OSCP Prep – Episode 7: Exploits (Part 1)

Finally, after studying a range of theoretical concepts and collecting even more information, I began to exploit my virtual machines.
Some of the exploits are complicated whilst some are as simple of abusing default configuration passwords, but all exploits are dangerous in the wrong hands. This section about running the exploits almost exclusively uses vulnerabilities and information gathered earlier, so it was satisfying to reap those rewards, so to speak.

Georgia’s book had a wide range of exploit examples across a range of vulnerabilities. Unfortunately, the book really started to show it’s age, as I was unable to recreate the majority of these exploits despite my best efforts. Nevertheless, they were good learning opportunities and in the Cybrary videos she went through each one alongside a screen recording which helped to get a better grasp on what was happening.

A brief description of each exploit is as follows:

Exploiting MS08-067

This was one of the few that did work, by revisiting the first ever vulnerability I exploited, MS08-067. Having now understood more about payloads, I exploited the vulnerability again with a reverse_tcp payload as well as a bind_tcp payload to open a meterpreter session.

For revisions sake, here are the two types of payloads that can be used:

Staged Payload – These payloads execute in stages, where the initial string does not contain information to create the reverse shell but instead has information that connects back to the attack machine to ask for further information/instructions. Staged payloads require less memory as the payload does not contain all the necessary code for an exploit.

Inline Payload – Also known as single payloads, these strings contain all necessary code for completion of an exploit. Because the payload does not need to go back and forward between the host and attack machines, they are more stable and consistent.

The custom payload written for Metasploit is Meterpreter, which is loaded to the memory of a machine and not to the disk. This allows meterpreter shells to bypass IPS or IDS systems and also encrypts communication to Metasploit with TLS.
Meterpreter sessions also have useful functions, such as hashdump, which I used to gain hashes of local Windows passwords. These hashes can be used to crack the plaintext passwords which we see in Episode 8.

 Exploiting Default Credentials

When a service uses or has the default credentials enabled, it is extremely easy to gain access and compromise that service. For example, the XAMPP installation of Windows XP machines used default credentials for the WebDAV folder, which is used to upload files to a web server. This means PHP scripts or payloads could be uploaded to the web server to execute commands and gain control over the target. Because the WebDAV folder has system level privileges, it is then possible to take complete control of the Windows system.
This is living proof that giving web server software system privileges is a bad idea!

Exploiting Directory Traversals

The Zervit server on port 3232 had a directory traversal vulnerability, which allowed unauthenticated download access from the remote system. Using the boot.ini configuration file, other files were able to be downloaded. For example, the Windows Security Accounts Manager (SAM) file containing password hashes was downloaded from WINDOWS/system32/config/sam

Exploiting a Compromised Service

The FTP server on the Linux virtual machine used a banner for Very Secure FTP 2.3.4, which is vulnerable to a backdoor. The backdoor code was a simple smiley face, “:)”
Using the “:)” backdoor at the end of the username login gave access to a root shell, which gives total control over the target machine. Again, password hashes were downloaded using the command cat /etc/shadow

exploit

Gaining root access by exploiting the “:)” FTP backdoor. Using netcat with the whoami command proves we have root access. If only all exploits were this easy 🙂

Concluding Thoughts

Like all things, some exploits were far more straight forward than others. In cases where default credentials or easy backdoors were implemented, the corresponding exploits were so easy almost anyone execute them. Even using the Metasploit modules and payloads were relatively straightforward.
In my opinion, this highlights how important Enumeration – information gathering and vulnerability scanning is when it comes to penetration testing. Without having the correct legwork done beforehand, there would have been no way to know these exploits were available. It seems as though the hardest part about penetration testing is gathering the correct information and being able to analyze the data to understand how they might be vulnerable and what ways they can be exploited.
At this stage, I am hoping that the ability to analyze and recognize these things will come with time, practice and a lot of hard work.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s