Scanning and Enumeration

Scanning

kali@kali:~/HTB$ nmap -Pn -sV -sC -p22,3000 10.10.10.58
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-14 07:42 EDT
Nmap scan report for 10.10.10.58
Host is up (0.082s latency).

PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
|   256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_  256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open  hadoop-datanode Apache Hadoop
| hadoop-datanode-info: 
|_  Logs: /login
| hadoop-tasktracker-info: 
|_  Logs: /login
|_http-title: MyPlace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.98 seconds

Enumeration

Port 3000

• port 3000 appears to be a web server, lets check it out.

Potential Usernames:

• tom

• mark

• rastating

Found Login

Redirecting Gobuster to BURP

specifying port to bind to

Gobuster does not work, therefore we will analyze on burp spider. On Burp Spider (on the target tab, you may need to change your settings and enable proxy), we are able to find:

Analyzing on the webrowser, we find the following:

Checking those files, we are able to find the following:

Found hashes

Not much luck, looks like we are going to have to login to get this file, but where could we get credentials? Looking further, we were able to find some interesting information in the /api/users/latest path. These appear to be hashes.

Notice how these are the latest? if we get rid of latest from the path we get more information. It appears that we get an admin hash

Identifying hashes

Found Passwords

• manchester is admins password

• spongebob is toms password

• snowflake is marks password