Mastering Metasploit

Revising the approach

Throughout this exercise, we performed the following critical steps:

  1. We started by conducting an Nmap scan on the target IP address, which is 192.168.174.132.
  2. The Nmap scan revealed that port 80 at 192.168.174.132 is open.
  3. Next, we fingerprinted the application running on port 80 and found Apache 2.4.7 running.
  4. We tried browsing to the HTTP port. However, we couldn't find anything.
  5. We ran the dir_scanner module to perform a dictionary-based check on the Apache server and found the PhpCollab application directory.
  6. We found an exploit module for PhpCollab using searchsploit and had to import the third-party exploit into Metasploit.
  7. Next, we exploited the application and gained limited user access to the target system.
  8. To improve our access mechanism, we uploaded a backdoored executable and achieved a better level of access to the target.
  9. To gain root access, we ran the exploit suggester module and found that the overlayfs privilege escalation exploit would help us achieve root access to the target.
  10. We downloaded the overlayfs exploit from https://exploit-db.com/, compiled it, and ran it to gain root access to the target.
  11. Using the same previously generated backdoor, we opened another Meterpreter shell, but this time with root privileges.
  12. We added persistence to the system by using the sshkey_persistence module in Metasploit.
  13. Running the arp command on the target, we found that the host had a separate network connection to the 192.168.116.0/24 range.
  14. We added a route to this network by using the autoroute script.
  15. We scanned the system found from the arp command using the TCP port scanner module in Metasploit.
  16. We saw that port 80 of the system was open.
  17. Since we only had access to the target network through Meterpreter, we used the socks4a module in Metasploit to make other tools connect to the target through Meterpreter.
  18. Running the socks proxy, we configured our browser to use the socks4a proxy on port 1080.
  19. We opened 192.168.116.133 through our browser and saw that it was running the Disk Pulse 9.9.16 web server service.
  20. We searched Metasploit for Disk Pulse and found that it was vulnerable to an SEH-based buffer overflow vulnerability.
  21. We exploited the vulnerability and gained the highest level of privileges on the target, since the software runs with SYSTEM-level privileges.
  22. We enumerated the list of installed applications and found that WinSCP 5.7 is installed on the system.
  23. We saw that Metasploit contains an inbuilt module to harvest saved credentials from WinSCP.
  24. We collected the root credentials from WinSCP and used the ssh_login module to gain a root shell on the target.
  25. We uploaded another backdoor to gain a Meterpreter shell with root privileges on the target.