# TryHackMe-Panda ## NMAP ``` Nmap scan report for 10.10.87.214 Host is up (0.23s latency). Not shown: 991 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4 (protocol 2.0) | ssh-hostkey: | 2048 af:ff:dd:8f:74:ef:1b:ea:3a:33:7c:df:a0:e8:35:08 (RSA) | 256 b5:dc:77:c4:15:a4:b6:5e:f3:07:46:ad:90:ea:d6:59 (ECDSA) |_ 256 a5:20:b4:a0:94:2a:27:f2:c9:ea:cb:09:f8:ab:f0:a6 (ED25519) 53/tcp open domain ISC BIND 9.11.4-P2 (RedHat Enterprise Linux 7) | dns-nsid: |_ bind.version: 9.11.4-P2-RedHat-9.11.4-9.P2.el7 80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.6.40) | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40 |_http-title: Site doesn't have a title (text/html; charset=UTF-8). 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA) 445/tcp open netbios-ssn Samba smbd 4.9.1 (workgroup: SAMBA) 3306/tcp open mysql MariaDB (unauthorized) 8009/tcp open ajp13 Apache Jserv (Protocol v1.3) |_ajp-methods: Failed to get a valid response for the OPTION request 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1 |_http-favicon: Apache Tomcat |_http-open-proxy: Proxy might be redirecting requests |_http-server-header: Apache-Coyote/1.1 |_http-title: Apache Tomcat/7.0.92 9999/tcp open abyss? | fingerprint-strings: | FourOhFourRequest: | HTTP/1.0 200 OK | Date: Sat, 03 Oct 2020 10:50:05 GMT | Content-Length: 0 | GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq, TerminalServerCookie: | HTTP/1.1 400 Bad Request | Content-Type: text/plain; charset=utf-8 | Connection: close | Request | GetRequest, HTTPOptions: | HTTP/1.0 200 OK | Date: Sat, 03 Oct 2020 10:50:04 GMT |_ Content-Length: 0 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port9999-TCP:V=7.80%I=7%D=10/3%Time=5F785755%P=x86_64-pc-linux-gnu%r(Ge SF:tRequest,4B,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Sat,\x2003\x20Oct\x2020 SF:20\x2010:50:04\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,4 SF:B,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Sat,\x2003\x20Oct\x202020\x2010:5 SF:0:04\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(FourOhFourRequest,4B,"H SF:TTP/1\.0\x20200\x20OK\r\nDate:\x20Sat,\x2003\x20Oct\x202020\x2010:50:05 SF:\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(GenericLines,67,"HTTP/1\.1\ SF:x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf SF:-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(RTSPRequest SF:,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain; SF:\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request" SF:)%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20tex SF:t/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20 SF:Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCon SF:tent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\ SF:r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1\.1\x20400\ SF:x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nC SF:onnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSessionReq,67," SF:HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20c SF:harset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(K SF:erberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text SF:/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20R SF:equest")%r(LPDString,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent- SF:Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n40 SF:0\x20Bad\x20Request")%r(LDAPSearchReq,67,"HTTP/1\.1\x20400\x20Bad\x20Re SF:quest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x SF:20close\r\n\r\n400\x20Bad\x20Request")%r(SIPOptions,67,"HTTP/1\.1\x2040 SF:0\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\ SF:nConnection:\x20close\r\n\r\n400\x20Bad\x20Request"); Service Info: Host: PANDA; OS: Linux; CPE: cpe:/o:redhat:enterprise_linux:7 Host script results: |_clock-skew: mean: 1h20m07s, deviation: 2h18m34s, median: 7s |_nbstat: NetBIOS name: PANDA, NetBIOS user: , NetBIOS MAC: (unknown) | smb-os-discovery: | OS: Windows 6.1 (Samba 4.9.1) | Computer name: panda | NetBIOS computer name: PANDA\x00 | Domain name: \x00 | FQDN: panda |_ System time: 2020-10-03T06:51:44-04:00 | smb-security-mode: | account_used: | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2020-10-03T10:51:44 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 134.43 seconds ``` ### PORT 80 Username `shifu`. Bruteforce with this username