06.PREIGNITION (WEB FORM LOGIN)

Custom Applications, Apache, Reconnaissance, Web Site Structure Discovery, Default Credentials

root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn

ENUMERATE SERVICES

root@htb:~$ nmap -sV -T4 {targetIP} -p-
 PORT   STATE SERVICE VERSION
 80/tcp open  http    nginx 1.14.2

VULNERABILITY SCANNING

root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 80
 PORT   STATE SERVICE VERSION
 80/tcp open  http    nginx 1.14.2
 |_http-title: Welcome to nginx!
 |_http-server-header: nginx/1.14.2


 * the -sC flag runs Nmap's default set of NSE scripts (the "default" category), which
   perform basic service enumeration checks such as the http-title and http-server-header
   results above; detailed version detection itself comes from -sV.
   
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 80
 PORT   STATE SERVICE
 80/tcp open  http
 |_http-csrf: Couldn't find any CSRF vulnerabilities.
 |_http-dombased-xss: Couldn't find any DOM based XSS.
 |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
 | http-vuln-cve2011-3192: 
 |   VULNERABLE:
 |   Apache byterange filter DoS
 |     State: VULNERABLE
 |     IDs:  CVE:CVE-2011-3192  BID:49303
 |       The Apache web server is vulnerable to a denial of service attack when numerous
 |       overlapping byte ranges are requested.
 |     Disclosure date: 2011-08-19
 |     References:
 |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
 |       https://seclists.org/fulldisclosure/2011/Aug/175
 |       https://www.tenable.com/plugins/nessus/55976
 |_      https://www.securityfocus.com/bid/49303
 | http-enum: 
 |_  /admin.php: Possible admin folder

 * the --script=vuln option runs the NSE scripts in the "vuln" category, which focus
   specifically on detecting known vulnerabilities and weak configurations in the
   service on the scanned port (here the web server on port 80)
    - if no results are found, the service may be fully patched, but that only means no
      script matched, so it is not proof the service is safe
    - a hit still needs manual verification against the server actually running: the
      http-vuln-cve2011-3192 check above is written for Apache, yet it fired against a
      host whose banner is nginx/1.14.2
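Both the -sC and the --script=vuln output above share one layout: a port table followed by NSE script blocks, each opened by a `|_name:` or `| name:` line and continued by more-indented `|` lines. The following Python script is an added example, not part of the Preignition writeup, that parses that layout into structured objects and then lists the results a reviewer should look at first: any script reporting `State: VULNERABLE` and any path discovered by http-enum. The two sample transcripts in the block are constructed to mirror the scans shown above; nothing else is assumed.

```python
"""Parse Nmap normal-format output into structured findings.

Added example (not part of the Preignition writeup): it reads the text
Nmap prints for -sV / -sC / --script=vuln scans, pulls out each open
port, its service and version, and every NSE script block, and then
flags the results a reviewer should verify first: scripts reporting
"State: VULNERABLE" and paths discovered by http-enum. The two sample
transcripts below are constructed to mirror the scans shown above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# "80/tcp open  http    nginx 1.14.2" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "|_http-title: ..." or "| http-enum:" opens a script block; continuation
# lines such as "|   State: VULNERABLE" carry extra indentation after the bar,
# so the name group cannot match them.
SCRIPT_RE = re.compile(r"^\|(?:_| )([\w-]+):\s?(.*)$")


@dataclass
class ScriptResult:
    name: str
    summary: str                       # text on the script's opening line
    details: list[str] = field(default_factory=list)

    @property
    def vulnerable(self) -> bool:
        return any(d == "State: VULNERABLE" for d in self.details)


@dataclass
class PortResult:
    port: int
    proto: str
    state: str
    service: str
    version: str
    scripts: list[ScriptResult] = field(default_factory=list)


def parse_nmap(text: str) -> list[PortResult]:
    """Return one PortResult per port line, with its NSE script blocks attached."""
    ports: list[PortResult] = []
    port: PortResult | None = None
    script: ScriptResult | None = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            port = PortResult(int(m[1]), m[2], m[3], m[4], m[5].strip())
            ports.append(port)
            script = None
            continue
        if port is None or not line.startswith("|"):
            continue  # table header, banners, blank lines
        m = SCRIPT_RE.match(line)
        if m:
            script = ScriptResult(m[1], m[2].strip())
            port.scripts.append(script)
        elif script is not None:
            # continuation line: drop the "|" / "|_" marker and indentation
            script.details.append(line.lstrip("|_").strip())
    return ports


def findings(ports: list[PortResult]) -> list[tuple[int, str, str]]:
    """(port, script, note) triples that deserve manual verification."""
    out: list[tuple[int, str, str]] = []
    for p in ports:
        for s in p.scripts:
            if s.vulnerable:
                out.append((p.port, s.name, "VULNERABLE"))
            if s.name == "http-enum":
                out.extend((p.port, s.name, d) for d in s.details)
    return out


# Constructed transcripts mirroring the -sV -sC and --script=vuln scans above.
SAMPLE_SC = """\
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.14.2
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.14.2
"""

SAMPLE_VULN = """\
PORT   STATE SERVICE
80/tcp open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-vuln-cve2011-3192:
|   VULNERABLE:
|   Apache byterange filter DoS
|     State: VULNERABLE
|     IDs:  CVE:CVE-2011-3192  BID:49303
|     Disclosure date: 2011-08-19
| http-enum:
|_  /admin.php: Possible admin folder
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SC, SAMPLE_VULN):
        ports = parse_nmap(sample)
        for p in ports:
            print(f"{p.port}/{p.proto} {p.state} {p.service} {p.version}".rstrip())
            for s in p.scripts:
                print(f"  {s.name}: {s.summary or '(see details)'}")
        for port, name, note in findings(ports):
            print(f"  !! {port} {name}: {note}")
```

Run it directly to print both parsed scans; the `findings` list for the vuln scan contains exactly the two items worth a human's attention (the CVE-2011-3192 hit and the /admin.php path), while the -sC scan yields none. Feeding it a saved `nmap -oN` file instead of the embedded samples needs no changes, since the banner and "Nmap scan report" lines are skipped.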

FOOTHOLD/COMPROMISE

Submit root flag
