HTB Cap

Enumeration

FTP 匿名登入失敗

點擊 Security Snapshot (5 Second PCAP + Analysis) 會捕捉封包並導向到 /data/[index]

download

從0.pcap開始看
tcp.stream eq 0

GET / HTTP/1.1
Host: 192.168.196.16
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 1240
Server: Werkzeug/2.0.0 Python/3.8.5
Date: Fri, 14 May 2021 13:12:49 GMT

<!doctype html>
<html lang="en">
	<head>
	...
	</head>

	<body class="text-center">
		<h1 class="h3 mb-3 font-weight-normal">Please Enter PCAP to be analyzed</h1>
		<form action="/upload" method="POST" enctype="multipart/form-data">
			
			<label for="formFile" class="form-label">PCAP To Be Analzyed</label>
			<input name="file" class="btn custom-form-cap form-control" type="file" id="formFile">
			<input name="submit" type="submit" value="Submit">
			<!--<button class="btn btn-lg btn-primary btn-block" type="submit">Submit</button>-->
		</form>
	</body>
	...
</html>

tcp.stream eq 1
CSS 而已

tcp.stream eq 2

tcp.stream eq 3

220 (vsFTPd 3.0.3)
USER nathan
331 Please specify the password.
PASS Buck3tH4TF0RM3!
230 Login successful.
SYST
215 UNIX Type: L8
PORT 192,168,196,1,212,140
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
226 Directory send OK.
PORT 192,168,196,1,212,141
200 PORT command successful. Consider using PASV.
LIST -al
150 Here comes the directory listing.
226 Directory send OK.
TYPE I
200 Switching to Binary mode.
PORT 192,168,196,1,212,143
200 PORT command successful. Consider using PASV.
RETR notes.txt
550 Failed to open file.
QUIT
221 Goodbye.

找到 FTP USER nathan PASS Buck3tH4TF0RM3!

取得 user.txt

Privilege Escalation

FTP 的帳密也可登入SSH

gtfobins Capabilities 有 Python