1. Enumeration:
- Nmap: scan for open ports and the services running on them
$ nmap -sC -sV -oN nmapscan 10.10.10.149
Let’s add heist.htb to our /etc/hosts file.
2. Web Enumeration:
Tried admin:password, but the login form asks for an email address rather than a username. Tried admin@htb, which gave this error page:
Let’s try logging in as a guest:
We now see user hazard asking the admin a question, with an interesting attachment (a router config file). Let’s check it:
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
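The config excerpt above stores credentials in two legacy formats: Cisco type 7 ("password 7") is a reversible obfuscation rather than a hash, and type 5 ("enable secret 5") is salted MD5, which is fast to attack offline. The following is an added defender-side audit script, not part of the write-up, that parses IOS-style credential lines and reports which password types are in use. Its input is the four lines from the attachment plus one constructed "secret 9" line (a placeholder value, not a real hash) so that a passing case is shown; the field names and severity labels are this example's own choices.

```python
import re

# Sample input: the four lines shown in the write-up's config excerpt, plus one
# constructed type-9 line (placeholder salt/hash) that should pass the audit.
SAMPLE_CONFIG = """\
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
username backup secret 9 $9$CONSTRUCTEDSALT$CONSTRUCTEDHASHPLACEHOLDER
"""

# Matches "enable secret 5 <v>", "username X password 7 <v>",
# "username X privilege 15 secret 9 <v>" and similar IOS credential lines.
CRED_RE = re.compile(
    r"^(?P<scope>enable|username\s+(?P<user>\S+))(?:\s+privilege\s+\d+)?\s+"
    r"(?P<kw>password|secret)\s+(?P<type>\d+)\s+(?P<value>\S+)"
)
MINLEN_RE = re.compile(r"^security\s+passwords\s+min-length\s+(\d+)")

# Cisco IOS password storage types and how a reviewer should treat them.
SEVERITY = {
    "0": ("high", "type 0: stored in plaintext"),
    "7": ("high", "type 7: reversible obfuscation, not a hash; migrate to type 8/9"),
    "5": ("medium", "type 5: salted MD5, fast to crack offline; migrate to type 8/9"),
    "4": ("medium", "type 4: deprecated unsalted SHA-256; migrate to type 8/9"),
    "8": ("low", "type 8: PBKDF2-SHA256"),
    "9": ("low", "type 9: scrypt"),
}


def audit_config(text):
    """Return (findings, min_length) for an IOS-style config.

    findings is a list of dicts, one per credential line, in file order.
    min_length is the configured password minimum, or None if absent.
    """
    findings = []
    min_length = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = MINLEN_RE.match(line)
        if m:
            min_length = int(m.group(1))
            continue
        m = CRED_RE.match(line)
        if not m:
            continue
        ptype = m.group("type")
        severity, reason = SEVERITY.get(
            ptype, ("unknown", f"type {ptype}: unrecognised storage type")
        )
        findings.append({
            "line": lineno,
            "account": m.group("user") or "enable",
            "type": ptype,
            "severity": severity,
            "reason": reason,
        })
    return findings, min_length


def worst_severity(findings):
    """Collapse a list of findings to the single most serious severity."""
    order = ["low", "medium", "high", "unknown"]
    if not findings:
        return "none"
    return max((f["severity"] for f in findings), key=order.index)


if __name__ == "__main__":
    found, min_len = audit_config(SAMPLE_CONFIG)
    print(f"password min-length: {min_len if min_len is not None else 'not set'}")
    for f in found:
        print(f"line {f['line']:>2}  {f['account']:<8} {f['severity']:<7} {f['reason']}")
    print(f"overall: {worst_severity(found)}")
```

Running the script over the attachment flags the two type 7 entries as high and the type 5 enable secret as medium; only the constructed type 9 line passes. The practical takeaway for the device owner is that any config containing "password 7" should be treated as having disclosed those credentials once the file leaves the device.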
A full-port nmap scan shows two more open ports:
$ nmap -sV -sT -p- -oN fullportscan heist.htb
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49669/tcp open msrpc Microsoft Windows RPC
Port 5985 is WinRM (Windows Remote Management over HTTP).