Knowing that usually HTB machines fancy some web app on port 80, even before running an nmap scan I check if there is some domain redirect: curl http://10.10.11.20 -v And we have the results:Now to explore this web app I added 10.10.11.20 to hosts:sudo bash -c "echo '10.10.11.20 editorial.htb' >> /etc/hosts" So now we can explore the web app. And while I do that in the background I still launch an nmap scan, just in case there is something else:nmap -vv -A -Pn -p- 10.10.11.252 -sV The web app...