Tips for an Information Security Analyst/Pentester career - Ep. 30: vsFTP 2.3.4 backdoor
In this post, I'm going to exploit a vulnerability in a piece of software called vsFTP (Very Secure FTP).
A while ago, its repositories for version 2.3.4 got hacked and the legitimate version was replaced by a backdoored one, which is the version available on Metasploitable 2.
The backdoor is triggered by adding a smiley face to the username.
When doing so, you can enter any password and you'll be let in directly, no matter what you type.
As in previous posts, I used two VMs: a Kali machine with a network interface on a custom network, on the same subnet as a Metasploitable 2 VM.
Both machines are configured with static IP addresses.
I connected to the vsFTP server on Metasploitable 2 by running the ftp command followed by the IP address I had configured earlier.
At the same time, in another terminal, I had netcat ready to connect to the bind shell the backdoor opens.
When this backdoor is triggered, it "phones home" by opening a root shell that listens on port 6200.
I entered a random password and, though at first it looked as if nothing happened, in the other terminal I could immediately connect as root.
At that point, I simply had to launch my favorite Python one-liner to spawn an interactive shell: python -c 'import pty;pty.spawn("/bin/bash")'
That allowed me to view the /etc/shadow file and grab the password hashes.
I had completely pwned the machine.
This backdoor has since been patched, but it shows why healthy skepticism about the software you install can go a long way in cyber security.
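From the defender's side, the two observable signs of this backdoor being used are the ones the post describes: a USER command whose name contains the smiley face (the two-character sequence ":)") and a follow-up connection to port 6200 on the FTP host. The script below is an added example, not code from the original post or from the vsFTP project; it runs a simple correlation over constructed sensor log lines (the line format, the IP addresses and the timestamps are all made up for the example) and flags the combination as high severity, while either sign alone is flagged at medium severity. A username such as "alice:-)" is deliberately not flagged, since the backdoor only reacts to the exact ":)" sequence.

```python
"""Detect the vsftpd 2.3.4 backdoor being triggered from FTP control-channel
and connection logs. Added example for this post; the log format below is a
constructed one, not the output of any real sensor."""
import re
from datetime import datetime, timedelta

# Constructed FTP control-channel commands (format assumed for the example):
# "<timestamp> <client_ip> -> <server_ip>:<port> <command line>"
CONTROL_LOG = """\
2019-03-05T10:01:02 192.0.2.10 -> 198.51.100.5:21 USER bob
2019-03-05T10:01:03 192.0.2.10 -> 198.51.100.5:21 PASS ********
2019-03-05T10:02:11 192.0.2.77 -> 198.51.100.5:21 USER backdoor:)
2019-03-05T10:02:12 192.0.2.77 -> 198.51.100.5:21 PASS ********
2019-03-05T10:03:00 192.0.2.20 -> 198.51.100.5:21 USER alice:-)
"""

# Constructed connection records in the same format, with a TCP state at the end.
CONN_LOG = """\
2019-03-05T10:01:02 192.0.2.10 -> 198.51.100.5:21 ESTABLISHED
2019-03-05T10:02:11 192.0.2.77 -> 198.51.100.5:21 ESTABLISHED
2019-03-05T10:02:14 192.0.2.77 -> 198.51.100.5:6200 ESTABLISHED
2019-03-05T10:05:00 192.0.2.33 -> 198.51.100.5:6200 ESTABLISHED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:]+):(?P<port>\d+) (?P<rest>.*)$"
)
BACKDOOR_TRIGGER = ":)"  # the smiley-face sequence the backdoor looks for in USER
BACKDOOR_PORT = 6200     # port on which the backdoor opens its root shell
FTP_PORT = 21


def parse(log_text):
    """Turn the constructed log lines into dicts; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "port": int(m["port"]),
            "rest": m["rest"],
        })
    return events


def trigger_attempts(control_log):
    """USER commands on the FTP control port whose username contains ':)'.
    Only the exact two-character sequence counts, so 'alice:-)' is not flagged."""
    hits = []
    for ev in parse(control_log):
        if ev["port"] != FTP_PORT or not ev["rest"].startswith("USER "):
            continue
        username = ev["rest"][len("USER "):]
        if BACKDOOR_TRIGGER in username:
            hits.append(ev)
    return hits


def shell_connections(conn_log):
    """Every connection to the backdoor's listening port, whoever made it."""
    return [ev for ev in parse(conn_log) if ev["port"] == BACKDOOR_PORT]


def correlate(control_log, conn_log, window=timedelta(minutes=2)):
    """Build alerts: a trigger followed, within the window and from the same
    client, by a connection to port 6200 is high severity; either sign on its
    own is reported at medium severity so it still gets looked at."""
    alerts = []
    triggers = trigger_attempts(control_log)
    shells = shell_connections(conn_log)
    matched = set()  # indices into `shells` already explained by a trigger
    for t in triggers:
        followups = [
            i for i, s in enumerate(shells)
            if s["src"] == t["src"] and t["ts"] <= s["ts"] <= t["ts"] + window
        ]
        if followups:
            matched.update(followups)
            alerts.append({"severity": "high", "src": t["src"],
                           "reason": "backdoor trigger followed by shell connection"})
        else:
            alerts.append({"severity": "medium", "src": t["src"],
                           "reason": "backdoor trigger in USER command"})
    for i, s in enumerate(shells):
        if i not in matched:
            alerts.append({"severity": "medium", "src": s["src"],
                           "reason": f"connection to port {BACKDOOR_PORT} without observed trigger"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(CONTROL_LOG, CONN_LOG):
        print(f"[{alert['severity'].upper()}] {alert['src']}: {alert['reason']}")
```

On the sample data this yields one high-severity alert for 192.0.2.77 (trigger at 10:02:11, shell connection at 10:02:14) and one medium-severity alert for 192.0.2.33, which reached port 6200 without a trigger in the control log; the legitimate logins and the "alice:-)" username produce nothing. The same two checks map directly onto an IDS rule (USER containing ":)" on port 21) and a host firewall rule that blocks or logs inbound traffic to port 6200 on FTP servers.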