Writeup MyBB from DockerLabs

I'm passionate about ethical hacking and constantly strive to improve my skills. I regularly solve CTF challenges to practice and expand my knowledge in cybersecurity.

Let's start our reconnaissance with a quick nmap scan:

nmap -p- --open -sV -sC -sS --min-rate=5000 -n -Pn 172.17.0.2 -oN Nmap1

-p- - Scan all 65535 TCP ports

--open - Show only the ports that are open

-sS - TCP SYN (half-open) scan, a quick scan mode

-sC - Run nmap's default set of reconnaissance scripts

-sV - Detect the version of the service on each open port

--min-rate=5000 - Makes the scan even faster by sending no fewer than 5000 packets per second

-n - No DNS resolution

-Pn - Skip host discovery (no ping)

-oN - Save the output in normal format to the given file name (Nmap1)

We will see that port 80 is open and running Apache.

Website page:

If we click the Forum button, it takes us to the URL panel.mybb.dl, so we add that host name to /etc/hosts:

nano /etc/hosts

Now we will see what the Forum page is.

Now we start fuzzing on that domain with DirBuster:

We find one directory, backups, with one file in it. Let's check it out.

We can see that we have found two users, alice and admin.

For alice, we have the hashed password, so we will copy it and save it to a file with the name hash. Then, we will use john to perform a brute force attack to find the password using the dictionary rockyou.txt.

User: Alice

Password: tinkerbell

But these credentials do not work on the MyBB login.

In the data file, we can see that there is a user *admin*, so I will do a brute force attack on the login page:

First we start Burp Suite to see what type of request is sent:

Knowing this information, we will go to hydra and enter the following:

hydra -l admin -P /usr/share/wordlists/rockyou.txt panel.mybb.dl http-post-form "/member.php:username=admin&password=^PASS^&remember=yes&submit=Login&action=do_login&url=&my_post_key=8bf80030fa0d699af33e313cdf8b5840:F=Please correct"

Hydra reports many passwords as valid. Most of them are false positives, but one is not, so we have to try each one on the login page.

We log in with the credentials:
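Seen from the defender's side, a run like this stands out in the web server's access log as a burst of POST requests to /member.php from one address. The following is an added example, not part of the original writeup: a small detector that assumes Apache combined log format, uses constructed sample lines, and takes a threshold and window chosen here for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format: client IP, timestamp, method and path (rest ignored).
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def detect_login_bruteforce(lines, path="/member.php", threshold=10,
                            window=timedelta(seconds=60)):
    """Return {ip: time the threshold was first reached} for clients that send
    `threshold` or more POSTs to the login endpoint within `window`."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    alerts = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != path:
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        q = recent[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in alerts:
            alerts[m["ip"]] = ts
    return alerts

def sample_log():
    """Constructed sample: one client hammering the login form, one normal user."""
    base = datetime.strptime("10/Mar/2025:12:00:00 +0000", TS_FORMAT)
    fmt = '{ip} - - [{ts}] "POST /member.php HTTP/1.1" 200 5120 "-" "-"'
    out = []
    for i in range(40):   # 40 POSTs in 20 seconds from a single address
        ts = (base + timedelta(milliseconds=500 * i)).strftime(TS_FORMAT)
        out.append(fmt.format(ip="172.17.0.1", ts=ts))
    for i in range(3):    # a user retrying a password over three minutes
        ts = (base + timedelta(minutes=i)).strftime(TS_FORMAT)
        out.append(fmt.format(ip="192.0.2.10", ts=ts))
    return out

if __name__ == "__main__":
    for ip, when in detect_login_bruteforce(sample_log()).items():
        print(f"possible login brute force from {ip}, threshold reached at {when}")
```

The same counter can feed a per-address lockout or rate limit on the login endpoint instead of only raising an alert.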

user: admin

password: babygirl

In the Admin CP, I can see that the MyBB version is 1.8.35, which is out of date. Let's see if we can find some exploits for this version.

Check out my complete write-up on YouTube:
