My workspace on exploiting metasploitable3. Contains:
- Simple custom exploit for ProFTPd 1.3.5
- Payroll_app source code extracted with the exploit
- nmap scan result
- Some sample sql injection
- Writeup (the rest of this readme is the writeup).
- Vagrant file for starting the VM
I'm sure there are many more but here is mine:
- Scan the machine and find that is running a vulnerable service, ProFTPd 1.3.5. Also, it is quite apparent that this is a LAMP setup
- Create an exploit for the vulnerablilty. Easily done by reading about it.
- Get some files, info about the system, users available...
- Then you can explore the websites available. Payroll app seems particularly insecure. The chat also does.
- Use the exploit for ProFTPd to get the php code of the app. It is in /var/www/html/payroll_app/index.php
- You can see the credentials for accessing the DB in the source code of the app: user root and pass sploitme. Also we can see that the thing is vulnerable to the most basic sql injection, but there is no need to use it since we have the admin creds.
- It is not possible to connect with a mysql client from your local machine because MySql is only accepting request from localhost, but we can use the phpmyadmin webservice available in port 80 to bypass this limitation, because the queries are done from localhost.
- You can see a table called users in the payroll app, the credentials are in plain text.
- This credentials happen to be usefull to login through ssh. After checking some users, the leia user happens to belong to the sudo group. So just do sudo su and you will have root access.
- Update ProFTPd
- Phpmyadmin shouldn't be accessible by the end user
- Payroll app is vulnerable to SQL injection
- User passwords are stored in plain text