Create a directory for machine on the Desktop and a directory containing the scans with nmap.
Task 2 - Reconnaissance
su
echo "10.10.10.29 bank.htb" >> /etc/hosts
mkdir -p htb/bank.htb
cd htb/bank.htb
mkdir {nmap,content,exploits,scripts}
# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts
I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.
ping -c 3 devel.htb
PING devel.htb (10.10.10.5) 56(84) bytes of data.
64 bytes from devel.htb (10.10.10.5): icmp_seq=1 ttl=127 time=57.1 ms
64 bytes from devel.htb (10.10.10.5): icmp_seq=2 ttl=127 time=53.6 ms
64 bytes from devel.htb (10.10.10.5): icmp_seq=3 ttl=127 time=56.2 ms
Sending these three ICMP packets, we see that the Time To Live (TTL) is ~128 secs. this indicates that the target is a Windows system, while *nix systems usually have a TTL of 64 secs.
2.1 - What is the name of the service is running on TCP port 21 on the target machine?
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-24 15:32 EDT
Initiating SYN Stealth Scan at 15:32
Scanning devel.htb (10.10.10.5) [65536 ports]
Discovered open port 80/tcp on 10.10.10.5
Discovered open port 21/tcp on 10.10.10.5
Completed SYN Stealth Scan at 15:32, 26.41s elapsed (65536 total ports)
Nmap scan report for devel.htb (10.10.10.5)
Host is up, received user-set (0.057s latency).
Scanned at 2023-07-24 15:32:23 EDT for 26s
Not shown: 65534 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 127
80/tcp open http syn-ack ttl 127
command
result
sudo
run as root
sC
run default scripts
sV
enumerate versions
A
aggressive mode
T4
run a bit faster
oN
output to file with nmap formatting
It looks like there are 2 open ports on the machine: 21, 80.
Now, we need to search which services are running on open ports, in details on port 21:
2.2 - Which basic FTP command can be used to upload a single file onto the server?
ftp devel.htb
Connected to devel.htb.
220 Microsoft FTP Service
Name (devel.htb:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> help
Commands may be abbreviated. Commands are:
! cr ftp macdef msend prompt restart sunique
$ debug gate mdelete newer proxy rhelp system
account delete get mdir nlist put rmdir tenex
append dir glob mget nmap pwd rstatus throttle
ascii disconnect hash mkdir ntrans quit runique trace
bell edit help mls open quote send type
binary epsv idle mlsd page rate sendport umask
bye epsv4 image mlst passive rcvbuf set unset
case epsv6 lcd mode pdir recv site usage
cd exit less modtime pls reget size user
cdup features lpage more pmlsd remopts sndbuf verbose
chmod fget lpwd mput preserve rename status xferbuf
close form ls mreget progress reset struct ?
We can use put command to upload a single file.
put
2.3 - Are files put into the FTP root available via the webserver?
We can try to put a file using ftp, in this case we use nmap result file (port_scan):
