FILE TRANSFER POST-EXPLOITATION WITH "NON-INTERACTIVE" FTP
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMZw-CRTWsqwVXD5lSkpPzRNw_0UbY4RySF4uFTy0jwpCW8ANH9wn2abti_cGAQ0bfOXvZmX74wgoJIpx8cEJndNEm5bgLNR9PGkq2ay8PZD0eSnLPvV_Sqln2zxHFG417HGW9cQkhw5cJ/s1600/Linux_W7.jpg)
1 - Introduction
- The goal of this exercise is to develop a method to transfer files from an attacking Kali Linux machine to a remote exploited Windows 7 machine using the command line.
- The problem with using FTP in "interactive" mode from a remote command line is that the transfer gets stuck even though the connection is successfully established.
- However, using FTP in "non-interactive" mode avoids that problem and allows files to be transferred to the exploited machine, which is essential in post-exploitation procedures.
2 - Setting up an FTP server on Kali Linux
- First of all, let's install and set up an FTP server on the Kali Linux machine, to which the target Windows 7 will connect to download files of interest for post-exploitation purposes.
- Pure-FTPd is a free, BSD-licensed FTP server with a strong focus on security:
https://www.pureftpd.org/project/pure-ftpd
https://en.wikipedia.org/wiki/Pure-FTPd
- Installing Pure-FTPd on Kali Linux:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjpOa7tEVQMwSTVYAk1jbrgXLDkNlefhTUsWOFwFRt7Tf2wQT5DLDikA8gQvWrBZTZ5VVGYvRbl6ZVRf94WIoAxhyMN0iGTez_hhaSGu9UVNwizCdnTDupfTJm4MrnuE9SOaR8zXq2wOO7/s1600/screenshot.6.jpg)
- Writing a bash script that configures the FTP server: it creates a user whitelist and its corresponding groups, creates the folder /ftphome, and finally restarts the service:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1QaqGGNx_6WLuLfZwqrVcDvWszppHzN4amSTzAxHWTG-0vMTPNXw7UsIWIbeL_XUAjyeecCGS_gAp_fapDRbZTvoDCfAA6LfYZAkAMddDyQCwyro1RJeS5Ruqfyuk0gzbuI6yF48_Yix4/s400/screenshot.13.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSHuMeX3hqfMU2HXf8HUlBV9NHRz8mFz03rPcXCOdqL71DONizEtlwmJuctHKrE4whWZX2OMJKKrOy47ymE3J0cAj6kdOueTy-HIfZTpPcdgAMl8AnPa_Fo95W4i6CXQW4p6YQ-cCsuPve/s1600/screenshot.14.jpg)
- Giving permissions to the bash script:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHPyIgO8hkCWri8hYE2zqkSGPu3WZZWYYjs9Pmirom8bVmqkmq9vBhyphenhyphenJ30F2n8qvz4Zrb_yQIpJI1YNbjkhevgUQZ5jj85GHJjfJp9iSbh8T5352VQtF31hk96-YFMHuDIWUbXRWPtChIa/s400/screenshot.20.jpg)
- Running the script:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg86NzwYk7iLMzu4hJl2_GqMqgBq_4tMVh8QQLFo7mnj7KGZcFoiJQOeOU2LdUGW5S3-hjCBCLByAAKvR4q1_zPxLaBJpu9HB6puK69UufURWjRIkwVB8YiA4dvULFKsuYSzsLw9Bf01cMG/s1600/screenshot.21.jpg)
- Now, let's check that the Pure-FTPd service is running locally on TCP port 21:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvAY5sTQNhSisvI6jEB_HzUQtnomcxyL-FYzQpuHOspmNdyPn9XYj1HHFnSuyEkoPbheEAbzWuqrqtHjxHhHNN4w4sQgBK3uRjy1DySjGOa-IG208OBATZOOrikYjj0ulXtzAogVioBXip/s1600/screenshot.19.jpg)
- Copying the Windows binary file sbd.exe to /ftphome, from where it will later be transferred to the target Windows 7 machine:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcC_LJ-hTsB8JdnD8JqyfkkwIEA3w6QgT_CtZbsHElbPi6cw-Xeljoar0051nFzYB6t1TnScFEGluLmA3uKLyyZybPepyBGnoaOCWOHYysZ5DgYMgDRJ7Wps0Q-vJu9QxUUbfZpD-_q4va/s1600/screenshot.25.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijyvDXMX3cs6ruESdxt1O3z8QXdyFfh_NMOjUpstA1DdD95q_AEgbU7AE1nZVzSohYgPV27MWYJ_Eyd7POpW8iLWDzBs8g_RLXRLP5wnGQaelXNa27UqAQHlhz6ccsUWLJRi9CS2ZCnvds/s400/screenshot.26.jpg)
3 - Exploiting the target Windows 7
- The target to be exploited runs the vulnerable BadBlue HTTP server on TCP port 80:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtgwCOJ0ZZ55KuyAV9cxoStJq4ZP6GkZpjdDw8swTDtDO8_DmHZ5iBl9Fcsb21bxokHp48VwpZr1FUh0u5nd6IapXe_UGyehArIh-COL0xodnIr7I-j-zUkUDIBv0sf3WdEA5LFsce6DBM/s1600/screenshot.1.jpg)
- Starting Metasploit:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4HbcyRU_Fy5i2ACz_Ycyi7MByOZHXNSt5GYEXoo63azbzqHHHA_bsdvQFww30-rgJijfPIXiCKbnllXXKMv9nwu9Fu7IulHinwBeSikg9TcKVYGWLEQ1GVhpnq4KkXgoPHeCSOIga6PnG/s400/screenshot.2.jpg)
- Using a BadBlue exploit:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0-xfWrCswmCGsEUiSXwBvypGR4PNqpfYgsrj4FWYWlz_QQygEyQ2L74zDOC3x-trxGq5ByBADOlN8vxChtEYJfJxv3rOjjnNzA_5eeZe_7nlb6Qx_lOQZGOFekx-1mEqZyARzhwaD5pZ2/s1600/screenshot.3.jpg)
- Setting the target IP:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvi2v2wHd5arLKISAFTJ-2Ktd_NBUU7R18OiOcgsB_DuSE2V517oSCNjCi8ZR2mwUPpH7yXxG0NyYtpYdxA1XKO4cENRLMsWxAAYJtUfUI0SMhPYF_NYp9AEo1a_RqbtJwjwLd0aS42nlu/s1600/screenshot.4.jpg)
- Running the exploit; finally, a remote Windows 7 shell is obtained on the Kali Linux machine:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL-pOl5dwgfXIqpKzOY7rE20pRD-uRNvQeBZrZ4oE2X1YlHNezVkoD4n6tiGdQfYSGKjmrWqbadkZbik_0p-EvEI-V1ZeYBIFpNBtPJowI_Snq0Ll08K6wP70J6PucwQudd-lM6PoBq2CH/s1600/screenshot.5.jpg)
4 - Post-exploitation with "non-interactive" FTP
- Let's check that the "interactive" FTP mode does not work for transferring files.
- After connecting to the FTP server and entering the username and password, the process gets stuck and no transfer can be performed:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiD4geJ0yPVRhQKinLIHAFlxJYLRxnKT0ayzjDqQGQEvlxWLlFSNRSE3Or3PI_pds2Z1GjVG49hwaF0cv1RPgRHfiNLCPOwWR7M-dBIAPQYxuPFhiF-kL2rIm3VcM97oyBXZiHfRehrGHVC/s1600/screenshot.6.jpg)
- So we can conclude that the normal, interactive way of using FTP commands is not useful for transferring files over a remote command line, which is what is usually obtained after exploiting the target machine.
- However, there is a non-interactive way of performing FTP file transfers, using the -s:filename option of the ftp command:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEeuDNhaoQ-q2rK8wRNvXywRFjQq7KykhW0ltK1Msz2uj9WgGoY2AIq0Z6O2ntsbxgRGXKYWeJByn5GYHT6_U0_Qp4tRDiMzwVRvIaNDsLIw0m6VTXBj7Ky0uQZHkAvijNrNFL41F4tI4L/s1600/screenshot.12.jpg)
- The ftp -s:filename option refers to a text file containing all the commands needed to perform an FTP file transfer.
- Before checking how it works, let's create a specific directory /FTPtransfer to which files will be transferred from Kali Linux to the Windows 7 machine:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1EjBqLVHMoBFLXRz3StJf4jlbIiUNCAtGydZpKRUHdEUYFperDiW5okU1DyaGUF1CUey4hau2TbdVr-ttV9mm44P3I6L3R2YmPPTJF1jML69QaYgH-OVNb1r5SPQzGe0wBLUszk9AvKur/s1600/screenshot.23.jpg)
- Let's check that at this point /FTPtransfer is empty:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMH1DCinR95tsYE9VpC16_DHZE79SXcTkLS1zUVizljZjsgz5tuxKq5zM1qaaV9pIY8gwxcAvHe1FiATHBoPzV7IaQc44UmUkdt21fQnUa2KzuZBgmuBMi1aA56GDFWDJCjlVtBoYdBbQZ/s1600/screenshot.24.jpg)
- As said before, the file to be transferred is the sbd.exe located at /ftphome:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFYYSPfvk1WXqb1akRU3VSBTtIxl2UWOexqqr6O25zp1cEeGaSXsuz78tasRxyEFOP2BV-4gzk31g5hYOZkT6_AqJskDo-4bz-2BAXH8l8ItESIcuKj2556RjkL8oC9NNQttmkOy7UyKIV/s400/screenshot.26.jpg)
- Now, using the echo command, let's create a text file ftp_commands.txt containing all the FTP commands that will perform the transfer:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9USvyJUoVqGlmdDBPr9WC_p0Y6Kc3BVt-z9nWwaR1-f8chvOX3ckcbcT4F2neSfmd-XDhKGAEk-qnrbN8wmO7luPoiEJQaJqyLy4IL9Tkr1oo7baTMzD8Yq92LY893C4f_0B9nwrR0TAW/s1600/screenshot.2.jpg)
- Checking the contents of ftp_commands.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxzc4LvxRP10hPefWDJ1DzUyzrXpl-mS1f-l3bJ7BrsFHIzwTZ8bS53_sY7ErGsfmhk5lK7dWESMV1cAVgfrgIZGNEgTSfNv76R9S8Gjxedgr44mkTzH-5jdlYh4sQmbfy7SuIpHylE8FE/s1600/screenshot.3.jpg)
- Now it's time to run the ftp command in "non-interactive" mode, just adding the -s:ftp_commands.txt option:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaBGlF1oLpK5Dpgk5ISO7PI12Gj9rCkhq7T6Z8ogE1J4lqvAPz7DayjYXi1s9JLZaEqo-zOW1HX0nmy3cGPUyToj8e8jVhuJZZl-jO2QjmsvHmh8Fa5HRGTw5viAWViPVq4VIzQWqm8Iq3/s1600/screenshot.4.jpg)
- Finally, the transfer is successful:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivG3ZtQry-mRwNyLRpRaS4HeOGW3CO3gNBwko1Uj_5uz3uRx0qud25BRTJXTRu4rXvSQB2Ua9pI8jh1cxc9XxVPsInFvbFnHr2UIB4FUDn0xrbLmKkc6MsnVUirnT51ae61C4kjBjGNEDA/s1600/screenshot.5.jpg)
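- Seen from the defender's side, the sequence above (a command file written with echo, then ftp run with -s:filename) leaves a recognisable trail in process-creation logs. The following detection sketch is an added example, not part of the original post: the event tuples, PIDs, hosts and the find_scripted_ftp function are constructed for illustration, assuming command lines are collected by something like Sysmon Event ID 1 or Security event 4688.

```python
import ntpath
import re

# Constructed sample records: (time, pid, parent pid, command line), shaped like
# process-creation telemetry (Sysmon Event ID 1 / Security 4688). Not real logs.
SAMPLE_EVENTS = [
    ("10:01:02", 2210, 1804, r"cmd.exe /c echo open 192.0.2.10 > ftp_commands.txt"),
    ("10:01:05", 2214, 1804, r"cmd.exe /c echo bye >> ftp_commands.txt"),
    ("10:01:09", 2220, 1804, r"ftp -s:ftp_commands.txt"),
    ("10:04:40", 3100, 900, r"ftp.exe fileserver.example.internal"),
    ("10:05:00", 3104, 900, r'C:\Windows\System32\ftp.exe -i "-s:C:\Jobs\nightly.txt"'),
]

# Command line whose image is ftp / ftp.exe, with or without a path or quotes.
FTP_IMAGE = re.compile(r'^"?(?:[^"\s]*\\)?ftp(?:\.exe)?"?(?:\s|$)', re.I)
# The -s:filename option from the page; captures the script path (no spaces).
SCRIPT_OPT = re.compile(r'(?:^|\s)"?-s:"?([^"\s]+)', re.I)
# An echo whose output is redirected (> or >>) into a file.
ECHO_REDIRECT = re.compile(r'\becho\b.*?>{1,2}\s*"?([^"\s&|]+)', re.I)


def _norm(path):
    """Compare script files by lower-cased base name (Windows path rules)."""
    return ntpath.basename(path).lower()


def find_scripted_ftp(events):
    """Return one finding per `ftp -s:` execution.

    Severity is "high" when the script file was written by an echo redirect
    under the same parent process earlier in the stream, otherwise "medium"
    (scripted FTP can be a legitimate scheduled job and needs triage).
    """
    echo_written = set()  # (parent pid, script base name)
    findings = []
    for time, pid, ppid, cmdline in events:
        redirect = ECHO_REDIRECT.search(cmdline)
        if redirect:
            echo_written.add((ppid, _norm(redirect.group(1))))
            continue
        option = SCRIPT_OPT.search(cmdline) if FTP_IMAGE.search(cmdline) else None
        if option:
            script = _norm(option.group(1))
            severity = "high" if (ppid, script) in echo_written else "medium"
            findings.append({"time": time, "pid": pid, "script": script, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in find_scripted_ftp(SAMPLE_EVENTS):
        print(finding)
```

- Note that echo is a cmd.exe built-in, so echo lines typed into an already running shell create no process event; the ftp -s: execution is the dependable signal, and the echo correlation only raises severity when it is visible.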