Metasploitable 3 Ubuntu Walkthrough: Part VII

Exploiting Port 6697 – Unreal IRCd

This service was already exploited in Metasploitable 2. But is it the same version?

Service detection using Nmap

It is not possible to determine the specific version running on Metasploitable3, but since there is only one exploit available in MSF, we might as well try it.

MSF exploit module

Like before, this is a very easy exploit:

Exploiting Unreal IRCd using Metasploit

This is a low privilege shell because boba_fett is not part of the sudo group. But he is also part of the docker group…

Metasploitable 3 Ubuntu Walkthrough: Part VI

Exploiting Port 631 – CUPS

The Metasploitable 3 VM is running the Common Unix Printing System (CUPS) with the web-based interface enabled:

CUPS web interface

A remote attacker can exploit CUPS to execute arbitrary commands via crafted fields during the creation or modification of a printer. The 'PRINTER_INFO' and 'PRINTER_LOCATION' fields can be configured to contain arbitrary commands which will be executed when a print job is submitted, provided the remote host is running a vulnerable version of Bash.

Searching in MSF you will find one exploit for this service:

CUPS exploit in MSF

Let’s use it:

Exploiting CUPS using Metasploit

The exploit fails due to a configuration error in the Metasploitable 3 VM. You can read about the details here:

https://github.com/rapid7/metasploitable3/issues/459

Metasploitable 3 Ubuntu Walkthrough: Part V

Port 137 (UDP) – NetBIOS Name Service

The name service operates on UDP port 137. It is usually not exploitable, but it is useful for enumeration purposes.

Enumerating NetBIOS with NBTScan

NBTScan is a command line tool used for scanning networks to obtain NetBIOS shares and name information. It can run on both Unix and Windows and ships with Kali Linux by default.

Enumerating NetBIOS with NBTScan

In this case there is not a lot of information, but it is always better than nothing.

Enumerating NetBIOS with Nmap

Nmap contains a script that we can also use to discover NetBIOS shares. This has the advantage that it can be run together with other NSE scripts, ultimately saving time when enumerating many different things on a network.

Enumerating NetBIOS with Nmap

Metasploitable 3 Ubuntu Walkthrough: Part IV

Exploiting Port 80 – Apache Server

Let’s start by getting as much information as possible about the remote website. Let’s try getting some additional information with Metasploit:

Enumerating Apache Server using Metasploit

There is something interesting here; the /cgi-bin/ directory. Is there any exploit for this?

Looking for an exploit in the ExploitDB

There is a Metasploit module to exploit this vulnerability:

Exploiting Apache Server using Metasploit

Another failed attempt. This was supposed to work, but it didn’t…

Exploiting Port 80 – WebDAV

Let’s get more information about the target using Directory Buster:

Enumerating using Directory Buster

Enumerating using Directory Buster

The uploads directory appears to be promising. But is it writable? Let’s check it out. You can do WebDAV enumeration using Metasploit.

Testing WebDAV using Metasploit

As you can see, the uploads directory is writable and a number of different file formats can be uploaded over there.

From here you need to create a payload, deploy it, set up a listener, execute the payload and you will have a shell…!

For detailed step-by-step instructions using multiple tools and options, please check my other Metasploitable 3 tutorial.

Metasploitable 3 Ubuntu Walkthrough: Part III

Exploiting Port 80 – Drupal

Drupal is a free and open-source web content management framework written in PHP and distributed under the GNU General Public License.

When browsing port 80 with Firefox, Apache will present you with a directory listing containing a number of entries:

Port 80 directory listing

If you go back to the OpenVAS report, you will see a lot of potential on port 80:

OpenVAS list of port 80 services vulnerabilities

The first thing to do should be to identify Drupal’s version. Analyzing the source code of the Drupal page, you can immediately get some information about the website’s structure, namely the fact that many things are coming from the drupal/modules folder.

Drupal webpage source code

Digging and researching online will lead you to the discovery of the blog.info file located inside the drupal/modules/blog folder.

Drupal version

Now you know Drupal is version 7.5

Exploiting Drupal using Metasploit

Searching inside MSF, you will find there are several modules available to use against Drupal:

List of Metasploit modules for Drupal

Comparing this list with the vulnerabilities identified by OpenVAS will tell you exploits 2 and 3 are probably going to succeed.

Let’s try to exploit the SQL Injection vulnerability:

Exploiting Drupal using Metasploit

This is a low privilege session…

NOTES:

  • The targeturi was set to /drupal/ instead of root (/) because that is the Drupal directory on the Apache web server.
  • This exploit is supposed to work only against Drupal 7.0 and 7.31 (the vulnerability was fixed in 7.32). The server apparently has version 7.5 and is still vulnerable.

Now let’s try to exploit the remote code execution vulnerability:

Exploiting Drupal using Metasploit

And this is another low privilege shell…

Exploiting Port 80 – Payroll Application

Another interesting item is the file payroll_app.php. Clicking on it will load a Payroll Login interface.

Payroll Login

The Nmap scan identified a MySQL server running on Metasploitable3. Therefore, it might be a good idea to try a basic SQL injection attack. Let’s use the classic ' OR 1=1#.

Trying basic SQL injection

Clicking the Ok button with the classic injection string in the User input box will immediately reveal a total of 15 users in the Payroll App.

Successful SQL injection
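To show why the classic string works and what the fix looks like, here is an added example that is not part of the walkthrough or of the payroll app’s code: a login query assembled by string concatenation next to the parameterised form, run against a constructed SQLite table with three made-up users. SQLite does not recognise MySQL’s # comment marker, so the injected string passed to the vulnerable function uses SQLite’s -- comment; the rendered_query helper shows the SQL text a MySQL-backed handler would have received with the page’s exact input.

```python
# Added example (not the payroll app's code): a login query built by string
# concatenation next to the parameterised form, against a constructed SQLite table.
import sqlite3

# Constructed users; the real payroll_app.php talks to MySQL, SQLite stands in here.
USERS = [("leia", "pw-1"), ("luke", "pw-2"), ("han", "pw-3")]


def make_db():
    """Create an in-memory users table seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def rendered_query(user, password):
    """The SQL text a concatenating login handler sends to the database."""
    return (f"SELECT username FROM users WHERE username = '{user}' "
            f"AND password = '{password}'")


def login_vulnerable(conn, user, password):
    """Executes whatever rendered_query() produced: this is the injection point."""
    return [row[0] for row in conn.execute(rendered_query(user, password))]


def login_safe(conn, user, password):
    """Bound parameters: the input is treated as data, never as SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (user, password))]


if __name__ == "__main__":
    conn = make_db()
    # What a MySQL server would have seen with the page's input: the # comments
    # out the password check, leaving "username = '' OR 1=1".
    print(rendered_query("' OR 1=1#", "anything"))
    payload = "' OR 1=1 --"   # same trick written with SQLite's comment syntax
    print(login_vulnerable(conn, payload, "anything"))   # every user in the table
    print(login_safe(conn, payload, "anything"))         # []
    print(login_safe(conn, "han", "pw-3"))               # ['han']
```

The only difference between the two handlers is whether the credentials travel as part of the SQL text or as bound parameters; the parameterised version returns nothing for the injected string and still authenticates a real username and password.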

This could be the beginning of a real SQL Injection attack but instead I went after the code for the Payroll app. I remembered the file was listed in a previous exploit, namely ProFTPD. So, I repeated the exploit and investigated the contents of the file payroll_app.php.

Credentials inside the payroll_app.php file

These appear to be the credentials for the Payroll application but they are not…

Payroll failed logon

However, let’s not forget about these credentials as they might still be useful.

Exploiting Port 80 – phpMyAdmin

Opening the phpMyAdmin link will take you to the service login page:

phpMyAdmin login page

Brute forcing phpMyAdmin using Hydra

Brute forcing this service requires a bit of research but nothing special. You can use the wordlists provided with Kali, or you can add the previous credentials to the customized wordlists.

Brute forcing phpMyAdmin using Hydra

The credentials are valid for the phpMyAdmin service!

Brute forcing phpMyAdmin using Metasploit

There is a scanner module to use against phpMyAdmin but it’s broken and therefore completely useless:

Brute forcing phpMyAdmin using Metasploit

Exploiting phpMyAdmin using Metasploit

The phpMyAdmin web application running on Metasploitable 3 has a remote code execution vulnerability which can be exploited using the phpmyadmin_preg_replace module:

Exploiting phpMyAdmin using Metasploit

Unfortunately, something went wrong with this exploit. It might be a simple thing but I decided not to waste time investigating it. Instead, I tried to use the previously collected credentials…

Exploiting phpMyAdmin using Metasploit

It worked! The created session is a low privilege one, but this means the credentials are valid for phpMyAdmin. Therefore, instead of using them inside MSF, why not use them directly in the phpMyAdmin login page?

Inside the phpMyAdmin dashboard

From here, everything is at your disposal. Take a look at the users table inside the payroll database:

The payroll database

You still need to get root access to the target, so why don’t you add all this information to your user/pass custom wordlists and try to brute force SSH again?

Brute forcing SSH with the new credentials

It works! All these accounts have SSH access and, on top of that, Leia, Luke, and Han all have sudo privileges, so some of these sessions have root access to the target machine.

Metasploitable 3 Ubuntu Walkthrough: Part II

Exploiting Port 21 – ProFTPD

The FTP service can potentially be exploited in several ways. Let’s try a few of them. Users can access the Metasploitable VM by logging into the FTP server with a valid set of credentials. Therefore, it is a good idea to try to get access to this service. Pay attention to the results you got from OpenVAS:

OpenVAS reporting ProFTPD vulnerability

Brute forcing ProFTPD using Hydra

Kali Linux has a number of wordlists that can be used for this purpose. Let’s use Hydra to launch an attack:

hydra -L [users file] -P [passwords file] [IP] [service]

Brute forcing ProFTPD using Hydra

This will take a very long time because the tool will try every password for each user. And it might not return any good results unless you use carefully selected wordlists.

Brute forcing ProFTPD using Nmap

Using wordlists provided with Kali and the proper Nmap script (ftp-brute), you will also get positive results, sometimes faster than what you can get using Hydra.

Brute forcing ProFTPD using Nmap

Brute forcing ProFTPD using Metasploit

Metasploit has an auxiliary module that can also be used to brute force FTP passwords, just like Hydra did. I like to use it last with custom wordlists.

Brute forcing ProFTPD using Metasploit

Using the custom wordlists previously created will produce the same results. But using Metasploit has a major advantage over Hydra because the credentials found are automatically added to the database.

MSF database with found credentials

Enumerating via ProFTPD

Once you have found a valid credential set, you can use it to login to the remote FTP server:

Enumerating via ProFTPD

You now have a list of the system’s users and you can explore further to get extra data.

Exploiting ProFTPD using Metasploit

If you look closely at the OpenVAS scan results, you will see this:

OpenVAS reporting ProFTPD vulnerability

Searching for an exploit in MSF will return these results:

Searching for an exploit in MSF

As you can see, there is a specific module for this vulnerability. Use it!

Exploiting ProFTPD using Metasploit

This exploit gained remote access as the www-data user. Not very useful but always better than nothing, right?

Don’t forget to clean your tracks by removing the payload used.

Deleting the PHP payload

Exploiting Port 22 – SSH

This port/service can also be attacked using the usual tools of the trade. Besides, keep in mind that it is sometimes easy to get credentials for other running services. Then, using the previously identified credentials, it is easy to create a small custom list of usernames and passwords and attempt to get more using the usual tools.

OpenVAS reporting SSH vulnerability

Brute forcing SSH using Hydra

Basically, the same as before, but this time much slower due to limitations in SSH.

Brute forcing SSH using Hydra

Brute forcing SSH using Nmap

Using Kali’s wordlists, you will get some results.

Brute forcing SSH using Nmap

Brute forcing SSH using Nmap

Brute forcing SSH using Metasploit

Now that you have at least one valid credential, it might be a good idea to use it in Metasploit. Each successful login will immediately open a session on the remote machine and the valid credentials are added to the MSF database.

Brute forcing SSH using Metasploit

You will get a command session and you can upgrade it to a Meterpreter session!
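The brute-force runs described in this part (Hydra, Nmap’s brute scripts and Metasploit’s login scanners) leave a very recognisable trail on the target. As an added example, not part of the walkthrough, the Python below reads syslog-style authentication log lines, counts failed logins per source address across SSH and FTP, distinguishes guessing against one account from a wordlist run across many, and reports an accepted SSH login that follows a burst of failures, which is the event worth alerting on. The log lines are constructed approximations of the OpenSSH and ProFTPD message formats; the host name, process ids and the documentation-range addresses are made up.

```python
# Added example (not code from the walkthrough): spot brute-force login activity
# in syslog-style auth log lines and flag a success that follows a burst of failures.
import re
from collections import defaultdict

# Constructed lines approximating OpenSSH and ProFTPD log formats; the host name
# "target", the pids and the addresses are made up for the example.
SAMPLE_LOG = """\
Apr  2 10:00:01 target sshd[2101]: Failed password for invalid user admin from 192.0.2.50 port 41000 ssh2
Apr  2 10:00:02 target sshd[2101]: Failed password for root from 192.0.2.50 port 41001 ssh2
Apr  2 10:00:03 target sshd[2102]: Failed password for leia from 192.0.2.50 port 41002 ssh2
Apr  2 10:00:04 target sshd[2103]: Failed password for luke from 192.0.2.50 port 41003 ssh2
Apr  2 10:00:05 target sshd[2104]: Failed password for han from 192.0.2.50 port 41004 ssh2
Apr  2 10:00:06 target sshd[2105]: Accepted password for han from 192.0.2.50 port 41005 ssh2
Apr  2 10:00:07 target proftpd[2200] target (192.0.2.51[192.0.2.51]): USER bob (Login failed): Incorrect password
Apr  2 10:00:08 target proftpd[2201] target (192.0.2.51[192.0.2.51]): USER bob (Login failed): Incorrect password
Apr  2 10:00:09 target sshd[2106]: Failed password for alice from 198.51.100.7 port 50000 ssh2
"""

SSH_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SSH_OK = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
FTP_FAIL = re.compile(
    r"proftpd\[\d+\][^:]*\((?P<ip>[\d.]+)\[[\d.]+\]\): USER (?P<user>\S+) \(Login failed\)")


def analyse(log_text, threshold=3):
    """Return (alerts, suspicious_successes).

    alerts: one dict per source IP with at least `threshold` failed logins
            summed over SSH and FTP, sorted by IP.
    suspicious_successes: (ip, user) for each accepted SSH login that arrives
            after that source already reached the failure threshold.
    """
    failures = defaultdict(lambda: defaultdict(int))   # ip -> service -> count
    users_tried = defaultdict(set)                      # ip -> usernames attempted
    suspicious_successes = []
    for line in log_text.splitlines():
        if m := SSH_FAIL.search(line):
            failures[m["ip"]]["ssh"] += 1
            users_tried[m["ip"]].add(m["user"])
        elif m := FTP_FAIL.search(line):
            failures[m["ip"]]["ftp"] += 1
            users_tried[m["ip"]].add(m["user"])
        elif m := SSH_OK.search(line):
            # A success right after a guessing burst is the event worth paging on.
            if sum(failures.get(m["ip"], {}).values()) >= threshold:
                suspicious_successes.append((m["ip"], m["user"]))
    alerts = []
    for ip in sorted(failures):
        total = sum(failures[ip].values())
        if total >= threshold:
            alerts.append({
                "ip": ip,
                "failures": total,
                "services": sorted(failures[ip]),
                "users": sorted(users_tried[ip]),
                # Many distinct usernames from one source looks like a wordlist run
                # rather than a user mistyping their own password.
                "spray": len(users_tried[ip]) > 1,
            })
    return alerts, suspicious_successes


if __name__ == "__main__":
    found, wins = analyse(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("successful logins after a failure burst:", wins)
```

With the default threshold only 192.0.2.50 is reported (five SSH failures over five different usernames, then a successful login as han); the two ProFTPD failures from 192.0.2.51 only surface when the threshold is lowered, which is the usual tuning trade-off between catching slow guessing and paging on typos.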

Metasploitable 3 Ubuntu Walkthrough: Part I

Metasploitable3 is an Ubuntu 14.04 VM that is built from the ground up with a large number of security vulnerabilities. It is intended to be used as a target for testing exploits with Metasploit. Not every type of vulnerability on Metasploitable3 can be exploited with a single Metasploit module, but some can.

Network Setup

To conduct these exercises, you need to have 2 machines. One computer is used for attacking, the second computer is used as the victim. Using virtual machines is always the best solution for training purposes, so the following examples use a Kali Linux VM and a Metasploitable 3 VM connected to a VirtualBox internal network with a router between the two VMs.

To change the settings of the Metasploitable 3 VM, just follow the normal procedure to configure network interfaces in Linux. Note that the VM might have some iptables rules being enforced.

Metasploitable 3 Ubuntu IPTables

Having the firewall turned off from the start will allow you to get complete scan results.

But if you decide to attack this VM with the firewall on, turning it off could be one of the first tasks. Or you can get a shell and then create an SSH tunnel that will allow you to bypass the firewall.

Resetting can be easily achieved using the following commands (the --policy commands need the ACCEPT target, which sets the default policy of each chain to accept before the rules are flushed):

  • sudo iptables --policy INPUT ACCEPT
  • sudo iptables --policy OUTPUT ACCEPT
  • sudo iptables --policy FORWARD ACCEPT
  • sudo iptables -F

Metasploitable 3 Ubuntu IPTables

Scanning and Enumerating

The first step is to gather as much information as you can about the remote system. Use Nmap, Legion and OpenVAS to identify the open ports, running services and vulnerabilities on the target.

Nmap Scan

Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. You can run Nmap directly from the CLI but it might be a good idea to run Nmap from within Metasploit so that the results are added to the MSF database for further analysis and later use.

There are many scanning possibilities but the following choices of options will balance speed with accuracy. As you add more options, you might sacrifice speed in order to get better results:

  • nmap -sS [IP Address]
  • nmap -sV [IP Address]
  • nmap -T4 -sV --version-all --osscan-guess -A [IP Address]

Typical results:

Nmap scan initial results

However, the previous options won’t show you all the open ports because the -sV scan mode for service and version detection will use the nmap-services database of about 2,200 well-known services.

Therefore, it might be a good idea to run some scans covering wider ranges of ports:

  • nmap -sV --osscan-guess -p 1-10000 [IP Address]
  • nmap -T4 -sV --version-all --osscan-guess -A -p 1-10000 [IP Address]
  • nmap -T4 -PA -sV --version-all --osscan-guess -A -p 1-10000 [IP Address]
  • nmap -T4 -PA -sC -sV --version-all --osscan-guess -A -p 1-10000 [IP Address]
  • nmap -T4 -PA -sC -sV --version-all --osscan-guess -A -p 1-65535 [IP Address]

and even UDP ports:

  • nmap -sU -sV --version-all -p 1-10000 [IP Address]

And these are the results:

Nmap scan final results

As you can see, there are many open ports and running services on the target VM.
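The same scans are just as useful from the defender’s side, where the question is not “what is open?” but “what is open that was not open last time?”. As an added example that is not part of the walkthrough, the Python below parses Nmap’s XML output (the -oX option) into a per-host list of open ports with their detected service labels and diffs it against an earlier inventory. The sample report, the host address and the service names and versions in it are constructed for the example.

```python
# Added example (not code from the walkthrough): turn Nmap XML output (-oX) into a
# per-host inventory of open ports and diff it against an earlier baseline.
import xml.etree.ElementTree as ET

# Constructed sample report: one host, two open ports, one closed port.
# The address and the product/version strings are made up for the example.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="ExampleFTPd" version="1.0"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="ExampleSSH" version="2.0"/>
      </port>
      <port protocol="tcp" portid="25">
        <state state="closed"/>
        <service name="smtp"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return {ip: [(port, protocol, label), ...]} listing only open ports."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        entries = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            parts = []
            if svc is not None:
                # -sV fills name/product/version when it recognises the banner.
                parts = [svc.get(k) for k in ("name", "product", "version") if svc.get(k)]
            entries.append((int(port.get("portid")), port.get("protocol"),
                            " ".join(parts) or "unknown"))
        inventory[addr.get("addr")] = sorted(entries)
    return inventory


def diff_inventories(baseline, current):
    """Return {ip: {"opened": [...], "closed": [...]}} keyed by (port, protocol)."""
    changes = {}
    for ip in sorted(set(baseline) | set(current)):
        before = {(p, proto) for p, proto, _ in baseline.get(ip, [])}
        after = {(p, proto) for p, proto, _ in current.get(ip, [])}
        if before != after:
            changes[ip] = {"opened": sorted(after - before), "closed": sorted(before - after)}
    return changes


if __name__ == "__main__":
    now = parse_open_ports(SAMPLE_NMAP_XML)
    # Baseline constructed by hand: only SSH was open on the previous scan.
    earlier = {"192.0.2.10": [(22, "tcp", "ssh ExampleSSH 2.0")]}
    for ip, ports in now.items():
        for port, proto, label in ports:
            print(f"{ip} {port}/{proto} {label}")
    print(diff_inventories(earlier, now))
```

Run a real scan with -oX and feed the file to parse_open_ports; keeping the previous inventory on disk and diffing on each run turns the port list into a change alert instead of a wall of output to read by eye.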

Legion Scan

Another easy way to get initial information on the target is to use Legion. This tool will run a number of Nmap scans and it will also load a number of other tools and use them to get information about the target machine.

Some of the tools will immediately try to test the found services and even brute force the logins.

Metasploitable 3 Ubuntu Legion scan results

You can save the result of this scan for later usage or for a quick reference. But for proper vulnerability scanning, you will need a better tool.

OpenVAS Scan

For a comprehensive scan, try the Open Vulnerability Assessment Scanner. This tool has a full range of capabilities including unauthenticated testing, authenticated testing, various high- and low-level Internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test.

It can be installed on Kali Linux and it can be updated daily with the latest vulnerability tests.

Metasploitable 3 Ubuntu OpenVAS scan results
