root@rumais:~# inspect nax

Nax

Web-focused room covering application testing, content discovery, and common attack paths. This page combines the local notes, supporting artifacts, and a cleaned-up summary of the room path.

Room Details

Primary writeup exists in local notes. This room is grouped under Web and App Security.

Web and App Security | 1 markdown source | 1 command artifact

Summary

Use the recovered artifacts below as the evidence base for enumeration, access development, and post-exploitation review.

Notes

Recon

  • The web application is the main attack surface, so content discovery, login behavior, and hidden paths matter immediately.
  • Nax rewards careful note-taking and stepwise validation rather than trial-and-error execution.

Initial Access

  • The intended foothold comes from chaining application flaws, exposed content, or weak credentials into code execution or authenticated access.
  • The room path becomes clear once the recovered artifacts and service behavior are linked together.

Privilege Escalation

  • Once the app is compromised, the next step is to stabilize host access and enumerate for the final path to proof material.
  • After the foothold, local context matters more than noisy exploitation.

Security Notes

  • The defensive lesson is that web compromise rarely stays in the web tier when secrets, upload paths, or admin functions are exposed.

Collected Output

nmap-initial

# Nmap 7.91 scan initiated Mon Sep 27 20:53:07 2021 as: nmap -sC -sV -oN nmap-initial -T3 10.10.242.96
Nmap scan report for 10.10.242.96
Host is up (0.29s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 62:1d:d9:88:01:77:0a:52:bb:59:f9:da:c1:a6:e3:cd (RSA)
|   256 af:67:7d:24:e5:95:f4:44:72:d1:0c:39:8d:cc:21:15 (ECDSA)
|_  256 20:28:15:ef:13:c8:9f:b8:a7:0f:50:e6:2f:3b:1e:57 (ED25519)
25/tcp  open  smtp     Postfix smtpd
|_smtp-commands: ubuntu.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2020-03-23T23:42:04
|_Not valid after:  2030-03-21T23:42:04
|_ssl-date: TLS randomness does not represent time
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
389/tcp open  ldap     OpenLDAP 2.2.X - 2.3.X
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=192.168.85.153/organizationName=Nagios Enterprises/stateOrProvinceName=Minnesota/countryName=US
| Not valid before: 2020-03-24T00:14:58
|_Not valid after:  2030-03-22T00:14:58
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
Service Info: Host:  ubuntu.localdomain; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 27 20:53:55 2021 -- 1 IP address (1 host up) scanned in 48.75 seconds
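
The Security Notes point, applied to the nmap-initial output above: this added Python example (not part of the original notes or the room's materials) reads saved `-oN` output and lists what else is reachable on the host that serves the web application. The function names and the WEB_SERVICES set are this example's own assumptions; the sample is a trimmed excerpt of the scan above.

```python
import re

# Trimmed excerpt of the nmap-initial output on this page, embedded so the block runs offline.
SAMPLE = """\
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
25/tcp  open  smtp     Postfix smtpd
|_smtp-commands: ubuntu.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
389/tcp open  ldap     OpenLDAP 2.2.X - 2.3.X
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
| ssl-cert: Subject: commonName=192.168.85.153/organizationName=Nagios Enterprises/stateOrProvinceName=Minnesota/countryName=US
|_Not valid after:  2030-03-22T00:14:58
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|[_ ]?\s*([\w-]+):\s*(.*)$")  # "| name: value" or "|_name: value"
WEB_SERVICES = {"http", "https", "ssl/http"}  # assumption: what counts as the web tier

def parse_services(text):
    """Return one dict per open port with its NSE script output attached."""
    services = []
    for line in text.splitlines():
        port = PORT_RE.match(line)
        if port:
            services.append({"port": int(port[1]), "proto": port[2], "service": port[3],
                             "version": port[4].strip(), "scripts": {}})
        elif services and (script := SCRIPT_RE.match(line)):
            # Continuation lines such as "Not valid after" do not match and are skipped.
            services[-1]["scripts"].setdefault(script[1], script[2].strip())
    return services

def exposure_findings(services):
    """List what is reachable on this host beyond the web tier itself."""
    findings = []
    for svc in services:
        tag, scripts = f"{svc['port']}/{svc['proto']}", svc["scripts"]
        if svc["service"] not in WEB_SERVICES:
            findings.append(f"{tag}: non-web service '{svc['service']}' on the web host")
        commands = [c.strip() for c in scripts.get("smtp-commands", "").split(",")]
        if "VRFY" in commands:
            findings.append(f"{tag}: SMTP VRFY enabled")
        org = re.search(r"organizationName=([^/]+)", scripts.get("ssl-cert", ""))
        if org:
            findings.append(f"{tag}: TLS subject names '{org[1]}'")
    return findings

if __name__ == "__main__":
    print("\n".join(exposure_findings(parse_services(SAMPLE))))
```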