Obtaining Remote Access Using SSH Keys

The basic idea behind this type of exploit is to copy your SSH keys into the remote machine's list of authorized keys. It requires write access to the remote filesystem.

On the attacker machine, the public key is located in ~/.ssh/id_rsa.pub.

Using a remote shell on metasploitable, or by taking advantage of backdoors, or by mounting the remote filesystem using an exploit, gain write access to the victim's machine. Then copy the public key into /root/.ssh/authorized_keys, and you'll have passwordless root access.

If you have write access to a filesystem, this technique can turn that write access into remote shell access without cracking the root password.

Then you'll be able to log in like this:

# ssh root@10.0.0.27
Last login: Tue Mar 22 20:26:16 EDT 2016 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
root@metasploitable:~#

Flags

Metasploit

any and all resources related to metasploit on this wiki

MSF - on the metasploit framework generally

Category:Metasploit - pages labeled with the "Metasploit" category label

MSF/Wordlists - wordlists that come bundled with Metasploit

MSFVenom - msfvenom is used to craft payloads

Meterpreter - the shell you'll have when you use MSF to craft a remote shell payload.

Category:Security · Category:Metasploit · Category:Kali

Flags · Template:MetasploitFlag · e

Metasploitable: The Red Team

Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the RED TEAM's tools and routes of attack.

Metasploitable Databases:

Exploiting MySQL with Metasploit: Metasploitable/MySQL

Exploiting PostgreSQL with Metasploit: Metasploitable/Postgres

Metasploitable Networking:

Exploiting VSFTP Backdoor: Metasploitable/VSFTP

SSH Penetration by Brute Force: Metasploitable/SSH/Brute Force

SSH Penetration with Keys: Metasploitable/SSH/Keys

SSH Penetration with Metasploit: Metasploitable/SSH/Exploits

Brute-Forcing /etc/shadow File: Metasploitable/John Shadow File

Exploiting NFS: Metasploitable/NFS

Exploiting DNS Bind Server: Metasploitable/DNS Bind

Metasploitable Services:

distcc: Metasploitable/distcc

Metasploitable Apache:

Exploiting Apache (with Metasploit): Metasploitable/Apache

Exploiting Apache (with Python): Metasploitable/Apache/Python

Tor's Hammer DoS Attack: Metasploitable/TorsHammer *

Apache DAV: Metasploitable/Apache/DAV *

Apache Tomcat and Coyote: Metasploitable/Apache/Tomcat and Coyote

Metasploitable Memory:

General approach to memory-based attacks: Metasploitable/Memory

Investigating memory data: Metasploitable/Volatile Data Investigation

Dumping Memory from Metasploit: Metasploitable/Dumping Memory

Metasploitable Fuzzing:

(Have not done much work on fuzzing Metasploitable...)

Fuzzing · American Fuzzy Lop

Category:Security · Category:Metasploit · Category:Metasploitable · Category:Kali

Flags · Template:MetasploitableRedTeamFlag · e

Metasploitablue: The Blue Team

Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the BLUE TEAM's methods for defending Metasploitable: defending against and responding to intrusions.

Hence the name, Metasploita-blue.

Overview: Metasploitable/Defenses

Metasploitable/Defenses/Stopping · Metasploitable/Defenses/Detecting

Metasploitable On-Machine Defenses:

Linux Volatile Data System Investigation: Metasploitable/Volatile Data Investigation

Linux Artifact Investigation: Metasploitable/Artifact Investigation

Linux Iptables Essentials: Metasploitable/Iptables

Firewall Assurance and Testing: Metasploitable/Firewall

Password Assessment: Metasploitable/Password Assessment

Standard Unix Ports: Unix/Ports

Metasploitable Networking Defenses:

Netcat and Cryptcat (Blue Team): Metasploitable/Netcat and Metasploitable/Cryptcat