
Metasploitable 3 Walkthrough: Advanced Penetration Testing

By SecureLayer7 Lab


Metasploitable3 Walkthrough: Penetration Testing

Metasploitable3 is an updated version of Metasploitable2, developed to provide a more realistic environment for practicing advanced penetration testing techniques. This version introduces new vulnerabilities and services, offering a broader range of challenges for ethical hackers and security enthusiasts. Let’s explore what makes this version different and its key features!

Network Discovery 

Let's first start with Nmap to scan the network.

Nmap (Network Mapper) is a tool used to discover hosts, services, and vulnerabilities, and it is one of the essential tools for attackers and security professionals alike.

 sudo nmap -sV -sS 10.0.2.6

-sS: Stealth scan (SYN scan); detects open ports without completing the TCP handshake, making it faster and stealthier.

-sV: Detects the version of services running on open ports.

This command is a quick scan targeting 10.0.2.6 to identify open ports and service versions. It focuses on commonly used ports, not all 65,535 ports.

Note: This quick scan does not cover all 65,535 ports. Since this is just a walkthrough and not an in-depth exploitation, a more comprehensive scan might be explored in a future series.

Nmap network discovery scan of the Metasploitable3 host showing open ports

The Exploitation process

Port 21 ProFTPD 1.3.5

So, the vulnerability is on port 21. By accessing this port, it was identified that ProFTPD 1.3.5 contains a remote code execution (RCE) vulnerability via the mod_copy module, which lets attackers copy files server-side and thereby execute code on the server, as demonstrated below.

Manual Exploitation

First, connect to the port with `telnet 10.0.2.6 21`. Telnet is a command-line tool for communicating with remote devices or servers over a TCP/IP network. Then send `site cpfr /etc/passwd`:

  • SITE: Initiates a server-specific command.
  • CPFR: Indicates the file to copy from (in this case, `/etc/passwd`).

The destination is given with the same structure, `SITE CPTO /path/to/destination`: `site cpto /var/www/html/test.php` overwrites the test.php file.

FTP SITE CPTO command used to overwrite test.php on the target

The test.php file has been overwritten with the content of `/etc/passwd`, as the picture below shows:

Browser showing test.php overwritten with the contents of /etc/passwd
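To see what this copy sequence looks like from the defender's side, here is an added example (not from the original post) that scans ProFTPD command log lines for a SITE CPFR followed by a SITE CPTO whose destination lands in a web root, is a server-side script, or was issued by a session that never authenticated. The log layout, the sample lines, the web-root list and the reply codes in the sample are all constructed assumptions; adapt the regex to your own ExtendedLog format.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of ProFTPD command logging (not from the post). The column
# layout  date time client user "command" reply-code  is an assumed
# ExtendedLog-style format; the reply codes in these constructed lines follow
# mod_copy's 350 (CPFR accepted) and 250 (copy completed).
SAMPLE_LOG = """\
2024-05-01 10:00:01 10.0.2.15 - "USER anonymous" 331
2024-05-01 10:00:02 10.0.2.15 - "SITE CPFR /etc/passwd" 350
2024-05-01 10:00:03 10.0.2.15 - "SITE CPTO /var/www/html/test.php" 250
2024-05-01 10:05:10 10.0.2.20 alice "SITE CPFR /home/alice/report.txt" 350
2024-05-01 10:05:11 10.0.2.20 alice "SITE CPTO /home/alice/report.bak" 250
2024-05-01 10:07:00 10.0.2.21 bob "RETR notes.txt" 226
"""

SITE_COPY_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<user>\S+) '
    r'"SITE (?P<verb>CPFR|CPTO) (?P<path>[^"]+)" (?P<code>\d{3})$'
)

# Assumed document roots and script extensions for this host; tune per deployment.
WEB_ROOTS = ("/var/www/",)
SCRIPT_EXTENSIONS = (".php", ".phtml", ".jsp", ".asp", ".aspx", ".cgi")


@dataclass
class Finding:
    timestamp: str
    client: str
    user: str
    source: str
    destination: str
    reasons: list = field(default_factory=list)


def analyze(log_text):
    """Pair each SITE CPTO with the preceding SITE CPFR from the same client and
    flag copies that write into a web root, create a script, or come from a
    session that never logged in (ProFTPD logs the user as '-')."""
    pending = {}    # client -> (user, source path) of its last accepted CPFR
    findings = []
    for line in log_text.splitlines():
        m = SITE_COPY_RE.match(line)
        if not m:
            continue                      # not a SITE CPFR/CPTO line
        if m['verb'] == 'CPFR':
            if m['code'] == '350':
                pending[m['client']] = (m['user'], m['path'])
            continue
        if m['code'] != '250':
            continue                      # copy refused; nothing was written
        _, source = pending.pop(m['client'], (None, '<unknown>'))
        dest = m['path']
        reasons = []
        if m['user'] == '-':
            reasons.append('copy issued by an unauthenticated session')
        if dest.startswith(WEB_ROOTS):
            reasons.append('destination is under a web root')
        if dest.lower().endswith(SCRIPT_EXTENSIONS):
            reasons.append('destination is a server-side script')
        if reasons:
            findings.append(Finding(m['ts'], m['client'], m['user'], source, dest, reasons))
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client} user={f.user}: {f.source} -> {f.destination}")
        for r in f.reasons:
            print(f"    - {r}")
```

Alice's copy inside her own home directory produces no finding, while the unauthenticated copy of `/etc/passwd` into the web root trips all three checks. The durable fix is to upgrade ProFTPD past 1.3.5 or build it without mod_copy, and to make sure the FTP service cannot write into directories the web server executes scripts from.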

With the Metasploit

Metasploit console selecting the module for the exploit

Set the options as in the picture below:

Metasploit module options being set before running the exploit

And then run the exploit:

Running the Metasploit exploit in the console

Apache httpd 2.4.7

Apache httpd 2.4.7 service banner identified on the target

Payroll_app

The payroll app has a UNION-based SQL injection vulnerability in its login page.

As the picture below shows, manipulating the password parameter reveals the SQL injection:

Payroll_app login page showing a UNION SQL injection in the password parameter
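As an added illustration of this bug class (not the payroll app's real code, whose schema is not shown here), the following Python uses an in-memory SQLite table to show a login query built by string concatenation beside its parameterized form. The table, rows and query are constructed; the injected password uses the UNION pattern named above so that the difference between the two functions is visible in the rows they return.

```python
import sqlite3

# Constructed stand-in for a users table (not the payroll app's schema).
USERS = [('alice', 'Winter2024!', 70000), ('bob', 'hunter2', 65000)]

# A password value shaped like the UNION injection found above: it closes the
# string, appends a second SELECT, and comments out the rest of the query.
INJECTED_PASSWORD = "' UNION SELECT username, password FROM users -- "


def make_db():
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (username TEXT, password TEXT, salary INTEGER)')
    conn.executemany('INSERT INTO users VALUES (?, ?, ?)', USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # String formatting: the user's input becomes part of the SQL grammar,
    # so a quote in the password rewrites the statement itself.
    sql = ("SELECT username, salary FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    # Bound parameters: the driver passes the input as data, never as SQL,
    # so the same payload is simply a password that matches nobody.
    sql = "SELECT username, salary FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == '__main__':
    db = make_db()
    print("vulnerable:", login_vulnerable(db, 'x', INJECTED_PASSWORD))
    print("safe:      ", login_safe(db, 'x', INJECTED_PASSWORD))
    print("real login:", login_safe(db, 'alice', 'Winter2024!'))
```

With the vulnerable function the injected password returns every username and password in the table, which is what sqlmap later automates below; with bound parameters the same input returns nothing and the legitimate login still works. Storing passwords in clear text, as this toy table does, is a second defect that the parameterized query does not fix.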

So let's pass it to sqlmap, specifying the level and risk, and marking the vulnerable parameter by adding an asterisk (`*`) to the password parameter, as seen in the Burp Suite Repeater request:

Burp Suite Repeater marking the vulnerable password parameter with an asterisk for sqlmap

Using the sqlmap tool:

sqlmap -r req.txt --dbms="MySQL" --level=1 --risk=1 --dump --output-dir=output --batch

As the following picture:

sqlmap command run against req.txt with MySQL DBMS to dump the database

--dbms: This specifies the target DBMS (Database Management System). In this case, sqlmap is instructed that the database is MySQL.

--level=1: Defines the intensity of tests to perform. Level 1 is the lowest intensity, focusing on basic SQL injection tests.

--risk=1: This defines the risk factor associated with the tests sqlmap will conduct. Risk 1 is the least aggressive and is generally used to avoid causing damage to the target system.

--dump: This option instructs sqlmap to dump (extract) the database content.

--output-dir=output: This specifies the directory where the results of the SQL injection tests will be saved.

--batch: This option runs sqlmap in batch mode, meaning it will automatically answer any prompts without requiring user interaction.

The output was a users.csv file containing the following:

sqlmap output dumping users.csv with extracted credentials

I tried this user on SSH and it's valid; I have accounts on the server.

Some of them are valid users, confirmed using Hydra:

Hydra confirming valid SSH accounts using the dumped credentials
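Credential reuse against SSH like this leaves a recognisable trace in sshd's log: a burst of failed passwords across several usernames from one source, followed by a success. Here is an added example (not from the post) that detects that pattern over constructed auth.log-style lines; the hostname, addresses, usernames, the year assumed for the syslog timestamps, and the window and threshold values are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in the classic syslog auth.log layout (not from the
# post); the host, addresses and usernames are invented.
SAMPLE_AUTH_LOG = """\
May  1 10:10:01 target sshd[2101]: Failed password for invalid user admin from 10.0.2.15 port 51001 ssh2
May  1 10:10:02 target sshd[2102]: Failed password for alice from 10.0.2.15 port 51002 ssh2
May  1 10:10:02 target sshd[2103]: Failed password for bob from 10.0.2.15 port 51003 ssh2
May  1 10:10:03 target sshd[2104]: Failed password for carol from 10.0.2.15 port 51004 ssh2
May  1 10:10:04 target sshd[2105]: Failed password for alice from 10.0.2.15 port 51005 ssh2
May  1 10:10:05 target sshd[2106]: Failed password for bob from 10.0.2.15 port 51006 ssh2
May  1 10:10:07 target sshd[2107]: Accepted password for bob from 10.0.2.15 port 51007 ssh2
May  1 10:30:00 target sshd[2201]: Failed password for alice from 10.0.2.30 port 40001 ssh2
May  1 10:30:05 target sshd[2202]: Accepted password for alice from 10.0.2.30 port 40002 ssh2
"""

SSHD_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$'
)


def parse_auth_log(log_text, year=2024):
    """Return (timestamp, result, user, ip) tuples. Syslog lines carry no year,
    so one is assumed here; a rollover-aware parser would take it from the file."""
    events = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m['result'], m['user'], m['ip']))
    return events


def detect_bruteforce(events, window=timedelta(seconds=60), threshold=5):
    """Alert on any source that accumulates `threshold` failed passwords inside
    `window`, and record whether a later successful login from it followed."""
    recent = defaultdict(list)      # ip -> [(ts, user), ...] still inside the window
    alerts = {}
    for ts, result, user, ip in sorted(events):
        if result == 'Failed':
            hits = recent[ip]
            hits.append((ts, user))
            while hits and ts - hits[0][0] > window:
                hits.pop(0)         # drop failures that aged out of the window
            if len(hits) >= threshold and ip not in alerts:
                alerts[ip] = {
                    'first_seen': hits[0][0],
                    'failures': len(hits),
                    'users': sorted({u for _, u in hits}),
                    'success_after': None,
                }
        elif ip in alerts:          # an Accepted line after a burst: that credential is burned
            alerts[ip]['success_after'] = user
    return alerts


if __name__ == '__main__':
    for ip, info in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

The single failed attempt from 10.0.2.30 is an ordinary typo and stays quiet; 10.0.2.15 trips the threshold within seconds and its `success_after` field names the account that must be reset rather than merely blocking the source. Key-only authentication or rate limiting on the SSH port removes the burst itself.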

Phpmyadmin

This is an authentication vulnerability: the phpMyAdmin password was provided in the wiki.

Explaining the bug 

So, set the options: the port, which was 80, the TARGETURI /phpmyadmin/, and the username and password root:sploitme.

Metasploit phpMyAdmin module options set with port 80, TARGETURI /phpmyadmin/ and root:sploitme

As you can see in the picture below, running the exploit gives us a Meterpreter shell:

Running the exploit and receiving a Meterpreter shell

Drupal

Then the /drupal/ application:

Drupal site running on the target at /drupal/

After running directory fuzzing, a file that contains the version of Drupal was found:

Directory fuzzing of the Drupal site revealing the version file

I tried all the modules related to this version, but I realized it was a rabbit hole: it wasn't 7.5, because when I tried Nmap scanning it was the version before 7.5. It was vulnerable to CVE-2014-3704, which affected only versions before 7.32.

Nmap identifying Drupal version before 7.32 vulnerable to CVE-2014-3704

With Metasploit, I found the Drupageddon module for this CVE:

Metasploit search finding the Drupageddon module for CVE-2014-3704

After running the exploit, we got the shell, as in the picture below:

Shell obtained after running the Drupageddon exploit

Conclusion

This Metasploitable 3 walkthrough – Part 1 highlights practical penetration testing techniques. Using tools like Nmap, Metasploit, Hydra, and SQLmap, we explored vulnerabilities in services like ProFTPD, Apache, and the Payroll app. By exploiting issues such as remote code execution and SQL injection, we demonstrated how attackers could gain access to systems. Tools like Telnet and Metasploit helped automate the process, while Hydra was used to brute-force SSH passwords. Overall, this exercise shows the importance of scanning for vulnerabilities and keeping software up to date to protect against attacks.

Suggested Reading: Metasploitable 3 Walkthrough: Penetration Testing (Part 2)