old htb folders
2023-08-29 21:53:22 +02:00
parent 62ab804867
commit 82b0759f1e
21891 changed files with 6277643 additions and 0 deletions


@@ -0,0 +1,16 @@
[*] ssh found on tcp/22.
[*] http found on tcp/80.
[*] ssh found on tcp/22.
[*] http found on tcp/80.


@@ -0,0 +1,55 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/awkward/results/hat-valley.htb/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/awkward/results/hat-valley.htb/scans/xml/_quick_tcp_nmap.xml" hat-valley.htb
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/awkward/results/hat-valley.htb/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/awkward/results/hat-valley.htb/scans/xml/_full_tcp_nmap.xml" hat-valley.htb
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/kali/htb/awkward/results/hat-valley.htb/scans/_top_100_udp_nmap.txt" -oX "/home/kali/htb/awkward/results/hat-valley.htb/scans/xml/_top_100_udp_nmap.xml" hat-valley.htb
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml" hat-valley.htb
feroxbuster -u http://hat-valley.htb:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
curl -sSikf http://hat-valley.htb:80/.well-known/security.txt
curl -sSikf http://hat-valley.htb:80/robots.txt
curl -sSik http://hat-valley.htb:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/xml/tcp_80_http_nmap.xml" hat-valley.htb
curl -sk -o /dev/null -H "Host: EGBPgNKZlNXXTPPMQaVH.hat-valley.htb" http://hat-valley.htb:80/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://hat-valley.htb:80 2>&1
wkhtmltoimage --format png http://hat-valley.htb:80/ /home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_screenshot.png
ffuf -u http://hat-valley.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.hat-valley.htb" -fs 132 -noninteractive -s | tee "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_hat-valley.htb_vhosts_subdomains-top1million-110000.txt"
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/awkward/results/hat-valley.htb/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/awkward/results/hat-valley.htb/scans/xml/_quick_tcp_nmap.xml" hat-valley.htb
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/awkward/results/hat-valley.htb/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/awkward/results/hat-valley.htb/scans/xml/_full_tcp_nmap.xml" hat-valley.htb
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/kali/htb/awkward/results/hat-valley.htb/scans/_top_100_udp_nmap.txt" -oX "/home/kali/htb/awkward/results/hat-valley.htb/scans/xml/_top_100_udp_nmap.xml" hat-valley.htb
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml" hat-valley.htb
feroxbuster -u http://hat-valley.htb:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
curl -sSikf http://hat-valley.htb:80/.well-known/security.txt
curl -sSikf http://hat-valley.htb:80/robots.txt
curl -sSik http://hat-valley.htb:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/xml/tcp_80_http_nmap.xml" hat-valley.htb
curl -sk -o /dev/null -H "Host: huCKKYPfSgpWqvlEZXkR.hat-valley.htb" http://hat-valley.htb:80/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://hat-valley.htb:80 2>&1
wkhtmltoimage --format png http://hat-valley.htb:80/ /home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_screenshot.png
ffuf -u http://hat-valley.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.hat-valley.htb" -fs 132 -noninteractive -s | tee "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_hat-valley.htb_vhosts_subdomains-top1million-110000.txt"
```
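Review bot: Every command in this log appears twice (the block starting at the first `nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess` line is repeated verbatim lower down), and every output path is the absolute `/home/kali/htb/awkward/results/hat-valley.htb/scans/...` of one workstation, so the file records two appended runs rather than a reproducible scan set. The same doubling is visible in the pattern-log section above and the manual-commands section below, and the feroxbuster section lists two separate wildcard probes. If these results are meant to be kept, consider committing only the curated notes and ignoring the generated `results/` tree in `.gitignore`, or at least truncating the log before a rerun so each committed file reflects a single run. This is a generated tool log, so no change to its lines is proposed.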


@@ -0,0 +1,67 @@
```bash
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://hat-valley.htb
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h hat-valley.htb
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://hat-valley.htb:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://hat-valley.htb/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h hat-valley.htb -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://hat-valley.htb/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h hat-valley.htb -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://hat-valley.htb:80 2>&1 | tee "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://hat-valley.htb:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_wpscan.txt"
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://hat-valley.htb
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h hat-valley.htb
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://hat-valley.htb:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://hat-valley.htb/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h hat-valley.htb -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://hat-valley.htb/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h hat-valley.htb -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://hat-valley.htb:80 2>&1 | tee "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://hat-valley.htb:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_wpscan.txt"
```


@@ -0,0 +1,8 @@
Matched Pattern: Powered-By: Express
Identified HTTP Server: nginx/1.18.0 (Ubuntu)
Matched Pattern: Powered-By: Express
Identified HTTP Server: nginx/1.18.0 (Ubuntu)


@@ -0,0 +1,70 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/awkward/results/hat-valley.htb/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/awkward/results/hat-valley.htb/scans/xml/_full_tcp_nmap.xml" hat-valley.htb
```
[/home/kali/htb/awkward/results/hat-valley.htb/scans/_full_tcp_nmap.txt](file:///home/kali/htb/awkward/results/hat-valley.htb/scans/_full_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Tue Feb 7 23:44:43 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/kali/htb/awkward/results/hat-valley.htb/scans/_full_tcp_nmap.txt -oX /home/kali/htb/awkward/results/hat-valley.htb/scans/xml/_full_tcp_nmap.xml hat-valley.htb
adjust_timeouts2: packet supposedly had rtt of -426957 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -426957 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -432244 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -432244 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -434168 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -434168 microseconds. Ignoring time.
Nmap scan report for hat-valley.htb (10.10.11.185)
Host is up, received user-set (0.032s latency).
rDNS record for 10.10.11.185: awkward.htb
Scanned at 2023-02-07 23:44:44 CET for 56s
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 7254afbaf6e2835941b7cd611c2f418b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCMaN1wQtPg5uk2w3xD0d0ND6JQgzw40PoqCSBDGB7Q0/f5lQSGU2eSTw4uCdL99hdM/+Uv84ffp2tNkCXyV8l8=
| 256 59365bba3c7821e326b37d23605aec38 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsq9sSC1uhq5CBWylh+yiC7jz4tuegMj/4FVTp6bzZy
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-title: Hat Valley
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 56BF0DDEA4641BFDDD743E1B04149554
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
Aggressive OS guesses: Linux 4.15 - 5.6 (93%), Linux 5.3 - 5.4 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Linux 2.6.32 (92%), Linux 5.0 - 5.3 (92%), Linux 3.1 (91%), Linux 3.2 (91%), Linux 5.0 (90%), Crestron XPanel control system (90%), Linux 5.0 - 5.4 (90%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=2/7%OT=22%CT=1%CU=%PV=Y%DS=2%DC=T%G=N%TM=63E2D494%P=x86_64-pc-linux-gnu)
SEQ(SP=107%GCD=1%ISR=10C%TI=Z%CI=Z%TS=A)
SEQ(SP=107%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)
OPS(O1=M54BST11NW7%O2=M54BST11NW7%O3=M54BNNT11NW7%O4=M54BST11NW7%O5=M54BST11NW7%O6=M54BST11)
WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M54BNNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=N)
T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 45.425 days (since Sat Dec 24 13:34:05 2022)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 29.03 ms 10.10.16.1
2 52.62 ms awkward.htb (10.10.11.185)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 7 23:45:40 2023 -- 1 IP address (1 host up) scanned in 56.65 seconds
```


@@ -0,0 +1,53 @@
```bash
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/kali/htb/awkward/results/hat-valley.htb/scans/_top_100_udp_nmap.txt" -oX "/home/kali/htb/awkward/results/hat-valley.htb/scans/xml/_top_100_udp_nmap.xml" hat-valley.htb
```
[/home/kali/htb/awkward/results/hat-valley.htb/scans/_top_100_udp_nmap.txt](file:///home/kali/htb/awkward/results/hat-valley.htb/scans/_top_100_udp_nmap.txt):
```
# Nmap 7.93 scan initiated Tue Feb 7 23:44:43 2023 as: nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN /home/kali/htb/awkward/results/hat-valley.htb/scans/_top_100_udp_nmap.txt -oX /home/kali/htb/awkward/results/hat-valley.htb/scans/xml/_top_100_udp_nmap.xml hat-valley.htb
Warning: 10.10.11.185 giving up on port because retransmission cap hit (6).
Increasing send delay for 10.10.11.185 from 100 to 200 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.10.11.185 from 200 to 400 due to 11 out of 13 dropped probes since last increase.
Increasing send delay for 10.10.11.185 from 400 to 800 due to 11 out of 11 dropped probes since last increase.
Nmap scan report for hat-valley.htb (10.10.11.185)
Host is up, received user-set (0.040s latency).
rDNS record for 10.10.11.185: awkward.htb
Scanned at 2023-02-07 23:44:44 CET for 244s
Not shown: 87 closed udp ports (port-unreach)
PORT STATE SERVICE REASON VERSION
17/udp open|filtered qotd no-response
19/udp open|filtered chargen no-response
68/udp open|filtered dhcpc no-response
136/udp open|filtered profile no-response
137/udp open|filtered netbios-ns no-response
999/udp open|filtered applix no-response
5000/udp open|filtered upnp no-response
5060/udp open|filtered sip no-response
5353/udp open|filtered zeroconf no-response
20031/udp open|filtered bakbonenetvault no-response
33281/udp open|filtered unknown no-response
49152/udp open|filtered unknown no-response
49186/udp open|filtered unknown no-response
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=2/7%OT=%CT=%CU=7%PV=Y%DS=2%DC=T%G=N%TM=63E2D550%P=x86_64-pc-linux-gnu)
SEQ(CI=Z%II=I)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
TRACEROUTE (using port 518/udp)
HOP RTT ADDRESS
1 32.44 ms 10.10.16.1
2 32.45 ms awkward.htb (10.10.11.185)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 7 23:48:48 2023 -- 1 IP address (1 host up) scanned in 245.28 seconds
```


@@ -0,0 +1,73 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/awkward/results/hat-valley.htb/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/awkward/results/hat-valley.htb/scans/xml/_quick_tcp_nmap.xml" hat-valley.htb
```
[/home/kali/htb/awkward/results/hat-valley.htb/scans/_quick_tcp_nmap.txt](file:///home/kali/htb/awkward/results/hat-valley.htb/scans/_quick_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Tue Feb 7 23:44:43 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/htb/awkward/results/hat-valley.htb/scans/_quick_tcp_nmap.txt -oX /home/kali/htb/awkward/results/hat-valley.htb/scans/xml/_quick_tcp_nmap.xml hat-valley.htb
adjust_timeouts2: packet supposedly had rtt of -447742 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -447742 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -560595 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -560595 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -190646 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -190646 microseconds. Ignoring time.
Nmap scan report for hat-valley.htb (10.10.11.185)
Host is up, received user-set (0.043s latency).
rDNS record for 10.10.11.185: awkward.htb
Scanned at 2023-02-07 23:44:44 CET for 28s
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 7254afbaf6e2835941b7cd611c2f418b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCMaN1wQtPg5uk2w3xD0d0ND6JQgzw40PoqCSBDGB7Q0/f5lQSGU2eSTw4uCdL99hdM/+Uv84ffp2tNkCXyV8l8=
| 256 59365bba3c7821e326b37d23605aec38 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsq9sSC1uhq5CBWylh+yiC7jz4tuegMj/4FVTp6bzZy
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Hat Valley
|_http-favicon: Unknown favicon MD5: 56BF0DDEA4641BFDDD743E1B04149554
|_http-server-header: nginx/1.18.0 (Ubuntu)
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
Aggressive OS guesses: AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Linux 4.15 - 5.6 (92%), Linux 5.3 - 5.4 (91%), Linux 2.6.32 (91%), Linux 5.0 - 5.3 (91%), Linux 3.1 (89%), Linux 3.2 (89%), Linux 5.0 (89%), Linux 5.0 - 5.4 (89%), Crestron XPanel control system (88%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=2/7%OT=22%CT=1%CU=%PV=Y%DS=2%DC=T%G=N%TM=63E2D478%P=x86_64-pc-linux-gnu)
SEQ(SP=107%GCD=1%ISR=10A%TI=Z%TS=A)
SEQ(SP=106%GCD=1%ISR=10A%TI=Z%CI=Z%TS=A)
OPS(O1=M54BST11NW7%O2=M54BST11NW7%O3=M54BNNT11NW7%O4=M54BST11NW7%O5=M54BST11NW7%O6=M54BST11)
WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
ECN(R=N)
ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M54BNNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=N)
T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)
T6(R=N)
T6(R=Y%DF=Y%TG=40%W=0%S=O%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=N)
IE(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 45.424 days (since Sat Dec 24 13:34:05 2022)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 8888/tcp)
HOP RTT ADDRESS
1 40.62 ms 10.10.16.1
2 40.69 ms awkward.htb (10.10.11.185)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 7 23:45:12 2023 -- 1 IP address (1 host up) scanned in 29.31 seconds
```


@@ -0,0 +1,70 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml" hat-valley.htb
```
[/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp22/tcp_22_ssh_nmap.txt](file:///home/kali/htb/awkward/results/hat-valley.htb/scans/tcp22/tcp_22_ssh_nmap.txt):
```
# Nmap 7.93 scan initiated Tue Feb 7 23:45:13 2023 as: nmap -vv --reason -Pn -T4 -sV -p 22 --script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/kali/htb/awkward/results/hat-valley.htb/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/kali/htb/awkward/results/hat-valley.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml hat-valley.htb
Nmap scan report for hat-valley.htb (10.10.11.185)
Host is up, received user-set (0.041s latency).
rDNS record for 10.10.11.185: awkward.htb
Scanned at 2023-02-07 23:45:13 CET for 2s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 7254afbaf6e2835941b7cd611c2f418b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCMaN1wQtPg5uk2w3xD0d0ND6JQgzw40PoqCSBDGB7Q0/f5lQSGU2eSTw4uCdL99hdM/+Uv84ffp2tNkCXyV8l8=
| 256 59365bba3c7821e326b37d23605aec38 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsq9sSC1uhq5CBWylh+yiC7jz4tuegMj/4FVTp6bzZy
|_banner: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
| ssh2-enum-algos:
| kex_algorithms: (10)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| sntrup761x25519-sha512@openssh.com
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| diffie-hellman-group14-sha256
| server_host_key_algorithms: (4)
| rsa-sha2-512
| rsa-sha2-256
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (6)
| chacha20-poly1305@openssh.com
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| mac_algorithms: (10)
| umac-64-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-64@openssh.com
| umac-128@openssh.com
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 7 23:45:15 2023 -- 1 IP address (1 host up) scanned in 2.35 seconds
```


@@ -0,0 +1,73 @@
```bash
curl -sSikf http://hat-valley.htb:80/robots.txt
```
[/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_curl-robots.txt](file:///home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_curl-robots.txt):
```
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 07 Feb 2023 22:45:14 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 2881
Connection: keep-alive
X-Powered-By: Express
Accept-Ranges: bytes
ETag: W/"b41-tn8t3x3qcvcm126OQ/i0AXwBj8M"
<!DOCTYPE html>
<html lang="">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<link rel = "stylesheet" href = "/css/main.css">
<link rel="stylesheet" href="/css/bootstrap.min.css">
<!-- style css -->
<link rel="stylesheet" href="/css/style.css">
<!-- Responsive-->
<link rel="stylesheet" href="/css/responsive.css">
<!-- fevicon -->
<link rel="icon" href="/static/blue.png" type="image/png" />
<!-- Scrollbar Custom CSS -->
<link rel="stylesheet" href="/css/jquery.mCustomScrollbar.min.css">
<!-- Tweaks for older IEs-->
<link rel="stylesheet" href="/css/font-awesome.css">
<link rel="stylesheet" href="/css/jquery.fancybox.min.css" media="screen">
<link rel="stylesheet" href="/static/vendors/mdi/css/materialdesignicons.min.css">
<link rel="stylesheet" href="/static/vendors/feather/feather.css">
<link rel="stylesheet" href="/static/vendors/base/vendor.bundle.base.css">
<link rel="stylesheet" href="/static/vendors/flag-icon-css/css/flag-icon.min.css">
<link rel="stylesheet" href="/static/vendors/font-awesome/css/font-awesome.min.css">
<link rel="stylesheet" href="/static/vendors/jquery-bar-rating/fontawesome-stars-o.css">
<link rel="stylesheet" href="/static/vendors/jquery-bar-rating/fontawesome-stars.css">
<link rel="stylesheet" href="/static/css/style.css">
<title>Hat Valley</title>
<link href="/js/app.js" rel="preload" as="script"><link href="/js/chunk-vendors.js" rel="preload" as="script"></head>
<body>
<noscript>
<strong>We're sorry but hat-valley doesn't work properly without JavaScript enabled. Please enable it to continue.</strong>
</noscript>
<div id="app"></div>
<!-- built files will be auto injected -->
<script src="/js/jquery.min.js"></script>
<script src="/js/popper.min.js"></script>
<script src="/js/bootstrap.bundle.min.js"></script>
<script src="/js/jquery-3.0.0.min.js"></script>
<script src="/js/plugin.js"></script>
<!-- sidebar -->
<script src="/js/jquery.mCustomScrollbar.concat.min.js"></script>
<script src="/js/custom.js"></script>
<script src="/js/jquery.fancybox.min.js"></script>
<script src="/static/vendors/base/vendor.bundle.base.js"></script>
<script src="/static/js/off-canvas.js"></script>
<script src="/static/js/hoverable-collapse.js"></script>
<script src="/static/js/template.js"></script>
<script src="/static/vendors/chart.js/Chart.min.js"></script>
<script src="/static/vendors/jquery-bar-rating/jquery.barrating.min.js"></script>
<script src="/static/js/dashboard.js"></script>
<script type="text/javascript" src="/js/chunk-vendors.js"></script><script type="text/javascript" src="/js/app.js"></script></body>
</html>
```


@@ -0,0 +1,74 @@
```bash
curl -sSik http://hat-valley.htb:80/
```
[/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_curl.html](file:///home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_curl.html):
```
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 07 Feb 2023 22:45:14 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 2881
Connection: keep-alive
X-Powered-By: Express
Accept-Ranges: bytes
ETag: W/"b41-tn8t3x3qcvcm126OQ/i0AXwBj8M"
<!DOCTYPE html>
<html lang="">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<link rel = "stylesheet" href = "/css/main.css">
<link rel="stylesheet" href="/css/bootstrap.min.css">
<!-- style css -->
<link rel="stylesheet" href="/css/style.css">
<!-- Responsive-->
<link rel="stylesheet" href="/css/responsive.css">
<!-- fevicon -->
<link rel="icon" href="/static/blue.png" type="image/png" />
<!-- Scrollbar Custom CSS -->
<link rel="stylesheet" href="/css/jquery.mCustomScrollbar.min.css">
<!-- Tweaks for older IEs-->
<link rel="stylesheet" href="/css/font-awesome.css">
<link rel="stylesheet" href="/css/jquery.fancybox.min.css" media="screen">
<link rel="stylesheet" href="/static/vendors/mdi/css/materialdesignicons.min.css">
<link rel="stylesheet" href="/static/vendors/feather/feather.css">
<link rel="stylesheet" href="/static/vendors/base/vendor.bundle.base.css">
<link rel="stylesheet" href="/static/vendors/flag-icon-css/css/flag-icon.min.css">
<link rel="stylesheet" href="/static/vendors/font-awesome/css/font-awesome.min.css">
<link rel="stylesheet" href="/static/vendors/jquery-bar-rating/fontawesome-stars-o.css">
<link rel="stylesheet" href="/static/vendors/jquery-bar-rating/fontawesome-stars.css">
<link rel="stylesheet" href="/static/css/style.css">
<title>Hat Valley</title>
<link href="/js/app.js" rel="preload" as="script"><link href="/js/chunk-vendors.js" rel="preload" as="script"></head>
<body>
<noscript>
<strong>We're sorry but hat-valley doesn't work properly without JavaScript enabled. Please enable it to continue.</strong>
</noscript>
<div id="app"></div>
<!-- built files will be auto injected -->
<script src="/js/jquery.min.js"></script>
<script src="/js/popper.min.js"></script>
<script src="/js/bootstrap.bundle.min.js"></script>
<script src="/js/jquery-3.0.0.min.js"></script>
<script src="/js/plugin.js"></script>
<!-- sidebar -->
<script src="/js/jquery.mCustomScrollbar.concat.min.js"></script>
<script src="/js/custom.js"></script>
<script src="/js/jquery.fancybox.min.js"></script>
<script src="/static/vendors/base/vendor.bundle.base.js"></script>
<script src="/static/js/off-canvas.js"></script>
<script src="/static/js/hoverable-collapse.js"></script>
<script src="/static/js/template.js"></script>
<script src="/static/vendors/chart.js/Chart.min.js"></script>
<script src="/static/vendors/jquery-bar-rating/jquery.barrating.min.js"></script>
<script src="/static/js/dashboard.js"></script>
<script type="text/javascript" src="/js/chunk-vendors.js"></script><script type="text/javascript" src="/js/app.js"></script></body>
</html>
```


@@ -0,0 +1,19 @@
```bash
feroxbuster -u http://hat-valley.htb:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
```
[/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt](file:///home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt):
```
WLD GET 54l 163w 2881c Got 200 for http://hat-valley.htb/d24d1944513e4b5d8b7f4f60bcb0210e (url length: 32)
301 GET 10l 16w 173c http://hat-valley.htb/css => http://hat-valley.htb/css/
200 GET 1l 35w 4286c http://hat-valley.htb/favicon.ico
301 GET 10l 16w 171c http://hat-valley.htb/js => http://hat-valley.htb/js/
301 GET 10l 16w 179c http://hat-valley.htb/static => http://hat-valley.htb/static/
WLD GET 54l 163w 2881c Got 200 for http://hat-valley.htb/dda138e55e784b60b2e4c4dcc7ee80f5 (url length: 32)
301 GET 10l 16w 173c http://hat-valley.htb/css => http://hat-valley.htb/css/
200 GET 1l 35w 4286c http://hat-valley.htb/favicon.ico
301 GET 10l 16w 171c http://hat-valley.htb/js => http://hat-valley.htb/js/
301 GET 10l 16w 179c http://hat-valley.htb/static => http://hat-valley.htb/static/
```


@@ -0,0 +1,73 @@
```bash
curl -sSikf http://hat-valley.htb:80/.well-known/security.txt
```
[/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_known-security.txt](file:///home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_known-security.txt):
```
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 07 Feb 2023 22:45:14 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 2881
Connection: keep-alive
X-Powered-By: Express
Accept-Ranges: bytes
ETag: W/"b41-tn8t3x3qcvcm126OQ/i0AXwBj8M"
<!DOCTYPE html>
<html lang="">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<link rel = "stylesheet" href = "/css/main.css">
<link rel="stylesheet" href="/css/bootstrap.min.css">
<!-- style css -->
<link rel="stylesheet" href="/css/style.css">
<!-- Responsive-->
<link rel="stylesheet" href="/css/responsive.css">
<!-- fevicon -->
<link rel="icon" href="/static/blue.png" type="image/png" />
<!-- Scrollbar Custom CSS -->
<link rel="stylesheet" href="/css/jquery.mCustomScrollbar.min.css">
<!-- Tweaks for older IEs-->
<link rel="stylesheet" href="/css/font-awesome.css">
<link rel="stylesheet" href="/css/jquery.fancybox.min.css" media="screen">
<link rel="stylesheet" href="/static/vendors/mdi/css/materialdesignicons.min.css">
<link rel="stylesheet" href="/static/vendors/feather/feather.css">
<link rel="stylesheet" href="/static/vendors/base/vendor.bundle.base.css">
<link rel="stylesheet" href="/static/vendors/flag-icon-css/css/flag-icon.min.css">
<link rel="stylesheet" href="/static/vendors/font-awesome/css/font-awesome.min.css">
<link rel="stylesheet" href="/static/vendors/jquery-bar-rating/fontawesome-stars-o.css">
<link rel="stylesheet" href="/static/vendors/jquery-bar-rating/fontawesome-stars.css">
<link rel="stylesheet" href="/static/css/style.css">
<title>Hat Valley</title>
<link href="/js/app.js" rel="preload" as="script"><link href="/js/chunk-vendors.js" rel="preload" as="script"></head>
<body>
<noscript>
<strong>We're sorry but hat-valley doesn't work properly without JavaScript enabled. Please enable it to continue.</strong>
</noscript>
<div id="app"></div>
<!-- built files will be auto injected -->
<script src="/js/jquery.min.js"></script>
<script src="/js/popper.min.js"></script>
<script src="/js/bootstrap.bundle.min.js"></script>
<script src="/js/jquery-3.0.0.min.js"></script>
<script src="/js/plugin.js"></script>
<!-- sidebar -->
<script src="/js/jquery.mCustomScrollbar.concat.min.js"></script>
<script src="/js/custom.js"></script>
<script src="/js/jquery.fancybox.min.js"></script>
<script src="/static/vendors/base/vendor.bundle.base.js"></script>
<script src="/static/js/off-canvas.js"></script>
<script src="/static/js/hoverable-collapse.js"></script>
<script src="/static/js/template.js"></script>
<script src="/static/vendors/chart.js/Chart.min.js"></script>
<script src="/static/vendors/jquery-bar-rating/jquery.barrating.min.js"></script>
<script src="/static/js/dashboard.js"></script>
<script type="text/javascript" src="/js/chunk-vendors.js"></script><script type="text/javascript" src="/js/app.js"></script></body>
</html>
```


@@ -0,0 +1,92 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/xml/tcp_80_http_nmap.xml" hat-valley.htb
```
[/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_nmap.txt](file:///home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_nmap.txt):
```
# Nmap 7.93 scan initiated Tue Feb 7 23:45:13 2023 as: nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_nmap.txt -oX /home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/xml/tcp_80_http_nmap.xml hat-valley.htb
Nmap scan report for hat-valley.htb (10.10.11.185)
Host is up, received user-set (0.040s latency).
rDNS record for 10.10.11.185: awkward.htb
Scanned at 2023-02-07 23:45:13 CET for 816s
Bug in http-security-headers: no string output.
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-referer-checker: Couldn't find any cross-domain scripts.
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
|_http-chrono: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-devframework: Express detected. Found Express in X-Powered-By Header
| http-sitemap-generator:
| Directory structure:
| Longest directory structure:
| Depth: 0
| Dir: /
| Total files found (by extension):
|_
|_http-date: Tue, 07 Feb 2023 22:45:20 GMT; 0s from local time.
|_http-feed: Couldn't find any feeds.
| http-enum:
| /css/: Potentially interesting folder
|_ /js/: Potentially interesting folder
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-comments-displayer: Couldn't find any comments.
|_http-errors: Couldn't find any error pages.
| http-useragent-tester:
| Status for browser useragent: 200
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
|_http-mobileversion-checker: No mobile version detected.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-title: Hat Valley
| http-php-version: Logo query returned unknown hash eec43f2e72fc1fa2be35d0ba190ea4fd
|_Credits query returned unknown hash eec43f2e72fc1fa2be35d0ba190ea4fd
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-malware-host: Host appears to be clean
|_http-favicon: Unknown favicon MD5: 56BF0DDEA4641BFDDD743E1B04149554
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
| http-vhosts:
|_128 names had status 200
| http-headers:
| Server: nginx/1.18.0 (Ubuntu)
| Date: Tue, 07 Feb 2023 22:45:25 GMT
| Content-Type: text/html; charset=UTF-8
| Content-Length: 2881
| Connection: close
| X-Powered-By: Express
| Accept-Ranges: bytes
| ETag: W/"b41-tn8t3x3qcvcm126OQ/i0AXwBj8M"
|
|_ (Request type: HEAD)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 7 23:58:49 2023 -- 1 IP address (1 host up) scanned in 816.11 seconds
```


@@ -0,0 +1,12 @@
```bash
curl -sk -o /dev/null -H "Host: huCKKYPfSgpWqvlEZXkR.hat-valley.htb" http://hat-valley.htb:80/ -w "%{size_download}"
``````bash
ffuf -u http://hat-valley.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.hat-valley.htb" -fs 132 -noninteractive -s | tee "/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_hat-valley.htb_vhosts_subdomains-top1million-110000.txt"
```
[/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_hat-valley.htb_vhosts_subdomains-top1million-110000.txt](file:///home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_hat-valley.htb_vhosts_subdomains-top1million-110000.txt):
```
store
```


@@ -0,0 +1,87 @@
```bash
whatweb --color=never --no-errors -a 3 -v http://hat-valley.htb:80 2>&1
```
[/home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_whatweb.txt](file:///home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_whatweb.txt):
```
WhatWeb report for http://hat-valley.htb/
Status : 200 OK
Title : Hat Valley
IP : 10.10.11.185
Country : RESERVED, ZZ
Summary : Bootstrap[4.1.0], HTML5, HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], JQuery[3.0.0], nginx[1.18.0], Script[text/javascript], X-Powered-By[Express], X-UA-Compatible[IE=edge]
Detected Plugins:
[ Bootstrap ]
Bootstrap is an open source toolkit for developing with
HTML, CSS, and JS.
Version : 4.1.0
Version : 4.1.0
Version : 4.1.0
Version : 4.1.0
Version : 4.1.0
Version : 4.1.0
Website : https://getbootstrap.com/
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : nginx/1.18.0 (Ubuntu) (from server string)
[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.
Version : 3.0.0
Website : http://jquery.com/
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
String : text/javascript
[ X-Powered-By ]
X-Powered-By HTTP header
String : Express (from x-powered-by string)
[ X-UA-Compatible ]
This plugin retrieves the X-UA-Compatible value from the
HTTP header and meta http-equiv tag. - More Info:
http://msdn.microsoft.com/en-us/library/cc817574.aspx
String : IE=edge
[ nginx ]
Nginx (Engine-X) is a free, open-source, high-performance
HTTP server and reverse proxy, as well as an IMAP/POP3
proxy server.
Version : 1.18.0
Website : http://nginx.net/
HTTP Headers:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 07 Feb 2023 22:45:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: Express
ETag: W/"b41-tn8t3x3qcvcm126OQ/i0AXwBj8M"
Content-Encoding: gzip
```


@@ -0,0 +1,3 @@
```bash
wkhtmltoimage --format png http://hat-valley.htb:80/ /home/kali/htb/awkward/results/hat-valley.htb/scans/tcp80/tcp_80_http_screenshot.png
```