TryHackMe | Bounty Hacker

nmap scan: nmap -T4 -A 10.10.87.121

The scan shows ftp, ssh, and http open. Since anonymous access to ftp is allowed, let’s try that first.

We have 2 files here, locks.txt and task.txt.

So let’s get those files to the local machine with get locks.txt and get task.txt. You might also need to turn off passive mode with the passive command.

These are the contents of the two files. locks.txt has a bit more content, and it looks like a password list: the character substitutions are an attempt to make passwords complicated while keeping them somewhat human readable. We also know that lin is likely a user on the machine. With this information and a possible password list, we could try to brute force ssh using hydra, so let’s try that.

hydra -l lin -P locks.txt ssh://10.10.87.121 -v -t 4
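
On the defending side, a password-list run like the hydra command above shows up in the sshd log as a burst of failed passwords for one account from one source, sometimes ending in a success. The following is an added example, not part of the original writeup, that flags that pattern; the log lines are constructed and the threshold of 5 is an assumption.

```python
import re
from collections import defaultdict

# sshd password-auth result lines, e.g.
# "... sshd[123]: Failed password for lin from 192.0.2.10 port 40000 ssh2"
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def make_line(sec, result, user, src):
    """Build one constructed auth.log line (sample data, not real output)."""
    return (f"Jan 10 12:00:{sec:02d} host sshd[{1000 + sec}]: "
            f"{result} password for {user} from {src} port {40000 + sec} ssh2")

# Constructed sample: 8 failures then a success for lin from one source,
# plus a single mistyped password for ed that should not be flagged.
SAMPLE_LOG = "\n".join(
    [make_line(s, "Failed", "lin", "192.0.2.10") for s in range(8)]
    + [make_line(8, "Accepted", "lin", "192.0.2.10"),
       make_line(9, "Failed", "ed", "198.51.100.7"),
       make_line(10, "Accepted", "ed", "198.51.100.7")]
)

def detect_bruteforce(log_text, threshold=5):
    """Flag each (source, user) pair with at least `threshold` failed passwords.

    Counts over the whole input (no time window). `compromised` is set when
    an Accepted password for the same pair appears after the threshold is hit.
    """
    failures = defaultdict(int)
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["src"], m["user"])
        if m["result"] == "Failed":
            failures[key] += 1
            if failures[key] >= threshold:
                entry = findings.setdefault(
                    key, {"src": key[0], "user": key[1], "compromised": False})
                entry["failures"] = failures[key]
        elif key in findings:
            findings[key]["compromised"] = True
    return list(findings.values())

if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_LOG):
        print(finding)
```

A finding with compromised set to True is the case to escalate: the account's password was guessed and should be rotated, and the exposed password list removed from the anonymous ftp share.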

So we know that lin can run /bin/tar with sudo. The tar command manipulates archives, i.e. it stores and extracts files from a tape or disk archive. Not too sure how that could help us yet, so let’s take a look at port 80.

We may have a few possible users: spike, jet, ed, and ein. Let’s try gobuster on this URL:

gobuster dir -u http://10.10.87.121 -w /usr/share/wordlists/dirb/common.txt

Gobuster didn’t find any new information.

Furthermore, searching for tar files comes up empty because every attempt returns Permission Denied, so we need to get the tar file name from somewhere else. Or there may be no such files and we simply can’t get into the necessary directories. Here’s the command:

find / -name "*.tar" # search the whole filesystem, starting at /, for names ending in .tar