By doing a quick nmap scan we can see that port 21 (FTP) and port 80 (http) are opened.
Let’s do a slightly more advanced nmap scan to determine the Service Version (-sV) and run the default nmap script (-sC)
It looks like anonymous FTP is allowed so let’s start there.
We are able to successfully logged in to the ftp server with the anonymous users. Now it is possible to upload files to the server.
MSFvenom is used to create payloads that can be deployed on a remote server. We should be able to create a payload and upload it to the web server through the FTP session. Once done, a remote shell should be executed on our Metasploit console that we will get ready.
Now we take cesar.aspx and upload it to the web server through FTP.
Now we need to prepare our metasploit console to be listening for a connection from cesar.aspx. We will be using a reverse_tcp listener.
We can now run our exploit with the option -j as a background job.
Now we run our payload on the server by going to 10.10.10.5/cesar.aspx
On the msf console, we will see the following:
We can go into the sessions and open a new meterpreter session.
Now we have successfully gained control of the victim’s machine and we are ready to increase our privileges.
We are not authority yet. For that, we need to do further work.
There is a post exploit suggester that we can run and will give us a list of potential exploits that can be used in this system.
Let’s use kitrap0d
We have successfully obtained authority access.
This virtual machine shows how important it is for administrators to secure their FTP connections. If a hacher is able to successfully log in through FTP, he will be able to gain system level control over the server.