Not shown: 997 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0) 80/tcp open http gunicorn <snip>
Anonymous login not allowed.
![[Pasted image 20210619055406.png]]
Seems that the server sniffs the packets between it and my pc for 5 seconds.. And notice the url http://10.10.10.245/data/11 ![[Pasted image 20210619055654.png]] When trying to change the value to something like 1 to get the first captured packets (maybe it contains ftp credentials). http://10.10.10.245/data/1 and downloaded the pcap file and opened it. ![[Pasted image 20210619060109.png]] ![[Pasted image 20210619060123.png]] Seems like there is nothing usefull here. So looking at the other pages..
It just executes ifconfig, nothing here too. ![[Pasted image 20210619060223.png]]
Here it executes netstat command which shows us the same result as our nmap scan, nothing useful too. ![[Pasted image 20210619060330.png]]
But after a second i just tried to put 0 instead of 1 (maybe the administrator of the server starts naming the pcap files from 0).
And that's true, i got a different file. So lets download it and filter with FTP. ![[Pasted image 20210619060617.png]]
And we got some packets that has username and password for FTP. ![[Pasted image 20210619060857.png]]
Lets login to FTP using these credentials (nathan:Buck3tH4TF0RM3!)
Logged in successfully! ![[Pasted image 20210619061050.png]]
Also DON'T FORGET to try same credentials on different services. ddd Trying save creds on SSH and successfully logged in.. ![[Pasted image 20210619063241.png]]
Doing some enumeration, found interesting lines on /var/www/html/app.py os.setuid(0) needs root privileges to be executed but the file (app.py) is being run by user nathan. ![[Pasted image 20210619065359.png]] ![[Pasted image 20210619065005.png]]
So for sure python has cap_setuid capability. ![[Pasted image 20210619065305.png]] ![[Pasted image 20210619065814.png]]
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
![[Pasted image 20210619070029.png]]