Exploitation (part 5) Using Backdoor to Access an FTP Server

Video Activity

This lesson covers how to use a backdoor to access a File Transfer Protocol (FTP) server. Participants learn the step-by-step commands for accessing an FTP server.

Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15
Video Transcription
00:04
All right. We also saw that we have Very Secure FTP 2.3.4, which was at one point subject to a backdoor. Someone broke into the repositories for Very Secure FTPd and replaced the source with
00:22
a little something extra. It was found and put back. But if you did install during that short time period where it was backdoored, you could end up with
00:34
short aside, pre-owned,
00:36
um,
00:37
code. So we aren't entirely sure just from the version, because there wasn't a version number change before and after
00:44
the back door was put in, but our Nessus seemed to think that it was there, and there's really no reason not to try it.
00:53
We look at the blog post about it, where it goes through the source code.
00:57
All it's gonna do is if there's a smiley face in the user name,
01:02
it will spawn a back door. So if it doesn't work, what will happen is that you'll just get a bad login error and the FTP server will go on as usual. There's no reason not to try it,
01:14
so I want to use ftp
01:17
to our Linux system.
01:21
Georgia smiley face
01:23
the smiley face being the key. And it does want a password, and we'll just put in any password.
01:27
And it appears to hang. Our FTP server doesn't do anything. We opened up another terminal,
01:36
and in the information about this, it said that it spawns a shell as root
01:42
on port 6200 TCP.
01:45
So we didn't get anything that said it couldn't connect. But we don't get a prompt either. When I do whoami,
01:52
root. Well, that was easy.
01:55
Um, so what if I cat out /etc/
01:57
shadow,
02:00
I actually added a ton of extra accounts, as you can see. The one that you can download just has the georgia
02:10
user.
02:13
But I added a ton of other ones for our password section, and you could do the same.
02:19
Put in a lot of user names and passwords into it,
02:24
and we'll see if we can crack some of these in the next section. We'll
02:29
do the same thing with Windows.
02:35
All right, so this would be good information to save for later.
02:43
Get Georgia as well.
02:45
Use these in the password section
02:47
and exit out of here.
02:52
No, we're
03:04
Posner password.
03:07
That's odd.
03:15
Notice, like, this one here,
03:20
there's, ah, a one at the beginning, and the rest of these have a six. So maybe they're using different algorithms. That might be something
03:27
you wanna check out when we do our password attacks.
03:38
So that was pretty easy as well. There's also a Metasploit module for this, but based on how this works,
03:47
we're not actually gonna do any better
03:53
with this Metasploit module. You can try it out if you like.
04:00
We show payloads on this.
04:03
Actually, the only payload we have is just this cmd/unix/interact. So all it's going to do is connect to that
04:11
6200 port if it's successful.
04:15
So we'll get the exact same thing. In this case, using Metasploit doesn't even give us
04:19
a better option. We could,
04:21
once we have root access, certainly use, like, wget and build, like, an ELF file
04:30
of our Unix Meterpreter
04:33
or some other language that
04:36
Linux knows, Python,
04:40
Perl,
04:42
and we could get a
04:44
better shell. But we already have root access, and it is
04:48
interactive, so aside from not having a prompt, we haven't really lost anything here, so I would say
04:56
this is sufficient. So,
04:58
you may run into something like this. I mean, it's possible. I have certainly had clients who have been hacked before or thought it would be a good idea to set up some, like, remote administration for themselves, and they leave VNC listening on a nonstandard port. Or
05:13
worse yet, they download some hack tool, and it's like, Oh, maybe this will let me do all this stuff to it
05:18
and, you know, they just leave it running. It's just kind of a way to remotely control their devices,
05:26
not thinking about the security implications of it.
05:30
I mean, I've certainly been
05:31
guilty of leaving vulnerable software running around my network when I'm doing research on it or working on new exercises for class, and leave vulnerable software and forget about it for a few days, just running there. But I always at least try and keep the official machines that don't have any of my
05:50
work stuff on it. So we're not exposing my clients to anything,
05:57
so, but you should always look out for things like this. I mean, nonstandard ports that are listening. Our reserve it working just as easily been some sort of back door from a previous compromise, or
06:11
the user trying to make their life easier