Metasploitable Walk-through 1 – Reconnaissance

Welcome to the new series, a tutorial-like walk-through of the popular Metasploitable project. The main reason is that for some time I’ve been lacking ideas about how to learn and I decided to do something systematic, even if simple. For some time I was losing interest in the topic, I felt my learning process lacked organization, so here we go with my attempt to fix it. Last thing before we begin: remember to subscribe to the newsletter so you don’t miss further posts.

Assumptions

In this Metasploitable walk-through series I am going to simulate a penetration test of a VM. However, to make it more interesting I am not going to use Metasploit Framework or even Kali Linux. At least to the point where I discover a vulnerability and start to exploit it, the fewer tools the better. I’m OK with automating tasks that are already in action. So if I discover an SQL injection and bring it to the point where I can pull some data, I’m OK with using sqlmap. The same applies to some simple tools like nmap, or situations where scripting something myself would be highly ineffective, as in the case of password cracking.

The entire series will be divided logically (there may be more articles) into 3 parts:

  1. Reconnaissance, where I will gather information and try to prioritize stuff.
  2. Attacks, where I will actually use found vulnerabilities.
  3. Post-exploitation, where I will try to assess the severity of the vulnerabilities.

Metasploitable Walk-through: Service Discovery

The first step is to assess which services are available on the target host. To do this, I will use an nmap scan with some scripts. Here’s the complete output of the initial scan:

# Nmap 7.80 scan initiated Wed Apr  1 20:56:20 2020 as: nmap -sV -p1-65535 -oA recon/basic 192.168.56.4
Nmap scan report for 192.168.56.4
Host is up (0.00035s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
53/tcp    open  domain      ISC BIND 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login
514/tcp   open  shell       Netkit rshd
1099/tcp  open  java-rmi    GNU Classpath grmiregistry
1524/tcp  open  bindshell   Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open  vnc         VNC (protocol 3.3)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         UnrealIRCd
6697/tcp  open  irc         UnrealIRCd
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
38834/tcp open  status      1 (RPC #100024)
42073/tcp open  java-rmi    GNU Classpath grmiregistry
48859/tcp open  nlockmgr    1-4 (RPC #100021)
57121/tcp open  mountd      1-3 (RPC #100005)
MAC Address: 08:00:27:B3:09:EA (Oracle VirtualBox virtual NIC)
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Multiple services are worth checking, but a few things immediately strike me as worth a closer look.

  • On port 1524 there’s a process called “Metasploitable root shell” – maybe there’s another attacker who left an obvious backdoor?
  • 2 FTP servers – maybe they allow for anonymous login and contain interesting data?
  • Samba and NFS servers – maybe there’s an option to connect to the resources and find something interesting?

These are the few things that I am going to put on the top of my list before I even start looking at the possibility to search for exploits for other services.

In further steps I want to check whether the available services allow logging in with default credentials (like postgres/postgres or tomcat/tomcat). I’d rather avoid brute-forcing the login process since it’s quite loud and there’s a risk of attack detection.
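The manual triage above can be reproduced from the saved scan file. This is an added example, not code from the original post: it parses port rows of nmap's normal output (including the `513/tcp` row with no version column) and orders them by the checklist in this section; the bucket names and the service names assigned to each bucket are assumptions.

```python
import re

# Lines copied from the scans in this post (port rows plus two non-row lines).
SCAN = """\
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
513/tcp   open  login
1524/tcp  open  bindshell   Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
"""

ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+?))?\s*$")

# Bucket order follows the checklist in the post; which service names belong
# to each bucket is an assumption made for this example.
BUCKETS = [
    ("exposed shell", {"bindshell"}),
    ("anonymous FTP", {"ftp"}),
    ("network shares", {"nfs", "netbios-ssn"}),
    ("default credentials", {"postgresql", "mysql", "http", "vnc"}),
]
# Service name -> index of its bucket.
RANK = {svc: i for i, (_, names) in enumerate(BUCKETS) for svc in names}


def parse_ports(text):
    """Return (port, proto, service, version) for every open-port row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(3) == "open":   # skips headers and NSE script output
            port, proto, _, service, version = m.groups()
            rows.append((int(port), proto, service, version or ""))
    return rows


def worklist(rows):
    """Order rows by bucket, then port, and label each with its bucket."""
    labels = [label for label, _ in BUCKETS] + ["review later"]
    keyed = sorted((RANK.get(r[2], len(BUCKETS)), r) for r in rows)
    return [(labels[i], r[0], r[2], r[3]) for i, r in keyed]


if __name__ == "__main__":
    for item in worklist(parse_ports(SCAN)):
        print("%-20s %5d  %-11s %s" % item)
```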

Searching for known vulnerabilities

Another nmap scan to discover any known issues. I’m cutting out uninteresting findings like issues with the web apps that are running on this server since I’ll be scanning them manually later.

# Nmap 7.80 scan initiated Wed Mar 25 06:57:14 2020 as: nmap -sC --script vuln -p1-65535 -oA recon/metasploitable-vuln 192.168.56.4
# ...
21/tcp    open  ftp
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| ftp-vsftpd-backdoor: 
|   VULNERABLE:
|   vsFTPd version 2.3.4 backdoor
# ...
1099/tcp  open  rmiregistry
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| rmi-vuln-classloader: 
|   VULNERABLE:
|   RMI registry default configuration remote code execution vulnerability
|     State: VULNERABLE
|       Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution.
|       
|     References:
|_      https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb
# ...
3632/tcp  open  distccd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| distcc-cve2004-2687: 
|   VULNERABLE:
|   distcc Daemon Command Execution
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2004-2687
# ...
8180/tcp  open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750

Very few issues, considering that the project is intended to have many holes in it. In some cases the available exploits are prepared for Metasploit usage only (like the one for distccd), so I’ll have to figure out how it works internally and rewrite it. On the other hand this might be a perfect reason to learn some Ruby.

Having said this, I always have an option to go service to service and manually check whether there are any known issues with them.

Network resources

Since the server seems to have some SMB and NFS resources it might be a good idea to give them a look.

For some reason the nmap scan didn’t show any interesting results, but I managed to mount the NFS shares on a second Linux machine running Xubuntu and, interestingly, I found out that it had a .ssh folder in the /root directory. The obvious step is to add my own public key and check whether logging in via SSH would succeed.

[Screenshot: mounting Metasploitable's NFS shares on Ubuntu]

After mounting it we can list resources.

[Screenshot: listing Metasploitable's NFS shares]

Then we authorize ourselves to access root’s account via SSH. Thanks to this, not only will I be able to list files, but also execute commands on this system.

[Screenshot: adding an SSH key to Metasploitable's root authorized_keys and logging in]
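What makes this possible is a server-side export setting: an NFS server maps a client's root to an unprivileged user by default (root_squash), so writing into /root/.ssh requires an export with that mapping turned off. The following added example, not code from the original post, audits an exports file for that condition; the sample file is constructed, because the post does not show the target's /etc/exports.

```python
import re

# Constructed sample; the post does not show the target's /etc/exports.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed for illustration)
/            *(rw,sync,no_root_squash,no_subtree_check)
/srv/builds  192.168.56.0/24(rw,sync,root_squash) \\
             10.0.0.5(ro)
/srv/pub     (ro,all_squash)
"""

ANY_HOST = {"", "*", "0.0.0.0/0", "::/0"}
CLIENT = re.compile(r"([^()]*)(?:\(([^()]*)\))?")


def parse_exports(text):
    """Yield (path, client, options) for every client on every export line."""
    text = text.replace("\\\n", " ")               # join continuation lines
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments
        for token in fields[1:]:
            m = CLIENT.fullmatch(token)
            if m:
                opts = {o for o in (m.group(2) or "").split(",") if o}
                yield fields[0], m.group(1), opts


def audit(text):
    """Return (path, client, issues) for exports that need attention."""
    findings = []
    for path, client, opts in parse_exports(text):
        issues = []
        if "no_root_squash" in opts:
            issues.append("no_root_squash: client root keeps uid 0 on the share")
        if "rw" in opts and client in ANY_HOST:
            issues.append("writable by any host")
        if path == "/":
            issues.append("exports the whole filesystem")
        if issues:
            findings.append((path, client or "<any>", issues))
    return findings


if __name__ == "__main__":
    for path, client, issues in audit(SAMPLE_EXPORTS):
        print(f"{path} -> {client}")
        for issue in issues:
            print(f"  - {issue}")
```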

BTW, mounting an NFS share on macOS was a pain in the ass. Finder (the file manager) could not get it up and running and for the command line I had to pass some unintuitive options. Somehow I did manage to get it up and running through sudo mount -o rw -o resvport -t nfs 192.168.56.4:/ /Users/wgonczaronek/nfs/ and when trying to log into root’s shell I had to use sudo -i instead of the sudo su I’m used to.

And this leads us to the next phase, which I’ll cover in more detail in 2 weeks 😉 If you don’t want to miss it, subscribe to the newsletter.
