Enumeration

$ sudo rustscan -b 8192 -u 16384 -a 10.10.11.111 -- -sS -sV -sC -oN 10.10.11.111.$(basename $PWD).nmap.txt
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 16384.
Open 10.10.11.111:22
Open 10.10.11.111:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-02 04:26 PST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 04:26
Completed NSE at 04:26, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 04:26
Completed NSE at 04:26, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 04:26
Completed NSE at 04:26, 0.00s elapsed
Initiating Ping Scan at 04:26
Scanning 10.10.11.111 [4 ports]
Completed Ping Scan at 04:26, 0.12s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:26
Completed Parallel DNS resolution of 1 host. at 04:26, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 04:26
Scanning 10.10.11.111 [2 ports]
Discovered open port 80/tcp on 10.10.11.111
Discovered open port 22/tcp on 10.10.11.111
Completed SYN Stealth Scan at 04:26, 0.11s elapsed (2 total ports)
Initiating Service scan at 04:26
Scanning 2 services on 10.10.11.111
Completed Service scan at 04:26, 6.17s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.11.111.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 04:26
Completed NSE at 04:26, 2.43s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 04:26
Completed NSE at 04:26, 0.32s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 04:26
Completed NSE at 04:26, 0.00s elapsed
Nmap scan report for 10.10.11.111
Host is up, received echo-reply ttl 63 (0.077s latency).
Scanned at 2022-01-02 04:26:36 PST for 9s

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 4f:78:65:66:29:e4:87:6b:3c:cc:b4:3a:d2:57:20:ac (RSA)
| ssh-rsa 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
|   256 79:df:3a:f1:fe:87:4a:57:b0:fd:4e:d0:54:c6:28:d9 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH67/BaxpvT3XsefC62xfP5fvtcKxG2J2di6u8wupaiDIPxABb5/S1qecyoQJYGGJJOHyKlVdqgF1Odf2hAA69Y=
|   256 b0:58:11:40:6d:8c:bd:c5:72:aa:83:08:c5:51:fb:33 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcTSbyCdqkw29aShdKmVhnudyA2B6g6ULjspAQpHLIC
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://forge.htb
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: Host: 10.10.11.111; OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 04:26
Completed NSE at 04:26, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 04:26
Completed NSE at 04:26, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 04:26
Completed NSE at 04:26, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.67 seconds
           Raw packets sent: 6 (240B) | Rcvd: 3 (116B)


| Port | Service       | Notes |
|------|---------------|-------|
| 22   | OpenSSH 8.2p1 |       |
| 80   | Apache/2.4.41 | Web server with multiple subdomains. One site contains a gallery and upload form. A second subdomain contains an “admin” page protected by a whitelist of sorts. |
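The summary table above was filled in by hand from the scan. As an added example (my own code, not part of the original writeup), the Python below parses Nmap's normal (-oN) output into the same port/service rows and pulls out any hostname the http-title script reported as an unfollowed redirect, so the /etc/hosts line can be generated rather than copied. The sample text is a trimmed, constructed copy of the scan above; the column spacing is kept because the VERSION column is located from the header line rather than by splitting on whitespace (the REASON column, "syn-ack ttl 63", is several tokens wide).

```python
import re

# Constructed sample: a trimmed copy of the -oN output shown above.
SAMPLE_NMAP = """\
Nmap scan report for 10.10.11.111
Host is up, received echo-reply ttl 63 (0.077s latency).

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 4f:78:65:66:29:e4:87:6b:3c:cc:b4:3a:d2:57:20:ac (RSA)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://forge.htb
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: Host: 10.10.11.111; OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

HOST_LINE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[\d.]+)\))?")
PORT_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")
REDIRECT = re.compile(r"Did not follow redirect to (?P<url>\S+)")


def parse_nmap(text):
    """Parse Nmap normal output into {"host": ..., "ports": [...]}.

    Each port dict carries port, proto, state, service, version and the NSE
    script lines (leading "|" / "|_" stripped) that followed it.
    """
    report = {"host": None, "ports": []}
    version_col = None   # character offset of the VERSION column, taken from the header
    current = None       # port entry that following "|" script lines belong to
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HOST_LINE.match(line)
        if m:
            report["host"] = m.group("ip") or m.group("name")
            continue
        if line.startswith("PORT") and "VERSION" in line:
            version_col = line.index("VERSION")
            current = None
            continue
        m = PORT_LINE.match(line)
        if m:
            # Slice by column: REASON may be several tokens, so splitting would misalign.
            version = line[version_col:].strip() if version_col is not None else ""
            current = {
                "port": int(m.group("port")),
                "proto": m.group("proto"),
                "state": m.group("state"),
                "service": m.group("service"),
                "version": version,
                "scripts": [],
            }
            report["ports"].append(current)
            continue
        if line.startswith("|") and current is not None:
            current["scripts"].append(line.lstrip("|_ "))
    return report


def redirect_hosts(report):
    """Hostnames that http-title reported as an unfollowed redirect target."""
    hosts = []
    for port in report["ports"]:
        for script in port["scripts"]:
            m = REDIRECT.search(script)
            if m:
                host = m.group("url").split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
                if host not in hosts:
                    hosts.append(host)
    return hosts


def hosts_entry(report):
    """The /etc/hosts line needed to follow the redirect, or None if none was seen."""
    hosts = redirect_hosts(report)
    if not hosts:
        return None
    return f"{report['host']} {' '.join(hosts)}"


def summary_rows(report):
    """Rows for the Port / Service table: open ports only."""
    return [(p["port"], p["version"] or p["service"])
            for p in report["ports"] if p["state"] == "open"]


if __name__ == "__main__":
    rep = parse_nmap(SAMPLE_NMAP)
    for port, service in summary_rows(rep):
        print(f"{port:<6} {service}")
    print(hosts_entry(rep))
```

Run it against a real `-oN` file by replacing `SAMPLE_NMAP` with the file contents; if the scan was run without `-vvv` or `--reason` the REASON column is simply absent and the header-based slicing still works.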

Visiting the site on port 80 returns an HTTP 302 that redirects us to a new VHOST, forge.htb, so we add that hostname to our /etc/hosts.


Browsing the website shows us a gallery-style webpage that also contains an uploads page as well.


The upload page offers two ways to upload an image: you can choose a local file or specify a remote URL. That doesn’t seem useful right now, but it may help later and is worth noting.


I tried to upload a reverse shell but I wasn’t sure what the backend technology was. I guessed that it might be PHP and appended a basic PHP reverse shell to an image.


The image with the appended shell uploaded successfully, but browsing to it produces no callback, so we need to enumerate further.
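The upload that went through above is a valid image with PHP appended after the image data. As an added example (my own code, not from the writeup or the box), here is the kind of server-side check that rejects exactly that shape of file: it requires an allow-listed extension, checks the magic bytes match that extension, walks the PNG chunk list to make sure nothing follows IEND, and as a coarse last line scans for script markers. It uses only the standard library; the 1x1 PNG and the appended text are constructed inline, with benign text standing in for a shell.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Allowed extensions and the magic bytes a file with that extension must start with.
MAGIC = {
    "png": (PNG_SIG,),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Defence in depth: no legitimate image needs these byte sequences.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def _png_chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_tiny_png():
    """Constructed 1x1 8-bit greyscale PNG used as the clean sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")                      # filter byte + one pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def png_end_offset(data):
    """Walk the chunk list; return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return None                      # truncated chunk
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF != crc:
            return None                      # corrupted chunk
        if ctype == b"IEND":
            return end
        pos = end
    return None                              # no IEND chunk reached


def validate_upload(filename, data):
    """Return (accepted, reason) for an uploaded image."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return False, f"extension {ext!r} not allowed"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "magic bytes do not match extension"
    if ext == "png":
        end = png_end_offset(data)
        if end is None:
            return False, "malformed PNG"
        if end != len(data):
            return False, "trailing data after IEND"   # the appended-payload case
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        return False, "script marker found in image data"
    return True, "ok"


if __name__ == "__main__":
    clean = make_tiny_png()
    tainted = clean + b"<?php echo 'appended'; ?>"   # constructed: benign text in place of a shell
    for name, blob in [("cat.png", clean), ("cat.png", tainted), ("cat.php", clean)]:
        print(name, validate_upload(name, blob))
```

Structural checks like this stop the trailing-payload trick, but they are not the whole control: the decisive mitigation is to re-encode uploads server-side and store them under a path the web server never hands to an interpreter, so that even a file that slips past validation is served as bytes rather than executed.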

Let’s do a little more VHOST discovery, since this web server has already redirected us to a hostname once.

$ gobuster vhost -ru http://forge.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          http://forge.htb
[+] Method:       GET
[+] Threads:      10
[+] Wordlist:     /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
===============================================================
2022/01/02 05:13:15 Starting gobuster in VHOST enumeration mode
===============================================================
Found: admin.forge.htb (Status: 200) [Size: 27]
Progress: 114442 / 114442 (100.00%)
