Metasploitable – Gaining Root on a Vulnerable Linux System

As I mentioned in my previous post, Metasploitable is a purposefully vulnerable Ubuntu 8.04 image that is running several unpatched services. Metasploitable is a great platform to practice and develop your penetration testing skills. In this tutorial, I will show you how to scan the system, find one of the vulnerable services and then exploit the service to gain root access.

In this tutorial I am using a system running Backtrack 5r2 and the Ubuntu Metasploitable VMWare image.

On your Backtrack system, run the Metasploit console.

(From the GUI menu: Backtrack / Exploitation Tools / Network Exploitation Tools / Metasploit Framework / Msfconsole)

Scan the host

The first thing we will do is scan the target (192.168.0.117 in this case) with nmap:

The -sS option tells nmap to perform a stealth (SYN) scan, and the -A option tells it to try to discover the OS and service version levels. As you can see from the above picture, several services are running on multiple ports. Notice that this box is running Samba on ports 139 and 445. Samba provides SMB file and print services for Windows clients.

In this tutorial we will focus on the Samba service. Nmap only says it is running version 3.x, so let's see if we can get more specific information. Metasploit has some amazing auxiliary modules, one section being the scanner section. Let's search the scanner section for the SMB protocol:

It looks like the scanner section has an SMB version detector. In the picture above, I select and run the SMB detector module. It responds with the exact version of Samba: 3.0.20.

A quick online search for vulnerabilities in this version of Samba returns "Username Map Script". If we use the "search samba" command in Metasploit, it lists the available exploits.

An exploit exists for "Username Map Script" and it has a rating of excellent, which means it is a very solid and reliable exploit.
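The scan-then-fingerprint step above is also how a defender triages their own hosts: parse the nmap version banners, flag Samba listeners whose version falls in the range affected by the "username map script" issue, and mark banners that only say "3.X" as needing the closer SMB version probe. This is an added example, not code from the post; the nmap output is constructed to resemble the scan shown, and the affected range (3.0.20 up to, but not including, the fixed 3.0.25rc3) is an assumption to verify against the vendor advisory.

```python
import re

# Constructed sample of `nmap -sS -A` normal output, modelled on the scan in
# this post (not the post's actual screenshot). Only the port table matters.
NMAP_OUTPUT = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.1
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
# Samba versions are three-part; "3.X" deliberately does not match.
SAMBA_VER = re.compile(r"Samba smbd (\d+\.\d+\.\d+(?:rc\d+)?)")

# Assumed affected range for the "username map script" issue: from 3.0.20
# up to but not including 3.0.25rc3. Check this against the vendor advisory.
AFFECTED_LOW = "3.0.20"
FIXED = "3.0.25rc3"


def version_key(ver):
    """Turn '3.0.25rc3' into a sortable tuple; a final release sorts after its rcs."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:rc(\d+))?$", ver)
    nums = tuple(int(x) for x in m.group(1).split("."))
    rc = int(m.group(2)) if m.group(2) else float("inf")  # final > any rc
    return nums, rc


def parse_services(nmap_text):
    """Yield (port, proto, service, version banner) for each open-port line."""
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4).strip()


def assess_samba(nmap_text):
    """Map each Samba port to 'affected', 'patched' or 'unresolved'.

    'unresolved' means nmap only reported a major version (e.g. 'Samba smbd 3.X'),
    so an SMB version probe is needed before deciding."""
    findings = {}
    for port, _proto, _svc, banner in parse_services(nmap_text):
        if "Samba" not in banner:
            continue
        m = SAMBA_VER.search(banner)
        if not m:
            findings[port] = "unresolved"
            continue
        key = version_key(m.group(1))
        affected = version_key(AFFECTED_LOW) <= key < version_key(FIXED)
        findings[port] = "affected" if affected else "patched"
    return findings


if __name__ == "__main__":
    for port, status in sorted(assess_samba(NMAP_OUTPUT).items()):
        print(f"{port}/tcp Samba: {status}")
```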

Exploiting

Now we will use the “Username Map Script” to gain a root level shell on the system:

In the picture above, we simply chose the exploit to use, configured it with the target address, 192.168.0.117, and then told Metasploit to run it. Metasploit ran the exploit against the system, created a remote session with the target and opened a command shell. As you can see, I ran the "id" command in the remote shell and it returned:

uid=0(root) gid=0(root)

We do in fact have a remote root command shell on the target machine.

Conclusion

There you have it, a remote root shell from a vulnerable Linux service. In a real world situation, the attacker would then make moves to recover data from the machine (passwords, documents, etc), and possibly use this machine to penetrate deeper into the target network.

As you can see, if software updates are not applied to your system (the OS manufacturer does not matter), your system could be at risk of being compromised. And as always, do not try these techniques on a system that you do not have permission to test.

For a more involved series of tutorials on compromising all the services of Metasploitable (and tons of other great Linux security info), check out the Metasploitable series done by my friend Dangertux. Dangertux is an amazing Linux/Unix security guru who has probably forgotten more about Linux security than I will ever know.


~ by D. Dieterle on April 25, 2012.
