Post-Exploitation
Overview
You will learn to find and exploit a vulnerable application in this lab. It will also cover post-exploitation techniques to extract sensitive information and pivot!
Lab Environment
In this lab environment, the user will access a Kali GUI instance. A vulnerable application can be accessed using the tools installed on Kali at http://demo.ine.local and http://demo1.ine.local.
Objective: Exploit both targets and find the flag!
Tools
The best tools for this lab are:
Metasploit Framework
Nmap
Please go ahead ONLY if you have COMPLETED the lab or you are stuck! Checking the solutions before actually trying the concepts and techniques you studied in the course will dramatically reduce the benefits of a hands-on lab!
Solution
Step 1: Open the lab link to access the Kali GUI instance.

Step 2: Check if the provided machine/domain is reachable.
Commands

Only one of the provided machines is reachable, i.e., demo.ine.local; we have also obtained the targets' IP addresses.
Step 3: Check open ports on the demo.ine.local machine.
Command

Multiple ports are open on the demo.ine.local machine.
We can launch attacks on exposed ports. But first, let's check what is publicly accessible. In this case, we will target port 80 to find the running application name and version.
Step 4: Run Nmap against port 80 to gather all available information about the target server.
Command
-sV: Probe open ports to determine service/version info.
-p: Port(s) to scan

The target is running HFS 2.3 on port 80. HFS (HTTP File Server) is a file-sharing server.
Now that we have the running application's name and version, let's check whether it is vulnerable to any known public exploits.
Step 5: Search for public exploits for HFS 2.3 using searchsploit.
Command
About "searchsploit"
searchsploit is a bash script that helps find exploits for services, OSes, and applications.

The output shows that HFS 2.3 is vulnerable to RCE (Remote Command Execution).
Step 6: Now, we will run the Metasploit framework and find the hfs exploit module.
Commands

There is a Metasploit exploit module available for Rejetto HttpFileServer 2.3.
We have identified the running application, confirmed that this HFS version is vulnerable, and located an exploit module for it.
Step 7: Let's select the HFS exploit module and check all the available options.
Command

We need to set "RHOSTS" (the target address: IP or hostname). In this case, it is demo.ine.local, where the HFS application is running.
Port 80 is set by default in the module, and the windows/meterpreter/reverse_tcp payload is preselected along with "LHOST" and "LPORT" (the attacker machine's IP address and port) for the reverse connection of the Meterpreter shell.
Note: Always verify the LHOST and LPORT values and change them if they do not match your lab setup.
Step 8: Now, set the target information, i.e. "set RHOSTS", and exploit the HFS application.
Command

We have successfully exploited the HFS application using the Metasploit Framework.
Step 9: Now, let's gather target machine information, e.g., the current user, system information and architecture.
Command

The target is running Windows Server, and we have a Meterpreter session with administrator privileges.
Step 10: We can obtain "SYSTEM" (NT AUTHORITY\SYSTEM) privileges on the machine.
Commands
getsystem is a Meterpreter command for privilege escalation. It tries a set of predefined techniques to obtain the highest privilege level (SYSTEM) on the compromised machine:
0 : All techniques available
1 : Named Pipe Impersonation (In Memory/Admin)
2 : Named Pipe Impersonation (Dropper/Admin)
3 : Token Duplication (In Memory/Admin)
4 : Named Pipe Impersonation (RPCSS variant)

The output shows that the Named Pipe Impersonation technique was used to obtain SYSTEM privileges.
We have fully compromised the first target. Now, depending on the objective, we can make changes on the target machine.
Step 11: Let's check if we can access demo1.ine.local from the compromised host.
Before pinging the second target from the compromised host, we need the IP address of demo1.ine.local.
Recall that when we pinged both targets earlier, we discovered their IP addresses:
1. demo.ine.local: 10.0.23.218
2. demo1.ine.local: 10.0.21.170
Now, let's ping 10.0.21.170 from the compromised host and verify that it is reachable.
Commands
As we can see, the demo1.ine.local machine, i.e., 10.0.21.170, is reachable from the compromised host.

However, we cannot reach that machine (10.0.21.170) from the Kali machine, so we need to pivot by adding a route in the Metasploit Framework through the Meterpreter session.
Step 12: Let's add the route through the Meterpreter session so that we can reach the second machine's services.
Command

We have successfully added the route to access the demo1.ine.local machine.
Step 13: Now, let's enumerate all the installed applications on the target machine.
Command

The output lists all the applications installed on the target machine.
The interesting one is FileZilla Client 3.57.0. The user of this machine must be using it to connect to an FTP service to access data.
Step 14: We can use the FileZilla credentials extractor post-exploitation module to dump the FTP stored credentials.
Multi Gather FileZilla FTP Client Credential Collection
This module will collect credentials from the FileZilla FTP client if installed. Source: https://www.rapid7.com/db/modules/post/multi/gather/filezilla_client_cred/
Command

The post-exploitation module returned FileZilla credentials, but the password is not displayed readably.
Note: When running the filezilla_client_cred post module, the results may vary. For instance, the credentials may come back in an unreadable format.
In that case, launch a shell and view the configuration file manually, or use Meterpreter to download the configuration file named in the module output.
The credentials were extracted from the sitemanager.xml file, which is located in the C:\Users\Administrator\AppData\Roaming\FileZilla directory.
Let's read the sitemanager.xml file manually to recover the password correctly.
File Path: C:\Users\Administrator\AppData\Roaming\FileZilla\sitemanager.xml
Command

We have found the FTP login details as follows:
Server: 10.0.21.78
User: admin
Pass: FTPStrongPwd
The IP address (10.0.21.78) belongs to the demo1.ine.local machine. If demo1.ine.local exposes port 21, these credentials may be valid there.
Step 15: First, start the socks4a proxy server using the Metasploit module. We will then use proxychains for port scanning.
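From the defender's side, the lesson of this step is that FileZilla's sitemanager.xml keeps saved passwords on disk in a form anyone with file access can recover. The following audit script is an added example, not part of this lab or of the Metasploit module: it parses a constructed sitemanager.xml (host and user mirror the lab, the password value is made up) and reports, per saved site, whether the stored password is recoverable, so administrators can find such files on workstations before a post-exploitation module does.

```python
import xml.etree.ElementTree as ET

# Constructed sitemanager.xml in the layout FileZilla 3.x writes (the host and user mirror this
# lab; the base64 password value is made up and is not the lab's password).
SAMPLE_SITEMANAGER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.57.0" platform="windows">
  <Servers>
    <Server>
      <Host>10.0.21.78</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>admin</User>
      <Pass encoding="base64">Y29uc3RydWN0ZWQ=</Pass>
      <Name>demo1 ftp</Name>
    </Server>
    <Server>
      <Host>files.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>backup</User>
      <Name>sftp without a saved password</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def audit_sitemanager(xml_text):
    """Return one record per saved site: host, user and how the password is stored.
    "recoverable" = plain or base64 on disk (what filezilla_client_cred harvests);
    "protected" = any other encoding (assumed: an entry encrypted with a master password);
    "none" = no password saved."""
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        pass_el = server.find("Pass")
        if pass_el is None or not (pass_el.text or "").strip():
            status = "none"
        elif pass_el.get("encoding") in (None, "base64"):
            # base64 is an encoding, not a protection: whoever can read the file has the password
            status = "recoverable"
        else:
            status = "protected"
        findings.append({
            "host": server.findtext("Host", default=""),
            "user": server.findtext("User", default=""),
            "password": status,
        })
    return findings
```

Run it over every sitemanager.xml under the users' AppData\Roaming\FileZilla directories; any "recoverable" entry is a credential that should be rotated and, going forward, protected with a FileZilla master password or not saved at all.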
Socks4a Proxy Server
This module provides a socks4a proxy server with built-in Metasploit routing to relay connections. Source: https://www.rapid7.com/db/modules/auxiliary/server/socks4a/
Note: proxychains should be configured with the following parameters at the end of /etc/proxychains4.conf:
Command

The configured socks4 proxy port is 9050.
Now, let's run the Metasploit SOCKS proxy auxiliary server module on port 9050.
Commands

The module options show SRVPORT set to 1080 and VERSION set to 5. We need port 9050 and version 4a to match the proxychains configuration, so let's change both values and then run the server.
Commands:

The proxy server is now running.
Step 16: Now, let's run Nmap through proxychains to identify all open ports on the machine behind the pivot, i.e., demo1.ine.local.
Command:
demo1.ine.local: the second target, reached through the pivot
-sT: TCP connect scan
-Pn: Skip host discovery and force a port scan.
-p 1-50: Port range to scan
This scan is the safest way to identify the open ports. Metasploit's auxiliary TCP port-scanning modules would also work, but they are very aggressive and can kill your session.

Two ports are open on the target machine: 21 and 22. We could forward these ports to identify the running application names and versions, but they are the default ports for FTP and SSH, so we can reasonably guess that port 21 is the FTP service and port 22 is OpenSSH.
Step 17: We already know that port 3389 (RDP) is exposed on the demo.ine.local machine. Now, let's create another user and add it to the Remote Desktop Users group to gain GUI access to the target.
Commands

We have created a guest_1 user and added it to the Remote Desktop Users group.
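The account creation and group change in this step leave a clear trail in the Windows Security log: event 4720 (user account created) followed within seconds by 4732 (member added to a security-enabled local group, here Remote Desktop Users). The detection below is an added example, not part of the lab; it correlates constructed event records (reduced to the fields needed, with the 4732 member already resolved from SID to name, which is an assumption) and raises a high-severity alert when a freshly created account is added to a group that grants interactive or administrative access.

```python
from datetime import datetime, timedelta

# Constructed Windows Security log records, reduced to the fields that matter here:
# 4720 = a user account was created, 4732 = a member was added to a security-enabled local group.
# (Real 4732 events carry the member as a SID; resolving it to a name is assumed done upstream.)
SAMPLE_EVENTS = [
    {"time": "2023-01-01T10:00:05", "event_id": 4720, "subject": "Administrator", "target": "guest_1"},
    {"time": "2023-01-01T10:00:07", "event_id": 4732, "subject": "Administrator", "target": "guest_1",
     "group": "Remote Desktop Users"},
    {"time": "2023-01-01T11:30:00", "event_id": 4732, "subject": "Administrator", "target": "svc_backup",
     "group": "Backup Operators"},
    {"time": "2023-01-02T09:00:00", "event_id": 4720, "subject": "Administrator", "target": "jdoe"},
]

# Local groups whose membership grants interactive or administrative access to the host.
WATCHED_GROUPS = {"Remote Desktop Users", "Administrators"}


def find_suspicious_group_adds(events, window=timedelta(minutes=10)):
    """Correlate 4720 and 4732 events: an account that is created and, shortly afterwards,
    added to a watched group is the pattern the net user / net localgroup commands on this
    page produce. Returns one alert per watched-group addition; severity is "high" when the
    account was created inside the correlation window, "medium" otherwise."""
    created = {}  # account name -> time it was created
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4720:
            created[ev["target"]] = ts
        elif ev["event_id"] == 4732 and ev.get("group") in WATCHED_GROUPS:
            birth = created.get(ev["target"])
            fresh = birth is not None and timedelta(0) <= ts - birth <= window
            alerts.append({
                "account": ev["target"],
                "group": ev["group"],
                "by": ev["subject"],
                "severity": "high" if fresh else "medium",
            })
    return alerts
```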
Step 18: Let's login through RDP using these credentials.
Commands

Now, open the FileZilla Client utility and connect to 10.0.21.78, i.e., the demo1.ine.local machine.

Connect to the 10.0.21.78 machine using the FTP credentials:
Username: admin
Password: FTPStrongPwd

A usernames.txt file is present. Let's download the file and check all the users.

The file is downloaded to the C:\Users\guest_1 folder.

Now, let's open the file and check all the usernames.

As we can see, three users are listed: administrator, sysadmin, and student.
We are going to target the administrator account.
Step 19: Remember that port 22 is also exposed on demo1.ine.local. Let's find what is running on it by forwarding the port to the attacker machine.
Commands

We have forwarded port 22 to local port 1234. Let's run Nmap against it to identify the service.
Command

Port 22 is running the OpenSSH service, even though the target is a Windows machine.
Step 20: Now, let's run the hydra tool through proxychains to find the valid password of the administrator user.
The proxy server is already running, so we can run the command below directly.
Command:

The brute-force attack found the valid password of the administrator user: password1.
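A password-guessing run like this one is noisy on the SSH server: a burst of "Failed password" lines from one source, then an "Accepted password" line. Note that because hydra runs through the pivot, the server sees the attempts coming from demo.ine.local (10.0.23.218), the compromised internal host, not from the attacker's Kali machine. The detector below is an added example, not part of the lab: it runs over constructed sshd log lines in OpenSSH's syslog format (the threshold and window are assumptions) and flags sources that exceed the failure threshold, noting whether a successful login followed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines in OpenSSH's syslog format. Because hydra on this page runs through the
# pivot, the failures arrive from demo.ine.local (10.0.23.218), the compromised internal host, not Kali.
SAMPLE_SSHD_LOG = """\
Jan 10 12:00:01 demo1 sshd[412]: Failed password for administrator from 10.0.23.218 port 50112 ssh2
Jan 10 12:00:01 demo1 sshd[413]: Failed password for administrator from 10.0.23.218 port 50113 ssh2
Jan 10 12:00:02 demo1 sshd[414]: Failed password for administrator from 10.0.23.218 port 50114 ssh2
Jan 10 12:00:02 demo1 sshd[415]: Failed password for administrator from 10.0.23.218 port 50115 ssh2
Jan 10 12:00:03 demo1 sshd[416]: Failed password for administrator from 10.0.23.218 port 50116 ssh2
Jan 10 12:00:04 demo1 sshd[420]: Accepted password for administrator from 10.0.23.218 port 50120 ssh2
Jan 10 12:05:00 demo1 sshd[430]: Failed password for student from 10.0.21.50 port 40000 ssh2
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
                     r"(?:invalid user )?(\S+) from (\S+) port \d+")


def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with at least `threshold` failed logins inside any `window_seconds` span, and
    record whether a successful login from that IP followed the failures (a guessed password)."""
    failures = defaultdict(list)   # ip -> timestamps of failed logins
    users = defaultdict(set)       # ip -> user names that were tried
    success_after = set()          # ips that logged in successfully after failing
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog has no year; fine within a day
        result, user, ip = m.group(2), m.group(3), m.group(4)
        if result == "Failed":
            failures[ip].append(ts)
            users[ip].add(user)
        elif ip in failures:
            success_after.add(ip)
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        peak = start = 0
        for end in range(len(times)):   # sliding window over the sorted failure times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {"failures_in_window": peak, "users": sorted(users[ip]),
                          "success_after_failures": ip in success_after}
    return alerts
```

An alert with success_after_failures set should be treated as a compromised account, not just a blocked attack; the same pattern from an internal address is also the signal that the source host itself may already be compromised.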
Step 21: Now, we can use the Metasploit Framework ssh_login module to gain a shell.
Let's select the ssh_login module and check all the available options.
Commands:

We need to set the RHOSTS, USERNAME, and PASSWORD options in the module. Let's set them and run the module to gain the shell.
Commands:

We have gained the shell! Now let's interact with the session and find the flag.
Step 22: Reading the flag.
Commands:

We have found the flag: a3dcb4d229de6fde0db5686dee47145d