Exploiting Port 1009 – Java RMI
GNU Classpath is a set of essential libraries for supporting the Java programming language. The Metasploitable VM runs a remote object registry for GNU Classpath using default credentials which can be leveraged to gain a shell on the machine using the Java RMI Server Insecure Default Configuration Java Code Execution Metasploit module.
This exploit is quite straightforward: choose the exploit, set the required options and run it.
NOTE: After running this exploit you will need to reboot Metasploitable 2, as its CPU usage will go to 100%.
NOTE: There is another module available for this port (exploit/multi/browser/java_rmi_connection_impl), but it only creates a local listener ready to accept connections from the Metasploitable machine. It can be used in conjunction with the previous exploit or with other malicious Java implants to create persistence on the target machine.
Exploiting Port 1524 – Shell
Many attack scripts install a backdoor shell at this port.
Exploiting Bindshell service
Metasploitable 2 comes with an open bindshell service running on port 1524. Use Netcat to connect to it.
Exploiting Ingreslock service
Ingreslock is used legitimately to lock parts of an Ingres database. However, there are known trojans that also use port 1524 as a backdoor into a system. Some sysadmins allow this port to be open thinking it is needed.
This vulnerability falls into the same group as Telnet and rlogin, in the sense that it can be used as an unintentional backdoor. All you need to do is connect to the port via Telnet to gain access to the victim’s machine. You will be logged in with the same rights as the user the service is running as.
Exploiting Port 2121 – ProFTPD
Telnet access
Connect to the target machine’s port 2121 via Telnet using the default credentials for Metasploitable 2.
FTP access
FTP access can be brute-forced exactly as you did for the vsFTPd service running on port 21. Likewise, the connection to ProFTPD is a normal FTP connection. Try using the “user” account:
From here you can GET these files and open them to extract additional info. Or you can try to login with one of the other accounts.
Exploiting Port 2049 – NFS
The Network File System is a distributed file system protocol that allows a user on a client computer to access files over a network in the same way they would access local storage.
Connecting to NFS
Start by checking out what network services are running - use the rpcinfo command to do that:
There is an NFS service listening on port 2049, and you need to use the showmount command to show which file systems are mountable from this NFS server.
Yes! The entire filesystem is mountable/writable! To mount the network filesystem, you need to run the RPC service rpcbind. Start the service, create a temporary directory to act as a mount point, and then mount the filesystem at the IP address, with no credentials.
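The misconfiguration the walkthrough relies on (an export of `/` that any client can mount read-write, with root not squashed) can be found from the server side before anyone else finds it. The following is an added example, not part of the original post: a small exports(5) auditor run over a constructed sample file. The sample's first line has the shape a world-mountable root export would take; the exact options on the Metasploitable 2 VM are an assumption, as is the placeholder subnet in the suggested fix.

```python
import re
from dataclasses import dataclass

# Constructed sample of an /etc/exports file. The first line has the shape a
# world-mountable root export like Metasploitable 2's would take; the exact
# options on that VM are an assumption, not copied from the page.
SAMPLE_EXPORTS = """\
# exported file systems (constructed sample)
/               *(rw,sync,no_root_squash,no_subtree_check)
/home/ftp       192.168.56.0/24(ro,sync,root_squash)
/srv/backup     10.0.0.5(rw,sync)
"""


@dataclass
class Export:
    path: str
    client: str
    options: frozenset


@dataclass
class Finding:
    path: str
    client: str
    issue: str


def parse_exports(text):
    """Parse exports(5)-style lines into Export records, one per client spec."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:]
        for spec in specs:
            if spec.endswith(")") and "(" in spec:
                client, opts = spec[:-1].split("(", 1)
                options = frozenset(o.strip() for o in opts.split(",") if o.strip())
            else:
                client, options = spec, frozenset()   # no options -> exports(5) defaults
            exports.append(Export(path, client, options))
    return exports


def audit_exports(text):
    """Flag the settings that turn an NFS export into a path to root on the server."""
    findings = []
    for e in parse_exports(text):
        if e.client == "*":
            findings.append(Finding(e.path, e.client, "exported to every client (no host restriction)"))
        if e.path == "/":
            findings.append(Finding(e.path, e.client, "entire root filesystem exported"))
        # root_squash is the exports(5) default; only an explicit no_root_squash removes it
        if "rw" in e.options and "no_root_squash" in e.options:
            findings.append(Finding(e.path, e.client,
                                    "rw with no_root_squash: a client's root writes as the server's root"))
    return findings


def hardened_line(e):
    """Rewrite one export with the dangerous settings removed. The client
    subnet is a placeholder the administrator must fill in."""
    client = "<trusted-subnet>/24" if e.client == "*" else e.client
    opts = sorted((e.options - {"no_root_squash"}) | {"root_squash"})
    return f"{e.path}\t{client}({','.join(opts)})"


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f.path:12} {f.client:18} {f.issue}")
    for e in parse_exports(SAMPLE_EXPORTS):
        print("suggested:", hardened_line(e))
```

Run it against the real `/etc/exports` of an NFS server (or against `showmount -e` output reshaped into the same form) to get the same three findings the walkthrough exploits; the `hardened_line` output is a starting point for the fix, not a drop-in replacement, because the right client subnet and the `ro`/`rw` decision depend on what the export is for.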
Abusing NFS to escalate privileges
Now you can abuse your write access to the filesystem. You can also download anything you want from the remote machine, like the shadow file to crack the passwords with John the Ripper.
Or you can try a different form of privilege escalation by copying an SSH key into the remote machine's trusted SSH keys, and obtain passwordless remote access. In this method, you will create an SSH key without a passphrase and exchange it with the SSH key of the victim machine for the root user.
You start by using ssh-keygen to generate an RSA keypair without a passphrase.
Now you will place that key in the /root/.ssh folder, where SSH looks for authorized keys by default.
Don’t forget to unmount the remote file system.
Now you have SSH root access without a password!
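The persistence step above leaves a durable artifact on the victim: an extra public key in root's authorized_keys file. An added example (not from the original post) of the check a defender would run against that file: every key is fingerprinted the way OpenSSH does (SHA256 over the decoded key blob) and compared against an allowlist of known administrator keys, and keys with no `from=` restriction are reported too. The key lines in the sample are synthetic blobs built by the example itself (not real keys), and the option parser assumes options contain no whitespace inside quotes.

```python
import base64
import hashlib
import re
import struct
from dataclasses import dataclass


def _ssh_string(b):
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(b)) + b


def make_key_line(seed, comment, options=""):
    """Build a syntactically valid ssh-rsa authorized_keys line around a
    synthetic blob (constructed for the sample; NOT a usable key)."""
    e = b"\x01\x00\x01"
    n = hashlib.sha256(seed).digest()   # stand-in for a modulus
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(e) + _ssh_string(n)
    prefix = options + " " if options else ""
    return f"{prefix}ssh-rsa {base64.b64encode(blob).decode()} {comment}"


# Constructed sample file: the administrator's key (restricted to its jump
# subnet) plus one key that was never approved.
GOOD = make_key_line(b"admin-key-seed", "admin@bastion", 'from="10.0.0.0/24"')
ROGUE = make_key_line(b"rogue-key-seed", "pentester@client")
SAMPLE_AUTHORIZED_KEYS = (
    "# /root/.ssh/authorized_keys (constructed sample)\n" + GOOD + "\n" + ROGUE + "\n"
)

# options (optional, no embedded whitespace assumed), key type, base64 blob, comment
LINE_RE = re.compile(
    r"^(?:(?P<opts>\S+)\s+)?(?P<type>(?:ssh|ecdsa|sk)-\S+)\s+"
    r"(?P<b64>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$"
)


def fingerprint(line):
    """OpenSSH-style SHA256 fingerprint of the key blob on one line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an authorized_keys entry")
    blob = base64.b64decode(m["b64"])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Allowlist of approved fingerprints, normally kept outside the audited host.
ALLOWLIST = {fingerprint(GOOD)}


@dataclass
class KeyFinding:
    line_no: int
    key_type: str
    comment: str
    fingerprint: str
    issue: str


def audit_authorized_keys(text, allowlist):
    """Report keys that are not on the allowlist and keys with no source restriction."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append(KeyFinding(n, "?", "", "", "unparseable entry"))
            continue
        fp = fingerprint(line)
        comment = m["comment"] or ""
        if fp not in allowlist:
            findings.append(KeyFinding(n, m["type"], comment, fp, "key not in allowlist"))
        if "from=" not in (m["opts"] or ""):
            findings.append(KeyFinding(n, m["type"], comment, fp, "no from= source restriction"))
    return findings


if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(f"line {f.line_no}: {f.issue} ({f.key_type} {f.fingerprint} {f.comment!r})")
```

Against the sample, the administrator's key is silent and the unapproved key produces two findings. In practice the fingerprints it prints match `ssh-keygen -lf authorized_keys`, so an allowlist can be built from that command's output on a known-good host; pairing the check with a file-integrity monitor on `/root/.ssh` catches the same change as it happens rather than at the next audit.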