Nmap scan
❯ nmap -Pn -n --disable-arp-ping -p- -sV --min-rate 3000 10.10.11.47 --open -vvv
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 11:48 -05
NSE: Loaded 46 scripts for scanning.
Initiating Connect Scan at 11:48
Scanning 10.10.11.47 [65535 ports]
Discovered open port 80/tcp on 10.10.11.47
Discovered open port 22/tcp on 10.10.11.47
Completed Connect Scan at 11:48, 25.59s elapsed (65535 total ports)
Initiating Service scan at 11:48
Scanning 2 services on 10.10.11.47
Completed Service scan at 11:48, 6.44s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.11.47.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 11:48
Completed NSE at 11:48, 0.84s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 11:48
Completed NSE at 11:48, 0.79s elapsed
Nmap scan report for 10.10.11.47
Host is up, received user-set (0.20s latency).
Scanned at 2025-03-20 11:48:23 -05 for 34s
Not shown: 58681 closed tcp ports (conn-refused), 6852 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack Apache httpd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.85 seconds
<aside> 💡
Information on each nmap flag used here is at:
</aside>
We add the linkvortex.htb domain to /etc/hosts.

Browsing to the site, Wappalyzer shows some interesting information.

The site runs the Ghost CMS, version 5.58.
Browsing the site turns up nothing at first glance, so we enumerate possible directories and/or subdomains.
❯ gobuster vhost -u http://linkvortex.htb/ -w ../../fuerza_bruta/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt -t 200 --append-domain
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://linkvortex.htb/
[+] Method: GET
[+] Threads: 200
[+] Wordlist: ../../fuerza_bruta/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: dev.linkvortex.htb Status: 200 [Size: 2538]
We find a dev subdomain; visiting it gives a page with no interesting data.

The "launching soon" banner suggests the site is still being built, so let's try to discover more directories with dirsearch.
<aside> 💡
Personally I use dirsearch because the wordlist it uses lets me find common configuration or development directories such as:
.git, robots.txt, .well-known, .htaccess
</aside>
❯ dirsearch -u http://dev.linkvortex.htb/ -t 100
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 100 | Wordlist size: 11460
Output File: /home/moltengama/laboratorios/linkvortex/reports/http_dev.linkvortex.htb/__25-03-20_11-58-51.txt
Target: http://dev.linkvortex.htb/
[11:58:51] Starting:
[11:58:55] 301 - 239B - /.git -> http://dev.linkvortex.htb/.git/
[11:58:55] 200 - 73B - /.git/description
[11:58:55] 200 - 41B - /.git/HEAD
[11:58:55] 200 - 620B - /.git/hooks/
[11:58:55] 200 - 201B - /.git/config
[11:58:55] 200 - 557B - /.git/
[11:58:55] 200 - 402B - /.git/info/
[11:58:55] 200 - 401B - /.git/logs/
[11:58:55] 200 - 175B - /.git/logs/HEAD
[11:58:55] 200 - 240B - /.git/info/exclude
[11:58:55] 200 - 147B - /.git/packed-refs
[11:58:55] 301 - 249B - /.git/refs/tags -> http://dev.linkvortex.htb/.git/refs/tags/
[11:58:55] 200 - 418B - /.git/objects/
[11:58:55] 200 - 393B - /.git/refs/
[11:58:55] 403 - 199B - /.ht_wsr.txt
The scan reveals an exposed .git directory. With HEAD, config, refs and the object store readable over HTTP, the whole repository, history included, can be reconstructed; we dump it with git-dumper:
❯ git-dumper http://dev.linkvortex.htb .
This downloads the .git data into the current directory. Checking it with the tree command on Linux confirms there is a lot to dig through, so we search for possibly exposed credentials.
❯ grep -rw . -ie "password" 2>/dev/null
This returns a lot of matches, but we can hand the output to a tool such as ChatGPT to analyze it and give us the likely password candidates, which gives us:
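Two checks around this step, added here as an example and not part of the original walkthrough or of git-dumper. First, a 200 on /.git/HEAD only proves exposure if the body really is a git ref; a server that answers every path with a 200 HTML page would look identical in the dirsearch output, so the script validates the body before anything is dumped. Second, a bare grep for "password" also matches every README sentence containing the word, so the script looks for assignment-shaped matches with the usual synonyms, skips .git internals, and additionally searches every commit reachable from any ref, where credentials "removed" from the tree usually still survive. Handing the dump to a third-party service such as ChatGPT also ships the target's source off-host, which matters on a real engagement. The function names, the regex and the sample files written to a temporary directory are constructed for this example; the dumped repository is assumed to be the current directory.

```shell
#!/bin/sh
# Added example (not from the walkthrough or from git-dumper).
# Helper names, the regex and any sample data are constructed for this example.

# Credential-looking assignment: keyword, optional suffix, optional closing
# quote, optional spaces, then ':' or '='. Matches db_password: "x",
# apiKey = "x", "secret_token": "x"; does not match prose such as
# "change your password regularly".
SECRET_PAT="(password|passwd|secret|api[_-]?key|token)[a-z_]*[\"']?[[:space:]]*[:=]"

# A real .git/HEAD is either a symbolic ref or a detached 40-hex commit id.
# Anything else (an HTML soft-404, a WAF page) means the 200 was misleading.
git_head_looks_valid() {
    body="$1"
    case "$body" in
        "ref: refs/heads/"*) return 0 ;;
    esac
    printf '%s' "$body" | grep -Eq '^[0-9a-f]{40}$'
}

# Fetch /.git/HEAD from a target and validate it. Needs network access, so it
# is not exercised offline. -f makes curl fail on HTTP errors, -m caps the wait.
check_git_exposed() {
    base="${1%/}"
    body="$(curl -sf -m 10 "$base/.git/HEAD")" || return 1
    git_head_looks_valid "$body"
}

# Working-tree search of a dumped repository. -I skips binaries and
# --exclude-dir skips .git internals (zlib-compressed objects never match anyway).
hunt_secrets() {
    grep -rEnI -i --exclude-dir=.git "$SECRET_PAT" "$1"
}

# Same pattern across every commit reachable from any ref. Output lines are
# <commit>:<path>:<line>:<text>. The rev-list expansion is intentionally unquoted
# so each commit id becomes a separate argument to git grep.
hunt_history() {
    git -C "$1" grep -n -i -E "$SECRET_PAT" $(git -C "$1" rev-list --all)
}

# Number of working-tree hits, for scripted use.
count_secret_hits() {
    hunt_secrets "$1" | wc -l | tr -d ' '
}
```

Run `check_git_exposed http://dev.linkvortex.htb` before dumping, then `hunt_secrets .` and `hunt_history .` inside the dumped repository. The 200 responses on /.git/ and /.git/objects/ in the dirsearch output suggest directory listing is enabled, which lets git-dumper fetch the object store directly; without listing it still reconstructs the repository by walking HEAD, refs and packed-refs.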