old htb folders
2023-08-29 21:53:22 +02:00
parent 62ab804867
commit 82b0759f1e
21891 changed files with 6277643 additions and 0 deletions

@@ -0,0 +1,8 @@
[*] ssh found on tcp/22.
[*] http found on tcp/3000.

@@ -0,0 +1,29 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/htb/derailed/results/derailed.htb/scans/_quick_tcp_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/xml/_quick_tcp_nmap.xml" derailed.htb
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/htb/derailed/results/derailed.htb/scans/_full_tcp_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/xml/_full_tcp_nmap.xml" derailed.htb
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/htb/derailed/results/derailed.htb/scans/_top_100_udp_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/xml/_top_100_udp_nmap.xml" derailed.htb
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/simon/htb/derailed/results/derailed.htb/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml" derailed.htb
feroxbuster -u http://derailed.htb:3000/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_feroxbuster_dirbuster.txt"
curl -sSikf http://derailed.htb:3000/.well-known/security.txt
curl -sSikf http://derailed.htb:3000/robots.txt
curl -sSik http://derailed.htb:3000/
nmap -vv --reason -Pn -T4 -sV -p 3000 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/xml/tcp_3000_http_nmap.xml" derailed.htb
curl -sk -o /dev/null -H "Host: NkoFGoOnXcvbfluPanbk.derailed.htb" http://derailed.htb:3000/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://derailed.htb:3000 2>&1
wkhtmltoimage --format png http://derailed.htb:3000/ /home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_screenshot.png
ffuf -u http://derailed.htb:3000/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.derailed.htb" -fs 4774 -noninteractive -s | tee "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_derailed.htb_vhosts_subdomains-top1million-110000.txt"
```
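Review bot: the commands in this file mix two home directories: the feroxbuster wordlist is read from `/root/.local/share/AutoRecon/wordlists/dirbuster.txt` while every `-o`/`-oN` output path is under `/home/simon/htb/derailed/results/`, so the run either executed as root with output pointed at the user's tree or will not reproduce from a non-root account; a repo-relative results prefix would make the file reusable. The `ffuf ... -fs 4774` vhost line also deserves a comment saying that 4774 is the `%{size_download}` measured by the preceding random-`Host` curl, so the filter value is re-derived rather than copied if the catch-all page changes.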

@@ -0,0 +1,35 @@
```bash
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/simon/htb/derailed/results/derailed.htb/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://derailed.htb
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/simon/htb/derailed/results/derailed.htb/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h derailed.htb
[*] http on tcp/3000
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://derailed.htb:3000 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 3000 -o "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_auth_hydra.txt" http-get://derailed.htb/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 3000 -O "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_auth_medusa.txt" -M http -h derailed.htb -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 3000 -o "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_form_hydra.txt" http-post-form://derailed.htb/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 3000 -O "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_form_medusa.txt" -M web-form -h derailed.htb -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://derailed.htb:3000 2>&1 | tee "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://derailed.htb:3000/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_wpscan.txt"
```
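Review bot: this block is fenced as `bash` but the `[*]` and `[-]` annotation lines are not shell, so it cannot be pasted or sourced as a script; fence it as plain text or prefix those lines with `#`. The hydra and medusa lines also still carry the AutoRecon placeholders `/path/to/auth/area` and `/path/to/login.php` together with the "don't run these without modifying them" warning, so they are templates rather than commands that were run; the file should say which, if any, were actually executed so the committed results are not misread as a completed credential check.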

@@ -0,0 +1,2 @@
Identified HTTP Server: nginx/1.18.0
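Review bot: `nginx/1.18.0` is only the front-end banner; the `_simple_rails_session` cookie on the index response and the `http-devframework: RoR detected` script result elsewhere in this commit show a Rails application behind it, so this summary line understates the stack and should name the framework as well as the proxy.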

@@ -0,0 +1,63 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/htb/derailed/results/derailed.htb/scans/_full_tcp_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/xml/_full_tcp_nmap.xml" derailed.htb
```
[/home/simon/htb/derailed/results/derailed.htb/scans/_full_tcp_nmap.txt](file:///home/simon/htb/derailed/results/derailed.htb/scans/_full_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Thu Feb 16 16:44:43 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/simon/htb/derailed/results/derailed.htb/scans/_full_tcp_nmap.txt -oX /home/simon/htb/derailed/results/derailed.htb/scans/xml/_full_tcp_nmap.xml derailed.htb
adjust_timeouts2: packet supposedly had rtt of -408552 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -408552 microseconds. Ignoring time.
Nmap scan report for derailed.htb (10.10.11.190)
Host is up, received user-set (0.033s latency).
Scanned at 2023-02-16 16:44:44 CET for 129s
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 1623b09ade0e3492cb2b18170ff27b1a (RSA)
| ssh-rsa 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
| 256 50445e886b3e4b5bf9341dede52d91df (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOcuzOG7Q6l3ZLFmocqRTs2dXqiG3ii2rshcQ6a10XAVba0QPP9+ipfc/NyLuCZRYFJzbTb0ibspjj7/+Bdlqc0=
| 256 0abd9223df44026f278da6abb4077837 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO78ti8QXn0bimoisaTT8uaxll+KTaGyXrQHpnBKuXoT
3000/tcp open http syn-ack ttl 63 nginx 1.18.0
|_http-title: derailed.htb
|_http-server-header: nginx/1.18.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 4.15 - 5.6 (92%), Linux 5.0 - 5.4 (91%), Linux 5.3 - 5.4 (91%), Linux 2.6.32 (91%), Linux 5.0 (90%), Linux 5.0 - 5.3 (90%), Linux 5.4 (90%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=2/16%OT=22%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=63EE4FED%P=x86_64-pc-linux-gnu)
SEQ(SP=103%GCD=1%ISR=10C%TI=Z%TS=A)
SEQ(SP=103%GCD=1%ISR=10C%TI=Z%II=I%TS=A)
OPS(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%O6=M54EST11)
WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 41.758 days (since Thu Jan 5 22:35:19 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 29.13 ms 10.10.16.1
2 29.31 ms derailed.htb (10.10.11.190)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 16 16:46:53 2023 -- 1 IP address (1 host up) scanned in 130.27 seconds
```
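Review bot: the link on the line above the output points at `file:///home/simon/htb/...`, which resolves only on the author's machine; a repository-relative path would keep the cross-reference working for other readers (the same applies to every scan file in this commit). The two `adjust_timeouts2: packet supposedly had rtt of -408552 microseconds` lines are nmap timing noise from clock skew over the VPN and can be ignored, and the `Aggressive OS guesses` list should not be recorded as a finding: nmap itself flags it with `Missing a closed TCP port so results incomplete`, since only 22 and 3000 answered and everything else was filtered.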

@@ -0,0 +1,32 @@
```bash
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/htb/derailed/results/derailed.htb/scans/_top_100_udp_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/xml/_top_100_udp_nmap.xml" derailed.htb
```
[/home/simon/htb/derailed/results/derailed.htb/scans/_top_100_udp_nmap.txt](file:///home/simon/htb/derailed/results/derailed.htb/scans/_top_100_udp_nmap.txt):
```
# Nmap 7.93 scan initiated Thu Feb 16 16:44:43 2023 as: nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN /home/simon/htb/derailed/results/derailed.htb/scans/_top_100_udp_nmap.txt -oX /home/simon/htb/derailed/results/derailed.htb/scans/xml/_top_100_udp_nmap.xml derailed.htb
Nmap scan report for derailed.htb (10.10.11.190)
Host is up, received user-set (0.053s latency).
Scanned at 2023-02-16 16:44:44 CET for 1810s
All 100 scanned ports on derailed.htb (10.10.11.190) are in ignored states.
Not shown: 100 open|filtered udp ports (no-response)
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=2/16%OT=%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=63EE567E%P=x86_64-pc-linux-gnu)
SEQ(II=I)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Network Distance: 2 hops
TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 41.15 ms 10.10.16.1
2 60.48 ms derailed.htb (10.10.11.190)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 16 17:14:54 2023 -- 1 IP address (1 host up) scanned in 1812.15 seconds
```
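Review bot: `Not shown: 100 open|filtered udp ports (no-response)` means every probe went unanswered, so this run (`scanned in 1812.15 seconds`, about 30 minutes) establishes nothing about UDP services; `open|filtered` is not `closed`. Record the UDP result as inconclusive rather than "no UDP ports", and note that `-Pn -A` against a host that silently drops UDP is why the scan took this long for an empty result.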

@@ -0,0 +1,60 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/htb/derailed/results/derailed.htb/scans/_quick_tcp_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/xml/_quick_tcp_nmap.xml" derailed.htb
```
[/home/simon/htb/derailed/results/derailed.htb/scans/_quick_tcp_nmap.txt](file:///home/simon/htb/derailed/results/derailed.htb/scans/_quick_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Thu Feb 16 16:44:43 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/simon/htb/derailed/results/derailed.htb/scans/_quick_tcp_nmap.txt -oX /home/simon/htb/derailed/results/derailed.htb/scans/xml/_quick_tcp_nmap.xml derailed.htb
Nmap scan report for derailed.htb (10.10.11.190)
Host is up, received user-set (0.048s latency).
Scanned at 2023-02-16 16:44:44 CET for 26s
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 1623b09ade0e3492cb2b18170ff27b1a (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDdUXlqsdBNnvsMMjPnLQq5YmKAP1g4DZjG7087OK4/TnwDXw64YCRBT8n93hLtaESx4Mlv5b9FgsMY1dK48Bik9YdTrJeA4dHh2gp2f0Hpi0PN+fnnRjFEdfflnYesJYg+Q5QdOJWV/jVE+n1MEvuXKvpzz2HaSqL4fK/uWTfd/078xrGDJLMHRWKBlRg8y22T1RTPArXIFShFHIVTARkWDqVazH+Hw91hcxJQLc8aJ/x/6jjNifqeH0Xv5FJq8Cf0DxVkYVSuliGMQUWTHO5xwN04C9CIdzKmFOsnK5HRzIFxdn80SLDPC2tioCuEL+HJbmAvy4qxVbIQzt9siteZG83Ty/OGZ8kvgY1mXAIwdyR3i4SIXhEMJ6s/pUXyw+ZqQtiwms4foPnZ8zCrAZTIxMA63lwVlFg9o7dtyj4p1dKeyAqDDRGoLAl+MUv7S3vhXhBj5AD8ve6T0Oy00Hw8wgS4aLExqAgPPW33aEytksturHibKOyaKzt+Rw7Ayuk=
| 256 50445e886b3e4b5bf9341dede52d91df (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOcuzOG7Q6l3ZLFmocqRTs2dXqiG3ii2rshcQ6a10XAVba0QPP9+ipfc/NyLuCZRYFJzbTb0ibspjj7/+Bdlqc0=
| 256 0abd9223df44026f278da6abb4077837 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO78ti8QXn0bimoisaTT8uaxll+KTaGyXrQHpnBKuXoT
3000/tcp open http syn-ack ttl 63 nginx 1.18.0
|_http-server-header: nginx/1.18.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-title: derailed.htb
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 4.15 - 5.6 (92%), Linux 5.0 - 5.4 (91%), Linux 5.3 - 5.4 (91%), Linux 2.6.32 (91%), Linux 5.0 (90%), Linux 5.0 - 5.3 (90%), Linux 5.4 (90%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=2/16%OT=22%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=63EE4F87%P=x86_64-pc-linux-gnu)
SEQ(SP=101%GCD=1%ISR=10C%TI=Z%II=I%TS=A)
OPS(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%O6=M54EST11)
WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 41.757 days (since Thu Jan 5 22:35:19 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 56.03 ms 10.10.16.1
2 56.06 ms derailed.htb (10.10.11.190)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 16 16:45:11 2023 -- 1 IP address (1 host up) scanned in 28.24 seconds
```
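Review bot: this top-1000 scan is fully subsumed by the `-p-` full scan committed alongside it (same two ports, same host key fingerprints, same OS guess and the same `Missing a closed TCP port` caveat), so keeping both adds sixty lines of duplicate output; if both stay, a one-line note that the full scan found nothing beyond ports 22 and 3000 would save the next reader a diff of the two files.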

@@ -0,0 +1,70 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/simon/htb/derailed/results/derailed.htb/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml" derailed.htb
```
[/home/simon/htb/derailed/results/derailed.htb/scans/tcp22/tcp_22_ssh_nmap.txt](file:///home/simon/htb/derailed/results/derailed.htb/scans/tcp22/tcp_22_ssh_nmap.txt):
```
# Nmap 7.93 scan initiated Thu Feb 16 16:45:11 2023 as: nmap -vv --reason -Pn -T4 -sV -p 22 --script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/simon/htb/derailed/results/derailed.htb/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/simon/htb/derailed/results/derailed.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml derailed.htb
Nmap scan report for derailed.htb (10.10.11.190)
Host is up, received user-set (0.028s latency).
Scanned at 2023-02-16 16:45:12 CET for 1s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 1623b09ade0e3492cb2b18170ff27b1a (RSA)
| ssh-rsa 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
| 256 50445e886b3e4b5bf9341dede52d91df (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOcuzOG7Q6l3ZLFmocqRTs2dXqiG3ii2rshcQ6a10XAVba0QPP9+ipfc/NyLuCZRYFJzbTb0ibspjj7/+Bdlqc0=
| 256 0abd9223df44026f278da6abb4077837 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO78ti8QXn0bimoisaTT8uaxll+KTaGyXrQHpnBKuXoT
| ssh2-enum-algos:
| kex_algorithms: (9)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| diffie-hellman-group14-sha256
| server_host_key_algorithms: (5)
| rsa-sha2-512
| rsa-sha2-256
| ssh-rsa
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (6)
| chacha20-poly1305@openssh.com
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| mac_algorithms: (10)
| umac-64-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-64@openssh.com
| umac-128@openssh.com
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms: (1)
|_ none
|_banner: SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 16 16:45:13 2023 -- 1 IP address (1 host up) scanned in 2.07 seconds
```
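Review bot: the `ssh2-enum-algos` and `ssh-auth-methods` sections contain the actual SSH hardening observations and deserve a line in the notes instead of being left in raw output: the server still offers `ssh-rsa` (SHA-1 signatures) in `server_host_key_algorithms`, `hmac-sha1` and `hmac-sha1-etm@openssh.com` among the MACs, and `password` authentication is enabled alongside `publickey`. The banner `OpenSSH_8.4p1 Debian-5+deb11u1` is the stock Debian 11 package, so the version string by itself is not a finding; the algorithm and authentication-method choices are.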

@@ -0,0 +1,20 @@
```bash
curl -sSikf http://derailed.htb:3000/robots.txt
```
[/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_curl-robots.txt](file:///home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_curl-robots.txt):
```
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Thu, 16 Feb 2023 15:45:11 GMT
Content-Type: text/plain
Content-Length: 99
Connection: keep-alive
Last-Modified: Wed, 25 May 2022 19:18:45 GMT
Expires: Thu, 16 Feb 2023 15:45:10 GMT
Cache-Control: no-cache
# See https://www.robotstxt.org/robotstxt.html for documentation on how to use the robots.txt file
```
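Review bot: the 99-byte body is only the comment `# See https://www.robotstxt.org/robotstxt.html ...`, which is the stock `public/robots.txt` that `rails new` generates, with no `User-agent` or `Disallow` entries; record it as "default Rails robots.txt, nothing disclosed" so nobody re-reads the capture, and note that it corroborates the Rails fingerprint from the `_simple_rails_session` cookie on the index response.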

@@ -0,0 +1,159 @@
```bash
curl -sSik http://derailed.htb:3000/
```
[/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_curl.html](file:///home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_curl.html):
```
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Thu, 16 Feb 2023 15:45:11 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Link: </packs/js/application-135b5cfa2df817d08f14.js>; rel=preload; as=script; nopush
Vary: Accept
ETag: W/"b91a8efb6a825d68e38d6699074408ae"
Cache-Control: no-cache
Set-Cookie: _simple_rails_session=VeYoCmGHghenr7wwQLcf%2BDrNgdM5%2BGsQ2gl5%2F4I3btsVC2BeWkmYQDiwN2UeS9mIsuUFx9bZyboVLrJ%2B%2BJgowTMU9QppzJaDqcIC%2FlUlfLLDQ7lDx2CUj1RWEQvmqVQ4j7oLknpuUTBQyHZHI8uTfQA7wYBOlgfgvn6LYdXpvVkx03gI%2FtDpcgRuBkxvw3h9ndQ7MBA8OXp9iNwUiiCiGi%2FOb%2FWlaKZqjokfuTGw2qIKk0vbZAA6Q4ltvI8eaGhbKwCITJo4jXeiM8LxUtJGSQU6Mpw1hpcY21ULB%2Bs%3D--FFPX%2FtBnxMH8Fo52--emykyQaq2bu%2BZnwDa8c95g%3D%3D; path=/; HttpOnly; SameSite=Lax
X-Request-Id: 61fbfc99-63b4-484e-8fd3-afa3eaef39f8
X-Runtime: 0.020045
Expires: Thu, 16 Feb 2023 15:45:10 GMT
<!DOCTYPE html>
<html>
<head>
<title>derailed.htb</title>
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/>
<meta name="csrf-param" content="authenticity_token" />
<meta name="csrf-token" content="z-Eg9OBMxBOJWX_qhFXu6ZMNJGg8gqxLwrBzYc_woqNdutrMr8d4B3lCt3k2-BKh7WnC-2RS5UkccnXbyumWZg" />
<!-- Warning !! ensure that "stylesheet_pack_tag" is used, line below -->
<script src="/packs/js/application-135b5cfa2df817d08f14.js" data-turbolinks-track="reload"></script>
<link href="/js/vs/editor/editor.main.css" rel="stylesheet"/>
<!-- Favicon-->
<link rel="icon" type="image/x-icon" href="/assets/favicon.ico"/>
<!-- Font Awesome icons (free version)-->
<script src="https://use.fontawesome.com/releases/v6.1.0/js/all.js" crossorigin="anonymous"></script>
<!-- Google fonts-->
<link href="https://fonts.googleapis.com/css?family=Montserrat:400,700" rel="stylesheet" type="text/css"/>
<link href="https://fonts.googleapis.com/css?family=Lato:400,700,400italic,700italic" rel="stylesheet" type="text/css"/>
<!-- Core theme CSS (includes Bootstrap)-->
<link href="/css/styles.css" rel="stylesheet"/>
</head>
<body id="page-top">
<!-- Navigation-->
<nav class="navbar navbar-expand-lg bg-secondary text-uppercase fixed-top" id="mainNav">
<div class="container">
<a class="navbar-brand" href="/">CLIPNOTES</a>
<button class="navbar-toggler text-uppercase font-weight-bold bg-primary text-white rounded" type="button" data-bs-toggle="collapse" data-bs-target="#navbarResponsive" aria-controls="navbarResponsive" aria-expanded="false" aria-label="Toggle navigation">
Menu
<i class="fas fa-bars"></i>
</button>
<div class="collapse navbar-collapse" id="navbarResponsive">
<ul class="navbar-nav ms-auto">
<li class="nav-item mx-0 mx-lg-1">
<a class="nav-link py-3 px-0 px-lg-3 rounded" href="/login">Login</a>
</li>
<li class="nav-item mx-0 mx-lg-1">
<a class="nav-link py-3 px-0 px-lg-3 rounded" href="/register">Sign Up</a>
</li>
</ul>
</div>
</div>
</nav>
<header class="masthead bg-primary text-white text-center">
<div class="container">
<form action="/create" accept-charset="UTF-8" method="post"><input type="hidden" name="authenticity_token" value="-alilGD1Y-OjXpjBgQ9Xf1QesExsR0441HGTWFfBEKlC55TEUOoSglwJnPNLw5j-kR6GkzJOVcBTFElq4YcItA" autocomplete="off" />
<div class="form-group">
<h2 class="page-section-heading text-center text-uppercase text-white">New Clipnote</h2>
<textarea rows="12" class="form-control" name="note[content]" id="note_content">
</textarea>
</div>
<div class="text-center mt-4">
<button name="button" type="submit" class="btn btn-xl btn-outline-light">
<i class="fas fa-plus me-2"></i>
Create New Clipnote
</button>
</div>
</form>
</div>
</header>
<!-- Footer-->
<footer class="footer text-center">
<div class="container">
<div class="row">
<!-- Footer Location-->
<div class="col-lg-4 mb-5 mb-lg-0">
<h4 class="text-uppercase mb-4">Location</h4>
<p class="lead mb-0">
2215 John Daniel Drive
<br/>
Clark, MO 65243
</p>
</div>
<!-- Footer Social Icons-->
<div class="col-lg-4 mb-5 mb-lg-0">
<h4 class="text-uppercase mb-4"><a href="http://derailed.htb">derailed.htb</a></h4>
<a class="btn btn-outline-light btn-social mx-1" href="#!"><i class="fab fa-fw fa-facebook-f"></i></a>
<a class="btn btn-outline-light btn-social mx-1" href="#!"><i class="fab fa-fw fa-twitter"></i></a>
<a class="btn btn-outline-light btn-social mx-1" href="#!"><i class="fab fa-fw fa-linkedin-in"></i></a>
<a class="btn btn-outline-light btn-social mx-1" href="#!"><i class="fab fa-fw fa-dribbble"></i></a>
</div>
<!-- Footer About Text-->
<div class="col-lg-4">
<h4 class="text-uppercase mb-4">About derailed.htb</h4>
<p class="lead mb-0">
derailed.htb is a free to use service, which allows users to create notes within a few seconds.
</p>
</div>
</div>
</div>
</footer>
<!-- Copyright Section-->
<div class="copyright py-4 text-center text-white">
<div class="container"><small>Copyright &copy; derailed.htb 2022</small></div>
</div>
<!-- Bootstrap core JS-->
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js"></script>
<script src="/js/scripts.js"></script>
<script src="https://cdn.startbootstrap.com/sb-forms-latest.js"></script>
</body>
</html>
```
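Review bot: this capture commits a live `_simple_rails_session` value (the `Set-Cookie:` line) and two `authenticity_token` CSRF values into the repository; they are per-session and long expired for an HTB box, but committing raw HTTP captures unscrubbed is the habit that eventually leaks a real session, so strip `Set-Cookie` and token values before committing or keep raw captures out of version control. The observations worth carrying into the notes are the Rails cookie name (confirming the framework behind the nginx banner), the security headers present (`X-Frame-Options: SAMEORIGIN`, `X-Content-Type-Options: nosniff`, `Referrer-Policy: strict-origin-when-cross-origin`), the cookie being `HttpOnly; SameSite=Lax` but not `Secure` (the site is plain HTTP on port 3000), and that the index page exposes an unauthenticated `POST /create` note form, which is the application's primary user input.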

@@ -0,0 +1,49 @@
```bash
feroxbuster -u http://derailed.htb:3000/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_feroxbuster_dirbuster.txt"
```
[/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_feroxbuster_dirbuster.txt](file:///home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_feroxbuster_dirbuster.txt):
```
200 GET 153l 397w 0c http://derailed.htb:3000/register
200 GET 8l 29w 23462c http://derailed.htb:3000/assets/favicon.ico
200 GET 6l 1408w 77302c http://derailed.htb:3000/js/vs/editor/editor.main.css
200 GET 54l 134w 1648c http://derailed.htb:3000/js/scripts.js
200 GET 11509l 21777w 211255c http://derailed.htb:3000/css/styles.css
200 GET 7219l 79688w 1008873c http://derailed.htb:3000/packs/js/application-135b5cfa2df817d08f14.js
200 GET 144l 381w 0c http://derailed.htb:3000/login
200 GET 128l 341w 0c http://derailed.htb:3000/
200 GET 67l 181w 1722c http://derailed.htb:3000/404
200 GET 66l 165w 1635c http://derailed.htb:3000/500
200 GET 67l 181w 1722c http://derailed.htb:3000/404.html
200 GET 66l 165w 1635c http://derailed.htb:3000/500.html
302 GET 1l 5w 0c http://derailed.htb:3000/administration => http://derailed.htb:3000/login
302 GET 1l 5w 0c http://derailed.htb:3000/administration.txt => http://derailed.htb:3000/login
302 GET 1l 5w 0c http://derailed.htb:3000/administration.html => http://derailed.htb:3000/login
302 GET 1l 5w 0c http://derailed.htb:3000/administration.php => http://derailed.htb:3000/login
302 GET 1l 5w 0c http://derailed.htb:3000/administration.asp => http://derailed.htb:3000/login
302 GET 1l 5w 0c http://derailed.htb:3000/administration.aspx => http://derailed.htb:3000/login
302 GET 1l 5w 0c http://derailed.htb:3000/administration.jsp => http://derailed.htb:3000/login
200 GET 0l 0w 0c http://derailed.htb:3000/favicon.ico
200 GET 144l 381w 0c http://derailed.htb:3000/login.html
200 GET 144l 381w 0c http://derailed.htb:3000/login.php
200 GET 144l 381w 0c http://derailed.htb:3000/login.asp
200 GET 144l 381w 0c http://derailed.htb:3000/login.aspx
200 GET 144l 381w 0c http://derailed.htb:3000/login.jsp
302 GET 1l 5w 0c http://derailed.htb:3000/logout => http://derailed.htb:3000/
302 GET 1l 5w 0c http://derailed.htb:3000/logout.txt => http://derailed.htb:3000/
302 GET 1l 5w 0c http://derailed.htb:3000/logout.html => http://derailed.htb:3000/
302 GET 1l 5w 0c http://derailed.htb:3000/logout.php => http://derailed.htb:3000/
302 GET 1l 5w 0c http://derailed.htb:3000/logout.asp => http://derailed.htb:3000/
302 GET 1l 5w 0c http://derailed.htb:3000/logout.aspx => http://derailed.htb:3000/
302 GET 1l 5w 0c http://derailed.htb:3000/logout.jsp => http://derailed.htb:3000/
200 GET 153l 397w 0c http://derailed.htb:3000/register.html
200 GET 153l 397w 0c http://derailed.htb:3000/register.php
200 GET 153l 397w 0c http://derailed.htb:3000/register.asp
200 GET 153l 397w 0c http://derailed.htb:3000/register.aspx
200 GET 153l 397w 0c http://derailed.htb:3000/register.jsp
200 GET 1l 12w 99c http://derailed.htb:3000/robots.txt
200 GET 67l 176w 1705c http://derailed.htb:3000/422
200 GET 67l 176w 1705c http://derailed.htb:3000/422.html
```
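Review bot: the `0c` size column on the 200 rows for `/`, `/login` and `/register` is not an empty body: the index response in this commit is sent with `Transfer-Encoding: chunked` and no `Content-Length`, so feroxbuster reports zero bytes while still counting 128 to 153 lines, and size-based filtering on this host should be read with that in mind. The identical line and word counts also show that the `.php`/`.asp`/`.aspx`/`.jsp` variants are the same page as `/login` and `/register`, not separate files. Two rows the noise hides are worth a note: `/administration` (302 to `/login`, an admin area that exists but requires authentication) and `/404`, `/422`, `/500` returning 200 directly (Rails static error pages).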

@@ -0,0 +1,3 @@
```bash
curl -sSikf http://derailed.htb:3000/.well-known/security.txt
```
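Review bot: there is no output file for this command, and with `-f` curl exits non-zero on an HTTP error without printing headers or body, so the absent capture means `/.well-known/security.txt` was not served, not that it was empty; a one-line comment in the file stating that the request failed would keep the next reader from assuming it was never run.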

@@ -0,0 +1,348 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 3000 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/xml/tcp_3000_http_nmap.xml" derailed.htb
```
[/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_nmap.txt](file:///home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_nmap.txt):
```
# Nmap 7.93 scan initiated Thu Feb 16 16:45:11 2023 as: nmap -vv --reason -Pn -T4 -sV -p 3000 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_nmap.txt -oX /home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/xml/tcp_3000_http_nmap.xml derailed.htb
Nmap scan report for derailed.htb (10.10.11.190)
Host is up, received user-set (0.025s latency).
Scanned at 2023-02-16 16:45:14 CET for 516s
PORT STATE SERVICE REASON VERSION
3000/tcp open http syn-ack ttl 63 nginx 1.18.0
| http-errors:
| Spidering limited to: maxpagecount=40; withinhost=derailed.htb
| Found the following error pages:
|
| Error Code: 404
|_ http://derailed.htb:3000/create
| http-referer-checker:
| Spidering limited to: maxpagecount=30
| https://cdn.jsdelivr.net:443/npm/bootstrap15.1.3/dist/js/bootstrap.bundle.min.js
| https://cdn.startbootstrap.com:443/sb-forms-0.4.1.js
|_ https://use.fontawesome.com:443/releases/v6.1.0/js/all.js
| http-enum:
| /login.stm: Belkin G Wireless Router
| /login.php: Possible admin folder
| /login.html: Possible admin folder
| /login.cfm: Possible admin folder
| /login.asp: Possible admin folder
| /login.aspx: Possible admin folder
| /login.jsp: Possible admin folder
| /login/: Login page
| /login.htm: Login page
| /login.jsp: Login page
| /robots.txt: Robots file
|_ /register/: Potentially interesting folder
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-feed: Couldn't find any feeds.
|_http-malware-host: Host appears to be clean
|_http-chrono: Request times for /; avg: 580.84ms; min: 480.16ms; max: 721.99ms
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-internal-ip-disclosure: ERROR: Script execution failed (use -d to debug)
|_http-title: derailed.htb
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-sitemap-generator:
| Directory structure:
| /
| Other: 3
| /assets/
| ico: 1
| /css/
| css: 1
| /js/
| js: 1
| /js/vs/editor/
| css: 1
| Longest directory structure:
| Depth: 3
| Dir: /js/vs/editor/
| Total files found (by extension):
|_ Other: 3; css: 2; ico: 1; js: 1
| http-vhosts:
|_128 names had status 200
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-devframework: RoR detected. Found properties file on /rails/info/properties/
| http-auth-finder:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=derailed.htb
| url method
| http://derailed.htb:3000/register FORM
|_ http://derailed.htb:3000/login FORM
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
|_http-mobileversion-checker: No mobile version detected.
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-server-header: nginx/1.18.0
| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=derailed.htb
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 7717
| Comment:
| /* rtl:end:remove */
|
| Path: http://derailed.htb:3000/register
| Line number: 63
| Comment:
| <!-- Contact Section Heading-->
|
| Path: http://derailed.htb:3000/js/scripts.js
| Line number: 29
| Comment:
| // Shrink the navbar when page is scrolled
|
| Path: http://derailed.htb:3000/js/scripts.js
| Line number: 6
| Comment:
|
| //
|
| Path: http://derailed.htb:3000/register
| Line number: 20
| Comment:
| <!-- Font Awesome icons (free version)-->
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 4792
| Comment:
| /* rtl: var(--bs-breadcrumb-divider, "/") */
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 257
| Comment:
| /* rtl:ignore */
|
| Path: http://derailed.htb:3000/register
| Line number: 116
| Comment:
| <!-- Footer Location-->
|
| Path: http://derailed.htb:3000/register
| Line number: 18
| Comment:
| <!-- Favicon-->
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 6118
| Comment:
| /* rtl:options: {
| "autoRename": true,
| "stringMap":[ {
| "name" : "prev-next",
| "search" : "prev",
| "replace" : "next"
| } ]
| } */
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 7
| Comment:
| /*!
| * Bootstrap v5.1.3 (https://getbootstrap.com/)
| * Copyright 2011-2021 The Bootstrap Authors
| * Copyright 2011-2021 Twitter, Inc.
| * Licensed under MIT (https://github.com/twbs/bootstrap/blob/main/LICENSE)
| */
|
| Path: http://derailed.htb:3000/register
| Line number: 148
| Comment:
| <!-- Bootstrap core JS-->
|
| Path: http://derailed.htb:3000/register
| Line number: 71
| Comment:
| <!-- Contact Section Form-->
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 6042
| Comment:
| /* rtl:end:ignore */
|
| Path: http://derailed.htb:3000/register
| Line number: 25
| Comment:
| <!-- Core theme CSS (includes Bootstrap)-->
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 2
| Comment:
| /*!
| * Start Bootstrap - Freelancer v7.0.6 (https://startbootstrap.com/theme/freelancer)
| * Copyright 2013-2022 Start Bootstrap
| * Licensed under MIT (https://github.com/StartBootstrap/startbootstrap-freelancer/blob/master/LICENSE)
| */
|
| Path: http://derailed.htb:3000/js/scripts.js
| Line number: 32
| Comment:
| // Activate Bootstrap scrollspy on the main nav element
|
| Path: http://derailed.htb:3000/register
| Line number: 22
| Comment:
| <!-- Google fonts-->
|
| Path: http://derailed.htb:3000/js/scripts.js
| Line number: 8
| Comment:
|
| //
|
| Path: http://derailed.htb:3000/js/scripts.js
| Line number: 41
| Comment:
| // Collapse responsive navbar when toggler is visible
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 7711
| Comment:
| /* rtl:begin:remove */
|
| Path: http://derailed.htb:3000/register
| Line number: 112
| Comment:
| <!-- Footer-->
|
| Path: http://derailed.htb:3000/js/vs/editor/editor.main.css
| Line number: 1
| Comment:
| /*!-----------------------------------------------------------
| * Copyright (c) Microsoft Corporation. All rights reserved.
| * Version: 0.33.0(c722ca6c7eed3d7987c0d5c3df5c45f6b15e77d1)
| * Released under the MIT license
| * https://github.com/microsoft/vscode/blob/main/LICENSE.txt
| *-----------------------------------------------------------*/
|
| Path: http://derailed.htb:3000/register
| Line number: 29
| Comment:
| <!-- Navigation-->
|
| Path: http://derailed.htb:3000/register
| Line number: 125
| Comment:
| <!-- Footer Social Icons-->
|
| Path: http://derailed.htb:3000/register
| Line number: 143
| Comment:
| <!-- Copyright Section-->
|
| Path: http://derailed.htb:3000/js/scripts.js
| Line number: 26
| Comment:
| // Shrink the navbar
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 6031
| Comment:
| /* rtl:begin:ignore */
|
| Path: http://derailed.htb:3000/register
| Line number: 13
| Comment:
| <!-- Warning !! ensure that "stylesheet_pack_tag" is used, line below -->
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 441
| Comment:
| /* rtl:raw:
| [type="tel"],
| [type="url"],
| [type="email"],
| [type="number"] {
| direction: ltr;
| }
| */
|
| Path: http://derailed.htb:3000/register
| Line number: 133
| Comment:
| <!-- Footer About Text-->
|
| Path: http://derailed.htb:3000/js/scripts.js
| Line number: 12
| Comment:
| // Navbar shrink function
|
| Path: http://derailed.htb:3000/register
| Line number: 65
| Comment:
|_ <!-- Icon Divider-->
| http-security-headers:
| X_Frame_Options:
| Header: X-Frame-Options: SAMEORIGIN
| Description: The browser must not display this content in any frame from a page of different origin than the content itself.
| X_XSS_Protection:
| Header: X-XSS-Protection: 1; mode=block
| Description: The browser will prevent the rendering of the page when XSS is detected.
| X_Content_Type_Options:
| Header: X-Content-Type-Options: nosniff
| Description: Will prevent the browser from MIME-sniffing a response away from the declared content-type.
| X_Permitted_Cross_Domain_Policies:
| Header: X-Permitted-Cross-Domain-Policies: none
| Description: No policy files are allowed anywhere on the target server, including this master policy file.
| Cache_Control:
| Header: Cache-Control: no-cache
| Expires:
|_ Header: Expires: Thu, 16 Feb 2023 15:45:33 GMT
| http-useragent-tester:
| Status for browser useragent: 200
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-date: Thu, 16 Feb 2023 15:45:26 GMT; -1s from local time.
| http-waf-detect: IDS/IPS/WAF detected:
|_derailed.htb:3000/?p4yl04d3=<script>alert(document.cookie)</script>
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
| http-headers:
| Server: nginx/1.18.0
| Date: Thu, 16 Feb 2023 15:45:28 GMT
| Content-Type: text/html; charset=utf-8
| Connection: close
| X-Frame-Options: SAMEORIGIN
| X-XSS-Protection: 1; mode=block
| X-Content-Type-Options: nosniff
| X-Download-Options: noopen
| X-Permitted-Cross-Domain-Policies: none
| Referrer-Policy: strict-origin-when-cross-origin
| Link: </packs/js/application-135b5cfa2df817d08f14.js>; rel=preload; as=script; nopush
| ETag: W/"6522e3db327e482cccc280f692e86223"
| Cache-Control: no-cache
| Set-Cookie: _simple_rails_session=tDEdGZWSZGtkgu2XC5L73pxfqWqr2qeigxOB%2FdvvzAJvk2Ml%2Bcv6SQiEAql4e10Q6Zqf8eNjwl8aVzYdzFk01%2BDD8q7MTzI9IvKNKOX4eH2OjAGtigHRYTuU%2FtBalnWdPGp7GTlhpao9vV93qZQKfxEnLRhblJvP%2BcdcvuDFdIaKjnuyCyUE5b5M%2FO%2B5R8yv57IJmT7shL%2B83e2n2awfNFV9aCFmp90T25y0J8JVEmhkew1treuNsCpjnwUqaIzMyQCo%2BuzHOGDtZJfOszvkAA7tJgnDI3eA9%2Fj2w5Y%3D--cauerDqmrGarteSZ--T%2B%2FFM%2Bp55gejSi%2F7zEKoQw%3D%3D; path=/; HttpOnly; SameSite=Lax
| X-Request-Id: bd64859a-760b-4731-bca1-a5ab5ac3e25d
| X-Runtime: 0.080271
| Expires: Thu, 16 Feb 2023 15:45:27 GMT
|
|_ (Request type: HEAD)
| http-php-version: Logo query returned unknown hash 3f4c876cfd945d09e6f8361405950437
|_Credits query returned unknown hash 2c8e1b7fab02fb0e5a929337403ba4ef
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 16 16:53:50 2023 -- 1 IP address (1 host up) scanned in 519.37 seconds
```
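Review bot: the http-devframework line reports the Rails `/rails/info/properties/` page as reachable on derailed.htb:3000; that route is a development-only information page, so its exposure deserves to be recorded as a finding of its own rather than left buried in the script output. The http-headers block also stores a complete `Set-Cookie: _simple_rails_session=…` value together with its X-Request-Id; captured session cookies should be redacted before scan output is committed, because the repository otherwise carries a usable session token for as long as it remains valid.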

@@ -0,0 +1,11 @@
```bash
curl -sk -o /dev/null -H "Host: NkoFGoOnXcvbfluPanbk.derailed.htb" http://derailed.htb:3000/ -w "%{size_download}"
``````bash
ffuf -u http://derailed.htb:3000/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.derailed.htb" -fs 4774 -noninteractive -s | tee "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_derailed.htb_vhosts_subdomains-top1million-110000.txt"
```
[/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_derailed.htb_vhosts_subdomains-top1million-110000.txt](file:///home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_derailed.htb_vhosts_subdomains-top1million-110000.txt):
```
```
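Review bot: the closing fence of the curl block and the opening fence of the ffuf block have run together into a single ``````bash line, so a markdown renderer shows both commands as one block; split it into ``` and ```bash on separate lines. The results link that follows is backed by an empty fenced block, which is the expected shape when every candidate was filtered by `-fs 4774`, but a short note that 4774 is the baseline size returned by the preceding curl with a random Host header would make the empty result interpretable later.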

@@ -0,0 +1,109 @@
```bash
whatweb --color=never --no-errors -a 3 -v http://derailed.htb:3000 2>&1
```
[/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_whatweb.txt](file:///home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_whatweb.txt):
```
WhatWeb report for http://derailed.htb:3000
Status : 200 OK
Title : derailed.htb
IP : 10.10.11.190
Country : RESERVED, ZZ
Summary : Bootstrap, Cookies[_simple_rails_session], HTML5, HTTPServer[nginx/1.18.0], HttpOnly[_simple_rails_session], nginx[1.18.0], Script, UncommonHeaders[x-content-type-options,x-download-options,x-permitted-cross-domain-policies,referrer-policy,link,x-request-id], X-Frame-Options[SAMEORIGIN], X-XSS-Protection[1; mode=block]
Detected Plugins:
[ Bootstrap ]
Bootstrap is an open source toolkit for developing with
HTML, CSS, and JS.
Website : https://getbootstrap.com/
[ Cookies ]
Display the names of cookies in the HTTP headers. The
values are not returned to save on space.
String : _simple_rails_session
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : nginx/1.18.0 (from server string)
[ HttpOnly ]
If the HttpOnly flag is included in the HTTP set-cookie
response header and the browser supports it then the cookie
cannot be accessed through client side script - More Info:
http://en.wikipedia.org/wiki/HTTP_cookie
String : _simple_rails_session
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
[ UncommonHeaders ]
Uncommon HTTP server headers. The blacklist includes all
the standard headers and many non standard but common ones.
Interesting but fairly common headers should have their own
plugins, eg. x-powered-by, server and x-aspnet-version.
Info about headers can be found at www.http-stats.com
String : x-content-type-options,x-download-options,x-permitted-cross-domain-policies,referrer-policy,link,x-request-id (from headers)
[ X-Frame-Options ]
This plugin retrieves the X-Frame-Options value from the
HTTP header. - More Info:
http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
aspx
String : SAMEORIGIN
[ X-XSS-Protection ]
This plugin retrieves the X-XSS-Protection value from the
HTTP header. - More Info:
http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
aspx
String : 1; mode=block
[ nginx ]
Nginx (Engine-X) is a free, open-source, high-performance
HTTP server and reverse proxy, as well as an IMAP/POP3
proxy server.
Version : 1.18.0
Website : http://nginx.net/
HTTP Headers:
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Thu, 16 Feb 2023 15:45:26 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Link: </packs/js/application-135b5cfa2df817d08f14.js>; rel=preload; as=script; nopush
Vary: Accept
ETag: W/"a8b4d805b5090dd0b87e4821d2df7ca2"
Cache-Control: no-cache
Set-Cookie: _simple_rails_session=ooOfNpkyasLDwPiGVBqcrsfpqvfn50Pzf5IOqMAZ4zvaaOD8nCfa2gZ3JEAatSg4sVB%2B%2Fh7eq%2FkvjmIi8FJ%2FX64W1fP2%2BFurosNX64n15W6Wsif%2FYyitQXvbOf455kZaGXDOwkfpWt%2BFFgsNxJuufcOgUmJQpA1CE%2Fp2ydvBS6xppKfA2ZVbk%2F9lYgt4D0lVQhxERvN4N3gob8HoV%2BqVnVVHDdAkvA1%2F7co%2Bjpmh2E0owj2yvPG38wNjvUeRREyr21onFQ64Tp%2FygnM0fp2w3YoByHIPcsI%2Baie8Jqg%3D--l9hl7fBfRLBW%2Fgf0--Y%2BJUAftY8y15nt45Jhn95Q%3D%3D; path=/; HttpOnly; SameSite=Lax
X-Request-Id: d5c74b03-6bb3-4325-9fac-e115d437c25f
X-Runtime: 0.035284
Expires: Thu, 16 Feb 2023 15:45:25 GMT
```
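Review bot: the HTTP Headers section again captures a full `_simple_rails_session` Set-Cookie value; as with the nmap headers dump, cookie values should be redacted from whatweb output before it is committed, since the stored token is a live credential for that session.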

@@ -0,0 +1,3 @@
```bash
wkhtmltoimage --format png http://derailed.htb:3000/ /home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_screenshot.png
```