Source: web.cs.sunyit.edu/~ciullac/NCS430-Pentesting/NCS430ciullac...

LAB 7 - Exploitation
Craig T. Ciulla, NCS430
Ronny L. Bull
Date Assigned: 2015/03/17
Due Date: 2015/03/29

Objective:

The objective of this lab was to practice exploiting vulnerabilities present in target machines of dissimilar operating systems. These attacks leveraged the vulnerabilities detected and examined in lab 6.

1 Metasploit - Server Side Exploits

In this section, I ran exploits against server related vulnerabilities present on the Windows XP VM. These exploits relied on service vulnerabilities, default passwords, and misconfigurations present on the server being attacked.

1.1 MS08-067

The first vulnerability I exploited allowed for remote code execution in unpatched versions of Windows Vista and Windows XP.

I was able to use Metasploit with the windows/smb/ms08_067_netapi module to exploit the vulnerability.

With the proper options configured, I was able to open a Meterpreter session with a target Windows XP machine. From the newly opened session I could run commands remotely.


1.2 Webdav

The second vulnerability I exploited was the use of default passwords within the XAMPP service hosted on the Windows XP machine. With these defaults present, there was a good possibility of getting an interface through which I could manage the content hosted on the server.

Using cadaver, I was able to log into an administrator console for the service. Through this I was given control over hosted content.

Although I could continue having fun with this level of access, I was able to elevate my permissions to that of a Meterpreter shell easily enough. To do this, I compiled a PHP script which would send my machine a reverse shell when run and uploaded the script using my access through cadaver.

With my script uploaded and set to open a reverse shell upon being run, I ran a session on Metasploit to listen for the reverse shell.


After running the script, Metasploit was able to capture and hold a system level Meterpreter shell.

1.3 Open phpMyAdmin

I continued playing with my ability to upload and run scripts, though I switched from using cadaver to using the running SQL database to upload my scripts. The next script allowed me to run remote code through simple page queries. The ability to access and modify the SQL database without authentication was either a misconfiguration or a vulnerable configuration.

The script ran successfully, though it required a command to be entered as input.

Again, I used this minimal access to elevate my ability. I began by hosting the file system on my Kali machine.

From there, I used my ability to launch commands remotely to upload the Meterpreter script onto the remote machine at the default Apache path.


With the transfer successful, I was able to get the remote machine to send a reverse shell to Meterpreter.

1.4 Zervit

Another server related vulnerability I exploited was present in Zervit, but it demonstrates the risk associated with hosting any content online. The vulnerability allows for queries to be made on files hosted outside of the normal hosting directory, potentially exposing sensitive files on the machine.

To demonstrate the presence of this vulnerability, I pulled the boot.ini file present on the root of the Windows XP machine's C drive.

Although fun, having the contents of the boot.ini did not prove very useful in this case. With that in mind I pulled a potentially more useful file. The FileZilla Server.xml file located within the FileZillaFTP directory contains the names and password hashes of the FTP users. Using the proper tools, these hashes could be reversed to reveal the passwords associated with the accounts.
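The defensive counterpart to the Zervit flaw above is a request-path resolver that refuses anything climbing out of the document root. This is an added example, not code from the lab or from Zervit; the document root and request paths are constructed, and the function names are my own.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote


def resolve_request_path(docroot: str, request_path: str) -> Optional[str]:
    """Map an HTTP request path to a file inside docroot, or return None.

    A file server that skips this check serves whatever path the client
    names, which is how the Zervit section above reached C:\\boot.ini.
    """
    decoded = request_path.split("?", 1)[0]  # the query string never names a file
    # Undo percent-encoding repeatedly: "%252e%252e" decodes to "%2e%2e", then "..".
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    # A Windows host treats "\" as a separator too, so normalise it before checking.
    decoded = decoded.replace("\\", "/")
    root = posixpath.normpath(docroot)
    # Resolve "." and ".." lexically; anything that climbs above root is refused.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def is_traversal_attempt(docroot: str, request_path: str) -> bool:
    """For log review: True when the request would escape docroot."""
    return resolve_request_path(docroot, request_path) is None
```

The check is lexical, so it does not follow symlinks; on a live server also compare the real path of the result (os.path.realpath) against the real document root.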


Going even further, I attempted to download the password hashes and the password hash key for the Windows system itself [SAM]. The first attempt to do this failed, possibly due to a file permission error.

By grabbing the SAM file from a backup, I was able to bypass the permission error and retrieve the file without difficulty. Using both these files, reversing the passwords for the Windows accounts should be possible.


1.5 SLMail 5.5

Yet another server related vulnerability I exploited was one present in SLMail 5.5. This vulnerability was due to a POP3 issue making the service susceptible to a buffer overflow, documented in CVE-2003-0264.

Though the setup appeared to be correct, the exploit failed to work on the machine. This may be due to a misconfiguration on the Windows XP machine, or even a misunderstanding of the proper procedure to exploit the vulnerability.

1.6 TikiWiki CMS 1.9.8

Another server side vulnerability I leveraged was one present in a TikiWiki 1.9.8 PHP script, graph_formula.php. From this, PHP code could run on the server remotely.

Again, the result was not as expected. Though the setup appeared correct, the exploit failed to run the payload.

1.7 Very Secure FTP 2.3.4

When vsftpd 2.3.4 was released, it contained an easily exploitable backdoor. When :) was entered as the password for any valid user, a reverse shell would become available on the port.

Using the backdoor present in the server service vsftpd, I connected to the FTP service and grabbed the root shell spawned on port 6200 of the server.
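From the detection side, the backdoor described above leaves two observable traces: a smiley in the FTP login exchange and a follow-up connection to port 6200. The detector below is an added example (not part of the lab or of vsftpd); the sensor log format and the sample lines are constructed, the detector flags the smiley in either the USER or the PASS command, and the rule names and correlation window are my own choices.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sensor log lines for an FTP control channel plus a follow-up
# connection; not from the lab. Format: "<iso-time> <src:port> -> <dst:port> <payload>".
SAMPLE_LINES = [
    "2015-03-20T14:02:11 10.0.0.5:43112 -> 10.0.0.9:21 USER anonymous",
    "2015-03-20T14:02:11 10.0.0.5:43112 -> 10.0.0.9:21 PASS guest",
    "2015-03-20T14:03:40 10.0.0.5:43190 -> 10.0.0.9:21 USER ftpuser:)",
    "2015-03-20T14:03:40 10.0.0.5:43190 -> 10.0.0.9:21 PASS anything",
    "2015-03-20T14:03:41 10.0.0.5:43201 -> 10.0.0.9:6200 id",
    "2015-03-20T15:10:00 10.0.0.7:51000 -> 10.0.0.9:6200 hello",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<payload>.*)$"
)
TRIGGER = ":)"          # the smiley that arms the vsftpd 2.3.4 backdoor
BACKDOOR_PORT = 6200    # where the armed backdoor listens
WINDOW_SECONDS = 300    # how long after a smiley login a 6200 connection is correlated


def detect_vsftpd_backdoor(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per suspicious event, in log order."""
    alerts: List[Dict[str, str]] = []
    armed: Dict[tuple, datetime] = {}  # (src, dst) -> time of the last smiley login
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a record in the expected format; skip rather than guess
        ts = datetime.fromisoformat(m["ts"])
        src, dst, dport, payload = m["src"], m["dst"], int(m["dport"]), m["payload"]
        cmd, _, arg = payload.partition(" ")
        if dport == 21 and cmd.upper() in ("USER", "PASS") and TRIGGER in arg:
            # Rule 1: the smiley inside a login command, whichever field carries it.
            armed[(src, dst)] = ts
            alerts.append({"rule": "vsftpd-smiley-login", "src": src, "dst": dst, "detail": payload})
        elif dport == BACKDOOR_PORT:
            # Rule 2: a 6200 connection shortly after an armed login is the shell itself;
            # without a prior trigger it still deserves a lower-confidence alert.
            seen = armed.get((src, dst))
            recent = seen is not None and (ts - seen).total_seconds() <= WINDOW_SECONDS
            rule = "vsftpd-backdoor-shell" if recent else "port-6200-connection"
            alerts.append({"rule": rule, "src": src, "dst": dst, "detail": payload})
    return alerts
```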


1.8 NFS mount to SSH

The server also hosts the user directory as a share, allowing for read and write access when mounted. With this in mind, I should be able to mount the share and add the public key of the Kali VM to allow for passwordless ssh access.

As shown by the screenshot above, the MU VM had kernel panicked. I spent some time troubleshooting from the Kali machine when the NFS share would not mount, only for MU to be the issue.

Though I was able to mount the share successfully, the MU VM continued to kernel panic and made continuing difficult.


After several reboots and some patience, I was able to properly follow my procedure to gain SSH root access.
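The NFS-to-SSH path above works because of how the share is exported. As an added defender's check (not part of the lab report or of the MU VM's configuration), the audit below reads /etc/exports and flags the conditions that make it possible; the two exports files are constructed examples, and the rules and messages are my own choices.

```python
import re
from typing import List, Tuple

# Constructed /etc/exports contents (hypothetical, not the lab's configuration):
# the first shares home directories to any host with root squashing turned off.
EXPORTS_WEAK = """\
# home directories for the lab network
/home *(rw,no_root_squash,sync)
/srv/pub 10.0.0.0/24(ro,sync)
"""
EXPORTS_FIXED = """\
/home 10.0.0.0/24(rw,root_squash,sync)
/srv/pub 10.0.0.0/24(ro,sync)
"""

ENTRY_RE = re.compile(r"^(?P<path>\S+)\s+(?P<clients>.+)$")
CLIENT_RE = re.compile(r"(?P<host>[^\s(]+)(?:\((?P<opts>[^)]*)\))?")

Finding = Tuple[int, str, str, str]  # (line number, export path, client spec, message)


def audit_exports(text: str) -> List[Finding]:
    """Flag exports that would let an NFS client plant files such as authorized_keys."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        path = m["path"]
        for cm in CLIENT_RE.finditer(m["clients"]):
            host = cm["host"]
            opts = [o.strip() for o in (cm["opts"] or "").split(",") if o.strip()]
            writable = "rw" in opts
            if host == "*" or host.startswith("*."):
                findings.append((lineno, path, host, "export is visible to any client"))
            if writable and "no_root_squash" in opts:
                findings.append((lineno, path, host, "rw with no_root_squash: client root writes as server root"))
            if writable and (path == "/home" or path.startswith("/home/")):
                findings.append((lineno, path, host, "home directories writable: ~/.ssh/authorized_keys can be planted"))
    return findings
```

A client spec with no parenthesised options produces no findings here, because exportfs defaults to ro and root_squash; the remaining finding on the fixed file is the inherent exposure of any writable home export, which needs compensating controls rather than a config change.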

2 Password Attacks

While leveraging detected vulnerabilities is the path with a likelier chance of success, password based attacks are simpler and do not rely on a vulnerable service being present.

2.1 FTP

Using my knowledge of the FTP user accounts on the target machines, I attempted to brute force the passwords.

Using the built in JTR password list failed, which I thought was strange as the password that would have allowed a successful login was in that file.


Suspicious of the results, I attempted to brute force the FTP service using a password file containing only the password. When that failed, I manually logged in to the ftp service using the password in question to verify its validity. With the account accessible through a manual login, I assume Hydra may be missing a prerequisite to run correctly.

2.2 JTR

Using the sam and system files captured from the Windows XP VM earlier, I attempted to recover the Windows account password hashes.

While this was successful, the found accounts brought the freshness of the hashes into question. One of the known accounts on the system, georgia, was not within the listing of users.


Using the ms08_067_netapi module in Metasploit to open a Meterpreter session, I ran the command hashdump to pull a fresh copy of the Windows account hashes.

With the fresh password hashes, I used JTR to brute force the passwords from the hashes. This was successful for three of the accounts accessible on the VM, leaving only one accessible account uncracked.

With the Windows XP password hashes tested, I grabbed the MU hashes to test as well.


As shown, JTR was able to find the passwords for six of the seven accounts present on the machine.

3 Metasploit - Client Side Exploits

In this section I practiced running exploits on client systems. Since such systems are not likely hosting content or actively listening for many incoming connections by default, it is usually the case that a targeted user must run an exploit manually. For the sake of simplicity, only the creation of the exploit will be addressed. The exploit will be run on the target system automatically.

3.1 Failed Attempts

At first I tried using an IE browser vulnerability to spawn a Meterpreter shell, only Metasploit would crash when attempting to serve the malicious page.

The next attack I attempted was the creation and transport of a PDF set to spawn a shell when run.


Like with similar reverse shell related exploits, I set Metasploit to watch for a reverse shell on the target VM. Unexpectedly, running the PDF had no result and a reverse shell was never captured.

With the bad luck trend faced so far, I revisited the PDF related exploits in hopes of some good luck. Using the adobe_pdf_embedded_exe module in Metasploit, I attempted to create a PDF which would open a reverse TCP shell with my Kali VM upon execution. Like previous client side attempts, this failed. In this particular instance, I could not find a PDF compatible with the module.


3.2 Java based exploits

My first success in client side exploitation, even if only partially, was using a Java related exploit.

Using the java_jre17_jmxbean exploit with the reverse_http payload, I attempted to gain a Meterpreter shell on the targeted VM. Though this was a failure from the perspective of its intended purpose, it curiously gave me the equivalent of a telnet banner grab.

Not quite ready to give up, I attempted the exploit using several of the available options. While the errors were all dissimilar, none resulted in any notable progress. Featured above was my attempt at using the reverse_tcp payload from a non-default port.

Still in hope of success, I attempted to use the java_signed_applet module to create and serve a signed Java applet to the target machine. The applet would prompt the user to allow the malicious code to be run, bypassing the need for a Java vulnerability as leverage. This failed due to the recommended payload not being listed as compatible with the exploit. Some others were tried, but ultimately another exploit was placed on hold.

With my hope dwindled, I began to wonder if either my Kali or Windows XP VM were tampered with between the successful beginning of the lab and now. The next attempt was to use the browser_autopwn module to fingerprint the browser and detect and make use of discovered vulnerabilities. This search generated the error "No exploits," giving my earlier thoughts some merit.

3.3 Winamp based exploits

With little success in the PDF and Java based exploits, I attempted to run an exploit hidden within a Winamp configuration file. As it was common to modify the Winamp configuration files when installing an intricate Winamp skin, a maliciously modified configuration file was a very real threat on early versions of Winamp.

I used the Metasploit module winamp_maki_bof to do just that. With it compiled correctly, I sent it over to my Windows 7 VM with my fingers crossed.


With the proper setup, the exploit ran successfully and I was given an administrator level Meterpreter shell.
