.png "wing ftp server review")
Wing ftp server review upgrade#
However, let’s go one step further and upgrade the web shell to a meterpreter session. The web shell is great for initial access and in this case you could capture the flags and be done with this box since no privilege escalation is required. I could capture the flags from the browser if I wanted to. I do a “whoami” command and see that I already have NT Authority\System access. We see the contents of the htdocs folder. If you haven’t encountered a web shell before, you can add windows commands to be executed after cmd= in the URL and the output will be displayed on the web page. To interact with the php web shell add a command to the URL. SELECT “” into outfile “C:\\xampp\\htdocs\\backdoor.php” This allows Windows commands to be executed inside the web browser and display the output on the web page.
Wing ftp server review code#
The SQL query creates a file called backdoor.php which contains the php code for a standard web shell.
If you scroll down into the article there’s a malicious SQL query that can be executed to create a web shell vulnerability on the web server. Check out the second link from Hacking Articles. Start with a google search for something like phpMyAdmin reverse shell.
Wing ftp server review how to#
We have phpMyAdmin access but what can we do with it? If you aren’t familiar with phpMyAdmin, what is is, or how to exploit it. list_tokens -uįrom here its a simple matter of capturing the flags. Use the Impersonate_token command followed by “NT AUTHORITY\SYSTEM” and you’ll elevate your Meterpreter shell to SYSTEM. That’s what we need, so let’s use it and complete the box. We see below that we have available tokens for NT AUTHORITY\SYSTEM. First we will use the List_tokens command to view available tokens for our current user. Help command will list out available commands to be used. Type “ Load Incognito” from your Meterpreter prompt to load the module. However we can make use of a built in feature of the Meterpreter payload a module called Incognito. We could look into various Potato attacks, which hinge on this user privilege. This allows us to, you guessed it, impersonate a user after authentication. The Lian user has SeImpersonatePrivilege enabled. I’ll begin the process by running a simple command to check what privileges our current user has. With access to the target as the low privileged user Lian we can start to enumerate the system and find our path to privilege escalation.
Meterpreter session established from 172.31.1.20 We are logged in as Admin to the Wing FTP administration console. In this case I tried a few different username/password combinations. It won’t always be an easy win but sometimes you get lucky. I recommend doing this anytime you find a login page. Let’s try a couple of weak and or default password combinations. We find an administrative login page for Wing FTP. Let’s browse to this page and investigate. The one port that stands to me is port 8080. While we have multiple ports open most of the services being hosted on those ports require authentication and therefore credentials before we can connect to and utilize them. In the output we see multiple open ports, let’s drill into these and figure determine what to focus on first.
0 kommentar(er)
