Aquatone Report

Host Report: 10.10.10.10

Port  Protocol  Service  Product       Version                  Extra Info
22    tcp       ssh      OpenSSH       7.2p2 Ubuntu 4ubuntu2.1  Ubuntu Linux; protocol 2.0
80    tcp       http     Apache httpd  2.4.18                   (Ubuntu)

Start Time: 06/15/2019 11:04:23
Run Time: 00:00:18
Command: ncrack -vv -p 22 --user root -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt 10.10.10.10 | tee /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_22_tcp_ncrack_ssh_best15.txt
Output File: /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_22_tcp_ncrack_ssh_best15.txt
Status: COMPLETED

Starting Ncrack 0.6 ( http://ncrack.org ) at 2019-06-15 11:04 EDT

ssh://10.10.10.10:22 finished.


Ncrack done: 1 service scanned in 18.01 seconds.
Probes sent: 10 | timed-out: 0 | prematurely-closed: 0

Ncrack finished.

Start Time: 06/15/2019 11:05:34
Run Time: 00:00:34
Command: medusa -u root -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt -e ns -h 10.10.10.10 - 22 -M ssh | tee /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_22_tcp_medusa.txt
Output File: /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_22_tcp_medusa.txt
Status: COMPLETED
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: (1 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: root (2 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 111111 (3 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 1234 (4 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 12345 (5 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 123456 (6 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 1234567 (7 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 12345678 (8 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: abc123 (9 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: dragon (10 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: iloveyou (11 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: letmein (12 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: monkey (13 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: password (14 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: qwerty (15 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: tequiero (16 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: test (17 of 17 complete)

Start Time: 06/15/2019 11:06:45
Run Time: 00:01:09
Command: whatweb http://10.10.10.10:80 -a4 --colour=never | sed s/],/]\\n/g | tee /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_80_tcp_whatweb.txt
Output File: /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_80_tcp_whatweb.txt
Status: COMPLETED
http://10.10.10.10:80 [200 OK] Apache[2.4.18]
Country[RESERVED][ZZ]
HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)]
IP[10.10.10.10]
JQuery[1.12.4]
MetaGenerator[WordPress 4.7.3]
PoweredBy[WordPress,WordPress,]
Script[text/javascript]
Title[Job Portal – Just another WordPress site]
UncommonHeaders[link]
WordPress[4.7,4.7.3]

Start Time: 06/15/2019 11:09:06
Run Time: 00:00:03
Command: cewl http://10.10.10.10:80 -m 6 -w /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_80_tcp_cewl.txt
Output File: /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_80_tcp_cewl.txt
Status: COMPLETED
Portal
WordPress
content
Comments
comment
header
branding
navigation
Commenter
Search
Recent
Really
Simple
Syndication
another
Listing
custom
masthead
primary
Uncategorized
Proudly
powered
colophon
contain
Powered
comments
Welcome
delete
writing
Posted
Archives
Categories
Entries
secondary
semantic
personal
publishing
platform
Tester
started
moderating
editing
deleting
please
screen
dashboard
avatars
Gravatar
address
marked
Comment
author
metadata
Cancel
published
Required
fields
Website
respond
Address
Latest
degree
Salary
Location
Greece
Information
pentester
Category
Username
Password
password
hourly
wordpress
Application
Details
Scroll
Remember
Fields
asterisk
filled
before
submitting
Personal
Surname
Contact
Country
Telephone
Qualifications
complete
Upload
understood
privacy
policy
Author
Please
username
receive
create

Start Time: 06/15/2019 11:11:51
Run Time: 00:00:03
Command: docker run --rm wappalyzer/cli http://10.10.10.10:80 | jq . | tee /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_80_tcp_wappalyzer_cli.txt
Output File: /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_80_tcp_wappalyzer_cli.txt
Status: COMPLETED
{
  "urls": [
    "http://10.10.10.10:80/"
  ],
  "applications": [
    {
      "name": "Apache",
      "confidence": "100",
      "version": "2.4.18",
      "icon": "Apache.svg",
      "website": "http://apache.org",
      "categories": [
        {
          "22": "Web Servers"
        }
      ]
    },
    {
      "name": "Google Font API",
      "confidence": "100",
      "version": "",
      "icon": "Google Font API.png",
      "website": "http://google.com/fonts",
      "categories": [
        {
          "17": "Font Scripts"
        }
      ]
    },
    {
      "name": "Twitter Emoji (Twemoji)",
      "confidence": "100",
      "version": "",
      "icon": "default.svg",
      "website": "http://twitter.github.io/twemoji/",
      "categories": [
        {
          "25": "JavaScript Graphics"
        }
      ]
    },
    {
      "name": "Ubuntu",
      "confidence": "100",
      "version": "",
      "icon": "Ubuntu.png",
      "website": "http://www.ubuntu.com/server",
      "categories": [
        {
          "28": "Operating Systems"
        }
      ]
    },
    {
      "name": "WordPress",
      "confidence": "100",
      "version": " 4.7.3",
      "icon": "WordPress.svg",
      "website": "http://wordpress.org",
      "categories": [
        {
          "1": "CMS"
        },
        {
          "11": "Blogs"
        }
      ]
    },
    {
      "name": "jQuery",
      "confidence": "100",
      "version": "1.12.4",
      "icon": "jQuery.svg",
      "website": "https://jquery.com",
      "categories": [
        {
          "12": "JavaScript Frameworks"
        }
      ]
    },
    {
      "name": "jQuery Migrate",
      "confidence": "100",
      "version": "1.4.1",
      "icon": "jQuery.svg",
      "website": "https://github.com/jquery/jquery-migrate",
      "categories": [
        {
          "12": "JavaScript Frameworks"
        }
      ]
    },
    {
      "name": "jQuery UI",
      "confidence": "100",
      "version": "1.11.4",
      "icon": "jQuery UI.svg",
      "website": "http://jqueryui.com",
      "categories": [
        {
          "12": "JavaScript Frameworks"
        }
      ]
    },
    {
      "name": "PHP",
      "confidence": "0",
      "version": "",
      "icon": "PHP.svg",
      "website": "http://php.net",
      "categories": [
        {
          "27": "Programming Languages"
        }
      ]
    }
  ],
  "meta": {
    "language": "en-US"
  }
}

Start Time: 06/15/2019 11:12:01
Run Time: 00:00:02
Command: nmap 10.10.10.10 -p 22 -sC -sV -v -Pn -oN /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_22_tcp_nmap_service_scan.txt
Output File: /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_22_tcp_nmap_service_scan.txt
Status: COMPLETED
# Nmap 7.70 scan initiated Sat Jun 15 11:12:01 2019 as: nmap -p 22 -sC -sV -v -Pn -oN /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_22_tcp_nmap_service_scan.txt 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.050s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ec:f7:9d:38:0c:47:6f:f0:13:0f:b9:3b:d4:d6:e3:11 (RSA)
| 256 cc:fe:2d:e2:7f:ef:4d:41:ae:39:0e:91:ed:7e:9d:e7 (ECDSA)
|_ 256 8d:b5:83:18:c0:7c:5d:3d:38:df:4b:e1:a4:82:8a:07 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 15 11:12:03 2019 -- 1 IP address (1 host up) scanned in 2.32 seconds

Start Time: 06/15/2019 11:12:07
Run Time: 00:00:00
Command: curl -sX GET "http://web.archive.org/cdx/search/cdx?url=http://10.10.10.10:80&output=text&fl=original&collapse=urlkey&matchType=prefix" | tee /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_80_tcp_wayback.txt
Output File: /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_80_tcp_wayback.txt
Status: COMPLETED
http://10.10.10.10/
http://10.10.10.10/bild/sierp.jpg
https://10.10.10.10/errors/403.jsp
http://10.10.10.10/favicon.ico
http://10.10.10.10/GetImage.aspx?namekey=02976071-5bfe-41db-b7c5-e7d8f2f5658e
http://10.10.10.10/robots.txt

Start Time: 06/15/2019 11:13:02
Run Time: 00:00:24
Command: gobuster -u http://10.10.10.10:80 -f -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,302,307,403,500' -e -n -q | tee /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_80_tcp_gobuster_common.txt
Output File: /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_80_tcp_gobuster_common.txt
Status: COMPLETED
http://10.10.10.10:80/.cache/
http://10.10.10.10:80/.hta/
http://10.10.10.10:80/.htaccess/
http://10.10.10.10:80/.htpasswd/
http://10.10.10.10:80/icons/
http://10.10.10.10:80/server-status/
http://10.10.10.10:80/wp-content/
http://10.10.10.10:80/wp-admin/
http://10.10.10.10:80/wp-includes/

Start Time: 06/15/2019 11:15:17
Run Time: 00:01:38
Command: hydra -f -V -t 1 -l root -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt -s 22 10.10.10.10 ssh | tee /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_22_tcp_hydra_ssh_best15.txt
Output File: /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_22_tcp_hydra_ssh_best15.txt
Status: COMPLETED
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-06-15 11:15:17
[DATA] max 1 task per 1 server, overall 1 task, 15 login tries (l:1/p:15), ~15 tries per task
[DATA] attacking ssh://10.10.10.10:22/
[ATTEMPT] target 10.10.10.10 - login "root" - pass "111111" - 1 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.10 - login "root" - pass "1234" - 2 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.10 - login "root" - pass "12345" - 3 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.10 - login "root" - pass "123456" - 4 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.10 - login "root" - pass "1234567" - 5 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.10 - login "root" - pass "12345678" - 6 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.10 - login "root" - pass "abc123" - 7 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.10 - login "root" - pass "dragon" - 8 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.10 - login "root" - pass "iloveyou" - 9 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.10 - login "root" - pass "letmein" - 10 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.10 - login "root" - pass "monkey" - 11 of 15 [child 0] (0/0)
[STATUS] 11.00 tries/min, 11 tries in 00:01h, 4 to do in 00:01h, 1 active
[ATTEMPT] target 10.10.10.10 - login "root" - pass "password" - 12 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.10 - login "root" - pass "qwerty" - 13 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.10 - login "root" - pass "tequiero" - 14 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.10 - login "root" - pass "test" - 15 of 15 [child 0] (0/0)
1 of 1 target completed, 0 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-06-15 11:16:55

Start Time: 06/15/2019 11:15:48
Run Time: 00:00:09
Command: wpscan --url http://10.10.10.10:80 --disable-tls-checks --no-banner -f cli-no-color --enumerate p t tt u | tee /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_80_tcp_wpscan.txt
Output File: /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_80_tcp_wpscan.txt
Status: COMPLETED
[+] URL: http://10.10.10.10/
[+] Started: Sat Jun 15 11:15:54 2019

Interesting Finding(s):

[+] http://10.10.10.10/
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] http://10.10.10.10/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://10.10.10.10/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] http://10.10.10.10/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
| Detected By: Rss Generator (Passive Detection)
| - http://10.10.10.10/index.php/feed/, <generator>https://wordpress.org/?v=4.7.3</generator>
| - http://10.10.10.10/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.3</generator>
|
| [!] 34 vulnerabilities identified:
|
| [!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
| References:
| - https://wpvulndb.com/vulnerabilities/8807
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
| - https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
| - http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
| - https://core.trac.wordpress.org/ticket/25239
|
| [!] Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
| Fixed in: 4.7.5
| References:
| - https://wpvulndb.com/vulnerabilities/8815
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9066
| - https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
| - https://wordpress.org/news/2017/05/wordpress-4-7-5/
|
| [!] Title: WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
| Fixed in: 4.7.5
| References:
| - https://wpvulndb.com/vulnerabilities/8816
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9062
| - https://wordpress.org/news/2017/05/wordpress-4-7-5/
| - https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381
|
| [!] Title: WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks
| Fixed in: 4.7.5
| References:
| - https://wpvulndb.com/vulnerabilities/8817
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9065
| - https://wordpress.org/news/2017/05/wordpress-4-7-5/
| - https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4
|
| [!] Title: WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF
| Fixed in: 4.7.5
| References:
| - https://wpvulndb.com/vulnerabilities/8818
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9064
| - https://wordpress.org/news/2017/05/wordpress-4-7-5/
| - https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67
| - https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html
|
| [!] Title: WordPress 3.3-4.7.4 - Large File Upload Error XSS
| Fixed in: 4.7.5
| References:
| - https://wpvulndb.com/vulnerabilities/8819
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9061
| - https://wordpress.org/news/2017/05/wordpress-4-7-5/
| - https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6
| - https://hackerone.com/reports/203515
| - https://hackerone.com/reports/203515
|
| [!] Title: WordPress 3.4.0-4.7.4 - Customizer XSS & CSRF
| Fixed in: 4.7.5
| References:
| - https://wpvulndb.com/vulnerabilities/8820
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9063
| - https://wordpress.org/news/2017/05/wordpress-4-7-5/
| - https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3
|
| [!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
| Fixed in: 4.7.6
| References:
| - https://wpvulndb.com/vulnerabilities/8905
| - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
| - https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
|
| [!] Title: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
| Fixed in: 4.7.5
| References:
| - https://wpvulndb.com/vulnerabilities/8906
| - https://medium.com/websec/wordpress-sqli-bbb2afcc8e94
| - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
| - https://wpvulndb.com/vulnerabilities/8905
|
| [!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
| Fixed in: 4.7.6
| References:
| - https://wpvulndb.com/vulnerabilities/8910
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14725
| - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
| - https://core.trac.wordpress.org/changeset/41398
|
| [!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
| Fixed in: 4.7.6
| References:
| - https://wpvulndb.com/vulnerabilities/8911
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14719
| - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
| - https://core.trac.wordpress.org/changeset/41457
|
| [!] Title: WordPress 4.4-4.8.1 - Path Traversal in Customizer
| Fixed in: 4.7.6
| References:
| - https://wpvulndb.com/vulnerabilities/8912
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14722
| - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
| - https://core.trac.wordpress.org/changeset/41397
|
| [!] Title: WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed
| Fixed in: 4.7.6
| References:
| - https://wpvulndb.com/vulnerabilities/8913
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14724
| - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
| - https://core.trac.wordpress.org/changeset/41448
|
| [!] Title: WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor
| Fixed in: 4.7.6
| References:
| - https://wpvulndb.com/vulnerabilities/8914
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14726
| - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
| - https://core.trac.wordpress.org/changeset/41395
| - https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html
|
| [!] Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness
| Fixed in: 4.7.7
| References:
| - https://wpvulndb.com/vulnerabilities/8941
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16510
| - https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
| - https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
| - https://twitter.com/ircmaxell/status/923662170092638208
| - https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
|
| [!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
| Fixed in: 4.7.8
| References:
| - https://wpvulndb.com/vulnerabilities/8966
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
| - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
|
| [!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
| Fixed in: 4.7.8
| References:
| - https://wpvulndb.com/vulnerabilities/8967
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
| - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
|
| [!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
| Fixed in: 4.7.8
| References:
| - https://wpvulndb.com/vulnerabilities/8968
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
| - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
|
| [!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
| Fixed in: 4.7.8
| References:
| - https://wpvulndb.com/vulnerabilities/8969
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
| - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
|
| [!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
| Fixed in: 4.7.9
| References:
| - https://wpvulndb.com/vulnerabilities/9006
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
| - https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
| - https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
| - https://core.trac.wordpress.org/ticket/42720
|
| [!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
| References:
| - https://wpvulndb.com/vulnerabilities/9021
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
| - https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
| - https://github.com/quitten/doser.py
| - https://thehackernews.com/2018/02/wordpress-dos-exploit.html
|
| [!] Title: WordPress 3.7-4.9.4 - Remove localhost Default
| Fixed in: 4.7.10
| References:
| - https://wpvulndb.com/vulnerabilities/9053
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10101
| - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216
|
| [!] Title: WordPress 3.7-4.9.4 - Use Safe Redirect for Login
| Fixed in: 4.7.10
| References:
| - https://wpvulndb.com/vulnerabilities/9054
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10100
| - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e
|
| [!] Title: WordPress 3.7-4.9.4 - Escape Version in Generator Tag
| Fixed in: 4.7.10
| References:
| - https://wpvulndb.com/vulnerabilities/9055
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10102
| - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d
|
| [!] Title: WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
| Fixed in: 4.7.11
| References:
| - https://wpvulndb.com/vulnerabilities/9100
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12895
| - https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
| - http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/
| - https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd
| - https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/
| - https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/
|
| [!] Title: WordPress <= 5.0 - Authenticated File Delete
| Fixed in: 4.7.12
| References:
| - https://wpvulndb.com/vulnerabilities/9169
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20147
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
|
| [!] Title: WordPress <= 5.0 - Authenticated Post Type Bypass
| Fixed in: 4.7.12
| References:
| - https://wpvulndb.com/vulnerabilities/9170
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20152
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
| - https://blog.ripstech.com/2018/wordpress-post-type-privilege-escalation/
|
| [!] Title: WordPress <= 5.0 - PHP Object Injection via Meta Data
| Fixed in: 4.7.12
| References:
| - https://wpvulndb.com/vulnerabilities/9171
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20148
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
|
| [!] Title: WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)
| Fixed in: 4.7.12
| References:
| - https://wpvulndb.com/vulnerabilities/9172
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20153
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
|
| [!] Title: WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins
| Fixed in: 4.7.12
| References:
| - https://wpvulndb.com/vulnerabilities/9173
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20150
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
| - https://github.com/WordPress/WordPress/commit/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460
|
| [!] Title: WordPress <= 5.0 - User Activation Screen Search Engine Indexing
| Fixed in: 4.7.12
| References:
| - https://wpvulndb.com/vulnerabilities/9174
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20151
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
|
| [!] Title: WordPress <= 5.0 - File Upload to XSS on Apache Web Servers
| Fixed in: 4.7.12
| References:
| - https://wpvulndb.com/vulnerabilities/9175
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20149
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
| - https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a
Snip... Only displaying first 300 of the total 368 lines...

Start Time: 06/15/2019 11:15:58
Run Time: 00:07:24
Command: nikto -h http://10.10.10.10:80 -output /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_80_tcp_nikto.txt
Output File: /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_80_tcp_nikto.txt
Status: COMPLETED
- Nikto v2.1.6/2.1.5
+ Target Host: 10.10.10.10
+ Target Port: 80
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET Uncommon header 'link' found, with contents: <http://10.10.10.10/index.php/wp-json/>; rel="https://api.w.org/"
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ HEAD Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ HBHFVDZC Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-3093: GET /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.
+ OSVDB-3093: GET /.profile: User home dir with a shell profile was found. May reveal directory information and system configuration.
+ OSVDB-3233: GET /icons/README: Apache default file found.
+ GET /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ GET /readme.html: This WordPress file reveals the installed version.
+ GET /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: GET /license.txt: License file found may identify site software.
+ GET /: A Wordpress installation was found.
+ GET Cookie wordpress_test_cookie created without the httponly flag
+ GET /wp-login.php: Wordpress login found

Start Time: 06/15/2019 11:16:32
Run Time: 00:00:01
Command: python3 /opt/Photon/photon.py -u http://10.10.10.10:80 -o /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_80_tcp_photon -e json && cat /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_80_tcp_photon/exported.json | tee /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_80_tcp_photon.txt
Output File: /pentest/htb/10.10.10.10/celerystalkOutput/10.10.10.10_80_tcp_photon.txt
Status: COMPLETED
{
  "files": [],
  "intel": [],
  "robots": [],
  "custom": [],
  "failed": [],
  "internal": [
    "http://10.10.10.10:80"
  ],
  "scripts": [],
  "external": [],
  "fuzzable": [],
  "endpoints": [],
  "keys": []
}

Host Report: 10.10.10.13

Port  Protocol  Service  Product       Version                  Extra Info
22    tcp       ssh      OpenSSH       7.2p2 Ubuntu 4ubuntu2.1  Ubuntu Linux; protocol 2.0
53    tcp       domain   ISC BIND      9.10.3-P4                Ubuntu Linux
80    tcp       http     Apache httpd  2.4.18                   (Ubuntu)

Start Time: 06/15/2019 11:04:30
Run Time: 00:00:24
Command: gobuster -u http://10.10.10.13:80 -f -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,302,307,403,500' -e -n -q | tee /pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_80_tcp_gobuster_common.txt
Output File: /pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_80_tcp_gobuster_common.txt
Status: COMPLETED
http://10.10.10.13:80/.htaccess/
http://10.10.10.13:80/.htpasswd/
http://10.10.10.13:80/.hta/
http://10.10.10.13:80/icons/
http://10.10.10.13:80/server-status/

Start Time: 06/15/2019 11:05:05
Run Time: 00:00:02
Command: docker run --rm wappalyzer/cli http://10.10.10.13:80 | jq . | tee /pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_80_tcp_wappalyzer_cli.txt
Output File: /pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_80_tcp_wappalyzer_cli.txt
Status: COMPLETED
{
  "urls": [
    "http://10.10.10.13:80/"
  ],
  "applications": [
    {
      "name": "Apache",
      "confidence": "100",
      "version": "2.4.18",
      "icon": "Apache.svg",
      "website": "http://apache.org",
      "categories": [
        {
          "22": "Web Servers"
        }
      ]
    },
    {
      "name": "BuySellAds",
      "confidence": "100",
      "version": "",
      "icon": "BuySellAds.png",
      "website": "http://buysellads.com",
      "categories": [
        {
          "36": "Advertising Networks"
        }
      ]
    },
    {
      "name": "Carbon Ads",
      "confidence": "100",
      "version": "",
      "icon": "Carbon Ads.png",
      "website": "http://carbonads.net",
      "categories": [
        {
          "36": "Advertising Networks"
        }
      ]
    },
    {
      "name": "Ubuntu",
      "confidence": "100",
      "version": "",
      "icon": "Ubuntu.png",
      "website": "http://www.ubuntu.com/server",
      "categories": [
        {
          "28": "Operating Systems"
        }
      ]
    }
  ],
  "meta": {
    "language": null
  }
}

Start Time: 06/15/2019 11:05:08
Run Time: 00:01:35
Command: hydra -f -V -t 1 -l root -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt -s 22 10.10.10.13 ssh | tee /pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_22_tcp_hydra_ssh_best15.txt
Output File: /pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_22_tcp_hydra_ssh_best15.txt
Status: COMPLETED
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-06-15 11:05:08
[DATA] max 1 task per 1 server, overall 1 task, 15 login tries (l:1/p:15), ~15 tries per task
[DATA] attacking ssh://10.10.10.13:22/
[ATTEMPT] target 10.10.10.13 - login "root" - pass "111111" - 1 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.13 - login "root" - pass "1234" - 2 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.13 - login "root" - pass "12345" - 3 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.13 - login "root" - pass "123456" - 4 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.13 - login "root" - pass "1234567" - 5 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.13 - login "root" - pass "12345678" - 6 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.13 - login "root" - pass "abc123" - 7 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.13 - login "root" - pass "dragon" - 8 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.13 - login "root" - pass "iloveyou" - 9 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.13 - login "root" - pass "letmein" - 10 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.13 - login "root" - pass "monkey" - 11 of 15 [child 0] (0/0)
[STATUS] 11.00 tries/min, 11 tries in 00:01h, 4 to do in 00:01h, 1 active
[ATTEMPT] target 10.10.10.13 - login "root" - pass "password" - 12 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.13 - login "root" - pass "qwerty" - 13 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.13 - login "root" - pass "tequiero" - 14 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.13 - login "root" - pass "test" - 15 of 15 [child 0] (0/0)
1 of 1 target completed, 0 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-06-15 11:06:44
Start Time:06/15/2019 11:05:39
Run Time:00:00:01
Command:wpscan --url http://10.10.10.13:80 --disable-tls-checks --no-banner -f cli-no-color --enumerate p t tt u | tee /pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_80_tcp_wpscan.txt
Output File:/pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_80_tcp_wpscan.txt
Status:COMPLETED

Scan Aborted: The remote website is up, but does not seem to be running WordPress.
Start Time:06/15/2019 11:05:40
Run Time:00:00:33
Command:medusa -u root -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt -e ns -h 10.10.10.13 - 22 -M ssh | tee /pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_22_tcp_medusa.txt
Output File:/pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_22_tcp_medusa.txt
Status:COMPLETED
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ACCOUNT CHECK: [ssh] Host: 10.10.10.13 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: (1 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.13 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: root (2 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.13 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 111111 (3 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.13 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 1234 (4 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.13 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 12345 (5 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.13 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 123456 (6 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.13 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 1234567 (7 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.13 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 12345678 (8 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.13 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: abc123 (9 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.13 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: dragon (10 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.13 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: iloveyou (11 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.13 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: letmein (12 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.13 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: monkey (13 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.13 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: password (14 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.13 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: qwerty (15 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.13 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: tequiero (16 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.13 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: test (17 of 17 complete)
Start Time:06/15/2019 11:06:09
Run Time:00:00:15
Command:nmap 10.10.10.13 -p 53 -sC -sV -v -Pn -oN /pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_53_tcp_nmap_service_scan.txt
Output File:/pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_53_tcp_nmap_service_scan.txt
Status:COMPLETED
# Nmap 7.70 scan initiated Sat Jun 15 11:06:09 2019 as: nmap -p 53 -sC -sV -v -Pn -oN /pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_53_tcp_nmap_service_scan.txt 10.10.10.13
Nmap scan report for 10.10.10.13
Host is up (0.048s latency).

PORT STATE SERVICE VERSION
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 15 11:06:24 2019 -- 1 IP address (1 host up) scanned in 15.03 seconds
Start Time:06/15/2019 11:06:15
Run Time:00:00:00
Command:curl -sX GET "http://web.archive.org/cdx/search/cdx?url=http://10.10.10.13:80&output=text&fl=original&collapse=urlkey&matchType=prefix" | tee /pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_80_tcp_wayback.txt
Output File:/pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_80_tcp_wayback.txt
Status:COMPLETED
http://10.10.10.13
http://10.10.10.13/MFA_Portal/images/MFA-ar-Images/3dflagsdotcom_egypt_2fags.gif
http://10.10.10.13/MFA_Portal/images/MFA-ar-Images/bel-logo.gif
http://10.10.10.13/MFA_Portal/images/MFA-ar-Images/hed-2orange.gif
http://10.10.10.13/MFA_Portal/images/MFA-ar-Images/hed1-b.gif
http://10.10.10.13/MFA_Portal/images/MFA-ar-Images/left-bg.gif
http://10.10.10.13/MFA_Portal/javascripts/LatestNews.js
http://10.10.10.13/MFA_Portal/style_sheets/MFA-ar-style.css
http://10.10.10.13/MFA_Portal/TreeIcons/Icons/down20.gif
http://10.10.10.13/MFA_Portal/TreeIcons/Icons/down21-ar.gif
http://10.10.10.13/MFA_Portal/TreeIcons/Icons/down21.gif
http://10.10.10.13/MFA_Portal/TreeIcons/Icons/home-.gif
http://10.10.10.13/MFA_Portal/TreeIcons/Icons/ob_tree_504.js
http://10.10.10.13/MFA_Portal/TreeIcons/Styles/MFATreeCtrl/obout_treeview2.css
http://10.10.10.13/NR/rdonlyres/B892E3F0-49D0-4F97-9072-C528EAD5ADE1/0/secondlogo.gif
http://10.10.10.13/robots.txt
Start Time:06/15/2019 11:06:15
Run Time:00:00:02
Command:nmap 10.10.10.13 -p 22 -sC -sV -v -Pn -oN /pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_22_tcp_nmap_service_scan.txt
Output File:/pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_22_tcp_nmap_service_scan.txt
Status:COMPLETED
# Nmap 7.70 scan initiated Sat Jun 15 11:06:15 2019 as: nmap -p 22 -sC -sV -v -Pn -oN /pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_22_tcp_nmap_service_scan.txt 10.10.10.13
Nmap scan report for 10.10.10.13
Host is up (0.047s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
| 256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_ 256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 15 11:06:18 2019 -- 1 IP address (1 host up) scanned in 2.30 seconds
Start Time:06/15/2019 11:07:55
Run Time:00:07:22
Command:nikto -h http://10.10.10.13:80 -output /pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_80_tcp_nikto.txt
Output File:/pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_80_tcp_nikto.txt
Status:COMPLETED
- Nikto v2.1.6/2.1.5
+ Target Host: 10.10.10.13
+ Target Port: 80
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ HEAD Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ GET Server may leak inodes via ETags, header found with file /, inode: 30a6, size: 555402443a52b, mtime: gzip
+ OPTIONS Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: GET /icons/README: Apache default file found.
Start Time:06/15/2019 11:08:02
Run Time:00:01:07
Command:whatweb http://10.10.10.13:80 -a4 --colour=never | sed s/],/]\\n/g | tee /pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_80_tcp_whatweb.txt
Output File:/pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_80_tcp_whatweb.txt
Status:COMPLETED
http://10.10.10.13:80 [200 OK] Apache[2.4.18]
Country[RESERVED][ZZ]
HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)]
IP[10.10.10.13]
PoweredBy[{]
Script[text/javascript]
Title[Apache2 Ubuntu Default Page: It works]
Start Time:06/15/2019 11:09:10
Run Time:00:00:00
Command:dnsrecon -t axfr -d 10.10.10.13 | tee /pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_53_tcp_dnsrecon.txt
Output File:/pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_53_tcp_dnsrecon.txt
Status:COMPLETED
[*] Testing NS Servers for Zone Transfer
[*] Checking for Zone Transfer for 10.10.10.13 name servers
[*] Resolving SOA Record
[+] SOA a.root-servers.net 198.41.0.4
[*] Resolving NS Records
[-] Could not Resolve NS Records
[*] Removing any duplicate NS server IP Addresses...
[*]
[*] Trying NS server 198.41.0.4
[+] 198.41.0.4 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-] Zone transfer error: REFUSED
Start Time:06/15/2019 11:09:11
Run Time:00:00:00
Command:cewl http://10.10.10.13:80 -m 6 -w /pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_80_tcp_cewl.txt
Output File:/pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_80_tcp_cewl.txt
Status:COMPLETED
Ubuntu
configuration
apache
Apache
server
default
enabled
Debian
located
respective
document
Default
installation
systems
installed
should
before
Configuration
different
itself
package
directories
modules
virtual
available
Please
report
Modified
original
updated
launchpad
CONTENTS
Changes
Config
Advertisement
welcome
correct
operation
equivalent
packaging
derived
working
properly
replace
continuing
operate
normal
probably
currently
unavailable
maintenance
problem
persists
please
contact
administrator
Overview
upstream
several
optimized
interaction
system
documented
README
documentation
Documentation
accessing
manual
layout
follows
pieces
together
including
remaining
starting
always
included
determine
listening
incoming
connections
customized
anytime
contain
particular
snippets
manage
global
fragments
configurations
respectively
activated
symlinking
counterparts
managed
helpers
dismod
ensite
dissite
enconf
disconf
detailed
information
binary
called
environment
variables
started
stopped
Calling
directly
Document
access
through
browser
public
applications
elsewhere
whitelist
directory
previous
releases
provides
better
security
Reporting
Problems
ubuntu
However
existing
reports
reporting
specific
others
packages
Start Time:06/15/2019 11:13:50
Run Time:00:00:18
Command:ncrack -vv -p 22 --user root -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt 10.10.10.13 | tee /pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_22_tcp_ncrack_ssh_best15.txt
Output File:/pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_22_tcp_ncrack_ssh_best15.txt
Status:COMPLETED

Starting Ncrack 0.6 ( http://ncrack.org ) at 2019-06-15 11:13 EDT

ssh://10.10.10.13:22 finished.


Ncrack done: 1 service scanned in 18.00 seconds.
Probes sent: 10 | timed-out: 0 | prematurely-closed: 0

Ncrack finished.
Start Time:06/15/2019 11:16:34
Run Time:00:00:00
Command:python3 /opt/Photon/photon.py -u http://10.10.10.13:80 -o /pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_80_tcp_photon -e json && cat /pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_80_tcp_photon/exported.json | tee /pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_80_tcp_photon.txt
Output File:/pentest/htb/10.10.10.13/celerystalkOutput/10.10.10.13_80_tcp_photon.txt
Status:COMPLETED
{
"files": [],
"intel": [
"http://10.10.10.13:80/manual:IPV4:10.10.10.13",
"http://10.10.10.13:80/manual:EMAIL:Server at 10.10.10.13"
],
"robots": [],
"custom": [],
"failed": [],
"internal": [
"http://10.10.10.13:80/",
"http://10.10.10.13:80//manual",
"http://10.10.10.13:80/manual",
"http://10.10.10.13:80"
],
"scripts": [],
"external": [
"http://manpages.debian.org/cgi-bin/man.cgi?query=a2dissite",
"http://manpages.debian.org/cgi-bin/man.cgi?query=a2enconf",
"http://httpd.apache.org/docs/2.4/mod/mod_userdir.html",
"http://manpages.debian.org/cgi-bin/man.cgi?query=a2dismod",
"http://manpages.debian.org/cgi-bin/man.cgi?query=a2disconf",
"http://manpages.debian.org/cgi-bin/man.cgi?query=a2enmod",
"http://manpages.debian.org/cgi-bin/man.cgi?query=a2ensite"
],
"fuzzable": [],
"endpoints": [],
"keys": []
}

Host Report: 10.10.10.17



PortProtocolServiceProductVersionExtra Info
22 tcp ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 Ubuntu Linux; protocol 2.0
25 tcp smtp Postfix smtpd
110 tcp pop3 Dovecot pop3d
143 tcp imap Dovecot imapd
443 tcp https nginx 1.10.0 Ubuntu


Error!: No such file or directory: /pentest/htb/10.10.10.17/celerystalkOutput/10.10.10.17_443_tcp_photon.txt
Start Time:06/15/2019 11:04:23
Run Time:00:00:00
Command:python3 /opt/Photon/photon.py -u https://10.10.10.17:443 -o /pentest/htb//10.10.10.17/celerystalkOutput/10.10.10.17_443_tcp_photon -e json && cat /pentest/htb//10.10.10.17/celerystalkOutput/10.10.10.17_443_tcp_photon/exported.json | tee /pentest/htb//10.10.10.17/celerystalkOutput/10.10.10.17_443_tcp_photon.txt
Output File:/pentest/htb/10.10.10.17/celerystalkOutput/10.10.10.17_443_tcp_photon.txt
Start Time:06/15/2019 11:04:42
Run Time:00:26:58
Command:nikto -h https://10.10.10.17:443 -ssl -output /pentest/htb//10.10.10.17/celerystalkOutput/10.10.10.17_443_tcp_nikto.txt
Output File:/pentest/htb/10.10.10.17/celerystalkOutput/10.10.10.17_443_tcp_nikto.txt
Status:COMPLETED
- Nikto v2.1.6/2.1.5
+ Target Host: 10.10.10.17
+ Target Port: 443
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ GET The site uses SSL and Expect-CT header is not present.
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ HEAD nginx/1.10.0 appears to be outdated (current is at least 1.14.0)
+ GET The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ GET Hostname '10.10.10.17' does not match certificate's names: brainfuck.htb
Start Time:06/15/2019 11:05:58
Run Time:00:00:24
Command:gobuster -u https://10.10.10.17:443 -f -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,302,307,403,500' -e -n -q | tee /pentest/htb//10.10.10.17/celerystalkOutput/10.10.10.17_443_tcp_gobuster_common.txt
Output File:/pentest/htb/10.10.10.17/celerystalkOutput/10.10.10.17_443_tcp_gobuster_common.txt
Status:COMPLETED [No Output Data]
Start Time:06/15/2019 11:06:14
Run Time:00:00:01
Command:wpscan --url https://10.10.10.17:443 --disable-tls-checks --no-banner -f cli-no-color --enumerate p t tt u | tee /pentest/htb//10.10.10.17/celerystalkOutput/10.10.10.17_443_tcp_wpscan.txt
Output File:/pentest/htb/10.10.10.17/celerystalkOutput/10.10.10.17_443_tcp_wpscan.txt
Status:COMPLETED

Scan Aborted: The remote website is up, but does not seem to be running WordPress.
Start Time:06/15/2019 11:11:12
Run Time:00:00:02
Command:docker run --rm wappalyzer/cli https://10.10.10.17:443 | jq . | tee /pentest/htb//10.10.10.17/celerystalkOutput/10.10.10.17_443_tcp_wappalyzer_cli.txt
Output File:/pentest/htb/10.10.10.17/celerystalkOutput/10.10.10.17_443_tcp_wappalyzer_cli.txt
Status:COMPLETED
{
"urls": [
"https://10.10.10.17:443/"
],
"applications": [
{
"name": "Nginx",
"confidence": "100",
"version": "1.10.0",
"icon": "Nginx.svg",
"website": "http://nginx.org/en",
"categories": [
{
"22": "Web Servers"
}
]
},
{
"name": "Ubuntu",
"confidence": "100",
"version": "",
"icon": "Ubuntu.png",
"website": "http://www.ubuntu.com/server",
"categories": [
{
"28": "Operating Systems"
}
]
}
],
"meta": {
"language": null
}
}
Start Time:06/15/2019 11:11:50
Run Time:00:00:00
Command:cewl https://10.10.10.17:443 -m 6 -w /pentest/htb//10.10.10.17/celerystalkOutput/10.10.10.17_443_tcp_cewl.txt
Output File:/pentest/htb/10.10.10.17/celerystalkOutput/10.10.10.17_443_tcp_cewl.txt
Status:COMPLETED
Welcome
support
server
successfully
installed
working
Further
configuration
required
online
documentation
please
Commercial
available
Start Time:06/15/2019 11:14:14
Run Time:00:02:15
Command:whatweb https://10.10.10.17:443 -a4 --colour=never | sed s/],/]\\n/g | tee /pentest/htb//10.10.10.17/celerystalkOutput/10.10.10.17_443_tcp_whatweb.txt
Output File:/pentest/htb/10.10.10.17/celerystalkOutput/10.10.10.17_443_tcp_whatweb.txt
Status:COMPLETED
https://10.10.10.17:443 [200 OK] Country[RESERVED][ZZ]
HTML5, HTTPServer[Ubuntu Linux][nginx/1.10.0 (Ubuntu)]
IP[10.10.10.17]
Title[Welcome to nginx!]
nginx[1.10.0]
Start Time:06/15/2019 11:16:30
Run Time:00:00:00
Command:curl -sX GET "http://web.archive.org/cdx/search/cdx?url=http://10.10.10.17:443&output=text&fl=original&collapse=urlkey&matchType=prefix" | tee /pentest/htb//10.10.10.17/celerystalkOutput/10.10.10.17_443_tcp_wayback.txt
Output File:/pentest/htb/10.10.10.17/celerystalkOutput/10.10.10.17_443_tcp_wayback.txt
Status:COMPLETED
http://10.10.10.17
http://10.10.10.17/robots.txt

Host Report: 10.10.10.18



PortProtocolServiceProductVersionExtra Info
22 tcp ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 Ubuntu Linux; protocol 2.0
80 tcp http Apache httpd 2.4.7 (Ubuntu)


Start Time:06/15/2019 11:04:23
Run Time:00:00:00
Command:curl -sX GET "http://web.archive.org/cdx/search/cdx?url=http://10.10.10.18:80&output=text&fl=original&collapse=urlkey&matchType=prefix" | tee /pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_80_tcp_wayback.txt
Output File:/pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_80_tcp_wayback.txt
Status:COMPLETED
http://10.10.10.18
http://10.10.10.18/robots.txt
Start Time:06/15/2019 11:04:26
Run Time:00:07:23
Command:nikto -h http://10.10.10.18:80 -output /pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_80_tcp_nikto.txt
Output File:/pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_80_tcp_nikto.txt
Status:COMPLETED
- Nikto v2.1.6/2.1.5
+ Target Host: 10.10.10.18
+ Target Port: 80
+ GET Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.21
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ HEAD Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ HZIUYTHN Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: GET /css/: Directory indexing found.
+ OSVDB-3092: GET /css/: This might be interesting...
+ OSVDB-3268: GET /images/: Directory indexing found.
+ OSVDB-3233: GET /icons/README: Apache default file found.
+ GET /login.php: Admin login page/section found.
Start Time:06/15/2019 11:09:31
Run Time:00:01:08
Command:whatweb http://10.10.10.18:80 -a4 --colour=never | sed s/],/]\\n/g | tee /pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_80_tcp_whatweb.txt
Output File:/pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_80_tcp_whatweb.txt
Status:COMPLETED
http://10.10.10.18:80 [200 OK] Apache[2.4.7]
Country[RESERVED][ZZ]
HTTPServer[Ubuntu Linux][Apache/2.4.7 (Ubuntu)]
IP[10.10.10.18]
PHP[5.5.9-1ubuntu4.21]
Title[CompanyDev]
X-Powered-By[PHP/5.5.9-1ubuntu4.21]
Start Time:06/15/2019 11:11:11
Run Time:00:00:01
Command:wpscan --url http://10.10.10.18:80 --disable-tls-checks --no-banner -f cli-no-color --enumerate p t tt u | tee /pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_80_tcp_wpscan.txt
Output File:/pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_80_tcp_wpscan.txt
Status:COMPLETED

Scan Aborted: The remote website is up, but does not seem to be running WordPress.
Start Time:06/15/2019 11:11:49
Run Time:00:00:10
Command:medusa -u root -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt -e ns -h 10.10.10.18 - 22 -M ssh | tee /pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_22_tcp_medusa.txt
Output File:/pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_22_tcp_medusa.txt
Status:COMPLETED
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ACCOUNT CHECK: [ssh] Host: 10.10.10.18 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: (1 of 17 complete)
Start Time:06/15/2019 11:11:54
Run Time:00:00:10
Command:hydra -f -V -t 1 -l root -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt -s 22 10.10.10.18 ssh | tee /pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_22_tcp_hydra_ssh_best15.txt
Output File:/pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_22_tcp_hydra_ssh_best15.txt
Status:COMPLETED
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-06-15 11:11:54
[DATA] max 1 task per 1 server, overall 1 task, 15 login tries (l:1/p:15), ~15 tries per task
[DATA] attacking ssh://10.10.10.18:22/
Start Time:06/15/2019 11:13:19
Run Time:00:00:02
Command:nmap 10.10.10.18 -p 22 -sC -sV -v -Pn -oN /pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_22_tcp_nmap_service_scan.txt
Output File:/pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_22_tcp_nmap_service_scan.txt
Status:COMPLETED
# Nmap 7.70 scan initiated Sat Jun 15 11:13:19 2019 as: nmap -p 22 -sC -sV -v -Pn -oN /pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_22_tcp_nmap_service_scan.txt 10.10.10.18
Nmap scan report for 10.10.10.18
Host is up (0.049s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 e1:92:1b:48:f8:9b:63:96:d4:e5:7a:40:5f:a4:c8:33 (DSA)
| 2048 af:a0:0f:26:cd:1a:b5:1f:a7:ec:40:94:ef:3c:81:5f (RSA)
| 256 11:a3:2f:25:73:67:af:70:18:56:fe:a2:e3:54:81:e8 (ECDSA)
|_ 256 96:81:9c:f4:b7:bc:1a:73:05:ea:ba:41:35:a4:66:b7 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 15 11:13:22 2019 -- 1 IP address (1 host up) scanned in 2.44 seconds
Start Time:06/15/2019 11:13:24
Run Time:00:00:02
Command:docker run --rm wappalyzer/cli http://10.10.10.18:80 | jq . | tee /pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_80_tcp_wappalyzer_cli.txt
Output File:/pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_80_tcp_wappalyzer_cli.txt
Status:COMPLETED
{
"urls": [
"http://10.10.10.18:80/"
],
"applications": [
{
"name": "Apache",
"confidence": "100",
"version": "2.4.7",
"icon": "Apache.svg",
"website": "http://apache.org",
"categories": [
{
"22": "Web Servers"
}
]
},
{
"name": "PHP",
"confidence": "100",
"version": "5.5.9",
"icon": "PHP.svg",
"website": "http://php.net",
"categories": [
{
"27": "Programming Languages"
}
]
},
{
"name": "Bootstrap",
"confidence": "100",
"version": "",
"icon": "Bootstrap.svg",
"website": "https://getbootstrap.com",
"categories": [
{
"18": "Web Frameworks"
}
]
},
{
"name": "Ubuntu",
"confidence": "100",
"version": "",
"icon": "Ubuntu.png",
"website": "http://www.ubuntu.com/server",
"categories": [
{
"28": "Operating Systems"
}
]
}
],
"meta": {
"language": null
}
}
Start Time:06/15/2019 11:13:26
Run Time:00:00:23
Command:gobuster -u http://10.10.10.18:80 -f -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,302,307,403,500' -e -n -q | tee /pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_80_tcp_gobuster_common.txt
Output File:/pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_80_tcp_gobuster_common.txt
Status:COMPLETED
http://10.10.10.18:80/.hta/
http://10.10.10.18:80/.htaccess/
http://10.10.10.18:80/.htpasswd/
http://10.10.10.18:80/classes/
http://10.10.10.18:80/css/
http://10.10.10.18:80/icons/
http://10.10.10.18:80/images/
http://10.10.10.18:80/index.php/
http://10.10.10.18:80/server-status/
Start Time:06/15/2019 11:15:24
Run Time:00:00:00
Command:python3 /opt/Photon/photon.py -u http://10.10.10.18:80 -o /pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_80_tcp_photon -e json && cat /pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_80_tcp_photon/exported.json | tee /pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_80_tcp_photon.txt
Output File:/pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_80_tcp_photon.txt
Status:COMPLETED
{
"files": [],
"intel": [],
"robots": [],
"custom": [],
"failed": [],
"internal": [
"http://10.10.10.18:80",
"http://10.10.10.18:80/register.php",
"http://10.10.10.18:80/login.php"
],
"scripts": [],
"external": [],
"fuzzable": [],
"endpoints": [],
"keys": []
}
Start Time:06/15/2019 11:16:31
Run Time:00:00:00
Command:cewl http://10.10.10.18:80 -m 6 -w /pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_80_tcp_cewl.txt
Output File:/pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_80_tcp_cewl.txt
Status:COMPLETED
Register
CompanyDev
Password
Username
create
register
company
projects
potential
Remember
Start Time:06/15/2019 11:16:55
Run Time:00:00:24
Command:ncrack -vv -p 22 --user root -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt 10.10.10.18 | tee /pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_22_tcp_ncrack_ssh_best15.txt
Output File:/pentest/htb/10.10.10.18/celerystalkOutput/10.10.10.18_22_tcp_ncrack_ssh_best15.txt
Status:COMPLETED

Starting Ncrack 0.6 ( http://ncrack.org ) at 2019-06-15 11:16 EDT

ssh://10.10.10.18:22 finished.


Ncrack done: 1 service scanned in 23.99 seconds.
Probes sent: 10 | timed-out: 0 | prematurely-closed: 0

Ncrack finished.

Host Report: 10.10.10.43



PortProtocolServiceProductVersionExtra Info
80 tcp http Apache httpd 2.4.18 (Ubuntu)
443 tcp https Apache httpd 2.4.18 (Ubuntu)


Start Time:06/15/2019 11:04:23
Run Time:00:00:01
Command:cewl http://10.10.10.43:80 -m 6 -w /pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_80_tcp_cewl.txt
Output File:/pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_80_tcp_cewl.txt
Status:COMPLETED
server
default
software
running
content
Start Time:06/15/2019 11:04:24
Run Time:00:07:25
Command:nikto -h http://10.10.10.43:80 -output /pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_80_tcp_nikto.txt
Output File:/pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_80_tcp_nikto.txt
Status:COMPLETED
- Nikto v2.1.6/2.1.5
+ Target Host: 10.10.10.43
+ Target Port: 80
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ HEAD Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ GET Server may leak inodes via ETags, header found with file /, inode: b2, size: 5535e4e04002a, mtime: gzip
+ OPTIONS Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ GET /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: GET /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3233: GET /icons/README: Apache default file found.
+ OSVDB-5292: GET /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
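Nikto reports "Server may leak inodes via ETags" for both Apache 2.4.18 hosts in this report (10.10.10.13 and 10.10.10.43) and labels the fields as inode, size and mtime. That check assumes the old three-field layout (`FileETag INode MTime Size`, the 2.2 default). Apache 2.4 defaults to `FileETag MTime Size`, which emits only two hex fields, `size-mtime`, with mtime as an apr_time_t in microseconds, and mod_deflate appends `-gzip`. So on these hosts the column Nikto calls "inode" is the file size, the column it calls "size" is the modification time, and the column it calls "mtime" is the mod_deflate suffix: no inode is disclosed. The following Python is an added example for decoding such ETags and flagging the Nikto false positive; it is not part of the celerystalk/Aquatone output above. The two sample ETag strings are reconstructed from Nikto's columns under the assumption that they were the original `ETag` header values, and the hypothetical function names are this example's own.

```python
import re
from datetime import datetime, timezone

# Apache httpd ETag layouts (server/util_etag.c):
#   FileETag MTime Size        -> "<size>-<mtime>"          (httpd 2.4 default)
#   FileETag INode MTime Size  -> "<inode>-<size>-<mtime>"  (httpd 2.2 default)
# Fields are lower-case hex; mtime is apr_time_t (microseconds since the Unix
# epoch). mod_deflate appends "-gzip" (DeflateAlterETag AddSuffix, the default).
# Assumed limitation of this example: a suffix consisting only of hex letters
# (e.g. "-bad") would be mis-read as a field; "gzip" and "br" can never be hex.
_ETAG_RE = re.compile(r'^(W/)?"([0-9a-f]+(?:-[0-9a-f]+)*)(?:-([a-z]+))?"$', re.I)


def decode_apache_etag(etag: str) -> dict:
    """Decode an Apache-style ETag into weak flag, inode (if any), size, mtime, suffix."""
    m = _ETAG_RE.match(etag.strip())
    if not m:
        raise ValueError(f"not an Apache-style ETag: {etag!r}")
    weak, body, suffix = m.groups()
    fields = [int(f, 16) for f in body.split("-")]
    if len(fields) == 2:          # 2.4 default: size-mtime
        inode, size, mtime_us = None, *fields
    elif len(fields) == 3:        # INode enabled: inode-size-mtime
        inode, size, mtime_us = fields
    else:
        raise ValueError(f"unexpected field count {len(fields)} in {etag!r}")
    mtime = datetime.fromtimestamp(mtime_us // 1_000_000, tz=timezone.utc)
    mtime = mtime.replace(microsecond=mtime_us % 1_000_000)
    return {"weak": weak is not None, "inode": inode, "size": size,
            "mtime": mtime, "suffix": suffix}


def nikto_fields(etag: str) -> dict:
    """Label the fields the way the Nikto check does (always inode, size, mtime),
    so the mislabelling on a 2.4 default server can be seen side by side."""
    m = _ETAG_RE.match(etag.strip())
    if not m:
        raise ValueError(f"not an Apache-style ETag: {etag!r}")
    _, body, suffix = m.groups()
    parts = body.split("-") + ([suffix] if suffix else [])
    return dict(zip(("inode", "size", "mtime"), parts))


def leaks_inode(etag: str) -> bool:
    """True only when a genuine inode field is present (three hex fields)."""
    return decode_apache_etag(etag)["inode"] is not None


# Constructed sample: the ETag values behind the two Nikto findings in this
# report, reassembled from Nikto's inode/size/mtime columns (not captured headers).
SAMPLE_ETAGS = {
    "10.10.10.13": '"30a6-555402443a52b-gzip"',
    "10.10.10.43": '"b2-5535e4e04002a-gzip"',
}

if __name__ == "__main__":
    for host, etag in SAMPLE_ETAGS.items():
        d = decode_apache_etag(etag)
        print(f"{host} {etag}")
        print(f"  nikto labels : {nikto_fields(etag)}")
        print(f"  actual       : size={d['size']} bytes, mtime={d['mtime'].isoformat()}, "
              f"suffix={d['suffix']}, inode leaked={leaks_inode(etag)}")
```

To confirm the interpretation against a live host, fetch the page once without compression (`curl -sI -H 'Accept-Encoding: identity' http://host/`) and compare `Content-Length` with the decoded size; with compression the ETag gains the `-gzip` suffix but the size field still refers to the uncompressed file. A two-field ETag is still a fingerprinting aid (it pins the exact file size and modification time, so it can reveal whether a page was edited), but it is not the inode disclosure Nikto names.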
Start Time:06/15/2019 11:05:03
Run Time:00:00:00
Command:cewl https://10.10.10.43:443 -m 6 -w /pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_443_tcp_cewl.txt
Output File:/pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_443_tcp_cewl.txt
Status:COMPLETED [No Output Data]
Start Time:06/15/2019 11:05:33
Run Time:00:00:01
Command:wpscan --url http://10.10.10.43:80 --disable-tls-checks --no-banner -f cli-no-color --enumerate p t tt u | tee /pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_80_tcp_wpscan.txt
Output File:/pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_80_tcp_wpscan.txt
Status:COMPLETED

Scan Aborted: The remote website is up, but does not seem to be running WordPress.
Start Time:06/15/2019 11:06:19
Run Time:00:02:13
Command:whatweb https://10.10.10.43:443 -a4 --colour=never | sed s/],/]\\n/g | tee /pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_443_tcp_whatweb.txt
Output File:/pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_443_tcp_whatweb.txt
Status:COMPLETED
https://10.10.10.43:443 [200 OK] Apache[2.4.18]
Country[RESERVED][ZZ]
HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)]
IP[10.10.10.43]
Error!: No such file or directory: /pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_443_tcp_photon.txt
Start Time:06/15/2019 11:06:44
Run Time:00:00:00
Command:python3 /opt/Photon/photon.py -u https://10.10.10.43:443 -o /pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_443_tcp_photon -e json && cat /pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_443_tcp_photon/exported.json | tee /pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_443_tcp_photon.txt
Output File:/pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_443_tcp_photon.txt
Start Time:06/15/2019 11:07:31
Run Time:00:01:10
Command:whatweb http://10.10.10.43:80 -a4 --colour=never | sed s/],/]\\n/g | tee /pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_80_tcp_whatweb.txt
Output File:/pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_80_tcp_whatweb.txt
Status:COMPLETED
http://10.10.10.43:80 [200 OK] Apache[2.4.18]
Country[RESERVED][ZZ]
HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)]
IP[10.10.10.43]
Start Time:06/15/2019 11:08:34
Run Time:00:00:25
Command:gobuster -u https://10.10.10.43:443 -f -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,302,307,403,500' -e -n -q | tee /pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_443_tcp_gobuster_common.txt
Output File:/pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_443_tcp_gobuster_common.txt
Status:COMPLETED
https://10.10.10.43:443/.hta/
https://10.10.10.43:443/.htaccess/
https://10.10.10.43:443/.htpasswd/
https://10.10.10.43:443/db/
https://10.10.10.43:443/icons/
https://10.10.10.43:443/server-status/
Start Time:06/15/2019 11:09:00
Run Time:00:00:23
Command:gobuster -u http://10.10.10.43:80 -f -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,302,307,403,500' -e -n -q | tee /pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_80_tcp_gobuster_common.txt
Output File:/pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_80_tcp_gobuster_common.txt
Status:COMPLETED
http://10.10.10.43:80/.htaccess/
http://10.10.10.43:80/.hta/
http://10.10.10.43:80/.htpasswd/
http://10.10.10.43:80/icons/
http://10.10.10.43:80/info.php/
http://10.10.10.43:80/server-status/
Start Time:06/15/2019 11:09:09
Run Time:00:00:00
Command:python3 /opt/Photon/photon.py -u http://10.10.10.43:80 -o /pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_80_tcp_photon -e json && cat /pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_80_tcp_photon/exported.json | tee /pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_80_tcp_photon.txt
Output File:/pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_80_tcp_photon.txt
Status:COMPLETED
{
"files": [],
"intel": [],
"robots": [],
"custom": [],
"failed": [],
"internal": [
"http://10.10.10.43:80"
],
"scripts": [],
"external": [],
"fuzzable": [],
"endpoints": [],
"keys": []
}
Start Time:06/15/2019 11:09:11
Run Time:00:00:00
Command:curl -sX GET "http://web.archive.org/cdx/search/cdx?url=http://10.10.10.43:80&output=text&fl=original&collapse=urlkey&matchType=prefix" | tee /pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_80_tcp_wayback.txt
Output File:/pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_80_tcp_wayback.txt
Status:COMPLETED
http://10.10.10.43/robots.txt
Start Time:06/15/2019 11:09:12
Run Time:00:27:10
Command:nikto -h https://10.10.10.43:443 -ssl -output /pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_443_tcp_nikto.txt
Output File:/pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_443_tcp_nikto.txt
Status:COMPLETED
- Nikto v2.1.6/2.1.5
+ Target Host: 10.10.10.43
+ Target Port: 443
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ GET The site uses SSL and Expect-CT header is not present.
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ HEAD Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ GET Hostname '10.10.10.43' does not match certificate's names: nineveh.htb
+ OPTIONS Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ GET Cookie PHPSESSID created without the secure flag
+ GET Cookie PHPSESSID created without the httponly flag
+ OSVDB-3092: GET /db/: This might be interesting...
+ OSVDB-3233: GET /icons/README: Apache default file found.
Start Time:06/15/2019 11:13:24
Run Time:00:00:00
Command:curl -sX GET "http://web.archive.org/cdx/search/cdx?url=http://10.10.10.43:443&output=text&fl=original&collapse=urlkey&matchType=prefix" | tee /pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_443_tcp_wayback.txt
Output File:/pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_443_tcp_wayback.txt
Status:COMPLETED
http://10.10.10.43/robots.txt
Start Time:06/15/2019 11:14:11
Run Time:00:00:02
Command:docker run --rm wappalyzer/cli http://10.10.10.43:80 | jq . | tee /pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_80_tcp_wappalyzer_cli.txt
Output File:/pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_80_tcp_wappalyzer_cli.txt
Status:COMPLETED
{
"urls": [
"http://10.10.10.43:80/"
],
"applications": [
{
"name": "Apache",
"confidence": "100",
"version": "2.4.18",
"icon": "Apache.svg",
"website": "http://apache.org",
"categories": [
{
"22": "Web Servers"
}
]
},
{
"name": "Ubuntu",
"confidence": "100",
"version": "",
"icon": "Ubuntu.png",
"website": "http://www.ubuntu.com/server",
"categories": [
{
"28": "Operating Systems"
}
]
}
],
"meta": {
"language": null
}
}
Start Time:06/15/2019 11:14:13
Run Time:00:00:01
Command:wpscan --url https://10.10.10.43:443 --disable-tls-checks --no-banner -f cli-no-color --enumerate p t tt u | tee /pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_443_tcp_wpscan.txt
Output File:/pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_443_tcp_wpscan.txt
Status:COMPLETED

Scan Aborted: The remote website is up, but does not seem to be running WordPress.
Start Time:06/15/2019 11:14:15
Run Time:00:00:02
Command:docker run --rm wappalyzer/cli https://10.10.10.43:443 | jq . | tee /pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_443_tcp_wappalyzer_cli.txt
Output File:/pentest/htb/10.10.10.43/celerystalkOutput/10.10.10.43_443_tcp_wappalyzer_cli.txt
Status:COMPLETED
{
"urls": [
"https://10.10.10.43:443/"
],
"applications": [
{
"name": "Apache",
"confidence": "100",
"version": "2.4.18",
"icon": "Apache.svg",
"website": "http://apache.org",
"categories": [
{
"22": "Web Servers"
}
]
},
{
"name": "Ubuntu",
"confidence": "100",
"version": "",
"icon": "Ubuntu.png",
"website": "http://www.ubuntu.com/server",
"categories": [
{
"28": "Operating Systems"
}
]
}
],
"meta": {
"language": null
}
}

Host Report: 10.10.10.80



PortProtocolServiceProductVersionExtra Info
80 tcp http Apache httpd 2.4.25 (Ubuntu)


Start Time:06/15/2019 11:04:23
Run Time:00:00:10
Command:docker run --rm wappalyzer/cli http://10.10.10.80:80 | jq . | tee /pentest/htb/10.10.10.80/celerystalkOutput/10.10.10.80_80_tcp_wappalyzer_cli.txt
Output File:/pentest/htb/10.10.10.80/celerystalkOutput/10.10.10.80_80_tcp_wappalyzer_cli.txt
Status:COMPLETED
{
"urls": [
"http://10.10.10.80:80/"
],
"applications": [
{
"name": "Apache",
"confidence": "100",
"version": "2.4.25",
"icon": "Apache.svg",
"website": "http://apache.org",
"categories": [
{
"22": "Web Servers"
}
]
},
{
"name": "Bootstrap",
"confidence": "100",
"version": "3.3.7",
"icon": "Bootstrap.svg",
"website": "https://getbootstrap.com",
"categories": [
{
"18": "Web Frameworks"
}
]
},
{
"name": "Ubuntu",
"confidence": "100",
"version": "",
"icon": "Ubuntu.png",
"website": "http://www.ubuntu.com/server",
"categories": [
{
"28": "Operating Systems"
}
]
},
{
"name": "jQuery",
"confidence": "100",
"version": "1.11.1",
"icon": "jQuery.svg",
"website": "https://jquery.com",
"categories": [
{
"12": "JavaScript Frameworks"
}
]
}
],
"meta": {
"language": "en"
}
}
Start Time:06/15/2019 11:04:41
Run Time:00:00:00
Command:cewl http://10.10.10.80:80 -m 6 -w /pentest/htb/10.10.10.80/celerystalkOutput/10.10.10.80_80_tcp_cewl.txt
Output File:/pentest/htb/10.10.10.80/celerystalkOutput/10.10.10.80_80_tcp_cewl.txt
Status:COMPLETED
fsociety
Bootstrap
Wanted
Portfolio
credit
databases
backups
AllSafe
Related
Anderson
FSociety
Custom
Navigation
Toggle
navigation
Upload
Copyright
Profit
Satire
container
jQuery
JavaScript
Content
Heading
Description
ransomware
encrypted
destroyed
compromising
Corporation
provided
security
solutions
believed
leader
insider
Infected
Vendor
overheat
building
Attacked
Phones
emergency
response
center
prison
infected
trojan
BadUSB
Projects
Suspects
Elliot
Tyrell
Wellick
Darlene
Angela
Injection
Submission
Removed
database
requirement
changing
submit
create
information
arrest
member
rewarded
genorously
Information
Start Time:06/15/2019 11:05:04
Run Time:00:00:01
Command:wpscan --url http://10.10.10.80:80 --disable-tls-checks --no-banner -f cli-no-color --enumerate p t tt u | tee /pentest/htb/10.10.10.80/celerystalkOutput/10.10.10.80_80_tcp_wpscan.txt
Output File:/pentest/htb/10.10.10.80/celerystalkOutput/10.10.10.80_80_tcp_wpscan.txt
Status:COMPLETED

Scan Aborted: The remote website is up, but does not seem to be running WordPress.
Start Time:06/15/2019 11:05:38
Run Time:00:07:23
Command:nikto -h http://10.10.10.80:80 -output /pentest/htb/10.10.10.80/celerystalkOutput/10.10.10.80_80_tcp_nikto.txt
Output File:/pentest/htb/10.10.10.80/celerystalkOutput/10.10.10.80_80_tcp_nikto.txt
Status:COMPLETED
- Nikto v2.1.6/2.1.5
+ Target Host: 10.10.10.80
+ Target Port: 80
+ GET Cookie admin created without the httponly flag
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ HEAD Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ GET IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: GET The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ EYEMAKJW Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: GET /css/: Directory indexing found.
+ OSVDB-3092: GET /css/: This might be interesting...
+ OSVDB-3268: GET /images/: Directory indexing found.
+ OSVDB-3233: GET /icons/README: Apache default file found.
Start Time:06/15/2019 11:06:24
Run Time:00:01:06
Command:whatweb http://10.10.10.80:80 -a4 --colour=never | sed s/],/]\\n/g | tee /pentest/htb/10.10.10.80/celerystalkOutput/10.10.10.80_80_tcp_whatweb.txt
Output File:/pentest/htb/10.10.10.80/celerystalkOutput/10.10.10.80_80_tcp_whatweb.txt
Status:COMPLETED
http://10.10.10.80:80 [200 OK] Apache[2.4.25]
Cookies[admin]
Country[RESERVED][ZZ]
HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.25 (Ubuntu)]
IP[10.10.10.80]
JQuery, Script, Title[FBIs Most Wanted: FSociety]
X-UA-Compatible[IE=edge]
Start Time:06/15/2019 11:13:18
Run Time:00:00:00
Command:python3 /opt/Photon/photon.py -u http://10.10.10.80:80 -o /pentest/htb/10.10.10.80/celerystalkOutput/10.10.10.80_80_tcp_photon -e json && cat /pentest/htb/10.10.10.80/celerystalkOutput/10.10.10.80_80_tcp_photon/exported.json | tee /pentest/htb/10.10.10.80/celerystalkOutput/10.10.10.80_80_tcp_photon.txt
Output File:/pentest/htb/10.10.10.80/celerystalkOutput/10.10.10.80_80_tcp_photon.txt
Status:COMPLETED
{
"files": [],
"intel": [],
"robots": [],
"custom": [],
"failed": [],
"internal": [
"http://10.10.10.80:80/?op=upload",
"http://10.10.10.80:80",
"http://10.10.10.80:80/?op=home"
],
"scripts": [
"http://10.10.10.80:80/js/bootstrap.min.js",
"http://10.10.10.80:80/js/jquery.js"
],
"external": [],
"fuzzable": [
"http://10.10.10.80:80/?op=upload",
"http://10.10.10.80:80/?op=home"
],
"endpoints": [],
"keys": []
}
Start Time:06/15/2019 11:15:24
Run Time:00:00:23
Command:gobuster -u http://10.10.10.80:80 -f -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,302,307,403,500' -e -n -q | tee /pentest/htb/10.10.10.80/celerystalkOutput/10.10.10.80_80_tcp_gobuster_common.txt
Output File:/pentest/htb/10.10.10.80/celerystalkOutput/10.10.10.80_80_tcp_gobuster_common.txt
Status:COMPLETED
http://10.10.10.80:80/.hta/
http://10.10.10.80:80/.htpasswd/
http://10.10.10.80:80/.htaccess/
http://10.10.10.80:80/css/
http://10.10.10.80:80/fonts/
http://10.10.10.80:80/icons/
http://10.10.10.80:80/images/
http://10.10.10.80:80/index.php/
http://10.10.10.80:80/javascript/
http://10.10.10.80:80/js/
http://10.10.10.80:80/server-status/
http://10.10.10.80:80/uploads/
Start Time:06/15/2019 11:16:30
Run Time:00:00:00
Command:curl -sX GET "http://web.archive.org/cdx/search/cdx?url=http://10.10.10.80:80&output=text&fl=original&collapse=urlkey&matchType=prefix" | tee /pentest/htb/10.10.10.80/celerystalkOutput/10.10.10.80_80_tcp_wayback.txt
Output File:/pentest/htb/10.10.10.80/celerystalkOutput/10.10.10.80_80_tcp_wayback.txt
Status:COMPLETED
http://10.10.10.80
http://10.10.10.80/robots.txt

Host Report: 10.10.10.153



PortProtocolServiceProductVersionExtra Info
80 tcp http Apache httpd 2.4.25 (Debian)


Start Time:06/15/2019 11:04:24
Run Time:00:00:01
Command:python3 /opt/Photon/photon.py -u http://10.10.10.153:80 -o /pentest/htb/10.10.10.153/celerystalkOutput/10.10.10.153_80_tcp_photon -e json && cat /pentest/htb/10.10.10.153/celerystalkOutput/10.10.10.153_80_tcp_photon/exported.json | tee /pentest/htb/10.10.10.153/celerystalkOutput/10.10.10.153_80_tcp_photon.txt
Output File:/pentest/htb/10.10.10.153/celerystalkOutput/10.10.10.153_80_tcp_photon.txt
Status:COMPLETED
{
"files": [],
"intel": [
"http://10.10.10.153:80/gallery.html:EMAIL:contact@blackhatuni.com",
"http://10.10.10.153:80:EMAIL:contact@blackhatuni.com",
"http://10.10.10.153:80/:EMAIL:contact@blackhatuni.com"
],
"robots": [],
"custom": [],
"failed": [],
"internal": [
"http://10.10.10.153:80/",
"http://10.10.10.153:80/gallery.html",
"http://10.10.10.153:80"
],
"scripts": [
"http://10.10.10.153:80/js/plugins.js",
"http://10.10.10.153:80/js/main.js",
"http://10.10.10.153:80/js/jquery-1.11.1.min.js"
],
"external": [],
"fuzzable": [],
"endpoints": [],
"keys": []
}
Start Time:06/15/2019 11:06:44
Run Time:00:00:00
Command:curl -sX GET "http://web.archive.org/cdx/search/cdx?url=http://10.10.10.153:80&output=text&fl=original&collapse=urlkey&matchType=prefix" | tee /pentest/htb/10.10.10.153/celerystalkOutput/10.10.10.153_80_tcp_wayback.txt
Output File:/pentest/htb/10.10.10.153/celerystalkOutput/10.10.10.153_80_tcp_wayback.txt
Status:COMPLETED
http://10.10.10.153
Start Time:06/15/2019 11:11:15
Run Time:00:07:27
Command:nikto -h http://10.10.10.153:80 -output /pentest/htb/10.10.10.153/celerystalkOutput/10.10.10.153_80_tcp_nikto.txt
Output File:/pentest/htb/10.10.10.153/celerystalkOutput/10.10.10.153_80_tcp_nikto.txt
Status:COMPLETED
- Nikto v2.1.6/2.1.5
+ Target Host: 10.10.10.153
+ Target Port: 80
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ HEAD Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OSVDB-630: GET The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.0.1".
+ GET Server may leak inodes via ETags, header found with file /, inode: 1f5c, size: 56f96b7bed26f, mtime: gzip
+ OPTIONS Allowed HTTP Methods: POST, OPTIONS, HEAD, GET
+ OSVDB-3268: GET /css/: Directory indexing found.
+ OSVDB-3092: GET /css/: This might be interesting...
+ OSVDB-3092: GET /manual/: Web server manual found.
+ OSVDB-3268: GET /manual/images/: Directory indexing found.
+ OSVDB-3268: GET /images/: Directory indexing found.
+ OSVDB-3233: GET /icons/README: Apache default file found.
Start Time:06/15/2019 11:12:10
Run Time:00:00:01
Command:wpscan --url http://10.10.10.153:80 --disable-tls-checks --no-banner -f cli-no-color --enumerate p t tt u | tee /pentest/htb/10.10.10.153/celerystalkOutput/10.10.10.153_80_tcp_wpscan.txt
Output File:/pentest/htb/10.10.10.153/celerystalkOutput/10.10.10.153_80_tcp_wpscan.txt
Status:COMPLETED

Scan Aborted: The remote website is up, but does not seem to be running WordPress.
Start Time:06/15/2019 11:13:27
Run Time:00:00:00
Command:cewl http://10.10.10.153:80 -m 6 -w /pentest/htb/10.10.10.153/celerystalkOutput/10.10.10.153_80_tcp_cewl.txt
Output File:/pentest/htb/10.10.10.153/celerystalkOutput/10.10.10.153_80_tcp_cewl.txt
Status:COMPLETED
container
Choose
subject
voluptatem
consectetur
adipisicing
eiusmod
tempor
incididunt
labore
dolore
aliqua
quibusdam
school
programs
content
portal
dolores
veniam
Request
information
Blackhat
Courses
Students
Events
Teachers
Gallery
navigation
header
students
teachers
accusantium
voluptas
aspernatur
consequuntur
events
Contact
contact
blackhatuni
topics
libero
tempore
soluta
aperiam
inventore
veritatis
Architecto
beatae
Social
Temporibus
debitis
necessitatibus
Facebook
Google
Twitter
Pinterest
Newsletter
Assumenda
repellendus
temporibus
Subscribe
footer
request
highschool
submit
homework
Awesome
results
accusamus
dignissimos
ducimus
blanditiis
praesentium
voluptatum
deleniti
corrupti
molestias
excepturi
occaecati
cupiditate
provident
similique
Latest
archival
Upcoming
upcoming
questions
answer
Highschool
Photos
selected
category
teacher
Student
olympics
Halloween
School
university
Karaoke
sidebar
Start Time:06/15/2019 11:14:08
Run Time:00:00:03
Command:docker run --rm wappalyzer/cli http://10.10.10.153:80 | jq . | tee /pentest/htb/10.10.10.153/celerystalkOutput/10.10.10.153_80_tcp_wappalyzer_cli.txt
Output File:/pentest/htb/10.10.10.153/celerystalkOutput/10.10.10.153_80_tcp_wappalyzer_cli.txt
Status:COMPLETED
{
"urls": [
"http://10.10.10.153:80/"
],
"applications": [
{
"name": "Apache",
"confidence": "100",
"version": "2.4.25",
"icon": "Apache.svg",
"website": "http://apache.org",
"categories": [
{
"22": "Web Servers"
}
]
},
{
"name": "Debian",
"confidence": "100",
"version": "",
"icon": "Debian.png",
"website": "http://debian.org",
"categories": [
{
"28": "Operating Systems"
}
]
},
{
"name": "FancyBox",
"confidence": "100",
"version": "2.1.4",
"icon": "FancyBox.png",
"website": "http://fancyapps.com/fancybox",
"categories": [
{
"12": "JavaScript Frameworks"
}
]
},
{
"name": "jQuery",
"confidence": "100",
"version": "1.11.1",
"icon": "jQuery.svg",
"website": "https://jquery.com",
"categories": [
{
"12": "JavaScript Frameworks"
}
]
}
],
"meta": {
"language": "en"
}
}
Start Time:06/15/2019 11:14:17
Run Time:00:01:06
Command:whatweb http://10.10.10.153:80 -a4 --colour=never | sed s/],/]\\n/g | tee /pentest/htb/10.10.10.153/celerystalkOutput/10.10.10.153_80_tcp_whatweb.txt
Output File:/pentest/htb/10.10.10.153/celerystalkOutput/10.10.10.153_80_tcp_whatweb.txt
Status:COMPLETED
http://10.10.10.153:80 [200 OK] Apache[2.4.25]
Country[RESERVED][ZZ]
Email[contact@blackhatuni.com]
HTML5, HTTPServer[Debian Linux][Apache/2.4.25 (Debian)]
IP[10.10.10.153]
JQuery[1.11.1]
Script, Title[Blackhat highschool]
Start Time:06/15/2019 11:16:34
Run Time:00:00:24
Command:gobuster -u http://10.10.10.153:80 -f -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,302,307,403,500' -e -n -q | tee /pentest/htb/10.10.10.153/celerystalkOutput/10.10.10.153_80_tcp_gobuster_common.txt
Output File:/pentest/htb/10.10.10.153/celerystalkOutput/10.10.10.153_80_tcp_gobuster_common.txt
Status:COMPLETED
http://10.10.10.153:80/.htpasswd/
http://10.10.10.153:80/.hta/
http://10.10.10.153:80/.htaccess/
http://10.10.10.153:80/css/
http://10.10.10.153:80/fonts/
http://10.10.10.153:80/icons/
http://10.10.10.153:80/images/
http://10.10.10.153:80/javascript/
http://10.10.10.153:80/js/
http://10.10.10.153:80/manual/
http://10.10.10.153:80/moodle/
http://10.10.10.153:80/phpmyadmin/
http://10.10.10.153:80/server-status/
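The gobuster runs above (this host, 10.10.10.80 and 10.10.10.43) were started with -q -n, so the listings carry no status codes, and with -f, which appends a slash to every word (that is why PHP files show up as /info.php/ and /index.php/). As printed, a stock Apache 403 on /.hta/, /.htaccess/, /.htpasswd/ or /server-status/ is indistinguishable from a real directory such as /db/, /uploads/, /phpmyadmin/ or /moodle/. The script below re-requests each hit and sorts it by status; it is an added example and not part of the celerystalk output. FAKE_STATUS is invented for the offline demo and is not what 10.10.10.153 returned; http_status() performs the live check.

```python
"""Re-check gobuster hits with live status codes (added example, not from the report).

FAKE_STATUS is constructed for the offline demo; http_status() is the live path.
"""
import ssl
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

# Paths the stock Debian/Ubuntu apache2 config answers 403 for on every host;
# they are noise unless the status is something other than 403.
APACHE_DEFAULT_403 = {
    "/.hta/", "/.htaccess/", "/.htpasswd/", "/icons/", "/server-status/", "/javascript/",
}

# Like gobuster -k: do not verify the target certificate (lab hosts are self-signed).
_INSECURE = ssl.create_default_context()
_INSECURE.check_hostname = False
_INSECURE.verify_mode = ssl.CERT_NONE

# Constructed demo data: the 10.10.10.153 hit list above plus one vanished path,
# with made-up status codes. Not captured from the host.
FAKE_STATUS = {
    "http://10.10.10.153:80/.hta/": 403,
    "http://10.10.10.153:80/.htaccess/": 403,
    "http://10.10.10.153:80/.htpasswd/": 403,
    "http://10.10.10.153:80/css/": 200,
    "http://10.10.10.153:80/icons/": 403,
    "http://10.10.10.153:80/javascript/": 403,
    "http://10.10.10.153:80/manual/": 200,
    "http://10.10.10.153:80/moodle/": 200,
    "http://10.10.10.153:80/phpmyadmin/": 200,
    "http://10.10.10.153:80/server-status/": 403,
    "http://10.10.10.153:80/vanished/": 404,
}


def http_status(url, timeout=5):
    """Live HEAD request; returns the HTTP status, or None when the host does not answer."""
    try:
        with urlopen(Request(url, method="HEAD"), timeout=timeout, context=_INSECURE) as resp:
            return resp.status
    except HTTPError as err:
        return err.code  # urllib raises for 4xx/5xx; the code is still the answer we want
    except URLError:
        return None


def triage(urls, status_of=http_status):
    """Split hits into interesting / default / gone buckets of (url, status) pairs."""
    buckets = {"interesting": [], "default": [], "gone": []}
    for url in urls:
        code = status_of(url)
        path = urlsplit(url).path
        if code is None or code == 404:
            buckets["gone"].append((url, code))
        elif path in APACHE_DEFAULT_403 and code == 403:
            buckets["default"].append((url, code))
        else:
            buckets["interesting"].append((url, code))
    return buckets


def load_gobuster(path):
    """Read a celerystalk gobuster output file (one URL per line) for a live triage."""
    with open(path) as fh:
        return [line.strip() for line in fh if line.strip().startswith("http")]


if __name__ == "__main__":
    # Offline demo; for a live run: triage(load_gobuster(".../10.10.10.153_80_tcp_gobuster_common.txt"))
    for bucket, hits in triage(sorted(FAKE_STATUS), FAKE_STATUS.get).items():
        print(bucket, hits)
```

Anything that lands in "interesting" with a 200 on a path from APACHE_DEFAULT_403 deserves a look too: a 200 on /server-status/ means mod_status is reachable from your address. For future runs, dropping -n keeps gobuster's own status column and makes this re-check unnecessary.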

Host Report: 10.10.10.119



PortProtocolServiceProductVersionExtra Info
22 tcp ssh OpenSSH 7.4 protocol 2.0
80 tcp http Apache httpd 2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
389 tcp ldap OpenLDAP 2.2.X - 2.3.X


Start Time:06/15/2019 11:04:24
Run Time:00:00:39
Command:ncrack -vv -p 22 --user root -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt 10.10.10.119 | tee /pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_22_tcp_ncrack_ssh_best15.txt
Output File:/pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_22_tcp_ncrack_ssh_best15.txt
Status:COMPLETED

Starting Ncrack 0.6 ( http://ncrack.org ) at 2019-06-15 11:04 EDT

ssh://10.10.10.119:22 finished.


Ncrack done: 1 service scanned in 39.00 seconds.
Probes sent: 10 | timed-out: 0 | prematurely-closed: 0

Ncrack finished.
Start Time:06/15/2019 11:04:34
Run Time:00:00:38
Command:nikto -h http://10.10.10.119:80 -output /pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_80_tcp_nikto.txt
Output File:/pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_80_tcp_nikto.txt
Status:COMPLETED
- Nikto v2.1.6/2.1.5
+ Target Host: 10.10.10.119
+ Target Port: 80
+ GET Retrieved x-powered-by header: PHP/5.4.16
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
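The Nikto runs on this host, on 10.10.10.43:443 and on 10.10.10.80:80 all report the same class of finding: X-Frame-Options and X-Content-Type-Options absent, HSTS absent on the TLS site, and a session cookie (PHPSESSID, admin) set without Secure and HttpOnly. The script below re-applies those checks to a raw response head so a fix can be verified without a full Nikto run. It is an added example, not part of the report or of Nikto; SAMPLE_WEAK and SAMPLE_HARDENED are constructed responses that reproduce the findings, not captures from the hosts, and the header values in REQUIRED_HEADERS are sample policy.

```python
"""Offline re-check of Nikto's header and cookie findings (added example, not from the report).

SAMPLE_WEAK / SAMPLE_HARDENED are constructed, not captured from any host.
"""

# Header -> value a hardened Apache vhost would send via mod_headers, e.g.
#   Header always set X-Frame-Options "DENY"
# Sample policy values; adjust to the site. X-XSS-Protection is deliberately
# omitted: current browsers ignore it, although Nikto still reports it.
REQUIRED_HEADERS = {
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
}

SAMPLE_WEAK = """\
HTTP/1.1 200 OK
Date: Sat, 15 Jun 2019 15:09:12 GMT
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: PHPSESSID=0123456789abcdef0123456789; path=/
Content-Type: text/html; charset=UTF-8
"""

SAMPLE_HARDENED = """\
HTTP/1.1 200 OK
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: PHPSESSID=0123456789abcdef0123456789; path=/; Secure; HttpOnly; SameSite=Lax
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html; charset=UTF-8
"""


def parse_response_headers(raw):
    """Return (status_code, headers); headers maps lowercase name -> list of values,
    so repeated Set-Cookie lines are all kept."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def check_headers(headers, is_tls):
    """Apply the checks Nikto reported: required headers present, cookie flags set."""
    findings = []
    for name in REQUIRED_HEADERS:
        if name == "strict-transport-security" and not is_tls:
            continue  # HSTS is only meaningful on an HTTPS response
        if name not in headers:
            findings.append(f"missing header: {name}")
    for cookie in headers.get("set-cookie", []):
        attrs = [a.strip() for a in cookie.split(";")]
        cookie_name = attrs[0].split("=", 1)[0]
        flags = {a.lower() for a in attrs[1:]}
        if is_tls and "secure" not in flags:
            findings.append(f"cookie {cookie_name} without Secure flag")
        if "httponly" not in flags:
            findings.append(f"cookie {cookie_name} without HttpOnly flag")
    return findings


def audit(raw_response, is_tls=True):
    """Parse a raw HTTP response head and return the findings (empty list = clean)."""
    _, headers = parse_response_headers(raw_response)
    return check_headers(headers, is_tls)


if __name__ == "__main__":
    for finding in audit(SAMPLE_WEAK):
        print("+", finding)
    print("hardened:", audit(SAMPLE_HARDENED) or "no findings")
```

Feed audit() the head of a real response (for example the output of curl -skI) to confirm a fix. For 10.10.10.43 note also Nikto's line that the certificate names nineveh.htb: the scans above were run against the IP, so a name-based vhost, if any, was never exercised; add the name to /etc/hosts and repeat the web checks against it.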
Start Time:06/15/2019 11:04:54
Run Time:00:00:38
Command:hydra -f -V -t 1 -l root -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt -s 22 10.10.10.119 ssh | tee /pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_22_tcp_hydra_ssh_best15.txt
Output File:/pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_22_tcp_hydra_ssh_best15.txt
Status:COMPLETED
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-06-15 11:04:54
[DATA] max 1 task per 1 server, overall 1 task, 15 login tries (l:1/p:15), ~15 tries per task
[DATA] attacking ssh://10.10.10.119:22/
[ATTEMPT] target 10.10.10.119 - login "root" - pass "111111" - 1 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.119 - login "root" - pass "1234" - 2 of 16 [child 0] (0/1)
[ATTEMPT] target 10.10.10.119 - login "root" - pass "12345" - 3 of 17 [child 0] (0/2)
[ATTEMPT] target 10.10.10.119 - login "root" - pass "123456" - 4 of 18 [child 0] (0/3)
[ATTEMPT] target 10.10.10.119 - login "root" - pass "1234567" - 5 of 18 [child 0] (0/3)
[ATTEMPT] target 10.10.10.119 - login "root" - pass "12345678" - 6 of 18 [child 0] (0/3)
[ATTEMPT] target 10.10.10.119 - login "root" - pass "abc123" - 7 of 18 [child 0] (0/3)
[ATTEMPT] target 10.10.10.119 - login "root" - pass "dragon" - 8 of 18 [child 0] (0/3)
[ATTEMPT] target 10.10.10.119 - login "root" - pass "iloveyou" - 9 of 18 [child 0] (0/3)
[ATTEMPT] target 10.10.10.119 - login "root" - pass "letmein" - 10 of 18 [child 0] (0/3)
[ATTEMPT] target 10.10.10.119 - login "root" - pass "monkey" - 11 of 18 [child 0] (0/3)
[ATTEMPT] target 10.10.10.119 - login "root" - pass "password" - 12 of 18 [child 0] (0/3)
[ATTEMPT] target 10.10.10.119 - login "root" - pass "qwerty" - 13 of 18 [child 0] (0/3)
[ATTEMPT] target 10.10.10.119 - login "root" - pass "tequiero" - 14 of 18 [child 0] (0/3)
[ATTEMPT] target 10.10.10.119 - login "root" - pass "test" - 15 of 18 [child 0] (0/3)
[REDO-ATTEMPT] target 10.10.10.119 - login "root" - pass "111111" - 16 of 18 [child 0] (1/3)
[REDO-ATTEMPT] target 10.10.10.119 - login "root" - pass "1234" - 17 of 18 [child 0] (2/3)
[REDO-ATTEMPT] target 10.10.10.119 - login "root" - pass "12345" - 18 of 18 [child 0] (3/3)
1 of 1 target completed, 0 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-06-15 11:05:32
Start Time:06/15/2019 11:05:34
Run Time:00:00:00
Command:gobuster -u http://10.10.10.119:80 -f -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,302,307,403,500' -e -n -q | tee /pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_80_tcp_gobuster_common.txt
Output File:/pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_80_tcp_gobuster_common.txt
Status:COMPLETED [No Output Data]
Start Time:06/15/2019 11:06:45
Run Time:00:00:00
Command:searchsploit ldap | tee /pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_389_tcp_ldap_searchsploit.txt
Output File:/pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_389_tcp_ldap_searchsploit.txt
Status:COMPLETED
---------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                  |  Path
                                                                                                                | (/usr/share/exploitdb/)
---------------------------------------------------------------------------------------------------------------- ----------------------------------------
Apache mod_rewrite - LDAP protocol Buffer Overflow (Metasploit) | exploits/windows/remote/16752.rb
Apple Mac OSX 10.4.x - OpenLDAP Denial of Service | exploits/osx/dos/28135.pl
Barracuda Spam Firewall 3.5.11 - 'ldap_test.cgi' Cross-Site Scripting | exploits/hardware/remote/31828.txt
Claroline E-Learning 1.75 - 'ldap.inc.php' Remote File Inclusion | exploits/php/webapps/1766.pl
CommuniGate Pro 5.0.6 - Server LDAP Denial of Service | exploits/linux/dos/27144.py
Dokeos Lms 1.6.4 - 'authldap.php' Remote File Inclusion | exploits/php/webapps/1765.pl
FortiGate FortiOS < 6.0.3 - LDAP Credential Disclosure | exploits/hardware/webapps/46171.py
IBM Lotus Domino LDAP - Bind Request Remote Code Execution | exploits/windows/dos/16190.pl
IBM Tivoli Directory Server 6.0 - LDAP Memory Corruption | exploits/multiple/dos/27196.txt
IBM iSeries AS400 LDAP Server - Remote Information Disclosure | exploits/unix/remote/25335.txt
IPSwitch IMail LDAP Daemon/Service - Remote Buffer Overflow | exploits/windows/remote/157.c
IPSwitch IMail LDAP Daemon/Service - Remote Buffer Overflow (Metasploit) | exploits/windows/remote/16824.rb
Intel Corporation Shiva Access Manager 5.0 - Solaris World Readable LDAP Password | exploits/solaris/local/20003.txt
Ipswitch IMail 5.0 - LDAP Buffer Overflow (Denial of Service) (PoC) | exploits/multiple/dos/19378.txt
Isode M-Vault Server 11.3 - LDAP Memory Corruption | exploits/multiple/dos/27212.txt
Kerio MailServer 5.x/6.x - Remote LDAP Denial of Service | exploits/windows/dos/29039.py
LDAP - Injection | exploits/multiple/local/11364.txt
LDAP Account Manager 3.4.0 - 'selfserviceSaveOk' Cross-Site Scripting | exploits/php/webapps/35684.txt
LemonLDAP:NG 0.9.3.1 - User Enumeration / Cross-Site Scripting | exploits/cgi/webapps/32734.txt
Lotus Domino 7.0.x/8.0/8.5 - LDAP Message Remote Denial of Service | exploits/multiple/dos/27730.py
McAfee Security Center IsOldAppInstalled - ActiveX Buffer Overflow | exploits/windows/remote/3893.c
Microsoft Active Directory LDAP Server - 'Username' Enumeration | exploits/windows/remote/32586.py
Microsoft Windows Server 2008/2012 - LDAP RootDSE Netlogon Denial of Service | exploits/windows/dos/40703.pl
NetIQ Privileged User Manager 2.3.1 - 'ldapagnt_eval()' Perl Remote Code Execution (Metasploit) | exploits/windows/remote/22903.rb
Netscape Professional Services FTP Server (LDAP Aware) 1.3.6 - FTP Server | exploits/unix/remote/20046.txt
Network Associates PGP KeyServer 7 - LDAP Buffer Overflow (Metasploit) | exploits/windows/remote/16823.rb
Novell Groupwise Internet Agent - LDAP BIND Request Overflow | exploits/windows/dos/22707.txt
Novell NetIQ Privileged User Manager 2.3.1 - 'ldapagnt.dll' ldapagnt_eval() Perl Code Evaluation Remote Code Execution | exploits/windows/remote/22738.txt
Novell eDirectory 8.8 and Netware LDAP-SSL Daemon - Denial of Service | exploits/multiple/dos/35753.pl
Novell eDirectory 883ftf3 - nldap module Denial of Service | exploits/windows/dos/10062.py
OpenLDAP 1.2.7/1.2.8/1.2.9/1.2.10 - '/usr/tmp/' Symlink | exploits/linux/local/19946.txt
OpenLDAP 2.2.29 - Remote Denial of Service (Metasploit) | exploits/linux/dos/2730.pm
OpenLDAP 2.3.39 - MODRDN Remote Denial of Service | exploits/multiple/dos/10077.txt
OpenLDAP 2.3.41 - BER Decoding Remote Denial of Service | exploits/linux/dos/32000.txt
OpenLDAP 2.4.22 - 'modrdn' Multiple Vulnerabilities | exploits/linux/dos/34348.txt
OpenLDAP 2.4.3 - 'KBIND' Remote Buffer Overflow | exploits/linux/remote/2933.c
OpenLDAP 2.4.42 - ber_get_next Denial of Service | exploits/linux/dos/38145.txt
OpenLDAP 2.4.x - 'modrdn' NULL OldDN Remote Denial of Service | exploits/linux/dos/35445.txt
Oracle (oidldapd connect) - Local Command Line Overflow | exploits/linux/local/183.c
Oracle Internet Directory 10.1.2.0.2 - 'oidldapd' Remote Memory Corruption | exploits/multiple/dos/33532.txt
Oracle Internet Directory 2.0.6 - oidldap | exploits/linux/local/20312.c
PineApp Mail-SeCure - 'ldapsyncnow.php' Arbitrary Command Execution (Metasploit) | exploits/php/remote/27294.rb
SIDVault LDAP Server - Remote Buffer Overflow | exploits/linux/remote/4315.py
SmarterMail < 7.2.3925 - LDAP Injection | exploits/asp/webapps/15189.txt
Solaris 8 libsldap - Local Buffer Overflow (1) | exploits/solaris/local/20969.c
Solaris 8 libsldap - Local Buffer Overflow (2) | exploits/solaris/local/20970.c
Sun SUNWlldap Library Hostname - Local Buffer Overflow | exploits/solaris/local/4.c
SurgeLDAP 1.0 - 'User.cgi' Directory Traversal | exploits/cgi/remote/23987.txt
SurgeLDAP 1.0 - Web Administration Authentication Bypass | exploits/cgi/webapps/24094.txt
SurgeLDAP 1.0 d - 'User.cgi' Cross-Site Scripting | exploits/cgi/webapps/23025.txt
SurgeLDAP 1.0 d - Full Path Disclosure | exploits/multiple/remote/23024.txt
Symantec Brightmail 10.6.0-7 - LDAP Credentials Disclosure (Metasploit) | exploits/java/webapps/39715.rb
WeBid - Multiple Cross-Site Scripting / LDAP Injection Vulnerabilities | exploits/php/webapps/39249.txt
Wireshark 0.99.8 - LDAP Dissector Denial of Service | exploits/linux/dos/31553.txt
Zabbix 2.0.5 - Cleartext ldap_bind_Password Password Disclosure (Metasploit) | exploits/php/webapps/36157.rb
phpLDAPadmin - Local File Inclusion | exploits/php/webapps/10410.txt
phpLDAPadmin 0.9.4b - Denial of Service | exploits/php/dos/18023.java
phpLDAPadmin 0.9.6/0.9.7 - 'welcome.php' Arbitrary File Inclusion | exploits/php/webapps/26211.txt
phpLDAPadmin 0.9.8 - 'compare_form.php' Cross-Site Scripting | exploits/php/webapps/27717.txt
phpLDAPadmin 0.9.8 - 'copy_form.php' Cross-Site Scripting | exploits/php/webapps/27718.txt
phpLDAPadmin 0.9.8 - 'rename_form.php' Cross-Site Scripting | exploits/php/webapps/27719.txt
phpLDAPadmin 0.9.8 - 'search.php' Cross-Site Scripting | exploits/php/webapps/27721.txt
phpLDAPadmin 0.9.8 - 'template_engine.php' Cross-Site Scripting | exploits/php/webapps/27722.txt
phpLDAPadmin 1.2.0.5-2 - 'server_id' Cross-Site Scripting | exploits/php/webapps/36655.txt
phpLDAPadmin 1.2.1.1 - Remote PHP Code Injection (1) | exploits/php/webapps/18021.php
phpLDAPadmin 1.2.1.1 - Remote PHP Code Injection (Metasploit) (2) | exploits/php/webapps/18031.rb
phpLDAPadmin 1.2.2 - 'base' Cross-Site Scripting | exploits/php/webapps/36654.txt
phpLDAPadmin 1.2.2 - 'server_id' LDAP Injection (Username) | exploits/php/webapps/44926.txt
yaplap 0.6.1b - 'ldap.php' Remote File Inclusion | exploits/php/webapps/2930.pl
---------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
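The searchsploit output was captured with colour on, so the raw file carries ANSI highlight sequences (the ESC byte shows as "?" in the dump: ?[01;31m?[K ... ?[m?[K) and almost every row is a generic "ldap" keyword match rather than something that applies to OpenLDAP 2.2/2.3, which is what nmap guessed for this host. The script below, an added example and not part of the report or of searchsploit, strips the escapes, parses the two-column table and keeps only rows whose product and version family match. RAW_SAMPLE is a constructed excerpt of the rows above in their garbled form, not a fresh searchsploit run.

```python
"""Clean and filter colourised searchsploit output (added example, not from the report).

RAW_SAMPLE is a constructed excerpt of the rows above, kept in their garbled form.
"""
import re

# CSI sequences: ESC [ params final-byte. In the report the ESC byte (0x1b) was
# rendered as a literal '?', so both forms are matched.
ANSI_RE = re.compile(r"(?:\x1b|\?)\[[0-9;]*[A-Za-z]")

# Leading "<Product> <version>" of an Exploit-DB title, e.g. "OpenLDAP 2.3.41 - ...".
VERSION_RE = re.compile(r"^(\S+) (\d+(?:\.\d+)*)")

RAW_SAMPLE = """\
------------------------------------------------------------------ ----------------------------------------
 Exploit Title                                                    |  Path
                                                                  | (/usr/share/exploitdb/)
------------------------------------------------------------------ ----------------------------------------
Apple Mac OSX 10.4.x - Open?[01;31m?[KLDAP?[m?[K Denial of Service | exploits/osx/dos/28135.pl
Open?[01;31m?[KLDAP?[m?[K 1.2.7/1.2.8/1.2.9/1.2.10 - '/usr/tmp/' Symlink | exploits/linux/local/19946.txt
Open?[01;31m?[KLDAP?[m?[K 2.2.29 - Remote Denial of Service (Metasploit) | exploits/linux/dos/2730.pm
Open?[01;31m?[KLDAP?[m?[K 2.3.39 - MODRDN Remote Denial of Service | exploits/multiple/dos/10077.txt
Open?[01;31m?[KLDAP?[m?[K 2.3.41 - BER Decoding Remote Denial of Service | exploits/linux/dos/32000.txt
Open?[01;31m?[KLDAP?[m?[K 2.4.42 - ber_get_next Denial of Service | exploits/linux/dos/38145.txt
Open?[01;31m?[KLDAP?[m?[K 2.4.x - 'modrdn' NULL OldDN Remote Denial of Service | exploits/linux/dos/35445.txt
------------------------------------------------------------------ ----------------------------------------
Shellcodes: No Result
"""


def strip_ansi(text):
    """Remove colour/erase sequences, whether the ESC byte survived or became '?'."""
    return ANSI_RE.sub("", text)


def parse_searchsploit(text):
    """Return [(title, path)] from searchsploit's table, skipping rules and header rows."""
    rows = []
    for line in strip_ansi(text).splitlines():
        if "|" not in line or line.startswith("-"):
            continue
        title, _, path = line.rpartition("|")
        title, path = title.strip(), path.strip()
        if not (path.startswith("exploits/") or path.startswith("shellcodes/")):
            continue  # "Exploit Title | Path" and "| (/usr/share/exploitdb/)" header rows
        rows.append((title, path))
    return rows


def filter_product(rows, product, version_prefixes):
    """Keep rows whose title starts with `product` and whose version is in one of the
    given families, e.g. ("OpenLDAP", ["2.2", "2.3"]). Titles without a version
    ("OpenLDAP 2.4.x" still parses as 2.4) are dropped."""
    hits = []
    for title, path in rows:
        m = VERSION_RE.match(title)
        if not m or m.group(1).lower() != product.lower():
            continue
        version = m.group(2)
        if any(version == p or version.startswith(p + ".") for p in version_prefixes):
            hits.append((title, path))
    return hits


if __name__ == "__main__":
    for title, path in filter_product(parse_searchsploit(RAW_SAMPLE), "OpenLDAP", ["2.2", "2.3"]):
        print(f"{title} | {path}")
```

Two caveats before acting on the three rows this leaves. The "OpenLDAP 2.2.X - 2.3.X" string comes from nmap's behavioural fingerprint, not from a version banner (slapd does not send one), and the httpd 2.4.6 / PHP 5.4.16 / OpenSSL 1.0.2k-fips banners on this host point to CentOS 7, whose distribution package is OpenLDAP 2.4.x; treat the version match as a lead to confirm, not a finding. For future runs, searchsploit --colour (or -j for JSON) avoids the escape sequences in the first place.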
Start Time:06/15/2019 11:08:33
Run Time:00:00:00
Command:wpscan --url http://10.10.10.119:80 --disable-tls-checks --no-banner -f cli-no-color --enumerate p t tt u | tee /pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_80_tcp_wpscan.txt
Output File:/pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_80_tcp_wpscan.txt
Status:COMPLETED

Scan Aborted: The url supplied 'http://10.10.10.119/' seems to be down (Couldn't connect to server)
Start Time:06/15/2019 11:09:23
Run Time:00:00:12
Command:nmap 10.10.10.119 -p 389 -sC -sV -v -Pn -oN /pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_389_tcp_nmap_service_scan.txt
Output File:/pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_389_tcp_nmap_service_scan.txt
Status:COMPLETED
# Nmap 7.70 scan initiated Sat Jun 15 11:09:23 2019 as: nmap -p 389 -sC -sV -v -Pn -oN /pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_389_tcp_nmap_service_scan.txt 10.10.10.119
Nmap scan report for 10.10.10.119
Host is up (0.052s latency).

PORT STATE SERVICE VERSION
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
| ssl-cert: Subject: commonName=lightweight.htb
| Subject Alternative Name: DNS:lightweight.htb, DNS:localhost, DNS:localhost.localdomain
| Issuer: commonName=lightweight.htb
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-06-09T13:32:51
| Not valid after: 2019-06-09T13:32:51
| MD5: 0e61 1374 e591 83bd fd4a ee1a f448 547c
|_SHA-1: 8e10 be17 d435 e99d 3f93 9f40 c5d9 433c 47dd 532f
|_ssl-date: TLS randomness does not represent time

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 15 11:09:36 2019 -- 1 IP address (1 host up) scanned in 12.33 seconds
Start Time:06/15/2019 11:10:40
Run Time:00:00:31
Command:medusa -u root -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt -e ns -h 10.10.10.119 - 22 -M ssh | tee /pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_22_tcp_medusa.txt
Output File:/pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_22_tcp_medusa.txt
Status:COMPLETED
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ACCOUNT CHECK: [ssh] Host: 10.10.10.119 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: (1 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.119 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: root (2 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.119 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 111111 (3 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.119 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 1234 (4 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.119 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 12345 (5 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.119 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 123456 (6 of 17 complete)
Start Time:06/15/2019 11:11:49
Run Time:00:00:00
Command:python3 /opt/Photon/photon.py -u http://10.10.10.119:80 -o /pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_80_tcp_photon -e json && cat /pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_80_tcp_photon/exported.json | tee /pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_80_tcp_photon.txt
Output File:/pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_80_tcp_photon.txt
Status:COMPLETED
{
"files": [],
"intel": [
"http://10.10.10.119:80/user.php:IPV4:10.10.14.3",
"https://github.com/joseluisq/slendr"
],
"robots": [],
"custom": [],
"failed": [],
"internal": [
"http://10.10.10.119:80",
"http://10.10.10.119:80/",
"http://10.10.10.119:80/info.php",
"http://10.10.10.119:80/reset.php",
"http://10.10.10.119:80/user.php"
],
"scripts": [
"http://10.10.10.119:80/js/index.js"
],
"external": [
"https://github.com/joseluisq/slendr"
],
"fuzzable": [],
"endpoints": [],
"keys": []
}
Start Time:06/15/2019 11:12:00
Run Time:00:00:00
Command:nmap 10.10.10.119 -p 22 -sC -sV -v -Pn -oN /pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_22_tcp_nmap_service_scan.txt
Output File:/pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_22_tcp_nmap_service_scan.txt
Status:COMPLETED
# Nmap 7.70 scan initiated Sat Jun 15 11:12:00 2019 as: nmap -p 22 -sC -sV -v -Pn -oN /pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_22_tcp_nmap_service_scan.txt 10.10.10.119
Nmap scan report for 10.10.10.119
Host is up (0.048s latency).

PORT STATE SERVICE VERSION
22/tcp filtered ssh

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 15 11:12:00 2019 -- 1 IP address (1 host up) scanned in 0.68 seconds
Start Time:06/15/2019 11:12:03
Run Time:00:05:21
Command:whatweb http://10.10.10.119:80 -a4 --colour=never | sed s/],/]\\n/g | tee /pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_80_tcp_whatweb.txt
Output File:/pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_80_tcp_whatweb.txt
Status:COMPLETED
http://10.10.10.119:80 [200 OK] Apache[2.4.6][mod_fcgid/2.3.9]
Country[RESERVED][ZZ]
HTML5, HTTPServer[CentOS][Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16]
IP[10.10.10.119]
OpenSSL[1.0.2k-fips]
PHP[5.4.16]
Script, Title[Lightweight slider evaluation page - slendr]
X-Powered-By[PHP/5.4.16]
Start Time:06/15/2019 11:13:22
Run Time:00:00:01
Command:docker run --rm wappalyzer/cli http://10.10.10.119:80 | jq . | tee /pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_80_tcp_wappalyzer_cli.txt
Output File:/pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_80_tcp_wappalyzer_cli.txt
Status:COMPLETED
{
"urls": [
"http://10.10.10.119:80/"
],
"applications": [],
"meta": {}
}
Start Time:06/15/2019 11:14:06
Run Time:00:00:07
Command:cewl http://10.10.10.119:80 -m 6 -w /pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_80_tcp_cewl.txt
Output File:/pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_80_tcp_cewl.txt
Status:COMPLETED [No Output Data]
Start Time:06/15/2019 11:16:33
Run Time:00:00:00
Command:curl -sX GET "http://web.archive.org/cdx/search/cdx?url=http://10.10.10.119:80&output=text&fl=original&collapse=urlkey&matchType=prefix" | tee /pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_80_tcp_wayback.txt
Output File:/pentest/htb/10.10.10.119/celerystalkOutput/10.10.10.119_80_tcp_wayback.txt
Status:COMPLETED [No Output Data]

Host Report: 10.10.10.121



Port   Protocol   Service   Product                    Version                   Extra Info
22     tcp        ssh       OpenSSH                    7.2p2 Ubuntu 4ubuntu2.6   Ubuntu Linux; protocol 2.0
80     tcp        http      Apache httpd               2.4.18                    (Ubuntu)
3000   tcp        http      Node.js Express framework


Start Time:06/15/2019 11:04:23
Run Time:00:01:14
Command:whatweb http://10.10.10.121:80 -a4 --colour=never | sed s/],/]\\n/g | tee /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_80_tcp_whatweb.txt
Output File:/pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_80_tcp_whatweb.txt
Status:COMPLETED
http://10.10.10.121:80 [200 OK] Apache[2.4.18]
Country[RESERVED][ZZ]
HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)]
IP[10.10.10.121]
Title[Apache2 Ubuntu Default Page: It works]
Start Time:06/15/2019 11:04:23
Run Time:00:00:06
Command:wpscan --url http://10.10.10.121:3000 --disable-tls-checks --no-banner -f cli-no-color --enumerate p t tt u | tee /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_3000_tcp_wpscan.txt
Output File:/pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_3000_tcp_wpscan.txt
Status:COMPLETED
[i] Updating the Database ...
[i] Update completed.


Scan Aborted: The remote website is up, but does not seem to be running WordPress.
Start Time:06/15/2019 11:04:23
Run Time:00:01:34
Command:hydra -f -V -t 1 -l root -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt -s 22 10.10.10.121 ssh | tee /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_22_tcp_hydra_ssh_best15.txt
Output File:/pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_22_tcp_hydra_ssh_best15.txt
Status:COMPLETED
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-06-15 11:04:23
[DATA] max 1 task per 1 server, overall 1 task, 15 login tries (l:1/p:15), ~15 tries per task
[DATA] attacking ssh://10.10.10.121:22/
[ATTEMPT] target 10.10.10.121 - login "root" - pass "111111" - 1 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.121 - login "root" - pass "1234" - 2 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.121 - login "root" - pass "12345" - 3 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.121 - login "root" - pass "123456" - 4 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.121 - login "root" - pass "1234567" - 5 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.121 - login "root" - pass "12345678" - 6 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.121 - login "root" - pass "abc123" - 7 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.121 - login "root" - pass "dragon" - 8 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.121 - login "root" - pass "iloveyou" - 9 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.121 - login "root" - pass "letmein" - 10 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.121 - login "root" - pass "monkey" - 11 of 15 [child 0] (0/0)
[STATUS] 11.00 tries/min, 11 tries in 00:01h, 4 to do in 00:01h, 1 active
[ATTEMPT] target 10.10.10.121 - login "root" - pass "password" - 12 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.121 - login "root" - pass "qwerty" - 13 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.121 - login "root" - pass "tequiero" - 14 of 15 [child 0] (0/0)
[ATTEMPT] target 10.10.10.121 - login "root" - pass "test" - 15 of 15 [child 0] (0/0)
1 of 1 target completed, 0 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-06-15 11:05:58
Start Time:06/15/2019 11:05:12
Run Time:00:00:02
Command:docker run --rm wappalyzer/cli http://10.10.10.121:3000 | jq . | tee /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_3000_tcp_wappalyzer_cli.txt
Output File:/pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_3000_tcp_wappalyzer_cli.txt
Status:COMPLETED
{
"urls": [],
"applications": [],
"meta": {}
}
Start Time:06/15/2019 11:05:14
Run Time:00:00:24
Command:gobuster -u http://10.10.10.121:80 -f -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,302,307,403,500' -e -n -q | tee /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_80_tcp_gobuster_common.txt
Output File:/pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_80_tcp_gobuster_common.txt
Status:COMPLETED
http://10.10.10.121:80/.htaccess/
http://10.10.10.121:80/.htpasswd/
http://10.10.10.121:80/.hta/
http://10.10.10.121:80/icons/
http://10.10.10.121:80/javascript/
http://10.10.10.121:80/server-status/
http://10.10.10.121:80/support/
Start Time:06/15/2019 11:05:32
Run Time:00:00:00
Command:curl -sX GET "http://web.archive.org/cdx/search/cdx?url=http://10.10.10.121:3000&output=text&fl=original&collapse=urlkey&matchType=prefix" | tee /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_3000_tcp_wayback.txt
Output File:/pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_3000_tcp_wayback.txt
Status:COMPLETED
http://10.10.10.121
http://10.10.10.121/robots.txt
Start Time:06/15/2019 11:06:18
Run Time:00:00:00
Command:cewl http://10.10.10.121:80 -m 6 -w /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_80_tcp_cewl.txt
Output File:/pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_80_tcp_cewl.txt
Status:COMPLETED
Ubuntu
configuration
apache
Apache
server
default
enabled
Debian
located
respective
document
Default
installation
systems
installed
should
before
Configuration
different
itself
package
directories
modules
virtual
available
Please
report
Modified
original
updated
launchpad
CONTENTS
Changes
Config
welcome
correct
operation
equivalent
packaging
derived
working
properly
replace
continuing
operate
normal
probably
currently
unavailable
maintenance
problem
persists
please
contact
administrator
Overview
upstream
several
optimized
interaction
system
documented
README
documentation
Documentation
accessing
manual
layout
follows
pieces
together
including
remaining
starting
always
included
determine
listening
incoming
connections
customized
anytime
contain
particular
snippets
manage
global
fragments
configurations
respectively
activated
symlinking
counterparts
managed
helpers
dismod
ensite
dissite
enconf
disconf
detailed
information
binary
called
environment
variables
started
stopped
Calling
directly
Document
access
through
browser
public
applications
elsewhere
whitelist
directory
previous
releases
provides
better
security
Reporting
Problems
ubuntu
However
existing
reports
reporting
specific
others
packages
Start Time:06/15/2019 11:06:18
Run Time:00:00:00
Command:python3 /opt/Photon/photon.py -u http://10.10.10.121:80 -o /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_80_tcp_photon -e json && cat /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_80_tcp_photon/exported.json | tee /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_80_tcp_photon.txt
Output File:/pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_80_tcp_photon.txt
Status:COMPLETED
{
"files": [],
"intel": [
"http://10.10.10.121:80/manual:IPV4:10.10.10.121",
"http://10.10.10.121:80/manual:EMAIL:Server at 10.10.10.121"
],
"robots": [],
"custom": [],
"failed": [],
"internal": [
"http://10.10.10.121:80",
"http://10.10.10.121:80/",
"http://10.10.10.121:80/manual",
"http://10.10.10.121:80//manual"
],
"scripts": [],
"external": [
"http://manpages.debian.org/cgi-bin/man.cgi?query=a2dissite",
"http://manpages.debian.org/cgi-bin/man.cgi?query=a2ensite",
"http://manpages.debian.org/cgi-bin/man.cgi?query=a2dismod",
"http://manpages.debian.org/cgi-bin/man.cgi?query=a2disconf",
"http://manpages.debian.org/cgi-bin/man.cgi?query=a2enmod",
"http://httpd.apache.org/docs/2.4/mod/mod_userdir.html",
"http://manpages.debian.org/cgi-bin/man.cgi?query=a2enconf"
],
"fuzzable": [],
"endpoints": [],
"keys": []
}
Start Time:06/15/2019 11:06:22
Run Time:00:01:39
Command:nikto -h http://10.10.10.121:3000 -output /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_3000_tcp_nikto.txt
Output File:/pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_3000_tcp_nikto.txt
Status:COMPLETED
- Nikto v2.1.6/2.1.5
+ Target Host: 10.10.10.121
+ Target Port: 3000
+ GET Retrieved x-powered-by header: Express
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OPTIONS Allowed HTTP Methods: GET, HEAD
Start Time:06/15/2019 11:08:02
Run Time:00:00:00
Command:curl -sX GET "http://web.archive.org/cdx/search/cdx?url=http://10.10.10.121:80&output=text&fl=original&collapse=urlkey&matchType=prefix" | tee /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_80_tcp_wayback.txt
Output File:/pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_80_tcp_wayback.txt
Status:COMPLETED
http://10.10.10.121
http://10.10.10.121/robots.txt
Start Time:06/15/2019 11:08:41
Run Time:00:00:24
Command:gobuster -u http://10.10.10.121:3000 -f -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,302,307,403,500' -e -n -q | tee /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_3000_tcp_gobuster_common.txt
Output File:/pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_3000_tcp_gobuster_common.txt
Status:COMPLETED [No Output Data]
Start Time:06/15/2019 11:09:09
Run Time:00:00:01
Command:wpscan --url http://10.10.10.121:80 --disable-tls-checks --no-banner -f cli-no-color --enumerate p t tt u | tee /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_80_tcp_wpscan.txt
Output File:/pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_80_tcp_wpscan.txt
Status:COMPLETED

Scan Aborted: The remote website is up, but does not seem to be running WordPress.
Start Time:06/15/2019 11:09:10
Run Time:00:00:21
Command:ncrack -vv -p 22 --user root -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt 10.10.10.121 | tee /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_22_tcp_ncrack_ssh_best15.txt
Output File:/pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_22_tcp_ncrack_ssh_best15.txt
Status:COMPLETED

Starting Ncrack 0.6 ( http://ncrack.org ) at 2019-06-15 11:09 EDT

ssh://10.10.10.121:22 finished.


Ncrack done: 1 service scanned in 21.00 seconds.
Probes sent: 10 | timed-out: 0 | prematurely-closed: 0

Ncrack finished.
Start Time:06/15/2019 11:09:36
Run Time:00:07:25
Command:nikto -h http://10.10.10.121:80 -output /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_80_tcp_nikto.txt
Output File:/pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_80_tcp_nikto.txt
Status:COMPLETED
- Nikto v2.1.6/2.1.5
+ Target Host: 10.10.10.121
+ Target Port: 80
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ HEAD Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ GET Server may leak inodes via ETags, header found with file /, inode: 2c39, size: 57ba5b7e5205d, mtime: gzip
+ OPTIONS Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ GET Cookie PHPSESSID created without the httponly flag
+ GET Cookie lang created without the httponly flag
+ OSVDB-3092: GET /support/: This might be interesting...
+ OSVDB-3233: GET /icons/README: Apache default file found.
Start Time:06/15/2019 11:12:05
Run Time:00:00:02
Command:nmap 10.10.10.121 -p 22 -sC -sV -v -Pn -oN /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_22_tcp_nmap_service_scan.txt
Output File:/pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_22_tcp_nmap_service_scan.txt
Status:COMPLETED
# Nmap 7.70 scan initiated Sat Jun 15 11:12:05 2019 as: nmap -p 22 -sC -sV -v -Pn -oN /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_22_tcp_nmap_service_scan.txt 10.10.10.121
Nmap scan report for 10.10.10.121
Host is up (0.050s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
| 256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_ 256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 15 11:12:07 2019 -- 1 IP address (1 host up) scanned in 2.25 seconds
Start Time:06/15/2019 11:12:08
Run Time:00:00:02
Command:docker run --rm wappalyzer/cli http://10.10.10.121:80 | jq . | tee /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_80_tcp_wappalyzer_cli.txt
Output File:/pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_80_tcp_wappalyzer_cli.txt
Status:COMPLETED
{
"urls": [
"http://10.10.10.121:80/"
],
"applications": [
{
"name": "Apache",
"confidence": "100",
"version": "2.4.18",
"icon": "Apache.svg",
"website": "http://apache.org",
"categories": [
{
"22": "Web Servers"
}
]
},
{
"name": "Ubuntu",
"confidence": "100",
"version": "",
"icon": "Ubuntu.png",
"website": "http://www.ubuntu.com/server",
"categories": [
{
"28": "Operating Systems"
}
]
}
],
"meta": {
"language": null
}
}
Start Time:06/15/2019 11:12:11
Run Time:00:01:07
Command:whatweb http://10.10.10.121:3000 -a4 --colour=never | sed s/],/]\\n/g | tee /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_3000_tcp_whatweb.txt
Output File:/pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_3000_tcp_whatweb.txt
Status:COMPLETED
http://10.10.10.121:3000 [200 OK] Country[RESERVED][ZZ]
IP[10.10.10.121]
X-Powered-By[Express]
Start Time:06/15/2019 11:13:27
Run Time:00:00:38
Command:medusa -u root -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt -e ns -h 10.10.10.121 - 22 -M ssh | tee /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_22_tcp_medusa.txt
Output File:/pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_22_tcp_medusa.txt
Status:COMPLETED
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ACCOUNT CHECK: [ssh] Host: 10.10.10.121 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: (1 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.121 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: root (2 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.121 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 111111 (3 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.121 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 1234 (4 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.121 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 12345 (5 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.121 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 123456 (6 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.121 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 1234567 (7 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.121 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 12345678 (8 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.121 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: abc123 (9 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.121 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: dragon (10 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.121 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: iloveyou (11 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.121 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: letmein (12 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.121 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: monkey (13 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.121 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: password (14 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.121 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: qwerty (15 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.121 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: tequiero (16 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.121 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: test (17 of 17 complete)
Start Time:06/15/2019 11:14:06
Run Time:00:00:00
Command:cewl http://10.10.10.121:3000 -m 6 -w /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_3000_tcp_cewl.txt
Output File:/pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_3000_tcp_cewl.txt
Status:COMPLETED
message
access
please
credentials
Start Time:06/15/2019 11:16:33
Run Time:00:00:00
Command:python3 /opt/Photon/photon.py -u http://10.10.10.121:3000 -o /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_3000_tcp_photon -e json && cat /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_3000_tcp_photon/exported.json | tee /pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_3000_tcp_photon.txt
Output File:/pentest/htb/10.10.10.121/celerystalkOutput/10.10.10.121_3000_tcp_photon.txt
Status:COMPLETED
{
"files": [],
"intel": [],
"robots": [],
"custom": [],
"failed": [],
"internal": [
"http://10.10.10.121:3000"
],
"scripts": [],
"external": [],
"fuzzable": [],
"endpoints": [],
"keys": []
}