Metasploitable: 1 – Walkthrough

The title is really interesting for me because I'm not very good at Metasploit. I will learn more about it later. OK, let's try to exploit it. Start scanning the network with Nmap.

┌─[[email protected]]─[~/Desktop]
└──> nmap 192.168.1.* -sn -n

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-09 13:12 +0630
Nmap scan report for 192.168.1.1
Host is up (0.0011s latency).
MAC Address: 60:E3:27:BE:75:78 (Tp-link Technologies)
Nmap scan report for 192.168.1.73
Host is up (0.00036s latency).
MAC Address: 00:0C:29:99:B5:74 (VMware)
Nmap scan report for 192.168.1.74
Host is up (0.0076s latency).
MAC Address: 40:A5:EF:DC:A7:62 (Shenzhen Four Seas Global Link Network Technology)
Nmap scan report for 192.168.1.100
Host is up (0.00051s latency).
MAC Address: 34:97:F6:C3:0B:66 (Asustek Computer)
Nmap scan report for 192.168.1.101
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.27 seconds

Target IP is 192.168.1.73. 😉 . Let's try another scan.

┌─[[email protected]]─[~/Desktop]
└──> nmap -sV 192.168.1.73

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-09 13:13 +0630
Nmap scan report for kioptrix3.com (192.168.1.73)
Host is up (0.0015s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.1
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:99:B5:74 (VMware)
Service Info: Host:  metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.79 seconds

Woo! A lot of services are running there. I always love to check port 80, but this time Samba is more interesting than HTTP, so I try to connect to Samba first.

┌─[[email protected]]─[~/Desktop]
└──> smbclient -L 192.168.1.73
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	tmp             Disk      oh noes!
	opt             Disk      
	IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
	ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            METASPLOITABLE

Anonymous login succeeded and we got the Samba version number. Start searching for this version on Google.

https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script

Yeah! I found it; it can be exploited with Metasploit. Let's exploit it. Open Metasploit, use exploit/multi/samba/usermap_script and run exploit.

Got root. Simple and easy with Metasploit! 🙂 . Thanks for reading. Happy Hacking.

Note – There are many vulnerabilities to exploit on this machine.
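An added, defender-side example covering both findings above, the anonymous share listing and the usermap_script module (not code from the walkthrough or from the Samba project): a Python audit of an smb.conf that flags the settings behind them. The usermap_script module abuses Samba's "username map script" option on 3.0.20 through 3.0.25rc3, and anonymous listing and guest shares come from "map to guest", "restrict anonymous" and per-share "guest ok". Both configurations below are constructed; the share names and the "oh noes!" comment are taken from the listing in the post, while the paths and the script path are placeholders.

```python
import re

# Constructed weak configuration (paths and script location are placeholders, not from the box).
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = metasploitable server
   security = user
   ; the option the exploit/multi/samba/usermap_script module abuses on Samba 3.0.20-3.0.25rc3
   username map script = /etc/samba/scripts/mapusers.sh
   map to guest = Bad User

[tmp]
   comment = oh noes!
   path = /tmp
   guest ok = yes
   writable = yes

[opt]
   path = /opt
   guest ok = yes
"""

# Constructed hardened configuration. "server min protocol" is a modern-Samba option;
# on a 3.0.x release the fix for usermap_script is upgrading Samba, not a config change.
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Never
   restrict anonymous = 2
   server min protocol = SMB2

[tmp]
   comment = oh noes!
   path = /tmp
   guest ok = no
   writable = no
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {option: value}} with option names lower-cased and whitespace collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            conf[section] = {}
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def audit(conf):
    """Return (section, option, message) findings for settings that enable the two issues seen above."""
    findings = []
    g = conf.get("global", {})
    if "username map script" in g:
        findings.append(("global", "username map script",
                         "remove; runs an external command at login and is the target of usermap_script on Samba 3.0.20-3.0.25rc3"))
    if g.get("map to guest", "Never").lower() != "never":
        findings.append(("global", "map to guest", "set to Never so failed logins are not downgraded to guest"))
    if g.get("restrict anonymous", "0") != "2":
        findings.append(("global", "restrict anonymous", "set to 2 to refuse anonymous (null-session) share listing"))
    if g.get("security", "user").lower() == "share":
        findings.append(("global", "security", "share-level security is obsolete; use user"))
    for name, share in conf.items():
        if name == "global" or share.get("guest ok", "no").lower() != "yes":
            continue
        writable = share.get("writable", share.get("writeable", "no")).lower() == "yes"
        findings.append((name, "guest ok", "writable guest share" if writable else "guest-readable share"))
    return findings


if __name__ == "__main__":
    for section, option, msg in audit(parse_smb_conf(WEAK_SMB_CONF)):
        print(f"[{section}] {option}: {msg}")
    print("hardened findings:", audit(parse_smb_conf(HARDENED_SMB_CONF)))
```

On the weak configuration the audit reports five findings (the map script, guest mapping, missing anonymous restriction, and the two guest shares, with tmp called out as writable); the hardened one reports none. The parser is deliberately small and does not handle "include =" or "copy =" directives, so run it against the fully rendered configuration (for example the output of testparm -s) rather than a fragment.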