Intro

The Network Enumeration with Nmap module comprises a total of eight sub-modules. This write-up covers the first four sections, with a detailed explanation and analysis of each.

  1. Host and Port Scanning
  2. Saving the Results
  3. Service Enumeration
  4. Nmap Script Engine (NSE)

1. Host and Port Scanning

Task 1: Find all TCP ports on your target. Submit the total number of found TCP ports as the answer.

To find the TCP ports, the -Pn flag disables host discovery so that nmap goes straight to port scanning, and -v increases verbosity so we can follow what nmap is doing. With -vv specifically, nmap prints each open port as soon as it is discovered rather than only in the final summary. Note that without -p- nmap scans only its 1,000 most common TCP ports; the full 65,535-port scan is shown under Saving the Results.

┌──(solo㉿HTB)-[~]
└─$ sudo nmap -Pn -vv 10.129.11.154
PORT      STATE SERVICE      REASON
22/tcp    open  ssh          syn-ack ttl 63
80/tcp    open  http         syn-ack ttl 63
110/tcp   open  pop3         syn-ack ttl 63
139/tcp   open  netbios-ssn  syn-ack ttl 63
143/tcp   open  imap         syn-ack ttl 63
445/tcp   open  microsoft-ds syn-ack ttl 63
31337/tcp open  Elite        syn-ack ttl 63

Answer: 7

Task 2: Enumerate the hostname of your target and submit it as the answer. (case-sensitive)

We are tasked with enumerating the hostname of our target, and there are several ways to do this. Below, I present two methods.

The first method uses the -A flag. It is slower than the second approach because -A enables OS detection, version detection, script scanning and traceroute at once; the hostname appears in the Service Info line at the end of the output.

┌──(solo㉿HTB)-[~]
└─$ nmap -A -vv 10.129.79.161
Not shown: 993 closed tcp ports (conn-refused)
PORT      STATE SERVICE     REASON  VERSION
22/tcp    open  ssh         syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 1accacd49552d64d71e7341e14273c3c
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AA5AAIMYSP2Z8qyfE4cFAGOW1EWXDnPnCPbw2MGkB25pCXL/
80/tcp    open  http        syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp   open  pop3        syn-ack Dovecot pop3d
139/tcp   open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open  imap        syn-ack Dovecot imapd
445/tcp   open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
31337/tcp open  Elite?      syn-ack
Service Info: Host: NIX-NMAP-DEFAULT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

The second method uses the smb-os-discovery script, which is much faster than the first. This script queries SMB for system information such as the operating system, computer name, domain, workgroup and current time, which makes it a good fit for this task.

┌──(solo㉿HTB)-[~]
└─$ sudo nmap --script=smb-os-discovery -vv 10.129.79.161
Not shown: 993 closed tcp ports (reset)
PORT      STATE SERVICE      REASON
22/tcp    open  ssh          syn-ack ttl 63
80/tcp    open  http         syn-ack ttl 63
110/tcp   open  pop3         syn-ack ttl 63
139/tcp   open  netbios-ssn  syn-ack ttl 63
143/tcp   open  imap         syn-ack ttl 63
445/tcp   open  microsoft-ds syn-ack ttl 63
31337/tcp open  Elite        syn-ack ttl 63

Host script results:
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: nix-nmap-default
|   NetBIOS computer name: NIX-NMAP-DEFAULT\x00
|   Domain name: \x00
|   FQDN: nix-nmap-default

Answer: NIX-NMAP-DEFAULT

2. Saving the Results

Task: Perform a full TCP port scan on your target and create an HTML report. Submit the number of the highest port as the answer.

The task is straightforward: a full TCP port scan, meaning all 65,535 ports, is requested with the -p- flag, following the same approach as task 1 of the Host and Port Scanning section. To focus purely on port scanning we again use -Pn to disable host discovery, and the aggressive timing template -T4 speeds the scan up.

Finally, we save the scan output to an XML file using the -oX flag, which we can subsequently convert into an HTML report.

┌──(solo㉿HTB)-[~]
└─$ sudo nmap -Pn -p- -T4 -vv -oX fulltcp 10.129.236.139
Starting Nmap 7.93 ( https://nmap.org )
Initiating Parallel DNS resolution of 1 host. at 12:10
Completed Parallel DNS resolution of 1 host. at 12:10, 0.00s elapsed
Initiating SYN Stealth Scan at 12:10
Scanning 10.129.236.139 [65535 ports]
SYN Stealth Scan Timing: About 0.45% done
Discovered open port 22/tcp on 10.129.236.139
Discovered open port 139/tcp on 10.129.236.139
Discovered open port 110/tcp on 10.129.236.139
Discovered open port 445/tcp on 10.129.236.139
Discovered open port 143/tcp on 10.129.236.139
Discovered open port 80/tcp on 10.129.236.139
SYN Stealth Scan Timing: About 46.54% done; ETC: 12:12 (0:01:10 remaining)
Discovered open port 31337/tcp on 10.129.236.139
Completed SYN Stealth Scan at 12:11, 74.35s elapsed (65535 total ports)
Nmap scan report for 10.129.236.139
Host is up, received user-set (0.040s latency).
Scanned for 75s
Not shown: 65528 closed tcp ports (reset)
PORT      STATE SERVICE      REASON
22/tcp    open  ssh          syn-ack ttl 63
80/tcp    open  http         syn-ack ttl 63
110/tcp   open  pop3         syn-ack ttl 63
139/tcp   open  netbios-ssn  syn-ack ttl 63
143/tcp   open  imap         syn-ack ttl 63
445/tcp   open  microsoft-ds syn-ack ttl 63
31337/tcp open  Elite        syn-ack ttl 63

With the XML output we can produce HTML reports that are easy to read, even for non-technical people, which makes them useful for documentation. To convert the stored XML results to HTML we use xsltproc, which picks up the nmap.xsl stylesheet referenced inside the XML file itself.

┌──(solo㉿HTB)-[~]
└─$ xsltproc fulltcp -o fulltcp.html
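
The XML written by -oX is the format every later conversion starts from, so as an added example (not part of the original write-up) here is a small Python parser that pulls the open ports out of such a file, answers this task's question directly, and renders a minimal HTML table for cases where xsltproc is not installed. The XML is a constructed sample in nmap's own schema, trimmed to the elements read here; the xml-stylesheet line is what lets xsltproc find nmap.xsl without being told.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample in the shape nmap writes with -oX, trimmed to the elements
# this parser reads. The ports mirror the full TCP scan above; 8080/tcp is added
# as a filtered port so the state filter has something to drop.
SAMPLE_XML = """<?xml version="1.0"?>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<nmaprun scanner="nmap" args="nmap -Pn -p- -T4 -vv -oX fulltcp 10.129.236.139" version="7.93">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="10.129.236.139" addrtype="ipv4"/>
    <ports>
      <extraports state="closed" count="65528"/>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="110"><state state="open" reason="syn-ack"/><service name="pop3"/></port>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="143"><state state="open" reason="syn-ack"/><service name="imap"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="31337"><state state="open" reason="syn-ack"/><service name="Elite"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text):
    """Return [(ip, [(port, proto, service), ...])] with only open ports per host."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else "?"
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            # Closed ports are summarised in <extraports>; filtered ones still
            # appear as <port> elements, so the state check is what drops them.
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            ports.append((int(port.get("portid")), port.get("protocol"),
                          svc.get("name", "") if svc is not None else ""))
        results.append((ip, sorted(ports)))
    return results


def highest_open_tcp_port(xml_text):
    """The task's answer: the largest open TCP port across all hosts, or None."""
    tcp = [p for _, ports in open_ports(xml_text) for p, proto, _ in ports if proto == "tcp"]
    return max(tcp) if tcp else None


def html_report(xml_text):
    """A minimal HTML table, standing in for the xsltproc/nmap.xsl conversion."""
    rows = []
    for ip, ports in open_ports(xml_text):
        for p, proto, svc in ports:
            rows.append(f"<tr><td>{html.escape(ip)}</td><td>{p}/{proto}</td>"
                        f"<td>{html.escape(svc)}</td></tr>")
    return ("<table><tr><th>Host</th><th>Port</th><th>Service</th></tr>"
            + "".join(rows) + "</table>")


if __name__ == "__main__":
    import sys
    # Pass a real -oX file as the first argument, otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for ip, ports in open_ports(text):
        print(ip, ", ".join(f"{p}/{proto} {svc}" for p, proto, svc in ports))
    print("highest open TCP port:", highest_open_tcp_port(text))
```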

When we open the newly converted HTML report, it presents the same scan results as a readable table:

[Screenshot of the HTML report omitted]

Answer: 31337

3. Service Enumeration

Task: Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer.

The task is to enumerate all ports and their services; the flag is in one of them.

We start by enumerating all ports and their services with the -sV flag, which tells Nmap to perform service version detection on the specified ports, which in our case are all ports, denoted by -p-.

┌──(solo㉿HTB)-[~]
└─$ sudo nmap -sV -Pn -p- -T4 -vv 10.129.33.227

Nmap scan report for 10.129.33.227
Host is up, received user-set (0.044s latency).
Scanned for 120s
Not shown: 65528 closed tcp ports (reset)
PORT      STATE SERVICE     REASON         VERSION
22/tcp    open  ssh         syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http        syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
110/tcp   open  pop3        syn-ack ttl 63 Dovecot pop3d
139/tcp   open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open  imap        syn-ack ttl 63 Dovecot imapd
445/tcp   open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
31337/tcp open  Elite?      syn-ack ttl 63
Service Info: Host: NIX-NMAP-DEFAULT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 119.90 seconds
           Raw packets sent: 65712 (2.891MB) | Rcvd: 65708 (2.628MB)
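
As an added example (not part of the original write-up), the following Python parses the PORT table from nmap's normal output, using the header line to locate the columns, and answers two questions from this write-up: how many TCP ports are open (task 1 of Host and Port Scanning) and which open services nmap could not identify with -sV (the trailing ? on Elite? in this section). The sample output is constructed from the scan above, with one extra filtered port added to exercise the state filter.

```python
import re

# Constructed sample: the PORT table from the -sV scan above (normal output with
# -vv, which adds the REASON column), plus one filtered port so the state filter
# has something to drop. Column alignment matches what nmap prints.
SAMPLE_OUTPUT = """\
Nmap scan report for 10.129.33.227
Host is up, received user-set (0.044s latency).
Not shown: 65527 closed tcp ports (reset)
PORT      STATE    SERVICE     REASON         VERSION
22/tcp    open     ssh         syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp    open     http        syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
110/tcp   open     pop3        syn-ack ttl 63 Dovecot pop3d
139/tcp   open     netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open     imap        syn-ack ttl 63 Dovecot imapd
445/tcp   open     netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8443/tcp  filtered https-alt   no-response
31337/tcp open     Elite?      syn-ack ttl 63
Service Info: Host: NIX-NMAP-DEFAULT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

PORT_CELL = re.compile(r"^(\d+)/(tcp|udp|sctp)\s")


def parse_port_table(text):
    """Parse nmap's PORT/STATE/SERVICE[/REASON][/VERSION] table into dicts.

    nmap pads every column to the width of its widest cell, so the header line
    gives the start offset of each column and rows can be sliced by position.
    That is more robust than splitting on whitespace, because REASON ("syn-ack
    ttl 63") and VERSION contain spaces and either column may be absent.
    """
    rows, columns = [], None
    for line in text.splitlines():
        if line.startswith("PORT "):
            columns = [(m.group().lower(), m.start()) for m in re.finditer(r"\S+", line)]
            continue
        if columns is None or not PORT_CELL.match(line):
            continue
        row = {}
        for i, (name, start) in enumerate(columns):
            end = columns[i + 1][1] if i + 1 < len(columns) else None
            row[name] = line[start:end].strip()
        port, proto = row.pop("port").split("/")
        row["port"], row["proto"] = int(port), proto
        rows.append(row)
    return rows


def count_open(rows, proto="tcp"):
    """Task 1 of Host and Port Scanning: how many TCP ports are open."""
    return sum(1 for r in rows if r["state"] == "open" and r["proto"] == proto)


def unidentified(rows):
    """Open ports whose service nmap could not confirm.

    With -sV, a trailing '?' on the service name means the name came from the
    port-number table rather than a matching fingerprint, and the VERSION cell
    stays empty. Those are the ports worth inspecting by hand.
    """
    return [r for r in rows
            if r["state"] == "open"
            and (r["service"].endswith("?") or ("version" in r and not r["version"]))]


if __name__ == "__main__":
    import sys
    # Pass a saved normal-output file (-oN) as the first argument, else use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    rows = parse_port_table(text)
    print("open tcp ports:", count_open(rows))
    for r in unidentified(rows):
        print(f"unidentified: {r['port']}/{r['proto']} ({r['service']})")
```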

In the first phase of this task we enumerated all ports and their services, but the version scan does not show the flag, and nmap could not identify the service on port 31337 (reported as Elite?). To inspect that port directly we use netcat (nc), a utility that opens a TCP or UDP connection to a host and lets us read and write data through the open port.

┌──(solo㉿HTB)-[~]
└─$ nc -nv 10.129.33.227 31337 

(UNKNOWN) [10.129.33.227] 31337 (?) open
220 HTB{pr0F7pDv3r510nb4nn3r}

Answer: HTB{pr0F7pDv3r510nb4nn3r}

4. Nmap Script Engine (NSE)

Task: Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer.

The objective of this task is to use Nmap Scripting Engine (NSE) scripts to locate the flag in one of the services. NSE scripts automate the probing of the discovered services, so they can tell us where to look.

To begin, we run the default script set with the -sC flag. This tells Nmap to run the NSE scripts in the default category against each open port, which gives a good first overview of the services and may point us to the flag.

┌──(solo㉿HTB)-[~]
└─$ sudo nmap -sC -vv 10.129.33.227

Scanned for 143s
Not shown: 993 closed tcp ports (reset)
PORT      STATE SERVICE      REASON
22/tcp    open  ssh          syn-ack ttl 63
| ssh-hostkey: 
80/tcp    open  http         syn-ack ttl 63
|_http-title: Apache2 Ubuntu Default Page: It works
110/tcp   open  pop3         syn-ack ttl 63
|_pop3-capabilities: TOP SASL RESP-CODES AUTH-RESP-CODE UIDL PIPELINING CAPA
139/tcp   open  netbios-ssn  syn-ack ttl 63
143/tcp   open  imap         syn-ack ttl 63
|_imap-capabilities: Pre-login more SASL-IR capabilities LOGIN-REFERRALS OK IMAP4rev1 LITERAL+ IDLE have post-login listed ENABLE LOGINDISABLEDA0001 ID
445/tcp   open  microsoft-ds syn-ack ttl 63
31337/tcp open  Elite        syn-ack ttl 63

Host script results:
|_clock-skew: mean: -38m02s, deviation: 1h09m16s, median: 1m56s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: nix-nmap-default
|   NetBIOS computer name: NIX-NMAP-DEFAULT\x00
|   Domain name: \x00
|   FQDN: nix-nmap-default
|_  System time:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 
|_  start_date: N/A
| nbstat: NetBIOS name: NIX-NMAP-DEFAUL, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| Names:
|   NIX-NMAP-DEFAUL<00>  Flags: <unique><active>
|   NIX-NMAP-DEFAUL<03>  Flags: <unique><active>
|   NIX-NMAP-DEFAUL<20>  Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1e>        Flags: <group><active>
| Statistics:
|   0000000000000000000000000000000000
|   0000000000000000000000000000000000
|_  0000000000000000000000000000
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 53108/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 57139/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 15310/udp): CLEAN (Failed to receive data)
|   Check 4 (port 26426/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 14:19
Completed NSE at 14:19, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 14:19
Completed NSE at 14:19, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 144.37 seconds
           Raw packets sent: 1004 (44.152KB) | Rcvd: 1001 (40.056KB)

Pay close attention to the output for port 80. The http-title script reports the Apache2 Ubuntu default page, and this is the service we will probe further for the flag.

80/tcp    open  http         syn-ack ttl 63
|_http-title: Apache2 Ubuntu Default Page: It works

Next, we look in the NSE scripts folder for a script that targets the HTTP protocol specifically, so that we can probe the web service on port 80 for anything flag-related.

┌──(solo㉿HTB)-[~]
└─$ cd /usr/share/nmap/scripts

┌──(solo㉿HTB)-[/usr/share/nmap/scripts]
└─$ ls
acarsd-info.nse                       fcrdns.nse                              https-redirect.nse               ms-sql-info.nse                 smb-flood.nse
address-info.nse                      finger.nse                              http-stored-xss.nse              ms-sql-ntlm-info.nse            smb-ls.nse
afp-brute.nse                         fingerprint-strings.nse                 http-svn-enum.nse                ms-sql-query.nse                smb-mbenum.nse
afp-ls.nse                            firewalk.nse                            http-svn-info.nse                ms-sql-tables.nse               smb-os-discovery.nse
afp-path-vuln.nse                     firewall-bypass.nse                     http-title.nse                   ms-sql-xp-cmdshell.nse          smb-print-text.nse
afp-serverinfo.nse                    flume-master-info.nse                   http-tplink-dir-traversal.nse    mtrace.nse                      smb-protocols.nse
afp-showmount.nse                     fox-info.nse                            http-trace.nse                   murmur-version.nse              smb-psexec.nse
ajp-auth.nse                          freelancer-info.nse                     http-traceroute.nse              mysql-audit.nse                 smb-security-mode.nse
ajp-brute.nse                         ftp-anon.nse                            http-trane-info.nse              mysql-brute.nse                 smb-server-stats.nse
ajp-headers.nse                       ftp-bounce.nse                          http-unsafe-output-escaping.nse  mysql-databases.nse             smb-system-info.nse
ajp-methods.nse                       ftp-brute.nse                           http-useragent-tester.nse        mysql-dump-hashes.nse           smb-vuln-conficker.nse
ajp-request.nse                       ftp-libopie.nse                         http-userdir-enum.nse            mysql-empty-password.nse        smb-vuln-cve2009-3103.nse
allseeingeye-info.nse                 ftp-proftpd-backdoor.nse                http-vhosts.nse                  mysql-enum.nse                  smb-vuln-cve-2017-7494.nse
amqp-info.nse                         ftp-syst.nse                            http-virustotal.nse              mysql-info.nse                  smb-vuln-ms06-025.nse
asn-query.nse                         ftp-vsftpd-backdoor.nse                 http-vlcstreamer-ls.nse          mysql-query.nse                 smb-vuln-ms07-029.nse
auth-owners.nse                       ftp-vuln-cve2010-4221.nse               http-vmware-path-vuln.nse        mysql-users.nse                 smb-vuln-ms08-067.nse
auth-spoof.nse                        ganglia-info.nse                        http-vuln-cve2006-3392.nse       mysql-variables.nse             smb-vuln-ms10-054.nse
backorifice-brute.nse                 giop-info.nse                           http-vuln-cve2009-3960.nse       mysql-vuln-cve2012-2122.nse     smb-vuln-ms10-061.nse
backorifice-info.nse                  gkrellm-info.nse                        http-vuln-cve2010-0738.nse       nat-pmp-info.nse                smb-vuln-ms17-010.nse
bacnet-info.nse                       gopher-ls.nse                           http-vuln-cve2010-2861.nse       nat-pmp-mapport.nse             smb-vuln-regsvc-dos.nse
banner.nse                            gpsd-info.nse                           http-vuln-cve2011-3192.nse       nbd-info.nse                    smb-vuln-webexec.nse
bitcoin-getaddr.nse                   hadoop-datanode-info.nse                http-vuln-cve2011-3368.nse       nbns-interfaces.nse             smb-webexec-exploit.nse
bitcoin-info.nse                      hadoop-jobtracker-info.nse              http-vuln-cve2012-1823.nse       nbstat.nse                      smtp-brute.nse
bitcoinrpc-info.nse                   hadoop-namenode-info.nse                http-vuln-cve2013-0156.nse       ncp-enum-users.nse              smtp-commands.nse
bittorrent-discovery.nse              hadoop-secondary-namenode-info.nse      http-vuln-cve2013-6786.nse       ncp-serverinfo.nse              smtp-enum-users.nse
bjnp-discover.nse                     hadoop-tasktracker-info.nse             http-vuln-cve2013-7091.nse       ndmp-fs-info.nse                smtp-ntlm-info.nse
broadcast-ataoe-discover.nse          hbase-master-info.nse                   http-vuln-cve2014-2126.nse       ndmp-version.nse                smtp-open-relay.nse
broadcast-avahi-dos.nse               hbase-region-info.nse                   http-vuln-cve2014-2127.nse       nessus-brute.nse                smtp-strangeport.nse
broadcast-bjnp-discover.nse           hddtemp-info.nse                        http-vuln-cve2014-2128.nse       nessus-xmlrpc-brute.nse         smtp-vuln-cve2010-4344.nse
broadcast-db2-discover.nse            hnap-info.nse                           http-vuln-cve2014-2129.nse       netbus-auth-bypass.nse          smtp-vuln-cve2011-1720.nse
broadcast-dhcp6-discover.nse          hostmap-bfk.nse                         http-vuln-cve2014-3704.nse       netbus-brute.nse                smtp-vuln-cve2011-1764.nse
broadcast-dhcp-discover.nse           hostmap-crtsh.nse                       http-vuln-cve2014-8877.nse       netbus-info.nse                 sniffer-detect.nse
broadcast-dns-service-discovery.nse   hostmap-robtex.nse                      http-vuln-cve2015-1427.nse       netbus-version.nse              snmp-brute.nse
broadcast-dropbox-listener.nse        http-adobe-coldfusion-apsa1301.nse      http-vuln-cve2015-1635.nse       nexpose-brute.nse               snmp-hh3c-logins.nse
broadcast-eigrp-discovery.nse         http-affiliate-id.nse                   http-vuln-cve2017-1001000.nse    nfs-ls.nse                      snmp-info.nse
broadcast-hid-discoveryd.nse          http-apache-negotiation.nse             http-vuln-cve2017-5638.nse       nfs-showmount.nse               snmp-interfaces.nse
broadcast-igmp-discovery.nse          http-apache-server-status.nse           http-vuln-cve2017-5689.nse       nfs-statfs.nse                  snmp-ios-config.nse
broadcast-jenkins-discover.nse        http-aspnet-debug.nse                   http-vuln-cve2017-8917.nse       nje-node-brute.nse              snmp-netstat.nse
broadcast-listener.nse                http-auth-finder.nse                    http-vuln-misfortune-cookie.nse  nje-pass-brute.nse              snmp-processes.nse
broadcast-ms-sql-discover.nse         http-auth.nse                           http-vuln-wnr1000-creds.nse      nntp-ntlm-info.nse              snmp-sysdescr.nse
broadcast-netbios-master-browser.nse  http-avaya-ipoffice-users.nse           http-waf-detect.nse              nping-brute.nse                 snmp-win32-services.nse
broadcast-networker-discover.nse      http-awstatstotals-exec.nse             http-waf-fingerprint.nse         nrpe-enum.nse                   snmp-win32-shares.nse
broadcast-novell-locate.nse           http-axis2-dir-traversal.nse            http-webdav-scan.nse             ntp-info.nse                    snmp-win32-software.nse
broadcast-ospf2-discover.nse          http-backup-finder.nse                  http-wordpress-brute.nse         ntp-monlist.nse                 snmp-win32-users.nse
broadcast-pc-anywhere.nse             http-barracuda-dir-traversal.nse        http-wordpress-enum.nse          omp2-brute.nse                  socks-auth-info.nse
broadcast-pc-duo.nse                  http-bigip-cookie.nse                   http-wordpress-users.nse         omp2-enum-targets.nse           socks-brute.nse
broadcast-pim-discovery.nse           http-brute.nse                          http-xssed.nse                   omron-info.nse                  socks-open-proxy.nse
broadcast-ping.nse                    http-cakephp-version.nse                iax2-brute.nse                   openflow-info.nse               ssh2-enum-algos.nse
broadcast-pppoe-discover.nse          http-chrono.nse                         iax2-version.nse                 openlookup-info.nse             ssh-auth-methods.nse
broadcast-rip-discover.nse            http-cisco-anyconnect.nse               icap-info.nse                    openvas-otp-brute.nse           ssh-brute.nse
broadcast-ripng-discover.nse          http-coldfusion-subzero.nse             iec-identify.nse                 openwebnet-discovery.nse        ssh-hostkey.nse
broadcast-sonicwall-discover.nse      http-comments-displayer.nse             ike-version.nse                  oracle-brute.nse                ssh-publickey-acceptance.nse
broadcast-sybase-asa-discover.nse     http-config-backup.nse                  imap-brute.nse                   oracle-brute-stealth.nse        ssh-run.nse
broadcast-tellstick-discover.nse      http-cookie-flags.nse                   imap-capabilities.nse            oracle-enum-users.nse           sshv1.nse
broadcast-upnp-info.nse               http-cors.nse                           imap-ntlm-info.nse               oracle-sid-brute.nse            ssl-ccs-injection.nse
broadcast-versant-locate.nse          http-cross-domain-policy.nse            impress-remote-discover.nse      oracle-tns-version.nse          ssl-cert-intaddr.nse
broadcast-wake-on-lan.nse             http-csrf.nse                           informix-brute.nse               ovs-agent-version.nse           ssl-cert.nse
broadcast-wpad-discover.nse           http-date.nse                           informix-query.nse               p2p-conficker.nse               ssl-date.nse
broadcast-wsdd-discover.nse           http-default-accounts.nse               informix-tables.nse              path-mtu.nse                    ssl-dh-params.nse
broadcast-xdmcp-discover.nse          http-devframework.nse                   ip-forwarding.nse                pcanywhere-brute.nse            ssl-enum-ciphers.nse
cassandra-brute.nse                   http-dlink-backdoor.nse                 ip-geolocation-geoplugin.nse     pcworx-info.nse                 ssl-heartbleed.nse
cassandra-info.nse                    http-dombased-xss.nse                   ip-geolocation-ipinfodb.nse      pgsql-brute.nse                 ssl-known-key.nse
cccam-version.nse                     http-domino-enum-passwords.nse          ip-geolocation-map-bing.nse      pjl-ready-message.nse           ssl-poodle.nse
cics-enum.nse                         http-drupal-enum.nse                    ip-geolocation-map-google.nse    pop3-brute.nse                  sslv2-drown.nse
cics-info.nse                         http-drupal-enum-users.nse              ip-geolocation-map-kml.nse       pop3-capabilities.nse           sslv2.nse
cics-user-brute.nse                   http-enum.nse                           ip-geolocation-maxmind.nse       pop3-ntlm-info.nse              sstp-discover.nse
cics-user-enum.nse                    http-errors.nse                         ip-https-discover.nse            port-states.nse                 stun-info.nse
citrix-brute-xml.nse                  http-exif-spider.nse                    ipidseq.nse                      pptp-version.nse                stun-version.nse
citrix-enum-apps.nse                  http-favicon.nse                        ipmi-brute.nse                   puppet-naivesigning.nse         stuxnet-detect.nse
citrix-enum-apps-xml.nse              http-feed.nse                           ipmi-cipher-zero.nse             qconn-exec.nse                  supermicro-ipmi-conf.nse
citrix-enum-servers.nse               http-fetch.nse                          ipmi-version.nse                 qscan.nse                       svn-brute.nse
citrix-enum-servers-xml.nse           http-fileupload-exploiter.nse           ipv6-multicast-mld-list.nse      quake1-info.nse                 targets-asn.nse
clamav-exec.nse                       http-form-brute.nse                     ipv6-node-info.nse               quake3-info.nse                 targets-ipv6-map4to6.nse
clock-skew.nse                        http-form-fuzzer.nse                    ipv6-ra-flood.nse                quake3-master-getservers.nse    targets-ipv6-multicast-echo.nse
coap-resources.nse                    http-frontpage-login.nse                irc-botnet-channels.nse          rdp-enum-encryption.nse         targets-ipv6-multicast-invalid-dst.nse
couchdb-databases.nse                 http-generator.nse                      irc-brute.nse                    rdp-ntlm-info.nse               targets-ipv6-multicast-mld.nse
couchdb-stats.nse                     http-git.nse                            irc-info.nse                     rdp-vuln-ms12-020.nse           targets-ipv6-multicast-slaac.nse
creds-summary.nse                     http-gitweb-projects-enum.nse           irc-sasl-brute.nse               realvnc-auth-bypass.nse         targets-ipv6-wordlist.nse
cups-info.nse                         http-google-malware.nse                 irc-unrealircd-backdoor.nse      redis-brute.nse                 targets-sniffer.nse
cups-queue-info.nse                   http-grep.nse                           iscsi-brute.nse                  redis-info.nse                  targets-traceroute.nse
cvs-brute.nse                         http-headers.nse                        iscsi-info.nse                   resolveall.nse                  targets-xml.nse
cvs-brute-repository.nse              http-hp-ilo-info.nse                    isns-info.nse                    reverse-index.nse               teamspeak2-version.nse
daap-get-library.nse                  http-huawei-hg5xx-vuln.nse              jdwp-exec.nse                    rexec-brute.nse                 telnet-brute.nse
daytime.nse                           http-icloud-findmyiphone.nse            jdwp-info.nse                    rfc868-time.nse                 telnet-encryption.nse
db2-das-info.nse                      http-icloud-sendmsg.nse                 jdwp-inject.nse                  riak-http-info.nse              telnet-ntlm-info.nse
deluge-rpc-brute.nse                  http-iis-short-name-brute.nse           jdwp-version.nse                 rlogin-brute.nse                tftp-enum.nse
dhcp-discover.nse                     http-iis-webdav-vuln.nse                knx-gateway-discover.nse         rmi-dumpregistry.nse            tls-alpn.nse
dicom-brute.nse                       http-internal-ip-disclosure.nse         knx-gateway-info.nse             rmi-vuln-classloader.nse        tls-nextprotoneg.nse
dicom-ping.nse                        http-joomla-brute.nse                   krb5-enum-users.nse              rpcap-brute.nse                 tls-ticketbleed.nse
dict-info.nse                         http-jsonp-detection.nse                ldap-brute.nse                   rpcap-info.nse                  tn3270-screen.nse
distcc-cve2004-2687.nse               http-litespeed-sourcecode-download.nse  ldap-novell-getpass.nse          rpc-grind.nse                   tor-consensus-checker.nse
dns-blacklist.nse                     http-ls.nse                             ldap-rootdse.nse                 rpcinfo.nse                     traceroute-geolocation.nse
dns-brute.nse                         http-majordomo2-dir-traversal.nse       ldap-search.nse                  rsa-vuln-roca.nse               tso-brute.nse
dns-cache-snoop.nse                   http-malware-host.nse                   lexmark-config.nse               rsync-brute.nse                 tso-enum.nse
dns-check-zone.nse                    http-mcmp.nse                           llmnr-resolve.nse                rsync-list-modules.nse          ubiquiti-discovery.nse
dns-client-subnet-scan.nse            http-methods.nse                        lltd-discovery.nse               rtsp-methods.nse                unittest.nse
dns-fuzz.nse                          http-method-tamper.nse                  lu-enum.nse                      rtsp-url-brute.nse              unusual-port.nse
dns-ip6-arpa-scan.nse                 http-mobileversion-checker.nse          maxdb-info.nse                   rusers.nse                      upnp-info.nse
dns-nsec3-enum.nse                    http-ntlm-info.nse                      mcafee-epo-agent.nse             s7-info.nse                     uptime-agent-info.nse
dns-nsec-enum.nse                     http-open-proxy.nse                     membase-brute.nse                samba-vuln-cve-2012-1182.nse    url-snarf.nse
dns-nsid.nse                          http-open-redirect.nse                  membase-http-info.nse            script.db                       ventrilo-info.nse
dns-random-srcport.nse                http-passwd.nse                         memcached-info.nse               servicetags.nse                 versant-info.nse
dns-random-txid.nse                   http-phpmyadmin-dir-traversal.nse       metasploit-info.nse              shodan-api.nse                  vmauthd-brute.nse
dns-recursion.nse                     http-phpself-xss.nse                    metasploit-msgrpc-brute.nse      sip-brute.nse                   vmware-version.nse
dns-service-discovery.nse             http-php-version.nse                    metasploit-xmlrpc-brute.nse      sip-call-spoof.nse              vnc-brute.nse
dns-srv-enum.nse                      http-proxy-brute.nse                    mikrotik-routeros-brute.nse      sip-enum-users.nse              vnc-info.nse
dns-update.nse                        http-put.nse                            mmouse-brute.nse                 sip-methods.nse                 vnc-title.nse
dns-zeustracker.nse                   http-qnap-nas-info.nse                  mmouse-exec.nse                  skypev2-version.nse             voldemort-info.nse
dns-zone-transfer.nse                 http-referer-checker.nse                modbus-discover.nse              smb2-capabilities.nse           vtam-enum.nse
docker-version.nse                    http-rfi-spider.nse                     mongodb-brute.nse                smb2-security-mode.nse          vulners.nse
domcon-brute.nse                      http-robots.txt.nse                     mongodb-databases.nse            smb2-time.nse                   vuze-dht-info.nse
domcon-cmd.nse                        http-robtex-reverse-ip.nse              mongodb-info.nse                 smb2-vuln-uptime.nse            wdb-version.nse
domino-enum-users.nse                 http-robtex-shared-ns.nse               mqtt-subscribe.nse               smb-brute.nse                   weblogic-t3-info.nse
dpap-brute.nse                        http-sap-netweaver-leak.nse             mrinfo.nse                       smb-double-pulsar-backdoor.nse  whois-domain.nse
drda-brute.nse                        http-security-headers.nse               msrpc-enum.nse                   smb-enum-domains.nse            whois-ip.nse
drda-info.nse                         http-server-header.nse                  ms-sql-brute.nse                 smb-enum-groups.nse             wsdd-discover.nse
duplicates.nse                        http-shellshock.nse                     ms-sql-config.nse                smb-enum-processes.nse          x11-access.nse
eap-info.nse                          http-sitemap-generator.nse              ms-sql-dac.nse                   smb-enum-services.nse           xdmcp-discover.nse
enip-info.nse                         http-slowloris-check.nse                ms-sql-dump-hashes.nse           smb-enum-sessions.nse           xmlrpc-methods.nse
epmd-info.nse                         http-slowloris.nse                      ms-sql-empty-password.nse        smb-enum-shares.nse             xmpp-brute.nse
eppc-enum-processes.nse               http-sql-injection.nse                  ms-sql-hasdbaccess.nse           smb-enum-users.nse              xmpp-info.nse

Considering the large number of scripts available, running only the vuln script category against the HTTP service on port 80 is a more efficient approach than scanning with everything. By restricting the scan to vulnerability checks on a single port, we can quickly identify any weaknesses that may be relevant to the flag.

┌──(solo㉿HTB)-[~]
└─$ sudo nmap -sV -script vuln -vv 10.129.33.227 -p 80
Nmap scan report for 10.129.33.227
Host is up, received echo-reply ttl 63 (0.037s latency).
Scanned for 320s

PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
| http-enum: 
|_  /robots.txt: Robots file
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
| vulners: 
|   cpe:/a:apache:http_server:2.4.18: 
|       PACKETSTORM:171631      7.5     https://vulners.com/packetstorm/PACKETSTORM:171631      *EXPLOIT*
|       EDB-ID:51193    7.5     https://vulners.com/exploitdb/EDB-ID:51193      *EXPLOIT*
|       CVE-2023-25690  7.5     https://vulners.com/cve/CVE-2023-25690
|       CVE-2022-31813  7.5     https://vulners.com/cve/CVE-2022-31813
|       CVE-2022-23943  7.5     https://vulners.com/cve/CVE-2022-23943
|       CVE-2022-22720  7.5     https://vulners.com/cve/CVE-2022-22720
|       CVE-2021-44790  7.5     https://vulners.com/cve/CVE-2021-44790
|       CVE-2021-39275  7.5     https://vulners.com/cve/CVE-2021-39275
|       CVE-2021-26691  7.5     https://vulners.com/cve/CVE-2021-26691
|       CVE-2017-7679   7.5     https://vulners.com/cve/CVE-2017-7679
|       CVE-2017-3169   7.5     https://vulners.com/cve/CVE-2017-3169
|       CVE-2017-3167   7.5     https://vulners.com/cve/CVE-2017-3167
|       CNVD-2022-73123 7.5     https://vulners.com/cnvd/CNVD-2022-73123
|       CNVD-2022-03225 7.5     https://vulners.com/cnvd/CNVD-2022-03225
|       CNVD-2021-102386        7.5     https://vulners.com/cnvd/CNVD-2021-102386
|       5C1BB960-90C1-5EBF-9BEF-F58BFFDFEED9    7.5     https://vulners.com/githubexploit/5C1BB960-90C1-5EBF-9BEF-F58BFFDFEED9  *EXPLOIT*
|       1337DAY-ID-38427        7.5     https://vulners.com/zdt/1337DAY-ID-38427        *EXPLOIT*
|       EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB    7.2     https://vulners.com/exploitpack/EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB    *EXPLOIT*
|       EDB-ID:46676    7.2     https://vulners.com/exploitdb/EDB-ID:46676      *EXPLOIT*
|       CVE-2019-0211   7.2     https://vulners.com/cve/CVE-2019-0211
|       1337DAY-ID-32502        7.2     https://vulners.com/zdt/1337DAY-ID-32502        *EXPLOIT*
|       FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8    6.8     https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8  *EXPLOIT*
|       CVE-2021-40438  6.8     https://vulners.com/cve/CVE-2021-40438
|       CVE-2020-35452  6.8     https://vulners.com/cve/CVE-2020-35452
|       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312
|       CVE-2017-15715  6.8     https://vulners.com/cve/CVE-2017-15715
|       CVE-2016-5387   6.8     https://vulners.com/cve/CVE-2016-5387
|       CNVD-2022-03224 6.8     https://vulners.com/cnvd/CNVD-2022-03224
|       8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2    6.8     https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2  *EXPLOIT*
|       4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332    6.8     https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332  *EXPLOIT*
|       4373C92A-2755-5538-9C91-0469C995AA9B    6.8     https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B  *EXPLOIT*
|       0095E929-7573-5E4A-A7FA-F6598A35E8DE    6.8     https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE  *EXPLOIT*
|       CVE-2022-28615  6.4     https://vulners.com/cve/CVE-2022-28615
|       CVE-2021-44224  6.4     https://vulners.com/cve/CVE-2021-44224
|       CVE-2019-10082  6.4     https://vulners.com/cve/CVE-2019-10082
|       CVE-2017-9788   6.4     https://vulners.com/cve/CVE-2017-9788
|       CVE-2019-0217   6.0     https://vulners.com/cve/CVE-2019-0217
|       CVE-2022-22721  5.8     https://vulners.com/cve/CVE-2022-22721
|       CVE-2020-1927   5.8     https://vulners.com/cve/CVE-2020-1927
|       CVE-2019-10098  5.8     https://vulners.com/cve/CVE-2019-10098
|       1337DAY-ID-33577        5.8     https://vulners.com/zdt/1337DAY-ID-33577        *EXPLOIT*
|       CVE-2022-36760  5.1     https://vulners.com/cve/CVE-2022-36760
|       SSV:96537       5.0     https://vulners.com/seebug/SSV:96537    *EXPLOIT*
|       EXPLOITPACK:C8C256BE0BFF5FE1C0405CB0AA9C075D    5.0     https://vulners.com/exploitpack/EXPLOITPACK:C8C256BE0BFF5FE1C0405CB0AA9C075D    *EXPLOIT*
|       EXPLOITPACK:2666FB0676B4B582D689921651A30355    5.0     https://vulners.com/exploitpack/EXPLOITPACK:2666FB0676B4B582D689921651A30355    *EXPLOIT*
|       EDB-ID:42745    5.0     https://vulners.com/exploitdb/EDB-ID:42745      *EXPLOIT*
|       EDB-ID:40909    5.0     https://vulners.com/exploitdb/EDB-ID:40909      *EXPLOIT*
|       CVE-2022-37436  5.0     https://vulners.com/cve/CVE-2022-37436
|       CVE-2022-30556  5.0     https://vulners.com/cve/CVE-2022-30556
|       CVE-2022-29404  5.0     https://vulners.com/cve/CVE-2022-29404
|       CVE-2022-28614  5.0     https://vulners.com/cve/CVE-2022-28614
|       CVE-2022-26377  5.0     https://vulners.com/cve/CVE-2022-26377
|       CVE-2022-22719  5.0     https://vulners.com/cve/CVE-2022-22719
|       CVE-2021-34798  5.0     https://vulners.com/cve/CVE-2021-34798
|       CVE-2021-33193  5.0     https://vulners.com/cve/CVE-2021-33193
|       CVE-2021-26690  5.0     https://vulners.com/cve/CVE-2021-26690
|       CVE-2020-1934   5.0     https://vulners.com/cve/CVE-2020-1934
|       CVE-2019-17567  5.0     https://vulners.com/cve/CVE-2019-17567
|       CVE-2019-0220   5.0     https://vulners.com/cve/CVE-2019-0220
|       CVE-2019-0196   5.0     https://vulners.com/cve/CVE-2019-0196
|       CVE-2018-17199  5.0     https://vulners.com/cve/CVE-2018-17199
|       CVE-2018-17189  5.0     https://vulners.com/cve/CVE-2018-17189
|       CVE-2018-1333   5.0     https://vulners.com/cve/CVE-2018-1333
|       CVE-2018-1303   5.0     https://vulners.com/cve/CVE-2018-1303
|       CVE-2017-9798   5.0     https://vulners.com/cve/CVE-2017-9798
|       CVE-2017-15710  5.0     https://vulners.com/cve/CVE-2017-15710
|       CVE-2016-8743   5.0     https://vulners.com/cve/CVE-2016-8743
|       CVE-2016-8740   5.0     https://vulners.com/cve/CVE-2016-8740
|       CVE-2016-4979   5.0     https://vulners.com/cve/CVE-2016-4979
|       CVE-2006-20001  5.0     https://vulners.com/cve/CVE-2006-20001
|       CNVD-2022-73122 5.0     https://vulners.com/cnvd/CNVD-2022-73122
|       CNVD-2022-53584 5.0     https://vulners.com/cnvd/CNVD-2022-53584
|       CNVD-2022-53582 5.0     https://vulners.com/cnvd/CNVD-2022-53582
|       CNVD-2022-03223 5.0     https://vulners.com/cnvd/CNVD-2022-03223
|       1337DAY-ID-28573        5.0     https://vulners.com/zdt/1337DAY-ID-28573        *EXPLOIT*
|       CVE-2020-11985  4.3     https://vulners.com/cve/CVE-2020-11985
|       CVE-2019-10092  4.3     https://vulners.com/cve/CVE-2019-10092
|       CVE-2018-1302   4.3     https://vulners.com/cve/CVE-2018-1302
|       CVE-2018-1301   4.3     https://vulners.com/cve/CVE-2018-1301
|       CVE-2018-11763  4.3     https://vulners.com/cve/CVE-2018-11763
|       CVE-2016-4975   4.3     https://vulners.com/cve/CVE-2016-4975
|       CVE-2016-1546   4.3     https://vulners.com/cve/CVE-2016-1546
|       4013EC74-B3C1-5D95-938A-54197A58586D    4.3     https://vulners.com/githubexploit/4013EC74-B3C1-5D95-938A-54197A58586D  *EXPLOIT*
|       1337DAY-ID-33575        4.3     https://vulners.com/zdt/1337DAY-ID-33575        *EXPLOIT*
|       CVE-2018-1283   3.5     https://vulners.com/cve/CVE-2018-1283
|       CVE-2016-8612   3.3     https://vulners.com/cve/CVE-2016-8612
|_      PACKETSTORM:152441      0.0     https://vulners.com/packetstorm/PACKETSTORM:152441      *EXPLOIT*
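Reading eighty-odd vulners rows by eye is error-prone, so here is an added example (not part of the original write-up or of Nmap) that parses the normal-output text of the http-enum and vulners scripts shown above and produces a triage list. The excerpt it runs on is constructed for the example from a handful of the rows in that scan; the Finding class, parse_scan and triage are names chosen here.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the format of the http-enum and vulners NSE output above
# (ids and scores taken from that scan; the excerpt itself is assembled for this example).
SAMPLE = """\
| http-enum: 
|_  /robots.txt: Robots file
| vulners: 
|   cpe:/a:apache:http_server:2.4.18: 
|       EDB-ID:51193    7.5     https://vulners.com/exploitdb/EDB-ID:51193      *EXPLOIT*
|       CVE-2023-25690  7.5     https://vulners.com/cve/CVE-2023-25690
|       CVE-2019-0211   7.2     https://vulners.com/cve/CVE-2019-0211
|       CVE-2018-1283   3.5     https://vulners.com/cve/CVE-2018-1283
|_      PACKETSTORM:152441      0.0     https://vulners.com/packetstorm/PACKETSTORM:152441      *EXPLOIT*
"""

@dataclass
class Finding:
    ident: str     # CVE / EDB / PACKETSTORM identifier as printed by vulners
    score: float   # CVSS score column
    url: str
    exploit: bool  # True when the row carries the *EXPLOIT* marker

CPE_RE = re.compile(r"^\|\s+(cpe:/\S+):\s*$")
ROW_RE = re.compile(r"^\|_?\s+(\S+)\s+(\d+\.\d+)\s+(https?://\S+)(\s+\*EXPLOIT\*)?\s*$")
ENUM_RE = re.compile(r"^\|_?\s+(/\S*):\s")

def parse_scan(text):
    """Return (http-enum paths, {cpe: [Finding, ...] sorted by score desc}) from nmap normal output."""
    paths, vulners, cpe, block = [], {}, None, None
    for line in text.splitlines():
        if line.startswith("| "):                # "| <script>:" opens a script block
            name = line[2:].split(":", 1)[0]
            block = name if name in ("http-enum", "vulners") else block
        if block == "http-enum" and (m := ENUM_RE.match(line)):
            paths.append(m.group(1))
        elif block == "vulners":
            if m := CPE_RE.match(line):
                cpe = m.group(1); vulners[cpe] = []
            elif cpe and (m := ROW_RE.match(line)):
                vulners[cpe].append(Finding(m.group(1), float(m.group(2)), m.group(3), m.group(4) is not None))
        if line.startswith("|_"):                # "|_" marks the last line of a script block
            block = None
    for rows in vulners.values():
        rows.sort(key=lambda f: f.score, reverse=True)
    return paths, vulners

def triage(vulners, min_score=7.0):
    """Per CPE: high-scoring CVEs, every id flagged with a public exploit, and the top score."""
    return {cpe: {"high": [f.ident for f in rows if f.score >= min_score and f.ident.startswith("CVE-")],
                  "exploit": [f.ident for f in rows if f.exploit],
                  "max_score": max((f.score for f in rows), default=0.0)}
            for cpe, rows in vulners.items()}
```

Note that vulners keys its rows on the CPE that Nmap derived from the banner (Apache 2.4.18 here), so a back-ported distribution patch can leave a listed CVE already fixed; the triage output is a starting point for verification, not a confirmed vulnerability list.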

Based on the provided output, it appears that there is a text file named “robots.txt” located on port 80. Let’s directly connect to http://10.129.33.227/robots.txt and investigate the contents of the file. By accessing this URL, we can gather more information that might be relevant to our task.

User-agent: *

Allow: /

HTB{873nniuc71bu6usbs1i96as6dsv26}

Answer: HTB{873nniuc71bu6usbs1i96as6dsv26}

Conclusion

This module offers an exceptional opportunity for individuals seeking to acquire proficient skills in utilizing Nmap, an indispensable tool that holds immense value for professionals in the realm of Cyber Security. Mastery of Nmap is highly recommended for anyone aspiring to excel in this field, making this module an essential resource for knowledge acquisition.