I. Host Discovery
This attack targets a specific IP address, so the host discovery step was skipped.
II. Port Discovery (Service, Component, Version)
Using the command `sudo -u root nmap 172.16.33.51 -n -Pn -p- --reason -sV -sC -O`, we discovered the open ports, the services provided, the components in use, and their versions on the host.
| Open Ports | Provided Services | Used Components | Component Versions |
|---|---|---|---|
| 21/tcp | ftp | vsftpd | 3.0.3 |
| 22/tcp | ssh | OpenSSH | 7.2p2 |
| 80/tcp | http | Apache httpd | 2.4.18 |
| – | os | Ubuntu Linux | ? |
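As an added example (not code from the original write-up), a small Python parser that turns `nmap -sV --reason` output into the four-column table above. The nmap text it parses is a constructed sample limited to the three services listed, and the regex assumes the scan was run with `--reason` so that a REASON column is present.

```python
import re

# Constructed sample in the layout printed by `nmap -sV --reason` (not the real
# output from the write-up; only the three services the scan table lists).
SAMPLE_NMAP = """\
Nmap scan report for 172.16.33.51
PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 64 vsftpd 3.0.3
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux
"""

# One port line: "<port>/<proto> <state> <service> <reason [ttl N]> <version...>".
# Assumes --reason was used, so the REASON column is always present.
PORT_LINE = re.compile(
    r"^(?P<port>\d+/(?:tcp|udp))\s+(?P<state>\S+)\s+(?P<service>\S+)\s+"
    r"(?P<reason>\S+(?:\s+ttl\s+\d+)?)\s*(?P<version>.*)$")

def split_product(version_field):
    """Split nmap's VERSION column into (component, version): the component is
    every token before the first token starting with a digit, that token is the
    version, and trailing OS/protocol hints are dropped."""
    tokens = version_field.split()
    for i, tok in enumerate(tokens):
        if tok[0].isdigit():
            return " ".join(tokens[:i]) or "?", tok
    return " ".join(tokens) or "?", "?"

def parse_nmap(text):
    """Return (port, service, component, version) for every open port."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m and m["state"] == "open":
            component, version = split_product(m["version"])
            rows.append((m["port"], m["service"], component, version))
    return rows

def to_markdown(rows):
    """Render the rows as the four-column table used in the write-up."""
    out = ["| Open Ports | Provided Services | Used Components | Component Versions |",
           "|---|---|---|---|"]
    out += ["| " + " | ".join(r) + " |" for r in rows]
    return "\n".join(out)

if __name__ == "__main__":
    print(to_markdown(parse_nmap(SAMPLE_NMAP)))
```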
III. Vulnerability Discovery (Gain Permissions)
Port 21/FTP Service
Component Vulnerabilities
Using the commands `searchsploit vsftpd 3.0.3` and `searchsploit vsftpd 3`, it was discovered that the vsftpd 3.0.3 component has a denial of service vulnerability, which cannot be used to gain access.
Password Vulnerabilities
Using the command `ftp 172.16.33.51` to connect to the FTP service, we logged in with the anonymous account `anonymous` and an empty password. Listing the files with `ls -la` showed nothing, and `quit` exited the FTP session.
Port 22/SSH Service
Component Vulnerabilities
Using the commands `searchsploit OpenSSH 7.2p2` and `searchsploit OpenSSH 7.`, it was found that the OpenSSH 7.2p2 component has a username enumeration vulnerability.
Using the command `searchsploit -m 40136`, the exploit was copied to the current directory; it was marked as unverified, so be cautious of a potential hidden `rm -rf /` or reverse shell command inside it.
Viewing the exploit code with `less 40136.py` revealed no malicious code. The `print()` call syntax indicated it was written for Python 3.
Running `python3 40136.py` to get the script's parameters, the command `python3 40136.py --userlist /usr/share/seclists/Usernames/top-usernames-shortlist.txt 172.16.33.51` was constructed to enumerate usernames. It failed with `AttributeError: module 'time' has no attribute 'clock'`, indicating that the time module in my Python version lacks a clock method.
Consulting the Python time documentation[2] shows that since version 3.8 the time module no longer has a clock() method; the official recommendation is to use perf_counter() or process_time() instead.
❝Deprecated since version 3.3, will be removed in version 3.8: The behaviour of this function depends on the platform: use perf_counter() or process_time() instead, depending on your requirements, to have a well defined behaviour.
Using the command `sed -i 's/time.clock()/time.perf_counter()/g' 40136.py`, the exploit was modified to replace every instance of time.clock() with time.perf_counter().
Running `python3 40136.py --userlist /usr/share/seclists/Usernames/top-usernames-shortlist.txt 172.16.33.51` again enumerated usernames, but the results were inaccurate and this approach was ultimately abandoned.
Password Vulnerabilities
Using the command `hydra -C /usr/share/seclists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt 172.16.33.51 ssh` to brute force accounts and passwords yielded no results.
Port 80/HTTP Service
Component Vulnerabilities
01, Middleware Component: Using the commands `searchsploit Apache httpd 2.4.18` and `searchsploit Apache httpd 2.4.`, no Nday vulnerabilities were found for the Apache httpd 2.4.18 component.
02, Application Component: Automatic identification with browser plugins such as Wappalyzer and FindSomething, and manual identification of application components with tools such as BurpSuite, turned up nothing.
URL Vulnerabilities (Directories, Files)
01, Direct Access: Opening http://172.16.33.51/ in a browser reveals only an image of a snake's body, which was quite unsettling.
02, Directory Scanning: Using the command `dirb http://172.16.33.51/` to scan the site's directories and files revealed a WordPress CMS in the /wordpress/ directory, and a Lepton CMS identified via the LICENSE file and the /upload/ directory.
Using the command `wpscan --url http://172.16.33.51/wordpress/` to scan the WordPress CMS, the scan results were reviewed item by item: the Headers (middleware information) had already been checked, with no Nday vulnerabilities; the XML-RPC reference links were empty and were skipped for now; the WordPress readme is a default WordPress page and offered nothing useful beyond version information; browsing the Upload directory turned up empty; WP-Cron revealed a denial of service vulnerability, which is not exploitable for gaining access.
The WordPress version was checked with `searchsploit WordPress 3.9.14` to look for an exploit. The findings were mostly plugin vulnerabilities or denial of service/file deletion flaws that cannot gain access. Only the 41497.php username enumeration exploit seemed valuable, but the constructed request returned a 404, indicating the vulnerability has likely been fixed. The WordPress theme twentyfourteen was reported online to have an XSS vulnerability; it cannot gain access, and the constructed request also returned a 404, suggesting that vulnerability was fixed as well.
Checking the plugin mail-masta revealed a local file inclusion vulnerability. The URL is `/<WordPress directory>/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=<file path>`, which could be exploited with a constructed request.
For the SSH accounts that have a login shell in /etc/passwd, password cracking did not yield an SSH password.
For the local file inclusion vulnerability, brute forcing local file paths with BurpSuite's Intruder uncovered no sensitive information, nor any log file we could write to and thereby achieve remote code execution.
In retrospect, the SSH brute force attempt failed because of an inadequate password list: the existing SSH dictionary on Kali combines accounts and passwords, and extracting just the password portion for another brute force attempt could have uncovered weak passwords.
Using the command `wpscan --url http://172.16.33.51/wordpress/ --enumerate u` to enumerate WordPress backend accounts revealed the accounts `btrisk` and `admin`.
Using the command `wpscan --url http://172.16.33.51/wordpress/ --usernames admin,btrisk --passwords /usr/share/seclists/Passwords/Common-Credentials/common-passwords-win.txt` to brute force WordPress backend passwords discovered that the password for the `admin` account is `admin`.
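A defender-side complement to the mail-masta file inclusion and the wp-login.php password guessing described above, added here and not part of the original write-up: it runs over constructed Apache access-log lines and flags `pl=` values that name an absolute path or traverse directories, plus clients that POST to wp-login.php more often than a threshold. The log lines, the client IP and the threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-log lines (not taken from the original host):
# a few mail-masta requests and a burst of wp-login.php POSTs from one client.
SAMPLE_LOG = """\
172.16.33.10 - - [01/Jan/2024:10:00:01 +0000] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
172.16.33.10 - - [01/Jan/2024:10:00:05 +0000] "GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
172.16.33.10 - - [01/Jan/2024:10:00:06 +0000] "GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 0 "-" "Mozilla/5.0"
172.16.33.10 - - [01/Jan/2024:10:00:07 +0000] "GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=campaign.txt HTTP/1.1" 200 12 "-" "Mozilla/5.0"
""" + "".join(
    f'172.16.33.10 - - [01/Jan/2024:10:01:{i:02d} +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"\n'
    for i in range(12))

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
LFI_ENDPOINT = "/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php"
# An absolute path or any "../" segment in the pl= value is a file-read attempt.
TRAVERSAL = re.compile(r"^/|(^|/)\.\.(/|$)")

def analyse(log_text, login_threshold=10):
    """Return findings as (kind, source_ip, detail) tuples."""
    findings = []
    login_posts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path.endswith(LFI_ENDPOINT):
            # parse_qs percent-decodes, so ..%2F.. becomes ../.. before the check.
            for pl in parse_qs(url.query).get("pl", []):
                if TRAVERSAL.search(pl):
                    findings.append(("lfi_attempt", m["ip"], pl))
        if m["method"] == "POST" and url.path.endswith("/wp-login.php"):
            login_posts[m["ip"]] += 1
    for ip, count in login_posts.items():
        if count >= login_threshold:
            findings.append(("login_bruteforce", ip, count))
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```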