Nmap

22 and 80

ports=$(nmap -p- --min-rate=1000 -T4 10.10.11.177 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV 10.10.11.177
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-30 21:23 IST
Nmap scan report for 10.10.11.177
Host is up (0.20s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 9e:1f:98:d7:c8:ba:61:db:f1:49:66:9d:70:17:02:e7 (RSA)
|   256 c2:1c:fe:11:52:e3:d7:e5:f7:59:18:6b:68:45:3f:62 (ECDSA)
|_  256 5f:6e:12:67:0a:66:e8:e2:b7:61:be:c4:14:3a:d3:8e (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Is my Website up ?
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The website checks whether a site is up.

I had it send an HTTP request to my nc listener on port 80:

sudo nc -nvlp  80
[sudo] password for kali: 
listening on [any] 80 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.11.177] 55930
GET / HTTP/1.1
Host: 10.10.14.12
User-Agent: siteisup.htb
Accept: */*

dirs

vhost fuzzing:

ffuf -u http://siteisup.htb -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H 'Host: FUZZ.siteisup.htb' -fs 1131 -s
Found dev, but it returns a 403 (no access).

dir fuzzing:

Got /dev, which is nothing. Ran gobuster on that: got /.git

trivia:

I can connect to ftp://myip with an nc listener via the URL status form.

.git

Use git-dumper to fetch /dev/.git and look around.

Found an LFI vuln here:

File: index.php

<b>This is only for developers</b>
<br>
<a href="?page=admin">Admin Panel</a>
<?php
    define("DIRECTACCESS",false);
    $page=$_GET['page'];
    if($page && !preg_match("/bin|usr|home|var|etc/i",$page)){
        include($_GET['page'] . ".php");
    }else{
        include("checker.php");
    }
?>

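!preg_match("/bin|usr|home|var|etc/i",$page) is a blacklist approach to filtering user input rather than a whitelist: it only rejects values that contain one of those five strings. Anything else is then passed straight to include() with ".php" appended.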
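
One way to replace the blacklist with an allow-list, shown next to the original filter so the difference is visible. This is an added example, not code from the dumped repository; blacklist_allows, resolve_page and the PAGES map are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Added example, not part of the dumped repository.

// The filter from index.php as written: true means the value reaches include().
function blacklist_allows(string $page): bool
{
    return $page && !preg_match("/bin|usr|home|var|etc/i", $page);
}

// Allow-list: accepted ?page= values map to fixed files. "admin" and "checker"
// are the two names visible in index.php; keeping them in the same directory
// as index.php is an assumption taken from the original include() calls.
const PAGES = [
    'admin'   => __DIR__ . '/admin.php',
    'checker' => __DIR__ . '/checker.php',
];

// User input is only ever a lookup key, never part of a path.
function resolve_page($requested): string
{
    // Missing values and arrays (?page[]=x) fall back to the default page.
    if (!is_string($requested)) {
        return PAGES['checker'];
    }
    // Strict key lookup: traversal sequences, absolute paths, stream wrappers
    // and case variants are simply not keys in PAGES.
    return PAGES[$requested] ?? PAGES['checker'];
}

// In index.php the include would become:
//   include resolve_page($_GET['page'] ?? null);

// Constructed inputs for a command-line comparison (php thisfile.php).
if (PHP_SAPI === 'cli') {
    foreach (['admin', 'ADMIN', '../checker', '/opt/app/config', ''] as $in) {
        printf(
            "%-18s blacklist=%-5s allow-list=%s\n",
            var_export($in, true),
            blacklist_allows($in) ? 'pass' : 'block',
            basename(resolve_page($in))
        );
    }
}
```

Every non-empty sample passes the blacklist because none contains bin, usr, home, var or etc, while the allow-list resolves only the exact key admin to admin.php and sends everything else to checker.php.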

  1. Reading Source Code (e.g., index.php itself)