Yozzang의 해킹일기 💻
Published 2024. 1. 2. 13:59
Lame Penetration Test/HackTheBox


After starting the machine, I got the target's IP address (10.10.10.3). First, I scanned the open ports on this machine using nmap.

nmap's result

I found that four TCP ports are open on the remote host. I can also see that the FTP service's version is vsftpd 2.3.4.

searchsploit's result

Using searchsploit to search for vulnerabilities in vsftpd 2.3.4, I found that there is a backdoor I could use.

backdoor command execution

But it doesn't work, so I tried to exploit the SMB service. I found that Samba's version is 3.0.20-Debian.

enum4linux's result

There is a command execution vulnerability in 3.0.20-Debian, tracked as CVE-2007-2447.

CVE-2007-2447

We can exploit this vulnerability using Metasploit. Below are the option settings. We just need to set RHOSTS and LHOST.

metasploit's options

After a successful exploit, I checked the shell's user and found that it is root.

exploit successful

So I can simply read all the flags using the "cat" command.

flag

But why does the vsftpd backdoor not work in this case? I checked the network status and protocol statistics using netstat.

netstat's result

I found that there are so many listeners in this shell. That means the firewall must be blocking a lot. So I also checked the listening port in the vsftpd backdoor.

backdoor's script

It's using port 6200. For demonstration purposes, I’ll switch to the user makis. And when I trigger the backdoor again, now I can connect and get a shell as root.

backdoor is working
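
The comparison made above (more listeners in netstat than ports nmap reported, so a firewall is filtering the rest, including 6200) can be checked mechanically when auditing a host. This is an added example, not part of the original post; the netstat text and the scanned port set are constructed samples, and the function names are hypothetical.

```python
import ipaddress

# Constructed `netstat -tnl` sample (not the target's real output).
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6200            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp6       0      0 :::5432                 :::*                    LISTEN
"""
# Constructed: ports an external scan reported as open.
SCANNED_OPEN = {21, 22, 139, 445}

def parse_listeners(netstat_text):
    """Map each listening TCP port to the set of addresses it is bound to."""
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        # rpartition splits on the last colon, so "0.0.0.0:21" and ":::5432" both parse.
        addr, _, port = fields[3].rpartition(":")
        listeners.setdefault(int(port), set()).add(addr)
    return listeners

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparsable address: treat it as potentially exposed

def classify(netstat_text, scanned_open):
    """Compare local listeners with the ports seen open from outside."""
    listeners = parse_listeners(netstat_text)
    report = {"reachable": [], "filtered": [], "local_only": []}
    for port, addrs in sorted(listeners.items()):
        if all(is_loopback(a) for a in addrs):
            report["local_only"].append(port)  # loopback only, never remote
        elif port in scanned_open:
            report["reachable"].append(port)   # listener and scan agree
        else:
            report["filtered"].append(port)    # listening, but the scan was blocked
    # Seen open from outside with no local listener: port forward or stale scan.
    report["no_listener"] = sorted(set(scanned_open) - set(listeners))
    return report
```
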
