Now that we have finished scanning both hosts in the vulnerable lab, it is time to start exploiting them. Our first target is the Ubuntu instance we set up in the lab. Here, we shall go through the scan results for this host and use them to gain unauthorized access to it.
Exploiting a vulnerable Linux VM
Understanding the Nessus scan for Linux
We first start with the Nessus scan results for our Ubuntu server host:
Unsurprisingly, we find mostly informational findings, since only two services are installed: FTP and SSH. The FTP server has a backdoor baked into it, yet Nessus has not flagged it as a critical vulnerability. If you look at the last result in the Linux scan, it does detect that vsftpd 2.3.4 is installed, and that particular release is the one that shipped with the backdoor.
The remaining results on this page are largely the Nessus SYN scanner listing the ports that are open on the host:
There is more useful information on this page that can be inspected manually. For now, we shall focus on exploiting the vsftpd service that we installed on the Ubuntu server.
Exploitation on Linux
For the purpose of exploiting the vsftpd service, we shall use Metasploit, which comes built into Kali Linux. It can be loaded by entering msfconsole in the Terminal:
Here, we can search for the name of the service to see whether there are any associated exploits. To do this, run the following:
search vsftpd
This lists the modules whose name or description matches that keyword. In this case, it is just one exploit:
We can use this exploit by running the following:
use exploit/unix/ftp/vsftpd_234_backdoor
This changes the prompt to that of the exploit module. Now all that needs to be done is to point it at the target (recent Metasploit releases name this option RHOSTS; show options lists the exact name and any other required settings):
set RHOST <ip address of Ubuntu server>
And the confirmation is shown as follows:
Finally, just run exploit. The module logs in with a username containing the trigger string, which makes the backdoored vsftpd open a listener on TCP port 6200; Metasploit then connects to that port and hands you an interactive shell. Strictly speaking this is a bind shell rather than a reverse shell, and because the code runs in the privileged vsftpd process, the shell has root privileges:
Using this shell, you have full freedom to run whatever commands the OS supports. It is also a good place to play around with Metasploit's auxiliary and post-exploitation modules.