Table of Contents



  • Network Scan
  • Exploiting Port 21 FTP (Hydra)
  • Exploiting VSFTPD 2.3.4
  • Exploiting Port 22 SSH
  • Bruteforce Port 22 SSH (RSA Method)
  • Exploiting port 23 TELNET (Credential Capture)
  • Exploiting TELNET (Bruteforce)
  • Port 25 SMTP User Enumeration
  • Exploiting Port 80 (PHP)
  • Exploiting Port 139 & 445 (Samba)
  • Exploiting Port 8080 (Java)
  • Exploiting Port 5432 (Postgres)
  • Exploiting Port 6667 (UnrealIRCD)
  • Exploiting Port 36255
  • Remote Login Exploitation
  • Remote Shell Exploitation
  • Exploiting Port 8787
  • Bindshell
  • Exploiting Port 5900 (VNC)
  • Access Port 2121 (ProFTPD)
  • Exploiting Port 8180 (Apache Tomcat)
  • Privilege Escalation via NFS
  • Exploiting Port 3306 (MYSQL)
Network Scan

 nmap -p- -sV 192.168.80.132
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-21 04:49 EDT
Nmap scan report for 192.168.80.132
Host is up (0.0056s latency).
Not shown: 65505 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
53/tcp    open  domain      ISC BIND 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login       OpenBSD or Solaris rlogind
514/tcp   open  tcpwrapped
1099/tcp  open  java-rmi    GNU Classpath grmiregistry
1524/tcp  open  bindshell   Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open  vnc         VNC (protocol 3.3)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         UnrealIRCd
6697/tcp  open  irc         UnrealIRCd
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
37343/tcp open  java-rmi    GNU Classpath grmiregistry
38664/tcp open  nlockmgr    1-4 (RPC #100021)
51382/tcp open  status      1 (RPC #100024)
60637/tcp open  mountd      1-3 (RPC #100005)
MAC Address: 00:0C:29:0E:73:E6 (VMware)
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 140.21 seconds



Exploiting Port 21: FTP

With all ports and services now listed, let’s start with port 21, which is running FTP. We will use Hydra for this, with two wordlists containing default login names and passwords.

Hydra shows us that we have 4 valid login IDs and passwords.
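
Seen from the FTP server's side, this kind of wordlist guessing shows up as a burst of failed logins from one client, often followed by a success. The added example below (not part of the original walkthrough) flags that pattern. It assumes vsftpd is writing its native log format (xferlog_std_format=NO); the log lines, client addresses, usernames and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: addresses, usernames and pids are invented for this example.
_GUESSES = ["admin", "root", "ftp", "test", "guest", "backup"]
SAMPLE_LOG = "\n".join(
    [f'Mon Aug 21 05:02:{10 + i:02d} 2023 [pid 4100] [{u}] FAIL LOGIN: Client "192.0.2.10"'
     for i, u in enumerate(_GUESSES)]
    + ['Mon Aug 21 05:02:17 2023 [pid 4100] [backup] OK LOGIN: Client "192.0.2.10"',
       'Mon Aug 21 05:10:01 2023 [pid 4200] [alice] FAIL LOGIN: Client "192.0.2.77"',
       'Mon Aug 21 05:10:09 2023 [pid 4200] [alice] OK LOGIN: Client "192.0.2.77"'])

# Matches vsftpd login result lines; CONNECT and transfer lines are ignored.
LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def detect_guessing(log_text, window=timedelta(seconds=60), max_fails=5):
    """Flag clients with >= max_fails failed logins inside a sliding window.

    Returns {client_ip: {"failed", "users_tried", "compromised"}} where
    "compromised" lists accounts that logged in OK from that client after
    the flagged burst began (candidates for immediate password reset).
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            events[m["ip"]].append((ts, m["user"], m["result"]))
    findings = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [(t, u) for t, u, r in evs if r == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Shrink the window until it spans at most `window` of time.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= max_fails:
                burst_start = fails[start][0]
                findings[ip] = {
                    "failed": len(fails),
                    "users_tried": sorted({u for _, u in fails}),
                    "compromised": sorted({u for t, u, r in evs
                                           if r == "OK" and t >= burst_start}),
                }
                break
    return findings

if __name__ == "__main__":
    print(detect_guessing(SAMPLE_LOG))
```

The single mistyped password from 192.0.2.77 stays below the threshold, so only the client cycling through usernames is reported.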