old htb folders
2023-08-29 21:53:22 +02:00
parent 62ab804867
commit 82b0759f1e
21891 changed files with 6277643 additions and 0 deletions

@@ -0,0 +1,12 @@
[*] ftp found on tcp/21.
[*] ssh found on tcp/22.
[*] http found on tcp/80.

@@ -0,0 +1,33 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/metatwo/results/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/metatwo/results/scans/xml/_quick_tcp_nmap.xml" 10.10.11.186
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/metatwo/results/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/metatwo/results/scans/xml/_full_tcp_nmap.xml" 10.10.11.186
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/metatwo/results/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/metatwo/results/scans/xml/_quick_tcp_nmap.xml" 10.10.11.186
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/metatwo/results/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/metatwo/results/scans/xml/_full_tcp_nmap.xml" 10.10.11.186
nmap -vv --reason -Pn -T4 -sV -p 21 --script="banner,(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/kali/htb/metatwo/results/scans/tcp21/tcp_21_ftp_nmap.txt" -oX "/home/kali/htb/metatwo/results/scans/tcp21/xml/tcp_21_ftp_nmap.xml" 10.10.11.186
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/metatwo/results/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/metatwo/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml" 10.10.11.186
feroxbuster -u http://10.10.11.186:80/ -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -q -e -o "/home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_feroxbuster_directory-list-2.3-medium.txt"
curl -sSikf http://10.10.11.186:80/.well-known/security.txt
curl -sSikf http://10.10.11.186:80/robots.txt
curl -sSik http://10.10.11.186:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/metatwo/results/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.10.11.186
curl -sk -o /dev/null -H "Host: yQBDdkqpvKEGuxwSOHam.metapress.htb" http://metapress.htb:80/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://10.10.11.186:80 2>&1
wkhtmltoimage --format png http://10.10.11.186:80/ /home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_screenshot.png
ffuf -u http://metapress.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.metapress.htb" -fs 145 -noninteractive -s | tee "/home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_metapress.htb_vhosts_subdomains-top1million-110000.txt"
```
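Review bot: the quick and full nmap commands are logged twice each at the top of this file (hunk lines 2 and 4 are exact repeats of lines 3 and 5 in pairs), which looks like two AutoRecon runs appended to the same _commands.log; if only one run's result files are in this commit, drop the duplicate pair so the log matches the scan files that follow.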

@@ -0,0 +1,43 @@
```bash
[*] ftp on tcp/21
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 21 -o "/home/kali/htb/metatwo/results/scans/tcp21/tcp_21_ftp_hydra.txt" ftp://10.10.11.186
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 21 -O "/home/kali/htb/metatwo/results/scans/tcp21/tcp_21_ftp_medusa.txt" -M ftp -h 10.10.11.186
[*] ssh on tcp/22
[-] Bruteforce logins:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "/home/kali/htb/metatwo/results/scans/tcp22/tcp_22_ssh_hydra.txt" ssh://10.10.11.186
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "/home/kali/htb/metatwo/results/scans/tcp22/tcp_22_ssh_medusa.txt" -M ssh -h 10.10.11.186
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://10.10.11.186:80 -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -e -o /home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.10.11.186/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.10.11.186 -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.10.11.186/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.10.11.186 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://10.10.11.186:80 2>&1 | tee "/home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://10.10.11.186:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_wpscan.txt"
```

@@ -0,0 +1,2 @@
Identified HTTP Server: nginx/1.18.0

@@ -0,0 +1,48 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/metatwo/results/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/metatwo/results/scans/xml/_full_tcp_nmap.xml" 10.10.11.186
```
[/home/kali/htb/metatwo/results/scans/_full_tcp_nmap.txt](file:///home/kali/htb/metatwo/results/scans/_full_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Wed Jan 25 11:09:20 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/kali/htb/metatwo/results/scans/_full_tcp_nmap.txt -oX /home/kali/htb/metatwo/results/scans/xml/_full_tcp_nmap.xml 10.10.11.186
Nmap scan report for metatwo.htb (10.10.11.186)
Host is up, received user-set (0.037s latency).
Scanned at 2023-01-25 11:09:20 EST for 565s
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (Debian) [::ffff:10.10.11.186]
| Invalid command: try being more creative
| Invalid command: try being more creative
| Verifier:
|_ 220 ProFTPD Server (Debian) [::ffff:10.10.11.186]
22/tcp open ssh syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 c4b44617d2102d8fec1dc927fecd79ee (RSA)
| ssh-rsa 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
| 256 2aea2fcb23e8c529409cab866dcd4411 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB1ZmNogWBUF8MwkNsezebQ+0/yPq7RX3/j9s4Qh8jbGlmvAcN0Z/aIBrzbEuTRf3/cHehtaNf9qrF2ehQAeM94=
| 256 fd78c0b0e22016fa050debd83f12a4ab (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOP4kxBr9kumAjfplon8fXJpuqhdMJy2rpd3FM7+mGw2
80/tcp open http syn-ack nginx 1.18.0
|_http-title: Did not follow redirect to http://metapress.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port21-TCP:V=7.93%I=9%D=1/25%Time=63D15443%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,8F,"220\x20ProFTPD\x20Server\x20\(Debian\)\x20\[::ffff:10\.10\
SF:.11\.186\]\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x20cre
SF:ative\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x20creative
SF:\r\n")%r(Verifier,33,"220\x20ProFTPD\x20Server\x20\(Debian\)\x20\[::fff
SF:f:10\.10\.11\.186\]\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 25 11:18:46 2023 -- 1 IP address (1 host up) scanned in 565.53 seconds
```
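Review bot: the 21/tcp row has an empty VERSION column only because the ProFTPD banner (`220 ProFTPD Server (Debian)`) carries no version string, so nmap fell back to the fingerprint-submission block; the banner itself is the usable finding and the SF: block is noise for a write-up. The quick-scan file in this commit repeats the same host keys, the same fingerprint and the same nginx 1.18.0 / redirect to http://metapress.htb/ result, so one of the two reports is enough to keep as the reference.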

@@ -0,0 +1,48 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/kali/htb/metatwo/results/scans/_quick_tcp_nmap.txt" -oX "/home/kali/htb/metatwo/results/scans/xml/_quick_tcp_nmap.xml" 10.10.11.186
```
[/home/kali/htb/metatwo/results/scans/_quick_tcp_nmap.txt](file:///home/kali/htb/metatwo/results/scans/_quick_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Wed Jan 25 11:09:20 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/htb/metatwo/results/scans/_quick_tcp_nmap.txt -oX /home/kali/htb/metatwo/results/scans/xml/_quick_tcp_nmap.xml 10.10.11.186
Nmap scan report for metatwo.htb (10.10.11.186)
Host is up, received user-set (0.026s latency).
Scanned at 2023-01-25 11:09:20 EST for 559s
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (Debian) [::ffff:10.10.11.186]
| Invalid command: try being more creative
| Invalid command: try being more creative
| Verifier:
|_ 220 ProFTPD Server (Debian) [::ffff:10.10.11.186]
22/tcp open ssh syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 c4b44617d2102d8fec1dc927fecd79ee (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPp9LmBKMOuXu2ZOpw8JorL5ah0sU0kIBXvJB8LX26rpbOhw+1MPdhx6ptZzXwQ8wkQc88xu5h+oB8NGkeHLYhvRqtZmvkTpOsyJiMm+0Udbg+IJCENPiKGSC5J+0tt4QPj92xtTe/f7WV4hbBLDQust46D1xVJVOCNfaloIC40BtWoMWIoEFWnk7U3kwXcM5336LuUnhm69XApDB4y/dt5CgXFoWlDQi45WLLQGbanCNAlT9XwyPnpIyqQdF7mRJ5yRXUOXGeGmoO9+JALVQIEJ/7Ljxts6QuV633wFefpxnmvTu7XX9W8vxUcmInIEIQCmunR5YH4ZgWRclT+6rzwRQw1DH1z/ZYui5Bjn82neoJunhweTJXQcotBp8glpvq3X/rQgZASSyYrOJghBlNVZDqPzp4vBC78gn6TyZyuJXhDxw+lHxF82IMT2fatp240InLVvoWrTWlXlEyPiHraKC0okOVtul6T0VRxsuT+QsyU7pdNFkn2wDVvC25AW8=
| 256 2aea2fcb23e8c529409cab866dcd4411 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB1ZmNogWBUF8MwkNsezebQ+0/yPq7RX3/j9s4Qh8jbGlmvAcN0Z/aIBrzbEuTRf3/cHehtaNf9qrF2ehQAeM94=
| 256 fd78c0b0e22016fa050debd83f12a4ab (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOP4kxBr9kumAjfplon8fXJpuqhdMJy2rpd3FM7+mGw2
80/tcp open http syn-ack nginx 1.18.0
|_http-title: Did not follow redirect to http://metapress.htb/
|_http-server-header: nginx/1.18.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port21-TCP:V=7.93%I=9%D=1/25%Time=63D1543C%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,8F,"220\x20ProFTPD\x20Server\x20\(Debian\)\x20\[::ffff:10\.10\
SF:.11\.186\]\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x20cre
SF:ative\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x20creative
SF:\r\n")%r(Verifier,33,"220\x20ProFTPD\x20Server\x20\(Debian\)\x20\[::fff
SF:f:10\.10\.11\.186\]\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 25 11:18:39 2023 -- 1 IP address (1 host up) scanned in 559.05 seconds
```

@@ -0,0 +1,31 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 21 --script="banner,(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/kali/htb/metatwo/results/scans/tcp21/tcp_21_ftp_nmap.txt" -oX "/home/kali/htb/metatwo/results/scans/tcp21/xml/tcp_21_ftp_nmap.xml" 10.10.11.186
```
[/home/kali/htb/metatwo/results/scans/tcp21/tcp_21_ftp_nmap.txt](file:///home/kali/htb/metatwo/results/scans/tcp21/tcp_21_ftp_nmap.txt):
```
# Nmap 7.93 scan initiated Wed Jan 25 11:18:39 2023 as: nmap -vv --reason -Pn -T4 -sV -p 21 "--script=banner,(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/kali/htb/metatwo/results/scans/tcp21/tcp_21_ftp_nmap.txt -oX /home/kali/htb/metatwo/results/scans/tcp21/xml/tcp_21_ftp_nmap.xml 10.10.11.186
Nmap scan report for metatwo.htb (10.10.11.186)
Host is up, received user-set (0.037s latency).
Scanned at 2023-01-25 11:18:40 EST for 333s
PORT STATE SERVICE REASON VERSION
21/tcp open ftp? syn-ack
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (Debian) [::ffff:10.10.11.186]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port21-TCP:V=7.93%I=7%D=1/25%Time=63D1566B%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,8F,"220\x20ProFTPD\x20Server\x20\(Debian\)\x20\[::ffff:10\.10\
SF:.11\.186\]\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x20cre
SF:ative\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x20creative
SF:\r\n");
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 25 11:24:13 2023 -- 1 IP address (1 host up) scanned in 333.35 seconds
```

@@ -0,0 +1,71 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/metatwo/results/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/metatwo/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml" 10.10.11.186
```
[/home/kali/htb/metatwo/results/scans/tcp22/tcp_22_ssh_nmap.txt](file:///home/kali/htb/metatwo/results/scans/tcp22/tcp_22_ssh_nmap.txt):
```
# Nmap 7.93 scan initiated Wed Jan 25 11:18:39 2023 as: nmap -vv --reason -Pn -T4 -sV -p 22 --script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/kali/htb/metatwo/results/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/kali/htb/metatwo/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml 10.10.11.186
Nmap scan report for metatwo.htb (10.10.11.186)
Host is up, received user-set (0.023s latency).
Scanned at 2023-01-25 11:18:40 EST for 1s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 c4b44617d2102d8fec1dc927fecd79ee (RSA)
| ssh-rsa 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
| 256 2aea2fcb23e8c529409cab866dcd4411 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB1ZmNogWBUF8MwkNsezebQ+0/yPq7RX3/j9s4Qh8jbGlmvAcN0Z/aIBrzbEuTRf3/cHehtaNf9qrF2ehQAeM94=
| 256 fd78c0b0e22016fa050debd83f12a4ab (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOP4kxBr9kumAjfplon8fXJpuqhdMJy2rpd3FM7+mGw2
|_banner: SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1
| ssh2-enum-algos:
| kex_algorithms: (9)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| diffie-hellman-group14-sha256
| server_host_key_algorithms: (5)
| rsa-sha2-512
| rsa-sha2-256
| ssh-rsa
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (6)
| chacha20-poly1305@openssh.com
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| mac_algorithms: (10)
| umac-64-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-64@openssh.com
| umac-128@openssh.com
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 25 11:18:41 2023 -- 1 IP address (1 host up) scanned in 1.82 seconds
```
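Review bot: worth recording as findings rather than leaving them buried in raw output: ssh2-enum-algos shows the server still offering `ssh-rsa` (SHA-1 signatures) among its host key algorithms and the `hmac-sha1` / `hmac-sha1-etm@openssh.com` MACs, and ssh-auth-methods lists `password` alongside `publickey`. On a hardened OpenSSH 8.4 host these would be removed via `HostKeyAlgorithms`, `MACs` and `PasswordAuthentication no` in sshd_config; that is the defensive takeaway of this scan and belongs in the notes file.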

@@ -0,0 +1,24 @@
```bash
curl -sSikf http://10.10.11.186:80/robots.txt
```
[/home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_curl-robots.txt](file:///home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_curl-robots.txt):
```
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.18.0
Date: Wed, 25 Jan 2023 16:18:41 GMT
Content-Type: text/html
Content-Length: 145
Connection: keep-alive
Location: http://metapress.htb/
<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.18.0</center>
</body>
</html>
```

@@ -0,0 +1,25 @@
```bash
curl -sSik http://10.10.11.186:80/
```
[/home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_curl.html](file:///home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_curl.html):
```
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.18.0
Date: Wed, 25 Jan 2023 16:18:41 GMT
Content-Type: text/html
Content-Length: 145
Connection: keep-alive
Location: http://metapress.htb/
<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.18.0</center>
</body>
</html>
```

@@ -0,0 +1,13 @@
```bash
feroxbuster -u http://10.10.11.186:80/ -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -q -e -o "/home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_feroxbuster_directory-list-2.3-medium.txt"
```
[/home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_feroxbuster_directory-list-2.3-medium.txt](file:///home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_feroxbuster_directory-list-2.3-medium.txt):
```
WLD GET 7l 9w 145c Got 302 for http://10.10.11.186/e578455e6e054d249578bf7e6c0cd509 (url length: 32)
WLD - - - http://10.10.11.186/e578455e6e054d249578bf7e6c0cd509 => http://metapress.htb/
WLD GET 7l 9w 145c Got 302 for http://10.10.11.186/fd84f08f2434479395436880d4806dcb22b8a6a25bd84c0ab30854d5a635138e9e033de8f46a4034a7119bf91a8e07fb (url length: 96)
WLD - - - http://10.10.11.186/fd84f08f2434479395436880d4806dcb22b8a6a25bd84c0ab30854d5a635138e9e033de8f46a4034a7119bf91a8e07fb => http://metapress.htb/
```

@@ -0,0 +1,24 @@
```bash
curl -sSikf http://10.10.11.186:80/.well-known/security.txt
```
[/home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_known-security.txt](file:///home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_known-security.txt):
```
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.18.0
Date: Wed, 25 Jan 2023 16:18:41 GMT
Content-Type: text/html
Content-Length: 145
Connection: keep-alive
Location: http://metapress.htb/
<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.18.0</center>
</body>
</html>
```

@@ -0,0 +1,88 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/metatwo/results/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.10.11.186
```
[/home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_nmap.txt](file:///home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_nmap.txt):
```
# Nmap 7.93 scan initiated Wed Jan 25 11:18:39 2023 as: nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_nmap.txt -oX /home/kali/htb/metatwo/results/scans/tcp80/xml/tcp_80_http_nmap.xml 10.10.11.186
Nmap scan report for metatwo.htb (10.10.11.186)
Host is up, received user-set (0.028s latency).
Scanned at 2023-01-25 11:18:40 EST for 81s
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack nginx 1.18.0
| http-vhosts:
|_128 names had status 302
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-sitemap-generator:
| Directory structure:
| Longest directory structure:
| Depth: 0
| Dir: /
| Total files found (by extension):
|_
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
|_http-chrono: Request times for /; avg: 215.68ms; min: 203.92ms; max: 255.33ms
|_http-server-header: nginx/1.18.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-mobileversion-checker: No mobile version detected.
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://metapress.htb/
|_http-errors: Couldn't find any error pages.
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-comments-displayer: Couldn't find any comments.
|_http-feed: Couldn't find any feeds.
| http-headers:
| Server: nginx/1.18.0
| Date: Wed, 25 Jan 2023 16:18:51 GMT
| Content-Type: text/html
| Content-Length: 145
| Connection: close
| Location: http://metapress.htb/
|
|_ (Request type: GET)
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
|_http-referer-checker: Couldn't find any cross-domain scripts.
|_http-date: Wed, 25 Jan 2023 16:18:48 GMT; +2s from local time.
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
| http-useragent-tester:
| Status for browser useragent: 200
| Redirected To: http://metapress.htb/
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
| http-security-headers:
| Cache_Control:
| Header: Cache-Control: no-store, no-cache, must-revalidate
| Pragma:
| Header: Pragma: no-cache
| Expires:
|_ Header: Expires: Thu, 19 Nov 1981 08:52:00 GMT
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 25 11:20:01 2023 -- 1 IP address (1 host up) scanned in 81.17 seconds
```
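Review bot: every http-* script in this file ran against 10.10.11.186 and received only the 145-byte 302 to http://metapress.htb/ (see the http-headers and http-title entries), so the `Couldn't find any ...` lines and `http-wordpress-users: [Error] Wordpress installation was not found` describe the redirect page, not the application; the whatweb report later in this commit, which follows the redirect, identifies WordPress 5.6.2. Also `http-config-backup: ERROR: Script execution failed` is a script failure, not a negative result, and should not be read as "no backup files found".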

@@ -0,0 +1,11 @@
```bash
curl -sk -o /dev/null -H "Host: yQBDdkqpvKEGuxwSOHam.metapress.htb" http://metapress.htb:80/ -w "%{size_download}"
``````bash
ffuf -u http://metapress.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.metapress.htb" -fs 145 -noninteractive -s | tee "/home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_metapress.htb_vhosts_subdomains-top1million-110000.txt"
```
[/home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_metapress.htb_vhosts_subdomains-top1million-110000.txt](file:///home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_metapress.htb_vhosts_subdomains-top1million-110000.txt):
```
```
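Review bot: the closing fence of the curl block and the opening fence of the ffuf block are fused into ``````bash on hunk line 3, which markdown renders as one broken block; put a newline between ``` and ```bash. The results section at the end is an empty fence, which is consistent with `-fs 145` (the size of the redirect body measured by the curl line) filtering every response, i.e. no candidate vhost answered differently; say so explicitly rather than leaving an empty block that reads like a missing file.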

@@ -0,0 +1,147 @@
```bash
whatweb --color=never --no-errors -a 3 -v http://10.10.11.186:80 2>&1
```
[/home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_whatweb.txt](file:///home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_whatweb.txt):
```
WhatWeb report for http://10.10.11.186:80
Status : 302 Found
Title : 302 Found
IP : 10.10.11.186
Country : RESERVED, ZZ
Summary : HTTPServer[nginx/1.18.0], nginx[1.18.0], RedirectLocation[http://metapress.htb/]
Detected Plugins:
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : nginx/1.18.0 (from server string)
[ RedirectLocation ]
HTTP Server string location. used with http-status 301 and
302
String : http://metapress.htb/ (from location)
[ nginx ]
Nginx (Engine-X) is a free, open-source, high-performance
HTTP server and reverse proxy, as well as an IMAP/POP3
proxy server.
Version : 1.18.0
Website : http://nginx.net/
HTTP Headers:
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.18.0
Date: Wed, 25 Jan 2023 16:18:42 GMT
Content-Type: text/html
Content-Length: 145
Connection: close
Location: http://metapress.htb/
WhatWeb report for http://metapress.htb/
Status : 200 OK
Title : MetaPress &#8211; Official company site
IP : 10.10.11.186
Country : RESERVED, ZZ
Summary : Cookies[PHPSESSID], HTML5, HTTPServer[nginx/1.18.0], MetaGenerator[WordPress 5.6.2], nginx[1.18.0], PHP[8.0.24], PoweredBy[--], Script, UncommonHeaders[link], WordPress[5.6.2], X-Powered-By[PHP/8.0.24]
Detected Plugins:
[ Cookies ]
Display the names of cookies in the HTTP headers. The
values are not returned to save on space.
String : PHPSESSID
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : nginx/1.18.0 (from server string)
[ MetaGenerator ]
This plugin identifies meta generator tags and extracts its
value.
String : WordPress 5.6.2
[ PHP ]
PHP is a widely-used general-purpose scripting language
that is especially suited for Web development and can be
embedded into HTML. This plugin identifies PHP errors,
modules and versions and extracts the local file path and
username if present.
Version : 8.0.24
Google Dorks: (2)
Website : http://www.php.net/
[ PoweredBy ]
This plugin identifies instances of 'Powered by x' text and
attempts to extract the value for x.
String : --
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
[ UncommonHeaders ]
Uncommon HTTP server headers. The blacklist includes all
the standard headers and many non standard but common ones.
Interesting but fairly common headers should have their own
plugins, eg. x-powered-by, server and x-aspnet-version.
Info about headers can be found at www.http-stats.com
String : link (from headers)
[ WordPress ]
WordPress is an opensource blogging system commonly used as
a CMS.
Version : 5.6.2
Aggressive function available (check plugin file or details).
Google Dorks: (1)
Website : http://www.wordpress.org/
[ X-Powered-By ]
X-Powered-By HTTP header
String : PHP/8.0.24 (from x-powered-by string)
[ nginx ]
Nginx (Engine-X) is a free, open-source, high-performance
HTTP server and reverse proxy, as well as an IMAP/POP3
proxy server.
Version : 1.18.0
Website : http://nginx.net/
HTTP Headers:
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 25 Jan 2023 16:18:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/8.0.24
Set-Cookie: PHPSESSID=2ov58ptej4gtfom05meggtjkus; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Link: <http://metapress.htb/wp-json/>; rel="https://api.w.org/"
Content-Encoding: gzip
```
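Review bot: the second report (after following the redirect to http://metapress.htb/) holds the real findings, and they are all version disclosures a defender would want to suppress: `MetaGenerator[WordPress 5.6.2]` from the generator meta tag, and the `X-Powered-By: PHP/8.0.24` and `Server: nginx/1.18.0` headers. The `Set-Cookie: PHPSESSID=...; path=/` line also shows the session cookie being issued without `HttpOnly` or `SameSite` attributes. Summarise these in the notes file rather than leaving them only inside the raw whatweb dump.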

@@ -0,0 +1,3 @@
```bash
wkhtmltoimage --format png http://10.10.11.186:80/ /home/kali/htb/metatwo/results/scans/tcp80/tcp_80_http_screenshot.png
```