Getting Started, Section: Web Enumeration

HTB Content Academy
1

Hi Guys hope your well.

I need some help on Module - Getting Started, Section: Web Enumeration

I am trying to capture the flag and have done the following commands and got back the following results
but still cannot find the flag. Any help would be much appricated.

So done the following things:

Gobuster

Had run this command and gt
gobuster dir -u http://134.209.177.128:30158 -w /usr/share/dirb/wordlists/common.txt

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

[+] Url: http://134.209.177.128:30158
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s

2023/04/04 21:42:56 Starting gobuster in directory enumeration mode

/.hta (Status: 403) [Size: 283]
/.htaccess (Status: 403) [Size: 283]
/.htpasswd (Status: 403) [Size: 283]
/index.php (Status: 200) [Size: 990]
/robots.txt (Status: 200) [Size: 45]
/server-status (Status: 403) [Size: 283]
/wordpress (Status: 301) [Size: 331] [–> http://134.209.177.128:30158/wordpress/]

===============================================================
2023/04/04 21:43:04 Finished

went to this link
http://134.209.177.128:30158/wordpress

Click continue nothing happens

I put this /.htpasswd in front of wordpress says i dont have access

DNS Subdomain Enumeration

Install SecLists

Had run
git clone GitHub - danielmiessler/SecLists: SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

Got this result
[eu-academy-1]─[10.10.15.107]─[htb-ac-570585@htb-ijcyyqzudg]─[~]
└──╼ [★]$ git clone GitHub - danielmiessler/SecLists: SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
Cloning into ‘SecLists’…
remote: Enumerating objects: 12168, done.
remote: Total 12168 (delta 0), reused 0 (delta 0), pack-reused 12168
Receiving objects: 100% (12168/12168), 884.86 MiB | 17.89 MiB/s, done.
Resolving deltas: 100% (6663/6663), done.
Updating files: 100% (5450/5450), done.
┌─[eu-academy-1]─[10.10.15.107]─[htb-ac-570585@htb-ijcyyqzudg]─[~]
└──╼ [★]$

Had run
sudo apt install seclists -y

Got this as a result
┌─[eu-academy-1]─[10.10.15.107]─[htb-ac-570585@htb-ijcyyqzudg]─[~]
└──╼ [★]$ sudo apt install seclists -y
Reading package lists… Done
Building dependency tree… Done
Reading state information… Done
seclists is already the newest version (2022.1-0parrot1).
The following packages were automatically installed and are no longer required:
libgit2-1.1 libmbedcrypto3 libmbedtls12 libmbedx509-0 libstd-rust-1.48
libstd-rust-dev linux-kbuild-5.18 rust-gdb
Use ‘sudo apt autoremove’ to remove them.
0 upgraded, 0 newly installed, 0 to remove and 108 not upgraded.

Did this command for gobuster dns
gobuster dns -d 134.209.177.128:30158 -w /usr/share/SecLists/Discovery/DNS/namelist.txt

Got the following

Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

[+] Domain: 134.209.177.128:30158
[+] Threads: 10
[+] Timeout: 1s
[+] Wordlist: /usr/share/SecLists/Discovery/DNS/namelist.txt

2023/04/04 22:00:40 Starting gobuster in DNS enumeration mode

2023/04/04 22:00:40 [-] Unable to validate base domain: 134.209.177.128:30158 (lookup 134.209.177.128:30158: no such host)

===============================================================
2023/04/04 22:00:40 Finished

┌─[eu-academy-1]─[10.10.15.107]─[htb-ac-570585@htb-ijcyyqzudg]─[~]
└──╼ [★]$

Banner Grabbing / Web Server Headers

Used this command
curl -IL http://134.209.177.128:30158

Got the following results back
HTTP/1.1 200 OK
Date: Tue, 04 Apr 2023 21:03:25 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html; charset=UTF-8

Whatweb

Did this command
whatweb 134.209.177.128:30158

Got this
http://134.209.177.128:30158 [200 OK] Apache[2.4.41], Country[UNITED STATES][US], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[134.209.177.128], Title[HTB Academy]

Did this command
whatweb --no-errors 134.209.177.128:30158

Got this back
http://134.209.177.128:30158 [200 OK] Apache[2.4.41], Country[UNITED STATES][US], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[134.209.177.128], Title[HTB Academy]

Certificates

Tried browsing to
https://134.209.177.128:30158

Got a timmed out connection error

Robots.txt

Tried navigating to
http://134.209.177.128:30158/private

Got back saying the requested URL was not found on the server

Source Code
So i decided to check the source code for

http://134.209.177.128:30158

Which gave back HTB Academy

I check through the source code there was no username or password i could see

2

Ok worked it out :slight_smile: