# Nmap

- light
  ![[images/Pasted image 20260628143458.png]]
- detailed
  ![[images/Pasted image 20260628143516.png]]
  ![[images/Pasted image 20260628143543.png]]

---

# Port 21 (FTP)

- First flag found
  ![[images/Pasted image 20260628144317.png]]
- Cannot write
  ![[images/Pasted image 20260628144331.png]]

---

# Port 25 (SMTP)

- try to enum users

---

# Port 53 (DNS)

- attempt zone transfer
  ![[images/Pasted image 20260628145218.png]]
- there's a lot here
- most look to be on `localhost`
- Note flag in `txt` record

---

# Port 80 (HTTP; httpd 2.4.41)

## Visit page

- visit page
  ![[images/Pasted image 20260628144552.png]]
- potential users on `/about.html`
  ![[images/Pasted image 20260628144814.png]]
- try poking at `/contact.html` later
  ![[images/Pasted image 20260628144901.png]]
- send a test message
  ![[images/Pasted image 20260630084228.png]]
- can also send just an email address with the signup now feature
  ![[images/Pasted image 20260630084342.png]]
- check `robots.txt` and `sitemap.xml` > nothing
- error page > default apache
- `whatweb`
  ![[images/Pasted image 20260630084542.png]]
- `nikto`
  ![[images/Pasted image 20260630085452.png]]

## Fuzzing

- directory
  ![[images/Pasted image 20260628151055.png]]
- vhost
  ![[images/Pasted image 20260628150923.png]]

## `/monitoring/login.php`

- Visit page
  ![[images/Pasted image 20260630084840.png]]
- `request:response` in burp
  ![[images/Pasted image 20260630084908.png]]
- try SQLi

```bash
sqlmap --batch -r inlanefreight.local.montioring.req --level=5 --risk=3
```

---

# Port 111 (possible NFS)

- nothing for now
  ![[images/Pasted image 20260628144450.png]]

---

# Ports 110,143,993,995 (IMAP+POPs)

- nothing

```bash
openssl s_client -connect 10.129.229.147:imaps
openssl s_client -connect 10.129.229.147:pop3s
```

- nothing

```bash
curl -k 'pop3s://10.129.229.147'
curl -k 'imaps://10.129.229.147'
```

- try interacting

```bash
nc -nv 10.129.229.147 143
telnet 10.129.229.147 110
```

![[images/Pasted image 20260628150551.png]]

- come back to check mail once we have creds

---

# Port 8080 (HTTP; httpd 2.4.41)

## Visit page

- different page here
  ![[images/Pasted image 20260628145510.png]]
- everything is non-functional but:
  - `/login.php`
    ![[images/Pasted image 20260628145702.png]]
  - `ticket.php`
    ![[images/Pasted image 20260628145732.png]]
- check `robots.txt` and `sitemap.xml` > nothing
- error page > default apache

## Fuzzing

- directory
  ![[images/Pasted image 20260628151107.png]]
- page
  ![[images/Pasted image 20260628151220.png]]