# Scanning and Enumeration

## Scanning

```
kali@kali:~/HTB$ nmap -Pn -sV -sC -p22,3000 10.10.10.58
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-14 07:42 EDT
Nmap scan report for 10.10.10.58
Host is up (0.082s latency).

PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
|   256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_  256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open  hadoop-datanode Apache Hadoop
| hadoop-datanode-info: 
|_  Logs: /login
| hadoop-tasktracker-info: 
|_  Logs: /login
|_http-title: MyPlace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.98 seconds
```

## Enumeration

### Port 3000

* port 3000 appears to be a web server, lets check it out.

![](/files/-MJavdoOM2RHgDEM5KAz)

Potential  Usernames:

* tom
* mark
* rastating

### Found Login

![](/files/-MJawBrk9rYA_qQTAHC5)

### Redirecting Gobuster to BURP&#x20;

![specifying port to bind to ](/files/-MJb2TSmxt8cxSgtwz75)

![](/files/-MJb2aHi2NnonHjhatus)

Gobuster does not work, therefore we will analyze on burp spider. On Burp Spider (on the target tab, you may need to change your settings and enable proxy), we are able to find:&#x20;

![](/files/-MJbBLzb-iEKzDS6UbOp)

Analyzing on the webrowser, we find the following:

![](/files/-MJbBw50lXElTtNutd81)

Checking those files, we are able to find the following:

![](/files/-MJbEp8bn-LuiDixmAur)

### Found hashes

Not much luck, looks like we are going to have to login to get this file, but where could we get credentials? Looking further, we were able to find some interesting information in the /api/users/latest path. These appear to be hashes.&#x20;

![](/files/-MJbFNwGBker-rENduiM)

Notice how these are the latest? if we get rid of latest from the path we get more information. It appears that we get an admin hash

![](/files/-MJbGXSsxFryxPETdsQZ)

### Identifying hashes

![](/files/-MJbI2AYl4QPwDBwHwlL)

### Found Passwords

* manchester is admins password
* spongebob is toms password
* snowflake is marks password


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://manuelvazquez-contact.gitbook.io/oscp-prep/hack-the-box/node/scanning-and-enumeration.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.