Overpass

22/tcp open ssh
80/tcp open http

Yeah right, just because the Romans used it doesn't make it military grade, change this?

detail scan ---->

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 37968598d1009c1463d9b03475b1f957 (RSA)
|   256 5375fac065daddb1e8dd40b8f6823924 (ECDSA)
|_  256 1c4ada1f36546da6c61700272e67759c (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Overpass
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

$ ffuf -u http://10.10.146.167/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt


   v1.4.1-dev

:: Method           : GET
:: URL              : http://10.10.146.167/FUZZ
:: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration      : false
:: Timeout          : 10
:: Threads          : 40
:: Matcher          : Response status: 200,204,301,302,307,401,403,405,500


admin      [Status: 301, Size: 42, Words: 3, Lines: 3, Duration: 196ms]
css        [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 177ms]
downloads  [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 170ms]
img        [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 193ms]

gobuster

===============================================================
/img (Status: 301) [Size: 0] [--> img/]
/downloads (Status: 301) [Size: 0] [--> downloads/]
/aboutus (Status: 301) [Size: 0] [--> aboutus/]
/admin (Status: 301) [Size: 42] [--> /admin/]
/css (Status: 301) [Size: 0] [--> css/]

James from image file

Checking out the network in developer options, I could see that the credentials are validated through login.js, which checks the session cookie or data returned from the API.

async function login() {
    // Form fields and the status line shown to the user
    const usernameBox = document.querySelector("#username");
    const passwordBox = document.querySelector("#password");
    const loginStatus = document.querySelector("#loginStatus");
    loginStatus.textContent = "";
    const creds = { username: usernameBox.value, password: passwordBox.value };
    // The API answers with either an error string or the session token
    const response = await postData("/api/login", creds);
    const statusOrCookie = await response.text();
    if (statusOrCookie === "Incorrect credentials") {
        loginStatus.textContent = "Incorrect Credentials";
        passwordBox.value = "";
    } else {
        // Any other response body is stored as the SessionToken cookie
        Cookies.set("SessionToken", statusOrCookie);
        window.location = "/admin";
    }
}

Setting the cookie in the network tab, we get:

Since you keep forgetting your password, James, I've set up SSH keys for you.

If you forget the password for this, crack it yourself. I'm tired of fixing stuff for you. Also, we really need to talk about this "Military Grade" encryption. - Paradox

After setting the cookie SessionToken to statusOrCookie, we get the private SSH key.
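The result above means the admin page was served for a SessionToken value the server never issued. As an added example (not the Overpass code or the author's), this Node.js sketch contrasts a presence-only cookie check, which is an assumption about the server's behaviour inferred from that result, with validation against tokens issued server-side; all function and class names are hypothetical.

```javascript
// Added example: hypothetical names, not the Overpass server code.
const nodeCrypto = require("crypto");

// Weak pattern (assumed): /admin only checks that a SessionToken cookie exists.
function weakIsAuthenticated(cookies) {
  return typeof cookies.SessionToken === "string" && cookies.SessionToken.length > 0;
}

// Hardened pattern: tokens are random, issued by the server after a successful
// login, stored only as a SHA-256 digest, and expire.
class SessionStore {
  constructor(ttlMs = 15 * 60 * 1000) {
    this.ttlMs = ttlMs;
    this.sessions = new Map(); // sha256(token) hex -> { user, expires }
  }
  static digest(token) {
    return nodeCrypto.createHash("sha256").update(token, "utf8").digest("hex");
  }
  issue(user, now = Date.now()) {
    const token = nodeCrypto.randomBytes(32).toString("hex"); // 256-bit token
    this.sessions.set(SessionStore.digest(token), { user, expires: now + this.ttlMs });
    return token;
  }
  validate(cookies, now = Date.now()) {
    const token = cookies.SessionToken;
    // Reject anything that is not shaped like a token this server issues.
    if (typeof token !== "string" || !/^[0-9a-f]{64}$/.test(token)) return null;
    const key = SessionStore.digest(token);
    const entry = this.sessions.get(key);
    if (!entry) return null; // never issued
    if (entry.expires <= now) { this.sessions.delete(key); return null; } // expired
    return entry.user;
  }
}

// Constructed inputs: the client-chosen cookie value from the write-up and a real token.
function demo() {
  const store = new SessionStore();
  const forged = { SessionToken: "statusOrCookie" };
  const real = { SessionToken: store.issue("james", 0) };
  return {
    weakAcceptsForged: weakIsAuthenticated(forged),
    strongAcceptsForged: store.validate(forged, 1) !== null,
    strongUser: store.validate(real, 1),
    strongAfterExpiry: store.validate(real, 16 * 60 * 1000),
  };
}
```

The client-side branch in login.js can stay as it is; the fix belongs in the handler that serves /admin, which must call something like `validate` on every request.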

Cracking the SSH key using ssh2john and john with the wordlist rockyou.txt

gives the password james13.