Metasploitable Guide Part 1 : Rooting Metasploitable

Posted: November 16, 2011 in Guides and pseudo tutorials, Guides

For those who don’t know, Metasploitable is a vulnerable VM, running Ubuntu, designed as target practice for Metasploit (or for manual exploitation). A few weeks ago a friend of mine decided they wanted to experiment with learning a few penetration testing skills using Metasploit.

They also asked me for some pointers, so I will occasionally make posts illustrating exploitation of some of the vulnerabilities in Metasploitable. Fair warning: these posts will contain serious spoilers, so if you want to figure this out yourself, you probably should stop reading now.

For those following along, I used BackTrack 5 R1 for this post; however, to follow along you will really only need Metasploit and nmap.

Profiling The System

Note: the Metasploitable VM in this instance is 192.168.0.9 and the BackTrack machine is 192.168.0.4.

The first step to exploiting the system is getting an idea of what it’s running and how we may exploit it. For this we will use nmap. We will begin with a simple nmap scan. I prefer to do this inside the Metasploit Framework itself, as it stores the results in a database and makes them much easier to refer to later on, so if you’re following along you will want to start msfconsole prior to running this.

db_nmap -T4 -v -sS -sV -O -PN 192.168.0.9

Note: in a real-world situation you would likely lower your timing to -T1; however, for expedience’s sake -T4 is fine here.

As you might imagine, this being a deliberately vulnerable set-up, quite a few of these services are actually vulnerable. Today, however, we’re going to focus on the Samba service on this system.

Profiling The Target Service

So now that we know we want to determine whether the Samba service is vulnerable, we’re going to need more information about this particular Samba service. If you just wanted to breeze through this you could in fact try every Samba exploit in Metasploit and eventually gain access. However, that is silly, as you’d likely set off an IDS (if there were one), and doing it properly gives us a chance to look at some of the useful (and often overlooked) auxiliary modules in Metasploit. In this particular case we’re going to use the Samba version scanner module, which basically just grabs the version for us. (You could do this using netcat or telnet as well if you were so inclined.)

So now that we know our Samba version is 3.0.20, we can do some research on that version of Samba and determine the best exploit to use. If you did some half-decent research you’d probably come up with this link.
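As an added example (not part of the original post), the following Python reads the XML that the nmap scan above writes (a constructed sample modelled on a Metasploitable host, not a real capture), lists the Samba services it found, flags any at or below a given version, and marks fuzzy versions such as "3.X", which nmap emits when it can only guess, as needing the banner check described above. It is equally useful for checking your own lab hosts for a Samba that should have been retired.

```python
import re
import xml.etree.ElementTree as ET

# Constructed nmap -oX output (sample data, not a real capture). Port 139
# shows the fuzzy "3.X" nmap usually reports; port 445 carries the precise
# string the Samba version scanner returned in the post.
SAMPLE_NMAP_XML = """<nmaprun>
  <host>
    <address addr="192.168.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139">
        <state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.X"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.0.20-Debian"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1"/>
      </port>
    </ports>
  </host>
</nmaprun>"""

def version_tuple(version):
    """Turn '3.0.20-Debian' into (3, 0, 20); return None for fuzzy
    strings such as '3.X' that cannot be compared numerically."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else None

def samba_findings(xml_text, max_version="3.0.20"):
    """Return one dict per open Samba port: host, port, version and a
    status of 'flag' (at or below max_version), 'ok', or
    'needs-banner-check' (nmap only produced a partial version)."""
    findings = []
    limit = version_tuple(max_version)
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            if svc is None or port.find("state").get("state") != "open":
                continue
            if "samba" not in (svc.get("product") or "").lower():
                continue
            ver = svc.get("version") or ""
            parsed = version_tuple(ver)
            status = "needs-banner-check" if parsed is None else (
                "flag" if parsed <= limit else "ok")
            findings.append({"host": addr, "port": int(port.get("portid")),
                             "version": ver, "status": status})
    return findings
```

Against real output, run `nmap -sV -oX scan.xml <host>` and pass the file contents to `samba_findings`; the default threshold is the 3.0.20 the post identifies.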

So now we just back out of our scanner and search the Metasploit Framework for the CVE we found, and voilà, an exploit that we can use.

Exploiting The Target

Now that we know which exploit module our service is vulnerable to, we may load that exploit and configure it.

Note: you will notice here that we deviated from the default port of 139. Though the exploit will work on both ports, it is better to choose port 445, as it does not include the NetBT extras which may cause our exploit to fail (remember, reliability is key here).

Next we will want to configure our payload. Here I chose a simple reverse shell (there is no firewall in place, so you could easily choose a bind shell instead; however, for the sake of ease and of building good habits we’ll use the reverse shellcode).

Now that we have our exploit and payload properly configured we may exploit the target. Here we just execute exploit -j (the -j just tells Metasploit to background the session after it is created).

Note: this is actually a client-to-client Telnet session, not a true reverse shell (which is equally useful).

Post Exploitation

Now that our exploit has been successful against the vulnerable Samba service, we can do a little post-exploitation. I will not go too in depth with this, as you can do pretty much whatever you want at this point; however, knowing what I’m going to write in the next post on the subject, I suggest grabbing a copy of /etc/shadow- and /etc/passwd if you’re following along.

Enjoy your rooted Metasploitable VM, next time I’ll explain what we’re doing with the shadow and passwd files.

Comments
  1. Tushar Kumar says:

    This is great. Thanks for sharing.

  2. […] walk through of Metasploitable (A vulnerable VM produced by Rapid7). You may wish to read part one of the Metasploitable Guide first, as this section will rely on that guide being completed. For […]
