Linux Lateral Movement 2
overview
You will learn to find and exploit vulnerable services in this lab. It will also cover post-exploitation and lateral movement techniques to extract sensitive information to progressively move through a network.
Lab Environment
In this lab environment, the user will access a Kali GUI instance. A vulnerable application can be accessed using the tools installed on Kali at http://demo.ine.local
Objective: Exploit both the target and find all flags!
Dictionaries to use: * /usr/share/metasploit-framework/data/wordlists/common_users.txt * /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
Tools
The best tools for this lab are:
Metasploit Framework
Nmap
Bash Shell
Hydra
MySQL Client
Please go ahead ONLY if you have COMPLETED the lab or you are stuck! Checking the solutions before actually trying the concepts and techniques you studied in the course will dramatically reduce the benefits of a hands-on lab!
Solution
Step 1: Open the lab link to access the Kali GUI instance.
Step 2: Check if the provided machine/domain is reachable.
Command
The machine is reachable.
Step 3: Check open ports on the demo.ine.local machine.
Command
We can observe ports 22 and 79 open on the demo.ine.local machine. Port 22 is the default port for the SSH service, and port 79 is the default port for the finger service.
Let's find the version of both the services.
Step 4: Running the Nmap on ports 22 and 79 to find all possible information about the target server.
Command
-sV: Probe open ports to determine service/version info.
-p: Port
-sC: Equivalent to --script=default
Target is running OpenSSH 6.6.1p1 and finger Linux
Step 5: Now, let's enumerate the finger service running on host demo.ine.local.
Finger Protocol
The Name/Finger protocol and the Finger user information protocol are simple network protocols for the exchange of human-oriented status and user information. The finger daemon runs on TCP port 79. The client will (in the case of remote hosts) open a connection to port 79. An RUIP (Remote User Information Program) is started on the remote end of the connection to process the request. The local host sends the RUIP one line query based upon the Finger query specification, and waits for the RUIP to respond. The RUIP receives and processes the query, returns an answer, then initiates the close of the connection. The local host receives the answer and the close signal, then proceeds to close its end of the connection. Source: https://en.wikipedia.org/wiki/Finger_(protocol)
We could use the Metasploit module to enumerate the valid usernames on the target machine via finger protocol.
We all know that root is a built-in account on all Linux systems. First, let's use the finger command on the target to get root user information.
Command
We can observe that we have received root user information, but nothing interesting was found.
We will use the provided dictionary /usr/share/metasploit-framework/data/wordlists/common_users.txt to find the valid users using the finger-user-enum.pl script.
The script is located in /root/Desktop/tools/finger-user-enum directory.
Command
We have identified two users using the finger enum script.
sysadmin
auditor
We can also get these results properly using the finger utility.
Commands
We can observe nothing interesting found! But, the SSH service is exposed, and we have valid users. We can launch a bruteforce attack to find the correct password of these users.
Step 6: Let's run the hydra tool to find the valid password of the sysadmin and auditor users.
First, create a file and keep these two users in it.
Commands
Now, let's run the hydra tool.
Command
-L: List of users
-P: Password list
demo.ine.local ssh: Target Address and Target Protocol
We can observe that we have only found the password for the sysadmin user.
Step 7: Let's use ssh utility and login to the target server using sysadmin user credential.
Commands
We have successfully logged into the server using sysadmin user. Let's find out if we can use sudo to gain the privileges.
Command
We do not have permission to run the sudo command.
Step 8: Remember, we have not found the password for the auditor user. Let's check auditor user home files.
Commands
We do not have permission to check auditor users' home files. Permission is modified, and only root and owner (auditor) can read/write files.
This looks interesting.
Step 9: Let's check all the running processes on the target machine.
Command
We can observe that the MySQL server is running with the root user. However, we haven't discovered the MySQL default port 3306 while scanning the target machine. Let's check all bind ports on the target machine.
Command
We can observe MySQL is running on localhost:mysql, i.e., port 3306. This is why we have not discovered the server. It is not exposed to the public IP address.
Step 10: We can forward the port using SSH tunneling and access port 3306 on the attacker's machine local port.
Let's exit the SSH active session and forward the target local port 3306 to the attacker's machine port 8000 using ssh.
Command
We can verify it by running the netstat command on the attacker machine.
Command
Now, do not terminate the new SSH session, and let's run the Metasploit Framework and run the mysql_login module to find MySQL root user password.
Step 11: Running Metasploit on MySQL service to find the valid password.
We are running a brute force attack on port 8000 where we have performed ssh tunneling. This allows us to connect to the target machine MySQL service to find the password.
Running Metasploit framework and search the mysql_login module.
Commands
We have found the module. Let's use it and check all available module options.
Commands
We need to set the RHOSTS, RPORT, and PASS_FILE values.
Also, we need to change the value for STOP_ON_SUCCESS and VERBOSE.
In this case, we need to provide RHOST (localhost) and RPORT to port 8000.
Commands
We can observe that we have found the password of the MySQL root user. i.e root:nirvana
We can use this credential to gain root access by using the MySQL UDF (User Defined Function) exploit module.
Step 12: Running mysql UDF exploit module to gain root access on the target machine.
First, search the module and use it.
Commands
Now, let's check all the module options.
Command
We need to set the RHOSTS value to 127.0.0.1, and for the RPORT, we need to set 8000.
Also, the TARGET and LHOST values are invalid. We need to set it right.
First, let's check the attacker machine IP address for the LHOST.
Command
Note: In your case, the IP would be different. Please make sure about it.
Now, let's exploit the target.
Commands
Great! We have successfully exploited the MySQL server and gained the meterpreter session.
Note: If you have not used the exploit -j command then, maybe msf would stuck on Meterpreter session 1 opened. In that case, press CTRL + C to continue and interact with the session.
Awesome. We got the root privileges on the target machine.
Step 13: Let's read the second flag.
Commands
We have found the FLAG1: 39493c859daa977560a8ac0917edb054
Step 14: Now, let's try to access auditor user home directory.
Commands
There is one .bash_history file present on the target machine. Let's read the file and check if we can get any interesting information.
Command
After investigating all the bash_history commands, we have found that the user (auditor) has accessed another mssql machine using CLI, which is running on the 192.3.178.3 host.
Note: In your case, the IP address would be different.
Let's run the ping command and verify that the host is still up and accessible.
Command
The host is up. Let's run the same command to access the second mysql server.
Command
This machine is not directly accessible from the attacker machine, and hence we can't connect to it. Let's use the sysadmin user ssh session and try to access the mysql server.
Command
Great. This time it worked. This confirms that the host 192.3.178.3 is not reachable directly using the Kali machine.
Before we move, let's add the route and check all open ports on the target machine.
Step 15: Let's access the meterpreter session and check the details of all interfaces on the target host.
Command
We found two interfaces attached to target demo.ine.local. We can add the route for the second subnet, i.e., 192.3.178.2, and scan for the live hosts and open ports.
Note: In your case, the IP range would differ. Please make sure about it.
Let's add the route.
Command
We have successfully added the route. Now, let's run the auxiliary port scanner module.
Commands
TCP ports 3306 and 80 are open on the second target machine. We already have full access to the mysql database server using the root user. Next, let's forward port 80 and run the nmap to identify the running service name. We will forward remote port 80 to port 1234.
Commands
We have forwarded the port. Now, let's run nmap and identify the running service.
Commands
The target is running Apache httpd 2.4.7. Let's use the firefox browser and access the webserver to identify what application is running.
URL: http://localhost:1234
Well, nothing interesting we have found on the target server.
Just a message: Website is under development. Stay Tuned!,
You can upload files to /webtemp
But, what if we can access the /webtemp directory directly from the browser. Let's try to access it.
URL: http://localhost:1234/webtemp
We can access the /webtemp directory without any issues.
Step 16: Now, we can leverage the MySQL database access to dump the file into /var/www/html/webtemp folder using DUMPFILE syntax.
About SELECT INTO DUMPFILE Syntax:
SELECT ... INTO DUMPFILE is a SELECT clause which writes the resultset into a single unformatted row, without any separators, in a file. The results will not be returned to the client. file_path can be an absolute path, or a relative path starting from the data directory. It can only be specified as a string literal, not as a variable. However, the statement can be dynamically composed and executed as a prepared statement to work around this limitation. This statement is binary-safe and so is particularly useful for writing BLOB values to file. It can be used, for example, to copy an image or an audio document from the database to a file. SELECT ... INTO FILE can be used to save a text file. The file must not exist. It cannot be overwritten. A user needs the FILE privilege to run this statement. Also, MariaDB needs permission to write files in the specified location. If the secure_file_priv system variable is set to a non-empty directory name, the file can only be written to that directory. Let's access the second MySQL server on the
sysadminssh session.
By default, the latest version of the apache web server root directory is '/var/www/html.'
The root directory is based on the Apache webserver version. For older versions, it would be '/var/www/').
We will dump a PHP backdoor into a file, i.e., backdoor.php, to the web server's root directory.
Commands
We have successfully written a backdoor.php file in /var/www/html/webtemp directory. Now, access the backdoor using the browser.
Commands
We have successfully uploaded the PHP backdoor, and we can now execute the commands on the pivot machine.
Step 17: Let's read the flag.
URLs
We have found the FLAG2: 4c537c0dfd18bafdcd59f53c7015550e
We have successfully exploited both machines.
Last updated