FTP


Nmap discovered an FTP service running on the target's port 21.

┌──(kali㉿kali)-[~/archive/htb/labs/servmon]
└─$ ftp $IP
Connected to 10.10.10.184.
220 Microsoft FTP Service
name (10.10.10.184:kali): ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
password: 
230 User logged in.
Remote system type is Windows_NT.

The FTP server allows anonymous login.

ftp> ls
229 Entering Extended Passive Mode (|||49678|)
125 Data connection already open; Transfer starting.
02-28-22  06:35PM       <DIR>          Users
226 Transfer complete.
ftp> cd Users 
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49679|)
125 Data connection already open; Transfer starting.
02-28-22  06:36PM       <DIR>          Nadine
02-28-22  06:37PM       <DIR>          Nathan
226 Transfer complete.

There are 2 sub-directories under the Users directory, and they appear to correspond to the system users. It is quite possible that the FTP server is serving C:\Users.

ftp> cd Nadine
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49681|)
150 Opening ASCII mode data connection.
02-28-22  06:36PM                  168 Confidential.txt
226 Transfer complete.

/Users/Nadine/Confidential.txt appears to be an important piece of information. I will get it.

ftp> cd Nathan
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49684|)
125 Data connection already open; Transfer starting.
02-28-22  06:36PM                  182 Notes to do.txt
226 Transfer complete.

Nathan has a note.
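
From the server owner's side, the same listings can be audited automatically. The following is an added example, not part of the original write-up: it parses the MS-DOS-style LIST lines returned by the Microsoft FTP Service above and flags file names that should not be readable over anonymous FTP. The function names and the keyword list are assumptions.

```python
import re
from datetime import datetime

# MS-DOS style LIST line, e.g. "02-28-22  06:36PM       168 Confidential.txt"
LIST_RE = re.compile(r"^(\d{2}-\d{2}-\d{2})\s+(\d{2}:\d{2}[AP]M)\s+(<DIR>|\d+)\s+(.+?)\s*$")

# Assumption: keywords that mark a file name as unfit for an anonymous share.
SENSITIVE = ("password", "confidential", "secret", "cred", "notes")

def parse_list_line(line):
    """Return a dict for a listing entry, or None for status lines (229, 125, 226)."""
    m = LIST_RE.match(line)
    if not m:
        return None
    date, clock, size, name = m.groups()
    return {
        "name": name,  # may contain spaces, e.g. "Notes to do.txt"
        "is_dir": size == "<DIR>",
        "size": None if size == "<DIR>" else int(size),
        "modified": datetime.strptime(f"{date} {clock}", "%m-%d-%y %I:%M%p"),
    }

def audit(listings):
    """listings maps a remote directory to its raw LIST output; returns flagged files."""
    findings = []
    for directory, raw in listings.items():
        for entry in filter(None, map(parse_list_line, raw.splitlines())):
            hits = [k for k in SENSITIVE if k in entry["name"].lower()]
            if hits and not entry["is_dir"]:
                path = f"{directory.rstrip('/')}/{entry['name']}"
                findings.append((path, entry["size"], hits))
    return findings

# Sample input: listing output copied from the anonymous session on this page.
SAMPLE = {
    "/Users": "229 Entering Extended Passive Mode (|||49679|)\n"
              "02-28-22  06:36PM       <DIR>          Nadine\n"
              "02-28-22  06:37PM       <DIR>          Nathan\n"
              "226 Transfer complete.",
    "/Users/Nadine": "150 Opening ASCII mode data connection.\n"
                     "02-28-22  06:36PM                  168 Confidential.txt\n"
                     "226 Transfer complete.",
    "/Users/Nathan": "125 Data connection already open; Transfer starting.\n"
                     "02-28-22  06:36PM                  182 Notes to do.txt\n"
                     "226 Transfer complete.",
}

if __name__ == "__main__":
    for path, size, hits in audit(SAMPLE):
        print(f"anonymously readable: {path} ({size} bytes), matched {hits}")
```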

Confidential.txt


┌──(kali㉿kali)-[~/…/htb/labs/servmon/ftp]
└─$ cat Confidential.txt 
Nathan,
 
I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.
 
Regards
 
Nadine

Confidential.txt is a note from Nadine to Nathan. It says that Nadine left Nathan’s Passwords.txt file on his Desktop, and asks him to remove it once he has edited it himself and to place it back into the secure folder.

That’s a lot of information without context for now.

Notes to do.txt


┌──(kali㉿kali)-[~/…/htb/labs/servmon/ftp]
└─$ cat Notes\ to\ do.txt 
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

This to-do list implies that the target machine uses NSClient, NVMS, and SharePoint.

  • NSClient is a monitoring daemon built for Nagios/Icinga/Naemon
  • NVMS is management software for surveillance cameras
  • SharePoint is a web-based collaborative platform