Metasploitable VM is vulnerable by design Linux box provided by Rapid7 to practice Metasploit framework. You can download it from vulnhub. I used Kali box and VMWare Player for this exercise also made sure that both VMs are set to host-only.
Now the purpose of Metasploitable is to find a way to root the box, and there are number of ways to do that, but it depends on your approach. It took me 3 exploits to r00t the box and am gona go thru all of them in the following section.
Fire up nmap to see what we have here.
Well, you can see there is a lot you can go after over here but am gona go with the easiest just because I’m lazy.
I’ll go after distccd v1 even though I don’t really know what it does. so I fired metasploit and searched for distccd and I was able to get shell with daemon privilege.
However, we’re shooitng for r00t.
Next, I looked for postgres exploits and found one with excellent rating but you’d have to have username n password so I fired up Metasploit postgres login scanner and got hit on postgres:postgres, and then used it to exploit.
Again no rØØt shell. On to the next one.
Looked for all Samba exploits with excellent and Linux filter which lead me to usermap_script and BOOM! I got r00t shell.
Finally decided to copy shadow and passwd hashes and give it a try, below are the list of usernames and passwords that John the Ripper cracked.
In this blog, we’re going walkthrough how to get root shell on Kioptrix Level 1 VM. First things first, after downloading/importing VM, make sure that its network settings set to host-only as well as; your Kali box. without further ado, let’s get right to it.
Fire up nmap and kick-off an intensive scan
Looks like its running apache test webpage on port 80 & 443, ssh on port 22, NetBIOS-ssn on port 139, and rpcbind on port 111
Fire up dirb and see if we can get anything interesting
Well, turns out there is nothing useful on the webpage.
Tried to look for any mountable shares with no luck, but then I threw enum4linux at it and got bunch of interesting information. The one that stuck out for me was VM is using Samba 2.2.1a which I know for a fact there is metasploit module for it (CVE-2003-201).