Metasploitable – Gaining Root on a Vulnerable Linux System
As I mentioned in my previous post, Metasploitable is a purposefully vulnerable Ubuntu 8.04 image that is running several unpatched services. Metasploitable is a great platform to practice and develop your penetration testing skills. In this tutorial, I will show you how to scan the system, find one of the vulnerable services and then exploit the service to gain root access.
On your Backtrack system, run the Metasploit console.
(From the GUI menu -Backtrack/Exploitation Tools/Network Exploitation Tools/Metasploit Framework/Msfconsole)
Scan the host
First thing we will do is scan the target (192.168.0.117 in this case) with nmap:
The -Ss option tells nmap to perform a stealth scan, the -A option tells it to try to discover OS and service version levels. As you can see from the above picture, several services are running on multiple ports. If you notice, you will see this box is running Samba on ports 139 and 445. Samba provides SMB file and print services for Windows clients.
In this tutorial we will focus on the Samba service. Nmap says it is running version 3.x, let’s see if we can get more specific information. Metasploit has some amazing auxiliary modules, one section being the scanner section. Let’s search the scanner section for the SMB Protocol:
Looks like the scanner section has a SMB version detector. In the picture above, I select and run the SMB detector program. The program responds with the exact version of Samba – 3.0.20.
Doing a online quick search for vulnerabilities for this version of Samba returns “Username Map Script”. If we use the “search samba” command in Metasploit it lists available exploits.
An exploit exists for “Username Map Script” and it has a rating of excellent, which means it is very solid and reliable exploit.
Now we will use the “Username Map Script” to gain a root level shell on the system:
In the picture above, we simply chose the exploit to use, configured it with the target address, 192.168.0.117, then told it to run the exploit. The exploit ran the exploit against the system, created a remote session with the target and opens up a command shell. As you can see, I ran the “id” command in the remote shell and it returned:
We do in fact have a remote access root command shell with the target machine.
There you have it, a remote root shell from a vulnerable Linux service. In a real world situation, the attacker would then make moves to recover data from the machine (passwords, documents, etc), and possibly use this machine to penetrate deeper into the target network.
As you can see, if software updates are not done on your system (OS manufacturer does not matter) your system could be at risk of being compromised. And as always, do not try these techniques on a system that you do not have permission to do so.
For a more involved series of tutorials on compromising all the services of Metasploitable (and tons of other great Linux Security info), check out the Metaploitable series done by my friend Dangertux. Dangertux is an amazing Linux/Unix security guru that has probably forgotten more about Linux security than I will ever know.
~ by D. Dieterle on April 25, 2012.