HW07: Exploiting MS2 due Mon 16 Oct 23:59

\begin{purpose}
In this assignment you will use the results of your Nessus scan ...
...gnment to begin performing exploits against Metasploitable2 (MS2).
\end{purpose}

Overview

Last week we performed an in-depth vulnerability scan against MS2 and it produced quite a few findings. In the lecture we went through some examples of how to find and perform some exploits based on those results. In this assignment you will continue performing exploits using Metasploit.

Setup

In your virtual environment you'll need to launch MS2 and Kali. In Kali you'll need to launch Firefox and pull up the Nessus scan results (http://kali:8834). NOTE: It is possible that the Nessus service is no longer running (causing the page to be not found). If that is the case then you'll need to go to the command line and restart the Nessus service: sudo systemctl start nessusd

If you can load the page but it gives an error saying the API is not enabled, you'll need to delete the Firefox cache and then refresh the page.

Create a text document that you will upload into Canvas as evidence of your work. In the text document create three all-caps headers corresponding to the headers below.

Apache / PHP

Effective pentesters rely on a store of background knowledge when trying to compromise a system. Some background information that may be helpful:

Do these steps:

  1. (1 pts) Search your Nessus scan results for “PHP” and determine what version of PHP is running under Apache on MS2. What is the PHP version reported by Nessus?
  2. (2 pts) Do a web search for that PHP version together with the terms PHP and exploit. Jot down a couple of vulnerabilities that may have pre-built exploits in Metasploit.
  3. Start up msfconsole in Kali and switch to the ms2 workspace. Don't run any DoS exploits because we don't want to crash MS2. Try a built-in Metasploit exploit and see if you can get a meterpreter shell. If you have tried several and you can't find something that works, you can narrow your search by typing this command in msfconsole: “search php cgi shell”. Once you have access, enter a meterpreter command that will show who the current user is.
    1. (2 pts) In your text document enter the msfconsole commands you used to set up the exploit, run it, and determine the user.
    2. (1 pts) Take a screen shot showing the exploit and the command used to determine the user.

  4. Take a moment to explore the command line a little to see if you can figure out how powerful the shell is. After exploring, do the following:
    1. (1 pts) In your text document answer this question: What kind of access did this shell provide? Specifically, were there any directories you were prevented from accessing?
    2. (1 pts) Do a brief internet search on this user name and see what you can learn about this user. Type in your text document a sentence summarizing what you learned.

SMB aka Samba

Samba is a favorite target of pentesters. Let's go:
  1. (1 pts) In msfconsole do this: “search samba”. There are quite a few results that match. Let's focus on a Linux exploit called trans2open. Go ahead and run the exploit, setting options as needed. In your text document show the commands you tried and the results of the attempted exploit.

  2. Let's try another search: “search samba shell” to see if any of these may result in opening a shell. This search should have three results. Only two of those are exploits. Try those exploits. One of them should work. Once you identify the working exploit, issue commands that will identify which user is active. NOTE: This exploit does not create a meterpreter shell, so you can't use meterpreter commands. Also, it does not return a prompt, but instead appears to hang. You can still type commands from this blank prompt, though. NOTE: You can type CTRL-C to exit the shell when you are finished.
    1. (2 pts) In your text document enter the msfconsole commands you used to set up the exploit, run it, and determine the user.
    2. (1 pts) In your text document answer this question: What do you know about the privileges of the user for this shell?
    3. (1 pts) Take a screen shot showing the exploit and the command used to determine the user.

PostgreSQL

PostgreSQL is a database management system. In this particular case if you search Nessus scan results for “PostgreSQL” you will not find much information of value. Our original nmap scan did give us some version information though. Let's get started:

  1. (1 pts) What version of PostgreSQL is running on MS2? Record this in your text document.
  2. (1 pts) What port is the PostgreSQL service running on? Record this in your text document.
  3. Do the next steps without performing an internet search. Find a working Metasploit exploit that will give you shell access to MS2. If you get stuck, read one or both of the hints at the end of this section. Record your results as follows:
    1. (2 pts) In your text document enter the msfconsole commands you used to set up the exploit, run it, and determine the user.
    2. (1 pts) What user privileges were in place for this shell?
    3. (1 pts) Take a screen shot showing the exploit and the command used to determine the user.
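The version and port questions in the PHP and PostgreSQL sections both come down to reading service banners out of scan output. As an added example (not part of the assignment, and not a Metasploit or Nessus tool), the script below parses the port table of ordinary nmap -sV output into records and pulls out the rows for a named service so they can be pasted into the evidence document. The scan output embedded in it is constructed, with placeholder version strings (X.Y) rather than the values actually reported for MS2.

```python
import re
from typing import List, NamedTuple

# Constructed sample of "nmap -sV" normal output. Ports are the standard ones
# for each service; the version strings are placeholders, not MS2's real values.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for ms2 (192.0.2.10)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH X.Y (protocol 2.0)
80/tcp   open  http        Apache httpd X.Y ((Ubuntu) PHP/X.Y)
139/tcp  open  netbios-ssn Samba smbd X.Y (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd X.Y (workgroup: WORKGROUP)
5432/tcp open  postgresql  PostgreSQL DB X.Y
"""


class Service(NamedTuple):
    port: int
    proto: str
    state: str
    name: str
    version: str


# One row of the port table: "<port>/<proto> <state> <service> [<version banner>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<name>\S+)\s*(?P<version>.*)$"
)


def parse_nmap_services(text: str) -> List[Service]:
    """Return every port-table row as a Service; banner and header lines are skipped."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            services.append(Service(int(m["port"]), m["proto"], m["state"], m["name"], m["version"].strip()))
    return services


def find_service(services: List[Service], name: str) -> List[Service]:
    """Case-insensitive match on the nmap service name or on the version banner."""
    needle = name.lower()
    return [s for s in services if needle in s.name.lower() or needle in s.version.lower()]


def evidence_lines(services: List[Service], name: str) -> List[str]:
    """Format matching rows as 'port/proto service: version' for the text document."""
    return [f"{s.port}/{s.proto} {s.name}: {s.version or '(no version reported)'}"
            for s in find_service(services, name)]


if __name__ == "__main__":
    svcs = parse_nmap_services(SAMPLE_NMAP_OUTPUT)
    for query in ("php", "postgresql"):
        print("\n".join(evidence_lines(svcs, query)))
```

Run it against a saved `nmap -sV` report by reading the file into `parse_nmap_services` instead of the constructed sample; searching "php" picks up the version from the Apache banner, which is why the lookup also matches on the version column.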

Turn In Your Work

Turn in your work by uploading your completed text document and your screenshots to this assignment in Canvas.