Metasploitable

Breaking Tutorial on Hacking Metasploitable 2 with Metasploit

What is Metasploitable?

Metasploitable is a test environment that provides a safe place to perform penetration testing and security research. For your test environment, you need a Metasploit instance that can reach a vulnerable target. The following sections describe the requirements and instructions for setting up that vulnerable target.

The default login and password is msfadmin : msfadmin.

Never expose this VM to an untrusted network (use NAT or Host-only mode if you are unsure what that means).


Metasploitable Download VM

The easiest way to get a target machine is to use Metasploitable 2, which is an intentionally vulnerable Ubuntu Linux virtual machine that is designed for testing common vulnerabilities. This virtual machine is compatible with VMWare, VirtualBox, and other common virtualization platforms.

SourceForge

https://information.rapid7.com/metasploitable-download.html

The compressed file is about 800 MB and can take up to 30 minutes to download. After you have downloaded the file, you will need to unzip the file to see its contents.

Once the VM is available on your desktop, open it and run it with VMware Player. Alternatively, you can use VMware Workstation or VMware Server.

Recon Metasploitable Virtual Machine

Scanning the Machine for Open Ports

msf5 > db_nmap 172.16.74.129 -p0-65535

Attacking Metasploitable Services

Attack Linux DistCC Daemon Command Execution

Attack Linux DistCC Daemon Command Execution Port 3632

Attack Linux DistCC Daemon – This module uses a documented security weakness to execute arbitrary commands on any system running distccd.

Attack PostgreSQL Server Port 5432


Attack PostgreSQL Server – This module attempts to authenticate against a PostgreSQL instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. Note that passwords may be either plaintext or MD5 formatted hashes.

Attack Samba Server Port 139


Attack Samba Server – This module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default “username map script” configuration option. By specifying a username containing shell metacharacters, attackers can execute arbitrary commands.

Attack Samba Server Port 445


Attack Samba Server – This module exploits a directory traversal flaw in the Samba CIFS server. To exploit this flaw, a writable share must be specified. The newly created directory will link to the root filesystem.

Attack Apache and PHP 5.3


Attack Apache – When run as a CGI, PHP up to versions 5.3.12 and 5.4.2 is vulnerable to argument injection. This module takes advantage of the -d flag to set php.ini directives and achieve code execution.

Attack FTP Service Port 21 (vsftpd 2.3.4)


This module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default “username map script” configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands.

Attack Unreal IRC Server Port 6667


Attack Unreal IRC Server – This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.

Attack Apache PHP CGI Argument Injection


When run as a CGI, PHP up to versions 5.3.12 and 5.4.2 is vulnerable to argument injection. This module takes advantage of the -d flag to set php.ini directives and achieve code execution.

From the advisory: “if there is NO unescaped ‘=’ in the query string, the string is split on ‘+’ (encoded space) characters, urldecoded, passed to a function that escapes shell metacharacters (the “encoded in a system-defined manner” from the RFC) and then passes them to the CGI binary.”

This module can also be used to exploit the Plesk 0day disclosed by Kingcope and exploited in the wild in June 2013.
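As an added example (not part of the original tutorial or of the Metasploit module), the following Python snippet applies the query-string rule quoted from the advisory to a few constructed Apache access-log lines: when the query contains no unescaped '=', it is split on '+' and URL-decoded, and the check flags any request whose resulting argument vector starts with a '-' token, which is what php-cgi would interpret as a command-line option. The log format and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for this example (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2013:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
10.0.0.5 - - [12/Jun/2013:10:01:03 +0000] "GET /search.php?hello+world HTTP/1.1" 200 301
10.0.0.9 - - [12/Jun/2013:10:02:10 +0000] "GET /cgi-bin/php?-d+display_errors%3dOn HTTP/1.1" 200 77
10.0.0.9 - - [12/Jun/2013:10:02:11 +0000] "POST /cgi-bin/php?%2ds HTTP/1.1" 200 77
"""

# Pull the request method and target out of a common/combined log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def cgi_argv(query: str) -> list:
    """Mimic the CGI 'indexed query' handling described in the advisory:
    only when the query string has no unescaped '=' is it split on '+',
    URL-decoded and handed to the CGI binary as command-line arguments."""
    if "=" in query:
        return []
    return [unquote(part) for part in query.split("+") if part]


def injected_argv(target: str) -> list:
    """Return the decoded argv if any token would be read as an option
    (starts with '-'), otherwise an empty list."""
    if "?" not in target:
        return []
    _, query = target.split("?", 1)
    argv = cgi_argv(query)
    return argv if any(arg.startswith("-") for arg in argv) else []


def scan_log(text: str) -> list:
    """Return one record per request whose query would inject php-cgi options."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        argv = injected_argv(match.group("target"))
        if argv:
            hits.append({"client": line.split()[0],
                         "target": match.group("target"),
                         "argv": argv})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The two flagged lines show both forms the rule catches: a literal leading '-' and one hidden behind percent-encoding, while the ordinary "hello+world" search is correctly left alone because no decoded token is an option.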

Leverage Metasploitable Backdoors

Attack Metasploitable Web Services

Metasploitable Weak Passwords
