I installed both Kali and Metasploitable 2 on internal network 10.10.10.0 in a VirtualBox VM. I gave the Metasploitable 2 (Ubuntu) machine an IP address of 10.10.10.2 for “target practice”. The documentation for Metasploitable 2 is found here: https://docs.rapid7.com/metasploit/metasploitable-2-exploitability-guide/
The first exercise is a simple port scan of the well-known ports using nmap as root. We find that three of the Unix “r-services” ports, used for remote login on Unix machines, are open: tcp ports 512, 513 and 514:
#nmap -p0-65535 10.10.10.2
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-17 18:48 EST
Nmap scan report for 10.10.10.2
Host is up (0.00010s latency).
Not shown: 65506 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
3632/tcp open distccd
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
6697/tcp open ircs-u
8009/tcp open ajp13
8180/tcp open unknown
8787/tcp open msgsrvr
34864/tcp open unknown
35281/tcp open unknown
46972/tcp open unknown
50179/tcp open unknown
MAC Address: 08:00:27:B3:EF:46 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 16.33 seconds
For the second exercise, as long as the rsh client is installed on our Kali system, we can open a root-level connection to the remote machine. (The “-l” switch selects the user you want to log in as.)
#rlogin -l root 10.10.10.2
Last login: Wed Jan 17 18:54:27 EST 2024 from 10.10.10.3 on pts/1
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
root@metasploitable:~#
And now we have root access to the remote computer. For the third exercise we use the remote procedure call (RPC) information command, rpcinfo, to show the active remote ports:
Running the rpcinfo command as root on the remote machine shows us the active ports we can use. Here we see that there are nfs (“network file system”) ports available over both udp and tcp.
root@metasploitable:~# rpcinfo -p 10.10.10.2
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 45372 status
100024 1 tcp 58302 status
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100021 1 udp 52388 nlockmgr
100021 3 udp 52388 nlockmgr
100021 4 udp 52388 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100021 1 tcp 35971 nlockmgr
100021 3 tcp 35971 nlockmgr
100021 4 tcp 35971 nlockmgr
100005 1 udp 33215 mountd
100005 1 tcp 37136 mountd
100005 2 udp 33215 mountd
100005 2 tcp 37136 mountd
100005 3 udp 33215 mountd
100005 3 tcp 37136 mountd
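As an added defensive check, not part of the original write-up, the following Python parses the two outputs above (the nmap port list and the rpcinfo table) and turns them into a short list of hardening findings: legacy cleartext remote-login services (telnet and the r-services on 512-514) to disable, and nfs/mountd registrations to restrict. The sample inputs are constructed, abridged copies of the outputs shown above.

```python
import re

# Constructed sample: abridged lines from the nmap scan shown above.
NMAP_OUTPUT = """\
22/tcp open ssh
23/tcp open telnet
512/tcp open exec
513/tcp open login
514/tcp open shell
2049/tcp open nfs
"""
# Constructed sample: abridged lines from the rpcinfo -p output shown above.
RPCINFO_OUTPUT = """\
100000 2 tcp 111 portmapper
100003 2 tcp 2049 nfs
100003 3 udp 2049 nfs
100005 1 tcp 37136 mountd
100005 3 udp 33215 mountd
"""
# Cleartext remote-login services a hardening review should flag, by nmap name.
LEGACY_LOGIN = {
    "telnet": "telnet (23/tcp): cleartext credentials",
    "exec": "rexec (512/tcp): cleartext credentials",
    "login": "rlogin (513/tcp): host-based trust, no encryption",
    "shell": "rsh (514/tcp): host-based trust, no encryption",
}
RPC_EXPORT = {"nfs", "mountd"}  # RPC programs that expose a file system

def parse_nmap(text):
    """Map open TCP port -> service name from lines like '513/tcp open login'."""
    return {int(p): s for p, s in re.findall(r"^(\d+)/tcp\s+open\s+(\S+)", text, re.M)}

def parse_rpcinfo(text):
    """Set of (service, proto, port) tuples from 'rpcinfo -p' rows."""
    rows = re.findall(r"^\d+\s+\d+\s+(tcp|udp)\s+(\d+)\s+(\S+)", text, re.M)
    return {(svc, proto, int(port)) for proto, port, svc in rows}

def findings(nmap_text, rpc_text):
    """Findings from both views: what to disable and what to restrict."""
    out = [f"disable {LEGACY_LOGIN[s]}" for _, s in sorted(parse_nmap(nmap_text).items())
           if s in LEGACY_LOGIN]
    exports = sorted({(s, p) for s, _, p in parse_rpcinfo(rpc_text) if s in RPC_EXPORT})
    if exports:
        out.append("restrict NFS: " + ", ".join(f"{s} on port {p}" for s, p in exports)
                   + " registered with rpcbind; limit exports and firewall 111 and 2049")
    return out

if __name__ == "__main__":
    for line in findings(NMAP_OUTPUT, RPCINFO_OUTPUT):
        print(line)
```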
Exercise four: In the first nmap scan we can see that SSH is active (port 22, tcp), so we can set up our own ssh connection since we have root access to the MSF2 remote computer. To do so we create a new SSH key pair and install the public key on the remote target computer as an accepted (authorized) key.