htb (10.129.132.58)
Host is up, received user-set (0.22s latency).
Scanned at 2023-02-19 22:40:50 CET for 639s
PORT STATE SERVICE REASON VERSION
8000/tcp open http-alt syn-ack ttl 63 Werkzeug/2.2.2 Python/3.10.9
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 NOT FOUND
| Server: Werkzeug/2.2.2 Python/3.10.9
| Date: Sun, 19 Feb 2023 21:41:00 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 207
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.1 302 FOUND
| Server: Werkzeug/2.2.2 Python/3.10.9
| Date: Sun, 19 Feb 2023 21:40:54 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 263
| Location: http://bagel.htb:8000/?page=index.html
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>Redirecting...</title>
| <h1>Redirecting...</h1>
| <p>You should be redirected automatically to the target URL: <a href="http://bagel.htb:8000/?page=index.html">http://bagel.htb:8000/?page=index.html</a>. If not, click the link.
| Socks5:
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request syntax ('
| ').</p>
| <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
| http-vhosts:
|_128 names had status 302
| http-passwd: Directory traversal found.
| Payload: "%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd"
| Printing first 250 bytes:
| root:x:0:0:root:/root:/bin/bash
| bin:x:1:1:bin:/bin:/sbin/nologin
| daemon:x:2:2:daemon:/sbin:/sbin/nologin
| adm:x:3:4:adm:/var/adm:/sbin/nologin
| lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
| sync:x:5:0:sync:/sbin:/bin/sync
|_shutdown:x:6:0:shutdown:/sbin:/sbin
|_http-server-header: Werkzeug/2.2.2 Python/3.10.9
|_http-chrono: Request times for /; avg: 325.48ms; min: 304.48ms; max: 370.37ms
|_http-malware-host: Host appears to be clean
| http-headers:
| Server: Werkzeug/2.2.2 Python/3.10.9
| Date: Sun, 19 Feb 2023 21:42:26 GMT
| Content-Disposition: inline; filename=index.html
| Content-Type: text/html; charset=utf-8
| Content-Length: 8698
| Last-Modified: Thu, 26 Jan 2023 17:40:39 GMT
| Cache-Control: no-cache
| ETag: "1674754839.6421967-8698-149884447"
| Date: Sun, 19 Feb 2023 21:42:26 GMT
| Connection: close
|
|_ (Request type: HEAD)
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
| http-title: Bagel &mdash; Free Website Template, Free HTML5 Template by fr...
|_Requested resource was http://bagel.htb:8000/?page=index.html
|_http-litespeed-sourcecode-download: Page: /index.php was not found. Try with an existing file.
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET
| http-waf-detect: IDS/IPS/WAF detected:
|_bagel.htb:8000/?p4yl04d3=<script>alert(document.cookie)</script>
| http-php-version: Logo query returned unknown hash 91a775c1133a6a0e6a2427a19819309f
|_Credits query returned unknown hash 91a775c1133a6a0e6a2427a19819309f
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8000-TCP:V=7.93%I=7%D=2/19%Time=63F29769%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,1EA,"HTTP/1\.1\x20302\x20FOUND\r\nServer:\x20Werkzeug/2\.2\.2\
SF:x20Python/3\.10\.9\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:40:54\x2
SF:0GMT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:
SF:\x20263\r\nLocation:\x20http://bagel\.htb:8000/\?page=index\.html\r\nCo
SF:nnection:\x20close\r\n\r\n<!doctype\x20html>\n<html\x20lang=en>\n<title
SF:>Redirecting\.\.\.</title>\n<h1>Redirecting\.\.\.</h1>\n<p>You\x20shoul
SF:d\x20be\x20redirected\x20automatically\x20to\x20the\x20target\x20URL:\x
SF:20<a\x20href=\"http://bagel\.htb:8000/\?page=index\.html\">http://bagel
SF:\.htb:8000/\?page=index\.html</a>\.\x20If\x20not,\x20click\x20the\x20li
SF:nk\.\n")%r(FourOhFourRequest,184,"HTTP/1\.1\x20404\x20NOT\x20FOUND\r\nS
SF:erver:\x20Werkzeug/2\.2\.2\x20Python/3\.10\.9\r\nDate:\x20Sun,\x2019\x2
SF:0Feb\x202023\x2021:41:00\x20GMT\r\nContent-Type:\x20text/html;\x20chars
SF:et=utf-8\r\nContent-Length:\x20207\r\nConnection:\x20close\r\n\r\n<!doc
SF:type\x20html>\n<html\x20lang=en>\n<title>404\x20Not\x20Found</title>\n<
SF:h1>Not\x20Found</h1>\n<p>The\x20requested\x20URL\x20was\x20not\x20found
SF:\x20on\x20the\x20server\.\x20If\x20you\x20entered\x20the\x20URL\x20manu
SF:ally\x20please\x20check\x20your\x20spelling\x20and\x20try\x20again\.</p
SF:>\n")%r(Socks5,213,"<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTM
SF:L\x204\.01//EN\"\n\x20\x20\x20\x20\x20\x20\x20\x20\"http://www\.w3\.org
SF:/TR/html4/strict\.dtd\">\n<html>\n\x20\x20\x20\x20<head>\n\x20\x20\x20\
SF:x20\x20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20content=\"te
SF:xt/html;charset=utf-8\">\n\x20\x20\x20\x20\x20\x20\x20\x20<title>Error\
SF:x20response</title>\n\x20\x20\x20\x20</head>\n\x20\x20\x20\x20<body>\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20<h1>Error\x20response</h1>\n\x20\x20\x20
SF:\x20\x20\x20\x20\x20<p>Error\x20code:\x20400</p>\n\x20\x20\x20\x20\x20\
SF:x20\x20\x20<p>Message:\x20Bad\x20request\x20syntax\x20\('\\x05\\x04\\x0
SF:0\\x01\\x02\\x80\\x05\\x01\\x00\\x03'\)\.</p>\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20<p>Error\x20code\x20explanation:\x20HTTPStatus\.BAD_REQUEST\x20
SF:-\x20Bad\x20request\x20syntax\x20or\x20unsupported\x20method\.</p>\n\x2
SF:0\x20\x20\x20</body>\n</html>\n");
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 19 22:51:29 2023 -- 1 IP address (1 host up) scanned in 641.14 seconds

BIN
HTB/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_screenshot.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 MiB

148
HTB/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_whatweb.txt Normal file
View File

@@ -0,0 +1,148 @@
WhatWeb report for http://bagel.htb:8000
Status : 302 Found
Title : Redirecting...
IP : 10.129.132.58
Country : RESERVED, ZZ
Summary : HTML5, HTTPServer[Werkzeug/2.2.2 Python/3.10.9], Python[3.10.9], RedirectLocation[http://bagel.htb:8000/?page=index.html], Werkzeug[2.2.2]
Detected Plugins:
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : Werkzeug/2.2.2 Python/3.10.9 (from server string)
[ Python ]
Python is a programming language that lets you work more
quickly and integrate your systems more effectively. You
can learn to use Python and see almost immediate gains in
productivity and lower maintenance costs.
Version : 3.10.9
Website : http://www.python.org/
[ RedirectLocation ]
HTTP Server string location. used with http-status 301 and
302
String : http://bagel.htb:8000/?page=index.html (from location)
[ Werkzeug ]
Werkzeug is a WSGI utility library for Python.
Version : 2.2.2
Website : http://werkzeug.pocoo.org/
HTTP Headers:
HTTP/1.1 302 FOUND
Server: Werkzeug/2.2.2 Python/3.10.9
Date: Sun, 19 Feb 2023 21:41:02 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 263
Location: http://bagel.htb:8000/?page=index.html
Connection: close
WhatWeb report for http://bagel.htb:8000/?page=index.html
Status : 200 OK
Title : Bagel &mdash; Free Website Template, Free HTML5 Template by freehtml5.co
IP : 10.129.132.58
Country : RESERVED, ZZ
Summary : Bootstrap, HTML5, HTTPServer[Werkzeug/2.2.2 Python/3.10.9], JQuery, Meta-Author[freehtml5.co], Modernizr[2.6.2.min], Open-Graph-Protocol, Python[3.10.9], Script, Werkzeug[2.2.2], X-UA-Compatible[IE=edge]
Detected Plugins:
[ Bootstrap ]
Bootstrap is an open source toolkit for developing with
HTML, CSS, and JS.
Website : https://getbootstrap.com/
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : Werkzeug/2.2.2 Python/3.10.9 (from server string)
[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.
Website : http://jquery.com/
[ Meta-Author ]
This plugin retrieves the author name from the meta name
tag - info:
http://www.webmarketingnow.com/tips/meta-tags-uncovered.html
#author
String : freehtml5.co
[ Modernizr ]
Modernizr adds classes to the <html> element which allow
you to target specific browser functionality in your
stylesheet. You don't actually need to write any Javascript
to use it. [JavaScript]
Version : 2.6.2.min
Website : http://www.modernizr.com/
[ Open-Graph-Protocol ]
The Open Graph protocol enables you to integrate your Web
pages into the social graph. It is currently designed for
Web pages representing profiles of real-world things .
things like movies, sports teams, celebrities, and
restaurants. Including Open Graph tags on your Web page,
makes your page equivalent to a Facebook Page.
[ Python ]
Python is a programming language that lets you work more
quickly and integrate your systems more effectively. You
can learn to use Python and see almost immediate gains in
productivity and lower maintenance costs.
Version : 3.10.9
Website : http://www.python.org/
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
[ Werkzeug ]
Werkzeug is a WSGI utility library for Python.
Version : 2.2.2
Website : http://werkzeug.pocoo.org/
[ X-UA-Compatible ]
This plugin retrieves the X-UA-Compatible value from the
HTTP header and meta http-equiv tag. - More Info:
http://msdn.microsoft.com/en-us/library/cc817574.aspx
String : IE=edge
HTTP Headers:
HTTP/1.1 200 OK
Server: Werkzeug/2.2.2 Python/3.10.9
Date: Sun, 19 Feb 2023 21:41:04 GMT
Content-Disposition: inline; filename=index.html
Content-Type: text/html; charset=utf-8
Content-Length: 8698
Last-Modified: Thu, 26 Jan 2023 17:40:39 GMT
Cache-Control: no-cache
ETag: "1674754839.6421967-8698-149884447"
Date: Sun, 19 Feb 2023 21:41:04 GMT
Connection: close

72
HTB/bagel/results/bagel.htb/scans/tcp8000/xml/tcp_8000_http_nmap.xml Normal file
View File

@@ -0,0 +1,72 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Sun Feb 19 22:40:48 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 8000 &quot;-&#45;script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)&quot; -oN /home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_nmap.txt -oX /home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/xml/tcp_8000_http_nmap.xml bagel.htb -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 8000 &quot;-&#45;script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)&quot; -oN /home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/tcp_8000_http_nmap.txt -oX /home/simon/htb/bagel/results/bagel.htb/scans/tcp8000/xml/tcp_8000_http_nmap.xml bagel.htb" start="1676842848" startstr="Sun Feb 19 22:40:48 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="syn" protocol="tcp" numservices="1" services="8000"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1676842850"/>
<taskend task="NSE" time="1676842850"/>
<taskbegin task="NSE" time="1676842850"/>
<taskend task="NSE" time="1676842850"/>
<taskbegin task="NSE" time="1676842850"/>
<taskend task="NSE" time="1676842850"/>
<taskbegin task="SYN Stealth Scan" time="1676842850"/>
<taskend task="SYN Stealth Scan" time="1676842851" extrainfo="1 total ports"/>
<taskbegin task="Service scan" time="1676842851"/>
<taskend task="Service scan" time="1676842947" extrainfo="1 service on 1 host"/>
<taskbegin task="NSE" time="1676842947"/>
<taskprogress task="NSE" time="1676842978" percent="98.98" remaining="1" etc="1676842978"/>
<taskprogress task="NSE" time="1676843008" percent="98.98" remaining="1" etc="1676843009"/>
<taskprogress task="NSE" time="1676843038" percent="99.66" remaining="1" etc="1676843038"/>
<taskprogress task="NSE" time="1676843068" percent="99.66" remaining="1" etc="1676843068"/>
<taskprogress task="NSE" time="1676843098" percent="99.66" remaining="1" etc="1676843099"/>
<taskprogress task="NSE" time="1676843128" percent="99.66" remaining="1" etc="1676843129"/>
<taskprogress task="NSE" time="1676843158" percent="99.66" remaining="1" etc="1676843159"/>
<taskprogress task="NSE" time="1676843188" percent="99.66" remaining="1" etc="1676843189"/>
<taskprogress task="NSE" time="1676843218" percent="99.66" remaining="1" etc="1676843219"/>
<taskprogress task="NSE" time="1676843248" percent="99.66" remaining="2" etc="1676843249"/>
<taskprogress task="NSE" time="1676843278" percent="99.66" remaining="2" etc="1676843279"/>
<taskprogress task="NSE" time="1676843308" percent="99.66" remaining="2" etc="1676843309"/>
<taskprogress task="NSE" time="1676843338" percent="99.66" remaining="2" etc="1676843339"/>
<taskprogress task="NSE" time="1676843368" percent="99.66" remaining="2" etc="1676843369"/>
<taskprogress task="NSE" time="1676843398" percent="99.66" remaining="2" etc="1676843400"/>
<taskprogress task="NSE" time="1676843428" percent="99.66" remaining="2" etc="1676843430"/>
<taskprogress task="NSE" time="1676843458" percent="99.66" remaining="2" etc="1676843460"/>
<taskend task="NSE" time="1676843486"/>
<taskbegin task="NSE" time="1676843486"/>
<taskend task="NSE" time="1676843489"/>
<taskbegin task="NSE" time="1676843489"/>
<taskend task="NSE" time="1676843489"/>
<host starttime="1676842850" endtime="1676843489"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.129.132.58" addrtype="ipv4"/>
<hostnames>
<hostname name="bagel.htb" type="user"/>
<hostname name="bagel.htb" type="PTR"/>
</hostnames>
<ports><port protocol="tcp" portid="8000"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="http-alt" product="Werkzeug/2.2.2 Python/3.10.9" servicefp="SF-Port8000-TCP:V=7.93%I=7%D=2/19%Time=63F29769%P=x86_64-pc-linux-gnu%r(GetRequest,1EA,&quot;HTTP/1\.1\x20302\x20FOUND\r\nServer:\x20Werkzeug/2\.2\.2\x20Python/3\.10\.9\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:40:54\x20GMT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20263\r\nLocation:\x20http://bagel\.htb:8000/\?page=index\.html\r\nConnection:\x20close\r\n\r\n&lt;!doctype\x20html&gt;\n&lt;html\x20lang=en&gt;\n&lt;title&gt;Redirecting\.\.\.&lt;/title&gt;\n&lt;h1&gt;Redirecting\.\.\.&lt;/h1&gt;\n&lt;p&gt;You\x20should\x20be\x20redirected\x20automatically\x20to\x20the\x20target\x20URL:\x20&lt;a\x20href=\&quot;http://bagel\.htb:8000/\?page=index\.html\&quot;&gt;http://bagel\.htb:8000/\?page=index\.html&lt;/a&gt;\.\x20If\x20not,\x20click\x20the\x20link\.\n&quot;)%r(FourOhFourRequest,184,&quot;HTTP/1\.1\x20404\x20NOT\x20FOUND\r\nServer:\x20Werkzeug/2\.2\.2\x20Python/3\.10\.9\r\nDate:\x20Sun,\x2019\x20Feb\x202023\x2021:41:00\x20GMT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20207\r\nConnection:\x20close\r\n\r\n&lt;!doctype\x20html&gt;\n&lt;html\x20lang=en&gt;\n&lt;title&gt;404\x20Not\x20Found&lt;/title&gt;\n&lt;h1&gt;Not\x20Found&lt;/h1&gt;\n&lt;p&gt;The\x20requested\x20URL\x20was\x20not\x20found\x20on\x20the\x20server\.\x20If\x20you\x20entered\x20the\x20URL\x20manually\x20please\x20check\x20your\x20spelling\x20and\x20try\x20again\.&lt;/p&gt;\n&quot;)%r(Socks5,213,&quot;&lt;!DOCTYPE\x20HTML\x20PUBLIC\x20\&quot;-//W3C//DTD\x20HTML\x204\.01//EN\&quot;\n\x20\x20\x20\x20\x20\x20\x20\x20\&quot;http://www\.w3\.org/TR/html4/strict\.dtd\&quot;&gt;\n&lt;html&gt;\n\x20\x20\x20\x20&lt;head&gt;\n\x20\x20\x20\x20\x20\x20\x20\x20&lt;meta\x20http-equiv=\&quot;Content-Type\&quot;\x20content=\&quot;text/html;charset=utf-8\&quot;&gt;\n\x20\x20\x20\x20\x20\x20\x20\x20&lt;title&gt;Error\x20response&lt;/title&gt;\n\x20\x20\x20\x20&lt;/head&gt;\n\x20\x20\x20\x20&lt;body&gt;\n\x20\x20\x20\x20\x20\x20\x20\x20&lt;h1&gt;Error\x20response&lt;/h1&gt;\n\x20\x20\x20\x20\x20\x20\x20\x20&lt;p&gt;Error\x20code:\x20400&lt;/p&gt;\n\x20\x20\x20\x20\x20\x20\x20\x20&lt;p&gt;Message:\x20Bad\x20request\x20syntax\x20\(&apos;\\x05\\x04\\x00\\x01\\x02\\x80\\x05\\x01\\x00\\x03&apos;\)\.&lt;/p&gt;\n\x20\x20\x20\x20\x20\x20\x20\x20&lt;p&gt;Error\x20code\x20explanation:\x20HTTPStatus\.BAD_REQUEST\x20-\x20Bad\x20request\x20syntax\x20or\x20unsupported\x20method\.&lt;/p&gt;\n\x20\x20\x20\x20&lt;/body&gt;\n&lt;/html&gt;\n&quot;);" method="probed" conf="10"/><script id="http-drupal-enum" output="Nothing found amongst the top 100 resources,use -&#45;script-args number=&lt;number|all&gt; for deeper analysis)"/><script id="http-fetch" output="Please enter the complete path of the directory to save data in."><elem key="ERROR">Please enter the complete path of the directory to save data in.</elem>
</script><script id="http-wordpress-enum" output="Nothing found amongst the top 100 resources,use -&#45;script-args search-limit=&lt;number|all&gt; for deeper analysis)"/><script id="http-wordpress-users" output="[Error] Wordpress installation was not found. We couldn&apos;t find wp-login.php"/><script id="fingerprint-strings" output="&#xa; FourOhFourRequest: &#xa; HTTP/1.1 404 NOT FOUND&#xa; Server: Werkzeug/2.2.2 Python/3.10.9&#xa; Date: Sun, 19 Feb 2023 21:41:00 GMT&#xa; Content-Type: text/html; charset=utf-8&#xa; Content-Length: 207&#xa; Connection: close&#xa; &lt;!doctype html&gt;&#xa; &lt;html lang=en&gt;&#xa; &lt;title&gt;404 Not Found&lt;/title&gt;&#xa; &lt;h1&gt;Not Found&lt;/h1&gt;&#xa; &lt;p&gt;The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.&lt;/p&gt;&#xa; GetRequest: &#xa; HTTP/1.1 302 FOUND&#xa; Server: Werkzeug/2.2.2 Python/3.10.9&#xa; Date: Sun, 19 Feb 2023 21:40:54 GMT&#xa; Content-Type: text/html; charset=utf-8&#xa; Content-Length: 263&#xa; Location: http://bagel.htb:8000/?page=index.html&#xa; Connection: close&#xa; &lt;!doctype html&gt;&#xa; &lt;html lang=en&gt;&#xa; &lt;title&gt;Redirecting...&lt;/title&gt;&#xa; &lt;h1&gt;Redirecting...&lt;/h1&gt;&#xa; &lt;p&gt;You should be redirected automatically to the target URL: &lt;a href=&quot;http://bagel.htb:8000/?page=index.html&quot;&gt;http://bagel.htb:8000/?page=index.html&lt;/a&gt;. If not, click the link.&#xa; Socks5: &#xa; &lt;!DOCTYPE HTML PUBLIC &quot;-//W3C//DTD HTML 4.01//EN&quot;&#xa; &quot;http://www.w3.org/TR/html4/strict.dtd&quot;&gt;&#xa; &lt;html&gt;&#xa; &lt;head&gt;&#xa; &lt;meta http-equiv=&quot;Content-Type&quot; content=&quot;text/html;charset=utf-8&quot;&gt;&#xa; &lt;title&gt;Error response&lt;/title&gt;&#xa; &lt;/head&gt;&#xa; &lt;body&gt;&#xa; &lt;h1&gt;Error response&lt;/h1&gt;&#xa; &lt;p&gt;Error code: 400&lt;/p&gt;&#xa; &lt;p&gt;Message: Bad request syntax (&apos;&#xa; &apos;).&lt;/p&gt;&#xa; &lt;p&gt;Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.&lt;/p&gt;&#xa; &lt;/body&gt;&#xa; &lt;/html&gt;"><elem key="FourOhFourRequest">&#xa; HTTP/1.1 404 NOT FOUND&#xa; Server: Werkzeug/2.2.2 Python/3.10.9&#xa; Date: Sun, 19 Feb 2023 21:41:00 GMT&#xa; Content-Type: text/html; charset=utf-8&#xa; Content-Length: 207&#xa; Connection: close&#xa; &lt;!doctype html&gt;&#xa; &lt;html lang=en&gt;&#xa; &lt;title&gt;404 Not Found&lt;/title&gt;&#xa; &lt;h1&gt;Not Found&lt;/h1&gt;&#xa; &lt;p&gt;The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.&lt;/p&gt;</elem>
<elem key="GetRequest">&#xa; HTTP/1.1 302 FOUND&#xa; Server: Werkzeug/2.2.2 Python/3.10.9&#xa; Date: Sun, 19 Feb 2023 21:40:54 GMT&#xa; Content-Type: text/html; charset=utf-8&#xa; Content-Length: 263&#xa; Location: http://bagel.htb:8000/?page=index.html&#xa; Connection: close&#xa; &lt;!doctype html&gt;&#xa; &lt;html lang=en&gt;&#xa; &lt;title&gt;Redirecting...&lt;/title&gt;&#xa; &lt;h1&gt;Redirecting...&lt;/h1&gt;&#xa; &lt;p&gt;You should be redirected automatically to the target URL: &lt;a href=&quot;http://bagel.htb:8000/?page=index.html&quot;&gt;http://bagel.htb:8000/?page=index.html&lt;/a&gt;. If not, click the link.</elem>
<elem key="Socks5">&#xa; &lt;!DOCTYPE HTML PUBLIC &quot;-//W3C//DTD HTML 4.01//EN&quot;&#xa; &quot;http://www.w3.org/TR/html4/strict.dtd&quot;&gt;&#xa; &lt;html&gt;&#xa; &lt;head&gt;&#xa; &lt;meta http-equiv=&quot;Content-Type&quot; content=&quot;text/html;charset=utf-8&quot;&gt;&#xa; &lt;title&gt;Error response&lt;/title&gt;&#xa; &lt;/head&gt;&#xa; &lt;body&gt;&#xa; &lt;h1&gt;Error response&lt;/h1&gt;&#xa; &lt;p&gt;Error code: 400&lt;/p&gt;&#xa; &lt;p&gt;Message: Bad request syntax (&apos;&#xa; &apos;).&lt;/p&gt;&#xa; &lt;p&gt;Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.&lt;/p&gt;&#xa; &lt;/body&gt;&#xa; &lt;/html&gt;</elem>
</script><script id="http-vhosts" output="&#xa;128 names had status 302"/><script id="http-passwd" output="Directory traversal found.&#xa;Payload: &quot;%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd&quot;&#xa;Printing first 250 bytes:&#xa;root:x:0:0:root:/root:/bin/bash&#xa;bin:x:1:1:bin:/bin:/sbin/nologin&#xa;daemon:x:2:2:daemon:/sbin:/sbin/nologin&#xa;adm:x:3:4:adm:/var/adm:/sbin/nologin&#xa;lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin&#xa;sync:x:5:0:sync:/sbin:/bin/sync&#xa;shutdown:x:6:0:shutdown:/sbin:/sbin"/><script id="http-server-header" output="Werkzeug/2.2.2 Python/3.10.9"><elem>Werkzeug/2.2.2 Python/3.10.9</elem>
</script><script id="http-chrono" output="Request times for /; avg: 325.48ms; min: 304.48ms; max: 370.37ms"/><script id="http-malware-host" output="Host appears to be clean"/><script id="http-headers" output="&#xa; Server: Werkzeug/2.2.2 Python/3.10.9&#xa; Date: Sun, 19 Feb 2023 21:42:26 GMT&#xa; Content-Disposition: inline; filename=index.html&#xa; Content-Type: text/html; charset=utf-8&#xa; Content-Length: 8698&#xa; Last-Modified: Thu, 26 Jan 2023 17:40:39 GMT&#xa; Cache-Control: no-cache&#xa; ETag: &quot;1674754839.6421967-8698-149884447&quot;&#xa; Date: Sun, 19 Feb 2023 21:42:26 GMT&#xa; Connection: close&#xa; &#xa; (Request type: HEAD)&#xa;"/><script id="http-jsonp-detection" output="Couldn&apos;t find any JSONP endpoints."/><script id="http-config-backup" output="ERROR: Script execution failed (use -d to debug)"/><script id="http-title" output="Bagel &amp;mdash; Free Website Template, Free HTML5 Template by fr...&#xa;Requested resource was http://bagel.htb:8000/?page=index.html"><elem key="title">Bagel &amp;mdash; Free Website Template, Free HTML5 Template by freehtml5.co</elem>
<elem key="redirect_url">http://bagel.htb:8000/?page=index.html</elem>
</script><script id="http-litespeed-sourcecode-download" output="Page: /index.php was not found. Try with an existing file."/><script id="http-methods" output="&#xa; Supported Methods: OPTIONS HEAD GET"><table key="Supported Methods">
<elem>OPTIONS</elem>
<elem>HEAD</elem>
<elem>GET</elem>
</table>
</script><script id="http-waf-detect" output="IDS/IPS/WAF detected:&#xa;bagel.htb:8000/?p4yl04d3=&lt;script&gt;alert(document.cookie)&lt;/script&gt;"/><script id="http-php-version" output="Logo query returned unknown hash 91a775c1133a6a0e6a2427a19819309f&#xa;Credits query returned unknown hash 91a775c1133a6a0e6a2427a19819309f"/></port>
</ports>
<times srtt="224891" rttvar="224891" to="1124455"/>
</host>
<taskbegin task="NSE" time="1676843489"/>
<taskend task="NSE" time="1676843489"/>
<taskbegin task="NSE" time="1676843489"/>
<taskend task="NSE" time="1676843489"/>
<taskbegin task="NSE" time="1676843489"/>
<taskend task="NSE" time="1676843489"/>
<runstats><finished time="1676843489" timestr="Sun Feb 19 22:51:29 2023" summary="Nmap done at Sun Feb 19 22:51:29 2023; 1 IP address (1 host up) scanned in 641.14 seconds" elapsed="641.14" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>

146
HTB/bagel/results/bagel.htb/scans/xml/_full_tcp_nmap.xml Normal file
View File

File diff suppressed because one or more lines are too long

128
HTB/bagel/results/bagel.htb/scans/xml/_quick_tcp_nmap.xml Normal file
View File

File diff suppressed because one or more lines are too long

71
HTB/bagel/results/bagel.htb/scans/xml/_top_100_udp_nmap.xml Normal file
View File

@@ -0,0 +1,71 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Sun Feb 19 22:35:24 2023 as: nmap -vv -&#45;reason -Pn -T4 -sU -A -&#45;top-ports 100 -oN /home/simon/htb/bagel/results/bagel.htb/scans/_top_100_udp_nmap.txt -oX /home/simon/htb/bagel/results/bagel.htb/scans/xml/_top_100_udp_nmap.xml bagel.htb -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sU -A -&#45;top-ports 100 -oN /home/simon/htb/bagel/results/bagel.htb/scans/_top_100_udp_nmap.txt -oX /home/simon/htb/bagel/results/bagel.htb/scans/xml/_top_100_udp_nmap.xml bagel.htb" start="1676842524" startstr="Sun Feb 19 22:35:24 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="udp" protocol="udp" numservices="100" services="7,9,17,19,49,53,67-69,80,88,111,120,123,135-139,158,161-162,177,427,443,445,497,500,514-515,518,520,593,623,626,631,996-999,1022-1023,1025-1030,1433-1434,1645-1646,1701,1718-1719,1812-1813,1900,2000,2048-2049,2222-2223,3283,3456,3703,4444,4500,5000,5060,5353,5632,9200,10000,17185,20031,30718,31337,32768-32769,32771,32815,33281,49152-49154,49156,49181-49182,49185-49186,49188,49190-49194,49200-49201,65024"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1676842525"/>
<taskend task="NSE" time="1676842525"/>
<taskbegin task="NSE" time="1676842525"/>
<taskend task="NSE" time="1676842525"/>
<taskbegin task="NSE" time="1676842525"/>
<taskend task="NSE" time="1676842525"/>
<taskbegin task="UDP Scan" time="1676842525"/>
<taskend task="UDP Scan" time="1676842610" extrainfo="100 total ports"/>
<taskbegin task="Service scan" time="1676842610"/>
<taskprogress task="Service scan" time="1676842676" percent="8.33" remaining="726" etc="1676843402"/>
<taskend task="Service scan" time="1676842684" extrainfo="12 services on 1 host"/>
<taskbegin task="Traceroute" time="1676842686"/>
<taskend task="Traceroute" time="1676842686"/>
<taskbegin task="Parallel DNS resolution of 1 host." time="1676842686"/>
<taskend task="Parallel DNS resolution of 1 host." time="1676842686"/>
<taskbegin task="NSE" time="1676842686"/>
<taskprogress task="NSE" time="1676842717" percent="99.70" remaining="1" etc="1676842717"/>
<taskend task="NSE" time="1676842719"/>
<taskbegin task="NSE" time="1676842719"/>
<taskend task="NSE" time="1676842720"/>
<taskbegin task="NSE" time="1676842720"/>
<taskend task="NSE" time="1676842720"/>
<host starttime="1676842525" endtime="1676842720"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.129.132.58" addrtype="ipv4"/>
<hostnames>
<hostname name="bagel.htb" type="user"/>
<hostname name="bagel.htb" type="PTR"/>
</hostnames>
<ports><extraports state="closed" count="88">
<extrareasons reason="port-unreach" count="88" proto="udp" ports="7,9,17,19,49,67-69,80,88,120,123,135-136,138-139,158,161-162,177,427,443,445,497,500,514-515,518,520,593,623,626,631,996-999,1022-1023,1025-1026,1028-1030,1434,1646,1701,1718-1719,1812-1813,2000,2048-2049,2222-2223,3283,3456,3703,4444,5000,5060,5353,5632,9200,10000,17185,20031,30718,31337,32768-32769,32771,49153-49154,49156,49181-49182,49186,49188,49190-49194,49200-49201,65024"/>
</extraports>
<port protocol="udp" portid="53"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="domain" method="table" conf="3"/></port>
<port protocol="udp" portid="111"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="rpcbind" method="table" conf="3"/></port>
<port protocol="udp" portid="137"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="netbios-ns" method="table" conf="3"/></port>
<port protocol="udp" portid="1027"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="1433"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="ms-sql-s" method="table" conf="3"/></port>
<port protocol="udp" portid="1645"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="radius" method="table" conf="3"/></port>
<port protocol="udp" portid="1900"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="upnp" method="table" conf="3"/></port>
<port protocol="udp" portid="4500"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="nat-t-ike" method="table" conf="3"/></port>
<port protocol="udp" portid="32815"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="33281"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="49152"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="49185"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="unknown" method="table" conf="3"/></port>
</ports>
<os><portused state="closed" proto="udp" portid="7"/>
<osfingerprint fingerprint="SCAN(V=7.93%E=4%D=2/19%OT=%CT=%CU=7%PV=Y%DS=2%DC=T%G=N%TM=63F296E0%P=x86_64-pc-linux-gnu)&#xa;SEQ(CI=Z%II=I)&#xa;T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)&#xa;T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)&#xa;T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)&#xa;U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)&#xa;IE(R=Y%DFI=N%T=40%CD=S)&#xa;"/>
</os>
<distance value="2"/>
<trace port="32769" proto="udp">
<hop ttl="1" ipaddr="10.10.16.1" rtt="130.31"/>
<hop ttl="2" ipaddr="10.129.132.58" rtt="130.44" host="bagel.htb"/>
</trace>
<times srtt="196036" rttvar="40655" to="358656"/>
</host>
<taskbegin task="NSE" time="1676842720"/>
<taskend task="NSE" time="1676842720"/>
<taskbegin task="NSE" time="1676842720"/>
<taskend task="NSE" time="1676842720"/>
<taskbegin task="NSE" time="1676842720"/>
<taskend task="NSE" time="1676842720"/>
<runstats><finished time="1676842720" timestr="Sun Feb 19 22:38:40 2023" summary="Nmap done at Sun Feb 19 22:38:40 2023; 1 IP address (1 host up) scanned in 196.66 seconds" elapsed="196.66" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>