{"id":4286,"date":"2012-06-28T21:39:23","date_gmt":"2012-06-29T00:39:23","guid":{"rendered":"http:\/\/www.ethicalhacker.com.br\/site\/?p=4286"},"modified":"2019-07-18T12:34:26","modified_gmt":"2019-07-18T15:34:26","slug":"metasploitable-maquina-virtual-para-pentest","status":"publish","type":"post","link":"https:\/\/www.ethicalhacker.com.br\/site\/2012\/06\/exploits\/metasploitable-maquina-virtual-para-pentest\/","title":{"rendered":"Metasploitable M\u00e1quina Virtual para Pentest"},"content":{"rendered":"

A m\u00e1quina virtual Metasploitable \u00e9 equipada com sistema LINUX Ubuntu e possui v\u00e1rias \u201cbrechas\u201d e servi\u00e7os vulner\u00e1veis para execu\u00e7\u00e3o de pentest.<\/p>\n

Voc\u00ea pode baixar a m\u00e1quina no endere\u00e7o : http:\/\/updates.metasploit.com\/data\/Metasploitable.zip.torrent<\/a> e execut\u00e1-la em uma Virtual Box ou VMPlayer.<\/p>\n

\"\"<\/a><\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

Abaixo as configura\u00e7\u00f5es:
\nSystem credentials:
\n——————-
\nmsfadmin:msfadmin
\nuser:user
\nservice:service
\npostgres:postgres
\n(2 other system accounts)<\/p>\n

Discovery:
\n————-
\nftp 21\/tcp 220 ProFTPD 1.3.1 Server (Debian) [::ffff:127.0.0.1]
\nssh 22\/tcp SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
\ntelnet 23\/tcp Ubuntu 8.04\\x0avulnerability login:
\nsmtp 25\/tcp 220 ubuntu804-base.localdomain ESMTP Postfix (Ubuntu)
\ndns 53\/tcp ISC BIND 9.4.2
\ndns 53\/udp ISC BIND 9.4.2
\nhttp 80\/tcp Apache\/2.2.8 (Ubuntu) PHP\/5.2.4-2ubuntu5.10 with Suhosin-Patch
\nnetbios 137\/udp VULNERABILITY::U :VULNERABILITY::U :VULNERABILITY::U :MSFVULN::G :MSFVULN::G :00:00:00:00:00:00
\nsmb 139\/tcp
\nsmb 445\/tcp Unix Samba 3.0.20-Debian (language: Unknown) (domain:MSFVULN)
\nmysql 3306\/tcp 5.0.51a-3ubuntu5
\ndistccd 3632\/tcp
\npostgres 5432\/tcp 8.3.8
\nhttp 8180\/tcp Apache-Coyote\/1.1 (Tomcat 5.5)<\/p>\n

Bruteforce:
\n———–
\nsmb Anonymous
\nssh 6 sessions
\ntelnet 6 sessions
\nbind n\/a
\napache 2 web apps (twiki and tikiwik)
\npostgres db compromise (postgres:postgres)
\nmysql db compromise (root:root)
\ntomcat 5.5 shelled (tomcat:tomcat)<\/p>\n

Exploits:
\n———
\ndistcc Excellent 1 session on all ranking levels
\ntomcat_mgr_deploy Excellent requires credentials
\ntikiwiki_graph_formula Excellent 1 session on all ranking levels
\ntwiki Excellent information disclosure
\nmysql_yassl_getname Good triggers crash, but not working<\/p>\n

TODO:
\n—–
\nswitch to a vulnerable version of sendmail
\nconfigure proftpd with vulnerabilities (sql injection? others? downgrade?)<\/p>\n

Expected sessions:
\n——————
\nFrom Bruteforce:
\n6 ssh, 6 telnet, 1 tomcat
\nFrom Exploit:
\n1 distcc and 1 tikiwiki_graph_formula<\/p>\n\r\n\t\t

\r\n\t\t\t
\r\n\t\t\t\t
\r\n\t\t\t\r\n\t\t\t
<\/div>\r\n\t\t<\/div> \r\n\t\t
\r\n\t\t\t

Autor:\u00a0S\u00edlvio C\u00e9sar Roxo Giavaroto<\/strong><\/p>\n

\u00c9 MBA Especialista em Gest\u00e3o de Seguran\u00e7a da Informa\u00e7\u00e3o,\nTecn\u00f3logo em Redes de Computadores, C|EH Certified Ethical Hacker,\natua como Pentest e Analista de Seguran\u00e7a em Servidores Linux no\nGoverno do Estado de S\u00e3o Paulo, Professor Universit\u00e1rio , \u00a0Instrutor\nC|EH e C|HFI.<\/p>\n

\u00a0<\/em>\r\n\t\t<\/div> <\/p>\r\n\t\t\t<\/div> \r\n\t\t<\/div> \n","protected":false},"excerpt":{"rendered":"

A m\u00e1quina virtual Metasploitable \u00e9 equipada com sistema LINUX Ubuntu e possui v\u00e1rias \u201cbrechas\u201d e servi\u00e7os vulner\u00e1veis para execu\u00e7\u00e3o de pentest. Voc\u00ea pode baixar a m\u00e1quina no endere\u00e7o : http:\/\/updates.metasploit.com\/data\/Metasploitable.zip.torrent e execut\u00e1-la em uma Virtual Box ou VMPlayer.             Abaixo as configura\u00e7\u00f5es: System credentials: ——————- msfadmin:msfadmin user:user service:service postgres:postgres (2 […]<\/p>\n","protected":false},"author":1,"featured_media":4083,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-4286","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-exploits"],"_links":{"self":[{"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/posts\/4286","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/comments?post=4286"}],"version-history":[{"count":14,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/posts\/4286\/revisions"}],"predecessor-version":[{"id":10574,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/posts\/4286\/revisions\/10574"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/media\/4083"}],"wp:attachment":[{"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/media?parent=4286"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/categories?post=4286"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/tags?post=4286"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}