pyLoader
Nov 10 2023
Target:
[LAB_IP]
Prep
Open Resources
General Mind Map: https://xmind.app/m/QsNUEz/
Confirm Docker is installed and set rustscan as an alias (or add it to your bashrc / fish config), since it can scan all ports and services in 10 seconds
alias rustscan='sudo docker run -it --rm --name rustscan rustscan/rustscan:2.1.1 -a'
Create directory for target and enter it
mkdir ClamAV
cd ClamAV
Prep a nc listener
nc -nlvp 4444
Confirm IP address
hostname -I
[LAB_IP]
Recon
Start with a quick open port scan
rustscan [LAB_IP]
22/tcp open ssh syn-ack
9666/tcp open zoomcp syn-ack
Quick OS check
sudo nmap -O --top-ports 1000 -v -T4 [LAB_IP] -oN osType.nmap
No exact OS matches for host
Follow up with a service scan on those open ports
sudo nmap -sC -sV -p22,9666 -v -T5 [LAB_IP] -oN services.nmap
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 [HASH_REDACTED] (ECDSA)
|_  256 [HASH_REDACTED] (ED25519)
9666/tcp open  http    CherryPy wsgiserver
| http-robots.txt: 1 disallowed entry
|_/
| http-methods:
|_  Supported Methods: GET OPTIONS HEAD
| http-title: Login - pyLoad
|_Requested resource was /login?next=http://[LAB_IP]:9666/
|_http-server-header: Cheroot/8.6.0
|_http-favicon: Unknown favicon MD5: 71AAC1BA3CF57C009DA1994F94A2CC89
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port 22 - ssh
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 [HASH_REDACTED] (ECDSA)
|_  256 [HASH_REDACTED] (ED25519)
Skip for now
Port 9666 http
9666/tcp open  http    CherryPy wsgiserver
| http-robots.txt: 1 disallowed entry
|_/
| http-methods:
|_  Supported Methods: GET OPTIONS HEAD
| http-title: Login - pyLoad
|_Requested resource was /login?next=http://[LAB_IP]:9666/
|_http-server-header: Cheroot/8.6.0
|_http-favicon: Unknown favicon MD5: 71AAC1BA3CF57C009DA1994F94A2CC89
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
nmap -sV --script "http-*" -p 9666 -T5 [LAB_IP] -oN http9666.nmap
...long scan...
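As an added example (not part of the original notes), a small parser for the nmap -oN normal-output format produced by the scans above: it pulls each port's state, service and version plus the NSE script lines beneath it, then lifts out the identifiers a triage would record for an http port (page title, server header, robots.txt entries). The sample input is constructed to match the services.nmap result, with placeholder host keys.

```python
import re
# Constructed sample in nmap -oN (normal) format, mirroring services.nmap above;
# the host keys are placeholders, not real values.
SAMPLE_NMAP = """\
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 [HASH_REDACTED] (ECDSA)
|_  256 [HASH_REDACTED] (ED25519)
9666/tcp open  http    CherryPy wsgiserver
| http-robots.txt: 1 disallowed entry
|_/
| http-title: Login - pyLoad
|_Requested resource was /login?next=http://[LAB_IP]:9666/
|_http-server-header: Cheroot/8.6.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|_?\s?([\w.-]+):\s?(.*)$")  # "| name: value" header line

def parse_nmap_normal(text):
    """Parse nmap -oN output into one dict per port, keeping NSE script lines."""
    ports, current, script = [], None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:  # e.g. "9666/tcp open  http    CherryPy wsgiserver"
            current = {"port": int(m[1]), "proto": m[2], "state": m[3],
                       "service": m[4], "version": m[5].strip(), "scripts": {}}
            ports.append(current)
            script = None
        elif current is None or not line.startswith("|"):
            continue  # column header, Service Info, blank lines
        elif (m := SCRIPT_RE.match(line)):  # start of a script block
            script = m[1]
            current["scripts"][script] = [m[2].strip()] if m[2].strip() else []
        elif script:  # continuation line of the current script block
            current["scripts"][script].append(line.lstrip("|_ ").strip())
    return ports

def fingerprint_http(ports):
    """Collect what a triage notes per http port: page title, server header, robots entries."""
    out = {}
    for p in (p for p in ports if p["service"] == "http"):
        s = p["scripts"]
        out[p["port"]] = {"title": (s.get("http-title") or [""])[0],
                          "server": " ".join(s.get("http-server-header", [])),
                          "robots_entries": s.get("http-robots.txt", [])[1:]}
    return out
```

Run it over a real services.nmap with `parse_nmap_normal(open("services.nmap").read())`; the robots entries and title are what point at pyLoad behind the generic CherryPy banner.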