Pentesting: Metasploit in Practice.

About.

In this worked example we'll perform an attack using nmap and Metasploit.

This time our goal is to log in as a non-root user and to obtain reverse shell access using Metasploit.


Scanning & Intelligence Gathering.

First we'll perform an initial nmap scan of the target machine (IP address 10.87.23.82 in this case).


We have found a service running on port 3000. Let's dig deeper and perform a version scan of that port (using the -sV parameter for version detection and -sC for nmap's default scripts).

As we can see in the image above, we have found a Gitea application with a web interface running on 10.87.23.82:3000.

Let's connect to this webapp using a web browser.



We can see that there's an option to register as a new user in the upper right part of the screen. Perhaps we'll need it later.

The lower left part of the page lists Gitea's version: 1.12.5.

Let's look for known vulnerabilities in this version, for example on the exploit-db website.



We can see that there's a vulnerability related to Gitea 1.12.5, and exploit-db's entry has a link to a PoC (proof of concept). Let's dig deeper and follow this link.

So now we know about a Git hook exploit that requires authentication to execute.


Exploitation & 'Initial Foothold'.

First let's create a user on the target machine using the 'Register' button. After all, the exploit we found requires authentication.

We use the following registration data:
- user: nm108
- email: nm108@myemail.com
- password: Nm108!



Let's run the Metasploit Framework console using the msfconsole command.


Let's search for gitea in Metasploit; perhaps we'll find something useful (msfconsole command: search gitea).

We've found some modules, but we need to determine the operating system Gitea is running on. Let's perform an OS detection scan with nmap (-O parameter).

In the 'fingerprint' part of nmap's report we find the text 'aarch64-unknown-linux-gnu', so we can assume that the target machine probably runs Linux. Let's return to Metasploit and use the module in line 7 of the search results (Git hook, Linux). We found earlier that the Git hook vulnerability affects Gitea version 1.12.5, and we have credentials to authenticate with.


Let's show the module's configuration using msfconsole's 'show options' command.


Some options are required; they can be set using msfconsole's 'set' command.


The required options we set are:
- PASSWORD : Nm108!
- RHOSTS (the target machine's IP address) : 10.87.23.82
- USERNAME : nm108
- LHOST (our IP address, to which we want the target machine to connect back) : 10.111.0.16

Now that Metasploit is configured, let's run the exploit (using msfconsole's 'run' command).

Success! The target machine connected back to us, and we can issue commands to it. For example, let's spawn a shell using the 'shell' command.
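As an added example (not part of the original post), here is the defender's side of this walkthrough: a small audit of a Gitea app.ini for the two settings the chain relied on, open self-registration (which gave us the account) and editable Git hooks (which the exploit uses). It assumes the app.ini keys DISABLE_REGISTRATION under [service] and DISABLE_GIT_HOOKS under [security], and the 1.12-line behaviour that an absent key means the protection is off; the sample ini contents are constructed.

```python
# Audit a Gitea app.ini for the two settings this walkthrough relied on.
# Added example, not code from the post. Assumes the Gitea 1.12-line
# defaults: when a key is absent, the protection is off (value false).
import configparser

# (section, key) -> assumed default when the key is missing from app.ini
CHECKS = {
    ("service", "DISABLE_REGISTRATION"): False,
    ("security", "DISABLE_GIT_HOOKS"): False,
}
MESSAGES = {
    "DISABLE_REGISTRATION": "self-registration open: anyone can create the account the exploit needs",
    "DISABLE_GIT_HOOKS": "git hooks editable: a repository admin can run commands on the server",
}

def _as_bool(value: str) -> bool:
    # go-ini style truthy values; trailing ';' or '#' comments are stripped
    cleaned = value.split(";")[0].split("#")[0].strip().lower()
    return cleaned in ("1", "true", "yes", "on")

def audit_gitea_ini(text: str) -> list[str]:
    """Return one finding per weak setting; an empty list means both are hardened."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep Gitea's upper-case keys as written
    # Gitea places a few keys (e.g. APP_NAME) before the first [section],
    # which configparser rejects, so prepend a dummy section header.
    cp.read_string("[__root__]\n" + text)
    findings = []
    for (section, key), default in CHECKS.items():
        raw = cp.get(section, key, fallback=None)
        enabled = default if raw is None else _as_bool(raw)
        if not enabled:
            findings.append(MESSAGES[key])
    return findings

# Constructed samples, not copied from any real install.
SAMPLE_WEAK = """APP_NAME = Gitea: Git with a cup of tea
[server]
HTTP_PORT = 3000
[service]
DISABLE_REGISTRATION = false
[security]
INSTALL_LOCK = true
"""
SAMPLE_HARDENED = "[service]\nDISABLE_REGISTRATION = true\n[security]\nDISABLE_GIT_HOOKS = true\n"

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_gitea_ini(sample) or ["ok"])
```

Point it at a real app.ini by reading the file into a string; either finding alone is worth fixing, and both together reproduce the precondition for the registration-then-hook chain above.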


