Home Audience Admin Pen Testing: Attacking a Vulnerable Metasploitable Machine

Pen Testing: Attacking a Vulnerable Metasploitable Machine

0
hacker

The Metasploitable framework is an open source framework created by the Rapid7 Metasploit team. It is used by many cyber criminals and ethical hackers to study different vulnerabilities on servers and networks. It is easily customisable and is compatible with most operating systems. Metasploitable is used by penetration testers to study the weak spots of a network.

In this article we will see how we can attack the Metasploitable framework. In this attack we will be able to access the file system of a vulnerable Metasploitable machine.

You can download the .iso file from https://www.vulnhub.com/entry/metasploitable-2,29/ and run it using any virtualisation software like VMware or VirtualBox.

Now open your Metasploitable machine and enter the user name and password – ‘msfadmin’ in both cases. Then use the command ifconfig to find the IP address of the Metasploitable machine, as shown in Figure 1.

Figure 1: ifconfig on the Metasploitable machine

Now open a Kali Linux terminal and run the following command to find out all the vulnerable services available in Metasploitable. Run the command:

nmap -T4 -sV <metasploitable IP address>
Figure 2: Vulnerabilities in Metasploitable

Open msfconsole in Kali Linux using the command msfconsole, as shown in Figure 3.

Figure 3: msfconsole in Kali linux

Now search the vsftpd exploits available in the Metasploitable framework, which could give us a backdoor entry to Metasploitable.

Figure 4: Searching vsftpd exploits

Use that exploit and set the rhosts parameter to the IP address of the Metasploitable machine, as shown in Figure 5.

Figure 5: Use exploit and set rhosts value

Use options to check if rhosts is assigned properly or not.

Figure 6: Check rhosts

Go back to your Metasploitable machine and create a new file, as shown in Figure 7.

Figure 7: Creating a new file in Metasploitable

Use the ls command to see all the files in the Metasploitable machine.

Figure 8: All files in the Metasploitable machine

Go back to your Kali Linux machine and use the command run to run the exploit. A session will be opened.

Figure 9: Running the exploit

Whatever command you type now will be equivalent to giving a command in the Metasploitable machine’s command shell. For example:

  • ls: Prints all files/folders under the service.
  • cd home: Changes directory to home.
  • ls: Files in home directory.
  • cd msfadmin: Changes directory to msfadmin
  • ls: Lists files in the Metasploitable machine
Figure 10: Output of ls

Here you can see all the files in the Metasploitable machine including the new file just created, named newfile.txt. Do try it out!

Figure 11: All the files in the home directory

Once you try this you can also try to exploit many more different vulnerabilities of the Metasploitable machine, as shown in Figure 1. The more you get into it, the more interesting it will become.

Figure 12: All the files in Metasploitable machine

NO COMMENTS

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Exit mobile version