old htb folders
2023-08-29 21:53:22 +02:00
parent 62ab804867
commit 82b0759f1e
21891 changed files with 6277643 additions and 0 deletions

View File

@@ -0,0 +1,8 @@
[*] ssh found on tcp/22.
[*] http-proxy found on tcp/80.

View File

@@ -0,0 +1,29 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/forgot/results/forgot.htb/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/forgot/results/forgot.htb/scans/xml/_quick_tcp_nmap.xml" forgot.htb
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/forgot/results/forgot.htb/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/forgot/results/forgot.htb/scans/xml/_full_tcp_nmap.xml" forgot.htb
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/kali/htb/forgot/results/forgot.htb/scans/_top_100_udp_nmap.txt" -oX "/home/kali/htb/forgot/results/forgot.htb/scans/xml/_top_100_udp_nmap.xml" forgot.htb
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/forgot/results/forgot.htb/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/forgot/results/forgot.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml" forgot.htb
feroxbuster -u http://forgot.htb:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
curl -sSikf http://forgot.htb:80/.well-known/security.txt
curl -sSikf http://forgot.htb:80/robots.txt
curl -sSik http://forgot.htb:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/forgot/results/forgot.htb/scans/tcp80/xml/tcp_80_http_nmap.xml" forgot.htb
curl -sk -o /dev/null -H "Host: MrJvhmHVtVZlJeqmWLpS.forgot.htb" http://forgot.htb:80/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://forgot.htb:80 2>&1
wkhtmltoimage --format png http://forgot.htb:80/ /home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_screenshot.png
ffuf -u http://forgot.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.forgot.htb" -fs 263 -noninteractive -s | tee "/home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_forgot.htb_vhosts_subdomains-top1million-110000.txt"
```
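Review bot: the feroxbuster line reads its wordlist from root's home (`/root/.local/share/AutoRecon/wordlists/dirbuster.txt`) while every output file goes under `/home/kali/htb/forgot/results/...`, so the run was made as root with results written into kali's home tree; check ownership of the results directory before committing from the kali account, and note that re-running these exact commands as kali fails on the root-only wordlist path. The `-fs 263` on the ffuf vhost line is the body size returned for the random `Host: MrJvhmHVtVZlJeqmWLpS.forgot.htb` request on the line above it, so it filters the default-vhost response; that number is specific to this scan and has to be re-derived if the default page changes.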

View File

@@ -0,0 +1,36 @@
```
[*] Service scan wkhtmltoimage (tcp/80/http-proxy/wkhtmltoimage) ran a command which returned a non-zero exit code (1).
[-] Command: wkhtmltoimage --format png http://forgot.htb:80/ /home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_screenshot.png
[-] Error Output:
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
Loading page (1/2)
[> ] 0%
[=======================> ] 39%
Warning: Failed to load http://forgot.htb/static/js/457284.js (ignore)
Warning: Failed to load http://forgot.htb/static/js/check.js (ignore)
Warning: Failed to load http://forgot.htb/static/js/api.js (ignore)
Warning: Failed to load http://forgot.htb/static/js/pay.js (ignore)
Warning: Failed to load http://forgot.htb/static/js/cgi.js (ignore)
Warning: Failed to load http://forgot.htb/static/js/download.js (ignore)
Warning: Failed to load http://forgot.htb/static/js/status.js (ignore)
[========================> ] 41%
Warning: Failed to load https://cpwebassets.codepen.io/assets/common/stopExecutionOnTimeout-1b93190375e9ccc259df3a57c1abc0e64599724ae30d7ea4c6877eb615f89387.js (ignore)
QNetworkReplyImplPrivate::error: Internal problem, this method must only be called once.
Warning: Failed to load https://js.hsleadflows.net/leadflows.js (ignore)
Warning: Failed to load https://js.hs-analytics.net/analytics/1657365900000/5514032.js (ignore)
Error: Failed to load http://forgot.htb/null/sdk/bc-v4.min.html, with network status code 203 and http status code 404 - Error transferring http://forgot.htb/null/sdk/bc-v4.min.html - server replied: NOT FOUND
[========================================> ] 68%
[=================================================> ] 83%
[====================================================> ] 87%
[=====================================================> ] 89%
[============================================================] 100%
Rendering (2/2)
[> ] 0%
[===============> ] 25%
[============================================================] 100%
Done
Exit with code 1 due to network error: ContentNotFoundError
```
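Review bot: the non-zero exit recorded here is not a tool failure. Both the loading and rendering phases reached 100% and the `ContentNotFoundError` comes from the 404 on `http://forgot.htb/null/sdk/bc-v4.min.html`, so the screenshot was most likely written anyway and this entry can be treated as informational; wkhtmltoimage accepts `--load-error-handling ignore` to stop remote load errors from failing the run. Two details in the log belong in the recon notes: the `/null/sdk/...` path means a page script builds a URL from an undefined value, and the page pulls scripts from codepen.io, hsleadflows.net and hs-analytics.net, i.e. third-party code loaded on a login page. The seven `Failed to load http://forgot.htb/static/js/...` warnings also show that most of the script tags in the login page point at files that do not exist.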

View File

@@ -0,0 +1,35 @@
```bash
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/kali/htb/forgot/results/forgot.htb/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://forgot.htb
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/kali/htb/forgot/results/forgot.htb/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h forgot.htb
[*] http-proxy on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://forgot.htb:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://forgot.htb/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h forgot.htb -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://forgot.htb/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h forgot.htb -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://forgot.htb:80 2>&1 | tee "/home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://forgot.htb:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_wpscan.txt"
```
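Review bot: the feroxbuster line here is not the one that was executed in `_commands.log` (this one uses `/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt` and drops `-q`, the executed one used AutoRecon's own `dirbuster.txt`), so anyone re-running from this file gets different coverage than the committed results. The hydra and medusa web templates still carry the `/path/to/auth/area` and `/path/to/login.php` placeholders and the generic `invalid-login-message` strings, as the file's own caveat says; they are AutoRecon's boilerplate and nothing in this file documents whether any of it was run.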

View File

@@ -0,0 +1,8 @@
Identified HTTP Server: Werkzeug/2.1.2 Python/3.8.10
Identified HTTP Server: Werkzeug/2.1.2 Python/3.8.10
Identified HTTP Server: Werkzeug/2.1.2 Python/3.8.10
Identified HTTP Server: Werkzeug/2.1.2 Python/3.8.10
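Review bot: the same `Identified HTTP Server` line is written four times with no source, so the file does not say which scans matched; deduplicating or prefixing each line with the scan name would make it useful. The header itself is the part worth keeping: `Werkzeug/2.1.2 Python/3.8.10` is the banner of Werkzeug's built-in development server, and the nmap results in this commit place it behind a Varnish cache (`Varnish http accelerator`, `Via: 1.1 varnish` in the curl capture), so the application is being served by a development server rather than a production WSGI server.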

View File

@@ -0,0 +1,56 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/forgot/results/forgot.htb/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/forgot/results/forgot.htb/scans/xml/_full_tcp_nmap.xml" forgot.htb
```
[/home/kali/htb/forgot/results/forgot.htb/scans/_full_tcp_nmap.txt](file:///home/kali/htb/forgot/results/forgot.htb/scans/_full_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Thu Feb 9 22:04:00 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/kali/htb/forgot/results/forgot.htb/scans/_full_tcp_nmap.txt -oX /home/kali/htb/forgot/results/forgot.htb/scans/xml/_full_tcp_nmap.xml forgot.htb
Nmap scan report for forgot.htb (10.10.11.188)
Host is up, received user-set (0.038s latency).
Scanned at 2023-02-09 22:04:01 CET for 207s
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC82vTuN1hMqiqUfN+Lwih4g8rSJjaMjDQdhfdT8vEQ67urtQIyPszlNtkCDn6MNcBfibD/7Zz4r8lr1iNe/Afk6LJqTt3OWewzS2a1TpCrEbvoileYAl/Feya5PfbZ8mv77+MWEA+kT0pAw1xW9bpkhYCGkJQm9OYdcsEEg1i+kQ/ng3+GaFrGJjxqYaW1LXyXN1f7j9xG2f27rKEZoRO/9HOH9Y+5ru184QQXjW/ir+lEJ7xTwQA5U1GOW1m/AgpHIfI5j9aDfT/r4QMe+au+2yPotnOGBBJBz3ef+fQzj/Cq7OGRR96ZBfJ3i00B/Waw/RI19qd7+ybNXF/gBzptEYXujySQZSu92Dwi23itxJBolE6hpQ2uYVA8VBlF0KXESt3ZJVWSAsU3oguNCXtY7krjqPe6BZRy+lrbeska1bIGPZrqLEgptpKhz14UaOcH9/vpMYFdSKr24aMXvZBDK1GJg50yihZx8I9I367z0my8E89+TnjGFY2QTzxmbmU=
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2y17GUe6keBxOcBGNkWsliFwTRwUtQB3NXEhTAFLziGDfCgBV7B9Hp6GQMPGQXqMk7nnveA8vUz0D7ug5n04A=
| 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfXa+OM5/utlol5mJajysEsV4zb/L0BJ1lKxMPadPvR
80/tcp open http-proxy syn-ack ttl 63 Varnish http accelerator
|_http-server-header: Werkzeug/2.1.2 Python/3.8.10
|_http-title: Login
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 - 5.4 (93%)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=2/9%OT=22%CT=1%CU=43705%PV=Y%DS=2%DC=T%G=Y%TM=63E56090
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11
OS:NW7%O6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)
Uptime guess: 8.449 days (since Wed Feb 1 11:20:45 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 199/tcp)
HOP RTT ADDRESS
1 25.55 ms 10.10.16.1
2 61.54 ms forgot.htb (10.10.11.188)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 9 22:07:28 2023 -- 1 IP address (1 host up) scanned in 207.95 seconds
```
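Review bot: the `-p-` scan confirms that only 22 and 80 are open (`65533 closed tcp ports (reset)`), so the top-1000 quick scan missed nothing and the two files agree on keys, versions and OS guesses. The port 80 line reads `http-proxy ... Varnish http accelerator` while `http-server-header` says `Werkzeug/2.1.2`; these are not in conflict, Varnish is the front and Werkzeug the backend, which is also why `Age:` and `Via:` headers appear in the curl capture. That cache layer should be recorded explicitly: a cache in front of a login application means every cacheable response needs checking for per-user content, and the `Age: 2` on `/` in the curl output shows the login page itself is already being served from cache.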

View File

@@ -0,0 +1,147 @@
```bash
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/kali/htb/forgot/results/forgot.htb/scans/_top_100_udp_nmap.txt" -oX "/home/kali/htb/forgot/results/forgot.htb/scans/xml/_top_100_udp_nmap.xml" forgot.htb
```
[/home/kali/htb/forgot/results/forgot.htb/scans/_top_100_udp_nmap.txt](file:///home/kali/htb/forgot/results/forgot.htb/scans/_top_100_udp_nmap.txt):
```
# Nmap 7.93 scan initiated Thu Feb 9 22:04:00 2023 as: nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN /home/kali/htb/forgot/results/forgot.htb/scans/_top_100_udp_nmap.txt -oX /home/kali/htb/forgot/results/forgot.htb/scans/xml/_top_100_udp_nmap.xml forgot.htb
Increasing send delay for 10.10.11.188 from 50 to 100 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.10.11.188 from 100 to 200 due to 11 out of 12 dropped probes since last increase.
Increasing send delay for 10.10.11.188 from 200 to 400 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.10.11.188 from 400 to 800 due to 11 out of 11 dropped probes since last increase.
adjust_timeouts2: packet supposedly had rtt of -102117 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -102117 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -531089 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -531089 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -122973 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -122973 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -148304 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -148304 microseconds. Ignoring time.
Nmap scan report for forgot.htb (10.10.11.188)
Host is up, received user-set (0.031s latency).
Scanned at 2023-02-09 22:04:01 CET for 330s
PORT STATE SERVICE REASON VERSION
7/udp closed echo port-unreach ttl 63
9/udp open|filtered discard no-response
17/udp open|filtered qotd no-response
19/udp closed chargen port-unreach ttl 63
49/udp closed tacacs port-unreach ttl 63
53/udp open|filtered domain no-response
67/udp open|filtered dhcps no-response
68/udp open|filtered dhcpc no-response
69/udp closed tftp port-unreach ttl 63
80/udp open|filtered http no-response
88/udp closed kerberos-sec port-unreach ttl 63
111/udp open|filtered rpcbind no-response
120/udp closed cfdptkt port-unreach ttl 63
123/udp closed ntp port-unreach ttl 63
135/udp closed msrpc port-unreach ttl 63
136/udp open|filtered profile no-response
137/udp open|filtered netbios-ns no-response
138/udp open|filtered netbios-dgm no-response
139/udp closed netbios-ssn port-unreach ttl 63
158/udp closed pcmail-srv port-unreach ttl 63
161/udp closed snmp port-unreach ttl 63
162/udp closed snmptrap port-unreach ttl 63
177/udp open|filtered xdmcp no-response
427/udp closed svrloc port-unreach ttl 63
443/udp closed https port-unreach ttl 63
445/udp closed microsoft-ds port-unreach ttl 63
497/udp open|filtered retrospect no-response
500/udp closed isakmp port-unreach ttl 63
514/udp open|filtered syslog no-response
515/udp closed printer port-unreach ttl 63
518/udp closed ntalk port-unreach ttl 63
520/udp closed route port-unreach ttl 63
593/udp open|filtered http-rpc-epmap no-response
623/udp open|filtered asf-rmcp no-response
626/udp closed serialnumberd port-unreach ttl 63
631/udp closed ipp port-unreach ttl 63
996/udp open|filtered vsinet no-response
997/udp closed maitrd port-unreach ttl 63
998/udp closed puparp port-unreach ttl 63
999/udp open|filtered applix no-response
1022/udp closed exp2 port-unreach ttl 63
1023/udp open|filtered unknown no-response
1025/udp closed blackjack port-unreach ttl 63
1026/udp closed win-rpc port-unreach ttl 63
1027/udp closed unknown port-unreach ttl 63
1028/udp closed ms-lsa port-unreach ttl 63
1029/udp closed solid-mux port-unreach ttl 63
1030/udp open|filtered iad1 no-response
1433/udp open|filtered ms-sql-s no-response
1434/udp closed ms-sql-m port-unreach ttl 63
1645/udp open|filtered radius no-response
1646/udp open|filtered radacct no-response
1701/udp closed L2TP port-unreach ttl 63
1718/udp open|filtered h225gatedisc no-response
1719/udp open|filtered h323gatestat no-response
1812/udp closed radius port-unreach ttl 63
1813/udp open|filtered radacct no-response
1900/udp open|filtered upnp no-response
2000/udp open|filtered cisco-sccp no-response
2048/udp closed dls-monitor port-unreach ttl 63
2049/udp closed nfs port-unreach ttl 63
2222/udp open|filtered msantipiracy no-response
2223/udp closed rockwell-csp2 port-unreach ttl 63
3283/udp closed netassistant port-unreach ttl 63
3456/udp closed IISrpc-or-vat port-unreach ttl 63
3703/udp open|filtered adobeserver-3 no-response
4444/udp open|filtered krb524 no-response
4500/udp closed nat-t-ike port-unreach ttl 63
5000/udp closed upnp port-unreach ttl 63
5060/udp closed sip port-unreach ttl 63
5353/udp closed zeroconf port-unreach ttl 63
5632/udp closed pcanywherestat port-unreach ttl 63
9200/udp closed wap-wsp port-unreach ttl 63
10000/udp open|filtered ndmp no-response
17185/udp open|filtered wdbrpc no-response
20031/udp open|filtered bakbonenetvault no-response
30718/udp open|filtered unknown no-response
31337/udp closed BackOrifice port-unreach ttl 63
32768/udp open|filtered omad no-response
32769/udp closed filenet-rpc port-unreach ttl 63
32771/udp open|filtered sometimes-rpc6 no-response
32815/udp closed unknown port-unreach ttl 63
33281/udp closed unknown port-unreach ttl 63
49152/udp open|filtered unknown no-response
49153/udp closed unknown port-unreach ttl 63
49154/udp closed unknown port-unreach ttl 63
49156/udp closed unknown port-unreach ttl 63
49181/udp closed unknown port-unreach ttl 63
49182/udp open|filtered unknown no-response
49185/udp open|filtered unknown no-response
49186/udp closed unknown port-unreach ttl 63
49188/udp open|filtered unknown no-response
49190/udp closed unknown port-unreach ttl 63
49191/udp closed unknown port-unreach ttl 63
49192/udp closed unknown port-unreach ttl 63
49193/udp closed unknown port-unreach ttl 63
49194/udp closed unknown port-unreach ttl 63
49200/udp open|filtered unknown no-response
49201/udp open|filtered unknown no-response
65024/udp closed unknown port-unreach ttl 63
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=2/9%OT=%CT=%CU=7%PV=Y%DS=2%DC=T%G=N%TM=63E5610B%P=x86_64-pc-linux-gnu)
SEQ(CI=Z)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
TRACEROUTE (using port 5060/udp)
HOP RTT ADDRESS
1 38.23 ms 10.10.16.1
2 38.25 ms forgot.htb (10.10.11.188)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 9 22:09:31 2023 -- 1 IP address (1 host up) scanned in 331.30 seconds
```
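Review bot: none of the `open|filtered` entries is evidence of a UDP service. Every one of them is `no-response`, while every `closed` port came back with `port-unreach ttl 63`, so the host does answer with ICMP unreachables but rate-limits them; the four `Increasing send delay ... dropped probes` lines and the negative-RTT `adjust_timeouts2` messages are that rate limit showing up. Probes that hit the limit get marked `open|filtered`, so 53, 111, 514 and the rest are unconfirmed rather than interesting; if a UDP service matters for the box, re-probe the specific port with version detection instead of reading this table as findings. The `331.30 seconds` for 100 ports is the cost of that rate limiting and is normal for a Linux target.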

View File

@@ -0,0 +1,56 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/forgot/results/forgot.htb/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/forgot/results/forgot.htb/scans/xml/_quick_tcp_nmap.xml" forgot.htb
```
[/home/kali/htb/forgot/results/forgot.htb/scans/_quick_tcp_nmap.txt](file:///home/kali/htb/forgot/results/forgot.htb/scans/_quick_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Thu Feb 9 22:04:00 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/htb/forgot/results/forgot.htb/scans/_quick_tcp_nmap.txt -oX /home/kali/htb/forgot/results/forgot.htb/scans/xml/_quick_tcp_nmap.xml forgot.htb
Nmap scan report for forgot.htb (10.10.11.188)
Host is up, received user-set (0.045s latency).
Scanned at 2023-02-09 22:04:01 CET for 198s
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| ssh-rsa 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
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2y17GUe6keBxOcBGNkWsliFwTRwUtQB3NXEhTAFLziGDfCgBV7B9Hp6GQMPGQXqMk7nnveA8vUz0D7ug5n04A=
| 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfXa+OM5/utlol5mJajysEsV4zb/L0BJ1lKxMPadPvR
80/tcp open http-proxy syn-ack ttl 63 Varnish http accelerator
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-title: Login
|_http-server-header: Werkzeug/2.1.2 Python/3.8.10
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 2.6.32 (94%), Linux 5.0 - 5.3 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 3.1 - 3.2 (92%)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=2/9%OT=22%CT=1%CU=39442%PV=Y%DS=2%DC=T%G=Y%TM=63E56087
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=FE%GCD=1%ISR=105%TI=Z%CI=Z%II=I%TS=A)OPS(O
OS:1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11N
OS:W7%O6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R
OS:=Y%DF=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y
OS:%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R
OS:%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=
OS:40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)U1(R=N)IE(R=Y%DFI=N%T=
OS:40%CD=S)
Uptime guess: 8.449 days (since Wed Feb 1 11:20:45 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 256/tcp)
HOP RTT ADDRESS
1 25.44 ms 10.10.16.1
2 58.31 ms forgot.htb (10.10.11.188)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 9 22:07:19 2023 -- 1 IP address (1 host up) scanned in 198.89 seconds
```

View File

@@ -0,0 +1,71 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/forgot/results/forgot.htb/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/forgot/results/forgot.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml" forgot.htb
```
[/home/kali/htb/forgot/results/forgot.htb/scans/tcp22/tcp_22_ssh_nmap.txt](file:///home/kali/htb/forgot/results/forgot.htb/scans/tcp22/tcp_22_ssh_nmap.txt):
```
# Nmap 7.93 scan initiated Thu Feb 9 22:07:19 2023 as: nmap -vv --reason -Pn -T4 -sV -p 22 --script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/kali/htb/forgot/results/forgot.htb/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/kali/htb/forgot/results/forgot.htb/scans/tcp22/xml/tcp_22_ssh_nmap.xml forgot.htb
Nmap scan report for forgot.htb (10.10.11.188)
Host is up, received user-set (0.032s latency).
Scanned at 2023-02-09 22:07:20 CET for 1s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh2-enum-algos:
| kex_algorithms: (9)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| diffie-hellman-group14-sha256
| server_host_key_algorithms: (5)
| rsa-sha2-512
| rsa-sha2-256
| ssh-rsa
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (6)
| chacha20-poly1305@openssh.com
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| mac_algorithms: (10)
| umac-64-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-64@openssh.com
| umac-128@openssh.com
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC82vTuN1hMqiqUfN+Lwih4g8rSJjaMjDQdhfdT8vEQ67urtQIyPszlNtkCDn6MNcBfibD/7Zz4r8lr1iNe/Afk6LJqTt3OWewzS2a1TpCrEbvoileYAl/Feya5PfbZ8mv77+MWEA+kT0pAw1xW9bpkhYCGkJQm9OYdcsEEg1i+kQ/ng3+GaFrGJjxqYaW1LXyXN1f7j9xG2f27rKEZoRO/9HOH9Y+5ru184QQXjW/ir+lEJ7xTwQA5U1GOW1m/AgpHIfI5j9aDfT/r4QMe+au+2yPotnOGBBJBz3ef+fQzj/Cq7OGRR96ZBfJ3i00B/Waw/RI19qd7+ybNXF/gBzptEYXujySQZSu92Dwi23itxJBolE6hpQ2uYVA8VBlF0KXESt3ZJVWSAsU3oguNCXtY7krjqPe6BZRy+lrbeska1bIGPZrqLEgptpKhz14UaOcH9/vpMYFdSKr24aMXvZBDK1GJg50yihZx8I9I367z0my8E89+TnjGFY2QTzxmbmU=
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2y17GUe6keBxOcBGNkWsliFwTRwUtQB3NXEhTAFLziGDfCgBV7B9Hp6GQMPGQXqMk7nnveA8vUz0D7ug5n04A=
| 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfXa+OM5/utlol5mJajysEsV4zb/L0BJ1lKxMPadPvR
|_banner: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 9 22:07:21 2023 -- 1 IP address (1 host up) scanned in 1.71 seconds
```
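Review bot: the hardening observations from `ssh2-enum-algos` should go into the notes, not just the raw file. The server still offers `ssh-rsa` as a host-key signature algorithm (SHA-1 based; `rsa-sha2-256` and `rsa-sha2-512` are the ones to keep), `hmac-sha1` and `hmac-sha1-etm@openssh.com` are in the MAC list, and `ssh-auth-methods` shows `password` enabled alongside `publickey`. On OpenSSH 8.2p1 these are distribution defaults rather than a misconfiguration, but a box write-up should say so. Key exchange and ciphers are fine (curve25519, group14/16/18 SHA-2, AES-CTR/GCM, chacha20-poly1305).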

View File

@@ -0,0 +1,3 @@
```bash
curl -sSikf http://forgot.htb:80/robots.txt
```
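Review bot: an empty file here does not mean an empty robots.txt. With `-f`, curl drops the body for any HTTP status of 400 or above and reports the error on stderr, which is not captured in this file. Read together with the feroxbuster results in this commit (no `robots.txt` hit) a 404 is the likely reading, but `-f` hides a 403 or 500 just as well; adding `-w '%{http_code}'` or dropping `-f` would make the result self-describing. The same applies to the `.well-known/security.txt` capture in this commit, which is also empty.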

View File

@@ -0,0 +1,266 @@
```bash
curl -sSik http://forgot.htb:80/
```
[/home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_curl.html](file:///home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_curl.html):
```
HTTP/1.1 200 OK
Server: Werkzeug/2.1.2 Python/3.8.10
Date: Thu, 09 Feb 2023 21:07:17 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 5188
X-Varnish: 491542 49
Age: 2
Via: 1.1 varnish (Varnish/6.2)
Accept-Ranges: bytes
Connection: keep-alive
<!DOCTYPE html>
<html lang="en" >
<head>
<meta charset="UTF-8">
<title>Login</title>
<style>
@import url("https://fonts.googleapis.com/css2?family=Poppins:ital,wght@0,100;0,200;0,300;0,400;0,500;0,600;0,700;0,800;0,900;1,100;1,200;1,300;1,400;1,500;1,600;1,700;1,800;1,900&display=swap");
* {
margin: 0;
padding: 0;
box-sizing: border-box;
font-family: "Poppins", sans-serif;
}
:root {
--dark-dimmed: #fff;
--accent: #008080;
--accent-dimmed: #008080;
--light: #fff;
}
body {
display: flex;
justify-content: center;
align-items: center;
min-height: 100vh;
margin: 10px;
background: var(--dark-dimmed);
}
.container {
position: relative;
width: 350px;
min-height: 500px;
display: flex;
justify-content: center;
align-items: center;
background: var(--dark-dimmed);
box-shadow: 25px 25px 75px rgba(0, 0, 0, 0.25),
10px 10px 70px rgba(0, 0, 0, 0.25), inset 5px 5px 10px rgba(0, 0, 0, 0.5),
inset 5px 5px 10px rgba(255, 255, 255, 0.2),
inset -5px -5px 15px rgba(0, 0, 0, 0.75);
border-radius: 50px;
padding: 50px;
}
form {
position: relative;
width: 100%;
}
.container h3 {
color: #000;
font-weight: 600;
font-size: 2em;
width: 100%;
text-align: center;
margin-bottom: 30px;
letter-spacing: 2px;
text-transform: uppercase;
}
.inputBox {
position: relative;
width: 100%;
margin-bottom: 15px;
}
.inputBox span {
display: inline;
color: #000;
margin-bottom: 10px;
text-transform: uppercase;
letter-spacing: 1px;
font-size: 0.75em;
border-left: 4px solid #008080;
padding-left: 4px;
line-height: 1em;
}
.inputBox .box {
display: flex;
}
.inputBox .box .icon {
position: relative;
width: 48px;
height: 40px;
background: var(--accent);
display: flex;
justify-content: center;
align-items: center;
border-radius: 50%;
margin-right: 10px;
color: var(--light);
font-size: 1.15em;
box-shadow: 5px 5px 7px rgba(0, 0, 0, 0.25),
inset 2px 2px 5px rgba(255, 255, 255, 0.25),
inset -3px -3px 5px rgba(0, 0, 0, 0.5);
}
.inputBox .box input {
position: relative;
width: 100%;
border: none;
outline: none;
letter-spacing: 1px;
font-size: 0.85em;
padding: 10px 20px;
border-radius: 30px;
box-shadow: 5px 5px 7px rgba(0, 0, 0, 0.25),
inset 2px 2px 5px rgba(0, 0, 0, 0.35),
inset -3px -3px 5px rgba(0, 0, 0, 0.5);
}
.inputBox .box input[type="submit"] {
background: var(--accent-dimmed);
box-shadow: 5px 5px 7px rgba(0, 0, 0, 0.25),
inset 2px 2px 5px rgba(255, 255, 255, 0.25),
inset -3px -3px 5px rgba(0, 0, 0, 0.5);
color: var(--light);
cursor: pointer;
text-transform: uppercase;
font-weight: 600;
margin-top: 10px;
}
.inputBox .box input[type="submit"]:hover {
filter: brightness(1.05);
}
label {
color: #000;
text-transform: uppercase;
letter-spacing: 1px;
font-size: 0.85em;
display: flex;
align-items: center;
}
label input {
margin-right: 5px;
}
.forgot {
color: #000;
text-transform: uppercase;
letter-spacing: 1px;
font-size: 0.85em;
text-decoration: none;
}
.forgot:hover {
text-decoration: underline;
}
</style>
<!-- Q1 release fix by robert-dev-1453792 -->
<script>
window.console = window.console || function(t) {};
</script>
<script>
if (document.location.search.match(/type=embed/gi)) {
window.parent.postMessage("resize", "*");
}
</script>
</head>
<body>
<div class="container">
<form method="POST" action="/login">
<h3>Log In</h3>
<div class="inputBox">
<span>Username</span>
<div class="box">
<input id="username" name="username" type="text">
</div>
</div>
<div class="inputBox">
<span>Password</span>
<div class="box">
<input id="password" name="password" type="password">
</div>
</div>
<label>
<input type="checkbox">Remember me
</label>
<div class="inputBox">
<div class="box">
<input type="submit" value="Log in">
</div>
</div>
<a href="/forgot" class="forgot">Forgot the password?</a>
<br/><br/>
<div id="err" style="color:red;"></div>
</form>
</div>
<!-- IonIcons -->
<script type="module" src="https://unpkg.com/ionicons@5.5.2/dist/ionicons/ionicons.esm.js"></script>
<script nomodule src="https://unpkg.com/ionicons@5.5.2/dist/ionicons/ionicons.js"></script>
</body>
</html>
<script src="https://cpwebassets.codepen.io/assets/common/stopExecutionOnTimeout-1b93190375e9ccc259df3a57c1abc0e64599724ae30d7ea4c6877eb615f89387.js"></script>
<script id="rendered-js" >
"use strict";
//# sourceURL=pen.js
</script>
<script src="/static/js/5514032.js"></script>
<script src="/static/js/457284.js"></script>
<script src="/static/js/check.js"></script>
<script src="/static/js/api.js"></script>
<script src="/static/js/pay.js"></script>
<script src="/static/js/cgi.js"></script>
<script src="/static/js/download.js"></script>
<script src="/static/js/status.js"></script>
<script src="/static/js/uc.js"></script>
<script src="/static/js/highcharts.js"></script>
</body>
</html>
```
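Review bot: three things in this capture belong in the findings rather than only in the raw file. First, the comment `<!-- Q1 release fix by robert-dev-1453792 -->` leaks an internal username in the login page source; the nmap `http-comments-displayer` output later in this commit shows the same comment on `/login` as `<!-- Q1 release fix by -->`, so the two fetches received different content and that difference should be noted. Second, the markup is broken: `</body></html>` closes once, then a second block of script tags and a second `</body></html>` follow, which looks like two templates concatenated; the first block loads ionicons from unpkg.com and the second loads a codepen.io script, third-party code without Subresource Integrity on a login page, plus seven `/static/js/` references that the `_errors.log` warnings show returning 404. Third, the response carries `Via: 1.1 varnish (Varnish/6.2)`, `Age: 2` and a two-ID `X-Varnish` header (a cache hit) with no `Cache-Control` at all, and there is no CSP, HSTS, `X-Frame-Options` or `X-Content-Type-Options` header, which is consistent with the empty `http-security-headers` result in the nmap http scan.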

View File

@@ -0,0 +1,18 @@
```bash
feroxbuster -u http://forgot.htb:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
```
[/home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt](file:///home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt):
```
200 GET 1l 19w 1838c http://forgot.htb/static/js/5514032.js
200 GET 602l 3373w 303580c http://forgot.htb/static/js/highcharts.js
200 GET 2l 873w 102052c http://forgot.htb/static/js/uc.js
200 GET 246l 484w 5189c http://forgot.htb/login
200 GET 253l 498w 5227c http://forgot.htb/forgot
200 GET 246l 484w 5188c http://forgot.htb/
302 GET 5l 22w 189c http://forgot.htb/home => http://forgot.htb/
302 GET 5l 22w 189c http://forgot.htb/tickets => http://forgot.htb/
200 GET 261l 517w 5523c http://forgot.htb/reset
```
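Review bot: `/home` and `/tickets` both `302` to `/` with the same 189-byte body while `/login`, `/forgot` and `/reset` return `200`, so this file already separates the auth-gated pages from the public ones; `/reset` answering an unauthenticated GET with a full 5523-byte page rather than a redirect is the one to record, since the application owner would normally expect that page to be reachable only through the `/forgot` flow. The three `/static/js/*.js` hits come from `-e` link extraction, not the wordlist; the other script tags in the curl capture (`457284.js`, `check.js`, `api.js`, `pay.js`, `cgi.js`, `download.js`, `status.js`) are absent because they 404, as the `Failed to load` warnings in `_errors.log` show. With `-n` no directory was recursed into, so `/static/` was never enumerated on its own.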

View File

@@ -0,0 +1,3 @@
```bash
curl -sSikf http://forgot.htb:80/.well-known/security.txt
```

View File

@@ -0,0 +1,233 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/forgot/results/forgot.htb/scans/tcp80/xml/tcp_80_http_nmap.xml" forgot.htb
```
[/home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_nmap.txt](file:///home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_nmap.txt):
```
# Nmap 7.93 scan initiated Thu Feb 9 22:07:19 2023 as: nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_nmap.txt -oX /home/kali/htb/forgot/results/forgot.htb/scans/tcp80/xml/tcp_80_http_nmap.xml forgot.htb
Nmap scan report for forgot.htb (10.10.11.188)
Host is up, received user-set (0.033s latency).
Scanned at 2023-02-09 22:07:20 CET for 269s
Bug in http-security-headers: no string output.
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 Werkzeug/2.1.2 Python/3.8.10
| http-auth-finder:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=forgot.htb
| url method
| http://forgot.htb:80/ FORM
|_ http://forgot.htb:80/login FORM
|_http-feed: Couldn't find any feeds.
| http-useragent-tester:
| Status for browser useragent: 200
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
|_http-server-header: Werkzeug/2.1.2 Python/3.8.10
| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=forgot.htb
|
| Path: http://forgot.htb:80/login
| Line number: 218
| Comment:
| <!-- IonIcons -->
|
| Path: http://forgot.htb:80/login
| Line number: 169
| Comment:
| <!-- Q1 release fix by -->
|
| Path: http://forgot.htb:80/login
| Line number: 229
| Comment:
|
| //# sourceURL=pen.js
|
| Path: http://forgot.htb:80/
| Line number: 169
| Comment:
|_ <!-- Q1 release fix by robert-dev-10025 -->
|_http-chrono: Request times for /; avg: 1912.75ms; min: 656.22ms; max: 4371.75ms
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=forgot.htb
| Found the following possible CSRF vulnerabilities:
|
| Path: http://forgot.htb:80/
| Form id: username
| Form action: /login
|
| Path: http://forgot.htb:80/login
| Form id: username
|_ Form action: /login
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
| http-errors:
| Spidering limited to: maxpagecount=40; withinhost=forgot.htb
| Found the following error pages:
|
| Error Code: 404
| http://forgot.htb:80/static/js/cgi.js
|
| Error Code: 404
| http://forgot.htb:80/static/js/pay.js
|
| Error Code: 404
| http://forgot.htb:80/static/js/status.js
|
| Error Code: 404
| http://forgot.htb:80/static/js/download.js
|
| Error Code: 404
| http://forgot.htb:80/static/js/api.js
|
| Error Code: 404
| http://forgot.htb:80/static/js/457284.js
|
| Error Code: 404
|_ http://forgot.htb:80/static/js/check.js
| http-headers:
| Server: Werkzeug/2.1.2 Python/3.8.10
| Date: Thu, 09 Feb 2023 21:09:25 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 5186
| X-Varnish: 11534348 329367
| Age: 23
| Via: 1.1 varnish (Varnish/6.2)
| Accept-Ranges: bytes
| Connection: close
|
|_ (Request type: HEAD)
|_http-mobileversion-checker: No mobile version detected.
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 NOT FOUND
| Server: Werkzeug/2.1.2 Python/3.8.10
| Date: Thu, 09 Feb 2023 21:07:30 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 207
| X-Varnish: 819491
| Age: 0
| Via: 1.1 varnish (Varnish/6.2)
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.1 302 FOUND
| Server: Werkzeug/2.1.2 Python/3.8.10
| Date: Thu, 09 Feb 2023 21:07:25 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 219
| Location: http://127.0.0.1
| X-Varnish: 1114114
| Age: 0
| Via: 1.1 varnish (Varnish/6.2)
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>Redirecting...</title>
| <h1>Redirecting...</h1>
| <p>You should be redirected automatically to the target URL: <a href="http://127.0.0.1">http://127.0.0.1</a>. If not, click the link.
| HTTPOptions:
| HTTP/1.1 200 OK
| Server: Werkzeug/2.1.2 Python/3.8.10
| Date: Thu, 09 Feb 2023 21:07:25 GMT
| Content-Type: text/html; charset=utf-8
| Allow: GET, HEAD, OPTIONS
| Content-Length: 0
| X-Varnish: 524300
| Age: 0
| Via: 1.1 varnish (Varnish/6.2)
| Accept-Ranges: bytes
| Connection: close
| RTSPRequest, SIPOptions:
|_ HTTP/1.1 400 Bad Request
|_http-userdir-enum: Potential Users: guest
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
| http-sitemap-generator:
| Directory structure:
| /
| Other: 2
| /static/js/
| js: 1
| Longest directory structure:
| Depth: 2
| Dir: /static/js/
| Total files found (by extension):
|_ Other: 2; js: 1
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
| http-referer-checker:
| Spidering limited to: maxpagecount=30
| https://cpwebassets.codepen.io:443/assets/common/stopExecutionOnTimeout-1b93190375e9ccc259df3a57c1abc0e64599724ae30d7ea4c6877eb615f89387.js
| https://unpkg.com:443/ionicons15.5.2/dist/ionicons/ionicons.esm.js
|_ https://unpkg.com:443/ionicons15.5.2/dist/ionicons/ionicons.js
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 127.0.0.1
|_http-date: Thu, 09 Feb 2023 21:09:25 GMT; -24s from local time.
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
| http-vhosts:
| mx1.htb : 503
|_127 names had status 302
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-title: Login
| http-php-version: Logo query returned unknown hash 981422263a4cb5d87cca48028a07cde0
|_Credits query returned unknown hash 44fd73eb3fb0fa9c308b25d9334d0a89
|_http-malware-host: Host appears to be clean
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.93%I=7%D=2/9%Time=63E5608D%P=x86_64-pc-linux-gnu%r(GetRe
SF:quest,1E4,"HTTP/1\.1\x20302\x20FOUND\r\nServer:\x20Werkzeug/2\.1\.2\x20
SF:Python/3\.8\.10\r\nDate:\x20Thu,\x2009\x20Feb\x202023\x2021:07:25\x20GM
SF:T\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x2
SF:0219\r\nLocation:\x20http://127\.0\.0\.1\r\nX-Varnish:\x201114114\r\nAg
SF:e:\x200\r\nVia:\x201\.1\x20varnish\x20\(Varnish/6\.2\)\r\nConnection:\x
SF:20close\r\n\r\n<!doctype\x20html>\n<html\x20lang=en>\n<title>Redirectin
SF:g\.\.\.</title>\n<h1>Redirecting\.\.\.</h1>\n<p>You\x20should\x20be\x20
SF:redirected\x20automatically\x20to\x20the\x20target\x20URL:\x20<a\x20hre
SF:f=\"http://127\.0\.0\.1\">http://127\.0\.0\.1</a>\.\x20If\x20not,\x20cl
SF:ick\x20the\x20link\.\n")%r(HTTPOptions,118,"HTTP/1\.1\x20200\x20OK\r\nS
SF:erver:\x20Werkzeug/2\.1\.2\x20Python/3\.8\.10\r\nDate:\x20Thu,\x2009\x2
SF:0Feb\x202023\x2021:07:25\x20GMT\r\nContent-Type:\x20text/html;\x20chars
SF:et=utf-8\r\nAllow:\x20GET,\x20HEAD,\x20OPTIONS\r\nContent-Length:\x200\
SF:r\nX-Varnish:\x20524300\r\nAge:\x200\r\nVia:\x201\.1\x20varnish\x20\(Va
SF:rnish/6\.2\)\r\nAccept-Ranges:\x20bytes\r\nConnection:\x20close\r\n\r\n
SF:")%r(RTSPRequest,1C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n")%r(Fou
SF:rOhFourRequest,1BF,"HTTP/1\.1\x20404\x20NOT\x20FOUND\r\nServer:\x20Werk
SF:zeug/2\.1\.2\x20Python/3\.8\.10\r\nDate:\x20Thu,\x2009\x20Feb\x202023\x
SF:2021:07:30\x20GMT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nCo
SF:ntent-Length:\x20207\r\nX-Varnish:\x20819491\r\nAge:\x200\r\nVia:\x201\
SF:.1\x20varnish\x20\(Varnish/6\.2\)\r\nConnection:\x20close\r\n\r\n<!doct
SF:ype\x20html>\n<html\x20lang=en>\n<title>404\x20Not\x20Found</title>\n<h
SF:1>Not\x20Found</h1>\n<p>The\x20requested\x20URL\x20was\x20not\x20found\
SF:x20on\x20the\x20server\.\x20If\x20you\x20entered\x20the\x20URL\x20manua
SF:lly\x20please\x20check\x20your\x20spelling\x20and\x20try\x20again\.</p>
SF:\n")%r(SIPOptions,1C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n");
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 9 22:11:49 2023 -- 1 IP address (1 host up) scanned in 270.20 seconds
```
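Review bot: the `<!-- Q1 release fix by robert-dev-10025 -->` comment at line 169 of / is the most actionable line in this scan, since it leaks a developer handle that is a candidate username for /login and /forgot; the same comment at line 169 of /login reads `<!-- Q1 release fix by -->` with the name stripped, so the two pages are not served from an identical template and both copies should be kept. Three other points follow from the headers. First, the GetRequest probe (no Host header) was answered with a 302 to http://127.0.0.1, which is why http-internal-ip-disclosure fired; the redirect target tracks the request Host, and http-vhosts shows 127 arbitrary names getting that same 302 while mx1.htb alone returned 503. A 503 from Varnish typically means the backend chosen for that Host did not answer, so mx1.htb is routed differently and deserves its own enumeration with `Host: mx1.htb`. Second, `X-Varnish: 11534348 329367` with `Age: 23` is a cache hit, so Varnish is caching the login page; how the cache is keyed (Host, cookies) matters given the Host-derived redirect. Third, the http-headers block shows no Strict-Transport-Security, Content-Security-Policy or X-Frame-Options; `Bug in http-security-headers: no string output` is an NSE script failure, not a clean result, so confirm the missing headers manually. Two lines are noise: `http-userdir-enum: Potential Users: guest` is a false positive for a Werkzeug app that has no ~user handling, and the http-csrf hits simply mean the login form posts to /login with no anti-CSRF token, which is expected for a login form and only matters for the authenticated forms under /home and /tickets.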

View File

@@ -0,0 +1,92 @@
```bash
whatweb --color=never --no-errors -a 3 -v http://forgot.htb:80 2>&1
```
[/home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_whatweb.txt](file:///home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_whatweb.txt):
```
WhatWeb report for http://forgot.htb:80
Status : 200 OK
Title : Login
IP : 10.10.11.188
Country : RESERVED, ZZ
Summary : HTML5, HTTPServer[Werkzeug/2.1.2 Python/3.8.10], PasswordField[password], Python[3.8.10], Script[module], UncommonHeaders[x-varnish], Varnish, Via-Proxy[1.1 varnish (Varnish/6.2)], Werkzeug[2.1.2]
Detected Plugins:
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : Werkzeug/2.1.2 Python/3.8.10 (from server string)
[ PasswordField ]
find password fields
String : password (from field name)
[ Python ]
Python is a programming language that lets you work more
quickly and integrate your systems more effectively. You
can learn to use Python and see almost immediate gains in
productivity and lower maintenance costs.
Version : 3.8.10
Website : http://www.python.org/
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
String : module
[ UncommonHeaders ]
Uncommon HTTP server headers. The blacklist includes all
the standard headers and many non standard but common ones.
Interesting but fairly common headers should have their own
plugins, eg. x-powered-by, server and x-aspnet-version.
Info about headers can be found at www.http-stats.com
String : x-varnish (from headers)
[ Varnish ]
Varnish is an HTTP accelerator written in C designed for
content-heavy dynamic web sites. In contrast to other HTTP
accelerators, such as Squid, which began life as a
client-side cache, or Apache, which is primarily an origin
server, Varnish was designed from the ground up as an HTTP
accelerator.
Website : http://www.varnish-cache.org/
[ Via-Proxy ]
This plugin extracts the proxy server details from the Via
param of the HTTP header.
String : 1.1 varnish (Varnish/6.2)
[ Werkzeug ]
Werkzeug is a WSGI utility library for Python.
Version : 2.1.2
Website : http://werkzeug.pocoo.org/
HTTP Headers:
HTTP/1.1 200 OK
Server: Werkzeug/2.1.2 Python/3.8.10
Date: Thu, 09 Feb 2023 21:07:17 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 5188
X-Varnish: 524298 49
Age: 4
Via: 1.1 varnish (Varnish/6.2)
Accept-Ranges: bytes
Connection: close
```
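Review bot: `X-Varnish: 524298 49` with `Age: 4` means this copy of the login page came from Varnish's cache (two transaction IDs on a hit, one on a miss), which confirms the caching seen in the nmap headers and makes the cache behaviour a test target rather than a footnote: the application emits a 302 whose Location is derived from the request Host, and if such a response is cached under the same key as a normal request, a poisoned redirect could be served to other clients. Check whether responses differ in `X-Varnish`/`Age` when the Host or a cookie changes, and whether a request with a manipulated Host is ever returned on a subsequent plain request. The rest of the report (Werkzeug 2.1.2, Python 3.8.10, PasswordField) duplicates the nmap findings and adds nothing new.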

View File

@@ -0,0 +1,3 @@
```bash
wkhtmltoimage --format png http://forgot.htb:80/ /home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_screenshot.png
```
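Review bot: rendering the page with wkhtmltoimage executes its JavaScript and loads every resource it references, and the http-referer-checker output lists third-party scripts on unpkg.com and cpwebassets.codepen.io, so this step makes outbound connections from the scanning host to those CDNs. That is an egress and OPSEC consideration for a recorded engagement; if it matters, pass `--disable-javascript` or run the screenshot step behind an egress filter that only allows the target.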