FTP


Nmap discovered an FTP server on target port 2112. The banner identifies the service as ProFTPD.

Anonymous Login


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/potato]
└─$ ftp ftp@$IP 2112
Connected to 192.168.120.101.
220 ProFTPD Server (Debian) [::ffff:192.168.120.101]
331 Anonymous login ok, send your complete email address as your password
Password: 
230-Welcome, archive user ftp@192.168.45.235 !
230-
230-The local time is: Sun Apr 27 16:12:57 2025
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.

The target FTP server allows anonymous access: the `ftp` user is let in, and the e-mail address the 331 reply asks for as a password is not verified.

ftp> put test
local: test remote: test
229 Entering Extended Passive Mode (|||52221|)
550 test: Operation not permitted

No write access: the upload is refused with 550, so the anonymous share is read-only.

ftp> ls
229 Entering Extended Passive Mode (|||10183|)
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 ftp      ftp           901 Aug  2  2020 index.php.bak
-rw-r--r--   1 ftp      ftp            54 Aug  2  2020 welcome.msg
226 Transfer complete

Two files are available; both are worth pulling, and the .bak file in particular is a classic leftover copy of a live page.
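The manual steps above (anonymous login, directory listing, spotting and fetching the backup file) are the kind of thing worth scripting for every FTP port found in a scan. The following is an added example, not code from the original write-up or from the target: it tries an anonymous login with Python's standard ftplib, parses the Unix-style LIST output, flags names that look like backups or archives, and downloads the files read-only. The host and port are taken from the write-up; the output directory name, the interesting-extension list and the sample listing embedded for offline use are assumptions/constructed.

```python
#!/usr/bin/env python3
"""Added example (not part of the original write-up): audit an FTP server for
anonymous access, list the root directory, flag backup-looking files such as
index.php.bak and download everything read-only."""
import os
import re
from ftplib import FTP, error_perm

# Name patterns that usually mean "leftover copy of something sensitive".
# This list is an assumption; extend it to taste.
INTERESTING = re.compile(
    r"(\.bak|\.old|\.orig|\.save|\.swp|~|\.sql|\.zip|\.tar(\.gz)?)$", re.I
)

# Unix-style LIST line, e.g.
# -rw-r--r--   1 ftp      ftp           901 Aug  2  2020 index.php.bak
LIST_RE = re.compile(
    r"^(?P<perms>[-dlrwxsStT]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<date>\w{3}\s+\d{1,2}\s+[\d:]{4,5})\s+(?P<name>.+)$"
)

# Constructed sample: the listing seen on the target plus one made-up directory,
# so the parser can be exercised without a live server.
SAMPLE_LISTING = [
    "-rw-r--r--   1 ftp      ftp           901 Aug  2  2020 index.php.bak",
    "-rw-r--r--   1 ftp      ftp            54 Aug  2  2020 welcome.msg",
    "drwxr-xr-x   2 ftp      ftp          4096 Aug  2  2020 pub",
]


def parse_listing(lines):
    """Turn LIST output into dicts; lines that are not Unix-style entries are skipped."""
    entries = []
    for line in lines:
        m = LIST_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "name": m.group("name"),
            "size": int(m.group("size")),
            "is_dir": m.group("perms").startswith("d"),
            "interesting": bool(INTERESTING.search(m.group("name"))),
        })
    return entries


def interesting_files(entries):
    """Names of regular files that look like backups/archives, i.e. what to read first."""
    return [e["name"] for e in entries if not e["is_dir"] and e["interesting"]]


def anonymous_audit(host, port=21, outdir="loot", download=True):
    """Try an anonymous login; on success list '/' and optionally fetch every file.

    Returns (allowed, entries). Only LIST/RETR are used, so nothing is written
    to the server.
    """
    ftp = FTP()
    ftp.connect(host, port, timeout=10)
    try:
        try:
            # ProFTPD asks for an e-mail address as the password but does not check it.
            ftp.login("anonymous", "anon@example.com")
        except error_perm:
            return False, []
        lines = []
        ftp.retrlines("LIST", lines.append)
        entries = parse_listing(lines)
        if download:
            os.makedirs(outdir, exist_ok=True)
            for e in entries:
                if e["is_dir"]:
                    continue
                target = os.path.join(outdir, os.path.basename(e["name"]))
                with open(target, "wb") as fh:
                    ftp.retrbinary("RETR " + e["name"], fh.write)
        return True, entries
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()


if __name__ == "__main__":
    # Target host/port from the write-up.
    ok, found = anonymous_audit("192.168.120.101", 2112)
    print("anonymous login:", "allowed" if ok else "denied")
    for name in interesting_files(found):
        print("interesting:", name)
```

Run it against the target and it drops both files into ./loot and prints index.php.bak as the file to read first; on a server that rejects anonymous logins it returns (False, []) instead of raising.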

welcome.msg


ftp> more welcome.msg
Welcome, archive user %U@%R !
 
The local time is: %T

Nothing useful here: this is only the ProFTPD login banner template (%U, %R and %T are ProFTPD's cookies for the username, remote host and local time, which produced the 230 banner seen above).

index.php.bak


ftp> more index.php.bak
<html>
<head></head>
<body>
 
<?php
 
$pass= "potato"; //note Change this password regularly
 
if($_GET['login']==="1"){
  if (strcmp($_POST['username'], "admin") == 0  && strcmp($_POST['password'], $pass) == 0) {
    echo "Welcome! </br> Go to the <a href=\"dashboard.php\">dashboard</a>";
    setcookie('pass', $pass, time() + 365*24*3600);
  }else{
    echo "<p>Bad login/password! </br> Return to the <a href=\"index.php\">login page</a> <p>";
  }
  exit();
}
?>
 
 
  <form action="index.php?login=1" method="POST">
                <h1>Login</h1>
                <label><b>User:</b></label>
                <input type="text" name="username" required>
                </br>
                <label><b>Password:</b></label>
                <input type="password" name="password" required>
                </br>
                <input type="submit" id='submit' value='Login' >
  </form>
</body>
</html>
  • The index.php.bak file is a backup copy of index.php, the login page
  • It leaks the hard-coded credential admin:potato (the comment even notes the password is supposed to be changed regularly)
    • index.php?login=1 is the login endpoint; it expects username and password as POST fields
    • A successful login sets a cookie pass=<password> valid for a year and points to dashboard.php, so that cookie is likely what the dashboard checks
  • Side note on the code itself: both checks are strcmp(...) == 0, a loose comparison. In PHP 7 and earlier, sending the field as an array (e.g. password[]=x) makes strcmp() return NULL with a warning, and NULL == 0 is true, so the check could be bypassed even without knowing the password. Not needed here, since the password is leaked outright.

This appears to be the backup of the login page served under the /admin/ endpoint on the web server.