## Enumeration

### FTP

- no anon access

### WAPP

#### Directory Enumeration

| URL    | Note |
| ------ | ---- |
| .      | ??   |
| images |      |
| assets |      |

`/robots.txt` contains:

```
User-agent: *

# This folder contains personal contacts and creds, so no one -not even robots- should see it - waldo
Disallow: /admin-dir
```

So I'm guessing we'll have to look there somewhere :))

We may have a user name here too: `waldo`

Additional directory enumeration of `admin-dir` reveals:

http://10.10.10.187/admin-dir/credentials.txt

```
[Internal mail account]
[email protected]
fgJr6q#S\W:$P

[FTP account]
ftpuser
%n?4Wz}R$tTF7

[Wordpress account]
admin
w0rdpr3ss01!
```

http://10.10.10.187/admin-dir/contacts.txt

```
##########
# admins #
##########
# Penny
Email: [email protected]

##############
# developers #
##############
# Rajesh
Email: [email protected]

# Amy
Email: [email protected]

# Leonard
Email: [email protected]

#############
# designers #
#############
# Howard
Email: [email protected]

# Bernadette
Email: b.rauch@admirer.htb
```

### FTP

Data dump highlights:

```
# db_admin.php
$username = "waldo";
$password = "Wh3r3_1s_w4ld0?";
```

- Attempting to spray for ssh access?

## Adminer 4.6.2

Found using [[FFUF]]

login using above creds.
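The `robots.txt` finding above, turned into a defender-side check (an added example, not part of the original notes): it lints a `robots.txt` body for comments and `Disallow`/`Allow` paths that advertise sensitive locations. The keyword list and the `audit_robots` name are assumptions made for this illustration.

```python
import re

# Assumed keyword list: words that suggest a path or comment points at sensitive material.
SENSITIVE = re.compile(r"admin|cred|passw|secret|backup|private|contact|config|\.git", re.I)


def audit_robots(text):
    """Return (line_no, kind, detail) findings for a robots.txt body.

    kind is "comment" when a comment describes sensitive content and
    "path" when an Allow/Disallow value names a sensitive-looking location.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        # Everything after '#' is a comment; crawlers ignore it, human readers do not.
        rule, _, comment = raw.partition("#")
        comment = comment.strip()
        if comment and SENSITIVE.search(comment):
            findings.append((no, "comment", comment))

        field, sep, value = rule.partition(":")
        if not sep:
            continue  # blank line or comment-only line
        field, value = field.strip().lower(), value.strip()
        if field in ("disallow", "allow") and value and SENSITIVE.search(value):
            findings.append((no, "path", value))
    return findings


# The robots.txt body quoted in these notes.
SAMPLE = """User-agent: *

# This folder contains personal contacts and creds, so no one -not even robots- should see it - waldo
Disallow: /admin-dir
"""

if __name__ == "__main__":
    for no, kind, detail in audit_robots(SAMPLE):
        print(f"line {no}: sensitive {kind}: {detail}")
```

A hit means the location needs real access control on the server, since `robots.txt` is readable by anyone and only advises crawlers.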