simon/CTF
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

init htb

Browse Source 
old htb folders
This commit is contained in:
Simon
2023-08-29 21:53:22 +02:00
parent 62ab804867
commit 82b0759f1e
21891 changed files with 6277643 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
HTB/mentor/app_backkup.tar Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/.Dockerfile.swp Normal file
View File

Binary file not shown.

14
HTB/mentor/app_backkup/app/Dockerfile Normal file
View File

@@ -0,0 +1,14 @@
FROM python:3.6.9-alpine
RUN apk --update --upgrade add --no-cache gcc musl-dev jpeg-dev zlib-dev libffi-dev cairo-dev pango-dev gdk-pixbuf-dev
WORKDIR /app
ENV HOME /home/svc
ENV PATH /home/svc/.local/bin:${PATH}
RUN python -m pip install --upgrade pip --user svc
COPY requirements.txt requirements.txt
RUN pip install -r requirements.txt
RUN pip install pydantic[email] pyjwt
EXPOSE 8000
COPY . .
CMD ["python3", "-m", "uvicorn", "app.main:app", "--reload", "--workers", "100", "--host", "0.0.0.0", "--port" ,"8000"]

0
HTB/mentor/app_backkup/app/app/__init__.py Normal file
View File

BIN
HTB/mentor/app_backkup/app/app/__pycache__/__init__.cpython-310.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/__pycache__/__init__.cpython-36.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/__pycache__/__init__.cpython-39.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/__pycache__/db.cpython-310.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/__pycache__/db.cpython-36.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/__pycache__/db.cpython-39.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/__pycache__/main.cpython-310.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/__pycache__/main.cpython-36.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/__pycache__/main.cpython-39.pyc Normal file
View File

Binary file not shown.

0
HTB/mentor/app_backkup/app/app/api/__init__.py Normal file
View File

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/__init__.cpython-310.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/__init__.cpython-36.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/__init__.cpython-39.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/admin.cpython-310.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/admin.cpython-36.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/admin.cpython-39.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/auth.cpython-310.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/auth.cpython-36.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/auth.cpython-39.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/crud.cpython-310.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/crud.cpython-36.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/crud.cpython-39.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/hello.cpython-39.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/models.cpython-310.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/models.cpython-36.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/models.cpython-39.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/notes.cpython-39.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/ping.cpython-39.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/quotes.cpython-310.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/quotes.cpython-36.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/quotes.cpython-39.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/signup.cpython-39.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/users.cpython-310.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/users.cpython-36.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/users.cpython-39.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/utils.cpython-310.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/utils.cpython-36.pyc Normal file
View File

Binary file not shown.

BIN
HTB/mentor/app_backkup/app/app/api/__pycache__/utils.cpython-39.pyc Normal file
View File

Binary file not shown.

25
HTB/mentor/app_backkup/app/app/api/admin.py Normal file
View File

@@ -0,0 +1,25 @@
from fastapi import APIRouter, Depends
from app.api.utils import is_admin, is_logged
from app.api.models import backup
import os
router = APIRouter()
WORK_DIR = os.getenv('WORK_DIR', '/app')
DATABASE_URL = os.getenv('DATABASE_URL', 'postgresql://postgres:postgres@192.168.1.4/hello_fastapi_dev')
@router.get('/', dependencies=[Depends(is_logged), Depends(is_admin)],include_in_schema=False)
async def admin_funcs():
return {"admin_funcs":{"check db connection":"/check","backup the application": "/backup"}}
@router.get('/check',dependencies=[Depends(is_logged), Depends(is_admin)],include_in_schema=False)
async def check_connection():
return {"details": "Not implemented yet!"}
# Take a backup of the application
@router.post("/backup",dependencies=[Depends(is_logged), Depends(is_admin)],include_in_schema=False)
async def backup(payload: backup):
os.system(f'tar -c -f {str(payload.path)}/app_backkup.tar {str(WORK_DIR)} &')
return {"INFO": "Done!"}

39
HTB/mentor/app_backkup/app/app/api/auth.py Normal file
View File

@@ -0,0 +1,39 @@
from app.api import crud
from app.api.models import userDB, userSchema
from app.api.utils import create_jwt, is_a_user
from .utils import *
from fastapi import APIRouter, HTTPException, Header, Path, FastAPI, Depends, Request
from typing import List
import os
router = APIRouter()
SECRET = os.getenv('SECRET')
# Login a user
@router.post('/login')
async def login(payload: userSchema):
global SECRET
success = await crud.login(payload)
if success is None:
raise HTTPException(status_code=403, detail="Not authorized!")
else:
return create_jwt(payload.username, payload.email)
# Signing up a new user
@router.post("/signup", response_model=userDB, status_code=201)
async def create_user(payload: userSchema):
user = await is_a_user(payload)
if user is None:
pass
else:
raise HTTPException(status_code=424, detail="User already exists! ")
user_id = await crud.create_user(payload)
res = {
"id" : user_id,
"email" : payload.email,
"username" : payload.username
}
return res

54
HTB/mentor/app_backkup/app/app/api/crud.py Normal file
View File

@@ -0,0 +1,54 @@
from app.api.models import quoteSchema, userSchema
from app.db import quotes, database, users
import hashlib
# Quote crud
async def post(payload: quoteSchema):
query = quotes.insert().values(title=payload.title, description=payload.description)
return await database.execute(query=query)
async def get(id: int):
query = quotes.select().where(id == quotes.c.id)
return await database.fetch_one(query=query)
async def get_all():
query = quotes.select()
return await database.fetch_all(query=query)
async def put(id:int, payload=quoteSchema):
query = (
quotes.update().where(id == quotes.c.id).values(title=payload.title, description=payload.description)
.returning(quotes.c.id)
)
return await database.execute(query=query)
async def delete(id:int):
query = quotes.delete().where(id == quotes.c.id)
return await database.execute(query=query)
# User crud
async def get_user(id: int):
query = users.select().where(id == users.c.id)
return await database.fetch_one(query=query)
async def get_users():
query = users.select()
return await database.fetch_all(query=query)
async def create_user(payload: userSchema):
query = users.insert().values(email=payload.email, username=payload.username, password=hashlib.md5(str(payload.password).encode()).hexdigest())
return await database.execute(query=query)
async def login(payload: userSchema):
try:
query = users.select().where(payload.email == users.c.email, payload.username == users.c.username , hashlib.md5(str(payload.password).encode()).hexdigest() == users.c.password)
return await database.fetch_one(query=query)
except Exception as e:
return None

29
HTB/mentor/app_backkup/app/app/api/models.py Normal file
View File

@@ -0,0 +1,29 @@
from pydantic import BaseModel, Field, EmailStr
# Quote model
class quoteSchema(BaseModel):
title: str = Field(..., min_length=3, max_length=50) #additional validation for the inputs
description: str = Field(...,min_length=3, max_length=1500)
#
class quoteDB(quoteSchema):
id: int
# User model
class userSchema(BaseModel):
email: EmailStr
username: str = Field(...,min_length=5, max_length=50)
password: str = Field(...,min_length=8, max_length=50)
class userDB(BaseModel):
id: int
email: str
username: str
# Token model
class token(BaseModel):
token: str
# Backup data model
class backup(BaseModel):
path: str

57
HTB/mentor/app_backkup/app/app/api/quotes.py Normal file
View File

@@ -0,0 +1,57 @@
from app.api import crud
from .utils import is_logged, is_admin
from app.api.models import quoteDB, quoteSchema
from fastapi import APIRouter, HTTPException, Path, Depends ,FastAPI, Request, Header
from typing import List
router = APIRouter()
# Get all the quotes
@router.get("/", response_model=List[quoteDB], dependencies=[Depends(is_logged)])
async def read_all_quotes(request: Request):
return await crud.get_all()
# Add a quote
@router.post("/", response_model=quoteDB, status_code=201, dependencies=[Depends(is_logged), Depends(is_admin)])
async def create_quote(payload: quoteSchema,request: Request):
quote_id = await crud.post(payload)
response_object = {
"id": quote_id,
"title": payload.title,
"description": payload.description,
}
return response_object
# Get quote by id
@router.get("/{id}/", response_model=quoteDB, dependencies=[Depends(is_logged)])
async def read_quote(request: Request, id: int = Path(..., gt=0)):
quote = await crud.get(id)
if not quote:
raise HTTPException(status_code=404, detail="quote not found")
return quote
# Update quote
@router.put("/{id}/", response_model=quoteDB, dependencies=[Depends(is_logged), Depends(is_admin)])
async def update_quote(payload:quoteSchema,request: Request, id:int=Path(...,gt=0)): #Ensures the input is greater than 0
quote = await crud.get(id)
if not quote:
raise HTTPException(status_code=404, detail="quote not found")
quote_id = await crud.put(id, payload)
response_object = {
"id": quote_id,
"title": payload.title,
"description": payload.description
}
return response_object
# Delete quote
@router.delete("/{id}/", response_model=quoteDB, dependencies=[Depends(is_logged), Depends(is_admin)])
async def delete_quote(request: Request,id:int = Path(...,gt=0)):
quote = await crud.get(id)
if not quote:
raise HTTPException(status_code=404, detail="quote not found")
await crud.delete(id)
return quote

43
HTB/mentor/app_backkup/app/app/api/users.py Normal file
View File

@@ -0,0 +1,43 @@
from app.api import crud
from app.api.models import token, userDB, userSchema
from app.api.utils import is_admin, is_logged, is_a_user
from .utils import *
from fastapi import APIRouter, HTTPException, Header, Path, FastAPI, Depends, Request
from typing import List
import os
router = APIRouter()
SECRET = os.getenv('SECRET')
# List users
@router.get('/',response_model=List[userDB], status_code=201, dependencies=[Depends(is_logged), Depends(is_admin)])
async def get_users(request: Request):
return await crud.get_users()
# List user by id
@router.get('/{id}/',response_model=userDB, status_code=201, dependencies=[Depends(is_logged), Depends(is_admin)])
async def get_user_by_id(request: Request,id: int = Path(...,gt=0)):
user = await crud.get_user(id)
if not user:
raise HTTPException(status_code=404, detail="user not found")
return user
# Add a new user
@router.post("/add", response_model=userDB, status_code=201, dependencies=[Depends(is_logged), Depends(is_admin)])
async def create_user(payload: userSchema):
user = await is_a_user(payload)
if user is None:
pass
else:
raise HTTPException(status_code=424, detail="User already exists! ")
user_id = await crud.create_user(payload)
res = {
"id" : user_id,
"email" : payload.email,
"username" : payload.username
}
return res

54
HTB/mentor/app_backkup/app/app/api/utils.py Normal file
View File

@@ -0,0 +1,54 @@
import jwt, os
from typing import Optional
from fastapi import Request, HTTPException, Header
from app.api.models import userSchema
from app.db import database, users
SECRET = os.getenv('SECRET', 'secret123')
ADMIN_USER = os.getenv('ADMIN_USER')
# Create the JWT
def create_jwt(username, email):
global SECRET
payload = {"username":username,"email":email}
token = jwt.encode(payload,str(SECRET),algorithm='HS256')
return token
# Verify the JWT
def verify_jwt(token):
try:
global SECRET
payload = jwt.decode(token, str(SECRET), algorithms=['HS256'])
return True, payload
except Exception as e:
raise e
return False, None
# Check if the user is an admin.
async def is_admin(Authorization: str = Header(...)):
global ADMIN_USER
_, payload = verify_jwt(Authorization)
if payload['username'] == str(ADMIN_USER):
return True
else:
raise HTTPException(status_code=403, detail="Only admin users can access this resource")
# Check if an user exists
async def is_a_user(payload: userSchema):
query = users.select().where(payload.username == users.c.username, payload.email == users.c.email)
return await database.execute(query=query)
# check the user is logged in
async def is_logged(Authorization: str = Header(...)):
logged, body = verify_jwt(Authorization)
query = users.select().where(body['username'] == users.c.username, body['email'] == users.c.email)
user = await database.execute(query=query)
if (logged) and (user is not None):
return True, "Logged in as " + body['username']
else:
raise HTTPException(status_code=401, detail="Unauthorized")

0
HTB/mentor/app_backkup/app/app/config.py Normal file
View File

37
HTB/mentor/app_backkup/app/app/db.py Normal file
View File

@@ -0,0 +1,37 @@
import os
from sqlalchemy import (Column, DateTime, Integer, String, Table, create_engine, MetaData)
from sqlalchemy.sql import func
from databases import Database
# Database url if none is passed the default one is used
DATABASE_URL = os.getenv("DATABASE_URL", "postgresql://postgres:postgres@172.22.0.1/mentorquotes_db")
# SQLAlchemy for quotes
engine = create_engine(DATABASE_URL)
metadata = MetaData()
quotes = Table(
"quotes",
metadata,
Column("id", Integer, primary_key=True),
Column("title", String(50)),
Column("description", String(50)),
Column("created_date", DateTime, default=func.now(), nullable=False)
)
# SQLAlchemy for users
engine = create_engine(DATABASE_URL)
metadata = MetaData()
users = Table(
"users",
metadata,
Column("id", Integer, primary_key=True),
Column("email", String(50)),
Column("username", String(50)),
Column("password", String(128) ,nullable=False)
)
# Databases query builder
database = Database(DATABASE_URL)

52
HTB/mentor/app_backkup/app/app/main.py Normal file
View File

@@ -0,0 +1,52 @@
from fastapi import FastAPI, Request
from starlette.middleware.cors import CORSMiddleware
from app.api import quotes, admin, users, auth
from app.db import engine, metadata, database
metadata.create_all(engine)
app = FastAPI(
title="MentorQuotes",
description="Working towards helping people move forward",
version="0.0.1",
contact={
"name": "james",
"url": "http://mentorquotes.htb",
"email": "james@mentorquotes.htb",
}
)
origins = [
"http://localhost",
"http://localhost:8080",
"*"
]
app.add_middleware(
CORSMiddleware,
allow_origins=["*"],
allow_credentials=True,
allow_methods=["DELETE", "GET", "POST", "PUT"],
allow_headers=["*"],
)
@app.on_event("startup")
async def startup():
await database.connect()
@app.on_event("shutdown")
async def shutdown():
await database.disconnect()
app.include_router(auth.router, prefix="/auth", tags=['Auth'])
app.include_router(users.router, prefix="/users", tags=['Users'])
app.include_router(quotes.router, prefix="/quotes", tags=["Quotes"])
app.include_router(admin.router,prefix='/admin', tags=['Admin'])

43
HTB/mentor/app_backkup/app/app/requirements.txt Normal file
View File

@@ -0,0 +1,43 @@
anyio==3.3.4
asgiref==3.4.1
astroid==2.8.4
asyncpg==0.24.0
attrs==21.2.0
certifi==2021.10.8
chardet==4.0.0
charset-normalizer==2.0.7
click==8.0.3
databases==0.5.3
fastapi==0.70.0
greenlet==1.1.2
h11==0.12.0
httptools==0.3.0
idna==3.3
iniconfig==1.1.1
isort==5.10.0
lazy-object-proxy==1.6.0
mccabe==0.6.1
more-itertools==8.10.0
packaging==21.2
platformdirs==2.4.0
pluggy==1.0.0
psycopg2-binary==2.9.1
py==1.11.0
pydantic==1.8.2
pylint==2.11.1
pyparsing==2.4.7
pytest==6.2.5
requests==2.26.0
six==1.16.0
sniffio==1.2.0
SQLAlchemy==1.4.26
starlette==0.16.0
toml==0.10.2
typing-extensions==3.10.0.2
urllib3==1.26.7
uvicorn==0.15.0
uvloop==0.16.0
wcwidth==0.2.5
websockets==10.0
wrapt==1.13.3
pydantic==1.9.1

41
HTB/mentor/app_backkup/app/requirements.txt Normal file
View File

@@ -0,0 +1,41 @@
anyio==3.3.4
asgiref==3.4.1
astroid==2.8.4
asyncpg==0.24.0
attrs==21.2.0
certifi==2021.10.8
chardet==4.0.0
charset-normalizer==2.0.7
click==8.0.3
databases==0.5.3
fastapi==0.70.0
greenlet==1.1.2
h11==0.12.0
httptools==0.3.0
idna==3.3
iniconfig==1.1.1
isort==5.10.0
lazy-object-proxy==1.6.0
mccabe==0.6.1
more-itertools==8.10.0
packaging==21.2
platformdirs==2.4.0
pluggy==1.0.0
psycopg2-binary==2.9.3
py==1.11.0
pylint==2.11.1
pyparsing==2.4.7
pytest==6.2.5
requests==2.26.0
six==1.16.0
sniffio==1.2.0
SQLAlchemy==1.4.26
starlette==0.16.0
toml==0.10.2
typing-extensions==3.10.0.2
urllib3==1.26.7
uvicorn==0.15.0
wcwidth==0.2.5
websockets==9.1
wrapt==1.13.3
pydantic==1.9.1

1
HTB/mentor/ferox-http_mentor_htb:80_-1675786335.state Normal file
View File

@@ -0,0 +1 @@
{"scans":[{"id":"e0c62a76639a492dacf3a0dd06c4fd96","url":"http://mentor.htb:80/","normalized_url":"http://mentor.htb:80/","scan_type":"Directory","status":"NotStarted","num_requests":833000}],"config":{"type":"configuration","wordlist":"/root/.local/share/AutoRecon/wordlists/dirbuster.txt","config":"/etc/feroxbuster/ferox-config.toml","proxy":"","replay_proxy":"","target_url":"http://mentor.htb:80/","status_codes":[200,204,301,302,307,308,401,403,405,500],"replay_codes":[200,204,301,302,307,308,401,403,405,500],"filter_status":[],"threads":10,"timeout":7,"verbosity":1,"silent":false,"quiet":true,"auto_bail":false,"auto_tune":false,"json":false,"output":"/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt","debug_log":"","user_agent":"feroxbuster/2.7.3","random_agent":false,"redirects":false,"insecure":true,"extensions":["txt","html","php","asp","aspx","jsp"],"methods":["GET"],"data":[],"headers":{},"queries":[],"no_recursion":true,"extract_links":true,"add_slash":false,"stdin":false,"depth":4,"scan_limit":0,"parallel":0,"rate_limit":0,"filter_size":[],"filter_line_count":[],"filter_word_count":[],"filter_regex":[],"dont_filter":false,"resumed":false,"resume_from":"","save_state":true,"time_limit":"","filter_similar":[],"url_denylist":[],"regex_denylist":[],"collect_extensions":false,"dont_collect":["tif","tiff","ico","cur","bmp","webp","svg","png","jpg","jpeg","jfif","gif","avif","apng","pjpeg","pjp","mov","wav","mpg","mpeg","mp3","mp4","m4a","m4p","m4v","ogg","webm","ogv","oga","flac","aac","3gp","css","zip","xls","xml","gz","tgz"],"collect_backups":false,"collect_words":false,"force_recursion":false},"responses":[],"statistics":{"type":"statistics","timeouts":0,"requests":2,"expected_per_scan":833000,"total_expected":833000,"errors":1,"successes":0,"redirects":1,"client_errors":0,"server_errors":0,"total_scans":1,"initial_targets":0,"links_extracted":0,"extensions_collected":0,"status_200s":0,"status_301s":0,"status_302s":1,"status_401s":0,"status_403s":0,"status_429s":0,"status_500s":0,"status_503s":0,"status_504s":0,"status_508s":0,"wildcards_filtered":0,"responses_filtered":0,"resources_discovered":0,"url_format_errors":0,"redirection_errors":0,"connection_errors":1,"request_errors":0,"directory_scan_times":[],"total_runtime":[0.0]},"collected_extensions":[],"filters":[]}

0
HTB/mentor/results/report/local.txt Normal file
View File

20
HTB/mentor/results/report/notes.txt Normal file
View File

@@ -0,0 +1,20 @@
[*] ssh found on tcp/22.
[*] http found on tcp/80.
[*] ssh found on tcp/22.
[*] http found on tcp/80.
[*] snmp found on udp/161.

0
HTB/mentor/results/report/proof.txt Normal file
View File

79
HTB/mentor/results/report/report.md/mentor.htb/Commands.md Normal file
View File

@@ -0,0 +1,79 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/mentor/results/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/xml/_quick_tcp_nmap.xml" mentor.htb
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/mentor/results/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/xml/_full_tcp_nmap.xml" mentor.htb
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/kali/htb/mentor/results/scans/_top_100_udp_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/xml/_top_100_udp_nmap.xml" mentor.htb
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/mentor/results/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml" mentor.htb
feroxbuster -u http://mentor.htb:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
curl -sSikf http://mentor.htb:80/.well-known/security.txt
curl -sSikf http://mentor.htb:80/robots.txt
curl -sSik http://mentor.htb:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/tcp80/xml/tcp_80_http_nmap.xml" mentor.htb
curl -sk -o /dev/null -H "Host: DkVAlVYhhsOjIxsCpgdD.mentor.htb" http://mentor.htb:80/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://mentor.htb:80 2>&1
wkhtmltoimage --format png http://mentor.htb:80/ /home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_screenshot.png
ffuf -u http://mentor.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.mentor.htb" -fs 305 -noninteractive -s | tee "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_mentor.htb_vhosts_subdomains-top1million-110000.txt"
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/mentor/results/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/xml/_quick_tcp_nmap.xml" mentor.htb
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/mentor/results/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/xml/_full_tcp_nmap.xml" mentor.htb
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/kali/htb/mentor/results/scans/_top_100_udp_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/xml/_top_100_udp_nmap.xml" mentor.htb
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/mentor/results/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml" mentor.htb
feroxbuster -u http://mentor.htb:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
curl -sSikf http://mentor.htb:80/.well-known/security.txt
curl -sSikf http://mentor.htb:80/robots.txt
curl -sSik http://mentor.htb:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/tcp80/xml/tcp_80_http_nmap.xml" mentor.htb
curl -sk -o /dev/null -H "Host: WSNGRtYtRhMJqBsBbrHE.mentor.htb" http://mentor.htb:80/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://mentor.htb:80 2>&1
wkhtmltoimage --format png http://mentor.htb:80/ /home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_screenshot.png
ffuf -u http://mentor.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.mentor.htb" -fs 305 -noninteractive -s | tee "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_mentor.htb_vhosts_subdomains-top1million-110000.txt"
nmap -vv --reason -Pn -T4 -sU -sV -p 161 --script="banner,(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/kali/htb/mentor/results/scans/udp161/udp_161_snmp-nmap.txt" -oX "/home/kali/htb/mentor/results/scans/udp161/xml/udp_161_snmp_nmap.xml" mentor.htb
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt -dd mentor.htb 2>&1
snmpwalk -c public -v 1 mentor.htb 2>&1
snmpwalk -c public -v 1 mentor.htb 1.3.6.1.2.1.25.1.6.0 2>&1
snmpwalk -c public -v 1 mentor.htb 1.3.6.1.2.1.25.4.2.1.2 2>&1
snmpwalk -c public -v 1 mentor.htb 1.3.6.1.2.1.25.4.2.1.4 2>&1
snmpwalk -c public -v 1 mentor.htb 1.3.6.1.2.1.25.2.3.1.4 2>&1
snmpwalk -c public -v 1 mentor.htb 1.3.6.1.2.1.25.2.3.1.4 2>&1
snmpwalk -c public -v 1 mentor.htb 1.3.6.1.4.1.77.1.2.25 2>&1
snmpwalk -c public -v 1 mentor.htb 1.3.6.1.2.1.6.13.1.3 2>&1
curl -sk -o /dev/null -H "Host: ulHLBfgwlNbtGPVJGIXe.mentorquotes.htb" http://mentorquotes.htb:80/ -w "%{size_download}"
ffuf -u http://mentorquotes.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.mentorquotes.htb" -fs 311 -noninteractive -s | tee "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_mentorquotes.htb_vhosts_subdomains-top1million-110000.txt"
```

20
HTB/mentor/results/report/report.md/mentor.htb/Errors.md Normal file
View File

@@ -0,0 +1,20 @@
```
[*] Service scan wkhtmltoimage (tcp/80/http/wkhtmltoimage) ran a command which returned a non-zero exit code (1).
[-] Command: wkhtmltoimage --format png http://mentor.htb:80/ /home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_screenshot.png
[-] Error Output:
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
Loading page (1/2)
[> ] 0%
Error: Failed to load http://mentorquotes.htb/, with network status code 3 and http status code 0 - Host mentorquotes.htb not found
[============================================================] 100%
Error: Failed loading page http://mentor.htb:80/ (sometimes it will work just to ignore this error with --load-error-handling ignore)
Exit with code 1 due to network error: HostNotFoundError
[*] Service scan OneSixtyOne (udp/161/snmp/onesixtyone) ran a command which returned a non-zero exit code (1).
[-] Command: onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt -dd mentor.htb 2>&1
[-] Error Output:
```

67
HTB/mentor/results/report/report.md/mentor.htb/Manual Commands.md Normal file
View File

@@ -0,0 +1,67 @@
```bash
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/kali/htb/mentor/results/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://mentor.htb
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/kali/htb/mentor/results/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h mentor.htb
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://mentor.htb:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://mentor.htb/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h mentor.htb -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://mentor.htb/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h mentor.htb -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://mentor.htb:80 2>&1 | tee "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://mentor.htb:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_wpscan.txt"
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/kali/htb/mentor/results/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://mentor.htb
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/kali/htb/mentor/results/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h mentor.htb
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://mentor.htb:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://mentor.htb/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h mentor.htb -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://mentor.htb/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h mentor.htb -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://mentor.htb:80 2>&1 | tee "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://mentor.htb:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_wpscan.txt"
```

4
HTB/mentor/results/report/report.md/mentor.htb/Patterns.md Normal file
View File

@@ -0,0 +1,4 @@
Identified HTTP Server: Apache/2.4.52 (Ubuntu)
Identified HTTP Server: Apache/2.4.52 (Ubuntu)

59
HTB/mentor/results/report/report.md/mentor.htb/Port Scans/PortScan - All TCP Ports.md Normal file
View File

@@ -0,0 +1,59 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/mentor/results/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/xml/_full_tcp_nmap.xml" mentor.htb
```
[/home/kali/htb/mentor/results/scans/_full_tcp_nmap.txt](file:///home/kali/htb/mentor/results/scans/_full_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Tue Feb 7 17:12:24 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/kali/htb/mentor/results/scans/_full_tcp_nmap.txt -oX /home/kali/htb/mentor/results/scans/xml/_full_tcp_nmap.xml mentor.htb
Nmap scan report for mentor.htb (10.10.11.193)
Host is up, received user-set (0.056s latency).
Scanned at 2023-02-07 17:12:24 CET for 35s
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c73bfc3cf9ceee8b4818d5d1af8ec2bb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO6yWCATcj2UeU/SgSa+wK2fP5ixsrHb6pgufdO378n+BLNiDB6ljwm3U3PPdbdQqGZo1K7Tfsz+ejZj1nV80RY=
| 256 4440084c0ecbd4f18e7eeda85c68a4f7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJjv9f3Jbxj42smHEXcChFPMNh1bqlAFHLi4Nr7w9fdv
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://mentorquotes.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
Aggressive OS guesses: Linux 4.15 - 5.6 (94%), Linux 5.3 - 5.4 (94%), Linux 2.6.32 (94%), Linux 5.0 - 5.3 (93%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Crestron XPanel control system (91%), Linux 5.4 (91%), Linux 3.1 - 3.2 (90%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=2/7%OT=22%CT=1%CU=%PV=Y%DS=2%DC=T%G=N%TM=63E2788B%P=x86_64-pc-linux-gnu)
SEQ(SP=FE%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)
OPS(O1=M54BST11NW7%O2=M54BST11NW7%O3=M54BNNT11NW7%O4=M54BST11NW7%O5=M54BST11NW7%O6=M54BST11)
WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M54BNNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 30.285 days (since Sun Jan 8 10:22:03 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: mentorquotes.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 111/tcp)
HOP RTT ADDRESS
1 87.00 ms 10.10.16.1
2 87.07 ms mentor.htb (10.10.11.193)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 7 17:12:59 2023 -- 1 IP address (1 host up) scanned in 35.28 seconds
```

155
HTB/mentor/results/report/report.md/mentor.htb/Port Scans/PortScan - Top 100 UDP Ports.md Normal file
View File

@@ -0,0 +1,155 @@
```bash
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/kali/htb/mentor/results/scans/_top_100_udp_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/xml/_top_100_udp_nmap.xml" mentor.htb
```
[/home/kali/htb/mentor/results/scans/_top_100_udp_nmap.txt](file:///home/kali/htb/mentor/results/scans/_top_100_udp_nmap.txt):
```
# Nmap 7.93 scan initiated Tue Feb 7 17:12:24 2023 as: nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN /home/kali/htb/mentor/results/scans/_top_100_udp_nmap.txt -oX /home/kali/htb/mentor/results/scans/xml/_top_100_udp_nmap.xml mentor.htb
Increasing send delay for 10.10.11.193 from 0 to 50 due to 11 out of 16 dropped probes since last increase.
Increasing send delay for 10.10.11.193 from 50 to 100 due to 11 out of 16 dropped probes since last increase.
adjust_timeouts2: packet supposedly had rtt of -288682 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -559589 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -559589 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -272388 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -272388 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -275261 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -275261 microseconds. Ignoring time.
Nmap scan report for mentor.htb (10.10.11.193)
Host is up, received user-set (0.029s latency).
Scanned at 2023-02-07 17:12:25 CET for 391s
PORT STATE SERVICE REASON VERSION
7/udp closed echo port-unreach ttl 63
9/udp open|filtered discard no-response
17/udp closed qotd port-unreach ttl 63
19/udp closed chargen port-unreach ttl 63
49/udp open|filtered tacacs no-response
53/udp open|filtered domain no-response
67/udp open|filtered dhcps no-response
68/udp open|filtered dhcpc no-response
69/udp closed tftp port-unreach ttl 63
80/udp open|filtered http no-response
88/udp open|filtered kerberos-sec no-response
111/udp open|filtered rpcbind no-response
120/udp closed cfdptkt port-unreach ttl 63
123/udp open|filtered ntp no-response
135/udp closed msrpc port-unreach ttl 63
136/udp open|filtered profile no-response
137/udp closed netbios-ns port-unreach ttl 63
138/udp closed netbios-dgm port-unreach ttl 63
139/udp closed netbios-ssn port-unreach ttl 63
158/udp open|filtered pcmail-srv no-response
161/udp open snmp udp-response ttl 63 SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-sysdescr: Linux mentor 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64
|_ System uptime: 5m59.23s (35923 timeticks)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: a124f60a99b99c6200000000
| snmpEngineBoots: 67
|_ snmpEngineTime: 5m59s
162/udp open|filtered snmptrap no-response
177/udp open|filtered xdmcp no-response
427/udp open|filtered svrloc no-response
443/udp open|filtered https no-response
445/udp closed microsoft-ds port-unreach ttl 63
497/udp open|filtered retrospect no-response
500/udp closed isakmp port-unreach ttl 63
514/udp open|filtered syslog no-response
515/udp open|filtered printer no-response
518/udp closed ntalk port-unreach ttl 63
520/udp open|filtered route no-response
593/udp open|filtered http-rpc-epmap no-response
623/udp open|filtered asf-rmcp no-response
626/udp open|filtered serialnumberd no-response
631/udp open|filtered ipp no-response
996/udp open|filtered vsinet no-response
997/udp closed maitrd port-unreach ttl 63
998/udp open|filtered puparp no-response
999/udp open|filtered applix no-response
1022/udp open|filtered exp2 no-response
1023/udp open|filtered unknown no-response
1025/udp open|filtered blackjack no-response
1026/udp open|filtered win-rpc no-response
1027/udp closed unknown port-unreach ttl 63
1028/udp closed ms-lsa port-unreach ttl 63
1029/udp open|filtered solid-mux no-response
1030/udp open|filtered iad1 no-response
1433/udp closed ms-sql-s port-unreach ttl 63
1434/udp open|filtered ms-sql-m no-response
1645/udp open|filtered radius no-response
1646/udp open|filtered radacct no-response
1701/udp closed L2TP port-unreach ttl 63
1718/udp open|filtered h225gatedisc no-response
1719/udp open|filtered h323gatestat no-response
1812/udp open|filtered radius no-response
1813/udp open|filtered radacct no-response
1900/udp open|filtered upnp no-response
2000/udp closed cisco-sccp port-unreach ttl 63
2048/udp open|filtered dls-monitor no-response
2049/udp closed nfs port-unreach ttl 63
2222/udp closed msantipiracy port-unreach ttl 63
2223/udp closed rockwell-csp2 port-unreach ttl 63
3283/udp closed netassistant port-unreach ttl 63
3456/udp open|filtered IISrpc-or-vat no-response
3703/udp closed adobeserver-3 port-unreach ttl 63
4444/udp closed krb524 port-unreach ttl 63
4500/udp open|filtered nat-t-ike no-response
5000/udp closed upnp port-unreach ttl 63
5060/udp closed sip port-unreach ttl 63
5353/udp open|filtered zeroconf no-response
5632/udp open|filtered pcanywherestat no-response
9200/udp closed wap-wsp port-unreach ttl 63
10000/udp open|filtered ndmp no-response
17185/udp open|filtered wdbrpc no-response
20031/udp open|filtered bakbonenetvault no-response
30718/udp closed unknown port-unreach ttl 63
31337/udp open|filtered BackOrifice no-response
32768/udp closed omad port-unreach ttl 63
32769/udp open|filtered filenet-rpc no-response
32771/udp open|filtered sometimes-rpc6 no-response
32815/udp closed unknown port-unreach ttl 63
33281/udp open|filtered unknown no-response
49152/udp open|filtered unknown no-response
49153/udp open|filtered unknown no-response
49154/udp open|filtered unknown no-response
49156/udp open|filtered unknown no-response
49181/udp open|filtered unknown no-response
49182/udp open|filtered unknown no-response
49185/udp closed unknown port-unreach ttl 63
49186/udp open|filtered unknown no-response
49188/udp open|filtered unknown no-response
49190/udp closed unknown port-unreach ttl 63
49191/udp open|filtered unknown no-response
49192/udp closed unknown port-unreach ttl 63
49193/udp open|filtered unknown no-response
49194/udp open|filtered unknown no-response
49200/udp closed unknown port-unreach ttl 63
49201/udp open|filtered unknown no-response
65024/udp closed unknown port-unreach ttl 63
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: remote management|phone|general purpose|webcam|storage-misc
Running: Avocent embedded, Google Android 2.X, Linux 2.6.X, AXIS embedded, ZyXEL embedded
OS CPE: cpe:/o:google:android:2.2 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:2.6.17 cpe:/h:axis:210a_network_camera cpe:/h:axis:211_network_camera cpe:/h:zyxel:nsa-210
OS details: Avocent/Cyclades ACS 6000, Android 2.2 (Linux 2.6), Linux 2.6.14 - 2.6.34, Linux 2.6.17, Linux 2.6.17 (Mandriva), Linux 2.6.32, AXIS 210A or 211 Network Camera (Linux 2.6.17), ZyXEL NSA-210 NAS device
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=2/7%OT=%CT=%CU=7%PV=Y%DS=2%DC=T%G=N%TM=63E279F0%P=x86_
OS:64-pc-linux-gnu)SEQ(CI=Z)SEQ(CI=Z%II=I)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=A
OS:R%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=4
OS:0%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=
OS:G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: Host: mentor
TRACEROUTE (using port 138/udp)
HOP RTT ADDRESS
1 24.51 ms 10.10.16.1
2 23.94 ms mentor.htb (10.10.11.193)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 7 17:18:56 2023 -- 1 IP address (1 host up) scanned in 392.24 seconds
```

63
HTB/mentor/results/report/report.md/mentor.htb/Port Scans/PortScan - Top TCP Ports.md Normal file
View File

@@ -0,0 +1,63 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/mentor/results/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/xml/_quick_tcp_nmap.xml" mentor.htb
```
[/home/kali/htb/mentor/results/scans/_quick_tcp_nmap.txt](file:///home/kali/htb/mentor/results/scans/_quick_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Tue Feb 7 17:12:24 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/htb/mentor/results/scans/_quick_tcp_nmap.txt -oX /home/kali/htb/mentor/results/scans/xml/_quick_tcp_nmap.xml mentor.htb
adjust_timeouts2: packet supposedly had rtt of -379307 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -379307 microseconds. Ignoring time.
Nmap scan report for mentor.htb (10.10.11.193)
Host is up, received user-set (0.038s latency).
Scanned at 2023-02-07 17:12:24 CET for 28s
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c73bfc3cf9ceee8b4818d5d1af8ec2bb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO6yWCATcj2UeU/SgSa+wK2fP5ixsrHb6pgufdO378n+BLNiDB6ljwm3U3PPdbdQqGZo1K7Tfsz+ejZj1nV80RY=
| 256 4440084c0ecbd4f18e7eeda85c68a4f7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJjv9f3Jbxj42smHEXcChFPMNh1bqlAFHLi4Nr7w9fdv
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://mentorquotes.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
Aggressive OS guesses: Linux 4.15 - 5.6 (94%), Linux 5.3 - 5.4 (94%), Linux 2.6.32 (94%), Linux 5.0 - 5.3 (93%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Linux 5.0 (91%), Crestron XPanel control system (91%), Linux 2.6.39 - 3.2 (90%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=2/7%OT=22%CT=1%CU=%PV=Y%DS=2%DC=T%G=N%TM=63E27884%P=x86_64-pc-linux-gnu)
SEQ(SP=107%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)
OPS(O1=M54BST11NW7%O2=M54BST11NW7%O3=M54BNNT11NW7%O4=M54BST11NW7%O5=M54BST11NW7%O6=M54BST11)
WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M54BNNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=N)
T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 30.285 days (since Sun Jan 8 10:22:02 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: mentorquotes.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 554/tcp)
HOP RTT ADDRESS
1 27.07 ms 10.10.16.1
2 50.43 ms mentor.htb (10.10.11.193)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 7 17:12:52 2023 -- 1 IP address (1 host up) scanned in 27.71 seconds
```

69
HTB/mentor/results/report/report.md/mentor.htb/Services/Service - tcp-22-ssh/Nmap SSH.md Normal file
View File

@@ -0,0 +1,69 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/mentor/results/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml" mentor.htb
```
[/home/kali/htb/mentor/results/scans/tcp22/tcp_22_ssh_nmap.txt](file:///home/kali/htb/mentor/results/scans/tcp22/tcp_22_ssh_nmap.txt):
```
# Nmap 7.93 scan initiated Tue Feb 7 17:12:52 2023 as: nmap -vv --reason -Pn -T4 -sV -p 22 --script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/kali/htb/mentor/results/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/kali/htb/mentor/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml mentor.htb
Nmap scan report for mentor.htb (10.10.11.193)
Host is up, received user-set (0.034s latency).
Scanned at 2023-02-07 17:12:52 CET for 2s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c73bfc3cf9ceee8b4818d5d1af8ec2bb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO6yWCATcj2UeU/SgSa+wK2fP5ixsrHb6pgufdO378n+BLNiDB6ljwm3U3PPdbdQqGZo1K7Tfsz+ejZj1nV80RY=
| 256 4440084c0ecbd4f18e7eeda85c68a4f7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJjv9f3Jbxj42smHEXcChFPMNh1bqlAFHLi4Nr7w9fdv
|_banner: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
| ssh2-enum-algos:
| kex_algorithms: (10)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| sntrup761x25519-sha512@openssh.com
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| diffie-hellman-group14-sha256
| server_host_key_algorithms: (4)
| rsa-sha2-512
| rsa-sha2-256
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (6)
| chacha20-poly1305@openssh.com
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| mac_algorithms: (10)
| umac-64-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-64@openssh.com
| umac-128@openssh.com
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 7 17:12:54 2023 -- 1 IP address (1 host up) scanned in 1.70 seconds
```

25
HTB/mentor/results/report/report.md/mentor.htb/Services/Service - tcp-80-http/Curl Robots.md Normal file
View File

@@ -0,0 +1,25 @@
```bash
curl -sSikf http://mentor.htb:80/robots.txt
```
[/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_curl-robots.txt](file:///home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_curl-robots.txt):
```
HTTP/1.1 302 Found
Date: Tue, 07 Feb 2023 16:12:52 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: http://mentorquotes.htb/
Content-Length: 284
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://mentorquotes.htb/">here</a>.</p>
<hr>
<address>Apache/2.4.52 (Ubuntu) Server at mentor.htb Port 80</address>
</body></html>
```

26
HTB/mentor/results/report/report.md/mentor.htb/Services/Service - tcp-80-http/Curl.md Normal file
View File

@@ -0,0 +1,26 @@
```bash
curl -sSik http://mentor.htb:80/
```
[/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_curl.html](file:///home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_curl.html):
```
HTTP/1.1 302 Found
Date: Tue, 07 Feb 2023 16:12:52 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: http://mentorquotes.htb/
Content-Length: 284
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://mentorquotes.htb/">here</a>.</p>
<hr>
<address>Apache/2.4.52 (Ubuntu) Server at mentor.htb Port 80</address>
</body></html>
```

13
HTB/mentor/results/report/report.md/mentor.htb/Services/Service - tcp-80-http/Directory Buster.md Normal file
View File

@@ -0,0 +1,13 @@
```bash
feroxbuster -u http://mentor.htb:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
```
[/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt](file:///home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt):
```
WLD GET 9l 26w 284c Got 302 for http://mentor.htb/00c755e63ad64560b48b10265e062587 (url length: 32)
WLD - - - http://mentor.htb/00c755e63ad64560b48b10265e062587 => http://mentorquotes.htb/
WLD GET 9l 26w 284c Got 302 for http://mentor.htb/6e22794eff354e3bb2d3eaf96e7816a3aab410720213421091e219809755dcc23a26646b56b448f99820dc1b8d0582c1 (url length: 96)
WLD - - - http://mentor.htb/6e22794eff354e3bb2d3eaf96e7816a3aab410720213421091e219809755dcc23a26646b56b448f99820dc1b8d0582c1 => http://mentorquotes.htb/
```

25
HTB/mentor/results/report/report.md/mentor.htb/Services/Service - tcp-80-http/Known Security.md Normal file
View File

@@ -0,0 +1,25 @@
```bash
curl -sSikf http://mentor.htb:80/.well-known/security.txt
```
[/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_known-security.txt](file:///home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_known-security.txt):
```
HTTP/1.1 302 Found
Date: Tue, 07 Feb 2023 16:12:52 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: http://mentorquotes.htb/
Content-Length: 284
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://mentorquotes.htb/">here</a>.</p>
<hr>
<address>Apache/2.4.52 (Ubuntu) Server at mentor.htb Port 80</address>
</body></html>
```

83
HTB/mentor/results/report/report.md/mentor.htb/Services/Service - tcp-80-http/Nmap HTTP.md Normal file
View File

@@ -0,0 +1,83 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/tcp80/xml/tcp_80_http_nmap.xml" mentor.htb
```
[/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_nmap.txt](file:///home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_nmap.txt):
```
# Nmap 7.93 scan initiated Tue Feb 7 17:12:52 2023 as: nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_nmap.txt -oX /home/kali/htb/mentor/results/scans/tcp80/xml/tcp_80_http_nmap.xml mentor.htb
Nmap scan report for mentor.htb (10.10.11.193)
Host is up, received user-set (0.065s latency).
Scanned at 2023-02-07 17:12:52 CET for 18s
Bug in http-security-headers: no string output.
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.52
|_http-chrono: Request times for /; avg: 164.16ms; min: 153.80ms; max: 181.69ms
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
| http-sitemap-generator:
| Directory structure:
| Longest directory structure:
| Depth: 0
| Dir: /
| Total files found (by extension):
|_
| http-headers:
| Date: Tue, 07 Feb 2023 16:13:04 GMT
| Server: Apache/2.4.52 (Ubuntu)
| Location: http://mentorquotes.htb/
| Content-Length: 284
| Connection: close
| Content-Type: text/html; charset=iso-8859-1
|
|_ (Request type: GET)
| http-vhosts:
|_128 names had status 302
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-referer-checker: Couldn't find any cross-domain scripts.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
|_http-errors: Couldn't find any error pages.
| http-useragent-tester:
| Status for browser useragent: 200
| Redirected To: http://mentorquotes.htb/
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
|_http-feed: Couldn't find any feeds.
|_http-comments-displayer: Couldn't find any comments.
|_http-mobileversion-checker: No mobile version detected.
|_http-date: Tue, 07 Feb 2023 16:13:01 GMT; 0s from local time.
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-title: Did not follow redirect to http://mentorquotes.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: Host: mentorquotes.htb
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 7 17:13:10 2023 -- 1 IP address (1 host up) scanned in 17.76 seconds
```

226049
HTB/mentor/results/report/report.md/mentor.htb/Services/Service - tcp-80-http/Virtual Host Enumeration.md Normal file
View File

File diff suppressed because it is too large Load Diff

97
HTB/mentor/results/report/report.md/mentor.htb/Services/Service - tcp-80-http/whatweb.md Normal file
View File

@@ -0,0 +1,97 @@
```bash
whatweb --color=never --no-errors -a 3 -v http://mentor.htb:80 2>&1
```
[/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_whatweb.txt](file:///home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_whatweb.txt):
```
WhatWeb report for http://mentor.htb:80
Status : 302 Found
Title : 302 Found
IP : 10.10.11.193
Country : RESERVED, ZZ
Summary : Apache[2.4.52], HTTPServer[Ubuntu Linux][Apache/2.4.52 (Ubuntu)], RedirectLocation[http://mentorquotes.htb/]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.52 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : Apache/2.4.52 (Ubuntu) (from server string)
[ RedirectLocation ]
HTTP Server string location. used with http-status 301 and
302
String : http://mentorquotes.htb/ (from location)
HTTP Headers:
HTTP/1.1 302 Found
Date: Tue, 07 Feb 2023 16:12:53 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: http://mentorquotes.htb/
Content-Length: 284
Connection: close
Content-Type: text/html; charset=iso-8859-1
WhatWeb report for http://mentorquotes.htb/
Status : 200 OK
Title : MentorQuotes
IP : 10.10.11.193
Country : RESERVED, ZZ
Summary : HTML5, HTTPServer[Werkzeug/2.0.3 Python/3.6.9], Python[3.6.9], Werkzeug[2.0.3]
Detected Plugins:
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : Werkzeug/2.0.3 Python/3.6.9 (from server string)
[ Python ]
Python is a programming language that lets you work more
quickly and integrate your systems more effectively. You
can learn to use Python and see almost immediate gains in
productivity and lower maintenance costs.
Version : 3.6.9
Website : http://www.python.org/
[ Werkzeug ]
Werkzeug is a WSGI utility library for Python.
Version : 2.0.3
Website : http://werkzeug.pocoo.org/
HTTP Headers:
HTTP/1.1 200 OK
Date: Tue, 07 Feb 2023 16:12:56 GMT
Server: Werkzeug/2.0.3 Python/3.6.9
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2029
Connection: close
```

3
HTB/mentor/results/report/report.md/mentor.htb/Services/Service - tcp-80-http/wkhtmltoimage.md Normal file
View File

@@ -0,0 +1,3 @@
```bash
wkhtmltoimage --format png http://mentor.htb:80/ /home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_screenshot.png
```

29
HTB/mentor/results/report/report.md/mentor.htb/Services/Service - udp-161-snmp/Nmap SNMP.md Normal file
View File

@@ -0,0 +1,29 @@
```bash
nmap -vv --reason -Pn -T4 -sU -sV -p 161 --script="banner,(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/kali/htb/mentor/results/scans/udp161/udp_161_snmp-nmap.txt" -oX "/home/kali/htb/mentor/results/scans/udp161/xml/udp_161_snmp_nmap.xml" mentor.htb
```
[/home/kali/htb/mentor/results/scans/udp161/udp_161_snmp-nmap.txt](file:///home/kali/htb/mentor/results/scans/udp161/udp_161_snmp-nmap.txt):
```
# Nmap 7.93 scan initiated Tue Feb 7 17:18:56 2023 as: nmap -vv --reason -Pn -T4 -sU -sV -p 161 "--script=banner,(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/kali/htb/mentor/results/scans/udp161/udp_161_snmp-nmap.txt -oX /home/kali/htb/mentor/results/scans/udp161/xml/udp_161_snmp_nmap.xml mentor.htb
Nmap scan report for mentor.htb (10.10.11.193)
Host is up, received user-set (0.042s latency).
Scanned at 2023-02-07 17:18:57 CET for 15s
PORT STATE SERVICE REASON VERSION
161/udp open snmp udp-response ttl 63 SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: a124f60a99b99c6200000000
| snmpEngineBoots: 67
|_ snmpEngineTime: 8m27s
| snmp-sysdescr: Linux mentor 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64
|_ System uptime: 8m27.56s (50756 timeticks)
Service Info: Host: mentor
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 7 17:19:12 2023 -- 1 IP address (1 host up) scanned in 15.19 seconds
```

12
HTB/mentor/results/report/report.md/mentor.htb/Services/Service - udp-161-snmp/OneSixtyOne.md Normal file
View File

@@ -0,0 +1,12 @@
```bash
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt -dd mentor.htb 2>&1
```
[/home/kali/htb/mentor/results/scans/udp161/udp_161_snmp_onesixtyone.txt](file:///home/kali/htb/mentor/results/scans/udp161/udp_161_snmp_onesixtyone.txt):
```
Debug level 2
Malformed IP address: mentor.htb
```

134
HTB/mentor/results/report/report.md/mentor.htb/Services/Service - udp-161-snmp/SNMPWalk.md Normal file
View File

@@ -0,0 +1,134 @@
```bash
snmpwalk -c public -v 1 mentor.htb 2>&1
```
[/home/kali/htb/mentor/results/scans/udp161/udp_161_snmp_snmpwalk.txt](file:///home/kali/htb/mentor/results/scans/udp161/udp_161_snmp_snmpwalk.txt):
```
Created directory: /var/lib/snmp/cert_indexes
iso.3.6.1.2.1.1.1.0 = STRING: "Linux mentor 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (50699) 0:08:26.99
iso.3.6.1.2.1.1.4.0 = STRING: "Me <admin@mentorquotes.htb>"
iso.3.6.1.2.1.1.5.0 = STRING: "mentor"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (2) 0:00:00.02
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (2) 0:00:00.02
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (2) 0:00:00.02
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (52639) 0:08:46.39
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E7 02 07 10 12 3A 00 2B 00 00
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-5.15.0-56-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro net.ifnames=0 biosdevname=0
"
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 0
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 235
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
End of MIB
```
```bash
snmpwalk -c public -v 1 mentor.htb 1.3.6.1.2.1.25.1.6.0 2>&1
```
[/home/kali/htb/mentor/results/scans/udp161/udp_161_snmp_snmpwalk_system_processes.txt](file:///home/kali/htb/mentor/results/scans/udp161/udp_161_snmp_snmpwalk_system_processes.txt):
```
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 235
```
```bash
snmpwalk -c public -v 1 mentor.htb 1.3.6.1.2.1.25.4.2.1.2 2>&1
```
[/home/kali/htb/mentor/results/scans/udp161/udp_161_snmp_snmpwalk_running_processes.txt](file:///home/kali/htb/mentor/results/scans/udp161/udp_161_snmp_snmpwalk_running_processes.txt):
```
End of MIB
```
```bash
snmpwalk -c public -v 1 mentor.htb 1.3.6.1.2.1.25.4.2.1.4 2>&1
```
[/home/kali/htb/mentor/results/scans/udp161/udp_161_snmp_snmpwalk_process_paths.txt](file:///home/kali/htb/mentor/results/scans/udp161/udp_161_snmp_snmpwalk_process_paths.txt):
```
End of MIB
```
```bash
snmpwalk -c public -v 1 mentor.htb 1.3.6.1.2.1.25.2.3.1.4 2>&1
```
[/home/kali/htb/mentor/results/scans/udp161/udp_161_snmp_snmpwalk_storage_units.txt](file:///home/kali/htb/mentor/results/scans/udp161/udp_161_snmp_snmpwalk_storage_units.txt):
```
End of MIB
```
```bash
snmpwalk -c public -v 1 mentor.htb 1.3.6.1.2.1.25.2.3.1.4 2>&1
```
[/home/kali/htb/mentor/results/scans/udp161/udp_161_snmp_snmpwalk_software_names.txt](file:///home/kali/htb/mentor/results/scans/udp161/udp_161_snmp_snmpwalk_software_names.txt):
```
End of MIB
```
```bash
snmpwalk -c public -v 1 mentor.htb 1.3.6.1.4.1.77.1.2.25 2>&1
```
[/home/kali/htb/mentor/results/scans/udp161/udp_161_snmp_snmpwalk_user_accounts.txt](file:///home/kali/htb/mentor/results/scans/udp161/udp_161_snmp_snmpwalk_user_accounts.txt):
```
End of MIB
```
```bash
snmpwalk -c public -v 1 mentor.htb 1.3.6.1.2.1.6.13.1.3 2>&1
```
[/home/kali/htb/mentor/results/scans/udp161/udp_161_snmp_snmpwalk_tcp_ports.txt](file:///home/kali/htb/mentor/results/scans/udp161/udp_161_snmp_snmpwalk_tcp_ports.txt):
```
```

76
HTB/mentor/results/scans/_commands.log Normal file
View File

@@ -0,0 +1,76 @@
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/mentor/results/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/xml/_quick_tcp_nmap.xml" mentor.htb
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/mentor/results/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/xml/_full_tcp_nmap.xml" mentor.htb
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/kali/htb/mentor/results/scans/_top_100_udp_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/xml/_top_100_udp_nmap.xml" mentor.htb
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/mentor/results/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml" mentor.htb
feroxbuster -u http://mentor.htb:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
curl -sSikf http://mentor.htb:80/.well-known/security.txt
curl -sSikf http://mentor.htb:80/robots.txt
curl -sSik http://mentor.htb:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/tcp80/xml/tcp_80_http_nmap.xml" mentor.htb
curl -sk -o /dev/null -H "Host: DkVAlVYhhsOjIxsCpgdD.mentor.htb" http://mentor.htb:80/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://mentor.htb:80 2>&1
wkhtmltoimage --format png http://mentor.htb:80/ /home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_screenshot.png
ffuf -u http://mentor.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.mentor.htb" -fs 305 -noninteractive -s | tee "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_mentor.htb_vhosts_subdomains-top1million-110000.txt"
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/mentor/results/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/xml/_quick_tcp_nmap.xml" mentor.htb
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/mentor/results/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/xml/_full_tcp_nmap.xml" mentor.htb
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/kali/htb/mentor/results/scans/_top_100_udp_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/xml/_top_100_udp_nmap.xml" mentor.htb
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/mentor/results/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml" mentor.htb
feroxbuster -u http://mentor.htb:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
curl -sSikf http://mentor.htb:80/.well-known/security.txt
curl -sSikf http://mentor.htb:80/robots.txt
curl -sSik http://mentor.htb:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/mentor/results/scans/tcp80/xml/tcp_80_http_nmap.xml" mentor.htb
curl -sk -o /dev/null -H "Host: WSNGRtYtRhMJqBsBbrHE.mentor.htb" http://mentor.htb:80/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://mentor.htb:80 2>&1
wkhtmltoimage --format png http://mentor.htb:80/ /home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_screenshot.png
ffuf -u http://mentor.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.mentor.htb" -fs 305 -noninteractive -s | tee "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_mentor.htb_vhosts_subdomains-top1million-110000.txt"
nmap -vv --reason -Pn -T4 -sU -sV -p 161 --script="banner,(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/kali/htb/mentor/results/scans/udp161/udp_161_snmp-nmap.txt" -oX "/home/kali/htb/mentor/results/scans/udp161/xml/udp_161_snmp_nmap.xml" mentor.htb
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt -dd mentor.htb 2>&1
snmpwalk -c public -v 1 mentor.htb 2>&1
snmpwalk -c public -v 1 mentor.htb 1.3.6.1.2.1.25.1.6.0 2>&1
snmpwalk -c public -v 1 mentor.htb 1.3.6.1.2.1.25.4.2.1.2 2>&1
snmpwalk -c public -v 1 mentor.htb 1.3.6.1.2.1.25.4.2.1.4 2>&1
snmpwalk -c public -v 1 mentor.htb 1.3.6.1.2.1.25.2.3.1.4 2>&1
snmpwalk -c public -v 1 mentor.htb 1.3.6.1.2.1.25.2.3.1.4 2>&1
snmpwalk -c public -v 1 mentor.htb 1.3.6.1.4.1.77.1.2.25 2>&1
snmpwalk -c public -v 1 mentor.htb 1.3.6.1.2.1.6.13.1.3 2>&1
curl -sk -o /dev/null -H "Host: ulHLBfgwlNbtGPVJGIXe.mentorquotes.htb" http://mentorquotes.htb:80/ -w "%{size_download}"
ffuf -u http://mentorquotes.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.mentorquotes.htb" -fs 311 -noninteractive -s | tee "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_mentorquotes.htb_vhosts_subdomains-top1million-110000.txt"

15
HTB/mentor/results/scans/_errors.log Normal file
View File

@@ -0,0 +1,15 @@
[*] Service scan wkhtmltoimage (tcp/80/http/wkhtmltoimage) ran a command which returned a non-zero exit code (1).
[-] Command: wkhtmltoimage --format png http://mentor.htb:80/ /home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_screenshot.png
[-] Error Output:
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
Loading page (1/2)
[> ] 0%
Error: Failed to load http://mentorquotes.htb/, with network status code 3 and http status code 0 - Host mentorquotes.htb not found
[============================================================] 100%
Error: Failed loading page http://mentor.htb:80/ (sometimes it will work just to ignore this error with --load-error-handling ignore)
Exit with code 1 due to network error: HostNotFoundError
[*] Service scan OneSixtyOne (udp/161/snmp/onesixtyone) ran a command which returned a non-zero exit code (1).
[-] Command: onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt -dd mentor.htb 2>&1
[-] Error Output:

50
HTB/mentor/results/scans/_full_tcp_nmap.txt Normal file
View File

@@ -0,0 +1,50 @@
# Nmap 7.93 scan initiated Tue Feb 7 17:12:24 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/kali/htb/mentor/results/scans/_full_tcp_nmap.txt -oX /home/kali/htb/mentor/results/scans/xml/_full_tcp_nmap.xml mentor.htb
Nmap scan report for mentor.htb (10.10.11.193)
Host is up, received user-set (0.056s latency).
Scanned at 2023-02-07 17:12:24 CET for 35s
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c73bfc3cf9ceee8b4818d5d1af8ec2bb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO6yWCATcj2UeU/SgSa+wK2fP5ixsrHb6pgufdO378n+BLNiDB6ljwm3U3PPdbdQqGZo1K7Tfsz+ejZj1nV80RY=
| 256 4440084c0ecbd4f18e7eeda85c68a4f7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJjv9f3Jbxj42smHEXcChFPMNh1bqlAFHLi4Nr7w9fdv
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://mentorquotes.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
Aggressive OS guesses: Linux 4.15 - 5.6 (94%), Linux 5.3 - 5.4 (94%), Linux 2.6.32 (94%), Linux 5.0 - 5.3 (93%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Crestron XPanel control system (91%), Linux 5.4 (91%), Linux 3.1 - 3.2 (90%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=2/7%OT=22%CT=1%CU=%PV=Y%DS=2%DC=T%G=N%TM=63E2788B%P=x86_64-pc-linux-gnu)
SEQ(SP=FE%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)
OPS(O1=M54BST11NW7%O2=M54BST11NW7%O3=M54BNNT11NW7%O4=M54BST11NW7%O5=M54BST11NW7%O6=M54BST11)
WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M54BNNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 30.285 days (since Sun Jan 8 10:22:03 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: mentorquotes.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 111/tcp)
HOP RTT ADDRESS
1 87.00 ms 10.10.16.1
2 87.07 ms mentor.htb (10.10.11.193)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 7 17:12:59 2023 -- 1 IP address (1 host up) scanned in 35.28 seconds

64
HTB/mentor/results/scans/_manual_commands.txt Normal file
View File

@@ -0,0 +1,64 @@
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/kali/htb/mentor/results/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://mentor.htb
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/kali/htb/mentor/results/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h mentor.htb
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://mentor.htb:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://mentor.htb/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h mentor.htb -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://mentor.htb/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h mentor.htb -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://mentor.htb:80 2>&1 | tee "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://mentor.htb:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_wpscan.txt"
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/kali/htb/mentor/results/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://mentor.htb
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/kali/htb/mentor/results/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h mentor.htb
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://mentor.htb:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://mentor.htb/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h mentor.htb -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://mentor.htb/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h mentor.htb -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://mentor.htb:80 2>&1 | tee "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://mentor.htb:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_wpscan.txt"

4
HTB/mentor/results/scans/_patterns.log Normal file
View File

@@ -0,0 +1,4 @@
Identified HTTP Server: Apache/2.4.52 (Ubuntu)
Identified HTTP Server: Apache/2.4.52 (Ubuntu)

54
HTB/mentor/results/scans/_quick_tcp_nmap.txt Normal file
View File

@@ -0,0 +1,54 @@
# Nmap 7.93 scan initiated Tue Feb 7 17:12:24 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/htb/mentor/results/scans/_quick_tcp_nmap.txt -oX /home/kali/htb/mentor/results/scans/xml/_quick_tcp_nmap.xml mentor.htb
adjust_timeouts2: packet supposedly had rtt of -379307 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -379307 microseconds. Ignoring time.
Nmap scan report for mentor.htb (10.10.11.193)
Host is up, received user-set (0.038s latency).
Scanned at 2023-02-07 17:12:24 CET for 28s
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c73bfc3cf9ceee8b4818d5d1af8ec2bb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO6yWCATcj2UeU/SgSa+wK2fP5ixsrHb6pgufdO378n+BLNiDB6ljwm3U3PPdbdQqGZo1K7Tfsz+ejZj1nV80RY=
| 256 4440084c0ecbd4f18e7eeda85c68a4f7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJjv9f3Jbxj42smHEXcChFPMNh1bqlAFHLi4Nr7w9fdv
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://mentorquotes.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
Aggressive OS guesses: Linux 4.15 - 5.6 (94%), Linux 5.3 - 5.4 (94%), Linux 2.6.32 (94%), Linux 5.0 - 5.3 (93%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Linux 5.0 (91%), Crestron XPanel control system (91%), Linux 2.6.39 - 3.2 (90%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=2/7%OT=22%CT=1%CU=%PV=Y%DS=2%DC=T%G=N%TM=63E27884%P=x86_64-pc-linux-gnu)
SEQ(SP=107%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)
OPS(O1=M54BST11NW7%O2=M54BST11NW7%O3=M54BNNT11NW7%O4=M54BST11NW7%O5=M54BST11NW7%O6=M54BST11)
WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M54BNNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=N)
T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 30.285 days (since Sun Jan 8 10:22:02 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: mentorquotes.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 554/tcp)
HOP RTT ADDRESS
1 27.07 ms 10.10.16.1
2 50.43 ms mentor.htb (10.10.11.193)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 7 17:12:52 2023 -- 1 IP address (1 host up) scanned in 27.71 seconds

146
HTB/mentor/results/scans/_top_100_udp_nmap.txt Normal file
View File

@@ -0,0 +1,146 @@
# Nmap 7.93 scan initiated Tue Feb 7 17:12:24 2023 as: nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN /home/kali/htb/mentor/results/scans/_top_100_udp_nmap.txt -oX /home/kali/htb/mentor/results/scans/xml/_top_100_udp_nmap.xml mentor.htb
Increasing send delay for 10.10.11.193 from 0 to 50 due to 11 out of 16 dropped probes since last increase.
Increasing send delay for 10.10.11.193 from 50 to 100 due to 11 out of 16 dropped probes since last increase.
adjust_timeouts2: packet supposedly had rtt of -288682 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -559589 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -559589 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -272388 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -272388 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -275261 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -275261 microseconds. Ignoring time.
Nmap scan report for mentor.htb (10.10.11.193)
Host is up, received user-set (0.029s latency).
Scanned at 2023-02-07 17:12:25 CET for 391s
PORT STATE SERVICE REASON VERSION
7/udp closed echo port-unreach ttl 63
9/udp open|filtered discard no-response
17/udp closed qotd port-unreach ttl 63
19/udp closed chargen port-unreach ttl 63
49/udp open|filtered tacacs no-response
53/udp open|filtered domain no-response
67/udp open|filtered dhcps no-response
68/udp open|filtered dhcpc no-response
69/udp closed tftp port-unreach ttl 63
80/udp open|filtered http no-response
88/udp open|filtered kerberos-sec no-response
111/udp open|filtered rpcbind no-response
120/udp closed cfdptkt port-unreach ttl 63
123/udp open|filtered ntp no-response
135/udp closed msrpc port-unreach ttl 63
136/udp open|filtered profile no-response
137/udp closed netbios-ns port-unreach ttl 63
138/udp closed netbios-dgm port-unreach ttl 63
139/udp closed netbios-ssn port-unreach ttl 63
158/udp open|filtered pcmail-srv no-response
161/udp open snmp udp-response ttl 63 SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-sysdescr: Linux mentor 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64
|_ System uptime: 5m59.23s (35923 timeticks)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: a124f60a99b99c6200000000
| snmpEngineBoots: 67
|_ snmpEngineTime: 5m59s
162/udp open|filtered snmptrap no-response
177/udp open|filtered xdmcp no-response
427/udp open|filtered svrloc no-response
443/udp open|filtered https no-response
445/udp closed microsoft-ds port-unreach ttl 63
497/udp open|filtered retrospect no-response
500/udp closed isakmp port-unreach ttl 63
514/udp open|filtered syslog no-response
515/udp open|filtered printer no-response
518/udp closed ntalk port-unreach ttl 63
520/udp open|filtered route no-response
593/udp open|filtered http-rpc-epmap no-response
623/udp open|filtered asf-rmcp no-response
626/udp open|filtered serialnumberd no-response
631/udp open|filtered ipp no-response
996/udp open|filtered vsinet no-response
997/udp closed maitrd port-unreach ttl 63
998/udp open|filtered puparp no-response
999/udp open|filtered applix no-response
1022/udp open|filtered exp2 no-response
1023/udp open|filtered unknown no-response
1025/udp open|filtered blackjack no-response
1026/udp open|filtered win-rpc no-response
1027/udp closed unknown port-unreach ttl 63
1028/udp closed ms-lsa port-unreach ttl 63
1029/udp open|filtered solid-mux no-response
1030/udp open|filtered iad1 no-response
1433/udp closed ms-sql-s port-unreach ttl 63
1434/udp open|filtered ms-sql-m no-response
1645/udp open|filtered radius no-response
1646/udp open|filtered radacct no-response
1701/udp closed L2TP port-unreach ttl 63
1718/udp open|filtered h225gatedisc no-response
1719/udp open|filtered h323gatestat no-response
1812/udp open|filtered radius no-response
1813/udp open|filtered radacct no-response
1900/udp open|filtered upnp no-response
2000/udp closed cisco-sccp port-unreach ttl 63
2048/udp open|filtered dls-monitor no-response
2049/udp closed nfs port-unreach ttl 63
2222/udp closed msantipiracy port-unreach ttl 63
2223/udp closed rockwell-csp2 port-unreach ttl 63
3283/udp closed netassistant port-unreach ttl 63
3456/udp open|filtered IISrpc-or-vat no-response
3703/udp closed adobeserver-3 port-unreach ttl 63
4444/udp closed krb524 port-unreach ttl 63
4500/udp open|filtered nat-t-ike no-response
5000/udp closed upnp port-unreach ttl 63
5060/udp closed sip port-unreach ttl 63
5353/udp open|filtered zeroconf no-response
5632/udp open|filtered pcanywherestat no-response
9200/udp closed wap-wsp port-unreach ttl 63
10000/udp open|filtered ndmp no-response
17185/udp open|filtered wdbrpc no-response
20031/udp open|filtered bakbonenetvault no-response
30718/udp closed unknown port-unreach ttl 63
31337/udp open|filtered BackOrifice no-response
32768/udp closed omad port-unreach ttl 63
32769/udp open|filtered filenet-rpc no-response
32771/udp open|filtered sometimes-rpc6 no-response
32815/udp closed unknown port-unreach ttl 63
33281/udp open|filtered unknown no-response
49152/udp open|filtered unknown no-response
49153/udp open|filtered unknown no-response
49154/udp open|filtered unknown no-response
49156/udp open|filtered unknown no-response
49181/udp open|filtered unknown no-response
49182/udp open|filtered unknown no-response
49185/udp closed unknown port-unreach ttl 63
49186/udp open|filtered unknown no-response
49188/udp open|filtered unknown no-response
49190/udp closed unknown port-unreach ttl 63
49191/udp open|filtered unknown no-response
49192/udp closed unknown port-unreach ttl 63
49193/udp open|filtered unknown no-response
49194/udp open|filtered unknown no-response
49200/udp closed unknown port-unreach ttl 63
49201/udp open|filtered unknown no-response
65024/udp closed unknown port-unreach ttl 63
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: remote management|phone|general purpose|webcam|storage-misc
Running: Avocent embedded, Google Android 2.X, Linux 2.6.X, AXIS embedded, ZyXEL embedded
OS CPE: cpe:/o:google:android:2.2 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:2.6.17 cpe:/h:axis:210a_network_camera cpe:/h:axis:211_network_camera cpe:/h:zyxel:nsa-210
OS details: Avocent/Cyclades ACS 6000, Android 2.2 (Linux 2.6), Linux 2.6.14 - 2.6.34, Linux 2.6.17, Linux 2.6.17 (Mandriva), Linux 2.6.32, AXIS 210A or 211 Network Camera (Linux 2.6.17), ZyXEL NSA-210 NAS device
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=2/7%OT=%CT=%CU=7%PV=Y%DS=2%DC=T%G=N%TM=63E279F0%P=x86_
OS:64-pc-linux-gnu)SEQ(CI=Z)SEQ(CI=Z%II=I)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=A
OS:R%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=4
OS:0%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=
OS:G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: Host: mentor
TRACEROUTE (using port 138/udp)
HOP RTT ADDRESS
1 24.51 ms 10.10.16.1
2 23.94 ms mentor.htb (10.10.11.193)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 7 17:18:56 2023 -- 1 IP address (1 host up) scanned in 392.24 seconds

60
HTB/mentor/results/scans/tcp22/tcp_22_ssh_nmap.txt Normal file
View File

@@ -0,0 +1,60 @@
# Nmap 7.93 scan initiated Tue Feb 7 17:12:52 2023 as: nmap -vv --reason -Pn -T4 -sV -p 22 --script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/kali/htb/mentor/results/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/kali/htb/mentor/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml mentor.htb
Nmap scan report for mentor.htb (10.10.11.193)
Host is up, received user-set (0.034s latency).
Scanned at 2023-02-07 17:12:52 CET for 2s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c73bfc3cf9ceee8b4818d5d1af8ec2bb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO6yWCATcj2UeU/SgSa+wK2fP5ixsrHb6pgufdO378n+BLNiDB6ljwm3U3PPdbdQqGZo1K7Tfsz+ejZj1nV80RY=
| 256 4440084c0ecbd4f18e7eeda85c68a4f7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJjv9f3Jbxj42smHEXcChFPMNh1bqlAFHLi4Nr7w9fdv
|_banner: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
| ssh2-enum-algos:
| kex_algorithms: (10)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| sntrup761x25519-sha512@openssh.com
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| diffie-hellman-group14-sha256
| server_host_key_algorithms: (4)
| rsa-sha2-512
| rsa-sha2-256
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (6)
| chacha20-poly1305@openssh.com
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| mac_algorithms: (10)
| umac-64-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-64@openssh.com
| umac-128@openssh.com
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 7 17:12:54 2023 -- 1 IP address (1 host up) scanned in 1.70 seconds

95
HTB/mentor/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml Normal file
View File

@@ -0,0 +1,95 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Tue Feb 7 17:12:52 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 22 -&#45;script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/kali/htb/mentor/results/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/kali/htb/mentor/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml mentor.htb -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 22 -&#45;script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/kali/htb/mentor/results/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/kali/htb/mentor/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml mentor.htb" start="1675786372" startstr="Tue Feb 7 17:12:52 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="syn" protocol="tcp" numservices="1" services="22"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1675786372"/>
<taskend task="NSE" time="1675786372"/>
<taskbegin task="NSE" time="1675786372"/>
<taskend task="NSE" time="1675786372"/>
<taskbegin task="SYN Stealth Scan" time="1675786372"/>
<taskend task="SYN Stealth Scan" time="1675786372" extrainfo="1 total ports"/>
<taskbegin task="Service scan" time="1675786372"/>
<taskend task="Service scan" time="1675786372" extrainfo="1 service on 1 host"/>
<taskbegin task="NSE" time="1675786372"/>
<taskend task="NSE" time="1675786374"/>
<taskbegin task="NSE" time="1675786374"/>
<taskend task="NSE" time="1675786374"/>
<host starttime="1675786372" endtime="1675786374"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.10.11.193" addrtype="ipv4"/>
<hostnames>
<hostname name="mentor.htb" type="user"/>
<hostname name="mentor.htb" type="PTR"/>
</hostnames>
<ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="ssh" product="OpenSSH" version="8.9p1 Ubuntu 3" extrainfo="Ubuntu Linux; protocol 2.0" ostype="Linux" method="probed" conf="10"><cpe>cpe:/a:openbsd:openssh:8.9p1</cpe><cpe>cpe:/o:linux:linux_kernel</cpe></service><script id="ssh-hostkey" output="&#xa; 256 c73bfc3cf9ceee8b4818d5d1af8ec2bb (ECDSA)&#xa;ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO6yWCATcj2UeU/SgSa+wK2fP5ixsrHb6pgufdO378n+BLNiDB6ljwm3U3PPdbdQqGZo1K7Tfsz+ejZj1nV80RY=&#xa; 256 4440084c0ecbd4f18e7eeda85c68a4f7 (ED25519)&#xa;ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJjv9f3Jbxj42smHEXcChFPMNh1bqlAFHLi4Nr7w9fdv"><table>
<elem key="key">AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO6yWCATcj2UeU/SgSa+wK2fP5ixsrHb6pgufdO378n+BLNiDB6ljwm3U3PPdbdQqGZo1K7Tfsz+ejZj1nV80RY=</elem>
<elem key="fingerprint">c73bfc3cf9ceee8b4818d5d1af8ec2bb</elem>
<elem key="type">ecdsa-sha2-nistp256</elem>
<elem key="bits">256</elem>
</table>
<table>
<elem key="key">AAAAC3NzaC1lZDI1NTE5AAAAIJjv9f3Jbxj42smHEXcChFPMNh1bqlAFHLi4Nr7w9fdv</elem>
<elem key="fingerprint">4440084c0ecbd4f18e7eeda85c68a4f7</elem>
<elem key="type">ssh-ed25519</elem>
<elem key="bits">256</elem>
</table>
</script><script id="banner" output="SSH-2.0-OpenSSH_8.9p1 Ubuntu-3"/><script id="ssh-auth-methods" output="&#xa; Supported authentication methods: &#xa; publickey&#xa; password"><table key="Supported authentication methods">
<elem>publickey</elem>
<elem>password</elem>
</table>
</script><script id="ssh2-enum-algos" output="&#xa; kex_algorithms: (10)&#xa; curve25519-sha256&#xa; curve25519-sha256@libssh.org&#xa; ecdh-sha2-nistp256&#xa; ecdh-sha2-nistp384&#xa; ecdh-sha2-nistp521&#xa; sntrup761x25519-sha512@openssh.com&#xa; diffie-hellman-group-exchange-sha256&#xa; diffie-hellman-group16-sha512&#xa; diffie-hellman-group18-sha512&#xa; diffie-hellman-group14-sha256&#xa; server_host_key_algorithms: (4)&#xa; rsa-sha2-512&#xa; rsa-sha2-256&#xa; ecdsa-sha2-nistp256&#xa; ssh-ed25519&#xa; encryption_algorithms: (6)&#xa; chacha20-poly1305@openssh.com&#xa; aes128-ctr&#xa; aes192-ctr&#xa; aes256-ctr&#xa; aes128-gcm@openssh.com&#xa; aes256-gcm@openssh.com&#xa; mac_algorithms: (10)&#xa; umac-64-etm@openssh.com&#xa; umac-128-etm@openssh.com&#xa; hmac-sha2-256-etm@openssh.com&#xa; hmac-sha2-512-etm@openssh.com&#xa; hmac-sha1-etm@openssh.com&#xa; umac-64@openssh.com&#xa; umac-128@openssh.com&#xa; hmac-sha2-256&#xa; hmac-sha2-512&#xa; hmac-sha1&#xa; compression_algorithms: (2)&#xa; none&#xa; zlib@openssh.com"><table key="kex_algorithms">
<elem>curve25519-sha256</elem>
<elem>curve25519-sha256@libssh.org</elem>
<elem>ecdh-sha2-nistp256</elem>
<elem>ecdh-sha2-nistp384</elem>
<elem>ecdh-sha2-nistp521</elem>
<elem>sntrup761x25519-sha512@openssh.com</elem>
<elem>diffie-hellman-group-exchange-sha256</elem>
<elem>diffie-hellman-group16-sha512</elem>
<elem>diffie-hellman-group18-sha512</elem>
<elem>diffie-hellman-group14-sha256</elem>
</table>
<table key="server_host_key_algorithms">
<elem>rsa-sha2-512</elem>
<elem>rsa-sha2-256</elem>
<elem>ecdsa-sha2-nistp256</elem>
<elem>ssh-ed25519</elem>
</table>
<table key="encryption_algorithms">
<elem>chacha20-poly1305@openssh.com</elem>
<elem>aes128-ctr</elem>
<elem>aes192-ctr</elem>
<elem>aes256-ctr</elem>
<elem>aes128-gcm@openssh.com</elem>
<elem>aes256-gcm@openssh.com</elem>
</table>
<table key="mac_algorithms">
<elem>umac-64-etm@openssh.com</elem>
<elem>umac-128-etm@openssh.com</elem>
<elem>hmac-sha2-256-etm@openssh.com</elem>
<elem>hmac-sha2-512-etm@openssh.com</elem>
<elem>hmac-sha1-etm@openssh.com</elem>
<elem>umac-64@openssh.com</elem>
<elem>umac-128@openssh.com</elem>
<elem>hmac-sha2-256</elem>
<elem>hmac-sha2-512</elem>
<elem>hmac-sha1</elem>
</table>
<table key="compression_algorithms">
<elem>none</elem>
<elem>zlib@openssh.com</elem>
</table>
</script></port>
</ports>
<times srtt="34247" rttvar="34247" to="171235"/>
</host>
<taskbegin task="NSE" time="1675786374"/>
<taskend task="NSE" time="1675786374"/>
<taskbegin task="NSE" time="1675786374"/>
<taskend task="NSE" time="1675786374"/>
<runstats><finished time="1675786374" timestr="Tue Feb 7 17:12:54 2023" summary="Nmap done at Tue Feb 7 17:12:54 2023; 1 IP address (1 host up) scanned in 1.70 seconds" elapsed="1.70" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>

16
HTB/mentor/results/scans/tcp80/tcp_80_http_curl-robots.txt Normal file
View File

@@ -0,0 +1,16 @@
HTTP/1.1 302 Found
Date: Tue, 07 Feb 2023 16:12:52 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: http://mentorquotes.htb/
Content-Length: 284
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://mentorquotes.htb/">here</a>.</p>
<hr>
<address>Apache/2.4.52 (Ubuntu) Server at mentor.htb Port 80</address>
</body></html>

17
HTB/mentor/results/scans/tcp80/tcp_80_http_curl.html Normal file
View File

@@ -0,0 +1,17 @@
HTTP/1.1 302 Found
Date: Tue, 07 Feb 2023 16:12:52 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: http://mentorquotes.htb/
Content-Length: 284
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://mentorquotes.htb/">here</a>.</p>
<hr>
<address>Apache/2.4.52 (Ubuntu) Server at mentor.htb Port 80</address>
</body></html>

4
HTB/mentor/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt Normal file
View File

@@ -0,0 +1,4 @@
WLD GET 9l 26w 284c Got 302 for http://mentor.htb/00c755e63ad64560b48b10265e062587 (url length: 32)
WLD - - - http://mentor.htb/00c755e63ad64560b48b10265e062587 => http://mentorquotes.htb/
WLD GET 9l 26w 284c Got 302 for http://mentor.htb/6e22794eff354e3bb2d3eaf96e7816a3aab410720213421091e219809755dcc23a26646b56b448f99820dc1b8d0582c1 (url length: 96)
WLD - - - http://mentor.htb/6e22794eff354e3bb2d3eaf96e7816a3aab410720213421091e219809755dcc23a26646b56b448f99820dc1b8d0582c1 => http://mentorquotes.htb/

16
HTB/mentor/results/scans/tcp80/tcp_80_http_known-security.txt Normal file
View File

@@ -0,0 +1,16 @@
HTTP/1.1 302 Found
Date: Tue, 07 Feb 2023 16:12:52 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: http://mentorquotes.htb/
Content-Length: 284
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://mentorquotes.htb/">here</a>.</p>
<hr>
<address>Apache/2.4.52 (Ubuntu) Server at mentor.htb Port 80</address>
</body></html>

113014
HTB/mentor/results/scans/tcp80/tcp_80_http_mentor.htb_vhosts_subdomains-top1million-110000.txt Normal file
View File

File diff suppressed because it is too large Load Diff

113013
HTB/mentor/results/scans/tcp80/tcp_80_http_mentorquotes.htb_vhosts_subdomains-top1million-110000.txt Normal file
View File

File diff suppressed because it is too large Load Diff

74
HTB/mentor/results/scans/tcp80/tcp_80_http_nmap.txt Normal file
View File

@@ -0,0 +1,74 @@
# Nmap 7.93 scan initiated Tue Feb 7 17:12:52 2023 as: nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_nmap.txt -oX /home/kali/htb/mentor/results/scans/tcp80/xml/tcp_80_http_nmap.xml mentor.htb
Nmap scan report for mentor.htb (10.10.11.193)
Host is up, received user-set (0.065s latency).
Scanned at 2023-02-07 17:12:52 CET for 18s
Bug in http-security-headers: no string output.
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.52
|_http-chrono: Request times for /; avg: 164.16ms; min: 153.80ms; max: 181.69ms
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
| http-sitemap-generator:
| Directory structure:
| Longest directory structure:
| Depth: 0
| Dir: /
| Total files found (by extension):
|_
| http-headers:
| Date: Tue, 07 Feb 2023 16:13:04 GMT
| Server: Apache/2.4.52 (Ubuntu)
| Location: http://mentorquotes.htb/
| Content-Length: 284
| Connection: close
| Content-Type: text/html; charset=iso-8859-1
|
|_ (Request type: GET)
| http-vhosts:
|_128 names had status 302
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-referer-checker: Couldn't find any cross-domain scripts.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
|_http-errors: Couldn't find any error pages.
| http-useragent-tester:
| Status for browser useragent: 200
| Redirected To: http://mentorquotes.htb/
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
|_http-feed: Couldn't find any feeds.
|_http-comments-displayer: Couldn't find any comments.
|_http-mobileversion-checker: No mobile version detected.
|_http-date: Tue, 07 Feb 2023 16:13:01 GMT; 0s from local time.
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-title: Did not follow redirect to http://mentorquotes.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: Host: mentorquotes.htb
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 7 17:13:10 2023 -- 1 IP address (1 host up) scanned in 17.76 seconds

BIN
HTB/mentor/results/scans/tcp80/tcp_80_http_screenshot.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 MiB

88
HTB/mentor/results/scans/tcp80/tcp_80_http_whatweb.txt Normal file
View File

@@ -0,0 +1,88 @@
WhatWeb report for http://mentor.htb:80
Status : 302 Found
Title : 302 Found
IP : 10.10.11.193
Country : RESERVED, ZZ
Summary : Apache[2.4.52], HTTPServer[Ubuntu Linux][Apache/2.4.52 (Ubuntu)], RedirectLocation[http://mentorquotes.htb/]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.52 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : Apache/2.4.52 (Ubuntu) (from server string)
[ RedirectLocation ]
HTTP Server string location. used with http-status 301 and
302
String : http://mentorquotes.htb/ (from location)
HTTP Headers:
HTTP/1.1 302 Found
Date: Tue, 07 Feb 2023 16:12:53 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: http://mentorquotes.htb/
Content-Length: 284
Connection: close
Content-Type: text/html; charset=iso-8859-1
WhatWeb report for http://mentorquotes.htb/
Status : 200 OK
Title : MentorQuotes
IP : 10.10.11.193
Country : RESERVED, ZZ
Summary : HTML5, HTTPServer[Werkzeug/2.0.3 Python/3.6.9], Python[3.6.9], Werkzeug[2.0.3]
Detected Plugins:
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : Werkzeug/2.0.3 Python/3.6.9 (from server string)
[ Python ]
Python is a programming language that lets you work more
quickly and integrate your systems more effectively. You
can learn to use Python and see almost immediate gains in
productivity and lower maintenance costs.
Version : 3.6.9
Website : http://www.python.org/
[ Werkzeug ]
Werkzeug is a WSGI utility library for Python.
Version : 2.0.3
Website : http://werkzeug.pocoo.org/
HTTP Headers:
HTTP/1.1 200 OK
Date: Tue, 07 Feb 2023 16:12:56 GMT
Server: Werkzeug/2.0.3 Python/3.6.9
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2029
Connection: close

75
HTB/mentor/results/scans/tcp80/xml/tcp_80_http_nmap.xml Normal file
View File

@@ -0,0 +1,75 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Tue Feb 7 17:12:52 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 80 &quot;-&#45;script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)&quot; -oN /home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_nmap.txt -oX /home/kali/htb/mentor/results/scans/tcp80/xml/tcp_80_http_nmap.xml mentor.htb -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 80 &quot;-&#45;script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)&quot; -oN /home/kali/htb/mentor/results/scans/tcp80/tcp_80_http_nmap.txt -oX /home/kali/htb/mentor/results/scans/tcp80/xml/tcp_80_http_nmap.xml mentor.htb" start="1675786372" startstr="Tue Feb 7 17:12:52 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="syn" protocol="tcp" numservices="1" services="80"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1675786372"/>
<taskend task="NSE" time="1675786372"/>
<taskbegin task="NSE" time="1675786372"/>
<taskend task="NSE" time="1675786372"/>
<taskbegin task="NSE" time="1675786372"/>
<taskend task="NSE" time="1675786372"/>
<taskbegin task="SYN Stealth Scan" time="1675786372"/>
<taskend task="SYN Stealth Scan" time="1675786372" extrainfo="1 total ports"/>
<taskbegin task="Service scan" time="1675786372"/>
<taskend task="Service scan" time="1675786379" extrainfo="1 service on 1 host"/>
<taskbegin task="NSE" time="1675786379"/>
<taskend task="NSE" time="1675786390"/>
<taskbegin task="NSE" time="1675786390"/>
<taskend task="NSE" time="1675786390"/>
<taskbegin task="NSE" time="1675786390"/>
<taskend task="NSE" time="1675786390"/>
<host starttime="1675786372" endtime="1675786390"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.10.11.193" addrtype="ipv4"/>
<hostnames>
<hostname name="mentor.htb" type="user"/>
<hostname name="mentor.htb" type="PTR"/>
</hostnames>
<ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="http" product="Apache httpd" version="2.4.52" hostname="mentorquotes.htb" method="probed" conf="10"><cpe>cpe:/a:apache:http_server:2.4.52</cpe></service><script id="http-chrono" output="Request times for /; avg: 164.16ms; min: 153.80ms; max: 181.69ms"/><script id="http-stored-xss" output="Couldn&apos;t find any stored XSS vulnerabilities."/><script id="http-litespeed-sourcecode-download" output="Request with null byte did not work. This web server might not be vulnerable"/><script id="http-sitemap-generator" output="&#xa; Directory structure:&#xa; Longest directory structure:&#xa; Depth: 0&#xa; Dir: /&#xa; Total files found (by extension):&#xa; &#xa;"/><script id="http-headers" output="&#xa; Date: Tue, 07 Feb 2023 16:13:04 GMT&#xa; Server: Apache/2.4.52 (Ubuntu)&#xa; Location: http://mentorquotes.htb/&#xa; Content-Length: 284&#xa; Connection: close&#xa; Content-Type: text/html; charset=iso-8859-1&#xa; &#xa; (Request type: GET)&#xa;"/><script id="http-vhosts" output="&#xa;128 names had status 302"/><script id="http-security-headers" output=""></script><script id="http-drupal-enum" output="Nothing found amongst the top 100 resources,use -&#45;script-args number=&lt;number|all&gt; for deeper analysis)"/><script id="http-config-backup" output="ERROR: Script execution failed (use -d to debug)"/><script id="http-wordpress-enum" output="Nothing found amongst the top 100 resources,use -&#45;script-args search-limit=&lt;number|all&gt; for deeper analysis)"/><script id="http-fetch" output="Please enter the complete path of the directory to save data in."><elem key="ERROR">Please enter the complete path of the directory to save data in.</elem>
</script><script id="http-referer-checker" output="Couldn&apos;t find any cross-domain scripts."/><script id="http-devframework" output="Couldn&apos;t determine the underlying framework or CMS. Try increasing &apos;httpspider.maxpagecount&apos; value to spider more pages."/><script id="http-errors" output="Couldn&apos;t find any error pages."/><script id="http-useragent-tester" output="&#xa; Status for browser useragent: 200&#xa; Redirected To: http://mentorquotes.htb/&#xa; Allowed User Agents: &#xa; Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)&#xa; libwww&#xa; lwp-trivial&#xa; libcurl-agent/1.0&#xa; PHP/&#xa; Python-urllib/2.5&#xa; GT::WWW&#xa; Snoopy&#xa; MFC_Tear_Sample&#xa; HTTP::Lite&#xa; PHPCrawl&#xa; URI::Fetch&#xa; Zend_Http_Client&#xa; http client&#xa; PECL::HTTP&#xa; Wget/1.13.4 (linux-gnu)&#xa; WWW-Mechanize/1.34"><elem key="Status for browser useragent">200</elem>
<elem key="Redirected To">http://mentorquotes.htb/</elem>
<table key="Allowed User Agents">
<elem>Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)</elem>
<elem>libwww</elem>
<elem>lwp-trivial</elem>
<elem>libcurl-agent/1.0</elem>
<elem>PHP/</elem>
<elem>Python-urllib/2.5</elem>
<elem>GT::WWW</elem>
<elem>Snoopy</elem>
<elem>MFC_Tear_Sample</elem>
<elem>HTTP::Lite</elem>
<elem>PHPCrawl</elem>
<elem>URI::Fetch</elem>
<elem>Zend_Http_Client</elem>
<elem>http client</elem>
<elem>PECL::HTTP</elem>
<elem>Wget/1.13.4 (linux-gnu)</elem>
<elem>WWW-Mechanize/1.34</elem>
</table>
</script><script id="http-feed" output="Couldn&apos;t find any feeds."/><script id="http-comments-displayer" output="Couldn&apos;t find any comments."/><script id="http-mobileversion-checker" output="No mobile version detected."/><script id="http-date" output="Tue, 07 Feb 2023 16:13:01 GMT; 0s from local time."><elem key="date">2023-02-07T16:13:01+00:00</elem>
<elem key="delta">0.0</elem>
</script><script id="http-server-header" output="Apache/2.4.52 (Ubuntu)"><elem>Apache/2.4.52 (Ubuntu)</elem>
</script><script id="http-dombased-xss" output="Couldn&apos;t find any DOM based XSS."/><script id="http-jsonp-detection" output="Couldn&apos;t find any JSONP endpoints."/><script id="http-csrf" output="Couldn&apos;t find any CSRF vulnerabilities."/><script id="http-wordpress-users" output="[Error] Wordpress installation was not found. We couldn&apos;t find wp-login.php"/><script id="http-title" output="Did not follow redirect to http://mentorquotes.htb/"><elem key="redirect_url">http://mentorquotes.htb/</elem>
</script><script id="http-methods" output="&#xa; Supported Methods: GET HEAD POST OPTIONS"><table key="Supported Methods">
<elem>GET</elem>
<elem>HEAD</elem>
<elem>POST</elem>
<elem>OPTIONS</elem>
</table>
</script></port>
</ports>
<times srtt="64528" rttvar="64528" to="322640"/>
</host>
<taskbegin task="NSE" time="1675786390"/>
<taskend task="NSE" time="1675786390"/>
<taskbegin task="NSE" time="1675786390"/>
<taskend task="NSE" time="1675786390"/>
<taskbegin task="NSE" time="1675786390"/>
<taskend task="NSE" time="1675786390"/>
<runstats><finished time="1675786390" timestr="Tue Feb 7 17:13:10 2023" summary="Nmap done at Tue Feb 7 17:13:10 2023; 1 IP address (1 host up) scanned in 17.76 seconds" elapsed="17.76" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>

20
HTB/mentor/results/scans/udp161/udp_161_snmp-nmap.txt Normal file
View File

@@ -0,0 +1,20 @@
# Nmap 7.93 scan initiated Tue Feb 7 17:18:56 2023 as: nmap -vv --reason -Pn -T4 -sU -sV -p 161 "--script=banner,(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/kali/htb/mentor/results/scans/udp161/udp_161_snmp-nmap.txt -oX /home/kali/htb/mentor/results/scans/udp161/xml/udp_161_snmp_nmap.xml mentor.htb
Nmap scan report for mentor.htb (10.10.11.193)
Host is up, received user-set (0.042s latency).
Scanned at 2023-02-07 17:18:57 CET for 15s
PORT STATE SERVICE REASON VERSION
161/udp open snmp udp-response ttl 63 SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: a124f60a99b99c6200000000
| snmpEngineBoots: 67
|_ snmpEngineTime: 8m27s
| snmp-sysdescr: Linux mentor 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64
|_ System uptime: 8m27.56s (50756 timeticks)
Service Info: Host: mentor
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 7 17:19:12 2023 -- 1 IP address (1 host up) scanned in 15.19 seconds

3
HTB/mentor/results/scans/udp161/udp_161_snmp_onesixtyone.txt Normal file
View File

@@ -0,0 +1,3 @@
Debug level 2
Malformed IP address: mentor.htb

49
HTB/mentor/results/scans/udp161/udp_161_snmp_snmpwalk.txt Normal file
View File

@@ -0,0 +1,49 @@
Created directory: /var/lib/snmp/cert_indexes
iso.3.6.1.2.1.1.1.0 = STRING: "Linux mentor 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (50699) 0:08:26.99
iso.3.6.1.2.1.1.4.0 = STRING: "Me <admin@mentorquotes.htb>"
iso.3.6.1.2.1.1.5.0 = STRING: "mentor"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (2) 0:00:00.02
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (2) 0:00:00.02
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (2) 0:00:00.02
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (52639) 0:08:46.39
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E7 02 07 10 12 3A 00 2B 00 00
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-5.15.0-56-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro net.ifnames=0 biosdevname=0
"
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 0
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 235
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
End of MIB

2
HTB/mentor/results/scans/udp161/udp_161_snmp_snmpwalk_process_paths.txt Normal file
View File

@@ -0,0 +1,2 @@
End of MIB

Some files were not shown because too many files have changed in this diff Show More