Replace <IP-Address> with the target’s IP address.
The username is “-l admin”. Replace the username as necessary, and if you’re using a user list, change the parameter to “-L /path/to/userlist.txt”.
Change the PHPSESSID to one you capture with Wireshark, Burp, ZAP, etc. when you manually enter a login/password.
Notice that while the request URL is typically “/dvwa/vulnerabilities/brute/?username=user&password=pass&Login=Login”, in hydra you need to specify “index.php” between “/brute/” and the “?”, and replace the “?” with “:”.
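A defender-side view of the same request, as an added example that is not part of the original page: it scans Apache combined-format access logs for logins against the DVWA brute path (with or without the “index.php” that hydra needs) and flags clients that try many distinct passwords in a short window. The log lines, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

BRUTE_PATH = "/dvwa/vulnerabilities/brute/"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" \d{3} ')

def parse_attempt(line):
    """Return (ip, time, username, password) for a login attempt, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, target = m.groups()
    url = urlsplit(target)
    # Hydra's form string names index.php explicitly; browsers usually omit it.
    if url.path not in (BRUTE_PATH, BRUTE_PATH + "index.php"):
        return None
    qs = parse_qs(url.query, keep_blank_values=True)
    if not all(k in qs for k in ("username", "password", "Login")):
        return None
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    # The form uses GET, so every guessed password is stored in the access log.
    return ip, when, qs["username"][0], qs["password"][0]

def find_bruteforce(lines, max_attempts=10, window=timedelta(seconds=60)):
    """Map each flagged IP to the most distinct passwords seen in one window."""
    recent = defaultdict(deque)  # ip -> (time, password) pairs inside the window
    flagged = {}
    for line in lines:
        hit = parse_attempt(line)
        if hit is None:
            continue
        ip, when, _user, password = hit
        q = recent[ip]
        q.append((when, password))
        while when - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > max_attempts:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

def sample_log():
    """Constructed log: one client guessing fast, one user who mistyped."""
    fmt = ('{ip} - - [12/Mar/2024:10:00:{s:02d} +0000] "GET {p}?username=admin'
           '&password={pw}&Login=Login HTTP/1.1" 200 4500 "-" "-"')
    lines = [fmt.format(ip="192.0.2.10", s=i, p=BRUTE_PATH + "index.php", pw=f"guess{i}") for i in range(30)]
    lines += [fmt.format(ip="192.0.2.77", s=5 * i, p=BRUTE_PATH, pw=pw) for i, pw in enumerate(["hunter2", "hunter3", "hunter3"])]
    return lines
```

Calling `find_bruteforce(sample_log())` flags only the fast-guessing client; the user with two mistyped passwords stays under the threshold.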
A command execution vulnerability affects Samba versions 3.0.20 through 3.0.25rc3 when the non-default “username map script” option is in use: by supplying shell metacharacters, attackers can execute arbitrary commands. No authentication is required to exploit this vulnerability!
Note: I had to run this exploit multiple times before it found the right key. I found a blog post that gave Metasploitable2’s root key that worked. That key was in the key directory and it works to log in, but the exploit wasn’t finding it. After some searching I read a blog post about pwnos by g0tM1lk that says sometimes it fails to find the key.
After running this exploit for the third time, it finally finds the key and prints the command to run to ssh to Metasploitable2 as root without a password.