Metasploitable 3 Ubuntu Walkthrough: Part VII

Exploiting Port 6697 – Unreal IRCd

This service was already exploited in Metasploitable 2. But is it the same version?

Service detection using Nmap

It is not possible to determine the specific version running on Metasploitable 3, but since there is only one exploit available in MSF for this service, it is worth trying.

MSF exploit module

Like before, this is a very easy exploit:

Exploiting Unreal IRCd using Metasploit

This is a low-privilege shell because boba_fett is not a member of the sudo group. But the account is also a member of the docker group…

Metasploitable 3 Ubuntu Walkthrough: Part VI

Exploiting Port 631 – CUPS

The Metasploitable 3 VM is running the Common Unix Printing System (CUPS) with the web-based interface enabled:

CUPS web interface

A remote attacker can exploit CUPS to execute arbitrary commands via crafted fields during the creation or modification of a printer. The 'PRINTER_INFO' and 'PRINTER_LOCATION' fields can be set to contain arbitrary commands, which are executed when a print job is submitted, provided the remote host is running a vulnerable version of Bash.

Searching in MSF you will find one exploit for this service:

CUPS exploit in MSF

Let’s use it:

Exploiting CUPS using Metasploit

The exploit fails due to a configuration error in the Metasploitable 3 VM. You can read about the details here:

https://github.com/rapid7/metasploitable3/issues/459

Metasploitable 3 Ubuntu Walkthrough: Part V

Port 137 (UDP) – NetBIOS Name Service

The name service operates on UDP port 137. It is usually not exploitable, but it is useful for enumeration purposes.

Enumerating NetBIOS with NBTScan

NBTScan is a command line tool used for scanning networks to obtain NetBIOS shares and name information. It can run on both Unix and Windows and ships with Kali Linux by default.

Enumerating NetBIOS with NBTScan

In this case there is not a lot of information, but it is still better than nothing.

Enumerating NetBIOS with Nmap

Nmap contains a script that we can also use to discover NetBIOS shares. This has the advantage that it can be run together with other NSE scripts, ultimately saving time when enumerating many different things on a network.

Enumerating NetBIOS with Nmap