Lab Overview

10 Points

Welcome to the Stapler: 1 lab environment!

This lab is designed to enhance your penetration testing and ethical hacking skills. It emulates a realistic scenario, providing an excellent opportunity to apply techniques and methodologies for discovering and exploiting common security weaknesses.

 

In this lab, you'll follow a structured path to uncover vulnerabilities in the target machine, utilizing tactics like information gathering, enumeration, exploitation, and privilege escalation.

Each task will guide you step-by-step, helping you build a comprehensive understanding of the penetration testing workflow.

 

Attention: This lab, sourced from VulnHub, may contain inappropriate language or potentially offensive terms within the tasks, answers, or file contents. Please proceed with caution.

 

To identify the IP address of the target machine, observe the information displayed during the machine's boot process. In this lab, the IP address is 172.27.254.4.

Start with the first step, Information Gathering. Let's use nmap to discover open ports and services.

 

Nmap is a network mapper tool that helps identify the open ports and the service running on each port.

 

Tips and tricks:

"Always divide the port scanning process into two stages to save time. Start with an initial/standard scan to identify only the open ports, and then perform a comprehensive and in-depth scan of the open ports only"

Initial Scan Command: Open your terminal and run the following command:

nmap -p- 172.27.254.4

This command scans all ports and identifies the open ports.

-p-  Scan all 65535 ports.

 

Recommendation: 

Always use the -p- option to avoid missing hidden services that may run on unusual ports

 

There is a TCP port with an unknown service. What is the port number?

 

Full Match Answer:

Information Gathering: Nmap Scanning

10 Points

After identifying open ports, we can perform an advanced scan to gather detailed information on each service.

Open your terminal and type the following command:

nmap -sV -sC -A --script vuln -p 20,21,22,53,80,139,666,3306,12380 172.27.254.4

This command initiates an advanced nmap scan to enumerate information from the identified open ports:

-sV  Enables version detection.

-sC  Executes the default scripts, which enable service detection, vulnerability assessment, and more.

-A    Aggressive scan that enables OS detection, version detection, script scanning, and traceroute.

--script vuln  Runs vulnerability detection scripts.

-p  Specifies the individual ports to scan.

 

What is the version of the currently running FTP service? e.g. 1.0.3

Full Match Answer:

Exploring FTP

10 Points

The nmap scan results indicate that FTP (port 21) is open. FTP (File Transfer Protocol) is a protocol used for transferring files across a computer network in PLAIN TEXT, which can expose sensitive information if not secured.

Hint:

Due to misconfigurations, anonymous access may be allowed on the FTP server, potentially exposing files that contain sensitive data to unauthorized users.

 

Note:

Anonymous access means that we can log in by entering anonymous as both the username and the password. Let's check whether anonymous access is allowed.

 

There are several methods to determine whether anonymous access is allowed on an FTP server; in this case, we will utilize Metasploit.

 

Metasploit is an open-source penetration testing framework used for discovering, exploiting, and validating vulnerabilities in systems and applications.

 

Launch Metasploit: Open a terminal and type:

msfconsole

Select the FTP Anonymous Access Scanner, set the target IP, and run it:

msf > use auxiliary/scanner/ftp/anonymous
msf auxiliary(anonymous) > show options
msf auxiliary(anonymous) > set RHOSTS 172.27.254.4
msf auxiliary(anonymous) > run

Exit Metasploit by typing exit:

msf auxiliary(anonymous) > exit

 

A message indicates a successful connection using the anonymous user. What is the FTP banner message shown? (Remove commas , from your answer)

Full Match Answer:

Anonymous FTP Login

10 Points

After discovering that we can access the FTP server using anonymous login, follow these steps:

 

Open the terminal and enter the following command:

ftp 172.27.254.4

 

When prompted for login credentials, enter anonymous as both the username and password.

 

List files and directories using the ls command. What is the name of the existing file?

Full Match Answer:

FTP File Discovery

10 Points

The file we discovered in the previous task may contain important data. Download it using the following command:

get note

After downloading the file [note], type bye to disconnect from the FTP session. You will find the downloaded file in your current directory.

Read it and check for any useful information.

 

Recommendation:

During penetration testing, it is important to document any discovered usernames in a file, as they may be utilized later for brute-force attacks.

 

What are the two names referenced in the file? Answer in lowercase letters salim , ali

List of Answers:

Brute-forcing FTP Credentials

10 Points

Save the discovered usernames into a file (users.txt), one user per line in lowercase letters. Now we will use Hydra to perform a brute-force attack.

Hydra is a powerful tool designed for conducting brute-force attacks.

To initiate the attack, open a terminal and use the following command:

hydra -L users.txt -P /usr/share/wordlists/small-passwords-list.txt 172.27.254.4 ftp -f -t 5

-L  Specifies a file (users.txt) that contains a list of usernames.

-P  Specifies a password file (small-passwords-list.txt contains passwords).

-f  Tells Hydra to stop after finding the first valid credential pair.

 

Wait a few minutes for Hydra to complete the brute-force attack. What are the discovered username and password? username , password

 

Note:

In this task, we’re using a small password wordlist to save time. In a real-world scenario, a larger wordlist, such as rockyou, should be used to increase the chances of uncovering valid credentials.

List of Answers:
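
A defender's view of the two FTP weaknesses exercised above (anonymous login and password brute-forcing), as an added example that is not part of the original lab: it scans FTP login records for anonymous sessions and for a burst of failures from one client followed by a success. The vsftpd-style log layout, the sample lines, the addresses and user names, and the 60-second / 5-failure thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in vsftpd's log layout (an assumption); hosts and users are made up.
SAMPLE_LOG = """\
Mon Jun  3 10:00:01 2024 [pid 901] [ftp] OK LOGIN: Client "192.0.2.10", anon password "anonymous"
Mon Jun  3 10:05:00 2024 [pid 905] [carol] FAIL LOGIN: Client "192.0.2.20"
Mon Jun  3 10:05:09 2024 [pid 906] [carol] OK LOGIN: Client "192.0.2.20"
Mon Jun  3 10:10:00 2024 [pid 910] [alice] FAIL LOGIN: Client "198.51.100.7"
Mon Jun  3 10:10:01 2024 [pid 911] [bob] FAIL LOGIN: Client "198.51.100.7"
Mon Jun  3 10:10:02 2024 [pid 912] [alice] FAIL LOGIN: Client "198.51.100.7"
Mon Jun  3 10:10:03 2024 [pid 913] [bob] FAIL LOGIN: Client "198.51.100.7"
Mon Jun  3 10:10:04 2024 [pid 914] [alice] FAIL LOGIN: Client "198.51.100.7"
Mon Jun  3 10:10:06 2024 [pid 915] [bob] OK LOGIN: Client "198.51.100.7"
"""
ANON_USERS = {"ftp", "anonymous"}
LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def parse(log):
    """Yield (timestamp, user, result, client_ip) for each login record."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["user"], m["result"], m["ip"]

def detect(log, window=timedelta(seconds=60), threshold=5):
    """Flag anonymous sessions, failure bursts, and a success right after one."""
    findings, fails = [], defaultdict(list)   # fails: ip -> [(ts, user)]
    for ts, user, result, ip in parse(log):
        if result == "OK" and user in ANON_USERS:
            findings.append(("anonymous-login", ip, user))
            continue
        recent = [(t, u) for t, u in fails[ip] if ts - t <= window]  # still in window
        if result == "FAIL":
            recent.append((ts, user))
            if len(recent) == threshold:   # report once, when the burst is reached
                users = ",".join(sorted({u for _, u in recent}))
                findings.append(("bruteforce", ip, users))
        elif len(recent) >= threshold:     # valid login straight after a burst
            findings.append(("login-after-bruteforce", ip, user))
        fails[ip] = recent
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The single mistyped password from 192.0.2.20 produces no finding, while the burst from 198.51.100.7 is reported twice: once as the failure burst and once for the successful login that follows it.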

Logging into FTP with Credentials

10 Points

Use the previously discovered credentials to log in to the FTP server again, employing the same method as in the previous task. Once logged in, list all files and directories.

Take some time to review the contents and search for any important files.

Useful FTP Commands To Try and Practice:

get  To download a file from the remote machine (FTP server) to the local machine.

ls  List the files.

put  To upload a file from the local machine to the remote machine (FTP server).

bye  To exit FTP environment. 

 

This task is just to enhance your searching skills and familiarize you with the FTP server and how to interact with it.

Click Complete once you finish the task.