Understanding FTP

What is FTP?


File Transfer Protocol (FTP) is, as the name suggests , a protocol used to allow remote transfer of files over a network. It uses a client-server model to do this, and- as we'll come on to later- relays commands and data in a very efficient way.
All about ftp network services

How does FTP work?

A typical FTP session operates using two channels:

•     a command (sometimes called the control) channel
•     a data channel.

As their names imply, the command channel is used for transmitting commands as well as replies to those commands, while the data channel is used for transferring data.


FTP operates using a client-server protocol. The client initiates a connection with the server, the server validates whatever login credentials are provided and then opens the session.


While the session is open, the client may execute FTP commands on the server.

Active vs Passive

The FTP server may support either Active or Passive connections, or both.

In an Active FTP connection, the client opens a port and listens. The server is required to actively connect to it.
In a Passive FTP connection, the server opens a port and listens (passively) and the client connects to it. 


This separation of command information and data into separate channels is a way of being able to send commands to the server without having to wait for the current data transfer to finish. If both channels were interlinked, you could only enter commands in between data transfers, which wouldn't be efficient for either large file transfers, or slow internet connections.



More Details:


You can find more details on the technical function, and implementation of, FTP on the Internet Engineering Task Force website: https://www.ietf.org/rfc/rfc959.txt. The IETF is one of a number of standards agencies, who define and regulate internet standards.



#1 What communications model does FTP use?



Ans :- client-server


#2 What's the standard FTP port?

Ans :- 21



#3 How many modes of FTP connection are there?  


Ans :-  2


Enumerating FTP


Lets Get Started


Before we begin, make sure to deploy the room and give it some time to boot. Please be aware, this can take up to five minutes so be patient!

Enumeration

By now, I don't think I need to explain any further how enumeration is key when attacking network services and protocols. You should, by now, have enough experience with nmap to be able to port scan effectively. If you get stuck using any tool- you can always use "tool [-h / -help / --help]" to find out more about it's function and syntax. Equally, man pages are extremely useful for this purpose. They can be reached using "man [tool]".

Method

We're going to be exploiting an anonymous FTP login, to see what files we can access- and if they contain any information that might allow us to pop a shell on the system. This is a common pathway in CTF challenges, and mimics a real-life careless implementation of FTP servers.





As we're going to be logging in to an FTP server, we're going to need to make sure therre is an ftp client installed on the system. There should be one installed by default on most Linux operating systems, such as Kali or Parrot OS. You can test if there is one by typing "ftp" into the console. If you're bought to a prompt that says: "ftp>" Then you have a working FTP client on your system. If not, it's a simple matter of using "sudo apt install ftp" to install one.
Alternative Enumeration Methods


It's worth noting  that some vulnerable versions of in.ftpd and some other FTP server variants return different responses to the "cwd" command for home directories which exist and those that don’t. This can be exploited because you can issue cwd commands before authentication, and if there's a home directory- there is more than likely a user account to go with it. While this bug is found mainly within legacy systems, it's worth knowing about, as a way to exploit FTP.


This vulnerability is documented at: https://www.exploit-db.com/exploits/20745

Now we understand our toolbox, let's do this.                


#1 Run an nmap scan of your choice.

How many ports are open on the target machine?

Ans :- 2



#2 What port is ftp running on?

Ans :- 21



#3 What variant of FTP is running on it? 

Ans :- vsftpd



#4 Great, now we know what type of FTP server we're dealing with we can check to see if we are able to login anonymously to the FTP server. We can do this using by typing "ftp [IP]" into the console, and entering "anonymous", and no password when prompted.


What is the name of the file in the anonymous FTP directory?


Ans :- PUBLIC-NOTEICE.txt


#5 What do we think a possible username
could be?



Ans :- mike



#6 Great! Now we've got details about the FTP server and, crucially, a possible username. Let's see what we can do with that...

Exploiting FTP

Similarly to Telnet, when using FTP both the command and data channels are unencrypted. Any data sent over these channels can be intercepted and read.

With data from FTP being sent in plaintext, if a man-in-the-middle attack took place an attacker could reveal anything sent through this protocol (such as passwords). An article written by JSCape demonstrates and explains this process using APR-Poisoning to trick a victim into sending sensitive information to an attacker, rather than a legitimate source.

When looking at an FTP server from the position we find ourselves in for this machine, an avenue we can exploit is weak or default password configurations.




Method Breakdown



So, from our enumeration stage, we know:

    - There is an FTP server running on this machine

    - We have a possible username

Using this information, let's try and bruteforce the password of the FTP Server.





Hydra


Hydra is a very fast online password cracking tool, which can perform rapid dictionary attacks against more than 50 Protocols, including Telnet, RDP, SSH, FTP, HTTP, HTTPS, SMB, several databases and much more. Hydra comes by default on both Parrot and Kali, however if you need it, you can find the GitHub here.


The syntax for the command we're going to use to find the passwords is this:
"hydra -t 4 -l dale -P /usr/share/wordlists/rockyou.txt -vV 10.10.10.6 ftp"


Let's break it down:





SECTION             FUNCTION

hydra                   Runs the hydra tool

-t 4                    Number of parallel connections per target

-l [user]               Points to the user who's account you're trying to compromise

-P [path to dictionary] Points to the file containing the list of possible passwords

-vV                     Sets verbose mode to very verbose, shows the login+pass combination for each attempt

[machine IP]            The IP address of the target machine

ftp / protocol          Sets the protocol

Let's crack some passwords!






#1 What is the password for the user "mike"?

Ans :- password


#2 Bingo! Now, let's connect to the FTP server as this user using "ftp [IP]" and entering the credentials when prompted



#3 What is ftp.txt?

Expanding Your Knowledge

Further Learning


There is no checklist of things to learn until you've officially learnt everything you can. There will always be things that surprise us all, especially in the sometimes abstract logical problems of capture the flag challenges. But, as with anything, practice makes perfect. We can all look back on the things we've learnt after completing something challenging and I hope you feel the same about this room.



Reading



Here's some things that might be useful to read after completing this room, if it interests you:

•     https://medium.com/@gregIT/exploiting-simple-network-services-in-ctfs-ec8735be5eef
•     https://attack.mitre.org/techniques/T1210/
•     https://www.nextgov.com/cybersecurity/2019/10/nsa-warns-vulnerabilities-multiple-vpn-services/160456/

   
   
   

I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

   

The communication with the drone happens over UDP, which is short for User Datagram Protocol. UDP is one of the dominant transport-layer protocols in use today. The other is TCP.

Contents

Enumeration with the Nmap:

 

 

Exploitation:

Privilege Escalation:

busybox cat /root/root.txt

Quiz Time

[Task 1] Introduction

Task 2] Methodology

This room will be divided into sections, each section talking about a specific vulnerability. The sections will follow this format: an introduction on what the vulnerable thing is, what the vulnerability(s) is/are(their may be multiple tasks on this), a guided exploitation in which I show pictures of how it's exploited, and finally a virtual machine where you will be asked to exploit it and collect a flag.

Since this room is divided into sections that don't follow one another, you can do this room in any order you please.

[Task 3] [Section 1 - SSTI] - What is SSTI

A template engine allows developers to use static HTML pages with dynamic elements. Take for instance a static profile.html page, a template engine would allow a developer to set a username parameter, that would always be set  to the current user's username


Server Side Template Injection, is when a user is able to pass in a parameter that can control the template engine that is running on the server.


For example take the code

[Task 4] [Section 1 - SSTI] - Manual exploitation of SSTI.

Turning the code earlier into a full flask application, gives us this page. It takes a prompt for a name, and then returns Hello <name>!.










Fortunately, we don't have to do much recon as we already know this is vulnerable to SSTI, lets try injecting some basic template code







Boom! That's template injection. We can use the wonderful repository PayloadsAllTheThings, to find some payloads for flask's template engine. The repo says we can use the code


{{ ''.__class__.__mro__[2].__subclasses__()[40]()(<file>).read()}}  to read files on the server. Effectively all that payload does is load the file object in python, from there we can use basic file operations. Let's try to read /etc/passwd using this method














We have LFI! Unfortunately(or fortunately depending on how you view it), that is not the extent of this vulnerability. The same repo, also includes a payload for remote code execution.


We can use the code


{{config.__class__.__init__.__globals__['os'].popen(<command>).read()}} to execute commands on the server. All that payload does is import the os module, and run a command using the popen method.









From there, an attacker has already won, they can use this ability to gain a shell on the server.



#1 How would a hacker(you :) ) cat out /etc/passwd on the server(using cat with the rce payload)

 

Ans :-  {{ ''.__class__.__mro__[2].__subclasses__()[40]()(<file>).read()}}

#2 What about reading in the contents of the user test's private ssh key.(use the read file one not the rce one)

Ans :- {{ ''.__class__.__mro__[2].__subclasses__()[40]()(/home/test/.ssh/id_rsa).read()}}

[Task 5] [Section 1 - SSTI]: Automatic Exploitation of SSTI

Fortunately, we don't have to go searching for payloads to see how we can use SSTI to our advantage, because there is a tool known as Tplmap that does that for us! The tool can be found here.


Note: use python2 to install the requirements. python2 -m pip



The basic syntax for tplmap is different depending on whether you're using get or post

• GET    tplmap -u <url>/?<vulnparam>
• POST    tplmap -u <url> -d '<vulnparam>'

Since our code operates via a form, the post syntax will be used.







From there we can effectively do everything we did in the manual exploitation task, from a command line. Let's try running id using tplmap.






 #1 How would I cat out /etc/passwd using tplmap on the ip:port combo 10.10.10.10:5000, with the vulnerable param "noot".

Ans :- tplmap -u http://10.10.10.10.5000/ -d 'noot' --os-cmd ' cat /etc/passwd'

[Task 6][Section 1 - SSTI]: Challenge

 

I've created a vulnerable machine for you to test your SSTI skills on! I've placed a flag in /flag aswell, good luck and have fun!


# What is the flag?

Hint - ./tplmap.py -u http://10.10.314.20/ -d 'name' --os-shell

Ans :- cooctus

Disclaimer

This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.






I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

 

[Task 1] Introduction

Cross-site scripting (XSS) is a security vulnerability typically found in web applications. Its a type of injection which can allow an attacker to execute malicious scripts and have it execute on a victims machine.


A web application is vulnerable to XSS if it uses unsanitized user input. XSS is possible in Javascript, VBScript, Flash and CSS. TryHackMe Cross Site Scripting - A Walkthrough by Kumar Atul Jaiswal


The extent to the severity of this vulnerability depends on the type of XSS, which is normally split into two categories: persistent/stored and reflected. Depending on which, the following attacks are possible:

• Cookie Stealing - Stealing your cookie from an authenticated session, allowing an attacker to login as you without themselves having to provide authentication.
• Keylogging - An attacker can register a keyboard event listener and send all of your keystrokes to their own server.
• Webcam snapshot - Using HTML5 capabilities its possible to even take snapshots from a compromised computer webcam.
• Phishing - An attacker could either insert fake login forms into the page, or have you redirected to a clone of a site tricking you into revealing your sensitive data.
• Port Scanning - You read that correctly. You can use stored XSS to scan an internal network and identify other hosts on their network.
• Other browser based exploits - There are millions of possibilities with XSS.

[Task 2] Deploy your XSS Playground

[Task 1] Deploy

Local File Inclusion (LFI) is the vulnerability that is mostly found in web servers. This vulnerability is exploited when a user input contains a certain path to the file which might be present on the server and will be included in the output. This kind of vulnerability can be used to read files containing sensitive and confidential data from the vulnerable system. TryHackMe LFi walkthrough Local file inclusion


The main cause of this type of Vulnerability is improper sanitization of the user's input. Sanitization here means that whatever user input should be checked and it should be made sure that only the expected values are passed and nothing suspicious is given in input. It is a type of Vulnerability commonly found in PHP based websites but isn't restricted to them.

[Task 2] Getting user access via LFI

[Task 3] Escalating your privileges to root

In this, we are going to focus on getting root-level access on the machine. This step is also known as Privilege escalation; we are going to escalate our privilege from a normal user to a root user (with the highest level of system privileges).


First, we'll have to find a vector that would be exploited to give us root access. A vector can be anything like a binary with some special permission or a cronjob that is not configured properly etc.


I've written a blog post about Linux privilege escalation, you can read it here to know more about it.



#1 What can falcon run as root?

Ans :- /bin/journalctl



#2 Search gtfobins via the website or by using gtfo tool, to see if you find any way to use that binary for privilege escalation.




#3 What is the root flag?

Ans :- H1EQRK5XEX140H2KMO08

Disclaimer

This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.






I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

Introduction to Heartbleed and SSL/TLS

Analysing the Bug

• http://heartbleed.com/ 
•  
•  
• https://www.seancassidy.me/diagnosis-of-the-openssl-heartbleed-bug.html
•  
•  
• https://stackabuse.com/heartbleed-bug-explained/

Heartbleed Bug Discovery

The Heartbleed bug was uncovered by a group of security engineers from Codenomicon and Neel Mehta from Google Security. ... This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.



Note :- Almost website Effect :- 5 Lakh+


Date discovered: April 1, 2014; 6 years ago
Affected software: OpenSSL (1.0.1)
Date patched: April 7, 2014; 6 years ago

Protecting Data In Transit

In this task, you need to obtain a flag using a very well known vulnerability. Make sure you pay attention to all the information and errors displayed. Pay particular attention to how web servers are configured.




Once the machine is deployed, let's go ahead and scan it with nmap



nmap -A -sC -sV -Pn 34.244.41.119








Looks like the machine is hosting a website and it's not properly patched, let's go ahead and see if there's a metasploit module for this







Looks like there is! Let's go ahead and select it for use and check what options we have to set






Just need to set RHOST (Remote host) and verbose, let's go ahead and set those!






Should be all set, lets run it!






There we go! Update your servers, folks!


Flags: