Anonymous FTP

Advanced Penetration Testing Course


This topic contains 22 replies, has 7 voices, and was last updated by I.X.L 3 years, 6 months ago.

Viewing 3 posts - 21 through 23 (of 23 total)

    Two Wolves

    Check out the first video in Advanced Penetration Testing for the Exploitation section. Georgia’s lab has a web server running XAMPP with WebDAV. Using default credentials she uploads a PHP Backdoor and is able to run commands, passing them to the backdoor through the URL.

    Although our situation is a little different, I want to see if something similar is possible without default creds, but with an anon FTP server (it will have to have write permissions). Is there a similar method to upload a backdoor and gain a foothold?



    @twowolves - I was unable to get FileZilla to work on XP, even going back to the last “Supported” version, which is 3.8.

    I understand the question you’re posing, “does a Metasploit module exist for deploying a payload on the file system to gain access / can an auxiliary module help one to get a foothold?”, is really of a more general nature.

    My understanding is that there is no magic bullet to get a shell specifically by uploading a file to an FTP server alone, unless the FTP directory is in a folder accessible by the web server directly through the URL (and I may certainly be mistaken). At that point you’re back to the PHP backdoor and similar scenarios.

    Other information can be gleaned from accessing an FTP server and used as part of the bigger picture to exploit the server, for example the “Shadow” file in Linux.

    For Windows, modules are in usr/share/metasploit-framework/modules/exploits/windows/ftp, but I’m sure you’re well aware of that, as well as using searchsploit in the msfconsole.

    There are dozens of exploits in Metasploit for Windows FTP; some are very specific to the version and FTP server being used.
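Added example (not part of the thread or any poster's code): a defender-side check for the combination the reply above describes, anonymous FTP with write access whose directory is also served by the web server. It assumes a vsftpd server and the web roots `/var/www` and `/srv/www`; the sample config is constructed.

```python
import posixpath

# Constructed sample config (not from the thread); option names are vsftpd.conf directives.
RISKY_CONF = """\
# constructed example
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_root=/var/www/html/pub
"""
ANON_WRITE_OPTS = ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable")

def parse_conf(text):
    """Parse option=value lines; lines starting with '#' are comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            opts[key.strip().lower()] = value.strip()
    return opts

def is_within(path, root):
    """True if path is root or below it ('..' is collapsed; symlinks are not resolved)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")

def audit(text, web_roots=("/var/www", "/srv/www")):
    """Return findings. Assumption: an absent option counts as NO; check your build's defaults."""
    opts = parse_conf(text)
    enabled = lambda key: opts.get(key, "NO").upper() in ("YES", "TRUE", "1")
    if not enabled("anonymous_enable"):
        return []
    findings = ["anonymous-login"]
    # Anonymous writes need write_enable plus at least one anon_* write option.
    writable = enabled("write_enable") and any(enabled(k) for k in ANON_WRITE_OPTS)
    if writable:
        findings.append("anonymous-write")
    anon_root = opts.get("anon_root", "")
    if anon_root and any(is_within(anon_root, w) for w in web_roots):
        findings.append("anon-root-under-web-root")
        if writable:
            findings.append("CRITICAL: anonymous uploads land in a web-served directory")
    return findings

if __name__ == "__main__":
    print(audit(RISKY_CONF))
```

The path check is textual only, so a symlink or a web server alias pointing at the FTP directory has to be checked on the host itself.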



    Sorry if someone has mentioned this already, as I only skimmed the initial threads, but in response to the initial question: what can I do with anonymous FTP?

    Firstly, like a few people have suggested, thoroughly Nmap the entire host; get full version scanning and OS detection of the box. If you know what the box is because it’s in your lab, you still might want to do this so as to get into the habit. I also like to double check my findings with at least a second tool before going down specific paths, to avoid false positives. So for OS detection you could use Xprobe2, and for specific service version detection there is Amap and banner grabbing, which should hopefully back up your findings with Nmap.

    You didn’t mention what OS or any specifics about the box, but start off with the usual commands; you can normally see these with help or ? when you have gained access. Print the current directory: where have you ended up? List the files where you are. If this is a Linux box, are you in someone’s home account? Can you access the .ssh keys stored in their home directory or grab the bash history file .bash_history? If you can grab those files, that is a good start. Can you traverse to a higher directory? Usually just cd .. without the slash is enough to go up a directory. If it’s Windows, can you get to the repair directory to pull out the SAM and System file? Remember you need both ideally to crack passwords; if this is an XP Pro or 2000 box still using LM passwords, then you got yourself a quick win there. If there is one thing I learnt from the OSCP course, it is enumerate, enumerate and then, when you think you have enumerated enough, enumerate some more. When you get inside the box, the whole information gathering process starts again.
