Starting my first attempt at hacking Metasploitable 1, I was confident that my education and my practical lab experiences were enough to get me a shell. I was wrong. Of course, I knew the basics of using Kali Linux to conduct reconnaissance and how to determine which hosts are on the network.
I also knew about a handy tool called “netdiscover” which would give me the IP of my target vulnerable host. You could of course cheat and save time by logging into the target machine and running “ifconfig” to obtain the IP, but I wanted a more real-world scenario.
As a side note, if this is your first time hearing of “netdiscover,” I would recommend running the tool at least once. You never know if it is something you would like to build into your methodology.
After finding my target, I used Nmap to determine the ports and services running. To try it yourself, open a terminal window in Kali and run “nmap [host IP address].” Running this command with no parameters scans the default top 1,000 ports; scanning the most common ports first is standard practice. The command I used is shown in the following screenshot.
This command is excellent because it lists every listening service on the default ports, with the port number and the version of the service. That is all the information you need to get started with potentially vulnerable services on the machine.
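To turn that scan into something you can act on (an inventory of open ports and a list of the legacy or cleartext services worth flagging, the same Telnet, SSH and web services the post goes on to test), here is an added example that is not from the original post: it parses Nmap's grepable (`-oG`) output. The scan text, the host IP and the risky-service list are all constructed for illustration, not a real scan of Metasploitable.

```python
from typing import List

# Constructed sample of `nmap -sV -oG -` grepable output (illustrative
# host, services and versions; not captured from a real Metasploitable scan).
SAMPLE_GREPABLE = """\
# Nmap scan initiated (constructed sample)
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.101 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.7p1 (protocol 2.0)/, 23/open/tcp//telnet//Linux telnetd/, 80/open/tcp//http//Apache httpd 2.2.8/, 445/closed/tcp//microsoft-ds///\tIgnored State: closed (996)
# Nmap done (constructed sample)
"""

# Hypothetical list of services a defender would want called out in an
# inventory: cleartext logins and web apps whose patch level needs checking.
RISKY_SERVICES = {
    "telnet": "cleartext login",
    "ftp": "cleartext login",
    "http": "web application, verify version and patch level",
}

def parse_grepable(text: str) -> List[dict]:
    """Return one dict per OPEN port: host, port, proto, service, version.

    Each entry in the Ports: field has the form
    port/state/protocol/owner/service/rpcinfo/version/ (seven slash-separated fields).
    """
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue  # skip malformed entries and closed/filtered ports
            results.append({"host": host, "port": int(fields[0]), "proto": fields[2],
                            "service": fields[4], "version": fields[6]})
    return results

def flag_risky(ports: List[dict]) -> List[str]:
    """Describe each open service that appears in RISKY_SERVICES."""
    findings = []
    for p in ports:
        reason = RISKY_SERVICES.get(p["service"])
        if reason:
            findings.append(f"{p['host']}:{p['port']}/{p['proto']} {p['service']} "
                            f"({p['version'] or 'version unknown'}): {reason}")
    return findings

if __name__ == "__main__":
    for finding in flag_risky(parse_grepable(SAMPLE_GREPABLE)):
        print(finding)
```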
Based upon this evidence and my education thus far, I attempted to exploit Telnet and then SSH. Both tasks could be easy: the credentials for the virtual machine are easily found online and also in the readme file provided with the VM.
As a side note, credentials are something you could also find online if the host were using default usernames and passwords for login. To me, that was just too easy, and I couldn't imagine that being common in the real world.
Editor’s Note: Yup, sometimes it is that easy.
Instead, I tried to utilize Metasploit as a brute force tool against the usernames and passwords because some great lists come with Kali. For whatever reason, I just couldn’t get the brute force tool to work, probably a configuration error on my part.
This failed process resulted in some severe frustration, mostly at myself. So, I then proceeded to look up some guides online for Metasploitable. People like me enjoy posting their experiences on their journey in cybersecurity, and it was a way for me to work through some material I hadn’t thought of or seen before.
I ultimately found a guide to take advantage of tikiwiki: https://www.youtube.com/watch?v=PJCWgqDY9t4.
This walkthrough showed me how to utilize Metasploit, an application on Kali, to find vulnerabilities, read their descriptions, and run exploits, all from the same tool.
One significant benefit of using this tool, which I learned during this adventure, is the ability to check the options available for a module. For example, the exploit for tikiwiki requires setting the RHOST option, the target address. If you don’t set it, the exploit won’t know which machine to execute against.
Next, you have to select a compatible payload. When choosing the payload, make sure it is compatible with the target machine. The example the walkthrough provided was not to use a Linux payload on a Windows machine or vice versa.
So, after executing the exploit with the appropriate payload, you get roughly 10 shell sessions open on the target machine. I actually ran the exploit multiple times, getting 9 sessions on one run and 10 on the other.
Once you have a shell, the author of the walkthrough provides some code to spawn a bash shell, which gives you a different type of access. From here, you can start to determine the weaknesses present on the target system.
I was able to see that the user had restricted access and the version of the operating system. Here, the host is running Linux kernel 2.6, which was determined to have a privilege escalation vulnerability. Awesome!
By searching for the exploit online, you can find some code that you can configure to match your victim. However, Metasploit actually has the exploit, UDEV, built in. By setting the appropriate options, the exploit is quickly executed.
To use this exploit, you set the session ID option to match one of the sessions created previously between Kali and the victim. Next, you need to find the PID for the Netlink socket. This can be found using the shell created earlier. Finally, after setting the PID option to the Netlink PID and executing: Bang! Root access. You can verify this with some Linux-fu on the command line, “whoami.”
Formal education alone is insufficient in cybersecurity. This is especially true when it comes to pen testing and identifying vulnerabilities. Entry-level and experienced cyber professionals need time working a variety of pen test scenarios to grasp the different aspects. This is something I plan to do more of to increase my proficiency as a cybersecurity professional. The sheer amount of knowledge and skills you are exposed to needs to be learned and applied to every aspect of your work. Whether you’re going into pen testing, system administration, network administration, etc., having exposure to what attackers are doing is essential.
My second lesson is that penetration testing probably is not the role for me, at least for now. It was very frustrating trying to get root access on such a blatantly insecure host, let alone thinking about what real-world enterprise companies will have in place to protect their data.
Moving forward, I look forward to growing my knowledge base as a cyber professional, and this lesson in humility definitely gives me cause to invest in my education, training, and skills as I move out of college and into the workforce.
Jake is a student at a local college working on his degree in cyber security. As he is about to wrap up his degree, he will soon be joining the information security workforce and is looking forward to getting his hands dirty IRL. His long-term goal is to be a professional Penetration Tester.