All posts for the month October, 2017

In the previous howto, we saw how information about the services running in the target system can help us in researching about them and finding vulnerabilities in those software. For example, imagine I am a black hat who performed a Nmap scan on the target (in this case, Metasploitable). The target has displayed so many banners of the services running.

Let us see if we can try out the FTP service at port 21 to get access to the system. Since I am a black hat, assume I have not performed any automated vulnerability scan. Following the process shown in the last howto, I google about vsftpd 2.3.4.

I got a lot of information about the FTP service at port 21. Vsftpd stands for very secure FTP daemon and the present version installed on Metasploitable 2 (1.e 2.3.4) has a backdoor installed inside it. It seems somebody uploaded a backdoor installed Vsftpd daemon to the site. This malicious version of vsftpd was available on the master site between June 30th 2011 and July 1st 2011. So our target might be using the malicious version. While searching for exploit on exploit database, I found a Metasploit exploit for this vulnerability. So I start Metasploit and search for the exploit. I found it after some time.

I loaded the module and checked its options using “show options” command.

The only option required is the IP address of our target to be specified in the RHOST option. I set the RHOST option and execute the exploit using the “run” command.

I successfully got a shell on the target system as shown in the image above. I try out some basic Linux commands. As this shell has root privileges (shown in the above image), I decided to have a look at the passwd file of the target. Here it is.

Since we have shell access, we can perform all tasks which we perform from the terminal of a Linux system. We can even shutdown the remote system but keep in mind that you will lose your access to the system.

Recently, we saw the Windows Fodhelper Privilege escalation exploit. Today we will learn about another Windows privilege escalation exploit that works on machines from Windows 7 to Windows 10. This exploit bypasses the User Account Control of the Windows and gives us system privileges. Its called Windows BypassUAC COMhijack exploit. How does it do this? Let us see.

COM stands for Component Object Model. It acts as a binary interface between various processes of different programming languages. In Windows, is is the basis for several other Microsoft technologies like OLE, OLE Automation, Browser Helper Object, ActiveX, COM+, DCOM, Windows shell, DirectX and Windows Runtime.

This module will bypass Windows UAC by creating COM handler registry entries in the Hive Key Current User hive. These created registry entries are referenced when certain high integrity processes are loaded which eventually results in the process of loading user controlled DLLs (as you already know DLLs are Dynamic Link Libraries).

These DLLs the exploit loads contain the payloads that result in elevated sessions. After the payload is invocated, registry key modifications this module makes are cleaned up. This module invokes the target binary via cmd.exe on the target. Therefore if cmd.exe access is restricted, this module will not run correctly.

Now let us see how this exploit works. As for every privilege escalation exploit, we need to already have a meterpreter session like the one we have here, here and here.  Background the current meterpreter session and remember the session id. Search for the bypassuac_comhijack module as shown below.

Load the bypassuac_comhijack module as shown below and check its options by using the “show options” command as shown below.

Set the session id as shown below and execute the exploit using “run” command as shown below. If everything went right, we will have another meterpreter session as shown below.

Check the privileges using the “getuid” command. If you still don’t have system privileges, run command “getsystem” and even if it results in an error, check your privileges once again using command “getuid“. You should definitely have system privileges by now.

Hello aspiring hackers. Welcome back. Previously we have seen how to exploit vulnerabilities in C&C servers of some popular malware like Darkcomet and PoisonIvy RATs. Today we will see how to exploit a vulnerability in another popular RAT named GhostRAT and hack a system.

Gh0st RAT is a remote access trojan designed for the Windows platform which was used by operators of GhostNet to hack into some of the most sensitive computer networks. It is actually a cyber spying computer program. Every RAT has a command & control server also called controller.

This module exploits a buffer overflow vulnerability in the Gh0st Controller when handling a drive list as received by a victim. This vulnerability allows a hacker to execute remote code on the target machine.

Its highly unlikely that you will find a system with Gh0stRAT command and control server installed during a pentest, but we can’t say anything. So imagine a scenario where I am port scanning a network for systems with port 80 open and find this machine.

Then I perform a verbose scan on this machine to know what exactly is running on port 80 and I get this.

In the ensuing research I find out that this is a GhostRAT Command and Control Server and there is a Metasploit module for this RAT. I am not yet sure if my target is running the vulnerable version of this RAT. So I fire up Metasploit and search for the module as shown below.

I load the exploit and check its options as shown below.

I set the target IP and use the “check” command to see if our target is vulnerable to this exploit. The target appears to be vulnerable. I execute the exploit using the “run” command and voila, I get a meterpreter session successfully as shown below.


I check the privileges and system information using “getuid” and “sysinfo” commands respectively.