<h1>Metasploitable 3 Ubuntu Walkthrough: Part VI</h1>

Exploiting Port 631 – CUPS

The Metasploitable 3 VM is running the C Unix Printing System (CUPS) with the web-based interface enabled:

A remote attacker can exploit CUPS to execute arbitrary commands via crafted fields during the creation or modification of a printer. The 'PRINTER_INFO' and 'PRINTER_LOCATION' fields can be configured to contain arbitrary commands which will be executed when a print job is submitted, provided the remote host is running a vulnerable version of Bash.

Searching in MSF you will find one exploit for this service:

Let’s use it:

The exploit fails due to a configuration error in the Metasploitable 3 VM. You can read about the details here:

https://github.com/rapid7/metasploitable3/issues/459

In order for this exploit to work one of the possible solutions is to add the vagrant user (or any other user) to the lpadmin group by running the below command as root on the Metasploitable VM:

Now the lpadmin group is no longer empty and the vagrant user has the permission to add a printer to the system.

Unfortunately, the exploit still fails…

Exploiting Port 3500 – Ruby on Rails

Ruby on Rails, or Rails, is a server-side web application framework written in Ruby. Rails is a model-view-controller framework, providing default structures for a database, a web service, and web pages. The service has an entry page but we can’t get anything useful from it:

Therefore, it might be a good idea to fuzz the landing page in order to find additional pages that might held some more information.

Enumerating Rails using Web Fuzzer

The Web Fuzzer is a tool been created to facilitate the task in web applications assessments and it is based on a simple concept: it replaces any reference to the FUZZ keyword by the value of a given payload.

This leads to the discovery of the readme page

Enumerating Rails using Metasploit

Not as flexible as WFuzz, but Metasploit can also get the job done as long as you provide it the right dictionary file:

Time to see what the readme page has to offer:

Clicking on the logos takes you to OS specific pages with the “os” parameter set in the URL:

• http://172.16.3.3:3500/readme?os=windows
• http://172.16.3.3:3500/readme?os=linux

It appears to be a dead end but it always worth to dig in a little deeper.

Directory Traversal

Try to do some directory traversal with the “os” parameter, looking for the passwd file (containing the word root):

The results are a little messy but some of them are useful:

Exploiting Rails using Metasploit

A bit of research will reveal the existence of a vulnerability in the version of the service and the availability of the appropriate MSF module. Time to put the readme page and the os parameter to good use…

Notice the chewbacca user is a member of the docker group… this is interesting and might be helpful in the future.