Photobomb - HTB [Discussion]
Good luck!
Reply
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
| 256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_ 256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Photobomb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
============
update got this from js file!

http://photobomb.htb/printer/welcome
pH0t0:b0Mb!
Reply
Why aren't there any scan results with nmap?


(October 8, 2022, 07:00 PM)nhocit Wrote: PORT  STATE SERVICE VERSION
22/tcp open  ssh    OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|  3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
|  256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_  256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Photobomb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
============
update got this from js file!

http://photobomb.htb/printer/welcome
pH0t0:b0Mb!


What nmap command did you use? I tried `nmap -sC -sV IP -Pn` but it's not showing anything.
Reply
(October 8, 2022, 07:13 PM)achillescarter Wrote: Why aren't there any scan results with nmap?


(October 8, 2022, 07:00 PM)nhocit Wrote: PORT  STATE SERVICE VERSION
22/tcp open  ssh    OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|  3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
|  256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_  256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Photobomb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
============
update got this from js file!

http://photobomb.htb/printer/welcome
pH0t0:b0Mb!


What nmap command did you use? I tried `nmap -sC -sV IP -Pn` but it's not showing anything.

nmap -sC -sV -A photobomb.htb
Reply
https://security.snyk.io/vuln/SNYK-RUBY-SINATRA-22017
Reply
(October 8, 2022, 07:48 PM)achillescarter Wrote: https://security.snyk.io/vuln/SNYK-RUBY-SINATRA-22017


I don't think this works; it doesn't work for me, unless you got it working? It gives me a 400.

I also think there is something preventing this from happening:

        #
        # Unescapes '/' and '.', expands +path_info+.
        # Thus <tt>GET /foo/%2e%2e%2fbar</tt> becomes <tt>GET /bar</tt>.
        # (Excerpt of the PathTraversal middleware from the rack-protection gem.)
        class PathTraversal < Base
          def call(env)
            path_was        = env["PATH_INFO"]
            # Normalise the path the inner app sees; the private +cleanup+
            # helper is defined further down in the gem and is not part of
            # this excerpt.
            env["PATH_INFO"] = cleanup path_was if path_was && !path_was.empty?

            app.call env

          ensure
            # Restore the original PATH_INFO for middleware above this one.
            env["PATH_INFO"] = path_was
          end
        end

but then again I could be reading it wrong lmao
Reply
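As an added illustration, not code from the thread or from the rack-protection gem, the script below re-implements the PATH_INFO normalisation that Rack::Protection::PathTraversal performs and runs it over a few constructed request paths, so you can see what the Sinatra app actually routes once an encoded `..` has been collapsed. The `cleanup_path` helper is an assumed approximation of the gem's private `cleanup`, and the sample paths are constructed.

```ruby
# Added example (not from the thread or from the rack-protection gem):
# re-implements the PATH_INFO normalisation that Rack::Protection::PathTraversal
# performs before a request reaches the Sinatra app.
# Approximation of the gem's private `cleanup` helper (assumed, not copied):
#  1. decode %2e, %2f and %5c case-insensitively to '.', '/' and '\'
#  2. treat a backslash as a path separator
#  3. drop empty and '.' segments; '..' pops the previous segment, and popping
#     an empty list is a no-op, so the result can never climb above '/'
def cleanup_path(path)
  unescaped = path.gsub(/%2e/i, '.').gsub(/%2f/i, '/').gsub(/%5c/i, '/')
  unescaped = unescaped.gsub(/\\/, '/')

  parts = []
  unescaped.split('/').each do |part|
    next if part.empty? || part == '.'
    part == '..' ? parts.pop : parts << part
  end

  cleaned = '/' + parts.join('/')
  cleaned << '/' if parts.any? && unescaped =~ %r{/\.{0,2}$}
  cleaned
end

# Same shape as the quoted middleware: rewrite PATH_INFO for the inner app,
# then restore the original value for anything further up the stack.
def with_path_traversal_protection(env, &app)
  path_was = env['PATH_INFO']
  env['PATH_INFO'] = cleanup_path(path_was) if path_was && !path_was.empty?
  app.call(env)
ensure
  env['PATH_INFO'] = path_was
end

# Constructed request paths: what was sent versus what the app ends up routing.
SAMPLE_PATHS = [
  '/printer/welcome',          # ordinary path, left alone
  '/foo/%2e%2e%2fbar',         # the case from Rack's own comment -> /bar
  '/%2e%2e/%2e%2e/%2e%2e/bar', # cannot climb above the root -> /bar
  '/static/..%5c..%5cbar',     # backslash variant -> /bar
  '/foo/bar/',                 # trailing slash is preserved
]

if __FILE__ == $PROGRAM_NAME
  SAMPLE_PATHS.each do |raw|
    env = { 'PATH_INFO' => raw }
    seen = with_path_traversal_protection(env) { |e| e['PATH_INFO'] }
    puts "#{raw.ljust(28)} -> app sees #{seen}"
  end
end
```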
(October 8, 2022, 07:51 PM)rolo Wrote:
(October 8, 2022, 07:48 PM)achillescarter Wrote: https://security.snyk.io/vuln/SNYK-RUBY-SINATRA-22017

I don't think this works; it doesn't work for me, unless you got it working? It gives me a 400.

I also think there is something preventing this from happening:

        #
        # Unescapes '/' and '.', expands +path_info+.
        # Thus <tt>GET /foo/%2e%2e%2fbar</tt> becomes <tt>GET /bar</tt>.
        # (Excerpt of the PathTraversal middleware from the rack-protection gem.)
        class PathTraversal < Base
          def call(env)
            path_was        = env["PATH_INFO"]
            # Normalise the path the inner app sees; the private +cleanup+
            # helper is defined further down in the gem and is not part of
            # this excerpt.
            env["PATH_INFO"] = cleanup path_was if path_was && !path_was.empty?

            app.call env

          ensure
            # Restore the original PATH_INFO for middleware above this one.
            env["PATH_INFO"] = path_was
          end
        end

but then again I could be reading it wrong lmao

Do you have any other idea how to attack this web app?
Reply
(October 8, 2022, 07:00 PM)nhocit Wrote: PORT  STATE SERVICE VERSION
22/tcp open  ssh    OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|  3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
|  256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_  256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Photobomb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
============
update got this from js file!

http://photobomb.htb/printer/welcome
pH0t0:b0Mb!


Where was the js file? gobuster isn't picking any up.
Reply
(October 8, 2022, 08:00 PM)Lasagna217 Wrote:
(October 8, 2022, 07:00 PM)nhocit Wrote: PORT  STATE SERVICE VERSION
22/tcp open  ssh    OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|  3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
|  256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_  256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Photobomb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
============
update got this from js file!

http://photobomb.htb/printer/welcome
pH0t0:b0Mb!


Where was the js file? gobuster isn't picking any up.


view-source
Reply
(October 8, 2022, 08:00 PM)Lasagna217 Wrote:
(October 8, 2022, 07:00 PM)nhocit Wrote: PORT  STATE SERVICE VERSION
22/tcp open  ssh    OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|  3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
|  256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_  256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Photobomb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
============
update got this from js file!

http://photobomb.htb/printer/welcome
pH0t0:b0Mb!


Where was the js file? gobuster isn't picking any up.

It's in the source of the main page.
Reply