Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Mastering Metasploit

You're reading from   Mastering Metasploit Discover the next level of network defense with the Metasploit framework

Arrow left icon
Product type Paperback
Published in Sep 2016
Publisher Packt
ISBN-13 9781786463166
Length 440 pages
Edition 2nd Edition
Arrow right icon
Author (1):
Arrow left icon
Nipun Jaswal Nipun Jaswal
Author Profile Icon Nipun Jaswal
Nipun Jaswal
Arrow right icon
View More author details
Toc

Table of Contents (11) Chapters Close

Preface 1. Approaching a Penetration Test Using Metasploit FREE CHAPTER 2. Reinventing Metasploit 3. The Exploit Formulation Process 4. Porting Exploits 5. Testing Services with Metasploit 6. Virtual Test Grounds and Staging 7. Client-side Exploitation 8. Metasploit Extended 9. Speeding up Penetration Testing 10. Visualizing with Armitage

Vulnerability analysis of HFS 2.3

According to the CVE details for this vulnerability (CVE-2014-6287), the findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (otherwise known as HFS or HttpFileServer) 2.3x (in versions prior to 2.3c) allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.

Here is the vulnerable function:

function findMacroMarker(s:string; ofs:integer=1):integer;
 begin result:=reMatch(s, '\{[.:]|[.:]\}|\|', 'm!', ofs) end;

The function will not handle a null byte safely, so a request to http://localhost:80/search=%00{.exec|cmd.} will stop regex from parsing the macro, and remote code injection will happen.

Exploitation and post exploitation

Let us find the relevant exploit module via the search command in Metasploit in order to load the exploit for the HFS 2.3 server:

Exploitation and post exploitation

We can see we have the exploit/windows/http/rejetto_hfs_exec module matching the vulnerable target. Let's load this module using the use command and set the RHOST option to the IP address of the target and RPORT to 8080. We must also configure the payload as windows/meterpreter/reverse_tcp and set HOST to our IP address and LPORT to 4444 (or anything usable). Once all the options have been configured, let's see if everything is set properly by issuing the show options command as follows:

Exploitation and post exploitation

We can see that we have everything set on our module and we are good to exploit the system using the exploit command, as follows:

Exploitation and post exploitation

Bingo! We breached the server, and we are inside it. Let us perform some post exploitation tasks as follows:

Exploitation and post exploitation

We successfully gained access to a Windows Server 2012 box with Administrator privileges. Let us issue the getsystem command and escalate the privileges to system level. We can see in the preceding screenshot that the privileges are now changed to SYSTEM.

Let's explore more and run some basic post exploitation commands, such as getpid and ps, which are used to gather the list of running processes. The getpid command is used to print the process ID in which meterpreter resides, as shown in the following screenshot:

Exploitation and post exploitation

We can see that we have the process ID 2036, which corresponds to eIJDRPTHQ.exe. Therefore, if an administrator kills this particular process, our meterpreter session is gone. We must escalate our access to a better process, which should evade the eyes of the administrator. The explorer.exe process is a good option. We will migrate to explorer.exe, the main process on Windows-based distributions, as follows:

Exploitation and post exploitation

Once migrated, we can check the current process ID by issuing the getpid command as shown in the preceding screenshot. We can gather password hashes from the compromised system using the hashdump command, which can be seen in the following screenshot:

Exploitation and post exploitation

After gathering the hashes, we can always execute a pass-the-hash attack and bypass the limitation of not having a plain text password.

Note

Refer to http://www.cvedetails.com/vendor/26/Microsoft.html for more information on various vulnerabilities in Windows based operating systems. Refer to http://www.cvedetails.com/top-50-vendors.php?year=0 for more information on vulnerabilities in the top 50 vendors in the world.

You have been reading a chapter from
Mastering Metasploit - Second Edition
Published in: Sep 2016
Publisher: Packt
ISBN-13: 9781786463166
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image