Metasploit

The document summarizes exploits attempted against the Metasploitable 2 virtual machine using Metasploit tools. Several exploits are demonstrated, including exploiting misconfigured r-services to gain remote access without authentication, exploiting unsecured NFS shares to mount a directory and copy an SSH key for access, exploiting backdoors in vsftpd, UnrealIRCD, and ingreslock by connecting to open ports, and exploiting unintended backdoors in distcc_exec and potentially Samba. The document provides screenshots of commands used and terminal outputs, showing successful exploitation in many cases. It concludes with lessons learned and a command history.


Metasploit

CSOL 570

Cameron Walters

2 - 17 - 2020

Contents

Synopsis
Rapid7 – Metasploitable 2 – Exploitability Guide
  Getting Started
    Kali Linux ifconfig
    Metasploitable Server ifconfig
  Services
  Unix Basics
  Backdoors
  Unintentional Backdoors
Lessons Learned
  Were you able to successfully exploit a vulnerability in Metasploitable?
  Where did you run into difficulties?
  What other methods not mentioned in the exercise might also be used to compromise
Command History
References

Metasploit

Synopsis
The primary goal of this document is to demonstrate exploits that are possible using Metasploitable and the Metasploit tools. It is a tutorial and my documented proof of attempting a few exploits from the “Rapid7 Metasploitable Exploitability Guide.” The guide includes a reconnaissance section using nmap, a section on basic Unix commands used to gather further information, then the exploitation of known, deliberately included backdoors and, finally, some unintentional backdoors. The assignment ends with a lessons-learned section and a command history, which lists the basic commands used to carry out the exploits from the guide.

Rapid7 – Metasploitable 2 – Exploitability Guide


Getting Started
The first step is to obtain the IP addresses of both the Kali Linux virtual machine (VM) and the Metasploitable 2 VM. Displayed below are two screenshots of the ifconfig output on each system, which show their respective IPs.

Kali Linux ifconfig:

Kali Linux IP Address: 10.10.1.16

Metasploitable Server ifconfig:

Metasploitable IP address: 10.10.1.10


Services
Now that we have the IP addresses of both the Kali VM and the Metasploitable 2 VM, we can gather additional information using the popular reconnaissance tool nmap. Our command is “nmap -p0-65535 10.10.1.10”. It scans the targeted Metasploitable 2 VM (10.10.1.10) on every port from 0 to 65535 and lists the services running on the open ports. Using the scan results, an attacker can look at each service and find out which version is running on that port, which then allows the attacker to discover whether there are any known exploits for the versions found. Below is a screenshot of the results of the nmap command.
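The defender's side of this step is reviewing the scan output and deciding what each open port means. The following is an added example (not code from the original report) that parses nmap's normal output and attaches a short exposure note to the ports this walk-through goes on to use. The scan excerpt is constructed to resemble the Metasploitable 2 scan; the port-to-service notes are assumptions drawn from the sections below, except 3632, which is distcc's well-known default port.

```python
"""Parse nmap normal output for open ports and triage them against the
services this walk-through singles out. Added example, not code from the
original report; the scan excerpt below is constructed."""
import re

# Matches nmap's "21/tcp   open  ftp" port lines (optional version column).
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Constructed excerpt of "nmap -p0-65535 10.10.1.10" output (assumed, not the real scan).
SAMPLE_NMAP = """\
Nmap scan report for 10.10.1.10
Host is up (0.00021s latency).
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1524/tcp open  ingreslock
2049/tcp open  nfs
3306/tcp open  mysql
3632/tcp open  distccd
6667/tcp open  irc
8180/tcp open  unknown
"""

# Defender's notes: what the port usually is and what to do about it.
EXPOSURE_NOTES = {
    512: ("r-services (rexec)", "disable rsh/rlogin/rexec; use SSH instead"),
    513: ("r-services (rlogin)", "disable; remove wildcard trust in .rhosts/hosts.equiv"),
    514: ("r-services (rsh)", "disable; use SSH instead"),
    21: ("vsftpd", "verify the build is not the backdoored 2.3.4 tarball; restrict or remove"),
    2049: ("NFS", "restrict /etc/exports to known clients, read-only, root_squash"),
    6667: ("UnrealIRCd", "verify the build against the upstream release; remove if unused"),
    1524: ("ingreslock backdoor shell", "unexpected listener; investigate and remove"),
    3632: ("distcc", "bind to localhost or firewall to trusted build hosts"),
    139: ("Samba", "disable wide links; make shares read-only where possible"),
    445: ("Samba", "disable wide links; make shares read-only where possible"),
    3306: ("MySQL", "bind to localhost; require strong credentials"),
    8180: ("Apache Tomcat (non-standard port)", "change default manager credentials; restrict access"),
}

def parse_open_ports(text):
    """Return [(port, proto, service)] for every line whose state is 'open'."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            found.append((int(m.group(1)), m.group(2), m.group(4)))
    return found

def triage(open_ports):
    """Pair each open port with its exposure note; ports without a note are skipped."""
    report = []
    for port, proto, service in open_ports:
        if port in EXPOSURE_NOTES:
            what, action = EXPOSURE_NOTES[port]
            report.append((port, service, what, action))
    return report

if __name__ == "__main__":
    for port, service, what, action in triage(parse_open_ports(SAMPLE_NMAP)):
        print(f"{port:>5}  {service:<12} {what:<36} -> {action}")
```

Run against a real `nmap` text file, the same parser works unchanged; the notes table is the part a team would maintain for its own environment.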


Unix Basics
Displayed below is a screenshot of “TCP ports 512, 513, and 514, which are also known as “r” services” (Rapid7, 2020). On the Metasploitable VM these “r” services have been misconfigured, and the misconfiguration allows remote access from any host without authentication or verification. This is the first exploit, and rlogin is all that is needed to break in. Using the command “rlogin -l root 10.10.1.10,” I was able to gain access to the server with ease. Below is a screenshot of the command being run.
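What makes rlogin work here is the trust configuration of the r-services: a wildcard entry in /etc/hosts.equiv or a user's ~/.rhosts lets any host log in without a password. The following added example (not code from the original report) audits those files for wildcard entries. The two sample files are constructed and only assumed to resemble what the VM ships with.

```python
"""Audit r-service trust files (/etc/hosts.equiv and ~/.rhosts) for wildcard
entries that let rlogin/rsh in from any host without a password. Added
example, not code from the original report; samples are constructed."""
from dataclasses import dataclass

@dataclass
class Finding:
    path: str
    lineno: int
    entry: str
    reason: str

def parse_trust_line(line):
    """Return (host, user) for one 'host [user]' entry, or None for blank
    and comment lines. A '+' in either field is the wildcard meaning 'any'."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = body.split()
    return fields[0], (fields[1] if len(fields) > 1 else "")

def audit_trust_file(path, text):
    """Return a Finding for every entry that trusts a wildcard host or user."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        parsed = parse_trust_line(line)
        if parsed is None:
            continue
        host, user = parsed
        entry = f"{host} {user}".strip()
        if host == "+" and user == "+":
            reason = "any user from any host is trusted: passwordless login for everyone"
        elif host == "+":
            reason = "any host is trusted" + (f" for user {user}" if user else "")
        elif user == "+":
            reason = f"any user on {host} is trusted"
        else:
            continue
        findings.append(Finding(path, lineno, entry, reason))
    return findings

# Constructed samples (assumed, not copied from the VM). hosts.equiv is never
# consulted for root; root's passwordless access comes from /root/.rhosts.
SAMPLE_ROOT_RHOSTS = "+ +\n"
SAMPLE_HOSTS_EQUIV = "# trusted build host\nbuild01.example.test\n+ admin\n"

def audit_samples():
    return (audit_trust_file("/root/.rhosts", SAMPLE_ROOT_RHOSTS)
            + audit_trust_file("/etc/hosts.equiv", SAMPLE_HOSTS_EQUIV))

if __name__ == "__main__":
    for f in audit_samples():
        print(f"{f.path}:{f.lineno}: '{f.entry}' -> {f.reason}")
```

On a real host, read each file with `open(path).read()` and pass it to `audit_trust_file`; the fix for any finding is to remove the wildcard entry and, better, to disable the r-services entirely in favour of SSH.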

The next exploit uses the Network File System (NFS) service. Using rpcinfo, we can display all the port information needed to make this attack vector work; looking at port 2049 directly gives us the exploit vector.

Using showmount, we can discover which share is being exported. Below are the results of running showmount to see which share is exported, which show that the root folder is being exported.


To exploit this vulnerability we will use SSH, but first we must create an RSA key pair that will authorize us to access the Metasploitable 2 VM. To do this, we run “ssh-keygen” and leave all the inputs blank for ease of use. Below is the command being run and the resulting key.


Now that our key has been created, we create a new directory, mount the exported share on it, and copy our SSH public key into the share so that it is accepted for authorization. Below is the list of commands that create the directory, mount the share, copy our key over, and then unmount it. The final step is to ssh to the system; the last lines of the screenshot below show us gaining access to the Metasploitable server using our SSH key.
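The whole NFS chain above depends on one line of /etc/exports: the root filesystem exported to every host, read-write, with no_root_squash, so a remote root user can write /root/.ssh/authorized_keys. The following added example (not code from the original report) parses an exports file and flags that condition, with a hardened line beside it. The exports text is constructed and only assumed to resemble the VM's.

```python
"""Audit /etc/exports for shares any host can mount writable and/or without
root squashing. Added example, not code from the original report; the
sample exports lines are constructed."""
import re
from dataclasses import dataclass, field

@dataclass
class Export:
    path: str
    clients: dict = field(default_factory=dict)  # client spec -> set of options

# One client spec is "host" or "host(opt1,opt2)", separated by whitespace.
CLIENT_RE = re.compile(r"(\S+?)(?:\(([^)]*)\))?(?=\s|$)")

def parse_exports(text):
    """Parse exports(5) lines into Export records; comments are stripped."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")
        exp = Export(path=path)
        rest = rest.strip()
        if not rest:
            exp.clients["*"] = set()  # no client list: exportfs exports to everyone
        for m in CLIENT_RE.finditer(rest):
            opts = m.group(2)
            exp.clients[m.group(1)] = {o.strip() for o in opts.split(",")} if opts else set()
        exports.append(exp)
    return exports

def risky_exports(exports):
    """Return (severity, path, client, options) for every export that any host
    ('*') can mount with write access and/or without root squashing."""
    findings = []
    for exp in exports:
        for client, opts in exp.clients.items():
            any_host = client == "*"
            writable = "rw" in opts
            root_kept = "no_root_squash" in opts
            if any_host and (writable or root_kept):
                severity = "critical" if (writable and root_kept) else "high"
                findings.append((severity, exp.path, client, sorted(opts)))
    return findings

# Constructed sample, modelled on the root share the showmount step revealed.
SAMPLE_EXPORTS = """\
# everything below is a constructed example
/ *(rw,sync,no_root_squash,no_subtree_check)
/srv/public 10.10.1.0/24(ro,sync)
"""
# The same host with the export restricted to one subnet, read-only, root squashed.
HARDENED_EXPORTS = "/srv/public 10.10.1.0/24(ro,sync,root_squash,no_subtree_check)\n"

if __name__ == "__main__":
    for sev, path, client, opts in risky_exports(parse_exports(SAMPLE_EXPORTS)):
        print(f"[{sev}] {path} exported to {client} with {','.join(opts)}")
    print("hardened:", risky_exports(parse_exports(HARDENED_EXPORTS)))
```

The severity rule is deliberately simple: exposure to every host plus either write access or retained root privilege is already a finding, and both together is the condition that hands over the machine.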


Backdoors
The next exploit uses a known backdoor in vsftpd, a popular FTP server. The interesting fact about this backdoor is that it was slipped into the codebase by an unknown user; it was caught very soon after, but not before some users had downloaded and used the backdoored code. To exploit it, we first telnet to the Metasploitable VM and enter a username with “:)” at the end; our example is “user backdoored:)”. This creates a listening shell on port 6200, which we then connect to. Displayed below is the first telnet connection using the happy face at the end of the username.

Now that the listening shell on port 6200 has been activated, we connect to it with telnet using the command “telnet 10.10.1.10 6200”; once it is executed in the terminal, we have access to the server.
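From the defender's side, this backdoor has a very recognisable signature on the wire: an FTP USER command containing “:)” followed shortly by a connection to TCP/6200 from the same client. The following added example (not code from the original report) runs that detection over a few constructed session events; the event format, timestamps and addresses are all assumptions.

```python
"""Detect the vsftpd backdoor trigger and follow-on shell connection from
session-level events. Added example, not code from the original report;
the event lines and their format are constructed."""
from datetime import datetime, timedelta

# Constructed events. Assumed format:
#   <ISO-8601 timestamp> <client ip> <server ip>:<server port> <payload>
EVENTS = """\
2020-02-17T10:12:01Z 10.10.1.16 10.10.1.10:21 USER alice
2020-02-17T10:12:05Z 10.10.1.16 10.10.1.10:21 PASS ********
2020-02-17T10:15:30Z 10.10.1.16 10.10.1.10:21 USER backdoored:)
2020-02-17T10:15:31Z 10.10.1.16 10.10.1.10:6200 <connect>
2020-02-17T10:16:00Z 10.10.1.20 10.10.1.10:6200 <connect>
"""

TRIGGER = ":)"     # the smiley that arms the backdoor
SHELL_PORT = 6200  # where the backdoor shell listens

def parse_event(line):
    """Split one event line into its fields; the timestamp becomes tz-aware."""
    ts, src, dst, payload = line.split(" ", 3)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src, "dst": dst_ip, "port": int(dst_port), "payload": payload,
    }

def detect_vsftpd_backdoor(text, window=timedelta(minutes=5)):
    """Return (kind, client, detail) alerts: 'trigger' for a smiley USER,
    'shell' for a 6200 connection within `window` of a trigger from the same
    client, and 'listener' for a 6200 connection with no trigger seen."""
    alerts = []
    armed = {}  # (client, server) -> time of the last trigger seen
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        key = (ev["src"], ev["dst"])
        if ev["port"] == 21 and ev["payload"].startswith("USER "):
            username = ev["payload"][len("USER "):]
            if TRIGGER in username:
                armed[key] = ev["ts"]
                alerts.append(("trigger", ev["src"],
                               f"FTP USER {username!r} contains {TRIGGER!r}"))
        elif ev["port"] == SHELL_PORT:
            armed_at = armed.get(key)
            if armed_at is not None and ev["ts"] - armed_at <= window:
                delay = int((ev["ts"] - armed_at).total_seconds())
                alerts.append(("shell", ev["src"],
                               f"connected to {SHELL_PORT} {delay}s after the trigger"))
            else:
                alerts.append(("listener", ev["src"],
                               f"connected to {SHELL_PORT} with no trigger seen: "
                               "backdoor may already be open"))
    return alerts

if __name__ == "__main__":
    for kind, client, detail in detect_vsftpd_backdoor(EVENTS):
        print(f"[{kind:<8}] {client}: {detail}")
```

The third event class matters in practice: once one client has armed the backdoor, the shell on 6200 stays open for anyone, so a connection to that port with no trigger in the window is still worth an alert.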


The next exploit uses msfconsole against port 6667, which runs the UnrealIRCd IRC daemon; msfconsole has a prebuilt exploit ready for it. First, we type msfconsole into the terminal to bring up the console. Below is the result of running the msfconsole command.

The next step is to select the prebuilt exploit unreal_ircd_3281_backdoor, set our Metasploitable VM as the target, and lastly run the exploit command. Below are the results of running the command; as you can see, we have gained access to the server through this exploit, which gave us a shell on the system.

The next backdoor is a straightforward and less subtle attack: the “ingreslock” backdoor. This backdoor listens on port 1524 and can easily be connected to with telnet. The command “telnet 10.10.1.10 1524” provides an easy backdoor into the system. Below are the results of running the command.


Unintentional Backdoors
The last section covers unintentional backdoors: presumably safe services that, by their nature, provide a backdoor instead. The first exploit demonstrated is “distcc_exec,” against the distcc service installed on Metasploitable 2. To exploit it, we enter msfconsole again, navigate to the distcc_exec exploit, set the Metasploitable VM as the target, and run the exploit. Below is the result of running the exploit; at the end is the very same shell we have seen in the previous exploits.

The final exploit on the virtual server is the attack on Samba, which “when configured with a writeable file share and "wide links" enabled (default is on), can also be used as a backdoor of sorts to access files that were not meant to be shared” (Rapid7, 2020). To demonstrate this, we attempt to connect to the VM using “smbclient -L //10.10.1.10”. However, this attempt did not work. I tried to look into the issue and was still unable to connect to the server using the command, as the screenshot below shows.

Nevertheless, I tried to use the Metasploit console, “msfconsole,” to attack the service. I was able to use the prebuilt exploit against the server. However, I was unable to successfully demonstrate the exploit after many attempts and looking into possible problems.
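The condition quoted from the Rapid7 guide is a configuration check a defender can automate: a writable share while `wide links` is on lets a symlink created inside the share resolve to files outside it. The following added example (not code from the original report) audits an smb.conf for that combination, showing the weak configuration beside a hardened one. Both configurations are constructed, and the assumed default of `wide links = yes` when the option is unset is taken from the guide's remark that the default is on.

```python
"""Flag writable Samba shares while 'wide links' is enabled. Added example,
not code from the original report; both configurations are constructed."""
import configparser

# Constructed: the weak combination the guide describes.
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   wide links = yes
   unix extensions = no

[tmp]
   path = /tmp
   writable = yes
   guest ok = yes
"""

# Constructed: wide links off, share read-only, no guest access.
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   wide links = no

[tmp]
   path = /tmp
   read only = yes
   guest ok = no
"""

def _truthy(value):
    return str(value).strip().lower() in ("yes", "true", "1")

def load_smb_conf(text):
    """smb.conf is INI-shaped; options are case-insensitive and may repeat."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   empty_lines_in_values=False)
    cp.read_string(text)
    return cp

def share_is_writable(cp, share):
    """Samba spells it 'writable', 'writeable', 'write ok' or 'read only = no';
    the default is read only."""
    for key in ("writable", "writeable", "write ok"):
        if cp.has_option(share, key):
            return _truthy(cp.get(share, key))
    if cp.has_option(share, "read only"):
        return not _truthy(cp.get(share, "read only"))
    return False

def wide_links_enabled(cp, default=True):
    """Value of [global] 'wide links'; assumed on when unset (per the guide)."""
    if cp.has_option("global", "wide links"):
        return _truthy(cp.get("global", "wide links"))
    return default

def audit_smb_conf(text):
    """Return (share, description) for every writable share when wide links is on."""
    cp = load_smb_conf(text)
    findings = []
    if not wide_links_enabled(cp):
        return findings
    for share in cp.sections():
        if share == "global" or not share_is_writable(cp, share):
            continue
        guest = _truthy(cp.get(share, "guest ok", fallback="no"))
        path = cp.get(share, "path", fallback="?")
        findings.append((share, f"writable share on {path} with wide links on"
                                + (", guest access" if guest else "")))
    return findings

if __name__ == "__main__":
    print("weak:", audit_smb_conf(WEAK_SMB_CONF))
    print("hardened:", audit_smb_conf(HARDENED_SMB_CONF))
```

The narrow fix is `wide links = no` in [global]; making the share read-only and removing guest access closes the other two conditions the guide's sentence depends on.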

Lessons Learned
Were you able to successfully exploit a vulnerability in Metasploitable?

I was able to exploit a vulnerability in Metasploitable successfully; in fact, I was able to exploit multiple vulnerabilities. Some required some additional research beyond following the Rapid7 guide.

Where did you run into difficulties?

I ran into difficulties when applying the Samba exploit. I believe this is possibly due to an improper version of the smb-client. I was searching around to find additional information, and what the problem points to is a problem with the current version of my Kali Linux distro. I could either roll back or possibly update and see if a fix is in place. However, I believe my only option is to roll back, as there is no fix reported in the current patch notes.

What other methods not mentioned in the exercise might also be used to compromise

There are numerous additional exploits in the Metasploitable 2 VM. For every port, there are possibly multiple attack vectors on each connection that could provide an attacker a way in. There are attacks on port 3306, which comprise a MySQL attack on the database. There is an attack on port 8180 on the Apache Tomcat service, for which msfconsole already has a prebuilt exploit command ready and waiting.


Command History
Below is my command history from running through all the exploits listed above.

References
Rapid7. (2020). Metasploitable 2 Exploitability Guide. Retrieved February 15, 2020, from https://metasploit.help.rapid7.com/docs/metasploitable-2-exploitability-guide

StuffWithAurum. (2015, July 14). Metasploitable 2 Walkthrough: An Exploitation Guide. Retrieved February 15, 2020, from https://www.stuffwithaurum.com/2015/06/14/metasploitable-2-walkthrough-an-exploitation-guide/
