old htb folders
2023-08-29 21:53:22 +02:00
parent 62ab804867
commit 82b0759f1e
21891 changed files with 6277643 additions and 0 deletions


@@ -0,0 +1,16 @@
[*] ssh found on tcp/22.
[*] smtp found on tcp/25.
[*] domain found on tcp/53.
[*] http found on tcp/80.


@@ -0,0 +1,53 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/htb/trick/results/scans/_quick_tcp_nmap.txt" -oX "/home/simon/htb/trick/results/scans/xml/_quick_tcp_nmap.xml" 10.129.227.180
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/htb/trick/results/scans/_full_tcp_nmap.txt" -oX "/home/simon/htb/trick/results/scans/xml/_full_tcp_nmap.xml" 10.129.227.180
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/htb/trick/results/scans/_quick_tcp_nmap.txt" -oX "/home/simon/htb/trick/results/scans/xml/_quick_tcp_nmap.xml" 10.129.227.180
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/htb/trick/results/scans/_full_tcp_nmap.txt" -oX "/home/simon/htb/trick/results/scans/xml/_full_tcp_nmap.xml" 10.129.227.180
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/htb/trick/results/scans/_quick_tcp_nmap.txt" -oX "/home/simon/htb/trick/results/scans/xml/_quick_tcp_nmap.xml" 10.129.227.180
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/htb/trick/results/scans/_full_tcp_nmap.txt" -oX "/home/simon/htb/trick/results/scans/xml/_full_tcp_nmap.xml" 10.129.227.180
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/simon/htb/trick/results/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/simon/htb/trick/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml" 10.129.227.180
nmap -vv --reason -Pn -T4 -sV -p 25 --script="banner,(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/htb/trick/results/scans/tcp25/tcp_25_smtp_nmap.txt" -oX "/home/simon/htb/trick/results/scans/tcp25/xml/tcp_25_smtp_nmap.xml" 10.129.227.180
hydra smtp-enum://10.129.227.180:25/vrfy -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" 2>&1
dnsrecon -n 10.129.227.180 -d trick.htb 2>&1
dig -p 53 -x 10.129.227.180 @10.129.227.180
dig AXFR -p 53 @10.129.227.180 trick.htb
nmap -vv --reason -Pn -T4 -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/htb/trick/results/scans/tcp53/tcp_53_dns_nmap.txt" -oX "/home/simon/htb/trick/results/scans/tcp53/xml/tcp_53_dns_nmap.xml" 10.129.227.180
gobuster dns -d trick.htb -r 10.129.227.180 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -o "/home/simon/htb/trick/results/scans/tcp53/tcp_53_trick.htb_subdomains_subdomains-top1million-110000.txt"
feroxbuster -u http://10.129.227.180:80/ -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -q -e -o "/home/simon/htb/trick/results/scans/tcp80/tcp_80_http_feroxbuster_directory-list-2.3-medium.txt"
curl -sSikf http://10.129.227.180:80/.well-known/security.txt
curl -sSikf http://10.129.227.180:80/robots.txt
curl -sSik http://10.129.227.180:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/htb/trick/results/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/htb/trick/results/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.227.180
curl -sk -o /dev/null -H "Host: fVtpogeXVjPkPqtnprUj.trick.htb" http://trick.htb:80/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://10.129.227.180:80 2>&1
wkhtmltoimage --format png http://10.129.227.180:80/ /home/simon/htb/trick/results/scans/tcp80/tcp_80_http_screenshot.png
dig AXFR -p 53 @10.129.227.180
ffuf -u http://trick.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.trick.htb" -fs 5480 -noninteractive -s | tee "/home/simon/htb/trick/results/scans/tcp80/tcp_80_http_trick.htb_vhosts_subdomains-top1million-110000.txt"
hydra smtp-enum://10.129.227.180:25/expn -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" 2>&1
```
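Review bot: The quick/full nmap baseline pair is logged three times on the first six lines of this command log, which suggests the file was appended to across re-runs rather than regenerated; de-duplicate it so the log matches what produced the committed results. The log also carries no statement of scope or authorisation, so a header comment such as `# scope: lab host 10.129.227.180, authorised by <ENGAGEMENT-REF>` would make provenance explicit for anyone reading it later. The absolute `/home/simon/...` output paths publish the operator's local account name; a relative `results/scans/...` path would avoid that.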


@@ -0,0 +1,8 @@
```
[*] Service scan DnsRecon Default Scan (tcp/53/domain/dnsrecon) ran a command which returned a non-zero exit code (1).
[-] Command: dnsrecon -n 10.129.227.180 -d trick.htb 2>&1
[-] Error Output:
```


@@ -0,0 +1,51 @@
```bash
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/simon/htb/trick/results/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://10.129.227.180
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/simon/htb/trick/results/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h 10.129.227.180
[*] smtp on tcp/25
[-] Try User Enumeration using "RCPT TO". Replace <TARGET-DOMAIN> with the target's domain name:
hydra smtp-enum://10.129.227.180:25/rcpt -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -o "/home/simon/htb/trick/results/scans/tcp25/tcp_25_smtp_user-enum_hydra_rcpt.txt" -p <TARGET-DOMAIN>
[*] domain on tcp/53
[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
dnsrecon -n 10.129.227.180 -d trick.htb -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/htb/trick/results/scans/tcp53/tcp_53_dnsrecon_subdomain_bruteforce.txt
[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
dnsrecon -n 10.129.227.180 -d <DOMAIN-NAME> 2>&1 | tee /home/simon/htb/trick/results/scans/tcp53/tcp_53_dnsrecon_default_manual.txt
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://10.129.227.180:80 -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -e -o /home/simon/htb/trick/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/htb/trick/results/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.227.180/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/htb/trick/results/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.227.180 -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/htb/trick/results/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.129.227.180/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/htb/trick/results/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.227.180 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://10.129.227.180:80 2>&1 | tee "/home/simon/htb/trick/results/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://10.129.227.180:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/htb/trick/results/scans/tcp80/tcp_80_http_wpscan.txt"
```
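Review bot: The unfilled placeholders `-p <TARGET-DOMAIN>` and `-d <DOMAIN-NAME>` sit unquoted inside a fence tagged `bash`, so a shell would parse the angle brackets as redirection operators rather than as a literal argument, and the `[*]`/`[-]` annotation lines in the same fence are not shell at all. Tag the fence as plain text or write the placeholders as quoted strings, e.g. `-p "TARGET-DOMAIN"`. The caveat `don't run these without modifying them` appears only above the HTTP credential entries; the SSH login entries at the top of the file have no equivalent line, and the same wording should sit above them so the templates are not mistaken for commands that were run or are approved to run.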


@@ -0,0 +1,8 @@
Identified HTTP Server: nginx/1.14.2
Nmap script found a potential vulnerability. (State: VULNERABLE)
CVE Identified: CVE-2011-3192
CVE Identified: CVE-2011-3192
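Review bot: The `CVE Identified: CVE-2011-3192` entries sit next to `Identified HTTP Server: nginx/1.14.2`, but CVE-2011-3192 is the byte-range denial-of-service advisory for Apache httpd, so on an nginx host this is most likely a false positive from the nmap script reacting to range support (the captured response elsewhere in this commit shows `Accept-Ranges: bytes`). The match is also logged twice. Record it as unverified, for example `CVE Identified: CVE-2011-3192 (unverified; Apache httpd advisory, server is nginx)`, so it is not carried into a report as a confirmed finding. The hunk header announces 8 lines while only four are visible here, so part of the file may be missing from this view.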


@@ -0,0 +1,39 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/htb/trick/results/scans/_full_tcp_nmap.txt" -oX "/home/simon/htb/trick/results/scans/xml/_full_tcp_nmap.xml" 10.129.227.180
```
[/home/simon/htb/trick/results/scans/_full_tcp_nmap.txt](file:///home/simon/htb/trick/results/scans/_full_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Jan 21 18:30:21 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/simon/htb/trick/results/scans/_full_tcp_nmap.txt -oX /home/simon/htb/trick/results/scans/xml/_full_tcp_nmap.xml 10.129.227.180
Nmap scan report for trick.htb (10.129.227.180)
Host is up, received user-set (0.071s latency).
Scanned at 2023-01-21 18:30:21 UTC for 602s
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 61ff293b36bd9dacfbde1f56884cae2d (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5Rh57OmAndXFukHce0Tr4BL8CWC8yACwWdu8VZcBPGuMUH8VkvzqseeC8MYxt5SPL1aJmAsZSgOUreAJNlYNBBKjMoFwyDdArWhqDThlgBf6aqwqMRo3XWIcbQOBkrisgqcPnRKlwh+vqArsj5OAZaUq8zs7Q3elE6HrDnj779JHCc5eba+DR+Cqk1u4JxfC6mGsaNMAXoaRKsAYlwf4Yjhonl6A6MkWszz7t9q5r2bImuYAC0cvgiHJdgLcr0WJh+lV8YIkPyya1vJFp1gN4Pg7I6CmMaiWSMgSem5aVlKmrLMX10MWhewnyuH2ekMFXUKJ8wv4DgifiAIvd6AGR
| 256 9ecdf2406196ea21a6ce2602af759a78 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAoXvyMKuWhQvWx52EFXK9ytX/pGmjZptG8Kb+DOgKcGeBgGPKX3ZpryuGR44av0WnKP0gnRLWk7UCbqY3mxXU0=
| 256 7293f91158de34ad12b54b4a7364b970 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGY1WZWn9xuvXhfxFFm82J9eRGNYJ9NnfzECUm0faUXm
25/tcp open smtp? syn-ack
|_smtp-commands: Couldn't establish connection on port 25
53/tcp open domain syn-ack ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid:
|_ bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open http syn-ack nginx 1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 21 18:40:23 2023 -- 1 IP address (1 host up) scanned in 601.89 seconds
```


@@ -0,0 +1,39 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/htb/trick/results/scans/_quick_tcp_nmap.txt" -oX "/home/simon/htb/trick/results/scans/xml/_quick_tcp_nmap.xml" 10.129.227.180
```
[/home/simon/htb/trick/results/scans/_quick_tcp_nmap.txt](file:///home/simon/htb/trick/results/scans/_quick_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Jan 21 18:30:21 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/simon/htb/trick/results/scans/_quick_tcp_nmap.txt -oX /home/simon/htb/trick/results/scans/xml/_quick_tcp_nmap.xml 10.129.227.180
Nmap scan report for trick.htb (10.129.227.180)
Host is up, received user-set (0.024s latency).
Scanned at 2023-01-21 18:30:21 UTC for 597s
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 61ff293b36bd9dacfbde1f56884cae2d (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5Rh57OmAndXFukHce0Tr4BL8CWC8yACwWdu8VZcBPGuMUH8VkvzqseeC8MYxt5SPL1aJmAsZSgOUreAJNlYNBBKjMoFwyDdArWhqDThlgBf6aqwqMRo3XWIcbQOBkrisgqcPnRKlwh+vqArsj5OAZaUq8zs7Q3elE6HrDnj779JHCc5eba+DR+Cqk1u4JxfC6mGsaNMAXoaRKsAYlwf4Yjhonl6A6MkWszz7t9q5r2bImuYAC0cvgiHJdgLcr0WJh+lV8YIkPyya1vJFp1gN4Pg7I6CmMaiWSMgSem5aVlKmrLMX10MWhewnyuH2ekMFXUKJ8wv4DgifiAIvd6AGR
| 256 9ecdf2406196ea21a6ce2602af759a78 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAoXvyMKuWhQvWx52EFXK9ytX/pGmjZptG8Kb+DOgKcGeBgGPKX3ZpryuGR44av0WnKP0gnRLWk7UCbqY3mxXU0=
| 256 7293f91158de34ad12b54b4a7364b970 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGY1WZWn9xuvXhfxFFm82J9eRGNYJ9NnfzECUm0faUXm
25/tcp open smtp? syn-ack
|_smtp-commands: Couldn't establish connection on port 25
53/tcp open domain syn-ack ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid:
|_ bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open http syn-ack nginx 1.14.2
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
|_http-title: Coming Soon - Start Bootstrap Theme
|_http-server-header: nginx/1.14.2
| http-methods:
|_ Supported Methods: GET HEAD
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 21 18:40:18 2023 -- 1 IP address (1 host up) scanned in 596.60 seconds
```


@@ -0,0 +1,72 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/simon/htb/trick/results/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/simon/htb/trick/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml" 10.129.227.180
```
[/home/simon/htb/trick/results/scans/tcp22/tcp_22_ssh_nmap.txt](file:///home/simon/htb/trick/results/scans/tcp22/tcp_22_ssh_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Jan 21 18:40:18 2023 as: nmap -vv --reason -Pn -T4 -sV -p 22 --script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/simon/htb/trick/results/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/simon/htb/trick/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml 10.129.227.180
Nmap scan report for trick.htb (10.129.227.180)
Host is up, received user-set (0.021s latency).
Scanned at 2023-01-21 18:40:19 UTC for 2s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 61ff293b36bd9dacfbde1f56884cae2d (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5Rh57OmAndXFukHce0Tr4BL8CWC8yACwWdu8VZcBPGuMUH8VkvzqseeC8MYxt5SPL1aJmAsZSgOUreAJNlYNBBKjMoFwyDdArWhqDThlgBf6aqwqMRo3XWIcbQOBkrisgqcPnRKlwh+vqArsj5OAZaUq8zs7Q3elE6HrDnj779JHCc5eba+DR+Cqk1u4JxfC6mGsaNMAXoaRKsAYlwf4Yjhonl6A6MkWszz7t9q5r2bImuYAC0cvgiHJdgLcr0WJh+lV8YIkPyya1vJFp1gN4Pg7I6CmMaiWSMgSem5aVlKmrLMX10MWhewnyuH2ekMFXUKJ8wv4DgifiAIvd6AGR
| 256 9ecdf2406196ea21a6ce2602af759a78 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAoXvyMKuWhQvWx52EFXK9ytX/pGmjZptG8Kb+DOgKcGeBgGPKX3ZpryuGR44av0WnKP0gnRLWk7UCbqY3mxXU0=
| 256 7293f91158de34ad12b54b4a7364b970 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGY1WZWn9xuvXhfxFFm82J9eRGNYJ9NnfzECUm0faUXm
| ssh2-enum-algos:
| kex_algorithms: (10)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| diffie-hellman-group14-sha256
| diffie-hellman-group14-sha1
| server_host_key_algorithms: (5)
| rsa-sha2-512
| rsa-sha2-256
| ssh-rsa
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (6)
| chacha20-poly1305@openssh.com
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| mac_algorithms: (10)
| umac-64-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-64@openssh.com
| umac-128@openssh.com
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
|_banner: SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 21 18:40:21 2023 -- 1 IP address (1 host up) scanned in 2.84 seconds
```
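Review bot: The `ssh2-enum-algos` output lists SHA-1 based choices next to the modern ones, and the results are committed without a finding attached. These are `diffie-hellman-group14-sha1` under kex, `ssh-rsa` under host key algorithms, and `hmac-sha1`, `hmac-sha1-etm@openssh.com` and the 64-bit `umac-64` variants under MACs; `ssh-auth-methods` also shows `password` enabled. For a hardening write-up, the remediation is to restrict `KexAlgorithms`, `HostKeyAlgorithms` and `MACs` in `sshd_config` to the SHA-2 and curve25519 entries already offered, and to set `PasswordAuthentication no` where key-based login is feasible. A short summary line above the raw output would save readers from extracting this from 40 lines of algorithm names.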


@@ -0,0 +1,21 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 25 --script="banner,(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/htb/trick/results/scans/tcp25/tcp_25_smtp_nmap.txt" -oX "/home/simon/htb/trick/results/scans/tcp25/xml/tcp_25_smtp_nmap.xml" 10.129.227.180
```
[/home/simon/htb/trick/results/scans/tcp25/tcp_25_smtp_nmap.txt](file:///home/simon/htb/trick/results/scans/tcp25/tcp_25_smtp_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Jan 21 18:40:18 2023 as: nmap -vv --reason -Pn -T4 -sV -p 25 "--script=banner,(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/htb/trick/results/scans/tcp25/tcp_25_smtp_nmap.txt -oX /home/simon/htb/trick/results/scans/tcp25/xml/tcp_25_smtp_nmap.xml 10.129.227.180
Nmap scan report for trick.htb (10.129.227.180)
Host is up, received user-set (0.035s latency).
Scanned at 2023-01-21 18:40:19 UTC for 328s
PORT STATE SERVICE REASON VERSION
25/tcp open smtp? syn-ack
|_smtp-commands: Couldn't establish connection on port 25
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 21 18:45:47 2023 -- 1 IP address (1 host up) scanned in 329.52 seconds
```

View File

@@ -0,0 +1,37 @@
```bash
hydra smtp-enum://10.129.227.180:25/vrfy -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" 2>&1
```
[/home/simon/htb/trick/results/scans/tcp25/tcp_25_smtp_user-enum_hydra_vrfy.txt](file:///home/simon/htb/trick/results/scans/tcp25/tcp_25_smtp_user-enum_hydra_vrfy.txt):
```
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-21 18:40:18
[DATA] max 16 tasks per 1 server, overall 16 tasks, 17 login tries (l:17/p:1), ~2 tries per task
[DATA] attacking smtp-enum://10.129.227.180:25/vrfy
[25][smtp-enum] host: 10.129.227.180 login: root
[25][smtp-enum] host: 10.129.227.180 login: mysql
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-21 18:40:39
```
```bash
hydra smtp-enum://10.129.227.180:25/expn -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" 2>&1
```
[/home/simon/htb/trick/results/scans/tcp25/tcp_25_smtp_user-enum_hydra_expn.txt](file:///home/simon/htb/trick/results/scans/tcp25/tcp_25_smtp_user-enum_hydra_expn.txt):
```
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-21 18:40:39
[DATA] max 16 tasks per 1 server, overall 16 tasks, 17 login tries (l:17/p:1), ~2 tries per task
[DATA] attacking smtp-enum://10.129.227.180:25/expn
[ERROR] command is disabled on the server (choose different method): 502 5.5.2 Error: command not recognized
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-21 18:41:00
```
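Review bot: Hydra's summary line `2 valid passwords found` in the VRFY transcript is misleading, because the smtp-enum module reports account names (`root` and `mysql` here), not passwords; a one-line annotation under the output would prevent misreading. The defensive finding is that VRFY is answered for unauthenticated clients while EXPN is rejected with `502 5.5.2`. If the MTA is Postfix (the reply format suggests it, but no banner is shown on this page), `disable_vrfy_command = yes` closes the enumeration path. The nmap run against the same port in this commit reported `Couldn't establish connection on port 25`, so the two results should be reconciled before the service is described in a report.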


@@ -0,0 +1,38 @@
```bash
dig -p 53 -x 10.129.227.180 @10.129.227.180
```
[/home/simon/htb/trick/results/scans/tcp53/tcp_53_dns_reverse-lookup.txt](file:///home/simon/htb/trick/results/scans/tcp53/tcp_53_dns_reverse-lookup.txt):
```
; <<>> DiG 9.18.10-2-Debian <<>> -p 53 -x 10.129.227.180 @10.129.227.180
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2715
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 63e094b751cb83e696be7bd063cc3195d664dedba48aae71 (good)
;; QUESTION SECTION:
;180.227.129.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
180.227.129.10.in-addr.arpa. 604800 IN PTR trick.htb.
;; AUTHORITY SECTION:
227.129.10.in-addr.arpa. 604800 IN NS trick.htb.
;; ADDITIONAL SECTION:
trick.htb. 604800 IN A 127.0.0.1
trick.htb. 604800 IN AAAA ::1
;; Query time: 47 msec
;; SERVER: 10.129.227.180#53(10.129.227.180) (UDP)
;; WHEN: Sat Jan 21 18:40:18 UTC 2023
;; MSG SIZE rcvd: 165
```


@@ -0,0 +1,43 @@
```bash
dig AXFR -p 53 @10.129.227.180 trick.htb
```
[/home/simon/htb/trick/results/scans/tcp53/tcp_53_dns_zone-transfer-domain.txt](file:///home/simon/htb/trick/results/scans/tcp53/tcp_53_dns_zone-transfer-domain.txt):
```
; <<>> DiG 9.18.10-2-Debian <<>> AXFR -p 53 @10.129.227.180 trick.htb
; (1 server found)
;; global options: +cmd
trick.htb. 604800 IN SOA trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb. 604800 IN NS trick.htb.
trick.htb. 604800 IN A 127.0.0.1
trick.htb. 604800 IN AAAA ::1
preprod-payroll.trick.htb. 604800 IN CNAME trick.htb.
trick.htb. 604800 IN SOA trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
;; Query time: 47 msec
;; SERVER: 10.129.227.180#53(10.129.227.180) (TCP)
;; WHEN: Sat Jan 21 18:40:18 UTC 2023
;; XFR size: 6 records (messages 1, bytes 231)
```
```bash
dig AXFR -p 53 @10.129.227.180
```
[/home/simon/htb/trick/results/scans/tcp53/tcp_53_dns_zone-transfer.txt](file:///home/simon/htb/trick/results/scans/tcp53/tcp_53_dns_zone-transfer.txt):
```
; <<>> DiG 9.18.10-2-Debian <<>> AXFR -p 53 @10.129.227.180
; (1 server found)
;; global options: +cmd
;; Query time: 23 msec
;; SERVER: 10.129.227.180#53(10.129.227.180) (UDP)
;; WHEN: Sat Jan 21 18:40:18 UTC 2023
;; MSG SIZE rcvd: 56
```
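Review bot: The first transcript shows the server answering an AXFR for `trick.htb` from an arbitrary client and returning the whole zone, including the otherwise unlisted `preprod-payroll.trick.htb` CNAME; that is the finding of this file and it is committed without comment. The service is identified elsewhere in the commit as ISC BIND 9.11.5, where the fix is an `allow-transfer` ACL limited to the secondary name servers, or `allow-transfer { none; };` when there are none. The second query, issued without a zone name, returned no records and adds nothing to the evidence, so it could be dropped or labelled as a negative result.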


@@ -0,0 +1,12 @@
```bash
dnsrecon -n 10.129.227.180 -d trick.htb 2>&1
```
[/home/simon/htb/trick/results/scans/tcp53/tcp_53_dnsrecon_default.txt](file:///home/simon/htb/trick/results/scans/tcp53/tcp_53_dnsrecon_default.txt):
```
[*] std: Performing General Enumeration against: trick.htb...
[-] Could not resolve domain: trick.htb
```


@@ -0,0 +1,31 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/htb/trick/results/scans/tcp53/tcp_53_dns_nmap.txt" -oX "/home/simon/htb/trick/results/scans/tcp53/xml/tcp_53_dns_nmap.xml" 10.129.227.180
```
[/home/simon/htb/trick/results/scans/tcp53/tcp_53_dns_nmap.txt](file:///home/simon/htb/trick/results/scans/tcp53/tcp_53_dns_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Jan 21 18:40:18 2023 as: nmap -vv --reason -Pn -T4 -sV -p 53 "--script=banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/htb/trick/results/scans/tcp53/tcp_53_dns_nmap.txt -oX /home/simon/htb/trick/results/scans/tcp53/xml/tcp_53_dns_nmap.xml 10.129.227.180
Nmap scan report for trick.htb (10.129.227.180)
Host is up, received user-set (0.021s latency).
Scanned at 2023-01-21 18:40:20 UTC for 455s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid:
|_ bind.version: 9.11.5-P4-5.1+deb10u7-Debian
| dns-nsec-enum:
|_ No NSEC records found
| dns-nsec3-enum:
|_ DNSSEC NSEC3 not supported
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| dns-brute:
|_ DNS Brute-force hostnames: No results.
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 21 18:47:55 2023 -- 1 IP address (1 host up) scanned in 457.45 seconds
```
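Review bot: `dns-brute` appears under `Host script results` even though the script expression excludes the `brute` category. The `dns*` wildcard selects by script name, and dns-brute is, as far as I recall, categorised as intrusive/discovery rather than brute, so the category filter does not catch it. If hostname guessing is outside the agreed scope, name the script in the exclusion explicitly, e.g. `and not (brute or broadcast or dos or external or fuzzer or dns-brute)`. The 455 s runtime for a single port is probably dominated by that script.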


@@ -0,0 +1,9 @@
```bash
gobuster dns -d trick.htb -r 10.129.227.180 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -o "/home/simon/htb/trick/results/scans/tcp53/tcp_53_trick.htb_subdomains_subdomains-top1million-110000.txt"
```
[/home/simon/htb/trick/results/scans/tcp53/tcp_53_trick.htb_subdomains_subdomains-top1million-110000.txt](file:///home/simon/htb/trick/results/scans/tcp53/tcp_53_trick.htb_subdomains_subdomains-top1million-110000.txt):
```
```


@@ -0,0 +1,3 @@
```bash
curl -sSikf http://10.129.227.180:80/robots.txt
```


@@ -0,0 +1,102 @@
```bash
curl -sSik http://10.129.227.180:80/
```
[/home/simon/htb/trick/results/scans/tcp80/tcp_80_http_curl.html](file:///home/simon/htb/trick/results/scans/tcp80/tcp_80_http_curl.html):
```
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sat, 21 Jan 2023 18:40:21 GMT
Content-Type: text/html
Content-Length: 5480
Last-Modified: Wed, 23 Mar 2022 16:34:04 GMT
Connection: keep-alive
ETag: "623b4bfc-1568"
Accept-Ranges: bytes
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
<meta name="description" content="" />
<meta name="author" content="" />
<title>Coming Soon - Start Bootstrap Theme</title>
<link rel="icon" type="image/x-icon" href="assets/favicon.ico" />
<!-- Font Awesome icons (free version)-->
<script src="https://use.fontawesome.com/releases/v6.1.0/js/all.js" crossorigin="anonymous"></script>
<!-- Google fonts-->
<link rel="preconnect" href="https://fonts.gstatic.com" />
<link href="https://fonts.googleapis.com/css2?family=Tinos:ital,wght@0,400;0,700;1,400;1,700&amp;display=swap" rel="stylesheet" />
<link href="https://fonts.googleapis.com/css2?family=DM+Sans:ital,wght@0,400;0,500;0,700;1,400;1,500;1,700&amp;display=swap" rel="stylesheet" />
<!-- Core theme CSS (includes Bootstrap)-->
<link href="css/styles.css" rel="stylesheet" />
</head>
<body>
<!-- Background Video-->
<video class="bg-video" playsinline="playsinline" autoplay="autoplay" muted="muted" loop="loop"><source src="assets/mp4/bg.mp4" type="video/mp4" /></video>
<!-- Masthead-->
<div class="masthead">
<div class="masthead-content text-white">
<div class="container-fluid px-4 px-lg-0">
<h1 class="fst-italic lh-1 mb-4">Our Website is Coming Soon</h1>
<p class="mb-5">We're working hard to finish the development of this site. Sign up below to receive updates and to be notified when we launch!</p>
<!-- * * * * * * * * * * * * * * *-->
<!-- * * SB Forms Contact Form * *-->
<!-- * * * * * * * * * * * * * * *-->
<!-- This form is pre-integrated with SB Forms.-->
<!-- To make this form functional, sign up at-->
<!-- https://startbootstrap.com/solution/contact-forms-->
<!-- to get an API token!-->
<form id="contactForm" data-sb-form-api-token="API_TOKEN">
<!-- Email address input-->
<div class="row input-group-newsletter">
<div class="col"><input class="form-control" id="email" type="email" placeholder="Enter email address..." aria-label="Enter email address..." data-sb-validations="required,email" /></div>
<div class="col-auto"><button class="btn btn-primary disabled" id="submitButton" type="submit">Notify Me!</button></div>
</div>
<div class="invalid-feedback mt-2" data-sb-feedback="email:required">An email is required.</div>
<div class="invalid-feedback mt-2" data-sb-feedback="email:email">Email is not valid.</div>
<!-- Submit success message-->
<!---->
<!-- This is what your users will see when the form-->
<!-- has successfully submitted-->
<div class="d-none" id="submitSuccessMessage">
<div class="text-center mb-3 mt-2">
<div class="fw-bolder">Form submission successful!</div>
To activate this form, sign up at
<br />
<a href="https://startbootstrap.com/solution/contact-forms">https://startbootstrap.com/solution/contact-forms</a>
</div>
</div>
<!-- Submit error message-->
<!---->
<!-- This is what your users will see when there is-->
<!-- an error submitting the form-->
<div class="d-none" id="submitErrorMessage"><div class="text-center text-danger mb-3 mt-2">Error sending message!</div></div>
</form>
</div>
</div>
</div>
<!-- Social Icons-->
<!-- For more icon options, visit https://fontawesome.com/icons?d=gallery&p=2&s=brands-->
<div class="social-icons">
<div class="d-flex flex-row flex-lg-column justify-content-center align-items-center h-100 mt-3 mt-lg-0">
<a class="btn btn-dark m-3" href="#!"><i class="fab fa-twitter"></i></a>
<a class="btn btn-dark m-3" href="#!"><i class="fab fa-facebook-f"></i></a>
<a class="btn btn-dark m-3" href="#!"><i class="fab fa-instagram"></i></a>
</div>
</div>
<!-- Bootstrap core JS-->
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js"></script>
<!-- Core theme JS-->
<script src="js/scripts.js"></script>
<!-- * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *-->
<!-- * * SB Forms JS * *-->
<!-- * * Activate your form at https://startbootstrap.com/solution/contact-forms * *-->
<!-- * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *-->
<script src="https://cdn.startbootstrap.com/sb-forms-latest.js"></script>
</body>
</html>
```
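Review bot: The captured response carries no `Content-Security-Policy`, `X-Content-Type-Options` or `X-Frame-Options` header, and the page loads three scripts from third-party hosts without an `integrity` attribute; `https://cdn.startbootstrap.com/sb-forms-latest.js` is additionally an unpinned `latest` URL. These are the observations a defender would record from this capture, and none of them is noted alongside it. The `Server: nginx/1.14.2` header discloses the exact version, which `server_tokens off;` would suppress. The placeholder `data-sb-form-api-token="API_TOKEN"` indicates the sign-up form is not wired to a backend, which is worth stating so readers do not treat it as an input surface.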


@@ -0,0 +1,22 @@
```bash
feroxbuster -u http://10.129.227.180:80/ -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -q -e -o "/home/simon/htb/trick/results/scans/tcp80/tcp_80_http_feroxbuster_directory-list-2.3-medium.txt"
```
[/home/simon/htb/trick/results/scans/tcp80/tcp_80_http_feroxbuster_directory-list-2.3-medium.txt](file:///home/simon/htb/trick/results/scans/tcp80/tcp_80_http_feroxbuster_directory-list-2.3-medium.txt):
```
200 GET 83l 475w 5480c http://10.129.227.180/index.html
200 GET 8l 29w 23462c http://10.129.227.180/assets/favicon.ico
200 GET 7l 36w 321c http://10.129.227.180/js/scripts.js
403 GET 7l 10w 169c http://10.129.227.180/css/
301 GET 7l 12w 185c http://10.129.227.180/assets/img => http://10.129.227.180/assets/img/
403 GET 7l 10w 169c http://10.129.227.180/assets/
200 GET 11431l 21730w 209654c http://10.129.227.180/css/styles.css
200 GET 83l 475w 5480c http://10.129.227.180/
301 GET 7l 12w 185c http://10.129.227.180/assets => http://10.129.227.180/assets/
403 GET 7l 10w 169c http://10.129.227.180/js/
301 GET 7l 12w 185c http://10.129.227.180/css => http://10.129.227.180/css/
301 GET 7l 12w 185c http://10.129.227.180/js => http://10.129.227.180/js/
301 GET 7l 12w 185c http://10.129.227.180/assets/mp4 => http://10.129.227.180/assets/mp4/
```


@@ -0,0 +1,3 @@
```bash
curl -sSikf http://10.129.227.180:80/.well-known/security.txt
```


@@ -0,0 +1,114 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/htb/trick/results/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/htb/trick/results/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.227.180
```
[/home/simon/htb/trick/results/scans/tcp80/tcp_80_http_nmap.txt](file:///home/simon/htb/trick/results/scans/tcp80/tcp_80_http_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Jan 21 18:40:18 2023 as: nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/simon/htb/trick/results/scans/tcp80/tcp_80_http_nmap.txt -oX /home/simon/htb/trick/results/scans/tcp80/xml/tcp_80_http_nmap.xml 10.129.227.180
Nmap scan report for trick.htb (10.129.227.180)
Host is up, received user-set (0.026s latency).
Scanned at 2023-01-21 18:40:20 UTC for 56s
Bug in http-security-headers: no string output.
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack nginx 1.14.2
| http-sitemap-generator:
| Directory structure:
| /
| Other: 1
| /assets/
| ico: 1
| /assets/mp4/
| mp4: 1
| /css/
| css: 1
| /js/
| js: 1
| Longest directory structure:
| Depth: 2
| Dir: /assets/mp4/
| Total files found (by extension):
|_ Other: 1; css: 1; ico: 1; js: 1; mp4: 1
|_http-errors: Couldn't find any error pages.
|_http-feed: Couldn't find any feeds.
| http-php-version: Logo query returned unknown hash e716b8bf5e0fdacb3997e7f14f599386
|_Credits query returned unknown hash e716b8bf5e0fdacb3997e7f14f599386
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
| http-vhosts:
|_128 names had status 200
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
| http-headers:
| Server: nginx/1.14.2
| Date: Sat, 21 Jan 2023 18:40:30 GMT
| Content-Type: text/html
| Content-Length: 5480
| Last-Modified: Wed, 23 Mar 2022 16:34:04 GMT
| Connection: close
| ETag: "623b4bfc-1568"
| Accept-Ranges: bytes
|
|_ (Request type: HEAD)
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-mobileversion-checker: No mobile version detected.
|_http-comments-displayer: Couldn't find any comments.
|_http-date: Sat, 21 Jan 2023 18:40:29 GMT; +2s from local time.
| http-useragent-tester:
| Status for browser useragent: 200
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: CVE:CVE-2011-3192 BID:49303
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011-08-19
| References:
| https://www.tenable.com/plugins/nessus/55976
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
| https://www.securityfocus.com/bid/49303
|_ https://seclists.org/fulldisclosure/2011/Aug/175
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-chrono: Request times for /; avg: 222.14ms; min: 163.13ms; max: 317.35ms
|_http-server-header: nginx/1.14.2
| http-referer-checker:
| Spidering limited to: maxpagecount=30
| https://cdn.jsdelivr.net:443/npm/bootstrap15.1.3/dist/js/bootstrap.bundle.min.js
| https://cdn.startbootstrap.com:443/sb-forms-0.4.1.js
|_ https://use.fontawesome.com:443/releases/v6.1.0/js/all.js
|_http-malware-host: Host appears to be clean
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: Coming Soon - Start Bootstrap Theme
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 21 18:41:16 2023 -- 1 IP address (1 host up) scanned in 57.78 seconds
```
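Review bot: The `http-vuln-cve2011-3192` result is stored here as `State: VULNERABLE` with no annotation, although the same scan identifies the server as `nginx 1.14.2` and the script's own description is of an Apache byterange filter flaw. The finding most likely shows only that the server honours multi-range requests, so it should be recorded as unverified until checked against the software actually running. I would add a line under the output block such as `Note: CVE-2011-3192 is Apache-specific; target reports nginx/1.14.2, so treat as a likely false positive.` to keep it from being carried into a report as confirmed. The same caution applies to `http-vhosts: 128 names had status 200`, which presumably reflects a catch-all default server rather than 128 distinct virtual hosts.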


@@ -0,0 +1,11 @@
```bash
curl -sk -o /dev/null -H "Host: fVtpogeXVjPkPqtnprUj.trick.htb" http://trick.htb:80/ -w "%{size_download}"
``````bash
ffuf -u http://trick.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.trick.htb" -fs 5480 -noninteractive -s | tee "/home/simon/htb/trick/results/scans/tcp80/tcp_80_http_trick.htb_vhosts_subdomains-top1million-110000.txt"
```
[/home/simon/htb/trick/results/scans/tcp80/tcp_80_http_trick.htb_vhosts_subdomains-top1million-110000.txt](file:///home/simon/htb/trick/results/scans/tcp80/tcp_80_http_trick.htb_vhosts_subdomains-top1million-110000.txt):
```
```


@@ -0,0 +1,59 @@
```bash
whatweb --color=never --no-errors -a 3 -v http://10.129.227.180:80 2>&1
```
[/home/simon/htb/trick/results/scans/tcp80/tcp_80_http_whatweb.txt](file:///home/simon/htb/trick/results/scans/tcp80/tcp_80_http_whatweb.txt):
```
WhatWeb report for http://10.129.227.180:80
Status : 200 OK
Title : Coming Soon - Start Bootstrap Theme
IP : 10.129.227.180
Country : RESERVED, ZZ
Summary : Bootstrap, HTML5, HTTPServer[nginx/1.14.2], nginx[1.14.2], Script
Detected Plugins:
[ Bootstrap ]
Bootstrap is an open source toolkit for developing with
HTML, CSS, and JS.
Website : https://getbootstrap.com/
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : nginx/1.14.2 (from server string)
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
[ nginx ]
Nginx (Engine-X) is a free, open-source, high-performance
HTTP server and reverse proxy, as well as an IMAP/POP3
proxy server.
Version : 1.14.2
Website : http://nginx.net/
HTTP Headers:
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sat, 21 Jan 2023 18:40:24 GMT
Content-Type: text/html
Last-Modified: Wed, 23 Mar 2022 16:34:04 GMT
Transfer-Encoding: chunked
Connection: close
ETag: W/"623b4bfc-1568"
Content-Encoding: gzip
```


@@ -0,0 +1,3 @@
```bash
wkhtmltoimage --format png http://10.129.227.180:80/ /home/simon/htb/trick/results/scans/tcp80/tcp_80_http_screenshot.png
```