Metasploitable 3 Ubuntu Walkthrough: Part VI

Exploiting Port 631 – CUPS

The Metasploitable 3 VM is running the Common Unix Printing System (CUPS) with the web-based interface enabled:

CUPS web interface

A remote attacker can exploit CUPS to execute arbitrary commands via crafted fields during the creation or modification of a printer. The 'PRINTER_INFO' and 'PRINTER_LOCATION' fields can be configured to contain arbitrary commands, which are executed when a print job is submitted, provided the remote host is running a vulnerable version of Bash (the Shellshock bug).

Searching in MSF you will find one exploit for this service:

CUPS exploit in MSF

Let’s use it:

Exploiting CUPS using Metasploit

The exploit fails due to a configuration error in the Metasploitable 3 VM. You can read about the details here:

https://github.com/rapid7/metasploitable3/issues/459

For this exploit to work, one possible solution is to add the vagrant user (or any other user) to the lpadmin group by running the command below as root on the Metasploitable VM:

Fixing Metasploitable 3

Now the lpadmin group is no longer empty, and the vagrant user has permission to add a printer to the system.

Exploiting CUPS using Metasploit

Unfortunately, the exploit still fails…

Exploiting Port 3500 – Ruby on Rails

Ruby on Rails, or Rails, is a server-side web application framework written in Ruby. Rails is a model-view-controller framework, providing default structures for a database, a web service, and web pages. The service has an entry page, but we can't get anything useful from it:

Rails entry page

Therefore, it might be a good idea to fuzz the landing page in order to find additional pages that might hold some more information.

Enumerating Rails using Web Fuzzer

The Web Fuzzer (Wfuzz) is a tool created to facilitate web application assessments, and it is based on a simple concept: it replaces every reference to the FUZZ keyword with the value of a given payload.

Enumerating Rails using Web Fuzzer

This leads to the discovery of the readme page.

Enumerating Rails using Metasploit

Not as flexible as Wfuzz, but Metasploit can also get the job done as long as you provide it with the right dictionary file:

Enumerating Rails using Metasploit

Time to see what the readme page has to offer:

The Rails readme page

Clicking on the logos takes you to OS-specific pages with the os parameter set in the URL:

  • http://172.16.3.3:3500/readme?os=windows
  • http://172.16.3.3:3500/readme?os=linux

The Linux page on Rails

It appears to be a dead end, but it is always worth digging a little deeper.

Directory Traversal

Try some directory traversal with the "os" parameter, looking for the passwd file (matching responses that contain the word root):

Directory traversal using DotDotPwn

Directory traversal using DotDotPwn

The results are a little messy but some of them are useful:

The passwd file
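The traversal above works because the os parameter is spliced straight into a file path. As an added example (not code from the walkthrough or from the Metasploitable 3 project), the Ruby below models a minimal stand-in for the readme handler with the vulnerable lookup beside a hardened one, plus a small log-side check for traversal attempts; the directory layout and file contents are constructed for the demo.

```ruby
require "tmpdir"
require "fileutils"
require "pathname"
require "cgi"

# Constructed sample tree (hypothetical, not the VM's real layout): two
# OS-specific readme pages under docs/ and a file that must never be
# reachable through the "os" parameter.
ROOT = Dir.mktmpdir("readme_demo")
DOCS = File.join(ROOT, "docs")
FileUtils.mkdir_p(DOCS)
File.write(File.join(DOCS, "linux.txt"), "Linux readme")
File.write(File.join(DOCS, "windows.txt"), "Windows readme")
File.write(File.join(ROOT, "secret.txt"), "root:x:0:0:root:/root:/bin/bash")

# Vulnerable: the parameter is concatenated into the path, so
# os=../secret walks out of docs/ and reads ROOT/secret.txt.
def readme_vulnerable(os)
  path = File.join(DOCS, "#{os}.txt")
  File.exist?(path) ? File.read(path) : nil
end

ALLOWED_OS = %w[linux windows].freeze

# Hardened: allowlist the parameter, then, as defence in depth, refuse any
# resolved path that does not stay inside the docs directory.
def readme_hardened(os)
  return nil unless ALLOWED_OS.include?(os)
  base = Pathname.new(DOCS).expand_path
  path = base.join("#{os}.txt").expand_path
  return nil unless path.to_s.start_with?(base.to_s + File::SEPARATOR)
  path.file? ? path.read : nil
end

# Detection: flag a query parameter value that contains a ".." path segment
# after URL-decoding (twice, to catch double-encoded %252e%252e forms) and
# after normalising backslashes, which DotDotPwn-style scanners also try.
def traversal_attempt?(value)
  decoded = value
  2.times { decoded = CGI.unescape(decoded) }
  decoded.tr("\\", "/").split("/").include?("..")
end
```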

Exploiting Rails using Metasploit

A bit of research will reveal a known vulnerability in this version of the service and a matching MSF module. Time to put the readme page and the os parameter to good use…

Exploiting Rails using Metasploit

Notice that the chewbacca user is a member of the docker group… this is interesting and might be helpful later on.
