
HTB-Crocodile Target Machine Penetration Test

Task1

What Nmap scanning switch employs the use of default scripts during a scan?

The question asks which Nmap option runs the default scripts during a scan.

-sC

Task2

What service version is found to be running on port 21?

The question asks for the version of the service running on port 21.

Using the switch from Task 1, scan the target with nmap -sC; the scan output shows the service version.


vsFTPd 3.0.3

Task3

What FTP code is returned to us for the "Anonymous FTP login allowed" message?

The scan result from Task 2 shows that the code is 230.

Task4

After connecting to the FTP server using the ftp client, what username do we provide when prompted to log in anonymously?

The question asks which username to provide when logging in anonymously.

anonymous

Task5

After connecting to the FTP server anonymously, what command can we use to download the files we find on the FTP server?

After logging in to the FTP service anonymously, which command can we use to download files?

get

Task6

What is one of the higher-privilege sounding usernames in 'allowed.userlist' that we download from the FTP server?

The question asks which username in allowed.userlist on the FTP service sounds higher-privileged.

Log in over anonymous FTP, download the file and open it to see the usernames it contains.


The answer is clearly admin.

Task7

What version of Apache HTTP Server is running on the target host?

The question asks for the Apache version; scan with nmap -sV and read it from the result.


2.4.41

Task8

What switch can we use with Gobuster to specify we are looking for specific filetypes?

The question asks which Gobuster switch specifies the file types to look for; just run gobuster dir --help.


The help output shows that the option is -x.

Task9

Which PHP file can we identify with directory brute force that will provide the opportunity to authenticate to the web service?

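The question asks which PHP file offers the chance to authenticate to the web service; scan with gobuster using the switch from the previous task.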


The scan finds a sensitive path, /login.php.

login.php

Submit root Flag

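Based on the information gathered earlier, the FTP port is open and allows anonymous login, so log in, download the usernames and passwords, then go to the login page.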


The usernames and passwords correspond to each other, so log in directly as admin.
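
From the defender's side, the anonymous download of allowed.userlist described above leaves a trace in the FTP server log. The following is an added example, not part of the original writeup: a detector that flags successful anonymous downloads of credential-looking files. It assumes vsftpd's native log format; the sample lines, IP addresses, the svc_backup account, and the file name patterns are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines, modeled on vsftpd's native log format
# (assumption: xferlog_std_format=NO; anonymous sessions are logged as [ftp]).
SAMPLE_LOG = """\
Wed Mar  4 17:49:58 2026 [pid 2101] [ftp] OK LOGIN: Client "10.10.14.7", anon password "?"
Wed Mar  4 17:50:03 2026 [pid 2103] [ftp] OK DOWNLOAD: Client "10.10.14.7", "/allowed.userlist", 33 bytes, 0.41Kbyte/sec
Wed Mar  4 17:50:09 2026 [pid 2103] [ftp] OK DOWNLOAD: Client "10.10.14.7", "/readme.txt", 120 bytes, 1.10Kbyte/sec
Wed Mar  4 18:02:11 2026 [pid 2150] [svc_backup] OK DOWNLOAD: Client "10.0.0.5", "/home/svc_backup/passwords.bak", 64 bytes, 0.80Kbyte/sec
Wed Mar  4 18:05:40 2026 [pid 2177] [ftp] FAIL DOWNLOAD: Client "10.10.14.9", "/allowed.userlist", 0.00Kbyte/sec
"""

# user, status, action, client IP and (for transfers) the quoted file path
LINE_RE = re.compile(
    r'\[pid \d+\] \[(?P<user>[^\]]+)\] (?P<status>OK|FAIL) (?P<action>[A-Z]+): '
    r'Client "(?P<client>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)
# Hypothetical name patterns for files that should never sit in an anonymous root.
SENSITIVE_RE = re.compile(r'(userlist|passw|shadow|cred|\.htpasswd)', re.IGNORECASE)
ANON_USERS = {"ftp", "anonymous"}


def anonymous_sensitive_downloads(log_text):
    """Return {client_ip: [paths]} for successful anonymous downloads
    of sensitive-looking files."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # Only completed transfers matter; logins and failures are skipped.
        if not m or m["status"] != "OK" or m["action"] != "DOWNLOAD":
            continue
        if m["user"] in ANON_USERS and m["path"] and SENSITIVE_RE.search(m["path"]):
            hits[m["client"]].append(m["path"])
    return dict(hits)


if __name__ == "__main__":
    for client, paths in anonymous_sensitive_downloads(SAMPLE_LOG).items():
        print(f"ALERT anonymous FTP client {client} downloaded: {', '.join(paths)}")
```

The detection is a backstop; the underlying fix is to keep credential files out of the anonymous FTP root or to disable anonymous login.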
