04.INCLUDED

root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn

root@htb:~$ sudo nmap -sV -sC -T4 {targetIP} -p-
 PORT     STATE SERVICE       VERSION
 80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
 | http-title: Site doesn't have a title (text/html; charset=UTF-8).
 |_Requested resource was http://10.129.95.185/?file=home.php
 |_http-server-header: Apache/2.4.29 (Ubuntu)

 * Typically '-sV' is used with Nmap to determine versions, but that's not always enough. 
    - adding the -sC is another good way to determine service versions
       - the -sC option will run safe scripts which are designed to provide useful 
         information without being too intrusive or causing harm to the target systems.
 * the -SC runs the default set of Nmap scripts (NSE scripts), which typically include
   scripts for service enumeration, version detection, and other basic checks.
         
 * use the -Pn option of Nmap when ICMP packets are blocked by the Windows firewall
    - the -PN option treats all hosts as online and will skip host discovery

root@htb:~$ sudo nmap --script=vuln {targetIP} -p 22,6789,8080,8443,8843,8880
 PORT   STATE SERVICE
 80/tcp open  http
 |_http-dombased-xss: Couldn't find any DOM based XSS.
 |_http-csrf: Couldn't find any CSRF vulnerabilities.
 |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
 | http-internal-ip-disclosure: 
 |_  Internal IP Leaked: 127.0.1.1
 | http-enum: 
 |_  /images/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'

 * the --script=vuln will run scripts that focus specifically on detecting known 
   vulnerabilities in the service running on port 6379
    - e.g., weak configurations, or known vulnerabilities in the redis service
       - if no results are found then the service may be fully patched!