┌──(kali㉿VirtualBox)-[~]
└─$ rustscan -a 192.168.108.101
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
2112/tcp open kip syn-ack
┌──(kali㉿VirtualBox)-[~]
└─$ nmap -sC -sV 192.168.108.101 -p 22,80,2112
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ef:24:0e:ab:d2:b3:16:b4:4b:2e:27:c0:5f:48:79:8b (RSA)
| 256 f2:d8:35:3f:49:59:85:85:07:e6:a2:0e:65:7a:8c:4b (ECDSA)
|_ 256 0b:23:89:c3:c0:26:d5:64:5e:93:b7:ba:f5:14:7f:3e (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Potato company
|_http-server-header: Apache/2.4.41 (Ubuntu)
2112/tcp open ftp ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 901 Aug 2 2020 index.php.bak
|_-rw-r--r-- 1 ftp ftp 54 Aug 2 2020 welcome.msg
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u http://192.168.108.101/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -q -t 200
/admin (Status: 301) [Size: 318] [--> http://192.168.108.101/admin/]
/potato (Status: 301) [Size: 319] [--> http://192.168.108.101/potato/]
/server-status (Status: 403) [Size: 280]
Opening /admin in a browser tab, we see this:
Opening /potato in a browser tab, we see this:
Since nmap reports that anonymous login is allowed, we log in over FTP; remember that the username anonymous must be entered in all lowercase.
┌──(kali㉿VirtualBox)-[~]
└─$ ftp 192.168.108.101 -p 2112
Connected to 192.168.108.101.
220 ProFTPD Server (Debian) [::ffff:192.168.108.101]
Name (192.168.108.101:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230-Welcome, archive user [email protected] !
230-
230-The local time is: Sun Jun 05 03:56:23 2022
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
From here we download both index.php.bak and welcome.msg.
┌──(kali㉿VirtualBox)-[~/Desktop]
└─$ cat index.php.bak
<html>
<head></head>
<body>
<?php
$pass= "potato"; //note Change this password regularly
if($_GET['login']==="1"){
if (strcmp($_POST['username'], "admin") == 0 && strcmp($_POST['password'], $pass) == 0) {
echo "Welcome! </br> Go to the <a href=\"dashboard.php\">dashboard</a>";
setcookie('pass', $pass, time() + 365*24*3600);
}else{
echo "<p>Bad login/password! </br> Return to the <a href=\"index.php\">login page</a> <p>";
}
exit();
}
?>
<form action="index.php?login=1" method="POST">
<h1>Login</h1>
<label><b>User:</b></label>
<input type="text" name="username" required>
</br>
<label><b>Password:</b></label>
<input type="password" name="password" required>
</br>
<input type="submit" id='submit' value='Login' >
</form>
</body>
</html>
┌──(kali㉿VirtualBox)-[~/Desktop]
└─$ cat welcome.msg
Welcome, archive user %U@%R !
The local time is: %T
On line 8 of index.php.bak we can see that the login check uses strcmp() with a loose == 0 comparison, which we can bypass by passing the parameter as an array using the [] array syntax.
Reference: PHP strcmp Bypass (ABCTF2016 - L33t H4xx0r)
After successfully logging in we will see
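For comparison, here is a hardened version of that login check. This is an added example written for this writeup, not code from the box or from the original index.php.bak; the helper names postString() and loginOk() are assumptions, and the sample requests are constructed. The original compares $_POST['username'] and $_POST['password'] with strcmp(...) == 0: on PHP 7.x, strcmp() given an array emits a warning and returns NULL, and NULL == 0 is true under loose comparison, so a non-string parameter passes the check (on PHP 8 the same call throws a TypeError instead). The fix is to insist on string input and compare strictly.

```php
<?php
// Added example, not the box's own code. Hardened replacement for the
// strcmp(...) == 0 login check found in index.php.bak.

// Hypothetical helper: returns the value only when it is a string, otherwise null.
function postString(array $post, string $key): ?string
{
    return (isset($post[$key]) && is_string($post[$key])) ? $post[$key] : null;
}

// Hardened check. $pass is the expected password (the original hard-codes
// "potato"; a real deployment would store a password_hash() digest and use
// password_verify() instead of a plaintext secret).
function loginOk(array $post, string $expectedUser, string $pass): bool
{
    $user = postString($post, 'username');
    $pw   = postString($post, 'password');
    if ($user === null || $pw === null) {
        return false;            // arrays and missing fields are rejected up front
    }
    // hash_equals() is type-strict, constant-time, and returns a real bool,
    // so there is no NULL == 0 trap and no timing side channel on the compare.
    return hash_equals($expectedUser, $user) && hash_equals($pass, $pw);
}

// Constructed sample requests standing in for $_POST.
$cases = [
    'valid'          => ['username' => 'admin', 'password' => 'potato'],
    'wrong password' => ['username' => 'admin', 'password' => 'tomato'],
    'array password' => ['username' => 'admin', 'password' => ['x']],
    'array username' => ['username' => [],      'password' => 'potato'],
];
foreach ($cases as $label => $post) {
    printf("%-15s => %s\n", $label, loginOk($post, 'admin', 'potato') ? 'ACCEPT' : 'REJECT');
}
// Note: the original also does setcookie('pass', $pass, ...), storing the
// plaintext password in the browser. A hardened version would instead start
// a server-side session and never send the secret back to the client.
```

Run with `php example.php`: only the `valid` case is accepted; the two array-typed inputs that defeat the original strcmp() check are rejected before any comparison happens.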