Web


Nmap discovered a web server on port 80 of the DEV-DATASCI-JUP (10.10.232.68) host. The running service is Tornado httpd 6.0.3.

┌──(kali㉿kali)-[~/archive/thm/weasel]
└─$ curl -I -X OPTIONS http://$IP:8888/                        
HTTP/1.1 405 Method Not Allowed
Server: TornadoServer/6.0.3
Content-Type: text/html; charset=UTF-8
Date: Sun, 06 Jul 2025 12:18:33 GMT
Content-Length: 87
 
 
┌──(kali㉿kali)-[~/archive/thm/weasel]
└─$ curl -I http://$IP:8888/        
HTTP/1.1 405 Method Not Allowed
Server: TornadoServer/6.0.3
Content-Type: text/html; charset=UTF-8
Date: Sun, 06 Jul 2025 12:18:40 GMT
Content-Length: 87
 
 
┌──(kali㉿kali)-[~/archive/thm/weasel]
└─$ curl -i http://$IP:8888/
HTTP/1.1 302 Found
Server: TornadoServer/6.0.3
Content-Type: text/html; charset=UTF-8
Date: Sun, 06 Jul 2025 12:19:07 GMT
Location: /tree?
Content-Length: 0

Redirected to a Jupyter Notebook instance.
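
The responses above, turned into an inventory check (an added example, not part of the original write-up): it classifies captured response heads and shows why a HEAD- or OPTIONS-only probe misses the notebook. The function names and the result labels are assumptions; the sample responses are constructed from the curl output above.

```python
from email.parser import Parser

# Constructed samples, trimmed from the curl output above.
HEAD_RESPONSE = """HTTP/1.1 405 Method Not Allowed
Server: TornadoServer/6.0.3
Content-Type: text/html; charset=UTF-8
Content-Length: 87
"""
GET_RESPONSE = """HTTP/1.1 302 Found
Server: TornadoServer/6.0.3
Content-Type: text/html; charset=UTF-8
Location: /tree?
Content-Length: 0
"""

def parse_head(raw):
    """Split a raw response head into (status_code, headers)."""
    text = raw.replace("\r\n", "\n").lstrip()
    status_line, _, rest = text.partition("\n")
    parts = status_line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % status_line)
    # Header lookups on the returned message are case-insensitive.
    return int(parts[1]), Parser().parsestr(rest, headersonly=True)

def classify(raw):
    """Return 'jupyter-notebook', 'tornado-unknown' or 'other'."""
    status, headers = parse_head(raw)
    if not headers.get("Server", "").lower().startswith("tornadoserver"):
        return "other"
    # The notebook front end answers GET / with a redirect to its file tree.
    path = headers.get("Location", "").split("?", 1)[0]
    if status in (301, 302) and path.rstrip("/").endswith("/tree"):
        return "jupyter-notebook"
    # Tornado alone (e.g. the 405 to HEAD/OPTIONS) does not identify the app.
    return "tornado-unknown"

if __name__ == "__main__":
    for name, raw in (("HEAD/OPTIONS", HEAD_RESPONSE), ("GET", GET_RESPONSE)):
        print(name, "->", classify(raw))
```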

Authentication


An authentication token was revealed in the /misc/jupyter-token.txt file found in the datasci-team share of the DEV-DATASCI-JUP (10.10.232.68) host: 067470c5ddsadc54153ghfjd817d15b5d5f5341e56b0dsad78a

Logging in

Successfully authenticated. The instance appears to mirror the datasci-team share, as the contents are identical.

Jupyter Notebook supports code execution as it is a web-based IDE. Moving on to the Exploitation phase.