[HTB] Machine: Aragog

Aragog

Enumeration

• nmap

└─$ nmap -Pn -p- 10.10.10.78 --min-rate 5000
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-18 18:10 BST
Nmap scan report for 10.10.10.78 (10.10.10.78)
Host is up (0.15s latency).
Not shown: 65493 filtered tcp ports (no-response), 39 closed tcp ports (conn-refused)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 26.62 seconds

└─$ nmap -Pn -p21,22,80 -sC -sV 10.10.10.78 --min-rate 5000
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-18 18:11 BST
Nmap scan report for 10.10.10.78 (10.10.10.78)
Host is up (0.12s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r--r--r--    1 ftp      ftp            86 Dec 21  2017 test.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.16.5
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ad:21:fb:50:16:d4:93:dc:b7:29:1f:4c:c2:61:16:48 (RSA)
|   256 2c:94:00:3c:57:2f:c2:49:77:24:aa:22:6a:43:7d:b1 (ECDSA)
|_  256 9a:ff:8b:e4:0e:98:70:52:29:68:0e:cc:a0:7d:5c:1f (ED25519)
80/tcp open  http    Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://aragog.htb/
Service Info: Host: aragog.htb; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.47 seconds

• ftp

└─$ ftp anonymous@10.10.10.78  
Connected to 10.10.10.78.
220 (vsFTPd 3.0.3)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||43838|)
150 Here comes the directory listing.
-r--r--r--    1 ftp      ftp            86 Dec 21  2017 test.txt
226 Directory send OK.
ftp> more test.txt
<details>
    <subnet_mask>255.255.255.192</subnet_mask>
    <test></test>
</details>

• Web server

[HTB] Machine: Celestial

Celestial

Enumeration

• nmap

└─$ nmap -sC -sV 10.10.10.85                
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-18 16:43 BST
Nmap scan report for 10.10.10.85 (10.10.10.85)
Host is up (0.15s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=utf-8).

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.38 seconds

• Web Server

[HTB] Machine: TartarSauce

TartarSauce

Enumeration

• nmap

└─$ nmap -Pn -p- 10.10.10.88 --min-rate 10000
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-17 18:17 BST
Nmap scan report for 10.10.10.88 (10.10.10.88)
Host is up (0.10s latency).
Not shown: 65449 filtered tcp ports (no-response), 85 closed tcp ports (conn-refused)
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 13.74 seconds

└─$ nmap -Pn -p80 -sC -sV 10.10.10.88 --min-rate 10000
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-17 18:18 BST
Nmap scan report for 10.10.10.88 (10.10.10.88)
Host is up (0.097s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Landing Page
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 5 disallowed entries 
| /webservices/tar/tar/source/ 
| /webservices/monstra-3.0.4/ /webservices/easy-file-uploader/ 
|_/webservices/developmental/ /webservices/phpmyadmin/

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.38 seconds

• Web Server

[HTB] Machine: Europa

Europa

Enumeration

• nmap

└─$ nmap -Pn -p- 10.10.10.22 --min-rate 10000    
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-16 18:03 BST
Nmap scan report for 10.10.10.22 (10.10.10.22)
Host is up (0.11s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 36.67 seconds

└─$ nmap -Pn -p22,80,443 -sC -sV 10.10.10.22 --min-rate 10000
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-16 18:05 BST
Nmap scan report for 10.10.10.22 (10.10.10.22)
Host is up (0.13s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6b:55:42:0a:f7:06:8c:67:c0:e2:5c:05:db:09:fb:78 (RSA)
|   256 b1:ea:5e:c4:1c:0a:96:9e:93:db:1d:ad:22:50:74:75 (ECDSA)
|_  256 33:1f:16:8d:c0:24:78:5f:5b:f5:6d:7f:f7:b4:f2:e5 (ED25519)
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| ssl-cert: Subject: commonName=europacorp.htb/organizationName=EuropaCorp Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.europacorp.htb, DNS:admin-portal.europacorp.htb
| Not valid before: 2017-04-19T09:06:22
|_Not valid after:  2027-04-17T09:06:22
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.79 seconds

• Web Server
  • Add hosts from nmap results to /etc/hosts

[HTB] Machine: Cronos

Cronos

Enumeration

• nmap

└─$ nmap -Pn -p- 10.10.10.13 -T4                            
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-01 14:23 BST
Stats: 0:00:02 elapsed; 0 hosts completed (0 up), 0 undergoing Host Discovery
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Warning: 10.10.10.13 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.10.13 (10.10.10.13)
Host is up (0.15s latency).
Not shown: 65520 closed tcp ports (conn-refused)
PORT      STATE    SERVICE
22/tcp    open     ssh
53/tcp    open     domain
80/tcp    open     http

└─$ nmap -Pn -p22,53,80 -sC -sV 10.10.10.13 -T4
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-01 15:04 BST
Nmap scan report for 10.10.10.13 (10.10.10.13)
Host is up (0.12s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

• Web server

[HTB] Machine: LaCasaDePapel

LaCasaDePapel

Enumeration

• nmap

└─$ nmap -sC -sV -Pn 10.10.10.131             
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-19 16:13 BST
Nmap scan report for 10.10.10.131 (10.10.10.131)
Host is up (0.19s latency).
Not shown: 982 closed tcp ports (conn-refused)
PORT      STATE    SERVICE         VERSION
21/tcp    open     ftp             vsftpd 2.3.4
22/tcp    open     ssh             OpenSSH 7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 03e1c2c9791ca66b51348d7ac3c7c850 (RSA)
|   256 41e495a3390b25f9dadebe6adc59486d (ECDSA)
|_  256 300bc6662b8f5e4f2628750ef5b171e4 (ED25519)
80/tcp    open     http            Node.js (Express middleware)
|_http-title: La Casa De Papel
119/tcp   filtered nntp
443/tcp   open     ssl/http        Node.js Express framework
|_http-title: La Casa De Papel
| tls-nextprotoneg: 
|   http/1.1
|_  http/1.0
| ssl-cert: Subject: commonName=lacasadepapel.htb/organizationName=La Casa De Papel
| Not valid before: 2019-01-27T08:35:30
|_Not valid after:  2029-01-24T08:35:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
1065/tcp  filtered syscomlan
1084/tcp  filtered ansoft-lm-2
1112/tcp  filtered msql
1914/tcp  filtered elm-momentum
2034/tcp  filtered scoremgr
2119/tcp  filtered gsigatekeeper
4444/tcp  filtered krb524
7000/tcp  filtered afs3-fileserver
15660/tcp filtered bex-xr
19350/tcp filtered unknown
20031/tcp filtered unknown
34571/tcp filtered unknown
52869/tcp filtered unknown
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.58 seconds

• Web Server

[HTB] Machine: Curling

Curling

Enumeration

• nmap

└─$ nmap -sC -sV 10.10.10.150
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-12 17:50 BST
Nmap scan report for 10.10.10.150 (10.10.10.150)
Host is up (0.18s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8ad169b490203ea7b65401eb68303aca (RSA)
|   256 9f0bc2b20bad8fa14e0bf63379effb43 (ECDSA)
|_  256 c12a3544300c5b566a3fa5cc6466d9a9 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Home
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-generator: Joomla! - Open Source Content Management
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.29 seconds

• gobuster

└─$ gobuster dir -u http://10.10.10.150 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50        
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.150
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/06/12 18:07:47 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 14264]
/media                (Status: 301) [Size: 312] [--> http://10.10.10.150/media/]
/templates            (Status: 301) [Size: 316] [--> http://10.10.10.150/templates/]
/modules              (Status: 301) [Size: 314] [--> http://10.10.10.150/modules/]
/.php                 (Status: 403) [Size: 277]
/images               (Status: 301) [Size: 313] [--> http://10.10.10.150/images/]
/bin                  (Status: 301) [Size: 310] [--> http://10.10.10.150/bin/]
/plugins              (Status: 301) [Size: 314] [--> http://10.10.10.150/plugins/]
/includes             (Status: 301) [Size: 315] [--> http://10.10.10.150/includes/]
/language             (Status: 301) [Size: 315] [--> http://10.10.10.150/language/]
/README.txt           (Status: 200) [Size: 4872]
/components           (Status: 301) [Size: 317] [--> http://10.10.10.150/components/]
/cache                (Status: 301) [Size: 312] [--> http://10.10.10.150/cache/]
/libraries            (Status: 301) [Size: 316] [--> http://10.10.10.150/libraries/]
/tmp                  (Status: 301) [Size: 310] [--> http://10.10.10.150/tmp/]
/LICENSE.txt          (Status: 200) [Size: 18092]
/layouts              (Status: 301) [Size: 314] [--> http://10.10.10.150/layouts/]
/secret.txt           (Status: 200) [Size: 17]
/administrator        (Status: 301) [Size: 320] [--> http://10.10.10.150/administrator/]
/configuration.php    (Status: 200) [Size: 0]
/htaccess.txt         (Status: 200) [Size: 3005]
/cli                  (Status: 301) [Size: 310] [--> http://10.10.10.150/cli/]
Progress: 220515 / 220561 (99.98%)
===============================================================
2023/06/12 18:16:06 Finished
===============================================================

• Web server

[HTB] Machine: Teacher

Teacher

Enumeration

• nmap

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 10.10.10.153                                 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-15 16:50 BST
Nmap scan report for 10.10.10.153 (10.10.10.153)
Host is up (0.10s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.53 seconds

• gobuster

└─$ gobuster dir -u http://10.10.10.153 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -x html,txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.153
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              txt,html
[+] Timeout:                 10s
===============================================================
2023/06/15 16:47:54 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 292]
/images               (Status: 301) [Size: 313] [--> http://10.10.10.153/images/]
/index.html           (Status: 200) [Size: 8028]
/gallery.html         (Status: 200) [Size: 8254]
/css                  (Status: 301) [Size: 310] [--> http://10.10.10.153/css/]
/manual               (Status: 301) [Size: 313] [--> http://10.10.10.153/manual/]
/js                   (Status: 301) [Size: 309] [--> http://10.10.10.153/js/]
/javascript           (Status: 301) [Size: 317] [--> http://10.10.10.153/javascript/]
/fonts                (Status: 301) [Size: 312] [--> http://10.10.10.153/fonts/]
/phpmyadmin           (Status: 403) [Size: 297]
/moodle               (Status: 301) [Size: 313] [--> http://10.10.10.153/moodle/]
/.html                (Status: 403) [Size: 292]
/server-status        (Status: 403) [Size: 300]

• Web server

[HTB] Machine: Bashed

Bashed

Enumeration

• nmap

└─$ nmap -sC -sV 10.10.10.68    
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-08 18:47 BST
Nmap scan report for 10.10.10.68 (10.10.10.68)
Host is up (0.14s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.87 seconds

• gobuster

└─$ gobuster dir -u http://10.10.10.68/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -t 50 -x php 
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.68/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2023/06/08 19:48:11 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 311] [--> http://10.10.10.68/images/]
/uploads              (Status: 301) [Size: 312] [--> http://10.10.10.68/uploads/]
/config.php           (Status: 200) [Size: 0]
/dev                  (Status: 301) [Size: 308] [--> http://10.10.10.68/dev/]
/php                  (Status: 301) [Size: 308] [--> http://10.10.10.68/php/]
/js                   (Status: 301) [Size: 307] [--> http://10.10.10.68/js/]
/css                  (Status: 301) [Size: 308] [--> http://10.10.10.68/css/]
/fonts                (Status: 301) [Size: 310] [--> http://10.10.10.68/fonts/]
/server-status        (Status: 403) [Size: 299]
/.php                 (Status: 403) [Size: 290]

• Webserver