old htb folders
2023-08-29 21:53:22 +02:00
parent 62ab804867
commit 82b0759f1e
21891 changed files with 6277643 additions and 0 deletions

3
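--- a/HTB/derailed/.idea/.gitignore
+++ b/HTB/derailed/.idea/.gitignore
@@ -0,0 +1,3 @@
+# Default ignored files
+/shelf/
+/workspace.xml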

8
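--- a/HTB/derailed/.idea/derailed.iml
+++ b/HTB/derailed/.idea/derailed.iml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="PYTHON_MODULE" version="4">
+<component name="NewModuleRootManager">
+<content url="file://$MODULE_DIR$" />
+<orderEntry type="inheritedJdk" />
+<orderEntry type="sourceFolder" forTests="false" />
+</component>
+</module>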


@@ -0,0 +1,6 @@
<component name="InspectionProjectProfileManager">
<settings>
<option name="USE_PROJECT_PROFILE" value="false" />
<version value="1.0" />
</settings>
</component>

4
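--- a/HTB/derailed/.idea/misc.xml
+++ b/HTB/derailed/.idea/misc.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+<component name="ProjectRootManager" version="2" project-jdk-name="Python 3.11" project-jdk-type="Python SDK" />
+</project>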

8
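--- a/HTB/derailed/.idea/modules.xml
+++ b/HTB/derailed/.idea/modules.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+<component name="ProjectModuleManager">
+<modules>
+<module fileurl="file://$PROJECT_DIR$/.idea/derailed.iml" filepath="$PROJECT_DIR$/.idea/derailed.iml" />
+</modules>
+</component>
+</project>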

6
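--- a/HTB/derailed/.idea/vcs.xml
+++ b/HTB/derailed/.idea/vcs.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+<component name="VcsDirectoryMappings">
+<mapping directory="$PROJECT_DIR$/.." vcs="Git" />
+</component>
+</project>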


@@ -0,0 +1,8 @@
[*] ssh found on tcp/22.
[*] http found on tcp/3000.


@@ -0,0 +1,29 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/htb/derailed/results/derailed.htb/scans/_quick_tcp_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/xml/_quick_tcp_nmap.xml" derailed.htb
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/htb/derailed/results/derailed.htb/scans/_full_tcp_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/xml/_full_tcp_nmap.xml" derailed.htb
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/htb/derailed/results/derailed.htb/scans/_top_100_udp_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/xml/_top_100_udp_nmap.xml" derailed.htb
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/simon/htb/derailed/results/derailed.htb/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml" derailed.htb
feroxbuster -u http://derailed.htb:3000/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_feroxbuster_dirbuster.txt"
curl -sSikf http://derailed.htb:3000/.well-known/security.txt
curl -sSikf http://derailed.htb:3000/robots.txt
curl -sSik http://derailed.htb:3000/
nmap -vv --reason -Pn -T4 -sV -p 3000 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/xml/tcp_3000_http_nmap.xml" derailed.htb
curl -sk -o /dev/null -H "Host: NkoFGoOnXcvbfluPanbk.derailed.htb" http://derailed.htb:3000/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://derailed.htb:3000 2>&1
wkhtmltoimage --format png http://derailed.htb:3000/ /home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_screenshot.png
ffuf -u http://derailed.htb:3000/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.derailed.htb" -fs 4774 -noninteractive -s | tee "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_derailed.htb_vhosts_subdomains-top1million-110000.txt"
```


@@ -0,0 +1,35 @@
```bash
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/simon/htb/derailed/results/derailed.htb/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://derailed.htb
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/simon/htb/derailed/results/derailed.htb/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h derailed.htb
[*] http on tcp/3000
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://derailed.htb:3000 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 3000 -o "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_auth_hydra.txt" http-get://derailed.htb/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 3000 -O "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_auth_medusa.txt" -M http -h derailed.htb -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 3000 -o "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_form_hydra.txt" http-post-form://derailed.htb/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 3000 -O "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_form_medusa.txt" -M web-form -h derailed.htb -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://derailed.htb:3000 2>&1 | tee "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://derailed.htb:3000/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_wpscan.txt"
```


@@ -0,0 +1,2 @@
Identified HTTP Server: nginx/1.18.0


@@ -0,0 +1,63 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/htb/derailed/results/derailed.htb/scans/_full_tcp_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/xml/_full_tcp_nmap.xml" derailed.htb
```
[/home/simon/htb/derailed/results/derailed.htb/scans/_full_tcp_nmap.txt](file:///home/simon/htb/derailed/results/derailed.htb/scans/_full_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Thu Feb 16 16:44:43 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/simon/htb/derailed/results/derailed.htb/scans/_full_tcp_nmap.txt -oX /home/simon/htb/derailed/results/derailed.htb/scans/xml/_full_tcp_nmap.xml derailed.htb
adjust_timeouts2: packet supposedly had rtt of -408552 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -408552 microseconds. Ignoring time.
Nmap scan report for derailed.htb (10.10.11.190)
Host is up, received user-set (0.033s latency).
Scanned at 2023-02-16 16:44:44 CET for 129s
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 1623b09ade0e3492cb2b18170ff27b1a (RSA)
| ssh-rsa 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
| 256 50445e886b3e4b5bf9341dede52d91df (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOcuzOG7Q6l3ZLFmocqRTs2dXqiG3ii2rshcQ6a10XAVba0QPP9+ipfc/NyLuCZRYFJzbTb0ibspjj7/+Bdlqc0=
| 256 0abd9223df44026f278da6abb4077837 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO78ti8QXn0bimoisaTT8uaxll+KTaGyXrQHpnBKuXoT
3000/tcp open http syn-ack ttl 63 nginx 1.18.0
|_http-title: derailed.htb
|_http-server-header: nginx/1.18.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 4.15 - 5.6 (92%), Linux 5.0 - 5.4 (91%), Linux 5.3 - 5.4 (91%), Linux 2.6.32 (91%), Linux 5.0 (90%), Linux 5.0 - 5.3 (90%), Linux 5.4 (90%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=2/16%OT=22%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=63EE4FED%P=x86_64-pc-linux-gnu)
SEQ(SP=103%GCD=1%ISR=10C%TI=Z%TS=A)
SEQ(SP=103%GCD=1%ISR=10C%TI=Z%II=I%TS=A)
OPS(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%O6=M54EST11)
WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 41.758 days (since Thu Jan 5 22:35:19 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 29.13 ms 10.10.16.1
2 29.31 ms derailed.htb (10.10.11.190)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 16 16:46:53 2023 -- 1 IP address (1 host up) scanned in 130.27 seconds
```
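Review bot: The `http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E` line reads like an unidentified icon, but that value is the MD5 of empty input, so the server returned a zero-byte body for `/favicon.ico` and favicon fingerprinting gives no signal for this host. The feroxbuster report in this commit agrees (`200 ... 0c` for `/favicon.ico`), while the page itself links `/assets/favicon.ico`, which is the non-empty icon. The same line appears in the quick TCP report. I would add one line under the fence in both files, for example `Note: favicon hash is the empty-body MD5; the real icon is served from /assets/favicon.ico`.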


@@ -0,0 +1,32 @@
```bash
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/htb/derailed/results/derailed.htb/scans/_top_100_udp_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/xml/_top_100_udp_nmap.xml" derailed.htb
```
[/home/simon/htb/derailed/results/derailed.htb/scans/_top_100_udp_nmap.txt](file:///home/simon/htb/derailed/results/derailed.htb/scans/_top_100_udp_nmap.txt):
```
# Nmap 7.93 scan initiated Thu Feb 16 16:44:43 2023 as: nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN /home/simon/htb/derailed/results/derailed.htb/scans/_top_100_udp_nmap.txt -oX /home/simon/htb/derailed/results/derailed.htb/scans/xml/_top_100_udp_nmap.xml derailed.htb
Nmap scan report for derailed.htb (10.10.11.190)
Host is up, received user-set (0.053s latency).
Scanned at 2023-02-16 16:44:44 CET for 1810s
All 100 scanned ports on derailed.htb (10.10.11.190) are in ignored states.
Not shown: 100 open|filtered udp ports (no-response)
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=2/16%OT=%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=63EE567E%P=x86_64-pc-linux-gnu)
SEQ(II=I)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Network Distance: 2 hops
TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 41.15 ms 10.10.16.1
2 60.48 ms derailed.htb (10.10.11.190)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 16 17:14:54 2023 -- 1 IP address (1 host up) scanned in 1812.15 seconds
```


@@ -0,0 +1,60 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/htb/derailed/results/derailed.htb/scans/_quick_tcp_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/xml/_quick_tcp_nmap.xml" derailed.htb
```
[/home/simon/htb/derailed/results/derailed.htb/scans/_quick_tcp_nmap.txt](file:///home/simon/htb/derailed/results/derailed.htb/scans/_quick_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Thu Feb 16 16:44:43 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/simon/htb/derailed/results/derailed.htb/scans/_quick_tcp_nmap.txt -oX /home/simon/htb/derailed/results/derailed.htb/scans/xml/_quick_tcp_nmap.xml derailed.htb
Nmap scan report for derailed.htb (10.10.11.190)
Host is up, received user-set (0.048s latency).
Scanned at 2023-02-16 16:44:44 CET for 26s
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 1623b09ade0e3492cb2b18170ff27b1a (RSA)
| ssh-rsa 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
| 256 50445e886b3e4b5bf9341dede52d91df (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOcuzOG7Q6l3ZLFmocqRTs2dXqiG3ii2rshcQ6a10XAVba0QPP9+ipfc/NyLuCZRYFJzbTb0ibspjj7/+Bdlqc0=
| 256 0abd9223df44026f278da6abb4077837 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO78ti8QXn0bimoisaTT8uaxll+KTaGyXrQHpnBKuXoT
3000/tcp open http syn-ack ttl 63 nginx 1.18.0
|_http-server-header: nginx/1.18.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-title: derailed.htb
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 4.15 - 5.6 (92%), Linux 5.0 - 5.4 (91%), Linux 5.3 - 5.4 (91%), Linux 2.6.32 (91%), Linux 5.0 (90%), Linux 5.0 - 5.3 (90%), Linux 5.4 (90%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=2/16%OT=22%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=63EE4F87%P=x86_64-pc-linux-gnu)
SEQ(SP=101%GCD=1%ISR=10C%TI=Z%II=I%TS=A)
OPS(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%O6=M54EST11)
WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 41.757 days (since Thu Jan 5 22:35:19 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 56.03 ms 10.10.16.1
2 56.06 ms derailed.htb (10.10.11.190)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 16 16:45:11 2023 -- 1 IP address (1 host up) scanned in 28.24 seconds
```


@@ -0,0 +1,70 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/simon/htb/derailed/results/derailed.htb/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml" derailed.htb
```
[/home/simon/htb/derailed/results/derailed.htb/scans/tcp22/tcp_22_ssh_nmap.txt](file:///home/simon/htb/derailed/results/derailed.htb/scans/tcp22/tcp_22_ssh_nmap.txt):
```
# Nmap 7.93 scan initiated Thu Feb 16 16:45:11 2023 as: nmap -vv --reason -Pn -T4 -sV -p 22 --script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/simon/htb/derailed/results/derailed.htb/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/simon/htb/derailed/results/derailed.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml derailed.htb
Nmap scan report for derailed.htb (10.10.11.190)
Host is up, received user-set (0.028s latency).
Scanned at 2023-02-16 16:45:12 CET for 1s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 1623b09ade0e3492cb2b18170ff27b1a (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDdUXlqsdBNnvsMMjPnLQq5YmKAP1g4DZjG7087OK4/TnwDXw64YCRBT8n93hLtaESx4Mlv5b9FgsMY1dK48Bik9YdTrJeA4dHh2gp2f0Hpi0PN+fnnRjFEdfflnYesJYg+Q5QdOJWV/jVE+n1MEvuXKvpzz2HaSqL4fK/uWTfd/078xrGDJLMHRWKBlRg8y22T1RTPArXIFShFHIVTARkWDqVazH+Hw91hcxJQLc8aJ/x/6jjNifqeH0Xv5FJq8Cf0DxVkYVSuliGMQUWTHO5xwN04C9CIdzKmFOsnK5HRzIFxdn80SLDPC2tioCuEL+HJbmAvy4qxVbIQzt9siteZG83Ty/OGZ8kvgY1mXAIwdyR3i4SIXhEMJ6s/pUXyw+ZqQtiwms4foPnZ8zCrAZTIxMA63lwVlFg9o7dtyj4p1dKeyAqDDRGoLAl+MUv7S3vhXhBj5AD8ve6T0Oy00Hw8wgS4aLExqAgPPW33aEytksturHibKOyaKzt+Rw7Ayuk=
| 256 50445e886b3e4b5bf9341dede52d91df (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOcuzOG7Q6l3ZLFmocqRTs2dXqiG3ii2rshcQ6a10XAVba0QPP9+ipfc/NyLuCZRYFJzbTb0ibspjj7/+Bdlqc0=
| 256 0abd9223df44026f278da6abb4077837 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO78ti8QXn0bimoisaTT8uaxll+KTaGyXrQHpnBKuXoT
| ssh2-enum-algos:
| kex_algorithms: (9)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| diffie-hellman-group14-sha256
| server_host_key_algorithms: (5)
| rsa-sha2-512
| rsa-sha2-256
| ssh-rsa
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (6)
| chacha20-poly1305@openssh.com
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| mac_algorithms: (10)
| umac-64-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-64@openssh.com
| umac-128@openssh.com
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms: (1)
|_ none
|_banner: SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 16 16:45:13 2023 -- 1 IP address (1 host up) scanned in 2.07 seconds
```
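Review bot: The report is committed as raw tool output with no findings summary, and the two hardening-relevant results are easy to miss in the long algorithm list. `ssh-auth-methods` shows `password` accepted alongside `publickey`, and the server still offers the SHA-1-based `ssh-rsa` host key signature plus the `hmac-sha1` and `hmac-sha1-etm@openssh.com` MACs. I would add a short line above the output fence, for example `Findings: password authentication enabled; SHA-1 host-key signature and MACs still offered`, so the file is usable without re-reading the scan.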


@@ -0,0 +1,20 @@
```bash
curl -sSikf http://derailed.htb:3000/robots.txt
```
[/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_curl-robots.txt](file:///home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_curl-robots.txt):
```
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Thu, 16 Feb 2023 15:45:11 GMT
Content-Type: text/plain
Content-Length: 99
Connection: keep-alive
Last-Modified: Wed, 25 May 2022 19:18:45 GMT
Expires: Thu, 16 Feb 2023 15:45:10 GMT
Cache-Control: no-cache
# See https://www.robotstxt.org/robotstxt.html for documentation on how to use the robots.txt file
```


@@ -0,0 +1,159 @@
```bash
curl -sSik http://derailed.htb:3000/
```
[/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_curl.html](file:///home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_curl.html):
```
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Thu, 16 Feb 2023 15:45:11 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Link: </packs/js/application-135b5cfa2df817d08f14.js>; rel=preload; as=script; nopush
Vary: Accept
ETag: W/"b91a8efb6a825d68e38d6699074408ae"
Cache-Control: no-cache
Set-Cookie: _simple_rails_session=VeYoCmGHghenr7wwQLcf%2BDrNgdM5%2BGsQ2gl5%2F4I3btsVC2BeWkmYQDiwN2UeS9mIsuUFx9bZyboVLrJ%2B%2BJgowTMU9QppzJaDqcIC%2FlUlfLLDQ7lDx2CUj1RWEQvmqVQ4j7oLknpuUTBQyHZHI8uTfQA7wYBOlgfgvn6LYdXpvVkx03gI%2FtDpcgRuBkxvw3h9ndQ7MBA8OXp9iNwUiiCiGi%2FOb%2FWlaKZqjokfuTGw2qIKk0vbZAA6Q4ltvI8eaGhbKwCITJo4jXeiM8LxUtJGSQU6Mpw1hpcY21ULB%2Bs%3D--FFPX%2FtBnxMH8Fo52--emykyQaq2bu%2BZnwDa8c95g%3D%3D; path=/; HttpOnly; SameSite=Lax
X-Request-Id: 61fbfc99-63b4-484e-8fd3-afa3eaef39f8
X-Runtime: 0.020045
Expires: Thu, 16 Feb 2023 15:45:10 GMT
<!DOCTYPE html>
<html>
<head>
<title>derailed.htb</title>
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/>
<meta name="csrf-param" content="authenticity_token" />
<meta name="csrf-token" content="z-Eg9OBMxBOJWX_qhFXu6ZMNJGg8gqxLwrBzYc_woqNdutrMr8d4B3lCt3k2-BKh7WnC-2RS5UkccnXbyumWZg" />
<!-- Warning !! ensure that "stylesheet_pack_tag" is used, line below -->
<script src="/packs/js/application-135b5cfa2df817d08f14.js" data-turbolinks-track="reload"></script>
<link href="/js/vs/editor/editor.main.css" rel="stylesheet"/>
<!-- Favicon-->
<link rel="icon" type="image/x-icon" href="/assets/favicon.ico"/>
<!-- Font Awesome icons (free version)-->
<script src="https://use.fontawesome.com/releases/v6.1.0/js/all.js" crossorigin="anonymous"></script>
<!-- Google fonts-->
<link href="https://fonts.googleapis.com/css?family=Montserrat:400,700" rel="stylesheet" type="text/css"/>
<link href="https://fonts.googleapis.com/css?family=Lato:400,700,400italic,700italic" rel="stylesheet" type="text/css"/>
<!-- Core theme CSS (includes Bootstrap)-->
<link href="/css/styles.css" rel="stylesheet"/>
</head>
<body id="page-top">
<!-- Navigation-->
<nav class="navbar navbar-expand-lg bg-secondary text-uppercase fixed-top" id="mainNav">
<div class="container">
<a class="navbar-brand" href="/">CLIPNOTES</a>
<button class="navbar-toggler text-uppercase font-weight-bold bg-primary text-white rounded" type="button" data-bs-toggle="collapse" data-bs-target="#navbarResponsive" aria-controls="navbarResponsive" aria-expanded="false" aria-label="Toggle navigation">
Menu
<i class="fas fa-bars"></i>
</button>
<div class="collapse navbar-collapse" id="navbarResponsive">
<ul class="navbar-nav ms-auto">
<li class="nav-item mx-0 mx-lg-1">
<a class="nav-link py-3 px-0 px-lg-3 rounded" href="/login">Login</a>
</li>
<li class="nav-item mx-0 mx-lg-1">
<a class="nav-link py-3 px-0 px-lg-3 rounded" href="/register">Sign Up</a>
</li>
</ul>
</div>
</div>
</nav>
<header class="masthead bg-primary text-white text-center">
<div class="container">
<form action="/create" accept-charset="UTF-8" method="post"><input type="hidden" name="authenticity_token" value="-alilGD1Y-OjXpjBgQ9Xf1QesExsR0441HGTWFfBEKlC55TEUOoSglwJnPNLw5j-kR6GkzJOVcBTFElq4YcItA" autocomplete="off" />
<div class="form-group">
<h2 class="page-section-heading text-center text-uppercase text-white">New Clipnote</h2>
<textarea rows="12" class="form-control" name="note[content]" id="note_content">
</textarea>
</div>
<div class="text-center mt-4">
<button name="button" type="submit" class="btn btn-xl btn-outline-light">
<i class="fas fa-plus me-2"></i>
Create New Clipnote
</button>
</div>
</form>
</div>
</header>
<!-- Footer-->
<footer class="footer text-center">
<div class="container">
<div class="row">
<!-- Footer Location-->
<div class="col-lg-4 mb-5 mb-lg-0">
<h4 class="text-uppercase mb-4">Location</h4>
<p class="lead mb-0">
2215 John Daniel Drive
<br/>
Clark, MO 65243
</p>
</div>
<!-- Footer Social Icons-->
<div class="col-lg-4 mb-5 mb-lg-0">
<h4 class="text-uppercase mb-4"><a href="http://derailed.htb">derailed.htb</a></h4>
<a class="btn btn-outline-light btn-social mx-1" href="#!"><i class="fab fa-fw fa-facebook-f"></i></a>
<a class="btn btn-outline-light btn-social mx-1" href="#!"><i class="fab fa-fw fa-twitter"></i></a>
<a class="btn btn-outline-light btn-social mx-1" href="#!"><i class="fab fa-fw fa-linkedin-in"></i></a>
<a class="btn btn-outline-light btn-social mx-1" href="#!"><i class="fab fa-fw fa-dribbble"></i></a>
</div>
<!-- Footer About Text-->
<div class="col-lg-4">
<h4 class="text-uppercase mb-4">About derailed.htb</h4>
<p class="lead mb-0">
derailed.htb is a free to use service, which allows users to create notes within a few seconds.
</p>
</div>
</div>
</div>
</footer>
<!-- Copyright Section-->
<div class="copyright py-4 text-center text-white">
<div class="container"><small>Copyright &copy; derailed.htb 2022</small></div>
</div>
<!-- Bootstrap core JS-->
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js"></script>
<script src="/js/scripts.js"></script>
<script src="https://cdn.startbootstrap.com/sb-forms-latest.js"></script>
</body>
</html>
```
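Review bot: The captured response commits session material verbatim: the full `_simple_rails_session` value in the `Set-Cookie` header, the `csrf-token` meta content and the form's `authenticity_token`. On a lab host these are probably short-lived, but raw captures should be redacted before they enter version control, for example `Set-Cookie: _simple_rails_session=<redacted>; path=/; HttpOnly; SameSite=Lax` and `content="<redacted>"` for the tokens. Separately, the header block shows no `Content-Security-Policy`, and the page loads three third-party scripts without `integrity` attributes, one of them unpinned (`sb-forms-latest.js`). Those are worth recording as findings in a line above the fence rather than leaving them implicit in the dump.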


@@ -0,0 +1,49 @@
```bash
feroxbuster -u http://derailed.htb:3000/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_feroxbuster_dirbuster.txt"
```
[/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_feroxbuster_dirbuster.txt](file:///home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_feroxbuster_dirbuster.txt):
```
200 GET 153l 397w 0c http://derailed.htb:3000/register
200 GET 8l 29w 23462c http://derailed.htb:3000/assets/favicon.ico
200 GET 6l 1408w 77302c http://derailed.htb:3000/js/vs/editor/editor.main.css
200 GET 54l 134w 1648c http://derailed.htb:3000/js/scripts.js
200 GET 11509l 21777w 211255c http://derailed.htb:3000/css/styles.css
200 GET 7219l 79688w 1008873c http://derailed.htb:3000/packs/js/application-135b5cfa2df817d08f14.js
200 GET 144l 381w 0c http://derailed.htb:3000/login
200 GET 128l 341w 0c http://derailed.htb:3000/
200 GET 67l 181w 1722c http://derailed.htb:3000/404
200 GET 66l 165w 1635c http://derailed.htb:3000/500
200 GET 67l 181w 1722c http://derailed.htb:3000/404.html
200 GET 66l 165w 1635c http://derailed.htb:3000/500.html
302 GET 1l 5w 0c http://derailed.htb:3000/administration => http://derailed.htb:3000/login
302 GET 1l 5w 0c http://derailed.htb:3000/administration.txt => http://derailed.htb:3000/login
302 GET 1l 5w 0c http://derailed.htb:3000/administration.html => http://derailed.htb:3000/login
302 GET 1l 5w 0c http://derailed.htb:3000/administration.php => http://derailed.htb:3000/login
302 GET 1l 5w 0c http://derailed.htb:3000/administration.asp => http://derailed.htb:3000/login
302 GET 1l 5w 0c http://derailed.htb:3000/administration.aspx => http://derailed.htb:3000/login
302 GET 1l 5w 0c http://derailed.htb:3000/administration.jsp => http://derailed.htb:3000/login
200 GET 0l 0w 0c http://derailed.htb:3000/favicon.ico
200 GET 144l 381w 0c http://derailed.htb:3000/login.html
200 GET 144l 381w 0c http://derailed.htb:3000/login.php
200 GET 144l 381w 0c http://derailed.htb:3000/login.asp
200 GET 144l 381w 0c http://derailed.htb:3000/login.aspx
200 GET 144l 381w 0c http://derailed.htb:3000/login.jsp
302 GET 1l 5w 0c http://derailed.htb:3000/logout => http://derailed.htb:3000/
302 GET 1l 5w 0c http://derailed.htb:3000/logout.txt => http://derailed.htb:3000/
302 GET 1l 5w 0c http://derailed.htb:3000/logout.html => http://derailed.htb:3000/
302 GET 1l 5w 0c http://derailed.htb:3000/logout.php => http://derailed.htb:3000/
302 GET 1l 5w 0c http://derailed.htb:3000/logout.asp => http://derailed.htb:3000/
302 GET 1l 5w 0c http://derailed.htb:3000/logout.aspx => http://derailed.htb:3000/
302 GET 1l 5w 0c http://derailed.htb:3000/logout.jsp => http://derailed.htb:3000/
200 GET 153l 397w 0c http://derailed.htb:3000/register.html
200 GET 153l 397w 0c http://derailed.htb:3000/register.php
200 GET 153l 397w 0c http://derailed.htb:3000/register.asp
200 GET 153l 397w 0c http://derailed.htb:3000/register.aspx
200 GET 153l 397w 0c http://derailed.htb:3000/register.jsp
200 GET 1l 12w 99c http://derailed.htb:3000/robots.txt
200 GET 67l 176w 1705c http://derailed.htb:3000/422
200 GET 67l 176w 1705c http://derailed.htb:3000/422.html
```
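Review bot: Most rows in this listing are one route counted several times, which overstates what was discovered. `/login`, `/login.html`, `/login.php`, `/login.asp`, `/login.aspx` and `/login.jsp` all return the same 144l/381w response, and `/register*`, `/logout*` and `/administration*` behave the same way, so the application appears to ignore the appended extension rather than serve separate files. The distinct results are `/login`, `/register`, `/logout`, `/administration` (302 to `/login`, so it sits behind authentication), `/robots.txt`, the static assets and the 404/422/500 pages. I would add a de-duplicated summary line above the fence and note that the `-x "txt,html,php,asp,aspx,jsp"` extension list only adds noise for this target.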


@@ -0,0 +1,3 @@
```bash
curl -sSikf http://derailed.htb:3000/.well-known/security.txt
```


@@ -0,0 +1,348 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 3000 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/xml/tcp_3000_http_nmap.xml" derailed.htb
```
[/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_nmap.txt](file:///home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_nmap.txt):
```
# Nmap 7.93 scan initiated Thu Feb 16 16:45:11 2023 as: nmap -vv --reason -Pn -T4 -sV -p 3000 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_nmap.txt -oX /home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/xml/tcp_3000_http_nmap.xml derailed.htb
Nmap scan report for derailed.htb (10.10.11.190)
Host is up, received user-set (0.025s latency).
Scanned at 2023-02-16 16:45:14 CET for 516s
PORT STATE SERVICE REASON VERSION
3000/tcp open http syn-ack ttl 63 nginx 1.18.0
| http-errors:
| Spidering limited to: maxpagecount=40; withinhost=derailed.htb
| Found the following error pages:
|
| Error Code: 404
|_ http://derailed.htb:3000/create
| http-referer-checker:
| Spidering limited to: maxpagecount=30
| https://cdn.jsdelivr.net:443/npm/bootstrap15.1.3/dist/js/bootstrap.bundle.min.js
| https://cdn.startbootstrap.com:443/sb-forms-0.4.1.js
|_ https://use.fontawesome.com:443/releases/v6.1.0/js/all.js
| http-enum:
| /login.stm: Belkin G Wireless Router
| /login.php: Possible admin folder
| /login.html: Possible admin folder
| /login.cfm: Possible admin folder
| /login.asp: Possible admin folder
| /login.aspx: Possible admin folder
| /login.jsp: Possible admin folder
| /login/: Login page
| /login.htm: Login page
| /login.jsp: Login page
| /robots.txt: Robots file
|_ /register/: Potentially interesting folder
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-feed: Couldn't find any feeds.
|_http-malware-host: Host appears to be clean
|_http-chrono: Request times for /; avg: 580.84ms; min: 480.16ms; max: 721.99ms
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-internal-ip-disclosure: ERROR: Script execution failed (use -d to debug)
|_http-title: derailed.htb
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-sitemap-generator:
| Directory structure:
| /
| Other: 3
| /assets/
| ico: 1
| /css/
| css: 1
| /js/
| js: 1
| /js/vs/editor/
| css: 1
| Longest directory structure:
| Depth: 3
| Dir: /js/vs/editor/
| Total files found (by extension):
|_ Other: 3; css: 2; ico: 1; js: 1
| http-vhosts:
|_128 names had status 200
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-devframework: RoR detected. Found properties file on /rails/info/properties/
| http-auth-finder:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=derailed.htb
| url method
| http://derailed.htb:3000/register FORM
|_ http://derailed.htb:3000/login FORM
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
|_http-mobileversion-checker: No mobile version detected.
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-server-header: nginx/1.18.0
| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=derailed.htb
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 7717
| Comment:
| /* rtl:end:remove */
|
| Path: http://derailed.htb:3000/register
| Line number: 63
| Comment:
| <!-- Contact Section Heading-->
|
| Path: http://derailed.htb:3000/js/scripts.js
| Line number: 29
| Comment:
| // Shrink the navbar when page is scrolled
|
| Path: http://derailed.htb:3000/js/scripts.js
| Line number: 6
| Comment:
|
| //
|
| Path: http://derailed.htb:3000/register
| Line number: 20
| Comment:
| <!-- Font Awesome icons (free version)-->
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 4792
| Comment:
| /* rtl: var(--bs-breadcrumb-divider, "/") */
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 257
| Comment:
| /* rtl:ignore */
|
| Path: http://derailed.htb:3000/register
| Line number: 116
| Comment:
| <!-- Footer Location-->
|
| Path: http://derailed.htb:3000/register
| Line number: 18
| Comment:
| <!-- Favicon-->
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 6118
| Comment:
| /* rtl:options: {
| "autoRename": true,
| "stringMap":[ {
| "name" : "prev-next",
| "search" : "prev",
| "replace" : "next"
| } ]
| } */
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 7
| Comment:
| /*!
| * Bootstrap v5.1.3 (https://getbootstrap.com/)
| * Copyright 2011-2021 The Bootstrap Authors
| * Copyright 2011-2021 Twitter, Inc.
| * Licensed under MIT (https://github.com/twbs/bootstrap/blob/main/LICENSE)
| */
|
| Path: http://derailed.htb:3000/register
| Line number: 148
| Comment:
| <!-- Bootstrap core JS-->
|
| Path: http://derailed.htb:3000/register
| Line number: 71
| Comment:
| <!-- Contact Section Form-->
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 6042
| Comment:
| /* rtl:end:ignore */
|
| Path: http://derailed.htb:3000/register
| Line number: 25
| Comment:
| <!-- Core theme CSS (includes Bootstrap)-->
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 2
| Comment:
| /*!
| * Start Bootstrap - Freelancer v7.0.6 (https://startbootstrap.com/theme/freelancer)
| * Copyright 2013-2022 Start Bootstrap
| * Licensed under MIT (https://github.com/StartBootstrap/startbootstrap-freelancer/blob/master/LICENSE)
| */
|
| Path: http://derailed.htb:3000/js/scripts.js
| Line number: 32
| Comment:
| // Activate Bootstrap scrollspy on the main nav element
|
| Path: http://derailed.htb:3000/register
| Line number: 22
| Comment:
| <!-- Google fonts-->
|
| Path: http://derailed.htb:3000/js/scripts.js
| Line number: 8
| Comment:
|
| //
|
| Path: http://derailed.htb:3000/js/scripts.js
| Line number: 41
| Comment:
| // Collapse responsive navbar when toggler is visible
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 7711
| Comment:
| /* rtl:begin:remove */
|
| Path: http://derailed.htb:3000/register
| Line number: 112
| Comment:
| <!-- Footer-->
|
| Path: http://derailed.htb:3000/js/vs/editor/editor.main.css
| Line number: 1
| Comment:
| /*!-----------------------------------------------------------
| * Copyright (c) Microsoft Corporation. All rights reserved.
| * Version: 0.33.0(c722ca6c7eed3d7987c0d5c3df5c45f6b15e77d1)
| * Released under the MIT license
| * https://github.com/microsoft/vscode/blob/main/LICENSE.txt
| *-----------------------------------------------------------*/
|
| Path: http://derailed.htb:3000/register
| Line number: 29
| Comment:
| <!-- Navigation-->
|
| Path: http://derailed.htb:3000/register
| Line number: 125
| Comment:
| <!-- Footer Social Icons-->
|
| Path: http://derailed.htb:3000/register
| Line number: 143
| Comment:
| <!-- Copyright Section-->
|
| Path: http://derailed.htb:3000/js/scripts.js
| Line number: 26
| Comment:
| // Shrink the navbar
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 6031
| Comment:
| /* rtl:begin:ignore */
|
| Path: http://derailed.htb:3000/register
| Line number: 13
| Comment:
| <!-- Warning !! ensure that "stylesheet_pack_tag" is used, line below -->
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 441
| Comment:
| /* rtl:raw:
| [type="tel"],
| [type="url"],
| [type="email"],
| [type="number"] {
| direction: ltr;
| }
| */
|
| Path: http://derailed.htb:3000/register
| Line number: 133
| Comment:
| <!-- Footer About Text-->
|
| Path: http://derailed.htb:3000/js/scripts.js
| Line number: 12
| Comment:
| // Navbar shrink function
|
| Path: http://derailed.htb:3000/register
| Line number: 65
| Comment:
|_ <!-- Icon Divider-->
| http-security-headers:
| X_Frame_Options:
| Header: X-Frame-Options: SAMEORIGIN
| Description: The browser must not display this content in any frame from a page of different origin than the content itself.
| X_XSS_Protection:
| Header: X-XSS-Protection: 1; mode=block
| Description: The browser will prevent the rendering of the page when XSS is detected.
| X_Content_Type_Options:
| Header: X-Content-Type-Options: nosniff
| Description: Will prevent the browser from MIME-sniffing a response away from the declared content-type.
| X_Permitted_Cross_Domain_Policies:
| Header: X-Permitted-Cross-Domain-Policies: none
| Description: No policy files are allowed anywhere on the target server, including this master policy file.
| Cache_Control:
| Header: Cache-Control: no-cache
| Expires:
|_ Header: Expires: Thu, 16 Feb 2023 15:45:33 GMT
| http-useragent-tester:
| Status for browser useragent: 200
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-date: Thu, 16 Feb 2023 15:45:26 GMT; -1s from local time.
| http-waf-detect: IDS/IPS/WAF detected:
|_derailed.htb:3000/?p4yl04d3=<script>alert(document.cookie)</script>
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
| http-headers:
| Server: nginx/1.18.0
| Date: Thu, 16 Feb 2023 15:45:28 GMT
| Content-Type: text/html; charset=utf-8
| Connection: close
| X-Frame-Options: SAMEORIGIN
| X-XSS-Protection: 1; mode=block
| X-Content-Type-Options: nosniff
| X-Download-Options: noopen
| X-Permitted-Cross-Domain-Policies: none
| Referrer-Policy: strict-origin-when-cross-origin
| Link: </packs/js/application-135b5cfa2df817d08f14.js>; rel=preload; as=script; nopush
| ETag: W/"6522e3db327e482cccc280f692e86223"
| Cache-Control: no-cache
| Set-Cookie: _simple_rails_session=tDEdGZWSZGtkgu2XC5L73pxfqWqr2qeigxOB%2FdvvzAJvk2Ml%2Bcv6SQiEAql4e10Q6Zqf8eNjwl8aVzYdzFk01%2BDD8q7MTzI9IvKNKOX4eH2OjAGtigHRYTuU%2FtBalnWdPGp7GTlhpao9vV93qZQKfxEnLRhblJvP%2BcdcvuDFdIaKjnuyCyUE5b5M%2FO%2B5R8yv57IJmT7shL%2B83e2n2awfNFV9aCFmp90T25y0J8JVEmhkew1treuNsCpjnwUqaIzMyQCo%2BuzHOGDtZJfOszvkAA7tJgnDI3eA9%2Fj2w5Y%3D--cauerDqmrGarteSZ--T%2B%2FFM%2Bp55gejSi%2F7zEKoQw%3D%3D; path=/; HttpOnly; SameSite=Lax
| X-Request-Id: bd64859a-760b-4731-bca1-a5ab5ac3e25d
| X-Runtime: 0.080271
| Expires: Thu, 16 Feb 2023 15:45:27 GMT
|
|_ (Request type: HEAD)
| http-php-version: Logo query returned unknown hash 3f4c876cfd945d09e6f8361405950437
|_Credits query returned unknown hash 2c8e1b7fab02fb0e5a929337403ba4ef
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 16 16:53:50 2023 -- 1 IP address (1 host up) scanned in 519.37 seconds
```
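Review bot: The `Set-Cookie` line in the `http-headers` output commits a full `_simple_rails_session` value verbatim, and the whatweb report later in this commit does the same in its `HTTP Headers` block. It is probably an anonymous pre-login session from a lab host, but raw scan logs are where authenticated tokens leak once the same tooling is pointed at a logged-in request, so redact before committing, e.g. `Set-Cookie: _simple_rails_session=<redacted>; path=/; HttpOnly; SameSite=Lax`. The cookie is also issued without the `Secure` attribute over plain HTTP on port 3000, which is worth recording as a finding in the notes instead of leaving it buried in raw output.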


@@ -0,0 +1,11 @@
```bash
curl -sk -o /dev/null -H "Host: NkoFGoOnXcvbfluPanbk.derailed.htb" http://derailed.htb:3000/ -w "%{size_download}"
``````bash
ffuf -u http://derailed.htb:3000/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.derailed.htb" -fs 4774 -noninteractive -s | tee "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_derailed.htb_vhosts_subdomains-top1million-110000.txt"
```
[/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_derailed.htb_vhosts_subdomains-top1million-110000.txt](file:///home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_derailed.htb_vhosts_subdomains-top1million-110000.txt):
```
```
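Review bot: The line between the curl and ffuf commands fuses the closing fence of the first block with the `bash`-tagged opening fence of the second, so a Markdown renderer will not end the first block there; the two fences belong on separate lines with a blank line between them (assuming the fusion is in the committed file and not an artefact of this view). The empty result block also deserves a one-line comment. ffuf ran with `-fs 4774`, presumably the body size measured by the preceding curl, so an empty file means no Host value returned a differently sized page. That fits the nmap `http-vhosts` line `128 names had status 200`, which then looks like the server answering every Host header identically, not 128 real virtual hosts.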


@@ -0,0 +1,109 @@
```bash
whatweb --color=never --no-errors -a 3 -v http://derailed.htb:3000 2>&1
```
[/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_whatweb.txt](file:///home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_whatweb.txt):
```
WhatWeb report for http://derailed.htb:3000
Status : 200 OK
Title : derailed.htb
IP : 10.10.11.190
Country : RESERVED, ZZ
Summary : Bootstrap, Cookies[_simple_rails_session], HTML5, HTTPServer[nginx/1.18.0], HttpOnly[_simple_rails_session], nginx[1.18.0], Script, UncommonHeaders[x-content-type-options,x-download-options,x-permitted-cross-domain-policies,referrer-policy,link,x-request-id], X-Frame-Options[SAMEORIGIN], X-XSS-Protection[1; mode=block]
Detected Plugins:
[ Bootstrap ]
Bootstrap is an open source toolkit for developing with
HTML, CSS, and JS.
Website : https://getbootstrap.com/
[ Cookies ]
Display the names of cookies in the HTTP headers. The
values are not returned to save on space.
String : _simple_rails_session
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : nginx/1.18.0 (from server string)
[ HttpOnly ]
If the HttpOnly flag is included in the HTTP set-cookie
response header and the browser supports it then the cookie
cannot be accessed through client side script - More Info:
http://en.wikipedia.org/wiki/HTTP_cookie
String : _simple_rails_session
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
[ UncommonHeaders ]
Uncommon HTTP server headers. The blacklist includes all
the standard headers and many non standard but common ones.
Interesting but fairly common headers should have their own
plugins, eg. x-powered-by, server and x-aspnet-version.
Info about headers can be found at www.http-stats.com
String : x-content-type-options,x-download-options,x-permitted-cross-domain-policies,referrer-policy,link,x-request-id (from headers)
[ X-Frame-Options ]
This plugin retrieves the X-Frame-Options value from the
HTTP header. - More Info:
http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
aspx
String : SAMEORIGIN
[ X-XSS-Protection ]
This plugin retrieves the X-XSS-Protection value from the
HTTP header. - More Info:
http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
aspx
String : 1; mode=block
[ nginx ]
Nginx (Engine-X) is a free, open-source, high-performance
HTTP server and reverse proxy, as well as an IMAP/POP3
proxy server.
Version : 1.18.0
Website : http://nginx.net/
HTTP Headers:
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Thu, 16 Feb 2023 15:45:26 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Link: </packs/js/application-135b5cfa2df817d08f14.js>; rel=preload; as=script; nopush
Vary: Accept
ETag: W/"a8b4d805b5090dd0b87e4821d2df7ca2"
Cache-Control: no-cache
Set-Cookie: _simple_rails_session=ooOfNpkyasLDwPiGVBqcrsfpqvfn50Pzf5IOqMAZ4zvaaOD8nCfa2gZ3JEAatSg4sVB%2B%2Fh7eq%2FkvjmIi8FJ%2FX64W1fP2%2BFurosNX64n15W6Wsif%2FYyitQXvbOf455kZaGXDOwkfpWt%2BFFgsNxJuufcOgUmJQpA1CE%2Fp2ydvBS6xppKfA2ZVbk%2F9lYgt4D0lVQhxERvN4N3gob8HoV%2BqVnVVHDdAkvA1%2F7co%2Bjpmh2E0owj2yvPG38wNjvUeRREyr21onFQ64Tp%2FygnM0fp2w3YoByHIPcsI%2Baie8Jqg%3D--l9hl7fBfRLBW%2Fgf0--Y%2BJUAftY8y15nt45Jhn95Q%3D%3D; path=/; HttpOnly; SameSite=Lax
X-Request-Id: d5c74b03-6bb3-4325-9fac-e115d437c25f
X-Runtime: 0.035284
Expires: Thu, 16 Feb 2023 15:45:25 GMT
```


@@ -0,0 +1,3 @@
```bash
wkhtmltoimage --format png http://derailed.htb:3000/ /home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_screenshot.png
```


@@ -0,0 +1,26 @@
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/htb/derailed/results/derailed.htb/scans/_quick_tcp_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/xml/_quick_tcp_nmap.xml" derailed.htb
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/htb/derailed/results/derailed.htb/scans/_full_tcp_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/xml/_full_tcp_nmap.xml" derailed.htb
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/htb/derailed/results/derailed.htb/scans/_top_100_udp_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/xml/_top_100_udp_nmap.xml" derailed.htb
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/simon/htb/derailed/results/derailed.htb/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml" derailed.htb
feroxbuster -u http://derailed.htb:3000/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_feroxbuster_dirbuster.txt"
curl -sSikf http://derailed.htb:3000/.well-known/security.txt
curl -sSikf http://derailed.htb:3000/robots.txt
curl -sSik http://derailed.htb:3000/
nmap -vv --reason -Pn -T4 -sV -p 3000 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_nmap.txt" -oX "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/xml/tcp_3000_http_nmap.xml" derailed.htb
curl -sk -o /dev/null -H "Host: NkoFGoOnXcvbfluPanbk.derailed.htb" http://derailed.htb:3000/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://derailed.htb:3000 2>&1
wkhtmltoimage --format png http://derailed.htb:3000/ /home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_screenshot.png
ffuf -u http://derailed.htb:3000/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.derailed.htb" -fs 4774 -noninteractive -s | tee "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_derailed.htb_vhosts_subdomains-top1million-110000.txt"


@@ -0,0 +1,54 @@
# Nmap 7.93 scan initiated Thu Feb 16 16:44:43 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/simon/htb/derailed/results/derailed.htb/scans/_full_tcp_nmap.txt -oX /home/simon/htb/derailed/results/derailed.htb/scans/xml/_full_tcp_nmap.xml derailed.htb
adjust_timeouts2: packet supposedly had rtt of -408552 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -408552 microseconds. Ignoring time.
Nmap scan report for derailed.htb (10.10.11.190)
Host is up, received user-set (0.033s latency).
Scanned at 2023-02-16 16:44:44 CET for 129s
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 1623b09ade0e3492cb2b18170ff27b1a (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDdUXlqsdBNnvsMMjPnLQq5YmKAP1g4DZjG7087OK4/TnwDXw64YCRBT8n93hLtaESx4Mlv5b9FgsMY1dK48Bik9YdTrJeA4dHh2gp2f0Hpi0PN+fnnRjFEdfflnYesJYg+Q5QdOJWV/jVE+n1MEvuXKvpzz2HaSqL4fK/uWTfd/078xrGDJLMHRWKBlRg8y22T1RTPArXIFShFHIVTARkWDqVazH+Hw91hcxJQLc8aJ/x/6jjNifqeH0Xv5FJq8Cf0DxVkYVSuliGMQUWTHO5xwN04C9CIdzKmFOsnK5HRzIFxdn80SLDPC2tioCuEL+HJbmAvy4qxVbIQzt9siteZG83Ty/OGZ8kvgY1mXAIwdyR3i4SIXhEMJ6s/pUXyw+ZqQtiwms4foPnZ8zCrAZTIxMA63lwVlFg9o7dtyj4p1dKeyAqDDRGoLAl+MUv7S3vhXhBj5AD8ve6T0Oy00Hw8wgS4aLExqAgPPW33aEytksturHibKOyaKzt+Rw7Ayuk=
| 256 50445e886b3e4b5bf9341dede52d91df (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOcuzOG7Q6l3ZLFmocqRTs2dXqiG3ii2rshcQ6a10XAVba0QPP9+ipfc/NyLuCZRYFJzbTb0ibspjj7/+Bdlqc0=
| 256 0abd9223df44026f278da6abb4077837 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO78ti8QXn0bimoisaTT8uaxll+KTaGyXrQHpnBKuXoT
3000/tcp open http syn-ack ttl 63 nginx 1.18.0
|_http-title: derailed.htb
|_http-server-header: nginx/1.18.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 4.15 - 5.6 (92%), Linux 5.0 - 5.4 (91%), Linux 5.3 - 5.4 (91%), Linux 2.6.32 (91%), Linux 5.0 (90%), Linux 5.0 - 5.3 (90%), Linux 5.4 (90%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=2/16%OT=22%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=63EE4FED%P=x86_64-pc-linux-gnu)
SEQ(SP=103%GCD=1%ISR=10C%TI=Z%TS=A)
SEQ(SP=103%GCD=1%ISR=10C%TI=Z%II=I%TS=A)
OPS(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%O6=M54EST11)
WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 41.758 days (since Thu Jan 5 22:35:19 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 29.13 ms 10.10.16.1
2 29.31 ms derailed.htb (10.10.11.190)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 16 16:46:53 2023 -- 1 IP address (1 host up) scanned in 130.27 seconds


@@ -0,0 +1,32 @@
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/simon/htb/derailed/results/derailed.htb/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://derailed.htb
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/simon/htb/derailed/results/derailed.htb/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h derailed.htb
[*] http on tcp/3000
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://derailed.htb:3000 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 3000 -o "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_auth_hydra.txt" http-get://derailed.htb/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 3000 -O "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_auth_medusa.txt" -M http -h derailed.htb -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 3000 -o "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_form_hydra.txt" http-post-form://derailed.htb/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 3000 -O "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_form_medusa.txt" -M web-form -h derailed.htb -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://derailed.htb:3000 2>&1 | tee "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://derailed.htb:3000/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_wpscan.txt"


@@ -0,0 +1,2 @@
Identified HTTP Server: nginx/1.18.0


@@ -0,0 +1,51 @@
# Nmap 7.93 scan initiated Thu Feb 16 16:44:43 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/simon/htb/derailed/results/derailed.htb/scans/_quick_tcp_nmap.txt -oX /home/simon/htb/derailed/results/derailed.htb/scans/xml/_quick_tcp_nmap.xml derailed.htb
Nmap scan report for derailed.htb (10.10.11.190)
Host is up, received user-set (0.048s latency).
Scanned at 2023-02-16 16:44:44 CET for 26s
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 1623b09ade0e3492cb2b18170ff27b1a (RSA)
| ssh-rsa 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
| 256 50445e886b3e4b5bf9341dede52d91df (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOcuzOG7Q6l3ZLFmocqRTs2dXqiG3ii2rshcQ6a10XAVba0QPP9+ipfc/NyLuCZRYFJzbTb0ibspjj7/+Bdlqc0=
| 256 0abd9223df44026f278da6abb4077837 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO78ti8QXn0bimoisaTT8uaxll+KTaGyXrQHpnBKuXoT
3000/tcp open http syn-ack ttl 63 nginx 1.18.0
|_http-server-header: nginx/1.18.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-title: derailed.htb
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 4.15 - 5.6 (92%), Linux 5.0 - 5.4 (91%), Linux 5.3 - 5.4 (91%), Linux 2.6.32 (91%), Linux 5.0 (90%), Linux 5.0 - 5.3 (90%), Linux 5.4 (90%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=2/16%OT=22%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=63EE4F87%P=x86_64-pc-linux-gnu)
SEQ(SP=101%GCD=1%ISR=10C%TI=Z%II=I%TS=A)
OPS(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%O6=M54EST11)
WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 41.757 days (since Thu Jan 5 22:35:19 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 56.03 ms 10.10.16.1
2 56.06 ms derailed.htb (10.10.11.190)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 16 16:45:11 2023 -- 1 IP address (1 host up) scanned in 28.24 seconds


@@ -0,0 +1,23 @@
# Nmap 7.93 scan initiated Thu Feb 16 16:44:43 2023 as: nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN /home/simon/htb/derailed/results/derailed.htb/scans/_top_100_udp_nmap.txt -oX /home/simon/htb/derailed/results/derailed.htb/scans/xml/_top_100_udp_nmap.xml derailed.htb
Nmap scan report for derailed.htb (10.10.11.190)
Host is up, received user-set (0.053s latency).
Scanned at 2023-02-16 16:44:44 CET for 1810s
All 100 scanned ports on derailed.htb (10.10.11.190) are in ignored states.
Not shown: 100 open|filtered udp ports (no-response)
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=2/16%OT=%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=63EE567E%P=x86_64-pc-linux-gnu)
SEQ(II=I)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Network Distance: 2 hops
TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 41.15 ms 10.10.16.1
2 60.48 ms derailed.htb (10.10.11.190)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 16 17:14:54 2023 -- 1 IP address (1 host up) scanned in 1812.15 seconds


@@ -0,0 +1,61 @@
# Nmap 7.93 scan initiated Thu Feb 16 16:45:11 2023 as: nmap -vv --reason -Pn -T4 -sV -p 22 --script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/simon/htb/derailed/results/derailed.htb/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/simon/htb/derailed/results/derailed.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml derailed.htb
Nmap scan report for derailed.htb (10.10.11.190)
Host is up, received user-set (0.028s latency).
Scanned at 2023-02-16 16:45:12 CET for 1s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 1623b09ade0e3492cb2b18170ff27b1a (RSA)
| ssh-rsa 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
| 256 50445e886b3e4b5bf9341dede52d91df (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOcuzOG7Q6l3ZLFmocqRTs2dXqiG3ii2rshcQ6a10XAVba0QPP9+ipfc/NyLuCZRYFJzbTb0ibspjj7/+Bdlqc0=
| 256 0abd9223df44026f278da6abb4077837 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO78ti8QXn0bimoisaTT8uaxll+KTaGyXrQHpnBKuXoT
| ssh2-enum-algos:
| kex_algorithms: (9)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| diffie-hellman-group14-sha256
| server_host_key_algorithms: (5)
| rsa-sha2-512
| rsa-sha2-256
| ssh-rsa
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (6)
| chacha20-poly1305@openssh.com
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| mac_algorithms: (10)
| umac-64-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-64@openssh.com
| umac-128@openssh.com
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms: (1)
|_ none
|_banner: SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 16 16:45:13 2023 -- 1 IP address (1 host up) scanned in 2.07 seconds
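Review bot: The hardening-relevant result in this output is not called out anywhere: `ssh-auth-methods` lists `password` alongside `publickey`, so the service accepts password logins and is exposed to credential guessing. For the write-up, add a line noting that a hardened sshd would set `PasswordAuthentication no` and offer `publickey` only. The `hmac-sha1` and `hmac-sha1-etm@openssh.com` entries under `mac_algorithms` are a lesser item for the same list.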


@@ -0,0 +1,100 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Thu Feb 16 16:45:11 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 22 -&#45;script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/simon/htb/derailed/results/derailed.htb/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/simon/htb/derailed/results/derailed.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml derailed.htb -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 22 -&#45;script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/simon/htb/derailed/results/derailed.htb/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/simon/htb/derailed/results/derailed.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml derailed.htb" start="1676562311" startstr="Thu Feb 16 16:45:11 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="syn" protocol="tcp" numservices="1" services="22"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1676562311"/>
<taskend task="NSE" time="1676562311"/>
<taskbegin task="NSE" time="1676562311"/>
<taskend task="NSE" time="1676562311"/>
<taskbegin task="SYN Stealth Scan" time="1676562312"/>
<taskend task="SYN Stealth Scan" time="1676562312" extrainfo="1 total ports"/>
<taskbegin task="Service scan" time="1676562312"/>
<taskend task="Service scan" time="1676562312" extrainfo="1 service on 1 host"/>
<taskbegin task="NSE" time="1676562312"/>
<taskend task="NSE" time="1676562313"/>
<taskbegin task="NSE" time="1676562313"/>
<taskend task="NSE" time="1676562313"/>
<host starttime="1676562312" endtime="1676562313"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.10.11.190" addrtype="ipv4"/>
<hostnames>
<hostname name="derailed.htb" type="user"/>
<hostname name="derailed.htb" type="PTR"/>
</hostnames>
<ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="ssh" product="OpenSSH" version="8.4p1 Debian 5+deb11u1" extrainfo="protocol 2.0" ostype="Linux" method="probed" conf="10"><cpe>cpe:/a:openbsd:openssh:8.4p1</cpe><cpe>cpe:/o:linux:linux_kernel</cpe></service><script id="ssh-hostkey" output="&#xa; 3072 1623b09ade0e3492cb2b18170ff27b1a (RSA)&#xa;ssh-rsa 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&#xa; 256 50445e886b3e4b5bf9341dede52d91df (ECDSA)&#xa;ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOcuzOG7Q6l3ZLFmocqRTs2dXqiG3ii2rshcQ6a10XAVba0QPP9+ipfc/NyLuCZRYFJzbTb0ibspjj7/+Bdlqc0=&#xa; 256 0abd9223df44026f278da6abb4077837 (ED25519)&#xa;ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO78ti8QXn0bimoisaTT8uaxll+KTaGyXrQHpnBKuXoT"><table>
<elem key="fingerprint">1623b09ade0e3492cb2b18170ff27b1a</elem>
<elem key="bits">3072</elem>
<elem key="type">ssh-rsa</elem>
<elem key="key">AAAAB3NzaC1yc2EAAAADAQABAAABgQDdUXlqsdBNnvsMMjPnLQq5YmKAP1g4DZjG7087OK4/TnwDXw64YCRBT8n93hLtaESx4Mlv5b9FgsMY1dK48Bik9YdTrJeA4dHh2gp2f0Hpi0PN+fnnRjFEdfflnYesJYg+Q5QdOJWV/jVE+n1MEvuXKvpzz2HaSqL4fK/uWTfd/078xrGDJLMHRWKBlRg8y22T1RTPArXIFShFHIVTARkWDqVazH+Hw91hcxJQLc8aJ/x/6jjNifqeH0Xv5FJq8Cf0DxVkYVSuliGMQUWTHO5xwN04C9CIdzKmFOsnK5HRzIFxdn80SLDPC2tioCuEL+HJbmAvy4qxVbIQzt9siteZG83Ty/OGZ8kvgY1mXAIwdyR3i4SIXhEMJ6s/pUXyw+ZqQtiwms4foPnZ8zCrAZTIxMA63lwVlFg9o7dtyj4p1dKeyAqDDRGoLAl+MUv7S3vhXhBj5AD8ve6T0Oy00Hw8wgS4aLExqAgPPW33aEytksturHibKOyaKzt+Rw7Ayuk=</elem>
</table>
<table>
<elem key="fingerprint">50445e886b3e4b5bf9341dede52d91df</elem>
<elem key="bits">256</elem>
<elem key="type">ecdsa-sha2-nistp256</elem>
<elem key="key">AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOcuzOG7Q6l3ZLFmocqRTs2dXqiG3ii2rshcQ6a10XAVba0QPP9+ipfc/NyLuCZRYFJzbTb0ibspjj7/+Bdlqc0=</elem>
</table>
<table>
<elem key="fingerprint">0abd9223df44026f278da6abb4077837</elem>
<elem key="bits">256</elem>
<elem key="type">ssh-ed25519</elem>
<elem key="key">AAAAC3NzaC1lZDI1NTE5AAAAIO78ti8QXn0bimoisaTT8uaxll+KTaGyXrQHpnBKuXoT</elem>
</table>
</script><script id="ssh2-enum-algos" output="&#xa; kex_algorithms: (9)&#xa; curve25519-sha256&#xa; curve25519-sha256@libssh.org&#xa; ecdh-sha2-nistp256&#xa; ecdh-sha2-nistp384&#xa; ecdh-sha2-nistp521&#xa; diffie-hellman-group-exchange-sha256&#xa; diffie-hellman-group16-sha512&#xa; diffie-hellman-group18-sha512&#xa; diffie-hellman-group14-sha256&#xa; server_host_key_algorithms: (5)&#xa; rsa-sha2-512&#xa; rsa-sha2-256&#xa; ssh-rsa&#xa; ecdsa-sha2-nistp256&#xa; ssh-ed25519&#xa; encryption_algorithms: (6)&#xa; chacha20-poly1305@openssh.com&#xa; aes128-ctr&#xa; aes192-ctr&#xa; aes256-ctr&#xa; aes128-gcm@openssh.com&#xa; aes256-gcm@openssh.com&#xa; mac_algorithms: (10)&#xa; umac-64-etm@openssh.com&#xa; umac-128-etm@openssh.com&#xa; hmac-sha2-256-etm@openssh.com&#xa; hmac-sha2-512-etm@openssh.com&#xa; hmac-sha1-etm@openssh.com&#xa; umac-64@openssh.com&#xa; umac-128@openssh.com&#xa; hmac-sha2-256&#xa; hmac-sha2-512&#xa; hmac-sha1&#xa; compression_algorithms: (1)&#xa; none"><table key="kex_algorithms">
<elem>curve25519-sha256</elem>
<elem>curve25519-sha256@libssh.org</elem>
<elem>ecdh-sha2-nistp256</elem>
<elem>ecdh-sha2-nistp384</elem>
<elem>ecdh-sha2-nistp521</elem>
<elem>diffie-hellman-group-exchange-sha256</elem>
<elem>diffie-hellman-group16-sha512</elem>
<elem>diffie-hellman-group18-sha512</elem>
<elem>diffie-hellman-group14-sha256</elem>
</table>
<table key="server_host_key_algorithms">
<elem>rsa-sha2-512</elem>
<elem>rsa-sha2-256</elem>
<elem>ssh-rsa</elem>
<elem>ecdsa-sha2-nistp256</elem>
<elem>ssh-ed25519</elem>
</table>
<table key="encryption_algorithms">
<elem>chacha20-poly1305@openssh.com</elem>
<elem>aes128-ctr</elem>
<elem>aes192-ctr</elem>
<elem>aes256-ctr</elem>
<elem>aes128-gcm@openssh.com</elem>
<elem>aes256-gcm@openssh.com</elem>
</table>
<table key="mac_algorithms">
<elem>umac-64-etm@openssh.com</elem>
<elem>umac-128-etm@openssh.com</elem>
<elem>hmac-sha2-256-etm@openssh.com</elem>
<elem>hmac-sha2-512-etm@openssh.com</elem>
<elem>hmac-sha1-etm@openssh.com</elem>
<elem>umac-64@openssh.com</elem>
<elem>umac-128@openssh.com</elem>
<elem>hmac-sha2-256</elem>
<elem>hmac-sha2-512</elem>
<elem>hmac-sha1</elem>
</table>
<table key="compression_algorithms">
<elem>none</elem>
</table>
</script><script id="banner" output="SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1"/><script id="ssh-auth-methods" output="&#xa; Supported authentication methods: &#xa; publickey&#xa; password"><table key="Supported authentication methods">
<elem>publickey</elem>
<elem>password</elem>
</table>
</script></port>
</ports>
<times srtt="27687" rttvar="27687" to="138435"/>
</host>
<taskbegin task="NSE" time="1676562313"/>
<taskend task="NSE" time="1676562313"/>
<taskbegin task="NSE" time="1676562313"/>
<taskend task="NSE" time="1676562313"/>
<runstats><finished time="1676562313" timestr="Thu Feb 16 16:45:13 2023" summary="Nmap done at Thu Feb 16 16:45:13 2023; 1 IP address (1 host up) scanned in 2.07 seconds" elapsed="2.07" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>


@@ -0,0 +1,11 @@
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Thu, 16 Feb 2023 15:45:11 GMT
Content-Type: text/plain
Content-Length: 99
Connection: keep-alive
Last-Modified: Wed, 25 May 2022 19:18:45 GMT
Expires: Thu, 16 Feb 2023 15:45:10 GMT
Cache-Control: no-cache
# See https://www.robotstxt.org/robotstxt.html for documentation on how to use the robots.txt file


@@ -0,0 +1,150 @@
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Thu, 16 Feb 2023 15:45:11 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Link: </packs/js/application-135b5cfa2df817d08f14.js>; rel=preload; as=script; nopush
Vary: Accept
ETag: W/"b91a8efb6a825d68e38d6699074408ae"
Cache-Control: no-cache
Set-Cookie: _simple_rails_session=VeYoCmGHghenr7wwQLcf%2BDrNgdM5%2BGsQ2gl5%2F4I3btsVC2BeWkmYQDiwN2UeS9mIsuUFx9bZyboVLrJ%2B%2BJgowTMU9QppzJaDqcIC%2FlUlfLLDQ7lDx2CUj1RWEQvmqVQ4j7oLknpuUTBQyHZHI8uTfQA7wYBOlgfgvn6LYdXpvVkx03gI%2FtDpcgRuBkxvw3h9ndQ7MBA8OXp9iNwUiiCiGi%2FOb%2FWlaKZqjokfuTGw2qIKk0vbZAA6Q4ltvI8eaGhbKwCITJo4jXeiM8LxUtJGSQU6Mpw1hpcY21ULB%2Bs%3D--FFPX%2FtBnxMH8Fo52--emykyQaq2bu%2BZnwDa8c95g%3D%3D; path=/; HttpOnly; SameSite=Lax
X-Request-Id: 61fbfc99-63b4-484e-8fd3-afa3eaef39f8
X-Runtime: 0.020045
Expires: Thu, 16 Feb 2023 15:45:10 GMT
<!DOCTYPE html>
<html>
<head>
<title>derailed.htb</title>
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/>
<meta name="csrf-param" content="authenticity_token" />
<meta name="csrf-token" content="z-Eg9OBMxBOJWX_qhFXu6ZMNJGg8gqxLwrBzYc_woqNdutrMr8d4B3lCt3k2-BKh7WnC-2RS5UkccnXbyumWZg" />
<!-- Warning !! ensure that "stylesheet_pack_tag" is used, line below -->
<script src="/packs/js/application-135b5cfa2df817d08f14.js" data-turbolinks-track="reload"></script>
<link href="/js/vs/editor/editor.main.css" rel="stylesheet"/>
<!-- Favicon-->
<link rel="icon" type="image/x-icon" href="/assets/favicon.ico"/>
<!-- Font Awesome icons (free version)-->
<script src="https://use.fontawesome.com/releases/v6.1.0/js/all.js" crossorigin="anonymous"></script>
<!-- Google fonts-->
<link href="https://fonts.googleapis.com/css?family=Montserrat:400,700" rel="stylesheet" type="text/css"/>
<link href="https://fonts.googleapis.com/css?family=Lato:400,700,400italic,700italic" rel="stylesheet" type="text/css"/>
<!-- Core theme CSS (includes Bootstrap)-->
<link href="/css/styles.css" rel="stylesheet"/>
</head>
<body id="page-top">
<!-- Navigation-->
<nav class="navbar navbar-expand-lg bg-secondary text-uppercase fixed-top" id="mainNav">
<div class="container">
<a class="navbar-brand" href="/">CLIPNOTES</a>
<button class="navbar-toggler text-uppercase font-weight-bold bg-primary text-white rounded" type="button" data-bs-toggle="collapse" data-bs-target="#navbarResponsive" aria-controls="navbarResponsive" aria-expanded="false" aria-label="Toggle navigation">
Menu
<i class="fas fa-bars"></i>
</button>
<div class="collapse navbar-collapse" id="navbarResponsive">
<ul class="navbar-nav ms-auto">
<li class="nav-item mx-0 mx-lg-1">
<a class="nav-link py-3 px-0 px-lg-3 rounded" href="/login">Login</a>
</li>
<li class="nav-item mx-0 mx-lg-1">
<a class="nav-link py-3 px-0 px-lg-3 rounded" href="/register">Sign Up</a>
</li>
</ul>
</div>
</div>
</nav>
<header class="masthead bg-primary text-white text-center">
<div class="container">
<form action="/create" accept-charset="UTF-8" method="post"><input type="hidden" name="authenticity_token" value="-alilGD1Y-OjXpjBgQ9Xf1QesExsR0441HGTWFfBEKlC55TEUOoSglwJnPNLw5j-kR6GkzJOVcBTFElq4YcItA" autocomplete="off" />
<div class="form-group">
<h2 class="page-section-heading text-center text-uppercase text-white">New Clipnote</h2>
<textarea rows="12" class="form-control" name="note[content]" id="note_content">
</textarea>
</div>
<div class="text-center mt-4">
<button name="button" type="submit" class="btn btn-xl btn-outline-light">
<i class="fas fa-plus me-2"></i>
Create New Clipnote
</button>
</div>
</form>
</div>
</header>
<!-- Footer-->
<footer class="footer text-center">
<div class="container">
<div class="row">
<!-- Footer Location-->
<div class="col-lg-4 mb-5 mb-lg-0">
<h4 class="text-uppercase mb-4">Location</h4>
<p class="lead mb-0">
2215 John Daniel Drive
<br/>
Clark, MO 65243
</p>
</div>
<!-- Footer Social Icons-->
<div class="col-lg-4 mb-5 mb-lg-0">
<h4 class="text-uppercase mb-4"><a href="http://derailed.htb">derailed.htb</a></h4>
<a class="btn btn-outline-light btn-social mx-1" href="#!"><i class="fab fa-fw fa-facebook-f"></i></a>
<a class="btn btn-outline-light btn-social mx-1" href="#!"><i class="fab fa-fw fa-twitter"></i></a>
<a class="btn btn-outline-light btn-social mx-1" href="#!"><i class="fab fa-fw fa-linkedin-in"></i></a>
<a class="btn btn-outline-light btn-social mx-1" href="#!"><i class="fab fa-fw fa-dribbble"></i></a>
</div>
<!-- Footer About Text-->
<div class="col-lg-4">
<h4 class="text-uppercase mb-4">About derailed.htb</h4>
<p class="lead mb-0">
derailed.htb is a free to use service, which allows users to create notes within a few seconds.
</p>
</div>
</div>
</div>
</footer>
<!-- Copyright Section-->
<div class="copyright py-4 text-center text-white">
<div class="container"><small>Copyright &copy; derailed.htb 2022</small></div>
</div>
<!-- Bootstrap core JS-->
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js"></script>
<script src="/js/scripts.js"></script>
<script src="https://cdn.startbootstrap.com/sb-forms-latest.js"></script>
</body>
</html>
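Review bot: The captured response is committed with the full `Set-Cookie: _simple_rails_session=…` value and both the `csrf-token` and `authenticity_token` values intact, and the same cookie material appears again in the `http-headers` block of the port-3000 Nmap output and in the WhatWeb header dump later in this commit. Stored session cookies in a repository are credential material once this workflow is used outside a lab, so I would redact them before committing, e.g. `Set-Cookie: _simple_rails_session=<REDACTED>; path=/; HttpOnly; SameSite=Lax`. The capture also shows the cookie issued without `Secure`, no `Content-Security-Policy` header, and three third-party `<script src="https://…">` tags without an `integrity` attribute; those are worth writing up as findings in the notes rather than leaving them implicit in the raw dump.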


@@ -0,0 +1,40 @@
200 GET 153l 397w 0c http://derailed.htb:3000/register
200 GET 8l 29w 23462c http://derailed.htb:3000/assets/favicon.ico
200 GET 6l 1408w 77302c http://derailed.htb:3000/js/vs/editor/editor.main.css
200 GET 54l 134w 1648c http://derailed.htb:3000/js/scripts.js
200 GET 11509l 21777w 211255c http://derailed.htb:3000/css/styles.css
200 GET 7219l 79688w 1008873c http://derailed.htb:3000/packs/js/application-135b5cfa2df817d08f14.js
200 GET 144l 381w 0c http://derailed.htb:3000/login
200 GET 128l 341w 0c http://derailed.htb:3000/
200 GET 67l 181w 1722c http://derailed.htb:3000/404
200 GET 66l 165w 1635c http://derailed.htb:3000/500
200 GET 67l 181w 1722c http://derailed.htb:3000/404.html
200 GET 66l 165w 1635c http://derailed.htb:3000/500.html
302 GET 1l 5w 0c http://derailed.htb:3000/administration => http://derailed.htb:3000/login
302 GET 1l 5w 0c http://derailed.htb:3000/administration.txt => http://derailed.htb:3000/login
302 GET 1l 5w 0c http://derailed.htb:3000/administration.html => http://derailed.htb:3000/login
302 GET 1l 5w 0c http://derailed.htb:3000/administration.php => http://derailed.htb:3000/login
302 GET 1l 5w 0c http://derailed.htb:3000/administration.asp => http://derailed.htb:3000/login
302 GET 1l 5w 0c http://derailed.htb:3000/administration.aspx => http://derailed.htb:3000/login
302 GET 1l 5w 0c http://derailed.htb:3000/administration.jsp => http://derailed.htb:3000/login
200 GET 0l 0w 0c http://derailed.htb:3000/favicon.ico
200 GET 144l 381w 0c http://derailed.htb:3000/login.html
200 GET 144l 381w 0c http://derailed.htb:3000/login.php
200 GET 144l 381w 0c http://derailed.htb:3000/login.asp
200 GET 144l 381w 0c http://derailed.htb:3000/login.aspx
200 GET 144l 381w 0c http://derailed.htb:3000/login.jsp
302 GET 1l 5w 0c http://derailed.htb:3000/logout => http://derailed.htb:3000/
302 GET 1l 5w 0c http://derailed.htb:3000/logout.txt => http://derailed.htb:3000/
302 GET 1l 5w 0c http://derailed.htb:3000/logout.html => http://derailed.htb:3000/
302 GET 1l 5w 0c http://derailed.htb:3000/logout.php => http://derailed.htb:3000/
302 GET 1l 5w 0c http://derailed.htb:3000/logout.asp => http://derailed.htb:3000/
302 GET 1l 5w 0c http://derailed.htb:3000/logout.aspx => http://derailed.htb:3000/
302 GET 1l 5w 0c http://derailed.htb:3000/logout.jsp => http://derailed.htb:3000/
200 GET 153l 397w 0c http://derailed.htb:3000/register.html
200 GET 153l 397w 0c http://derailed.htb:3000/register.php
200 GET 153l 397w 0c http://derailed.htb:3000/register.asp
200 GET 153l 397w 0c http://derailed.htb:3000/register.aspx
200 GET 153l 397w 0c http://derailed.htb:3000/register.jsp
200 GET 1l 12w 99c http://derailed.htb:3000/robots.txt
200 GET 67l 176w 1705c http://derailed.htb:3000/422
200 GET 67l 176w 1705c http://derailed.htb:3000/422.html


@@ -0,0 +1,339 @@
# Nmap 7.93 scan initiated Thu Feb 16 16:45:11 2023 as: nmap -vv --reason -Pn -T4 -sV -p 3000 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/tcp_3000_http_nmap.txt -oX /home/simon/htb/derailed/results/derailed.htb/scans/tcp3000/xml/tcp_3000_http_nmap.xml derailed.htb
Nmap scan report for derailed.htb (10.10.11.190)
Host is up, received user-set (0.025s latency).
Scanned at 2023-02-16 16:45:14 CET for 516s
PORT STATE SERVICE REASON VERSION
3000/tcp open http syn-ack ttl 63 nginx 1.18.0
| http-errors:
| Spidering limited to: maxpagecount=40; withinhost=derailed.htb
| Found the following error pages:
|
| Error Code: 404
|_ http://derailed.htb:3000/create
| http-referer-checker:
| Spidering limited to: maxpagecount=30
| https://cdn.jsdelivr.net:443/npm/bootstrap15.1.3/dist/js/bootstrap.bundle.min.js
| https://cdn.startbootstrap.com:443/sb-forms-0.4.1.js
|_ https://use.fontawesome.com:443/releases/v6.1.0/js/all.js
| http-enum:
| /login.stm: Belkin G Wireless Router
| /login.php: Possible admin folder
| /login.html: Possible admin folder
| /login.cfm: Possible admin folder
| /login.asp: Possible admin folder
| /login.aspx: Possible admin folder
| /login.jsp: Possible admin folder
| /login/: Login page
| /login.htm: Login page
| /login.jsp: Login page
| /robots.txt: Robots file
|_ /register/: Potentially interesting folder
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-feed: Couldn't find any feeds.
|_http-malware-host: Host appears to be clean
|_http-chrono: Request times for /; avg: 580.84ms; min: 480.16ms; max: 721.99ms
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-internal-ip-disclosure: ERROR: Script execution failed (use -d to debug)
|_http-title: derailed.htb
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-sitemap-generator:
| Directory structure:
| /
| Other: 3
| /assets/
| ico: 1
| /css/
| css: 1
| /js/
| js: 1
| /js/vs/editor/
| css: 1
| Longest directory structure:
| Depth: 3
| Dir: /js/vs/editor/
| Total files found (by extension):
|_ Other: 3; css: 2; ico: 1; js: 1
| http-vhosts:
|_128 names had status 200
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-devframework: RoR detected. Found properties file on /rails/info/properties/
| http-auth-finder:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=derailed.htb
| url method
| http://derailed.htb:3000/register FORM
|_ http://derailed.htb:3000/login FORM
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
|_http-mobileversion-checker: No mobile version detected.
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-server-header: nginx/1.18.0
| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=derailed.htb
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 7717
| Comment:
| /* rtl:end:remove */
|
| Path: http://derailed.htb:3000/register
| Line number: 63
| Comment:
| <!-- Contact Section Heading-->
|
| Path: http://derailed.htb:3000/js/scripts.js
| Line number: 29
| Comment:
| // Shrink the navbar when page is scrolled
|
| Path: http://derailed.htb:3000/js/scripts.js
| Line number: 6
| Comment:
|
| //
|
| Path: http://derailed.htb:3000/register
| Line number: 20
| Comment:
| <!-- Font Awesome icons (free version)-->
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 4792
| Comment:
| /* rtl: var(--bs-breadcrumb-divider, "/") */
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 257
| Comment:
| /* rtl:ignore */
|
| Path: http://derailed.htb:3000/register
| Line number: 116
| Comment:
| <!-- Footer Location-->
|
| Path: http://derailed.htb:3000/register
| Line number: 18
| Comment:
| <!-- Favicon-->
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 6118
| Comment:
| /* rtl:options: {
| "autoRename": true,
| "stringMap":[ {
| "name" : "prev-next",
| "search" : "prev",
| "replace" : "next"
| } ]
| } */
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 7
| Comment:
| /*!
| * Bootstrap v5.1.3 (https://getbootstrap.com/)
| * Copyright 2011-2021 The Bootstrap Authors
| * Copyright 2011-2021 Twitter, Inc.
| * Licensed under MIT (https://github.com/twbs/bootstrap/blob/main/LICENSE)
| */
|
| Path: http://derailed.htb:3000/register
| Line number: 148
| Comment:
| <!-- Bootstrap core JS-->
|
| Path: http://derailed.htb:3000/register
| Line number: 71
| Comment:
| <!-- Contact Section Form-->
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 6042
| Comment:
| /* rtl:end:ignore */
|
| Path: http://derailed.htb:3000/register
| Line number: 25
| Comment:
| <!-- Core theme CSS (includes Bootstrap)-->
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 2
| Comment:
| /*!
| * Start Bootstrap - Freelancer v7.0.6 (https://startbootstrap.com/theme/freelancer)
| * Copyright 2013-2022 Start Bootstrap
| * Licensed under MIT (https://github.com/StartBootstrap/startbootstrap-freelancer/blob/master/LICENSE)
| */
|
| Path: http://derailed.htb:3000/js/scripts.js
| Line number: 32
| Comment:
| // Activate Bootstrap scrollspy on the main nav element
|
| Path: http://derailed.htb:3000/register
| Line number: 22
| Comment:
| <!-- Google fonts-->
|
| Path: http://derailed.htb:3000/js/scripts.js
| Line number: 8
| Comment:
|
| //
|
| Path: http://derailed.htb:3000/js/scripts.js
| Line number: 41
| Comment:
| // Collapse responsive navbar when toggler is visible
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 7711
| Comment:
| /* rtl:begin:remove */
|
| Path: http://derailed.htb:3000/register
| Line number: 112
| Comment:
| <!-- Footer-->
|
| Path: http://derailed.htb:3000/js/vs/editor/editor.main.css
| Line number: 1
| Comment:
| /*!-----------------------------------------------------------
| * Copyright (c) Microsoft Corporation. All rights reserved.
| * Version: 0.33.0(c722ca6c7eed3d7987c0d5c3df5c45f6b15e77d1)
| * Released under the MIT license
| * https://github.com/microsoft/vscode/blob/main/LICENSE.txt
| *-----------------------------------------------------------*/
|
| Path: http://derailed.htb:3000/register
| Line number: 29
| Comment:
| <!-- Navigation-->
|
| Path: http://derailed.htb:3000/register
| Line number: 125
| Comment:
| <!-- Footer Social Icons-->
|
| Path: http://derailed.htb:3000/register
| Line number: 143
| Comment:
| <!-- Copyright Section-->
|
| Path: http://derailed.htb:3000/js/scripts.js
| Line number: 26
| Comment:
| // Shrink the navbar
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 6031
| Comment:
| /* rtl:begin:ignore */
|
| Path: http://derailed.htb:3000/register
| Line number: 13
| Comment:
| <!-- Warning !! ensure that "stylesheet_pack_tag" is used, line below -->
|
| Path: http://derailed.htb:3000/css/styles.css
| Line number: 441
| Comment:
| /* rtl:raw:
| [type="tel"],
| [type="url"],
| [type="email"],
| [type="number"] {
| direction: ltr;
| }
| */
|
| Path: http://derailed.htb:3000/register
| Line number: 133
| Comment:
| <!-- Footer About Text-->
|
| Path: http://derailed.htb:3000/js/scripts.js
| Line number: 12
| Comment:
| // Navbar shrink function
|
| Path: http://derailed.htb:3000/register
| Line number: 65
| Comment:
|_ <!-- Icon Divider-->
| http-security-headers:
| X_Frame_Options:
| Header: X-Frame-Options: SAMEORIGIN
| Description: The browser must not display this content in any frame from a page of different origin than the content itself.
| X_XSS_Protection:
| Header: X-XSS-Protection: 1; mode=block
| Description: The browser will prevent the rendering of the page when XSS is detected.
| X_Content_Type_Options:
| Header: X-Content-Type-Options: nosniff
| Description: Will prevent the browser from MIME-sniffing a response away from the declared content-type.
| X_Permitted_Cross_Domain_Policies:
| Header: X-Permitted-Cross-Domain-Policies: none
| Description: No policy files are allowed anywhere on the target server, including this master policy file.
| Cache_Control:
| Header: Cache-Control: no-cache
| Expires:
|_ Header: Expires: Thu, 16 Feb 2023 15:45:33 GMT
| http-useragent-tester:
| Status for browser useragent: 200
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-date: Thu, 16 Feb 2023 15:45:26 GMT; -1s from local time.
| http-waf-detect: IDS/IPS/WAF detected:
|_derailed.htb:3000/?p4yl04d3=<script>alert(document.cookie)</script>
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
| http-headers:
| Server: nginx/1.18.0
| Date: Thu, 16 Feb 2023 15:45:28 GMT
| Content-Type: text/html; charset=utf-8
| Connection: close
| X-Frame-Options: SAMEORIGIN
| X-XSS-Protection: 1; mode=block
| X-Content-Type-Options: nosniff
| X-Download-Options: noopen
| X-Permitted-Cross-Domain-Policies: none
| Referrer-Policy: strict-origin-when-cross-origin
| Link: </packs/js/application-135b5cfa2df817d08f14.js>; rel=preload; as=script; nopush
| ETag: W/"6522e3db327e482cccc280f692e86223"
| Cache-Control: no-cache
| Set-Cookie: _simple_rails_session=tDEdGZWSZGtkgu2XC5L73pxfqWqr2qeigxOB%2FdvvzAJvk2Ml%2Bcv6SQiEAql4e10Q6Zqf8eNjwl8aVzYdzFk01%2BDD8q7MTzI9IvKNKOX4eH2OjAGtigHRYTuU%2FtBalnWdPGp7GTlhpao9vV93qZQKfxEnLRhblJvP%2BcdcvuDFdIaKjnuyCyUE5b5M%2FO%2B5R8yv57IJmT7shL%2B83e2n2awfNFV9aCFmp90T25y0J8JVEmhkew1treuNsCpjnwUqaIzMyQCo%2BuzHOGDtZJfOszvkAA7tJgnDI3eA9%2Fj2w5Y%3D--cauerDqmrGarteSZ--T%2B%2FFM%2Bp55gejSi%2F7zEKoQw%3D%3D; path=/; HttpOnly; SameSite=Lax
| X-Request-Id: bd64859a-760b-4731-bca1-a5ab5ac3e25d
| X-Runtime: 0.080271
| Expires: Thu, 16 Feb 2023 15:45:27 GMT
|
|_ (Request type: HEAD)
| http-php-version: Logo query returned unknown hash 3f4c876cfd945d09e6f8361405950437
|_Credits query returned unknown hash 2c8e1b7fab02fb0e5a929337403ba4ef
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 16 16:53:50 2023 -- 1 IP address (1 host up) scanned in 519.37 seconds
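Review bot: Several results in this output are artifacts of how the application answers requests and should be marked as such in the accompanying notes instead of being left as raw findings. `http-favicon` reports MD5 `D41D8CD98F00B204E9800998ECF8427E`, which is the digest of empty input, so it fingerprints nothing; `http-vhosts: 128 names had status 200` suggests the server returns a page for any Host header rather than that 128 virtual hosts exist. The `http-enum` hits such as `/login.stm: Belkin G Wireless Router` line up with the content-discovery listing in this commit, where `/login.php`, `/login.asp` and the other extensions all return the same 144-line page. The `http-waf-detect` and `http-devframework` lines would need manual confirmation before being cited in a report.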

Binary file not shown.



@@ -0,0 +1,100 @@
WhatWeb report for http://derailed.htb:3000
Status : 200 OK
Title : derailed.htb
IP : 10.10.11.190
Country : RESERVED, ZZ
Summary : Bootstrap, Cookies[_simple_rails_session], HTML5, HTTPServer[nginx/1.18.0], HttpOnly[_simple_rails_session], nginx[1.18.0], Script, UncommonHeaders[x-content-type-options,x-download-options,x-permitted-cross-domain-policies,referrer-policy,link,x-request-id], X-Frame-Options[SAMEORIGIN], X-XSS-Protection[1; mode=block]
Detected Plugins:
[ Bootstrap ]
Bootstrap is an open source toolkit for developing with
HTML, CSS, and JS.
Website : https://getbootstrap.com/
[ Cookies ]
Display the names of cookies in the HTTP headers. The
values are not returned to save on space.
String : _simple_rails_session
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : nginx/1.18.0 (from server string)
[ HttpOnly ]
If the HttpOnly flag is included in the HTTP set-cookie
response header and the browser supports it then the cookie
cannot be accessed through client side script - More Info:
http://en.wikipedia.org/wiki/HTTP_cookie
String : _simple_rails_session
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
[ UncommonHeaders ]
Uncommon HTTP server headers. The blacklist includes all
the standard headers and many non standard but common ones.
Interesting but fairly common headers should have their own
plugins, eg. x-powered-by, server and x-aspnet-version.
Info about headers can be found at www.http-stats.com
String : x-content-type-options,x-download-options,x-permitted-cross-domain-policies,referrer-policy,link,x-request-id (from headers)
[ X-Frame-Options ]
This plugin retrieves the X-Frame-Options value from the
HTTP header. - More Info:
http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
aspx
String : SAMEORIGIN
[ X-XSS-Protection ]
This plugin retrieves the X-XSS-Protection value from the
HTTP header. - More Info:
http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
aspx
String : 1; mode=block
[ nginx ]
Nginx (Engine-X) is a free, open-source, high-performance
HTTP server and reverse proxy, as well as an IMAP/POP3
proxy server.
Version : 1.18.0
Website : http://nginx.net/
HTTP Headers:
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Thu, 16 Feb 2023 15:45:26 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Link: </packs/js/application-135b5cfa2df817d08f14.js>; rel=preload; as=script; nopush
Vary: Accept
ETag: W/"a8b4d805b5090dd0b87e4821d2df7ca2"
Cache-Control: no-cache
Set-Cookie: _simple_rails_session=ooOfNpkyasLDwPiGVBqcrsfpqvfn50Pzf5IOqMAZ4zvaaOD8nCfa2gZ3JEAatSg4sVB%2B%2Fh7eq%2FkvjmIi8FJ%2FX64W1fP2%2BFurosNX64n15W6Wsif%2FYyitQXvbOf455kZaGXDOwkfpWt%2BFFgsNxJuufcOgUmJQpA1CE%2Fp2ydvBS6xppKfA2ZVbk%2F9lYgt4D0lVQhxERvN4N3gob8HoV%2BqVnVVHDdAkvA1%2F7co%2Bjpmh2E0owj2yvPG38wNjvUeRREyr21onFQ64Tp%2FygnM0fp2w3YoByHIPcsI%2Baie8Jqg%3D--l9hl7fBfRLBW%2Fgf0--Y%2BJUAftY8y15nt45Jhn95Q%3D%3D; path=/; HttpOnly; SameSite=Lax
X-Request-Id: d5c74b03-6bb3-4325-9fac-e115d437c25f
X-Runtime: 0.035284
Expires: Thu, 16 Feb 2023 15:45:25 GMT

File diff suppressed because one or more lines are too long


@@ -0,0 +1,123 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Thu Feb 16 16:44:43 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -sC -&#45;version-all -A -&#45;osscan-guess -p- -oN /home/simon/htb/derailed/results/derailed.htb/scans/_full_tcp_nmap.txt -oX /home/simon/htb/derailed/results/derailed.htb/scans/xml/_full_tcp_nmap.xml derailed.htb -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -sC -&#45;version-all -A -&#45;osscan-guess -p- -oN /home/simon/htb/derailed/results/derailed.htb/scans/_full_tcp_nmap.txt -oX /home/simon/htb/derailed/results/derailed.htb/scans/xml/_full_tcp_nmap.xml derailed.htb" start="1676562283" startstr="Thu Feb 16 16:44:43 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="syn" protocol="tcp" numservices="65535" services="1-65535"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1676562284"/>
<taskend task="NSE" time="1676562284"/>
<taskbegin task="NSE" time="1676562284"/>
<taskend task="NSE" time="1676562284"/>
<taskbegin task="NSE" time="1676562284"/>
<taskend task="NSE" time="1676562284"/>
<taskbegin task="SYN Stealth Scan" time="1676562284"/>
<taskprogress task="SYN Stealth Scan" time="1676562315" percent="22.44" remaining="108" etc="1676562422"/>
<taskprogress task="SYN Stealth Scan" time="1676562345" percent="56.62" remaining="47" etc="1676562392"/>
<taskend task="SYN Stealth Scan" time="1676562390" extrainfo="65535 total ports"/>
<taskbegin task="Service scan" time="1676562391"/>
<taskend task="Service scan" time="1676562402" extrainfo="2 services on 1 host"/>
<taskbegin task="Traceroute" time="1676562407"/>
<taskend task="Traceroute" time="1676562407"/>
<taskbegin task="Parallel DNS resolution of 1 host." time="1676562407"/>
<taskend task="Parallel DNS resolution of 1 host." time="1676562407"/>
<taskbegin task="NSE" time="1676562407"/>
<taskend task="NSE" time="1676562412"/>
<taskbegin task="NSE" time="1676562412"/>
<taskend task="NSE" time="1676562413"/>
<taskbegin task="NSE" time="1676562413"/>
<taskend task="NSE" time="1676562413"/>
<host starttime="1676562284" endtime="1676562413"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.10.11.190" addrtype="ipv4"/>
<hostnames>
<hostname name="derailed.htb" type="user"/>
<hostname name="derailed.htb" type="PTR"/>
</hostnames>
<ports><extraports state="filtered" count="65533">
<extrareasons reason="no-response" count="65533" proto="tcp" ports="1-21,23-2999,3001-65535"/>
</extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="ssh" product="OpenSSH" version="8.4p1 Debian 5+deb11u1" extrainfo="protocol 2.0" ostype="Linux" method="probed" conf="10"><cpe>cpe:/a:openbsd:openssh:8.4p1</cpe><cpe>cpe:/o:linux:linux_kernel</cpe></service><script id="ssh-hostkey" output="&#xa; 3072 1623b09ade0e3492cb2b18170ff27b1a (RSA)&#xa;ssh-rsa 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&#xa; 256 50445e886b3e4b5bf9341dede52d91df (ECDSA)&#xa;ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOcuzOG7Q6l3ZLFmocqRTs2dXqiG3ii2rshcQ6a10XAVba0QPP9+ipfc/NyLuCZRYFJzbTb0ibspjj7/+Bdlqc0=&#xa; 256 0abd9223df44026f278da6abb4077837 (ED25519)&#xa;ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO78ti8QXn0bimoisaTT8uaxll+KTaGyXrQHpnBKuXoT"><table>
<elem key="bits">3072</elem>
<elem key="fingerprint">1623b09ade0e3492cb2b18170ff27b1a</elem>
<elem key="key">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</elem>
<elem key="type">ssh-rsa</elem>
</table>
<table>
<elem key="bits">256</elem>
<elem key="fingerprint">50445e886b3e4b5bf9341dede52d91df</elem>
<elem key="key">AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOcuzOG7Q6l3ZLFmocqRTs2dXqiG3ii2rshcQ6a10XAVba0QPP9+ipfc/NyLuCZRYFJzbTb0ibspjj7/+Bdlqc0=</elem>
<elem key="type">ecdsa-sha2-nistp256</elem>
</table>
<table>
<elem key="bits">256</elem>
<elem key="fingerprint">0abd9223df44026f278da6abb4077837</elem>
<elem key="key">AAAAC3NzaC1lZDI1NTE5AAAAIO78ti8QXn0bimoisaTT8uaxll+KTaGyXrQHpnBKuXoT</elem>
<elem key="type">ssh-ed25519</elem>
</table>
</script></port>
<port protocol="tcp" portid="3000"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="http" product="nginx" version="1.18.0" method="probed" conf="10"><cpe>cpe:/a:igor_sysoev:nginx:1.18.0</cpe></service><script id="http-title" output="derailed.htb"><elem key="title">derailed.htb</elem>
</script><script id="http-server-header" output="nginx/1.18.0"><elem>nginx/1.18.0</elem>
</script><script id="http-methods" output="&#xa; Supported Methods: GET HEAD POST OPTIONS"><table key="Supported Methods">
<elem>GET</elem>
<elem>HEAD</elem>
<elem>POST</elem>
<elem>OPTIONS</elem>
</table>
</script><script id="http-favicon" output="Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E"/></port>
</ports>
<os><portused state="open" proto="tcp" portid="22"/>
<osmatch name="Linux 4.15 - 5.6" accuracy="92" line="67238">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="4.X" accuracy="92"><cpe>cpe:/o:linux:linux_kernel:4</cpe></osclass>
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="92"><cpe>cpe:/o:linux:linux_kernel:5</cpe></osclass>
</osmatch>
<osmatch name="Linux 5.0 - 5.4" accuracy="91" line="68103">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="91"><cpe>cpe:/o:linux:linux_kernel:5</cpe></osclass>
</osmatch>
<osmatch name="Linux 5.3 - 5.4" accuracy="91" line="68140">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="91"><cpe>cpe:/o:linux:linux_kernel:5</cpe></osclass>
</osmatch>
<osmatch name="Linux 2.6.32" accuracy="91" line="55653">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="91"><cpe>cpe:/o:linux:linux_kernel:2.6.32</cpe></osclass>
</osmatch>
<osmatch name="Linux 5.0" accuracy="90" line="68042">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="90"><cpe>cpe:/o:linux:linux_kernel:5.0</cpe></osclass>
</osmatch>
<osmatch name="Linux 5.0 - 5.3" accuracy="90" line="68082">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="90"><cpe>cpe:/o:linux:linux_kernel:5</cpe></osclass>
</osmatch>
<osmatch name="Linux 5.4" accuracy="90" line="68176">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="90"><cpe>cpe:/o:linux:linux_kernel:5.4</cpe></osclass>
</osmatch>
<osmatch name="Crestron XPanel control system" accuracy="90" line="19543">
<osclass type="specialized" vendor="Crestron" osfamily="2-Series" accuracy="90"><cpe>cpe:/o:crestron:2_series</cpe></osclass>
</osmatch>
<osmatch name="ASUS RT-N56U WAP (Linux 3.4)" accuracy="87" line="8398">
<osclass type="WAP" vendor="Asus" osfamily="embedded" accuracy="87"><cpe>cpe:/h:asus:rt-n56u</cpe></osclass>
<osclass type="WAP" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="87"><cpe>cpe:/o:linux:linux_kernel:3.4</cpe></osclass>
</osmatch>
<osmatch name="Linux 3.1" accuracy="87" line="62917">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="87"><cpe>cpe:/o:linux:linux_kernel:3.1</cpe></osclass>
</osmatch>
<osfingerprint fingerprint="SCAN(V=7.93%E=4%D=2/16%OT=22%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=63EE4FED%P=x86_64-pc-linux-gnu)&#xa;SEQ(SP=103%GCD=1%ISR=10C%TI=Z%TS=A)&#xa;SEQ(SP=103%GCD=1%ISR=10C%TI=Z%II=I%TS=A)&#xa;OPS(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%O6=M54EST11)&#xa;WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)&#xa;ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)&#xa;T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)&#xa;T2(R=N)&#xa;T3(R=N)&#xa;T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)&#xa;U1(R=N)&#xa;IE(R=Y%DFI=N%TG=40%CD=S)&#xa;"/>
</os>
<uptime seconds="3607894" lastboot="Thu Jan 5 22:35:19 2023"/>
<distance value="2"/>
<tcpsequence index="259" difficulty="Good luck!" values="3A8C8581,5638AB41,937868F,7A21C3F8,B7896D4F,175FBF2B"/>
<ipidsequence class="All zeros" values="0,0,0,0,0,0"/>
<tcptssequence class="1000HZ" values="D70BFB61,D70BFBE5,D70BFC38,D70BFCA7,D70BFCFC,D70BFD76"/>
<trace port="22" proto="tcp">
<hop ttl="1" ipaddr="10.10.16.1" rtt="29.13"/>
<hop ttl="2" ipaddr="10.10.11.190" rtt="29.31" host="derailed.htb"/>
</trace>
<times srtt="33261" rttvar="6720" to="100000"/>
</host>
<taskbegin task="NSE" time="1676562413"/>
<taskend task="NSE" time="1676562413"/>
<taskbegin task="NSE" time="1676562413"/>
<taskend task="NSE" time="1676562413"/>
<taskbegin task="NSE" time="1676562413"/>
<taskend task="NSE" time="1676562413"/>
<runstats><finished time="1676562413" timestr="Thu Feb 16 16:46:53 2023" summary="Nmap done at Thu Feb 16 16:46:53 2023; 1 IP address (1 host up) scanned in 130.27 seconds" elapsed="130.27" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>
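Review bot: The leading comment and the `args` attribute of this nmap XML record the operator's absolute output paths (`/home/simon/htb/...`), and the `xml-stylesheet` instruction points at a `file://` path on the scanning host, so the committed artifact discloses a local account name and only renders on that workstation. Producing the report with `--webxml` or `--no-stylesheet` and relative `-oN`/`-oX` paths would avoid both. Because the document carries `<!DOCTYPE nmaprun>` and a stylesheet reference, any tooling that ingests it should parse with DTD loading and external-entity resolution disabled and should not fetch the stylesheet named in the file. The same applies to the quick-TCP and top-100-UDP reports that follow in this commit.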


@@ -0,0 +1,121 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Thu Feb 16 16:44:43 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -sC -&#45;version-all -A -&#45;osscan-guess -oN /home/simon/htb/derailed/results/derailed.htb/scans/_quick_tcp_nmap.txt -oX /home/simon/htb/derailed/results/derailed.htb/scans/xml/_quick_tcp_nmap.xml derailed.htb -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -sC -&#45;version-all -A -&#45;osscan-guess -oN /home/simon/htb/derailed/results/derailed.htb/scans/_quick_tcp_nmap.txt -oX /home/simon/htb/derailed/results/derailed.htb/scans/xml/_quick_tcp_nmap.xml derailed.htb" start="1676562283" startstr="Thu Feb 16 16:44:43 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="syn" protocol="tcp" numservices="1000" services="1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-1114,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,2869,2875,2909-2910,2920,2967-2968,2998,3000-3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3306,3322-3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000-5004,5009,5030,5033,5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200,521
4,5221-5222,5225-5226,5269,5280,5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,5959-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-7938,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,16016,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,24800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,42510,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1676562284"/>
<taskend task="NSE" time="1676562284"/>
<taskbegin task="NSE" time="1676562284"/>
<taskend task="NSE" time="1676562284"/>
<taskbegin task="NSE" time="1676562284"/>
<taskend task="NSE" time="1676562284"/>
<taskbegin task="SYN Stealth Scan" time="1676562284"/>
<taskend task="SYN Stealth Scan" time="1676562290" extrainfo="1000 total ports"/>
<taskbegin task="Service scan" time="1676562290"/>
<taskend task="Service scan" time="1676562301" extrainfo="2 services on 1 host"/>
<taskbegin task="Traceroute" time="1676562305"/>
<taskend task="Traceroute" time="1676562305"/>
<taskbegin task="Parallel DNS resolution of 1 host." time="1676562305"/>
<taskend task="Parallel DNS resolution of 1 host." time="1676562305"/>
<taskbegin task="NSE" time="1676562305"/>
<taskend task="NSE" time="1676562310"/>
<taskbegin task="NSE" time="1676562310"/>
<taskend task="NSE" time="1676562310"/>
<taskbegin task="NSE" time="1676562310"/>
<taskend task="NSE" time="1676562310"/>
<host starttime="1676562284" endtime="1676562310"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.10.11.190" addrtype="ipv4"/>
<hostnames>
<hostname name="derailed.htb" type="user"/>
<hostname name="derailed.htb" type="PTR"/>
</hostnames>
<ports><extraports state="filtered" count="998">
<extrareasons reason="no-response" count="998" proto="tcp" ports="1,3-4,6-7,9,13,17,19-21,23-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-1114,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,2869,2875,2909-2910,2920,2967-2968,2998,3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3306,3322-3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000-5004,5009,5030,5033,5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200,5
214,5221-5222,5225-5226,5269,5280,5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,5959-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-7938,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,16016,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,24800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,42510,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389"/>
</extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="ssh" product="OpenSSH" version="8.4p1 Debian 5+deb11u1" extrainfo="protocol 2.0" ostype="Linux" method="probed" conf="10"><cpe>cpe:/a:openbsd:openssh:8.4p1</cpe><cpe>cpe:/o:linux:linux_kernel</cpe></service><script id="ssh-hostkey" output="&#xa; 3072 1623b09ade0e3492cb2b18170ff27b1a (RSA)&#xa;ssh-rsa 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&#xa; 256 50445e886b3e4b5bf9341dede52d91df (ECDSA)&#xa;ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOcuzOG7Q6l3ZLFmocqRTs2dXqiG3ii2rshcQ6a10XAVba0QPP9+ipfc/NyLuCZRYFJzbTb0ibspjj7/+Bdlqc0=&#xa; 256 0abd9223df44026f278da6abb4077837 (ED25519)&#xa;ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO78ti8QXn0bimoisaTT8uaxll+KTaGyXrQHpnBKuXoT"><table>
<elem key="bits">3072</elem>
<elem key="fingerprint">1623b09ade0e3492cb2b18170ff27b1a</elem>
<elem key="key">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</elem>
<elem key="type">ssh-rsa</elem>
</table>
<table>
<elem key="bits">256</elem>
<elem key="fingerprint">50445e886b3e4b5bf9341dede52d91df</elem>
<elem key="key">AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOcuzOG7Q6l3ZLFmocqRTs2dXqiG3ii2rshcQ6a10XAVba0QPP9+ipfc/NyLuCZRYFJzbTb0ibspjj7/+Bdlqc0=</elem>
<elem key="type">ecdsa-sha2-nistp256</elem>
</table>
<table>
<elem key="bits">256</elem>
<elem key="fingerprint">0abd9223df44026f278da6abb4077837</elem>
<elem key="key">AAAAC3NzaC1lZDI1NTE5AAAAIO78ti8QXn0bimoisaTT8uaxll+KTaGyXrQHpnBKuXoT</elem>
<elem key="type">ssh-ed25519</elem>
</table>
</script></port>
<port protocol="tcp" portid="3000"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="http" product="nginx" version="1.18.0" method="probed" conf="10"><cpe>cpe:/a:igor_sysoev:nginx:1.18.0</cpe></service><script id="http-server-header" output="nginx/1.18.0"><elem>nginx/1.18.0</elem>
</script><script id="http-methods" output="&#xa; Supported Methods: GET HEAD POST OPTIONS"><table key="Supported Methods">
<elem>GET</elem>
<elem>HEAD</elem>
<elem>POST</elem>
<elem>OPTIONS</elem>
</table>
</script><script id="http-favicon" output="Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E"/><script id="http-title" output="derailed.htb"><elem key="title">derailed.htb</elem>
</script></port>
</ports>
<os><portused state="open" proto="tcp" portid="22"/>
<osmatch name="Linux 4.15 - 5.6" accuracy="92" line="67238">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="4.X" accuracy="92"><cpe>cpe:/o:linux:linux_kernel:4</cpe></osclass>
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="92"><cpe>cpe:/o:linux:linux_kernel:5</cpe></osclass>
</osmatch>
<osmatch name="Linux 5.0 - 5.4" accuracy="91" line="68103">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="91"><cpe>cpe:/o:linux:linux_kernel:5</cpe></osclass>
</osmatch>
<osmatch name="Linux 5.3 - 5.4" accuracy="91" line="68140">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="91"><cpe>cpe:/o:linux:linux_kernel:5</cpe></osclass>
</osmatch>
<osmatch name="Linux 2.6.32" accuracy="91" line="55653">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="91"><cpe>cpe:/o:linux:linux_kernel:2.6.32</cpe></osclass>
</osmatch>
<osmatch name="Linux 5.0" accuracy="90" line="68042">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="90"><cpe>cpe:/o:linux:linux_kernel:5.0</cpe></osclass>
</osmatch>
<osmatch name="Linux 5.0 - 5.3" accuracy="90" line="68082">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="90"><cpe>cpe:/o:linux:linux_kernel:5</cpe></osclass>
</osmatch>
<osmatch name="Linux 5.4" accuracy="90" line="68176">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="90"><cpe>cpe:/o:linux:linux_kernel:5.4</cpe></osclass>
</osmatch>
<osmatch name="Crestron XPanel control system" accuracy="90" line="19543">
<osclass type="specialized" vendor="Crestron" osfamily="2-Series" accuracy="90"><cpe>cpe:/o:crestron:2_series</cpe></osclass>
</osmatch>
<osmatch name="ASUS RT-N56U WAP (Linux 3.4)" accuracy="87" line="8398">
<osclass type="WAP" vendor="Asus" osfamily="embedded" accuracy="87"><cpe>cpe:/h:asus:rt-n56u</cpe></osclass>
<osclass type="WAP" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="87"><cpe>cpe:/o:linux:linux_kernel:3.4</cpe></osclass>
</osmatch>
<osmatch name="Linux 3.1" accuracy="87" line="62917">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="87"><cpe>cpe:/o:linux:linux_kernel:3.1</cpe></osclass>
</osmatch>
<osfingerprint fingerprint="SCAN(V=7.93%E=4%D=2/16%OT=22%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=63EE4F87%P=x86_64-pc-linux-gnu)&#xa;SEQ(SP=101%GCD=1%ISR=10C%TI=Z%II=I%TS=A)&#xa;OPS(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%O6=M54EST11)&#xa;WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)&#xa;ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)&#xa;T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)&#xa;T2(R=N)&#xa;T3(R=N)&#xa;T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)&#xa;U1(R=N)&#xa;IE(R=Y%DFI=N%TG=40%CD=S)&#xa;"/>
</os>
<uptime seconds="3607792" lastboot="Thu Jan 5 22:35:19 2023"/>
<distance value="2"/>
<tcpsequence index="257" difficulty="Good luck!" values="8E4540D1,CAFF25EC,E988B5E3,8BF89F08,F166A66C,3949EFE0"/>
<ipidsequence class="All zeros" values="0,0,0,0,0,0"/>
<tcptssequence class="1000HZ" values="D70A6F8A,D70A6FF8,D70A704F,D70A70A5,D70A7117,D70A716B"/>
<trace port="22" proto="tcp">
<hop ttl="1" ipaddr="10.10.16.1" rtt="56.03"/>
<hop ttl="2" ipaddr="10.10.11.190" rtt="56.06" host="derailed.htb"/>
</trace>
<times srtt="47535" rttvar="14110" to="103975"/>
</host>
<taskbegin task="NSE" time="1676562311"/>
<taskend task="NSE" time="1676562311"/>
<taskbegin task="NSE" time="1676562311"/>
<taskend task="NSE" time="1676562311"/>
<taskbegin task="NSE" time="1676562311"/>
<taskend task="NSE" time="1676562311"/>
<runstats><finished time="1676562311" timestr="Thu Feb 16 16:45:11 2023" summary="Nmap done at Thu Feb 16 16:45:11 2023; 1 IP address (1 host up) scanned in 28.24 seconds" elapsed="28.24" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>


@@ -0,0 +1,106 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Thu Feb 16 16:44:43 2023 as: nmap -vv -&#45;reason -Pn -T4 -sU -A -&#45;top-ports 100 -oN /home/simon/htb/derailed/results/derailed.htb/scans/_top_100_udp_nmap.txt -oX /home/simon/htb/derailed/results/derailed.htb/scans/xml/_top_100_udp_nmap.xml derailed.htb -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sU -A -&#45;top-ports 100 -oN /home/simon/htb/derailed/results/derailed.htb/scans/_top_100_udp_nmap.txt -oX /home/simon/htb/derailed/results/derailed.htb/scans/xml/_top_100_udp_nmap.xml derailed.htb" start="1676562283" startstr="Thu Feb 16 16:44:43 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="udp" protocol="udp" numservices="100" services="7,9,17,19,49,53,67-69,80,88,111,120,123,135-139,158,161-162,177,427,443,445,497,500,514-515,518,520,593,623,626,631,996-999,1022-1023,1025-1030,1433-1434,1645-1646,1701,1718-1719,1812-1813,1900,2000,2048-2049,2222-2223,3283,3456,3703,4444,4500,5000,5060,5353,5632,9200,10000,17185,20031,30718,31337,32768-32769,32771,32815,33281,49152-49154,49156,49181-49182,49185-49186,49188,49190-49194,49200-49201,65024"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1676562284"/>
<taskend task="NSE" time="1676562284"/>
<taskbegin task="NSE" time="1676562284"/>
<taskend task="NSE" time="1676562284"/>
<taskbegin task="NSE" time="1676562284"/>
<taskend task="NSE" time="1676562284"/>
<taskbegin task="UDP Scan" time="1676562284"/>
<taskend task="UDP Scan" time="1676562295" extrainfo="100 total ports"/>
<taskbegin task="Service scan" time="1676562295"/>
<taskprogress task="Service scan" time="1676562393" percent="1.00" remaining="9702" etc="1676572095"/>
<taskprogress task="Service scan" time="1676562490" percent="31.00" remaining="435" etc="1676562924"/>
<taskprogress task="Service scan" time="1676562588" percent="61.00" remaining="188" etc="1676562775"/>
<taskprogress task="Service scan" time="1676562685" percent="91.00" remaining="39" etc="1676562724"/>
<taskend task="Service scan" time="1676562685" extrainfo="100 services on 1 host"/>
<taskbegin task="Traceroute" time="1676562688"/>
<taskend task="Traceroute" time="1676562688"/>
<taskbegin task="Parallel DNS resolution of 1 host." time="1676562688"/>
<taskend task="Parallel DNS resolution of 1 host." time="1676562688"/>
<taskbegin task="NSE" time="1676562688"/>
<taskprogress task="NSE" time="1676562719" percent="98.56" remaining="1" etc="1676562719"/>
<taskprogress task="NSE" time="1676562749" percent="98.58" remaining="1" etc="1676562750"/>
<taskprogress task="NSE" time="1676562779" percent="98.61" remaining="2" etc="1676562780"/>
<taskprogress task="NSE" time="1676562809" percent="98.65" remaining="2" etc="1676562811"/>
<taskprogress task="NSE" time="1676562839" percent="98.67" remaining="3" etc="1676562841"/>
<taskprogress task="NSE" time="1676562869" percent="98.68" remaining="3" etc="1676562871"/>
<taskprogress task="NSE" time="1676562899" percent="98.72" remaining="3" etc="1676562902"/>
<taskprogress task="NSE" time="1676562929" percent="98.78" remaining="3" etc="1676562932"/>
<taskprogress task="NSE" time="1676562959" percent="98.81" remaining="4" etc="1676562962"/>
<taskprogress task="NSE" time="1676562989" percent="98.85" remaining="4" etc="1676562993"/>
<taskprogress task="NSE" time="1676563019" percent="98.86" remaining="4" etc="1676563023"/>
<taskprogress task="NSE" time="1676563049" percent="98.88" remaining="5" etc="1676563053"/>
<taskprogress task="NSE" time="1676563079" percent="98.91" remaining="5" etc="1676563083"/>
<taskprogress task="NSE" time="1676563109" percent="98.96" remaining="5" etc="1676563113"/>
<taskprogress task="NSE" time="1676563139" percent="98.99" remaining="5" etc="1676563144"/>
<taskprogress task="NSE" time="1676563169" percent="99.02" remaining="5" etc="1676563174"/>
<taskprogress task="NSE" time="1676563199" percent="99.05" remaining="5" etc="1676563204"/>
<taskprogress task="NSE" time="1676563229" percent="99.07" remaining="6" etc="1676563234"/>
<taskprogress task="NSE" time="1676563259" percent="99.11" remaining="6" etc="1676563264"/>
<taskprogress task="NSE" time="1676563289" percent="99.14" remaining="6" etc="1676563294"/>
<taskprogress task="NSE" time="1676563319" percent="99.17" remaining="6" etc="1676563324"/>
<taskprogress task="NSE" time="1676563349" percent="99.22" remaining="6" etc="1676563354"/>
<taskprogress task="NSE" time="1676563379" percent="99.23" remaining="6" etc="1676563384"/>
<taskprogress task="NSE" time="1676563409" percent="99.26" remaining="6" etc="1676563414"/>
<taskprogress task="NSE" time="1676563439" percent="99.31" remaining="6" etc="1676563444"/>
<taskprogress task="NSE" time="1676563469" percent="99.32" remaining="6" etc="1676563474"/>
<taskprogress task="NSE" time="1676563499" percent="99.34" remaining="6" etc="1676563504"/>
<taskprogress task="NSE" time="1676563529" percent="99.39" remaining="6" etc="1676563534"/>
<taskprogress task="NSE" time="1676563559" percent="99.43" remaining="5" etc="1676563564"/>
<taskprogress task="NSE" time="1676563589" percent="99.47" remaining="5" etc="1676563594"/>
<taskprogress task="NSE" time="1676563619" percent="99.48" remaining="5" etc="1676563624"/>
<taskprogress task="NSE" time="1676563649" percent="99.52" remaining="5" etc="1676563654"/>
<taskprogress task="NSE" time="1676563679" percent="99.56" remaining="5" etc="1676563683"/>
<taskprogress task="NSE" time="1676563709" percent="99.58" remaining="5" etc="1676563713"/>
<taskprogress task="NSE" time="1676563739" percent="99.61" remaining="5" etc="1676563743"/>
<taskprogress task="NSE" time="1676563769" percent="99.65" remaining="4" etc="1676563773"/>
<taskprogress task="NSE" time="1676563799" percent="99.67" remaining="4" etc="1676563803"/>
<taskprogress task="NSE" time="1676563829" percent="99.72" remaining="4" etc="1676563832"/>
<taskprogress task="NSE" time="1676563859" percent="99.74" remaining="4" etc="1676563862"/>
<taskprogress task="NSE" time="1676563889" percent="99.77" remaining="3" etc="1676563892"/>
<taskprogress task="NSE" time="1676563919" percent="99.79" remaining="3" etc="1676563922"/>
<taskprogress task="NSE" time="1676563949" percent="99.84" remaining="3" etc="1676563951"/>
<taskprogress task="NSE" time="1676563979" percent="99.87" remaining="2" etc="1676563981"/>
<taskprogress task="NSE" time="1676564009" percent="99.91" remaining="2" etc="1676564010"/>
<taskprogress task="NSE" time="1676564039" percent="99.92" remaining="2" etc="1676564040"/>
<taskprogress task="NSE" time="1676564069" percent="99.97" remaining="1" etc="1676564069"/>
<taskend task="NSE" time="1676564089"/>
<taskbegin task="NSE" time="1676564089"/>
<taskend task="NSE" time="1676564094"/>
<taskbegin task="NSE" time="1676564094"/>
<taskend task="NSE" time="1676564094"/>
<host starttime="1676562284" endtime="1676564094"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.10.11.190" addrtype="ipv4"/>
<hostnames>
<hostname name="derailed.htb" type="user"/>
<hostname name="derailed.htb" type="PTR"/>
</hostnames>
<ports><extraports state="open|filtered" count="100">
<extrareasons reason="no-response" count="100" proto="udp" ports="7,9,17,19,49,53,67-69,80,88,111,120,123,135-139,158,161-162,177,427,443,445,497,500,514-515,518,520,593,623,626,631,996-999,1022-1023,1025-1030,1433-1434,1645-1646,1701,1718-1719,1812-1813,1900,2000,2048-2049,2222-2223,3283,3456,3703,4444,4500,5000,5060,5353,5632,9200,10000,17185,20031,30718,31337,32768-32769,32771,32815,33281,49152-49154,49156,49181-49182,49185-49186,49188,49190-49194,49200-49201,65024"/>
</extraports>
</ports>
<os><osfingerprint fingerprint="SCAN(V=7.93%E=4%D=2/16%OT=%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=63EE567E%P=x86_64-pc-linux-gnu)&#xa;SEQ(II=I)&#xa;U1(R=N)&#xa;IE(R=Y%DFI=N%TG=40%CD=S)&#xa;"/>
</os>
<distance value="2"/>
<trace proto="icmp">
<hop ttl="1" ipaddr="10.10.16.1" rtt="41.15"/>
<hop ttl="2" ipaddr="10.10.11.190" rtt="60.48" host="derailed.htb"/>
</trace>
<times srtt="53465" rttvar="12869" to="104941"/>
</host>
<taskbegin task="NSE" time="1676564094"/>
<taskend task="NSE" time="1676564094"/>
<taskbegin task="NSE" time="1676564094"/>
<taskend task="NSE" time="1676564094"/>
<taskbegin task="NSE" time="1676564094"/>
<taskend task="NSE" time="1676564094"/>
<runstats><finished time="1676564094" timestr="Thu Feb 16 17:14:54 2023" summary="Nmap done at Thu Feb 16 17:14:54 2023; 1 IP address (1 host up) scanned in 1812.15 seconds" elapsed="1812.15" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>