Skip to content

Vulnerabilities

Pearce Barry edited this page Mar 12, 2019 · 29 revisions

GlassFish

Ports

  • 4848 - HTTP
  • 8080 - HTTP
  • 8181 - HTTPS

Credentials

  • Username: admin
  • Password: sploit

Access

Start/Stop

  • Stop: Open task manager and kill the java.exe process running glassfish
  • Start: Go to Task Scheduler and find the corresponding task. Right-click and select Run.

Vulnerability IDs

  • CVE-2011-0807

Modules

  • exploits/multi/http/glassfish_deployer
  • auxiliary/scanner/http/glassfish_login

Apache Struts

Ports

  • 8282 - HTTP

Credentials

  • Apache Tomcat Web Application Manager
    • U: sploit
    • P: sploit

Access

Start/Stop

  • Stop: Open services.msc. Stop the Apache Tomcat 8.0 Tomcat8 service.
  • Start: Open services.msc. Start the Apache Tomcat 8.0 Tomcat8 service.

Vulnerability IDs

  • CVE-2016-3087

Modules

  • exploit/multi/http/struts_dmi_rest_exec

Tomcat

Ports

  • 8282 - HTTP

Credentials

  • U: sploit
  • P: sploit

Access

  • To access the Apache Tomcat Manager, point your browser on Metasploitable3 to http://localhost:8282. Login with the above credentials.

Start/Stop

  • Stop: Open services.msc. Stop the Apache Tomcat 8.0 Tomcat8 service.
  • Start: Open services.msc. Start the Apache Tomcat 8.0 Tomcat8 service.

Vulnerability IDs

  • CVE-2009-3843
  • CVE-2009-4189

Modules

  • auxiliary/scanner/http/tomcat_enum
  • auxiliary/scanner/http/tomcat_mgr_login
  • exploits/multi/http/tomcat_mgr_deploy
  • exploits/multi/http/tomcat_mgr_upload
  • post/windows/gather/enum_tomcat

Jenkins

Ports

  • 8484 - HTTP

Credentials

  • None enabled by default

Access

Start/Stop

  • Stop: Open services.msc. Stop the jenkins service.
  • Start: Open services.msc. Start the jenkins service.

Modules

  • exploits/multi/http/jenkins_script_console
  • auxiliary/scanner/http/jenkins_enum

IIS - FTP

Ports

  • 21 - FTP

Credentials

Windows credentials

Access

Any FTP client should work

Start/Stop

  • Stop: net stop msftpsvc
  • Start: net start msftpsvc

Modules

  • auxiliary/scanner/ftp/ftp_login

IIS - HTTP

Ports

  • 80 - HTTP

Credentials

  • U: vagrant
  • P: vagrant

Access

Start/Stop

  • Stop: Open services.msc. Stop the World Wide Web Publishing service.
  • Start: Open services.msc. Start the World Wide Web Publishing service.

Vulnerability IDs

  • CVE-2015-1635

Modules

  • auxiliary/dos/http/ms15_034_ulonglongadd

psexec

Ports

  • 445 - SMB
  • 139 - NetBIOS

Credentials

  • Any credentials valid for Metasploitable3 should work. See the list here

Access

  • Use the psexec tool to run commands remotely on the target.

Start/Stop

  • Enabled by default

Vulnerabilities

  • Multiple users with weak passwords exist on the target. Those passwords can be easily cracked and used to run remote code using psexec.

Modules

  • exploits/windows/smb/psexec
  • exploits/windows/smb/psexec_psh

SSH

Ports

  • 22 - SSH

Credentials

  • Any credentials valid for Metasploitable3 should work. See the list here

Access

  • Use an SSH client to connect and run commands remotely on the target.

Start/Stop

  • Enabled by default

Vulnerabilities

  • Multiple users with weak passwords exist on the target. Those passwords can be easily cracked. Once a session is opened, remote code can be executed using SSH.

Modules

WinRM

Ports

  • 5985 - HTTPS

Credentials

  • Any credentials valid for Metasploitable3 should work. See the list here

Access

Start/Stop

  • Stop: Open services.msc. Stop the Windows Remote Management service.
  • Start: Open services.msc. Start the Windows Remote Management service.

Vulnerabilities

  • Multiple users with weak passwords exist on the target. Those passwords can be easily cracked and WinRM can be used to run remote code on the target.

Modules

  • auxiliary/scanner/winrm/winrm_cmd
  • auxiliary/scanner/winrm/winrm_wql
  • auxiliary/scanner/winrm/winrm_login
  • auxiliary/scanner/winrm/winrm_auth_methods
  • exploits/windows/winrm/winrm_script_exec

chinese caidao

Ports

  • 80 - HTTP

Credentials

  • Any credentials valid for Metasploitable3 should work. See the list here

Access

Start/Stop

  • Stop: Open services.msc. Stop the World Wide Web Publishing service.
  • Start: Open services.msc. Start the World Wide Web Publishing service.

Modules

  • auxiliary/scanner/http/caidao_bruteforce_login

ManageEngine

Ports

8020 - HTTP

Credentials

Username: admin Password: admin

Access

On Metasploitable3, point your browser to http://localhost:8020. Login with the above credentials.

Start/Stop

  • Stop: In command prompt, do net stop ManageEngine Desktop Central Server
  • Start: In command prompt, do net start ManageEngine Desktop Central Server

Vulnerability IDs

  • CVE-2015-8249

Modules

  • exploit/windows/http/manageengine_connectionid_write

ElasticSearch

Ports

9200 - HTTP

Credentials

No credentials needed

Access

On Metasploitable3, point your browser to http://localhost:9200.

Start/Stop

  • Stop: In command prompt, do net stop elasticsearch-service-x64
  • Start: In command prompt, do net start elasticsearch-service-x64

Vulnerability IDs

  • CVE-2014-3120

Modules

  • exploit/multi/elasticsearch/script_mvel_rce

Apache Axis2

Ports

8282 - HTTP

Credentials

No credentials needed

Access

On Metasploitable3, point your browser to http://localhost:8282/axis2.

Start/Stop

Log into Apache Tomcat, and start or stop from the application manager.

Vulnerability IDs

  • CVE-2010-0219

Modules

  • exploit/multi/http/axis2_deployer

WebDAV

Ports

8585 - HTTP

Credentials

No credentials needed

Access

See the PR here: https://github.com/rapid7/metasploitable3/pull/16

Start/Stop

  • Stop: In command prompt, do net stop wampapache
  • Start: In command prompt, do net start wampapache

Modules

SNMP

Ports

161 - UDP

Credentials

Community String: public

Access

Load the auxiliary/scanner/snmp/snmp_enum module in Metasploit and to parse the SNMP data.

Start/Stop

  • Stop: In command prompt, do net stop snmp
  • Start: In command prompt, do net start snmp

Modules

  • auxiliary/scanner/snmp/snmp_enum

MySQL

Ports

3306 - TCP

Credentials

U: root P:

Access

Use the mysql client to connect to port 3306 on Metasploitable3.

Start/Stop

  • Stop: In command prompt, do net stop wampmysql
  • Start: In command prompt, do net start wampmysql

Modules

  • windows/mysql/mysql_payload

JMX

Ports

1617 - TCP

Credentials

No credentials needed

Access

Download the connector client and use the instructions found here: http://docs.oracle.com/javase/tutorial/jmx/remote/index.html

Start/Stop

  • Stop: In command prompt, do net stop jmx
  • Start: In command prompt, do net start jmx

Vulnerability IDs

  • CVE-2015-2342

Modules

  • multi/misc/java_jmx_server

Wordpress

Ports

8585 - HTTP

Credentials

No credentials needed

Access

On Metasploitable3, point your browser to http://localhost:8585/wordpress.

Start/Stop

  • Stop: In command prompt, do net stop wampapache
  • Start: In command prompt, do net start wampapache

Vulnerable Plugins

  • NinjaForms 2.9.42 - CVE-2016-1209

Modules

  • unix/webapp/wp_ninja_forms_unauthenticated_file_upload

Remote Desktop

Ports

3389 - RDP

Credentials

Any Windows credentials

Access

Use a remote desktop client. Either your OS already has one, or download a 3rd party.

Start/Stop

  • Stop: net stop rdesktop
  • Start: net start rdesktop

Modules

N/A

PHPMyAdmin

Ports

8585 - HTTP

Credentials

U: root P:

Access

On Metasploitable3, point your browser to http://localhost:8585/phpmyadmin.

Start/Stop

  • Stop: In command prompt, do net stop wampapache
  • Start: In command prompt, do net start wampapache

Vulnerability IDs

  • CVE-2013-3238

Modules

  • multi/http/phpmyadmin_preg_replace

Ruby on Rails

Ports

  • 3000- HTTP

Credentials

N/A

Access

Start/Stop

  • Stop: Open task manager and kill the ruby.exe process
  • Start: Go to Task Scheduler and find the corresponding task. Right-click and select Run.

Vulnerability IDs

  • CVE-2015-3224

Modules

  • exploit/multi/http/rails_web_console_v2_code_exec
Clone this wiki locally