FTP


Nmap initially discovered an FTP server running on the target port 21. The service running is vsftpd 3.0.3.

┌──(kali㉿kali)-[~/archive/htb/labs/sneakymailer]
└─$ ftp $IP
Connected to 10.10.10.197.
220 (vsFTPd 3.0.3)
name (10.10.10.197:kali): anonymous
530 Permission denied.
ftp: Login failed

The target FTP server does not allow anonymous login.

developer


┌──(kali㉿kali)-[~/archive/htb/labs/sneakymailer]
└─$ ftp $IP
Connected to 10.10.10.197.
220 (vsFTPd 3.0.3)
Name (10.10.10.197:kali): developer
331 Please specify the password.
Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

Using the newly reset credential for the paulbyrd user, I am able to authenticate to the FTP server.

ftp> ls
229 Entering Extended Passive Mode (|||54022|)
150 Here comes the directory listing.
drwxrwxr-x    8 0        1001         4096 Jun 30  2020 dev
226 Directory send OK.

There is a directory named dev.

ftp> cd dev
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||5489|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 May 26  2020 css
drwxr-xr-x    2 0        0            4096 May 26  2020 img
-rwxr-xr-x    1 0        0           13742 Jun 23  2020 index.php
drwxr-xr-x    3 0        0            4096 May 26  2020 js
drwxr-xr-x    2 0        0            4096 May 26  2020 pypi
drwxr-xr-x    4 0        0            4096 May 26  2020 scss
-rwxr-xr-x    1 0        0           26523 May 26  2020 team.php
drwxr-xr-x    8 0        0            4096 May 26  2020 vendor
226 Directory send OK.

The structure of the dev directory suggests that it might be the web root of the virtual host dev.sneakycorp.htb.

┌──(kali㉿kali)-[~/archive/htb/labs/sneakymailer]
└─$ echo 'testing' > test.txt
 
ftp> put test.txt 
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||48431|)
150 Ok to send data.
100% |**********************|     8      126.00 KiB/s    00:00 ETA
226 Transfer complete.
8 bytes sent in 00:00 (0.13 KiB/s)

I will put a testing file to confirm the theory.
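The mode bits in the listings above explain why the upload was accepted and show which directories an administrator should review. The following is an added example, not part of the original notes. It parses the listing lines and reports where a given account may create files, and it assumes that the FTP account is a member of gid 1001 (the uid value is constructed).

```python
import re
from typing import NamedTuple

# Listing lines copied from the session above (vsftpd prints numeric uid/gid).
LISTING = """\
drwxrwxr-x    8 0        1001         4096 Jun 30  2020 dev
drwxr-xr-x    2 0        0            4096 May 26  2020 css
-rwxr-xr-x    1 0        0           13742 Jun 23  2020 index.php
drwxr-xr-x    2 0        0            4096 May 26  2020 pypi
"""

class Entry(NamedTuple):
    mode: str
    uid: int
    gid: int
    name: str

LINE_RE = re.compile(
    r"^([-dl][-rwxsStT]{9})\s+\d+\s+(\d+)\s+(\d+)\s+\d+\s+\w{3}\s+\d+\s+[\d:]+\s+(.+)$")

def parse_listing(text):
    """Turn 'ls -l' style lines into Entry tuples; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)))
    return entries

def can_create_in(entry, uid, gids):
    """True if the account may add files here (directory with write + search)."""
    if not entry.mode.startswith("d"):
        return False
    if uid == entry.uid:
        bits = entry.mode[1:4]      # owner triplet
    elif entry.gid in gids:
        bits = entry.mode[4:7]      # group triplet
    else:
        bits = entry.mode[7:10]     # other triplet
    return bits[1] == "w" and bits[2] in "xst"

def writable_dirs(text, uid, gids):
    return [e.name for e in parse_listing(text) if can_create_in(e, uid, gids)]

if __name__ == "__main__":
    # Assumption: the account has uid 1001 (constructed) and belongs to gid 1001.
    print(writable_dirs(LISTING, uid=1001, gids={1001}))
```

Only the group-writable dev directory is reported for that account, while the root-owned subdirectories under it are not. A web root that an FTP account can write to is the condition to look for when auditing a server like this one.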