LAB 7 - Exploitation

Craig T. Ciulla

NCS430 Ronny L. Bull

Date Assigned: 2015/03/17 Due Date: 2015/03/29

Objective: The objective of this lab was to practice exploiting vulnerabilities present in target machines of dissimilar operating systems. These attacks leveraged the vulnerabilities detected and examined in lab 6.

1 Metasploit - Server Side Exploits

In this section, I ran exploits against server-related vulnerabilities present on the Windows XP VM. These exploits relied on service vulnerabilities, default passwords, and misconfigurations present on the server being attacked.

1.1 MS08-067

The first vulnerability I exploited allowed for remote code execution in unpatched versions of Windows Vista and Windows XP.

I was able to use Metasploit with the windows/smb/ms08_067_netapi module to exploit the vulnerability.

With the proper options configured, I was able to open a Meterpreter session with a target Windows XP machine. From the newly opened session I could run commands remotely.


1.2 WebDAV

The second vulnerability I exploited was the use of default passwords within the XAMPP service hosted on the Windows XP machine. With these defaults present, there was a good possibility of getting an interface through which I could manage the content hosted on the server.

Using cadaver, I was able to log into an administrator console for the service. Through this I was given control over hosted content.

Although I could continue having fun with this level of access, I was able to elevate my permissions to those of a Meterpreter shell easily enough. To do this, I compiled a PHP script which would send my machine a reverse shell when run and uploaded the script using my access through cadaver.

With my script uploaded and set to open a reverse shell upon being run, I ran a session in Metasploit to listen for the reverse shell.


After running the script, Metasploit was able to capture and hold a system level Meterpreter shell.

1.3 Open phpMyAdmin

I continued playing with my ability to upload and run scripts, though I switched from using cadaver to using the running SQL database to upload my scripts. The next script allowed me to run remote code through simple page queries. The ability to access and modify the SQL database without authentication was either a misconfiguration or a vulnerable configuration.

The script ran successfully, though it required a command to be entered as input.

Again, I used this minimal access to elevate my ability. I began by hosting the file system on my Kali machine. From there, I used my ability to launch commands remotely to upload the Meterpreter script onto the remote machine at the default Apache path.


With the transfer successful, I was able to get the remote machine to send a reverse shell to Meterpreter.

1.4 Zervit

Another server-related vulnerability I exploited was present in Zervit, but it demonstrates the risk associated with hosting any content online. The vulnerability allows for queries to be made on files hosted outside of the normal hosting directory, potentially exposing sensitive files on the machine.

To demonstrate the presence of this vulnerability, I pulled the boot.ini file present on the root of the Windows XP machine’s C drive.

Although fun, having the contents of the boot.ini did not prove very useful in this case. With that in mind I pulled a potentially more useful file. The FileZilla Server.xml file located within the FileZillaFTP directory contains the names and password hashes of the FTP users. Using the proper tools, these hashes could be reversed to reveal the passwords associated with the accounts.


Going even further, I attempted to download the password hashes and the password hash key for the Windows system itself [SAM]. The first attempt to do this failed, possibly due to a file permission error.

By grabbing the SAM file from a backup, I was able to bypass the permission error and retrieve the file without difficulty. Using both these files, reversing the passwords for the Windows accounts should be possible.
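As an added detection example, not code from the lab report, the following Python checks web server request lines for the kind of out-of-webroot fetch described above. It percent-decodes each path until stable (so double-encoded dots are caught) and counts how far a request climbs above the web root; the sample request lines are constructed.

```python
from urllib.parse import unquote

# Constructed sample request lines (not taken from the lab); the last three
# imitate requests that reach outside the web root.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /a/b/../c.html HTTP/1.1",
    "GET /../../boot.ini HTTP/1.1",
    "GET /..%2f..%2fFileZilla%20Server%2fFileZilla%20Server.xml HTTP/1.1",
    "GET /docs/%252e%252e/%252e%252e/secret.txt HTTP/1.1",
]

def decode_path(raw_path, rounds=3):
    """Strip the query string and percent-decode until stable (handles %252e)."""
    path = raw_path.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")  # Windows servers accept both separators

def escape_depth(path):
    """Levels above the web root the path reaches at its deepest '..' climb."""
    depth, lowest = 0, 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            lowest = min(lowest, depth)
        else:
            depth += 1
    return -lowest

def find_traversal(request_lines):
    """Return (request_line, decoded_path, levels) for each request whose
    resolved path climbs above the web root."""
    hits = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        path = decode_path(parts[1])
        levels = escape_depth(path)
        if levels:
            hits.append((line, path, levels))
    return hits

if __name__ == "__main__":
    for line, path, levels in find_traversal(SAMPLE_REQUESTS):
        print(f"{levels} level(s) above root: {path!r}  <- {line}")
```

A request like /a/b/../c.html is not flagged because it never leaves the root; only the net climb above "/" counts.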


1.5 SLMail 5.5

Yet another server-related vulnerability I exploited was one present in SLMail 5.5. This vulnerability was due to a POP3 issue making the service susceptible to a buffer overflow, documented in CVE-2003-0264.

Though the setup appeared to be correct, the exploit failed to work on the machine. This may be due to a misconfiguration on the Windows XP machine, or even a misunderstanding of the proper procedure to exploit the vulnerability.

1.6 TikiWiki CMS 1.9.8

Another server-side vulnerability I leveraged was one present in a TikiWiki 1.9.8 PHP script, graph_formula.php. From this, PHP code could be run on the server remotely.

Again, the result was not as expected. Though the setup appeared correct, the exploit failed to run the payload.

1.7 Very Secure FTP 2.3.4

When vsftpd 2.3.4 was released, it contained an easily exploitable backdoor. When :) was entered as the password for any valid user, a reverse shell would become available on the port.

Using the backdoor present in the server service vsftpd, I connected to the FTP service and grabbed the root shell spawned on port 6200 of the server.


1.8 NFS mount to SSH

The server also hosts the user directory as a share, allowing for read and write access when mounted. With this in mind, I should be able to mount the share and add the public key of the Kali VM to allow for passwordless SSH access.

As shown by the screenshot above, the MU VM had kernel panicked. I spent some time troubleshooting from the Kali machine when the NFS share would not mount, only for MU to be the issue.

Though I was able to mount the share successfully, the MU VM continued to kernel panic and made continuing difficult.


After several reboots and some patience, I was able to properly follow my procedure to gain SSH root access.
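As an added defender's check, not part of the lab report, this Python audit of an /etc/exports file flags the conditions the mount-and-add-a-key procedure above relies on: a home directory exported read/write to any host, and no_root_squash. The exports text is constructed.

```python
# Constructed /etc/exports contents (not from the lab); the first line is the
# sort of export that lets any host mount the home directories read/write.
SAMPLE_EXPORTS = """\
# home directories for the lab users
/home        *(rw,sync,no_root_squash)
/srv/public  192.168.56.0/24(ro,sync)
/srv/data    10.0.0.5(rw,sync) 10.0.0.6
"""

# Options worth flagging on any export.
RISKY_OPTIONS = {
    "no_root_squash": "remote root is not mapped to nobody",
    "insecure": "mounts accepted from unprivileged source ports",
}

def parse_exports(text):
    """Yield (path, client, options) for every client entry. A line with no
    client list exports to everyone; missing options mean the exportfs
    defaults (ro, root_squash)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:] or ["*"]
        for entry in clients:
            client, _, opts = entry.partition("(")
            options = {o for o in opts.rstrip(")").split(",") if o}
            yield path, client or "*", options

def audit_exports(text):
    """Return (path, client, finding) tuples for weak export entries."""
    findings = []
    for path, client, options in parse_exports(text):
        if client == "*" and "rw" in options:
            findings.append((path, client, "writable by any host"))
        if path.startswith("/home") and "rw" in options:
            findings.append((path, client,
                             "writable home directories expose ~/.ssh/authorized_keys to NFS clients"))
        for opt, why in RISKY_OPTIONS.items():
            if opt in options:
                findings.append((path, client, why))
    return findings

if __name__ == "__main__":
    for path, client, why in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {why}")
```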

2 Password Attacks

While leveraging detected vulnerabilities is the path with a likelier chance of success, password-based attacks are simpler and do not rely on a vulnerable service being present.

2.1 FTP

Using my knowledge of the FTP user accounts on the target machines, I attempted to brute-force the passwords.

Using the built-in JTR password list failed, which I thought was strange as the password that would have allowed a successful login was in that file.


Suspicious of the results, I attempted to brute-force the FTP service using a password file containing only the password. When that failed, I manually logged in to the FTP service using the password in question to verify its validity. With the account accessible through a manual login, I assume Hydra may be missing a prerequisite to run correctly.

2.2 JTR

Using the SAM and SYSTEM files captured from the Windows XP VM earlier, I attempted to recover the Windows account password hashes.

While this was successful, the found accounts brought the freshness of the hashes into question. One of the known accounts on the system, georgia, was not within the listing of users.


Using the ms08_067_netapi module in Metasploit to open a Meterpreter session, I ran the command hashdump to pull a fresh copy of the Windows account hashes.

With the fresh password hashes, I used JTR to brute-force the passwords from the hashes. This was successful for three of the accounts accessible on the VM, leaving only one accessible account uncracked.

With the Windows XP password hashes tested, I grabbed the MU hashes to test as well.


As shown, JTR was able to find the passwords for six of the seven accounts present on the machine.

3 Metasploit - Client Side Exploits

In this section I practiced running exploits on client systems. Since such systems are not likely hosting content or actively listening for many incoming connections by default, it is usually the case that a targeted user must run an exploit manually. For the sake of simplicity, only the creation of the exploit will be addressed. The exploit will be run on the target system automatically.

3.1 Failed Attempts

At first I tried using an IE browser vulnerability to spawn a Meterpreter shell, only Metasploit would crash when attempting to serve the malicious page.

The next attack I attempted was the creation and transport of a PDF set to spawn a shell when run.


As with similar reverse shell related exploits, I set Metasploit to watch for a reverse shell from the target VM. Unexpectedly, running the PDF had no result and a reverse shell was never captured.

With the bad luck trend faced so far, I revisited the PDF related exploits in hopes of some good luck. Using the adobe_pdf_embedded_exe module in Metasploit, I attempted to create a PDF which would open a reverse TCP shell with my Kali VM upon execution. Like the previous client-side attempts, this failed. In this particular instance, I could not find a PDF compatible with the module.


3.2 Java based exploits

My first success in client-side exploitation, even if only partial, was using a Java related exploit.

Using the java_jre17_jmxbean exploit with the reverse_http payload, I attempted to gain a Meterpreter shell on the targeted VM. Though this was a failure from the perspective of its intended purpose, it curiously gave me the equivalent of a telnet banner grab.

Not quite ready to give up, I attempted the exploit using several of the available options. While the errors were all dissimilar, none resulted in any notable progress. Featured above was my attempt at using the reverse_tcp payload from a non-default port.

Still in hope of success, I attempted to use the java_signed_applet module to create and serve a signed Java applet to the target machine. The applet would prompt the user to allow the malicious code to be run, bypassing the need for a Java vulnerability as leverage. This failed due to the recommended payload not being listed as compatible with the exploit. Some others were tried, but ultimately another exploit was placed on hold.

With my hope dwindling, I began to wonder if either my Kali or Windows XP VM had been tampered with between the successful beginning of the lab and now. The next attempt was to use the browser_autopwn module to fingerprint the browser, detect vulnerabilities, and make use of those discovered. This search generated the error "No exploits," giving my earlier thoughts some merit.

3.3 Winamp based exploits

With little success in the PDF and Java based exploits, I attempted to run an exploit hidden within a Winamp configuration file. As it was common to modify the Winamp configuration files when installing an intricate Winamp skin, a maliciously modified configuration file was a very real threat on early versions of Winamp.

I used the Metasploit module winamp_maki_bof to do just that. With it compiled correctly, I sent it over to my Windows 7 VM with my fingers crossed.


With the proper setup, the exploit ran successfully and I was given an administrator level Meterpreter shell.
