All right. More hands on demos here.
So we're gonna use nmap against this host. I identified port 2121 open, which is not our default port for FTP, but it's like port 21, so hopefully this will also be an FTP server. You can notice I'm also doing my default -sV -sC, which I always like to do.
And you can see those default scripts with the -sC flag show us, um, that FTP is in fact on port 2121 with a quantum computer server. It's gonna become important here a little bit later. We also see that anonymous logins are allowed and that we have some writable permissions. Now, I could do more enumeration with the Nmap Scripting Engine,
but because I can log in anonymously, let's just go ahead and see what we can do from here. So I'm gonna use the FTP client in Kali and I'm going to specify port 2121. I'm just gonna make my username anonymous.
I'll enter whatever password I want.
And we can see here that we're using binary mode, which is the mode we want to use. If you wanted to switch to ASCII, which I don't recommend, you can type in ascii, but let's stick to binary mode.
So let's see what we can find here. You can do dir, you can do ls. You can also type help and see what commands are available to you.
So if I wanted to get something, let's say I want to get
uh, index.htm,
I could type that, and we can see that, uh, we now have index.htm.
I can also try to put files on the server. So
we created that web shell back in SMB; I've renamed that web shell to ftpshell.
Not that we're in the web root, um, but let's see if we could just put a file here into...
let's see where we are. Program Files (x86), 4 metre shared. Let's see if we can just put a file in here. So put
desktop/ftpshell,
we'll name it ftpshell,
that's .asp.
And we notice that we got a permission denied.
So that's to say perhaps the anonymous user doesn't have the right permissions.
So let's get out of here.
So let's do some further enumeration on familiar. And I'm gonna use searchsploit,
and we can see we have a whole bunch of different vulnerabilities here for directory traversal. So maybe we can break out of this, uh, shared folder and go enumerate the file system. But let's try to figure out if we have more permissions as perhaps the admin user. So if you just google,
um, default ftp credentials,
if I can even spell right,
we can see the account admin has a password of password. So let's try that.
So we'll go back
And sure enough, we're now logged in as the admin user.
So let's try to leverage this directory traversal vulnerability,
and like we could do cd .. and go back a directory. Um, let's try that with dir to see if we can enumerate this, uh, this Windows box.
So we can see here that we did go back, and, um, we can go to Users,
we can go to admin,
and we see that there's a flag here.
So we could try to get this and see if it works,
and we can see that it didn't find it. So let's try to figure out if we can put things on this server now.
So I told you we have that ftpshell which we made before in the SMB block. So let's see if I can put
that file on the IIS web server. So we're putting it in
wwwroot,
and we'll just call it ftpshell.
So it looks like we're able to put that file on there, and one way we can verify it, of course, is we want to get our listener ready.
So I'm going to set our listener up
with msfconsole.
I've already set my options here.
You see the payload, the host, the port, just like the SMB module. Now we're just using that same, uh, same ASP shell.
So because I put this in the web root as ftpshell.asp,
let's give that a try.
So ftpshell.asp.
And we see, in fact, that that Meterpreter session opened,
so we can then interact with that session (sessions -i)
and drop into a shell if we want.
I also want to show you another thing with directory traversal over here, so I can do dir ../../../.
And you might go, well, how do I get to Program Files? Well, we can try quotations and see if that works. But there's also short names in Windows. So what you do is the first six letters, a tilde,
and a one. So that should give us Program Files.
I should check my math here.
Six. And there we go, we can see Program Files. Now we're gonna say, Clint, there's Program Files (x86). Well,
let's try math again here. Progra~2.
And now we see Program Files (x86). So that's a little trick that you can use, uh, to use short file names on Windows hosts when you have something like a directory traversal vulnerability that you're trying to exploit.
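The PROGRA~1 / PROGRA~2 trick shown above follows from how Windows derives 8.3 short names for long file names. The following is an added example, not code from the course or from any Windows component: a small Python model of that derivation (uppercase, drop spaces and a few separators, keep the first six characters, append ~1 through ~4 in creation order). It assumes the directory listing is given in creation order and does not model the hash-based form Windows switches to after the fourth collision. From a defender's side, the same model explains why a path filter that only matches the long name "Program Files" does not see a request for PROGRA~1.

```python
"""Model of Windows 8.3 short-name generation (constructed example, not Windows' own code)."""

# Characters that survive into an 8.3 name besides ASCII letters and digits.
_KEEP = set("$%'-_@~`!(){}^#&")
# Separators Windows silently drops when building the short form.
_DROP = set(" +,;=[].")


def _split(name):
    """'Program Files (x86)' -> ('Program Files (x86)', ''); 'a.b.txt' -> ('a.b', 'txt')."""
    stem, dot, ext = name.rpartition(".")
    return (name, "") if not dot else (stem, ext)


def _squash(text):
    """Uppercase, drop the separators in _DROP, replace anything else unusual with '_'."""
    out = []
    for ch in text:
        if ch.isascii() and (ch.isalnum() or ch in _KEEP):
            out.append(ch.upper())
        elif ch not in _DROP:
            out.append("_")
    return "".join(out)


def is_valid_83(name):
    """True if the long name is already a legal 8.3 name (so no tilde form is generated)."""
    stem, ext = _split(name)

    def clean(s):
        return all(c.isascii() and (c.isalnum() or c in _KEEP) for c in s)

    return 0 < len(stem) <= 8 and len(ext) <= 3 and clean(stem) and clean(ext)


def short_names(entries):
    """Map each entry of one directory (in creation order) to the short name a
    Windows volume would expose, numbering collisions ~1, ~2, ~3, ~4 in order."""
    used = set()
    result = {}
    for name in entries:
        if is_valid_83(name):
            short = name.upper()          # stored uppercase, matched case-insensitively
            used.add(short)
            result[name] = short
            continue
        stem, ext = _split(name)
        base = _squash(stem)[:6]          # first six surviving characters
        ext = _squash(ext)[:3]
        for n in range(1, 5):
            candidate = f"{base}~{n}" + (f".{ext}" if ext else "")
            if candidate not in used:
                break
        else:
            # Windows uses a hash-derived form past ~4; not modelled here (assumption).
            raise ValueError(f"more than four collisions for {base}")
        used.add(candidate)
        result[name] = candidate
    return result


if __name__ == "__main__":
    # Constructed listing of a Windows drive root, in the order the folders were created.
    listing = ["Program Files", "Program Files (x86)", "Users", "inetpub", "Documents and Settings"]
    for long_name, short in short_names(listing).items():
        print(f"{short:<12} {long_name}")
```

Running it prints PROGRA~1 for Program Files and PROGRA~2 for Program Files (x86), matching what the walkthrough typed, while Users and inetpub keep their names because they already fit the 8.3 form.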
So, in summary, now we should understand what FTP is used for, and we can now demonstrate how to enumerate FTP.