Mastering Metasploit, Third Edition

Take your penetration testing and IT security skills to a whole new level with the secrets of Metasploit

Author: Nipun Jaswal. Paperback, 3rd Edition, 492 pages. Published by Packt in May 2018. ISBN-13 9781788990615.

Revisiting the case study

To set up the test environment, we will require multiple operating systems with primarily two different host-only networks. Also, we will need the following components:

| Component name | Type | Version used | Network details | Network type |
|---|---|---|---|---|
| Kali Linux VM Image | Operating System | Kali Rolling (2017.3) x64 | 192.168.174.128 (Vmnet8) | Host-only |
| Ubuntu 14.04 LTS | Operating System | 14.04 (trusty) | 192.168.174.132 (Vmnet8), 192.168.116.129 (Vmnet6) | Host-only, Host-only |
| Windows 7 | Operating System | Professional Edition | 192.168.116.133 (Vmnet6) | Host-only |
| Ubuntu 16.04 LTS | Operating System | 16.04.3 LTS (xenial) | 192.168.116.133 (Vmnet6) | Host-only |
| PhpCollab | Web Application | 2.5.1 | | |
| Disk Pulse | Enterprise Disk Management Software | 9.9.16 | | |
| WinSCP | SSH and SFTP | 5.7 | | |

Revising the approach

Throughout this exercise, we performed the following critical steps:

  1. We started by conducting an Nmap scan on the target IP address, which is 192.168.174.132.
  2. The Nmap scan revealed that port 80 at 192.168.174.132 is open.
  3. Next, we fingerprinted the application running on port 80 and found Apache 2.4.7.
  4. We tried browsing to the HTTP port. However, we couldn't find anything.
  5. We ran the dir_scanner module to perform a dictionary-based check on the Apache server and found the PhpCollab application directory.
  6. We found an exploit module for PhpCollab using searchsploit and had to import the third-party exploit into Metasploit.
  7. Next, we exploited the application and gained limited user access to the target system.
  8. To improve our access mechanism, we uploaded a backdoored executable and achieved a better level of access to the target.
  9. To gain root access, we ran the exploit suggester module and found that the overlayfs privilege escalation exploit would help us achieve root access to the target.
  10. We downloaded the overlayfs exploit from https://exploit-db.com/, compiled it, and ran it to gain root access to the target.
  11. Using the same previously generated backdoor, we opened another Meterpreter shell, but this time with root privileges.
  12. We added persistence to the system by using the sshkey_persistence module in Metasploit.
  13. Running the arp command on the target, we found that there was a separate network connection to the host, which is in the target range of 192.168.116.0/24.
  14. We added a route to this network by using the autoroute script.
  15. We scanned the system found from the arp command using the TCP port scanner module in Metasploit.
  16. We saw that port 80 of the system was open.
  17. Since we only had access to the target network through Meterpreter, we used the socks4a module in Metasploit so that other tools could connect to the target through Meterpreter.
  18. With the socks proxy running, we configured our browser to use the socks4a proxy on port 1080.
  19. We opened 192.168.116.133 through our browser and saw that it was running the Disk Pulse 9.9.16 web server service.
  20. We searched Metasploit for Disk Pulse and found that it was vulnerable to an SEH-based buffer overflow.
  21. We exploited the vulnerability and gained the highest level of privileges on the target, since the software runs with SYSTEM-level privileges.
  22. We enumerated the list of installed applications and found that WinSCP 5.7 is installed on the system.
  23. We saw that Metasploit contains an inbuilt module to harvest saved credentials from WinSCP.
  24. We collected the root credentials from WinSCP and used the ssh_login module to gain a root shell on the target.
  25. We uploaded another backdoor to gain a Meterpreter shell with root privileges on the target.
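Step 5 above, the dictionary-based directory check with the dir_scanner module, is the noisiest part of this chain from the web server's point of view: every guessed directory that does not exist leaves a 404 in the Apache access log, so a burst of 404s on many distinct paths from one client is the footprint a defender can look for. The following Python script is an added example written for this page, not code from the book or from Metasploit; the Apache combined-format log lines it reads are constructed (the client and path names are assumptions, reusing the lab addresses from the table above), and the threshold and window values are assumptions to tune per environment.

```python
"""Flag clients that behave like a dictionary-based directory scanner.

Added example, not from the book. It parses Apache combined-format access
log lines and reports any client IP that produces `threshold` or more 404s
on distinct paths inside a sliding window of `window_seconds`. A normal
browser produces a handful of 404s (favicons, stale links); a wordlist
scanner produces dozens per minute.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# One Apache combined-format line, e.g.
# 192.168.174.128 - - [10/May/2018:14:22:01 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, ts, path, status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_dir_scanners(lines, threshold=10, window_seconds=60):
    """Return {ip: sorted list of 404 paths} for every client whose recent
    404s cover at least `threshold` distinct paths within `window_seconds`.
    Lines are assumed to be in chronological order, as in a live log."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, path) for 404s
    flagged = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["path"]))
        # Drop entries that have fallen out of the sliding window.
        while (rec["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) >= threshold:
            flagged[rec["ip"]].update(distinct)
    return {ip: sorted(paths) for ip, paths in flagged.items()}


# Constructed wordlist-style paths; the names are assumptions, not Metasploit's list.
SCAN_PATHS = ["/admin/", "/backup/", "/cgi-bin/", "/db/", "/images/", "/include/",
              "/login/", "/manager/", "/old/", "/phpmyadmin/", "/test/", "/tmp/"]


def build_sample_log():
    """Constructed log: one scanning client (the lab's Kali box) that guesses
    twelve directories in twelve seconds and then hits the real PhpCollab
    directory, plus one ordinary client with a single stray 404."""
    lines = []
    for i, path in enumerate(SCAN_PATHS):
        lines.append(f'192.168.174.128 - - [10/May/2018:14:22:{i:02d} +0000] '
                     f'"GET {path} HTTP/1.1" 404 209 "-" "Mozilla/4.0"')
    lines.append('192.168.174.128 - - [10/May/2018:14:22:13 +0000] '
                 '"GET /phpcollab/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"')
    lines.append('192.168.174.1 - - [10/May/2018:14:30:00 +0000] '
                 '"GET /phpcollab/index.php HTTP/1.1" 200 7100 "-" "Mozilla/5.0"')
    lines.append('192.168.174.1 - - [10/May/2018:14:30:05 +0000] '
                 '"GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, paths in find_dir_scanners(build_sample_log()).items():
        print(f"{ip}: {len(paths)} distinct 404 paths, e.g. {paths[:3]}")
```

Only 404s feed the window, so the successful hit on /phpcollab/ is not what triggers the alert; the preceding run of misses is. That is the point worth taking from the recap: the guessing that precedes a successful find is visible long before any exploit is run, and an alert on it gives time to look at what the same client does next.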