All right, we have been having some real fun playing with Metasploitable 2. We found a vulnerable service, exploited it and now have root access, but what else can we do? Sure we have god-like rights on this box, but it would be nice to know the existing users and their passwords. In a pentest, these could be used to gain access to other servers and boxes.
Let’s take a look at grabbing the passwords from the Linux box and cracking them, then we will take a look at a new way to search for web app vulnerabilities using the popular command line tool, Grep.
My friend Dangertux created an exceptional tutorial on the first version of Metasploitable, and cracking the Linux password files. Let’s step through this with Metasploitable 2.
Cracking Linux Passwords
(As always, these techniques are for security professionals only; do not attempt to connect to a machine or network that you do not have permission to access. Doing so could cost you your job and you could wind up in jail!)
We already have root level access from the past tutorial. So all we need now is to recover the password hashes and then crack them. Simply run the cat command on the /etc/passwd file:
Now just copy the text from this file to your Backtrack system by simply selecting the text with the mouse and copying it into an identically named text file in a local temporary directory, like /root/passwords.
Here is a screenshot of the passwd file data that was copied and pasted into a Gedit text file:
Now just do the same exact thing with the “shadow-” file. You should now have two text files, /root/passwords/passwd and /root/passwords/shadow- on your local Backtrack system.
Next we need to take both newly created text files and run the “Unshadow” command on them from the John the Ripper utilities. This command takes the files and places them into a single file (passwords.db) that John the Ripper can crack:
Okay, now that we have the combined “passwords.db” file, we can unleash John the Ripper on it to attempt to retrieve passwords:
And there we go, we now have 6 user names and passwords.
- sys/ batman
- klog/ 1234567898
- msfadmin/ msfadmin
- postgres/ postgres
- user/ user
- service/ service
Hmm… Looks like the administrator of the box used simple passwords, not a good idea.
And there you go, because we had a root shell, we were able to grab the Linux password hashes from the system by simply copying them and pasting them on our local machine. We were then able to use John the Ripper to crack them. We now have 6 passwords to play with.
If you took a good look at the Metasploit service scanner programs mentioned in an earlier tutorial, you probably noticed some had a place to set usernames and passwords. How cool would it be to just feed our newly cracked passwords into these scanners and unleash them on the Metasploitable box?
Also, since admins often use the same passwords on other boxes, we could use the same scanners to target the whole network address space to see how many other machines we could get access to!
All from one old service that was not updated…
Pentesting with Grep
One last thing, while we still have our root shell on the Metasploitable machine. During the port scan it seemed that this machine was also a web server. Wouldn’t it be cool to be able to check from the command prompt to see if the box also had vulnerable web applications?
Well, we can! Thanks to an article by “Shipcode” on Rootcon, we can look for common web vulnerabilities and even backdoors by simply using the Grep command!
grep -Rn "shell_exec *(" /var/www
This searches the web server directory and returns any files that contain the shell_exec command. This function is often found in apps that are vulnerable to common web attacks. And as you can see, a ton of files are found. The majority of the results are from "dvwa" (the "Damn Vulnerable Web Application") and Irongeek's "Mutillidae"; both are loaded with vulnerabilities so you can practice your web app pentest skills.
Now that we know they are there, and in which files the vulnerabilities exist (thanks to Grep and Shipcode!), we could switch to testing the web app side of this box.
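The same grep idea can be turned into a small code-review triage for a web root you maintain. This is an added example, not code from this tutorial or from Shipcode's article; the function names and the sample PHP files are constructed for illustration. It skips commented-out lines and then narrows the hits to calls whose argument contains a variable, which are the ones to review first:

```shell
#!/usr/bin/env bash
# Added example: triage shell_exec() call sites in a PHP tree (GNU grep assumed).

# Print file:line:text for every shell_exec( call, dropping hits on lines
# that are whole-line comments (//, #, /* or a leading *).
find_shell_exec() {
    grep -RnE --include='*.php' 'shell_exec[[:space:]]*\(' "$1" \
        | grep -vE '^[^:]+:[0-9]+:[[:space:]]*(//|#|/?\*)'
}

# Keep only the calls whose argument list references a PHP variable.
# A constant command string is lower priority than one built from input.
find_dynamic_shell_exec() {
    find_shell_exec "$1" | grep -E 'shell_exec[[:space:]]*\([^)]*\$'
}

# Build a constructed sample tree (not Metasploitable's real files)
# and print its path.
make_demo_tree() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/app"
    cat > "$d/app/ping.php" <<'EOF'
<?php
$target = $_GET['ip'];
echo shell_exec('ping -c 1 ' . $target);
EOF
    cat > "$d/app/status.php" <<'EOF'
<?php
// shell_exec($_GET['cmd']);  disabled
echo shell_exec ("uptime");
EOF
    printf '%s\n' "$d"
}

# Demo run on the constructed tree: only the ping.php call is reported.
demo=$(make_demo_tree)
find_dynamic_shell_exec "$demo"
rm -rf "$demo"
```

A hit from the second function is a lead for manual review, not proof of a flaw; a call that wraps its variable in escapeshellarg() is still listed.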
(If you are enjoying this tutorial series, please leave a quick note or feedback and let me know. I appreciate your feedback and would love to hear from you!)