This service was already exploited in Metasploitable 2. But is it the same version?
It is not possible to determine the specific version running on Metasploitable3 but because there is only one exploit available in MSF, we better try it.
Like before, this is a very easy exploit:
This is a low privilege shell because boba_fett is not part of the sudo group. But he is also part of the docker group…
The Metasploitable 3 VM is running the C Unix Printing System (CUPS) with the web-based interface enabled:
A remote attacker can exploit CUPS to execute arbitrary commands via crafted fields during the creation or modification of a printer. The 'PRINTER_INFO' and 'PRINTER_LOCATION' fields can be configured to contain arbitrary commands which will be executed when a print job is submitted, provided the remote host is running a vulnerable version of Bash.
Searching in MSF you will find one exploit for this service:
Let’s use it:
The exploit fails due to a configuration error in the Metasploitable 3 VM. You can read about the details here:
The name service operates on UDP port 137. Usually, not exploitable but useful for enumeration purposes.
NBTScan is a command line tool used for scanning networks to obtain NetBIOS shares and name information. It can run on both Unix and Windows and ships with Kali Linux by default.
In this case, not a lot of information but always better than nothing.
Nmap contains a script that we can also use to discover NetBIOS shares. This has the advantage that it can be ran with other NSE scripts, ultimately saving time when enumerating many different things on a network.