Metasploitable 2

Metasploitable 2 credentials

Scanning

                                                                                                                                                                      
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV -sC -O -p- 192.168.204.136
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-27 04:57 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00067s latency).
Not shown: 65505 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.204.137
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|_    SSL2_DES_64_CBC_WITH_MD5
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2024-04-27T09:00:29+00:00; +7s from scanner time.
53/tcp    open  domain      ISC BIND 9.4.2
| dns-nsid: 
|_  bind.version: 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/udp   nfs
|   100005  1,2,3      48158/udp   mountd
|   100005  1,2,3      53046/tcp   mountd
|   100021  1,3,4      39352/udp   nlockmgr
|   100021  1,3,4      52660/tcp   nlockmgr
|   100024  1          36532/tcp   status
|_  100024  1          37990/udp   status
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login       OpenBSD or Solaris rlogind
514/tcp   open  tcpwrapped
1099/tcp  open  java-rmi    GNU Classpath grmiregistry
1524/tcp  open  bindshell   Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 9
|   Capabilities flags: 43564
|   Some Capabilities: Speaks41ProtocolNew, SupportsTransactions, SwitchToSSLAfterHandshake, ConnectWithDatabase, LongColumnFlag, Support41Auth, SupportsCompression
|   Status: Autocommit
|_  Salt: ddGt6L^rC8/!VoJfBTbp
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
|_ssl-date: 2024-04-27T09:00:29+00:00; +8s from scanner time.
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
5900/tcp  open  vnc         VNC (protocol 3.3)
| vnc-info: 
|   Protocol version: 3.3
|   Security types: 
|_    VNC Authentication (2)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         UnrealIRCd
| irc-info: 
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN 
|   uptime: 0 days, 2:37:34
|   source ident: nmap
|   source host: 97C828B9.D560E8F8.FFFA6D49.IP
|_  error: Closing Link: pydyrtxam[192.168.204.137] (Quit: pydyrtxam)
6697/tcp  open  irc         UnrealIRCd (Admin email [email protected])
| irc-info: 
|   users: 2
|   servers: 1
|   lusers: 2
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN 
|   uptime: 0 days, 2:37:34
|   source ident: nmap
|   source host: 97C828B9.D560E8F8.FFFA6D49.IP
|_  error: Closing Link: aglkdhksl[192.168.204.137] (Quit: aglkdhksl)
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/5.5
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
36532/tcp open  status      1 (RPC #100024)
43137/tcp open  java-rmi    GNU Classpath grmiregistry
52660/tcp open  nlockmgr    1-4 (RPC #100021)
53046/tcp open  mountd      1-3 (RPC #100005)
MAC Address: 00:0C:29:71:62:0D (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: metasploitable
|   NetBIOS computer name: 
|   Domain name: localdomain
|   FQDN: metasploitable.localdomain
|_  System time: 2024-04-27T05:00:17-04:00
|_clock-skew: mean: 1h00m07s, deviation: 2h00m00s, median: 7s
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 151.23 seconds

Enumeration

Netbios Enumeration

We can provide the range to nbstat command on Kali and enumerate complete subnet.

We can see the machine name. Simlarly, we can run an nmap scan with nbstat script.

Windows also have inbuilt tools to enumerate Netbios. Similarly we can check for current cache result of Netbios.

SMB Enumeration

Nmap Provides a number of scripts for SMB Enumeration.

For example we can use script for OS Discovery through smb.

Similalry we can list shares with smbclient

Similarly, we can check if we have read/write access on shares with smbmap.

We can see that we have write access on tmp directory which can be useful in exploitation phase.

We can run an automated script enum4linux to extract usernames as well.

SMTP Enumeration

We can also gather information about a host or network from vulnerable mail servers. The Simple Mail Transport Protocol (SMTP) supports several interesting commands, such as VRFY and EXPN A VRFY request asks the server to verify an email address, while EXPN asks the server for the membership of a mailing list. These can often be abused to verify existing users on a mail server, which is useful information during a penetration test.

We can use the VRFY commands to verify if users on SMTP servers exits.

We can use a meterpreter module to enumerate SMTP users.

We can use smtp-user-enum to verify list of users if they exists or not.

NFS Enumeration

We can try to list down shares available with showmount.

We can see that root folder is shared and we can mount it and exploit it.

Port 21 FTP Exploitation Metasploitable2

Scanning

Port 21 is open on Metasploitable2 and is running vsftpd 2.3.4 which has an inbuilt backdoor.

Manual Exploitation vsftpd 2.3.4

The trick is to add" :) " at the end of username. It opens a backdoor on port 6200. Which you can now connect.

Manual Exploitation vsftpd 2.3.4 Method 2

We can use exploits from exploit-db. Search for exploit using searchsploit

Now copy the exploit

Now run it against the target. We will get the shell

FTP exploitation - Metasploit

Search for Vsftd in metasploit

Now use it, select the target and run it. We will get the shell.

Port 445 SMB Exploitation Metasploitable2

Scanning with vuln and vulners SMB port

As we did not get exact version of smb service, we can try metasploit auxillary module to check smb version.

We can see that we have scanner at number 9.

Running it we get the samba version (Samba 3.0.20-Debian).

Now let us see what we get at searchsploit.

So, we have a metasploit module to exploit the vulnerability.

Samba exploitation Metasploitable 2 with Metasploit

Manual SMB (Samba Exploitation) on Metasploitable 2 without metasploit

Use smbclient to connect to shares. We can see that we can connect anonymously.

Here we have tmp share. If it writable we can leverage it to get a shell.

Now connect with it and check the available commands with help command.

Now open a listener on the attacking machine.

Now use the following command

And we get the shell

SMB writable share - Wide links

Samba, when configured with a writeable file share and "wide links" enabled (default is on), can also be used as a backdoor of sorts to access files that were not meant to be shared. The example below uses a Metasploit module to provide access to the root filesystem using an anonymous connection and a writeable share.

Now, we can use a meatasploit module to exploit it.

Now, we have a share rootfs where we can access the complete file system.

Port 1524 Remote Shell Metasploitable2

We saw an open port 1524 on the machine. We can try to fingerprint it with version scan for the running service.

We can see that we have a bind shell on the port. We can try connecting to it.

And we are successfully able to connect to our backdoor.

Port 5900 VNC Exploitation Metasploitable2

First scan for the service

The port is open. However, we have not found any vulnerabilities. We will try to brute force it with metasploit.

Bruteforcing VNC Metasploit

search for VNC auxillary modules

We have the vnc_login module. Select the module and see options.

Set the username as root and set the target. We will be using default Metasploit wordlist.

Run the exploit and we will have our password which is password.

Now, we can use VNC viewer to connect to target.

Port 6667 ircd Exploitation Metasploitable2

Scanning port 6667

First scan the port with vuln script so see if we get some useful information

We can see that it finds out that the port may have trojan in it.

Vulnerability Assessment

Let us see if searchsploit finds something.

We do have UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) .

Unreal IRCD Exploitation with Metasploit

Let us fire up metasploit and exploit it.

Set the payload as cmd/unix/bind_ruby .

Now run it, and we will get the shell.

Port 2049 NFS Exploitation Metasploitable 2

First quickly scan the target.

We can see that the port is open. Now we can see what NFS shares are available to be mounted.

┌──(kali㉿kali)-[~] └─$ showmount -e 192.168.204.136

Export list for 192.168.204.136: / *

The command showmount -e 192.168.204.136 is used to display the list of directories shared by an NFS (Network File System) server located at the IP address 192.168.204.136.

The output you provided indicates that there is one shared directory available on the NFS server at that IP address. Here's the breakdown of the output:

• Export list for 192.168.204.136:: This line indicates that the following list displays the directories that are exported (shared) by the NFS server at the specified IP address.

• / *: This line specifies the shared directory and its export options. In this case, / represents the root directory of the file system, and * indicates that it is exported to all hosts. This means that any host in the network that has access to the NFS server can mount this directory and access its contents.

In summary, the output indicates that the NFS server at 192.168.204.136 is sharing its root directory (/) to all hosts on the network.

Now, we can mount it.

Now we can generate a SSH key.

Now copy the public key to target ssh folder.

Now, append it to authorized keys file.

We can now connect to our machine with SSH. (Having errors)

Ports 512,513,514 remote services exploitations - Metasploitable 2

TCP ports 512, 513, and 514 are known as "r" services, and have been misconfigured to allow remote access from any host (a standard ".rhosts + +" situation).

Lets scan if these ports are open.

Now we can connect to it.

Port 3632 distccd exploitation - Metasploitable 2

This program makes it easy to scale large compiler jobs across a farm of like-configured systems. The problem with this service is that an attacker can easily abuse it to run a command of their choice.

Let us scan it.

We can now use metasploit to exploit it.

Port 1099 - Java-rmi exploitation - Metasploitable 2

Let us first scan the target.

Now, we can use metasploit JAVA RMI module to exploit it.

Port 5432 Postgresql Exploitation - Metasploitable 2

Let us first scan the target.

Let us exploit it.

Apache Tomcat/Coyote JSP engine 1.1 Exploitation

Run a nmap scan against the target

if we browse the site, we can view the homepage. The tomcat manager requires a username and password.

We have a brute force module for bruteforcing the login credentials in Metasploit

Here we can see the cracked password. It is tomcat:tomcat

And we are able to login to the manager with the found credentials.

If we look closely we have a field for uploading WAR Files. Create a payload.

Now upload it.

Open a netcat listener

Now browse to the page.

And we have a connection.

Privilege Escalation with SUID Binaries

Find the files with SUID Binaries

We have got lots of binaries with SUID bit set and I am gonna use nmap here to do the privilege escalation.

Our effective uid is root.