Hacking Metasploitable Enumeration & vsFTPd vulnerability

In this series, I plan to show how I owned Rapid7’s vulnerable Virtual Machine, Metasploitable2.

When hacking computer systems, it is essential to know which systems are on your network, but also know which IP or IPs you are attempting to penetrate. In Metasploitable that can be done in two ways, first, you can quickly run the ifconfig command in the terminal and find the IP address of the machine or you can run a Nmap scan in Kali. I will attempt to find the Metasploitable machine by inputting the following stealth scan.

The SYN scan is the default scan in Nmap. It is also a quick scan and stealthy because it never completes TCP connections. This scan specifically searched all 256 possible IP addresses in the 10.0.2.0-10.0.2.255 range, therefore, giving me the open machines. In my test lab, I had four computers running, one being my Kali box, I was able to find the Metasploitable2 box and all of the open ports.

The next step thing I want to do is find each of the services and the version of each service running on the open ports. Again I will use Nmap for this by issuing the following command.

This scan is again doing the Stealth Scan, but also the -sV flag is verifying the versions of the services, and the -O flag is verifying the operating system running on the machine.

So, what type of information can I find from this scan?

Now I know the operating system s Linux version 2.6.9-2.6.33, the host is running Telnet, which is vulnerable. Also older versions of Apache web server, which I should be able to find a vulnerability for, I see that port 445 is open, this is the SMB or server message block port, I know these are typically vulnerable and can allow you to enumerate the system reasonably easy using Nmap. These are the ones that jump out at me first. I know these will likely give me some vulnerabilities when searching CVE lists.

Next, since I saw port 445 open, I will use a Nmap script to enumerate users on the system.

I decided it would be best to save the results to a file to review later as well. I receive a list of user accounts. Here is where I should stop and say something. You should never name your administrator accounts anything like admin, It is easy for an attacker to determine which username is the administrator and then brute force that password and gain administrator access to that computer.

We found a user names msfadmin, which we can assume is the administrator.

Next, I am going to run another Nmap script that will list vulnerabilities in the system.

Using this script we can gain a lot of information. I saved the results to a text document to review later, and I’m delighted I did. I knew the system was vulnerable, but I was not expecting the amount of information I got back from the script. The script gives a lot of great information, below I am showing the first line I was able to retrieve.

As you can see, the script gives me a lot of information. It tells me that the service running on port 21 is Vulnerable, it also gives me the OSVBD id and the CVE id, as well as the type of exploit. This is very useful when finding vulnerabilities because I can plan an attack, but also, I can see the exact issue that was not patched and how to exploit it.

I decided to go with the first vulnerable port. As the information tells us from the Nmap vulnerability scan, by exploiting the vulnerability, we can gain access to the server by creating a backdoor. I decided to find details on the vulnerability before exploiting it. I followed the blog link in the Nmap results for scarybeastsecurity and was able to find some information about the vulnerability. From reading the documentation, I learned that vsFTPd server is written in the C programming language, also that the server can be exploited by entering a : ) smiley face in the username section, and a TCP callback shell is attempted.

I used Metasploit to exploit the system. The first step was to find the exploit for the vulnerability. I did this by searching vsFTPd in Metasploit.

Searching for the exploit returned the above exploit for the service, so the next steps were pretty simple. In Metasploit, I typed the use command and chose the exploit. Next, I ran the command show options, which told me I needed to provide the remote hosts (RHOSTS) IP address; this is the target machine’s IP address. After that, I just had to set the RHOSTS value to the 10.0.2.4 IP address and type exploit in the command prompt.

From there, a remote shell was created and I was able to run commands.

Next, I wanted to set up proof that I had access. So I decided to write a file to the root directory called pwnd.txt.

I went to the Metasploitable server and changed my directory to the root directory; from there, I was able to see the pwnd.txt file and read the data.

I was left with one more thing. I wanted to learn how to exploit this vulnerability manually. So I tried it, and I sort of failed. First, I decided to use telnet to enter into the system which worked fine, but then I ran into some issues. I assumed that the username could be a smiley face; however, after searching on the web, I found out I needed to have a smiley face after the user parameter.

I did a Nmap scan before trying the manual exploit and found that the port at 6200, which was supposed to open was closed, after running the manual exploit the port is open.

The next step was to telnet into port 6200, where the remote shell was running and run commands.

In conclusion, I was able to exploit one of the vulnerabilities in Metasploitable2. Next, I will look at some of the websites offered by Metasploitable, and look at other vulnerabilities in the server.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s