Metasploitable3 is an updated version of Metasploitable2, developed to provide a more realistic environment for practicing advanced penetration testing techniques. This version introduces new vulnerabilities and services, offering a broader range of challenges for ethical hackers and security enthusiasts. Let’s explore what makes this version different and its key features!
Network Discovery
Let’s start with Nmap to scan the network.
Nmap (a network mapper tool) is used to discover hosts, services, and vulnerabilities, and it is one of the essential tools for hackers and security workers.
sudo nmap -sV -sS 10.0.2.6
-sS: Stealth scan (SYN scan), detects open ports without completing the TCP handshake, making it faster and stealthier
-sV: Detects the version of services running on open ports.
This command is a quick scan targeting 10.0.2.6 to identify open ports and service versions. It focuses on commonly used ports, not all 65,535 ports.
Note: This quick scan does not cover all 65,535 ports. Since this is just a walkthrough and not an in-depth exploitation, a more comprehensive scan might be explored in a future series.
The Exploitation Process
Port 21 ProFTPD 1.3.5
So, the vulnerability is on port 21. By connecting to this port, it was identified that ProFTPD 1.3.5 contains a remote code execution (RCE) vulnerability via the mod_copy module: an unauthenticated client can copy files anywhere the server can write, and a copy that lands in the web root lets attackers execute code on the server, as demonstrated below.
Manual Exploitation
First, connect to the port with telnet (telnet 10.0.2.6 21), a command-line tool for talking to remote devices or servers over a TCP/IP network, and then send site cpfr /etc/passwd:
- SITE: Initiates a server-specific command.
- CPFR: Indicates the file to copy from (in this case, /etc/passwd).
The second command has the form SITE CPTO /path/to/destination; sending site cpto /var/www/html/test.php overwrites the test.php file.
The test.php file has now been overwritten with the content of the /etc/passwd file, as the picture below shows:
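Defenders can spot this abuse on the FTP control channel. As an added example (not part of the original walkthrough), the Python below pairs each client's SITE CPFR with the SITE CPTO that follows it in a constructed command log and flags copies that read a system path or land under a web root; the log layout, web-root list and sensitive-path list are assumptions made for the example.

```python
import re
from collections import namedtuple

# Constructed sample of an FTP control-channel command log: timestamp, client, command.
# The layout is an assumption for this example, not ProFTPD's own log format.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.2.15 USER anonymous
2024-05-01T10:00:02 10.0.2.15 SITE CPFR /etc/passwd
2024-05-01T10:00:03 10.0.2.15 SITE CPTO /var/www/html/test.php
2024-05-01T10:00:09 10.0.2.22 SITE CPFR /pub/readme.txt
2024-05-01T10:00:10 10.0.2.22 SITE CPTO /pub/readme.bak
2024-05-01T10:00:15 10.0.2.31 SITE CPTO /var/www/html/x.php
"""

WEB_ROOTS = ("/var/www/",)               # a file copied here becomes reachable over HTTP
SENSITIVE_SOURCES = ("/etc/", "/proc/")  # FTP clients have no business copying these

SITE_RE = re.compile(r"^(\S+)\s+(\S+)\s+SITE\s+(CPFR|CPTO)\s+(\S+)\s*$", re.IGNORECASE)

Alert = namedtuple("Alert", "client source destination reasons")

def detect_mod_copy_abuse(log_text):
    """Pair each client's SITE CPFR with the following SITE CPTO and flag copies that
    read a sensitive path or write into a web root. A CPTO with no earlier CPFR from
    the same client is skipped: mod_copy has no source, so nothing was written."""
    pending = {}  # client -> source path named by its last CPFR
    alerts = []
    for line in log_text.splitlines():
        m = SITE_RE.match(line)
        if not m:
            continue  # other FTP commands are not relevant here
        _ts, client, verb, path = m.groups()
        if verb.upper() == "CPFR":
            pending[client] = path
            continue
        source = pending.pop(client, None)
        if source is None:
            continue
        reasons = []
        if path.startswith(WEB_ROOTS):
            reasons.append("destination under web root")
        if source.startswith(SENSITIVE_SOURCES):
            reasons.append("sensitive source path")
        if reasons:
            alerts.append(Alert(client, source, path, tuple(reasons)))
    return alerts
```

On a server that must keep running 1.3.5 for a while, a `<Limit SITE_CPFR SITE_CPTO>` block with DenyAll in proftpd.conf refuses both commands; the lasting fix is upgrading ProFTPD.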
With Metasploit
Set the options as shown in the picture below.
Then run the exploit.
Apache httpd 2.4.7
Payroll_app
The payroll app has a UNION-based SQL injection vulnerability in its login page.
As the picture below shows, manipulating the password parameter confirms that it is injectable.
So let’s pass the request to sqlmap, setting the level and risk and marking the vulnerable parameter by adding an asterisk (“*”) to the password value, which is the injectable parameter, as seen in the Burp Suite Repeater.
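The payroll app itself is PHP on MySQL; as an added example that is not the app's code, the Python/sqlite3 stand-in below places a login query built by string formatting beside its parameterized form and runs the same UNION probe in the password field through both. The table layout, user rows and probe string are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the payroll app's users table: two sample rows.
# Passwords are kept in clear only to mirror the dump the walkthrough describes
# (the dumped credentials worked on SSH); a real application must store hashes.
SAMPLE_USERS = [("alice", "s3cret", 4200), ("bob", "hunter2", 3100)]

# Constructed UNION probe typed into the password field: it closes the quoted
# password, appends a UNION that selects every user, and comments out the rest.
UNION_PROBE = "x' UNION SELECT username, salary FROM users -- "

def make_db():
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def login_vulnerable(conn, username, password):
    """The bug class behind the payroll login: request values spliced into the SQL
    text, so a quote in the password field changes the query's structure."""
    sql = ("SELECT username, salary FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()

def login_safe(conn, username, password):
    """Hardened form: bound parameters travel as data, so the same probe is compared
    literally against the password column and matches nothing."""
    sql = "SELECT username, salary FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()

def compare(conn):
    """Run a normal login and the probe through both versions; return the rows each gives."""
    return {
        "normal_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "normal_safe": login_safe(conn, "alice", "s3cret"),
        "probe_vulnerable": login_vulnerable(conn, "nobody", UNION_PROBE),
        "probe_safe": login_safe(conn, "nobody", UNION_PROBE),
    }

if __name__ == "__main__":
    for name, rows in compare(make_db()).items():
        print(f"{name}: {rows}")
```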
Using the Sqlmap tool
sqlmap -r req.txt --dbms="MySQL" --level=1 --risk=1 --dump --output-dir=output --batch
As in the following picture:
--dbms : This specifies the target DBMS (Database Management System). In this case, sqlmap is told that the database is MySQL.
--level=1 : Defines the intensity of tests to perform. Level 1 is the lowest intensity, focusing on basic SQL injection tests.
--risk=1 : This defines the risk factor associated with the tests sqlmap will conduct. Risk 1 is the least aggressive and is generally used to avoid causing damage to the target system.
--dump : This option instructs sqlmap to dump (extract) the database content.
--output-dir=output : This specifies the directory where the results of the SQL injection tests will be saved.
--batch : This option runs sqlmap in batch mode, meaning it will automatically answer any prompts without requiring user interaction.
The output was a users.csv file containing the following:
I have tried this user on SSH and it’s valid; I have accounts on the server.
Some of them are valid users (checked using Hydra).
phpMyAdmin
This is an authentication vulnerability: the phpMyAdmin password was provided in the wiki.
Explaining the bug
So set the options: the port, which was 80, the TARGETURI /phpmyadmin/, and the username and password root:sploitme,
as you can see in the picture below, then run the exploit. As we see, we got a Meterpreter shell.
Drupal
Then, after running directory fuzzing, the /drupal/ path was found, along with the file that contains the version of Drupal.
I have tried all the modules related to this version, but I realized it was a rabbit hole: it wasn’t 7.5, because when I tried Nmap scanning it was the version before 7.5, which was vulnerable to CVE-2014-3704 (affecting only versions before 7.32).
With Metasploit, I found the Drupageddon module for this CVE.
After running the exploit we got the shell, as in the picture below.
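CVE-2014-3704 is a SQL injection in Drupal 7's database layer: when a placeholder is expanded for an array argument, the array's keys (which arrive from the HTTP request) were used to name the new placeholders, so request text ended up in the SQL string. The Python below is an added rendering of that logic and of the 7.32 fix, not Drupal's own code; the query, argument names and the "INJECTED" marker are constructed for the example.

```python
import re

def _expand(query, args, name_placeholders):
    """Shared body: replace each array-valued placeholder in the SQL text with a
    comma-separated list of new placeholders and rebind the values to those names.
    name_placeholders decides how the new names are derived, which is the whole bug."""
    for key, data in list(args.items()):
        if not isinstance(data, dict):
            continue
        new_keys = name_placeholders(key, data)
        # Same substitution Drupal performs: the key followed by a word boundary.
        query = re.sub(re.escape(key) + r"\b", lambda _m: ", ".join(new_keys), query)
        del args[key]
        args.update(new_keys)
    return query, args

def expand_arguments_vulnerable(query, args):
    """Drupal 7.31 behaviour: the array's own keys, taken straight from the request
    (name[...] form fields), become part of the placeholder names and so of the SQL."""
    return _expand(query, args,
                   lambda key, data: {f"{key}_{i}": v for i, v in data.items()})

def expand_arguments_fixed(query, args):
    """Drupal 7.32 fix: placeholders are numbered by the server; request-supplied
    keys are discarded, so only the values (which stay bound) reach the database."""
    return _expand(query, args,
                   lambda key, data: {f"{key}_{i}": v for i, v in enumerate(data.values())})

# Constructed inputs: a normal lookup and one whose array key carries extra text.
QUERY = "SELECT uid FROM users WHERE name IN (:name)"
NORMAL_ARGS = {":name": {0: "alice", 1: "bob"}}
TAINTED_ARGS = {":name": {"0 INJECTED": "alice"}}

if __name__ == "__main__":
    print(expand_arguments_vulnerable(QUERY, dict(TAINTED_ARGS))[0])  # request text inside SQL
    print(expand_arguments_fixed(QUERY, dict(TAINTED_ARGS))[0])       # stays a placeholder
```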
Conclusion
This Metasploitable3 walkthrough highlights practical penetration testing techniques. Using tools like Nmap, Metasploit, Hydra, and sqlmap, we explored vulnerabilities in services like ProFTPD, Apache, and the payroll app. By exploiting issues such as remote code execution and SQL injection, we demonstrated how attackers could gain access to systems. Tools like telnet and Metasploit helped automate the process, while Hydra was used to brute-force SSH passwords. Overall, this exercise shows the importance of scanning for vulnerabilities and keeping software up to date to protect against attacks.