- nmap
- Add unattended.htb to the hosts file so we can refer to the host by name

  ```
  $ echo "10.10.10.126 unattended.htb" >> /etc/hosts
  ```
- Scan for ports and services

  ```
  # Use nmap to find available TCP ports quickly
  $ unattended_tcp_ports=$( \
      nmap unattended.htb \
        -p- \
        --min-rate=1000 \
        --max-retries=2 \
        -T4 \
        -Pn \
        -oA nmap-tcp-allports \
      | grep '^[0-9]' \
      | cut -d '/' -f 1 \
      | tr '\n' ',' \
      | sed 's/,$//' \
    )

  # Scan found ports for services
  $ nmap unattended.htb \
      -p "${unattended_tcp_ports}" \
      -sV \
      -sC \
      -T4 \
      -Pn \
      -oA nmap-tcp-foundports
  ```
- Check found ports against the Vulners db/nse script

  ```
  $ nmap unattended.htb \
      -p "${unattended_tcp_ports}" \
      --script=vulners \
      -Pn \
      -A \
      -T4 \
      -oA nmap-tcp-foundports-vulners
  ```
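
The port list above is scraped from nmap's human-readable output, where the `grep` for lines starting with a digit keeps every port line regardless of its state. As an added example (not part of the original write-up), this function reads the `.gnmap` file that `-oA` already writes and keeps only TCP ports reported as open; the function names and the sample data are constructed for illustration and assume a single scanned host.

```shell
# Added example: extract only open TCP ports from nmap grepable output (.gnmap).

# Constructed sample in .gnmap format (documentation address, made-up ports).
sample_gnmap() {
    printf '# Nmap scan initiated (constructed sample)\n'
    printf 'Host: 192.0.2.10 (example.test)\tStatus: Up\n'
    printf 'Host: 192.0.2.10 (example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65531)\n'
}

# $1: path to a .gnmap file. Prints a comma-separated list, or nothing at all
# when no open TCP port was recorded.
open_ports_from_gnmap() {
    awk '
        /Ports: / {
            sub(/^.*Ports: /, "")          # drop everything before the port list
            sub(/\t.*$/, "")               # drop trailing tab-separated fields
            n = split($0, entries, ", ")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")  # port/state/proto/owner/service/...
                if (f[2] == "open" && f[3] == "tcp" && !seen[f[1]]++)
                    ports[++count] = f[1]
            }
        }
        END {
            for (i = 1; i <= count; i++)
                printf "%s%s", ports[i], (i < count ? "," : "\n")
        }
    ' "$1"
}

# Stand-alone demonstration on the constructed sample.
demo_file=$(mktemp)
sample_gnmap > "$demo_file"
ports=$(open_ports_from_gnmap "$demo_file")
rm -f "$demo_file"

# An empty list must not be handed to a follow-up "-p" argument.
if [ -n "$ports" ]; then
    echo "open TCP ports: $ports"
else
    echo "no open TCP ports recorded" >&2
fi
```

Against the scan above it would be called as `open_ports_from_gnmap nmap-tcp-allports.gnmap`.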
Web Enumeration: www.nestedflanders.htb:443
- Let's start by looking for interesting URL paths

  ```
  $ gobuster -u https://www.nestedflanders.htb \
      -w /usr/share/seclists/Discovery/Web-Content/common.txt \
      -o gobuster-https.log \
      -t 20 \
      -k
  ```
We found a few things, of which /dev is the most interesting. Let's see if there are any subpaths off of /dev.
- Now let's look for subpaths

  ```
  $ gobuster -u https://www.nestedflanders.htb/dev/ \
      -w /usr/share/seclists/Discovery/Web-Content/common.txt \
      -o gobuster-https.log \
      -t 20 \
      -k
  ```