Penetration Testing #7 - Metasploit lab from INE free course


Introduction

This time I want to show you my solution to the Metasploit lab from the INE free cybersecurity course. The Metasploit framework is one of the most important tools in a penetration tester's arsenal. It is the tool for the exploitation phase of an engagement. I would describe Metasploit as a framework for automating exploitation, and I think that's enough to understand what it can give us. At the time of writing, Metasploit has over two thousand exploits in its database. Obviously, this huge tool doesn't consist only of exploits. It also ships a large number of payloads, and some modules are responsible for scanning networks. The framework is made up of modules, and each of them is stored inside the PostgreSQL database. Moreover, it has a console-based interface with a file-hierarchy structure. This means that when you want to use Metasploit you have to be familiar with some basic commands, which I will introduce in the solving section of this post. In my opinion, Metasploit is an amazing tool with a full range of options, but it can be overwhelming when you start using it. The best way to show you the power of this program is by exploiting a real machine inside the target network. So without further ado, I invite you to follow my solution to the Metasploit lab.

Metasploit lab from INE free course

Description of the Metasploit lab

Goals of the Metasploit lab

Today is the day! Finally, we are able to exploit the machine and own it. But the first thing to do is to identify the target inside the network. As usual, I will use nmap for this purpose.


After executing the ifconfig command I obtained the IP address of the local machine inside the target network. The netmask is 255.255.255.0, so the target network address is 192.168.99.0. Now we can scan this network and discover open ports as well as the services running on each node.


It's clear that the target is the machine at the address 192.168.99.12. Let's see what services are running on this host. Maybe we can find some security weaknesses.


There are plenty of interesting services running on this host. I think that at least two of them are vulnerable - FreeFTPd 1.0 and WeOnlyDo sshd 2.1.8.98. From the output we can be sure that the operating system of the machine is Windows XP and that the SMB protocol is in use. This means we can check whether the host is vulnerable to some attack vectors based on SMB protocol weaknesses. The last service, listening on port 3389, is the Remote Desktop Protocol. That is also a very interesting situation, since we might be able to log in to the machine remotely with some default credentials.

Since the first service in the nmap output is FreeFTPd 1.0, let's see whether Metasploit can help us exploit this FTP server first.


There is an exploit available for version 1.0 of the FreeFTPd service, which is fantastic news for us. The exploit/windows/ftp/freeftpd_user module most likely compromises the victim's machine through an overflow of the buffer holding the username.


Here is the description of the exploit; it's visible after issuing the info command once the exploit has been activated with the use command.


At this moment the exploit is ready to be used, or in other words, it's activated. But we can't simply run the exploit without setting a payload. A payload is the code that will be injected into the vulnerable service and executed by the victim's machine right after. The payload gives us remote access to the machine, and the exploit redirects the flow of the vulnerable program to the payload. Probably the best payload to use is the TCP Meterpreter. Meterpreter is a shell with far more features than an ordinary operating system console such as cmd. Using Meterpreter we have access to post-exploitation modules; we can, for example, download files from the exploited machine or upload them to the target with ease. To set the payload for the exploitation phase you have to use the set payload <path> command.


Now it's time to see which configuration options we have to set in order to make the exploit work reliably. To print the list of configuration options, let's use the show options command.


We have two required configuration options to set for the exploit: RHOSTS, the IP address of the target machine, and RPORT, the port on the target machine. The port is set to 21, which is the default port for the FTP service, and we should leave it as it is. The RHOSTS option has to be set to the IP address 192.168.99.12.

For the payload we have three configuration options: EXITFUNC, the way the payload exits; LHOST, the IP address of the attacker's machine; and LPORT, the listening port number on the attacker's machine. The EXITFUNC option offers five possible exit techniques. The default is process, which means that when the payload finishes executing it calls the ExitProcess WinAPI function. In a real-world scenario it would probably be better to use the thread exit technique when exploiting an FTP server. This approach could give us a clean exit without generating unnecessary noise, because only our connection to the FTP server would be closed. Therefore, I'm going to change the value of this configuration option to thread.


The FreeFTPd exploit and payload are configured and ready to use. The last thing to do is to launch the exploit and see whether it owns the victim's machine.


Unfortunately, this particular exploit didn't work, so let's try one of the other two exploits for the FreeFTPd service. Maybe exploit/windows/ftp/freeftpd_pass is a good candidate.


As you can see, its rank is normal, which is better than the average rank of our earlier exploit, and it targets version 1.0.0 of FreeFTPd, which runs on the victim's machine. The configuration will be the same as for the freeftpd_user exploit. Let's launch the exploit and see whether it owns the machine this time.


The target machine is exploited and we have full control over it. Therefore the post-exploitation phase begins, and the first thing to do after a successful attack is to raise privileges on the compromised system. The Meterpreter command for privilege escalation on Windows is getsystem. It uses three techniques to obtain SYSTEM privileges. The first two of them are based on impersonation. Impersonation is the ability of a thread to execute in a security context different from that of the process that owns the thread. The third technique assumes that we have SeDebugPrivilege on the compromised machine and performs DLL injection into a service that runs with SYSTEM privileges. Once the DLL is injected into such a service, it duplicates the security token and tries to pass it to the Meterpreter service. When this operation succeeds we have SYSTEM privileges in the Meterpreter session. But bear in mind that the third technique works only on the x86 architecture. If you want to read more about the privilege escalation techniques used in Metasploit, see the documentation: https://docs.rapid7.com/metasploit/meterpreter-getsystem/. Let's try to run the getsystem command and see what happens.


Boom! We have SYSTEM privileges on the compromised machine! The output of the getsystem command tells us that this was done via technique 1, called Named Pipe Impersonation (In Memory/Admin). This type of privilege escalation uses impersonation, as I explained above. More specifically, Meterpreter creates a named pipe. Then a cmd.exe is created with SYSTEM privileges and connects to the named pipe. Meterpreter impersonates the client, and when that is done the session runs with SYSTEM privileges. Ok, awesome.

The next step in the post-exploitation phase is achieving persistence. Once we own the machine we don't want to lose this power after a simple reboot, right? Therefore it's crucial to install a backdoor. A backdoor is a program that guarantees access to the compromised machine. It acts like a server that waits for commands to execute. Sometimes a reverse backdoor is used instead, when we want to avoid firewall detection: in that case the reverse backdoor acts as a client and connects back to our machine with an accessible shell. Obviously, Metasploit has modules that can be used for maintaining persistence. One of them (as the name suggests) is called persistence. Let's try to install a backdoor.

First, we have to send the Meterpreter session to the background to return to the msfconsole. To do this, press Ctrl+Z inside Meterpreter. To list active sessions you can use the sessions -l command.


Now that we are in the msfconsole again, let's activate the exploit/windows/local/persistence module.


This module installs a registry-based backdoor on the compromised machine. Remember that this can only be done if a Meterpreter session already exists. Now we have to set the payload for our backdoor. Obviously, it will be another Meterpreter session.


Every configuration option is correctly set, but there is an additional option for the persistence module called DisablePayloadHandler. We want to achieve persistence, and therefore the payload handler has to be enabled. You will see later why it's crucial for the Metasploit backdoor.


I was lying, and not every configuration option was set. :/ The SESSION option should be set to the number of the active Meterpreter session; after running set SESSION 1 everything is correct. The last thing to do is to run the exploit as a background job. The persistence module installs the registry-based backdoor on the victim's system and returns to the Meterpreter session. At this moment the backdoor sits on the attacked machine and waits for a reboot. When that happens, the backdoor immediately connects to the attacking system on the specified port, in our case port 5555. But we have to accept the connection from the victim's machine and handle it somehow. If you look at the listeners running on our machine, you will see that we don't actually have one.
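The footprint this step leaves behind is an autorun value in the registry that launches a dropped script at logon, so the defender's counterpart to it is an audit of the Run keys. The Python script below is an added example, not code from the lab or from Metasploit: it scores constructed Run-key exports (the entry format, names, paths and thresholds are hypothetical) for the traits a dropped persistence stub typically shows, namely a script file in a temp directory, a script-host launcher and a random-looking value name.

```python
import re

# Constructed sample of autorun values, formatted as "key|value name|command",
# the way a defender might export them from a host (e.g. with reg query /s).
# The names and paths are hypothetical, not values taken from the lab.
SAMPLE_RUN_ENTRIES = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run|SoundMan|SOUNDMAN.EXE",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run|qGhJxkZsW|C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kPqRwsT.vbs",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run|VMware Tools|C:\Program Files\VMware\VMware Tools\VMwareTray.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run|UpdChk|wscript.exe //B C:\WINDOWS\Temp\upd.vbs",
]

SCRIPT_HOSTS = ("wscript", "cscript", "mshta")
SCRIPT_FILE = re.compile(r"\.(vbs|js|hta|bat|cmd)\b")
TEMP_DIRS = ("\\temp\\", "\\locals~1\\temp\\", "\\appdata\\local\\temp\\")


def case_transitions(name):
    """Count upper/lower flips between consecutive letters; random names flip a lot."""
    letters = [c for c in name if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def score_run_entry(name, command):
    """Return the reasons an autorun value looks like a dropped persistence stub."""
    reasons = []
    cmd = command.lower()
    first = cmd.split()[0].strip('"')          # the program actually launched
    host = first.rsplit("\\", 1)[-1].split(".")[0]
    if any(d in cmd for d in TEMP_DIRS):
        reasons.append("runs from a temp directory")
    if host in SCRIPT_HOSTS:
        reasons.append("launched via a script host")
    if SCRIPT_FILE.search(cmd):
        reasons.append("invokes a script file")
    if case_transitions(name) >= 4:             # heuristic threshold, assumed
        reasons.append("random-looking value name")
    return reasons


def find_suspicious(entries, min_reasons=2):
    """Parse exported entries and return (key, name, reasons) for the suspicious ones."""
    hits = []
    for line in entries:
        key, name, command = line.split("|", 2)
        reasons = score_run_entry(name, command)
        if len(reasons) >= min_reasons:
            hits.append((key, name, reasons))
    return hits


if __name__ == "__main__":
    for key, name, reasons in find_suspicious(SAMPLE_RUN_ENTRIES):
        print(f"{key}\\{name}: {', '.join(reasons)}")
```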


We want to accept the connection from the owned machine after the reboot, so we have to create a handler listening on port 5555. The exploit/multi/handler module is what we are looking for. Let's read about this module to configure it properly.


There aren't any options to configure in the handler itself, so we can go ahead and set the payload and configure that instead. We want to handle a reverse TCP Meterpreter connection on port 5555, so our payload will be windows/meterpreter/reverse_tcp.



LHOST for the listener is set to 192.168.99.100, which is the IP address of our machine, and LPORT is set to 5555. Now all we have to do is run the listener as a job (that is, in the background).


Now that the listener is ready to accept connections, let's go back to the Meterpreter session and reboot the victim's machine. If everything is set correctly, we should be able to maintain access to the attacked host.


I rebooted the machine from a cmd console with the shutdown /r /f command. As you can see, a new Meterpreter session was established automatically during boot, and the first Meterpreter session died because of the reboot. This means that we achieved persistence and the backdoor works as intended. Now it's time to gather some information about the compromised machine. The Metasploit framework has a folder named post. Inside this directory there are plenty of post-exploitation modules to use from within a Meterpreter session. We can, for example, check which applications are installed on the host with post/windows/gather/enum_applications.



We can even check what users are currently logged in! The post/windows/gather/enum_logged_on_users module will help us with this.


It's quite scary, but Metasploit also has an exploit suggester module that scans the compromised machine for local vulnerabilities for which Metasploit has exploits. This module lives at post/multi/recon/local_exploit_suggester.


There are a couple of ways to own the victim's machine again, just in case. Suppose that the victim removes our backdoor's registry entry. Then we could try one of the exploits listed above, or we could simply log in to the Administrator account, since it's easy to dump the hashes of the local accounts. The hashdump module is responsible for this kind of work. I will dump the password hashes to the attacking machine and try to crack them with John the Ripper.


John has cracked the password for the Administrator account of the compromised machine. This password is simply "password". The last goal of this lab is to find and download the file Congrats.txt. This task is very simple with the help of the Meterpreter.


I should now have this file in my home directory.


That was the last goal of the lab. Thank you for reading and have a nice day!
