Exploiting Linux-based Systems

Mahran Al-Zyoud
|
14 steps

Firstly, power on the Kali Linux and Metasploitable 2 virtual machines.

On Kali Linux, open Terminal and use Nmap to identify whether Metasploitable 2 (target) is running any FTP services on port 21 and determine its service version. [[nmap -A -p 21 172.17.2.21]] Using the -p syntax enables Nmap to scan for a specific port on a targeted system. This helps us focus on identifying security vulnerabilities on a specific port and services on a target.

Next, let’s perform additional research using Google Search to identify whether **vsFTPd 2.3.4** has any known security vulnerabilities and how a real adversary can exploit it. As shown in the screenshot below, the **Rapid7** link describes a known security vulnerability within the vsFTPd 2.3.4 application and provides details on specific exploitation modules within Metasploit that can be used to test whether the vulnerability exists on a targeted system. Furthermore, the **Exploit-DB** link provides information on the exploit code, which can be compiled and executed by a threat actor to exploit the vsFTPD 2.3.4 service on the target.

Next, let’s use **Metasploit**, an exploitation development framework pre-installed on Kali Linux, to test whether a real adversary can exploit the vulnerable service. On Kali Linux, use the following command to start Metasploit: [[msfconsole]]

Next, use the [[search ]]command within **Metasploit** to find all relevant modules that contain the keyword vsftpd. As shown in the following screenshot, Metasploit contains an auxiliary mode for performing a Denial of Service (DoS) attack, and an exploit mode for compromising the vulnerable FTP service to obtain a backdoor with command execution:

Next, use the following Metasploit commands to leverage the exploit module and compromise the target: [[use exploit/unix/ftp/vsftpd_234_backdoor]] [[set payload cmd/unix/ interact]] [[set RHOSTS 172.17.2.21]] [[exploit]] **Note**: Use the [[options ]]or [[show options]] command within a Metasploit module to determine which options are mandatory prior to executing the module.

The following screenshot shows that Metasploit has packaged the exploit code (**weaponization**), delivered the exploit onto the target over the network (**delivery**), took advantage of the security vulnerability (**exploitation**), and spawned a bind shell by delivering the payload (**post-exploitation**). As shown in the screenshot below, the exploit module was able to create a backdoor with the **root** account on the target and **provide a shell** to us. When entering any Linux command, such as whoami and dir, it will be remotely executed and the results will be returned on the shell.

It can be a bit challenging to work with a bind shell from a Linux-based system. Therefore, using the following commands enables us to create a Python-based pseudo-Terminal shell from the existing bind shell: [[python -c 'import pty; pty.spawn("/bin/bash")']] As shown, spawning this shell interface enables us to better interpret our input and differentiate the responses from the targeted system. For instance, entering the whoami command provided the response as the root user. Since we’ve obtained a shell on the targeted system with root privileges, let’s attempt to retrieve a list of local user accounts that are stored within the shadow file on the targeted system. Use the following command: [[cat /etc/shadow]] This will show the contents of the **/etc/shadow** file, which includes the local user accounts and their password hashes. The contents of this file can be useful in later phases of penetration testing, such as performing password cracking to retrieve the plaintext form of the password from its hash. Retrieving such information will further help us gain unauthorized access to the target and enable us to leverage privileged accounts.

Next, copy and paste the contents of the /etc/shadow file into **Simple TextEditor**, click on the **Kali Linux** icon (top-left corner) > **Usual Applications** > **Accessories** > **Text Editor**, and save the file as **user_hashes.txt** in the home directory.

Next, we can use a popular password-cracking tool such as **John the Ripper** to perform offline password cracking to retrieve the plaintext password from the **user_hashes.txt** file by querying the **rockyou.txt** wordlist. Keep in mind that when performing directory-based password attacks with a wordlist, if the password does not exist within the wordlist, the attack will not be successful. Therefore, it’s recommended to try additional wordlists to increase the likelihood of retrieving the password for all user accounts found within the /etc/shadow file.