Exploiting Port 631 – CUPS
The Metasploitable 3 VM is running the Common Unix Printing System (CUPS) with the web-based interface enabled:
A remote attacker can exploit CUPS to execute arbitrary commands via crafted fields during the creation or modification of a printer. The 'PRINTER_INFO' and 'PRINTER_LOCATION' fields can be configured to contain arbitrary commands which will be executed when a print job is submitted, provided the remote host is running a vulnerable version of Bash.
Searching in MSF you will find one exploit for this service:
Let’s use it:
The exploit fails due to a configuration error in the Metasploitable 3 VM. You can read about the details here:
https://github.com/rapid7/metasploitable3/issues/459
One way to get this exploit working is to add the vagrant user (or any other user) to the lpadmin group, by running the command below as root on the Metasploitable VM:
Now the lpadmin group is no longer empty and the vagrant user has the permission to add a printer to the system.
Unfortunately, the exploit still fails…
Exploiting Port 3500 – Ruby on Rails
Ruby on Rails, or Rails, is a server-side web application framework written in Ruby. Rails is a model-view-controller framework, providing default structures for a database, a web service, and web pages. The service has an entry page but we can’t get anything useful from it:
Therefore, it is a good idea to fuzz the landing page in order to find additional pages that might hold more information.
Enumerating Rails using Web Fuzzer
The Web Fuzzer (wfuzz) is a tool created to facilitate web application assessments. It is based on a simple concept: it replaces every reference to the FUZZ keyword with the value of a given payload.
This leads to the discovery of the readme page.
Enumerating Rails using Metasploit
Not as flexible as wfuzz, but Metasploit can also get the job done as long as you provide it with the right wordlist:
Time to see what the readme page has to offer:
Clicking on the logos takes you to OS specific pages with the “os” parameter set in the URL:
- http://172.16.3.3:3500/readme?os=windows
- http://172.16.3.3:3500/readme?os=linux
It appears to be a dead end, but it is always worth digging a little deeper.
Directory Traversal
Try some directory traversal with the "os" parameter, looking for the passwd file (which contains the word root):
The results are a little messy but some of them are useful:
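To show the server-side root cause of that traversal and its fix, here is an added example written for this post; it is plain Ruby modelling a Rails action, not the Metasploitable 3 application's own code. The directory name `readme_pages`, the allowlist of two OS values (taken from the two links above) and the function names are assumptions.

```ruby
# Hypothetical model of a readme action that picks a file by the "os" parameter.
# Constructed base directory for the readme pages (assumption, not the app's path).
README_ROOT = File.expand_path("readme_pages", Dir.pwd)

# The only values the page actually offers (the windows/linux links above).
ALLOWED_OS = %w[windows linux].freeze

# Vulnerable pattern: the raw parameter is joined onto the path, so a value
# such as "../../../../etc/passwd" resolves to a file outside README_ROOT.
def readme_path_unsafe(os)
  File.join(README_ROOT, os)
end

# Hardened pattern: map the parameter onto a fixed allowlist and never put the
# raw value into a filesystem path. Unknown values return nil (caller sends 404).
def readme_path_safe(os)
  return nil unless ALLOWED_OS.include?(os)
  File.join(README_ROOT, "#{os}.html")
end

# Defence in depth: after ".." segments are resolved (symlinks aside), the path
# must still sit under README_ROOT. Worth keeping even with an allowlist in place.
def inside_root?(path)
  resolved = File.expand_path(path)
  resolved == README_ROOT || resolved.start_with?(README_ROOT + File::SEPARATOR)
end

# What the request should get: the file to render, or nil for a 404 response.
def resolve_readme(os)
  path = readme_path_safe(os)
  path if path && inside_root?(path)
end

if __FILE__ == $PROGRAM_NAME
  %w[linux windows ../../../../etc/passwd].each do |os|
    puts format("%-28s unsafe_in_root=%-5s safe=%s", os.inspect,
                inside_root?(readme_path_unsafe(os)), resolve_readme(os).inspect)
  end
end
```

Run stand-alone it prints, for each sample value, whether the unsafe path stays under the root and what the hardened resolver returns.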
Exploiting Rails using Metasploit
A bit of research reveals a vulnerability in this version of the service and the availability of the appropriate MSF module. Time to put the readme page and the os parameter to good use…
Notice that the chewbacca user is a member of the docker group… this is interesting and might be useful later.