AllSignsPoint2Pwnage (WIP)
Nmap
First up checking FTP shows we can login with anonymous login. From here listing the contents only shows notice.txt.
Viewing the contents we become aware of a hidden SMB share called 'images'. The notice also implies uploading is possible on the share.
Checking for shares with smbclient.
We can then connect to the images$ share. List the contents and confirmd file upload with the put command using test.txt
Browsing to port 80 to check out the webserver we are presented with a slideshow. Using the contextual menu to save the images shows us the name of the image which matches that in the SMB share.
We can test if we can read the contents of test.txt to confirm we can execute uploaded files. We can try the /images/ directory as we known the share exists.
Knowing this works we can start to work towards getting a reverse shell. Checking information regarding the web server using Nikto shows it is powered by PHP.
Ideally we should create a PHP reverse shell and upload it to the SMB share. We can achieve this with msfvenom as shown below.
Then upload the shell to the SMB share.
Open a netcat listener to the port specified in the payload.
Then execute the shell with curl.
Which connects our listener.
Last updated
