eJPT - 3.3 The Metasploit Framework (II)
HmadLinux Exploitation
View some of the notes for this section here - Enumeration Page.
FTP Server
Firstly, let's run an Nmap scan. We can see that vsftpd is running on port 21. We can now search for vsftpd and we see that we have an exploit module (vsftpd_234_backdoor). To open a command shell on the target, we can type /bin/bash -i .
To upgrade our shell to a meterpreter session, we can search for the shell_to_meterpreter module.
SAMBA
We can run an Nmap scan and we see that it has samba open on port 445. We can search for the module is_known_pipename. Once we have obtained a shell. We can upgrade it to a meterpreter session as previously done.
SSH
Again, let's run an Nmap scan and we can see that it's running libssh on port 22. We can use the module libssh_auth_bypass to test if its vulnerable to this exploit. We can now upgrade it to a meterpreter session as previously done.
SMTP
After running our Nmap scan, we see that smtp is running on port 25 and more specifically haraka. We can use the exploit module haraka to exploit the server.
Post-Exploitation Fundamentals
These are the actions performed on the target system after initial access has been obtained. This will generally consist of various techniques:
Local enumeration
Privilege escalation
Dumping hashes
Establishing persistence
Clearing your tracks
Pivoting
Meterpreter Fundamentals
It's an advanced multi-functional payload that operates via DLL injection and is executed in memory on the target system, consequently making it difficult to detect. It communicates over a stager socket and provides an attacker with an interactive command interpreter on the target system that facilitates the execution of system commands, file system navigation, keylogging, etc.
Meterpreter also allows us to load custom scripts and plugins dynamically. Note that it works different on both Linux and Windows for more advanced commands or techniques.
In this case, we will be exploiting the Apache XODA server for which there is a Metasploit module called xoda_file_upload. We will now have a meterpreter session on the target.
Some Useful Commands:
| Command | Description |
sysinfo | To show OS information and kernel version |
getuid | This will show what permissions we currently have |
help | To open up the documentation |
background | This will keep the session open but, in the background |
exit | To completely kill the session |
sessions | To list out our active sessions |
search | You can specify the directory or file path you want to search in |
shell | To get a native command prompt or shell on the target system |
ps | This will list out the processes currently on the system by their index / process ID |
migrate | We can use this to migrate to a specific process followed by the process ID |
execute | This is to execute a command on the target system without opening a shell |
To upgrade a command shell to a Meterpreter shell - using the shell_to_meterpreter module. Another method to do this is to automate the process is to run the sessions command followed by -u and then the session ID.
Windows Post-Exploitation
We can utilize these post-exploitation modules to enumerate the following information about the Windows system we currently have access to:
User privileges
Logged on users
Virtual machine check
Installed programs
Anti-virus
Computers connected to that domain
Installed patches
Shares
Some Useful Windows Meterpreter Commands
| Command | Description |
getsystem | Attempts to elevate privileges to that of administrator |
hashdump | Dumps all the hashes on the system |
enumdesktops | Lists all the accessible Windows stations and desktops |
keyscan_start | Start a keylogger on the target |
show_mount | This will list out the drives or mounts mounted on the target system and type |
getprivs | This will show the privileges that you have |
Some Useful Windows Post-Exploitation Modules
| Module | Description |
archmigrate | Elevate the meterpreter session from 32-bit to 64-bit |
win_privs | Enumerates the privileges of the current user on the target |
enum_logged_on_user | Will check if we have any current or previous logged on users and SID |
checkvm | This to check if it’s a virtual machine |
enum_applications | This will tell us what programs are installed on the target system |
enum_av_excluded | Enumerates what folders are excluded from the AV scans |
enum_computers | This will tell us if the host is parts of a domain |
enum_patches | Enumerates the installed patches |
enum_shares | Enumerates the shares |
enable_rdp | To check whether RDP is enabled on the target system |
If the enum_patches module fails, you can always enumerate the same information by opening up a shell on the target and running the systeminfo command.
Bypassing UAC
UAC stands for User Account Control. It's a security feature introduced in Windows Vista that is used to prevent unauthorized changes from being made to the OS and would require approval from the administrator.
A non-privileged user attempting to execute a program with elevated privileges will be prompted with the UAC credential prompt whereas a privileged user will be prompted with a consent prompt. Attacks can bypass UAC in order to execute malicious executables with elevated privileges.
In order to successfully bypass UAC, we will need to have access to a user account that is part of the local administrators group on the Windows target system. UAC has various integrity levels ranging from low to high, if the UAC protection level is set below high, Windows programs can be executed with elevated privileges without prompting the user for confirmation.
UACMe is an open source, robust privilege escalation tool. it can bypass UAC on multiple versions of Windows ranging from 7 to 10. It allows attackers to execute malicious payloads on a Windows target with elevated privileges by abusing the inbuilt Windows AutoElevate tool. The GitHub repository has more than 60 exploits than can be used to bypass UAC depending on the version of Windows running on the target. You can find the GitHub page here.
Once we have exploited the target, and we have a 64-bit meterpreter session, we can see that the user which we gained access to is part of the administrators group. To bypass UAC with Metasploit, we can use the bypassuac_injection module which will execute it in memory. Now that we have the privileges requires, we can use the getsystem command.
You can view some related UAC notes here.
Token Impersonation with Incognito
Windows access tokens are a core element of the authentication process on Windows and are created and managed by LSASS (Local Security Authority Subsystem Services). A token is responsible for identifying and describing the security context of a process or thread running on a system.
Access tokens are generated by the winlogon.exe process every time a user authenticates successfully and includes the identify and privileges of the user account associated with the thread or process. This token is then attached to the userinit.exe process, after which all child processes started by a user will inherit a copy of the access token from their creator and will run under the privileges of that access token.
Windows access tokens are categorized based on two types of the level tokens which determine which privileges are assigned to what token:
Impersonate level tokens
Delegate level tokens
Impersonate level tokens are created as a direct result of a non-interactive login on Windows, typically through specific system services or domain logons. They can be used to impersonate a token on the local system and not on any external systems that utilize the token.
Delegate level tokens are typically created through an interactive login on Windows, primarily through a traditional login or through remote access protocols, like RDP. These tokens pose the largest threat as they can be used to impersonate tokens on any system.
The process of impersonating access tokens to elevate privileges on a system will primarily depends on the privileges assigned to the account that has been exploited to gain initial access as well as the impersonation or delegation tokens available. You need one of the following tokens (primarily the SeImpersonatePrivilege token) to perform a successful impersonation attack:
SeAssignPrimaryToken- allows a user to impersonate tokensSeCreateToken- allows a user to create an arbitrary token with administrative privilegesSeImpersonatePrivilege- allows a user to create a process under the security context of another user typically with administrative privileges
In order to perform this attack, we will be using a Metasploit module called incognito which allows you to impersonate user tokens after successful exploitation. We can use it to display a list of available tokens that we can impersonate. In this case, the target is also vulnerable to the rejetto_hfs_exec Metasploit module that we used previously.
In this case, if you run the getprivs command within the Meterpreter session, we have access to the SetImpersonatePrivilege privilege. To now use the tool incognito within meterpreter:
load incognito
list_tokens -u
impersonate_token "the name of the token you want to impersonate"
We can now migrate to the explorer process, and we will have elevated privileges.
In the case that we do not find any useful or administrative tokens to impersonate; we can utilize the potato attack which will cover later.
Dumping Hashes with Mimikatz
Mimikatz is a Windows post-exploitation tool that allows for the extraction of clear-text passwords, hashes and Kerberos tickets from memory. We can use it to extract hashes from the lsass.exe process memory where hashes are cached. We can use the pre-compiled Mimikatz executable or if we have access to a meterpreter session, we can use Kiwi. We will require elevated privileges to run this.
The first step, as usual is to perform an Nmap scan. We can see that the target is running a BadBlue service on port 80. There is a Metasploit module to exploit this called badblue_passthru. Once exploited, we will have administrator privileges, and we can now migrate to the LSASS service and we will therefore have the highest privileges.
We can now load kiwi in our meterpreter session and dump all the credentials or we could dump the SAM database, which will dump the hashes for all the user accounts on the system.
creds_all
lsa_dump_sam
Alternatively to using Mimikatz, we can use our current meterpreter session and navigate to the Temp directory. We can then upload the Mimikatz executable on the target system.
upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
We can then open up a shell session and run the executable. The first thing would be to check our privileges after we have run the executable and then we can dump the SAM database.
privilege::debug
lsadump::sam
lsadump::secrets
Another useful thing we can run with Mimikatz is that if the system is set to log the logon passwords in cleartext, we can view them by running sekurlsa::logonpasswords.
Pass-the-Hash attack with PsExec
It is an exploitation technique that involves capturing or harvesting NTLM hashes or clear-text passwords and utilizing them to authenticate with the target legitimately. This will allow us to gain access as opposed to obtaining access via service exploitation.
We can use the Metasploit PsExec module or the Crackmapexec tool to do this. You need the LM hash as well as the NTLM hash to do this.
The exploit module within Metasploit is:
exploit/windows/smb/psexec
set SMBUser (username)
set SMBPass (LM_hash:NTLM_hash)
You will have to set a target to get a meterpreter session.
crackmapexec smb (target ip) -u (username) -H "NTLM Hash" -X "any command you'd like to run"
Establishing Persistence
Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Gaining an initial foothold is not enough, we have to setup and maintain persistent access to your targets.
Note that to setup persistence, we will need elevated privileges. We can use any of the Windows persistence module available but the module we are looking for is the persistence_service module. Once we have run the module, we can then setup our multi/handler to connect back to the target whenever we need to re-gain access.
Enabling RDP
After gaining access, we can use the Metasploit module enable_rdp. Since we need cleartext credentials for this, we can crack the hashes or just change the administrator password (which is obviously not recommended in a real scenario). To do this, open up a shell and run the following command:
net user administrator password_123
Alternatively, we can use the xfreerdp tool to connect:
xfreerdp /u:administrator /p:password_123 /v:target_ip
Keylogging
This is the process of recording or capturing the keystrokes entered on a target system. It's not limited to post-exploitation, there are plenty of programs and USB devices can be used to capture and transmit the keystrokes entered on a system. We can perform keylogging using meterpreter.
Firstly, we need to migrate to the explorer process, and we can use the keyscan_dump, keyscan_start and keyscan_stop.
Clearing Windows Event Logs
Windows stores and catalogues all actions/events performed on the system and stores them in the Windows Event log. They are categorized based on the type of events they store:
Application logs - stores application/program events like start-ups, crashes, etc.
System logs - stores system events like start-ups, reboots, etc.
Security logs - stores security events like password changes, authentication failures, etc.
Event logs can be accessed via the Event Viewer on Windows. It is very important to clear your tracks after the assessment as the event logs are the first stop for any forensic investigator after a compromise has been detected. To clear the event logs with meterpreter, all you have to do is type clearev. Note that you have to have administrator privileges to do this.
Pivoting
This is a post-exploitation technique that involves utilizing a compromised host to attack other systems on the compromised host's private internal network. After gaining access to the host, we can use the compromised host to exploit other hosts on the same internal network to which we could not access previously.
Since we have gained access to the first target, to pivot to the second target, we add a route using the following meterpreter command:
run autoroute -s 10.10.10.0/20 (replace with target_ip followed by subnet)
We can now run a port-scanning auxiliary module to run a scan from the first target system. Since we can see that port 80 is open and we'd like to scan it, we have to forward it to our system. We can do this from our meterpreter session on target 1.
portfwd add -l 1234 (our port to listen on) -p 80 (port to forward) -r 10.10.10.10 (target2_ip)
We can now run an Nmap scan within Metasploit on target 2.
db_nmap -sS -sV -p 1234 localhost
Since we can see that it is also running the Bad Blue service, we can exploit it, but we have to set the payload to a bind connection as a reverse connection will not work.
set payload windows/meterpreter/bind_tcp
Linux Post-Exploitation
Again, the objective is the same as we would do for Windows - but this time for Linux. We can enumerate some extra information on Linux systems via opening up a command shell:
| Command | Description |
cat /etc/passwd | Lists out the other user accounts in the system |
groups (user_name) | To find out what groups the user is part of |
cat /etc/*issue | Enumerates the release version |
uname -r | Gives you the kernel version |
uname -a | Gives you the host name, kernel information, architecture and more |
ip a s | Lists out all the interfaces on the target system |
netstat -antp | Lists out the various services that are running on open ports |
ps aux | Lists out the processes on the system |
enf | Enumerates the environment variables |
Some Useful Windows Post-Exploitation Modules
| Module | Description |
enum_config | Will get all the Linux configuration files on the system |
gather/env | Gather the OS environments settings |
enum_network | Enumerate network information |
enum_protections | Checks for protection systems / system hardening on the Linux system |
enum_system | Performs system enumeration |
checkcontainer | Checks if it's a docker container |
checkvm | Checks if it's a virtual machine |
enum_users_history | Enumerates the user command history on the target system |
Linux Privilege Escalation
Metasploit offers very little with regards to Linux kernel exploit modules, however, is some cases, there may be an exploit module that can be utilized to exploit a vulnerable service or program in order to elevate our privileges.
Once we have gained initial unprivileged access to the target system, let's upgrade our shell session to a meterpreter session and then spawn a bash session. Now, let's have a look at the process tree using the ps aux command.
We can see that there is a binary which is run by the root user. Let's cat out the contents of the /bin/check-down process. We can see that chrootkit is running. In this case, chrootkit is vulnerable to an exploit. We can use the Metasploit module to exploit it. We need to select the path to the chkrootkit path and run it. Then it will wait for the Cron job to run, and we will have elevated privileges.
Dumping Hashes with Hashdump
Hashdump is a post-exploitation module. It is a direct command within meterpreter that work on Windows systems but we will have to use the module for Linux systems.
Linux password hashes are stored in the /etc/shadow file and can only be accessed by the root user or a user with root privileges. The hashdump module can be used to dump the hashes from the /etc/shadow file and to unshadow the hashes for password cracking with John the Ripper.
Establishing Persistence
In order to establish persistence on a Linux system, you will require root privileges.
The first way to do this, is to set up a backdoor user that will allow us to reconnect to the system. This will only work if the system is running SSH. We can do this by opening up a bash shell.
useradd -m ftp (or other username) -s /bin/bash <-- Create the user
passwd ftp <-- Setting the password
usermod -aG root ftp <-- Adding user to root group
usermod -u 15 ftp <-- Modifies the account ID
One Metasploit module we can use to establish persistence is cron_persistence or sshkey_persistence or service_persistence.
Metasploit GUIs
Armitage
Armitage is a free Java based GUI front-end for the Metasploit Framework. It's used to simplify network discovery, exploitation and post-exploitation.
Armitage requires the MSF database and the Metasploit backend services to be enabled and running in order to function correctly. It comes pre-packaged with Kali Linux. So once you have Metasploit started up and running, you can type armitage in the terminal to open it up.
That’s it for this section. Next one up is the CTF or skill check that iNE has put up.
— Hmad
Subscribe to my newsletter
Read articles from Hmad directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
Hmad
Hmad
I'm a cybersecurity enthusiast with a growing focus on offensive security. Currently studying for the eJPT & ICCA, building hands-on projects like Infiltr8, and sharing everything I learn through blog posts and labs.