How to not be a script kiddie: Stop the Metasploit Over-reliance! Part 1

Arnav Tripathy
8 min read · Jun 29, 2019
Just for reference

Every pen tester loves Metasploit. And why shouldn't they? After all, it automates everything for them!

No more writing exploits, no more thinking much: just set lhost and rhost, type exploit and boom, you're in.

That's great, but what if your Metasploit showed an error like this?

Metasploit screwed up!

Huge error, right? There's actually quite a simple fix for this ;) But anyway, this picture kind of made you sit up and take note of my point, right?

So basically your most prized and precious hacker tool is not there. What do you do? You were always used to typing use exploit/blah blah and hammering the enter key after typing exploit, right? Before that, you should know what Metasploit is and why it was made.

Metasploit is written in Ruby, an extremely powerful language for automation (well, duh). Trust me, by the end of this article you will understand that Metasploit is nothing magic. In fact, sometimes in web app pentesting Metasploit is completely useless, for example when you find a misconfigured NFS. Metasploit comes in handy when the target uses unpatched software or when you are dealing with multiple machines. In my experience, the time when Metasploit is really, really handy is while performing pivoting (new term? Google it ;) ).

Metasploit is basically a database of publicly available exploits configured for automation. Yes, all the exploits in Metasploit are publicly available; they are all literally an appropriate Google search away from you.

So the point of this article is more of a demonstration of how public exploits can be (and should be) used. I shall use two machines from VulnHub that I had pwned a few months ago, which I feel are perfect for this demonstration, namely

These are actually quite simple machines, so if you want to, you are most welcome to try pwning them first, as there are spoilers ahead. I shall first demonstrate the easy script-kiddie way (Metasploit) and then show the proper way, using the public exploit.

This article is going to be in two parts so as not to bore the reader. The first part demonstrates DC-1 and the second part deals with Dina. Let's get cracking!

DC-1:

Information I gathered: I found a web server running; when I visited the IP address (there is no DNS server for these machines), I found this:

Drupal looks like this

(Pro tip: in a real-life scenario, this sort of information will never be handed to you like this; use Wappalyzer like I do.)

So we see that the CMS of this website is Drupal. Let's try to get into the server the script-kiddie way first, using Metasploit.

Fire up Metasploit by typing msfconsole. Then search for Drupal exploits like this:

Drupal list of exploits

Normally, when an exploit is ranked excellent, it works smoothly. You can try each of the exploits and see which one works.

Spoiler alert: the fifth one works perfectly for me in this scenario. I didn't try the first two because, as you can see, they are just scanners. So let's deploy that exploit and set all the options.

Deploying the exploit

So basically the API was vulnerable to command execution. Command execution is a goldmine for any hacker, because it means a shell can be popped using netcat, python, php or perl, depending on what is installed on the system. Linux users know that all of these come pre-installed, so you can use any of them to pop a shell. I am not going to spell it out here, because it is something you should already know.

So I got my gold mine when I saw this:

Victory through a script kiddie way!

From there on you can look for files, escalate privileges and do proper post-exploitation. That is not the point here; the important thing is that we gained access to the server easily through Metasploit.

Let's try using a public exploit. Assume your best friend Metasploit does not exist (a hypothetical, since Metasploit has existed since 2002); how would you do it? Let's see just that.

There are two ways you can basically go about this:

- Use searchsploit in Kali

- Use Google

In my experience, a Google search is much better, simply because it's simpler and there is less chance of going wrong. That being said, searchsploit is useful when there's a problem with your internet. We're going to assume we don't live in the 1960s and have internet with us.

Simply search this: "drupal exploitdb"

(Exploit-DB is the official database housing all public exploits. It's any hacker's encyclopedia, you might say. You need to be very good with Exploit-DB if you want to be a hacker.)

The results look somewhat like this:

Public exploits for drupal

and some more. You get the point. But here's a question I am sure you must be pondering:

Which one to deploy? How do you know which one is the correct one?

The answer is quite simple: try all of them and see which one works. As you can see, I have tried two of them. I have also tried the other two in a separate search, but you might think I am a bloody liar because they're not purple. HAHAHAHA

Anyway, I first tried the third one; here's the link for that:

https://www.exploit-db.com/exploits/46459

Let's analyze the source code a little.

Most public exploits are in python

So it seems to be a Python file for command execution. It seems pretty simple to work with: just run it as a Python program with the URL and the command to execute, and it should work. Let's see that now, shall we?

It showed an error. Hmm, I wonder why. Let's investigate.

If you look at the shebang (the first line of the exploit code), you can see that it clearly calls a python3 interpreter, whereas we are executing it with python2. This probably means that this program should be executed using python3. So let's try executing it with python3 now, shall we?

(Takeaway tip: sometimes you need to use this thing called logic and not blindly follow what the exploit says. Programming experience is useful, but knowledge of programming workflows is what works best.)

Python3 exploit

Then I got this. True to my word, I tried it a little later and it still didn't work. I tried everything I could. It might be that this particular server is not vulnerable to this, as the message suggests. So I moved on to the next exploit.

https://www.exploit-db.com/exploits/44449

This was a slightly more advanced exploit. Whereas the previous exploit, had it worked, would still have required opening a netcat shell manually, the description of this exploit promised a fully working shell if it was successful. So I downloaded the source code and analysed it.

A Ruby exploit

So it's a Ruby file. Good thing I know a little Ruby, at least enough to analyze this file. If you scroll down, you'll find how it works, but I'll leave that to you. It's actually quite straightforward.

Anyway, let's run the file.

Damn another error

So we get this error. Having some knowledge of Ruby helped me understand what was wrong with this exploit. The problem was that Kali didn't come with a Ruby package called highline pre-installed. So the fix was simply to install the package. To install Ruby packages (for now, highline), you type:

gem install highline

After installing the package, I used the exploit again and, hurrah, it worked! You might need to zoom in a little.

Yay no metasploit for gaining access!

I got a fully working shell, all without Metasploit. Basically the server was vulnerable to PHP passthru command injection passed via a URL, or useless jargon, you might say.
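Both traps above (the python2/python3 shebang and the missing highline gem) can be caught before you run a downloaded script at all. This is an added example of my own, not code from the post or from the Exploit-DB scripts: it statically reads a script's shebang and dependency lines and, for Python, checks which modules are not importable here. The two sample scripts are constructed, and for Ruby it only lists gem names, since it cannot query gem state offline.

```python
import importlib.util
import re
import sys
from typing import Optional

# Constructed sample files standing in for downloaded scripts (not real exploit code).
PY_SAMPLE = "#!/usr/bin/env python3\nimport sys\nimport requests\nfrom urllib.parse import urljoin\n"
RB_SAMPLE = "#!/usr/bin/env ruby\nrequire 'highline/import'\nrequire 'net/http'\n"

SHEBANG_RE = re.compile(r"^#!\s*(?:/usr/bin/env\s+)?(\S+)")
PY_IMPORT_RE = re.compile(r"^\s*(?:import|from)\s+([A-Za-z_]\w*)")
RB_REQUIRE_RE = re.compile(r"^\s*require\s+['\"]([^'\"/]+)")


def interpreter_from_shebang(source: str) -> Optional[str]:
    """Basename of the interpreter named on the first line, or None if there is no shebang."""
    first = source.splitlines()[0] if source else ""
    m = SHEBANG_RE.match(first)
    return m.group(1).rsplit("/", 1)[-1] if m else None


def wanted_major(interpreter: Optional[str]) -> Optional[int]:
    """Major Python version the shebang asks for ('python3' -> 3, 'python2.7' -> 2); None if unspecified."""
    m = re.fullmatch(r"python(\d)(?:\.\d+)?", interpreter or "")
    return int(m.group(1)) if m else None


def dependencies(source: str, interpreter: Optional[str]) -> list:
    """Top-level module (Python) or gem (Ruby) names the script pulls in, sorted and de-duplicated."""
    pattern = RB_REQUIRE_RE if interpreter == "ruby" else PY_IMPORT_RE
    return sorted({m.group(1) for line in source.splitlines() for m in [pattern.match(line)] if m})


def triage(source: str) -> dict:
    """Summarise interpreter, dependencies and (Python only) which ones are not importable here."""
    interp = interpreter_from_shebang(source)
    deps = dependencies(source, interp)
    missing = []
    if interp and interp.startswith("python"):
        # find_spec returns None for a top-level name that is not installed in this interpreter.
        missing = [d for d in deps if importlib.util.find_spec(d) is None]
    return {"interpreter": interp, "wanted_major": wanted_major(interp), "deps": deps, "missing": missing}


if __name__ == "__main__":
    for src in (PY_SAMPLE, RB_SAMPLE):
        report = triage(src)
        want = report["wanted_major"]
        if want is not None and want != sys.version_info[0]:
            print(f"shebang asks for python{want}; you are running python{sys.version_info[0]}")
        print(report)
```

Run it on a script before executing it: a wanted_major that differs from the interpreter you are about to use is exactly the python2/python3 mismatch, and each name in missing (or each Ruby gem listed) is a pip or gem install away.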

So this was DC-1. In the next part, I shall demonstrate another public exploit, for Dina 1.0.1 from VulnHub.

Before ending, some things you can keep in mind:

  • In real life, you'll probably have to do a lot more tinkering, what with proxies and different URLs. Don't worry though, it's not that hard.
  • Don't just write code, understand code properly. Understand the part that matters.
  • A few programming modules that should be your best friends are socket, os, subprocess, netfilterqueue, scapy and, most of all, requests.
  • It's useless to write a lot of code without understanding it; it is better to write a program with fewer lines and understand it perfectly. You'll be surprised that some exploit code is hardly 10 lines yet much more difficult to understand.

Part 2 is coming soon, stay tuned!
