
Metasploit

Sabrina Toubbeh

CSOL 570

2 August 2021
Overview

This week’s assignment will cover Metasploitable 2 and exploiting the purposefully built-in weaknesses of the virtual machine (VM). I will be following the Rapid7 tutorial on Metasploitable to execute this lab. The first section of this assignment will go over the vulnerability exploits found and how they were discovered. The second section will simply show the history of commands used within Kali Linux that demonstrate successful exploits.

After reading the entire Rapid7 tutorial before starting, I went ahead and downloaded all the required tools that are needed in this lab. I ran “apt-get install rsh-client”, “apt-get install nfs-common”, and “apt-get install rpcbind”.

Following the guide, we log in to Metasploitable and run ifconfig to get its IP address. Next, we go into Kali and run Nmap on the IP address 192.168.56.237 to see which open ports are vulnerable.
After discovering attack vectors, we run the rlogin -l root 192.168.56.237 command (which required installation of the rsh-client). This gave us remote access to root on the Metasploitable OS without a username or password.


Next, by running rpcinfo -p 192.168.56.237 we can see all the remote procedure calls (RPC) being made. Then, by running showmount -e 192.168.56.237, we can see the root directory being exported.
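The export that showmount reveals above is the real finding for a defender: the root filesystem is handed to every client. The following is an added example, not part of the lab report, that audits `showmount -e` output or an /etc/exports file for exactly that pattern (world export, export of "/", and the no_root_squash option). The sample inputs are constructed to mirror the lab host.

```python
"""Added example, not from the lab report: audit NFS exports for the
misconfiguration showmount reveals on Metasploitable 2, the root filesystem
exported to every client. Accepts `showmount -e` output or /etc/exports text.
All sample input here is constructed."""
import re

# Client specs that showmount / exports use for "no restriction".
WORLD = {"*", "(everyone)"}

# Constructed: what `showmount -e 192.168.56.237` prints when "/" is exported to everyone.
SAMPLE_SHOWMOUNT = """Export list for 192.168.56.237:
/ *
"""

# Constructed /etc/exports: one narrowly scoped export and one that mirrors the lab host.
SAMPLE_EXPORTS = """# /etc/exports (constructed sample)
/srv/share 192.168.56.0/24(ro,root_squash)
/ *(rw,sync,no_root_squash)
"""


def parse_showmount(text):
    """Return (path, client) pairs from `showmount -e` output; the header line is skipped."""
    pairs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 1)
        if len(parts) == 2:
            for client in parts[1].split(","):
                pairs.append((parts[0], client.strip()))
    return pairs


def parse_exports(text):
    """Return (path, client, options) triples from /etc/exports-style text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs or ["*"]:          # a path with no client spec is open to all
            m = re.fullmatch(r"([^()]*)(?:\(([^)]*)\))?", spec)
            if not m:
                continue
            client = m.group(1) or "*"        # "(rw)" alone also means every client
            options = {o for o in (m.group(2) or "").split(",") if o}
            entries.append((path, client, options))
    return entries


def audit(entries):
    """Return one finding string per risky entry; entries may be pairs or triples."""
    findings = []
    for entry in entries:
        path, client = entry[0], entry[1]
        options = entry[2] if len(entry) > 2 else set()
        reasons = []
        if client in WORLD:
            reasons.append("exported to every client")
        if path == "/":
            reasons.append("exports the root filesystem")
        if "no_root_squash" in options:
            reasons.append("no_root_squash lets a remote root write as root")
        if reasons:
            findings.append(f"{path} -> {client}: " + "; ".join(reasons))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_showmount(SAMPLE_SHOWMOUNT)) + audit(parse_exports(SAMPLE_EXPORTS)):
        print(finding)
```

Run it against `showmount -e <host>` output captured from a lab host, or against the host's own /etc/exports; any finding that mentions "/" or no_root_squash is the condition that lets the rest of this lab plant a key as root.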

Next, we generate an SSH key on our system and write the contents of our public key into the authorized_keys file in the .ssh folder of root on Metasploitable.
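The step above leaves a durable artifact on the victim: an extra line in root's authorized_keys. As an added example (not from the lab report), the script below computes OpenSSH-style SHA256 fingerprints for each key in an authorized_keys file and reports any key whose fingerprint is not on an allowlist, which is the check a defender would run after an incident like this one. The key lines are constructed placeholders whose "blobs" are just base64 text, not real keys.

```python
"""Added example, not from the lab report: detect a planted SSH key by
comparing root's authorized_keys against an allowlist of fingerprints.
Fingerprints use OpenSSH's SHA256 form (sha256 of the decoded key blob,
base64 without padding), the same text `ssh-keygen -lf` prints.
The keys below are constructed placeholders, not real keys."""
import base64
import hashlib


def fake_key_line(kind, label):
    """Constructed authorized_keys-shaped line whose blob is just the label's bytes."""
    blob = base64.b64encode(label.encode()).decode()
    return f"{kind} {blob} {label}@lab"


def fingerprint(line):
    """Return 'SHA256:<digest>' for one authorized_keys line."""
    fields = line.split()
    # Options may precede the key type, e.g. from="10.0.0.1" ssh-ed25519 AAAA... comment
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
            raw = base64.b64decode(fields[i + 1])
            digest = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
            return "SHA256:" + digest
    raise ValueError("no key found in line")


def unexpected_keys(authorized_keys_text, allowed_fingerprints):
    """Return (fingerprint, comment) for every key that is not on the allowlist."""
    findings = []
    for raw in authorized_keys_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fp = fingerprint(line)
        if fp not in allowed_fingerprints:
            findings.append((fp, line.split()[-1]))
    return findings


# Constructed: the administrator's approved key and a key planted over the NFS export.
ADMIN_KEY = fake_key_line("ssh-ed25519", "admin-key")
PLANTED_KEY = fake_key_line("ssh-rsa", "kali-key")
SAMPLE_AUTHORIZED_KEYS = "# root's authorized_keys (constructed)\n" + ADMIN_KEY + "\n" + PLANTED_KEY + "\n"
ALLOWED = {fingerprint(ADMIN_KEY)}

if __name__ == "__main__":
    for fp, who in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED):
        print(f"unexpected key {fp} ({who})")
```

In practice the allowlist is built once from `ssh-keygen -lf` over the keys you issued, and the check runs on a schedule or from a file-integrity monitor, because a key written through an NFS mount never touches sshd and leaves no login log until it is first used.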


Metasploitable Backdoors

The telnet backdoor requires a user to log in with a username that ends in ‘:)’. After entering the username ‘user backdoored:)’, the backdoor opens a listening port on 6200.


Metasploitable runs the UnrealIRCd IRC daemon on port 6667. It is triggered by sending the letters “AB” followed by a system command to the server on any listening port. I was able to connect to Metasploitable on port 6667 through the UnrealIRCd IRC daemon. The guide does not show the steps, but I had to set LHOST and the payload before exploiting.

There is also a backdoor known as the “ingreslock” backdoor, which listens on port 1524. Once you get in, it grants root access.
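The Nmap scan at the start of the lab and the backdoor ports listed above can be combined into a simple inventory check. Here is an added example, not from the lab report, that parses Nmap's greppable output (`nmap -oG`) and flags the open services this report goes on to exploit, so an administrator can confirm such a host never appears on a network it should not. The ports come from the report (21, 1524, 6200, 6667, rlogin, NFS, Samba, distccd), with their well-known default port numbers filled in; the scan line is constructed, not captured.

```python
"""Added example, not from the lab report: read `nmap -oG` (greppable) output
and flag listening services that this report exploits, so they can be
disabled or firewalled. Port-to-service mapping uses well-known defaults;
the scan text below is a constructed sample, not a real capture."""

# Port -> why it matters, for the services the report exploits.
RISKY_PORTS = {
    21: "service with the ':)' username backdoor (report: telnet 192.168.56.237 21)",
    111: "rpcbind, exposes mountd/NFS (report: rpcinfo -p)",
    139: "Samba (NetBIOS session)",
    445: "Samba, writable anonymous share",
    512: "rexec (r-services, no real authentication)",
    513: "rlogin (report: rlogin -l root without a password)",
    514: "rsh (r-services)",
    1524: "ingreslock backdoor shell",
    2049: "NFS, root filesystem exported to everyone (report: showmount -e)",
    3632: "distccd, runs compiler jobs and commands from any client",
    6200: "shell opened by the ':)' backdoor",
    6667: "UnrealIRCd backdoor",
}

# Constructed sample of `nmap -oG -` output for the lab host (service names only, no versions).
SAMPLE_GREPPABLE = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.168.56.237 ()\tStatus: Up\n"
    "Host: 192.168.56.237 ()\tPorts: 21/open/tcp//ftp//vsftpd/, "
    "22/open/tcp//ssh//OpenSSH/, "
    "513/open/tcp//login//rlogind/, "
    "1524/open/tcp//bindshell//root shell/, "
    "2049/open/tcp//nfs//nfs/, "
    "6667/open/tcp//irc//UnrealIRCd/\tIgnored State: closed (994)\n"
)


def parse_greppable(text):
    """Return {port: (state, service, version)} for TCP entries in nmap -oG output.

    Greppable entries look like port/state/proto/owner/service/rpc/version/,
    separated by ", " inside the tab-delimited 'Ports:' field."""
    found = {}
    for line in text.splitlines():
        if "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")
            if len(parts) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            if proto == "tcp":
                found[int(port)] = (state, service, version)
    return found


def flag_risky(found):
    """Return sorted (port, service, reason) for open ports that appear in RISKY_PORTS."""
    hits = []
    for port, (state, service, _version) in sorted(found.items()):
        if state == "open" and port in RISKY_PORTS:
            hits.append((port, service, RISKY_PORTS[port]))
    return hits


if __name__ == "__main__":
    for port, service, reason in flag_risky(parse_greppable(SAMPLE_GREPPABLE)):
        print(f"{port}/tcp {service}: {reason}")
```

Feed it the file written by `nmap -p0-65535 -oG scan.gnmap <host>` for a host you administer; port 22 is reported by the parser but not flagged, since SSH itself is not one of the services the lab abuses.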


Unintentional Backdoors

The service distccd is running on the Metasploitable OS and is a backdoor by nature. The program makes it easy to scale large compiler jobs. Unfortunately, this service can be easily abused by an attacker to run a command of their choice. I will go ahead and use the Metasploitable toolset that has the exploit script ready to use. I got the same error as before and had to set LHOST and the payload in order for it to run.

Another unintentional backdoor is the Samba file-sharing service, which can be used to access files that were not meant to be shared. I am going to use the Metasploitable module to gain root access to the filesystem using an anonymous connection and a writable share.


The first step is to write over the current file. Under global, I added “client min protocol = CORE” and “client max protocol = SMB3” (HackerBiTech, 2020).

After exploiting Samba, I got access to the root filesystem using an anonymous connection and a writable share.
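The smb.conf change above lowers the Kali client's protocol floor to CORE so it can talk to the old Samba on Metasploitable; left in place on a day-to-day client it would accept SMB1 from any server. As an added example, not from the lab report or the cited video, the checker below parses the [global] section of an smb.conf, compares "client min protocol" against Samba's dialect order, and shows the weak setting next to a corrected one. The two configs are constructed.

```python
"""Added example, not from the lab report: flag an smb.conf whose
'client min protocol' sits below SMB2, and show the corrected value.
The dialect order is Samba's own; both config texts below are constructed."""

# Samba dialects from oldest to newest (CORE is the pre-LAN Manager protocol).
PROTOCOLS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
             "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}  # Samba maps SMB2/SMB3 to their newest dialect
SAFE_FLOOR = "SMB2_02"                             # lowest dialect without SMB1's weaknesses

# Constructed: the lab change from the report, and the corrected form.
WEAK_CONF = """[global]
   workgroup = WORKGROUP
   client min protocol = CORE
   client max protocol = SMB3
"""
FIXED_CONF = """[global]
   workgroup = WORKGROUP
   client min protocol = SMB2_02   ; corrected: refuse SMB1 and older
   client max protocol = SMB3
"""


def parse_global(text):
    """Return the [global] section as {key: value}; keys lowercased with spaces removed,
    the way Samba itself normalizes parameter names. '#' and ';' start comments."""
    section, options = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            options[key.replace(" ", "").lower()] = value.strip()
    return options


def rank(dialect):
    """Position of a dialect name in PROTOCOLS; aliases resolved, case ignored."""
    name = ALIASES.get(dialect.strip().upper(), dialect.strip().upper())
    if name not in PROTOCOLS:
        raise ValueError(f"unknown SMB dialect: {dialect}")
    return PROTOCOLS.index(name)


def check_client_floor(conf_text):
    """Return (current, recommended, ok) for 'client min protocol' in [global].

    A missing setting is treated as SMB2_02, Samba's default floor (assumed here)."""
    current = parse_global(conf_text).get("clientminprotocol", "SMB2_02")
    return current, SAFE_FLOOR, rank(current) >= rank(SAFE_FLOOR)


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        current, recommended, ok = check_client_floor(conf)
        print(f"{label}: client min protocol = {current} -> {'ok' if ok else 'raise to ' + recommended}")
```

If the old lab server really must be reached, lower the floor only for that session (`smbclient --option='client min protocol=NT1'` style overrides exist) and leave the file-wide setting at SMB2_02 or higher.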
Vulnerable Web Services

Metasploitable has deliberately vulnerable web applications. You can access them by opening a web browser and entering “http://<IP>”. My Metasploitable IP address is 192.168.56.237.


History of Commands in Kali

This is the history of some of the commands I used to complete this exercise. A few were missing, so I went ahead and added them at the bottom.

rlogin -l root 192.168.56.237            # password-less root login over rlogin
nmap -p0-65535 192.168.56.237            # full TCP port scan of the target
rpcinfo -p 192.168.56.237                # list registered RPC services (space after -p)
showmount -e 192.168.56.237              # list NFS exports
ssh-keygen                               # generate the key pair whose public half goes into authorized_keys
mkdir /tmp/r00t                          # mount point for the exported root filesystem
mount -t nfs 192.168.56.237:/ /tmp/r00t/ # mount host:/ on the mount point (history had the two run together)
umount /tmp/r00t/                        # unmount when done (history had "unmount", which is not a command)
telnet 192.168.56.237 21                 # trigger the ':)' username backdoor
telnet 192.168.56.237 6200               # connect to the shell it opens
telnet 192.168.56.237 1524               # ingreslock backdoor
msfconsole                               # Metasploit console for the distccd and Samba modules
References

Metasploitable 2 Exploitability Guide. (n.d.). Retrieved from https://docs.rapid7.com/metasploit/metasploitable-2-exploitability-guide/

Paul, J. (n.d.). How to close telnet terminal in Linux and Windows (quit, exit not working)? Example. Javarevisited. https://javarevisited.blogspot.com/2016/06/how-to-close-telnet-terminal-in-linux-windows-quite-exit-not-working.html#axzz728JbwsTq

Working with active and passive exploits in Metasploit. (n.d.). Retrieved from https://www.offensive-security.com/metasploit-unleashed/exploits/

“SMB Client Error Fixed.” YouTube. Uploaded by HackerBiTech, 11 May 2020. https://www.youtube.com/watch?v=IU_jCaMjvaI
