First we run an nmap scan:
❯ nmap -Pn -n --disable-arp-ping -p- -sV --min-rate 3000 10.10.11.46 --open -vvv
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-18 16:59 -05
NSE: Loaded 46 scripts for scanning.
Initiating Connect Scan at 16:59
Scanning 10.10.11.46 [65535 ports]
Discovered open port 80/tcp on 10.10.11.46
Discovered open port 22/tcp on 10.10.11.46
Completed Connect Scan at 16:59, 22.70s elapsed (65535 total ports)
Initiating Service scan at 16:59
Scanning 2 services on 10.10.11.46
Completed Service scan at 17:00, 6.40s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.11.46.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 17:00
Completed NSE at 17:00, 0.84s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 17:00
Completed NSE at 17:00, 0.78s elapsed
Nmap scan report for 10.10.11.46
Host is up, received user-set (0.20s latency).
Scanned at 2025-03-18 16:59:32 -05 for 31s
Not shown: 65487 closed tcp ports (conn-refused), 46 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack nginx 1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.21 seconds
<aside> 💡
Details on each of the nmap flags used above can be found at:
</aside>
Next we browse to port 80. A login page appears, together with a short description of what the site is.

We register an account so that we can review the whole site.

This section then appears. Before testing it for vulnerabilities, we look for possible directories and/or subdomains.
❯ gobuster vhost -u http://heal.htb/ -w ../../fuerza_bruta/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt -t 200 --append-domain
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://heal.htb/
[+] Method: GET
[+] Threads: 200
[+] Wordlist: ../../fuerza_bruta/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: api.heal.htb Status: 200 [Size: 12515]
Brute-forcing reveals that api.heal.htb exists; browsing to it shows information about a technology called Ruby on Rails 7.1.4.
Back on heal.htb we see three options: profile, survey and logout. Clicking survey redirects us to the subdomain take-survey.heal.htb; researching the technology shows it is a tool for creating online surveys. Enumerating the site's directories, we find an administrator login page.
❯ dirsearch -u http://take-survey.heal.htb -t 100
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 100 | Wordlist size: 11460
Output File: /home/moltengama/laboratorios/heal/reports/http_take-survey.heal.htb/_25-03-18_17-13-59.txt
Target: http://take-survey.heal.htb/
.
.
.
[17:13:10] 503 - 608B - /admin/web/
[17:13:11] 302 - 0B - /admin/_logs/access.log -> http://take-survey.heal.htb/index.php/admin/authentication/sa/logi
[17:13:11] 302 - 0B - /admin/access.log -> http://take-survey.heal.htb/index.php/admin/authentication/sa/login
[17:13:10] 503 - 608B - /admin12
[17:13:11] 302 - 0B - /admin/account.js -> http://take-survey.heal.htb/index.php/admin/authentication/sa/login
[17:13:11] 302 - 0B - /admin/admin.jsp -> http://take-survey.heal.htb/index.php/admin/authentication/sa/login
[17:13:11] 302 - 0B - /admin/fckeditor/editor/filemanager/connectors/aspx/connector.aspx -> http://take-survey.heal.htb/index.php/admin/authentication/sa/login
[17:13:11] 302 - 0B - /admin/dumper/ -> http://take-survey.heal.htb/index.php/admin/authentication/sa/login
[17:13:11] 503 - 608B - /admin_address.js
[17:13:11] 302 - 0B - /admin/controlpanel.js -> http://take-survey.heal.htb/index.php/admin/authentication/sa/login
[17:13:12] 302 - 0B - /admin/log/error.log -> http://take-survey.heal.htb/index.php/admin/authentication/sa/login
[17:13:12] 503 - 608B - /admin_area/admin.js
[17:13:11] 503 - 608B - /admin_advert.html
[17:13:11] 503 - 608B - /admin_advert.js
[17:13:12] 503 - 608B - /admin_area/index.aspx
[17:13:12] 503 - 608B - /admin_area/index.php
[17:13:11] 503 - 608B - /admin_album.php
[17:13:11] 503 - 608B - /admin_album.aspx
[17:13:12] 302 - 0B - /admin/index.js -> http://take-survey.heal.htb/index.php/admin/authentication/sa/login
[17:13:12] 503 - 608B - /admin_album.js
http://take-survey.heal.htb/index.php/admin/authentication/sa/login

If we are curious and look at index.php, it reveals a user for this panel: [email protected]
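From the defender's side, both enumeration steps above leave a distinctive trace in the nginx access log: the gobuster vhost run produces a burst of requests for the same path with many different Host headers from one source, and the dirsearch run produces a run of 302/503 answers to guessed admin paths. The following Python is an added example, not code from the write-up; the log lines are constructed (combined log format with the Host header appended as a last field) and the alert thresholds are assumptions to be tuned on real traffic.

```python
import re
from collections import defaultdict

# Constructed nginx access-log lines (combined format + Host header as last field).
SAMPLE_LOG = """\
10.10.14.5 - - [18/Mar/2025:17:05:01 -0500] "GET / HTTP/1.1" 404 153 "-" "gobuster/3.6" mail.heal.htb
10.10.14.5 - - [18/Mar/2025:17:05:01 -0500] "GET / HTTP/1.1" 404 153 "-" "gobuster/3.6" dev.heal.htb
10.10.14.5 - - [18/Mar/2025:17:05:01 -0500] "GET / HTTP/1.1" 200 12515 "-" "gobuster/3.6" api.heal.htb
10.10.14.5 - - [18/Mar/2025:17:05:02 -0500] "GET / HTTP/1.1" 404 153 "-" "gobuster/3.6" test.heal.htb
10.10.14.5 - - [18/Mar/2025:17:13:10 -0500] "GET /admin/web/ HTTP/1.1" 503 608 "-" "Mozilla/5.0" take-survey.heal.htb
10.10.14.5 - - [18/Mar/2025:17:13:11 -0500] "GET /admin/access.log HTTP/1.1" 302 0 "-" "Mozilla/5.0" take-survey.heal.htb
10.10.14.5 - - [18/Mar/2025:17:13:11 -0500] "GET /admin/admin.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0" take-survey.heal.htb
10.10.14.5 - - [18/Mar/2025:17:13:11 -0500] "GET /admin_advert.js HTTP/1.1" 503 608 "-" "Mozilla/5.0" take-survey.heal.htb
10.10.14.9 - - [18/Mar/2025:17:20:00 -0500] "GET /profile HTTP/1.1" 200 2210 "-" "Mozilla/5.0" heal.htb
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<host>\S+)$'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_enumeration(log_text, vhost_min=4, miss_min=4):
    """Flag source IPs whose traffic looks like vhost or directory brute force.
    vhost_min: distinct Host headers from one IP; miss_min: distinct paths
    answered non-2xx. Both thresholds are illustrative; tune on real traffic."""
    hosts = defaultdict(set)   # ip -> Host headers seen
    misses = defaultdict(set)  # ip -> paths not served with 2xx
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line; a real pipeline would count these
        hosts[rec["ip"]].add(rec["host"])
        if not rec["status"].startswith("2"):
            misses[rec["ip"]].add(rec["path"])
    alerts = {}
    for ip in set(hosts) | set(misses):
        kinds = []
        if len(hosts[ip]) >= vhost_min:
            kinds.append("vhost-bruteforce")
        if len(misses[ip]) >= miss_min:
            kinds.append("dir-bruteforce")
        if kinds:
            alerts[ip] = kinds
    return alerts
```

On the sample, 10.10.14.5 is flagged for both patterns while the ordinary visitor 10.10.14.9 is not; in production the counters should be kept per time window rather than over the whole file.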
After this brief mapping it is time to exploit the only site where we have direct "contact" with the heal.htb server. First we test it as a normal user would and click export as pdf