Happy Saturday morning!
In this post, I’ll be exploiting a service call rlogin (remote login) on my Metasploitable box. This is a nice and easy exploit, so let’s get started!
Once we have our virtual machines booted up, we can do a quick refresher of what ports and services are open on our Metasploitable machine, by opening up a terminal in Kali and typing nmap -sS -sV -p- 10.10.1.10.
Here, we can see that port 513 is open, and the service is called “login”. A quick Google search of the port tell us that the service refers to the rlogin service. Essentially rlogin will allow us to remotely access a system and execute commands on it. According to https://linoxide.com/how-tos/howto-enable-rshrlogin-on-linux-server/,
” Rlogin uses a hidden file called .rhosts that is present on the host machine. This file allows a machine to login without a password. ” Well now, it can’t get much easier than that!
Before we can exploit this service, we need to install the rsh client. To do this, I opened up another terminal in Kali and typed: apt-get install rsh-client.
Just a side note here; I had a little difficulty installing the client, until I realized I had to switch my Kali network adapter from Host-Only to NAT. After the rsh-client was installed, I switched back to Host-Only to be able to talk to the other systems in my virtual network.
With the rsh-client installed, it is now time to exploit the rlogin service! All I had to do here is type: rlogin -l root -p 513 10.10.1.10. The -l switch specifies the account to login as, the -p switch specifies the port, and 10.10.1.10 is the IP address of the remote system (Metasploitable).
Just like that, we have root access!
As you can see, this was a very simple exploit to attain root access. But hey, whether an exploit is easy or not, they all count!
Thanks for reading!