Microsoft Ftpd Exploit
In today’s write-up we’re going to take a look at getting into Hack the Box’s retired Netmon machine, which was a relatively easy box if you just remembered that people tend to have bad password habits.
Recon
1 xpcmdshell 'cd C: & systeminfo'; 2 go output - NULL Host Name: TALLY OS Name: Microsoft Windows Server 2016 Standard OS Version: 10.0.14393 N/A Build 14393 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Server OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID. Microsoft IIS 5.0 FTP Server (Windows 2000 SP4) - Remote Stack Overflow. Remote exploit for Windows platform. Microsoft IIS FTPd NLST Remote Buffer Overflow Vulnerability Microsoft reported limited in-the-wild exploitation of this issue. A working commercial exploit is available through VUPEN Security - Exploit and PoCs Service. This exploit is not otherwise publicly available or known to be circulating in the wild.
This exploit specifically targets Pure-FTPd when configured to use an external program for authentication.
We start with an nmap scan which gives us quite a few open ports:
What immediately catches the eye is the ftpd which allows anonymous access on what appears to be the root directory. But before we start exploring this further, let’s have a quick look at port 80 to confirm the nmap result.
We see the PRTG bandwith monitor web app running and can also confirm the version information in the lower left:
Googling for default credentials gives us prtgadmin:prtgadmin
, however, these don’t work ¯(ツ)/¯.
Looking for exploits
Doing a searchsploit
search for PRTG
, we find two exploits matching the running version – one of them for Denial of Service, the other one for an authenticated Remote Code Execution:
Denial of Service is not what we want and the RCE will only work if we have valid credentials for the PRTG web interface.
Enumerating FTP
Let’s look at what the anonymous FTP access can give us, and while looking around, do another nmap -p- 10.10.10.152
to scan all TCP ports, so that we have something to come back to after the FTP enumeration.
Microsoft Ftpd Exploit Download
While we cannot write files, we seem to have pretty wide read access. So much indeed, that we can directly snatch the user.txt
flag at /Users/Public/
.
As we can access /Windows/System32
, we can also verify the OS version (license.rtf
mentions Windows 2016 – different than what nmap reported), which might be handy later on.
Having the promising RCE in PRTG Network Monitor in the back of our minds, let’s see if we can find configuration data that might give us access to the web interface.
Googling around, we quickly find How PRTG Network Monitor Stores its Data, which tells us:
Windows Server 2012 (R2), Windows Server 2016, Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2008 R2: %programdata%PaesslerPRTG Network Monitor
.
… and:
PRTG Configuration.dat | Monitoring configuration (i.e. probes, groups, devices, sensors, users, maps, reports, etc.) | XML |
PRTG Configuration.old | Backup of previous version of monitoring configuration | XML |
So let’s have a look at these and other config files at /ProgramData/Paessler/PRTG Network Monitor
.
To make the process of grepping through the files faster (as we don’t know exactly where and how PRTG Network Monitor stores files), we can actually download the whole folder: wget -m ftp://10.10.10.152/ProgramData/Paessler
(about 14 MB).
Doing something like grep -r . -A1 -ie 'password'
in this folder gives way too many hits, so let’s narrow down on the PRTG Configuration.old.bak
first, as this isn’t a standard file and .bak files are generally interesting for findings.
grep 'PRTG Configuration.old.bak' -A2 -ie 'password' | less
reveals right at the top a username and password:
Exploitation
Trying the password over at http://10.10.10.152 we still get Your login has failed. Please try again!
.
Thinking of bad password habits, though, we might guess that the password could still be the same but with a changed year suffix (as this one was found in an old backup file).
prtgadmin:PrTg@dmin2019
works immediately and we are greeted by the welcome screen:
Guessing the password year increment reads easy here, but it actually had me stuck longer than it should have :-)
Having access, we can now look at the exploit we found earlier via searchsploit
.
Microsoft Ftpd Exploit Definition
Examining it via searchsploit -x 46527
and reading a blog post of the vulnerability, we can see that it does command injection via a notification feature (by using a demo ps1 script) and through that adds a new administrative user to the machine.
As this is not the stealthiest way, let’s see if we can exploit it in a slightly different way without adding a new user.
In Setup -> Account Settings -> Notifications
, we can add a new notification and enable the “Execute Program” option as described in the above blog post. There, we find the two demo scripts and the “Parameter” field which we can (ab)use to add another command of our own, right after the argument to the demo script.
At first, let’s try to do a simple ping to the attacker machine:
And on the attacker machine:
After clicking the “bell” icon on the right to send a test notification, the ICMP packet arrives, meaning we successfully injected the ping command.
To now get a reverse shell, we can grab a Powershell one-liner from the excellent swisskyrepo Reverse Shell Cheat Sheet, and use this instead of the ping:
All we need to do now is change the IP to our own, the port to 80 and start a netcat listener via nc -lvnp 80
. Sending another “test notification” then gives us a shell. And since PRTG Network Monitor is running as System, we are as well:
Cheers!
I hope you’ve enjoyed this write-up. If you have any questions, did it another way or have something else to say, feel free to leave a comment. I’m always happy to learn new things. You can also check out the other write-ups.
In the upcoming Metasploitable 2 exploitation tutorials we will be exploiting the vulnerabilities we have found in the enumeration phase and the vulnerability assessment. We will be exploiting the found vulnerabilities both manually if that is possible and by using Metasploit. In this tutorial we will be exploiting VSFTPD v2.3.4 manually and with Metasploit. This particular VSFTPD exploit is pretty easy to exploit and is a great first start on the Metasploitable 2 box. Instead of quickly running Metasploit to exploit this vulnerability we will start looking at how the application is exactly vulnerable. Than we will analyse the source code, test it in a controlled environment and then exploit it on the Metasploitable 2 machine. This will help you to get a better understanding of the exploitation process and actually see what is happening and how.
The end goal of exploiting vulnerabilities is ultimately to gain a root or administrator shell on the target host and perform post exploitation on the machine. The gained privilege level of a shell is usually in the context of the exploited application. For example if VSFTPD v2.3.4 is running in root context and executes shellcode with a reverse shell, than the reverse shell is also running in root context. Often this is not the case and system administrators run services and software under privileged accounts with no more privileges than strictly necessary. When an exploited service runs shellcode under a privileged account than the shell is in the same privileged context. If a low privileged shell is returned than privilege escalation techniques are necessary to elevate the shell to an administrator shell. Let’s see if we can exploit VSFTPD v2.3.4 on Metasploitable 2 and gain root shell to the Metasploitable 2 machine.
VSFTPD v2.3.4 vulnerabilities
From the vulnerability assessment we’ve learned that this version of VSFTPD might contain a backdoor which has been created by an intruder. Although the backdoor was identified and removed quickly by the developers, many people have downloaded and installed the backdoored version of VSFTPD. The backdoor payload is initiated in response to a :) character combination in the username which represents a smiley face. The code sets up a bind shell listener on port 6200.
VSFTPD v2.3.4 vulnerable source code
Let’s have a look at the source code of the vulnerable version of VSFTPD v2.3.4 to see what the backdoor looks like in the source code. Surprisingly the source code has not been obfuscated in any way so we can easily read it and see how it is working. There is a copy of the vulnerable code available on Pastebin by using the following link: http://pastebin.com/AetT9sS5. The following code validates the user input on the username:
0x3a = :0x29 = )
Line 37 and 38 check for user input containing hexadecimal chars 0x3a followed by 0x29 which represents the smiley face :) characters. When the username contains both characters the else if statement executes the vsf_sysutil_extra function. Let’s have a look at this function.
The ‘struct sockaddr_in sa’ on line 79 is a structure containing an internet address named sa. The structure is defined by the sin_family which is set to the constant AF_INET, sin_port (6200) and the client address set to any on line 83, 84 and 85. The code to follow uses the structure to setup a bind socket and a listener process to listen on the socket for incoming connections. Note that this code is run in the server context, so the server is setting up the bind socket and listener which is used by the remote attacker for setting up a connection. Line 94 presents a shell to anyone connecting to the server on port 6200.
Exploiting VSFTPD v2.3.4 backdoor manually
In the next step we will try to exploit the backdoor vulnerability manually by connecting to the Metasploitable 2 VSFTPD service and use a smiley as the username to authenticate. Assuming you have the Metasploitable 2 virtual machine installed and running
, use the following command from your attack box:
telnet [Metasploitable IP] 21
Than type the following 2 commands:
USER user:)
PASS pass
Than use the escape character ^] or wait a few seconds. When we fire up nmap and scan for port 6200 we should see that the malicious code was executed and port 6200 is open:
Let’s connect to port 6200 using the following command:
telnet [Metasploitable IP] 6200
When we issue the id command followed by a semicolon (;) we can see that the FTP services was running as root and we have a root shell on the box. Let’s see how we can exploit this backdoor vulnerability by using the Metasploit Framework.
Exploiting VSFTPD v2.3.4 video
Exploiting VSFTPD v2.3.4 with Metasploit
The Metasploit Framework had an exploit available to exploit the VSFTPD v2.3.4 vulnerability. In this part of the tutorial we will be exploiting VSFTPD v2.3.4 using Metasploit. Let’s start msfconsole with the following command:
msfconsole
When msfconsole is running select the backdoor exploit using the following command:
use exploit/unix/ftp/vsftpd_234_backdoor
Type the following command to have a look at the exploit options:
Show options
We only need to set the rhost field to the Metasploitable 2 IP.
As we can see we only need to supply a remote host IP and a port which we leave to default on port 21. Now we can type run or exploit to exploit the target.
Exploiting VSFTPD v2.3.4 with Metasploit video
Summary
In this tutorial we have exploited a vulnerability in VSFTPD v2.3.4 both manually with telnet and with Metasploit. We have analysed the vulnerable source code and learned how the backdoor was coded and how it functions. The VSFTPD v2.3.4 service was running as root which gave us a root shell on the box. It is very unlikely you will ever encounter this vulnerability in a live situation because this version of VSFTPD is old nowadays and the vulnerable version was only available for one day. Nevertheless we can still learn a lot about backdoors, bind shells and exploitation from this easy example.
In the next tutorial we will be exploiting another vulnerability we’ve discovered during the vulnerability assessment. Thanks for reading and let us know when you have questions by using the comment functionality and we’ll try to get back to you as soon as possible.
Ready for the next exploitation tutorial? Check out how to hack Unreal IRCd on Metasploitable 2!