nmap lab - scripting engine - htb
Questions
Target: 10.129.168.221
Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer.
Answer: HTB{873nniuc71bu6usbs1i96as6dsv26}
$ sudo nmap -v -sC -p22,80,110,139,143,445,31337 10.129.168.221
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-24 08:02 CST
NSE: Loaded 126 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 08:02
Completed NSE at 08:02, 0.00s elapsed
Initiating NSE at 08:02
Completed NSE at 08:02, 0.00s elapsed
Initiating Ping Scan at 08:02
Scanning 10.129.168.221 [4 ports]
Completed Ping Scan at 08:02, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:02
Completed Parallel DNS resolution of 1 host. at 08:02, 1.11s elapsed
Initiating SYN Stealth Scan at 08:02
Scanning 10.129.168.221 [7 ports]
Discovered open port 143/tcp on 10.129.168.221
Discovered open port 445/tcp on 10.129.168.221
Discovered open port 139/tcp on 10.129.168.221
Discovered open port 31337/tcp on 10.129.168.221
Discovered open port 110/tcp on 10.129.168.221
Discovered open port 80/tcp on 10.129.168.221
Discovered open port 22/tcp on 10.129.168.221
Completed SYN Stealth Scan at 08:02, 0.11s elapsed (7 total ports)
NSE: Script scanning 10.129.168.221.
Initiating NSE at 08:02
Completed NSE at 08:03, 45.47s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Nmap scan report for 10.129.168.221
Host is up (0.055s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 2048 71:c1:89:90:7f:fd:4f:60:e0:54:f3:85:e6:35:6c:2b (RSA)
| 256 e1:8e:53:18:42:af:2a:de:c0:12:1e:2e:54:06:4f:70 (ECDSA)
|_ 256 1a:cc:ac:d4:94:5c:d6:1d:71:e7:39:de:14:27:3c:3c (ED25519)
80/tcp open http
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
110/tcp open pop3
|_pop3-capabilities: PIPELINING TOP UIDL AUTH-RESP-CODE SASL CAPA RESP-CODES
139/tcp open netbios-ssn
143/tcp open imap
|_imap-capabilities: Pre-login LOGIN-REFERRALS IMAP4rev1 OK listed LOGINDISABLEDA0001 SASL-IR have post-login more LITERAL+ ENABLE ID IDLE capabilities
445/tcp open microsoft-ds
31337/tcp open Elite
Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: nix-nmap-default
| NetBIOS computer name: NIX-NMAP-DEFAULT\x00
| Domain name: \x00
| FQDN: nix-nmap-default
|_ System time: 2023-11-25T23:51:19+01:00
|_clock-skew: mean: 1d08h28m42s, deviation: 34m38s, median: 1d08h48m41s
| nbstat: NetBIOS name: NIX-NMAP-DEFAUL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| NIX-NMAP-DEFAUL<00> Flags: <unique><active>
| NIX-NMAP-DEFAUL<03> Flags: <unique><active>
| NIX-NMAP-DEFAUL<20> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb2-time:
| date: 2023-11-25T22:51:19
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
NSE: Script Post-scanning.
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 47.18 seconds
Raw packets sent: 11 (460B) | Rcvd: 8 (336B)
So using the default script scan flag (-sC) only got us so far; time to crank it up a notch.
Let's try running a script category instead of the default scripts.
I'll admit this was a bit of trial and error, but it was also a learning experience, as it ultimately helped me understand more than one category of scripts that can run. Before the scan below I ran --script discovery against each port for a shorter enumeration pass. After that category did not turn up the flag I started running the vuln category, and only on the second run against port 80 did the answer to the question become visible.
$ sudo nmap -v --script vuln -p 80 10.129.168.221 | tee Documents/htb/labs/nmap/results/scripting-engine-results-vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-24 08:14 CST
NSE: Loaded 105 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 08:14
Completed NSE at 08:14, 10.01s elapsed
Initiating NSE at 08:14
Completed NSE at 08:14, 0.00s elapsed
Initiating Ping Scan at 08:14
Scanning 10.129.168.221 [4 ports]
Completed Ping Scan at 08:14, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:14
Completed Parallel DNS resolution of 1 host. at 08:14, 1.11s elapsed
Initiating SYN Stealth Scan at 08:14
Scanning 10.129.168.221 [1 port]
Discovered open port 80/tcp on 10.129.168.221
Completed SYN Stealth Scan at 08:14, 0.09s elapsed (1 total ports)
NSE: Script scanning 10.129.168.221.
Initiating NSE at 08:14
Completed NSE at 08:20, 335.81s elapsed
Initiating NSE at 08:20
Completed NSE at 08:20, 0.10s elapsed
Nmap scan report for 10.129.168.221
Host is up (0.050s latency).
PORT STATE SERVICE
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
|_ /robots.txt: Robots file
NSE: Script Post-scanning.
Initiating NSE at 08:20
Completed NSE at 08:20, 0.00s elapsed
Initiating NSE at 08:20
Completed NSE at 08:20, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 347.57 seconds
Raw packets sent: 5 (196B) | Rcvd: 2 (84B)
Well would you look at that...a robots.txt file. Shall we???
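As an added example (not part of the original writeup), here is a small parser for the nmap normal-output format shown in both transcripts above. It groups NSE script output per port and per host, then triages the findings a defender would act on first: the LIKELY VULNERABLE slowloris state with its CVE, SMB message signing disabled, and the path http-enum surfaced. The sample input is a constructed excerpt that keeps nmap's real nested indentation, which the pasted transcript lost.

```python
import re
# Constructed sample: trimmed from the two scans above, with nmap's real nested
# indentation (two or more spaces) that the transcript on this page lost.
SAMPLE = """\
80/tcp    open  http
|_http-title: Apache2 Ubuntu Default Page: It works
| http-slowloris-check:
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
| http-enum:
|_  /robots.txt: Robots file
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+\S+\s+\S+")
# A script id sits right after "| " or "|_"; nested lines are indented further.
SCRIPT_RE = re.compile(r"^\|_? ?([a-z0-9][a-z0-9-]*):\s*(.*)$")

def parse_nmap_normal(text):
    """Return {scope: {script_id: [lines]}}; scope is 'N/tcp' or 'host'."""
    results, scope, script = {}, None, None
    for line in text.splitlines():
        pm = PORT_RE.match(line)
        if pm or line.startswith("Host script results"):
            scope, script = (pm.group(1) if pm else "host"), None
            results.setdefault(scope, {})
        elif scope and line.startswith("|"):
            sm = SCRIPT_RE.match(line)
            if sm:  # new script block; keep any output on the id line itself
                script = sm.group(1)
                results[scope][script] = [sm.group(2)] if sm.group(2) else []
            elif script:  # continuation: drop the bar, "_" and nested indent
                results[scope][script].append(line[1:].lstrip("_").strip())
    return results

def triage(results):
    """Flag VULNERABLE states (with CVEs), SMB signing off, and enumerated paths."""
    findings = []
    for scope, scripts in results.items():
        for sid, lines in scripts.items():
            text = " ".join(lines)
            if re.search(r"State:\s+(?:LIKELY\s+)?VULNERABLE", text):
                findings.append((scope, sid, "vulnerable", re.findall(r"CVE-\d{4}-\d+", text)))
            elif sid == "smb-security-mode" and "message_signing: disabled" in text:
                findings.append((scope, sid, "smb-signing-disabled", []))
            elif sid == "http-enum":
                findings.append((scope, sid, "paths", [l.split(":")[0] for l in lines if l[:1] == "/"]))
    return findings
```

Run it over a saved `-oN` file instead of SAMPLE to get the same triage for a real scan.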