1. Enumeration:
- Nmap scan: http (80), https (443), http-proxy (8080) are open
Web Enumeration:
- PORT 80:
- PORT 443:
- PORT 8080:
Gobuster:
$ gobuster dir -u https://reel2.htb/ -w /usr/share/dirb/wordlists/big.txt -b 404,403 -k
/ews (Status: 301)
/exchange (Status: 302)
/exchweb (Status: 302)
/owa (Status: 301)
/public (Status: 302)
/rpc (Status: 401)
/owa is Outlook Web App and needs login creds.
Let's go back to port 8080 and sign up.
Let's gather all the usernames found there:
admin1
sven
svensson
cube
egre55
cube0x0
lars
larsson
jeenny
adams
teresa
trump
wtf
admin
Let's put them in a list (names.txt).
Let's use this Python script on names.txt to generate username combinations from them:
#!/usr/bin/env python3
import sys
import os.path

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: {} names.txt".format(sys.argv[0]))
        sys.exit(0)
    if not os.path.exists(sys.argv[1]):
        print("{} not found".format(sys.argv[1]))
        sys.exit(0)
    for line in open(sys.argv[1]):
        # keep only letters and spaces, then split into first/last name tokens
        name = ''.join([c for c in line if c == " " or c.isalpha()])
        tokens = name.lower().split()
        # skip empty lines
        if len(tokens) < 1:
            continue
        fname = tokens[0]
        # for single-word names lname == fname, so some of the outputs below repeat
        lname = tokens[-1]
        print(fname + lname)          # johndoe
        print(lname + fname)          # doejohn
        print(fname + "." + lname)    # john.doe
        print(lname + "." + fname)    # doe.john
        print(lname + fname[0])       # doej
        print(fname[0] + lname)       # jdoe
        print(lname[0] + fname)       # djohn
        print(fname[0] + "." + lname) # j.doe
        print(lname[0] + "." + fname) # d.john
        print(fname)                  # john
        print(lname)                  # doe
$ ./script.py names.txt > result.txt