Wow, what a week! I spent no less than 30 solid hours this week (in my free time) going through these books a little more and boy is there a lot to cover. Let’s start with my gripes. As you remember I am going through “The Hacker Playbook 2”, “Metasploit, the Penetration Tester’s Guide” and “Penetration Testing, a Hands-On introduction to Hacking”.
Now obviously I knew there was going to be some overlap between these books but jeeeeessussss I am getting sick of reading about MS08-067…. As you will remember from Part 1 of this Series MS08-067 was the first exploit that I managed to get to work on my target environment (which has grown, but more on that in a minute). This was fun to do but shockingly little was learned in it. You simply loaded up metasploit, ran the exploit and it drops you into a shell. An excellent intro to the tool but it’s time to move on… Like fo-real… Sick of hearing about it.
That all said I am pretty pleased so far with my progress. I have been diving in deep into the wonders and powers of NMAP. I also learned how to import your NMAP results directly into metasploit which was pretty baller. Finally I learned what I think is the most useful part of all this, which was researching your findings.
If you don’t know NMAP or Network Mapper, is an amazing tool for finding machines and services on a network. This tool is extremely versatile. It allows you to scan for hosts, their services, fingerprint the services and a ton more. The best part though is that it has built in functionality that allows you to do it silently so as not to arouse suspicion on a network.
To start with I scanned my network to see the hosts that I had up and running. Now, I’m not going to display everything on my network here but suffice to say I found my target virtual machine on the network and decided to probe a little further. It’s ip is 192.168.1.67 in this context. This machine is not the Windows XP machine from my last post but another machine called Metasploitable. It’s a VM that I downloaded. You can find a link to it from here off of the Offensive Security website
As you can see there are a number of services running on the target machine. One thing that we should note though is that I just told nmap to go scan that IP without specifying the ports. Nmap will only search a default set of ports that it deems important. Now, I know this machine isn’t being watched by any monitoring services (at least I don’t think it is lol) so I am comfortable running a full port scan on it. In order to do this I added in the flag for port “-p” and I told it to search from 0-65535 (because that’s how many ports there are on a machine)
Which resulted in this.
As you can see, there are a ton of new ports that my first scan missed. I was curious about the ports listed as unknown so I picked one at random, 8180, and navigated to it in the browser to see what I got.
What do you know! I found an Apache server default page that lists the version number on it.
Let’s start by searching for tomcat and see what comes back.
As you can see we have a few options to interact with so let’s pick one. I want to try brute forcing the password. I would imagine that it’s not uncommon for default or easy to brute force username’s and passwords to appear on services like this. I am going to try tomcat_mgr_login in the auxiliary section.
After setting the correct port and running it you can see below that we got a match!
So now that we know we have a username and password of tomcat tomcat let’s go try it out in the browser.
Sure enough we get access to the admin section.
Now if this wasn’t bad enough, let’s see what else we can do. Back over to metasploit and I am now looking for an actual exploit to get me a shell onto this machine. Remember that my ultimate goal here every time I run these tests is complete control over the system.
I decide to go with tomcat_mgr_upload in the exploit section. Take note that I once again set the RHOST which is my target machine and some other options such as the username and password which we now have. I also need to select the correct target so I first display what targets are available and set it to Linux X86.
Now let’s see what payloads are available
Wow, all types of fun stuff we can try. I want to start with the meterpreter payloads. So I set my payload to the bind_tcp payload. Now let’s see what options we have available.
Looks like we just need to set our listening port. I changed mine to 2222 and I ran it. Sure enough it was able to deploy the payload and drop me into a meterpreter session!
At this point we have a ton of control over the system. I will go into more depth on meterpreter in a later post.
So wow, what an exciting experience that was! Let’s recap.
I was able to:
- Scan my network for machines
- Identify a machine I wanted to target
- Identify services on that machine
- Research a vulnerable service
- Brute force that services credentials
- Finally upload a payload that gave me a shell into the machine
That’s a ton! I’m learning a lot from these books and I know there’s a ton more to learn so I look forward to another packed week next week!