Tips for an Information Security Analyst/Pentester career - Ep. 45: Post-exploitation (pt. 1)

So far we've analyzed how to exploit a system, now we'll see how to go from there.

Post-exploitation commands

Once we're within our session, Meterpreter allows us to use additional commands, other than the commands native to the specific systems, whether it is Windows or UNIX/Linux.

Here I'm going to show you only some of them.

Check the official source for more details.

a) sysinfo: Returns information on the target system, as shown below.

b) getuid: Returns the ID of the user we could hack in as.

c) getpid: Returns the PID (process identifier) for the process we're currently running our session in.

d) getsystem: Achieves a local privilege escalation. In Windows versions later than XP, it doesn't work per se, because of the UAC (User Account Control). We're gonna have to perform an exploit in order to disable UAC first and then run this command.

e) idletime: It tells us how long the user logged on the victim machine has been idle.

f) upload and download: we can upload and download files to and from the victim machine. 

In the video, I uploaded a reverse shell first and then I downloaded a text file.

g) hashdump: Dumps the password hashes, if you could become system administrator. For you to dump the hashes, you might have to migrate to a process having a higher priority, automatically started at boot-up (e.g. svchost.exe).

Post-exploitation tools 

Once we gained a meterpreter session, we can use two classes of tools: 

• Meterpreter scripts

• Post-exploitation modules.

Meterpreter scripts

Meterpreter scripts, written in Ruby programming language, are considered to be deprecated and should be replaced all the time by post-exploitation modules.

However, they're nonetheless very powerful.

Scripts can be found within the /usr/share/metasploit-framework/scripts/meterpreter directory, and all have a .rb extension.

In order to run a script, once you're in the Meterpreter session, you need to use the syntax run <script name>. You don't need to include the .rb file extension.

Meterpreter scripts examples

1) checkvm: Allows to check whether the environment we're running is a virtual machine, or not. In our case, it correctly detects I'm running a VMware virtual machine.

2) get_env: Returns all systems and user variables.

3) scraper: Returns a wide series on information on the target system (the whole registry, password hashes, users, etc.), it stores all results under .msf4/logs/scripts/scraper.

4) winenum: Enumerates a Windows domain by running a series of system command, including the very powerful net command, and stores its results under stores all results under .msf4/logs/scripts/winenum.

Post-exploitation modules

That's what Metasploit recommends to run. They're mostly equivalent to scripts and are stored within the /post directory, distinguished based on the reference operating system.

In order to use them, we're gonna need to background our Meterpreter session.

Their syntax is the same as for exploits (use in order to use a specific module, show options to see its options, etc.).

I'm gonna show you only a couple of examples for you to get the hang of them. Check the video for more details.

a) post/windows/enum_logged_on_users: Enumerates all Windows users who recently logged on to the system. Post-exploitation modules are very simple and don't require for any payload to be configured.

In this case, we only have to setup a SESSION parameter and we're good to go.

b) post/windows/gather/enum_applications: Returns the list of all applications currently installed on the system. Said list is exactly the same as the list we can get by running the get_application_list script.

Privilege escalation on Ubuntu 8.10

In a previous post, we could SSH into our Ubuntu machine by stealing the keys for user georgia, but the problem is we don't know her password, so we can't obtain a privilege escalation.

We notice we run Ubuntu 8.10 and the version for Udev is very old.

Udev versions earlier than 1.40 resulted to have a very bad vulnerability, that could allow root access to commands from user space, other than from kernel space only, as it should be.

This vulnerability can be exploited against our VM and we can use a public exploit written in C, by using searchsploit.

Searchsploit allows to have a copy of the exploit database handy on the local computer.

All we need to know is the PID of udevd netlink socket (normally equal to the PID for udevd minus one) and pass it as an argument to the exploit.

We can pass any payload we want to /tmp/run and it'll be run as root.

So I add a payload that opens up netcat on port 2222 and spawns a Bash shell.

As we're up with a target machine, we can upload the exploit file to Ubuntu, through wget, and then compile our C script to an executable, through gcc.

At that point, if we run the exploit with the PID for udevd netlink socket, we can get a shell as root and we can download the password hashes.

Wrap-up

Through exploitation, we could get a shell to the victim machine, but this is only the start.

The post-exploitation stage includes all you do after gaining a shell, from leveraging vulnerabilities, to establishing persistence and finally covering your tracks.

Episode 46

Episode 44