Reconnaissance:

The IP address for Ethereal is 10.10.10.106, and an nmap scan shows ports 21, 80 and 8080 open.

nmap -sC -sV -A 10.10.10.106

From the nmap output we see that Anonymous FTP login is allowed, and we learned from Access how Anonymous FTP login can yield fruit.

ftp 10.10.10.106

Once we log into the FTP service as the Anonymous user with anonymous as the password, we immediately see that there are a lot of files available. There are a couple of ways to download all of these files. One way is the mget * command, but we will be prompted for each file. The files will be dumped into your current directory. Now we can examine these files and see what we can find. A quick way to run the file command on all of the files at once is to put them in a directory and then run file * inside that directory.

file *

The two Zip archives look interesting, and both have DISK in the name, so they might contain information about a file system. Starting with FDISK.zip, use unzip to decompress the archive. We get some errors from the unzip command, but the archive is left intact. We now have a file named FDISK in our directory. Running the file command on it, we see that it is a DOS/MBR boot sector. What can we do with this?

file FDISK

FDISK: DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "MSDOS5.0", root entries 224, sectors 2880 (volumes <=32 MB), sectors/FAT 9, sectors/track 18, serial number 0x5843af55, unlabeled, FAT (12 bit), followed by FAT

This file is a disk image, which contains an exact copy of a hard disk. The output of the file command tells us that this file contains a boot sector with 224 root entries. Interestingly, the file system is a 12-bit File Allocation Table (FAT12). So let’s see if we can use the mount command to attach this disk image to our file system so we can extract the files. If you are not familiar with the mount command I would suggest looking over the man page. First we need to create a directory for the image. Then we use the mount command with the loop option, which exposes the image file as a pseudo block device (a loop device) so the kernel can mount the file system inside it.

mount -o loop FDISK /mnt/fdisk/
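As an added example that is not part of the original writeup, the following Python parser decodes the same BIOS Parameter Block fields that the file command reported for FDISK (OEM-ID, root entries, sector counts, serial number) and derives the FAT width from the data-cluster count, using a constructed 512-byte boot sector that carries the values above; 2880 sectors of 512 bytes is 1.44 MB floppy geometry. The layout offsets and the 4085/65525 cluster thresholds are the standard FAT on-disk definitions, not anything taken from the target.

```python
import struct

# BIOS Parameter Block (FAT12/FAT16 layout) at offset 0x0B: bytes/sector, sectors/cluster,
# reserved sectors, FAT count, root entries, total sectors (16-bit), media descriptor,
# sectors/FAT, sectors/track, heads, hidden sectors, total sectors (32-bit).
BPB_FMT = "<HBHBHHBHHHII"


def build_sample_boot_sector() -> bytes:
    """Constructed 512-byte boot sector carrying the values `file` reported for FDISK."""
    bs = bytearray(512)
    bs[0x00:0x03] = b"\xEB\x3C\x90"      # JMP SHORT 0x3C: the "code offset 0x3c+2"
    bs[0x03:0x0B] = b"MSDOS5.0"          # OEM-ID
    # 1.44 MB floppy geometry: 512-byte sectors, 1 sector/cluster, 1 reserved, 2 FATs,
    # 224 root entries, 2880 sectors, media 0xF0, 9 sectors/FAT, 18/track, 2 heads
    struct.pack_into(BPB_FMT, bs, 0x0B, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    bs[0x26] = 0x29                      # extended boot signature: serial, label, type follow
    struct.pack_into("<I", bs, 0x27, 0x5843AF55)   # volume serial number
    bs[0x2B:0x36] = b"NO NAME    "       # volume label: what `file` prints as "unlabeled"
    bs[0x36:0x3E] = b"FAT12   "          # informational type string (not authoritative)
    bs[0x1FE:0x200] = b"\x55\xAA"        # boot sector signature
    return bytes(bs)


def parse_boot_sector(sector: bytes) -> dict:
    """Decode the BPB and derive the FAT width from the cluster count, as `file` does."""
    if len(sector) < 512 or sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature; not a DOS/MBR boot sector")
    (bps, spc, reserved, nfats, root_entries, total16, _media,
     spf, spt, heads, _hidden, total32) = struct.unpack_from(BPB_FMT, sector, 0x0B)
    total = total16 or total32                       # 16-bit field is 0 on larger volumes
    root_dir_sectors = -(-root_entries * 32 // bps)  # 32-byte entries, rounded up to sectors
    clusters = (total - reserved - nfats * spf - root_dir_sectors) // spc
    # The FAT width is defined by the data cluster count, not by the type string at 0x36.
    fat_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    has_ext = sector[0x26] == 0x29
    label = sector[0x2B:0x36].decode("ascii", "replace").strip() if has_ext else ""
    return {
        "oem_id": sector[0x03:0x0B].decode("ascii", "replace").strip(),
        "root_entries": root_entries, "total_sectors": total, "sectors_per_fat": spf,
        "sectors_per_track": spt, "heads": heads, "clusters": clusters, "fat_type": fat_type,
        "serial": struct.unpack_from("<I", sector, 0x27)[0] if has_ext else None,
        "label": "" if label == "NO NAME" else label,   # "" == unlabeled
        "size_bytes": total * bps,
    }
```

To run it against a real image, pass the first 512 bytes of the file (open(path, "rb").read(512)) to parse_boot_sector.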

Listing the files in the directory we created for the disk, we see two files: pbox.dat and pbox.exe. We could dig into these two files with the file command like we did before; however, we already know from the FDISK image that these are MS-DOS files, so they will run on the MS-DOS operating system. We can either copy them over to a 32-bit Windows VM and run them there, or use a DOS emulator. I will be using a DOS emulator called dosbox, which we can easily install on our Kali host by running sudo apt install dosbox. Once installed, executing dosbox will open another dialog box.

dosbox

Mount the directory that contains the pbox.exe file in DOSBox and execute the file. If DOSBox complains about not having DPMI, you may need to download cwsdpmi.zip, which can be downloaded here. DPMI is the DOS Protected Mode Interface, which allows a program to run in protected mode on 80286 series and later processors.[1]

If you are having a tough time getting dosbox to execute the file, there is a Linux client for PasswordBox, which is what pbox.exe is. It can be downloaded here. There are a few dependencies required.

sudo apt install libncurses5:i386 bwbasic

Running the pbox executable, the program asks for a database file. We have a database file from the FDISK image that we mounted earlier.

./pbox executable

Move the pbox.dat file from the mount point to /root/.pbox.dat and execute pbox again. Now we are prompted for the password to the database.

Not knowing the password shouldn’t stop you from trying to guess it. Usually start with password first. Doing this we get access to the database!

PasswordBox Database

Going through each entry in the database and pressing enter, the password pops up. Copy all of them to a text file to save for later. Alternatively, you can add the --dump flag and the database will be dumped to the screen.

Password dump from PasswordBox database