Class Activity 11.1 - The Metasploit Framework

Exploiting Cupcake with Metasploit

The following file illustrates the process of using the Metasploit Framework to achieve a foothold on Cupcake and escalate privileges to root/administrator.

Ping the host to see if it's running

ping 10.0.5.23

Run Nmap Scan to discover ports

sudo nmap -sS -vvv 10.0.5.23
  • ports found:

    • 22/tcp ssh

    • 80/tcp http

Nmap to find more about open ports

sudo nmap -sC -sV 10.0.5.23 -p 80,22 

Investigate Ports Manually

  • From manual investigation we know that the Apache 2.2.15 server is exposed to the Shellshock vulnerability

    • cgi-bin

    • CVE-2014-6278, CVE-2014-6271
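As an added defender-side example (not part of the class activity), the following Python scans Apache combined-format access-log lines for the function-definition prefix that CVE-2014-6271/CVE-2014-6278 rely on: mod_cgi copies request headers such as User-Agent and Referer into the environment of a cgi-bin script, so that prefix in a header value is the signature to hunt for. The log lines, client IPs and paths are constructed for the example.

```python
import re
from typing import Dict, List

# Shellshock marker: a header value beginning with "() {" (whitespace optional),
# which an unpatched bash parses as a function definition when it is exported
# into the CGI environment.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")

# Apache "combined" format: ip ident user [ts] "request" status size "referer" "agent".
# Quoted fields may contain backslash-escaped characters, hence (?:[^"\\]|\\.)*.
COMBINED_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample log (not captured from the lab machine). Two lines carry
# the marker: one in User-Agent against a CGI path, one in Referer against a
# static file, which cannot reach bash through mod_cgi.
SAMPLE_LOG = """\
10.0.5.7 - - [10/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.5.7 - - [10/Mar/2024:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :;}; echo shellshock-test"
10.0.5.9 - - [10/Mar/2024:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 512 "() {:;}; echo probe" "curl/7.68.0"
10.0.5.9 - - [10/Mar/2024:10:02:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "curl/7.68.0"
"""


def scan_shellshock(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose Referer or User-Agent carries the marker."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = COMBINED_LINE.match(line)
        if not m:
            continue  # not combined format or truncated: skip rather than guess
        for field in ("referer", "agent"):
            if SHELLSHOCK_MARKER.search(m.group(field)):
                hits.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "path": m.group("path"),
                    "field": field,
                    # A cgi-bin target means the header actually reaches a CGI
                    # process; elsewhere it is a probe worth logging but not an execution.
                    "cgi_target": "yes" if m.group("path").startswith("/cgi-bin/") else "no",
                })
    return hits


if __name__ == "__main__":
    for hit in scan_shellshock(SAMPLE_LOG):
        print(hit)
```

Feed real access logs through scan_shellshock and prioritise hits whose cgi_target is "yes".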

Investigating Ports with Metasploit

Starting Metasploit

Fixing outdated packages to be able to run Metasploit

When I tried to start Metasploit, it would just abort with no error. I ran dmesg | tail to figure out what the error was and it was failing because PostgreSQL 15 was obsolete and crashing due to incompatibility with system libraries like OpenSSL. The following instructions install PostgreSQL at the correct version.

  1. Install PostgreSQL 17 (if not already):

sudo apt update
sudo apt install postgresql-17 postgresql-client-17

  2. Stop and delete the default 17/main cluster (so you can upgrade your existing 15 cluster to version 17):

sudo pg_dropcluster --stop 17 main

  3. Upgrade your old cluster (15 → 17):

sudo pg_upgradecluster 15 main

  4. Check that the upgrade worked:

pg_lsclusters

You should now see only 17/main and it should be online.

  5. Start PostgreSQL again:

sudo systemctl restart postgresql

  6. (Optional but recommended) Remove PostgreSQL 15 packages:

sudo apt remove postgresql-15 postgresql-client-15

  7. Now try launching Metasploit:

msfconsole
  • type msfconsole into the command line

  • in the console select the module: use exploit/multi/http/apache_mod_cgi_bash_env_exec

  • type options to list the module's options

  • Change the options

  • Start exploiting:

  • get the server username with getuid

  • Create a shell

    • After “shell”, we can run commands on Cupcake such as id, pwd

  • A more interactive shell:

Gathering more information for escalation

  • cat /etc/passwd to find the samwise username

  • uname -a for the kernel version

  • Quick search for an exploit for this kernel

  • You can find the dirty.c code in the link

  • 40839 is given as the CVE number

  • Find the path to the exploit

  • Change the backup filename (so it's not password.bak)

  • Upload the file

  • Find the file

  • Compile, give execute permissions and run

  • Enter a new password and it will create the firefart user

Deliverable 1. A screenshot showing your session information from your foothold session and optionally, a screenshot showing your root shell.

  • use su firefart to now become the new root user!
