FTP
Nmap discovered an FTP server on the target, port 21
The running service is vsftpd 3.0.3
Null Session
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/reconstruction/ftp]
└─$ ftp $IP
Connected to 192.168.209.103.
220 (vsFTPd 3.0.3)
Name (192.168.209.103:kali): ftp
331 Please specify the password.
Password: ftp
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Null session established
ftp> put test
local: test remote: test
229 Entering Extended Passive Mode (|||8866|)
550 Permission denied.
No write access
ftp> ls
229 Entering Extended Passive Mode (|||35995|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Apr 29 2020 WebSOC
-rw-r--r-- 1 0 0 137 Apr 29 2020 note.txt
226 Directory send OK.
note.txt
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||30354|)
150 Opening BINARY mode data connection for note.txt (137 bytes).
100% |*******************************************************************************************| 137 2.77 MiB/s 00:00 ETA
226 Transfer complete.
137 bytes received in 00:00 (5.59 KiB/s)
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/reconstruction/ftp]
└─$ cat note.txt
I've just setup the new WebSOC! This should hopefully help us catch these filthy hackers!
TODO: remove leftover passwords from testing
Mention of the WebSOC directory and of "leftover passwords from testing"
WebSOC
ftp> cd WebSOC
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||20560|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 3086771 Apr 29 2020 1.05.2020.pcap
-rw-r--r-- 1 0 0 869677 Apr 29 2020 29.04.2020.pcap
-rw-r--r-- 1 0 0 14579662 Apr 29 2020 30.04.2020.pcap
226 Directory send OK.
ftp> get 1.05.2020.pcap
local: 1.05.2020.pcap remote: 1.05.2020.pcap
229 Entering Extended Passive Mode (|||28906|)
150 Opening BINARY mode data connection for 1.05.2020.pcap (3086771 bytes).
0% | | 0 0.00 KiB/s --:-- ETAg100% |*******************************************************************************************| 3014 KiB 3.96 MiB/s 00:00 ETA
226 Transfer complete.
3086771 bytes received in 00:00 (3.86 MiB/s)
ftp> get 29.04.2020.pcap
local: 29.04.2020.pcap remote: 29.04.2020.pcap
229 Entering Extended Passive Mode (|||10216|)
150 Opening BINARY mode data connection for 29.04.2020.pcap (869677 bytes).
100% |*******************************************************************************************| 849 KiB 2.91 MiB/s 00:00 ETA
226 Transfer complete.
869677 bytes received in 00:00 (2.72 MiB/s)
ftp> get 30.04.2020.pcap
local: 30.04.2020.pcap remote: 30.04.2020.pcap
229 Entering Extended Passive Mode (|||26782|)
150 Opening BINARY mode data connection for 30.04.2020.pcap (14579662 bytes).
100% |*******************************************************************************************| 14237 KiB 4.65 MiB/s 00:00 ETA
226 Transfer complete.
14579662 bytes received in 00:03 (4.62 MiB/s)
Getting all 3 PCAP files.
29.04.2020.pcap
Opening it up in Wireshark
There appear to be payloads for XSS, SQLi, SSRF, etc. attacking the web application on port 8080
None appeared to have worked
N/A
30.04.2020.pcap
admin
Lots of brute-force attempts against the /login endpoint
The attacker never found the password
N/A
1.05.2020.pcap
Found it
Cleartext Password
1edfa9b54a7c0ec28fbc25babb50892e
The web application set the session cookie, which appears to be a JWT
Another identical authentication
Password Cracking
1edfa9b54a7c0ec28fbc25babb50892e
Additionally, the password appears to be a hash string
It was the MD5 hash of "what the fuck?"
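As an added example (not part of the original notes), the following Python script performs the same triage over HTTP requests reassembled from a capture: it counts login POSTs per source and username to surface the kind of brute force seen in 30.04.2020.pcap, and flags password fields that have the 32-hex-character shape of an MD5 digest, as in 1.05.2020.pcap. The requests, IP addresses and host names are constructed sample data; the only value reused from the write-up is the hash.

```python
import re
import urllib.parse
from collections import Counter

# Constructed sample: (source IP, raw HTTP request bytes) as they would look once
# reassembled from a capture of the web application on port 8080. Not real traffic.
FORM = b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
SAMPLE_REQUESTS = [
    ("10.0.0.5", b"POST /login HTTP/1.1\r\nHost: 10.0.0.2:8080\r\n" + FORM
                 + b"username=admin&password=" + pw)
    for pw in (b"admin", b"password", b"123456", b"letmein", b"qwerty", b"summer2020")
] + [
    ("10.0.0.9", b"GET /data/ HTTP/1.1\r\nHost: 10.0.0.2:8080\r\n\r\n"),
    # one login whose password field already holds the hash noted in the write-up
    ("10.0.0.9", b"POST /login HTTP/1.1\r\nHost: 10.0.0.2:8080\r\n" + FORM
                 + b"username=admin&password=1edfa9b54a7c0ec28fbc25babb50892e"),
]

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")  # shape of an MD5 digest


def parse_form_post(raw):
    """Return (path, form fields) for a urlencoded POST, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) < 2 or parts[0] != "POST":
        return None
    fields = dict(urllib.parse.parse_qsl(body.decode("latin-1"), keep_blank_values=True))
    return parts[1], fields


def analyse(requests, login_path="/login", threshold=5):
    """Count login POSTs per (source, username) and flag hash-shaped passwords."""
    attempts = Counter()
    hash_like = []
    for src, raw in requests:
        parsed = parse_form_post(raw)
        if parsed is None or parsed[0] != login_path:
            continue
        fields = parsed[1]
        user = fields.get("username", "")
        attempts[(src, user)] += 1
        password = fields.get("password", "")
        if HEX32.match(password):
            hash_like.append((src, user, password.lower()))
    brute_force = {key: n for key, n in attempts.items() if n >= threshold}
    return brute_force, hash_like


if __name__ == "__main__":
    bf, hashes = analyse(SAMPLE_REQUESTS)
    for (src, user), n in bf.items():
        print(f"brute force: {n} login attempts from {src} as {user!r}")
    for src, user, digest in hashes:
        print(f"hash-shaped password from {src} as {user!r}: {digest}")
```

With real captures, feed the script the request streams exported from Wireshark (Follow TCP Stream) or tshark rather than the constructed list.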
/data/
Another endpoint, /data/
Interestingly, some hex bytes are supplied: e0cdb98d8