Metasploitable 2 Walkthrough: Part IV

Exploiting Port 80 - PHP

Navigating to the root of the web server, you will see some vulnerable web applications, along with the msfadmin account details which you got earlier with Telnet.

The Mutillidae and DVWA web applications are outside the scope of this post, because it is mostly focused on host-based exploitation. However, you can easily exploit the other web applications to get a shell.

Port 80 banner

Exploiting PHP using Metasploit

You know port 80 is open, so you type the IP address of Metasploitable 2 into your browser and notice that it is running PHP. If you dig a little further you will find which version of PHP is running, and also that it is being run as a CGI.

PHP information

When running as a CGI, PHP versions up to 5.3.12 (5.3 branch) and 5.4.2 (5.4 branch) are vulnerable to an argument injection vulnerability.

Search and use the appropriate MSF module to get a shell.

Exploiting PHP with MSF

Exploiting Port 80 - TWiki

TWiki is a Perl-based structured wiki application, typically used to run a collaboration platform, a knowledge or document management system, a knowledge base, or a team portal. Users can create wiki pages using the TWiki Markup Language, and developers can extend the wiki application's functionality with plugins.

Exploiting TWiki using Metasploit

The OpenVAS scan certainly revealed that the TWiki web application is vulnerable to remote code execution. There are some exploits available in MSF for this application.

MSF modules for TWiki

Both twiki_history and twiki_search are supposed to work flawlessly but that does not appear to be the case.

Exploiting TWiki with MSF

Confusing, but the session is created.

The other one refuses to create a session…

Failed TWiki exploit

Exploiting Port 80 - WebDAV

WebDAV stands for Web Distributed Authoring and Versioning. The WebDAV protocol provides a framework for users to create, change and move documents on a server, typically a web server or web share. WebDAV is exploitable in many different ways.

Exploiting WebDAV using Davtest

You can test out DAV using the davtest command line utility. To scan a WebDAV server using the program just specify the URL:

Scanning WebDAV with davtest

From the davtest scan, you saw that a number of actions failed. I guess that means you need credentials to do anything. Or maybe you need a better tool…

Exploiting WebDAV using Cadaver

Cadaver is a command-line client for WebDAV servers. With cadaver, you can connect to the DAV server directly, and it turns out this method does not require credentials: as soon as you run the cadaver command against the server, you are connected. Once connected, you can issue a number of different commands.

Exploiting WebDAV with cadaver

What this means is that you have write access to the WebDAV directory, so you can create files there. In particular, you can upload web shells to the WebDAV server.

Web shells are scripts, written in languages such as PHP, Python, ASP or Perl, that are uploaded to a web server and then used as a backdoor for illegitimate access to that server. Once the backdoor is in place, the attacker can read and write on the server directly: edit any file the web server can reach, or delete files on the server.

Kali Linux ships with ready-made PHP web shells. They are stored in /usr/share/webshells/php, so a pentester can use them without spending time writing the PHP code for the malicious script.

Listing Kali's web shells

You can take advantage of these scripts to get a remote shell. You start by uploading the script to the server using cadaver.

Upload the simple-backdoor script:

Uploading the simple-backdoor script

Then you execute the script in the web browser.

Executing the script on the browser

The script is now ready to execute commands:

Executing a simple command

Dumping the /etc/passwd file

Try using a different script (php-backdoor):

Uploading the php-backdoor script

This script will give you a true web shell from which you can perform a number of tasks:

The php-backdoor web shell

Run a command:

Running the ls command in the web shell

Try a different script (qsd-php-backdoor):

Uploading the qsd-php-backdoor script

And you will get an even better web shell:

The qsd-php-backdoor script web shell

You can also create a reverse shell, but for that you need to edit the script to adjust its settings to your needs. In particular, you will need to insert the IP address of your attacker machine so that the victim knows where to send the shell.

Edit the php-reverse-shell.php file and make the necessary changes:

Editing the php-reverse-shell script

Now put the script on the server with cadaver, start a Netcat listener, and open the script with the web browser as before:

Uploading the modified php-reverse-shell script

Starting a Netcat listener

Running the modified php-reverse-shell script

And you will get a shell:

Netcat shell

Exploiting WebDAV using Metasploit

To check for WebDAV, you can use a couple of different modules:

Wrong MSF results

Wrong results…

Failed MSF module

Also, not very useful…

Failed MSF module

Nothing…

But if you manage to find a writable directory, you can use it to get a remote shell.

Creating a payload with MSFVenom

The msfvenom utility can be used to generate a reverse TCP shell in a PHP script. Basically, here's what you specify with msfvenom:

  • LHOST - This is the machine that you want your target machine to try and connect to. This must be the publicly-visible (or at least visible to the target) IP of your attacker machine.
  • LPORT - This is the port number that you want the target machine to connect to. The attacker machine must have this port open for the target to connect to it.

In this case, 172.16.1.6 is the IP of the attacker machine and 4444 the listener port on the attacker.

Creating the msfvenom payload

Now use cadaver to connect and put the PHP shell onto the web server:

Uploading the payload

Now start a Metasploit listener using the proper MSF module and choosing the proper payload:

Starting a Metasploit listener

This will wait for the reverse connection from the target machine.

The final step is to execute the PHP file. Click the PHP file or visit its URL in the browser.

Executing the msfvenom payload

This will execute the PHP code, create a shell, and open a connection to your Metasploit console.

Meterpreter reverse shell
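The whole WebDAV chapter above, whether done with cadaver and a Kali web shell or with an msfvenom payload, leaves the same two-step trace on the server: a successful PUT of a script into the DAV share, followed by a request for that same path. As an added example (not part of the original walkthrough), the Python below runs that detection logic over a few constructed Apache combined-format access-log lines; the log lines, timestamps and the 172.16.1.6 source address are constructed sample data.

```python
import re

# Constructed Apache "combined" log lines (sample data, not real traffic):
# the client checks the DAV share, PUTs a PHP web shell, then requests it.
SAMPLE_LOG = """\
172.16.1.6 - - [10/Mar/2020:10:01:12 +0000] "OPTIONS /dav/ HTTP/1.1" 200 - "-" "cadaver/0.23.3 neon/0.30.2"
172.16.1.6 - - [10/Mar/2020:10:01:15 +0000] "PUT /dav/simple-backdoor.php HTTP/1.1" 201 300 "-" "cadaver/0.23.3 neon/0.30.2"
172.16.1.6 - - [10/Mar/2020:10:01:40 +0000] "GET /dav/simple-backdoor.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
172.16.1.6 - - [10/Mar/2020:10:02:01 +0000] "PUT /dav/notes.txt HTTP/1.1" 201 10 "-" "cadaver/0.23.3 neon/0.30.2"
10.0.0.5 - - [10/Mar/2020:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 891 "-" "Mozilla/5.0"
"""
# Client IP, timestamp, request line and status code of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Extensions the server executes rather than serves as static content.
SCRIPT_EXT = (".php", ".phtml", ".php3", ".php5", ".pl", ".cgi", ".py", ".asp")

def parse_line(line):
    """Return the fields of one log entry, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore any query string
    return rec

def scan_access_log(log_text):
    """Return (uploads, executions): successful PUTs of script files into
    the share, and later successful GET/POST requests for those paths."""
    uploads, executions = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        success = rec["status"].startswith("2")
        script = rec["path"].lower().endswith(SCRIPT_EXT)
        if rec["method"] == "PUT" and success and script:
            uploads.append((rec["ip"], rec["path"]))
        elif (rec["method"] in ("GET", "POST") and success
              and any(path == rec["path"] for _, path in uploads)):
            executions.append((rec["ip"], rec["path"]))
    return uploads, executions

if __name__ == "__main__":
    for kind, hits in zip(("uploaded", "executed"), scan_access_log(SAMPLE_LOG)):
        for ip, path in hits:
            print(f"web shell {kind}: {path} from {ip}")
```

A PUT of a non-script file (notes.txt above) is ignored, and a request for a script that was never uploaded through DAV (index.php) does not raise an alert.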

Exploiting Port 80 - Apache Server

This chapter will cover techniques for exploiting the Metasploitable Apache server (running Apache 2.2.8). It will start with some general techniques (which work for most web servers), then move on to the Apache-specific ones.

This will also ignore the Tomcat server - we'll get to that later.

Exploiting Apache Server using Metasploit

Let’s try some MSF modules:

The files_dir module checks for the presence of any interesting files on the web server. By default, it uses a dictionary list that comes with Metasploit (/usr/share/metasploit-framework/data/wmap/wmap_files.txt) but you can also use your own.

Using MSF to scan the Apache server

Some directories return the HTTP code 301 (Moved Permanently).

Telnet to explore the 301s

If you use telnet to connect to port 80 and send a GET request for a resource that returns a 301, you can see more information:

Connect to port 80 and type out a GET request, with the location being requested, and specify the host (then press ENTER to make a new line):

Telnet to port 80

You will get a phpMyAdmin page that looks like it has lots of information that could be fuzzed. However, fuzzing the phpMyAdmin login page (and attacking vulnerabilities in phpMyAdmin itself) will launch you into a whole new set of tools and concepts, so we'll leave that for some other time.

phpMyAdmin page

Try some other MSF modules:

Failed MSF module

Funny, it doesn't even show the previously found directories.

This next one will find some additional directories:

Using MSF to scan the Apache server

There are many Apache-specific modules and that makes it difficult to figure out where to begin. Take a look at Legion/Nikto scan results and you’ll see the following vulnerability:

Selecting an Apache server specific vulnerability

Load the Metasploit module to scan for this vulnerability:

Using MSF to scan for the vulnerability

Running it confirms that the Apache web server is vulnerable (IP addresses of vulnerable web servers are printed out).

Now load the other auxiliary module to try to take advantage of the vulnerability:

Trying to exploit the vulnerability with MSF

In this case nothing happens, which confirms what you found before: index.php is the only file available on this Apache server.
