HacktheBox - Bounty - retired - update Recon I've been using threader3000 to do my recon scans lately. It does a super quick up/down scan on all TCP ports, then suggests a nmap scan to run based just on the open ports returned from the first scan. It will save the results of the nmap scan as an XML that I then convert to HTML to make it pretty. xsltproc ./bounty.htb/bounty.htb.xml -o ./bounty.html Just port 80 open, nmap says its IIS 7.5.. So a windows box for a change. Let's see what is happening when we browse to the site. Weird just a picture of merlin from sword in the stone. Let's try to brute force with drib and see if we can find anything interesting. First I just did the default drib scan and we did find a couple of interesting directories. dirb http://bounty.htb It found /aspnet_client/ /aspnet_client/system_web/ /uploadedfiles / Unfortunately we can't browse to any of the directories, but I always love to see anything with the word upload in it. Since this i
@circusmonkey404 on the twitters; DM for contact