# Vulnhub-Alfa
## Rustscan
```
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 64 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 4096 Dec 17 12:02 thomas
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.8
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.38 ((Debian))
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Alfa IT Solutions
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
65111/tcp open ssh syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 ad:3e:8d:45:48:b1:63:88:63:47:64:e5:62:28:6d:02 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2/gN4xwraW4+k393E8l0qsfBzclz6JW+SZG4rtYaonpi1RNGoTWSOgfEUm74RQocMqqklmzlqYVpr1jWu7+hqKZyQvhS3Z02/bbl2aPLsk$
| 2048 ad:3e:8d:45:48:b1:63:88:63:47:64:e5:62:28:6d:02 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2/gN4xwraW4+k393E8l0qsfBzclz6JW+SZG4rtYaonpi1RNGoTWSOgfEUm74RQocMqqklmzlqYVpr1jWu7+hqKZyQvhS3Z02/bbl2aPLskz
xJSHNQwX6C5gbA1m4ilgWr7beOvLr0ZsS1FwsM7F3UghKpgjWcXhK+PGYi9kh79q3HO0KZlhv46fpiPLxVOi7g4jA/TB7RZFEyWUgH0oUFqC6h9TGitOuH9mm1cVFbSFve/Xv+R3Fg1/nOsXtMp/
dbk3/qRBLnAZuMie4Lfi6Ri/ogb16NfQBowSv65zq3V312ctWdtp9ACrqNdHukHavW09qanQ6j+MAYFqI/gVx/
| 256 1d:b3:0c:ca:5f:22:a4:17:d6:61:b5:f7:2c:50:e9:4c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJWoOk2y6Gj22LwB1cphvfRxANuV99NkaatiHlQ3qoGomRhyzNzK2AWLBrHasjWbJKDxci+7JE
dP99XCBYZzKHQ=
| 256 42:15:88:48:17:42:69:9b:b6:e1:4e:3e:81:0b:68:0c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICRMwXyo2xpfoG0gAJKYSDnTdwp8RRZMVHrQS2wNB5T1
```
## PORT 21 (FTP)
Since anonymous login is enabled we can what's on ftp.
We only find `milo.png`
## PORT 80 (HTTP)
Visit `robots.txt` we see some entries but there is only `images` directory on web server.
Scrolling down a bit we can see something written in `Brainfuck`
Now here we can see a conversation between `Thomas` and Alfa IT support where the user thomas is requesting for password reset and he tells that his current password is petname and 3 digit numbers so we brute force his password
Now that the wordlist has been generated we can brute force against the user `thomas`
And we found the password
We can see `.remote_secret` which might be a password for vnc , we can verify to see if vnc is running or not which is usually on port 5900 or 5901
Now since vnc client is not installed on target machine we can do port forwarding for vnc port using ssh
Now that port is open on our local machine
Simply connect to that port using `remote_secret`
