nmap scan:
So we have FTP open, along with SSH and port 80. Let’s see what’s on the web page:
So if we have a specific codename, we can get to a secret page. The codename is probably in the form user-{name} or something like that.
If we need to set a codename, perhaps we can use Burp’s Intruder to do so. If we intercept the request, we can see something like the following, which points to the User-Agent header.
We can change this header using Burp Intruder and manually set a payload list that includes all the different characters, because we know that there is already a user with the name R.
We get a redirect when the header is set to C, so this likely leads somewhere else on the site. The response contains a URL we can navigate to, which redirects to this:
So we know there is Chris (Agent C), there is also an Agent J, and Chris’ password is weak.
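Seen from the server side, the User-Agent fuzzing above leaves a clear trace: one client sending many different, very short User-Agent values in a row. The following is an added example, not part of the original write-up, that flags this pattern in web access logs. The log lines are constructed, and the combined log format, the thresholds and the function name `find_ua_enumeration` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (assumption: the web
# server logs the User-Agent as the last quoted field).
SAMPLE_LOG = """\
10.10.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 218 "-" "A"
10.10.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 218 "-" "B"
10.10.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 302 0 "-" "C"
10.10.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 218 "-" "D"
10.10.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 218 "-" "E"
10.10.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 218 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def find_ua_enumeration(log_text, min_distinct=5, max_ua_len=3):
    """Return {ip: {"agents": [...], "redirects": [(ua, path), ...]}} for
    clients that sent at least min_distinct different short User-Agents."""
    short_agents = defaultdict(set)
    redirects = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ua = m["ua"]
        if len(ua) > max_ua_len:
            continue  # real browsers send long User-Agent strings
        short_agents[m["ip"]].add(ua)
        # A 3xx answer shows which value the application treated differently.
        if m["status"].startswith("3"):
            redirects[m["ip"]].append((ua, m["path"]))
    return {ip: {"agents": sorted(agents), "redirects": redirects[ip]}
            for ip, agents in short_agents.items()
            if len(agents) >= min_distinct}

if __name__ == "__main__":
    for ip, hit in find_ua_enumeration(SAMPLE_LOG).items():
        print(ip, "tried", len(hit["agents"]), "short User-Agents;",
              "redirected on:", hit["redirects"])
```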
Now that we know Chris’ password is weak, we can try to brute force it. The TryHackMe room says to start with FTP, so we are going to brute force the FTP login with the following command:
hydra -l chris -P /usr/share/wordlists/rockyou.txt ftp://10.10.7.17
And we receive the following information:
Connect to FTP with the following: