old htb folders
2023-08-29 21:53:22 +02:00
parent 62ab804867
commit 82b0759f1e
21891 changed files with 6277643 additions and 0 deletions

@@ -0,0 +1,71 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 22 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "/home/kali/htb/soccer/results/scans/tcp22/tcp_22_ssh_nmap.txt" -oX "/home/kali/htb/soccer/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml" 10.10.11.194
```
[/home/kali/htb/soccer/results/scans/tcp22/tcp_22_ssh_nmap.txt](file:///home/kali/htb/soccer/results/scans/tcp22/tcp_22_ssh_nmap.txt):
```
# Nmap 7.93 scan initiated Fri Jan 27 10:42:19 2023 as: nmap -vv --reason -Pn -T4 -sV -p 22 --script=banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /home/kali/htb/soccer/results/scans/tcp22/tcp_22_ssh_nmap.txt -oX /home/kali/htb/soccer/results/scans/tcp22/xml/tcp_22_ssh_nmap.xml 10.10.11.194
Nmap scan report for soccer.htb (10.10.11.194)
Host is up, received user-set (0.077s latency).
Scanned at 2023-01-27 10:42:19 CET for 1s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ad0d84a3fdcc98a478fef94915dae16d (RSA)
| ssh-rsa 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
| 256 dfd6a39f68269dfc7c6a0c29e961f00c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIy3gWUPD+EqFcmc0ngWeRLfCr68+uiuM59j9zrtLNRcLJSTJmlHUdcq25/esgeZkyQ0mr2RZ5gozpBd5yzpdzk=
| 256 5797565def793c2fcbdb35fff17c615c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2Pj1mZ0q8u/E8K49Gezm3jguM3d8VyAYsX0QyaN6H/
|_banner: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
| ssh2-enum-algos:
| kex_algorithms: (9)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| diffie-hellman-group14-sha256
| server_host_key_algorithms: (5)
| rsa-sha2-512
| rsa-sha2-256
| ssh-rsa
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (6)
| chacha20-poly1305@openssh.com
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| mac_algorithms: (10)
| umac-64-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-64@openssh.com
| umac-128@openssh.com
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 27 10:42:20 2023 -- 1 IP address (1 host up) scanned in 1.54 seconds
```
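Review bot: the ssh-auth-methods and ssh2-enum-algos output carries findings that this results file never summarises: password authentication is enabled alongside publickey, and OpenSSH 8.2p1 here still offers ssh-rsa (SHA-1 signatures) under server_host_key_algorithms and hmac-sha1 / hmac-sha1-etm@openssh.com under mac_algorithms. A one-line findings summary under the raw paste would make the file useful on re-read. The report header also resolves 10.10.11.194 to soccer.htb, so a hosts mapping was in place when this ran; it is not recorded anywhere in the notes and should be.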

@@ -0,0 +1,24 @@
```bash
curl -sSikf http://10.10.11.194:80/robots.txt
```
[/home/kali/htb/soccer/results/scans/tcp80/tcp_80_http_curl-robots.txt](file:///home/kali/htb/soccer/results/scans/tcp80/tcp_80_http_curl-robots.txt):
```
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 27 Jan 2023 09:42:19 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: http://soccer.htb/robots.txt
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
```
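Review bot: this curl was run against the raw IP and only captured nginx's 301 to http://soccer.htb/robots.txt (the 178-byte redirect page), so the saved file does not tell us whether a robots.txt exists at all. Re-run against http://soccer.htb/robots.txt, or add -L so the body of the redirect target is what gets saved; the same applies to the / and .well-known/security.txt fetches in this commit, which recorded the identical redirect page.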

@@ -0,0 +1,25 @@
```bash
curl -sSik http://10.10.11.194:80/
```
[/home/kali/htb/soccer/results/scans/tcp80/tcp_80_http_curl.html](file:///home/kali/htb/soccer/results/scans/tcp80/tcp_80_http_curl.html):
```
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 27 Jan 2023 09:42:19 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: http://soccer.htb/
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
```

@@ -0,0 +1,11 @@
```bash
feroxbuster -u http://10.10.11.194:80/ -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -q -e -o "/home/kali/htb/soccer/results/scans/tcp80/tcp_80_http_feroxbuster_directory-list-2.3-medium.txt"
```
[/home/kali/htb/soccer/results/scans/tcp80/tcp_80_http_feroxbuster_directory-list-2.3-medium.txt](file:///home/kali/htb/soccer/results/scans/tcp80/tcp_80_http_feroxbuster_directory-list-2.3-medium.txt):
```
WLD GET 7l 12w 178c Got 301 for http://10.10.11.194/805749485a5b4fe19ef44e590a9b4ed2 (url length: 32)
WLD - - - http://10.10.11.194/805749485a5b4fe19ef44e590a9b4ed2 => http://soccer.htb/805749485a5b4fe19ef44e590a9b4ed2
```
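Review bot: the results file holds only the two wildcard-detection lines (a 301 for the random 32-character path, redirected to http://soccer.htb/...) and no actual hits: because every path on the IP-based vhost answers with the same 301 to soccer.htb, the wildcard filter suppresses every response and the whole wordlist run enumerates nothing. Re-run with -u http://soccer.htb/ so the real site's responses are what gets bruteforced, and keep this file only as a record of why the first run came back empty.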

@@ -0,0 +1,24 @@
```bash
curl -sSikf http://10.10.11.194:80/.well-known/security.txt
```
[/home/kali/htb/soccer/results/scans/tcp80/tcp_80_http_known-security.txt](file:///home/kali/htb/soccer/results/scans/tcp80/tcp_80_http_known-security.txt):
```
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 27 Jan 2023 09:42:19 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: http://soccer.htb/.well-known/security.txt
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
```

@@ -0,0 +1,124 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/kali/htb/soccer/results/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/kali/htb/soccer/results/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.10.11.194
```
[/home/kali/htb/soccer/results/scans/tcp80/tcp_80_http_nmap.txt](file:///home/kali/htb/soccer/results/scans/tcp80/tcp_80_http_nmap.txt):
```
# Nmap 7.93 scan initiated Fri Jan 27 10:42:19 2023 as: nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/kali/htb/soccer/results/scans/tcp80/tcp_80_http_nmap.txt -oX /home/kali/htb/soccer/results/scans/tcp80/xml/tcp_80_http_nmap.xml 10.10.11.194
Nmap scan report for soccer.htb (10.10.11.194)
Host is up, received user-set (0.026s latency).
Scanned at 2023-01-27 10:42:19 CET for 70s
Bug in http-security-headers: no string output.
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack nginx 1.18.0 (Ubuntu)
|_http-fetch: Please enter the complete path of the directory to save data in.
| http-referer-checker:
| Spidering limited to: maxpagecount=30
| https://cdn.jsdelivr.net:443/npm/bootstrap15.2.2/dist/js/bootstrap.bundle.min.js
| http://maxcdn.bootstrapcdn.com:80/bootstrap/4.1.1/js/bootstrap.min.js
| http://cdnjs.cloudflare.com:80/ajax/libs/jquery/3.2.1/jquery.min.js
|_ https://ajax.googleapis.com:443/ajax/libs/jquery/3.6.0/jquery.min.js
|_http-chrono: Request times for /; avg: 167.91ms; min: 157.46ms; max: 176.69ms
|_http-mobileversion-checker: No mobile version detected.
| http-sitemap-generator:
| Directory structure:
| /
| Other: 1; jpg: 4
| Longest directory structure:
| Depth: 0
| Dir: /
| Total files found (by extension):
|_ Other: 1; jpg: 4
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-headers:
| Server: nginx/1.18.0 (Ubuntu)
| Date: Fri, 27 Jan 2023 09:42:28 GMT
| Content-Type: text/html
| Content-Length: 6917
| Last-Modified: Thu, 17 Nov 2022 08:07:11 GMT
| Connection: close
| ETag: "6375ebaf-1b05"
| Accept-Ranges: bytes
|
|_ (Request type: HEAD)
| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: CVE:CVE-2011-3192 BID:49303
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011-08-19
| References:
| https://seclists.org/fulldisclosure/2011/Aug/175
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
| https://www.securityfocus.com/bid/49303
|_ https://www.tenable.com/plugins/nessus/55976
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=soccer.htb
|
| Path: http://soccer.htb:80/
| Line number: 145
| Comment:
| <!-- /.container -->
|
| Path: http://soccer.htb:80/
| Line number: 142
| Comment:
| <!-- /.row -->
|
| Path: http://soccer.htb:80/
| Line number: 106
| Comment:
|_ <!-- Page Content -->
| http-vhosts:
|_128 names had status 301
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-php-version: Logo query returned unknown hash ad6ef659069e5f1721a5932f71942408
|_Credits query returned unknown hash ad6ef659069e5f1721a5932f71942408
|_http-title: Soccer - Index
|_http-errors: Couldn't find any error pages.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-exif-spider: ERROR: Script execution failed (use -d to debug)
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
|_http-date: Fri, 27 Jan 2023 09:42:28 GMT; 0s from local time.
| http-useragent-tester:
| Status for browser useragent: 200
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
|_http-feed: Couldn't find any feeds.
|_http-malware-host: Host appears to be clean
| http-methods:
|_ Supported Methods: GET HEAD
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 27 10:43:30 2023 -- 1 IP address (1 host up) scanned in 70.83 seconds
```
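Review bot: the http-vuln-cve2011-3192 block reports "State: VULNERABLE" for the Apache byterange filter DoS, but the same output identifies the server as nginx 1.18.0 (Ubuntu) in both the service line and http-server-header, so this should be recorded as an unverified, probable false positive of the NSE check rather than as a finding. Two other lines are scan-quality issues worth flagging in the notes: "Bug in http-security-headers: no string output." means the security-headers check produced nothing and should be redone separately, and http-vhosts "128 names had status 301" is just the catch-all redirect to soccer.htb seen across this commit, not 128 real virtual hosts.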

@@ -0,0 +1,11 @@
```bash
curl -sk -o /dev/null -H "Host: TftyUjcxjULDwbGIAAgk.soccer.htb" http://soccer.htb:80/ -w "%{size_download}"
``````bash
ffuf -u http://soccer.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.soccer.htb" -fs 178 -noninteractive -s | tee "/home/kali/htb/soccer/results/scans/tcp80/tcp_80_http_soccer.htb_vhosts_subdomains-top1million-110000.txt"
```
[/home/kali/htb/soccer/results/scans/tcp80/tcp_80_http_soccer.htb_vhosts_subdomains-top1million-110000.txt](file:///home/kali/htb/soccer/results/scans/tcp80/tcp_80_http_soccer.htb_vhosts_subdomains-top1million-110000.txt):
```
```
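Review bot: the closing fence of the curl block and the opening fence of the ffuf block are glued onto one line ("``````bash"), so the markdown renders both commands as one broken block; put the closing ``` and the opening ```bash on separate lines. The calibration curl exists to measure the size of the catch-all response (it prints %{size_download}), but its result was not saved, so the -fs 178 filter on the ffuf line is only explained by the Content-Length: 178 seen in the other curl outputs in this commit; note the measured value next to the command. The linked results file is empty, which means no Host header in the list produced a response of a different size; say so in a sentence rather than leaving an empty fence that reads like a failed run.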

@@ -0,0 +1,116 @@
```bash
whatweb --color=never --no-errors -a 3 -v http://10.10.11.194:80 2>&1
```
[/home/kali/htb/soccer/results/scans/tcp80/tcp_80_http_whatweb.txt](file:///home/kali/htb/soccer/results/scans/tcp80/tcp_80_http_whatweb.txt):
```
WhatWeb report for http://10.10.11.194:80
Status : 301 Moved Permanently
Title : 301 Moved Permanently
IP : 10.10.11.194
Country : RESERVED, ZZ
Summary : HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], nginx[1.18.0], RedirectLocation[http://soccer.htb/]
Detected Plugins:
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : nginx/1.18.0 (Ubuntu) (from server string)
[ RedirectLocation ]
HTTP Server string location. used with http-status 301 and
302
String : http://soccer.htb/ (from location)
[ nginx ]
Nginx (Engine-X) is a free, open-source, high-performance
HTTP server and reverse proxy, as well as an IMAP/POP3
proxy server.
Version : 1.18.0
Website : http://nginx.net/
HTTP Headers:
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 27 Jan 2023 09:42:21 GMT
Content-Type: text/html
Content-Length: 178
Connection: close
Location: http://soccer.htb/
WhatWeb report for http://soccer.htb/
Status : 200 OK
Title : Soccer - Index
IP : 10.10.11.194
Country : RESERVED, ZZ
Summary : Bootstrap[4.1.1], HTML5, HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], JQuery[3.2.1,3.6.0], nginx[1.18.0], Script, X-UA-Compatible[IE=edge]
Detected Plugins:
[ Bootstrap ]
Bootstrap is an open source toolkit for developing with
HTML, CSS, and JS.
Version : 4.1.1
Version : 4.1.1
Website : https://getbootstrap.com/
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : nginx/1.18.0 (Ubuntu) (from server string)
[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.
Version : 3.2.1,3.6.0
Website : http://jquery.com/
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
[ X-UA-Compatible ]
This plugin retrieves the X-UA-Compatible value from the
HTTP header and meta http-equiv tag. - More Info:
http://msdn.microsoft.com/en-us/library/cc817574.aspx
String : IE=edge
[ nginx ]
Nginx (Engine-X) is a free, open-source, high-performance
HTTP server and reverse proxy, as well as an IMAP/POP3
proxy server.
Version : 1.18.0
Website : http://nginx.net/
HTTP Headers:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 27 Jan 2023 09:42:23 GMT
Content-Type: text/html
Last-Modified: Thu, 17 Nov 2022 08:07:11 GMT
Transfer-Encoding: chunked
Connection: close
ETag: W/"6375ebaf-1b05"
Content-Encoding: gzip
```
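Review bot: the Summary for http://soccer.htb/ lists JQuery[3.2.1,3.6.0], i.e. two jQuery versions loaded on one page, plus Bootstrap[4.1.1]; these third-party library versions are worth pulling into a findings line for later review instead of leaving them buried in the raw report. The repeated "Version : 4.1.1" under [ Bootstrap ] is WhatWeb's own output, not a copy-paste error, so it can stay as-is.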

@@ -0,0 +1,3 @@
```bash
wkhtmltoimage --format png http://10.10.11.194:80/ /home/kali/htb/soccer/results/scans/tcp80/tcp_80_http_screenshot.png
```