It’s been a while since I have done a write-up and I am happy to say I’m back with one! This is the 5th machine I’ve done for my OSCP preparation so let’s get started! Also, I have a few more write-ups in the bank so I’ll get to it ASAP uwu.
The first step is to find out what our target machine’s IP address is. We can do that with a host discovery scan of our network.
sudo nmap -sn -oN nmap_discovery 192.168.110.0/24
192.168.110.133 is our attacker machine’s IP address, so 192.168.110.139 is our target. Once the target has been identified, we can perform a port scan against it with the following:
sudo nmap -sC -sV -Pn -p- 192.168.110.139 -oN nmap_port_scan
-sC: Run nmap’s default scripts
-sV: Service and version detection
-Pn: Skip host discovery and treat the host as up
-p-: Scan all 65535 ports
-oN: Write the output file in normal format
The results of the port scan reveal that these services are being hosted on the target:
- a Web Server
With FTP, let’s see whether it allows anonymous logins.
And it does! Listing the directory, we can see a download folder and an upload folder.
The download folder does not contain anything useful. However, the upload directory has a file which contains the directory listing of a user.
Okay, breaking the fourth wall a bit, I actually have done this box before and this is the second time I’m doing it so I kinda know where to proceed.
At this point, I was stuck so I gave up on the FTP server route for initial foothold and took a look at the web server.
With a web server available, directory brute forcing would be our next step. I used gobuster to enumerate the directories on the web server:
gobuster dir -u http://192.168.110.139 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.html,.js,.css,.txt -t 100 -o directory_brute
dir : Uses gobuster’s directory brute-forcing mode
-u : The target’s URL
-w : The wordlist used to enumerate the web server’s directories
-x : Extensions added to the end of every word within the wordlist
-t : Threads used
-o : The output file
But I found nothing.
However, since we have the version of OSSEC, let’s check ExploitDB for any available exploits with the
-x : Examines the exploit file
-m : Copies the exploit file into the current directory
Again, I found nothing.
So, the last resort was brute-forcing. Knowing that there is a user named patrick, let’s brute-force the pop3 service. However, again, that was not possible.
Remember how I said I did this box before? Well, a bit of Google searching eventually got me the answer on the second try lol
Going back to the nmap scan, we have the version of the FTP server being hosted. Doing some Google searching on how to exploit FTP servers, I found a very unique capability in ProFTPD 1.3.5.
If the vulnerability is present on 1.3.5, it could also be present on 1.2.10. So let’s try going that route.
Looking at the directory listing earlier, the version_control file looks interesting. Using nc to connect to the FTP server, we can use the following commands:
SITE CPFR : Selects a file on the target system to be copied
SITE CPTO : Selects the destination the chosen file is copied to
Note: The default directory for FTP files is in
Doing that allows us to read the contents of version_control.
Reading the file tells us the versions of the services hosted on the target, as well as the web server’s root directory, which is
Having the actual version of ProFTPd, let’s check ExploitDB for any available exploits with the
And there are exploits available for an initial foothold!
From here on out, I was tinkering with the 2 exploits that do not require Metasploit. It took a long time, but I managed to get it running thanks to t0kx’s exploit (which was not present in
Having read the available scripts over and over, I think I owe an explanation of what they all do.
Basically, since ProFTPd lets us copy files anywhere on the system, we can also create a web shell and copy it into the root of the web directory. That is why it mattered that version_control gave us the web server’s root directory.
With that, we are able to create a web shell!
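The SITE CPFR / SITE CPTO commands above and the copy-into-web-root trick just described are exactly what a defender should be hunting for in FTP logs. The script below is an added example written for this write-up (not code from the post, from ProFTPD, or from t0kx’s exploit): it pairs each CPTO with the preceding CPFR from the same client and flags copies issued without a login, copies that leave the FTP tree, and copies that land in the web root. The log line layout, the FTP root /srv/ftp, the web root /var/www, and the log contents themselves are all constructed assumptions.

```python
"""Flag suspicious ProFTPD mod_copy usage (SITE CPFR / SITE CPTO) in an FTP command log.

Added example for this write-up, not code from the post or from ProFTPD. The log
format ("<timestamp> <client ip> <user> <command> [args]"), the FTP root /srv/ftp
and the web root /var/www are assumptions, and SAMPLE_LOG is constructed; a real
deployment would map its own ExtendedLog layout onto LINE_RE.
"""
import os
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<cmd>[A-Z]+)(?: (?P<arg>.*))?$"
)

# Constructed sample: an anonymous session copying inside the FTP tree, a session
# that never logged in ("-" user, an assumed log convention) copying an uploaded
# file into the web root, and a legitimate authenticated copy.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 anonymous USER anonymous
2024-01-01T10:00:02Z 10.0.0.5 anonymous PASS ****
2024-01-01T10:00:03Z 10.0.0.5 anonymous LIST
2024-01-01T10:00:05Z 10.0.0.5 anonymous SITE CPFR /srv/ftp/download/readme.txt
2024-01-01T10:00:06Z 10.0.0.5 anonymous SITE CPTO /srv/ftp/upload/readme.txt
2024-01-01T10:00:10Z 10.0.0.7 - SITE CPFR /srv/ftp/upload/shell.php
2024-01-01T10:00:11Z 10.0.0.7 - SITE CPTO /var/www/html/shell.php
2024-01-01T10:00:20Z 10.0.0.9 alice SITE CPFR /srv/ftp/alice/a.txt
2024-01-01T10:00:21Z 10.0.0.9 alice SITE CPTO /srv/ftp/alice/b.txt
"""


@dataclass
class Finding:
    ip: str
    user: str
    source: str
    dest: str
    reasons: tuple


def _inside(path: str, root: str) -> bool:
    """Lexical containment check: is `path` at or below `root` after normalisation?"""
    path, root = os.path.normpath(path), os.path.normpath(root)
    return path == root or path.startswith(root + os.sep)


def analyze(log_text: str, ftp_root: str = "/srv/ftp",
            sensitive_roots: tuple = ("/var/www",)) -> list:
    """Pair each SITE CPTO with the last SITE CPFR from the same client and report
    copies that are unauthenticated, leave the FTP tree, or land in a sensitive dir."""
    findings = []
    pending = {}  # client ip -> path named by that client's last CPFR
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m["cmd"] != "SITE":
            continue
        ip, user = m["ip"], m["user"]
        sub, _, path = (m["arg"] or "").partition(" ")
        sub = sub.upper()
        if sub == "CPFR":
            pending[ip] = path
        elif sub == "CPTO":
            src = pending.pop(ip, "?")  # "?" = CPTO seen without a CPFR
            reasons = []
            if user in ("-", "anonymous"):
                reasons.append("no authenticated login")
            if (src != "?" and not _inside(src, ftp_root)) or not _inside(path, ftp_root):
                reasons.append("leaves FTP root")
            for root in sensitive_roots:
                if _inside(path, root):
                    reasons.append(f"writes into {root}")
            if reasons:
                findings.append(Finding(ip, user, src, path, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ip} ({f.user}): {f.source} -> {f.dest}: {', '.join(f.reasons)}")
```

Run against the sample, the anonymous copy is reported once (no login) and the 10.0.0.7 session is reported with all three reasons, while alice’s copy inside her own tree is silent. On the hardening side, the fix for the box is the same as for any server running a vulnerable mod_copy: patch ProFTPD, or turn the module off (mod_copy’s documentation provides a CopyEngine directive for that) if nobody actually needs server-side copies.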
Now that we have remote code execution (RCE), let’s grab a reverse shell from PayloadsAllTheThings and start a listener on port 4444:
nc -lvnp 4444
The python reverse shell seems to work!
Let’s upgrade our shell to a more interactive one with:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Enumerating the web server’s directory, we found the credentials for patrick.
With those, we can switch to that user.
As our current user, let’s see whether we have any sudo capabilities with:
We can see that patrick can run the script
The script basically allows users to change the permissions of files and directories within the current directory. However, since it never checks that the supplied path stays inside that directory, we can use directory traversal to give the root folder read and write permissions.
Doing so gives us the flag!
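The privilege escalation works because the sudo script only joins the user-supplied name onto the current directory and trusts the result. As an added example (not the box’s script, whose source is not in this post), the snippet below reproduces that flaw in vulnerable_target() and puts the corrected check next to it: safe_target() resolves the path, follows symlinks, and refuses anything that ends up outside the working directory. The file names, the temporary directory and the hypothetical /home/patrick path in the comments are all constructed for the demo.

```python
"""Directory traversal in a "chmod only inside the current directory" helper.

Added example for this write-up, not the box's sudo script. vulnerable_target()
reproduces the flaw the post describes: join the user-supplied name onto the
working directory and trust the result, so "../../root" walks out of it.
safe_target() is the corrected check. demo() builds its files in a temp dir.
"""
import os
import stat
import tempfile


def vulnerable_target(base: str, name: str) -> str:
    """Join and trust: ".." segments in `name` escape `base` unchallenged."""
    return os.path.join(base, name)


def escapes(base: str, name: str) -> bool:
    """Purely lexical check (no filesystem access): does `name` leave `base`
    once '..' segments are collapsed? escapes('/home/patrick', '../../root') is True."""
    base_n = os.path.normpath(base)
    candidate = os.path.normpath(os.path.join(base_n, name))
    return os.path.commonpath([base_n, candidate]) != base_n


def safe_target(base: str, name: str) -> str:
    """Resolve `name` under `base`, following symlinks, and refuse anything that
    ends up outside `base` (a symlink inside `base` pointing elsewhere is caught too)."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, name))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"refusing {name!r}: resolves to {candidate!r}, outside {base_real!r}")
    return candidate


def safe_chmod(base: str, name: str, mode: int) -> int:
    """chmod `name` only if it stays inside `base`; returns the resulting permission bits."""
    target = safe_target(base, name)
    os.chmod(target, mode)
    return stat.S_IMODE(os.stat(target).st_mode)


def demo() -> dict:
    """Create a work dir with a file and an escaping symlink, then compare both checks."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        work = os.path.join(tmp, "work")
        outside = os.path.join(tmp, "outside")
        os.mkdir(work)
        os.mkdir(outside)
        with open(os.path.join(work, "notes.txt"), "w"):
            pass
        os.symlink(outside, os.path.join(work, "link"))

        # The vulnerable join happily yields a path outside the work dir.
        results["vuln_escape"] = (
            os.path.normpath(vulnerable_target(work, "../outside")) == os.path.normpath(outside)
        )
        # The hardened resolver accepts the in-tree file and rejects both escapes.
        results["chmod_mode"] = safe_chmod(work, "notes.txt", 0o600)
        for name in ("../outside", "link"):
            try:
                safe_target(work, name)
                results[name] = "allowed"
            except ValueError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The lexical escapes() check is enough to stop the "../../root" trick from the box, but a script that runs as root also has to worry about symlinks planted inside the working directory, which is why safe_target() compares realpath() results rather than the typed string.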
So with that said, I really liked this box because it introduced me to a new vulnerability in ProFTPd servers. Even though I kinda knew how to get into the box, doing it a second time taught me that enumeration is key, through Uncle Google (yes, imma call Google that).