[00:00:00] Instructor: Welcome to another attack that we will perform on our Metasploitable machine, and this one is aimed at telnet. Keep in mind that this vulnerability is only possible due to information disclosure, and you will see by the end of this video why. So I've got my scan right here, and we can see that telnet is running on port 23. If we check out the version, it says Linux telnetd. That doesn't seem to give us that much information about the actual version. If we just copy this version right here, open another terminal, we could do the same thing that we did with the FTP version. So we could type searchsploit and then paste the version name. And it seems that we get two different results, and from looking at them, they don't seem to be useful for us. The first one says netkit-telnet 0.17, and it says in brackets that it's for Fedora 31. And the second one doesn't seem to be something we are looking for either. We can't get the exact version of telnet. So what are we going to do? Well, we know that telnet requires a username and password in order to log in.

[00:01:24] So let's maybe try the default credentials. To try them and to connect to the telnet port on some machine, we can type in our terminal (let's first clear the screen) telnet and then the IP address of the machine that we want to connect to. In my case, 192.168.1.5. And I press enter here. Do you see it? Not only do we get the banner for telnet, but we also get some additional information that shouldn't be here. We get this statement that says "log in with msfadmin/msfadmin". And if you remember, this banner and these things are exactly the same as the banner that we get once we log in to Metasploitable, as you can see right here. These two are exactly the same. They just hosted the same banner on the open telnet port as well. So if they already gave us the username and password, let's use them. Let's see whether it will work on telnet. If I type msfadmin and msfadmin as the password... Here we are. Once again, we are on the Metasploitable machine.

[00:02:43] Just this time you will notice that we are not the root account, so if you type whoami, we are msfadmin. We are not the root account, and this is something that we can easily bypass. If I type the command sudo su, it'll ask me for the password for msfadmin. And we already know it from the banner: it is also msfadmin. I type it in, press enter. And now we are the root account, as we can see right here. And also if I type whoami, it'll tell me we are the root account. Now I know what you're thinking. This is too easy. Something like this will never happen in real life, and you are correct. These types of vulnerabilities will rarely happen. However, we are slowly progressing to higher and higher vulnerabilities. The last two were just misconfigurations and information disclosure, while the first FTP vulnerability had vulnerable software running.

[00:03:46] After we finish showing a few more vulnerabilities for the Metasploitable machine, we're going to go on to the Windows machines, and you will see that we will manage to exploit them without them having any additional software like Metasploitable does. So things are soon about to get even more interesting. See you in the next video.