Diff → HARD

2025.11.6

Add the IP

sudo nano /etc/hosts

Network Enumeration

Documents/htb/machine
> rustscan -a 10.10.11.84
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
RustScan: Exploring the digital landscape, one IP at a time.

[~] The config file is expected to be at "/home/xacce/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.11.84:22
Open 10.10.11.84:80
[~] Starting Script(s)
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-05 23:07 +0800
Initiating Ping Scan at 23:07
Scanning 10.10.11.84 [2 ports]
Completed Ping Scan at 23:07, 0.28s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:07
Completed Parallel DNS resolution of 1 host. at 23:07, 0.50s elapsed
DNS resolution of 1 IPs took 0.50s. Mode: Async [#: 4, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 23:07
Scanning 10.10.11.84 [2 ports]
Discovered open port 22/tcp on 10.10.11.84
Discovered open port 80/tcp on 10.10.11.84
Completed Connect Scan at 23:07, 0.32s elapsed (2 total ports)
Nmap scan report for 10.10.11.84
Host is up, received syn-ack (0.29s latency).
Scanned at 2025-11-05 23:07:59 +08 for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.12 seconds

Directory Enumeration

htb/machine/guardian
> feroxbuster -u http://guardian.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://guardian.htb/
 🚩  In-Scope Url          │ guardian.htb
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.0
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       28w      277c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       31w      274c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET       31l       84w      919c http://guardian.htb/js/scripts.js
301      GET        9l       28w      313c http://guardian.htb/images => http://guardian.htb/images/
200      GET      296l      575w     5104c http://guardian.htb/css/styles.css
200      GET      156l      447w     6741c http://guardian.htb/
301      GET        9l       28w      310c http://guardian.htb/css => http://guardian.htb/css/
301      GET        9l       28w      309c http://guardian.htb/js => http://guardian.htb/js/
301      GET        9l       28w      317c http://guardian.htb/javascript => http://guardian.htb/javascript/
[##>-----------------] - 6m    154603/1102741 34m     found:7       errors:4787
[##>-----------------] - 6m     31594/220546  82/s    http://guardian.htb/
[##>-----------------] - 6m     30820/220546  82/s    http://guardian.htb/images/
[##>-----------------] - 6m     31485/220546  84/s    http://guardian.htb/css/
[##>-----------------] - 6m     30653/220546  83/s    http://guardian.htb/js/
[##>-----------------] - 6m     30012/220546  81/s    http://guardian.htb/javascript/

Subdomain Enumeration

htb/machine/guardian
❯ ffuf -u http://10.10.11.84 -H "Host: FUZZ.guardian.htb" -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -ac

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.11.84
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt
 :: Header           : Host: FUZZ.guardian.htb
 :: Follow redirects : false
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

portal                  [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 307ms]
:: Progress: [6963/19966] :: Job [1/1] :: 150 req/sec :: Duration: [0:01:04] :: Errors: 0 ::

Subdomain found. Adding it to /etc/hosts and visiting.


On the Help button
