Footprinting Lab - easy

Hey Guys,

I don’t know whether I’m stupid or something does not work as intended… I found the id_rsa quite quickly but when I tried to connect to the machine via ssh from my local VM (yes I had an active VPN tunnel) I always got a “Connection closed by port 22”.
Every other service worked just fine. I was able to connect via ftp and was able to enumerate the dns server.

I then used the in-browser VM and I was able to ssh into the machine. It was kind of frustrating and I really started doubting myself as I tried to use ssh from my local VM for almost an hour. Did I miss something or does the lab not work for ssh over VPN?

nvm… I was stupid… something was wrong with the vpn config…

For anybody who is still having problems with this lab, here is the solution.
Enumerate the target with Nmap and access the open TCP port 2121 using the credentials provided, then download all files to your local machine using the command available on the cheatsheets. When you open the files, you find your keys, public and private. You need to activate the keys and change permissions before you can use them (private key); check the commands to do that. After that, use a special ssh command that will also accept your keys along with your username and password. When you log in to the target, simply comb the target for a flag directory and your flag will be in a flag.txt file. Thanks, I hope it helps.

The real FTP server is located on port 2121. FTP via port 2121 to locate the target’s ssh configuration files. You will then need to authenticate your VM keys to the target public keys in order to ssh into the target server.

Hey, how come it works on port 2121 but not 21? As far as I understand, port 21 is the FTP server, port 2121 is an FTP proxy, but I don’t really understand what that means. Is anyone able to explain?

get < file-name >

  1. On ftp there are files… find way to view hidden files / check both ftp ports
  2. Find way to download these files.
  3. Find ways to use one of the files and log in using SSH.

Tip: any errors that throw when you do a command… copy and paste in Google. Find out what each does.

You will need to use Google and research, but try to think of what you are doing at each step above.

I have the same problem, I have been overwhelmed for 2 hours, I have tried all the commands with all the possible flags :frowning:

Go to the link below to get the flag.txt file:

Oh man, an interesting one. Got it done. :smiley:

You have to use the port number too. The command should look like this:
wget -m --no-passive ftp://username:password@ip:portnumber/

Don’t forget the slash after the port number

As long as you are not using exploits! The directions of scope don’t allow them. I realize this is old, just wanted to add it. I am stuck on this problem as well. Not using msf however. It appears ports 53, 21 and 2121 are open: proxy FTP and DNS. However, no listing is available for the FTP on either port, so I’m lost looking for hints.

Can you clarify what you mean by activating the keys and changing permissions? Are you referring to chmod on the keys?

I was able to figure this one out. Here are hints:

  1. use the pwnbox. When I used the local vm, all ports were filtered.
  2. look for hidden folders once you connect to ftp servers.
  3. download the file that will give you access to other connections (ftp/ssh)
  4. look at bash history to see where the flag might be.

Thank you so much for this tip! I solved it!

I solved it with port 2121, but is there any other way we can get the flag? I am too focused on DNS but don’t get anything except some subdomains by bruteforcing it.

Anybody able to get root on this one? Was interested in the /cry0lit3 user dir.

Hello Asecsys.

Are you still having trouble on this lab? If so, can you provide me what you’ve done so far and any trains of thought you may have on how to go about solving this?

Thank you,

DotDragon

Cheatsheet needs updating to:

Download all available files on the target
wget -m --no-passive ftp://anonymous:anonymous@target:PORT

Hi ckacks!!

  • The key is to do the same thing with wget, but on port 2121
  • Then just give 600 permissions to the id_rsa file
  • Finally connect to the system with ssh and browse the directories to find the flag.txt

Good luck…
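
Added example, not part of any post in this thread: the "600 permissions" step exists because OpenSSH refuses a private key owned by you if any group or other permission bit is set. The function names and the placeholder key file below are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: check and tighten private-key permissions the way ssh expects.

# Print the octal permission bits of a file (GNU stat first, BSD stat as fallback).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when no group/other bit is set (mode & 077 == 0), as OpenSSH requires.
key_perms_ok() {
    local mode
    mode=$(key_mode "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Tighten to 600 only when needed, and report what was done.
fix_key_perms() {
    if key_perms_ok "$1"; then
        echo "ok: $1 ($(key_mode "$1"))"
    else
        echo "fixing: $1 ($(key_mode "$1") -> 600)"
        chmod 600 "$1"
    fi
}

# Constructed demo: a placeholder file standing in for a key fetched over FTP.
demo() {
    local dir key
    dir=$(mktemp -d)
    key="$dir/id_rsa"
    echo "PLACEHOLDER - not a real key" > "$key"
    chmod 644 "$key"          # a common mode for a freshly downloaded file
    fix_key_perms "$key"      # reports the change from 644 to 600
    key_mode "$key"           # prints the final mode
    rm -rf "$dir"
}

demo
```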