PentesterAcademy Vulnerable Servers II Lab Write-Up | metasploit-pivoting
Lab Link : https://attackdefense.pentesteracademy.com/challengedetails?cid=1747
Vulnerable Servers II is a lab from PentesterAcademy, rated as easy. The lab topology shows two machines, which means there are two targets and the attacker has to pivot through the first machine in order to reach the second and get the flag from the final target.
First, select the nearest server and click on Run the lab.
Once the lab is up, a web-based terminal opens in the browser. First, check the IP address of the attacking machine.
We can see that there are two interfaces. As per the instructions, the first target machine should be 192.17.147.3. Let’s perform an Nmap scan of the target.
The scan result shows that TCP port 8080 is open and is running an Apache Tomcat web server / Coyote JSP engine 1.1. Let’s try to connect to the web server using netcat.
We can see that the web server is running OpenKM, a Document Management System. Let’s do a Google search for vulnerabilities in OpenKM. The search results show an exploit-db link associated with an OpenKM vulnerability, CVE-2019-11445.
On searching further, I found that there is a Metasploit module to exploit this vulnerability in OpenKM. Let’s use Metasploit to perform the exploitation.
However, a simple module search for OpenKM doesn’t return anything, so I have used the module path directly.
Metasploit Module (exploit/multi/http/openkm_upload_jsp_exec)
Let’s set the options. The target RHOSTS is 192.17.147.3 and the LHOST is our attacking machine, 192.17.147.2. Run the module.
Running the exploit module opens up a remote shell successfully.
Check the IP address configuration of the machine. This reveals our next target. Following the instructions, the IP address of our final target should be 192.147.13.3.
Background the session; now we need to pivot in order to access the final target. To pivot using Metasploit, we need an active Meterpreter session.
Let’s upgrade our current remote shell session to a Meterpreter session. For this, use the post/multi/manage/shell_to_meterpreter module.
Run the module and it will give us a Meterpreter session. Verify using the show sessions command.
Now let’s add the route. This is the first step in configuring pivoting. Metasploit has a module named autoroute; use it to add the route so that we get access to the target network. We have added the route successfully. Verify the route using the route command.
Now the target is accessible, so let’s perform a TCP port scan to identify the open ports on the machine.
To perform a port scan, use the auxiliary/scanner/portscan/tcp module.
Set the target RHOSTS to 192.147.13.3 and the ports to 1-1000, which means we are scanning the first 1000 ports.
The scan results show that TCP port 21 is open on the target server. We need to dig deeper into the machine and break into it. First, configure a port forward so that we can access the machine locally from the attacking machine.
Access the Meterpreter session and configure port forwarding. I am assigning local port 5555 to 192.147.13.3:21. This enables us to access the target machine on localhost:5555.
Now, perform an Nmap scan to identify the service.
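To make concrete what the port forward does, here is an added example in Python (not part of the original write-up and not Metasploit's own code): a constructed stand-in service plays the role of 192.147.13.3:21, a small TCP relay plays the role of Meterpreter's portfwd, and a banner grab through the local port shows what a service scan of localhost:5555 is really talking to. All hosts, ports and the banner text are constructed for the example.

```python
import socket
import threading
from contextlib import suppress

# Constructed stand-in for the greeting the write-up's Nmap scan reported; not real ProFTPD.
FAKE_BANNER = b"220 ProFTPD 1.3.3c Server (constructed sample) [127.0.0.1]\r\n"

def _pump(src, dst):
    """One direction of the relay: copy bytes until either side closes."""
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    for s in (src, dst):  # tear down both ends so the other direction stops too
        with suppress(OSError):
            s.shutdown(socket.SHUT_RDWR)

def start_fake_ftp():
    """Plays the role of 192.147.13.3:21 in the write-up; returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def serve():
        while True:
            conn, _ = srv.accept()
            conn.sendall(FAKE_BANNER)
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def start_forward(remote_host, remote_port, local_port=0):
    """What `portfwd add -l <local_port> -p <remote_port> -r <remote_host>` sets up."""
    lst = socket.socket()
    lst.bind(("127.0.0.1", local_port))
    lst.listen()
    def accept_loop():
        while True:  # each local connection gets its own relay to the remote service
            client, _ = lst.accept()
            upstream = socket.create_connection((remote_host, remote_port))
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return lst.getsockname()[1]

def grab_banner(host, port):
    """Connect and read the greeting, as a service scan of localhost:5555 would."""
    with socket.create_connection((host, port), timeout=5) as s:
        return s.recv(1024).decode().strip()

if __name__ == "__main__":
    print(grab_banner("127.0.0.1", start_forward("127.0.0.1", start_fake_ftp(), 5555)))
```

Because the scanner only ever sees 127.0.0.1:5555, the banner it reports belongs to the remote service behind the relay, which is why the Nmap result in the next step names ProFTPD rather than anything on the attacking machine.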
The scan result shows that the target server is running ProFTPD version 1.3.3c. Let’s search for any known Metasploit modules for ProFTPD.
We can see multiple modules related to ProFTPD, but for our version 1.3.3c, let’s use the exploit/unix/ftp/proftpd_133c_backdoor module.
Set the target machine IP as RHOSTS and select the payload cmd/unix/bind_perl. Run the exploit, and we get a root shell.
The flag is present in the root (/) directory. Copy the flag and verify it.
The target was successfully compromised and the flag grabbed, so the objective of the lab is complete. The lab was extremely good for learning and practicing pivoting using Metasploit.