### Report Objective
This report documents all phases of the penetration testing process performed on the vulnerable machine Metasploitable 1. It includes:
- The tools and techniques used in each phase.
- Analysis of the discovered vulnerabilities.
- A breakdown of how root access was obtained.
### General Information
- Target Machine: Metasploitable-1
- Operating System: Ubuntu 8.04
- Difficulty Level: Beginner to Intermediate
- Target IP: 192.168.84.132
- Attacker IP (Kali): 192.168.84.131
- Network Setup: All machines are connected to the same NAT network (internal LAN).
Tools Used:
nmap, msfconsole, nikto, smbclient, searchsploit, enum4linux, telnet, etc.
First, let's make sure we're on the same network:
- Since I put all the machines on one LAN network (NAT).
- The IP of the attack machine (Kali):
### Phase 1: Discovery
Discover active devices:
```
sudo netdiscover -r 192.168.84.0/24
nmap -sn 192.168.84.0/24
```
- `-sn`: ping scan only, without port detection.
- `192.168.84.0/24`: scan the entire Class C network (256 IP addresses).
Results: 5 live devices confirmed:
- 192.168.84.1
- 192.168.84.2
- 192.168.84.132 (possible target)
- 192.168.84.131
- 192.168.84.254
Device 192.168.84.132 appears in both netdiscover and nmap, which makes it likely the target device.
Step 3: Scan for open services and ports on the target
Tool: nmap. Command:
```
nmap -p- -sV -T5 -O IP-Target | tee Kiopxrix.txt
```
- `-p-`: all 65535 TCP ports; `-sV`: service and version detection; `-T5`: fastest timing template; `-O`: OS detection.
Analyzing the open port scan results:
| Port | Service | Version | Initial Notes |
|---|---|---|---|
| 21 | FTP | ProFTPD 1.3.1 | Known for vulnerabilities |
| 22 | SSH | OpenSSH 4.7p1 | Probably won't be exploited initially |
| 23 | Telnet | Linux telnetd | Open, can be tried with default privileges |
| 25 | SMTP | Postfix smtpd | Can be exploited or guessed |
| 53 | DNS | ISC BIND 9.4.2 | Has old vulnerabilities |
| 80 | HTTP | Apache 2.2.8 + PHP 5.2.4 | Very important web gateway |
| 139/445 | Samba | smbd 3.X - 4.X | Very exploitable |
| 3306 | MySQL | 5.0.51a | Try connecting without a password |
| 3632 | distccd | v1 | Contains a known vulnerability (CVE-2004-2687) |
| 5432 | PostgreSQL | 8.3.x | Highly likely without a password |
| 8009 | AJP13 | Apache JServ | Targeting it later with Tomcat |
| 8180 | HTTP | Tomcat/JSP engine | Vulnerable (sometimes very strongly) |
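As an added example (not part of the original report), the following Python script parses `nmap -sV` normal output of the kind summarized in the table above and applies simple triage rules to the open ports. The sample scan lines are constructed; the distccd note restates the CVE the report cites, and the other notes are standard exposure and hardening observations.

```python
"""Parse nmap -sV normal output and triage the open ports (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of `nmap -p- -sV` normal output (a subset
# of the ports in the report's table).
SAMPLE_SCAN = """\
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      ProFTPD 1.3.1
23/tcp   open  telnet   Linux telnetd
3306/tcp open  mysql    MySQL 5.0.51a-3ubuntu5
3632/tcp open  distccd  distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

@dataclass
class Finding:
    port: int
    proto: str
    state: str
    service: str
    version: str
    notes: list = field(default_factory=list)

# Triage rules keyed by nmap service name. The distccd note is the CVE the
# report cites; the others are standard exposure/hardening observations.
RULES = {
    "ftp": "plaintext credentials on the wire; use SFTP/FTPS or disable",
    "telnet": "plaintext credentials on the wire; replace with SSH",
    "mysql": "database listener reachable from the LAN; bind to localhost",
    "distccd": "build daemon exposed (CVE-2004-2687); restrict to trusted hosts",
}

def parse_scan(text):
    # One Finding per "port/proto state service version" line; other lines are skipped.
    findings = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            findings.append(Finding(int(port), proto, state, service, version.strip()))
    return findings

def triage(findings):
    # Attach a note to every open port matching a rule and return only those.
    flagged = []
    for f in findings:
        if f.state == "open" and f.service in RULES:
            f.notes.append(RULES[f.service])
            flagged.append(f)
    return flagged
```

Feed it the text file produced by `tee` in the command above; ports that are filtered or closed are parsed but never flagged.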
### Phase 2: Enumeration: Gathering Information from Open Services
We'll test each open service one by one and see if we can benefit from it:
1. FTP, Port 21 (ProFTPD 1.3.1):
- The FTP service does not allow anonymous login. This means that it is currently impossible to access files via FTP without valid credentials.
2. Telnet, Port 23:
- The service is operating normally on port 23.
- I tried the same username that I entered as the password.
- The login banner is visible, and the user is prompted for a username and password.
- The usernames I tried (anonymous, root, admin) did not work, and some caused the connection to be dropped after incorrect attempts.
3. SMB (Samba), Ports 139 and 445
Check anonymous share listing:
Available shares:
- print$ => Disk, Printer Driver => Mostly unimportant.
- tmp => Disk, "oh noes!" => Very interesting.
- opt => Disk, no comment => We might find additional files in it.
- IPC$ => IPC: internal connection, usually without files => Sometimes used to execute commands.
- ADMIN$ => IPC: same as above, may request permissions => We probably won't be able to connect to it anonymously.
Let's start by reviewing the important shares, beginning with tmp because it carries an interesting comment, "oh noes!":
Advanced scan (enum4linux):
- The workgroup name of the target machine is WORKGROUP. This is common in SMB setups, especially in older Windows/SMB environments.
- `grep "^user:"`: displays all accounts/users present on the victim system.
- A RID is a relative identifier, used in Windows/Samba systems to identify a user within a domain (it is the last component of the SID).
### Summary from enum4linux:
- Domain Name: WORKGROUP
- OS Info: Samba 3.0.20-Debian on Linux Ubuntu 8.04
- Users Enumerated:
  - root => The highest-authority user on the system (key to control)
  - msfadmin => A user
  - mysql => Indicates the presence of a MySQL database
  - postgres
  - tomcat55
  - distccd
  - service
- Samba Shares:
  - `tmp`: Listing OK, Write: No
  - `opt`: Access Denied
- Password Policy:
  - Minimum length: 5
  - Complexity: Disabled
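As an added example (not from the report), this Python snippet parses the `user:[name] rid:[hex]` lines that enum4linux prints, inverts Samba's default algorithmic RID mapping (user RID = 2 * uid + 1000, which is assumed to hold because the target runs a default Samba configuration) to recover the Unix uids, and separates login accounts from service accounts. The sample lines are constructed and the RID values are illustrative.

```python
"""Decode enum4linux user lines and classify the accounts (added example)."""
import re

# Constructed sample in the shape of the "user:[name] rid:[hex]" lines that
# enum4linux prints; the RID values are illustrative, not the target's real ones.
SAMPLE_ENUM = """\
user:[root] rid:[0x3e8]
user:[msfadmin] rid:[0xbb8]
user:[mysql] rid:[0x4b4]
user:[postgres] rid:[0x4c0]
user:[tomcat55] rid:[0x4bc]
user:[distccd] rid:[0x4b8]
user:[service] rid:[0xbba]
"""

USER_RE = re.compile(r"^user:\[([^\]]+)\]\s+rid:\[0x([0-9a-fA-F]+)\]")
RID_BASE = 1000  # Samba's default algorithmic_rid_base (assumes a default config)

def rid_to_uid(rid):
    """Invert Samba's default algorithmic mapping, user RID = 2 * uid + RID_BASE.
    Odd offsets from the base are group RIDs, so they return None."""
    offset = rid - RID_BASE
    if offset < 0 or offset % 2:
        return None
    return offset // 2

def parse_users(text):
    """Map each enumerated account name to its RID as an integer."""
    accounts = {}
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            accounts[m.group(1)] = int(m.group(2), 16)
    return accounts

def classify(accounts):
    """Split accounts into login accounts (root or uid >= 1000) and
    system/service accounts; this is exactly what the anonymous session leaks."""
    login, system = [], []
    for name, rid in accounts.items():
        uid = rid_to_uid(rid)
        if uid is not None and (uid == 0 or uid >= 1000):
            login.append(name)
        else:
            system.append(name)
    return sorted(login), sorted(system)
```

That this list can be pulled over a null session is itself a finding: on the Samba side, `restrict anonymous = 2` in smb.conf refuses anonymous IPC$ connections, which is what the enumeration relies on.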
4. Website Analysis (HTTP):
- Apache/2.2.8 and PHP/5.2.4-2ubuntu5.10 => very old and outdated versions with known vulnerabilities => excellent for exploitation.
- phpinfo.php is exposed => it reveals sensitive information about the system such as paths and the server environment => useful for collecting information before exploitation.
Open it in the browser; you will find more valuable information that can be exploited this way:
### Phase 3: Exploitation
We will begin by focusing on the most exploitable services, which are:
Use searchsploit:
A module for the vulnerability is already available in Metasploit:
Steps to exploit the vulnerability using Metasploit: open msfconsole.
1. I wrote in msfconsole:
2. Use the exploit module:
3. Set the basic options:
4. Run the exploit:
Confirm the exploit worked, then change the root password:
Try logging in using the root username and password:
- username: root
- pass: AS
So remember:
"Control the code, and you control the world." From wiping metadata to gaining root access, every step is documented, and my goal is to deeply understand the system, not just hack!
See You Soon
AS Cyber