I found the following services in a testing environment:
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS httpd 5.1
The FTP server allows anonymous logins and the content can be displayed on the website.
How can this be exploited to gain further access to the server?
I assume I need to verify if ASP or something similar is running and then upload an exploit, which I then access via the website, correct?
edit:
I scanned multiple hosts in a testing environment and, among others, this one target hosts an FTP service which allows anonymous logins.
With the anonymous login I can upload files to a directory, which can then be accessed with the browser by directing it to the target's IP address (e.g. http://192.168.0.58/uploads/myfile).
I'm unsure how to exploit this to gain access to the server. My first thought was to create a reverse TCP shell in the form of an ASP file.
What could I do to exploit this scenario?
edit2:
I've tried to upload the reverse TCP shell to the target and accessed it with my browser, having a listener on my side ready.
That resulted in an unprivileged shell on the server, which is a nice first step.
Now the question for me is: are there other approaches to exploit this, other than serving malicious files via the FTP server?
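
From the defender's side, the sequence described in this question (a script file stored over anonymous FTP, then requested through the web server) leaves a trace in both services' logs that can be correlated. The following is an added example, not part of the original post; the simplified log layout, the sample lines, `WEB_PREFIX`, `WINDOW` and the extension list are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
import posixpath

# Constructed sample logs in a simplified W3C-style layout (assumed field order):
# date time c-ip cs-method cs-uri-stem sc-status
FTP_LOG = """\
2024-01-10 09:14:02 192.168.0.77 [3]USER anonymous 331
2024-01-10 09:14:03 192.168.0.77 [3]PASS guest@example.invalid 230
2024-01-10 09:14:09 192.168.0.77 [3]created /notes.txt 226
2024-01-10 09:15:41 192.168.0.77 [3]created /status.asp 226
"""
HTTP_LOG = """\
2024-01-10 09:14:30 192.168.0.77 GET /uploads/notes.txt 200
2024-01-10 09:16:05 192.168.0.77 GET /uploads/status.asp 200
2024-01-10 09:20:00 192.168.0.12 GET /default.htm 200
"""

# Assumed list of extensions that the web server hands to a script engine.
SCRIPT_EXTS = {".asp", ".asa", ".cer", ".cdx", ".aspx"}
WEB_PREFIX = "/uploads/"       # assumed URL path of the FTP-writable folder
WINDOW = timedelta(hours=24)   # how long after upload a request still counts

def parse(log):
    """Yield (timestamp, client_ip, method, path, status) per data line."""
    for line in log.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, ip, method, path, status = line.split()
        yield datetime.fromisoformat(f"{date} {time}"), ip, method, path, int(status)

def find_upload_then_execute(ftp_log, http_log):
    """Return alerts for script files stored over FTP and later served over HTTP."""
    uploads = {}  # lowercase file name -> (upload time, uploader IP)
    for ts, ip, method, path, status in parse(ftp_log):
        name = posixpath.basename(path).lower()
        is_script = posixpath.splitext(name)[1] in SCRIPT_EXTS
        if method.endswith("created") and status == 226 and is_script:
            uploads[name] = (ts, ip)
    alerts = []
    for ts, ip, method, path, status in parse(http_log):
        name = posixpath.basename(path).lower()
        if path.lower().startswith(WEB_PREFIX) and name in uploads and status < 400:
            up_ts, up_ip = uploads[name]
            if timedelta(0) <= ts - up_ts <= WINDOW:
                alerts.append({"file": name, "uploader": up_ip, "requester": ip,
                               "delay_s": int((ts - up_ts).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in find_upload_then_execute(FTP_LOG, HTTP_LOG):
        print("ALERT script uploaded via FTP then requested via HTTP:", alert)
```

An alert from this correlation also points at the underlying misconfiguration: a directory that is both writable by anonymous FTP users and served by the web server with script execution enabled.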