Metasploitable/Apache
From charlesreid1
Metasploit HTTP Modules
First, here's a list of the scanner modules related to HTTP: https://www.offensive-security.com/metasploit-unleashed/scanner-http-auxiliary-modules/
This has a number of interesting modules to do the following:
- check if https certificates are expired
- check if directory listings are enabled on servers
- scan for directories
- bypass authentication using webdav unicode vulnerability [1]
- use delicious.com to farm links
- use archive.org to farm links
- check for presence of interesting files
- brute-force https login
- look for open proxy servers
- query IP addresses for web servers and capabilities
- find robots.txt
- grab SSL certificate information
- get web server version
- brute-force tomcat manager application login
- bypass authentication using different HTTP verbs
- scan servers for webdav, content disclosure via webdav
- brute-force Wordpress logins
Whew!
Where to Start
This article will cover techniques for exploiting the Metasploitable Apache server (running Apache 2.2.8). It will start with some general techniques (which work against most web servers), then move on to Apache-specific ones.
This will also ignore the Tomcat server - we'll get to that later.
More routes to attack the Metasploitable machine are over at Metasploitable/Apache/Python
dir listing
The dir_listing module did not turn up anything useful:
msf > use auxiliary/scanner/http/dir_listing
msf auxiliary(dir_listing) > show options

Module options (auxiliary/scanner/http/dir_listing):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PATH     /                yes       The path to identify directoy listing
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

msf auxiliary(dir_listing) > set RHOSTS 10.0.0.27
RHOSTS => 10.0.0.27
msf auxiliary(dir_listing) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(dir_listing) >
dir scanner
The dir_scanner module turned up a few finds:
msf auxiliary(dir_listing) > use auxiliary/scanner/http/dir_scanner
msf auxiliary(dir_scanner) > show options

Module options (auxiliary/scanner/http/dir_scanner):

   Name        Current Setting                                          Required  Description
   ----        ---------------                                          --------  -----------
   DICTIONARY  /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt  no        Path of word dictionary to use
   PATH        /                                                        yes       The path to identify files
   Proxies                                                              no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                               yes       The target address range or CIDR identifier
   RPORT       80                                                       yes       The target port
   THREADS     1                                                        yes       The number of concurrent threads
   VHOST                                                                no        HTTP server virtual host

msf auxiliary(dir_scanner) > set RHOSTS 10.0.0.27
RHOSTS => 10.0.0.27
msf auxiliary(dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for 10.0.0.27
[*] Found http://10.0.0.27:80/cgi-bin/ 404 (10.0.0.27)
[*] Found http://10.0.0.27:80/doc/ 200 (10.0.0.27)
[*] Found http://10.0.0.27:80/icons/ 200 (10.0.0.27)
[*] Found http://10.0.0.27:80/index/ 200 (10.0.0.27)
[*] Found http://10.0.0.27:80/test/ 200 (10.0.0.27)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(dir_scanner) >
files dir
The files_dir module checks for the presence of interesting files on the web server. By default it uses a dictionary that ships with Metasploit, /usr/share/metasploit-framework/data/wmap/wmap_files.txt, but you can also supply your own.
msf auxiliary(files_dir) > run

[*] Using code '404' as not found for files with extension .null
[*] Using code '404' as not found for files with extension .backup
[*] Using code '404' as not found for files with extension .bak
[*] Using code '404' as not found for files with extension .c
[*] Using code '404' as not found for files with extension .cfg
[*] Using code '404' as not found for files with extension .class
[*] Using code '404' as not found for files with extension .copy
[*] Using code '404' as not found for files with extension .conf
[*] Using code '404' as not found for files with extension .exe
[*] Using code '404' as not found for files with extension .html
[*] Using code '404' as not found for files with extension .htm
[*] Using code '404' as not found for files with extension .ini
[*] Using code '404' as not found for files with extension .log
[*] Using code '404' as not found for files with extension .old
[*] Using code '404' as not found for files with extension .orig
[*] Using code '404' as not found for files with extension .php
[*] Found http://10.0.0.27:80/index.php 200
[*] Using code '404' as not found for files with extension .tar
[*] Using code '404' as not found for files with extension .tar.gz
[*] Using code '404' as not found for files with extension .tgz
[*] Using code '404' as not found for files with extension .tmp
[*] Using code '404' as not found for files with extension .temp
[*] Using code '404' as not found for files with extension .txt
[*] Using code '404' as not found for files with extension .zip
[*] Using code '404' as not found for files with extension ~
[*] Using code '404' as not found for files with extension 
[*] Found http://10.0.0.27:80/dav 301
[*] Found http://10.0.0.27:80/index 200
[*] Found http://10.0.0.27:80/phpMyAdmin 301
[*] Found http://10.0.0.27:80/test 301
[*] Using code '404' as not found for files with extension 
[*] Found http://10.0.0.27:80/dav 301
[*] Found http://10.0.0.27:80/index 200
[*] Found http://10.0.0.27:80/phpMyAdmin 301
[*] Found http://10.0.0.27:80/test 301
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(files_dir) >
This turned up several additional directories compared with the dir_scanner module: directories returning HTTP code 301 (Moved Permanently).
Telnet to Explore 301s
If we use telnet to connect to port 80 and send a GET request for a resource that returns a 301, we can see more information:
root@morpheus:~# telnet 10.0.0.27 80
Trying 10.0.0.27...
Connected to 10.0.0.27.
Escape character is '^]'.
Now type out a GET request, with the location being requested, and specify the host:
GET /phpMyAdmin HTTP/1.1
Host: 10.0.0.27
Press Enter after each line; pressing Enter twice (sending a blank line) ends the headers and submits the request. This returns the following:
HTTP/1.1 301 Moved Permanently
Date: Sat, 26 Mar 2016 20:29:25 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
Location: http://10.0.0.27/phpMyAdmin/
Content-Length: 316
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://10.0.0.27/phpMyAdmin/">here</a>.</p>
<hr>
<address>Apache/2.2.8 (Ubuntu) DAV/2 Server at 10.0.0.27 Port 80</address>
</body></html>
Whoops. Looks like it is just redirecting http://10.0.0.27/phpMyAdmin to http://10.0.0.27/phpMyAdmin/.
Fixed Telnet Request
Fixing the telnet request:
root@morpheus:~# telnet 10.0.0.27 80
Trying 10.0.0.27...
Connected to 10.0.0.27.
Escape character is '^]'.
This time adding the slash at the end:
GET /phpMyAdmin/ HTTP/1.1
Host: 10.0.0.27
Now we get a phpMyAdmin page that looks like it has lots of information that could be fuzzed:
HTTP/1.1 200 OK
Date: Sat, 26 Mar 2016 20:32:16 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Set-Cookie: phpMyAdmin=8f4854280c9edc1b1b0686ca3539fd862de240a2; path=/phpMyAdmin/; HttpOnly
Set-Cookie: pma_lang=en-utf-8; expires=Mon, 25-Apr-2016 20:32:20 GMT; path=/phpMyAdmin/; httponly
Set-Cookie: pma_charset=utf-8; expires=Mon, 25-Apr-2016 20:32:20 GMT; path=/phpMyAdmin/; httponly
Set-Cookie: pma_collation_connection=deleted; expires=Fri, 27-Mar-2015 20:32:19 GMT; path=/phpMyAdmin/; httponly
Set-Cookie: pma_theme=original; expires=Mon, 25-Apr-2016 20:32:20 GMT; path=/phpMyAdmin/; httponly
Last-Modified: Tue, 09 Dec 2008 17:24:00 GMT
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
1031
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="icon" href="./favicon.ico" type="image/x-icon" />
<link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
<title>phpMyAdmin </title>
<link rel="stylesheet" type="text/css" href="phpmyadmin.css.php?lang=en-utf-8&convcharset=utf-8&token=9f26e041b3cb1009de4f2ba11f5caa2e&js_frame=right&nocache=2457687151" />
<link rel="stylesheet" type="text/css" href="print.css" media="print" />
<meta name="robots" content="noindex,nofollow" />
<script type="text/javascript">
//<![CDATA[
// show login form in top frame
if (top != self) {
window.top.location.href=location;
}
//]]>
</script>
</head>
<body class="loginform">
<div class="container">
<a href="http://www.phpmyadmin.net" target="_blank" class="logo"><img src="./themes/original/img/logo_right.png" id="imLogo" name="imLogo" alt="phpMyAdmin" border="0" /></a>
<h1>
Welcome to <bdo dir="ltr" xml:lang="en">phpMyAdmin </bdo></h1>
<form method="post" action="index.php" target="_parent"><input type="hidden" name="phpMyAdmin" value="8f4854280c9edc1b1b0686ca3539fd862de240a2" />
<input type="hidden" name="db" value="" /><input type="hidden" name="table" value="" /><input type="hidden" name="lang" value="en-utf-8" /><input type="hidden" name="convcharset" value="utf-8" /><input type="hidden" name="token" value="9f26e041b3cb1009de4f2ba11f5caa2e" /><fieldset><input type="hidden" name="phpMyAdmin" value="8f4854280c9edc1b1b0686ca3539fd862de240a2" /><legend xml:lang="en" dir="ltr">Language</legend>
<select name="lang" onchange="this.form.submit();" xml:lang="en" dir="ltr">
<option value="en-utf-8" selected="selected">English</option>
</select>
</fieldset>
<noscript>
<fieldset class="tblFooters"><input type="hidden" name="phpMyAdmin" value="8f4854280c9edc1b1b0686ca3539fd862de240a2" />
<input type="submit" value="Go" />
</fieldset>
</noscript>
</form>
<br />
<!-- Login form -->
<form method="post" action="index.php" name="login_form" autocomplete="off" target="_top" class="login"><input type="hidden" name="phpMyAdmin" value="8f4854280c9edc1b1b0686ca3539fd862de240a2" />
<fieldset><input type="hidden" name="phpMyAdmin" value="8f4854280c9edc1b1b0686ca3539fd862de240a2" />
<legend>
Log in</legend>
<div class="item">
<label for="input_username">Username:</label>
<input type="text" name="pma_username" id="input_username" value="" size="24" class="textfield"/>
</div>
<div class="item">
<label for="input_password">Password:</label>
<input type="password" name="pma_password" id="input_password" value="" size="24" class="textfield" />
</div>
<input type="hidden" name="server" value="1" /> </fieldset>
<fieldset class="tblFooters"><input type="hidden" name="phpMyAdmin" value="8f4854280c9edc1b1b0686ca3539fd862de240a2" />
<input value="Go" type="submit" id="input_go" />
<input type="hidden" name="lang" value="en-utf-8" /><input type="hidden" name="convcharset" value="utf-8" /><input type="hidden" name="token" value="9f26e041b3cb1009de4f2ba11f5caa2e" /> </fieldset>
</form>
<div><div class="warning">Cannot load <a href="http://php.net/mcrypt" target="Documentation"><em>mcrypt</em></a> extension. Please check your PHP configuration.</div><div class="notice">Cookies must be enabled past this point.</div></div></div>
<script type="text/javascript">
// <![CDATA[
function PMA_focusInput()
{
var input_username = document.getElementById('input_username');
var input_password = document.getElementById('input_password');
if (input_username.value == '') {
input_username.focus();
} else {
input_password.focus();
}
}
window.setTimeout('PMA_focusInput()', 500);
// ]]>
</script>
</body>
</html>
0
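To make the manual telnet steps above concrete, here is an added Python example (not from the original page) that parses a raw HTTP/1.1 reply, including the chunked body the phpMyAdmin page comes back with, and builds the corrected request that a 301 with a trailing-slash Location asks for. Both sample responses are constructed and trimmed versions of the ones shown above.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample: the 301 Apache returned for GET /phpMyAdmin (body trimmed)
RAW_301 = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
    "Location: http://10.0.0.27/phpMyAdmin/\r\n"
    "Content-Length: 14\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<h1>Moved</h1>"
)
# Constructed sample: a chunked 200 like the phpMyAdmin page (chunk sizes are hex)
RAW_CHUNKED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
    "Set-Cookie: phpMyAdmin=constructed; path=/phpMyAdmin/; HttpOnly\r\n"
    "Set-Cookie: pma_lang=en-utf-8; path=/phpMyAdmin/; httponly\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "6\r\n<html>\r\n7\r\n</html>\r\n0\r\n\r\n"
)

def _dechunk(data: str) -> str:
    """Reassemble a chunked body: <hex size>\\r\\n<bytes>\\r\\n ... 0\\r\\n\\r\\n."""
    out, pos = [], 0
    while True:
        end = data.index("\r\n", pos)
        size = int(data[pos:end].split(";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return "".join(out)
        out.append(data[end + 2:end + 2 + size])
        pos = end + 2 + size + 2                      # skip the chunk and its CRLF

def parse_response(raw: str) -> dict:
    """Split status line, headers and body; header names are lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    _version, code, reason = status_line.split(" ", 2)
    headers: Dict[str, List[str]] = {}
    for line in header_lines:            # repeated names (Set-Cookie) are kept as a list
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    if any(h.lower() == "chunked" for h in headers.get("transfer-encoding", [])):
        body = _dechunk(body)
    elif "content-length" in headers:
        body = body[: int(headers["content-length"][0])]
    return {"status": int(code), "reason": reason, "headers": headers, "body": body}

def follow_redirect(resp: dict, host: str) -> Optional[str]:
    """Raw request to re-issue for a redirect (the trailing-slash case above), else None."""
    if resp["status"] not in (301, 302, 307, 308) or "location" not in resp["headers"]:
        return None
    loc = urlsplit(resp["headers"]["location"][0])
    path = (loc.path or "/") + (f"?{loc.query}" if loc.query else "")
    return f"GET {path} HTTP/1.1\r\nHost: {loc.hostname or host}\r\n\r\n"
```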
Fuzzing?
Fuzzing the phpMyAdmin login page (and attacking vulnerabilities in phpMyAdmin itself) will launch us into a whole new set of tools and concepts, so we'll leave that for the Metasploit/phpMyAdmin page and others.
Metasploit Apache Modules
Searching for Apache-specific modules yields more specific exploits. This is a bit overwhelming, and doesn't help much with figuring out where to begin:
auxiliary/dos/http/apache_commons_fileupload_dos           2014-02-06  normal     Apache Commons FileUpload and Apache Tomcat DoS
auxiliary/dos/http/apache_mod_isapi                        2010-03-05  normal     Apache mod_isapi Dangling Pointer
auxiliary/dos/http/apache_range_dos                        2011-08-19  normal     Apache Range Header DoS (Apache Killer)
auxiliary/dos/http/apache_tomcat_transfer_encoding         2010-07-09  normal     Apache Tomcat Transfer-Encoding Information Disclosure and DoS
auxiliary/gather/apache_rave_creds                                     normal     Apache Rave User Information Disclosure
auxiliary/gather/impersonate_ssl                                       normal     HTTP SSL Certificate Impersonation
auxiliary/scanner/http/apache_activemq_source_disclosure               normal     Apache ActiveMQ JSP Files Source Disclosure
auxiliary/scanner/http/apache_activemq_traversal                       normal     Apache ActiveMQ Directory Traversal
auxiliary/scanner/http/apache_mod_cgi_bash_env             2014-09-24  normal     Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
auxiliary/scanner/http/apache_userdir_enum                             normal     Apache "mod_userdir" User Enumeration
auxiliary/scanner/http/axis_local_file_include                         normal     Apache Axis2 v1.4.1 Local File Inclusion
auxiliary/scanner/http/axis_login                                      normal     Apache Axis2 Brute Force Utility
auxiliary/scanner/http/mod_negotiation_brute                           normal     Apache HTTPD mod_negotiation Filename Bruter
auxiliary/scanner/http/mod_negotiation_scanner                         normal     Apache HTTPD mod_negotiation Scanner
auxiliary/scanner/http/rewrite_proxy_bypass                            normal     Apache Reverse Proxy Bypass Vulnerability Scanner
auxiliary/scanner/http/tomcat_enum                                     normal     Apache Tomcat User Enumeration
exploit/multi/http/apache_mod_cgi_bash_env_exec            2014-09-24  excellent  Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
exploit/multi/http/apache_roller_ognl_injection            2013-10-31  excellent  Apache Roller OGNL Injection
exploit/multi/http/struts_code_exec                        2010-07-13  good       Apache Struts Remote Command Execution
exploit/multi/http/struts_code_exec_classloader            2014-03-06  manual     Apache Struts ClassLoader Manipulation Remote Code Execution
exploit/multi/http/struts_code_exec_exception_delegator    2012-01-06  excellent  Apache Struts Remote Command Execution
exploit/multi/http/struts_code_exec_parameters             2011-10-01  excellent  Apache Struts ParametersInterceptor Remote Code Execution
exploit/multi/http/struts_default_action_mapper            2013-07-02  excellent  Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
exploit/multi/http/struts_dev_mode                         2012-01-06  excellent  Apache Struts 2 Developer Mode OGNL Execution
exploit/multi/http/struts_include_params                   2013-05-24  great      Apache Struts includeParams Remote Code Execution
exploit/multi/http/tomcat_mgr_deploy                       2009-11-09  excellent  Apache Tomcat Manager Application Deployer Authenticated Code Execution
exploit/multi/http/tomcat_mgr_upload                       2009-11-09  excellent  Apache Tomcat Manager Authenticated Upload Code Execution
Figuring Out Where to Begin
We recommend starting with Nikto, as covered on the Metasploitable/Apache/Python page.
This reveals the following vulnerability:
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
Load the Metasploit module to take advantage of this vulnerability:
msf > use auxiliary/scanner/http/mod_negotiation_scanner
msf auxiliary(mod_negotiation_scanner) >
More information from Metasploit documentation website: https://www.rapid7.com/db/modules/auxiliary/scanner/http/mod_negotiation_scanner
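An added Python example (not from the original page or from Metasploit) showing what the MultiViews finding above means on both sides: parsing the Alternates header that Apache's mod_negotiation returns in a 406 reply, which is the filename disclosure the scanner module looks for, and auditing an Apache Options directive for the MultiViews keyword. The 406 header value and both config fragments are constructed.

```python
import re
from typing import Dict, List

# Constructed sample: the Alternates header Apache sends with a 406 when MultiViews is on
# and the request's Accept header matches none of the variants of "index".
ALTERNATES_406 = ('{"index.php" 1 {type application/x-httpd-php} {length 891}}, '
                  '{"index.html" 1 {type text/html} {length 45}}')

_VARIANT = re.compile(r'\{"([^"]+)"\s+([0-9.]+)((?:\s*\{[^}]*\})*)\s*\}')
_ATTR = re.compile(r'\{(\w+)\s+([^}]*)\}')

def parse_alternates(value: str) -> List[Dict[str, str]]:
    """Split an RFC 2295 Alternates header into one dict per variant."""
    variants = []
    for name, qs, attrs in _VARIANT.findall(value):
        entry = {"name": name, "qs": qs}
        entry.update(dict(_ATTR.findall(attrs)))   # {type ...} {length ...} pairs
        variants.append(entry)
    return variants

def leaked_names(status: int, headers: Dict[str, str]) -> List[str]:
    """Filenames a 300/406 reply discloses through Alternates; empty when nothing leaks."""
    if status not in (300, 406) or "alternates" not in headers:
        return []
    return [v["name"] for v in parse_alternates(headers["alternates"])]

# Constructed config fragments: the weak one enables MultiViews for the docroot.
WEAK_CONF = """<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
</Directory>
"""
# Apache rejects mixing +/- with bare option names on one line, so the fix drops
# the keyword outright (a separate "Options -MultiViews" line also works).
FIXED_CONF = """<Directory /var/www/>
    Options Indexes FollowSymLinks
</Directory>
"""

def multiviews_enabled(conf: str) -> bool:
    """True if the last applicable Options directive in conf leaves MultiViews on.
    Note that "Options All" does NOT include MultiViews, so it is not treated as enabling it."""
    enabled = False
    for line in conf.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].lower() != "options":
            continue
        for tok in tokens[1:]:
            if tok.lower() in ("multiviews", "+multiviews"):
                enabled = True
            elif tok.lower() in ("-multiviews", "none"):
                enabled = False
    return enabled
```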