The way hackers gain access to machines is through vulnerabilities. You can think of these vulnerabilities as open doors to your system. Hackers leverage these open doors (vulnerabilities) to gain access to systems. The Metasploitable server has an FTP vulnerability (vsftpd 2.3.4).
In this section of the lab, you will exploit this vulnerability to gain access to the server.
Vulnerability: The vulnerability we are going to exploit in this lab is a backdoor that a malicious developer added to an open-source UNIX FTP server called vsftpd. The backdoor allowed the attacker to gain access to the terminal on the vulnerable machine. It was activated when the attacker logged in with a username ending in :) and an invalid password. Once activated, it opened a shell on port 6200 that the attacker could then connect to.
Reverse Shell:
A reverse shell is a malicious program that connects to an attacker’s machine, allowing the attacker to execute terminal commands on the compromised machine. In a later lab, we will write a reverse shell.
Background: An FTP (File Transfer Protocol) server is a program that allows users to upload files to and download files from a machine.
In this section, I will demonstrate this in three different ways:
Method 1: Manually Exploit
Follow the below instructions to get a backdoor connection:
Step 1: Connect to the FTP server using telnet
Open the terminal, and type the following command:
- Remember to add the FTP port number at the end. [Important: telnet is an old tool; backspace does not work, so type carefully.]
This step triggers the backdoor that an unknown user placed in the open-source FTP server. That user created the backdoor by modifying the vsftpd source code to include a check for :) in the username field; if a user included :) in the username, the backdoor was activated.
So you might be wondering: what is a backdoor?
A backdoor is a program that an attacker places on a machine to give the attacker access to that machine's terminal.
In the step above, the attacker is activating the backdoor. In the subsequent steps, the attacker connects to the backdoor running on port 6200 and issues a command to the terminal.
Step 2: Connect to the backdoor using Netcat
Now that you have activated the backdoor, you can get access to the terminal (get a shell) by connecting to the backdoor that is running on port 6200.
Connect to the backdoor using Netcat.
Notice: running ls executes the command in the terminal of the compromised machine and returns that machine's directory listing.
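The backdoor described above leaves two observable traces on the wire: a USER command containing the :) sequence on the FTP control channel, and a new TCP connection to port 6200 on the FTP host. The following detector is an added example for the defensive side of this lab; it is not part of the original lab or of any real vsftpd or IDS log format. The record layout, the sample events and the 60-second correlation window are all assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample sensor records in a simplified space-separated format
# (not a real vsftpd or IDS log format):
#   timestamp  source_ip  dest_ip  dest_port  event_kind  detail
SAMPLE_EVENTS = """\
2024-05-01T10:00:01Z 192.168.56.1 192.168.56.101 21 ftp.user USER msfadmin
2024-05-01T10:00:03Z 192.168.56.1 192.168.56.101 21 ftp.user USER anonymous
2024-05-01T10:00:05Z 192.168.56.1 192.168.56.101 21 ftp.user USER test:)
2024-05-01T10:00:06Z 192.168.56.1 192.168.56.101 6200 conn.new -
2024-05-01T10:09:00Z 192.168.56.2 192.168.56.101 6200 conn.new -
2024-05-01T10:10:00Z 192.168.56.3 192.168.56.101 21 ftp.user USER happy:)user
"""

FTP_PORT = 21
BACKDOOR_PORT = 6200            # listener opened by the vsftpd 2.3.4 backdoor
CORRELATION_WINDOW = timedelta(seconds=60)   # assumed window for correlation
USER_CMD = re.compile(r"^USER\s+(.*)$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    dport: int
    kind: str
    detail: str


@dataclass(frozen=True)
class Alert:
    ts: datetime
    severity: str
    rule: str
    src: str
    dst: str


def parse_events(text):
    """Parse the constructed record format into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, kind, detail = line.split(maxsplit=5)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            src, dst, int(dport), kind, detail))
    return sorted(events, key=lambda e: e.ts)


def detect(events):
    """Flag backdoor trigger attempts and connections to the backdoor port,
    escalating when both come from the same client within the window."""
    alerts = []
    triggers = []   # smiley-login events seen so far
    for ev in events:
        if ev.kind == "ftp.user" and ev.dport == FTP_PORT:
            m = USER_CMD.match(ev.detail)
            username = m.group(1) if m else ""
            # The tampered code looked for the two bytes ":)" anywhere in the
            # username, so match the substring rather than only a suffix.
            if ":)" in username:
                triggers.append(ev)
                alerts.append(Alert(ev.ts, "high", "vsftpd-backdoor-trigger",
                                    ev.src, ev.dst))
        elif ev.kind == "conn.new" and ev.dport == BACKDOOR_PORT:
            related = any(
                t.src == ev.src and t.dst == ev.dst
                and timedelta(0) <= ev.ts - t.ts <= CORRELATION_WINDOW
                for t in triggers
            )
            if related:
                alerts.append(Alert(ev.ts, "critical", "vsftpd-backdoor-shell",
                                    ev.src, ev.dst))
            else:
                alerts.append(Alert(ev.ts, "medium", "backdoor-port-connection",
                                    ev.src, ev.dst))
    return alerts


def run_sample():
    """Run the detector over the constructed records and return the alerts."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts:%H:%M:%S} {a.severity:8} {a.rule:26} {a.src} -> {a.dst}")
```

On the sample records the detector raises a high-severity trigger alert for the first smiley login, escalates the port-6200 connection that follows it one second later to critical, keeps the unrelated port-6200 connection from a different client at medium (nothing legitimate should normally listen there, but on its own it is not proof), and flags the second smiley login as a trigger attempt even though the smiley is not at the end of the username.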
Method 2: Using msfconsole (Metasploit Framework)
Using Metasploit is the easiest way to exploit a machine. This works only if a module for the vulnerability shows up in the search results.
Remember: if you want to be an elite hacker, you have to study coding and find your own path to a backdoor connection.
Follow the steps below to exploit the server:
Step 1: Start the Metasploit Framework
Metasploit Framework comes preinstalled with ParrotSec and also in Kali. You can run it from Application → Pentesting → Exploitation Tools → Metasploit Framework → Metasploit Framework's console.
Step 2: Search Exploit
Run the search command to find out whether an exploit is available:
Step 3: Use Exploit
Run the "use" command to select the exploit and interact with our target. You can also use the full module path (use exploit/unix/ftp/vsftpd_234_backdoor).
Step 4: Configure exploit options
Run show options and check the needed parameters.
- Here it only needs RHOSTS (Remote Hosts).
Step 5: Gain Access
Once all options are set, run exploit to get the shell:
Method 3: Using Armitage
Armitage also comes pre-installed with ParrotSec.
Follow the steps below to exploit using Armitage:
Step 1: Setting up Armitage
You can run it from Application → Pentesting → Exploitation Tools → Metasploit Framework → Armitage.
Once started click Connect:
Step 2: Quick Scan
Once connected, you need to scan for hosts [Hosts → Scan → Quick Scan or Quick Scan (OS Scan)]. Enter the scan range that covers the vboxnet0 IP address on your machine; in my case 192.168.56.1/24.
Step 3: Find Attacks
Once you have found your target, click Attacks → Find Attacks.
Note: Sometimes this finds nothing. In that case, click Armitage → Set Exploit Rank → Poor.
Step 4: Attack using vsftpd 2.3.4
Right-click on the target machine → Attack → ftp → vsftpd_234_backdoor.
Once everything is OK, click Launch. If the exploit succeeds, the target's icon changes to show that it has been compromised:
Step 5: Get shell interaction
Right-click on the target machine → Shell 1 → Interact. Now you can run commands in the shell shown below:
How to fix it?
So how do we fix this vulnerability? Newer versions of the vsftpd FTP server have identified and patched this backdoor, so the best way to secure the server is to run an updated version of vsftpd: sudo apt-get update && sudo apt-get install --only-upgrade vsftpd. (The Metasploitable machine is designed to be vulnerable, so it is not configured to support updates.)
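After upgrading, a defender usually wants to confirm across the lab network that no host still announces the backdoored release. The script below is an added example, not part of the original lab; it parses the greeting that vsftpd sends on connect (the default banner has the form "220 (vsFTPd 2.3.4)") and flags only the exact 2.3.4 version named on this page. The sample greetings and host addresses are constructed, and the grab_ftp_banner helper is an assumption for use against live lab hosts rather than something the offline check depends on.

```python
import re
import socket

# The tampered vsftpd 2.3.4 release is the only version carrying the backdoor,
# so only an exact match on 2.3.4 is flagged; earlier and later versions are not.
BACKDOORED_VERSION = (2, 3, 4)

# Matches the version inside vsftpd's default greeting, e.g. "220 (vsFTPd 2.3.4)".
BANNER_RE = re.compile(r"vsFTPd\s+(\d+)\.(\d+)\.(\d+)")


def parse_vsftpd_banner(banner):
    """Return the vsftpd version tuple from an FTP greeting, or None when the
    greeting does not identify a vsftpd version."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess_banner(banner):
    """Classify a greeting as 'backdoored-version', 'vsftpd-other' or 'unknown'."""
    version = parse_vsftpd_banner(banner)
    if version is None:
        return "unknown"
    if version == BACKDOORED_VERSION:
        return "backdoored-version"
    return "vsftpd-other"


def grab_ftp_banner(host, port=21, timeout=5.0):
    """Read the FTP greeting from a live host (assumed helper for lab use; the
    offline sweep below does not call it)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        data = s.recv(1024)
    return data.decode("utf-8", errors="replace").strip()


# Constructed sample greetings, as an inventory sweep would collect them.
SAMPLE_BANNERS = {
    "192.168.56.101": "220 (vsFTPd 2.3.4)",
    "192.168.56.102": "220 (vsFTPd 3.0.3)",
    "192.168.56.103": "220 ProFTPD Server (Debian) [::ffff:192.168.56.103]",
    "192.168.56.104": "220 Welcome to the lab FTP service.",
}


def sweep(banners):
    """Map each host to its assessment for a dict of host -> greeting."""
    return {host: assess_banner(b) for host, b in banners.items()}


if __name__ == "__main__":
    for host, verdict in sweep(SAMPLE_BANNERS).items():
        print(f"{host}: {verdict}")
```

A banner is only a hint in either direction: a host that reports 2.3.4 should be upgraded and verified, while a host that hides its version (like the last sample) is not thereby known to be safe, so the package version on the host itself is the authoritative check.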