One of the simplest compromises of the Metasploitable box.
We can see from the nmap results:
513/tcp open login?
Nessus also detected the use of rlogin:
High (7.5) 10205 rlogin Service Detection
At this stage we don't have any information on possible accounts on the Metasploitable box, but it is likely that there is a 'root' account.
As such, we can try the following command and see what we get:
rlogin -l root 192.168.168.134
- -l: the user to log in as
So we are prompted for a password – a good sign the root account is valid.
But there is actually more to this than the above suggests.
I am using a fresh install of Kali 2, and the rsh-client package is not installed by default. So let's install it with:
apt-get install rsh-client
Now let's try that original rlogin command once more:
Bingo… we’re in, and with root access no less.
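From the defender's side, the two things worth auditing here are the exposed r-service ports that nmap and Nessus flagged, and the host-trust files (.rhosts / hosts.equiv) that rlogin consults before deciding whether to ask for a password at all. The script below is an added example, not code from the original post: it parses nmap normal-output lines for the classic r-service ports and flags trust-file entries that use the "+" wildcard. The nmap output and trust-file contents are constructed samples modelled on the scan above.

```python
import re

# Well-known r-service ports a defender should flag: rexec, rlogin, rsh.
R_SERVICE_PORTS = {512: "exec", 513: "login", 514: "shell"}

# Matches nmap normal-output port lines such as "513/tcp open login?"
NMAP_PORT_LINE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")


def find_r_services(nmap_output: str) -> list:
    """Return (port, service) pairs for open r-service ports in nmap output."""
    findings = []
    for line in nmap_output.splitlines():
        m = NMAP_PORT_LINE.match(line.strip())
        if m and int(m.group(1)) in R_SERVICE_PORTS:
            port = int(m.group(1))
            findings.append((port, R_SERVICE_PORTS[port]))
    return findings


def risky_trust_entries(trust_file_text: str) -> list:
    """Return .rhosts / hosts.equiv lines that grant trust via a '+' wildcard.

    A '+' in the host field trusts every host; a '+' in the user field trusts
    every user. Either one lets rlogin skip password authentication.
    """
    risky = []
    for line in trust_file_text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comments, tokenize
        if not fields:
            continue
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+" or user == "+":
            risky.append(line.strip())
    return risky


# Constructed sample data (not real scan results).
NMAP_SAMPLE = """22/tcp  open  ssh
513/tcp open  login?
514/tcp open  shell?
"""
RHOSTS_SAMPLE = """# constructed /root/.rhosts
+ +
192.168.168.10 alice
"""

if __name__ == "__main__":
    print("r-services:", find_r_services(NMAP_SAMPLE))
    print("risky trust entries:", risky_trust_entries(RHOSTS_SAMPLE))
```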