https://tryhackme.com/jr/brainstorm

Pwned Date -

Enumeration

PORT     STATE SERVICE            VERSION
21/tcp   open  ftp                Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
3389/tcp open  ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=brainstorm
| Not valid before: 2022-07-19T15:34:45
|_Not valid after:  2023-01-18T15:34:45
| rdp-ntlm-info: 
|   Target_Name: BRAINSTORM
|   NetBIOS_Domain_Name: BRAINSTORM
|   NetBIOS_Computer_Name: BRAINSTORM
|   DNS_Domain_Name: brainstorm
|   DNS_Computer_Name: brainstorm
|   Product_Version: 6.1.7601
|_  System_Time: 2022-07-20T15:43:12+00:00
|_ssl-date: 2022-07-20T15:43:42+00:00; +1s from scanner time.
9999/tcp open  abyss?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, RPCCheck, RTSPRequest, SSLSessionReq, TerminalServerCookie: 
|     Welcome to Brainstorm chat (beta)
|     Please enter your username (max 20 characters): Write a message:
|   NULL: 
|     Welcome to Brainstorm chat (beta)
|_    Please enter your username (max 20 characters):
1 service unrecognized despite returning data.

We can log in to FTP anonymously, but directory listings hang with an "Entering Extended Passive Mode" error (the same timeout nmap's ftp-anon script reported):

┌──(kali㉿VirtualBox)-[~]
└─$ ftp 10.10.73.16                             
Connected to 10.10.73.16.

220 Microsoft FTP Service
Name (10.10.73.16:kali): anonymous

331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 

230 User logged in.
Remote system type is Windows_NT.

ftp> ls -la
229 Entering Extended Passive Mode (|||49231|)

To solve this FTP problem, I found this Chinese blog useful

The "Entering Extended Passive Mode" problem encountered in ftp_惹不起的程咬金's blog - CSDN blog_229 entering extended passive

There we need to toggle *passive* (which turns passive mode off here, so the client falls back to active mode) and set *epsv4 off*, after which the listing goes through a plain PORT command instead of EPSV/EPRT:

ftp> passive
Passive mode: off; fallback to active mode: off.

ftp> ls -la
200 EPRT command successful.
150 Opening ASCII mode data connection.
425 Cannot open data connection.

ftp> epsv4 off
EPSV/EPRT on IPv4 off.

ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-29-19  08:36PM       <DIR>          chatserver

After changing into chatserver we find two files:

ftp> ls -la
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-29-19  10:26PM                43747 chatserver.exe
08-29-19  10:27PM                30761 essfunc.dll
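The same FTP fix and listing step, as an added example in Python that is not part of the original writeup: `ftplib.FTP.set_pasv(False)` makes the client send PORT on IPv4 (the CLI equivalent of `passive` plus `epsv4 off` above), so the server connects back to us instead of us connecting to the port announced in the 229 reply. The host, the anonymous password and the sample listing lines are assumptions/constructed; only the parsing helpers run offline.

```python
"""Reproduce the writeup's FTP workaround with ftplib and parse the replies it shows.
Added example, not the original author's code. Host/credentials are assumptions."""
import re
import ftplib

# '229 Entering Extended Passive Mode (|||49231|)' announces the data port we would
# have to reach; on this box that connection timed out, which is why active mode helps.
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")
# Microsoft ftpd listing lines: '08-29-19  10:26PM   43747 chatserver.exe' / '<DIR> chatserver'
MSDOS_RE = re.compile(r"^(\d\d-\d\d-\d\d)\s+(\d\d:\d\d[AP]M)\s+(<DIR>|\d+)\s+(.+)$")


def parse_epsv_reply(line):
    """Return the data port from a 229 EPSV reply, or None for any other reply."""
    m = EPSV_RE.match(line.strip())
    return int(m.group(1)) if m else None


def parse_msdos_listing(lines):
    """Turn Microsoft ftpd LIST output into (name, is_dir, size) tuples; reply codes are skipped."""
    entries = []
    for line in lines:
        m = MSDOS_RE.match(line.strip())
        if not m:
            continue  # e.g. '200 PORT command successful.'
        _date, _time, kind, name = m.groups()
        is_dir = kind == "<DIR>"
        entries.append((name, is_dir, 0 if is_dir else int(kind)))
    return entries


def list_anonymous(host, path="/", passive=False):
    """Anonymous login and LIST; passive=False forces active (PORT) mode like the CLI fix."""
    lines = []
    with ftplib.FTP(host, timeout=10) as ftp:
        ftp.login("anonymous", "anonymous@example.com")  # assumed e-mail-style password
        ftp.set_pasv(passive)  # False -> ftplib issues PORT on IPv4, server dials back to us
        ftp.cwd(path)
        ftp.retrlines("LIST", lines.append)
    return parse_msdos_listing(lines)


if __name__ == "__main__":
    # Constructed sample shaped like the session above (no network needed).
    sample = ["08-29-19  08:36PM       <DIR>          chatserver",
              "08-29-19  10:26PM                43747 chatserver.exe"]
    print(parse_epsv_reply("229 Entering Extended Passive Mode (|||49231|)"))
    print(parse_msdos_listing(sample))
```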

chatserver.zip

Exploitation

Privilege Escalation