So I’m pretty new to HTB. I’ve completed Archetype (the previous challenge) in the Starting Point batch.
I’ve enumerated the machine with nmap and discovered 2 ports as follows:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
| 256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_ 256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
80/tcp open ssl/http?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Apache/2.4.29
Basically, when I go to the website, http://10.10.10.28, it loads indefinitely. I was thinking the problem was just an incorrect path in the URL, but I can’t seem to enumerate anything because there is no connection:
Error: error on running gobuster: unable to connect to http://10.10.10.28:80/: Get "http://10.10.10.28:80/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
As I mentioned, pings and nmap were working. SSH was working.
Something interesting happened while accessing SSH through port 80:
└─$ ssh -vvvv -p 80 10.10.10.28
OpenSSH_8.4p1 Debian-3, OpenSSL 1.1.1i 8 Dec 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 10.10.10.28 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/kali/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/kali/.ssh/known_hosts2'
debug2: ssh_connect_direct
debug1: Connecting to 10.10.10.28 [10.10.10.28] port 80.
debug1: Connection established.
debug1: identity file /home/kali/.ssh/id_rsa type -1
debug1: identity file /home/kali/.ssh/id_rsa-cert type -1
debug1: identity file /home/kali/.ssh/id_dsa type -1
debug1: identity file /home/kali/.ssh/id_dsa-cert type -1
debug1: identity file /home/kali/.ssh/id_ecdsa type -1
debug1: identity file /home/kali/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/kali/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/kali/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/kali/.ssh/id_ed25519 type -1
debug1: identity file /home/kali/.ssh/id_ed25519-cert type -1
debug1: identity file /home/kali/.ssh/id_ed25519_sk type -1
debug1: identity file /home/kali/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/kali/.ssh/id_xmss type -1
debug1: identity file /home/kali/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Debian-3
debug1: kex_exchange_identification: banner line 0: HTTP/1.1 400 Bad Request
debug1: kex_exchange_identification: banner line 1: Date: Wed, 05 May 2021 14:52:48 GMT
debug1: kex_exchange_identification: banner line 2: Server: Apache/2.4.29 (Ubuntu)
debug1: kex_exchange_identification: banner line 3: Content-Length: 301
debug1: kex_exchange_identification: banner line 4: Connection: close
debug1: kex_exchange_identification: banner line 5: Content-Type: text/html; charset=iso-8859-1
debug1: kex_exchange_identification: banner line 6:
debug1: kex_exchange_identification: banner line 7: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
debug1: kex_exchange_identification: banner line 8: <html><head>
debug1: kex_exchange_identification: banner line 9: <title>400 Bad Request</title>
debug1: kex_exchange_identification: banner line 10: </head><body>
debug1: kex_exchange_identification: banner line 11: <h1>Bad Request</h1>
debug1: kex_exchange_identification: banner line 12: <p>Your browser sent a request that this server could not understand.<br />
debug1: kex_exchange_identification: banner line 13: </p>
debug1: kex_exchange_identification: banner line 14: <hr>
debug1: kex_exchange_identification: banner line 15: <address>Apache/2.4.29 (Ubuntu) Server at 127.0.1.1 Port 80</address>
debug1: kex_exchange_identification: banner line 16: </body></html>
kex_exchange_identification: Connection closed by remote host
Connection closed by 10.10.10.28 port 80
So I know that there is an Apache running in there. I’ve tried accessing the website through Firefox as well as a fresh install of chromium.
I tried to continue, but the beginning of the next challenge write up suggested the challenges are incremental.
My thoughts are as follows: most probably the machine is malfunctioning (though I’ve tried resetting it a few times) or some other user is trying really hard to brute force something and it’s overloaded.
I really refuse to believe that the machine is trickier than that.
Thanks for the help
Edit: It occurred to me that my VPN setting might be relevant, so I’ll share it here: EU Starting point VPN, EU Starting point #1, and I’ve tried both Connection TCP and UDP.