Welcome back to the series of blogs where I share my learnings and teach about the Metasploit Framework. By now, you guys know me very well. I'm a cybersecurity student passionate about learning something new every day and sharing it with others, so that I can bridge the gap between the theoretical and practical parts of the cybersecurity domain.
In this blog, we'll cover the part of the cybersecurity domain that excites me the most: the exploitation of vulnerabilities. This phase is all about exploiting the vulnerabilities we already found in Part 2 of the series, which covered scanning and enumeration, also called reconnaissance. In that blog, we found the version 'vsftpd 2.3.4', which has an interesting history. In this blog, we'll explore that history and cover how to exploit the vulnerability and gain access to the system.
Before jumping into any exploitation process, we should know something very important, which most people mix up: the relationship between an exploit and a payload. An exploit is something that exploits a vulnerability, but it does not itself give us the shell through which we input commands to get the desired result; that is the job of the payload. The exploit carries the payload with it and is only responsible for exploiting the vulnerability. After the exploitation, the payload comes into action and performs the task of getting a shell (such as a bind shell, reverse shell, etc.). In simple terms, an exploit is the key to a lock, and the payload is what you carry through that open door.
In technical terms, the exploit only exploits a vulnerability (such as vsftpd 2.3.4 on port 21, which we will be exploiting in this blog), and the payload determines what happens after access is gained (such as a bind shell, reverse shell, or meterpreter shell).
Now, many of you would be thinking, what are these bind shells and reverse shells? Basically, a shell is like a command terminal where the attacker inputs commands to get the desired output. The difference between a bind shell and a reverse shell is the direction of the connection. With a reverse shell, the target machine connects back to the attacker's machine on a specific port; because the connection is outbound from the target, it often gets past firewalls. With a bind shell, a port is opened directly on the target machine and it waits for the attacker to connect to it, which is often blocked by firewalls. For this practical, we'll be using a bind shell to perform our actions on the target system, because the 'vsftpd 2.3.4' backdoor provides a pre-configured bind shell, requiring the attacker to connect directly to the target on port 6200.
Talking about 'vsftpd', also known as 'Very Secure FTP Daemon', the software whose vulnerable version we will be exploiting in this blog: it is an FTP server used on Unix systems, including Linux. In July 2011, it was discovered that the vsftpd 2.3.4 download available from the original site had been compromised: whenever a username containing the smiley face ':)' was entered, a shell was opened on port 6200. It was later recognised that this backdoor was not in the original code; an attacker had manipulated the source code and the distribution channel, so it was a supply chain attack rather than a flaw in the software itself. The CVE for this backdoor is CVE-2011-2523. This attack was an eye-opener on how version control and verified downloads matter.
Now for the practical aspect of our blog, the long-awaited part that you guys wanted to see. The following screenshots will guide you through two methods to gain the first shell: through Metasploit, and directly through the FTP service. So, let's begin.
Method 1:
This method uses Metasploit to gain a shell on the target system. Through Metasploit we basically open the backdoor on the target by triggering the vsftpd vulnerability. The proper steps of the exploitation are given below:

The first step of our exploitation is the most usual one, and it reminds us of how far we have come. It starts with the 'services' command, which takes us back to the reconnaissance phase and shows the importance of the database. The 'services' command lists the discovered services with their version strings, so we can spot the vulnerable version, which here is vsftpd 2.3.4.

The second step in the exploitation phase is to search for the modules already stored in the Metasploit database. As an attacker, we have to search for existing modules for the vulnerability we want to exploit, which in this case is vsftpd. Upon searching, we came upon 2 modules that can be used in this exploitation. Metasploit helps in choosing the best module for a vulnerability by assigning each module a rank. In this case, we'll be using the exploit/unix/ftp/vsftpd_234_backdoor module for exploiting the service and gaining access to the target system.

The above screenshot shows the configuration options of the module, through which we can customise or configure the module according to our needs, so that we get the desired result and gain a shell on the target system. The 'options' command shows all the configuration parameters the module requires or accepts and lets the attacker configure every option the module uses.


The above screenshot uses the 'set' command, which configures the module by mapping a specific value to an option. Here, it is used to set RHOST and LHOST. RHOST, as you know, specifies the target's IP address, by which the module knows its destination and where to send the exploit. LHOST holds the attacker's IP address; it tells the module where to send the shell back. In simple terms, it tells the module where to send the connection back.
"LHOST is not required for this exploit since it uses a bind shell, but I've shown it here so you're familiar with it for reverse shell exploits in future."

The above screenshot shows us the first shell that we gain by exploiting the 'vsftpd' vulnerability; the 'run' command sends the module to the destination and gives us a shell. The screenshot also shows us something known as 'meterpreter', which is essential for us as attackers, and it shows that the exploit worked and that we have a shell, that is, access to the target system. The best command after gaining access to the target system is the 'help' command. It shows all the commands that we, as attackers, can use, together with proper descriptions. If you feel stuck, you can always type 'help' to find the command that gets the desired result.

On the target machine, we used some commands after gaining access, just to see which files and directories we are working with and to understand the internal structure of the target machine before going further. Here we used commands such as 'pwd', which prints the present working directory, the directory we are currently in, to get an idea of where we are in the target system and where to move from here to find more information. The command 'ls' lists the directories and files present in the current directory; as seen in the screenshot, we used 'ls' two times, because the first time we were not inside any particular directory and it listed everything at that level, while the second time we were inside the 'home' directory and it listed all the files and directories present there. The last command that we used in this method was 'cd', which changes the directory we are in and moves us into another one, as we did when we moved into the 'home' directory.
This method of exploitation showed us the power of Metasploit, the tool, as we started with reconnaissance in the first blog and have now finally gained a session on the target machine.
Method 2:
This method is a bit different and faster, but it can confuse new users during exploitation. The output is somewhat confusing and hard to judge. I remember that even I got confused and did not know whether I had succeeded in gaining a shell. The method we are going to use works through the FTP service, exploiting the vulnerability by triggering its backdoor logic directly.
The screenshots below will guide you step by step to gain a shell using FTP:

The first step of the exploitation is to connect to the target using the FTP service. FTP, as we know, is a file transfer service, and in this step we trigger the vulnerable 'vsftpd' version, which we already know is vulnerable. The vulnerability is triggered by entering a smiley username, meaning any username that contains ':)'. As you can see in the above screenshot, we used the username 'test' followed by the smiley, which triggers the vulnerability, opens the backdoor on the target system and lets us gain a shell. A special case of this vulnerability is that we do not need the password: the code that triggers the vulnerability runs before the password check, so you can enter anything as the password and still gain access.

The above screenshot is the second step of this method, the step by which we gain access to the target system. In this step we use 'nc', also called netcat. The netcat or nc command is used to connect to a particular port, or to listen on one and receive a connection back from the target system. Here we connect to port 6200 on the target system. Now many of you will think, why only this port? The answer is that this port is specific: the vulnerability in this 'vsftpd' version gives us a backdoor and a shell on port 6200. The interesting part of this step is that we won't know whether it worked, as the terminal just hangs, and we have to type a command to check whether the exploitation was successful. This step confuses many, and it even confused me when I tried it for the first time, as I didn't know what to do.
This method of exploiting the 'vsftpd' vulnerability is recommended for users who have practised hands-on and know how this vulnerability works on the backend. But anyone can give it a try, as it is fun to exploit such machines and then try to find information on the target system.
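Turning the same facts around to the defender's side: everything this post relies on (the vsFTPd 2.3.4 banner, a ':)' inside the FTP username, and a connection to port 6200) is also an indicator a blue team can alert on. The script below is an added example and not part of the original post; the vsftpd.log lines are constructed in the style of vsftpd's login records, and the firewall log format (src=/dst=/dport= fields) is an assumed format, not a real product's.

```python
import re

# Indicators taken from the blog: vulnerable version string, smiley username, backdoor port.
VULN_BANNER = re.compile(r"vsFTPd\s+2\.3\.4\b", re.IGNORECASE)
# vsftpd-style login record: "[pid N] [username] OK LOGIN: Client "ip"" (FAIL LOGIN for bad auth).
LOGIN_LINE = re.compile(
    r"\[pid \d+\] \[(?P<user>[^\]]*)\] (?:OK|FAIL) LOGIN: Client \"(?P<ip>[^\"]+)\""
)
# Assumed firewall/connection log fields; adapt the regex to your own log source.
FW_LINE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)")
BACKDOOR_PORT = 6200

# Constructed sample data (not captured from a real system).
FTP_LOG = [
    'Mon Jan  1 10:00:03 2024 [pid 1001] [alice] OK LOGIN: Client "10.0.0.5"',
    'Mon Jan  1 10:00:10 2024 [pid 1002] [test:)] FAIL LOGIN: Client "10.0.0.9"',
]
FW_LOG = [
    "Jan  1 10:00:09 fw kernel: ACCEPT IN=eth0 src=10.0.0.9 dst=10.0.0.20 dport=21",
    "Jan  1 10:00:12 fw kernel: ACCEPT IN=eth0 src=10.0.0.9 dst=10.0.0.20 dport=6200",
]


def banner_is_vulnerable(banner: str) -> bool:
    """True when an FTP greeting advertises the backdoored 2.3.4 release."""
    return VULN_BANNER.search(banner) is not None


def scan_ftp_log(lines):
    """Flag any login attempt whose username carries the ':)' trigger.
    The login outcome does not matter: the backdoor fires on the username alone."""
    findings = []
    for line in lines:
        m = LOGIN_LINE.search(line)
        if m and ":)" in m.group("user"):
            findings.append(("smiley_username", m.group("ip"), m.group("user")))
    return findings


def scan_firewall_log(lines):
    """Flag connections to the backdoor listener port, whatever the source."""
    findings = []
    for line in lines:
        m = FW_LINE.search(line)
        if m and int(m.group("port")) == BACKDOOR_PORT:
            findings.append(("backdoor_port", m.group("src"), m.group("dst")))
    return findings


if __name__ == "__main__":
    print("banner vulnerable:", banner_is_vulnerable("220 (vsFTPd 2.3.4)"))
    for finding in scan_ftp_log(FTP_LOG) + scan_firewall_log(FW_LOG):
        print("ALERT", finding)
```

A smiley login followed shortly by a hit on port 6200 from the same source is the full attack chain from Method 2, so correlating the two findings on source IP and time gives a much higher-confidence alert than either one alone.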
Note: The above practicals were conducted on Kali Linux within a safe sandbox environment (VirtualBox), isolated from the actual system. The practicals were performed on a vulnerable machine (Metasploitable 2). Running this exploit against any system you don't own or have explicit written permission to test is illegal under the Information Technology Act, 2000 (or equivalent laws in your country). vsftpd 2.3.4 is a known vulnerable version; if you find it in a real environment, the correct action is responsible disclosure to the system owner, not exploitation.
Summarising this whole blog, we started by understanding the relationship between an exploit and a payload, and how they work together rather than independently, which I think is something that is often overlooked. We then dived into the history of vsftpd 2.3.4, a vulnerability that was not a coding mistake but a deliberate supply chain attack, which I personally found very fascinating when I first read about it. We then performed the actual exploitation by selecting the module, configuring it and running it, and most importantly, we understood what happened behind the scenes when the exploit fired, which I think is more important than just knowing the commands.
And with that, we have reached the end of this Metasploit series. When I started this series, I was just a student who was mesmerised by watching my professor gain access to a system without fully understanding what was happening. Over these four blogs, we have gone from understanding what Metasploit is, to building an architecture diagram of it in our heads, to scanning a real target and populating a database with its services, to finally gaining our first real session on a target machine. That journey, I think, is exactly what learning cybersecurity feels like, one layer at a time.
I hope this series gave you the same excitement and curiosity that Metasploit gave me in my first year. If you are also on this journey of learning security, keep going. The deeper you go, the more interesting it gets.
Feel free to comment on your feedback, and connect with me on LinkedIn.