🪀 DC4

1. Nmap scan of all ports in aggressive mode

nmap -p- -A 10.10.1.10

The scan identified the following services:

80/tcp open http nginx 1.15.10

22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)

We will try to browse the website.

We will try to exploit the nginx default user ID and password.

Wappalyzer results below

No use. Now we will try dirb/gobuster/nikto.

Run Nikto -> nikto -h http://10.10.1.10

Nothing identified using Nikto. We will run Gobuster with the command below:

gobuster dir -u http://10.10.1.10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,old,bak,zip 80 > gobuster.txt

Nothing identified, so we will use dirb:

dirb http://10.10.1.10

The directory scan identified the following:

http://10.10.1.10/index.php

http://10.10.1.10/images/

http://10.10.1.10/css/

After navigating these directories, nothing was identified. Now we will use FFUF:

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.1.10/FUZZ

I didn't find anything on the webserver: no directories, no files, nothing. There was nothing to go on, so I decided to brute-force the login page. For this, I used my Windows machine because it's a little bit faster. By the way, I used the rockyou-20.txt wordlist from the SecLists repository.
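From the server side, the wordlist scans and the login brute-force above leave a clear pattern in the nginx access log. The following is an added example, not part of the original notes: it flags clients whose requests are mostly 404s across many distinct paths and clients that POST repeatedly to the login page. It assumes the nginx "combined" log format; the `/login.php` path, the thresholds and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# nginx "combined" access-log format: ip - user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def detect(lines, login_path="/login.php", min_requests=20,
           min_404_ratio=0.9, min_login_posts=10):
    """Return {ip: findings}. login_path and thresholds are assumed values."""
    total = defaultdict(int)
    not_found = defaultdict(int)
    distinct_404 = defaultdict(set)
    login_posts = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip = m["ip"]
        total[ip] += 1
        if m["status"] == "404":
            not_found[ip] += 1
            distinct_404[ip].add(m["path"])
        if m["method"] == "POST" and m["path"].split("?")[0] == login_path:
            login_posts[ip] += 1
    findings = defaultdict(set)
    for ip, n in total.items():
        # Wordlist scans request many distinct paths that mostly do not exist.
        if (n >= min_requests and not_found[ip] / n >= min_404_ratio
                and len(distinct_404[ip]) >= min_requests // 2):
            findings[ip].add("content-discovery")
        if login_posts[ip] >= min_login_posts:
            findings[ip].add("login-bruteforce")
    return dict(findings)

def sample_log():
    """Constructed sample: one scanner, one password guesser, one normal client."""
    fmt = '{ip} - - [01/Jan/2024:10:00:{s:02d} +0000] "{m} {p} HTTP/1.1" {st} 153 "-" "-"'
    lines = [fmt.format(ip="192.0.2.10", s=i % 60, m="GET", p=f"/word{i}", st=404) for i in range(40)]
    lines += [fmt.format(ip="192.0.2.10", s=1, m="GET", p=p, st=200) for p in ("/index.php", "/images/", "/css/")]
    lines += [fmt.format(ip="192.0.2.20", s=i, m="POST", p="/login.php", st=302) for i in range(15)]
    lines += [fmt.format(ip="192.0.2.30", s=5, m="GET", p="/index.php", st=200)]
    return lines

if __name__ == "__main__":
    for ip, kinds in sorted(detect(sample_log()).items()):
        print(ip, sorted(kinds))
```

On a real server, pass the lines of the nginx access log to `detect()` and tune the thresholds to normal traffic for the site.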
