# Nmap 7.92 scan initiated Sun Dec1100:48:332022as: nmap -vvv -sC -sV -oN nmap/mentor mentor.htb Nmap scan report for mentor.htb (10.129.107.185) Host is up, received echo-reply ttl 63 (0.16s latency). Scanned at2022-12-1100:48:34 IST for14s Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |256 c7:3b:fc:3c:f9:ce:ee:8b:48:18:d5:d1:af:8e:c2:bb (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO6yWCATcj2UeU/SgSa+wK2fP5ixsrHb6pgufdO378n+BLNiDB6ljwm3U3PPdbdQqGZo1K7Tfsz+ejZj1nV80RY= |25644:40:08:4c:0e:cb:d4:f1:8e:7e:ed:a8:5c:68:a4:f7 (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJjv9f3Jbxj42smHEXcChFPMNh1bqlAFHLi4Nr7w9fdv 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.52 |_http-title: Did not follow redirect to http://mentorquotes.htb/ | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.52 (Ubuntu) Service Info: Host: mentorquotes.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sun Dec1100:48:482022-- 1 IP address (1 host up) scanned in 14.89 seconds
In the nmap Scan we see
Visting the page shows us
Enumerating the Site for Directories we find nothing
but doing a vhost enueration we find a new subdomain api.mentorquores.htb
Enumerating the api subdomain we find a swagger doc page
We also find an email
I was able to create a user using the signup api.
Looking at the token we see it is a JWT token
Trying to register with James email id we are able to register. As the token don’t have any check for admin. maybe the checkon email
but that to lead to no where maybe on username?
and we get admin access to the api
Checking /admin route we see two functionality
checking the backup route
using a ` we are able to get a shell.
Updating the user model to contain password
Now on querying /users api we get the passwords too.