Jetty

Jetty box

https://www.vulnhub.com/entry/jetty-1,621/

The company Aquarium Life S.L. has contacted you to perform a pentest against one of their machines. They suspect that one of their employees has been committing fraud selling fake tickets. They want you to break into his computer, escalate privileges and search for any evidence that proves this behaviour.

ZIP Password: EsSabad0!

nmap scan

user@kali:~$ sudo nmap -sV -Pn -p- 10.200.1.242
[sudo] password for user: 
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-25 09:41 +03
Nmap scan report for 10.200.1.242
Host is up (0.00011s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
65507/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
MAC Address: 52:54:00:84:9B:1E (QEMU virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.04 seconds

http://10.200.1.242/kraken.png

apache scanning

user@kali:~$ nikto -host 10.200.1.242
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.200.1.242
+ Target Hostname:    10.200.1.242
+ Target Port:        80
+ Start Time:         2020-12-25 09:46:00 (GMT3)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ "robots.txt" contains 4 entries which should be manually viewed.
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7921 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2020-12-25 09:46:10 (GMT3) (10 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

gobuster

user@kali:~$ ./tools/gobuster/gobuster dir -u http://10.200.1.242 -w directory-list-lowercase-2.3-big.txt -o jetty/gobuster.out
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.200.1.242
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                directory-list-lowercase-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2020/12/25 10:02:42 Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 300]
                                               
===============================================================
2020/12/25 10:03:21 Finished
===============================================================

ftp

user@kali:~$ ftp 10.200.1.242
Connected to 10.200.1.242.
220 (vsFTPd 3.0.3)
Name (10.200.1.242:user): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls /
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxrwx    1 ftp      ftp           306 Oct 06  2018 README.txt
-rwxrwxrwx    1 ftp      ftp           226 Oct 06  2018 sshpass.zip
226 Directory send OK.

user@kali:~/boxes/jetty$ cat README.txt
Hi Henry, here you have your ssh's password. As you can see the file is encrypted with the default company's password. 
Please, once you have read this file, run the following command on your computer to close the FTP server on your side. 
IT IS VERY IMPORTANT!! CMD: service ftp stop. 

Regards, Michael.

seahorse!

sshpass -f sshpass.txt ssh [email protected] -p 65507

Desktop/user.txt

dd69f649f3e5159ddd10b83b56b2dda2

To_Michael.txt

Hi Michael,



When I run the command you ask me to, an error occurr. Can you help me with this?



Regards,



Henry