|VulnHub Image:||Basic Pentesting|
When the VulnHub image comes up, you get an Ubuntu 16.04 LTS login screen.
Since we don’t have an IP Address, we can use netdiscover to scan our network and find our target.
I’m using VMWare Fusion, and of course my networking wasn’t correct. I have Kali Linux and my VulnHub target running in separate virtual machines on my Mac. To make this work, use Bridged networking mode to have all three operating systems on the same network.
Running netdiscover again revealed that my VMware image was running at 10.0.1.138.
Based on the VulnHub description and screenshot, it looks like a web server should be running, which we can confirm by visiting our target’s IP address in a browser.
Lets run an nmap scan to see what service are running on the Ubuntu target.
It looks like we have port 21 (ftp), 22 (ssh) and 80 (http) open.
ProFTPD (Port 21)
A quick google search of “ProFTPD 1.3 Exploit” finds this RCE vulnerability on exploit db. We’ll come back to the other services running on the target if this one doesn’t lead anywhere.
Searching for this CVE in Metasploit finds two exploits – one for freebsd and one for linux.
I set the RHOST to our target and tried running both of these exploits, but neither worked (which was pretty surprising).
Fortunately for me, ProTFPD appears to have had a ton of RCE issues, so digging into the available exploits a bit more led me to this Backdoor Command Execution exploit for ProTFPD-1.3.3c. And we have a shell!
Upgrading Simple Shell to TTY
This blog post explains how to upgrade to a fully interactive shell so we can have an easier time on this target.
The first method typically works for me:
python -c 'import pty; pty.spawn("/bin/bash")'
and sure enough, works here as well.
And we’re root!