Difficulty: Medium

#2025.11.5

Adding the IP to the “/etc/hosts”

sudo nano /etc/hosts

Running the network enumeration

htb/machine/Imagery
> rustscan -a 10.10.11.88
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
With RustScan, I scan ports so fast, even my firewall gets whiplash 💨

[~] The config file is expected to be at "/home/xacce/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.11.88:22
Open 10.10.11.88:8000
[~] Starting Script(s)
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-05 15:24 +0800
Initiating Ping Scan at 15:24
Scanning 10.10.11.88 [2 ports]
Completed Ping Scan at 15:24, 0.28s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:24
Completed Parallel DNS resolution of 1 host. at 15:24, 2.50s elapsed
DNS resolution of 1 IPs took 2.50s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating Connect Scan at 15:24
Scanning 10.10.11.88 [2 ports]
Discovered open port 22/tcp on 10.10.11.88
Discovered open port 8000/tcp on 10.10.11.88
Completed Connect Scan at 15:24, 0.27s elapsed (2 total ports)
Nmap scan report for 10.10.11.88
Host is up, received conn-refused (0.28s latency).
Scanned at 2025-11-05 15:24:36 +08 for 1s

PORT     STATE SERVICE  REASON
22/tcp   open  ssh      syn-ack
8000/tcp open  http-alt syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3.07 seconds

htb/machine/Imagery took 46s
>

Directory enumeration

htb/machine/Imagery
> feroxbuster -u http://10.10.11.88:8000/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.11.88:8000/
 🚩  In-Scope Url          │ 10.10.11.88
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦑  User-Agent            │ feroxbuster/2.13.0
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        5l       31w      207c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
401      GET        1l        4w       59c http://10.10.11.88:8000/images
405      GET        5l       20w      153c http://10.10.11.88:8000/login
405      GET        5l       20w      153c http://10.10.11.88:8000/register
200      GET       27l       48w      584c http://10.10.11.88:8000/static/fonts.css
405      GET        5l       20w      153c http://10.10.11.88:8000/upload_image
200      GET        3l      282w    20343c http://10.10.11.88:8000/static/purify.min.js
200      GET       83l     9103w   407279c http://10.10.11.88:8000/static/tailwind.js
200      GET     2779l     9472w   146960c http://10.10.11.88:8000/
405      GET        5l       20w      153c http://10.10.11.88:8000/logout
404      GET        0l        0w      207c http://10.10.11.88:8000/netinet
404      GET        0l        0w      207c http://10.10.11.88:8000/tech_support
404      GET        0l        0w      207c http://10.10.11.88:8000/3652486
404      GET        0l        0w      207c http://10.10.11.88:8000/Team
404      GET        0l        0w      207c http://10.10.11.88:8000/with
404      GET        0l        0w      207c http://10.10.11.88:8000/2573
404      GET        0l        0w      207c http://10.10.11.88:8000/1867
404      GET        0l        0w      207c http://10.10.11.88:8000/2004-02
404      GET        0l        0w      207c http://10.10.11.88:8000/2246
[#>------------------] - 6m     21558/220560  44m     found:18      errors:32
[#>------------------] - 6m     21581/220560  44m     found:18      errors:32
[##>-----------------] - 7m     26457/220560  59m     found:18      errors:32
[##>-----------------] - 7m     26432/220546  63/s    http://10.10.11.88:8000/
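How a scan like the one above shows up on the server side, as an added example that is not part of the original writeup: a Python check that flags path brute forcing in web access logs. The combined log format, the client addresses and the thresholds are assumptions; the paths, status codes and User-Agent come from the feroxbuster output above.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumed combined log format; the page shows no server logs).
# Paths, status codes and the User-Agent mirror the feroxbuster output above.
SCAN_PATHS = [
    ("/images", 401), ("/login", 405), ("/register", 405), ("/upload_image", 405),
    ("/netinet", 404), ("/tech_support", 404), ("/Team", 404), ("/with", 404),
    ("/2573", 404), ("/1867", 404), ("/2004-02", 404), ("/2246", 404),
]
SAMPLE_LOG = [
    f'10.10.14.7 - - [05/Nov/2025:15:30:{i:02d} +0800] "GET {p} HTTP/1.1" {s} 207 "-" "feroxbuster/2.13.0"'
    for i, (p, s) in enumerate(SCAN_PATHS)
] + [
    '10.10.14.9 - - [05/Nov/2025:15:30:01 +0800] "GET / HTTP/1.1" 200 146960 "-" "Mozilla/5.0"',
    '10.10.14.9 - - [05/Nov/2025:15:30:02 +0800] "GET /static/fonts.css HTTP/1.1" 200 584 "-" "Mozilla/5.0"',
    '10.10.14.9 - - [05/Nov/2025:15:30:09 +0800] "POST /login HTTP/1.1" 200 59 "-" "Mozilla/5.0"',
    '10.10.14.9 - - [05/Nov/2025:15:30:12 +0800] "GET /favicon.ico HTTP/1.1" 404 207 "-" "Mozilla/5.0"',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
# The User-Agent is trivially changed, so treat it as a hint; the 4xx ratio is the main signal.
SCANNER_UA = re.compile(r"feroxbuster", re.I)

def find_enumeration(lines, min_paths=10, min_error_ratio=0.8):
    """Return {client_ip: [reasons]} for clients whose requests look like path brute forcing."""
    stats = defaultdict(lambda: {"paths": set(), "total": 0, "errors": 0, "ua_hit": False})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of guessing
        ip, _method, path, status, ua = m.groups()
        s = stats[ip]
        s["total"] += 1
        s["paths"].add(path.split("?", 1)[0])      # ignore query strings
        s["errors"] += status.startswith("4")      # 401/404/405 all count
        s["ua_hit"] |= bool(SCANNER_UA.search(ua))
    findings = {}
    for ip, s in stats.items():
        ratio = s["errors"] / s["total"]
        reasons = []
        if len(s["paths"]) >= min_paths and ratio >= min_error_ratio:
            reasons.append(f"{len(s['paths'])} distinct paths, {ratio:.0%} 4xx")
        if s["ua_hit"]:
            reasons.append("scanner User-Agent")
        if reasons:
            findings[ip] = reasons
    return findings
```

On real traffic the counts should be taken per time window, since a 50-thread scan produces these ratios within seconds while a normal client accumulates the occasional 404 over hours.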

HTTP server on port 8000


I went ahead and registered with

test@test.com
test1234