In an earlier post, we were able to exploit an FTP service (Vsftpd) on our Metasploitable machine. In this post, we’ll be attacking another FTP service: ProFTPD.
As a refresher of the services running on the Metasploitable machine, let’s open up a terminal in Kali and run Nmap against it.
As we can see, ProFTPD is an available service, running on port 2121. Let’s get right to it, and see if we can exploit it!
Open up Metasploit and do a search for ProFTPD.
We’re going to see if we can brute-force our way into the FTP server with found credentials, so let’s select the module “auxiliary/scanner/ftp/ftp_login”. Once selected, we’ll need to configure the appropriate options for the module.
We’ll need to set our RHOSTS to the IP Address of our target machine, which is Metasploitable. We’ll also have to change the RPORT from 21 to 2121. Once theses options are set, we’ll need to configure the files we’ll be using for our brute-force attack. I used a basic Unix usernames list for the USER_FILE option, and I set the USER_AS_PASS option to true. Before running a bigger brute-force attack, I wanted to see if I could grab any accounts that use the same username/password combo, so setting the USER_AS_PASS to true will allow for that option. In order for this option to run smoothly, I created a blank.txt file and used that for the PASS_FILE option. The reasoning for this is to force the exploit to cut down on the time it will be brute-forcing, as we are now making sure it will only run the USER_AS_PASS option with the usernames that are in the USER_FILE we specified.
Another option I changed was BRUTEFORCE_SPEED, which was switched from 5 to 1. The attack will be slower, but it will be more efficient.
Once everything is set, let’s fire off the exploit! The attack may still take some time, so feel free to go get a coffee or read an NFL mock draft (I did both!) while the exploit runs.
After a little bit, we start to get some results back:
Looks like we had some success! The accounts postgres, service, and user all came back with their passwords being the same as their usernames. Our next step is going to be to login to the ftp server with one of the credentials we found. Let’s try the user account.
We’re connected! But we do have an issue: we’re still not the root user, which is what our main goal is. Looks like we’re going to have to escalate our privileges somehow. If we type ls -a at the command prompt, we’ll get a list of all files in the current directory:
Right off the bat, the .bash_history file should grab your attention. This file stores a user’s command history, so we can check that out to see if it will give any clues as to what our next step is. Let’s first copy this file over to our Kali system.
Great! Now it’s time to display its contents to see what we have!
Now, would you look at that! It looks like this user created an SSH key and it was added to the user ‘msfadmin’!
Before we try anything with the msfadmin account, we’re going to ssh into the Metasploitable system with the user account in order to verify that there is a msfadmin account there.
Now let’s display the contents of /etc/passwd.
Sure enough, we see the msfadmin account. Alright, now let’s try to ssh into the system with that account and see what we can do!
Now we don’t have the msfadmin account password, but looking at the three accounts that we cracked earlier, the msfadmin account could very easily follow that same “same password as its username” format. No harm in trying, right?
Bingo! Almost as easy as Josh Allen throwing a 70 yard TD to Robert Foster.
We’re still not the root user yet, but we’re close! Check out this intriguing message we get:
Let’s see if we can switch users over to the root account by using the sudo command. FYI, when we do a ‘sudo su’, not specifying a user will default to root.
Perfect! We were able to switch to the root user using the sudo su command, giving us root access!
Thanks for reading!