Metasploitable 2 Walkthrough: Part VI

Exploiting Port 1009 – Java RMI

GNU Classpath is a set of essential libraries for supporting the Java programming language. The Metasploitable VM runs a remote object registry for GNU Classpath with default credentials, which can be leveraged to gain a shell on the machine using the Java RMI Server Insecure Default Configuration Java Code Execution Metasploit module.

This exploit is quite straightforward: choose the exploit, set the proper options and run it.

Exploiting Java RMI with MSF

NOTE: After running this exploit you will need to reboot Metasploitable 2, as its CPU usage will go to 100%.

NOTE: There is another exploit available for this port (exploit/multi/browser/java_rmi_connection_impl), but it only creates a local listener ready to accept connections from the Metasploitable machine. It can be used in conjunction with the previous exploit or with other malicious Java implants to create persistence on the target machine.

Exploiting Port 1524 – Shell

Many attack scripts install a backdoor shell at this port.

Exploiting Bindshell service

Metasploitable 2 comes with an open bindshell service running on port 1524. Use Netcat to connect to it.

Connecting to Bindshell with Netcat

Exploiting Ingreslock service

Ingreslock is used legitimately to lock parts of an Ingres database. However, there are known trojans that also use port 1524 as a backdoor into a system. Some sysadmins allow this port to be open thinking it is needed.

This vulnerability falls into the same group as Telnet and rlogin, in the sense that it can be used as an unintentional backdoor. All you need to do is connect to the port via Telnet to gain access to the victim's machine. You will be logged in with the same rights as the user the service is running as.

Connecting to Ingreslock via Telnet

Exploiting Port 2121 – ProFTPD

Telnet access

Connect to the target machine’s port 2121 via Telnet using the default credentials for Metasploitable 2.

Connecting to ProFTPD via Telnet

FTP access

The FTP access can be brute forced exactly as you did for the vsFTPd service running on port 21. Likewise, the connection to ProFTPD is a normal FTP connection. Try using the "user" account:

Connecting to ProFTPD

From here you can GET these files and open them to extract additional information, or you can try to log in with one of the other accounts.

Exploiting Port 2049 – NFS

The Network File System is a distributed file system protocol that allows a user on a client computer to access files over a network in the same way they would access files on local storage.

Connecting to NFS

Start by checking which network services are running; use the rpcinfo command to do that:

Checking out running network services

There is an NFS service listening on port 2049, and you need to use the showmount command to list which file systems are mountable from this NFS server.

Checking what file systems are mountable on NFS

Yes! The entire filesystem is mountable and writable! To mount the network filesystem, you need the RPC service rpcbind running locally. Start the service, create a temporary directory to act as a mount point, and then mount the filesystem from the target's IP address, with no credentials.

Mounting the remote file system
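As an added example that is not part of this walkthrough: a small Python audit of an exports(5)-style file, run over a constructed sample, that flags the conditions the showmount output above reveals (a world-mountable, writable export with root squashing disabled, here of the whole filesystem). It also catches the `host (options)` spacing mistake that applies the options to every host.

```python
import re

# Constructed sample of an /etc/exports file, in the spirit of the export this
# section mounts; it is not copied from the Metasploitable 2 VM.
SAMPLE_EXPORTS = """\
# constructed sample
/                 *(rw,no_root_squash)
/srv/share        192.168.56.0/24(ro,root_squash)
/home             *(rw,root_squash)
/data             10.0.0.5 (rw)
"""

# client spec: "host", "host(opt,opt)" or "(opt,opt)"
SPEC_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return (path, client, options) triples from exports(5)-style text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            client, opts = SPEC_RE.match(spec).groups()
            # exports(5): a space before "(" means the options apply to every host
            if client == "":
                client = "*"
            options = set(opts.split(",")) if opts else set()
            entries.append((path, client, options))
    return entries


def audit_exports(text):
    """List (path, client, issues) for every export that weakens the safe defaults."""
    findings = []
    for path, client, options in parse_exports(text):
        issues = []
        if client == "*":
            issues.append("world")            # any host may mount it
        if "rw" in options:
            issues.append("rw")               # default is read-only
        if "no_root_squash" in options:
            issues.append("no_root_squash")   # client root == server root
        if path == "/":
            issues.append("entire-fs")        # whole filesystem exposed
        if issues:
            findings.append((path, client, sorted(issues)))
    return findings


if __name__ == "__main__":
    for path, client, issues in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} exported to {client}: {', '.join(issues)}")
```

Run it against a real /etc/exports after fixing the share: a clean run should report nothing for the hardened entry.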

Abusing NFS to escalate privileges

Now you can abuse your write access to the filesystem. You can also download anything you want from the remote machine, like the shadow file to crack the passwords with John the Ripper.

Or you can try a different form of privilege escalation by copying an SSH key into the remote machine's trusted SSH keys and obtaining passwordless remote access. In this method, you create an SSH key without a passphrase and add it to the trusted keys of the root user on the victim machine.

You start by using ssh-keygen to generate an RSA keypair without a passphrase.

Generating an RSA keypair without a passphrase

Now you will place that key in the /root/.ssh folder, where SSH looks for trusted keys by default.

Placing the RSA key

Don't forget to unmount the remote file system.

Unmounting the remote file system

Now you have SSH root access without a password!

SSH root access via RSA key
