After a break of several months, I have finally pushed myself to start writing information security blog posts again. I hope to deliver valuable information to my readers. This time I will be starting with walkthroughs and privilege escalation of vulnerable machines / capture the flag (CTF) exercises.
I picked the Metasploitable virtual machine, an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Metasploitable version 2 can be downloaded from here. The virtual machine is compatible with VirtualBox, VMware and other common virtualization platforms. In this post we will cover privilege escalation on the Metasploitable 2 machine.
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user – read more.
Note: Before attempting privilege escalation we first need a limited (unprivileged) shell on the target.
In Metasploitable 2, a limited shell can be obtained through several of the services running on the system.
1. We used nmap (Network Mapper) to enumerate the running services and found telnet running on Metasploitable 2 with a default username and password.
Telnet is a program used to establish a connection between two computers. It is inherently insecure because it transmits everything, including the login credentials, in clear text.
On the Kali box, open a terminal and telnet to the Metasploitable VM. Log in with the ‘msfadmin:msfadmin’ credentials.
2. The logged-in user is msfadmin (not the root account).
3. The following is the Linux version (out of date).
4. Using the Linux kernel version, I searched for an exploit for it. Luckily, I found one.
5. I downloaded the exploit and saved it into a file named exploit with the vim editor. After that, I renamed the file with a .c extension (C language source).
6. Let us look at the exploit.
7. Compile the C source into a binary named exploit with the gcc utility.
8. Find a running process and note its PID. The exploit takes a PID as its argument, and it must be non-zero; check the exploit's own usage comments for which process it expects.
9. Confirm the process ID (PID); in the following output it appears incremented by one.
10. Once the exploit fires, it runs the code below with root privileges; that code connects back to the Netcat listener we open next.
11. Start a Netcat listener on port 1337 (the port set in the /tmp/run file). Launch the exploit with the PID 2770 (shown above). We successfully get a bash shell on the target system, this time as root.
Hurrah, we did it. I look forward to sharing more CTFs with you. I would like to hear from you; share your thoughts in the comments area below.
If you are interested in learning about ethical hacking and penetration testing, I recommend reading the following blog post.