Bashed - User

Scanning and Enumeration

At the start of every box, I like to make a directory for the box, to organise everything. I then use nmap to scan the IP to look for anything interesting, and put the output into a file. See the below:

kali@kali:pts/3->/home/kali/HTB/Bashed (0) 
> sudo nmap -T4 -A -v 10.10.10.68 > scan.txt
kali@kali:pts/3->/home/kali/HTB/Bashed (0) 
> cat scan.txt 
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-24 08:14 EST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 08:14
Completed NSE at 08:14, 0.00s elapsed
Initiating NSE at 08:14
Completed NSE at 08:14, 0.00s elapsed
Initiating NSE at 08:14
Completed NSE at 08:14, 0.00s elapsed
Initiating Ping Scan at 08:14
Scanning 10.10.10.68 [4 ports]
Completed Ping Scan at 08:14, 2.04s elapsed (1 total hosts)
Nmap scan report for 10.10.10.68 [host down]
NSE: Script Post-scanning.
Initiating NSE at 08:14
Completed NSE at 08:14, 0.00s elapsed
Initiating NSE at 08:14
Completed NSE at 08:14, 0.00s elapsed
Initiating NSE at 08:14
Completed NSE at 08:14, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.60 seconds
           Raw packets sent: 8 (304B) | Rcvd: 0 (0B)

Weird, no scan results. nmap's host-discovery probes (the ping) got no reply, so it assumed the host was down and never scanned a single port. Let's try again with -Pn, which skips host discovery and port-scans the address regardless of whether it answers a ping.

There's a lot of text, so I'll only show what's interesting to us.

kali@kali:pts/3->/home/kali/HTB/Bashed (0) 
> sudo nmap -T4 -A -v -Pn 10.10.10.68 > scan.txt
kali@kali:pts/3->/home/kali/HTB/Bashed (0) 
> cat scan.txt 

Completed NSE at 08:20, 0.00s elapsed
Nmap scan report for 10.10.10.68
Host is up (0.015s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 6AA5034A553DFA77C3B2C7B4C26CF870
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=12/24%OT=80%CT=1%CU=42385%PV=Y%DS=2%DC=T%G=Y%TM=5FE495
OS:9D%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=107%TI=Z%CI=I%II=I%TS=8)OP
OS:S(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST
OS:11NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)EC
OS:N(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)

Uptime guess: 0.001 days (since Thu Dec 24 08:19:45 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros

We see a website! Let's use dirb to look for anything more interesting.

kali@kali:pts/3->/home/kali/HTB/Bashed (255) 
> dirb http://10.10.10.68

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Dec 24 08:23:31 2020
URL_BASE: http://10.10.10.68/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.68/ ----
==> DIRECTORY: http://10.10.10.68/css/
==> DIRECTORY: http://10.10.10.68/dev/
==> DIRECTORY: http://10.10.10.68/fonts/
==> DIRECTORY: http://10.10.10.68/images/
+ http://10.10.10.68/index.html (CODE:200|SIZE:7743)
==> DIRECTORY: http://10.10.10.68/js/
==> DIRECTORY: http://10.10.10.68/php/
+ http://10.10.10.68/server-status (CODE:403|SIZE:299)
==> DIRECTORY: http://10.10.10.68/uploads/
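Both scans above produce far more text than we need: the nmap run that reported the host down, the -Pn rerun with its port table buried under the OS fingerprint, and dirb's directory list padded with static-asset folders. The helpers below, an added example and not part of the original writeup, pull the useful lines out of redirected nmap and dirb output. The scan texts they work on are constructed to match the shape those tools print; the host (192.0.2.10, a documentation address) and the services and paths on it are illustrative only and not taken from the box.

```sh
#!/bin/sh
# Added example, not from the original writeup: triage helpers for redirected
# nmap and dirb output. All three sample files below are constructed; the host
# 192.0.2.10 and its services/paths are illustrative, not the box's real data.

SCAN_DOWN=$(mktemp)
SCAN_UP=$(mktemp)
DIRB_OUT=$(mktemp)
trap 'rm -f "$SCAN_DOWN" "$SCAN_UP" "$DIRB_OUT"' EXIT

# A scan where nmap's host-discovery probes got no answer (constructed).
cat > "$SCAN_DOWN" <<'EOF'
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-24 08:14 EST
Nmap scan report for 192.0.2.10 [host down]
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.60 seconds
EOF

# The same host rescanned with -Pn (constructed).
cat > "$SCAN_UP" <<'EOF'
Nmap scan report for 192.0.2.10
Host is up (0.015s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Development Site
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
EOF

# dirb output for the same host (constructed).
cat > "$DIRB_OUT" <<'EOF'
---- Scanning URL: http://192.0.2.10/ ----
==> DIRECTORY: http://192.0.2.10/css/
==> DIRECTORY: http://192.0.2.10/dev/
==> DIRECTORY: http://192.0.2.10/images/
+ http://192.0.2.10/index.html (CODE:200|SIZE:7743)
==> DIRECTORY: http://192.0.2.10/js/
+ http://192.0.2.10/server-status (CODE:403|SIZE:299)
==> DIRECTORY: http://192.0.2.10/uploads/
EOF

# host_down FILE
# Exit 0 when nmap gave up because host discovery got no reply. That is the
# cue to rerun with -Pn, which skips the ping and port-scans the address anyway.
host_down() {
    grep -q 'Host seems down' "$1"
}

# open_ports FILE
# One line per open port: "PORT/PROTO SERVICE VERSION...". nmap's port table
# rows start with "<port>/<proto> open", so NSE output, the OS fingerprint and
# timing lines are all dropped.
open_ports() {
    grep -E '^[0-9]+/(tcp|udp) +open ' "$1" |
        awk '{ line = $1 " " $3; for (i = 4; i <= NF; i++) line = line " " $i; print line }'
}

# open_port_count FILE -> number of open ports in the scan (0 for a down host)
open_port_count() {
    open_ports "$1" | awk 'END { print NR }'
}

# dirb_targets FILE
# The directories dirb found, minus the usual static-asset folders
# (css, fonts, images, js), so the ones worth opening stand out.
dirb_targets() {
    sed -n 's/^==> DIRECTORY: //p' "$1" | grep -Ev '/(css|fonts|images|js)/$'
}

# Stand-alone run: handle the first scan, then summarise the second and dirb.
if host_down "$SCAN_DOWN"; then
    echo "first scan: host reported down; rerun with -Pn"
fi
echo "second scan: $(open_port_count "$SCAN_UP") open port(s)"
open_ports "$SCAN_UP"
echo "dirb: directories worth a look"
dirb_targets "$DIRB_OUT"
```

Point the functions at your own scan.txt and dirb output instead of the constructed files; everything they rely on is the fixed line layout of nmap's normal output and dirb's "==> DIRECTORY:" markers, so they work on any target.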

Of these, http://10.10.10.68/dev/ is the most interesting. Let's go there and have a look.

Hm, weird. Let's click on one of these!

Interesting. Let's run ls to see if the flag's in our current directory.

We're in a weird directory here. Let's cd into /home and look for any more directories.

Ooh, two more directories. Let's cd into arrexel first and check for a flag!