Exploiting Port 3389 – RDP
By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Metasploitable 3 has several RDP vulnerabilities.
Just by typing rdesktop [Target IP] you can get access to the remote machine, as long as you have valid credentials.
There are two vulnerabilities to be exploited in this service:
DoS Exploit
The MS12-020 vulnerability can be exploited to cause a Denial of Service condition on the remote machine. Metasploit has a couple of modules to test and exploit this vulnerability.
BlueKeep Exploit
This service is also vulnerable to the BlueKeep attack, and you can use the proper Metasploit module to check whether this vulnerability exists on the target machine.
However, even if the scanner module reports the target as vulnerable, the exploit module will consistently fail: it finishes without opening a session and crashes the target machine. The solution can be found in the exploit module’s information:
Windows 7 SP1 should be exploitable in its default configuration, assuming your target selection is correctly matched to the system's memory layout. HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\Winstations\RDP-Tcp\fDisableCam *needs* to be set to 0 for exploitation to succeed against Windows Server 2008 R2. This is a non-standard configuration for normal servers, and the target will crash if the aforementioned Registry key is not set!
After setting the registry key to the required value, the exploit module will work flawlessly:
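Seen from the server side, the three settings this section turns on are exactly the ones an administrator should audit: whether RDP is enabled at all, whether Network Level Authentication is enforced (BlueKeep is a pre-authentication bug, so NLA blocks unauthenticated exploitation), and whether fDisableCam has been changed from its default. The following PowerShell audit is an added example, not from the original post or from Metasploit; it assumes it is run as Administrator on the Windows host and uses the real key name `Terminal Server` (with a space), which the module text above writes without one.

```powershell
# Added example (not from the original post): audit the RDP settings this
# section depends on. Run on the Windows host itself as Administrator.
# Paths use the real key name "Terminal Server" (with a space).
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = Join-Path $ts 'WinStations\RDP-Tcp'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when the value (or the whole key) does not exist
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$report = [ordered]@{
    # 1 = RDP disabled (the Windows default), 0 = RDP listening on 3389
    'fDenyTSConnections' = Get-RegValueOrNull $ts  'fDenyTSConnections'
    # 1 = Network Level Authentication required; pre-auth RDP bugs such as
    # BlueKeep need an unauthenticated channel, so 1 is the safe value
    'UserAuthentication' = Get-RegValueOrNull $tcp 'UserAuthentication'
    # 0 is the non-default value the Metasploit module text calls out;
    # $null or 1 is what a normal server looks like
    'fDisableCam'        = Get-RegValueOrNull $tcp 'fDisableCam'
}

$findings = @()
if ($report['fDenyTSConnections'] -eq 0) {
    $findings += 'RDP is enabled; confirm it is needed and firewalled.'
}
if ($report['fDenyTSConnections'] -eq 0 -and $report['UserAuthentication'] -ne 1) {
    $findings += 'NLA is not enforced; set UserAuthentication=1 to block pre-auth RDP attacks.'
}
if ($report['fDisableCam'] -eq 0) {
    $findings += 'fDisableCam=0 is a non-default setting; revert it unless A/V redirection is required.'
}

[pscustomobject]$report | Format-List
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No RDP misconfiguration found by this check.' }
```

Installing the vendor patch for BlueKeep remains the actual fix; the NLA and fDisableCam checks only tell you whether the unpatched host is exposed in the way this section describes.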
Exploiting Port 4848 – GlassFish
GlassFish is an open-source application server project started by Sun Microsystems for the Java EE platform. Accessing this port, you will see the interface for the Administration console:
Getting GlassFish credentials
Try to brute-force your way in using Metasploit and the custom wordlists, including the credentials from WordPress:
Or try to get credentials in another way:
By default, the module will download the win.ini file:
But you should try to get something far more important like the user’s credentials. And those are located at:
glassfish/glassfish4/glassfish/domains/domain1/config/admin-keyfile
You have found the hash for the admin account.
Try to get another one:
But this one is not associated with any user. From here you can try to identify them, crack them, etc.
Or you can try to log in using the last hash as the password:
User: admin, Password: 183511DE8C2E7E281BE95DC1A3B6AAC3A51F9262
Using the previous credentials, try to exploit the GlassFish service.
Exploiting GlassFish using Metasploit
Load the appropriate module and set the correct options:
Unfortunately, this module is sometimes a bit unstable so if it fails the first time just run it again.
Exploiting GlassFish using manual injection
Try to inject a malicious payload manually using the Administration Console. In the Applications node, select the Deploy page.
In the Deploy page you will see where to upload the file into the server.
Assume you are dealing with the same format and generate a .war file with msfvenom:
Prepare the handler/listener:
Then browse to your payload and press Ok to upload it:
You will now see your payload properly uploaded. Click Launch:
That will open a secondary page:
Note that the links use the target’s host name instead of its IP address, so the browser won’t be able to resolve them:
This can be easily solved by replacing the name with the IP in the URL:
Move back to Metasploit and you will see the inbound connection from the GlassFish server.