Date: Mar 27, 2025
Tags: Nmap, Brute Force, Credential Harvesting
192.168.125.103
Nmap
└─# nmap -sT -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-27 06:42 EDT
Nmap scan report for 192.168.125.103
Host is up (0.051s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
9443/tcp open tungsten-https
Nmap done: 1 IP address (1 host up) scanned in 14.55 seconds
└─# nmap -sU -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-27 06:42 EDT
Warning: 192.168.125.103 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.125.103
Host is up (0.050s latency).
All 65535 scanned ports on 192.168.125.103 are in ignored states.
Not shown: 65387 open|filtered udp ports (no-response), 148 closed udp ports (port-unreach)
Nmap done: 1 IP address (1 host up) scanned in 144.90 seconds
└─# nmap -Pn -n $ip -sC -sV -p- --open -oN nmap.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-27 06:42 EDT
Nmap scan report for 192.168.125.103
Host is up (0.064s latency).
Not shown: 64592 closed tcp ports (reset), 939 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 1752 Sep 19 2024 config.xml
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.251.125
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.5 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 76:18:f1:19:6b:29:db:da:3d:f6:7b:ab:f4:b5:63:e0 (ECDSA)
| 256 cb:d8:d6:ef:82:77:8a:25:32:08:dd:91:96:8d:ab:7d (ED25519)
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.58 (Ubuntu)
9443/tcp open ssl/http Apache httpd 2.4.58 ((Ubuntu))
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=vmdak.local/organizationName=PrisonManagement/stateOrProvinceName=California/countryName=US
| Subject Alternative Name: DNS:vmdak.local
| Not valid before: 2024-08-20T09:21:33
|_Not valid after: 2025-08-20T09:21:33
| tls-alpn:
| http/1.1
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.17 seconds
21

- Config.xml

After brute-forcing, we found more accounts that we could log in to:

| username | password |
| --- | --- |
| ftp | ftp |
| anonymous | anonymous |
| ftp | b1uRR3 |

Each of these accounts lists the same item.
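
On the defender's side, password guessing against FTP shows up in the server log as a burst of failed logins from one client, sometimes followed by a success. The following is an added example, not part of the original notes, that flags that pattern. The log lines are constructed and assume vsftpd's native log line format; `detect_bruteforce`, `threshold` and `window` are hypothetical names.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the target) in vsftpd's native log format.
SAMPLE_LOG = """\
Thu Mar 27 06:50:01 2025 [pid 2101] CONNECT: Client "192.0.2.10"
Thu Mar 27 06:50:02 2025 [pid 2100] [backup] FAIL LOGIN: Client "192.0.2.10"
Thu Mar 27 06:50:04 2025 [pid 2100] [backup] FAIL LOGIN: Client "192.0.2.10"
Thu Mar 27 06:50:06 2025 [pid 2100] [backup] FAIL LOGIN: Client "192.0.2.10"
Thu Mar 27 06:50:09 2025 [pid 2100] [backup] OK LOGIN: Client "192.0.2.10"
Thu Mar 27 07:10:00 2025 [pid 2200] [alice] FAIL LOGIN: Client "192.0.2.77"
Thu Mar 27 07:10:20 2025 [pid 2200] [alice] OK LOGIN: Client "192.0.2.77"
"""

LOGIN_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)

def detect_bruteforce(log_text, threshold=3, window=timedelta(minutes=1)):
    """Flag clients with >= threshold failed logins inside `window`.

    Returns {ip: {"failures": n, "succeeded_as": [users]}}; a non-empty
    "succeeded_as" means a flagged client later logged in successfully.
    """
    recent_fails = defaultdict(list)   # ip -> timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue                   # CONNECT, transfers, unrelated lines
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        ip, user = m["ip"], m["user"]
        if m["result"] == "FAIL":
            # Slide the window: drop failures older than `window`, add this one.
            recent_fails[ip] = [t for t in recent_fails[ip] if ts - t <= window] + [ts]
            if len(recent_fails[ip]) >= threshold:
                alert = alerts.setdefault(ip, {"failures": 0, "succeeded_as": []})
                alert["failures"] = max(alert["failures"], len(recent_fails[ip]))
        elif ip in alerts and user not in alerts[ip]["succeeded_as"]:
            # Successful login from a client already flagged for guessing.
            alerts[ip]["succeeded_as"].append(user)
    return alerts

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A single mistyped password followed by a success (the `alice` lines) stays below the threshold and is not reported.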
22

nothing
80


nothing
9443


nothing




Logged in successfully:

admin:admin123



Malcom:RonnyCache001


Can't log in.

The image can be replaced with our code. I tried every reverse shell and none worked, but a bind shell works.


The password we got earlier is for the user vmdak.
PE
./chisel_amd64 client 192.168.45.160:8082 R:8085:127.0.0.1:8080
This forwards port 8080, which seems suspicious.
Need to forward it, but can't because of a network problem.

