Sunday, January 1, 2012

[Learning] Metasploitable - Tikiwiki

"Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql." -- metasploit team

Backtrack 5 R2

Vulnerabilities & exploits:
1, TikiWiki 1.9.5 Sirius (sort_mode) Information Disclosure Vulnerability
2, TikiWiki tiki-graph_formula Remote PHP Code Execution
3, Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit

Attacking process:
1, discover the vulnerable services:
use Nmap to probe the open ports and the services running on them
nmap -sS -sV -O -v

found the following services:
[1] HTTP service running on port 80
[2] MySQL service running on port 3306
[3] Debian OpenSSH running on port 22

use DirBuster to discover hidden directories
java -jar DirBuster-0.12.jar -u

found the following directory:
[1] tikiwiki (
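
The DirBuster step above is noisy from the server's point of view: a directory brute-force produces a burst of 404 responses from a single client in a short window, and the tool's default User-Agent identifies it unless the operator changes it. The following added example (not part of the original post, and not a Metasploit or Metasploitable component) runs that detection logic over a constructed set of Apache combined-format access log lines. The IP addresses, timestamps and paths are made up; the `DirBuster-0.12 (...)` User-Agent string is assumed to be the tool's default and is matched only on the substring `DirBuster`, while the 404-burst heuristic is the primary signal because a User-Agent is trivially changed. The window and threshold values are illustrative defaults, not tuned figures.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_enumeration(lines, window_seconds=60, not_found_threshold=20,
                       tool_markers=("DirBuster",)):
    """Flag client IPs that either produce >= not_found_threshold 404s inside a sliding
    window of window_seconds, or present a User-Agent containing a known tool marker.
    Returns {ip: {"not_found_burst": bool, "tool_agent": bool, "peak_404": int}} for
    flagged IPs only."""
    recent_404 = defaultdict(deque)  # ip -> timestamps of 404s still inside the window
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a production collector would count these
        ip = rec["ip"]
        f = findings.setdefault(ip, {"not_found_burst": False, "tool_agent": False, "peak_404": 0})
        if any(marker.lower() in rec["ua"].lower() for marker in tool_markers):
            f["tool_agent"] = True
        if rec["status"] == 404:
            q = recent_404[ip]
            q.append(rec["ts"])
            # Drop timestamps that have fallen out of the sliding window.
            while (rec["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            f["peak_404"] = max(f["peak_404"], len(q))
            if len(q) >= not_found_threshold:
                f["not_found_burst"] = True
    return {ip: f for ip, f in findings.items() if f["not_found_burst"] or f["tool_agent"]}


def make_line(ip, second, path, status, ua="Mozilla/5.0"):
    """Build one constructed combined-format line (sample data, not a real capture)."""
    ts = datetime(2012, 1, 1, 10, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=second)
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"GET {path} HTTP/1.1" {status} 294 "-" "{ua}"')


# Constructed sample: one normal visitor, one client announcing itself as DirBuster
# with a single miss, and one client guessing 25 paths in 25 seconds with a plain UA.
SAMPLE_LOG = (
    [make_line("10.0.0.5", 0, "/tikiwiki/", 200),
     make_line("10.0.0.5", 30, "/tikiwiki/tiki-index.php", 200),
     make_line("10.0.0.7", 5, "/backup/", 404,
               ua="DirBuster-0.12 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)")]
    + [make_line("10.0.0.9", i, f"/guess{i}/", 404) for i in range(25)]
)

if __name__ == "__main__":
    for ip, f in detect_enumeration(SAMPLE_LOG).items():
        print(ip, f)
```

On the sample set the plain-UA client 10.0.0.9 is flagged by the 404 burst alone, 10.0.0.7 only by its User-Agent, and the normal visitor is not reported. Feeding real `access.log` lines works as long as the server uses the combined format; adjust `LOG_RE` for other formats.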

2, exploit the vulnerable services:
[1] exploit the tikiwiki service to get critical database information (DB user, DB password, DB name and DB type)
[2] exploit the tikiwiki service to get www-data privileges and grep SSH key file information
[3] exploit the Debian OpenSSH service to get into the victim server with root privileges

[1] Metasploitable download link
[2] Tutorial on g0tmi1k's Blog
[3] Metasploitable official website
