Difficulty -> Medium

#2025.11.6

Add the target IP to /etc/hosts (the web server redirects to hacknet.htb)

sudo nano /etc/hosts

Network enumeration

htb/vpn/lab
> nmap -Pn -sV -sC 10.10.11.85
Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-06 18:09 +0800
Nmap scan report for 10.10.11.85
Host is up (0.28s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey:
|   256 95:62:ef:97:31:82:ff:a1:c6:08:01:8c:6a:0f:dc:1c (ECDSA)
|_  256 5f:bd:93:10:20:70:e6:09:f1:ba:6a:43:58:86:42:66 (ED25519)
79/tcp   filtered finger
80/tcp   open     http           nginx 1.22.1
|_http-title: Did not follow redirect to http://hacknet.htb/
|_http-server-header: nginx/1.22.1
1233/tcp filtered univ-appserver
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.39 seconds

Visiting the website


Registering


After creating a user and logging in


Directory enumeration

htb/vpn/lab
> feroxbuster -u http://hacknet.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://hacknet.htb/
 🚩  In-Scope Url          │ hacknet.htb
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦑  User-Agent            │ feroxbuster/2.13.0
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET       10l       21w      179c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET       67l      105w     7859c http://hacknet.htb/static/icon.png
200      GET       23l       56w      857c http://hacknet.htb/login
200      GET       24l       63w      948c http://hacknet.htb/register
302      GET        0l        0w        0c http://hacknet.htb/search => http://hacknet.htb/
301      GET        7l       11w      169c http://hacknet.htb/media => http://hacknet.htb/media/
302      GET        0l        0w        0c http://hacknet.htb/profile => http://hacknet.htb/
200      GET      928l     1570w    15786c http://hacknet.htb/static/style.css
404      GET        7l       11w      153c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        7l       11w      153c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET        2l     1262w    87533c http://hacknet.htb/static/jquery-3.7.1.min.js
200      GET       22l       56w      667c http://hacknet.htb/
302      GET        0l        0w        0c http://hacknet.htb/contacts => http://hacknet.htb/
403      GET        7l        9w      153c http://hacknet.htb/static/
302      GET        0l        0w        0c http://hacknet.htb/post => http://hacknet.htb/
302      GET        0l        0w        0c http://hacknet.htb/comment => http://hacknet.htb/
301      GET        7l       11w      169c http://hacknet.htb/static/admin => http://hacknet.htb/static/admin/
301      GET        7l       11w      169c http://hacknet.htb/static/admin/img => http://hacknet.htb/static/admin/img/
302      GET        0l        0w        0c http://hacknet.htb/messages => http://hacknet.htb/
301      GET        7l       11w      169c http://hacknet.htb/static/admin/css => http://hacknet.htb/static/admin/css/
302      GET        0l        0w        0c http://hacknet.htb/logout => http://hacknet.htb/
301      GET        7l       11w      169c http://hacknet.htb/static/admin/js => http://hacknet.htb/static/admin/js/
301      GET        7l       11w      169c http://hacknet.htb/static/admin/js/admin => http://hacknet.htb/static/admin/js/admin/
301      GET        7l       11w      169c http://hacknet.htb/static/admin/css/vendor => http://hacknet.htb/static/admin/css/vendor/
302      GET        0l        0w        0c http://hacknet.htb/explore => http://hacknet.htb/
301      GET        7l       11w      169c http://hacknet.htb/static/admin/js/vendor => http://hacknet.htb/static/admin/js/vendor/
301      GET        7l       11w      169c http://hacknet.htb/static/admin/fonts => http://hacknet.htb/static/admin/fonts/
200      GET       20l      172w     1081c http://hacknet.htb/static/admin/img/LICENSE
301      GET        7l       11w      169c http://hacknet.htb/static/admin/img/gis => http://hacknet.htb/static/admin/img/gis/
[>-------------------] - 86s    77606/1764376 23m     found:26      errors:110
[>-------------------] - 86s    10742/220546  125/s   http://hacknet.htb/
[>-------------------] - 84s    10559/220546  126/s   http://hacknet.htb/static/
[>-------------------] - 84s    10369/220546  124/s   http://hacknet.htb/media/
[>-------------------] - 79s    10131/220546  129/s   http://hacknet.htb/static/admin/
[>-------------------] - 78s    10035/220546  129/s   http://hacknet.htb/static/admin/img/
[>-------------------] - 75s     9536/220546  128/s   http://hacknet.htb/static/admin/css/
[>-------------------] - 72s     9057/220546  126/s   http://hacknet.htb/static/admin/js/
[>-------------------] - 54s     7112/220546  133/s   http://hacknet.htb/static/admin/fonts/
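
Seen from the server side, a wordlist scan like the one above stands out in the nginx access log. The following is an added example, not part of the original write-up: it flags clients by the feroxbuster User-Agent shown in the banner and by a high share of 404s across many distinct paths. The combined log format, the thresholds, the client IPs and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# nginx "combined" format: ip - user [time] "METHOD path proto" status bytes "referer" "user-agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
SCANNER_UA = re.compile(r"feroxbuster|gobuster|dirbuster|ffuf", re.I)

def detect_enumeration(lines, min_requests=8, min_404_ratio=0.5):
    """Return {ip: [reasons]} for clients whose traffic looks like forced browsing."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "paths": set(), "ua": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        s = stats[m["ip"]]
        s["total"] += 1
        s["not_found"] += m["status"] == "404"
        s["paths"].add(m["path"])
        s["ua"].add(m["ua"])
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if any(SCANNER_UA.search(ua) for ua in s["ua"]):
            reasons.append("scanner user-agent")
        ratio = s["not_found"] / s["total"]
        # Many distinct paths that mostly miss is the signal that survives a spoofed UA.
        if s["total"] >= min_requests and len(s["paths"]) >= min_requests and ratio >= min_404_ratio:
            reasons.append(f"{s['not_found']}/{s['total']} requests returned 404")
        if reasons:
            findings[ip] = reasons
    return findings

def _log(ip, path, status, ua):
    return f'{ip} - - [06/Nov/2025:18:20:01 +0800] "GET {path} HTTP/1.1" {status} 153 "-" "{ua}"'

# Constructed sample log lines (not taken from the target host).
SAMPLE = (
    [_log("10.10.14.5", f"/word{i}", 404, "feroxbuster/2.13.0") for i in range(10)]
    + [_log("10.10.14.5", "/login", 200, "feroxbuster/2.13.0")]
    + [_log("10.10.14.9", f"/guess{i}", 404, "Mozilla/5.0") for i in range(9)]
    + [_log("10.10.14.7", p, 200, "Mozilla/5.0") for p in ("/", "/login", "/static/style.css")]
)

if __name__ == "__main__":
    for ip, reasons in detect_enumeration(SAMPLE).items():
        print(ip, "->", "; ".join(reasons))
```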