We have been asked to perform a basic penetration test against an internal server. The server’s IP is 10.0.0.219.

The goal of this penetration test is to determine if there are any potential paths an attacker could take to compromise the system.

Note: Some of these services are not running on this box so we have faked some terminal interactions in this specific exercise. This is so you can experience how these commands would work in the real world.

Instructions

1. Network Enumeration with Nmap

We’ll first start by performing some basic enumeration on the host using the following command:

nmap -sV 10.0.0.219

Note: Network enumeration is the process of obtaining information about a network. The -sV option makes Nmap probe each open port to identify the service and its version, so we can tell whether a vulnerable service exists.

2. Searching Databases with SearchSploit

Now that we have a list of running services from the terminal output, we’ll start searching through these services for potential exploits. Specifically, we want to look at vsftpd 2.3.4 which was on port 21.

To search through these services, we’ll use the tool SearchSploit.

To use SearchSploit and see a list of potential vulnerabilities to exploit, we’ll pass the service name and version to SearchSploit using the following command:

searchsploit "vsftpd 2.3.4"
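
Steps 1 and 2 are usually chained: the version strings that `nmap -sV` prints become the queries passed to SearchSploit, and a defender checking their own hosts wants the same parse to flag releases that must not be exposed. The following Python script is an added example, not part of the Codecademy lesson; the scan text inside it is constructed to resemble the lesson's result (vsftpd 2.3.4 on port 21) and is not real output from 10.0.0.219.

```python
"""Parse `nmap -sV` normal output and flag services on a watch list.
Added example, not part of the Codecademy lesson; the scan text below is
constructed to match the lesson's result, not real output from 10.0.0.219."""
import re

# Constructed sample of `nmap -sV` output (not a real scan).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.219
PORT    STATE  SERVICE VERSION
21/tcp  open   ftp     vsftpd 2.3.4
22/tcp  open   ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
80/tcp  open   http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
443/tcp closed https
"""

# Versions the team has decided must not be exposed; vsftpd 2.3.4 is the
# release the lesson identifies as exploitable.
WATCH_LIST = {("vsftpd", "2.3.4"): "backdoored release: upgrade or remove, restrict port 21"}

PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$")

def parse_nmap_services(text):
    """Return one dict per open port: port, service, product, release."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m or m.group("state") != "open":
            continue
        tokens = m.group("version").split()
        # Product is every token before the first one that starts with a digit.
        idx = next((i for i, t in enumerate(tokens) if t[0].isdigit()), len(tokens))
        services.append({"port": int(m.group("port")), "service": m.group("service"),
                         "product": " ".join(tokens[:idx]),
                         "release": tokens[idx] if idx < len(tokens) else ""})
    return services

def searchsploit_query(svc):
    """Build the '<product> <version>' string the lesson passes to searchsploit."""
    return f'{svc["product"]} {svc["release"]}'.strip()

def flag_watch_listed(services, watch_list=WATCH_LIST):
    """Return (port, query, note) for each service whose product/release is listed."""
    return [(s["port"], searchsploit_query(s), watch_list[(s["product"], s["release"])])
            for s in services if (s["product"], s["release"]) in watch_list]

if __name__ == "__main__":
    for port, query, note in flag_watch_listed(parse_nmap_services(SAMPLE_NMAP_OUTPUT)):
        print(f'port {port}: searchsploit "{query}"  # {note}')
```

Only the product and first version token are used for the query, so lines carrying distribution suffixes (such as the OpenSSH line above) still produce a clean SearchSploit search string.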

3.

It appears as if we’ve found several potential exploits:

  • vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/49757.py
  • vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb

Let’s look into the Python file unix/remote/49757.py by inputting the following command into the terminal:

python3 /usr/share/exploitdb/exploits/unix/remote/49757.py

Note: We’re using Python 3 to run the exploit file at the path that searchsploit provided.

4.

Hm, we get an error. It looks like the Python program needs us to input a host.

Let’s provide the code with our target: 10.0.0.219.

Type the following command into the terminal:

python3 /usr/share/exploitdb/exploits/unix/remote/49757.py 10.0.0.219

5.

Great, we’re in! Now, let’s see what user we’re running as by typing the following command into the terminal:

whoami

You’ll notice this says we’re root. That means we have elevated privileges after running this script. With elevated privileges, we are able to execute code remotely and gain access to sensitive information.

Note: whoami is a command-line tool that displays the username of the current user.
