FTP


Nmap discovered an FTP server on the target, port 21. The running service is vsftpd 3.0.5

Null Session


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vmdak]
└─$ ftp ftp@$IP  
Connected to 192.168.125.103.
220 (vsFTPd 3.0.5)
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

The target FTP server allows anonymous access

ftp> put test 
local: test remote: test
229 Entering Extended Passive Mode (|||39631|)
550 Permission denied.

Write access is denied

ftp> ls
229 Entering Extended Passive Mode (|||31912|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0            1752 Sep 19  2024 config.xml
226 Directory send OK.
 
ftp> get config.xml
local: config.xml remote: config.xml
229 Entering Extended Passive Mode (|||41697|)
150 Opening BINARY mode data connection for config.xml (1752 bytes).
100% |*******************************************************************************************|  1752       35.54 MiB/s    00:00 ETA
226 Transfer complete.
1752 bytes received in 00:00 (77.25 KiB/s)

It contains a single file: config.xml

config.xml


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vmdak]
└─$ cat config.xml                                                    
<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <disabledAdministrativeMonitors/>
  <version>2.401.2</version>
  <numExecutors>2</numExecutors>
  <mode>NORMAL</mode>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
  <disableRememberMe>false</disableRememberMe>
  <projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
  <workspaceDir>${JENKINS_HOME}/workspace/${ITEM_FULL_NAME}</workspaceDir>
  <buildsDir>${ITEM_ROOTDIR}/builds</buildsDir>
  <jdks/>
  <viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
  <myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
  <clouds/>
  <InitialRootPassword>/root/.jenkins/secrets/initialAdminPassword></InitialRootPassword>
  <scmCheckoutRetryCount>0</scmCheckoutRetryCount>
  <views>
    <hudson.model.AllView>
      <owner class="hudson" reference="../../.."/>
      <name>all</name>
      <filterExecutors>false</filterExecutors>
      <filterQueue>false</filterQueue>
      <properties class="hudson.model.View$PropertyList"/>
    </hudson.model.AllView>
  </views>
  <primaryView>all</primaryView>
  <slaveAgentPort>-1</slaveAgentPort>
  <label></label>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
  </crumbIssuer>
  <nodeProperties/>
  <globalNodeProperties/>
  <nodeRenameMigrationNeeded>false</nodeRenameMigrationNeeded>
</hudson>

The config.xml file is a configuration file used by Jenkins

The version information is disclosed: 2.401.2

The InitialRootPassword element has an interesting value: it holds the path /root/.jenkins/secrets/initialAdminPassword
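
The same review of config.xml can be scripted when auditing what a file share exposes. The following is an added example, not part of the original notes: it parses a trimmed copy of the file shown above and reports the version disclosure, the anonymous-read setting and any element that references secret material. The function name and the keyword list are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Trimmed copy of the config.xml shown above (same values, fewer elements).
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <version>2.401.2</version>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
  <InitialRootPassword>/root/.jenkins/secrets/initialAdminPassword></InitialRootPassword>
</hudson>
"""

# Assumed keyword list for spotting references to secret material.
SENSITIVE = re.compile(r"passw|secret|token|credential", re.I)


def review_jenkins_config(xml_text):
    """Return (element, value, note) findings for an exposed Jenkins config.xml."""
    # The file declares XML 1.1; drop the declaration so XML 1.0-only parsers accept it.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))

    def text(path):
        return (root.findtext(path) or "").strip()

    findings = []
    if text("version"):
        findings.append(("version", text("version"), "exact version disclosed"))
    if text("useSecurity") != "true":
        findings.append(("useSecurity", text("useSecurity"), "security disabled"))
    if text("authorizationStrategy/denyAnonymousReadAccess") == "false":
        findings.append(("denyAnonymousReadAccess", "false", "anonymous read allowed"))
    if text("securityRealm/disableSignup") == "false":
        findings.append(("disableSignup", "false", "self-registration open"))
    # Element names or values that mention secrets should not sit on a readable share.
    for el in root.iter():
        value = (el.text or "").strip()
        if SENSITIVE.search(el.tag) or SENSITIVE.search(value):
            findings.append((el.tag, value, "references secret material"))
    return findings


if __name__ == "__main__":
    for tag, value, note in review_jenkins_config(SAMPLE):
        print(f"{tag:26} {value!r:48} {note}")
```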