Revision as of 15:00, 5 February 2023
Box Information
Network: Hack The Box
Operating System: Linux
Release Date: 7 January 2023
Creator: bmdyy
Difficulty: Medium
Points: 30
Enumeration
Nmap
# Nmap 7.93 scan initiated Thu Jan 26 19:36:36 2023 as: nmap -sCV -oA nmap/broscience 10.129.5.153
Nmap scan report for 10.129.5.153
Host is up (0.077s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 df17c6bab18222d91db5ebff5d3d2cb7 (RSA)
| 256 3f8a56f8958faeafe3ae7eb880f679d2 (ECDSA)
|_ 256 3c6575274ae2ef9391374cfdd9d46341 (ED25519)
80/tcp open http Apache httpd 2.4.54
|_http-title: Did not follow redirect to https://broscience.htb/
|_http-server-header: Apache/2.4.54 (Debian)
443/tcp open ssl/http Apache httpd 2.4.54 ((Debian))
|_ssl-date: TLS randomness does not represent time
|_http-title: BroScience : Home
|_http-server-header: Apache/2.4.54 (Debian)
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=broscience.htb/organizationName=BroScience/countryName=AT
| Not valid before: 2022-07-14T19:48:36
|_Not valid after: 2023-07-14T19:48:36
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Service Info: Host: broscience.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jan 26 19:37:09 2023 -- 1 IP address (1 host up) scanned in 32.28 seconds
Directory Scan
________________________________________________
:: Method : GET
:: URL : https://broscience.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
images [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 131ms]
includes [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 104ms]
styles [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 115ms]
javascript [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 73ms]
manual [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 80ms]
server-status [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 101ms]
Username Enumeration
# https://broscience.htb/user.php
# Without an id parameter, the page states that the ID value is missing
# https://broscience.htb/user.php?id=1
administrator
administrator@broscience.htb
# https://broscience.htb/user.php?id=2
bill
bill@broscience.htb
# https://broscience.htb/user.php?id=3
michael
michael@broscience.htb
# https://broscience.htb/user.php?id=4
john
john@broscience.htb
# https://broscience.htb/user.php?id=5
dmytro
dmytro@broscience.htb
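From the defender's side, the sequential walk over user.php?id=1..5 shown above leaves a clear pattern in the web server's access log. The following is an added example, not part of the original write-up: a small detector that flags clients requesting a run of consecutive ids within a short time window. The log lines are constructed, and the function names, the `min_run` threshold and the `window` length are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs
# Constructed Apache access-log lines (documentation IP ranges), not taken from the box.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jan/2023:19:41:01 +0000] "GET /user.php?id=1 HTTP/1.1" 200 1320
203.0.113.7 - - [26/Jan/2023:19:41:02 +0000] "GET /user.php?id=2 HTTP/1.1" 200 1298
203.0.113.7 - - [26/Jan/2023:19:41:02 +0000] "GET /user.php?id=3 HTTP/1.1" 200 1305
203.0.113.7 - - [26/Jan/2023:19:41:03 +0000] "GET /user.php?id=4 HTTP/1.1" 200 1290
203.0.113.7 - - [26/Jan/2023:19:41:04 +0000] "GET /user.php?id=5 HTTP/1.1" 200 1301
198.51.100.20 - - [26/Jan/2023:19:40:15 +0000] "GET /user.php?id=3 HTTP/1.1" 200 1305
198.51.100.20 - - [26/Jan/2023:19:52:40 +0000] "GET /user.php?id=4 HTTP/1.1" 200 1290
"""
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*"')

def parse(line):
    """Return (client_ip, timestamp, id) for a /user.php?id=N request, else None."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, target = m.groups()
    url = urlsplit(target)
    ids = parse_qs(url.query).get("id", [])
    if url.path != "/user.php" or not ids or not re.fullmatch(r"[0-9]+", ids[0]):
        return None
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), int(ids[0])

def longest_run(ids):  # length of the longest run of consecutive integers in a set
    best = 0
    for i in ids:
        n = 1
        while i + n in ids:
            n += 1
        best = max(best, n)
    return best

def find_enumerators(log_text, min_run=4, window=timedelta(minutes=5)):
    """Map client IP -> longest consecutive id run seen inside any time window."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, log_text.splitlines())):
        hits[rec[0]].append(rec[1:])
    flagged = {}
    for ip, events in hits.items():
        for start, _ in events:
            run = longest_run({i for t, i in events if start <= t <= start + window})
            if run >= min_run:
                flagged[ip] = max(flagged.get(ip, 0), run)
    return flagged
```

On the constructed sample, `find_enumerators(SAMPLE_LOG)` flags only 203.0.113.7; the second client views two profiles twelve minutes apart and stays below the threshold.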