
# Hunit (WIP)

## Nmap

```
sudo nmap 192.168.79.125 -p- -sS -sV

Not shown: 65531 filtered ports
PORT      STATE SERVICE    VERSION
8080/tcp  open  http-proxy
12445/tcp open  unknown
18030/tcp open  http       Apache httpd 2.4.46 ((Unix))
43022/tcp open  ssh        OpenSSH 8.4 (protocol 2.0)
```

Browsing to port 8080 takes us to a web page for haikus.

![](/files/-MY-hBEXrJLiuTZKW5SR)

We can individually browse to each haiku.

![](/files/-MY-hPzVjlikn7gpffR0)

Checking the page source for any haiku reveals a comment referring to an API.

![](/files/-MY-hVX5JSwxJueNXXMl)

Running curl against the API reveals further information.

```
curl http://192.168.79.125:8080/api/
```

![](/files/-MY-hlBLcwS3ZRgNeylO)

Running curl against the user API directory reveals sensitive information regarding each user.

```
curl http://192.168.79.125:8080/api/user/
```

![](/files/-MY-i4LFkGPH62zWgHzr)
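A defensive check for this finding, as an added example that is not part of the original writeup: it walks a JSON API response and flags credential-like fields, then applies an allowlist projection that keeps them out of the response. The field names, sample records and key pattern are assumptions, since the real response appears only in the screenshot.

```python
import json
import re

# Key names that should never appear in an API response (assumed list; extend per application).
SENSITIVE_KEY = re.compile(r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key", re.I)


def find_sensitive_fields(node, path="$"):
    """Return JSON paths of non-empty values stored under sensitive-looking keys."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if SENSITIVE_KEY.search(key) and value not in (None, "", [], {}):
                hits.append(child)
            # Keep descending: secrets are often nested inside wrapper objects.
            hits.extend(find_sensitive_fields(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_sensitive_fields(item, f"{path}[{i}]"))
    return hits


def to_public_view(user, allowed=("login", "firstName", "lastName", "description")):
    """Allowlist projection: only explicitly named fields leave the server."""
    return {k: user[k] for k in allowed if k in user}


# Constructed sample shaped like a user-listing response; names and values are assumptions.
SAMPLE_RESPONSE = json.loads("""
[
  {"id": 1, "login": "user1", "password": "EXAMPLE-ONLY-1",
   "firstName": "A", "lastName": "One", "description": "Editor"},
  {"id": 2, "login": "user2", "password": "EXAMPLE-ONLY-2",
   "firstName": "B", "lastName": "Two", "description": "Admin"}
]
""")

if __name__ == "__main__":
    # Raw records leak credentials; the allowlisted view does not.
    print("raw:   ", find_sensitive_fields(SAMPLE_RESPONSE))
    safe = [to_public_view(u) for u in SAMPLE_RESPONSE]
    print("public:", find_sensitive_fields(safe))
```

Run as an integration test against every unauthenticated endpoint, a non-empty result from `find_sensitive_fields` should fail the build.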

Compiling the login names and passwords of each user gives us a user list and a password list.

{% tabs %}
{% tab title="Users" %}

```
rjackson
dademola
jvargas
jsanchez
```

{% endtab %}
{% endtabs %}

{% tabs %}
{% tab title="Passwords" %}

```
yYJcgYqszv4aGQ
ExplainSlowQuest110
KTuGcSW6Zxwd0Q
d52cQ1BzyNQycg
OuQ96hcgiM5o9w
```

{% endtab %}
{% endtabs %}

I then tried bruteforcing this with Hydra and was unable to get a result.

![](/files/-MY-lq1QvqvFAdRD30bG)

Inspecting the information we found further, we see that all the users are 'Editors' and David is an admin. The password associated with David is also greatly different from the rest. I then tried a manual login with SSH.

```
ssh -p 43022 dademola@192.168.79.125
```

Valid credentials: `dademola:ExplainSlowQuest110`

![](/files/-MY-ma6qHLQrEt_BF3Js)

Looking for other users in /home/, we see the Git user. Checking the contents of the directory, we also find an id\_rsa key.

![](/files/-MY-qW52YDQHklKYjWA7)

