# Nmap
- light ![[images/Pasted image 20260628143458.png]]
- detailed ![[images/Pasted image 20260628143516.png]] ![[images/Pasted image 20260628143543.png]]
---
# Port 21 (FTP)
- First flag found ![[images/Pasted image 20260628144317.png]]
- Cannot write ![[images/Pasted image 20260628144331.png]]
---
# Port 25 (SMTP)
- try to enum users
---
# Port 53 (DNS)
- attempt zone transfer ![[images/Pasted image 20260628145218.png]]
- there's a lot here - most look to be on `localhost`
- Note flag in `txt` record
---
# Port 80 (HTTP; httpd 2.4.41)
## Visit page
- visit page ![[images/Pasted image 20260628144552.png]]
- potential users on `/about.html` ![[images/Pasted image 20260628144814.png]]
- try poking at `/contact.html` later ![[images/Pasted image 20260628144901.png]]
- send a test message ![[images/Pasted image 20260630084228.png]]
- can also send just an email address with the signup now feature ![[images/Pasted image 20260630084342.png]]
- check `robots.txt` and `sitemap.xml` > nothing
- error page > default apache
- `whatweb` ![[images/Pasted image 20260630084542.png]]
- `nikto` ![[images/Pasted image 20260630085452.png]]
## Fuzzing
- directory ![[images/Pasted image 20260628151055.png]]
- vhost ![[images/Pasted image 20260628150923.png]]
## `/monitoring/login.php`
- Visit page ![[images/Pasted image 20260630084840.png]]
- `request:response` in burp ![[images/Pasted image 20260630084908.png]]
- try SQLi
```bash
sqlmap --batch -r inlanefreight.local.montioring.req --level=5 --risk=3
```
---
# Port 111 (possible NFS)
- nothing for now ![[images/Pasted image 20260628144450.png]]
---
# Ports 110,143,993,995 (IMAP+POPs)
- nothing
```bash
openssl s_client -connect 10.129.229.147:imaps
openssl s_client -connect 10.129.229.147:pop3s
```
- nothing
```bash
curl -k 'pop3s://10.129.229.147'
curl -k 'imaps://10.129.229.147'
```
- try interacting
```bash
nc -nv 10.129.229.147 143
telnet 10.129.229.147 110
```
![[images/Pasted image 20260628150551.png]]
- come back to check mail once we have creds
# Port 8080 (HTTP; httpd 2.4.41)
## Visit page
- different page here ![[images/Pasted image 20260628145510.png]]
- everything is non-functional but:
- `/login.php` ![[images/Pasted image 20260628145702.png]]
- `ticket.php` ![[images/Pasted image 20260628145732.png]]
- check `robots.txt` and `sitemap.xml` > nothing
- error page > default apache
## Fuzzing
- directory ![[images/Pasted image 20260628151107.png]]
- page ![[images/Pasted image 20260628151220.png]]