Pwned Date - 17th July 2022

Enumeration

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA)
|   256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA)
|_  256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Pwned....!!
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Viewing the page source, we find one comment that might give us a clue:

<!-- I forgot to add this on last note
     You are pretty smart as i thought 
     so here i left it for you 
     She sings very well. l loved it  -->

Fuzzing turns up a robots.txt, but nothing else of interest.

/nothing holds a single nothing.html, which is really nothing.

Meanwhile, /hidden_text might hold some interesting directories.

The contents of secret.dic:

/hacked
/vanakam_nanba
/hackerman.gif 
/facebook
/whatsapp
/instagram
/pwned
/pwned.com
/pubg 
/cod
/fortnite
/youtube
/kali.org
/hacked.vuln
/users.vuln
/passwd.vuln
/pwned.vuln
/backup.vuln
/.ssh
/root
/home

Save secret.dic as secretdic.txt and fuzz the known directories with it:

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u http://192.168.158.95/nothing -w secretdic.txt -q

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u http://192.168.158.95/hidden_text -w secretdic.txt -q

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u http://192.168.158.95/ -w secretdic.txt -q
//pwned.vuln          (Status: 301) [Size: 321] [--> http://192.168.158.95/pwned.vuln/]

Only the web root responds: /pwned.vuln does serve a page.

In the page source we can see this commented-out code, which leaks a set of FTP credentials:

<?php
//	if (isset($_POST['submit'])) {
//		$un=$_POST['username'];
//		$pw=$_POST['password'];
//
//	if ($un=='ftpuser' && $pw=='B0ss_Pr!ncesS') {
//		echo "welcome"
//		exit();
// }
// else 
//	echo "Invalid creds"
// }
?>
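The leak above is a classic case of developer notes and disabled code shipping to production. The following Python scanner is an added example (not part of the writeup or the box) of the check a defender would run over their own pages before release: it pulls out every HTML comment and PHP block and flags any credential-looking identifier that is compared or assigned to a string literal. The sample page, its variable names and its values are constructed placeholders modelled on the leak, not the box's real content; matches are reported masked so the scanner itself does not echo secrets into logs.

```python
import re

# Constructed sample page for this example, modelled on the kind of leak the
# writeup found; the names and values are placeholders, not the box's real data.
SAMPLE_PAGE = """<html><head><title>Login</title></head><body>
<!-- reminder for later: move the dev notes out of the page before release -->
<form method="post"><input name="username"><input name="password"></form>
<?php
//	if (isset($_POST['submit'])) {
//		$un=$_POST['username'];
//		$pw=$_POST['password'];
//	if ($un=='exampleuser' && $pw=='Example_P4ss') {
//		echo "welcome";
//	}
?>
</body></html>
"""

# Places where disabled code and notes hide in a served page.
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)
PHP_BLOCK = re.compile(r"<\?php(.*?)\?>", re.DOTALL)

# A credential-looking identifier ($pw, password, api_key, ...) compared (==, ===)
# or assigned (=) to a quoted string literal. Assignments from $_POST[...] or
# other expressions are deliberately not matched: only hard-coded literals leak.
CRED_LITERAL = re.compile(
    r"(\$?\w*(?:user|login|pass|pw|pwd|secret|token|key)\w*)"
    r"\s*={1,3}\s*(['\"])([^'\"]+)\2",
    re.IGNORECASE,
)


def extract_hidden_blocks(page: str) -> list[tuple[str, str]]:
    """Return (kind, text) for every HTML comment and PHP block in the page."""
    blocks = [("html-comment", m.group(1)) for m in HTML_COMMENT.finditer(page)]
    blocks += [("php-block", m.group(1)) for m in PHP_BLOCK.finditer(page)]
    return blocks


def mask(secret: str) -> str:
    """Keep only a two-character prefix so a finding can be triaged without reprinting the secret."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 2)


def find_credential_leaks(page: str) -> list[dict]:
    """Scan comments and PHP blocks; return one finding per hard-coded credential literal."""
    findings = []
    for kind, text in extract_hidden_blocks(page):
        for m in CRED_LITERAL.finditer(text):
            findings.append(
                {"where": kind, "name": m.group(1), "value_masked": mask(m.group(3))}
            )
    return findings


if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_PAGE):
        print(f"{f['where']}: {f['name']} = {f['value_masked']}")
```

Run against the sample it reports the `$pw` comparison inside the PHP block and nothing from the harmless HTML comment. The `$un=='exampleuser'` line is not flagged because `un` is not in the keyword list; widening the list is a tuning decision, and the scanner is a pre-release gate, not a substitute for keeping dead code out of templates.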