Lab Notes – 2025-11-28

Overview

Target: Horror LLC (NodeJS). Heavy recon, fuzzing, and analysis.

Nmap

nmap -sV -vv -sU -sS -sC 10.64.182.99 --script vuln

Findings:

• 22/tcp OpenSSH
• 80/tcp Node webserver
• Slowloris likely vulnerable
• phpMyAdmin CVE flagged but unconfirmed

Web Analysis

Newsletter signup + session cookie (Base64 JSON). No visible reflection. Session not tied to auth.

ffuf

ffuf -u "http://10.64.182.99/?email=FUZZ" -w seclists/LFI-Jhaddix.txt -ac -v

Consistent 200 response — no behavioral change observed yet.

Reflection

First hour learning, second hour scatter-fire. Recognized plateau and pivoted. Foundational win.