EH-13-L1 Ethical Hacking Final Project

The document outlines a penetration testing project focused on uncovering hidden information related to a former web development manager. It details the steps taken to crack a password-protected file, investigate its contents, scan for vulnerabilities in a Linux machine, and ultimately achieve root access to obtain the root user's password hash. The project utilized various tools and techniques, including Kali Linux, Metasploit, and nmap, to successfully navigate through the investigation process.

Christopher Dix – NJIT-CS-03 – April 2021

EH-13-L1 Ethical Hacking Final Project

Project Scenario: Working as a penetration tester, a manager asks for help investigating potential hidden
information. The company’s web development manager was recently let go; she was known to have worked
with other employees on web development tasks that were against company regulations. It is suspected that
these projects were hidden via a web-based application, but, upon resetting the former web development manager’s
password and accessing her computer, nothing outwardly incriminating was found except for one encrypted,
compressed file. This file seems out of place, but no matching password could be found for it. The objective of
this project is to obtain the password for the compressed file and find out what information was hidden.
Project Overview / Steps:
1. Find out the password for the compressed file.
2. Study the compressed file’s content and investigate any suspicious-looking files.
3. When linked together, it is found that some of the files comprise a website with a login page, but one
of the files is not part of the website. Investigate the website to obtain another clue.
4. Study the website’s source code to find a hidden, encoded string.
5. The encoded string is decoded to PHP code that can be set up as a PHP file to lead to the next step.
6. Upon scanning the network, a Linux machine is discovered that is not part of the original workspace.
Investigate this machine to find a way inside it and continue the investigation.
7. A scan of the machine reveals many open ports, and management requests that this information be
exported into a report for further review. It is also requested to find vulnerabilities in the vsftpd and
Samba services running on that system, since the old web development manager specialized in those
services. Try to obtain access to the machine via each of those services.
8. As a first step in investigating those services, the system is accessed and privilege escalation to root
access level is attempted.
9. Navigating in the system, it is found that the udev process is running. Enumerate its version and note
how it can be used for privilege escalation.
10. After obtaining root access to the machine, management requests that you obtain the password hash for
the root user.
Environment Setup:
Virtual machines were set up within Oracle VM VirtualBox to create the environment for this project.
• A VM running the latest version of Kali Linux will be used as the main system for this project.
• A 64-bit Ubuntu system was created using the provided Metasploitable.vmdk hard disk file.
• A VM running pfSense was used to create a private, internal network for the other machines in the
environment, while also providing Internet access through the host machine’s network.
Task 1: Cracking Files
The aim of this first task is to crack the password that protects the provided RAR archive and extract the data.
• The provided CrackMeIfYouCan.rar file was transferred onto the Kali system.

• An attempt was made to extract the RAR archive, and it was verified that password protection is in
place.

• The rar2john tool was used to extract the password hash from the archive file into a separate file
named hash.txt.

• The John the Ripper tool was used, along with the rockyou.txt dictionary, to crack the archive’s
password hash. The password was found to be letmein.
• The data within the RAR archive was extracted using the cracked password.
Task 2: File Investigation
Now that the contents of the RAR archive have been extracted, they will be further investigated for additional
information.
• The contents of the extracted archive include a PHP file and a CSS file, along with a text file named secret
only i would know.txt.

• Due to the suspicious filename, the secret only i would know.txt file was first investigated.
Upon reading the contents of this file, it appeared to contain several hashes.

• Since the hashes in the file had several different character lengths, it appeared that several different
hashing algorithms were used. To quickly look them all up, the online tool
https://hashes.com/en/decrypt/hash was used. SHA1, NTLM, MD5, and SHA512 hashes were found in
the file, and they collectively resolved to “username is xyzxyz password is and
Pa$$w0rd the”.
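The hashes in that file are bare, unsalted digests of short words, which is why a lookup service resolves them instantly. The following Python script, added here as an illustration and not part of the original report, shows the two steps a practitioner can do locally instead of pasting evidence hashes into a third-party site: guess the algorithm from the digest length (MD5 and NTLM are both 32 hex characters, so both must be tried), then confirm a candidate plaintext against the hash. The sample lines are constructed from made-up words, not the report's hashes; the NTLM branch assumes OpenSSL still exposes MD4 and degrades gracefully if it does not.

```python
import hashlib
import re

# Digest length in hex characters -> algorithms that produce it. MD5 and NTLM both
# yield 128 bits, so a 32-character hash has to be checked against both.
HEX_LENGTH_TO_ALGOS = {32: ["MD5", "NTLM"], 40: ["SHA1"], 64: ["SHA256"], 128: ["SHA512"]}


def identify_hash(h):
    """Return the algorithms a bare hex digest of this length could come from."""
    h = h.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", h):
        return []
    return list(HEX_LENGTH_TO_ALGOS.get(len(h), []))


def digest_for(algo, text):
    """Hex digest of text under algo; None when the algorithm is unavailable."""
    if algo == "NTLM":
        try:  # NTLM is MD4 over UTF-16LE; MD4 is a legacy provider and may be disabled
            return hashlib.new("md4", text.encode("utf-16le")).hexdigest()
        except ValueError:
            return None
    return hashlib.new(algo.lower(), text.encode("utf-8")).hexdigest()


def verify_candidates(h, candidates):
    """Return (algorithm, plaintext) for the first candidate that reproduces the hash."""
    h = h.strip().lower()
    for algo in identify_hash(h):
        for word in candidates:
            if digest_for(algo, word) == h:
                return algo, word
    return None


def resolve_hash_file(lines, candidates):
    """One (hash, possible algorithms, match-or-None) tuple per non-empty line."""
    results = []
    for line in lines:
        h = line.strip()
        if not h:
            continue
        results.append((h, identify_hash(h), verify_candidates(h, candidates)))
    return results


# Constructed sample file: digests of made-up words in the same style as the
# report's text file, plus one junk line. Not the values from the project.
SAMPLE_LINES = [
    digest_for("SHA1", "username"),
    digest_for("MD5", "is"),
    digest_for("SHA512", "xyzxyz"),
    "not-a-hash",
]
CANDIDATES = ["password", "is", "username", "xyzxyz", "the", "and"]

if __name__ == "__main__":
    for h, algos, match in resolve_hash_file(SAMPLE_LINES, CANDIDATES):
        print(f"{h[:16]}... could be {algos or 'no known algorithm'} -> {match}")
```

Because none of the candidates are salted, a single hash comparison per word is all that is needed; that is exactly the property that makes this storage format unsuitable for real credentials.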
• The other two files from the archive, index.php and style.css, seem like they could possibly
combine to form a webpage. To investigate this, these files were hosted in an Apache Web Server from
the Kali machine.

• Upon navigating to the webpage in a browser, it appears to be a login page. The page’s source code,
network file transfers when loading the page, and cookies stored by the page were all inspected, but no
additional information of interest was found.
• A login from this page was attempted using the xyzxyz username and Pa$$w0rd password noted in
the secret only i would know.txt file. This login was successful and reloaded the same PHP
file (with the login parameters passed in the URL) with a message stating “You are so close..”. The
network transfers and cookie storage of this page were inspected, and no additional information of
interest was found. However, in inspecting the page’s source code, a commented line was found which
seems to contain a Base64-encoded string.

• The hURL command-line utility was used within Kali to decode the commented string, which appeared
to be HTML code. (Syntax: hURL -b [encodedString])
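Finding a Base64 string inside an HTML comment is a manual step in the report; the Python script below, an added example rather than anything from the project, automates it: it pulls every HTML comment out of a page, keeps only those whose body fits the Base64 alphabet and length rule, and reports the ones that decode to printable text. The sample page is constructed here to look like the login page described above; the hidden HTML it encodes is made up, and decoy comments are included to show what gets filtered out.

```python
import base64
import binascii
import re

# Constructed sample page modelled on the report's login page. The Base64 string in
# the first comment is built from made-up HTML below, not taken from the project files.
HIDDEN_HTML = "<h1>Find me in the network!</h1>"
SAMPLE_PAGE = (
    "<html><body>\n"
    "<form method=\"get\" action=\"index.php\">\n"
    "  <input name=\"username\"> <input name=\"password\" type=\"password\">\n"
    "</form>\n"
    "<p>You are so close..</p>\n"
    "<!-- " + base64.b64encode(HIDDEN_HTML.encode()).decode() + " -->\n"
    "<!-- TODO: tidy up the CSS -->\n"   # ordinary comment: spaces, not Base64
    "<!-- abcdefgh -->\n"                # Base64 alphabet, but decodes to binary junk
    "</body></html>\n"
)

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def find_encoded_comments(html):
    """Return (token, decoded_text) for every HTML comment that is printable Base64."""
    hits = []
    for body in COMMENT_RE.findall(html):
        token = body.strip()
        # Base64 comes in 4-character groups; short or mixed tokens are not worth trying.
        if len(token) % 4 or not B64_TOKEN_RE.fullmatch(token):
            continue
        try:
            raw = base64.b64decode(token, validate=True)
            text = raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            hits.append((token, text))
    return hits


if __name__ == "__main__":
    for token, text in find_encoded_comments(SAMPLE_PAGE):
        print(f"{token[:24]}... decodes to: {text}")
```

The same scan is useful from the defender's side: run it against your own deployed pages to catch leftover developer comments, which in this scenario carried the next clue and in production often carry credentials or internal hostnames.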
• The decoded HTML was saved to a file entitled decoded.html and copied onto the Apache server.

• Upon opening that decoded.html file in a web browser, the page displays a picture of the VirtualBox
logo, and a browser pop-up alert is shown saying “Find me in the network!”. This could imply
continuing the investigation by scanning the project environment and investigating another system.
• An nmap ping scan was performed on the project environment, revealing the Metasploitable system as
an additional machine (not part of the original scenario’s workspace). This machine will be further
investigated. Various flags within nmap were used to help evade the firewall and IDS running within
pfSense: the -f flag runs the scan using tiny, fragmented IP packets, and the --data-length flag
appends additional, random data to the sent packets.
Task 3: Vulnerability Scanning
In this stage, the discovered Linux machine will be scanned for vulnerabilities and exploited to remotely
connect to the machine.
• Reconnaissance was performed on the Metasploitable machine from the Kali system using nmap. A
TCP SYN port scan was completed on all ports (-p- and -sS flags), along with OS detection (using
TCP/IP stack fingerprinting), service enumeration and version detection, script scanning using the
default NSE scripts, and traceroute (-A flag). Aggressive OS guessing was performed (--osscan-guess
flag) to get a better prediction of what operating system the machine could be running. The scan
was set to run at -T4 speed, and the scan was broken into smaller, fragmented IP packets using the -f
flag to avoid IDS detection. The output of the scan was exported to an XML file, named scan.xml.

• The XML output of the nmap scan was converted to an HTML report using the xsltproc utility.
(Please see attached for the HTML-formatted scan report.)
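The xsltproc conversion produces the HTML report management asked for, but the XML is also easy to process directly when you need to pull out specific services for review. The Python script below is an added example, not the project's own code: it reads nmap's -oX output with the standard library, lists only open ports with their product and version, and flags the services named in the task (vsftpd and Samba). The XML is a constructed sample whose ports and versions mirror what the report lists for the lab machine; the host address is a documentation placeholder, not the report's.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX style output. Ports and versions follow the report; the
# address 192.0.2.10 is a placeholder from the documentation range, not the lab host.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -p- -A -oX scan.xml TARGET">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="open" reason="syn-ack"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.0.20-Debian" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.0.20-Debian" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="3632">
        <state state="open" reason="syn-ack"/>
        <service name="distccd" product="distccd" version="v1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="filtered" reason="no-response"/>
        <service name="ssh"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return one dict per open port, sorted by host and port number."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are noise in a management report
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            rows.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
            })
    return sorted(rows, key=lambda r: (r["host"], r["port"]))


def flag_services(rows, watchlist):
    """Keep only rows whose product matches a name management asked to review."""
    wanted = [w.lower() for w in watchlist]
    return [r for r in rows if any(w in r["product"].lower() for w in wanted)]


def render_text_report(rows):
    """Plain-text table: one header line plus one line per open port."""
    lines = [f"{'HOST':<15} {'PORT':>5}/PROTO  {'SERVICE':<13} PRODUCT / VERSION"]
    for r in rows:
        lines.append(
            f"{r['host']:<15} {r['port']:>5}/{r['proto']:<5}  "
            f"{r['service']:<13} {r['product']} {r['version']}".rstrip()
        )
    return "\n".join(lines)


if __name__ == "__main__":
    open_ports = parse_open_ports(SAMPLE_XML)
    print(render_text_report(open_ports))
    print("\nRequested for review:")
    print(render_text_report(flag_services(open_ports, ["vsftpd", "Samba"])))
```

Reading the XML rather than the terminal output also keeps the version strings exact, which matters when checking a banner such as vsftpd 2.3.4 against an advisory or a patch baseline.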
• A telnet connection to the Metasploitable system from the Kali machine was successfully established.
Anonymous login was not allowed; however, the splash screen upon establishing the connection
provided a set of credentials which allowed successful login as the local user.
• It was requested to investigate vulnerabilities specifically in the vsftpd and Samba services and to try
to obtain access to the machine via each of them.
o The Metasploit logging database was initialized and started so that the actions performed could be
documented.
o From the nmap scan results, it is known that:
▪ Version 2.3.4 of the vsFTPd service is running on port 21.
▪ Version 3.0.20-Debian of Samba (the smbd service) is running on ports 139 and 445.
o The Metasploit framework console was started, and the connection to the logging database was
verified. (NOTE: To log the host scan along with the other activities (not shown in the screenshot), the
db_nmap command was used within the Metasploit console, with the same flags as regular nmap.)
• A search was made for Metasploit modules relating to the vsftpd service, and only one
exploit was found. That exploit was selected, along with the default payload of an interactive UNIX
shell. The remote host option was set for the exploit, and, upon running it, a successful command shell
at root privilege level was established.
• While maintaining the connection via the vsftpd exploit, another Metasploit terminal session was
opened to search for vulnerabilities in the Samba service. The three highlighted exploits were
investigated:
o linux/samba/is_known_pipename: triggers an arbitrary shared library load vulnerability;
NOT compatible with the installed version of Samba.
o linux/samba/trans2open: remote buffer overflow; NOT compatible with the installed
version of Samba.
o multi/samba/usermap_script: exploits a command execution vulnerability; payload =
reverse shell options; compatible with the installed version of Samba.

• The multi/samba/usermap_script exploit was successfully executed to obtain another root-level
shell into the Metasploitable system. (Note: the set RHOSTS 192.168.2.21 command, not shown in
the screenshot, was used to specify the target.)
• Since Samba is running on the system, the smbclient tool was used as another attack vector to
successfully create an anonymous connection.

• In order to maintain persistent access to the machine, the /unix/misc/distcc_exec exploit was used
to make another connection. This exploit uses a documented security weakness in the DistCC daemon,
which, according to the nmap scan, is known to be running on port 3632. After selecting the exploit,
setting the target host IP, and attempting to run the exploit, I received an error that no payload has been
selected (since there is no default payload with this exploit). Upon viewing the available payloads, I
first tried a Reverse TCP Bash shell (cmd/unix/reverse_bash), which did not work. I then chose
the first option, a UNIX command shell established by binding TCP via Perl (cmd/unix/bind_perl),
and this payload did successfully establish a command shell with the user daemon (not root-level
access).
Task 4: Privilege Escalation
The goal of this task is to elevate the shell obtained via the /unix/misc/distcc_exec exploit to
root-level access and obtain the hash for the root user.
• After gaining access to the machine, the ps aux command was used to enumerate the running
processes, which were reviewed for additional vulnerabilities. (NOTE: Command output not entirely
shown in screenshot.)

• It was noticed that the udev daemon was running on the system. Upon further enumeration, it was
found that the running version of udevd is vulnerable to an exploit that can be used to perform
privilege escalation.

• A search was made for applicable udev vulnerabilities within Metasploit and using searchsploit.
The second result (highlighted), applicable to the Metasploitable system (as per the information from
the nmap scan), will be used.
• The file for the chosen exploit was copied onto the already-running web server on the Kali system
(from earlier in the project).

• From within the command shell created in Metasploit (with the /unix/misc/distcc_exec exploit),
the wget command was used to download the exploit file onto the system (from the web server on the
Kali machine).

• The gcc compiler was used to compile the exploit source code into a binary output file, entitled 8572.

• Upon doing research on the exploit (reference https://www.exploit-db.com/exploits/8572), it was
explained that the exploit will execute as root whatever is stored in the /tmp/run file. Thus, to set up
a payload, a shell script was stored in /tmp/run which uses a netcat socket on port 3456 to
remotely execute shell commands.

• In a new terminal window on the Kali system, the netcat command was used to start listening for the
connection on port 3456.
• On the Metasploitable system (using the established connection), execution permission was given to the
compiled exploit using the chmod command.

• As per the exploit documentation, the compiled code is to be run with the process ID of the udevd
netlink socket passed as a parameter. This PID was obtained, and the exploit was executed.
• After running the compiled exploit, the netcat connection was successfully made to the Kali machine,
creating an interactive shell. Running whoami reveals that this shell is running as root and that the privilege
escalation was successful. Within this shell, the contents of the /etc/shadow file were obtained in
order to access the password hash for the root user, completing the final goal of this project.
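The root hash from /etc/shadow is the deliverable here, and what a defender does with such a file is check which crypt scheme each account uses: legacy DES crypt and md5crypt entries fall to dictionary attacks far faster than sha512crypt, bcrypt or yescrypt. The following Python script is an added example, not part of the report, that reads shadow-format lines, classifies the hash field by its `$id$` prefix (or the 13-character DES form), and lists the accounts whose hashes should be re-hashed on next login. The sample lines are constructed in the correct format with made-up hash strings; they are not the lab machine's entries.

```python
import re

# Constructed /etc/shadow-style lines. Hash fields are made-up strings in the right
# format for each scheme; none of them are the lab machine's real entries.
SAMPLE_SHADOW = """root:$1$AAAAAAAA$BBBBBBBBBBBBBBBBBBBBBB:18000:0:99999:7:::
webdev:$6$SALTSALT$ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
legacy:abJnggxhB/yWI:18000:0:99999:7:::
svc:!:18000:0:99999:7:::
"""

# Modular-crypt prefix -> (scheme name, rating). md5crypt is fast and unsalted-ish
# by modern standards (8-char salt, 1000 rounds), hence "weak".
PREFIX_SCHEMES = {
    "$1$": ("md5crypt", "weak"),
    "$2a$": ("bcrypt", "ok"),
    "$2b$": ("bcrypt", "ok"),
    "$2y$": ("bcrypt", "ok"),
    "$5$": ("sha256crypt", "ok"),
    "$6$": ("sha512crypt", "ok"),
    "$7$": ("scrypt", "ok"),
    "$y$": ("yescrypt", "ok"),
}


def classify_hash(field):
    """Return (scheme, rating) for one shadow hash field."""
    if field in ("", "*") or field.startswith("!"):
        return ("locked", "n/a")  # no password login possible
    for prefix, scheme in PREFIX_SCHEMES.items():
        if field.startswith(prefix):
            return scheme
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return ("descrypt", "weak")  # traditional 13-char DES crypt, 8-char passwords max
    return ("unknown", "review")


def audit_shadow(text):
    """One finding per account: user, scheme and rating."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not parts[0]:
            continue
        scheme, rating = classify_hash(parts[1])
        findings.append({"user": parts[0], "scheme": scheme, "rating": rating})
    return findings


def weak_accounts(text):
    """Accounts whose stored hash uses a scheme that cracks quickly."""
    return [f["user"] for f in audit_shadow(text) if f["rating"] == "weak"]


if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f['user']:<10} {f['scheme']:<12} {f['rating']}")
    print("re-hash on next login:", weak_accounts(SAMPLE_SHADOW))
```

On a current Debian or Ubuntu host the default scheme is set by the ENCRYPT_METHOD line in /etc/login.defs; an entry that still starts with `$1$` or has the bare 13-character form was created before that default was raised and keeps its old hash until the password is changed.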

• The Metasploit session activity log was exported to an XML file (please see attached).
