Welcome to the new series, which is going to be a tutorial-like walk-through of a popular metasploitable project. The main reason is that for some time I’ve been lacking ideas about how to learn and I decided to do something systematic, even if simple. For some time I was loosing interest in the topic, I felt my learning process lacked organization, so here we go with my attempt to fix it. Last thing before we begin: remember to subscribe to the newsletter not to miss further posts. If you like my work, you can support me on Patreon.
In this metasploitable walk-through series I am going to simulate penetration test of a VM. However, to make it more interesting I am not going to use Metasploit Framework or even Kali Linux. At least to the point where I discover a vulnerability and start to exploit, the fewer tools the better. I’m OK with automating tasks that are already in action. So if I discover an SQL injection and bring it to the point where I can pull some data, I’m OK with using sqlmap. Same applies to some simple tools like nmap, or situation where scripting something myself would be highly ineffective like in the case of password cracking.
Entire series will be divided logically (there may be more articles) into 3 parts:
- reconnaissance, where I will gather information and try to prioritize stuff.
- Attacks, where I will actually use found vulnerabilities.
- Post-exploitation, where I will try to asses the severity of the vulnerabilities.
Metasploitable Walk-through: Service Discovery
First step is to try to assess what services are available on the target host. In order to achieve this, I will use nmap scan with some scripts. Here’s complete output of the initial scan:
# Nmap 7.80 scan initiated Wed Apr 1 20:56:20 2020 as: nmap -sV -p1-65535 -oA recon/basic 192.168.56.4 Nmap scan report for 192.168.56.4 Host is up (0.00035s latency). Not shown: 65505 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) 23/tcp open telnet Linux telnetd 25/tcp open smtp Postfix smtpd 53/tcp open domain ISC BIND 9.4.2 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2) 111/tcp open rpcbind 2 (RPC #100000) 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 512/tcp open exec netkit-rsh rexecd 513/tcp open login 514/tcp open shell Netkit rshd 1099/tcp open java-rmi GNU Classpath grmiregistry 1524/tcp open bindshell Metasploitable root shell 2049/tcp open nfs 2-4 (RPC #100003) 2121/tcp open ftp ProFTPD 1.3.1 3306/tcp open mysql MySQL 5.0.51a-3ubuntu5 3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) 5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7 5900/tcp open vnc VNC (protocol 3.3) 6000/tcp open X11 (access denied) 6667/tcp open irc UnrealIRCd 6697/tcp open irc UnrealIRCd 8009/tcp open ajp13 Apache Jserv (Protocol v1.3) 8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1 8787/tcp open drb Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb) 38834/tcp open status 1 (RPC #100024) 42073/tcp open java-rmi GNU Classpath grmiregistry 48859/tcp open nlockmgr 1-4 (RPC #100021) 57121/tcp open mountd 1-3 (RPC #100005) MAC Address: 08:00:27:B3:09:EA (Oracle VirtualBox virtual NIC) Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
There are multiple services which are worth checking, but there are things that immediately strike me as worth checking.
- On port 1524 there’s a process called “Metasploitable root shell” – maybe there’s another attacker who left an obvious backdoor?
- 2 FTP clients – maybe they allow for anonymous login and contain interesting data?
- Samba and nfs servers – maybe there’s an option to connect to the resources and find something interesting?
These are the few things that I am going to put on the top of my list before I even start looking at the possibility to search for exploits for other services.
In further steps I want to check whether avalable services allow for logging with default credentials (like postgres/postgres or tomcat/tomcat). I’d rather like to avoid brute-forcing the loggin process since it’s quite loud and there’s a risk of attack detection.
Searching for known vulnerabilities
Another nmap scan to discover any known issues. I’m cutting out uninteresting findings like issues with the we apps that are running on this server since I’ll be scanning it manually later.
# Nmap 7.80 scan initiated Wed Mar 25 06:57:14 2020 as: nmap -sC --script vuln -p1-65535 -oA recon/metasploitable-vuln 192.168.56.4 # ... 21/tcp open ftp |_clamav-exec: ERROR: Script execution failed (use -d to debug) | ftp-vsftpd-backdoor: | VULNERABLE: | vsFTPd version 2.3.4 backdoor # ... 1099/tcp open rmiregistry |_clamav-exec: ERROR: Script execution failed (use -d to debug) | rmi-vuln-classloader: | VULNERABLE: | RMI registry default configuration remote code execution vulnerability | State: VULNERABLE | Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution. | | References: |_ https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb # ... 3632/tcp open distccd |_clamav-exec: ERROR: Script execution failed (use -d to debug) | distcc-cve2004-2687: | VULNERABLE: | distcc Daemon Command Execution | State: VULNERABLE (Exploitable) | IDs: CVE:CVE-2004-2687 # ... 8180/tcp open unknown |_clamav-exec: ERROR: Script execution failed (use -d to debug) | http-slowloris-check: | VULNERABLE: | Slowloris DOS attack | State: LIKELY VULNERABLE | IDs: CVE:CVE-2007-6750
Very few issues when you consider the fact that project is intended to have many holes in it. In some cases the available exploits are prepared for metasploit usage only (like the one for ditccd), so I’ll have to figure out how it works internally and rewrite it. On the other hand this might be a perfect reason to learn some ruby.
Having said this, I always have an option to go service to service and manually check whether there are any known issues with them.
Since the server seems to have some SMB and NFS resources it might be a good idea to give them a look.
For some reason scan with nmap didn’t show any interesting results, but I managed to mount the nfs shares on second linux machine with Xubuntu and interestingly I found out that it had
.ssh folder in
/root directory. The obvious step is to add own public key and check out whether logging in via ssh would succeed.
After mounting it we can list resources. Open this image in separate tab to see it more clearly.
And authorize ourselves to access root’s account via ssh. Thanks to this, not only will I be able to list files, but also execute commands on this system.
BTW, mounting NFS share on macOS was pain in the ass. Finder (the file manager) could not get it up and running and for the command line I had to pass some unintuitive options. Somehow I did manage to get it up and running through
sudo mount -o rw -o resvport -t nfs 192.168.56.4:/ /Users/wgonczaronek/nfs/ and when trying to log into root’s shell I had to use
sudo -I instead of
sudo su I’m used to.
And this leads us to the next phase, which I’ll cover in more details in 2 weeks 😉 If you don’t want to miss it, subscribe to the newsletter. If you find what I’m doing valuable, consider supporting me on Patreon.