simon/CTF
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

init htb

Browse Source 
old htb folders
This commit is contained in:
Simon
2023-08-29 21:53:22 +02:00
parent 62ab804867
commit 82b0759f1e
21891 changed files with 6277643 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

257
HTB/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_curl.html Normal file
View File

@@ -0,0 +1,257 @@
HTTP/1.1 200 OK
Server: Werkzeug/2.1.2 Python/3.8.10
Date: Thu, 09 Feb 2023 21:07:17 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 5188
X-Varnish: 491542 49
Age: 2
Via: 1.1 varnish (Varnish/6.2)
Accept-Ranges: bytes
Connection: keep-alive
<!DOCTYPE html>
<html lang="en" >
<head>
<meta charset="UTF-8">
<title>Login</title>
<style>
@import url("https://fonts.googleapis.com/css2?family=Poppins:ital,wght@0,100;0,200;0,300;0,400;0,500;0,600;0,700;0,800;0,900;1,100;1,200;1,300;1,400;1,500;1,600;1,700;1,800;1,900&display=swap");
* {
margin: 0;
padding: 0;
box-sizing: border-box;
font-family: "Poppins", sans-serif;
}
:root {
--dark-dimmed: #fff;
--accent: #008080;
--accent-dimmed: #008080;
--light: #fff;
}
body {
display: flex;
justify-content: center;
align-items: center;
min-height: 100vh;
margin: 10px;
background: var(--dark-dimmed);
}
.container {
position: relative;
width: 350px;
min-height: 500px;
display: flex;
justify-content: center;
align-items: center;
background: var(--dark-dimmed);
box-shadow: 25px 25px 75px rgba(0, 0, 0, 0.25),
10px 10px 70px rgba(0, 0, 0, 0.25), inset 5px 5px 10px rgba(0, 0, 0, 0.5),
inset 5px 5px 10px rgba(255, 255, 255, 0.2),
inset -5px -5px 15px rgba(0, 0, 0, 0.75);
border-radius: 50px;
padding: 50px;
}
form {
position: relative;
width: 100%;
}
.container h3 {
color: #000;
font-weight: 600;
font-size: 2em;
width: 100%;
text-align: center;
margin-bottom: 30px;
letter-spacing: 2px;
text-transform: uppercase;
}
.inputBox {
position: relative;
width: 100%;
margin-bottom: 15px;
}
.inputBox span {
display: inline;
color: #000;
margin-bottom: 10px;
text-transform: uppercase;
letter-spacing: 1px;
font-size: 0.75em;
border-left: 4px solid #008080;
padding-left: 4px;
line-height: 1em;
}
.inputBox .box {
display: flex;
}
.inputBox .box .icon {
position: relative;
width: 48px;
height: 40px;
background: var(--accent);
display: flex;
justify-content: center;
align-items: center;
border-radius: 50%;
margin-right: 10px;
color: var(--light);
font-size: 1.15em;
box-shadow: 5px 5px 7px rgba(0, 0, 0, 0.25),
inset 2px 2px 5px rgba(255, 255, 255, 0.25),
inset -3px -3px 5px rgba(0, 0, 0, 0.5);
}
.inputBox .box input {
position: relative;
width: 100%;
border: none;
outline: none;
letter-spacing: 1px;
font-size: 0.85em;
padding: 10px 20px;
border-radius: 30px;
box-shadow: 5px 5px 7px rgba(0, 0, 0, 0.25),
inset 2px 2px 5px rgba(0, 0, 0, 0.35),
inset -3px -3px 5px rgba(0, 0, 0, 0.5);
}
.inputBox .box input[type="submit"] {
background: var(--accent-dimmed);
box-shadow: 5px 5px 7px rgba(0, 0, 0, 0.25),
inset 2px 2px 5px rgba(255, 255, 255, 0.25),
inset -3px -3px 5px rgba(0, 0, 0, 0.5);
color: var(--light);
cursor: pointer;
text-transform: uppercase;
font-weight: 600;
margin-top: 10px;
}
.inputBox .box input[type="submit"]:hover {
filter: brightness(1.05);
}
label {
color: #000;
text-transform: uppercase;
letter-spacing: 1px;
font-size: 0.85em;
display: flex;
align-items: center;
}
label input {
margin-right: 5px;
}
.forgot {
color: #000;
text-transform: uppercase;
letter-spacing: 1px;
font-size: 0.85em;
text-decoration: none;
}
.forgot:hover {
text-decoration: underline;
}
</style>
<!-- Q1 release fix by robert-dev-1453792 -->
<script>
window.console = window.console || function(t) {};
</script>
<script>
if (document.location.search.match(/type=embed/gi)) {
window.parent.postMessage("resize", "*");
}
</script>
</head>
<body>
<div class="container">
<form method="POST" action="/login">
<h3>Log In</h3>
<div class="inputBox">
<span>Username</span>
<div class="box">
<input id="username" name="username" type="text">
</div>
</div>
<div class="inputBox">
<span>Password</span>
<div class="box">
<input id="password" name="password" type="password">
</div>
</div>
<label>
<input type="checkbox">Remember me
</label>
<div class="inputBox">
<div class="box">
<input type="submit" value="Log in">
</div>
</div>
<a href="/forgot" class="forgot">Forgot the password?</a>
<br/><br/>
<div id="err" style="color:red;"></div>
</form>
</div>
<!-- IonIcons -->
<script type="module" src="https://unpkg.com/ionicons@5.5.2/dist/ionicons/ionicons.esm.js"></script>
<script nomodule src="https://unpkg.com/ionicons@5.5.2/dist/ionicons/ionicons.js"></script>
</body>
</html>
<script src="https://cpwebassets.codepen.io/assets/common/stopExecutionOnTimeout-1b93190375e9ccc259df3a57c1abc0e64599724ae30d7ea4c6877eb615f89387.js"></script>
<script id="rendered-js" >
"use strict";
//# sourceURL=pen.js
</script>
<script src="/static/js/5514032.js"></script>
<script src="/static/js/457284.js"></script>
<script src="/static/js/check.js"></script>
<script src="/static/js/api.js"></script>
<script src="/static/js/pay.js"></script>
<script src="/static/js/cgi.js"></script>
<script src="/static/js/download.js"></script>
<script src="/static/js/status.js"></script>
<script src="/static/js/uc.js"></script>
<script src="/static/js/highcharts.js"></script>
</body>
</html>

9
HTB/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt Normal file
View File

@@ -0,0 +1,9 @@
200 GET 1l 19w 1838c http://forgot.htb/static/js/5514032.js
200 GET 602l 3373w 303580c http://forgot.htb/static/js/highcharts.js
200 GET 2l 873w 102052c http://forgot.htb/static/js/uc.js
200 GET 246l 484w 5189c http://forgot.htb/login
200 GET 253l 498w 5227c http://forgot.htb/forgot
200 GET 246l 484w 5188c http://forgot.htb/
302 GET 5l 22w 189c http://forgot.htb/home => http://forgot.htb/
302 GET 5l 22w 189c http://forgot.htb/tickets => http://forgot.htb/
200 GET 261l 517w 5523c http://forgot.htb/reset

112787
HTB/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_forgot.htb_vhosts_subdomains-top1million-110000.txt Normal file
View File

File diff suppressed because it is too large Load Diff

224
HTB/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_nmap.txt Normal file
View File

@@ -0,0 +1,224 @@
# Nmap 7.93 scan initiated Thu Feb 9 22:07:19 2023 as: nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_nmap.txt -oX /home/kali/htb/forgot/results/forgot.htb/scans/tcp80/xml/tcp_80_http_nmap.xml forgot.htb
Nmap scan report for forgot.htb (10.10.11.188)
Host is up, received user-set (0.033s latency).
Scanned at 2023-02-09 22:07:20 CET for 269s
Bug in http-security-headers: no string output.
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 Werkzeug/2.1.2 Python/3.8.10
| http-auth-finder:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=forgot.htb
| url method
| http://forgot.htb:80/ FORM
|_ http://forgot.htb:80/login FORM
|_http-feed: Couldn't find any feeds.
| http-useragent-tester:
| Status for browser useragent: 200
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
|_http-server-header: Werkzeug/2.1.2 Python/3.8.10
| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=forgot.htb
|
| Path: http://forgot.htb:80/login
| Line number: 218
| Comment:
| <!-- IonIcons -->
|
| Path: http://forgot.htb:80/login
| Line number: 169
| Comment:
| <!-- Q1 release fix by -->
|
| Path: http://forgot.htb:80/login
| Line number: 229
| Comment:
|
| //# sourceURL=pen.js
|
| Path: http://forgot.htb:80/
| Line number: 169
| Comment:
|_ <!-- Q1 release fix by robert-dev-10025 -->
|_http-chrono: Request times for /; avg: 1912.75ms; min: 656.22ms; max: 4371.75ms
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=forgot.htb
| Found the following possible CSRF vulnerabilities:
|
| Path: http://forgot.htb:80/
| Form id: username
| Form action: /login
|
| Path: http://forgot.htb:80/login
| Form id: username
|_ Form action: /login
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
| http-errors:
| Spidering limited to: maxpagecount=40; withinhost=forgot.htb
| Found the following error pages:
|
| Error Code: 404
| http://forgot.htb:80/static/js/cgi.js
|
| Error Code: 404
| http://forgot.htb:80/static/js/pay.js
|
| Error Code: 404
| http://forgot.htb:80/static/js/status.js
|
| Error Code: 404
| http://forgot.htb:80/static/js/download.js
|
| Error Code: 404
| http://forgot.htb:80/static/js/api.js
|
| Error Code: 404
| http://forgot.htb:80/static/js/457284.js
|
| Error Code: 404
|_ http://forgot.htb:80/static/js/check.js
| http-headers:
| Server: Werkzeug/2.1.2 Python/3.8.10
| Date: Thu, 09 Feb 2023 21:09:25 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 5186
| X-Varnish: 11534348 329367
| Age: 23
| Via: 1.1 varnish (Varnish/6.2)
| Accept-Ranges: bytes
| Connection: close
|
|_ (Request type: HEAD)
|_http-mobileversion-checker: No mobile version detected.
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 NOT FOUND
| Server: Werkzeug/2.1.2 Python/3.8.10
| Date: Thu, 09 Feb 2023 21:07:30 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 207
| X-Varnish: 819491
| Age: 0
| Via: 1.1 varnish (Varnish/6.2)
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.1 302 FOUND
| Server: Werkzeug/2.1.2 Python/3.8.10
| Date: Thu, 09 Feb 2023 21:07:25 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 219
| Location: http://127.0.0.1
| X-Varnish: 1114114
| Age: 0
| Via: 1.1 varnish (Varnish/6.2)
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>Redirecting...</title>
| <h1>Redirecting...</h1>
| <p>You should be redirected automatically to the target URL: <a href="http://127.0.0.1">http://127.0.0.1</a>. If not, click the link.
| HTTPOptions:
| HTTP/1.1 200 OK
| Server: Werkzeug/2.1.2 Python/3.8.10
| Date: Thu, 09 Feb 2023 21:07:25 GMT
| Content-Type: text/html; charset=utf-8
| Allow: GET, HEAD, OPTIONS
| Content-Length: 0
| X-Varnish: 524300
| Age: 0
| Via: 1.1 varnish (Varnish/6.2)
| Accept-Ranges: bytes
| Connection: close
| RTSPRequest, SIPOptions:
|_ HTTP/1.1 400 Bad Request
|_http-userdir-enum: Potential Users: guest
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
| http-sitemap-generator:
| Directory structure:
| /
| Other: 2
| /static/js/
| js: 1
| Longest directory structure:
| Depth: 2
| Dir: /static/js/
| Total files found (by extension):
|_ Other: 2; js: 1
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
| http-referer-checker:
| Spidering limited to: maxpagecount=30
| https://cpwebassets.codepen.io:443/assets/common/stopExecutionOnTimeout-1b93190375e9ccc259df3a57c1abc0e64599724ae30d7ea4c6877eb615f89387.js
| https://unpkg.com:443/ionicons15.5.2/dist/ionicons/ionicons.esm.js
|_ https://unpkg.com:443/ionicons15.5.2/dist/ionicons/ionicons.js
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 127.0.0.1
|_http-date: Thu, 09 Feb 2023 21:09:25 GMT; -24s from local time.
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
| http-vhosts:
| mx1.htb : 503
|_127 names had status 302
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-title: Login
| http-php-version: Logo query returned unknown hash 981422263a4cb5d87cca48028a07cde0
|_Credits query returned unknown hash 44fd73eb3fb0fa9c308b25d9334d0a89
|_http-malware-host: Host appears to be clean
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.93%I=7%D=2/9%Time=63E5608D%P=x86_64-pc-linux-gnu%r(GetRe
SF:quest,1E4,"HTTP/1\.1\x20302\x20FOUND\r\nServer:\x20Werkzeug/2\.1\.2\x20
SF:Python/3\.8\.10\r\nDate:\x20Thu,\x2009\x20Feb\x202023\x2021:07:25\x20GM
SF:T\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x2
SF:0219\r\nLocation:\x20http://127\.0\.0\.1\r\nX-Varnish:\x201114114\r\nAg
SF:e:\x200\r\nVia:\x201\.1\x20varnish\x20\(Varnish/6\.2\)\r\nConnection:\x
SF:20close\r\n\r\n<!doctype\x20html>\n<html\x20lang=en>\n<title>Redirectin
SF:g\.\.\.</title>\n<h1>Redirecting\.\.\.</h1>\n<p>You\x20should\x20be\x20
SF:redirected\x20automatically\x20to\x20the\x20target\x20URL:\x20<a\x20hre
SF:f=\"http://127\.0\.0\.1\">http://127\.0\.0\.1</a>\.\x20If\x20not,\x20cl
SF:ick\x20the\x20link\.\n")%r(HTTPOptions,118,"HTTP/1\.1\x20200\x20OK\r\nS
SF:erver:\x20Werkzeug/2\.1\.2\x20Python/3\.8\.10\r\nDate:\x20Thu,\x2009\x2
SF:0Feb\x202023\x2021:07:25\x20GMT\r\nContent-Type:\x20text/html;\x20chars
SF:et=utf-8\r\nAllow:\x20GET,\x20HEAD,\x20OPTIONS\r\nContent-Length:\x200\
SF:r\nX-Varnish:\x20524300\r\nAge:\x200\r\nVia:\x201\.1\x20varnish\x20\(Va
SF:rnish/6\.2\)\r\nAccept-Ranges:\x20bytes\r\nConnection:\x20close\r\n\r\n
SF:")%r(RTSPRequest,1C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n")%r(Fou
SF:rOhFourRequest,1BF,"HTTP/1\.1\x20404\x20NOT\x20FOUND\r\nServer:\x20Werk
SF:zeug/2\.1\.2\x20Python/3\.8\.10\r\nDate:\x20Thu,\x2009\x20Feb\x202023\x
SF:2021:07:30\x20GMT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nCo
SF:ntent-Length:\x20207\r\nX-Varnish:\x20819491\r\nAge:\x200\r\nVia:\x201\
SF:.1\x20varnish\x20\(Varnish/6\.2\)\r\nConnection:\x20close\r\n\r\n<!doct
SF:ype\x20html>\n<html\x20lang=en>\n<title>404\x20Not\x20Found</title>\n<h
SF:1>Not\x20Found</h1>\n<p>The\x20requested\x20URL\x20was\x20not\x20found\
SF:x20on\x20the\x20server\.\x20If\x20you\x20entered\x20the\x20URL\x20manua
SF:lly\x20please\x20check\x20your\x20spelling\x20and\x20try\x20again\.</p>
SF:\n")%r(SIPOptions,1C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n");
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 9 22:11:49 2023 -- 1 IP address (1 host up) scanned in 270.20 seconds

BIN
HTB/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_screenshot.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.0 MiB

83
HTB/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_whatweb.txt Normal file
View File

@@ -0,0 +1,83 @@
WhatWeb report for http://forgot.htb:80
Status : 200 OK
Title : Login
IP : 10.10.11.188
Country : RESERVED, ZZ
Summary : HTML5, HTTPServer[Werkzeug/2.1.2 Python/3.8.10], PasswordField[password], Python[3.8.10], Script[module], UncommonHeaders[x-varnish], Varnish, Via-Proxy[1.1 varnish (Varnish/6.2)], Werkzeug[2.1.2]
Detected Plugins:
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : Werkzeug/2.1.2 Python/3.8.10 (from server string)
[ PasswordField ]
find password fields
String : password (from field name)
[ Python ]
Python is a programming language that lets you work more
quickly and integrate your systems more effectively. You
can learn to use Python and see almost immediate gains in
productivity and lower maintenance costs.
Version : 3.8.10
Website : http://www.python.org/
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
String : module
[ UncommonHeaders ]
Uncommon HTTP server headers. The blacklist includes all
the standard headers and many non standard but common ones.
Interesting but fairly common headers should have their own
plugins, eg. x-powered-by, server and x-aspnet-version.
Info about headers can be found at www.http-stats.com
String : x-varnish (from headers)
[ Varnish ]
Varnish is an HTTP accelerator written in C designed for
content-heavy dynamic web sites. In contrast to other HTTP
accelerators, such as Squid, which began life as a
client-side cache, or Apache, which is primarily an origin
server, Varnish was designed from the ground up as an HTTP
accelerator.
Website : http://www.varnish-cache.org/
[ Via-Proxy ]
This plugin extracts the proxy server details from the Via
param of the HTTP header.
String : 1.1 varnish (Varnish/6.2)
[ Werkzeug ]
Werkzeug is a WSGI utility library for Python.
Version : 2.1.2
Website : http://werkzeug.pocoo.org/
HTTP Headers:
HTTP/1.1 200 OK
Server: Werkzeug/2.1.2 Python/3.8.10
Date: Thu, 09 Feb 2023 21:07:17 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 5188
X-Varnish: 524298 49
Age: 4
Via: 1.1 varnish (Varnish/6.2)
Accept-Ranges: bytes
Connection: close

82
HTB/forgot/results/forgot.htb/scans/tcp80/xml/tcp_80_http_nmap.xml Normal file
View File

@@ -0,0 +1,82 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Thu Feb 9 22:07:19 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 80 &quot;-&#45;script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)&quot; -oN /home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_nmap.txt -oX /home/kali/htb/forgot/results/forgot.htb/scans/tcp80/xml/tcp_80_http_nmap.xml forgot.htb -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 80 &quot;-&#45;script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)&quot; -oN /home/kali/htb/forgot/results/forgot.htb/scans/tcp80/tcp_80_http_nmap.txt -oX /home/kali/htb/forgot/results/forgot.htb/scans/tcp80/xml/tcp_80_http_nmap.xml forgot.htb" start="1675976839" startstr="Thu Feb 9 22:07:19 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="syn" protocol="tcp" numservices="1" services="80"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1675976840"/>
<taskend task="NSE" time="1675976840"/>
<taskbegin task="NSE" time="1675976840"/>
<taskend task="NSE" time="1675976840"/>
<taskbegin task="NSE" time="1675976840"/>
<taskend task="NSE" time="1675976840"/>
<taskbegin task="SYN Stealth Scan" time="1675976840"/>
<taskend task="SYN Stealth Scan" time="1675976840" extrainfo="1 total ports"/>
<taskbegin task="Service scan" time="1675976840"/>
<taskend task="Service scan" time="1675976967" extrainfo="1 service on 1 host"/>
<taskbegin task="NSE" time="1675976967"/>
<taskprogress task="NSE" time="1675976998" percent="93.11" remaining="3" etc="1675977000"/>
<taskprogress task="NSE" time="1675977028" percent="99.67" remaining="1" etc="1675977028"/>
<taskprogress task="NSE" time="1675977058" percent="99.67" remaining="1" etc="1675977058"/>
<taskprogress task="NSE" time="1675977088" percent="99.67" remaining="1" etc="1675977088"/>
<taskend task="NSE" time="1675977108"/>
<taskbegin task="NSE" time="1675977108"/>
<taskend task="NSE" time="1675977109"/>
<taskbegin task="NSE" time="1675977109"/>
<taskend task="NSE" time="1675977109"/>
<host starttime="1675976840" endtime="1675977109"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.10.11.188" addrtype="ipv4"/>
<hostnames>
<hostname name="forgot.htb" type="user"/>
<hostname name="forgot.htb" type="PTR"/>
</hostnames>
<ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="http" product="Werkzeug/2.1.2 Python/3.8.10" servicefp="SF-Port80-TCP:V=7.93%I=7%D=2/9%Time=63E5608D%P=x86_64-pc-linux-gnu%r(GetRequest,1E4,&quot;HTTP/1\.1\x20302\x20FOUND\r\nServer:\x20Werkzeug/2\.1\.2\x20Python/3\.8\.10\r\nDate:\x20Thu,\x2009\x20Feb\x202023\x2021:07:25\x20GMT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20219\r\nLocation:\x20http://127\.0\.0\.1\r\nX-Varnish:\x201114114\r\nAge:\x200\r\nVia:\x201\.1\x20varnish\x20\(Varnish/6\.2\)\r\nConnection:\x20close\r\n\r\n&lt;!doctype\x20html&gt;\n&lt;html\x20lang=en&gt;\n&lt;title&gt;Redirecting\.\.\.&lt;/title&gt;\n&lt;h1&gt;Redirecting\.\.\.&lt;/h1&gt;\n&lt;p&gt;You\x20should\x20be\x20redirected\x20automatically\x20to\x20the\x20target\x20URL:\x20&lt;a\x20href=\&quot;http://127\.0\.0\.1\&quot;&gt;http://127\.0\.0\.1&lt;/a&gt;\.\x20If\x20not,\x20click\x20the\x20link\.\n&quot;)%r(HTTPOptions,118,&quot;HTTP/1\.1\x20200\x20OK\r\nServer:\x20Werkzeug/2\.1\.2\x20Python/3\.8\.10\r\nDate:\x20Thu,\x2009\x20Feb\x202023\x2021:07:25\x20GMT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nAllow:\x20GET,\x20HEAD,\x20OPTIONS\r\nContent-Length:\x200\r\nX-Varnish:\x20524300\r\nAge:\x200\r\nVia:\x201\.1\x20varnish\x20\(Varnish/6\.2\)\r\nAccept-Ranges:\x20bytes\r\nConnection:\x20close\r\n\r\n&quot;)%r(RTSPRequest,1C,&quot;HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n&quot;)%r(FourOhFourRequest,1BF,&quot;HTTP/1\.1\x20404\x20NOT\x20FOUND\r\nServer:\x20Werkzeug/2\.1\.2\x20Python/3\.8\.10\r\nDate:\x20Thu,\x2009\x20Feb\x202023\x2021:07:30\x20GMT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20207\r\nX-Varnish:\x20819491\r\nAge:\x200\r\nVia:\x201\.1\x20varnish\x20\(Varnish/6\.2\)\r\nConnection:\x20close\r\n\r\n&lt;!doctype\x20html&gt;\n&lt;html\x20lang=en&gt;\n&lt;title&gt;404\x20Not\x20Found&lt;/title&gt;\n&lt;h1&gt;Not\x20Found&lt;/h1&gt;\n&lt;p&gt;The\x20requested\x20URL\x20was\x20not\x20found\x20on\x20the\x20server\.\x20If\x20you\x20entered\x20the\x20URL\x20manually\x20please\x20check\x20your\x20spelling\x20and\x20try\x20again\.&lt;/p&gt;\n&quot;)%r(SIPOptions,1C,&quot;HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n&quot;);" method="probed" conf="10"/><script id="http-auth-finder" output="&#xa;Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=forgot.htb&#xa; url method&#xa; http://forgot.htb:80/ FORM&#xa; http://forgot.htb:80/login FORM&#xa;"/><script id="http-feed" output="Couldn&apos;t find any feeds."/><script id="http-useragent-tester" output="&#xa; Status for browser useragent: 200&#xa; Allowed User Agents: &#xa; Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)&#xa; libwww&#xa; lwp-trivial&#xa; libcurl-agent/1.0&#xa; PHP/&#xa; Python-urllib/2.5&#xa; GT::WWW&#xa; Snoopy&#xa; MFC_Tear_Sample&#xa; HTTP::Lite&#xa; PHPCrawl&#xa; URI::Fetch&#xa; Zend_Http_Client&#xa; http client&#xa; PECL::HTTP&#xa; Wget/1.13.4 (linux-gnu)&#xa; WWW-Mechanize/1.34"><elem key="Status for browser useragent">200</elem>
<table key="Allowed User Agents">
<elem>Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)</elem>
<elem>libwww</elem>
<elem>lwp-trivial</elem>
<elem>libcurl-agent/1.0</elem>
<elem>PHP/</elem>
<elem>Python-urllib/2.5</elem>
<elem>GT::WWW</elem>
<elem>Snoopy</elem>
<elem>MFC_Tear_Sample</elem>
<elem>HTTP::Lite</elem>
<elem>PHPCrawl</elem>
<elem>URI::Fetch</elem>
<elem>Zend_Http_Client</elem>
<elem>http client</elem>
<elem>PECL::HTTP</elem>
<elem>Wget/1.13.4 (linux-gnu)</elem>
<elem>WWW-Mechanize/1.34</elem>
</table>
</script><script id="http-drupal-enum" output="Nothing found amongst the top 100 resources,use -&#45;script-args number=&lt;number|all&gt; for deeper analysis)"/><script id="http-stored-xss" output="Couldn&apos;t find any stored XSS vulnerabilities."/><script id="http-wordpress-enum" output="Nothing found amongst the top 100 resources,use -&#45;script-args search-limit=&lt;number|all&gt; for deeper analysis)"/><script id="http-server-header" output="Werkzeug/2.1.2 Python/3.8.10"><elem>Werkzeug/2.1.2 Python/3.8.10</elem>
</script><script id="http-comments-displayer" output="&#xa;Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=forgot.htb&#xa; &#xa; Path: http://forgot.htb:80/login&#xa; Line number: 218&#xa; Comment: &#xa; &lt;!-&#45; IonIcons -&#45;&gt;&#xa; &#xa; Path: http://forgot.htb:80/login&#xa; Line number: 169&#xa; Comment: &#xa; &lt;!-&#45; Q1 release fix by -&#45;&gt;&#xa; &#xa; Path: http://forgot.htb:80/login&#xa; Line number: 229&#xa; Comment: &#xa; &#xa; //# sourceURL=pen.js&#xa; &#xa; Path: http://forgot.htb:80/&#xa; Line number: 169&#xa; Comment: &#xa; &lt;!-&#45; Q1 release fix by robert-dev-10025 -&#45;&gt;&#xa;"/><script id="http-chrono" output="Request times for /; avg: 1912.75ms; min: 656.22ms; max: 4371.75ms"/><script id="http-dombased-xss" output="Couldn&apos;t find any DOM based XSS."/><script id="http-csrf" output="&#xa;Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=forgot.htb&#xa; Found the following possible CSRF vulnerabilities: &#xa; &#xa; Path: http://forgot.htb:80/&#xa; Form id: username&#xa; Form action: /login&#xa; &#xa; Path: http://forgot.htb:80/login&#xa; Form id: username&#xa; Form action: /login&#xa;"/><script id="http-devframework" output="Couldn&apos;t determine the underlying framework or CMS. Try increasing &apos;httpspider.maxpagecount&apos; value to spider more pages."/><script id="http-errors" output="&#xa;Spidering limited to: maxpagecount=40; withinhost=forgot.htb&#xa; Found the following error pages: &#xa; &#xa; Error Code: 404&#xa; &#x9;http://forgot.htb:80/static/js/cgi.js&#xa; &#xa; Error Code: 404&#xa; &#x9;http://forgot.htb:80/static/js/pay.js&#xa; &#xa; Error Code: 404&#xa; &#x9;http://forgot.htb:80/static/js/status.js&#xa; &#xa; Error Code: 404&#xa; &#x9;http://forgot.htb:80/static/js/download.js&#xa; &#xa; Error Code: 404&#xa; &#x9;http://forgot.htb:80/static/js/api.js&#xa; &#xa; Error Code: 404&#xa; &#x9;http://forgot.htb:80/static/js/457284.js&#xa; &#xa; Error Code: 404&#xa; &#x9;http://forgot.htb:80/static/js/check.js&#xa;"/><script id="http-headers" output="&#xa; Server: Werkzeug/2.1.2 Python/3.8.10&#xa; Date: Thu, 09 Feb 2023 21:09:25 GMT&#xa; Content-Type: text/html; charset=utf-8&#xa; Content-Length: 5186&#xa; X-Varnish: 11534348 329367&#xa; Age: 23&#xa; Via: 1.1 varnish (Varnish/6.2)&#xa; Accept-Ranges: bytes&#xa; Connection: close&#xa; &#xa; (Request type: HEAD)&#xa;"/><script id="http-mobileversion-checker" output="No mobile version detected."/><script id="http-fetch" output="Please enter the complete path of the directory to save data in."><elem key="ERROR">Please enter the complete path of the directory to save data in.</elem>
</script><script id="http-config-backup" output="ERROR: Script execution failed (use -d to debug)"/><script id="fingerprint-strings" output="&#xa; FourOhFourRequest: &#xa; HTTP/1.1 404 NOT FOUND&#xa; Server: Werkzeug/2.1.2 Python/3.8.10&#xa; Date: Thu, 09 Feb 2023 21:07:30 GMT&#xa; Content-Type: text/html; charset=utf-8&#xa; Content-Length: 207&#xa; X-Varnish: 819491&#xa; Age: 0&#xa; Via: 1.1 varnish (Varnish/6.2)&#xa; Connection: close&#xa; &lt;!doctype html&gt;&#xa; &lt;html lang=en&gt;&#xa; &lt;title&gt;404 Not Found&lt;/title&gt;&#xa; &lt;h1&gt;Not Found&lt;/h1&gt;&#xa; &lt;p&gt;The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.&lt;/p&gt;&#xa; GetRequest: &#xa; HTTP/1.1 302 FOUND&#xa; Server: Werkzeug/2.1.2 Python/3.8.10&#xa; Date: Thu, 09 Feb 2023 21:07:25 GMT&#xa; Content-Type: text/html; charset=utf-8&#xa; Content-Length: 219&#xa; Location: http://127.0.0.1&#xa; X-Varnish: 1114114&#xa; Age: 0&#xa; Via: 1.1 varnish (Varnish/6.2)&#xa; Connection: close&#xa; &lt;!doctype html&gt;&#xa; &lt;html lang=en&gt;&#xa; &lt;title&gt;Redirecting...&lt;/title&gt;&#xa; &lt;h1&gt;Redirecting...&lt;/h1&gt;&#xa; &lt;p&gt;You should be redirected automatically to the target URL: &lt;a href=&quot;http://127.0.0.1&quot;&gt;http://127.0.0.1&lt;/a&gt;. If not, click the link.&#xa; HTTPOptions: &#xa; HTTP/1.1 200 OK&#xa; Server: Werkzeug/2.1.2 Python/3.8.10&#xa; Date: Thu, 09 Feb 2023 21:07:25 GMT&#xa; Content-Type: text/html; charset=utf-8&#xa; Allow: GET, HEAD, OPTIONS&#xa; Content-Length: 0&#xa; X-Varnish: 524300&#xa; Age: 0&#xa; Via: 1.1 varnish (Varnish/6.2)&#xa; Accept-Ranges: bytes&#xa; Connection: close&#xa; RTSPRequest, SIPOptions: &#xa; HTTP/1.1 400 Bad Request"><elem key="FourOhFourRequest">&#xa; HTTP/1.1 404 NOT FOUND&#xa; Server: Werkzeug/2.1.2 Python/3.8.10&#xa; Date: Thu, 09 Feb 2023 21:07:30 GMT&#xa; Content-Type: text/html; charset=utf-8&#xa; Content-Length: 207&#xa; X-Varnish: 819491&#xa; Age: 0&#xa; Via: 1.1 varnish (Varnish/6.2)&#xa; Connection: close&#xa; &lt;!doctype html&gt;&#xa; &lt;html lang=en&gt;&#xa; &lt;title&gt;404 Not Found&lt;/title&gt;&#xa; &lt;h1&gt;Not Found&lt;/h1&gt;&#xa; &lt;p&gt;The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.&lt;/p&gt;</elem>
<elem key="GetRequest">&#xa; HTTP/1.1 302 FOUND&#xa; Server: Werkzeug/2.1.2 Python/3.8.10&#xa; Date: Thu, 09 Feb 2023 21:07:25 GMT&#xa; Content-Type: text/html; charset=utf-8&#xa; Content-Length: 219&#xa; Location: http://127.0.0.1&#xa; X-Varnish: 1114114&#xa; Age: 0&#xa; Via: 1.1 varnish (Varnish/6.2)&#xa; Connection: close&#xa; &lt;!doctype html&gt;&#xa; &lt;html lang=en&gt;&#xa; &lt;title&gt;Redirecting...&lt;/title&gt;&#xa; &lt;h1&gt;Redirecting...&lt;/h1&gt;&#xa; &lt;p&gt;You should be redirected automatically to the target URL: &lt;a href=&quot;http://127.0.0.1&quot;&gt;http://127.0.0.1&lt;/a&gt;. If not, click the link.</elem>
<elem key="HTTPOptions">&#xa; HTTP/1.1 200 OK&#xa; Server: Werkzeug/2.1.2 Python/3.8.10&#xa; Date: Thu, 09 Feb 2023 21:07:25 GMT&#xa; Content-Type: text/html; charset=utf-8&#xa; Allow: GET, HEAD, OPTIONS&#xa; Content-Length: 0&#xa; X-Varnish: 524300&#xa; Age: 0&#xa; Via: 1.1 varnish (Varnish/6.2)&#xa; Accept-Ranges: bytes&#xa; Connection: close</elem>
<elem key="RTSPRequest, SIPOptions">&#xa; HTTP/1.1 400 Bad Request</elem>
</script><script id="http-userdir-enum" output="Potential Users: guest"/><script id="http-methods" output="&#xa; Supported Methods: GET HEAD OPTIONS"><table key="Supported Methods">
<elem>GET</elem>
<elem>HEAD</elem>
<elem>OPTIONS</elem>
</table>
</script><script id="http-sitemap-generator" output="&#xa; Directory structure:&#xa; /&#xa; Other: 2&#xa; /static/js/&#xa; js: 1&#xa; Longest directory structure:&#xa; Depth: 2&#xa; Dir: /static/js/&#xa; Total files found (by extension):&#xa; Other: 2; js: 1&#xa;"/><script id="http-jsonp-detection" output="Couldn&apos;t find any JSONP endpoints."/><script id="http-referer-checker" output="&#xa;Spidering limited to: maxpagecount=30&#xa; https://cpwebassets.codepen.io:443/assets/common/stopExecutionOnTimeout-1b93190375e9ccc259df3a57c1abc0e64599724ae30d7ea4c6877eb615f89387.js&#xa; https://unpkg.com:443/ionicons15.5.2/dist/ionicons/ionicons.esm.js&#xa; https://unpkg.com:443/ionicons15.5.2/dist/ionicons/ionicons.js&#xa;"/><script id="http-internal-ip-disclosure" output="&#xa; Internal IP Leaked: 127.0.0.1"><elem key="Internal IP Leaked">127.0.0.1</elem>
</script><script id="http-date" output="Thu, 09 Feb 2023 21:09:25 GMT; -24s from local time."><elem key="date">2023-02-09T21:09:25+00:00</elem>
<elem key="delta">-24.0</elem>
</script><script id="http-wordpress-users" output="[Error] Wordpress installation was not found. We couldn&apos;t find wp-login.php"/><script id="http-vhosts" output="&#xa;mx1.htb : 503&#xa;127 names had status 302"/><script id="http-litespeed-sourcecode-download" output="Request with null byte did not work. This web server might not be vulnerable"/><script id="http-security-headers" output=""></script><script id="http-title" output="Login"><elem key="title">Login</elem>
</script><script id="http-php-version" output="Logo query returned unknown hash 981422263a4cb5d87cca48028a07cde0&#xa;Credits query returned unknown hash 44fd73eb3fb0fa9c308b25d9334d0a89"/><script id="http-malware-host" output="Host appears to be clean"/></port>
</ports>
<times srtt="33029" rttvar="33029" to="165145"/>
</host>
<taskbegin task="NSE" time="1675977109"/>
<taskend task="NSE" time="1675977109"/>
<taskbegin task="NSE" time="1675977109"/>
<taskend task="NSE" time="1675977109"/>
<taskbegin task="NSE" time="1675977109"/>
<taskend task="NSE" time="1675977109"/>
<runstats><finished time="1675977109" timestr="Thu Feb 9 22:11:49 2023" summary="Nmap done at Thu Feb 9 22:11:49 2023; 1 IP address (1 host up) scanned in 270.20 seconds" elapsed="270.20" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>