Subject: Vulnerability Analysis
Code: IKB21403
Name: Ammar Shauqi Bin Nor Amran
ID: 52215125018
U1VDVEYyMDIze2FpX2lzX2Nvb2x9 = SUCTF2023{ai_is_cool}
(No flag provided in document)
| PORT | STATE | SERVICE | VERSION |
|---|---|---|---|
| 21/tcp | open | ftp | vsftpd 2.3.4 |
| 22/tcp | open | ssh | OpenSSH 5.3p1 |
| 80/tcp | open | http | Apache 2.2.8 |
| 139/tcp | open | netbios-ssn | |
| 445/tcp | open | microsoft-ds | Windows 7 Professional 7601 SP1 |

| PORT | SERVICE | ATTACKER CAPABILITIES |
|---|---|---|
| 21/tcp | FTP (vsftpd 2.3.4) | Brute-force credentials; Exploit known backdoor to gain remote root shell. |
| 22/tcp | SSH (OpenSSH 5.3p1) | Brute-force user passwords; Use outdated crypto to downgrade or intercept sessions. |
| 80/tcp | HTTP (Apache 2.2.8) | Enumerate web directories and files. |
| 139/445/tcp | SMB (Windows 7 SP1) | Perform pass-the-hash, SMB relay, or brute-force attacks. |

| SERVICE | VERSION | KNOWN VULNERABILITIES |
|---|---|---|
| vsftpd | 2.3.4 | Backdoor (CVE-2011-2523): sending a smiley face :) as the username opens an unauthenticated root shell on port 6200. Also DoS and directory traversal. |
| OpenSSH | 5.3p1 | User enumeration (CVE-2016-6210, CVE-2018-15473); Weak key exchange algorithms; CVE-2010-4478 (potential remote crash). |
| Apache | 2.2.8 | Multiple DoS (CVE-2008-0005, CVE-2011-3192); Directory traversal (CVE-2008-2938). |
| SMB | Windows 7 SP1 | EternalBlue (MS17-010): Remote code execution via SMBv1; Numerous privilege escalation and info disclosure CVEs. |

Highest Risk: Port 21 (vsftpd 2.3.4 backdoor)
Reason: Immediate, unauthenticated root shell. The backdoor requires no credentials. An attacker simply connects to FTP, sends USER :), then connects to port 6200 to get a root shell.
- Step 1: Get root shell via FTP backdoor.

| Service | Action |
|---|---|
| vsftpd 2.3.4 | Upgrade to vsftpd ≥ 2.3.5 (or latest stable). |
| General | If not needed, disable FTP and use SFTP/SCP instead. Ensure FTP is firewalled to only trusted IPs. |

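The vsftpd 2.3.4 analysis above gives a defender two cheap indicators: the version banner, and a USER command whose argument contains the ":)" trigger. The following added example (not part of the original assignment) scans FTP control-channel lines for both; the log format (`S:`/`C:` prefixes) and the sample session are constructed for the example and are assumptions, not vsftpd's own log format.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of two FTP sessions as an IDS or proxy might record them
# ("S:" = server line, "C:" = client command). Not from a real capture.
SAMPLE_FTP_LOG = """\
S: 220 (vsFTPd 2.3.4)
C: USER alice
S: 331 Please specify the password.
C: PASS hunter2
S: 230 Login successful.
C: QUIT
S: 220 (vsFTPd 2.3.4)
C: USER nobody:)
S: 331 Please specify the password.
C: PASS x
S: 530 Login incorrect.
"""

# Banner of the backdoored release named in the analysis (CVE-2011-2523).
VULNERABLE_BANNER = re.compile(r"^S: 220 \(vsFTPd (2\.3\.4)\)")
# Client USER command; the argument is inspected for the ":)" trigger.
USER_CMD = re.compile(r"^C: USER (.*)$")


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the scanned text
    kind: str      # "vulnerable_version" or "backdoor_trigger"
    detail: str


def scan_ftp_log(text: str) -> list[Finding]:
    """Return one Finding per vulnerable banner and per ':)' USER command."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = VULNERABLE_BANNER.match(line)
        if m:
            findings.append(Finding(n, "vulnerable_version",
                                    f"vsftpd {m.group(1)} banner seen; upgrade to >= 2.3.5"))
            continue
        m = USER_CMD.match(line)
        if m and ":)" in m.group(1):
            findings.append(Finding(n, "backdoor_trigger",
                                    f"USER argument contains ':)': {m.group(1)!r}"))
    return findings


if __name__ == "__main__":
    for f in scan_ftp_log(SAMPLE_FTP_LOG):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

A "backdoor_trigger" finding should also prompt a check for an unexpected listener on TCP 6200 on the host, since that is where the analysis says the shell appears.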
ttl=64
Answer: Linux / FreeBSD / macOS

Time to live: 255
Answer: Solaris / Cisco / Network devices

ttl=128
Answer: Windows

- Affected Port Number: 8009
- Affected Protocol: AJP
- CVSS Score: 9.8
- Exploit Availability: Indexed on Exploit-DB, which provides downloadable proof-of-concept code demonstrating the arbitrary file read/inclusion.
- CVE: CVE-2020-1938