So, today we are going to show you can solve the Capture the Flag (CTF) My File Server 1, Vulnhub.com is a kind of which provides users with vulnerable applications/machines for there practice who has a experience in the field of information security. You can check our previous articles for more CTF challenges.
Please note: For all of these machines, I have used Oracle VirtualBox to run the downloaded VMs. I am using Kali Linux as an attacker machine for solving this CTF.
Note please: The victim and attacker machine IP addresses may be different, as per your network configuration.
After downloading the file server VM it will be our victim, or we run it in VirtualBox.
Now, the first step is to find out its IP address. On Kali — the attacker machine — I am using this command The netdiscover command output can be seen in the screenshot.
Our next step is to find the open ports and services available on the victim machine. For that I have used an nmap full-port scan for this purpose. Here is the output. The command we are using is nmap -p- 192.168.1.21 -sV.
There are a lot of open ports and services available on the target machine. I used this command for -sV switch for enumerating the version information of the identified services. This will help us identify vulnerable services to exploit.
We are good to go by exploring the open ports and services on the target machine. And the FTP port 21 was open, We are decided to start form there.
I tried to connect to the victim machine’s FTP service by guessing common credentials and one worked.
Commands used: ftp 192.168.1.21 , ls
- Username: ftp
- Password: (none)
As we know that we can now have the FTP access on the target machine, I run the ls command to see the list of files and directories available for default user. I learn that there was one empty directory available on the target machine. I am trying to exploring the “pub” directory for further contents, but that was a dead end. After that, I checked the vsFTPd version.
As we know from Step 2 above, there is one more FTP port available on the target machine. Let’s check the FTP service on port 2121. I started with enumerating the FTP login with some default credentials and one of them worked.
- Username: anonymous
- Password: anonymous
As we can see above, we’ve got the anonymous user FTP access on port 2121 by using default credentials. This time it worked for me, as I was able to view the contents of files on the target machine. I used the ls command and was able to list the contents of the “log” directory from there.
I tried to look for an available exploit for the FTP service running through this port. The FTP version which is running on this port was: ProFTPD 1.3.5 Server. I found some useful exploits on Google for this version of the FTP service.
After exploring the FTP ports to get into the target machine, I shifted my attention to the HTTP port 80. I opened the target machine IP address into the browser and there was a simple webpage.
I chose the nikto vulnerability scanner which is by default available on Kali Linux and is used for scanning the host for web-based files and vulnerabilities.
As we can see, there is an interesting text file available on the target machine. When I opened this file on the browser, there was a password mentioned.
We have explored the FTP ports and HTTP port, but there are still five open ports remaining to be checked. Next, I started with the SMB service which was running on the port 445 on the target machine.
I used the smbmap utility, which is available in Kali Linux by default. It is basically used to enumerate the SMB server.
SSH on port 22 was open on the target machine, so I tried to login to the target machine with the username and password through SSH:
The same username and password with the FTP service on port 21, and this time it worked as I was able to log into the target system through FTP
After logging into FTP, I used the pwd command to check the current directory. It showed that the current directory was “/home/smbuser”. In the next step, we will use this information for gaining user access on the target machine.
This completes this CTF challenge. We hope you learned a lot from it!
My File Server:1, VulnHub