Hello aspiring hackers. Today we will learn about Linux Configuration Enumeration POST Exploit. After getting a successful meterpreter session on the target Linux system (as shown here or here), the next logical step is to perform some enumeration on the target Linux machine. Metasploit has many POST exploits corresponding to Linux enumeration.
The first module we will see is Linux configuration enumeration. The enum_configs module is used to collect information from the configuration files found of applications commonly installed in the system. These applications may include Apache, Nginx, Snort, MySQL, Samba, Sendmail, sysctl, cups, lampp and SNMP etc. This POST module searches for a config file in the application’s default path and if the application exists on the target system, the module will download the files and store it.
If the application doesn’t exist or the config file is moved from its default location, this module will display the “file not found” message. (Just like any POST exploit or as shown in the shell_to_meterpreter exploit, we need to background the current session and load the POST module as shown above. Then set the session id and run the exploit). Here is the enum configs module in action as shown below.
Hello aspiring hackers. The module we will learn about today is the Git Submodule Command Execution Exploit. If you are a developer, cyber security enthusiast or at least a computer user, you should have definitely used (or heard about) Github. Git is an open source version control system developed by none other than the awesome Linus Trovalds (yes the same guy who created Linux).
It is a system designed to keep in touch with constant changes made to the code of software by developers. GitHub is a popular hub where developers store their projects and network with like minded people. Github stores information in a data structure called a repository. The particular module exploits a vulnerability in Git submodule.
Git submodules allow users to attach an external repository inside another repository at a specific path. This vulnerability in the Git submodule can be exploited by an attacker who can change the URL of a sub- module in a repository. This URL in the submodule can be changed to point towards a malicious link.
This module is a local exploit and works on Git versions 2.7.5 and lower. Now let us see how this module works. Start Metasploit and load the exploit as shown below. Type command “show options” to see all the options we need for this module to run.
First, we need to configure the malicious Git server. Set the options : LHOST, git_uri and Iport options as shown below. The git_uri option sets the malicious git submodule. Use command “run” to start our Git server. As the user git clones from our URL, we will get a command session on the target.
Now we need to send this malicious Git url to our intended victims. Probably it should be set as a software to convince the users to clone into their machine. Here we are testing this on KaIi Linux 2016 machine which has the vulnerable version of Git installed. We need to instruct the user to update the submodule just cloned. Let us see what happens on the victim machine.
As this happens in our victim system, we will already get a command shell on our attacker system as shown below.
We can see the active sessions using the command “sessions”.
In the previous howto, we saw how information about the services running in the target system can help us in researching about them and finding vulnerabilities in those software. For example, imagine I am a black hat who performed a Nmap scan on the target (in this case, Metasploitable). The target has displayed so many banners of the services running.
Let us see if we can try out the FTP service at port 21 to get access to the system. Since I am a black hat, assume I have not performed any automated vulnerability scan. Following the process shown in the last howto, I google about vsftpd 2.3.4.
I got a lot of information about the FTP service at port 21. Vsftpd stands for very secure FTP daemon and the present version installed on Metasploitable 2 (1.e 2.3.4) has a backdoor installed inside it. It seems somebody uploaded a backdoor installed Vsftpd daemon to the site. This malicious version of vsftpd was available on the master site between June 30th 2011 and July 1st 2011. So our target might be using the malicious version. While searching for exploit on exploit database, I found a Metasploit exploit for this vulnerability. So I start Metasploit and search for the exploit. I found it after some time.
I loaded the module and checked its options using “show options” command.
The only option required is the IP address of our target to be specified in the RHOST option. I set the RHOST option and execute the exploit using the “run” command.
I successfully got a shell on the target system as shown in the image above. I try out some basic Linux commands. As this shell has root privileges (shown in the above image), I decided to have a look at the passwd file of the target. Here it is.
Since we have shell access, we can perform all tasks which we perform from the terminal of a Linux system. We can even shutdown the remote system but keep in mind that you will lose your access to the system.
Hello aspiring hackers, till now we have only seen hacking windows operating systems with customized payload generators. Today we will see hacking Linux OS with Arcanus framework.
Although not as great as Windows, people using Linux OS are growing day by day. In my opinion, Linux OS is a bit easy to hack with payload generators as there is a general myth that Linux is immune to malware. Some of my friends use Linux as dual boot to keep themselves safe from virus.
Good morning friends. Today we will see about hacking Nagios with Metasploit. Nagios, also known as Nagios Core, is a free and open source computer-software application that is used to monitor systems, networks and infrastructure. It offers monitoring and alerting services for servers, switches, applications and services. It also alerts users when things go wrong and alerts them a second time when the problem has been resolved.
Versions of Nagios XI 5.2.7 and below suffer from SQL injection, auth bypass, file upload, command injection, and privilege escalation vulnerabilities. This exploit uses all these vulnerabilities to get a root shell on the victim’s machine. Now let’ see how this exploit works. Start Metasploit and load the module as shown below.
Let us set a new payload as shown below.
Set the target IP address as shown below. Use check command to see whether our target is vulnerable as shown below. If our target is vulnerable, type command “run” to execute our exploit. If everything goes right, we will get a shell on our target as shown below.
How to stay safe:
The current version of Nagios available is 5.29. Please update to the latest version.
Good evening friends, today we will see how to exploit a recent vulnerability found in Dell KACE K1000 systems. To those newbies, who don’t know what they are, the Dell KACE K1000 System Management Appliance offers a comprehensive systems management solution including initial inventory and discovery, software distribution, configuration management, patching, security vulnerability remediation, asset management, helpdesk and reporting.
This module of Metasploit exploits a file upload vulnerability in Kace K1000 versions 5.0 to 5.3, 5.4 prior to 5.4.76849 and 5.5 prior to 5.5.90547 which allows unauthenticated users to execute arbitrary commands. First of all start Metasploit and search for our exploit as shown below.
Next, load that exploit. Once the exploit is loaded, see what are the options required for our exploit to work. We will need the IP address of our target and the remote port.
Well, we already know how to find the targets if you have been following all my previous articles. Set the target IP address as shown below. See what payloads this exploit supports.
Set the payload you want. I chose the first one. Once again, check whether all options are set by typing command “show options”.
Once everything is set, use “check” command to see if our target is vulnerable. Not every system you are trying to attack is vulnerable, so keep a list of target IP’s.
Once you find a vulnerable system as shown above, type “run” command to execute our exploit. We should successfully get the remote system’s shell as shown below. Happy hacking.
Good Evening Friends. Today we will see how to hack a remote Linux PC with phpFileManager 0.9.8 rce exploit. RCE stands for remote code execution. Phpfilemanager is a complete filesystem management tool on a single file. Among the features of phpFileManager:
. server info
. directory tree
. copy/move/delete/create/rename/edit/view/chmod files and folders
. multiple uploads
. works on linux/windows
. php4/php5/apache2 compatible
. english/portuguese/spanish/dutch/french/german/italian/korean/russian/catalan translations.
It is used to manage files of webserver and it boasts of around 382 downloads per week. Its browser interface can be seen below.
We will try to hack into a Ubuntu 12.10 PC from Kali Linux using this phpFilemanager 0.9.8 rce exploit. Given below is the Video version of this howto. If you are interested in the textual version scroll down below the video version.
Start Metasploit. Search for the phpfilemanager exploit by typing command “search phpfilemanager” as shown below.
Load the exploit as shown below. Set the required options as shown below. Most of the options are all set except the remote host address, i.e your target’s IP address.
Type command “show payloads” to see the available payloads and set the payload you want. I have selected the payload highlighted below.
Set the payload and check if all required options are set by typing command “show options”.
Type command “exploit” to execute the exploit. If everything went well, you should get the remote pc’s shell as shown below.
It should look like shown below. Type command “ls” to see the contents of the present directory. as shown below. You can see the two files which we saw in our first picture. Now let us navigate to the etc directory as shown below.
And type command “vi passwd” to open the passwd file of the remote PC. Vi is the default text editor in Linux.