old htb folders
2023-08-29 21:53:22 +02:00
parent 62ab804867
commit 82b0759f1e
21891 changed files with 6277643 additions and 0 deletions

@@ -0,0 +1,27 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/photobomb/results/10.10.11.182/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/photobomb/results/10.10.11.182/scans/xml/_quick_tcp_nmap.xml" 10.10.11.182
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/photobomb/results/10.10.11.182/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/photobomb/results/10.10.11.182/scans/xml/_full_tcp_nmap.xml" 10.10.11.182
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp22/xml/tcp_22_ssh_nmap.xml" 10.10.11.182
feroxbuster -u http://10.10.11.182:80/ -t 10 -w /home/kali/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
curl -sSikf http://10.10.11.182:80/.well-known/security.txt
curl -sSikf http://10.10.11.182:80/robots.txt
curl -sSik http://10.10.11.182:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.10.11.182
curl -sk -o /dev/null -H "Host: txKCMPIUqOtdqrlLcVuN.photobomb.htb" http://photobomb.htb:80/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://10.10.11.182:80 2>&1
wkhtmltoimage --format png http://10.10.11.182:80/ /home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_screenshot.png
ffuf -u http://photobomb.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.photobomb.htb" -fs 154 -noninteractive -s | tee "/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_photobomb.htb_vhosts_subdomains-top1million-110000.txt"
```
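
Review bot: every `-oN`, `-oX` and `-o` target in this command log, and the feroxbuster `-w` wordlist, is an absolute path under `/home/kali/`, so the log cannot be replayed from a checkout on another machine. Record the paths relative to the results directory, or define the base directory once at the top of the file. The request with `Host: txKCMPIUqOtdqrlLcVuN.photobomb.htb` also deserves a one-line comment: it appears to be the size baseline for the `-fs 154` filter on the ffuf line, but nothing in the file says so.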

@@ -0,0 +1,35 @@
```bash
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://10.10.11.182
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h 10.10.11.182
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://10.10.11.182:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.10.11.182/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.10.11.182 -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.10.11.182/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.10.11.182 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://10.10.11.182:80 2>&1 | tee "/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://10.10.11.182:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_wpscan.txt"
```
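
Review bot: the fence is tagged `bash`, but the `[*]` and `[-]` lines are headings rather than shell, and the hydra and medusa lines under "Credential bruteforcing commands" still carry the placeholders `/path/to/auth/area`, `/path/to/login.php` and `invalid-login-message`, so the block is not runnable as written. Use an untagged fence or turn the heading lines into `#` comments, and mark each templated command as a template instead of relying on the single "don't run these without modifying them" heading above the group.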

@@ -0,0 +1,8 @@
Matched Pattern: Unauthorized
Matched Pattern: Unauthorized
Matched Pattern: Unauthorized
Identified HTTP Server: nginx/1.18.0 (Ubuntu)
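
Review bot: the three `Matched Pattern: Unauthorized` lines are identical and none records which scan or URL produced the match, so they cannot be tied back to a finding. Collapse the duplicates and add the source file or request path to each entry; the `Identified HTTP Server` line needs the same attribution.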

@@ -0,0 +1,34 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/photobomb/results/10.10.11.182/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/photobomb/results/10.10.11.182/scans/xml/_full_tcp_nmap.xml" 10.10.11.182
```
[/home/kali/htb/photobomb/results/10.10.11.182/scans/_full_tcp_nmap.txt](file:///home/kali/htb/photobomb/results/10.10.11.182/scans/_full_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Mon Jan 23 08:34:02 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/kali/htb/photobomb/results/10.10.11.182/scans/_full_tcp_nmap.txt -oX /home/kali/htb/photobomb/results/10.10.11.182/scans/xml/_full_tcp_nmap.xml 10.10.11.182
Nmap scan report for photobomb.htb (10.10.11.182)
Host is up, received user-set (0.065s latency).
Scanned at 2023-01-23 08:34:03 EST for 29s
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e22473bbfbdf5cb520b66876748ab58d (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwlzrcH3g6+RJ9JSdH4fFJPibAIpAZXAl7vCJA+98jmlaLCsANWQXth3UsQ+TCEf9YydmNXO2QAIocVR8y1NUEYBlN2xG4/7txjoXr9QShFwd10HNbULQyrGzPaFEN2O/7R90uP6lxQIDsoKJu2Ihs/4YFit79oSsCPMDPn8XS1fX/BRRhz1BDqKlLPdRIzvbkauo6QEhOiaOG1pxqOj50JVWO3XNpnzPxB01fo1GiaE4q5laGbktQagtqhz87SX7vWBwJXXKA/IennJIBPcyD1G6YUK0k6lDow+OUdXlmoxw+n370Knl6PYxyDwuDnvkPabPhkCnSvlgGKkjxvqks9axnQYxkieDqIgOmIrMheEqF6GXO5zz6WtN62UAIKAgxRPgIW0SjRw2sWBnT9GnLag74cmhpGaIoWunklT2c94J7t+kpLAcsES6+yFp9Wzbk1vsqThAss0BkVsyxzvL0U9HvcyyDKLGFlFPbsiFH7br/PuxGbqdO9Jbrrs9nx60=
| 256 04e3ac6e184e1b7effac4fe39dd21bae (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBrVE9flXamwUY+wiBc9IhaQJRE40YpDsbOGPxLWCKKjNAnSBYA9CPsdgZhoV8rtORq/4n+SO0T80x1wW3g19Ew=
| 256 20e05d8cba71f08c3a1819f24011d29e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEp8nHKD5peyVy3X3MsJCmH/HIUvJT+MONekDg5xYZ6D
80/tcp open http syn-ack nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: Photobomb
|_http-favicon: Unknown favicon MD5: 622B9ED3F0195B2D1811DF6F278518C2
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 23 08:34:32 2023 -- 1 IP address (1 host up) scanned in 30.44 seconds
```
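
Review bot: the link above the output block points at `file:///home/kali/htb/photobomb/results/...`, which resolves only on the machine that ran the scan. Use a path relative to the repository so the link works from a checkout; the other results files on this page follow the same link pattern and need the same change.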

@@ -0,0 +1,34 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/photobomb/results/10.10.11.182/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/photobomb/results/10.10.11.182/scans/xml/_quick_tcp_nmap.xml" 10.10.11.182
```
[/home/kali/htb/photobomb/results/10.10.11.182/scans/_quick_tcp_nmap.txt](file:///home/kali/htb/photobomb/results/10.10.11.182/scans/_quick_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Mon Jan 23 08:34:02 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/htb/photobomb/results/10.10.11.182/scans/_quick_tcp_nmap.txt -oX /home/kali/htb/photobomb/results/10.10.11.182/scans/xml/_quick_tcp_nmap.xml 10.10.11.182
Nmap scan report for photobomb.htb (10.10.11.182)
Host is up, received user-set (0.033s latency).
Scanned at 2023-01-23 08:34:03 EST for 8s
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e22473bbfbdf5cb520b66876748ab58d (RSA)
| ssh-rsa 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
| 256 04e3ac6e184e1b7effac4fe39dd21bae (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBrVE9flXamwUY+wiBc9IhaQJRE40YpDsbOGPxLWCKKjNAnSBYA9CPsdgZhoV8rtORq/4n+SO0T80x1wW3g19Ew=
| 256 20e05d8cba71f08c3a1819f24011d29e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEp8nHKD5peyVy3X3MsJCmH/HIUvJT+MONekDg5xYZ6D
80/tcp open http syn-ack nginx 1.18.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 622B9ED3F0195B2D1811DF6F278518C2
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: Photobomb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 23 08:34:11 2023 -- 1 IP address (1 host up) scanned in 8.82 seconds
```
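
Review bot: this output duplicates the `-p-` scan result: the same two open ports (22 and 80), the same version strings and the same host key fingerprints, from a run started at the same time (08:34:02). Keep the full-range file as the record and drop this one, or replace its body with a one-line reference to the full scan.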

@@ -0,0 +1,71 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp22/xml/tcp_22_ssh_nmap.xml" 10.10.11.182
```
[/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp22/tcp_22_ssh_nmap.txt](file:///home/kali/htb/photobomb/results/10.10.11.182/scans/tcp22/tcp_22_ssh_nmap.txt):
```
# Nmap 7.93 scan initiated Mon Jan 23 08:34:11 2023 as: nmap -vv --reason -Pn -T4 -sV -p 22 --script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/kali/htb/photobomb/results/10.10.11.182/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/kali/htb/photobomb/results/10.10.11.182/scans/tcp22/xml/tcp_22_ssh_nmap.xml 10.10.11.182
Nmap scan report for photobomb.htb (10.10.11.182)
Host is up, received user-set (0.035s latency).
Scanned at 2023-01-23 08:34:12 EST for 1s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e22473bbfbdf5cb520b66876748ab58d (RSA)
| ssh-rsa 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
| 256 04e3ac6e184e1b7effac4fe39dd21bae (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBrVE9flXamwUY+wiBc9IhaQJRE40YpDsbOGPxLWCKKjNAnSBYA9CPsdgZhoV8rtORq/4n+SO0T80x1wW3g19Ew=
| 256 20e05d8cba71f08c3a1819f24011d29e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEp8nHKD5peyVy3X3MsJCmH/HIUvJT+MONekDg5xYZ6D
| ssh2-enum-algos:
| kex_algorithms: (9)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| diffie-hellman-group14-sha256
| server_host_key_algorithms: (5)
| rsa-sha2-512
| rsa-sha2-256
| ssh-rsa
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (6)
| chacha20-poly1305@openssh.com
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| mac_algorithms: (10)
| umac-64-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-64@openssh.com
| umac-128@openssh.com
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
|_banner: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 23 08:34:13 2023 -- 1 IP address (1 host up) scanned in 2.24 seconds
```
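
Review bot: the file is raw script output with no summary, and the lines that matter for hardening are easy to miss: `password` is listed under `ssh-auth-methods`, and the server still offers `ssh-rsa` as a host key algorithm along with `hmac-sha1` and `umac-64` MACs. Add a short findings line above the fenced output naming these, so the notes record what was concluded and not only what was run.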

@@ -0,0 +1,24 @@
```bash
curl -sSikf http://10.10.11.182:80/robots.txt
```
[/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_curl-robots.txt](file:///home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_curl-robots.txt):
```
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 23 Jan 2023 13:34:12 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: http://photobomb.htb/
<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
```
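
Review bot: the file saved as `tcp_80_http_curl-robots.txt` holds nginx's `302` redirect to `http://photobomb.htb/`, not a robots.txt; `-f` only makes curl fail on status codes of 400 and above, so the redirect body was written out as if it were the result. The index and `.well-known/security.txt` captures further down show the same response. Note at the top of each file that the request by IP was redirected, or keep a single copy.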

@@ -0,0 +1,25 @@
```bash
curl -sSik http://10.10.11.182:80/
```
[/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_curl.html](file:///home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_curl.html):
```
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 23 Jan 2023 13:34:12 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: http://photobomb.htb/
<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
```

@@ -0,0 +1,11 @@
```bash
feroxbuster -u http://10.10.11.182:80/ -t 10 -w /home/kali/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
```
[/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt](file:///home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt):
```
WLD GET 7l 10w 154c Got 302 for http://10.10.11.182/8f7d9efab8454152b16c03f3977d789a (url length: 32)
WLD - - - http://10.10.11.182/8f7d9efab8454152b16c03f3977d789a => http://photobomb.htb/
```
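
Review bot: both output lines are `WLD` wildcard entries: the random path `8f7d9efab8454152b16c03f3977d789a` received the same 154-byte `302` to `http://photobomb.htb/`, so this run recorded no real paths. State that in a line above the output so an empty result is not mistaken for a truncated file.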

@@ -0,0 +1,23 @@
```bash
curl -sSikf http://10.10.11.182:80/.well-known/security.txt
```
[/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_known-security.txt](file:///home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_known-security.txt):
```
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 23 Jan 2023 13:34:12 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: http://photobomb.htb/
<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
```

@@ -0,0 +1,118 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.10.11.182
```
[/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_nmap.txt](file:///home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_nmap.txt):
```
# Nmap 7.93 scan initiated Mon Jan 23 08:34:11 2023 as: nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_nmap.txt -oX /home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/xml/tcp_80_http_nmap.xml 10.10.11.182
Nmap scan report for photobomb.htb (10.10.11.182)
Host is up, received user-set (0.045s latency).
Scanned at 2023-01-23 08:34:13 EST for 162s
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack nginx 1.18.0 (Ubuntu)
| http-sitemap-generator:
| Directory structure:
| /
| Other: 1; css: 1; js: 1
| Longest directory structure:
| Depth: 0
| Dir: /
| Total files found (by extension):
|_ Other: 1; css: 1; js: 1
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-title: Photobomb
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-date: Mon, 23 Jan 2023 13:34:21 GMT; -1s from local time.
|_http-favicon: Unknown favicon MD5: 622B9ED3F0195B2D1811DF6F278518C2
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
| http-auth-finder:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=photobomb.htb
| url method
|_ http://photobomb.htb:80/printer HTTP: Basic
|_http-feed: Couldn't find any feeds.
| http-errors:
| Spidering limited to: maxpagecount=40; withinhost=photobomb.htb
| Found the following error pages:
|
| Error Code: 401
|_ http://photobomb.htb:80/printer
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-fetch: Please enter the complete path of the directory to save data in.
| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=photobomb.htb
|
| Path: http://photobomb.htb:80/photobomb.js
| Line number: 2
| Comment:
|_ // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
| http-vhosts:
|_128 names had status 302
| http-useragent-tester:
| Status for browser useragent: 200
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
|_http-malware-host: Host appears to be clean
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-mobileversion-checker: No mobile version detected.
| http-enum:
| /printer/image: Lexmark Printer (401 Unauthorized)
| /printer/: Potentially interesting folder (401 Unauthorized)
|_ /printers/: Potentially interesting folder (401 Unauthorized)
|_http-chrono: Request times for /; avg: 179.29ms; min: 160.96ms; max: 221.42ms
|_http-referer-checker: Couldn't find any cross-domain scripts.
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
| http-security-headers:
| X_Frame_Options:
| Header: X-Frame-Options: SAMEORIGIN
| Description: The browser must not display this content in any frame from a page of different origin than the content itself.
| X_XSS_Protection:
| Header: X-XSS-Protection: 1; mode=block
| Description: The browser will prevent the rendering of the page when XSS is detected.
| X_Content_Type_Options:
| Header: X-Content-Type-Options: nosniff
|_ Description: Will prevent the browser from MIME-sniffing a response away from the declared content-type.
| http-headers:
| Server: nginx/1.18.0 (Ubuntu)
| Date: Mon, 23 Jan 2023 13:34:21 GMT
| Content-Type: text/html;charset=utf-8
| Content-Length: 843
| Connection: close
| X-Xss-Protection: 1; mode=block
| X-Content-Type-Options: nosniff
| X-Frame-Options: SAMEORIGIN
|
|_ (Request type: HEAD)
| http-methods:
|_ Supported Methods: GET HEAD
| http-php-version: Logo query returned unknown hash ed7a2ffc4af7ec7577f2b6ff8d80b613
|_Credits query returned unknown hash ed7a2ffc4af7ec7577f2b6ff8d80b613
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 23 08:36:55 2023 -- 1 IP address (1 host up) scanned in 163.79 seconds
```
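
Review bot: the one result here that needs action is buried mid-output: `http-comments-displayer` reports a comment on line 2 of `photobomb.js` about pre-populated credentials for tech support, while `http-auth-finder` shows `/printer` sitting behind HTTP Basic. Lift that into a findings note at the top of the file together with the remediation (remove credentials from client-side code and rotate them), and trim the script lines that only report errors or nothing found, such as `http-config-backup` and `http-fetch`.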

@@ -0,0 +1,11 @@
```bash
curl -sk -o /dev/null -H "Host: txKCMPIUqOtdqrlLcVuN.photobomb.htb" http://photobomb.htb:80/ -w "%{size_download}"
``````bash
ffuf -u http://photobomb.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.photobomb.htb" -fs 154 -noninteractive -s | tee "/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_photobomb.htb_vhosts_subdomains-top1million-110000.txt"
```
[/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_photobomb.htb_vhosts_subdomains-top1million-110000.txt](file:///home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_photobomb.htb_vhosts_subdomains-top1million-110000.txt):
```
```
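
Review bot: the closing fence of the curl block and the opening fence of the ffuf block are fused on one line (six backticks followed by `bash`), so the two commands will not render as separate blocks, and the results block at the end is empty. Put the fences on separate lines and replace the empty block with an explicit "no matches" line, noting that `-fs 154` filters out the 154-byte redirect body.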

@@ -0,0 +1,119 @@
```bash
whatweb --color=never --no-errors -a 3 -v http://10.10.11.182:80 2>&1
```
[/home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_whatweb.txt](file:///home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_whatweb.txt):
```
WhatWeb report for http://10.10.11.182:80
Status : 302 Found
Title : 302 Found
IP : 10.10.11.182
Country : RESERVED, ZZ
Summary : HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], nginx[1.18.0], RedirectLocation[http://photobomb.htb/]
Detected Plugins:
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : nginx/1.18.0 (Ubuntu) (from server string)
[ RedirectLocation ]
HTTP Server string location. used with http-status 301 and
302
String : http://photobomb.htb/ (from location)
[ nginx ]
Nginx (Engine-X) is a free, open-source, high-performance
HTTP server and reverse proxy, as well as an IMAP/POP3
proxy server.
Version : 1.18.0
Website : http://nginx.net/
HTTP Headers:
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 23 Jan 2023 13:34:18 GMT
Content-Type: text/html
Content-Length: 154
Connection: close
Location: http://photobomb.htb/
WhatWeb report for http://photobomb.htb/
Status : 200 OK
Title : Photobomb
IP : 10.10.11.182
Country : RESERVED, ZZ
Summary : HTML5, HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], nginx[1.18.0], Script, UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN], X-XSS-Protection[1; mode=block]
Detected Plugins:
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : nginx/1.18.0 (Ubuntu) (from server string)
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
[ UncommonHeaders ]
Uncommon HTTP server headers. The blacklist includes all
the standard headers and many non standard but common ones.
Interesting but fairly common headers should have their own
plugins, eg. x-powered-by, server and x-aspnet-version.
Info about headers can be found at www.http-stats.com
String : x-content-type-options (from headers)
[ X-Frame-Options ]
This plugin retrieves the X-Frame-Options value from the
HTTP header. - More Info:
http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
aspx
String : SAMEORIGIN
[ X-XSS-Protection ]
This plugin retrieves the X-XSS-Protection value from the
HTTP header. - More Info:
http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
aspx
String : 1; mode=block
[ nginx ]
Nginx (Engine-X) is a free, open-source, high-performance
HTTP server and reverse proxy, as well as an IMAP/POP3
proxy server.
Version : 1.18.0
Website : http://nginx.net/
HTTP Headers:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 23 Jan 2023 13:34:19 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: close
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Encoding: gzip
```

@@ -0,0 +1,3 @@
```bash
wkhtmltoimage --format png http://10.10.11.182:80/ /home/kali/htb/photobomb/results/10.10.11.182/scans/tcp80/tcp_80_http_screenshot.png
```