    Nmap done: 1 IP address (1 host up) scanned in 13.52

    nmap -p 80,443 -sV -sC -oA scans/nmap-tcpscripts 10.10.10.43
    80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Site doesn't have a title (text/html).
    443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
    | ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
    |_ssl-date: TLS randomness does not represent time
    Nmap done: 1 IP address (1 host up) scanned in 15.00 seconds

There’s a hostname in the certificate, in the nmap scan, nineveh.htb. I want to check for subdomains that might be different. I’ll run wfuzz and fuzz the Host HTTP header. With wfuzz, I’ll always start it without the hiding flag, see what the default response looks like, and then Ctrl-c to kill it, and re-run with a flag to hide the default response. For the HTTP site -hh 178 (-hh hides responses by character length) worked, and -hh 49 on the HTTPS site.

    wfuzz -c -u -H "Host: " -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -hh 178

Neither returned

The site just displays a simple success page with no further information. This is the same whether visiting by IP address or nineveh.htb.

I also started a gobuster to see what other paths may exist. I’ll include -x php because it’s Linux and that’s always worth guessing, even though index.php didn’t load manually in Firefox.

    gobuster dir -u -w /usr/share/wordlists/dirbuster/ -x php -o scans/gobuster-http-root-medium -t 20
    by OJ Reeves & Christian Mehlmauer
    Url:

This found two interesting