2112

adot@pwnbox:~/oscp/provinggrounds/easy/potato$ ftp 192.168.205.101 -p 2112
Connected to 192.168.205.101.
220 ProFTPD Server (Debian) [::ffff:192.168.205.101]
Name (192.168.205.101:adot): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
230-Welcome, archive user [email protected] !
230-
230-The local time is: Thu Jun 27 18:40:23 2024
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||60702|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x   2 ftp      ftp          4096 Aug  2  2020 .
drwxr-xr-x   2 ftp      ftp          4096 Aug  2  2020 ..
-rw-r--r--   1 ftp      ftp           901 Aug  2  2020 index.php.bak
-rw-r--r--   1 ftp      ftp            54 Aug  2  2020 welcome.msg
226 Transfer complete
ftp> mget *
mget welcome.msg [anpqy?]? y
229 Entering Extended Passive Mode (|||52224|)
150 Opening BINARY mode data connection for welcome.msg (54 bytes)
    54      712.62 KiB/s 
226 Transfer complete
54 bytes received in 00:00 (1.11 KiB/s)
mget index.php.bak [anpqy?]? y
229 Entering Extended Passive Mode (|||55795|)
150 Opening BINARY mode data connection for index.php.bak (901 bytes)
   901        9.33 MiB/s 
226 Transfer complete
901 bytes received in 00:00 (16.89 KiB/s)
ftp> exit
221 Goodbye.

index.php.bak

<html>
<head></head>
<body>

<?php

$pass= "potato"; //note Change this password regularly

if($_GET['login']==="1"){
  if (strcmp($_POST['username'], "admin") == 0  && strcmp($_POST['password'], $pass) == 0) {
    echo "Welcome! </br> Go to the <a href=\"dashboard.php\">dashboard</a>";
    setcookie('pass', $pass, time() + 365*24*3600);
  }else{
    echo "<p>Bad login/password! </br> Return to the <a href=\"index.php\">login page</a> <p>";
  }
  exit();
}
?>


  <form action="index.php?login=1" method="POST">
                <h1>Login</h1>
                <label><b>User:</b></label>
                <input type="text" name="username" required>
                </br>
                <label><b>Password:</b></label>
                <input type="password" name="password" required>
                </br>
                <input type="submit" id='submit' value='Login' >
  </form>
</body>
</html>
