Author Topic: Please remove my website from the Blacklist  (Read 2572 times)


Offline TylerTrowbridge

  • Newbie
  • *
  • Posts: 3
Please remove my website from the Blacklist
« on: January 16, 2020, 11:07:54 PM »
Hi,

Please remove my website sabtechplumbing.ca from the Avast blacklist.

This is a false-positive and there is 0 malicious/phishing code on this website, domain, or IP.

I have already submitted this website in https://www.avast.com/en-us/false-positive-file-form.php

This is defaming and causing harm to my business and this is not acceptable. We are not a harmful phishing or a malicious website.

My email is tylerstrowbridge at gmail d0t com

Thank you

Tyler Trowbridge


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Please remove my website from the Blacklist
« Reply #1 on: January 16, 2020, 11:30:21 PM »
Posting here thrice does not help make your arguments stronger.
Just wait for an avast team member to give a final verdict.
Re: https://www.virustotal.com/gui/search/%2520https%253A%252F%252Fsabtechplumbing.ca%252F/urls
Avast blocks the IP as with PHISHING. See detections: https://www.virustotal.com/gui/ip-address/167.99.176.242/relations

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Please remove my website from the Blacklist
« Reply #2 on: January 16, 2020, 11:41:09 PM »
Quote from: polonus
Posting here thrice does not help make your arguments stronger.
Just wait for an avast team member to give a final verdict.
Re: https://www.virustotal.com/gui/search/%2520https%253A%252F%252Fsabtechplumbing.ca%252F/urls
Avast blocks the IP as with PHISHING. See detections: https://www.virustotal.com/gui/ip-address/167.99.176.242/relations

polonus

He has more than one URL that is blacklisted, he made one post for each URL
« Last Edit: January 17, 2020, 11:54:54 AM by Pondus »

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Please remove my website from the Blacklist
« Reply #3 on: January 17, 2020, 01:51:57 AM »
Can we combine all these into one post then? No need for three different posts
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Please remove my website from the Blacklist
« Reply #4 on: January 17, 2020, 02:03:22 AM »
PaintSpecial[.]com

Code:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-16 20:52 Atlantic Standard Time
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:52
Completed NSE at 20:52, 0.00s elapsed
Initiating NSE at 20:52
Completed NSE at 20:52, 0.00s elapsed
Initiating NSE at 20:52
Completed NSE at 20:52, 0.00s elapsed
Initiating Ping Scan at 20:52
Scanning paintspecial.com (167.99.176.242) [4 ports]
Completed Ping Scan at 20:52, 0.13s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:52
Completed Parallel DNS resolution of 1 host. at 20:52, 0.01s elapsed
Initiating SYN Stealth Scan at 20:52
Scanning paintspecial.com (167.99.176.242) [1000 ports]
Discovered open port 80/tcp on 167.99.176.242
Discovered open port 443/tcp on 167.99.176.242
Discovered open port 22/tcp on 167.99.176.242
Completed SYN Stealth Scan at 20:52, 4.61s elapsed (1000 total ports)
Initiating Service scan at 20:52
Scanning 3 services on paintspecial.com (167.99.176.242)
Completed Service scan at 20:52, 12.14s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against paintspecial.com (167.99.176.242)
Initiating Traceroute at 20:52
Completed Traceroute at 20:52, 3.03s elapsed
Initiating Parallel DNS resolution of 12 hosts. at 20:52
Completed Parallel DNS resolution of 12 hosts. at 20:52, 0.04s elapsed
NSE: Script scanning 167.99.176.242.
Initiating NSE at 20:52
Completed NSE at 20:53, 43.51s elapsed
Initiating NSE at 20:53
Completed NSE at 20:53, 0.96s elapsed
Initiating NSE at 20:53
Completed NSE at 20:53, 0.00s elapsed
Nmap scan report for paintspecial.com (167.99.176.242)
Host is up (0.021s latency).
rDNS record for 167.99.176.242: 180321.cloudwaysapps.com
Not shown: 997 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
| ssh-hostkey:
|   1024 6e:8b:22:0c:3e:63:6d:dd:59:80:9e:49:ed:84:67:b8 (DSA)
|_  2048 fc:c3:ae:4a:53:e7:ec:33:c6:5b:42:d8:c6:4f:d9:f3 (RSA)
80/tcp  open  http     nginx
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods:
|_  Supported Methods: POST OPTIONS
|_http-title: Did not follow redirect to https://paintspecial.com/
443/tcp open  ssl/http nginx
|_http-generator: Powered by WPBakery Page Builder - drag and drop page builder for WordPress.
| http-methods:
|_  Supported Methods: GET HEAD
|_http-title: House Painters | $375 Residential Paint Special
| ssl-cert: Subject: commonName=paintspecial.com
| Subject Alternative Name: DNS:paintspecial.com
| Issuer: commonName=Let's Encrypt Authority X3/organizationName=Let's Encrypt/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-01-07T19:10:09
| Not valid after:  2020-04-06T19:10:09
| MD5:   a50b 8238 7267 6977 9b03 37aa c747 f2a9
|_SHA-1: ca38 8d8e 0c56 b852 cc31 8ea2 2f8c 310c 00b2 5b5f
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|   h2
|_  http/1.1
| tls-nextprotoneg:
|   h2
|_  http/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3.13 cpe:/o:linux:linux_kernel:4.2
OS details: Linux 3.13 or 4.2
Uptime guess: 44.171 days (since Tue Dec 03 16:47:30 2019)
Network Distance: 14 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel



TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   1.00 ms  mynetwork (192.168.2.1)
2   1.00 ms  loop0.38w.ba07.fctn.nb.aliant.net (142.166.182.17)
3   1.00 ms  be14-181.dr01.fctn.nb.aliant.net (142.176.208.49)
4   1.00 ms  ae3-50.dr02.fctn.nb.aliant.net (142.166.185.154)
5   3.00 ms  ae7.cr02.stjh.nb.aliant.net (142.166.185.145)
6   21.00 ms ae0.bx01.toro.on.aliant.net (207.231.227.53)
7   24.00 ms bx2-torontoxn_ae3 (184.150.187.56)
8   23.00 ms tcore4-torontoxn_hundredgige0-6-0-0.net.bell.ca (64.230.97.146)
9   22.00 ms bx1-torontoxn_et1-0-0.net.bell.ca (64.230.97.157)
10  22.00 ms ix-ae-9-0.tcore2.tnk-toronto.as6453.net (63.243.172.25)
11  21.00 ms 63.243.172.34
12  ... 13
14  21.00 ms 180321.cloudwaysapps.com (167.99.176.242)



NSE: Script Post-scanning.
Initiating NSE at 20:53
Completed NSE at 20:53, 0.00s elapsed
Initiating NSE at 20:53
Completed NSE at 20:53, 0.00s elapsed
Initiating NSE at 20:53
Completed NSE at 20:53, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.65 seconds
           Raw packets sent: 2068 (93.488KB) | Rcvd: 299 (19.603KB)

You're running on Debian 5?! We're into Debian 11. Your operating system was released in 2009. It's not fit to be public facing, under ANY circumstance. It's old, outdated and EXTREMELY vulnerable to attack. The same issues are present on the other sites, which isn't surprising, given they're on the same box. Take the website down, and update the host. You are asking to be hacked with an OS like that. We don't see OSes that out of date in HackTheBox.

There are literal pages of local priv esc for your host on exploit-DB
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.
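
An added example, not part of the original post: reading the Debian package string in the SSH service line of the scan above. In such a banner the number before `+` is the package revision, and a `+deb<N>u<M>` suffix names the Debian release the package was built for and its update number. The function names and the 2222/tcp sample line are constructed for illustration; the 22/tcp line is taken from the scan.

```python
import re

# Debian major release number -> codename.
DEBIAN_CODENAMES = {7: "wheezy", 8: "jessie", 9: "stretch", 10: "buster", 11: "bullseye"}

# An nmap -sV service line for OpenSSH on Debian, e.g.
#   22/tcp  open  ssh  OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
SERVICE_RE = re.compile(
    r"^(?P<port>\d+)/tcp\s+open\s+ssh\s+OpenSSH\s+(?P<upstream>\S+)\s+Debian\s+(?P<pkg>[^\s(]+)"
)
# Debian package revision: "<revision>[+deb<release>u<update>]".
PKG_RE = re.compile(r"^(?P<revision>[\w.~]+?)(?:\+deb(?P<release>\d+)u(?P<update>\d+))?$")

# Sample input: the 22/tcp and 80/tcp lines come from the scan above,
# the 2222/tcp line is constructed to show a banner without a +deb suffix.
SAMPLE = """\
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
80/tcp  open  http     nginx
2222/tcp open ssh      OpenSSH 6.0p1 Debian 4 (protocol 2.0)
"""


def parse_debian_ssh(nmap_text):
    """Return one dict per OpenSSH/Debian service line found in nmap output."""
    results = []
    for line in nmap_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue  # not an OpenSSH-on-Debian service line
        pkg = PKG_RE.match(m["pkg"])
        # No +debNuM suffix: the release cannot be inferred from the banner.
        release = int(pkg["release"]) if pkg and pkg["release"] else None
        results.append({
            "port": int(m["port"]),
            "upstream": m["upstream"],
            "revision": pkg["revision"] if pkg else m["pkg"],
            "debian_release": release,
            "codename": DEBIAN_CODENAMES.get(release),
            "update": int(pkg["update"]) if pkg and pkg["update"] else None,
        })
    return results


if __name__ == "__main__":
    for entry in parse_debian_ssh(SAMPLE):
        print(entry)
```

A banner only reports what the server chooses to announce, so confirm the release on the host itself (for example from `/etc/os-release`) before acting on it.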

Offline jefferson sant

  • Starting Graphoman
  • *
  • Posts: 6674
  • volunteer
Re: Please remove my website from the Blacklist
« Reply #5 on: January 20, 2020, 10:24:45 PM »
Site sabtechplumbing.ca not being blocked.

Quote from: Avast
The URL provided does not appear to be detected by Avast. Could you send us a screenshot of the detection message you are receiving?

https://support.avast.com/en-us/article/Create-screenshot/

« Last Edit: January 20, 2020, 10:30:54 PM by jefferson sant »