Sunday 9 January 2022

FTP Enumeration and Exploitation

 


I am using the TryHackMe machines to enumerate and exploit the FTP server. The module is part of the Network Services lab, which is available to premium users only.

File Transfer Protocol is a protocol used to allow remote transfer of files over a network. It uses a client-server model to do this.

A typical FTP session operates using two channels:

  • a command (sometimes called the control) channel
  • a data channel.

As their names imply, the command channel is used for transmitting commands as well as replies to those commands, while the data channel is used for transferring data.

The FTP server may support either Active or Passive connections, or both. 

  • In an Active FTP connection, the client opens a port and listens. The server is required to actively connect to it. 
  • In a Passive FTP connection, the server opens a port and listens (passively), and the client connects to it. 

Enumeration:

Run an Nmap scan against the IP address. After a complete scan of the provided IP address, we can see that two ports are open: 21 and 80.



The FTP and HTTP ports are open. The FTP service version is vsftpd 2.0.8 or later, and on port 80 an HTTP service is running with the version Apache httpd 2.4.29.

Next, try to log in to the FTP server using the default username “anonymous” and no password, and look through the accessible files for sensitive information. In the screenshot below we can see a file named “PUBLIC_NOTICE.txt”. Fetch this .txt file from the FTP server. The command used to connect to the FTP server is:

                            ftp 10.10.61.190



As shown in the screenshot below, open the .txt file and search it for sensitive information.



Exploitation:

So, from our enumeration stage, we know:

    - There is an FTP server running on this machine

    - We have a possible username “Mike”

Using this information, we need to brute-force the password for the FTP server. Since we have a possible username, “mike”, we perform the brute force with hydra.

The command that we use is provided below:

    hydra -t 4 -l mike -P /usr/share/wordlists/rockyou.txt -vV 10.10.61.190 ftp

Let's break it down:

| SECTION | FUNCTION |
|---|---|
| hydra | Runs the hydra tool |
| -t 4 | Number of parallel connections per target |
| -l [user] | Points to the user whose account you're trying to compromise |
| -P [path to dictionary] | Points to the file containing the list of possible passwords |
| -vV | Sets verbose mode to very verbose, shows the login+pass combination for each attempt |
| [machine IP] | The IP address of the target machine |
| ftp / protocol | Sets the protocol |



After performing the brute force with hydra, we were able to get a password for the username mike. The password is “password”. Using this username and password, we log in to the FTP server again and search the files for sensitive information (in this case, the flag).
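
From the defender's side, the hydra run above shows up in the FTP server's log as a burst of failed logins for one user from one address, followed by a success. The following is an added example, not part of the original post, that flags that pattern; the log lines and client addresses are constructed, vsftpd's native log format is assumed, and the threshold and window values are arbitrary choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (assumed vsftpd native log format, not xferlog).
SAMPLE_LOG = """\
Sun Jan  9 10:14:40 2022 [pid 2090] [ftp] OK LOGIN: Client "10.10.14.9", anon password "?"
Sun Jan  9 10:15:01 2022 [pid 2101] CONNECT: Client "10.10.14.5"
Sun Jan  9 10:15:02 2022 [pid 2100] [mike] FAIL LOGIN: Client "10.10.14.5"
Sun Jan  9 10:15:02 2022 [pid 2102] [mike] FAIL LOGIN: Client "10.10.14.5"
Sun Jan  9 10:15:03 2022 [pid 2104] [mike] FAIL LOGIN: Client "10.10.14.5"
Sun Jan  9 10:15:03 2022 [pid 2106] [mike] FAIL LOGIN: Client "10.10.14.5"
Sun Jan  9 10:15:04 2022 [pid 2108] [alice] FAIL LOGIN: Client "10.10.14.7"
Sun Jan  9 10:15:04 2022 [pid 2110] [mike] FAIL LOGIN: Client "10.10.14.5"
Sun Jan  9 10:15:04 2022 [pid 2112] [mike] FAIL LOGIN: Client "10.10.14.5"
Sun Jan  9 10:15:05 2022 [pid 2114] [mike] OK LOGIN: Client "10.10.14.5"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Alert on (ip, user) pairs with >= threshold failed logins inside `window`
    and record whether a successful login for the same pair came afterwards."""
    recent = defaultdict(deque)      # (ip, user) -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # CONNECT, transfers and other events
        # Collapse the padded day field ("Jan  9") before parsing.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        key = (m["ip"], m["user"])
        if m["result"] == "FAIL":
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:    # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"ip": m["ip"], "user": m["user"],
                               "first_alert": ts, "compromised": False}
        elif key in alerts:
            # A success after the burst means the guessed password worked.
            alerts[key]["compromised"] = True
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

An alert with `compromised` set means the account's password should be rotated and the session's file activity reviewed, not just the source address blocked.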




There is a file named “ftp.txt” on the FTP server; after accessing the file we were able to view the flag.

 



