nmap

  ___                        
 ( _ ) _ __ ___   __ _ _ __  
 / _ \| '_ ` _ \ / _` | '_ \ 
| (_) | | | | | | (_| | |_) |
 \___/|_| |_| |_|\__,_| .__/ 
                      |_|    

[+] Scanning 10.10.10.239 [65535 TCP ports]


[+] Enumerating 10.10.10.239 [80,135,139,443,445,3306,5000,5040,5985,5986,7680,9896,11708,47001,49664,49665,49666,49667,49668,49669,49670]

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-26 07:07 CDT
Nmap scan report for love (10.10.10.239)
Host is up (0.051s latency).

PORT      STATE  SERVICE      VERSION
80/tcp    open   http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp   open   msrpc        Microsoft Windows RPC
139/tcp   open   netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open   ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
| tls-alpn: 
|_  http/1.1
|_http-title: 403 Forbidden
445/tcp   open   microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open   mysql?
| fingerprint-strings: 
|   DNSVersionBindReqTCP, GenericLines, Help, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, X11Probe: 
|_    Host '10.10.14.3' is not allowed to connect to this MariaDB server
5000/tcp  open   http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
5040/tcp  open   unknown
5985/tcp  open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
5986/tcp  open   ssl/http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: 2024-05-26T12:31:51+00:00; +21m33s from scanner time.
| tls-alpn: 
|_  http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Not valid before: 2021-04-11T14:39:19
|_Not valid after:  2024-04-10T14:39:19
|_http-title: Not Found
7680/tcp  open   pando-pub?
9896/tcp  closed unknown
11708/tcp closed unknown
47001/tcp open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open   msrpc        Microsoft Windows RPC
49665/tcp open   msrpc        Microsoft Windows RPC
49666/tcp open   msrpc        Microsoft Windows RPC
49667/tcp open   msrpc        Microsoft Windows RPC
49668/tcp open   msrpc        Microsoft Windows RPC
49669/tcp open   msrpc        Microsoft Windows RPC
49670/tcp open   msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.94SVN%I=7%D=5/26%Time=665325FC%P=x86_64-pc-linux-gnu%r
SF:(NULL,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.14\.3'\x20is\x20not\x20all
SF:owed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GenericLin
SF:es,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.14\.3'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(RTSPRequest,4
SF:9,"E\0\0\x01\xffj\x04Host\x20'10\.10\.14\.3'\x20is\x20not\x20allowed\x2
SF:0to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(RPCCheck,49,"E\0\
SF:0\x01\xffj\x04Host\x20'10\.10\.14\.3'\x20is\x20not\x20allowed\x20to\x20
SF:connect\x20to\x20this\x20MariaDB\x20server")%r(DNSVersionBindReqTCP,49,
SF:"E\0\0\x01\xffj\x04Host\x20'10\.10\.14\.3'\x20is\x20not\x20allowed\x20t
SF:o\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Help,49,"E\0\0\x01\
SF:xffj\x04Host\x20'10\.10\.14\.3'\x20is\x20not\x20allowed\x20to\x20connec
SF:t\x20to\x20this\x20MariaDB\x20server")%r(SSLSessionReq,49,"E\0\0\x01\xf
SF:fj\x04Host\x20'10\.10\.14\.3'\x20is\x20not\x20allowed\x20to\x20connect\
SF:x20to\x20this\x20MariaDB\x20server")%r(TLSSessionReq,49,"E\0\0\x01\xffj
SF:\x04Host\x20'10\.10\.14\.3'\x20is\x20not\x20allowed\x20to\x20connect\x2
SF:0to\x20this\x20MariaDB\x20server")%r(SMBProgNeg,49,"E\0\0\x01\xffj\x04H
SF:ost\x20'10\.10\.14\.3'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x
SF:20this\x20MariaDB\x20server")%r(X11Probe,49,"E\0\0\x01\xffj\x04Host\x20
SF:'10\.10\.14\.3'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\
SF:x20MariaDB\x20server")%r(LPDString,49,"E\0\0\x01\xffj\x04Host\x20'10\.1
SF:0\.14\.3'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20Mar
SF:iaDB\x20server")%r(LDAPSearchReq,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\
SF:.14\.3'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20Maria
SF:DB\x20server")%r(LDAPBindReq,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.14\
SF:.3'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x
SF:20server")%r(SIPOptions,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.14\.3'\x
SF:20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20ser
SF:ver")%r(TerminalServer,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.14\.3'\x2
SF:0is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20serv
SF:er");
Service Info: Hosts: www.example.com, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Love
|   NetBIOS computer name: LOVE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-05-26T05:31:40-07:00
| smb2-time: 
|   date: 2024-05-26T12:31:39
|_  start_date: N/A
|_clock-skew: mean: 2h06m34s, deviation: 3h30m02s, median: 21m32s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 175.19 seconds

[+] Enumerating 10.10.10.239 for vulnerabilities [80,135,139,443,445,3306,5000,5040,5985,5986,7680,9896,11708,47001,49664,49665,49666,49667,49668,49669,49670]

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-26 07:10 CDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for love (10.10.10.239)
Host is up (0.045s latency).

PORT      STATE  SERVICE
80/tcp    open   http
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-sql-injection: 
|   Possible sqli for queries:
|     http://love:80/bower_components/jquery/dist/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://love:80/bower_components/jquery/dist/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://love:80/bower_components/jquery/dist/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://love:80/bower_components/jquery/dist/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://love:80/bower_components/jquery/dist/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://love:80/bower_components/jquery/dist/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://love:80/bower_components/jquery/dist/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://love:80/bower_components/jquery/dist/?C=S%3BO%3DD%27%20OR%20sqlspider
|     http://love:80/bower_components/jquery/dist/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://love:80/bower_components/jquery/dist/?C=M%3BO%3DD%27%20OR%20sqlspider
|     http://love:80/bower_components/jquery/dist/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://love:80/bower_components/jquery/dist/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://love:80/bower_components/jquery/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://love:80/bower_components/jquery/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://love:80/bower_components/jquery/?C=N%3BO%3DD%27%20OR%20sqlspider
|_    http://love:80/bower_components/jquery/?C=M%3BO%3DA%27%20OR%20sqlspider
| http-fileupload-exploiter: 
|   
|     Couldn't find a file-type field.
|   
|     Couldn't find a file-type field.
|   
|     Couldn't find a file-type field.
|   
|_    Couldn't find a file-type field.
|_http-trace: TRACE is enabled
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=love
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://love:80/
|     Form id: 
|     Form action: login.php
|     
|     Path: http://love:80/login.php
|     Form id: 
|_    Form action: login.php
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /admin/: Possible admin folder
|   /admin/index.php: Possible admin folder
|   /Admin/: Possible admin folder
|   /icons/: Potentially interesting folder w/ directory listing
|   /images/: Potentially interesting directory w/ listing on 'apache/2.4.46 (win64) openssl/1.1.1j php/7.3.27'
|_  /includes/: Potentially interesting directory w/ listing on 'apache/2.4.46 (win64) openssl/1.1.1j php/7.3.27'
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
135/tcp   open   msrpc
139/tcp   open   netbios-ssn
443/tcp   open   https
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-trace: TRACE is enabled
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum: 
|_  /icons/: Potentially interesting folder w/ directory listing
445/tcp   open   microsoft-ds
3306/tcp  open   mysql
5000/tcp  open   upnp
5040/tcp  open   unknown
5985/tcp  open   wsman
5986/tcp  open   wsmans
7680/tcp  open   pando-pub
9896/tcp  closed unknown
11708/tcp closed unknown
47001/tcp open   winrm
49664/tcp open   unknown
49665/tcp open   unknown
49666/tcp open   unknown
49667/tcp open   unknown
49668/tcp open   unknown
49669/tcp open   unknown
49670/tcp open   unknown

Host script results:
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false

Nmap done: 1 IP address (1 host up) scanned in 347.15 seconds

[+] Scanning 10.10.10.239 [1000 UDP ports]
[sudo] password for adot: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-26 07:30 CDT
Initiating Ping Scan at 07:30
Scanning 10.10.10.239 [4 ports]
Completed Ping Scan at 07:30, 0.12s elapsed (1 total hosts)
Initiating UDP Scan at 07:30
Scanning love (10.10.10.239) [100 ports]
Increasing send delay for 10.10.10.239 from 0 to 50 due to max_successful_tryno increase to 5
Increasing send delay for 10.10.10.239 from 50 to 100 due to max_successful_tryno increase to 6
Warning: 10.10.10.239 giving up on port because retransmission cap hit (6).
Increasing send delay for 10.10.10.239 from 100 to 200 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.10.10.239 from 200 to 400 due to 11 out of 12 dropped probes since last increase.
Increasing send delay for 10.10.10.239 from 400 to 800 due to 11 out of 14 dropped probes since last increase.
Increasing send delay for 10.10.10.239 from 800 to 1000 due to 12 out of 29 dropped probes since last increase.
Completed UDP Scan at 07:32, 120.72s elapsed (100 total ports)
Nmap scan report for love (10.10.10.239)
Host is up (0.060s latency).
Not shown: 81 closed udp ports (port-unreach)
PORT      STATE         SERVICE
68/udp    open|filtered dhcpc
123/udp   open|filtered ntp
135/udp   open|filtered msrpc
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
445/udp   open|filtered microsoft-ds
497/udp   open|filtered retrospect
500/udp   open|filtered isakmp
996/udp   open|filtered vsinet
1813/udp  open|filtered radacct
1900/udp  open|filtered upnp
2222/udp  open|filtered msantipiracy
4500/udp  open|filtered nat-t-ike
5353/udp  open|filtered zeroconf
5632/udp  open|filtered pcanywherestat
20031/udp open|filtered bakbonenetvault
49154/udp open|filtered unknown
49182/udp open|filtered unknown
49186/udp open|filtered unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 120.97 seconds
           Raw packets sent: 461 (29.718KB) | Rcvd: 92 (9.197KB)

[+] Completed!