Metasploitable 2 is running distcc.
distcc is a program used to distribute compilation of code across machines on a network, taking advantage of unused processing power on other computers. Machines on the network need to have the distccd daemon and a compatible compiler installed.
Scanning port 3632
Enter the command: nmap -sV -p 3632 <<target IP address>>
Nmap scan shows that distccd v1 is running on port 3632.
Searching for exploit in msfconsole
Start up your msfconsole and search for a distcc exploit.
Enter the command: search distcc
There is an exploit available for distcc. More references here and here.
Exploiting distcc using distcc_exec exploit
Let's use the exploit by giving the command: use exploit/unix/misc/distcc_exec
As usual, we need to give the exploit a target.
Enter the command: set RHOST <<target IP address>>
...and exploit :)
Exploit was successful as a command shell session was opened.
However, unlike other times where we got "root" as our id, here we got daemon as the id. That means we compromised the target with daemon rights.
A daemon is a program that runs as a background process. It can't do nearly as much as root.
The good news is that we have privilege escalation. It bumps the privilege level to root by exploiting bugs in the code. We will use privilege escalation soon to bump our access level from daemon to root.
-Jayesh Kerai (@secjay)
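For the defender's side of this walkthrough, the sketch below audits how a distccd instance was started: whether client addresses are restricted with --allow and whether it listens on every interface. It is an added example, not part of the original post; the function name audit_distccd, the finding labels and the sample command lines are made up for illustration, and it assumes an older distccd that accepts any client when no --allow is given.

```sh
#!/bin/sh
# Added example: audit a distccd command line for network exposure.
# Assumption: an older distccd that accepts any client when no --allow is set.

# Prints space-separated findings, or "OK" when none apply:
#   NO_ALLOW   no --allow given
#   ALLOW_ANY  an --allow entry with a /0 mask
#   LISTEN_ALL no --listen address, or a wildcard one
audit_distccd() {
    allow_seen=0; listen=""; findings=""
    set -f            # do not glob-expand words while splitting
    set -- $1         # split the command line into words
    set +f
    while [ $# -gt 0 ]; do
        opt=$1; val=""
        case "$opt" in
            --allow=*|--listen=*)      # --opt=value form
                val=${opt#*=}; opt=${opt%%=*} ;;
            --allow|--listen)          # --opt value form
                if [ $# -gt 1 ]; then val=$2; shift; fi ;;
        esac
        case "$opt" in
            --allow)
                allow_seen=1
                case "$val" in
                    */0) findings="${findings:+$findings }ALLOW_ANY" ;;
                esac ;;
            --listen) listen=$val ;;
        esac
        shift
    done
    if [ "$allow_seen" -eq 0 ]; then
        findings="${findings:+$findings }NO_ALLOW"
    fi
    case "$listen" in
        ""|0.0.0.0|::) findings="${findings:+$findings }LISTEN_ALL" ;;
    esac
    echo "${findings:-OK}"
}

# Constructed sample command lines (not taken from the target in the post).
for cmd in \
    "distccd --daemon --user daemon" \
    "distccd --daemon --allow 0.0.0.0/0 --listen 0.0.0.0" \
    "distccd --daemon --allow 192.168.56.0/24 --listen 192.168.56.10"
do
    printf '%-62s -> %s\n' "$cmd" "$(audit_distccd "$cmd")"
done
```

On a live host, pass the daemon's real arguments instead of the samples, for example as listed by `ps -eo args`.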