FTP


Nmap discovered another FTP server on target port 3145. The running service is zFTPServer admin. As the name suggests, this FTP instance appears to be for administration.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/authby]
└─$ ftp $IP -P 3145
Connected to 192.168.203.46.
220 .
Name (192.168.203.46:kali): anonymous
331 User name received, need password.
Password: 
530 Login not accepted: Wrong username or password
ftp: Login failed

The target FTP server does not allow a null session. A valid credential is required.

offsec


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/authby]
└─$ ftp offsec@$IP 3145
Connected to 192.168.203.46.
220 .
331 User name received, need password.
Password: offsec
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

After some trial and error, I found the password of the offsec user that was enumerated from the other FTP instance.

ftp> ls
229 Entering Extended Passive Mode (|||2081|)
150 Opening connection for /bin/ls.
total 0
drw-rw-r--   1 root     root          512 Feb 28 21:05 E:DRIVE_CDROM:<CD-Rom>
drw-rw-r--   1 root     root          512 Feb 28 21:05 D:DRIVE_CDROM:<CD-Rom>
drw-rw-r--   1 root     root          512 Feb 28 21:05 C:DRIVE_FIXED:
drw-rw-r--   1 root     root          512 Feb 28 21:05 $:NETWORK_NEIGHBORHOOD:
226 Closing data connection.

It would appear that this FTP instance is mapped to several drives in the target system.

E and D Drives


ftp> ls E:DRIVE_CDROM:<CD-Rom>
229 Entering Extended Passive Mode (|||2093|)
150 Opening connection for /bin/ls.
total 0
226 Closing data connection.
ftp> ls D:DRIVE_CDROM:<CD-Rom>
229 Entering Extended Passive Mode (|||2094|)
150 Opening connection for /bin/ls.
total 0
226 Closing data connection.

Both the E and D drives are empty.

$:NETWORK_NEIGHBORHOOD


ftp> dir $:NETWORK_NEIGHBORHOOD:
229 Entering Extended Passive Mode (|||2095|)
150 Opening connection for /bin/ls.
total 0
drw-rw-r--   1 root     root          512 Feb 28 21:15 $NETWORK:Microsoft Windows Network
drw-rw-r--   1 root     root          512 Feb 28 21:15 $NETWORK:Microsoft Terminal Services
226 Closing data connection.
 
ftp> ls $:NETWORK_NEIGHBORHOOD:/$NETWORK:Microsoft\ Windows\ Network
229 Entering Extended Passive Mode (|||2103|)
150 Opening connection for /bin/ls.
total 0
226 Closing data connection.
ftp> ls $:NETWORK_NEIGHBORHOOD:/$NETWORK:Microsoft\ Terminal\ Services
229 Entering Extended Passive Mode (|||2106|)
150 Opening connection for /bin/ls.
total 0
226 Closing data connection.
 
ftp> pwd
Remote directory: /$:NETWORK_NEIGHBORHOOD:/
ftp> cd $NETWORK:Microsoft\ Windows\ Network
ls
550 Access denied
ftp> cd $NETWORK:Microsoft\ Terminal\ Services
550 Access denied

The $:NETWORK_NEIGHBORHOOD: directory has 2 unreachable sub-directories that appear to be empty.

C Drive


ftp> cd C:DRIVE_FIXED:
250 CWD Command successful.
ftp> ls
229 Entering Extended Passive Mode (|||2115|)
150 Opening connection for /bin/ls.
total 0
-rw-rw-r--   1 root     root           20 Dec 14  2011 wins.ld
drw-rw-r--   1 root     root          512 Mar 05  2015 Windows
drw-rw-r--   1 root     root          512 Nov 08  2011 wamp
drw-rw-r--   1 root     root          512 Jul 10  2020 Users
drw-rw-r--   1 root     root          512 Dec 20  2009 System Volume Information
drw-rw-r--   1 root     root          512 Nov 09  2011 ProgramData
drw-rw-r--   1 root     root          512 May 22  2013 Program Files
drw-rw-r--   1 root     root          512 Jan 19  2008 PerfLogs
drw-rw-r--   1 root     root          512 Dec 20  2009 ManageEngine
drw-rw-r--   1 root     root          512 Jan 19  2008 Documents and Settings
-rw-rw-r--   1 root     root           10 Sep 19  2006 config.sys
-rw-rw-r--   1 root     root         8192 Dec 20  2009 BOOTSECT.BAK
-rw-rw-r--   1 root     root       333203 Jan 19  2008 bootmgr
drw-rw-r--   1 root     root          512 Dec 20  2009 Boot
-rw-rw-r--   1 root     root           24 Sep 19  2006 autoexec.bat
-rw-rw-r--   1 root     root       439953 Dec 14  2011 AIPHV
drw-rw-r--   1 root     root          512 Mar 30  2020 $Recycle.Bin
226 Closing data connection.

The C:DRIVE_FIXED: directory is the system root directory.
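A defender reviewing what an FTP account can see can flag this kind of exposure from the listing text alone. The following is an added example, not part of the original write-up; the function names, the finding labels and the SYSTEM_DIRS set are assumptions made for illustration.

```python
import re

# One Unix-style LIST line, as the server prints it in the transcripts above.
# Date is "Mon DD HH:MM" or "Mon DD  YYYY"; the name may contain spaces.
LIST_RE = re.compile(
    r"^(?P<type>[d-])[rwx-]{9}\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<date>[A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{4}|\d{2}:\d{2}))\s"
    r"(?P<name>.+)$"
)
# Virtual root entries in the naming seen on this page, e.g. "C:DRIVE_FIXED:".
DRIVE_RE = re.compile(r"^(?P<letter>[A-Z$]):(?P<kind>DRIVE_[A-Z]+|NETWORK_NEIGHBORHOOD):")
# Assumption: directories that normally exist only at a Windows system-drive root.
SYSTEM_DIRS = {"Windows", "Users", "ProgramData", "Program Files",
               "System Volume Information", "Documents and Settings"}

def parse_listing(text):
    """Return one dict per LIST entry; reply lines and prompts are skipped."""
    entries = []
    for line in text.splitlines():
        m = LIST_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["is_dir"] = e.pop("type") == "d"
            e["size"] = int(e["size"])
            entries.append(e)
    return entries

def audit(entries):
    """Flag entries showing that the account's FTP root reaches whole drives."""
    findings = []
    for e in entries:
        d = DRIVE_RE.match(e["name"])
        if d:
            findings.append(("drive-mapped", d["letter"], d["kind"]))
        elif e["is_dir"] and e["name"] in SYSTEM_DIRS:
            findings.append(("system-dir-visible", e["name"], "directory"))
    return findings

# Lines copied from the session output above.
SAMPLE = """\
229 Entering Extended Passive Mode (|||2081|)
drw-rw-r--   1 root     root          512 Feb 28 21:05 E:DRIVE_CDROM:<CD-Rom>
drw-rw-r--   1 root     root          512 Feb 28 21:05 C:DRIVE_FIXED:
drw-rw-r--   1 root     root          512 Feb 28 21:05 $:NETWORK_NEIGHBORHOOD:
drw-rw-r--   1 root     root          512 Dec 20  2009 System Volume Information
-rw-rw-r--   1 root     root           10 Sep 19  2006 config.sys
"""
if __name__ == "__main__":
    print(audit(parse_listing(SAMPLE)))
```

Any "drive-mapped" finding means the account's virtual root should be narrowed to a dedicated directory in the FTP server's configuration.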

ftp> ls C:DRIVE_FIXED:/Users/Administrator/Desktop/
229 Entering Extended Passive Mode (|||2058|)
150 Opening connection for /bin/ls.
total 0
-rw-rw-r--   1 root     root          927 Nov 08  2011 zFTPServer Administration.lnk
-rw-rw-r--   1 root     root          471 Nov 08  2011 WampServer.lnk
-rw-rw-r--   1 root     root           34 Mar 01 07:32 proof.txt
-rw-rw-r--   1 root     root          282 Dec 20  2009 desktop.ini
226 Closing data connection.
 
ftp> more C:DRIVE_FIXED:/Users/Administrator/Desktop/proof.txt
"RETR" Command not implemented.
ftp> less C:DRIVE_FIXED:/Users/Administrator/Desktop/proof.txt
"RETR" Command not implemented.
ftp> get C:DRIVE_FIXED:/Users/Administrator/Desktop/proof.txt
local: C:DRIVE_FIXED:/Users/Administrator/Desktop/proof.txt remote: C:DRIVE_FIXED:/Users/Administrator/Desktop/proof.txt
ftp: Can't access `C:DRIVE_FIXED:/Users/Administrator/Desktop/proof.txt': No such file or directory

It would appear that the current user has either SYSTEM or administrator-level privileges, but I cannot access any file. The error "RETR" Command not implemented indicates that the server lacks support for the RETR (Retrieve) command. This command is required to transfer files from the server to the client, which explains why get, more, and less fail.