# full TCP sweep first, then collect the open port numbers as a comma-separated list for the version scan
ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.121 | grep '^[0-9]' | cut -d '/' -f 1 |
tr '\n' ',' | sed s/,$//)
nmap -p$ports -sV 10.10.10.121
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-01 18:19 IST
Nmap scan report for 10.10.10.121
Host is up (0.21s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18
3000/tcp open http Node.js Express framework
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Checking the port 80 web page: it is just the default Apache landing page.
Use a directory brute-force:
gobuster dir -w directory-list-2.3-medium.txt -t 100 -u http://help.htb/
Found the /support directory.
Version: 1.0.2
searchsploit says it is vulnerable to arbitrary file upload.
Tried raising a ticket with a PHP reverse shell attached; it didn't work.
So copy the searchsploit exploit out with -m and the file path, then edit it.
Find where uploads end up by uploading a genuine image first.
Probably need to log in to view the ticket? The GitHub directory structure (uploads/dir..) is in https://github.com/ViktorNova/HelpDeskZ/tree/master/
Leave this till the end.
curl -I shows the Express framework, and something about a query?
A bit of Express knowledge:
Express.js itself does not have a built-in "query language" in the way a database language like SQL or a dedicated API query language like GraphQL does. Instead, Express.js provides mechanisms to read query parameters from client requests (req.query) and to integrate with whatever database or API query language the application uses.