Metasploitable Complete Walkthrough | FTP

0
Metasploit Complete-Walkthrough FTP

Metasploitable2 full walkthrough

 

This machine has several ways to get exploited. All ports are exploitable, also there will be various exploits which can be directly handled fro m metasploit and that’s why the name of machine is metasploitable.

 

Lets get into it

 

┌──(root💀kali)-[~]

└─# nmap -A -sC -sV 192.168.1.39

Starting Nmap 7.91 ( https://nmap.org ) at 2022-06-24 03:04 EDT

Nmap scan report for 192.168.1.39

Host is up (0.0013s latency).

Not shown: 977 closed ports

PORT     STATE SERVICE     VERSION

21/tcp   open  ftp         vsftpd 2.3.4

|_ftp-anon: Anonymous FTP login allowed (FTP code 230)

| ftp-syst:

|   STAT:

| FTP server status:

|      Connected to 192.168.1.40

|      Logged in as ftp

|      TYPE: ASCII

|      No session bandwidth limit

|      Session timeout in seconds is 300

|      Control connection is plain text

|      Data connections will be plain text

|      vsFTPd 2.3.4 – secure, fast, stable

|_End of status

 

 

Now we can search for exploit vsftpd 2.3.4

 

$ searchsploit vsftpd 2.3.4

It will give result for 49757.py

 

You have to do some adjustments to run it with python3 like adding brackets after print( <content> )

Now run it python3

 

$ python3 49757.py –help

$ python3 49757.py 192.168.1.39

 

And you will get the shell

 

Brute force FTP using Hydra

Complete Walkthrough FTP 1

This is an example of successful results using custom created wordlists:

Metasploit Complete Walkthrough FTP

Once you have found a valid credential set, you can use it to login to the remote FTP server:

Metasploit Complete Walkthrough FTP

 

Brute force FTP Metasploit

Metasploit has auxiliary modules that can be used to brute force passwords of FTP just like Hydra  did.

 

Metasploit Complete Walkthrough FTP

Using the custom wordlists

Metasploit Complete FTP

Metasploit has merits over Hydra since the credentials are automatically stored in the database:

Metasploit Walkthrough FTP

Open the backdoor manually
vsFTPd 2.3.4 contained a backdoor that was smuggled into the server where the source code resides by an unknown person. Certain versions of vsFTPd included in the Metasploitable VM contain a vulnerability that opens a backdoor shell
. This allows users to get a root shell, view and modify file contents. (Note that the login attempt does not have to be successful!)

  • Opening backdoor
    To open a backdoor on port 6200 using vsFTP:
  • We begin by scanning the Metasploitable VM to show that port 6200 is closed:

Metasploit Walkthrough FTP

Metasploit Complete Walkthrough FTP

  • You can close this window – you’re done.
  • Now check the same port 6200 with Nmap. It’s open!

Metasploit Complete Walkthrough

Exploiting the backdoor

Connect on port 6200 with Telnet client. There ,execute normal shell commands:

E.g. command_name args; ( to dump the contents of the /etc/shadow file)

  • You can even grab SSH key information (authorized_keys, known_hosts, private and public keys)

Metasploit Complete Walkthrough FTP

This vsFTPd technique always opens a backdoor on port 6200, making it a convenient way to connect to and execute commands on a remote victim’s computer. However, other connection techniques may be more convenient. For example, using SCP without a password to deliver a payload to the victim’s computer.

When you disconnect from the remote shell on port 6200, the port is closed again. You can always resume using the methods above.

 

Written By

Name : Shubham Gupta

 

About Author

Leave a Reply

Your email address will not be published. Required fields are marked *

Open chat
Hello
Can we help you?