Metasploitable2 Vulnerability Assessment Detailed

Source: Internet
Author: User
Tags: brute force, phpinfo, ssh, port

Author: Yuleitest

Vulnerability assessment is the core content of penetration testing and an integral part of risk assessment.

Last time we covered a port scan of Metasploitable2; this article explains the vulnerabilities of this system in detail. There are basic tutorials for this system on the web, but they either cover only a few of the services or copy from others, so I decided to identify these vulnerabilities manually and write a relatively complete teaching tutorial. I do not use automated vulnerability scanners, because the accuracy of automated tools still needs to be verified by a person. This time we assessed using Nmap and MSF, and we updated Kali and the tools to the latest version before using them.

Here is a list of what has been evaluated:

Port    Status
21      tested
22      tested
23      tested
25      -
53      -
80      tested
111     -
139     tested
445     tested
512     -
513     -
514     -
1099    tested
1524    tested
2049    -
2121    -
3306    tested
3632    tested
5432    tested
5900    tested
6000    -
6667    tested
6697    tested
8009    -
8180    tested
8787    tested
35307   -
48359   tested
48446   -
52004   -

Based on the previous information gathering, let's look at the content of this assessment:

First we look at port 21. Generally I first identify what service is running there, since there may be a vulnerability in the middleware itself; after that we can try brute forcing.

vsftpd version 2.3.4 has a backdoor, and MSF already has an exploit module for it.

Port 22

First of all, this is an SSH port; I usually start with weak-password brute forcing.

We use the SSH login scanner module of MSF.

The default dictionary was of no use, so I imported an existing dictionary from Windows. After a few seconds, the username and password were cracked.

Username msfadmin, password msfadmin
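From the defender's side, the SSH brute forcing described above leaves a dense run of "Failed password" lines in sshd's auth log, followed by an "Accepted password" from the same source once the dictionary hits. The following Python check is an added example, not part of the original post; it flags a source that had at least `threshold` failures within `window` seconds immediately before a successful login. The log lines are constructed samples and the year is assumed, since syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd auth.log lines (syslog format), not taken from a real host.
SAMPLE_AUTH_LOG = """\
Mar 12 10:00:01 target sshd[2001]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2
Mar 12 10:00:02 target sshd[2002]: Failed password for msfadmin from 10.0.0.5 port 40002 ssh2
Mar 12 10:00:03 target sshd[2003]: Failed password for msfadmin from 10.0.0.5 port 40003 ssh2
Mar 12 10:00:04 target sshd[2004]: Failed password for msfadmin from 10.0.0.5 port 40004 ssh2
Mar 12 10:00:05 target sshd[2005]: Failed password for msfadmin from 10.0.0.5 port 40005 ssh2
Mar 12 10:00:06 target sshd[2006]: Accepted password for msfadmin from 10.0.0.5 port 40006 ssh2
Mar 12 10:05:00 target sshd[2010]: Failed password for root from 10.0.0.8 port 50001 ssh2
Mar 12 10:09:00 target sshd[2011]: Accepted publickey for deploy from 10.0.0.8 port 50002 ssh2
"""

# Matches both failed and accepted logins; "invalid user" appears for unknown accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def detect_bruteforce(log_text, threshold=5, window=60, year=2024):
    """Return {ip: (failure_count, user)} for sources whose accepted login was
    preceded by >= threshold failed logins within `window` seconds.
    `year` is assumed because syslog timestamps carry no year."""
    failures = defaultdict(list)  # ip -> timestamps of failed attempts
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip].append(ts)
            continue
        # Accepted login: count the failures from this source inside the window.
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window]
        if len(recent) >= threshold:
            hits[ip] = (len(recent), m["user"])
    return hits


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_AUTH_LOG))  # {'10.0.0.5': (5, 'msfadmin')}
```

The same pattern (a burst of failures then a success from one source) applies to the Telnet, MySQL, PostgreSQL and VNC brute forcing later in this article, each with its own log format.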

Port 23 is a Telnet remote terminal. As with any service that has a login, I first try brute forcing.

The brute force succeeds with username msfadmin, password msfadmin.

We can log in with the username and password just obtained.

Port 80 is HTTP, so here we test the web application. Web vulnerabilities involve too much to cover here; we will add more detail later. For now I only show one of them.

According to the Nmap HTTP enumeration script, there is a phpinfo page.

Let's open it and have a look.

This phpinfo page not only leaks server information; it also shows that the Server API is CGI mode, and in certain PHP versions this has a serious vulnerability: CGI argument injection.

We append ?-s after phpinfo.php.

We find that the source code of the file is displayed. This is the vulnerability that was publicly disclosed in 2012. We use MSF to assess it directly and find that we already have a shell.
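The injection above works because php-cgi treats a query string that begins with a dash as a command-line option (?-s shows the script's source). From the defender's side, that pattern is easy to spot in web server access logs. The following Python check is an added example, not part of the original post; it URL-decodes each request's query string and flags those whose first token is a php-cgi style option rather than a normal name=value parameter. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format), not from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /phpinfo.php HTTP/1.1" 200 51234
10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /phpinfo.php?-s HTTP/1.1" 200 4410
10.0.0.7 - - [12/Mar/2024:10:02:15 +0000] "POST /index.php?%2Dd+allow_url_include%3DOn HTTP/1.1" 200 88
10.0.0.9 - - [12/Mar/2024:10:03:40 +0000] "GET /index.php?page=-1 HTTP/1.1" 200 900
10.0.0.9 - - [12/Mar/2024:10:03:41 +0000] "GET /search.php?q=hello-world HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_cgi_arg_injection(target: str) -> bool:
    """True if the decoded query string starts with a php-cgi option such as
    '-s' or '-d allow_url_include=On' instead of a name=value parameter."""
    if "?" not in target:
        return False
    # Decode %XX escapes and '+' so an encoded dash (%2D) is not missed.
    query = unquote_plus(target.split("?", 1)[1])
    first = query.split(" ", 1)[0]
    # A real parameter contains '='; an option token starts with '-' and does not.
    return first.startswith("-") and "=" not in first


def find_suspicious(log_text: str):
    """Return (ip, method, target) for every request that looks like injection."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_cgi_arg_injection(m["target"]):
            hits.append((m["ip"], m["method"], m["target"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

A patched php-cgi ignores these options, so a hit means the host is being probed, not necessarily that it is vulnerable; a phpinfo page reachable from the network should be removed regardless.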

Ports 139 and 445 are both SMB, i.e. file-sharing services. First we need to know which directories it shares; after enumeration we can see the following 5.

Second, we enumerate the accounts and find a large number of them; this is one of the sources for the usernames we brute-forced earlier.

Then we use another scan script whose target port is 445. Here we fill in the share directories just acquired, and find that the tmp share can be accessed successfully.

Now we can enter the shared directory and browse freely.

Let's see what is under rootfs.

Port 1099: there is a deserialization remote command execution vulnerability; as can be seen, we already got a shell.

Port 1524 is a Metasploitable backdoor; connect to it directly.

Port 3306 is the MySQL port. Since it allows remote connections, we brute-force it directly with the previous password dictionary.

After success: username root, empty password.

Log in directly.

Port 3632, distccd service: remote command execution vulnerability, run the exploit directly.

Port 5432, PostgreSQL: brute-force the username and password.

Port 5900, VNC service. VNC consists of two parts, a server and a client; we brute-force it.

After obtaining the password (password), we connect with a VNC client.

Ports 6667 and 6697, IRC service. This version has a backdoor vulnerability; run the exploit directly and get a shell.

Port 8180 is the HTTP port of Tomcat on this system; we access it directly.

Brute forcing yields the credentials tomcat:tomcat.

Deploy a WAR package and get a shell.

Port 8787, DRb service: there is a remote code execution vulnerability.

Run the exploit directly and get the shell.

Port 48339 is also a Java RMI service. It abuses the default configuration of the RMI Registry and RMI Activation services, which allow classes to be loaded from any remote (HTTP) URL, so it is also a remote code execution vulnerability. Below is the shell obtained after running the exploit.

This concludes a relatively comprehensive vulnerability assessment of the system. One thing you should know: what we did is based on the TCP protocol; UDP is still a blind spot, and we only mined with existing tools and resources. You can see that some services' vulnerabilities have not been tested, so there may be potential problems that have not yet been dug out. After all, offense and defense are endless, and we have a lot to do. More exciting articles to come.
