- Add domain to `/etc/hosts`
- Ping is a bit wonky, maybe the remote host is buggy?
  ![[images/Pasted image 20251020140702.png]]
  ![[images/Pasted image 20251020141402.png]]
- Light nmap scan with the `-Pn` flag
  ![[images/Pasted image 20251020141419.png]]
- Detailed nmap scan
  ![[images/Pasted image 20251020141759.png]]
  ![[images/Pasted image 20251020141836.png]]
- OS nmap scan
- UDP nmap scan
- Nmap scan with tracing: `--packet-trace -Pn -n --disable-arp-ping --reason`
- Dig fails

# Enumeration

- FTP null session attempts
  ![[images/Pasted image 20251020142003.png]]
  ![[images/Pasted image 20251020142011.png]]
- Try to pluck a username with `smtp-user-enum`
- `[email protected]` is in play
  ![[images/Pasted image 20251020142308.png]]
- Try to brute force SMTP with hydra
- Failure with the given `pws.list`
  ![[images/Pasted image 20251020142519.png]]
- Try again with `rockyou.txt`
  ![[images/Pasted image 20251020142544.png]]
- Try to get into FTP with fiona:987654321
  ![[images/Pasted image 20251020142938.png]]
  ![[images/Pasted image 20251020143625.png]]
- Grab all files with wget
  ![[images/Pasted image 20251020143255.png]]
- Looks like a dead end?
  ![[images/Pasted image 20251020143419.png]]
- Try to get into mysql
- Got some TLS/SSL errors and needed to add the `--skip-ssl` flag
  ![[images/Pasted image 20251020143920.png]]
  ![[images/Pasted image 20251020144350.png]]
  ![[images/Pasted image 20251020144748.png]]
- Try to get into RDP
- Failures
  ![[images/Pasted image 20251020150254.png]]
  ![[images/Pasted image 20251020150308.png]]
- ![[images/Pasted image 20251020150659.png]]
- Attempt to crack the hash from mysql with `-m 300` (the MySQL mode)
- Too lengthy
  ![[images/Pasted image 20251020150907.png]]
- Try john; determine the format with `john --list=formats | grep -i mysql`
  ![[images/Pasted image 20251020151043.png]]
- Error
  ![[images/Pasted image 20251020151151.png]]

# Exploit

- Core FTP version 2.0 build 725, based on the nmap scan and a doc in the FTP share
  ![[images/Pasted image 20251020151906.png]]
- searchsploit on `coreftp`, based on files found in the FTP share
  ![[images/Pasted image 20251020151516.png]]
- Copy to local directory
  ![[images/Pasted image 20251020151541.png]]
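Seen from the target side, the hydra runs against SMTP and the FTP login attempts in the Enumeration section leave a burst of authentication failures from a single source address. The following Python is an added example, not part of these notes: it parses constructed vsftpd and postfix SASL failure lines (the log formats, addresses and the 5-failures-in-60-seconds threshold are assumptions) and flags any source that crosses the threshold inside a sliding window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style lines (not from the original notes): postfix SASL
# failures and vsftpd login failures, the trace a password-guessing run leaves.
SAMPLE_LOG = """\
Oct 20 14:25:01 mail postfix/smtpd[2101]: warning: unknown[10.10.14.5]: SASL LOGIN authentication failed: authentication failure
Oct 20 14:25:03 mail postfix/smtpd[2101]: warning: unknown[10.10.14.5]: SASL LOGIN authentication failed: authentication failure
Oct 20 14:25:04 mail postfix/smtpd[2102]: warning: unknown[10.10.14.5]: SASL LOGIN authentication failed: authentication failure
Oct 20 14:25:06 mail postfix/smtpd[2102]: warning: unknown[10.10.14.5]: SASL LOGIN authentication failed: authentication failure
Oct 20 14:25:09 mail postfix/smtpd[2103]: warning: unknown[10.10.14.5]: SASL LOGIN authentication failed: authentication failure
Oct 20 14:29:30 mail vsftpd[2200]: [fiona] FAIL LOGIN: Client "10.10.14.5"
Oct 20 14:30:00 mail vsftpd[2201]: [fiona] FAIL LOGIN: Client "192.168.1.20"
Oct 20 15:10:00 mail vsftpd[2202]: [fiona] FAIL LOGIN: Client "192.168.1.20"
"""

TS_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
PATTERNS = {  # assumed log formats for the two services
    "smtp": re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"),
    "ftp": re.compile(r'vsftpd\[\d+\]: \[[^\]]*\] FAIL LOGIN: Client "(?P<ip>[\d.]+)"'),
}

def parse_failures(log_text):
    """Return (timestamp, service, source_ip) for each authentication failure line."""
    events = []
    for line in log_text.splitlines():
        m_ts = TS_RE.match(line)
        if not m_ts:
            continue
        # syslog lines carry no year; strptime defaults to 1900 and only deltas matter
        ts = datetime.strptime(m_ts.group("ts"), "%b %d %H:%M:%S")
        for service, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                events.append((ts, service, m.group("ip")))
                break
    return events

def detect_bursts(events, threshold=5, window_seconds=60):
    """Flag (ip, service) pairs reaching `threshold` failures inside a sliding window; returns peak count."""
    flagged, recent = {}, defaultdict(deque)
    for ts, service, ip in sorted(events):
        q = recent[(ip, service)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[(ip, service)] = max(flagged.get((ip, service), 0), len(q))
    return flagged
```

Running `detect_bursts(parse_failures(SAMPLE_LOG))` flags only the SMTP source with five failures in eight seconds; the two FTP failures from the other address, forty minutes apart, stay below the threshold.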