Footprinting Lab - easy

Use these steps:

First download all the files from ftp 2121.

Change the permissions of the file using sudo chown -R root:root [filename].

Search for the flag in the flag directory after successful login.

Happy Hacking.

I finally got it, thanks everyone for the help.

Hey guys. This bit seemed ridiculously easy after the hint, but I have no idea how we were supposed to get those creds without using the hint. Any insight? Also, was this easy lab meant to have anything to do with DNS? It seemed like that was the path it wanted us to go down, but after using the hint, it seemed to have nothing to do with DNS. Just want to know if DNS was a red herring for this lab or if there was some way to get those credentials without the hint. Thanks.

1 Like

Same thoughts. I was stuck longer on figuring out the hint (credential) rather than actually getting the flag. For the ceil username, I think that will pop out as a banner once you try nc, openssl, or telnet to the server. Now you have to assume that it is a username. Then you will try to brute-force the password using rockyou.txt or another password text file to obtain the password in the hint.

Hi jameskhor,
I have been stuck after “ls -la” and found this. Could you point out further action?

Can I know, what you are trying to do?

Hi suryateja,

I have downloaded all files with wget…
used ls -la
changed directory to .ip_address:2121
After that, you see files in this directory. I can’t execute cat .bash_history and further chmod 600 id_rsa.
The reply is that there is no file or directory like .bash_history.
So I have been stuck after this. Can you provide me with some tips?

There is a directory named flag; cd flag and cat it. You will have the flag.

1 Like

I tried all directories after downloading files, although there is no “flag” directory. The keyword “flag” is only mentioned in the directory ip_address:2121, as in the screenshot I attached above, but I can’t use cat on them.

Kindly assist. ls is displaying directories after connecting with ftp; telnet is not helpful either.

Perhaps there is a way to see more with the ls command…

Check the hint and then try every enumeration method taught in the lesson. You should find that you need something to access the account. Maybe the files you downloaded have what you need.

Okay, I was stuck on this for a while and forgot about the hint button, but when I came here I was wondering. So this lab does seem a bit more on the medium level, but it’s easy because of the HINT I guess. You really have to enumerate this machine and do some additional things. Most of you are wondering how you get the password.

If you do a UDP scan, you will notice port 623 returns → IPMI. Remember from the course that if you try a VALID account you should get the hash back, which holds true. I ran the MSF module to dump hashes without adding CEIL and nothing returned. I added the account and the hash comes back, which I then took offline to crack but here is where it got me.

You’ll notice in the screenshot the password cracked out to be quer1234… I used hashcat to try to mangle it up a bit and it never hit me to just look at it hard and realize it was a mistyped keyboard walk. Not sure if this was intended, but I never tried qwer1234; I kept trying all combinations of quer1234. But there is the answer, guys… grab the hash through IPMI, then crack it, and then ENUMERATE other passwords from that password. Which is a real thing: some may use Password1234 somewhere and then use P@ssword1234 elsewhere.

1 Like

Please send me the command you use to download from the ftp server. I can’t log in to any ftp server.

What command did you use to download the file?

Thank you for this post, I was stuck here too. I think there are 2 ways to get the real password from here:

  1. Enumerate it with “john” using the “o1” rule (generates 752 passwords) starting with the wrong one. Then use hydra with this short list.
  2. Brute force it with hydra, but use the “-t 64” flag and rockyou.txt. This took about 10 minutes, so it’s a valid way to go as well. Don’t get nervous reading the hydra output saying “639h to go”.

It is easy when you know what you are looking for. It is a nightmare if you are stuck like I was :grin:

1 Like

Yay! Thanks!!

This lab was a waste of time and something I would expect from Offensive Security. FTP lab doc: “With the usernames, we could attack the services like FTP and SSH and many others with a brute-force attack in theory. However, in reality, fail2ban solutions are now a standard implementation of any infrastructure that logs the IP address and blocks all access to the infrastructure after a certain number of failed login attempts.”

If you use the first password file in SecLists, “2020-200_most_used_passwords.txt”, and hydra, it’s maybe a minute to get the password. I hope this is not what the actual final will look like. Stop wasting people’s time with this nonsense.

1 Like
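The fail2ban behaviour quoted in the post above (log the source address, block it after a number of failed logins inside a time window) as an added example, not code from the thread or from the lab: a small Python checker run over constructed vsftpd-style log lines that reports which client addresses would have crossed the ban threshold, and separately flags a successful login that follows a burst of failures from the same address, which is the trace a password-guessing run like the hydra one described in this thread leaves in the server log. The log line format, the user and address values, and the threshold defaults (5 failures in 10 minutes, named after fail2ban's maxretry/findtime options) are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed vsftpd-style log excerpt (assumed format; not from any real server).
SAMPLE_LOG = """\
Tue Mar  5 10:15:01 2024 [pid 2041] [ceil] FAIL LOGIN: Client "10.10.14.2"
Tue Mar  5 10:15:02 2024 [pid 2043] [ceil] FAIL LOGIN: Client "10.10.14.2"
Tue Mar  5 10:15:02 2024 [pid 2045] [ceil] FAIL LOGIN: Client "10.10.14.2"
Tue Mar  5 10:15:03 2024 [pid 2047] [ceil] FAIL LOGIN: Client "10.10.14.2"
Tue Mar  5 10:15:03 2024 [pid 2049] [ceil] FAIL LOGIN: Client "10.10.14.2"
Tue Mar  5 10:15:04 2024 [pid 2051] [ceil] OK LOGIN: Client "10.10.14.2"
Tue Mar  5 10:20:00 2024 [pid 2100] [alice] FAIL LOGIN: Client "192.168.1.20"
Tue Mar  5 10:40:00 2024 [pid 2200] [alice] OK LOGIN: Client "192.168.1.20"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)


def parse_line(line):
    """Parse one login line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # vsftpd pads single-digit days with a space; collapse runs of whitespace first.
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "user": m.group("user"),
            "ok": m.group("result") == "OK", "ip": m.group("ip")}


def analyse(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban-style evaluation of a log.

    Returns (bans, suspicious):
      bans       - list of (ip, time) where ip reached maxretry failures inside findtime
      suspicious - list of (ip, user, time) for an OK LOGIN that follows at least
                   maxretry-1 failures from the same ip inside findtime, i.e. a
                   guessing run that eventually succeeded.
    """
    fails = defaultdict(deque)   # ip -> timestamps of recent failures (oldest first)
    banned = set()
    bans, suspicious = [], []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        window = fails[ev["ip"]]
        # Drop failures older than findtime relative to this event.
        while window and ev["ts"] - window[0] > findtime:
            window.popleft()
        if ev["ok"]:
            if len(window) >= maxretry - 1:
                suspicious.append((ev["ip"], ev["user"], ev["ts"]))
            continue
        window.append(ev["ts"])
        if len(window) >= maxretry and ev["ip"] not in banned:
            banned.add(ev["ip"])
            bans.append((ev["ip"], ev["ts"]))
    return bans, suspicious


if __name__ == "__main__":
    bans, suspicious = analyse(SAMPLE_LOG)
    for ip, when in bans:
        print(f"would ban {ip} at {when.isoformat()}")
    for ip, user, when in suspicious:
        print(f"successful login for {user} from {ip} at {when.isoformat()} after a failure burst")
```

In the constructed sample, 10.10.14.2 hits the fifth failure at 10:15:03 and would be banned there; the OK LOGIN one second later is flagged because it arrives on top of that burst. The single failure from 192.168.1.20 at 10:20 is outside the ten-minute window by the time that user logs in at 10:40, so it is neither banned nor flagged. The second report is the one worth keeping even where fail2ban is deployed, since a ban only slows a guessing run and the login that finally succeeds is what needs a human to look at it.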

I went down the completely wrong rabbit hole for this. I found it initially but didn’t use the right ls option. Spent the whole day researching proxy ftp and passive ftp.

Hey, can you please guide me! Really beating my head.
What I have done:
Logged in with ftp with the creds in the module
found nothing

Downloaded all files with wget -m … Got a folder with nothing.
ls -la inside that folder gives a file “.listing”
cat .listing gives nothing.

Please please help me!