Last week we performed an in-depth vulnerability scan against MS2 and it produced
quite a few findings. In the lecture we went through some examples of how to
find and perform some exploits based on those results. In this assignment you will
continue performing exploits using Metasploit.
In your virtual environment you'll need to launch MS2 and Kali. In Kali you'll
need to launch Firefox and pull up the Nessus scan results (http://kali:8834).
NOTE: It is possible that the Nessus service is no longer running (in which case
the page will not load). If so, go to the command line and restart the Nessus
service: sudo systemctl start nessusd
If the page loads but shows an error saying the API is not enabled, clear the
Firefox cache and then refresh the page.
Create a text document that you will upload into Canvas as evidence of your work.
In the text document create three all-caps headers corresponding to the
headers below.
Effective pentesters rely on a store of background knowledge when trying to
compromise a system. Some background information that may be helpful:
- We know that Apache v2.2.8 is running on port 80.
- Apache is a widely used web server.
- Many Apache installations also serve PHP, a server-side scripting language.
- PHP applications are a common target for attackers.
Do these steps:
- (1 pt) Search your Nessus scan results for “PHP” and determine what version
of PHP is running under Apache on MS2. What PHP version does Nessus
report?
- (2 pts) Do a web search for that PHP version together with the terms PHP and
exploit. Jot down a couple of vulnerabilities that may have pre-built
exploit modules in Metasploit.
- Start msfconsole in Kali and switch to the ms2 workspace. Don't run
any DoS exploits because we don't want to crash MS2. Try a built-in
Metasploit exploit and see if you can get a meterpreter shell. If you have
tried several and can't find one that works, narrow your
search by typing this command in msfconsole: “search php cgi shell”.
Once you have access, enter a meterpreter command that shows who the
current user is.
- (2 pts) In your text document enter the msfconsole commands you used to
set up the exploit, run it, and determine the user.
- (1 pt) Take a screen shot showing the exploit and the command used to
determine the user.
- Take a moment to explore from the command line to see how powerful
the shell is. After exploring do the following:
- (1 pt) In your text document answer this question: What kind of access
did this shell provide? Specifically, were there any directories
you were prevented from accessing?
- (1 pt) Do a brief internet search on this user name and see what you
can learn about this user. Type in your text document a sentence
summarizing what you learned.
Samba is a favorite target of pentesters. Let's go:
- (1 pt) In msfconsole do this: “search samba”. There are quite
a few results that match. Let's focus on a Linux exploit called trans2open.
Go ahead and run the exploit, setting options as needed. In your text document
show the commands you tried and the results of the attempted exploit.
- Let's try another search: “search samba shell” to see if any
of these may result in opening a shell. This search should have three
results. Only two of those are exploits. Try those exploits. One of them
should work. Once you identify the working exploit, issue commands that
will identify which user is active. NOTE: This exploit does not create
a meterpreter shell so you can't use meterpreter commands. Also, it
does not return a prompt, but instead appears to hang. You can still
type commands at this blank prompt, though. NOTE: You can type CTRL-C
to exit the shell when you are finished.
- (2 pts) In your text document enter the msfconsole commands you used to
set up the exploit, run it, and determine the user.
- (1 pt) In your text document answer this question: What do you know
about the privileges of the user for this shell?
- (1 pt) Take a screen shot showing the exploit and the command used to
determine the user.
PostgreSQL is a database management system. In this particular case if you
search Nessus scan results for “PostgreSQL” you will not find much
information of value. Our original nmap scan did give us some version
information though. Let's get started:
- (1 pt) What version of PostgreSQL is running on MS2? Record this
in your text document.
- (1 pt) What port is the PostgreSQL service running on? Record
this in your text document.
- Do the next steps without performing an internet search.
Find a working Metasploit exploit that will give you shell access
to MS2. If you get stuck, read one or more of the hints at the end of this
section. Record your results as follows:
- (2 pts) In your text document enter the msfconsole commands you used to
set up the exploit, run it, and determine the user.
- (1 pt) What user privileges were in place for this shell?
- (1 pt) Take a screen shot showing the exploit and the command
used to determine the user.
- Hint 1: PostgreSQL is often referred to by a nickname: postgres
- Hint 2: Remember, MS2 is running postgres on a Linux box, so you
should focus on Linux-specific exploits before looking at multi-OS
exploits.
- Hint 3: It may take a few seconds for the exploit to complete so don't
assume failure if you don't get a result right away.
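For the "what kind of access did this shell provide" and "what do you know about the privileges of the user" questions in all three sections (the PHP, Samba and PostgreSQL shells), here is a small POSIX sh triage script you can paste into the shell you land in. It is an added example written for this assignment, not a Metasploit module and not part of the course materials. The list of paths checked in triage() is an assumption about what is worth probing on a Linux target; change it to suit what you find.

```sh
#!/bin/sh
# Post-exploitation access triage for a raw (non-meterpreter) shell.
# Added example for this assignment; not a Metasploit module.
# POSIX sh only: the shells these exploits drop are usually a bare /bin/sh
# with no prompt, so every function prints plain lines you can copy into
# your notes. Run it with `sh triage.sh`, or paste the functions into the
# session and then type `triage`.

# Print the effective user and say whether it is root.
whoami_report() {
    uid=$(id -u)
    name=$(id -un)
    if [ "$uid" -eq 0 ]; then
        printf '%s (uid %s): ROOT, full access\n' "$name" "$uid"
    else
        printf '%s (uid %s): unprivileged\n' "$name" "$uid"
    fi
}

# Classify each path given as an argument from this user's point of view:
#   missing  - path does not exist (or its parent cannot be entered)
#   denied   - exists but this user cannot read it (or enter it, for a dir)
#   readable - can read/list it but not modify it
#   writable - can also create or modify files there
dir_access() {
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            st=missing
        elif [ ! -r "$p" ]; then
            st=denied
        elif [ -d "$p" ] && [ ! -x "$p" ]; then
            st=denied
        elif [ -w "$p" ]; then
            st=writable
        else
            st=readable
        fi
        printf '%s %s\n' "$p" "$st"
    done
}

# Report whether this user can run anything through sudo without a
# password. -n makes sudo fail instead of prompting, which matters in a
# shell that has no tty and would otherwise hang on the password prompt.
sudo_report() {
    if ! command -v sudo >/dev/null 2>&1; then
        echo "sudo: not installed"
    elif sudo -n -l >/dev/null 2>&1; then
        echo "sudo: passwordless sudo available (run 'sudo -n -l' for details)"
    else
        echo "sudo: no passwordless sudo"
    fi
}

# One-shot summary. The path list is an assumption about what is worth
# checking on a Linux target; adjust it for the box you are on.
triage() {
    whoami_report
    sudo_report
    dir_access /root /home /etc/shadow /etc/passwd /var/www /tmp
}
```

From a meterpreter session, type shell first to drop to /bin/sh before pasting this in. In the Samba session, which shows no prompt, paste the function definitions and then type triage on its own line; the output still comes back even though no prompt is drawn. A path under a directory you cannot enter is reported as missing because the shell cannot stat it, so treat missing on a path you know should exist as a denial as well.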
Turn in your work by uploading your completed text document and your screenshots
to this assignment in Canvas.