Vulnversity - TryHackMe

Hey there, my friend! I'm Tameem, and I'm absolutely thrilled to embark on this journey with you. Today we are going to solve this lab together! It is classified as easy-level. You can join it for 🆓 using your own virtual machine with OpenVPN, or TryHackMe's AttackBox if you are subscribed. Click the link below, and let's get started!
Reconnaissance:
This is the most important part, because if we don't enumerate the target carefully, we might run into issues later. So we need to focus on this step and do it well, of course. :)
This is the command I always use:
nmap -sV -sC -A -T4 10.10.199.145
Let's break it down together.
1- -sV: service/version detection. It identifies the service and version running on each open port, so it's important.
2- -sC: script scan. It tells Nmap to run the default set of NSE (Nmap Scripting Engine) scripts during the scan. These default scripts are selected to provide useful information without being too intrusive or noisy.
3- -A: aggressive scan. It enables OS detection, version detection, script scanning and traceroute, so it already covers -sV and -sC.
4- -T4: timing template. It speeds up the scan significantly.

And this is the output I got from this scan. There are 6 open ports on this target: FTP, SSH, SMB, 2 HTTP.
FTP-21
Let's start. To enumerate port 21, which is typically used for FTP (File Transfer Protocol), you can follow these steps:
First, I used telnet for banner grabbing to get the port version.

Check for Anonymous Login: Use an FTP client or command-line tool to attempt an anonymous login. This can be done using the command:
ftp 10.10.199.145
When prompted for a username, try using "anonymous" and see if you can log in without a password.

As you can see, I couldn't access the FTP with the anonymous credentials :(( Let's try another way.
List Directories and Files: If you gain access, list the directories and files to see if there are any interesting files that can be downloaded or further investigated. Use the ls or dir command within the FTP session.
Download Files: If you find any files, you can download them using the get command. For example:
get filename.txt
Now I will try brute forcing with these commands:
msfconsole
use auxiliary/scanner/ftp/ftp_login
set RHOSTS $IP
set RPORT $PORT
set USER_FILE $user.txt
set PASS_FILE $pass.txt
run
Now we are starting the brute force. Let's see if we can get the credentials.
Check for Writable Directories: Determine if there are any directories where you have write permissions. This can be useful for uploading files or scripts.
Banner Grabbing: Sometimes, the FTP server will display a banner upon connection that reveals the software version. This information can be useful for identifying vulnerabilities.
Use Nmap Scripts: You can use Nmap with specific scripts to gather more information about the FTP service. For example:
nmap --script ftp-anon,ftp-bounce,ftp-syst 10.10.199.145
These scripts can check for anonymous login, FTP bounce attacks, and system information.
By following these steps, you can effectively enumerate the FTP service running on port 21.
SSH-22
As we didn't get anything on the FTP port, let's now try port 22.
To enumerate port 22, which is typically used for SSH (Secure Shell), we can follow these steps:
Banner Grabbing: Use tools like telnet, nc (netcat), or nmap to grab the banner of the SSH service. This can provide information about the SSH version and potentially the operating system.
Nmap Scan: Use Nmap with specific scripts to gather more information about the SSH service. For example:
nmap -sV -p 22 --script=ssh2-enum-algos,ssh-hostkey,ssh-auth-methods <target-ip>
Check for Weak Credentials: Use tools like hydra or medusa to perform a brute force attack with a list of common usernames and passwords to check for weak credentials.
SSH Key Authentication: Check if there are any known SSH keys that might allow access. This can be done by trying to connect with any private keys you have access to.
Configuration Review: If you have access to the system, review the SSH configuration file (usually located at /etc/ssh/sshd_config) for any misconfigurations or weak settings.
By following these steps, we can effectively enumerate the SSH service running on port 22.
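The configuration review step can be scripted on a host you administer. The following is an added example, not part of the original write-up: it reads the global section of an sshd_config and reports weak effective values. The four keywords checked, the MaxAuthTries limit of 4, and the sample file are assumptions made for this example.

```python
import re

# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "permitemptypasswords": "no", "maxauthtries": "6"}

# keyword -> (test that is True for a weak value, why it matters).
# Assumption: the MaxAuthTries limit of 4 is this example's own policy choice.
CHECKS = {
    "permitrootlogin": (lambda v: v == "yes", "root may log in with a password"),
    "passwordauthentication": (lambda v: v == "yes", "password guessing is possible; prefer keys"),
    "permitemptypasswords": (lambda v: v == "yes", "accounts with empty passwords can log in"),
    "maxauthtries": (lambda v: v.isdigit() and int(v) > 4, "many guesses per connection"),
}

def parse_global(text):
    """Effective global settings: keywords are case-insensitive, the first
    occurrence wins, and parsing stops at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment (a commented-out setting has no effect)
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break  # conditional blocks are out of scope for this check
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)  # first occurrence wins
    return settings

def audit(text):
    """Return (keyword, effective value, reason) for each weak setting."""
    effective = {**DEFAULTS, **parse_global(text)}
    return [(k, effective[k], why) for k, (weak, why) in CHECKS.items() if weak(effective[k])]

# Constructed sample input, not taken from the lab machine.
SAMPLE = """\
PermitRootLogin yes
permitrootlogin no
#PasswordAuthentication no
MaxAuthTries 10
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for keyword, value, why in audit(SAMPLE):
        print(f"[weak] {keyword} = {value}: {why}")
```

In the sample, the second permitrootlogin line is ignored because the first occurrence wins, and the commented-out PasswordAuthentication line leaves the default of yes in force, which is why both are reported.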
SMB-139,445
For this port, the first command that I like to use is:
smbclient -L //10.10.199.145/
This command will list the share names and their types.
I didn't get anything :((
So now let's search for the version and see if we can find anything online.




