* No badgers were harmed in the creation of this blog *

** Not intended to diagnose, treat, cure, or prevent any disease **

Saturday, December 23, 2023

Metasploitable 3

In my last post, I found that much of the software on the target is dated 2003, but in poking around a bit more, I found a 2010 entry on TWiki. More data.

The book (Ethical Hacking, link leads to publisher) next suggests using an FTP hack on a backdoor in Metasploitable, but this feels too artificial, since it relies on knowing that a specific version of the vsFTPd software is present. Specifically, vsFTPd version 2.3.4 includes a malicious backdoor that was added during development (these things happen, though vulnerabilities are more often accidental). vsFTPd is intended to be a secure FTP server, and is the default FTP server on many Linux distributions. Thus, there's a good chance that some version of it is present on Metasploitable, and perhaps I can use netcat to learn more:

nc 192.168.1.102 21

This directs a connection to Metasploitable on port 21, the control port for FTP. (FTP is peculiar in that it uses two ports, 20 & 21. Data is sent on 20, while control functions are sent on 21. Most protocols use a single port for both functions.) I receive a reply:

220 (vsFTPd 2.3.4)

220 is a response code indicating that the server is ready to interact with a new client, and now I have the server software and its version. Thus armed, I know I can use the backdoor described above. The full exploit sends a login username ending in :), a smiley face, then any password. The smiley face username negates the need for the software to check the validity of the password (though it still asks for one, and something must be provided), and opens a connection on port 6200.

Here, I've explored the bare minimum needed to make the connection. At first I included a colon after user, leading the FTP server to reject my entry (Please login with USER and PASS.). Providing a username with the necessary smiley and then hitting return (i.e. trying to bypass a password at my end) doesn't work, either. Not shown, I also tried providing a blank password (pass, then hitting enter), and a username of only a smiley face, neither of which works. But providing a username with a smiley at its end and a random password lets me in, as advertised. Opening another terminal window (so as not to break the connection established in the original window), I use netcat again to open a connection on port 6200. Note that my Kali box can't identify who the Metasploitable box is: unknown host; but the connection is there and I'm logged in as the root user. From here, I can edit or delete files, change user access, shut down or reboot the machine, plant new listeners; I have the keys to the kingdom.
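The two things that made this work, the 220 greeting naming the exact vsFTPd release and a USER command whose argument ends in ":)", are also what a defender would look for. Below is an added example, written for this post rather than taken from it, the book, vsFTPd or Metasploitable: it parses FTP reply lines in the RFC 959 shape the banner above follows (three-digit code, then text), pulls the software and version out of the greeting so an inventory scan can flag the one release known to carry the backdoor, and scans a constructed control-channel transcript for USER commands carrying the smiley trigger so a monitor can alert on them. The function names, the constructed transcript and the sample banners are this example's own.

```python
"""
Added example (not from the original post): defender-side helpers for the
vsFTPd 2.3.4 banner and the backdoor trigger the post describes.

  1. parse_ftp_reply / software_from_banner / is_backdoored_version parse a
     greeting such as "220 (vsFTPd 2.3.4)" and flag the backdoored release,
     e.g. for an asset inventory or a banner-grab audit of your own hosts.
  2. find_backdoor_triggers scans a control-channel transcript (captured
     traffic or an FTP proxy log) for USER commands whose argument ends in
     ":)", which is the trigger the post describes, so it can raise an alert.

All names are this example's own, not an API of vsFTPd or Metasploitable.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Reply line per RFC 959: three digits, then a space (final line of the
# reply) or a hyphen (more lines follow), then free text.
FTP_REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")

# Client command line: a 3- or 4-letter verb and an optional argument.
FTP_CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?:\s+(.*))?$")

# Banner text of the one release the post identifies as backdoored.
BACKDOORED_BANNERS = {"vsFTPd 2.3.4"}

# Constructed transcript (client and server lines interleaved), for the demo.
SAMPLE_TRANSCRIPT = [
    "220 (vsFTPd 2.3.4)",
    "USER alice",
    "331 Please specify the password.",
    "PASS hunter2",
    "530 Login incorrect.",
    "USER bob:)",
    "331 Please specify the password.",
    "PASS whatever",
]


@dataclass
class FtpReply:
    code: int
    final: bool  # True when the separator is a space, i.e. the last line
    text: str


def parse_ftp_reply(line: str) -> Optional[FtpReply]:
    """Parse one server reply line; return None if it is not a reply."""
    m = FTP_REPLY_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return FtpReply(int(m.group(1)), m.group(2) == " ", m.group(3))


def software_from_banner(banner: str) -> Optional[str]:
    """Extract 'name version' from a 220 greeting, e.g. 'vsFTPd 2.3.4'."""
    reply = parse_ftp_reply(banner)
    if reply is None or reply.code != 220:
        return None
    m = re.search(r"\(?([A-Za-z][\w.-]*\s+\d+(?:\.\d+)*)\)?", reply.text)
    return m.group(1) if m else None


def is_backdoored_version(banner: str) -> bool:
    """True when the greeting names the release known to contain the backdoor."""
    return software_from_banner(banner) in BACKDOORED_BANNERS


def find_backdoor_triggers(transcript: List[str]) -> List[str]:
    """Return the arguments of USER commands ending in ':)' (the trigger)."""
    hits = []
    for line in transcript:
        m = FTP_CMD_RE.match(line.strip())
        if not m:
            continue  # server replies and anything else are skipped
        verb, arg = m.group(1).upper(), (m.group(2) or "").rstrip()
        if verb == "USER" and arg.endswith(":)"):
            hits.append(arg)
    return hits


if __name__ == "__main__":
    banner = SAMPLE_TRANSCRIPT[0]
    print("server software:", software_from_banner(banner))
    print("known backdoored release:", is_backdoored_version(banner))
    print("trigger attempts seen:", find_backdoor_triggers(SAMPLE_TRANSCRIPT))
```

The version check keys on the exact banner string because that is all the post observes; a real inventory would normalise the version before comparing. The trigger scan looks only at the argument's tail, matching the post's finding that a bare smiley username or a smiley followed by a colon did not work, so a username merely containing ":)" elsewhere is not reported.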

Edit: 12/28/2023: typos
