RCE (Remote Code Execution) vulnerability in the portal

Let's take a closer look at the web service running on the IIS server. Open the Firefox browser and go to the address http://10.0.0.3 (or http://iis1.evilcorp.local).

Click on "Check your downloaded applications".

This appears to be very insecure, the application is directly downloading files to the web root. Let's try to download an ASP file that executes code.

Open the file in the browser and confirm the vulnerability - ASP code is executed on the server.

Start the Metasploit console (msfconsole) now and enable the common listener exploit/multi/handler. Set the payload to windows/meterpreter/reverse_tcp, lhost to 10.0.0.100 (your Kali machine IP), and lport to 1234 (the port on which your listener waits for connections).

If you haven't done the Hakateam Metasploit course yet (it may not have been published yet when you are reading this), here is a brief of what we are doing:

 is an open source penetration testing tool.

 is a versatile agent in metasploit that is executed on the target machine.

 is a module in Metasploit that accepts connections when a successful attack occurs and opens, for example, a meterpreter connection to the target machine.

 means Meterpreter payload for the Windows operating system that is served over a TCP connection.

 determines the IP address of the Metasploit listener.

sets the TCP port for the Metasploit listener.

Create an ASP file now with the msfvenom tool that connects to your Metasploit listener when executed. Just run the msfvenom command in another terminal and provide it with the exact same settings as in the Metasploit listener.

In addition, you specify that the created ASP file is saved in the file evil.asp and that the format is ASP.

Now you just upload the file "evil.asp" and execute it like the file "test.asp" earlier.

You should see that the meterpreter session opens in the listener.

You can try using the "sysinfo" command to see what kind of server you hacked into.

Or if you want a regular Windows command prompt, run the command "shell". You can go back with the command "exit".

This is a scenario, please do not unnecessarily close it within the same course area (Scenario 1) so that you do not lose your progress. Please add time if necessary. It may take a few minutes for the scenario to start, please wait patiently.

Evilcorp - Scenario 1

IIS Server Hacking, Metasploit

Welcome to the Fundamentals of Penetration Testing! This path provides a comprehensive understanding of information security and IT fundamentals, including using the command line in a Linux environment, how networks operate, the basics of web development, and programming fundamentals. Throughout the course, we will also cover important skills for penetration testers, such as the use of tools like Nmap, Metasploit, and Wireshark, as well as Windows-based attacks. You will also practice exploiting some significant vulnerabilities related to various websites, which are valuable for a penetration tester to know.

The purpose of this path is to provide a clear roadmap for what to follow on the Hakatemia platform. However, if you find a specific topic particularly interesting or challenging, feel free to explore the full course on that subject, which you can find on the courses page.

What is ethical hacking?

Important warning

Intro

Linux operating system

Linux Command Line - video

First touch to the command line

Navigating the command line

Creating folders

Creating and editing files

Controlling the output

Moving files and folders

Deleting files and folders

File system permissions

Linux command line

How the Internet works - video

The beginning of the Internet

The structure of information networks

Internet addresses

Data networks and the TCP/IP model

Physical media of information networks

MAC addresses

ARP (Address Resolution Protocol)

IP addresses

Subnets, netmasks and CIDR notation

Gateways and routing

TCP (Transmission Control Protocol)

UDP (User Datagram Protocol)

DNS (Domain Name System)

DHCP (Dynamic Host Control Protocol)

Basics of information networks

Hello world

Variables

Arithmetic

Input

Data types

Conditional sentences

Imports and Random numbers

Lists

A while loop

A for loop

Functions

Python Programming

Browser side and server side

URL structure

HTTP protocol

HTTP methods

HTTP headers

HTTP status codes

Cookies

HTML markup language

JavaScript

Let's build a simple website

Website basics

Python and Flask

HTML Basics

Processing of HTML Forms

SQL Basics

Database connections

Login, session management and access management

Backend basics

What is Nmap?

Defining the destination

Configuring ports

TCP SYN scan

TCP connect scan

UDP scan

TCP FIN, NULL and Xmas scan

Identification of services (-sV)

Scanning networks with the Nmap tool

What is Metasploit?

Using nmap in metasploit

Identifying vulnerabilities

Using modules

Exercise: Unreal IRC backdoor

Continuation of the attack on other services

MSFVenom and multi/handler

Bringing exploits into the metasploit environment

Exercise 1

Exercise 2

Exploiting vulnerabilities with the Metasploit tool

What is wireshark?

Display filters - Display filters

Capture filters

Traffic analysis

Package structure

Exercise 1 - http.pcap

Exercise 5 - http_with_jpegs.pcap

Analyzing network traffic with the Wireshark tool

Mapping the attack surface (Enumeration)

NTLM authentication, SAM database and hash stealing

Psexec and Pass the Hash (PtH) attack on a domain controller

AD and domains, NTDS.dit file and cracked domain controller

JTR and breaking the domain admin's NTLM hash

Windows - From an attacker's perspective

BurpSuite - Proxy

BurpSuite - Scope

BurpSuite - Repeater

BurpSuite - Decoder

BurpSuite - Comparer

BurpSuite - Logger

BurpSuite - Organizer

BurpSuite - Extensions

BurpSuite - Session Manager

BurpSuite - Community

What are XXE attacks?

What are deserialization attacks?

What are SQL Injections?

What are command injections?

Python Jinja2 Template Injections

Server-side attacks via web pages

Fundamentals of Penetration Testing

IIS Server Hacking, Metasploit

RCE (Remote Code Execution) vulnerability in the portal

Metasploit listener

msfvenom

Attack

Exercises

Evilcorp - Scenario 1

Ready to become an ethical hacker?
Start today.

IIS Server Hacking, Metasploit

RCE (Remote Code Execution) vulnerability in the portal

Metasploit listener

msfvenom

Attack

Exercises

Evilcorp - Scenario 1

Ready to become an ethical hacker?Start today.

Ready to become an ethical hacker?
Start today.