Metasploitable 3 Windows Walkthrough: Part VII

Exploiting Port 3389 – RDP

By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Metasploitable 3 has several RDP vulnerabilities.

Just by typing rdesktop [Target IP] you can access the remote machine, as long as you have valid credentials.

Accessing RDP

There are two vulnerabilities to be exploited in this service.

DoS Exploit

The MS12-020 vulnerability can be exploited to cause a Denial of Service condition on the remote machine. Metasploit has a couple of modules to test for and exploit this vulnerability.

Exploiting RDP to cause a DoS

BlueKeep Exploit

This service is also vulnerable to the BlueKeep attack, and you can use the corresponding Metasploit scanner module to check whether the target machine is affected.

Checking for BlueKeep vulnerability

However, even if the scanner module reports the target as vulnerable, the exploit module will consistently fail: it finishes without opening a session and crashes the target machine. The explanation can be found in the exploit module’s information:

Windows 7 SP1 should be exploitable in its default configuration, assuming your target selection is correctly matched to the system's memory layout. HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\Winstations\RDP-Tcp\fDisableCam *needs* to be set to 0 for exploitation to succeed against Windows Server 2008 R2. This is a non-standard configuration for normal servers, and the target will crash if the aforementioned Registry key is not set!

After setting the registry key to the correct setting, the exploit module will work flawlessly:

Exploiting the BlueKeep vulnerability

Exploiting Port 4848 – GlassFish

GlassFish is an open-source application server project started by Sun Microsystems for the Java EE platform. Accessing this port, you will see the interface for the Administration console:

GlassFish Administration Console

Getting GlassFish credentials

Try to brute force your way in using Metasploit and the custom wordlists that include the credentials recovered from WordPress:

Brute forcing GlassFish with Metasploit

Or try to get credentials in another way:

Dumping hashes with Metasploit

By default, the module downloads the win.ini file:

But you should aim for something far more valuable, such as the users’ credentials, which are stored at:

glassfish/glassfish4/glassfish/domains/domain1/config/admin-keyfile

Dumping hashes with Metasploit

You have found the hash for the admin account.

Try to get another one:

Dumping hashes with Metasploit

But this one is not associated with any user. From here you can try to identify which accounts the hashes belong to, crack them, and so on.

Or you can try to log in using the last hash as the password:

User: admin, Password: 183511DE8C2E7E281BE95DC1A3B6AAC3A51F9262

Accessing GlassFish

Using the previous credentials, try to exploit the GlassFish service.

Exploiting GlassFish using Metasploit

Load the appropriate module and set the correct options:

Exploiting GlassFish with Metasploit

Unfortunately, this module is sometimes a bit unstable, so if it fails the first time, just run it again.

Exploiting GlassFish using manual injection

Try to inject a malicious payload manually using the Administration Console. In the Applications node, select the Deploy page.

Looking for the place to deploy the payload

In the Deploy page you will see where to upload the file into the server.

Looking for the place to deploy the payload

Assuming the server expects the same format shown on the Deploy page (a .war package), generate one with msfvenom:

Creating the payload

Prepare the handler/listener:

Preparing the handler/listener

Then browse to your payload and press Ok to upload it:

Deploying the payload

You will now see your payload properly uploaded. Click Launch:

Launching the payload

That will open a secondary page:

Launching the payload

Note that the links use the target’s hostname instead of its IP address, so the browser will not be able to resolve them:

Launching the payload

This can be easily solved by replacing the hostname with the IP address in the URL:

Launching the payload

Move back to Metasploit and you will see the inbound connection from the GlassFish server.

Reverse shell
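As the defender-side counterpart to the manual deployment above, here is an added example (not code from the original walkthrough) in Python: it reads the user-deployed applications registered in a GlassFish domain.xml and flags any that are not on a known baseline, which is how a rogue .war dropped through the Administration Console would surface. The domain.xml snippet is constructed, and the element layout (application elements carrying name, context-root and object-type attributes) is assumed from GlassFish 4's configuration format rather than taken from the Metasploitable 3 image.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a GlassFish 4 domain.xml <applications> block.
# The attribute names are assumed from GlassFish 4's format; "shell" plays the
# role of a .war deployed through the Administration Console without approval.
SAMPLE_DOMAIN_XML = """<domain>
  <applications>
    <application context-root="/__admingui" name="__admingui"
                 location="${com.sun.aas.installRootURI}/lib/install/applications/__admingui/"
                 object-type="system-admin" directory-deployed="true"/>
    <application context-root="/hello" name="hello"
                 location="${com.sun.aas.instanceRootURI}/applications/hello/"
                 object-type="user"/>
    <application context-root="/shell" name="shell"
                 location="${com.sun.aas.instanceRootURI}/applications/shell/"
                 object-type="user"/>
  </applications>
</domain>
"""

# Hypothetical baseline: the applications that are supposed to exist on this domain.
EXPECTED_APPS = {"hello"}


def user_applications(domain_xml: str) -> dict:
    """Return {name: context-root} for every user-deployed application in domain.xml,
    skipping GlassFish's own system applications (object-type other than "user")."""
    root = ET.fromstring(domain_xml)
    apps = {}
    for app in root.iter("application"):
        if app.get("object-type", "user") != "user":
            continue
        apps[app.get("name")] = app.get("context-root", "")
    return apps


def unexpected_applications(domain_xml: str, baseline) -> list:
    """Names of user applications missing from the baseline: candidates for an
    unauthorized deployment that should be reviewed and, if rogue, undeployed."""
    return sorted(set(user_applications(domain_xml)) - set(baseline))


if __name__ == "__main__":
    for name in unexpected_applications(SAMPLE_DOMAIN_XML, EXPECTED_APPS):
        print(f"unexpected application deployed: {name}")
```

On a real server, point the check at domains/domain1/config/domain.xml and run it from a scheduled job so that a new deployment shows up within minutes.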
