This service was already exploited in Metasploitable 2. But is it the same version?
It is not possible to determine the specific version running on Metasploitable3 but because there is only one exploit available in MSF, we better try it.
Like before, this is a very easy exploit:
This is a low privilege shell because boba_fett is not part of the sudo group. But he is also part of the docker group…
The Metasploitable 3 VM is running the C Unix Printing System (CUPS) with the web-based interface enabled:
A remote attacker can exploit CUPS to execute arbitrary commands via crafted fields during the creation or modification of a printer. The 'PRINTER_INFO' and 'PRINTER_LOCATION' fields can be configured to contain arbitrary commands which will be executed when a print job is submitted, provided the remote host is running a vulnerable version of Bash.
Searching in MSF you will find one exploit for this service:
Let’s use it:
The exploit fails due to a configuration error in the Metasploitable 3 VM. You can read about the details here:
The name service operates on UDP port 137. Usually, not exploitable but useful for enumeration purposes.
NBTScan is a command line tool used for scanning networks to obtain NetBIOS shares and name information. It can run on both Unix and Windows and ships with Kali Linux by default.
In this case, not a lot of information but always better than nothing.
Nmap contains a script that we can also use to discover NetBIOS shares. This has the advantage that it can be ran with other NSE scripts, ultimately saving time when enumerating many different things on a network.
Let’s start by getting as much information as possible about the remote website. Let’s try getting some additional information with Metasploit:
There is something interesting here; the /cgi-bin/ directory. Is there any exploit for this?
There is a Metasploit module to exploit his vulnerability:
Another failed attempt. This was supposed to work, but it didn’t…
Let’s get more information about the target using Directory Buster:
The uploads directory appears to be promising. But is it writable? Let’s check it out. You can do WebDav Enumeration using Metasploit.
As you can see, the uploads directory is writable and a number of different file formats can be uploaded over there.
From here you need to create a payload, deploy it, set up a listener, execute the payload and you will have a shell…!
For detailed step-by-step instructions using multiple tools and options, please check my other Metasploitable 3 tutorial.
Drupal is a free and open-source web content management framework written in PHP and distributed under the GNU General Public License.
When browsing port 80 with Firefox, Apache will present you with a directory listing containing a number of entries:
If you go back to the OpenVAS report, you will see a lot of potential on port 80:
The first thing to do should be to identify Drupal’s version. Analyzing the source code for the Drupal page you can immediately get some information about the website’s structure, namely the fact that many things are coming from the drupal/modules folder.
Digging and researching online will lead you to the discovery of the blog.info file located inside the drupal/modules/blog folder.
Now you know Drupal is version 7.5
Searching inside MSF, you will find there are several modules available to use against Drupal:
Comparing this list with the vulnerabilities identified by OpenVAS will tell you exploits 2 and 3 are probably going to succeed.
Let’s try to exploit the SQL Injection vulnerability:
This is a low privilege session…
NOTES:
Now let’s try to exploit the remote code execution vulnerability:
And this is another low privilege shell…
Another interesting item is the file payroll_app.php. Clicking on it will load a Payroll Login interface.
The Nmap scan identified a MySQL server running on Metasploitable3. Therefore, it might be a good idea to try a basic SQL injection attack. Let’s use the classic ' OR 1=1#.
Clicking the Ok button with the classic injection string in the User input box will immediately reveal a total of 15 users in the Payroll App.
This could be the beginning of a real SQL Injection attack but instead I went after the code for the Payroll app. I remembered the file was listed in a previous exploit, namely ProFTPD. So, I repeated the exploit and investigated the contents of the file payroll_app.php.
These appear to be the credentials for the Payroll application but they are not…
However, let’s not forget about these credentials as they might still be useful.
Opening the phpMyAdmin link will take you to the service login page:
Brute forcing this service requires a bit of research but nothing special. You can use the wordlists provided with Kali, or you can add the previous credentials to the customized wordlists.
The credentials are valid for the phpMyAdmin service!
There is a scanner module to use against phpMyAdmin but it’s broken and therefore completely useless:
The phpMyAdmin web application running on Metasploitable 3 has a remote code execution vulnerability which can be exploited using the phpmyadmin_preg_replace module:
Unfortunately, something went wrong with this exploit. It might be a simple thing but I decided not to waste time investigating it. Instead, I tried to use the previously collected credentials…
It worked! The created session is a low privilege one, but this means the credentials are valid for phpMyAdmin. Therefore, instead of using them inside MSF, why not use them directly in the phpMyAdmin login page?
From here, everything is your disposal. Take a look at the users table inside the payroll database:
You still need to get root access to the target, so why don’t you add all this information to your user/pass custom wordlists and try to brute force SSH again?
It works! All these accounts have SSH access and on top of that, Leia, Luke, and Han all have sudo privileges so some of these sessions have root access to the target machine.
The FTP service can potentially be exploited in several ways. Let’s try a few of them. Users can access the Metasploitable VM by logging into the FTP server with a valid set of credentials. Therefore, it is a good idea to try get access to this service. Pay attention to the results you got from OpenVAS:
Kali Linux has a number of wordlists that can be used for this purpose. Let’s use Hydra to launch an attack:
hydra -L [users file] -P [passwords file] [IP] [service]
This will take a very long time because the tool will try every password for each user. And it might not return any good results unless you use carefully selected wordlists.
Using wordlists provided with Kali, and using the proper Nmap script (ftp-brute) you will also get positive results and sometimes faster than you what can get using Hydra.
Metasploit has an auxiliary module that can also be used to brute FTP force passwords just like Hydra did. I like to use it last with custom wordlists.
Using the custom wordlists previously created will produce the same results. But using Metasploit has a major advantage over Hydra because the credentials found are automatically added to the database.
Once you have found a valid credential set, you can use it to login to the remote FTP server:
You have now a list of the systems’ users and you can explore further to get extra data.
If you look closely at the OpenVAS scan results, you will see this:
Searching for an exploit in MSF will return these results:
As you can see, there a specific module for this vulnerability. Use it!
This exploit gained remote access as the www-data user. Not very useful but always better than nothing, right?
Don’t forget to clean your tracks by removing the payload used.
This port/service can also be attacked using the usual tool of the trade. Besides, keep in mind that sometimes it will be easy to get credentials for other running services. Then, using the previously identified credentials it is easy to create a small custom list of usernames and passwords and attempt to get more using the usual tools.
Basically, the same as before, but this time much slower due to limitation in SSH.
Using Kali’s wordlists, you will get some results.
Now that you have at least one valid credential, it might be a good idea to use it in Metasploit. Each successful login will immediately open a session on the remote machine and the valid credentials are added to the MSF database.
You will get a command session and you can upgrade it to a Meterpreter session!
Metasploitable3 is a Ubuntu 14.04 VM that is built from the ground up with a large amount of security vulnerabilities. It is intended to be used as a target for testing exploits with Metasploit. Not every type of vulnerability on Metasploitable3 can be exploited with a single Metasploit module, but some can.
To conduct these exercises, you need to have 2 machines. One computer is used for attacking, the second computer is used as the victim. Using virtual machines is always the best solution for training purposes so in the following examples a Kali Linux VM and a Metasploitable 3 VM connected to a Virtual Box internal network with a router between the two VMs.
To change the settings of the Metasploitable 3 VM just follow the normal procedure to configure network interfaces in Linux. Besides, the VM might have some IPTables rules being enforced.
Having the firewall turned off from the start will allow you to get complete scan results.
But if you decide to attack this VM with the firewall on, turning it off could be one of the first tasks. Or you can get a shell and then create an SSH tunnel that will allow you to bypass the firewall.
Resetting can be easily achieved using the following command:
The first step is to gather as much information as you can about the remote system. Use Nmap, Legion and OpenVAS to identify the open ports, running services and vulnerabilities on the target.
Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. You can run Nmap directly from the CLI but it might be a good idea to run Nmap from within Metasploit so that the results are added to the MSF database for further analysis and later use.
There are many scanning possibilities but the following choices of options will balance speed with accuracy. As you add more options, you might sacrifice speed in order to get better results:
Typical results:
However, the previous options won’t show you all the open ports because the -sV scan mode for service and version detection will use the nmap-services database of about 2,200 well-known services.
Therefore, it might be a good idea to run some scans covering wider ranges of ports:
and even UDP ports:
And these are the results:
As you can see, there are many open ports and running services on the target VM.
Another easy way to get initial information on the target is to use Legion. This tool will run a number of Nmap scans and it will also load a number of other tools and use them to get information about the target machine.
Some of the tools will immediately try to test the found services and even brute force the logins.
You can save the result of this scan for later usage or for a quick reference. But for proper vulnerability scanning, you will need a better tool.
For a comprehensive scan, try the Open Vulnerability Assessment Scanner. This this tool has a full range of capabilities including unauthenticated testing, authenticated testing, various high level and low-level Internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test.
It can be installed on Kali Linux and it can be updated daily with the latest vulnerability tests.
Previous post: Metasploitable 3 Windows Walkthrough: Part X