Fall 2023
Université d'Ottawa
Introduction:
This document details the process and findings of the Labtainers Metasploit lab exercise,
aimed at understanding penetration testing techniques using the Metasploit framework. The
lab environment is set up using a Kali Linux system as the attacker and a Metasploitable
system as the victim. Each section includes detailed steps, screenshots, and an explanation of
the commands used.
Steps:
Reasoning: Ping is a network utility that checks whether a host is reachable on an Internet
Protocol (IP) network and measures the round-trip time for messages sent from the
originating host to the destination computer.
Step 2: Get a List of Vulnerable Services on the Victim
Objective: To identify open ports and potentially vulnerable services running on the
victim's system.
Steps:
Reasoning: Nmap ("Network Mapper") is a free and open-source utility for network
discovery and security auditing. Scanning all ports provides a complete view of the
potential attack surface.
Step 3: Vulnerably Configured rlogin Service (port 513)
Objective: To demonstrate remote access to the victim's system via a misconfigured
rlogin service.
Steps:
Reasoning: The rlogin command allows a user to log in on another Unix system via
the network, and viewing a root-owned file demonstrates the level of access gained.
Step 4: Vulnerable ingreslock Service (port 1524)
Objective: To exploit the ingreslock service to gain unauthorized root access to the
system.
Steps:
Steps:
Steps:
1. Accessed the Metasploit console and searched for the Unreal IRCd exploit using search unreal_ircd.
2. Selected the exploit with use exploit/unix/irc/unreal_ircd_3281_backdoor.
3. Set the RHOST to the victim's IP with set RHOST 192.168.1.2.
4. Executed the exploit with exploit and demonstrated access by displaying the root file.
Reasoning: Unreal IRCd had a known backdoor in certain versions, which could be
exploited to gain unauthorized access to the system.
Step 7: Vulnerable vsftpd Service (port 21)
Objective: To demonstrate the exploitation of a backdoor in the vsftpd service.
Steps:
1. In the Metasploit console, located the vsftpd exploit with search vsftpd_234.
2. Chose the exploit with use exploit/unix/ftp/vsftpd_234_backdoor.
3. Configured the RHOST as before and executed the exploit.
4. Verified success by displaying the root file.
Reasoning: The vsftpd 2.3.4 version contains a malicious backdoor that was
introduced by an unknown attacker, which can be exploited to gain shell access to
the system.
Step 8: Vulnerable Samba Service (port 139)
Objective: To exploit the Samba service for unauthorized code execution.
Steps:
Reasoning: The usermap script in Samba versions prior to 3.0.20 allows attackers to
execute programs as an administrator, making it a critical vulnerability.
Step 9: Vulnerable HTTP (php) Service (port 80)
Objective: To take advantage of a PHP CGI argument injection vulnerability.
Steps:
1. Searched for the relevant PHP CGI exploit in Metasploit with search php_cgi.
2. Selected the appropriate exploit with use exploit/multi/http/php_cgi_arg_injection.
3. Configured the necessary options, including RHOST, and ran the exploit.
4. Upon successful exploitation, dropped to a shell and displayed the root file.
Reasoning: PHP CGI argument injection can be used to execute arbitrary code on the
web server, potentially allowing for full system control.
Step 10: Vulnerable Postgres Service (port 5432)
Objective: To exploit a vulnerability in the Postgres service which allows for arbitrary
code execution.
Steps:
I had prepared everything necessary to exploit the target, and the chosen payload
required a listener on port 4444. Typically, this would be set up using a command like
nc -lvnp 4444 to listen for incoming connections. However, I faced a constraint as I
did not have access to another attacker terminal to establish this listener. Despite
successfully executing the exploit, this lack of a listener resulted in no session being
created. This outcome highlights the importance of the listener in reverse shell
payloads, where the exploited system attempts to connect back to the attacker's
system. Without this listener in place, even a successful exploit cannot establish the
necessary back-connection for a session.
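Seen from the defender's side, the services exploited in Steps 3 through 8 are all visible in the Step 2 port scan. The following script is an added example, not part of the lab or of Labtainers: it parses nmap -sV style output (the sample lines are constructed to resemble a Metasploitable host) and flags the services this report exploited, with the remediation a practitioner would apply. Port numbers and banner strings are assumptions about what nmap prints.

```python
import re

# Sample "nmap -sV" output for a Metasploitable-style host, constructed for this example.
SAMPLE_NMAP = """\
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
513/tcp  open  login       OpenBSD or Solaris rlogind
1524/tcp open  bindshell   Metasploitable root shell
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
6667/tcp open  irc         UnrealIRCd
"""

# One open-port line: "<port>/<proto>  open  <service>  <version banner>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Return (port, service, version) for every open-port line; other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(3), m.group(4).strip()))
    return rows


def assess(rows):
    """Flag the services this lab exploited and say what a defender should do about each."""
    findings = []
    for port, service, version in rows:
        if port == 21 and version.startswith("vsftpd 2.3.4"):
            findings.append((port, "vsftpd 2.3.4 backdoor build: replace with a clean, current vsftpd"))
        elif port == 139 and version.startswith("Samba"):
            # nmap usually cannot pin the Samba release, so the banner alone is not proof;
            # read the installed version on the host and confirm the username map script fix.
            findings.append((port, "Samba exposed: confirm the installed release is patched"))
        elif port == 513 and service == "login":
            findings.append((port, "rlogin exposed: disable rlogind and use SSH instead"))
        elif port == 1524:
            findings.append((port, "ingreslock/bindshell: unauthenticated root shell, remove it"))
        elif port == 6667 and "UnrealIRCd" in version:
            findings.append((port, "UnrealIRCd: verify the build is not the backdoored 3.2.8.1 release"))
    return findings


if __name__ == "__main__":
    for port, advice in assess(parse_nmap(SAMPLE_NMAP)):
        print(f"{port:>5}  {advice}")
```

The Samba branch deliberately flags on exposure rather than on a version string, because the banner does not pin the release; the same caution applies to the UnrealIRCd line.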
References:
https://nps.edu/web/c3o/labtainers
https://www.offsec.com/metasploit-unleashed/
https://owasp.org/www-project-web-security-testing-guide/