# Nmap 7.93 scan initiated Wed Feb 1 17:50:14 2023 as: nmap -vv --reason -Pn -T4 -sV -p 443 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/kali/htb/broscience/results/scans/tcp443/tcp_443_https_nmap.txt -oX /home/kali/htb/broscience/results/scans/tcp443/xml/tcp_443_https_nmap.xml 10.10.11.195
Nmap scan report for broscience.htb (10.10.11.195)
Host is up, received user-set (0.030s latency).
Scanned at 2023-02-01 17:50:14 CET for 352s

PORT    STATE SERVICE REASON         VERSION
443/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.54 ((Debian))
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 3072) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 3072) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 3072) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 3072) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (dh 3072) of lower strength than certificate key
|       Key exchange (secp256r1) of lower strength than certificate key
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 3072) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 3072) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 3072) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 3072) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (dh 3072) of lower strength than certificate key
|       Key exchange (secp256r1) of lower strength than certificate key
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 3072) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 3072) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM (dh 3072) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 3072) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 3072) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 3072) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 3072) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM (dh 3072) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 3072) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 3072) - A
|       TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 3072) - A
|       TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 3072) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 3072) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 3072) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 3072) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 3072) - A
|       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 3072) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CCM (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CCM_8 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CCM (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CCM_8 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|       TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 4096) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (dh 3072) of lower strength than certificate key
|       Key exchange (secp256r1) of lower strength than certificate key
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: client
|_  least strength: A
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-server-header: Apache/2.4.54 (Debian)
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number= for deeper analysis)
|_http-feed: Couldn't find any feeds.
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit= for deeper analysis)
| http-vhosts:
|_128 names had status 400
|_http-date: Wed, 01 Feb 2023 16:50:48 GMT; +1s from local time.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-referer-checker: Couldn't find any cross-domain scripts.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| ssl-cert: Subject: commonName=broscience.htb/organizationName=BroScience/countryName=AT/localityName=Vienna/emailAddress=administrator@broscience.htb
| Issuer: commonName=broscience.htb/organizationName=BroScience/countryName=AT/localityName=Vienna/emailAddress=administrator@broscience.htb
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-07-14T19:48:36
| Not valid after: 2023-07-14T19:48:36
| MD5: 5328ddd62f3429d11d26ae8a68d86e0c
| SHA-1: 20568d0d9e4109cde5a22021fe3f349c40d8d75b
|_http-mobileversion-checker: No mobile version detected.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
| http-sitemap-generator:
|   Directory structure:
|   Longest directory structure:
|     Depth: 0
|     Dir: /
|   Total files found (by extension):
|_
| http-errors:
| Spidering limited to: maxpagecount=40; withinhost=broscience.htb
|   Found the following error pages:
|
|   Error Code: 400
|_  http://broscience.htb:443/
|_ssl-date: TLS randomness does not represent time
|_http-chrono: Request times for /; avg: 260.46ms; min: 153.74ms; max: 364.01ms
|_http-comments-displayer: Couldn't find any comments.
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
| http-headers:
|   Date: Wed, 01 Feb 2023 16:50:51 GMT
|   Server: Apache/2.4.54 (Debian)
|   Content-Length: 458
|   Connection: close
|   Content-Type: text/html; charset=iso-8859-1
|
|_  (Request type: GET)
|_http-malware-host: Host appears to be clean
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
| http-security-headers:
|   Strict_Transport_Security:
|_    HSTS not configured in HTTPS Server
| http-useragent-tester:
|   Status for browser useragent: 400
|   Allowed User Agents:
|     Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
|     libwww
|     lwp-trivial
|     libcurl-agent/1.0
|     PHP/
|     Python-urllib/2.5
|     GT::WWW
|     Snoopy
|     MFC_Tear_Sample
|     HTTP::Lite
|     PHPCrawl
|     URI::Fetch
|     Zend_Http_Client
|     http client
|     PECL::HTTP
|     Wget/1.13.4 (linux-gnu)
|_    WWW-Mechanize/1.34
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
|_http-title: 400 Bad Request

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 1 17:56:06 2023 -- 1 IP address (1 host up) scanned in 352.25 seconds