
Exercise Results

How was Metasploitable exploited?


- Nmap was able to identify all open ports

- rlogin -l msfadmin was able to log in remotely because the “r” services have been misconfigured.

- rpcinfo -p was used to identify which services were running

- showmount -e was used to identify which drives were mounted.


- Using a vulnerability in an old FTP version, we were able to open a remote port that an attacker could connect to via
telnet. By ending the username with “:)” a malicious bug in the remote system caused the remote port tcp 6200
to open. Subsequently, we were able to telnet to this port and obtain root privileges.

- Metasploit was used to exploit a vulnerability in the UnrealIRCd daemon, giving us a root shell on the remote
system.

- Ingreslock is open, which has an inherent vulnerability giving root access to a user who telnets.

- We were able to use MSF to exploit the distccd service, giving us remote shell root access.
- We were able to use MSF to exploit a Samba vulnerability that allowed us to browse to the remote file system and
retrieve the password file.
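
For the FTP finding above, a defender can look for the same sequence in network telemetry: a USER command containing “:)” followed by a connection to tcp 6200 on the same host. The following is an added example, not part of the original exercise; the log format, sample events and 60-second window are constructed assumptions, and matching “:)” anywhere in the username is a deliberately broader rule than “ending with”.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical sensor format:
# <ISO time> <src ip> <dst ip> <dst port> <event> [detail]
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 10.0.0.20 21 FTP_CMD USER msfadmin
2024-05-01T10:00:09 10.0.0.7 10.0.0.20 21 FTP_CMD USER backup:)
2024-05-01T10:00:12 10.0.0.7 10.0.0.20 6200 TCP_CONNECT
2024-05-01T10:03:00 10.0.0.9 10.0.0.20 6200 TCP_CONNECT
2024-05-01T10:05:00 10.0.0.8 10.0.0.21 21 FTP_CMD USER guest:)
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)(?: (.*))?$")
BACKDOOR_PORT = 6200             # port named in the finding above
WINDOW = timedelta(seconds=60)   # correlation window (assumption)

def parse(log):
    """Yield (time, src, dst, port, event, detail) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ts, src, dst, port, event, detail = m.groups()
        yield datetime.fromisoformat(ts), src, dst, int(port), event, detail or ""

def detect(log):
    """Return alerts as (kind, src, dst, time); events must be in time order."""
    triggers = {}  # dst host -> time of the last suspicious USER command
    alerts = []
    for ts, src, dst, port, event, detail in parse(log):
        if event == "FTP_CMD" and port == 21 and detail.upper().startswith("USER "):
            if ":)" in detail[5:]:
                triggers[dst] = ts
                alerts.append(("trigger", src, dst, ts.isoformat()))
        elif event == "TCP_CONNECT" and port == BACKDOOR_PORT:
            seen = triggers.get(dst)
            # A 6200 connection soon after a trigger is the high-confidence case;
            # any other connection to 6200 is still reported, at lower severity.
            kind = "shell-after-trigger" if seen and ts - seen <= WINDOW else "port-6200-connect"
            alerts.append((kind, src, dst, ts.isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```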

Where did I run into difficulties?


- Needed to execute the following commands for rpcinfo -p to work:
  - apt-get install rpcbind
  - apt-get install nfs-common
- Wasn’t able to get root by moving a certificate to the authorized user’s folder.
  - It still requested the root password, which we do not have.

What other ways could it have been exploited?


- The user account passwords are very weak and could easily be brute forced.
- Vulnerable web applications:
  - Mutillidae and DVWA are both (by design) vulnerable web applications that could be attacked with injection
    attacks, XSS, packet sniffing (Wireshark), missing authentication, missing encryption, and all of the other
    OWASP Top 10.
