adot@pwnbox:~/oscp/provinggrounds/easy/potato$ ftp 192.168.205.101 -p 2112
Connected to 192.168.205.101.
220 ProFTPD Server (Debian) [::ffff:192.168.205.101]
Name (192.168.205.101:adot): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230-Welcome, archive user anonymous@192.168.45.216 !
230-
230-The local time is: Thu Jun 27 18:40:23 2024
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||60702|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x 2 ftp ftp 4096 Aug 2 2020 .
drwxr-xr-x 2 ftp ftp 4096 Aug 2 2020 ..
-rw-r--r-- 1 ftp ftp 901 Aug 2 2020 index.php.bak
-rw-r--r-- 1 ftp ftp 54 Aug 2 2020 welcome.msg
226 Transfer complete
ftp> mget *
mget welcome.msg [anpqy?]? y
229 Entering Extended Passive Mode (|||52224|)
150 Opening BINARY mode data connection for welcome.msg (54 bytes)
54 712.62 KiB/s
226 Transfer complete
54 bytes received in 00:00 (1.11 KiB/s)
mget index.php.bak [anpqy?]? y
229 Entering Extended Passive Mode (|||55795|)
150 Opening BINARY mode data connection for index.php.bak (901 bytes)
901 9.33 MiB/s
226 Transfer complete
901 bytes received in 00:00 (16.89 KiB/s)
ftp> exit
221 Goodbye.
index.php.bak
<html>
<head></head>
<body>
<?php
$pass= "potato"; //note Change this password regularly
if($_GET['login']==="1"){
    if (strcmp($_POST['username'], "admin") == 0 && strcmp($_POST['password'], $pass) == 0) {
        echo "Welcome! </br> Go to the <a href=\"dashboard.php\">dashboard</a>";
        setcookie('pass', $pass, time() + 365*24*3600);
    }else{
        echo "<p>Bad login/password! </br> Return to the <a href=\"index.php\">login page</a> <p>";
    }
    exit();
}
?>
<form action="index.php?login=1" method="POST">
<h1>Login</h1>
<label><b>User:</b></label>
<input type="text" name="username" required>
</br>
<label><b>Password:</b></label>
<input type="password" name="password" required>
</br>
<input type="submit" id='submit' value='Login' >
</form>
</body>
</html>