Diff medium

#2025.11.7

Add the target IP to /etc/hosts as era.htb

sudo nano /etc/hosts

Network enumeration

~/Documents/htb
❯ nmap -Pn -sV -sC 10.10.11.79
Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-08 03:15 +0800
Nmap scan report for era.htb (10.10.11.79)
Host is up (0.28s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.5
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Era Designs
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.96 seconds

Directory enumeration

htb/machine/era
> feroxbuster -u http://era.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://era.htb/
 🚩  In-Scope Url          │ era.htb
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦑  User-Agent            │ feroxbuster/2.13.0
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        7l       12w      162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        7l       12w      178c http://era.htb/img => http://era.htb/img/
200      GET      226l      553w     6803c http://era.htb/js/jquery.nav.js
200      GET      402l     1188w    11953c http://era.htb/js/wow.js
200      GET      176l      116w    18648c http://era.htb/img/client_logo5.png
200      GET      174l      103w    18048c http://era.htb/img/client_logo2.png
200      GET     3303l     5911w    69747c http://era.htb/css/animate.css
200      GET        9l        9w      307c http://era.htb/js/html5element.js
200      GET       46l      231w    16345c http://era.htb/img/era.png
200      GET        8l       73w     2429c http://era.htb/js/html5shiv.js
200      GET      183l      141w    19356c http://era.htb/img/client_logo3.png
200      GET     1398l     4982w    42845c http://era.htb/js/jquery.isotope.js
200      GET        3l       49w     1323c http://era.htb/favicon.png
200      GET      140l      288w     3613c http://era.htb/js/custom.js
200      GET      322l      639w     5547c http://era.htb/js/fancybox/jquery.fancybox.css
200      GET       12l      155w     6344c http://era.htb/js/respond-1.1.0.min.js
200      GET      201l     1204w   117568c http://era.htb/img/portfolio_pic2.jpg
200      GET       78l      503w    48452c http://era.htb/img/team_pic2.jpg
200      GET      205l     1368w     8097c http://era.htb/js/jquery.easing.1.3.js
200      GET     1672l     2840w    26650c http://era.htb/css/font-awesome.css
200      GET      558l     1856w    20511c http://era.htb/js/jquery-scrolltofixed.js
200      GET      344l     1501w   166394c http://era.htb/img/portfolio_pic8.jpg
200      GET       92l      588w    62199c http://era.htb/img/team_pic3.jpg
200      GET       46l      207w    23135c http://era.htb/js/fancybox/jquery.fancybox.pack.js
200      GET        7l      400w    35601c http://era.htb/js/bootstrap.min.js
403      GET        7l       10w      162c http://era.htb/js/
403      GET        7l       10w      162c http://era.htb/css/
200      GET       97l      495w    47669c http://era.htb/img/team_pic1.jpg
200      GET     1143l     6379w   486506c http://era.htb/img/portfolio_pic5.jpg
200      GET      184l      132w    19355c http://era.htb/img/client_logo1.png
200      GET      191l     1108w   113391c http://era.htb/img/portfolio_pic4.jpg
200      GET     1823l     3526w    31754c http://era.htb/css/style.css
200      GET     1083l     6242w   526387c http://era.htb/img/portfolio_pic6.jpg
200      GET      390l     1601w   145339c http://era.htb/img/1.jpg
200      GET      312l     1146w   108725c http://era.htb/img/3.jpg
200      GET      408l     1589w   127791c http://era.htb/img/portfolio_pic3.jpg
200      GET      361l     1233w    95449c http://era.htb/img/2.jpg
403      GET        7l       10w      162c http://era.htb/js/fancybox/
301      GET        7l       12w      178c http://era.htb/css => http://era.htb/css/
200      GET        5l     1421w   113498c http://era.htb/css/bootstrap.min.css
200      GET      453l     2907w   302969c http://era.htb/img/portfolio_pic1.jpg
200      GET      633l     3945w   356145c http://era.htb/img/portfolio_pic7.jpg
200      GET        4l     1309w    96381c http://era.htb/js/jquery-1.11.0.min.js
200      GET      446l     1536w    19493c http://era.htb/
301      GET        7l       12w      178c http://era.htb/js => http://era.htb/js/
301      GET        7l       12w      178c http://era.htb/fonts => http://era.htb/fonts/
[#>------------------] - 2m     71988/1323322 22m     found:45      errors:27
[#>------------------] - 2m     71999/1323322 22m     found:45      errors:27
[#>------------------] - 2m     72057/1323322 22m     found:45      errors:27
[##>-----------------] - 3m    152814/1323322 20m     found:45      errors:44
🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_era_htb_-1762543647.state ...
[##>-----------------] - 3m    152816/1323322 20m     found:45      errors:44
[##>-----------------] - 3m     26198/220546  136/s   http://era.htb/
[##>-----------------] - 3m     25889/220546  137/s   http://era.htb/img/
[##>-----------------] - 3m     25653/220546  136/s   http://era.htb/js/fancybox/
[##>-----------------] - 3m     25859/220546  137/s   http://era.htb/css/
[##>-----------------] - 3m     25888/220546  138/s   http://era.htb/js/
[##>-----------------] - 3m     23218/220546  139/s   http://era.htb/fonts/
[--------------------] - 0s         0/220546  -       http://era.htb/js/jquery.nav.js
htb/machine/era took 3m15s

Subdomain enumeration

htb/machine/era
> ffuf -u http://era.htb/ -H 'Host: FUZZ.era.htb' -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fw 4

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://era.htb/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.era.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 4
________________________________________________

file                    [Status: 200, Size: 6765, Words: 2608, Lines: 234, Duration: 310ms]
:: Progress: [3240/4989] :: Job [1/1] :: 165 req/sec :: Duration: [0:00:25] :: Errors: 0 ::
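Both the feroxbuster run above and this ffuf run leave a very distinctive footprint in the web server's access log: one source address sending thousands of requests that mostly end in 404, or one address cycling through hundreds of different Host header values against the same IP. The script below is an added example from the defender's side, not part of the original writeup and not code from either tool. It assumes a custom nginx `log_format` that includes `$host` (the stock `combined` format does not log the Host header), and the log lines it runs over are constructed to mimic the two scans rather than taken from the box.

```python
import re
from collections import defaultdict

# Assumed nginx log format (a custom format, not the page's configuration):
#   log_format vhost '$remote_addr [$time_local] $host "$request" $status $body_bytes_sent "$http_user_agent"';
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] (?P<host>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ua>[^"]*)"$'
)

# User-Agent fragments of common enumeration tools; ffuf's default UA is "Fuzz Faster U Fool v..."
TOOL_UA_RE = re.compile(r"feroxbuster|ffuf|fuzz faster|gobuster|dirbuster|nmap", re.I)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines, host_threshold=20, notfound_threshold=50):
    """Aggregate per source IP and return [(ip, [reason, ...])] for sources that look like scanners.

    - many distinct Host headers from one IP  -> virtual-host fuzzing (the ffuf run above)
    - many 404 responses from one IP          -> directory brute force (the feroxbuster run above)
    - a known scanner User-Agent              -> corroborating signal (trivially spoofable, so never the only one)
    """
    per_ip = defaultdict(lambda: {"hosts": set(), "requests": 0, "not_found": 0, "uas": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; in production count these separately rather than drop them silently
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["hosts"].add(rec["host"])
        s["uas"].add(rec["ua"])
        if rec["status"] == 404:
            s["not_found"] += 1

    findings = []
    for ip, s in per_ip.items():
        reasons = []
        if len(s["hosts"]) >= host_threshold:
            reasons.append(f"{len(s['hosts'])} distinct Host headers (vhost fuzzing)")
        if s["not_found"] >= notfound_threshold:
            reasons.append(f"{s['not_found']} of {s['requests']} requests returned 404 (directory brute force)")
        tool_uas = sorted(ua for ua in s["uas"] if TOOL_UA_RE.search(ua))
        if tool_uas:
            reasons.append("scanner User-Agent: " + ", ".join(tool_uas))
        if reasons:
            findings.append((ip, reasons))
    return findings


def constructed_sample():
    """Constructed log lines (not from the box): one normal client and one client running both scans."""
    lines = []
    for path in ("/", "/css/style.css", "/js/custom.js", "/img/era.png"):
        lines.append(f'198.51.100.7 [08/Nov/2025:03:20:01 +0800] era.htb "GET {path} HTTP/1.1" 200 1234 "Mozilla/5.0"')
    # vhost fuzzing: same path, a different Host header on every request
    for i in range(30):
        lines.append(f'203.0.113.5 [08/Nov/2025:03:21:{i:02d} +0800] sub{i}.era.htb "GET / HTTP/1.1" 200 162 "Fuzz Faster U Fool v2.1.0-dev"')
    # directory brute force: wordlist paths, almost all answered with 404
    for i in range(60):
        lines.append(f'203.0.113.5 [08/Nov/2025:03:22:{i % 60:02d} +0800] era.htb "GET /w{i} HTTP/1.1" 404 162 "feroxbuster/2.13.0"')
    return lines


if __name__ == "__main__":
    for ip, reasons in analyse(constructed_sample()):
        print(ip)
        for r in reasons:
            print("  -", r)
```

The thresholds are deliberately simple; on a real site tune them per time window (a large page with many assets can legitimately produce a few dozen 404s per client) and treat the User-Agent match only as a supporting signal, since both tools let the operator set any User-Agent they like.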

Oh look at that.

Add “file.era.htb” to /etc/hosts.

We are greeted with: [screenshot omitted]