Metasploitable 2 Penetration Test Report

[email protected]

Name- Mukesh Nirala

Copyright © 2023 Metasploitable 2 Ltd. All rights reserved.

No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner,
including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast
for distant learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written
permission from Metasploitable 2 .

1 | Page
Table of Contents

1. Metasploitable 2 Penetration Test Report ....................................................................................................................................... 3

1.1 Introduction ................................................................................................................................................................................. 3

1.2 Objective ...................................................................................................................................................................................... 3

1.3 Requirements .............................................................................................................................................................................. 3

2. High-Level Summary........................................................................................................................................................................... 4

2.1 Recommendations....................................................................................................................................................................... 4

3. Methodologies .................................................................................................................................................................................... 5

3.1 Information Gathering ................................................................................................................................................................ 5

3.2 Service Enumeration ................................................................................................................................................................... 5

3.3 Penetration .................................................................................................................................................................................. 5

3.4 Maintaining Access ...................................................................................................................................................................... 6

3.5 House Cleaning ............................................................................................................................................................................ 6

4. Independent Challenges..................................................................................................................................................................... 7

4.1 Target #1 – 172.20.10.6 .............................................................................................................................................................. 7

4.1.1 Service Enumeration ........................................................................................................................................................... 7

5.0 I VNC Server 'password' Password ....................................................................................................................................... 7
5.1. Bind Shell Backdoor Detection ........................................................................................................................................ 7
5.1.1 Debian OpenSSH/OpenSSL Package Random Number Generator Weakness (SSL check) .......................... 7
5.1.2 Apache Tomcat SEoL (<= 5.5.x)
................................................................................................................................................................................................................. 8

5.1.3 SSL Version 2 and 3 Protocol Detection........................................................................................................................... 8

5.2 CGI Generic Remote File Inclusion.................................................................................................................................. 9

5.2.1 rlogin Service Detection ...........................................................................................................................................10
5.2.2 rsh Service Detection .................................................................................................................................................13
5.2.3 Samba Badlock Vulnerability
.......................................................................................................................................................................................................... 14

6.0 Unencrypted Telnet Server……………………………………………………………………………………………………………………………16

2 | Page
1. Metasploitable Penetration Test Report
1.1 Introduction

The Metasploitable 2 Lab and Exam penetration test report contains all efforts that were con-
ducted in order to pass the Metasploitable 2 course. This report should contain all items that
were used to pass the overall exam and it will be graded from a standpoint of correctness and
fullness to all aspects of the exam. The purpose of this report is to ensure that the student has a
full understanding of penetration testing methodologies as well as the technical knowledge to
pass the qualifications for the Metasploitable 2 Certified Professional.

1.2 Objective

The objective of this assessment is to perform an internal penetration test against the
Metasploitable 2 Lab and Exam network. The student is tasked with following methodical ap-
proach in obtaining access to the objective goals. This test should simulate an actual penetra-
tion test and how you would start from beginning to end, including the overall report. An exam-
ple page has already been created for you at the latter portions of this document that should
give you ample information on what is expected to pass this course. Use the sample report as a
guideline to get you through the reporting.

1.3 Requirements

The student will be required to fill out this penetration testing report fully and to include the fol-
lowing sections:

 Overall High-Level Summary and Recommendations (non-technical)

 Methodology walkthrough and detailed outline of steps taken

 Each finding with included screenshots, walkthrough, sample code, and proof.txt if appli-
cable.

 Any additional items that were not included

3 | Page
2. High-Level Summary (FINDING and IMPACT ) CRITICAL> HIGH> ME-
DIUM> LOW
1. NFS Exported Share Information Disclosure was/were found configured on one/multiple
host/system/server due to which the remote server could be mounted by the attacker. Also,
attacker can read or write the files on the system.

2. Unssupported OS was found installed on one host hacing iP ADrrsss and lack of support implies
that no security patches will be available. As a result, it is likely to contain security vulnerabili-
ties.

3. CGI Generic Remote File Inclusion vulnerability was found on one host which could lead an at-
tacker toinculde a remote file from a remote server and execute arbitrary commands on the target
host.

4. TLS 1.0 vuerabiltiy was found which has number of cryptographic design flaws

When performing the internal penetration test, there were several alarming vulnerabilities that
were identified on Metasploitable 2 network. When performing the attacks, I was able to gain
access to multiple machines, primarily due to outdated patches and poor security configura-
tions.During the testing, I had administrative level access to multiple systems. All systems were
successfully exploited and access granted

2.1 Recommendations ( MITIGATION patching solution fixing) critical high

mdedium low

1. Configure NFS on the remote host so that only authorized hosts can mount its remote shares.

2. Upgrade to a version of the Unix operating system that is currently supported.

3. Restrict access to the vulnerable application

4. Enable support for TLS 1.2 and 1.3, and disable support for TLS 1.0.

5. Make sure that every sensitive form transmits content over HTTPS.

4 | Page
I recommends patching the vulnerabilities identified during the testing to ensure that an attack-
er cannot exploit these systems in the future. One thing to remember is that these systems re-
quire frequent patching and once patched, should remain on a regular patch program to protect
additional vulnerabilities that are discovered at a later date

3. Methodologies
I utilized a widely adopted approach to performing penetration testing that is effective in testing
how well the Metasploitable 2 Labs and Exam environments are secure. Below is a breakout of
how I was able to identify and exploit the variety of systems and includes all individual vulnera-
bilities found.

3.1 Information Gathering

The information gathering portion of a penetration test focuses on identifying the scope of the
penetration test. During this penetration test, I was tasked with exploiting the lab and exam net-
work. The specific IP addresses were:

Exam Network:

172.20.10.6

3.2 Service Enumeration

The service enumeration portion of a penetration test focuses on gathering information about
what services are alive on a system or systems. This is valuable for an attacker as it provides
detailed information on potential attack vectors into a system. Understanding what applications
are running on the system gives an attacker needed information before performing the actual
penetration test. In some cases, some ports may not be listed.

3.3 Penetration

The penetration testing portions of the assessment focus heavily on gaining access to a variety
of systems. During this penetration test, John was able to successfully gain access

5 | Page
3.4 Maintaining Access

Maintaining access to a system is important to us as attackers, ensuring that we can get back
into a system after it has been exploited is invaluable. The maintaining access phase of the
penetration test focuses on ensuring that once the focused attack has occurred (i.e. a buffer
overflow), we have administrative access over the system again. Many exploits may only be ex-
ploitable once and we may never be able to get back into a system after we have already per-
formed the exploit.

I added administrator and root level accounts on all systems compromised. In addition to the
administrative/root access, a Metasploit meterpreter service was installed on the machine to en-
sure that additional access could be established.

3.5 House Cleaning

The house cleaning portions of the assessment ensures that remnants of the penetration test
are removed. Often fragments of tools or user accounts are left on an organizations computer
which can cause security issues down the road. Ensuring that we are meticulous and no rem-
nants of our penetration test are left over is important.

After the trophies on both the lab network and exam network were completed, I removed all us-
er accounts and passwords as well as the Meterpreter services installed on the system.
Metasploitable 2 should not have to remove any user accounts or services from the system.

6 | Page
4. Independent Challenges
4.1 Target #1 – 172.20.10.6

4.1.1 Service Enumeration

Port Scan Results

The scan shows us that the following ports are open:

FTP Enumeration

Upon manual enumeration of the available FTP service, I noticed it was running an outdat-
ed version 2.3.4 that is prone to the remote buffer overflow vulnerability.

7 | Page
5. VNC Server 'password' Password
Vulnerability Explanation The VNC server running on the remote host is secured with a weak pass-
word. Nessus was able to login using VNC authentication and a password of 'password'. A remote, un-
authenticated attacker could exploit this to take control of the system.

Vulnerability Fix: Secure the VNC service with a strong password.

Severity: Critical
Launching Metasploit and searching for exploits

5.1 Bind Shell Backdoor Detection

Vulnerability Explanation: A shell is listening on the remote port without any authentication being
required. An attacker may use it by connecting to the remote port and sending commands directly.

Vulnerability Fix: Verify if the remote host has been compromised, and reinstall the system if neces-
sary.

Severity: Critical

8 | Page
5.1.1 Debian OpenSSH/OpenSSL Package Random Number Generator Weakness (SSL check)
Vulnerability Explanation: The remote x509 certificate on the remote SSL server has been generated
on a Debian or Ubuntu system which contains a bug in the random number generator of its OpenSSL
library.

The problem is due to a Debian packager removing nearly all sources of entropy in the remote version
of OpenSSL.

An attacker can easily obtain the private part of the remote key and use this to decipher the remote
session or set up a man in the middle attack.
Vulnerability Fix: Consider all cryptographic material generated on the remote host to be guessable. In

9 | Page
particuliar, all SSH, SSL and OpenVPN key material should be re-generated.
Severity: Critical
Steps to reproduce the attack
Postgres is associated with SQL is runs on port 5432 and we have a great little exploit that can be used
here.

5.1.2 Apache Tomcat SEoL (<= 5.5.x)

Vulnerability Explanation: According to its version, Apache Tomcat is less than or equal to 5.5.x. It is,
therefore, no longer maintained by its vendor or provider.

Lack of support implies that no new security patches for the product will be released by the vendor. As a
result, it may contain security vulnerabilities.

Vulnerability Fix: Upgrade to a version of Apache Tomcat that is currently supported.

Severity: Critical

Steps to reproduce the attack: We saw during the service scan that Apache Tomcat is running

10 | Page
on port 8180. Incidentally, Metasploit has an exploit for Tomcat that we can use to get a
Meterpreter session. The exploit uses the default credentials used by Tomcat to gain access.
This module can be used to execute a payload on Apache Tomcat servers that have an exposed
“manager” application. The payload is uploaded as a WAR archive containing a JSP application
using a POST request against the /manager/html/upload component. NOTE: The compatible pay-
load sets vary based on the selected target. For example, you must select the Windows target to
use native Windows payloads.

5.1.3 SSL Version 2 and 3 Protocol Detection

Vulnerability Explanation: he remote service accepts connections encrypted using SSL 2.0 and/or SSL
3.0. These versions of SSL are affected by several cryptographic flaws, including:

- An insecure padding scheme with CBC ciphers.

- Insecure session renegotiation and resumption schemes.

11 | Page
An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communica-
tions between the affected service and clients.

Although SSL/TLS has a secure means for choosing the highest supported version of the protocol (so
that these versions will be used only if the client or server support nothing better), many web brows-
ers implement this in an unsafe way that allows an attacker to downgrade a connection (such as in
POODLE). Therefore, it is recommended that these protocols be disabled entirely.

NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of
enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC's definition of 'strong
cryptography'.
Vulnerability Fix: Consult the application's documentation to disable SSL 2.0 and 3.0.
Use TLS 1.2 (with approved cipher suites) or higher instead.
Severity: Critical

5.2 CGI Generic Remote File Inclusion

Vulnerability Explanation: The remote web server hosts CGI scripts that fail to adequately sanitize re-
quest strings. By leveraging this issue, an attacker may be able to include a remote file from a remote
server and execute arbitrary commands on the target host.
Vulnerability Fix: Restrict access to the vulnerable application. Contact the vendor for a patch or up-
grade.
Severity: High
Steps to reproduce the attack: We know that port 80 is open so we type in the IP address of
Metasploitable 2 in our browser and notice that it is running PHP. We dig a little further and find
which version of PHP is running and also that it is being run as a CGI. We will now exploit the ar-
gument injection vulnerability of PHP 2.4.2 using Metasploit

12 | Page
5.2.1 rlogin Service Detection
Vulnerability Explanation: The rlogin service is running on the remote host. This service is vulnerable
since data is passed between the rlogin client and server in cleartext. A man-in-the-middle attacker
can exploit this to sniff logins and passwords. Also, it may allow poorly authenticated logins without
passwords. If the host is vulnerable to TCP sequence number guessing (from any network) or IP spoof-
ing (including ARP hijacking on a local network) then it may be possible to bypass authentication.
Finally, rlogin is an easy way to turn file-write access into full logins through the .rhosts or rhosts.equiv
files.
Vulnerability Fix: Comment out the 'login' line in /etc/inetd.conf and restart the inetd process. Alter-
natively, disable this service and use SSH instead.

Severity: High
Steps to reproduce the attack: A remote login is a tool that was used before ssh came into the pic-
ture. Since we have the login credentials for Metasploitable 2, we will be using Rlogin to connect
to it, using the “-l” flag to define the login name.

13 | Page
 5.2.2 rsh Service Detection

Vulnerability Explanation: The rsh service is running on the remote host. This service is vulnerable
since data is passed between the rsh client and server in cleartext. A man-in-the-middle attacker can
exploit this to sniff logins and passwords. Also, it may allow poorly authenticated logins without pass-
words. If the host is vulnerable to TCP sequence number guessing (from any network) or IP spoofing
(including ARP hijacking on a local network) then it may be possible to bypass authentication.

Finally, rsh is an easy way to turn file-write access into full logins through the .rhosts or rhosts.equiv
files.

Vulnerability Fix: Comment out the 'rsh' line in /etc/inetd.conf and restart the inetd process. Alterna-
tively, disable this service and use SSH instead.

Severity: High

5.2.3 Samba Badlock Vulnerability

14 | Page
Vulnerability Explanation:The version of Samba, a CIFS/SMB server for Linux and Unix, running on the
remote host is affected by a flaw, known as Badlock, that exists in the Security Account Manager (SAM) and
Local Security Authority (Domain Policy) (LSAD) protocols due to improper authentication level negotia-
tion over Remote Procedure Call (RPC) channels. A man-in-the-middle attacker who is able to able to inter-
cept the traffic between a client and a server hosting a SAM database can exploit this flaw to force a down-
grade of the authentication level, which allows the execution of arbitrary Samba network calls in the con-
text of the intercepted user, such as viewing or modifying sensitive security data in the Active Directory
(AD) database or disabling critical services.

Vulnerability Fix: Upgrade to Samba version 4.2.11 / 4.3.8 / 4.4.2 or later.

Severity: Medium

Steps to reproduce the attack: Samba is running on both port 139 and 445, we will be exploiting it
using Metasploit. The default port for this exploit is set to port 139 but it can be changed to port
445 as well.

7.0 Unencrypted Telnet Server

15 | Page
Vulnerability Explanation: The remote host is running a Telnet server over an unencrypted channel.

Using Telnet over an unencrypted channel is not recommended as logins, passwords, and commands are
transferred in cleartext. This allows a remote, man-in-the-middle attacker to eavesdrop on a Telnet session
to obtain credentials or other sensitive information and to modify traffic exchanged between a client and
server.

SSH is preferred over Telnet since it protects credentials from eavesdropping and can tunnel additional
data streams such as an X11 session.

Vulnerability Fix: Disable the Telnet service and use SSH instead.

Severity: Medium
Steps to reproduce the attack: we are using Wireshark to capture the TCP traffic, it is set to run in the
background while we connect to Metasploitable 2 through telnet using “msfadmin” as credentials for user
name and password.

16 | Page
17 | Page