Lab 11.0 - Client-Side Exploitation
LAB ID: 11
CLIENT-SIDE EXPLOITATION
Social Engineering
Client-side Exploitation
Pivoting
Linux FTP Service Exploitation
1. LAB
You are a Penetration Tester and you are asked to determine whether the
corporate network is secure and whether it is possible to reach the servers
within the DMZ. We have little information about our client (named
foocompany.com):
2. GOALS
Gain access to the internal network
Pivoting
To guide you during the lab you will find different Tasks.
Tasks are meant for educational purposes and to show you the usage of
different tools and different methods to achieve the same goal.
Armed with the skills acquired through the Tasks you can achieve the Lab
goal.
If this is the first time you do this lab, we advise you to follow these Tasks.
Once you have completed all the Tasks, you can proceed to the end of
this paper and check the solutions.
4. RECOMMENDED TOOLS
metasploit
nmap
proxychains
5. IMPORTANT NOTE
Further information:
SMTP: 25 - NO SSL
With this configuration you should be able to send email to, and receive
email from, the organization's email addresses.
6. TASKS
Since we only have the internal network IP addresses and they are not
directly reachable from the Internet, we have to think of a way to get into
the network. One way is to use client-side attacks against the employees in
order to gain access to their machines.
Task 2: Post-Exploitation
Task 3: Pivoting
Use the pivoting technique in order to reach the server in the DMZ.
Now that you have a connection to the server, run nmap in order to
discover what services and which versions of these services are in use.
You should now know that the server is running an FTP service and you
should know the daemon version. Find an exploit for that specific version
and try to exploit it!
Solutions
Since we have to use a client-side exploit, we are going to select one of the
newest Java exploits: java_jre17_exec.
Now we have to lure the victim into opening this link. To do that we will
create an email as follows:
http://192.168.70.45:8080/agenda
After a few seconds we can see that something is happening in the
metasploit console. It seems that the user clicked the link in the mail and we
are getting the meterpreter shell, so the target is vulnerable to this Java
vulnerability.
Task 2: Post-Exploitation
Now that we have a meterpreter shell on this machine we can start the
data-harvesting phase. Let's list the network interfaces and find out the
routes:
We can verify which connections are active on the machine by issuing the
netstat command.
Task 3: Pivoting
Let's use pivoting to send our traffic towards the other subnet. To do so
we can run the following command.
Since we want to run a version-detection scan against the FTP server using
nmap, we have to configure a proxy that all the nmap traffic will pass
through. To do so, let's put the meterpreter session in the background and
issue the following commands:
With this module (socks4a), all the traffic sent to our local address on port
1080 will go through metasploit. We can now use nmap with proxychains
in order to redirect the whole scan.
As we can see, using proxychains we are able to redirect the nmap traffic
through the metasploit proxy, which then forwards it through the
meterpreter session.
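From the defender's side, the pivot described above leaves a characteristic footprint on the compromised workstation: one established connection to an address outside the corporate ranges (the reverse shell) while the same host fans out across many ports of a DMZ server (the proxied nmap scan). The script below, an added example that is not part of the original lab, flags that pattern in netstat-style connection lines; the workstation subnet 172.16.5.0/24, the host addresses and the callback port are constructed, and only 10.10.51.21 and 192.168.70.45 come from the lab text.

```python
import ipaddress
from collections import defaultdict

# Address plan is constructed for this example; 10.10.51.0/24 is taken as the DMZ from the lab text.
CORPORATE = [ipaddress.ip_network("172.16.5.0/24"), ipaddress.ip_network("10.10.51.0/24")]
DMZ = ipaddress.ip_network("10.10.51.0/24")
FANOUT_THRESHOLD = 10  # distinct destination ports on one DMZ host that look like a scan


def is_corporate(ip):
    return any(ip in net for net in CORPORATE)


def parse_netstat(text):
    """Parse 'proto local remote state' lines into (local_ip, remote_ip, remote_port, state)."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "tcp":
            continue  # ignore headers, UDP and malformed lines
        local_ip = ipaddress.ip_address(parts[1].rsplit(":", 1)[0])
        rhost, rport = parts[2].rsplit(":", 1)
        rows.append((local_ip, ipaddress.ip_address(rhost), int(rport), parts[3]))
    return rows


def find_pivots(text):
    """Return {workstation: finding} for hosts that hold an established connection to a
    non-corporate address and at the same time touch many ports on a single DMZ host."""
    external = {}                                   # workstation -> external peer
    fanout = defaultdict(lambda: defaultdict(set))  # workstation -> dmz host -> ports
    for local_ip, rip, rport, state in parse_netstat(text):
        if not is_corporate(rip) and state == "ESTABLISHED":
            external[local_ip] = rip
        elif rip in DMZ:
            fanout[local_ip][rip].add(rport)
    findings = {}
    for ws, peer in external.items():
        for target, ports in fanout.get(ws, {}).items():
            if len(ports) >= FANOUT_THRESHOLD:
                findings[str(ws)] = {"external_peer": str(peer),
                                     "dmz_target": str(target), "ports": len(ports)}
    return findings


# Constructed sample: reverse shell to the tester's box (port 4444 is assumed) plus a
# proxied scan of the DMZ FTP server; 172.16.5.11 is a normal client talking to one port.
SAMPLE = "\n".join(
    ["tcp 172.16.5.10:49152 192.168.70.45:4444 ESTABLISHED"]
    + [f"tcp 172.16.5.10:{50000 + i} 10.10.51.21:{p} SYN_SENT"
       for i, p in enumerate((21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3306))]
    + ["tcp 172.16.5.11:49200 10.10.51.21:443 ESTABLISHED"]
)
```

Run `find_pivots(SAMPLE)` to see the single finding for 172.16.5.10; tune `FANOUT_THRESHOLD` and `CORPORATE` to the real address plan before using it on production netstat or flow exports.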
Now that we know the FTP server version (ProFTPD v 1.3.2a) and that it is
running on Unix, we can check whether an exploit exists for this specific
version by issuing the following command in metasploit:
As we can see, one exists. Let's then configure the module and exploit
the server.
As we can see, since we have already configured the pivoting we are able
to run the exploit against the address 10.10.51.21. Indeed, we now have a
command shell on the FTP server and we can start gathering information
on it: