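First things first, we run a quick initial nmap scan to see which ports are open and which services are running on those ports.

```
target="10.10.10.8"
# Stage 1: fast sweep of all TCP ports, reduced to a comma-separated port list
ports=$(sudo nmap -p- --min-rate=1000 -T4 "$target" | grep "^[0-9]" | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
# Stage 2: default scripts and version detection on just those ports
sudo nmap -p"$ports" -sC -sV "$target" -vvv
```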
We get back the following result showing that only one port is open:

```
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 HttpFileServer httpd 2.3
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
|_http-title: HFS /
|_http-server-header: HFS 2.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
Similarly, we run an nmap scan with the `-sU` flag enabled to run a UDP scan.

```
sudo nmap -Pn -sU --open -p- --min-rate 10000 $target
```
We get back the following result.
Our initial recon shows that our only point of entry is through exploiting the HTTP File Server.
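
The port-list pipeline in the first scan keeps every line that starts with a digit, so ports reported as `filtered` or `closed` would also end up in the `-p` list. The following is an added example, not part of the original write-up, that keeps only rows whose state is exactly `open`; the function names and the sample scan output (including the 192.0.2.10 address) are constructed for illustration.

```sh
# Added example: read nmap normal output on stdin and print a comma-separated
# list of ports whose STATE column is exactly "open". States such as
# "filtered", "closed" or "open|filtered" (common in UDP scans) are skipped.
# Returns non-zero when no open port is found, so the caller can stop before
# handing an empty list to -p.
open_ports() {
  awk '
    # Port table rows look like: 80/tcp open http
    $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
      split($1, f, "/")
      if (!(f[1] in seen)) {
        seen[f[1]] = 1
        out = (out == "" ? "" : out ",") f[1]
      }
    }
    END {
      if (out == "") exit 1
      print out
    }
  '
}

# Constructed sample output (not from the target in this write-up).
sample_scan() {
  cat <<'EOF'
Starting Nmap ( https://nmap.org )
Nmap scan report for 192.0.2.10
Host is up (0.045s latency).
Not shown: 65531 filtered ports
PORT      STATE    SERVICE
80/tcp    open     http
135/tcp   filtered msrpc
8080/tcp  closed   http-proxy
49154/tcp open     unknown
EOF
}
```

With this in place the first stage becomes `ports=$(sudo nmap -p- --min-rate=1000 -T4 "$target" | open_ports) || exit 1`.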
The website is just what the nmap script identified: an HttpFileServer (HFS).
It seems to be a server that allows you to remotely access your files over the network. There’s a login page that might be using default credentials. However, basic cred guessing involving words like admin, password, hfs, optimum just doesn’t work for login.
At the bottom of the page, the exact version of HFS is shown. We can google it or use tools like searchsploit.
We found a bunch of results, all of which seem promising.