Poppin' Shells and Takin' Names

For our FINAL event of the year, we are setting up a vulnerable server for all Hacking Club members to compromise. We have spun up a VM of metasploitable on a LAN and have given our members the tasks of doing the following:

  1. Launch a Virtual Machine with Kali Linux.
  2. Setup a PostgreSQL Server locally.
  3. Running a network scanning tool, nmap.
  4. Enumerating the server.
  5. Uploading a php shell to access the server later
  6. Gain root access.
  7. Profit.

For this exercise, you will need the following:

  • Computer (any OS)
  • Virtualization Software
    • Virtualbox is free and works on all platforms
    • VMware is also a great suit
  • An iso copy of Kali Linux.
  • Metasploitable VM, which can be downloaded here.

Create a virtual machine (VM) of Kali Linux, and make sure the network configure is bridged. This enables your VM to use your network card as if it was its own. Don't worry, your main host and your guest host will both be able to use it, and have different IP addresses on the network. 

Launch Metasploitable in your visualization software. The most difficult part of this configuration, is making sure the two VMs are connected. If the bridge connection on both VMs don't work. Connect them using custom specific VirtualNet.

Here is what your VM will look like when it's starts.


You will know if it is setup correctly, if the IP's look about the same, and they have the same netmask.

You can run the following command to check your IP.

root@kali:~# ifconfig

This command has many uses, but for this exercise, we will only concentrate of the finding the ip aspect. If your IP says 169...., it means it could not get an IP address from the router. 

When we run this, we can see that this VM's IP address is and the subnet is


Now let's have some fun! We will be scanning the local network for our metasploitable server. Click Applications, 01 - Information Gathering, and then the zenmap button on the left side. Alternatively, you can enter zenmap in the terminal. It opens the nmap (gui).

So we know that the network subnet is This means there can be a total of 254 computers/devices connected to this network. Here is a cheatsheet to determine the "slider" of the network. For, the slider is /24. 

For more information on network sizes and sliders, check out RFC 1878.

When zenmap comes up, enter the network IP as well as the slider and execute a ping scan. A ping scan scans all IPs specified. It gather's their MAC Address and IP Address. 

By knowing a devices MAC address, you can determine the manufacturer of the device. The first three octets in a MAC Address is specific to a vendor. If we take a look at, we can see that it's MAC address is 00:c0:02:63:00:08. The first 3 octets are 00:C0:02. If we enter this into a mac-address lookup such as http://www.coffer.com/mac_find/, we can see that it's vendor is Sercomm, just as it says in our nmap scan. 

The OUI is the Vendor #, such as Apple, Cisco, etc.
The UAA is like the fingerprint of the device. There will be no other device with the same fingerprint and THIS is one way a person can be de-anonymized. One way around this, is to use macchanger to change your MAC address.

An important thing to note, the scan results gave us back the IP This is the first IP in the network, which means this IP address is MOST LIKELY the router. For further investigation, one can do a more intensive scan on the router, but for this exercise, we are targeting a different server. Let's now see which servers we can remote into.

root@kali:~# nmap -sV -p 20-23

-sV: Probe open ports to determine service/version info
-p <port ranges>: Only scan specified ports
    Ex: -p 20-23 (lol)

As you can see, not only is the router running Dropbear sshd, but it's also running DD-WRT telnetd. This tells us the router has been flashed with DD-WRT firmware. But since htis isn't our target, we will keep checking what else we got in this scan.

Looks like we can connect to this server. :)

Alright, so we know a few of the ports are open. Let's check all the ports on this server.

-T4: prohibits the dynamic scan delay from exceeding 10 ms for TCP ports
-A: Enable OS detection, version detection, script scanning, and traceroute

So we have a server, know all of the ports that are open, and the version. What we can do now, is save the scan results, and import them into Metasploit Framework. In Zenmap, click Scan > Save Scan and save it somewhere you will remember. Desktop, Downloads, or Documents are fine locations. Now it's time to get Metasploit running. But first, we have to create a database where we can store our port scan results. In a terminal, run...

root@kali:~# service postgresql start

To verify this is working, you can run ss -ant like so.

Now let's finish configuring our database with...

root@kali:~# msfdb init

Now let's launch metasploit.

root@kali:~# msfconsole

Ladies, Gentlemen, and all others, welcome to the one of the most powerful hacking tools there is.

Alright, so now that we have metasploit running, we should check to see if the database we created in connected to metasploit.

Looks about right. :D

Looks about right. :D

msf > use exploit/multi/http/tomcat_mgr_deploy

msf exploit(tomcat_mgr_deploy) > show options

Open Leafpad with Applications > Favorites > Leafpad and save the shadow file.


Learn more here.