# Lessons Learned - xxx

---

# After-Action Attack Sequence

- BLUF: xxx
- xxx

---

# Discover Ports & Services

- `ping` test
  ![[images/Pasted image 20260405192605.png]]
  - Windows host based on TTL value
- `nmap` scan - light
  ![[images/Pasted image 20260405192635.png]]
- `nmap` scan - detailed
  ![[images/Pasted image 20260405192916.png]]
- `nmap` scan - UDP
  ![[images/Pasted image 20260405192821.png]]

---

# Port 80 (http) Enum: IIS 10.0

## `pov.htb`

- Visit page
  - Bottom of page has some interesting info such as an admin email, `dev.pov.htb`, and contact us
  ![[images/Pasted image 20260405193504.png]]
  - Add to `/etc/hosts`
- View source for contact us
  ![[images/Pasted image 20260405193535.png]]
  - request:response in `burp`
  ![[images/Pasted image 20260405193306.png]]
- Try `robots.txt` and `sitemap.xml` > nothing, both default 404s
- Try `index.html` and `index.php`
  - html brings me to the home page, php throws a 404
  - think this is because the IIS webserver is using `asp.net`
- Try random page > default 404
- Test submittal to contact us
  ![[images/Pasted image 20260405195419.png]]
  - Literally nothing happens > no http request

## `dev.pov.htb`

- Visit page
  ![[images/Pasted image 20260405194551.png]]
- View source
  ![[images/Pasted image 20260405195923.png]]
  ![[images/Pasted image 20260405194700.png]]
  - Only unique page is `dev.pov.htb/portfolio/contact.aspx`; the rest have a `#`, meaning they are sections of the home page
  - Interesting to see `dev.pov.htb:8080` > we did not see 8080 open with nmap
    - follow-up `nmap` scan after seeing indication of port 8080
    ![[images/Pasted image 20260405195845.png]]
    - when we try visiting `dev.pov.htb:8080`, it hangs
- request:response in `burp`
  ![[images/Pasted image 20260405194810.png]]
  - redirects us to `dev.pov.htb/portfolio`
- Able to download CV
  ![[images/Pasted image 20260405200058.png]]
- View `dev.pov.htb/portfolio/contact.aspx`
  ![[images/Pasted image 20260405195107.png]]
  - Try a test submittal
  ![[images/Pasted image 20260405195245.png]]
  - interesting `burp` request:response with a POST
  ![[images/Pasted image 20260405195732.png]]

## Web fuzzing

- Vhost fuzzing: start here because we already know that `dev.pov.htb` exists
  - `top1million-20000`
  ![[images/Pasted image 20260405200402.png]]
- Subdomain fuzzing
  - `top1million-20000`
  ![[images/Pasted image 20260405200737.png]]
- Directory fuzzing
  - `dev.pov.htb`
    - `raft-medium`
    ![[images/Pasted image 20260405201915.png]]
    - `2.3-medium`
    ![[images/Pasted image 20260405201759.png]]
    - Why did we not pick up portfolio?
      - It should be in there
      ![[images/Pasted image 20260405202144.png]]
      - Must be the redirect
      ![[images/Pasted image 20260405203025.png]]
      - `raft-medium` > try again with `-fw 9`
      ![[images/Pasted image 20260405202932.png]]
    - `feroxbuster` on `dev.pov.htb` > not much found
    ![[images/Pasted image 20260405204522.png]]
  - `pov.htb` > `2.3-medium`
  ![[images/Pasted image 20260405201426.png]]
- Page fuzzing
  - `dev.pov.htb/portfolio/FUZZ.aspx`
  ![[images/Pasted image 20260405202900.png]]

## Revisit CV

---

# Foothold

> Port xxx: service/web_page

- xxx