FTP


Nmap discovered an FTP server on target port 30021. The running service is FileZilla ftpd 0.9.41 beta.

Null Session


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/medjed]
└─$ ftp -P 30021 anonymous@$IP   
Connected to 192.168.156.127.
220-FileZilla Server version 0.9.41 beta
220-written by Tim Kosse (Tim.Kosse@gmx.de)
220 Please visit http://sourceforge.net/projects/filezilla/
331 Password required for anonymous
Password: 
230 Logged on
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

Null session established as the anonymous user.

ftp> put test 
local: test remote: test
229 Entering Extended Passive Mode (|||54064|)
550 Permission denied

No write access for the anonymous user.

ftp> ls -la
229 Entering Extended Passive Mode (|||53423|)
150 Connection accepted
-r--r--r-- 1 ftp ftp            536 Nov 03  2020 .gitignore
drwxr-xr-x 1 ftp ftp              0 Nov 03  2020 app
drwxr-xr-x 1 ftp ftp              0 Nov 03  2020 bin
drwxr-xr-x 1 ftp ftp              0 Nov 03  2020 config
-r--r--r-- 1 ftp ftp            130 Nov 03  2020 config.ru
drwxr-xr-x 1 ftp ftp              0 Nov 03  2020 db
-r--r--r-- 1 ftp ftp           1750 Nov 03  2020 Gemfile
drwxr-xr-x 1 ftp ftp              0 Nov 03  2020 lib
drwxr-xr-x 1 ftp ftp              0 Nov 03  2020 log
-r--r--r-- 1 ftp ftp             66 Nov 03  2020 package.json
drwxr-xr-x 1 ftp ftp              0 Nov 03  2020 public
-r--r--r-- 1 ftp ftp            227 Nov 03  2020 Rakefile
-r--r--r-- 1 ftp ftp            374 Nov 03  2020 README.md
drwxr-xr-x 1 ftp ftp              0 Nov 03  2020 test
drwxr-xr-x 1 ftp ftp              0 Nov 03  2020 tmp
drwxr-xr-x 1 ftp ftp              0 Nov 03  2020 vendor
226 Transfer OK

The FTP root appears to be the root directory of a web application, most likely the Ruby web application on target port 33033.

package.json


ftp> more package.json
{
  "name": "Profiles",
  "private": true,
  "dependencies": {}
}

Gemfile


ftp> more Gemfile
source 'https://rubygems.org'
 
git_source(:github) do |repo_name|
  repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
  "https://github.com/#{repo_name}.git"
end
 
 
# Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
gem 'rails', '~> 5.1.3'
# Use sqlite3 as the database for Active Record
gem 'sqlite3'
# Use Puma as the app server
gem 'puma', '~> 3.7'
# Use SCSS for stylesheets
gem 'sass-rails', '~> 5.0'
# Use Uglifier as compressor for JavaScript assets
gem 'uglifier', '>= 1.3.0'
# See https://github.com/rails/execjs#readme for more supported runtimes
# gem 'therubyracer', platforms: :ruby
 
# Use CoffeeScript for .coffee assets and views
gem 'coffee-rails', '~> 4.2'
# Turbolinks makes navigating your web application faster. Read more: https://github.com/turbolinks/turbolinks
gem 'turbolinks', '~> 5'
# Build JSON APIs with ease. Read more: https://github.com/rails/jbuilder
gem 'jbuilder', '~> 2.5'
# Use Redis adapter to run Action Cable in production
# gem 'redis', '~> 3.0'
# Use ActiveModel has_secure_password
# gem 'bcrypt', '~> 3.1.7'
 
# Use Capistrano for deployment
# gem 'capistrano-rails', group: :development
 
group :development, :test do
  # Call 'byebug' anywhere in the code to stop execution and get a debugger console
  gem 'byebug', platforms: [:mri, :mingw, :x64_mingw]
  # Adds support for Capybara system testing and selenium driver
  gem 'capybara', '~> 2.13'
  gem 'selenium-webdriver'
end
 
group :development do
  # Access an IRB console on exception pages or by using <%= console %> anywhere in the code.
  gem 'web-console', '>= 3.3.0'
end
 
# Windows does not include zoneinfo files, so bundle the tzinfo-data gem
gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]

config


ftp> cd config
250 CWD successful. "/config" is current directory.
ftp> ls -la
229 Entering Extended Passive Mode (|||54180|)
150 Connection accepted
-r--r--r-- 1 ftp ftp            595 Nov 03  2020 application.rb
-r--r--r-- 1 ftp ftp            128 Nov 03  2020 boot.rb
-r--r--r-- 1 ftp ftp            154 Nov 03  2020 cable.yml
-r--r--r-- 1 ftp ftp            594 Nov 03  2020 database.yml
-r--r--r-- 1 ftp ftp            128 Nov 03  2020 environment.rb
drwxr-xr-x 1 ftp ftp              0 Nov 03  2020 environments
drwxr-xr-x 1 ftp ftp              0 Nov 03  2020 initializers
drwxr-xr-x 1 ftp ftp              0 Nov 03  2020 locales
-r--r--r-- 1 ftp ftp           2306 Nov 03  2020 puma.rb
-r--r--r-- 1 ftp ftp            139 Nov 03  2020 routes.rb
-r--r--r-- 1 ftp ftp           1277 Nov 03  2020 secrets.yml
226 Transfer OK

cable.yml


ftp> more cable.yml
development:
  adapter: async
 
test:
  adapter: async
 
production:
  adapter: redis
  url: redis://localhost:6379/1
  channel_prefix: Profiles_production

There might be an internal Redis instance (redis://localhost:6379/1) if the app runs in production mode.

database.yml


ftp> more database.yml
# SQLite version 3.x
#   gem install sqlite3
#
#   Ensure the SQLite 3 gem is defined in your Gemfile
#   gem 'sqlite3'
#
default: &default
  adapter: sqlite3
  pool: <%= ENV.fetch("RAILS_MAX_THREADS") { 5 } %>
  timeout: 5000
 
development:
  <<: *default
  database: db/development.sqlite3
 
# Warning: The database defined as "test" will be erased and
# re-generated from your development database when you run "rake".
# Do not set this db to the same as development or production.
test:
  <<: *default
  database: db/test.sqlite3
 
production:
  <<: *default
  database: db/production.sqlite3

It uses SQLite3, with one database file per environment:

  • db/development.sqlite3
  • db/test.sqlite3
  • db/production.sqlite3

environments


ftp> cd environments
250 CWD successful. "/config/environments" is current directory.
ftp> ls
229 Entering Extended Passive Mode (|||54205|)
150 Connection accepted
-r--r--r-- 1 ftp ftp           1900 Nov 03  2020 development.rb
-r--r--r-- 1 ftp ftp           3786 Nov 03  2020 production.rb
-r--r--r-- 1 ftp ftp           1766 Nov 03  2020 test.rb
226 Transfer OK

Three environment configurations:

development.rb

ftp> more development.rb
Rails.application.configure do
  # Settings specified here will take precedence over those in config/application.rb.
 
  # In the development environment your application's code is reloaded on
  # every request. This slows down response time but is perfect for development
  # since you don't have to restart the web server when you make code changes.
  config.cache_classes = false
 
  # Do not eager load code on boot.
  config.eager_load = false
 
  # Show full error reports.
  config.consider_all_requests_local = true
 
  # Enable/disable caching. By default caching is disabled.
  if Rails.root.join('tmp/caching-dev.txt').exist?
    config.action_controller.perform_caching = true
 
    config.cache_store = :memory_store
    config.public_file_server.headers = {
      'Cache-Control' => "public, max-age=#{2.days.seconds.to_i}"
    }
  else
    config.action_controller.perform_caching = false
 
    config.cache_store = :null_store
  end
 
  # Don't care if the mailer can't send.
  config.action_mailer.raise_delivery_errors = false
 
  config.action_mailer.perform_caching = false
 
  # Print deprecation notices to the Rails logger.
  config.active_support.deprecation = :log
 
  # Raise an error on page load if there are pending migrations.
  config.active_record.migration_error = :page_load
 
  # Debug mode disables concatenation and preprocessing of assets.
  # This option may cause significant delays in view rendering with a large
  # number of complex assets.
  config.assets.debug = true
 
  # Suppress logger output for asset requests.
  config.assets.quiet = true
 
  # Raises error for missing translations
  # config.action_view.raise_on_missing_translations = true
 
  # Use an evented file watcher to asynchronously detect changes in source code,
  # routes, locales, etc. This feature depends on the listen gem.
  # config.file_watcher = ActiveSupport::EventedFileUpdateChecker
end

N/A

production.rb

ftp> more production.rb
Rails.application.configure do
  # Settings specified here will take precedence over those in config/application.rb.
 
  # Code is not reloaded between requests.
  config.cache_classes = true
 
  # Eager load code on boot. This eager loads most of Rails and
  # your application in memory, allowing both threaded web servers
  # and those relying on copy on write to perform better.
  # Rake tasks automatically ignore this option for performance.
  config.eager_load = true
 
  # Full error reports are disabled and caching is turned on.
  config.consider_all_requests_local       = false
  config.action_controller.perform_caching = true
 
  # Attempt to read encrypted secrets from `config/secrets.yml.enc`.
  # Requires an encryption key in `ENV["RAILS_MASTER_KEY"]` or
  # `config/secrets.yml.key`.
  config.read_encrypted_secrets = true
 
  # Disable serving static files from the `/public` folder by default since
  # Apache or NGINX already handles this.
  config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present?
 
  # Compress JavaScripts and CSS.
  config.assets.js_compressor = :uglifier
  # config.assets.css_compressor = :sass
 
  # Do not fallback to assets pipeline if a precompiled asset is missed.
  config.assets.compile = false
 
  # `config.assets.precompile` and `config.assets.version` have moved to config/initializers/assets.rb
 
  # Enable serving of images, stylesheets, and JavaScripts from an asset server.
  # config.action_controller.asset_host = 'http://assets.example.com'
 
  # Specifies the header that your server uses for sending files.
  # config.action_dispatch.x_sendfile_header = 'X-Sendfile' # for Apache
  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX
 
  # Mount Action Cable outside main process or domain
  # config.action_cable.mount_path = nil
  # config.action_cable.url = 'wss://example.com/cable'
  # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]
 
  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
  # config.force_ssl = true
 
  # Use the lowest log level to ensure availability of diagnostic information
  # when problems arise.
  config.log_level = :debug
 
  # Prepend all log lines with the following tags.
  config.log_tags = [ :request_id ]
 
  # Use a different cache store in production.
  # config.cache_store = :mem_cache_store
 
  # Use a real queuing backend for Active Job (and separate queues per environment)
  # config.active_job.queue_adapter     = :resque
  # config.active_job.queue_name_prefix = "Profiles_#{Rails.env}"
  config.action_mailer.perform_caching = false
 
  # Ignore bad email addresses and do not raise email delivery errors.
  # Set this to true and configure the email server for immediate delivery to raise delivery errors.
  # config.action_mailer.raise_delivery_errors = false
 
  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
  # the I18n.default_locale when a translation cannot be found).
  config.i18n.fallbacks = true
 
  # Send deprecation notices to registered listeners.
  config.active_support.deprecation = :notify
 
  # Use default logging formatter so that PID and timestamp are not suppressed.
  config.log_formatter = ::Logger::Formatter.new
 
  # Use a different logger for distributed setups.
  # require 'syslog/logger'
  # config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new 'app-name')
 
  if ENV["RAILS_LOG_TO_STDOUT"].present?
    logger           = ActiveSupport::Logger.new(STDOUT)
    logger.formatter = config.log_formatter
    config.logger    = ActiveSupport::TaggedLogging.new(logger)
  end
 
  # Do not dump schema after migrations.
  config.active_record.dump_schema_after_migration = false
end

N/A

test.rb

ftp> more test.rb
Rails.application.configure do
  # Settings specified here will take precedence over those in config/application.rb.
 
  # The test environment is used exclusively to run your application's
  # test suite. You never need to work with it otherwise. Remember that
  # your test database is "scratch space" for the test suite and is wiped
  # and recreated between test runs. Don't rely on the data there!
  config.cache_classes = true
 
  # Do not eager load code on boot. This avoids loading your whole application
  # just for the purpose of running a single test. If you are using a tool that
  # preloads Rails for running tests, you may have to set it to true.
  config.eager_load = false
 
  # Configure public file server for tests with Cache-Control for performance.
  config.public_file_server.enabled = true
  config.public_file_server.headers = {
    'Cache-Control' => "public, max-age=#{1.hour.seconds.to_i}"
  }
 
  # Show full error reports and disable caching.
  config.consider_all_requests_local       = true
  config.action_controller.perform_caching = false
 
  # Raise exceptions instead of rendering exception templates.
  config.action_dispatch.show_exceptions = false
 
  # Disable request forgery protection in test environment.
  config.action_controller.allow_forgery_protection = false
  config.action_mailer.perform_caching = false
 
  # Tell Action Mailer not to deliver emails to the real world.
  # The :test delivery method accumulates sent emails in the
  # ActionMailer::Base.deliveries array.
  config.action_mailer.delivery_method = :test
 
  # Print deprecation notices to the stderr.
  config.active_support.deprecation = :stderr
 
  # Raises error for missing translations
  # config.action_view.raise_on_missing_translations = true
end

N/A

puma.rb


ftp> more puma.rb
# Puma can serve each request in a thread from an internal thread pool.
# The `threads` method setting takes two numbers: a minimum and maximum.
# Any libraries that use thread pools should be configured to match
# the maximum value specified for Puma. Default is set to 5 threads for minimum
# and maximum; this matches the default thread size of Active Record.
#
threads_count = ENV.fetch("RAILS_MAX_THREADS") { 5 }
threads threads_count, threads_count
 
# Specifies the `port` that Puma will listen on to receive requests; default is 3000.
#
port        ENV.fetch("PORT") { 3000 }
 
# Specifies the `environment` that Puma will run in.
#
environment ENV.fetch("RAILS_ENV") { "development" }
 
# Specifies the number of `workers` to boot in clustered mode.
# Workers are forked webserver processes. If using threads and workers together
# the concurrency of the application would be max `threads` * `workers`.
# Workers do not work on JRuby or Windows (both of which do not support
# processes).
#
# workers ENV.fetch("WEB_CONCURRENCY") { 2 }
 
# Use the `preload_app!` method when specifying a `workers` number.
# This directive tells Puma to first boot the application and load code
# before forking the application. This takes advantage of Copy On Write
# process behavior so workers use less memory. If you use this option
# you need to make sure to reconnect any threads in the `on_worker_boot`
# block.
#
# preload_app!
 
# If you are preloading your application and using Active Record, it's
# recommended that you close any connections to the database before workers
# are forked to prevent connection leakage.
#
# before_fork do
#   ActiveRecord::Base.connection_pool.disconnect! if defined?(ActiveRecord)
# end
 
# The code in the `on_worker_boot` will be called if you are using
# clustered mode by specifying a number of `workers`. After each worker
# process is booted, this block will be run. If you are using the `preload_app!`
# option, you will want to use this block to reconnect to any threads
# or connections that may have been created at application boot, as Ruby
# cannot share connections between processes.
#
# on_worker_boot do
#   ActiveRecord::Base.establish_connection if defined?(ActiveRecord)
# end
#
 
# Allow puma to be restarted by `rails restart` command.
plugin :tmp_restart

Puma falls back to the development environment unless RAILS_ENV is set.

secrets.yml


ftp> more secrets.yml
# Be sure to restart your server when you modify this file.
 
# Your secret key is used for verifying the integrity of signed cookies.
# If you change this key, all old signed cookies will become invalid!
 
# Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks.
# You can use `rails secret` to generate a secure secret key.
 
# Make sure the secrets in this file are kept private
# if you're sharing your code publicly.
 
# Shared secrets are available across all environments.
 
# shared:
#   api_key: a1B2c3D4e5F6
 
# Environmental secrets are only available for that specific environment.
 
development:
  secret_key_base: 36c569c923cac0e10cddd6588b468d09e82eb8a3a25cee7274f1a6680fb0cb19f6c1a64cad5c57923aa4b89675315c9202a5ff8db67f84a150668d6949cc0846
 
test:
  secret_key_base: be9463a08fe11dd60d1ff4bd361392f994f5365445b6685b86ac65fa08d1a2c8772068af773f31b758475849117a231dc51ac60f3a937539ceff9dc3a3668c48
 
# Do not keep production secrets in the unencrypted secrets file.
# Instead, either read values from the environment.
# Or, use `bin/rails secrets:setup` to configure encrypted secrets
# and move the `production:` environment over there.
 
production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

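The config tree above exposes a few things a reviewer would flag at once: literal secret_key_base values for development and test in secrets.yml, a Puma default of development, and force_ssl left commented out in production.rb. The following is an added example (not part of the original notes or of the target application) that audits trimmed, constructed copies of those files for exactly those conditions; the key values are obvious placeholders, not the ones pulled from the target.

```ruby
require 'yaml'

# Constructed samples standing in for the files read over FTP above;
# the secret values are placeholders ('ab'/'cd' repeated), not the real keys.
SECRETS_YML = <<~YAML
  development:
    secret_key_base: #{'ab' * 64}
  test:
    secret_key_base: #{'cd' * 64}
  production:
    secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
YAML

PUMA_RB = <<~RUBY
  port        ENV.fetch("PORT") { 3000 }
  environment ENV.fetch("RAILS_ENV") { "development" }
RUBY

PRODUCTION_RB = <<~RUBY
  Rails.application.configure do
    # config.force_ssl = true
    config.log_level = :debug
  end
RUBY

# Literal key material is anything that is not an ERB lookup of the environment.
def literal_secret?(value)
  value.is_a?(String) && !value.match?(/<%=.*ENV\b/)
end

# secrets.yml: flag every environment whose secret_key_base is stored verbatim.
def audit_secrets(yaml_text)
  data = YAML.safe_load(yaml_text) || {}
  data.each_with_object([]) do |(env, vals), out|
    next unless vals.is_a?(Hash) && literal_secret?(vals['secret_key_base'])
    out << "secrets.yml: #{env}.secret_key_base is a literal; treat it as leaked and rotate it"
  end
end

# puma.rb: the environment Puma uses when RAILS_ENV is unset (nil if no such line).
def puma_default_env(rb_text)
  m = rb_text.match(/^\s*environment\s+ENV\.fetch\("RAILS_ENV"\)\s*\{\s*"(\w+)"\s*\}/)
  m && m[1]
end

def audit_puma(rb_text)
  env = puma_default_env(rb_text)
  return [] if env.nil? || env == 'production'
  ["puma.rb: RAILS_ENV defaults to #{env}, so the #{env} secret_key_base signs live cookies"]
end

# production.rb: hardening left commented out or set to a noisy value.
def audit_production(rb_text)
  out = []
  out << 'production.rb: config.force_ssl is commented out' if rb_text.match?(/^\s*#\s*config\.force_ssl\s*=\s*true/)
  out << 'production.rb: config.log_level = :debug' if rb_text.match?(/^\s*config\.log_level\s*=\s*:debug/)
  out
end

# Run every check over a path => content hash and return all findings.
def audit_rails_config(files)
  findings = []
  findings.concat(audit_secrets(files['config/secrets.yml'])) if files['config/secrets.yml']
  findings.concat(audit_puma(files['config/puma.rb'])) if files['config/puma.rb']
  findings.concat(audit_production(files['config/environments/production.rb'])) if files['config/environments/production.rb']
  findings
end

SAMPLE_TREE = {
  'config/secrets.yml' => SECRETS_YML,
  'config/puma.rb' => PUMA_RB,
  'config/environments/production.rb' => PRODUCTION_RB
}.freeze

audit_rails_config(SAMPLE_TREE).each { |f| puts f } if __FILE__ == $PROGRAM_NAME
```

Pointing the hash at files downloaded from the FTP share (rather than the constructed samples) gives the same findings for a real tree.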
db


ftp> cd db
250 CWD successful. "/db" is current directory.
ftp> ls
229 Entering Extended Passive Mode (|||54267|)
150 Connection accepted
-r--r--r-- 1 ftp ftp            370 Nov 03  2020 seeds.rb
226 Transfer OK

The SQLite database files are nowhere to be found.

seeds.rb


ftp> more seeds.rb
# This file should contain all the record creation needed to seed the database with its default values.
# The data can then be loaded with the rails db:seed command (or created alongside the database with db:setup).
#
# Examples:
#
#   movies = Movie.create([{ name: 'Star Wars' }, { name: 'Lord of the Rings' }])
#   Character.create(name: 'Luke', movie: movies.first)

N/A

public


ftp> cd public
250 CWD successful. "/public" is current directory.
ftp> ls
229 Entering Extended Passive Mode (|||54359|)
150 Connection accepted
-r--r--r-- 1 ftp ftp           1722 Nov 03  2020 404.html
-r--r--r-- 1 ftp ftp           1705 Nov 03  2020 422.html
-r--r--r-- 1 ftp ftp           1635 Nov 03  2020 500.html
-r--r--r-- 1 ftp ftp              0 Nov 03  2020 apple-touch-icon-precomposed.png
-r--r--r-- 1 ftp ftp              0 Nov 03  2020 apple-touch-icon.png
-r--r--r-- 1 ftp ftp              0 Nov 03  2020 favicon.ico
-r--r--r-- 1 ftp ftp             98 Nov 03  2020 robots.txt
226 Transfer OK

It's relatively empty: only the default Rails error pages, empty icon files and robots.txt.