What is the username that is used over FTP when you want to log in without having an account (HTB)?

Probably a stupid question, but when connecting to FTP servers, there is sometimes an option for account. What is the significance of this vs the username?

See this method from the Apache FTP Client for example:

    /**
     * Login to the FTP server using the provided username, password,
     * and account. If no account is required by the server, only
     * the username and password, the account information is not used.
     *
     * @param username The username to login under.
     * @param password The password to use.
     * @param account The account to use.
     * @return True if successfully completed, false if not.
     * @throws FTPConnectionClosedException
     *      If the FTP server prematurely closes the connection as a result
     *      of the client being idle or some other reason causing the server
     *      to send FTP reply code 421. This exception may be caught either
     *      as an IOException or independently as itself.
     * @throws IOException If an I/O error occurs while either sending a
     *      command to the server or receiving a reply from the server.
     */
    public boolean login(final String username, final String password, final String account) throws IOException { .... }

As usual, let's start with nmap:

nmap -sV -sC IP

Replace IP with the IP address of the target machine (Fawn).

Note: the IP addresses of the target machines change, so make sure you type the correct one. You can find it in your Hack The Box account.

We can see that port 21 is open on the target machine. Port 21 is associated with FTP (File Transfer Protocol).

Notice the line: ftp-anon: Anonymous FTP login allowed

This means that this FTP server has been misconfigured and we can use the username anonymous to log in! When we are prompted for the password of anonymous, we should be able to enter whatever we want, because the server disregards the password for the anonymous account.
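To make both points concrete (the "account" parameter asked about at the top of the page, and the fact that an anonymous-enabled server does not check the password), here is an added example of my own; it is not code from the Apache Commons Net answer or from Hack The Box. It models the RFC 959 login dialogue: the client sends USER, sends PASS if the server answers 3yz, and sends ACCT only if the server then answers 332 "Need account for login". The server, its user table and the anonymous policy are a constructed simulation; nothing touches the network.

```python
"""Constructed model of the FTP login dialogue (RFC 959 replies 331/332/230/530).
The server side is a simulation for teaching purposes, not a real FTP daemon."""

# Constructed server-side policy: known users, their passwords, and whether the
# server additionally demands an ACCT after a correct PASS.
SIMULATED_USERS = {
    "alice": {"password": "s3cret", "account": "billing"},  # ACCT required
    "bob":   {"password": "hunter2", "account": None},      # password is enough
}
ANONYMOUS_ENABLED = True  # the misconfiguration the nmap ftp-anon line reports


class SimulatedFtpServer:
    """Answers one control-channel command at a time with an RFC 959 reply."""

    def __init__(self, anonymous_enabled=ANONYMOUS_ENABLED):
        self.anonymous_enabled = anonymous_enabled
        self.user = None
        self.password_ok = False
        self.logged_in = False

    def command(self, verb, arg=""):
        verb = verb.upper()
        if verb == "USER":
            self.user, self.password_ok, self.logged_in = arg, False, False
            is_anon = self.anonymous_enabled and arg in ("anonymous", "ftp")
            if arg in SIMULATED_USERS or is_anon:
                return "331 User name okay, need password."
            # Real servers often answer 331 here too, to avoid user enumeration.
            return "530 Not logged in."
        if verb == "PASS":
            if self.user is None:
                return "503 Bad sequence of commands."
            if self.user in ("anonymous", "ftp"):
                # Anonymous login: the password (by convention an e-mail
                # address) is accepted without any verification.
                self.logged_in = True
                return "230 User logged in, proceed."
            entry = SIMULATED_USERS.get(self.user)
            if entry is None or entry["password"] != arg:
                return "530 Login incorrect."
            self.password_ok = True
            if entry["account"]:
                return "332 Need account for login."
            self.logged_in = True
            return "230 User logged in, proceed."
        if verb == "ACCT":
            entry = SIMULATED_USERS.get(self.user or "")
            if entry is None or not self.password_ok:
                return "503 Bad sequence of commands."
            if entry["account"] == arg:
                self.logged_in = True
                return "230 User logged in, proceed."
            return "530 Not logged in."
        return "502 Command not implemented."


def ftp_login(server, username, password, account=""):
    """Client-side login in the style of ftplib / Commons Net login(user, pass, acct):
    USER first, PASS only if asked (3yz), ACCT only if asked again (332).
    Returns (success, transcript) so the dialogue can be inspected."""
    transcript = []

    def send(verb, arg):
        reply = server.command(verb, arg)
        transcript.append(f"> {verb} {arg}".rstrip())
        transcript.append(f"< {reply}")
        return reply

    reply = send("USER", username)
    if reply.startswith("3"):
        reply = send("PASS", password)
    if reply.startswith("3"):
        reply = send("ACCT", account)
    return reply.startswith("2"), transcript


if __name__ == "__main__":
    for creds in (("anonymous", "anything"), ("alice", "s3cret"),
                  ("alice", "s3cret", "billing"), ("bob", "hunter2")):
        ok, lines = ftp_login(SimulatedFtpServer(), *creds)
        print("\n".join(lines), "\n=> logged in:", ok, "\n")
```

The transcript for alice without an account ends in 530 after the ACCT step, which is the case the Apache Commons Net javadoc is describing: the account is only consulted when the server asks for it with reply 332; for bob and for anonymous it is never sent.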

Let's see if that works!

Foothold

ftp 10.129.252.202

Type:

anonymous

and press enter

When prompted to enter a password, type whatever you like and press enter.

We are in!

Let's list the files available in our current directory using:

ls

There is a file called flag.txt. This seems interesting!

Let's use the get command to download this file directly onto our VM:

get flag.txt

Now go to your home directory and you will see that flag.txt is there.

Open the file flag.txt

Congratulations! You got the flag!

HTB is a platform which provides a large number of vulnerable virtual machines. The goal is to find vulnerabilities, elevate privileges and finally to find two flags — a user and a root flag. As I am planning to take the OSCP exam, my focus is to exploit some HTB machines as preparation.

As I tend to remember things more easily when I write them down, I decided to summarize the walkthroughs as documentation for later reference or for anyone who is interested in this topic.

This is my first HTB writeup!

This machine has an anonymous FTP login, meaning that anyone with the username anonymous and any string as a password can log in and access the files on the server. Allowing users to gain access from any part of the globe is dangerous in itself; if they additionally have write access it is even worse. Normally the anonymous user should have limited access rights and operation restrictions, which is not the case here. The anonymous user can upload any binary and execute it directly through the browser, because the FTP root is the same as the \inetpub\wwwroot directory, which is the default folder for publishing web pages.

Furthermore, the machine has several Windows kernel vulnerabilities which allow privilege escalation.

In order to identify vulnerabilities and proceed with exploitation, it is necessary to do a bit of port scanning and to collect as much information as possible about the target network. I start with an Nmap scan to get an overview of open ports and running services.

nmap -A -T4 10.10.10.5 -oX nmap/scan.xml --webxml

-A: Enable OS detection, version detection, script scanning, and traceroute
-v: Increase verbosity level
-T4: Faster execution (default is T3)
-oX: Save output as xml

Scan Result

Nmap xml output

Open Ports Analysis

Port 80: Potentially risky methods/ Microsoft-IIS/7.5
I navigated to 10.10.10.5 and checked out the start page and the files mentioned in the above nmap result. I found nothing interesting in the HTML pages (iisstart.html is the starting page).

Port 21: Anonymous FTP allowed
This information from the nmap scan looks very promising. Anonymous FTP is allowed, which means that anyone can log into the FTP server with anonymous as the username and any string as the password to access the files. The FTP root directory shows a directory aspnet_client. This seems to be a default folder which is obsolete in .NET 4.0.
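Both walkthroughs spot the weakness from the same nmap line, and the scan above is saved with -oX, so here is an added example (my own, not part of the writeup or of nmap) that reads nmap XML and lists every host where the ftp-anon NSE script reported a successful anonymous login, together with the directory listing the script captured. The XML fragment is constructed to mirror the shape of nmap's output (host / ports / port / script elements); the addresses, banners and timestamps in it are made up.

```python
"""Audit nmap XML output for hosts that allow anonymous FTP login.
Added example: sample XML below is constructed, not real scan output."""
import xml.etree.ElementTree as ET

# Constructed fragment in the layout of `nmap -sV -sC -oX scan.xml`.
# 192.0.2.x are documentation addresses; the listing echoes what the
# writeup saw (an aspnet_client folder), the rest is invented.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -oX scan.xml 192.0.2.0/29">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="Microsoft ftpd"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)&#xa;03-18-17  01:06AM       &lt;DIR&gt;          aspnet_client"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Microsoft IIS httpd" version="7.5"/>
      </port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="vsftpd" version="3.0.3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def find_anonymous_ftp(xml_text):
    """Return one finding per host/port where ftp-anon reported a login.

    The script's first output line carries the verdict; later lines are the
    directory listing nmap retrieved as the anonymous user. aspnet_client is
    a folder IIS creates under the web root, so seeing it over FTP is a hint
    that the FTP root and \\inetpub\\wwwroot coincide, as in this writeup.
    """
    # ElementTree does not resolve external entities, but for scan files from
    # untrusted sources prefer defusedxml.ElementTree.fromstring.
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            script = port.find("script[@id='ftp-anon']")
            if script is None:
                continue
            lines = script.get("output", "").splitlines()
            if not lines or "Anonymous FTP login allowed" not in lines[0]:
                continue
            service = port.find("service")
            listing = [ln.strip() for ln in lines[1:] if ln.strip()]
            findings.append({
                "host": addr,
                "port": int(port.get("portid")),
                "product": service.get("product", "") if service is not None else "",
                "listing": listing,
                "looks_like_iis_web_root": any("aspnet_client" in ln for ln in listing),
            })
    return findings


if __name__ == "__main__":
    for f in find_anonymous_ftp(SAMPLE_NMAP_XML):
        flag = " (listing resembles an IIS web root)" if f["looks_like_iis_web_root"] else ""
        print(f"{f['host']}:{f['port']} {f['product']} allows anonymous FTP{flag}")
        for entry in f["listing"]:
            print("   ", entry)
```

Point the same function at the real nmap/scan.xml from the command above (open the file and pass its contents) to get the same report for a whole subnet; only hosts where the script actually logged in are reported, so a host that merely runs FTP (the second one in the sample) stays silent.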

The first step will be to test if file upload to the ftp server is possible. Given that this is the case we can upload a payload and try to execute it through the browser to get a shell.

2. Gain Access

  1. Login as anonymous into the FTP Server.
  2. Check out the directory structure and files. As outlined above, the files do not contain any helpful information.
  3. Check if the upload function works via the put command. Create a simple txt file, upload it and try to access the file via 10.10.10.5/<filename>.txt. We see that this is indeed successful. The next step is to upload the malicious payload.
ftp login and file upload

Now that we know that FTP login and upload are working, we can create our own reverse shell, upload it and execute it, in order to get access to the machine via a reverse shell to our attacker machine.

Reverse Shell

We can use msfvenom to create our custom payload for the exploit. For a clear understanding, make sure to understand the various reverse shells available and to choose the right one. For example, select windows/meterpreter/reverse_tcp only if you use Metasploit. Make sure to understand the difference between staged and unstaged payloads. In our case we use the non-meterpreter unstaged reverse shell payload windows/shell_reverse_tcp to generate the aspx payload. With this, we have the option to get a shell with a basic netcat listener. The staged version will not work with the netcat listener.

The listening host is the attacking machine (ip address | grep tun) and the port is the one we will listen on. We have created our backdoor executable binary. Upload this file as mentioned above to the FTP root directory.

As we want to get a shell, we start a netcat listener on the attacking machine and visit 10.10.10.5/test.aspx.

Low Privilege Shell

As soon as we visit the malicious URL 10.10.10.5/test.aspx the exploitation process starts. In the listener we can see that we have a shell running as iis apppool\web.

low priv shell

Our next goal is to escalate our privileges. Windows Exploit Suggester is a tool which checks if public exploits are available for a specific machine. For this, I saved the output of systeminfo to a text file.

systeminfo output

3. Elevation of Privilege

We need to elevate our privileges to a SYSTEM-level user.

As mentioned, I am using Windows Exploit Suggester to detect which public exploits exist. The only requirement to use this tool is the systeminfo command output from a Windows machine. Before executing the below command make sure you have all relevant dependencies installed (as explained on their GitHub page).

available exploits (E -> public Exploit; M -> Metasploit Module)

We are interested in the public exploits.

In order to make a quick decision on which exploit to try, I chose one that is marked as public and listed here: https://github.com/SecWiki/windows-kernel-exploits (they provide compiled versions). MS11-011 did not work, so I used MS10-059, which worked like a charm. The description gives a good indication of whether elevation of privilege is possible.

For this challenge I used the compiled version from this git repo.

Transfer File to victim machine

We have various ways to transfer the file to the victim machine. As the target machine runs Windows, wget, nc, etc. "are not recognized as an internal or external command".

Via Python's built-in HTTP server

Execution of exploit (MS10-059)

In the listener we can see that we have a shell running as nt authority\system.

Via FTP

We can upload the exploit binary via FTP to the server and navigate to the respective folder on the victim machine.

The \inetpub\wwwroot is the default directory for all web pages and content that is published on the web. \inetpub itself is the default folder for Microsoft Internet Information Services (IIS).

Flags

Now that we have escalated our privileges, we can access the root and user text files.

Whenever possible I will focus on solving HTB challenges without using Metasploit. This chapter is a quick step-by-step tutorial, in case someone is interested in walking through it.

overview of available exploit modules
Metasploit exploit priv esc

  • In order to secure the server from anonymous user login, anonymous login should not be allowed.
  • If anonymous FTP is necessary, make sure that only a small number of people are able to write to the server.
  • The FTP root should not be the same as the web server root (in the case of IIS, the \inetpub\wwwroot directory).
  • Update systems when updates/patches are available. This mitigates the risk that a malicious actor uses a Windows kernel vulnerability to elevate privileges.
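The second and third points are also something a defender can verify after the fact from the FTP server's own logs: an anonymous session that completes STOR commands, let alone of server-executable file types, is the exact precondition this machine was compromised through. Below is an added example of my own (not part of the writeup) that parses a W3C extended FTP log the way IIS writes it (a #Fields: header naming the columns) and reports, per client address, anonymous logins, successful writes, denied writes and uploads with executable extensions. The log excerpt is constructed; the field names follow the W3C format, while the timestamps, addresses, paths and status values are made up.

```python
"""Flag anonymous FTP write activity in a W3C extended FTP log (IIS style).
Added example; the log excerpt below is constructed, not a real server log."""
from collections import defaultdict

# Constructed W3C extended log. The #Fields: header defines the columns, so
# the parser works for any column order the server is configured with.
SAMPLE_FTP_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2024-01-05 10:00:01 198.51.100.7 - 10.0.0.5 21 ControlChannelOpened - - 0
2024-01-05 10:00:02 198.51.100.7 - 10.0.0.5 21 USER anonymous 331 0
2024-01-05 10:00:02 198.51.100.7 anonymous 10.0.0.5 21 PASS *** 230 0
2024-01-05 10:00:05 198.51.100.7 anonymous 10.0.0.5 21 NLST / 226 0
2024-01-05 10:00:09 198.51.100.7 anonymous 10.0.0.5 21 STOR /test.txt 226 0
2024-01-05 10:00:20 198.51.100.7 anonymous 10.0.0.5 21 STOR /test.aspx 226 0
2024-01-05 10:01:00 203.0.113.9 - 10.0.0.5 21 USER deploy 331 0
2024-01-05 10:01:01 203.0.113.9 deploy 10.0.0.5 21 PASS *** 230 0
2024-01-05 10:01:03 203.0.113.9 deploy 10.0.0.5 21 RETR /iisstart.htm 226 0
2024-01-05 10:02:00 198.51.100.7 anonymous 10.0.0.5 21 STOR /blocked.exe 550 5
"""

# FTP commands that modify the server-side file system (RFC 959 names).
WRITE_METHODS = {"STOR", "STOU", "APPE", "DELE", "RNTO", "MKD", "RMD"}
ANON_USERS = {"anonymous", "ftp"}
# Extensions IIS will execute or load if the FTP root is also the web root.
EXECUTABLE_EXT = (".aspx", ".asp", ".ashx", ".asmx", ".exe", ".dll", ".bat", ".ps1")


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def audit_anonymous_writes(text):
    """Summarise anonymous activity per client IP.

    A 2yz reply to PASS counts as a login; a 2yz reply to a write command is a
    successful write (226 = transfer complete); anything else on a write
    command is recorded as denied, which is what a correctly restricted
    anonymous account should produce for every write attempt.
    """
    empty = lambda: {"logins": 0, "writes": [], "denied_writes": [], "executable_uploads": []}
    findings = defaultdict(empty)
    for rec in parse_w3c(text):
        if rec["cs-username"].lower() not in ANON_USERS:
            continue
        ip = rec["c-ip"]
        method, path, status = rec["cs-method"], rec["cs-uri-stem"], rec["sc-status"]
        if method == "PASS" and status.startswith("2"):
            findings[ip]["logins"] += 1
        elif method in WRITE_METHODS:
            if status.startswith("2"):
                findings[ip]["writes"].append((method, path))
                if path.lower().endswith(EXECUTABLE_EXT):
                    findings[ip]["executable_uploads"].append(path)
            else:
                findings[ip]["denied_writes"].append((method, path, status))
    return dict(findings)


if __name__ == "__main__":
    for ip, summary in audit_anonymous_writes(SAMPLE_FTP_LOG).items():
        print(f"{ip}: {summary['logins']} anonymous login(s), "
              f"{len(summary['writes'])} successful write(s), "
              f"{len(summary['denied_writes'])} denied")
        for path in summary["executable_uploads"]:
            print("  executable content uploaded anonymously:", path)
```

On a hardened server the writes list should stay empty and every write attempt should land in denied_writes; any entry in executable_uploads is worth treating as an incident, because, with the FTP root and web root sharing a directory, the file is reachable from the browser the moment the transfer completes.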