Pentesting Vulnerabilities in Metasploitable (part 2)

In this article we continue to demonstrate discovering & exploiting some of the intentional vulnerabilities within a Metasploitable penetration testing target.

In Part 1 of this article we covered some examples of Service vulnerabilities, Server backdoors, and Web Application vulnerabilities. Here in Part 2 we are going to continue looking at vulnerabilities in other Web Applications within the intentionally vulnerable Metasploitable Virtual Machine (VM).

Our Pentesting Lab will consist of Kali Linux as the attacker and Metasploitable 2 as the target. Both operating systems will be running as VMs within VirtualBox. Please check out the Pentesting Lab section within our Part 1 article for further details on the setup.

Damn Vulnerable Web App

DVWA is a PHP application backed by a MySQL database; the default login credentials are admin/password. Below is the homepage served from the web server on Metasploitable and accessed via Firefox on Kali Linux:

DVWA homepage after logging in as ‘admin’. Security Level is ‘high’ and PHPIDS is ‘disabled’.

DVWA features

Features of DVWA v1.0.7 accessible from the menu include:

  • Instructions – covers Licensing, Installation, Database Setup & Troubleshooting.
  • Setup – enables the Setup or Reset of the MySQL database.
  • Vulnerabilities:
    • Brute Force
    • Command Execution
    • CSRF (Cross-Site Request Forgery)
    • File Inclusion
    • SQL Injection
    • SQL Injection (Blind)
    • Upload
    • XSS reflected*
    • XSS stored*
  • DVWA Security:
    • Security Level (low, medium or high)
    • PHPIDS (PHP-Intrusion Detection System enable/disable)
  • PHP Info – Information about the PHP settings.
  • About – Links to further information about DVWA and credits.

* Cross-Site Scripting

A ‘More Info’ section is included on each of the vulnerability pages which contains links to additional resources about the vulnerability. Sources referenced include OWASP (Open Web Application Security Project) amongst others. For hints & tips on exploiting the vulnerabilities there are also ‘View Source’ and ‘View Help’ buttons.

Command Execution vulnerability

The purpose of a Command Injection attack is to execute commands of the attacker's choosing on the target system. No separate login is needed: the injected commands run with the privileges of the application that spawns the shell, which for DVWA means the web server account (www-data for Apache on Metasploitable 2).

Command Execution vulnerability screen with pop-up Source viewer.

On Linux a shell runs several commands one after another when they are separated with ‘;’ (the ‘&&’, ‘||’, ‘|’ and ‘&’ operators chain commands in the same way), so anything appended to the ping target is executed too:

Results after submitting multiple commands via the Ping Form.

These results are obtained using the following string in the form field, with the DVWA Security Level set to ‘low’ (the medium and high levels of v1.0.7 strip ‘;’ and other shell metacharacters from the input before it reaches the shell):

127.0.0.1; ls -la; uname -r > uname.txt; ls -lta; cat uname.txt

The above string breaks down into these commands being executed:

  • Ping 127.0.0.1 three times (DVWA prepends ‘ping -c 3’ to whatever is submitted).
  • Long-list the files, with attributes, in the web application’s current directory.
  • Redirect the output of ‘uname -r’ into a new file ‘uname.txt’ in that directory.
  • List the files again, newest first, showing the newly created file.
  • Display the contents of the newly created file.

The above demonstrates that an attacker who controls this single form field can run arbitrary commands and write files on the server with the web server’s privileges.
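To make the breakdown above concrete, here is an added Python model of the form’s logic (example code written for this article, not DVWA’s PHP source). vulnerable_ping_command() concatenates the submitted value onto ‘ping -c 3 ’ as DVWA does before the string is handed to a shell; shell_commands() splits the resulting line the way the shell does, so the five separate commands are visible; is_valid_target() and safe_ping_argv() show the fix, an allowlist of IP addresses and plain hostnames plus an argv list passed to the process without a shell. The splitter also handles ‘&&’, ‘||’, ‘|’ and ‘&’, which goes beyond the ‘;’ case shown above; the helper names, the hostname rule and the sample payload (copied from the form input above) are this example’s own.

```python
"""Model of the DVWA 'ping' form: how injected input becomes extra shell
commands, and an allowlist-validated replacement.

Added example for this article; it is not DVWA's PHP source.  The command
template mirrors what DVWA builds ('ping -c 3 <input>'); the helper names
and the target-validation rules are this example's own.
"""
from __future__ import annotations

import ipaddress
import re
import shlex

PING_TEMPLATE = "ping -c 3 "

# The form input from the article, constructed here as sample data.
PAYLOAD = "127.0.0.1; ls -la; uname -r > uname.txt; ls -lta; cat uname.txt"

# Tokens that end one shell command and start another.
SEPARATORS = {";", "&", "&&", "|", "||"}

# Hostname allowlist: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with '-' (a leading '-' would be read by
# ping as an option, which is argument injection even without a shell).
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_ping_command(user_input: str) -> str:
    """String concatenation as DVWA does it.  The result is given to a shell
    (shell_exec in PHP), so metacharacters in user_input are live."""
    return PING_TEMPLATE + user_input


def shell_commands(cmdline: str) -> list[list[str]]:
    """Split a command line the way /bin/sh would: one argv list per
    command, breaking at ;  &  &&  |  ||.  Quoting is honoured; command
    substitution ($(...) and backticks) is not modelled here."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.commenters = ""  # '#' inside form input is not a comment
    commands: list[list[str]] = []
    current: list[str] = []
    for token in lex:
        if token in SEPARATORS:
            if current:
                commands.append(current)
                current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def is_valid_target(target: str) -> bool:
    """Allowlist check: an IPv4/IPv6 address or a plain DNS hostname.
    Spaces, ';', '|', quotes and a leading '-' all fail this test."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return len(target) <= 253 and HOSTNAME_RE.fullmatch(target) is not None


def safe_ping_argv(target: str) -> list[str]:
    """Return an argv list for subprocess.run(argv) with no shell involved.
    Raises ValueError for input that fails the allowlist."""
    if not is_valid_target(target):
        raise ValueError(f"rejected ping target: {target!r}")
    return ["ping", "-c", "3", target]


if __name__ == "__main__":
    injected = vulnerable_ping_command(PAYLOAD)
    print("shell receives:", injected)
    for argv in shell_commands(injected):
        print("  runs:", argv)
    print("hardened:", safe_ping_argv("127.0.0.1"))
    try:
        safe_ping_argv(PAYLOAD)
    except ValueError as exc:
        print("hardened:", exc)
```

Running the block prints the five argv lists that match the bullet list above, then shows the hardened path accepting 127.0.0.1 and rejecting the payload. The order of the two defences matters: validating against an allowlist first stops both shell metacharacters and option-like values such as ‘-c 100000’, and passing an argv list (never shell=True) means that even a validation gap cannot reach a shell.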

Metasploit Framework vs TWiki

In this demonstration we are going to use the Metasploit Framework (MSF) on Kali Linux against the TWiki web app on Metasploitable.

The TWiki project describes it as a flexible, powerful, secure, yet simple web-based collaboration platform: use TWiki to run a project development space, a document management system, a knowledge base or any other groupware tool, either on an intranet or on the Internet. Any TWiki page can be edited.

Initializing Metasploit

First let’s start MSF so that it can initialize:

MSF starting & creating the databases plus creating a database user, configuration file & schema.

By searching the Rapid7 Vulnerability & Exploit Database we located the following TWiki exploit module:

  • Name: TWiki History TWikiUsers rev Parameter Command Execution
  • Disclosed: Sep 14, 2005
  • Created: May 30, 2018
  • Description: This module exploits a vulnerability in the history component of TWiki. By passing a ‘rev’ parameter containing shell metacharacters to the TWikiUsers script, an attacker can execute arbitrary OS commands.

Alternatively the command ‘search <search string>’ (for example ‘search twiki’) can be used at the MSF Console prompt.

Attempting to exploit TWiki

Under the Module Options section of the above exploit’s page the following commands are listed to run it:

msf > use exploit/unix/webapp/twiki_history
msf exploit(twiki_history) > show targets
msf exploit(twiki_history) > set TARGET < target-id >
msf exploit(twiki_history) > show options and set options...
msf exploit(twiki_history) > exploit

Note: The ‘show targets’ & ‘set TARGET’ steps are not necessary as 0 is the default. The one option that does have to be set is RHOSTS, the IP address of the Metasploitable VM; the remaining options keep their defaults for a stock Metasploitable 2 install.

Our first attempt failed to create a session:

TWiki History Exploit fails to create a session with Metasploit v6.0.15-dev.

The following commands to update Metasploit to v6.0.22-dev were tried to see if they would resolve the issue:

sudo apt update

sudo apt install metasploit-framework

Fixing Metasploit (?)

Unfortunately the same problem occurred after the version upgrade. Suspecting that the Metasploit database needed to be re-initialized, a remove and reinstall of the package was attempted next. (Note that ‘apt remove’ keeps configuration files and does not touch the PostgreSQL data, so ‘msfdb reinit’ is the more direct way to rebuild the database if that is the suspected cause.)

sudo apt remove metasploit-framework

sudo apt install metasploit-framework

Retesting the TWiki Exploit

Following the reinstall the exploit was run again with the same settings:

Loading the TWiki History Exploit after reinstall and successfully generating a Session.

This seemed to be a partial success: a Command Shell session was created and could be entered with ‘sessions 1’ (equivalent to ‘sessions -i 1’). An error was still printed, but it did not prevent commands from running on the server, including the ‘ls -la’ above and more:

Running more commands via the exploit; ‘pwd’ to show the current directory, ‘cd ../..’ to move up 2 directory levels, ‘ls -la’ to long list directory contents and ‘uname -r’ to show the kernel version.

Whilst we can consider this a success, repeating the exploit a few more times brought the original error back. In the online forums some people attribute this to a problem in Metasploit 6 that Metasploit 5 does not have; more investigation would be needed to confirm that and resolve it.

Have you used Metasploitable to practice Penetration Testing? Do you have any feedback on the above examples or a resolution to our TWiki History problem? If so please share your comments below.
