```
Connected to [email protected].
220-
220-|—————————————————————————————–|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|—————————————————————————————–|
220-
```
We have a username: harry
```
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             107 Jun 03  2016 note
226 Directory send OK.
ftp> get note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 0,000452 seconds (231 kbytes/s)
```
Let's see what is in the note.
```
cat ~/note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
```

Now we have 3 usernames: harry, Elly and John. We have to connect as Elly to find the `payload information`.
```bash
# If not running interactively, don't do anything
case $- in
    *i*) ;;
      *) return;;
esac

# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth

# append to the history file, don't overwrite it
shopt -s histappend

# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000

# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize

# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar

# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"

# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
    debian_chroot=$(cat /etc/debian_chroot)
fi

# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
    xterm-color|*-256color) color_prompt=yes;;
esac

# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes

if [ -n "$force_color_prompt" ]; then
    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
        # We have color support; assume it's compliant with Ecma-48
        # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
        # a case would tend to support setf rather than setaf.)
        color_prompt=yes
    else
        color_prompt=
    fi
fi

if [ "$color_prompt" = yes ]; then
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
```
.profile
```bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
        . "$HOME/.bashrc"
    fi
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin:$PATH"
fi
```
Browsing
On port 12380 we find this page.

The page contains this comment: A message from the head of our HR department, Zoe, if you are looking at this, we want to hire you!
Now we have 5 usernames: harry, Elly, Tim, John and Zoe.
Nikto on 12380
```
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ /phpmyadmin/: phpMyAdmin directory found
+ "robots.txt" contains 2 entries which should be manually viewed.
```
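The two Nikto findings above are the classic robots.txt problem: a `Disallow` line keeps polite crawlers away, but it is also a public list of paths the owner considers sensitive, and here both of them answer 200 to anyone. The following Python helper is an added example (not part of the original walkthrough or of Nikto) that audits a robots.txt body the same way: it parses the `Disallow` entries and reports those the server still serves with HTTP 200. The robots.txt text and the path-to-status table are constructed so the example runs offline; in a real audit the `probe` callable would issue the HTTP requests.

```python
"""Audit robots.txt for Disallow entries that are actually reachable.

robots.txt is a crawler hint, not an access control: every Disallow line
is also a public list of paths worth protecting. This helper parses the
file and reports entries that answer 200 instead of 401/403/404.
"""
from typing import Callable, Dict, List

# Constructed sample, modelled on the two entries Nikto reported above.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin112233/
Disallow: /blogblog/
# staging area, should never be public
Disallow: /backup/
"""

# Constructed stand-in for live HTTP probing so the example runs offline.
SAMPLE_STATUS: Dict[str, int] = {
    "/admin112233/": 200,
    "/blogblog/": 200,
    "/backup/": 403,
}


def parse_disallow(robots_txt: str) -> List[str]:
    """Return the unique Disallow paths from a robots.txt body.

    Comments (#...) are stripped, field names are matched case-insensitively
    and an empty Disallow (which means "allow everything") is ignored.
    """
    paths: List[str] = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() == "disallow" and value and value not in paths:
            paths.append(value)
    return paths


def reachable_disallowed(robots_txt: str,
                         probe: Callable[[str], int]) -> List[str]:
    """Paths listed in Disallow that the server still serves with HTTP 200."""
    return [p for p in parse_disallow(robots_txt) if probe(p) == 200]


def audit(robots_txt: str = SAMPLE_ROBOTS,
          status: Dict[str, int] = SAMPLE_STATUS) -> List[str]:
    """Run the check against a status lookup; unknown paths count as 404."""
    return reachable_disallowed(robots_txt, lambda p: status.get(p, 404))


if __name__ == "__main__":
    for path in audit():
        print(f"[!] {path} is listed in robots.txt but returns 200; "
              "put it behind authentication or remove it")
```

The fix on the server side is never to rely on robots.txt for secrecy: anything listed there should sit behind authentication (or not exist on the public host at all), and the robots.txt entry then serves only its intended purpose of keeping crawlers out of the index.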
```
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
```

It's a Samba server.
I found nothing interesting in the backups. You can also use Nautilus to browse the SMB server and download files from it.
Exploit
Brute force metasploit
I ran a brute force with Metasploit using the rockyou wordlist and the user john, because he is the one who manages the website. The password is incorrect.
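From the defender's side, a wordlist run like the one above is loud: it lands in the web server's access log as a burst of POSTs to the login endpoint from a single client. The script below is an added example (not from the original walkthrough or from Metasploit) that detects that pattern with a per-IP sliding window over combined-format log lines. The log lines are constructed, and `/login` is an assumed endpoint name; the threshold and window are tuning knobs, not values taken from the page.

```python
"""Flag web login brute-force attempts from access-log lines.

Detection counterpart to a password-guessing run: group POSTs to the
login endpoint per source IP and alert when more than THRESHOLD of them
fall inside any WINDOW-second span.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

LOGIN_PATH = "/login"      # assumed endpoint name; the real one is site-specific
THRESHOLD = 10             # tuning knob: alert above this many POSTs ...
WINDOW = 60                # ... within this many seconds

# Apache/nginx "combined" log format (constructed sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def detect_bruteforce(lines: List[str], threshold: int = THRESHOLD,
                      window: int = WINDOW, path: str = LOGIN_PATH) -> Dict[str, int]:
    """Map each offending IP to the peak number of login POSTs seen in one window."""
    per_ip: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip malformed lines rather than crash
        ip, ts, method, req_path, _status = parsed
        if method == "POST" and req_path.split("?", 1)[0] == path:
            per_ip[ip].append(ts)

    alerts: Dict[str, int] = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        peak = 0
        # sliding window: advance `start` until the span fits in `window` seconds
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[ip] = peak
    return alerts


def _sample_lines() -> List[str]:
    """Constructed log: 12 rapid POSTs from 10.0.0.5, one normal user from 10.0.0.9."""
    lines = []
    for i in range(12):
        lines.append(f'10.0.0.5 - - [03/Jun/2016:10:00:{i:02d} +0000] '
                     f'"POST {LOGIN_PATH} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    lines.append('10.0.0.9 - - [03/Jun/2016:10:00:05 +0000] '
                 f'"GET {LOGIN_PATH} HTTP/1.1" 200 1024 "-" "Mozilla/5.0"')
    lines.append('10.0.0.9 - - [03/Jun/2016:10:00:07 +0000] '
                 f'"POST {LOGIN_PATH} HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ip, count in detect_bruteforce(_sample_lines()).items():
        print(f"[!] {ip}: {count} login POSTs within {WINDOW}s (threshold {THRESHOLD})")
```

The counter deliberately keys on POST volume rather than on status codes, because many login pages answer 200 to both good and bad passwords; the status is parsed anyway so a deployment can tighten the rule once it knows how its own application signals failure. Pair the alert with rate limiting or account lockout on the login endpoint so the detection has a response attached.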